[solved] Simple wireless bridge doesn't allow traffic



  • I'm attempting what I think is a fairly unsurprising setup:

    
    ISP
    router/modem with NAT
    192.168.0.1/24
         |
    WAN:DHCP in 192.168.0.0/24
    pfSense
    LAN:192.168.1.1/24 -- bridge -- WLAN:no IP
         |                                |
    wired DHCP clients             wireless clients
    
    

    The wired DHCP clients work fine, but the wireless ones do not. They connect successfully through WPA PSK but then cannot connect to any hosts.

    First I'll show some config details if it helps:

    Interfaces
    LAN - re1 - Static IPv4 192.168.1.1/24
    WAN - re0 - DHCP
    WLAN - ral0 - None; auto 802.11b/g; access point; WPA2 PSK AES
    WLANBR - BRIDGE0 - None

    The bridge BRIDGE0 has members LAN, WLAN

    Firewall / Rules / WLAN
    Protocol IPv4+6, source *, port *, dest *, port *, gw *, queue none

    As for logs: either I'm reading them incorrectly, or they seem to indicate that everything is working.

    
    Jun 21 20:19:44 pfSense hostapd: ral0_wlan0: WPA GMK rekeyd
    Jun 21 20:19:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
    Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.11: associated
    Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: event 1 notification
    Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: start authentication
    Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: unauthorizing port
    Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/4 Pairwise)
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 3/4 msg of 4-Way Handshake
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (4/4 Pairwise)
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: authorizing port
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b RADIUS: starting accounting session 594A807F-0000000C
    Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: pairwise key handshake completed (RSN)
    Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
    Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
    Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
    Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
    Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/2 Group)
    Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: group key handshake completed (RSN)
    Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
    
    Jun 21 20:19:54 pfSense dhcpd: DHCPDISCOVER from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
    Jun 21 20:19:55 pfSense dhcpd: DHCPOFFER on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
    Jun 21 20:19:55 pfSense dhcpd: DHCPREQUEST for 192.168.1.101 (192.168.1.1) from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
    Jun 21 20:19:55 pfSense dhcpd: DHCPACK on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
    
    

    When I attempt connections from the client, I do not see any new entries in filter.log. The client is getting both IPv4 and IPv6 addresses but cannot make connections, including to the web config interface of pfSense.

    Any ideas? Thank you in advance.


  • Galactic Empire

    https://doc.pfsense.org/index.php/Interface_Bridges

    Think you might need to tweak the following settings System -> Advanced -> System Tunables

    net.link.bridge.pfil_member
    net.link.bridge.pfil_bridge



  • Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.



  • @dotdash:

    Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.

    That's a very good idea. I suppose since I don't have any network printers or NAS, and don't have a burning need for filesharing between clients, this will be a good fallback if those other tunables don't work.



  • I solved the issue. My main problem is that, apparently, in the firewall rules, IPv4+IPv6 does NOT mean "both IPv4 and IPv6". Maybe it means "IPv4 over IPv6" or something, but anyway, when separating out rules into individual IPv4 and IPv6, everything started working.


  • Rebel Alliance Global Moderator

    "IPv4+IPv6 does NOT mean "both IPv4 and IPv6". Maybe it means "IPv4 over IPv6" or something, but anyway,"

No, it doesn't; it means what it says: either IPv4 or IPv6.



  • @johnpoz:

No, it doesn't; it means what it says: either IPv4 or IPv6.

    That's quite curious, because so far as I can tell, that's the deciding factor in whether all of my traffic is blocked or not. I noticed that the "default allow all LAN" rules issued with pfSense were similarly split; why wouldn't they use the combined address family if it does what it looks like it should?



You have to read it as the exclusive-or operator XOR: either IPv4 or IPv6, but not both at the same time. A single IP packet is always one or the other, never both.

The rules are fine either split by address family or combined; the end effect is exactly the same, because the combined rule would still create exactly the same states, which differ by address family depending on whether the first packet of each connection was IPv4 or IPv6.



  • Long story short, my setup is working now. I think a bridge is the best way to go, and I'm impressed at the way pfSense handles it. I was wrong about the IPv4/IPv6 split; having them combined is fine.

    Now:

    • Neither LAN nor WLAN has an IP address
    • The bridge interface LANBR has static IP addresses for IPv4 and IPv6
    • No firewall rules for LAN or WLAN
    • Firewall rules on LANBR only
• Tunables net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1
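Two points in this thread can be checked against a small model: the moderator's explanation that an "IPv4+IPv6" rule simply applies to whichever family a given packet belongs to, and the final layout that puts rules on the bridge interface only with pfil_member=0 and pfil_bridge=1. The block below is an added example, not pfSense or pf code. It keeps the interface names LAN, WLAN and LANBR and the 192.168.1.101 lease from the thread, constructs a ULA IPv6 address pair for the v6 case, and simplifies pf to first-match evaluation (pfSense marks every rule "quick") with no states, floating rules or outbound filtering. The tunable semantics modelled are the documented ones: net.link.bridge.pfil_member=1 consults the ruleset of the member interface a frame entered on, net.link.bridge.pfil_bridge=1 consults the bridge interface's ruleset, setting both filters twice, and clearing both leaves bridged traffic unfiltered.

```python
"""Model of where pfSense filters a bridged frame and how a rule's address
family matches a packet.  Added example, not pfSense/pf code; pf is
simplified to first-match ('quick') rules with default deny and no states."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

BRIDGE = "LANBR"                     # bridge interface from the thread's final post
MEMBERS = frozenset({"LAN", "WLAN"})  # its member interfaces


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the frame entered on: "LAN" or "WLAN"
    src: str
    dst: str

    @property
    def family(self) -> str:
        return "inet" if ip_address(self.src).version == 4 else "inet6"


@dataclass(frozen=True)
class Rule:
    iface: str                      # pfSense firewall tab the rule is on
    action: str                     # "pass" or "block"
    family: Optional[str] = None    # "inet", "inet6", or None for "IPv4+IPv6"

    def matches(self, pkt: Packet) -> bool:
        # "IPv4+IPv6" is not a third protocol: the rule applies to whichever
        # family the packet is, so None matches either family.
        return self.family is None or self.family == pkt.family


def filter_points(ingress: str, pfil_member: int, pfil_bridge: int) -> List[str]:
    """Interfaces whose ruleset pf consults for a frame entering on `ingress`."""
    points = []
    if pfil_member and ingress in MEMBERS:
        points.append(ingress)
    if pfil_bridge:
        points.append(BRIDGE)
    return points


def evaluate(rules: List[Rule], pkt: Packet, pfil_member: int, pfil_bridge: int) -> str:
    """Verdict for one packet: every consulted ruleset must pass it.
    With no filtering point at all, the bridge forwards it unfiltered."""
    for point in filter_points(pkt.ingress, pfil_member, pfil_bridge):
        verdict = "block"  # pfSense default deny on a filtered interface
        for rule in rules:
            if rule.iface == point and rule.matches(pkt):
                verdict = rule.action  # first match wins (rules are 'quick')
                break
        if verdict == "block":
            return "block"
    return "pass"


def never_evaluated(rules: List[Rule], pfil_member: int, pfil_bridge: int) -> List[Rule]:
    """Audit: rules on an interface pf never consults under these tunables."""
    active = set()
    for member in MEMBERS:
        active.update(filter_points(member, pfil_member, pfil_bridge))
    return [r for r in rules if r.iface not in active]


# Constructed traffic: the Android client's lease from the thread, plus a ULA pair.
V4 = Packet("WLAN", "192.168.1.101", "192.168.1.1")
V6 = Packet("WLAN", "fd00::101", "fd00::1")

COMBINED = [Rule("LANBR", "pass")]                                   # one IPv4+IPv6 rule
SPLIT = [Rule("LANBR", "pass", "inet"), Rule("LANBR", "pass", "inet6")]  # split by family


def final_layout(rules: List[Rule]) -> Tuple[str, str]:
    """Verdicts for V4 and V6 under the thread's final tunables (0, 1)."""
    return evaluate(rules, V4, 0, 1), evaluate(rules, V6, 0, 1)


if __name__ == "__main__":
    print(final_layout(COMBINED))                          # ('pass', 'pass')
    print(final_layout(SPLIT))                             # ('pass', 'pass'), identical
    print(final_layout([Rule("WLAN", "pass")]))            # ('block', 'block'): member rules ignored
    print(never_evaluated([Rule("WLAN", "pass")], 0, 1))   # the WLAN rule is dead under (0, 1)
    print(evaluate([], V4, 0, 0))                          # 'pass': nothing filters at all
```

The never_evaluated check is the caveat to run after flipping the tunables: once pfil_member=0, a pass rule left on WLAN does nothing, but a block rule left there is equally dead, and with both tunables at 0 even an empty ruleset passes every bridged frame.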