Netgate Discussion Forum
    [solved] Simple wireless bridge doesn't allow traffic

    reinderien

      I'm attempting what I think is a fairly unsurprising setup:

      ISP
      router/modem with NAT
      192.168.0.1/24
           |
      WAN:DHCP in 192.168.0.0/24
      pfSense
      LAN:192.168.1.1/24 -- bridge -- WLAN:no IP
           |                                |
      wired DHCP clients             wireless clients

      The wired DHCP clients work fine, but the wireless ones do not. They connect successfully through WPA PSK but then cannot connect to any hosts.

      First I'll show some config details if it helps:

      Interfaces
      LAN - re1 - Static IPv4 192.168.1.1/24
      WAN - re0 - DHCP
      WLAN - ral0 - None; auto 802.11b/g; access point; WPA2 PSK AES
      WLANBR - BRIDGE0 - None

      The bridge BRIDGE0 has members LAN, WLAN

      Firewall / Rules / WLAN
      Protocol IPv4+6, source *, port *, dest *, port *, gw *, queue none

      As for logs: either I'm reading them incorrectly, or they seem to indicate that everything is working.

      Jun 21 20:19:44 pfSense hostapd: ral0_wlan0: WPA GMK rekeyd
      Jun 21 20:19:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
      Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.11: associated
      Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: event 1 notification
      Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: start authentication
      Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: unauthorizing port
      Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/4 Pairwise)
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 3/4 msg of 4-Way Handshake
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (4/4 Pairwise)
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: authorizing port
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b RADIUS: starting accounting session 594A807F-0000000C
      Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: pairwise key handshake completed (RSN)
      Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
      Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
      Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
      Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
      Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/2 Group)
      Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: group key handshake completed (RSN)
      Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

      Jun 21 20:19:54 pfSense dhcpd: DHCPDISCOVER from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
      Jun 21 20:19:55 pfSense dhcpd: DHCPOFFER on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
      Jun 21 20:19:55 pfSense dhcpd: DHCPREQUEST for 192.168.1.101 (192.168.1.1) from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
      Jun 21 20:19:55 pfSense dhcpd: DHCPACK on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1


      When I attempt connections from the client, I do not see any new entries in filter.log. The client is getting both IPv4 and IPv6 addresses but cannot make connections, including to the web config interface of pfSense.

      Any ideas? Thank you in advance.

        NogBadTheBad

        https://doc.pfsense.org/index.php/Interface_Bridges

        Think you might need to tweak the following settings under System -> Advanced -> System Tunables:

        net.link.bridge.pfil_member
        net.link.bridge.pfil_bridge

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          dotdash

          Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.

            reinderien

            @dotdash:

            Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.

            That's a very good idea. I suppose since I don't have any network printers or NAS, and don't have a burning need for filesharing between clients, this will be a good fallback if those other tunables don't work.

              reinderien

              I solved the issue. My main problem is that, apparently, in the firewall rules, IPv4+IPv6 does NOT mean "both IPv4 and IPv6". Maybe it means "IPv4 over IPv6" or something, but anyway, when separating out rules into individual IPv4 and IPv6, everything started working.

                johnpoz (LAYER 8 Global Moderator)

                "IPv4+IPv6 does NOT mean 'both IPv4 and IPv6'. Maybe it means 'IPv4 over IPv6' or something, but anyway,"

                No it doesn't - it means what it says: either IPv4 or IPv6.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  reinderien

                  @johnpoz:

                  No it doesn't - it means what it says either ipv4 or ipv6.

                  That's quite curious, because so far as I can tell, that's the deciding factor in whether all of my traffic is blocked or not. I noticed that the "default allow all LAN" rules issued with pfSense were similarly split; why wouldn't they use the combined address family if it does what it looks like it should?

                    kpa

                    You have to read it as the exclusive or operator XOR: either IPv4 or IPv6, but not both at the same time. A single IP packet is always one or the other, never both.

                    The rules are fine either split by address family or combined; the end effect is exactly the same, because the combined rule would still create the exact same states that differ by address family depending on whether the first packets of the connections were IPv4 or IPv6.

                      reinderien

                      Long story short, my setup is working now. I think a bridge is the best way to go, and I'm impressed at the way pfSense handles it. I was wrong about the IPv4/IPv6 split; having them combined is fine.

                      Now:

                      • Neither LAN nor WLAN has an IP address
                      • The bridge interface LANBR has static IP addresses for IPv4 and IPv6
                      • No firewall rules for LAN or WLAN
                      • Firewall rules on LANBR only
                      • Tunables net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1
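As an added illustration that is not from any poster in this thread: the two tunables in the final setup decide where pf evaluates rules for a bridge, and the dangerous combination is both set to 0, where no rule on any interface is applied to bridged frames. The POSIX shell helper below takes the two values as arguments (so it runs without pfSense) and reports which rule placement is actually effective; the function names and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example (not pfSense code): map net.link.bridge.pfil_member /
# net.link.bridge.pfil_bridge to the interfaces on which pf evaluates rules
# for a bridge like BRIDGE0 with members LAN and WLAN.

# Usage: bridge_filter_points <pfil_member> <pfil_bridge>   (each 0 or 1)
# Prints "members", "bridge", "both" or "none"; returns 1 for "none"
# because that configuration silently bypasses every firewall rule.
bridge_filter_points() {
    member="$1"
    bridge="$2"
    case "$member$bridge" in
        10) echo "members" ;;        # rules on LAN/WLAN apply; rules on BRIDGE0 never match
        01) echo "bridge" ;;         # rules on BRIDGE0 apply; rules on LAN/WLAN never match
        11) echo "both" ;;           # each frame is filtered twice, once per layer
        00) echo "none"; return 1 ;; # nothing is filtered: unintended open bridge
        *)  echo "invalid"; return 2 ;;
    esac
}

# rules_effective <points> "<placements>"  where placements is a space-
# separated list of "member" and/or "bridge" naming where rules were put.
# Returns 0 if at least one of those placements can ever match a frame.
rules_effective() {
    points="$1"
    for r in $2; do
        case "$points:$r" in
            members:member|bridge:bridge|both:member|both:bridge) return 0 ;;
        esac
    done
    return 1
}

# Read the live sysctls on FreeBSD/pfSense; on other systems fall back to
# the thread's final values (member=0, bridge=1) so the report still runs.
report() {
    m=$(sysctl -n net.link.bridge.pfil_member 2>/dev/null || echo 0)
    b=$(sysctl -n net.link.bridge.pfil_bridge 2>/dev/null || echo 1)
    points=$(bridge_filter_points "$m" "$b") || echo "WARNING: bridge traffic is unfiltered"
    echo "pf filtering point(s): $points"
    if rules_effective "$points" "bridge"; then
        echo "rules on BRIDGE0 (LANBR) take effect"
    else
        echo "rules on BRIDGE0 (LANBR) are never evaluated"
    fi
}
```

Call `report` after sourcing the file to check a running box; the final configuration in the thread yields "bridge", so rules on LANBR are evaluated and rules left on LAN or WLAN would be dead.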
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.