List clients from AP



  • Hello,

    In my adventures in pfSense as a newbie, I have now come to my home automation system. Currently this system has a script running in my Asus router, which checks with all connected wifi clients.

    How do I do that in pfSense, with an M2 Atheros NFA222 wifi card set up as Access Point from / within pfSense/FreeBSD?

    I thought I might be able to use wicontrol - but that failed, not available. arp -a shows all clients, yes - but if a client goes offline, this is not tracked.

    So, what I need is to see if my or my wife's mobile phone is connected to the wifi Access Point of pfSense. Can this be done?


  • Rebel Alliance Global Moderator

    What is your wife's phone MAC address?  Does it have a DHCP lease, is it in the arp table?



  • arp -a gives all clients - that is not the problem, the problem is that the list is not updated when a client goes offline. There seems to be some sort of connection to some sort of lease?

    DHCP has the same issue as arp -a, the IP address is reserved for too long a time.

    I need something more "as long as an active connection". I could of course do a ping or something to verify if the cellphone is there or not - after it got an IP (however I am not sure that Android allows ping response).

    In Asus I can do:

    macadresser=$(wl -i eth1 assoclist)

    This gives me the correct list. However wl does not exist in FreeBSD within pfSense.


  • Rebel Alliance Global Moderator

    Wifi support in freebsd and therefore pfsense is not very good… If you want to do fancy stuff with your wifi then get a real AP.. I can see what clients are associated to my wifi with a simple look on the unifi controller gui..  And I get alerts when my sons' phones connect and disconnect via running domotz on my network to give me alerts when any device enters or leaves the network.

    I can set up alerts in the controller when stuff associates or goes offline.. And get them right on my phone or sms, or email or all 3 (see attached)..  And you can set up alerts for email in the unifi controller for the same sort of thing.. Or just the event log (see attached)..

    The domotz does it via sending out actual arps.. At scheduled times.. So you can know within 30 seconds of something online or offline if you want, etc.

    The arp cache in freebsd defaults to 20 minutes I believe.. There is an arping package, that you could use so even if the client doesn't answer ping, it's going to have to answer an arp ;)

    You could prob cobble some script to run on pfsense - but I am a fan of using the correct tools for the job ;)
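
Added example, not part of the original thread: a POSIX sh sketch of the kind of script mentioned above, reading the AP's 802.11 association table with FreeBSD's `ifconfig <interface> list sta` instead of the ARP cache or DHCP leases. The interface name `ath0_wlan0`, the device names and the MAC addresses are assumptions, and the station table is constructed sample data.

```shell
#!/bin/sh
# Presence check against the AP's station (association) table.
WLAN_IF="${WLAN_IF:-ath0_wlan0}"   # assumed wireless interface name; adjust to yours

# Constructed sample in the column layout printed by `ifconfig <if> list sta`.
SAMPLE_TABLE='ADDR               AID CHAN RATE RSSI IDLE  TXSEQ  RXSEQ CAPS FLAG
02:00:5e:10:00:01    1   36  54M 27.5    0   2117  41328 EPS  AQE
02:00:5E:10:00:03    2   36  54M 19.0   15    388   9120 EPS  AQE'

# Live table on the firewall (not called in the offline demo below).
live_table() {
    ifconfig "$WLAN_IF" list sta
}

# Read a station table on stdin, print one lower-cased MAC per associated client.
# The header line does not start with a MAC, so it is skipped.
assoc_macs() {
    grep -Eo '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}' | tr 'A-F' 'a-f'
}

# is_associated MAC: station table on stdin, exit 0 if MAC is in it.
is_associated() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    assoc_macs | grep -qxF "$want"
}

# presence_report name=mac ...: station table on stdin,
# prints "<name> home" or "<name> away" for each watched device.
presence_report() {
    table=$(cat)
    for entry in "$@"; do
        name=${entry%%=*}
        mac=${entry#*=}
        if printf '%s\n' "$table" | is_associated "$mac"; then
            echo "$name home"
        else
            echo "$name away"
        fi
    done
}

# Offline demo on the sample; on the firewall use: live_table | presence_report ...
printf '%s\n' "$SAMPLE_TABLE" |
    presence_report phone_a=02:00:5e:10:00:01 phone_b=02:00:5e:10:00:02
```

Run from cron or the home automation poller, this reports association state directly, so it does not depend on how long an ARP entry or DHCP lease lingers.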






  • Very large thanks - Yes I have had a thought or two about changing to external AP. One of the reasons is that the internal, although seems to fully function in 802.11n mode with good transfer, goes missing on the status/dashboard on pfSense - and I cannot figure out why. We will see where I end up, since it is still a work in progress, and sits behind my Asus router (until I feel secure enough for letting it go full production).


  • Rebel Alliance Global Moderator

    wifi in freebsd blows!!! it's going to be nothing but PITA..  N.. who and the F runs N these days.. Most any mobile device is AC these days ;) only cheap iot devices run N…

    Just my personal advice - do yourself a HUGE favor and spend a few bucks and get a real AP... Something that can do vlans and supports current tech, DFS channels, ATF, BandSteering, etc. etc.



  • Well I do have an old Asus N56 router, which can be made into an AP - I might start with that before I find the correct UNI* Ap…?

    (yes I am dead tired of my Atheros NFA222 M2 WiFi card - it just kind of works, but not reliable).


  • Rebel Alliance Global Moderator

    Running dd-wrt or openwrt would be ok I guess… Still not going to have anything close to the feature set of actual AP correctly placed for proper coverage..

    Say a Ubiquiti Unifi Ap-AC Lite, runs < $80 and is AC and can actually be placed via POE for good coverage..  If you want good reliable wifi, then you need to get some decent AP or even a few and properly place them for coverage..  N56U, the best PHY you can get on that is 300.. Like watching freaking paint dry..  If you're happy with such shitty wifi or have really old clients that cannot do better than 300 PHY.. then sure ok and you live in a closet for needed coverage ;)

    How many wireless devices do you have?  What speeds do they support, what is your internet speed?  How big of an area do you want wifi to be good in?



  • The only clients are mobile phones (4) and tablets (3) - and no kids, so no YouTube or anything - more just email and light web surfing. Now we only have 100/100 Mbit/s as WAN - so anything above that is well useless…


  • Rebel Alliance Global Moderator

    "Now we only have 100/100 Mbit/s as WAN - so anything above that is well useless…"

    So your three tablets and you do not stream any video from local?  Like plex or anything?  If you don't do any local anything with your mobile devices, then sure anything over your internet connection would not be available to use.. But keep in mind that to actually see 100mbps to your internet you're going to need more than that to be available via wifi.. Lots of factors come into play with real world speed of wifi.

    So you are saying you get 100/100 to the internet from your current wifi from anywhere in your house?  Find that really hard to believe with a 1x1 N connection on client.. Are your clients 2x2 AC?  Or are they old N devices?  That is max phy of 300..  When all the stars are aligned and good signal ok...

    It's your network you know what you need, etc.  All I am saying is you want to play with alert features and new wifi tech you're going to want real wifi equipment not some card in your pfsense box or some old N300 soho wifi router.. yeah they call it N600.. But that is just marketing nonsense they add the 2.4 and 5 bands together ;)  which never going to work with any single client.. So the max any client can ever see with that device is PHY of 300.. Or about 150mbps real world - when all the planets are aligned, etc..

    You have no iot devices that are wifi?  Not roku or firesticks, etc.  Your only wifi devices are phones and tablets?  Wow.. I have more iot wifi devices than mobile devices.. Thermostat, Smoke detector, harmony, lights, roku sticks, etc. etc..  Which also makes nice to be able to isolate to their own networks via vlan support.

    I sound like a freaking salesman ;) heheeh  -- But sure I would agree your old wifi router going to be better than some card in pfsense. And if running 3rd party you should have access to some typical wifi commands..



  • Well it is 100/100 to the switch in the house (91 apartments), and then I think it is 1000/1000 still from that point. So well to be able to use 100/100 fully it will take some….

    As far as I know, my Sony Z3 and my wife's Samsung Note 4, may or may not be able to use better network. The same goes for the Nexus 7 (2013) and the two Samsung TAB S 10.5 tablets we use. Wifi is really not that important - since anything that is important uses wired network in our installation. Like the media player which connects to the media server - ethernet, 1 gbit/s.

    So NO none of our phones, including workphones (my iPhone 7 which I do not like, and wife's Asus 3 Android one), uses any bandwidth worth mentioning. I think my contract with my mobile phone company has a limit of 0,5 GB/month - and I never even use that. I checked it a while back, and it was only about 0,13 GB that month.

    I fully understand your point, I do, it is just that we do not need that. For example, we do not use Facebook, Twitter, SnapChat - or any other service like that. We are only about 50 years old, and no we do not use latest and greatest....

    Makes me wonder why I bother with pfSense - I cannot even get it to block ads as effectively as my old Asus AC88 router (yes it is most likely a config thing, squid/squidguard/pfBlockNG is all installed, however I seem to have "taken water above my head" for the moment since I cannot even block a simple web site).


  • Rebel Alliance Global Moderator

    "We are only about 50 years old"

    hehehe - dude I am 52.. I sure and the hell do not use snapchat either ;)

    pfblocker can block ads.. But to be honest right tool for the job.. pi-hole is much easier better solution if what you're wanting to do is block ads..

    I do tech for a living, and I have the added benefit of it being my hobby and passion.. So what's the old saying when you love what you do you never work a day in your life ;)  But to be honest from this last post I have to wonder why you're using pfsense as well.  I take it you only have 1 network, you're not effectively using any of the packages it seems.  Tech not a hobby of yours since you have old tech ;)  And you don't even really use the internet.. Then yeah you prob be better off just using some off the shelf soho router..

    if you want to get alerts when your wife's phone goes on and off the wifi.. And you're not into tech and don't use the internet - I have to wonder why it matters?  If you only have 1 network something like fingbox would be good for you..

    https://www.indiegogo.com/projects/fingbox-network-security-wi-fi-troubleshooting#/

    It can alert you when devices enter and leave your network.. be it wired or wireless.  The domotz I run is its big brother and supports vlans - which I need in my network.  the fingbox does not have vlan support.



  • Well, here goes then: Why I need (!) pfSense:

    As a long time Asus (different models) user, with RMerlin Firmware, and nowadays AdBlock and SkyNet, I was not too comfortable with 1) depending on RMerlin to support his firmware (he had gone away a few times) and 2) Asus history of moving more and more code to closed source. And depending on all that. On top of this, I like to secure some parts of our network to a new level - this cannot be done with Asus. Also, I do like to learn new stuff. No I might not be the most social internet man on earth, however I do like my privacy…. And well I got hacked once with my Asus RMerlin setup - so yes I thought I needed something better.

    That said, yes pfSense is a bit harder to set up, and a lot of new details to accept and learn. My new pfSense firewall solution is getting better and better by the day. I get more and more correct installation and configuration. But I am not done yet - still need snort and then a better WiFi solution (yes I will change to external AP - it would have been soooo nice if it worked with the builtin, I gave it a shot but hey I know when to give up also - and I was aware of this when I started all).

    Would I do it again knowing what I know today? Yes most likely.

    That said, yes I still have a lot of ground to cover before I can use this pfSense setup. I will be angry some days, and happy other days - it is just a bit of life :-) And I will ask more questions for sure :-)


  • Rebel Alliance Global Moderator

    "still need snort"

    No you don't - not really.. Running an IPS is a HUGE learning curve.. It is going to be full of noise and false.. If you do not trim down your rules you're just going to be bombed with false info..  And if you turn it other than monitor it's going to block shit that you would want working..

    "And well I got hacked once with my Asus RMerlin setup"

    That had nothing to do with the firewall more than likely you forwarded a port you should not have - pfsense is no better.  If you allow inbound traffic to something you shouldn't then you're going to have a problem no matter what firewall you run.  No matter if you run ips or not, etc.



  • Well sorry, no port open or forward at that time. So why? How? Well depending on someone is not always the best solution, now is it? So is depending on pfSense better? most likely not - you are not making this easier ;-)


  • Rebel Alliance Global Moderator

    You ran some bad code then, etc..  You had UPnP open… I have no idea what your "hack" was.. But sorry pfsense is not going to protect you from your own messup..  Out of the box pfsense doesn't do anything different than your off the shelf soho router.  No unsolicited inbound traffic, and does nat..

    Now it has way more capabilities sure.. You can run a proxy, you can run IPS, its overall routing features, etc. etc. etc..  I can go on and on and on why you would run pfsense vs some soho router..  But it seems to me you don't like tech, you don't use tech, you don't even really use the internet..  So thinking you need to run an IPS to keep from getting hacked doesn't make a lot of sense.



  • I do not understand why you make all these assumptions - you are not even close.


  • Moderator

    @Bamsefar:

    I do not understand why you make all these assumptions - you are not even close.

    Check out the following boards for more specific help to your questions:

    https://forum.pfsense.org/index.php?board=61.0
    https://forum.pfsense.org/index.php?board=70.0

    Would recommend reading other posts in those boards first before posting questions. Would also recommend working on one piece at a time then rinse and repeat for the next issue. Otherwise, you will be chasing your tail.