Wifi bridged to LAN -> no traffic passed



  • Okay so I realize this is a huge point of contention for newbies, but I've read over the past few pages of topics on the subject and done a few searches and I can't find anyone facing the same problems.

    I am trying to bridge WLAN (OPT2) and LAN and pass DHCP and other broadcast traffic just like a standard commercial wireless router. I can't seem to get pfSense to pass any traffic at all though, DHCP fails (I see the requests come in with tcpdump, but no responses are generated) and if I statically configure the client its ARP requests are not responded to. I have added 'allow from any to any' rules on WLAN as well as a suggested rule for port 67-68 (DHCP) and also tried adding a rule to allow any with destination 255.255.255.255, all to no avail. On the LAN side I've added a rule to allow all to LAN subnet - perhaps this is insufficient?

    I can't seem to find any documentation on how to properly configure the rules for filtering on the bridge. I basically want to allow all and bridge broadcast traffic as well, but this doesn't seem to be trivial. Is there no way to disable filtering on the bridge? I'd rather not take that performance or complexity hit if possible.

    As a standalone interface, WLAN works fine on a different subnet, but I would prefer a naive bridge if that configuration is possible. With the 3 LANs I'd then have I'd be maintaining 3 sets of rules on each of several firewalls which is a bit cumbersome.

    I'm running 1.2.1 on an alix2d3 with a Wistron dcma81 Atheros wifi NIC. The one caveat I have is that I have built a custom kernel for this box to enable glxsb(4) and the LEDs on this box. It's based on 7.0-RELEASE with the glxsb code from 7.1-RELEASE and geode.c from 8. As far as I know (famous last words) my kernel config is okay, and I haven't had any problems with 'routing' functions, nor do I see any errors or warnings in the logs.

    Thanks



  • Can you show a screenshot of the rule(s) you created on the WLAN interface?
    Did you try this: http://forum.pfsense.org/index.php/topic,13351.0.html



  • Yes, that's the suggested rule I was talking about. Here are the other rules I've added:



  • Well, I'll put on my dunce cap now. I didn't have the kernel configuration handy to check, but it looks like I forgot to build in bridging support:

    
    # ifconfig bridge create
    ifconfig: SIOCIFCREATE2: Invalid argument
    # ngctl types
    There are 10 total types:
          Type name   Number of living nodes
          ---------   ----------------------
             socket       1
               mppc       0
              iface       0
              ether       4
                bpf       0
                tty       0
                tee       0
            rfc1490       0
              pppoe       0
                ppp       0
    
    

    I tried loading the ng_bridge module from the pfSense kernel and reloading the rules/reconfiguring the interface, but pfSense doesn't seem to be creating any bridge nodes. Is pf using if_bridge or ng_bridge? I was assuming ng_bridge would be used but…?

    # ngctl list
    There are 5 total nodes:
      Name: ngctl5590       Type: socket          ID: 00000008   Num hooks: 0
      Name: ath0            Type: ether           ID: 00000004   Num hooks: 0
      Name: vr2             Type: ether           ID: 00000003   Num hooks: 0
      Name: vr1             Type: ether           ID: 00000002   Num hooks: 0
      Name: vr0             Type: ether           ID: 00000001   Num hooks: 0
    # ngctl types
    There are 11 total types:
          Type name   Number of living nodes
          ---------   ----------------------
             bridge       0
             socket       1
               mppc       0
              iface       0
              ether       4
                bpf       0
                tty       0
                tee       0
            rfc1490       0
              pppoe       0
                ppp       0
    
    


  • Try adding your modifications by using either of these kernel files as a base:

    Embedded/Wrap

    Full Install



    I was referencing the embedded kernel config, but I wanted to compile the kernel statically and remove all the unnecessary drivers, so I was also referencing the kernel modifications suggested here, but that configuration is missing a lot of the networking options necessary. I forgot to copy the if_bridge option from the default pfSense config. Adding it back into the configuration did the trick; the bridge is up and running well now. Now I've got support for the LEDs (need to do something more useful than a boot progress bar with them ;)) and hardware accelerated crypto (need to figure out how to make openssl use the cryptodev engine by default…).

    All my needs are filled now though, these ALIX boxes are really great and so is pfSense. Will be deploying several more soon ;D Thanks.
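The root cause in this thread was a `device`/`options` line dropped while trimming a custom kernel config. As an added example (not code from any poster or from pfSense), the following sh script lists entries that a base config has and a custom config lacks; the two sample configs are constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Normalise a FreeBSD kernel config: strip comments and keep only
# "device"/"options" entries as "keyword name" (any "=value" is ignored).
kconf_entries() {
    awk '{ sub(/#.*/, "") }
         $1 == "device" || $1 == "options" {
             split($2, a, "="); print $1, a[1]
         }' "$1" | LC_ALL=C sort -u
}

# Print entries present in the base config ($1) but absent from the custom one ($2).
missing_from_custom() {
    base_tmp=$(mktemp) && custom_tmp=$(mktemp) || return 1
    kconf_entries "$1" > "$base_tmp"
    kconf_entries "$2" > "$custom_tmp"
    LC_ALL=C comm -23 "$base_tmp" "$custom_tmp"
    rm -f "$base_tmp" "$custom_tmp"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample configs, not the real pfSense or poster's files.
    cat > "$dir/base" <<'EOF'
device   pf
device   pflog
device   if_bridge        # bridging support
options  ALTQ
options  DEVICE_POLLING
EOF
    cat > "$dir/custom" <<'EOF'
device   pf
device   pflog
options  ALTQ
device   glxsb            # added for hardware crypto
EOF
    missing_from_custom "$dir/base" "$dir/custom"
    rm -rf "$dir"
}

demo
```

Running it against the stock config before building shows a missing `device if_bridge` up front, rather than as `SIOCIFCREATE2: Invalid argument` on the running box.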



  • Hi Ktims,

    I'm also using Alix and therefore I must ask, would you mind sharing your kernel config?
    I have to admit I'd like to make some use of the LED support too ;)

    PS: Is there any chance to see the LED support added to the current pfsense kernel config?



  • @df:

    Hi Ktims,

    I'm also using Alix and therefore I must ask, would you mind sharing your kernel config?
    I have to admit I'd like to make some use of the LED support too ;)

    PS: Is there any chance to see the LED support added to the current pfsense kernel config?

    Sure. I have been experiencing some freezes when mucking in Advanced Options in the webUI, so I'm not going to vouch for the stability of my kernel, but that could easily be (and probably is) something else. I haven't had a chance to hook up a serial console and see what's happening.

    config
    tarball of /boot/kernel

    It's based on 7.0-RELEASE. I have added the content of src/sys/dev/glxsb to the kernel tree and modified src/sys/conf/files.i386 to include the lines that reference those files so it will compile. That gets you hardware cryptodev. I have also copied src/sys/i386/i386/geode.c from HEAD. That gets you /dev/led support. If all you're interested in is LED support I would grab the pfSense-embedded kernel config linked above by lsf (you might need an older revision, I couldn't find where IPSEC_NAT_T and ALTQ_FAIRQ were coming from, they don't seem to be in 7.0) and build it with the replaced geode.c and no other changes.

    I based my changes on this article by Kvedulv.

