Unable to access Internet from WIFI AP
- 
 No, for WAN I get DHCP from my ISP. And I had all my machines set up for 192.168.2.1/24 from a long time ago, that is why I have it set up as 2.1, no real reason. WIFI is 192.168.3.1 because I want it to be in a different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface. My AP is definitely a dumb AP with all functions turned off. (Apologies for using the term "router") Appreciate your help.
- 
 Internet: 
 Destination Gateway Flags Refs Use Netif Expire
 default 192.168.3.1 UGSc 6 0 en0
 127 127.0.0.1 UCS 0 0 lo0

 Default gateway is fine too. Yeah, really pulling my hair out here. I have been using pfsense for a while; the only difference is I had these interfaces bridged before. I want to set up different subnets so my wifi connection cannot talk to my LAN and IPMI subnets.
- 
 that is the outbound of your laptop netstat? Why do you have /32 bit mask set "192.168.3.1/32" And then this? "192.168.3.3/32" And you have that set on a wired interface en0
- 
 that is the outbound of your laptop netstat? Why do you have /32 bit mask set "192.168.3.1/32" And then this? "192.168.3.3/32" And you have that set on a wired interface en0

 The two /32's seem to be a MacOS thing, I see them on my Mac; one is the default gateway, the other the actual device.

 mac-pro:~ andy$ netstat -rn
 Routing tables

 Internet:
 Destination Gateway Flags Refs Use Netif Expire
 default 172.16.2.1 UGSc 50 6 en0
 127 127.0.0.1 UCS 0 0 lo0
 127.0.0.1 127.0.0.1 UH 8 3282 lo0
 169.254 link#6 UCS 0 0 en0
 172.16.2/24 link#6 UCS 4 0 en0
 172.16.2.1/32 link#6 UCS 1 0 en0
 172.16.2.1 0:8:a2 9d:cb UHLWIir 7 1 en0 286
 172.16.2.6 6c:70:9f:d8:3b:4e UHLWI 0 0 en0 1074
 172.16.2.20/32 link#6 UCS 0 0 en0
 172.16.2.23 a8:20:66:10:fc:b7 UHLWI 0 0 en0 1075
 172.16.2.40 40:9c:28:a2:e0:7e UHLWI 0 6 en0 1060
 172.16.2.41 d0:4f:7e:85:d9:be UHLWI 0 41 en0 449
 192.168.12 link#19 UC 1 0 vmnet1
 192.168.33 link#20 UC 1 0 vmnet8
 224.0.0/4 link#6 UmCS 1 0 en0
 224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
 255.255.255.255/32 link#6 UCS 0 0 en0

 What I see but don't in the OP's netstat is a /24 like my entry in green.
- 
 ….. 
 WIFI is 192.168.3.1 because I want it to be in a different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface.

 All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24), because they are 'dumb' converters **.
 On your Wifi network you must have a DHCP server, is this pfSense? So it hands out IPs from a pool like 192.168.2.[x-y] == LAN? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)
 ** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of an AP is not in the network where it is situated, you're in trouble.
- 
 All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24), because they are 'dumb' converters **.
 On your Wifi network you must have a DHCP server, is this pfSense? So it hands out IPs from a pool like 192.168.2.[x-y] == LAN? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)
 ** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of an AP is not in the network where it is situated, you're in trouble.

 This is exactly the case. NTP and DNS are definitely handled by pfsense. My AP is a wireless switch in a different subnet. If you have a look at my OP you can see the pfsense getting DNS requests. As discussed before, even without the converted AP, with the laptop connected to the pfsense port/interface directly, I am having the same issue. That rules this out as an issue with the AP, I believe.
- 
 All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24), because they are 'dumb' converters **.
 On your Wifi network you must have a DHCP server, is this pfSense? So it hands out IPs from a pool like 192.168.2.[x-y] == LAN? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)
 ** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of an AP is not in the network where it is situated, you're in trouble.

 This is exactly the case. NTP and DNS are definitely handled by pfsense. My AP is a wireless switch in a different subnet. If you have a look at my OP you can see the pfsense getting DNS requests. As discussed before, even without the converted AP, with the laptop connected to the pfsense port/interface directly, I am having the same issue. That rules this out as an issue with the AP, I believe.

 All the AP is doing is bridging the LAN to Wi-Fi. If it doesn't work when connecting directly to the ethernet port it's not an issue with the AP. Run the command in red to verify what is providing DHCP.

 Last login: Thu Feb 1 20:22:19 on console
 mac-pro:~ andy$ ipconfig getoption en0 server_identifier
 172.16.2.1
 mac-pro:~ andy$

 I think you might need to start doing packet captures on the pfSense interfaces.
- 
 Just a thought, you mentioned you'd once had the interfaces bridged. You have changed back the following :-
 net.link.bridge.pfil_member
 net.link.bridge.pfil_bridge

 As these would cause filtering on the bridge only. https://doc.pfsense.org/index.php/Interface_Bridges
- 
 @NogBadTheBad At work so just vpnd home and checked 
 net.link.bridge.pfil_member
 net.link.bridge.pfil_bridge
 as suggested and it appears to be off. Please see attached screenshot. Looks like I will have to run packet capture tonight.
 
- 
 Hello everyone, I have been unable to get my wifi AP to get to the internet. It is connected to the different interface. DHCP works and I am able to get DHCP on the subnet. However, I cannot connect to the internet. Cannot ping subnet IP. So far, I have LAN as 192.168.2.1 
 WIFI as 192.168.3.1
 IPMI which I am planning to use for all my server management interface set as 192.168.4.1

 I have set up rules for wifi to allow for any to any connection. I have set up my outbound NAT as automatic. I cannot see anything getting blocked in firewall either. My AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN. Really appreciate if you could advise what to check for. Cheers,

 Ethernet should be connected to WAN on your AP, or do you mean that Ethernet is connected from LAN on pfsense?

 No it shouldn't, you'll get a double NAT if you use the WAN port, use one of the LAN ports.

 That is not necessarily true. If you set the router to AP mode, DHCP will not be enabled and there will not be double NAT. Hell, I use the very same setup myself, i.e. Pfsense (LAN) -> switch -> (WAN) Asus router -> Wifi clients. If I switch the cable from WAN to LAN on the Asus router (when in AP mode), it doesn't work. And why would it, any simple consumer router expects upstream connection on the WAN port, not the LAN port.
- 
 If you use the wan interface on an ADSL or cable Wi-Fi router you'll be routing between its wan interface and the lan & Wi-Fi interface. There will be a NAT of your public IP address on the pfSense router then another on your ADSL or cable Wi-Fi router. Many here will agree.
- 
 @NogBadTheBad At work so just vpnd home and checked 
 net.link.bridge.pfil_member
 net.link.bridge.pfil_bridge
 as suggested and it appears to be off. Please see attached screenshot. Looks like I will have to run packet capture tonight.

 Hmm, I'm stumped then.
- 
 If you use the wan interface on an ADSL or cable Wi-Fi router you'll be routing between its wan interface and the lan & Wi-Fi interface. There will be a NAT of your public IP address on the pfSense router then another on your ADSL or cable Wi-Fi router. Many here will agree.

 Probably missed the distinction between cable/adsl router and "normal" consumer router (without modem). I would assume that they would work in a similar fashion. Please disregard my comments if they don't!
- 
 Ok, the DHCP server is definitely pfSense, we can put that issue to bed. It is not an issue with DHCP.

 $ ipconfig getoption en0 server_identifier
 192.168.3.1

 The packet capture is as below:

 23:37:23.564678 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 504
 23:37:23.564893 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
 23:37:23.564968 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
 23:37:23.565379 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
 23:37:23.565381 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
 23:37:23.566058 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
 23:37:23.566376 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
 23:37:23.567298 IP 192.168.3.3.50299 > 192.168.3.1.53: UDP, length 42
 23:37:23.619931 IP 192.168.3.3 > 224.0.0.2: igmp
 23:37:23.621867 IP 192.168.3.3 > 224.0.0.2: igmp
 23:37:23.678451 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 381
 23:37:23.691769 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 291
 23:37:23.717323 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 252
 23:37:23.718800 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 1096
 23:37:23.765310 IP 192.168.3.3.40827 > 192.168.3.1.53: UDP, length 46
 23:37:23.828317 IP 192.168.3.3.16403 > 17.173.254.222.16384: UDP, length 16
 23:37:23.828546 IP 192.168.3.3.16403 > 17.173.254.222.16385: UDP, length 16
 23:37:23.829258 IP 192.168.3.3.16403 > 17.173.254.223.16386: UDP, length 16
 23:37:23.912807 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
 23:37:23.912928 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
 23:37:23.912988 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
 23:37:23.913119 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
 23:37:23.913244 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
 23:37:23.913475 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
 23:37:23.914281 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
 23:37:23.949944 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
 23:37:23.950247 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
 23:37:23.952349 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
 23:37:24.050275 IP 192.168.3.3.21751 > 192.168.3.1.53: UDP, length 34
 23:37:24.050803 IP 192.168.3.3.25910 > 192.168.3.1.53: UDP, length 32
 23:37:24.499358 IP 192.168.3.3.59259 > 192.168.3.1.53: UDP, length 42
 23:37:24.522294 IP 192.168.3.3.27118 > 192.168.3.1.53: UDP, length 37
 23:37:24.555107 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
 23:37:24.559538 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
 23:37:24.559573 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
 23:37:24.559616 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
 23:37:24.559729 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
 23:37:24.559840 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
 23:37:24.559960 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
 23:37:24.566590 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 676
 23:37:24.777339 IP 192.168.3.3.61863 > 192.168.3.1.53: UDP, length 46
 23:37:24.894125 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
 23:37:24.894372 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
 23:37:24.894379 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
 23:37:24.895705 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
 23:37:24.896116 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
 23:37:24.898720 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
 23:37:24.908239 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
 23:37:24.944160 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
 23:37:24.946450 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
 23:37:24.955006 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
 23:37:25.050644 IP 192.168.3.3.64095 > 192.168.3.1.53: UDP, length 39
 23:37:25.051365 IP 192.168.3.3.26479 > 192.168.3.1.53: UDP, length 35
 23:37:25.057382 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
 23:37:25.062321 IP 192.168.3.3.65264 > 192.168.3.1.53: UDP, length 34
 23:37:25.063264 IP 192.168.3.3.30159 > 192.168.3.1.53: UDP, length 32
 23:37:25.457114 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
 23:37:25.457435 IP 192.168.3.1.67 > 192.168.3.3.68: UDP, length 300
 23:37:25.502920 IP 192.168.3.3.59259 > 192.168.3.1.53: UDP, length 42
 23:37:25.533404 IP 192.168.3.3.47607 > 192.168.3.1.53: UDP, length 37
 23:37:25.918699 IP 192.168.3.3.16403 > 17.173.254.222.16384: UDP, length 16
 23:37:25.919224 IP 192.168.3.3.16403 > 17.173.254.222.16385: UDP, length 16
 23:37:25.919245 IP 192.168.3.3.16403 > 17.173.254.223.16386: UDP, length 16
 23:37:26.061372 IP 192.168.3.3.44341 > 192.168.3.1.53: UDP, length 39
 23:37:26.062385 IP 192.168.3.3.27684 > 192.168.3.1.53: UDP, length 35
 23:37:26.563862 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
 23:37:26.563955 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
 23:37:26.564059 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
 23:37:26.564180 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
 23:37:26.564286 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
 23:37:26.564403 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
 23:37:26.564678 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
 23:37:26.796549 IP 192.168.3.3.50352 > 192.168.3.1.53: UDP, length 46
 23:37:26.895081 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
 23:37:26.895316 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
 23:37:26.895988 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
 23:37:26.896813 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
 23:37:26.896988 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
 23:37:26.899847 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
 23:37:26.909471 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
 23:37:26.945472 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
 23:37:26.948210 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
 23:37:26.953529 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
 23:37:27.064980 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
 23:37:27.083498 IP 192.168.3.3.63089 > 192.168.3.1.53: UDP, length 34
 23:37:27.084380 IP 192.168.3.3.49699 > 192.168.3.1.53: UDP, length 32
 23:37:27.129341 IP 192.168.3.3.52371 > 192.168.3.1.53: UDP, length 42
 23:37:27.555757 IP 192.168.3.3.53540 > 192.168.3.1.53: UDP, length 37
 23:37:27.573832 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 676
 23:37:27.775351 IP 192.168.3.3.55105 > 192.168.3.1.53: UDP, length 39
 23:37:27.799915 IP 192.168.3.3.50352 > 192.168.3.1.53: UDP, length 46
 23:37:28.084606 IP 192.168.3.3.63089 > 192.168.3.1.53: UDP, length 34
 23:37:28.084660 IP 192.168.3.3.49699 > 192.168.3.1.53: UDP, length 32
 23:37:28.084937 IP 192.168.3.3.57463 > 192.168.3.1.53: UDP, length 39
 23:37:28.085387 IP 192.168.3.3.62478 > 192.168.3.1.53: UDP, length 35
 23:37:28.133873 IP 192.168.3.3.52371 > 192.168.3.1.53: UDP, length 42
 23:37:28.559770 IP 192.168.3.3.53540 > 192.168.3.1.53: UDP, length 37
 23:37:28.779774 IP 192.168.3.3.55105 > 192.168.3.1.53: UDP, length 39
 23:37:29.088963 IP 192.168.3.3.57463 > 192.168.3.1.53: UDP, length 39
 23:37:29.089067 IP 192.168.3.3.62478 > 192.168.3.1.53: UDP, length 35

 In this I have tried to go to a website and tried pinging the server. Somehow the DNS request is getting to the server but not the ICMP. And there is no TCP traffic just DNS. I am perplexed why pfsense is not answering. Please note the packet capture file is in cap format.
- 
 How about doing the same test but packet capture on the wan interface, is traffic exiting? 
- 
 How about doing the same test but packet capture on the wan interface, is traffic exiting?

 You mean for traffic originating in WIFI interface going out of WAN? As LAN interface is working there are around 30 odd devices using internet via LAN interface. So, traffic is definitely exiting WAN.
- 
 Not sure if the interface is busted. This pfsense is running in a Supermicro SYS-E200-9B box with 4 Intel NICs. I have just moved the AP over to the IPMI interface which was sitting there unused and voila, it is working. I can connect to internet, ping pfsense and do everything!! I will now have to perform further testing to see if this interface is playing up. Really appreciate all your help. Especially NogBadTheBad, you have been extremely helpful. Cheers!!
- 
 The good news is interface is not busted. I deleted the interface and recreated it. Swapped the name around and created this interface as IPMI added rule in the interface to allow any to any. And now it works. Must have been some config in there from my previous days of bridging the interface. Really happy to have this resolved now. Cheers. 
- 
 192.168.3.1.53: UDP, length 39

 So that is your client at 192.168.3.3 asking for dns.. Pfsense does not answer - so how would the client go to any website if it can not look it up? So looks like you do not have unbound running or forwarder working at all. Or you don't have any firewall rules on this interface to allow access? The lan interface would have a default any any rule on it. Some new interface you created would not have any rules; you would have to put either an any any or the rules you would like to allow. Pfsense will create behind the scenes firewall rules to allow for dhcp to work.. But I only see this
 23:37:25.457114 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
 23:37:25.457435 IP 192.168.3.1.67 > 192.168.3.3.68: UDP, length 300

 there should be more.. from what I have to assume is the discover there to FF:67, the answer would be an offer - but you should then see a request and ack.. But clearly from this whatever .3 is, it is sending traffic to .1 (pfsense).. I take it .3 is a wifi client? So where are the rules on this interface on pfsense?
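
The check the last reply makes by eye on the capture (queries to 192.168.3.1 port 53 with no reply, and too few DHCP packets), as an added example that is not part of the original thread. The sample lines are constructed in the capture's tcpdump text format, the final DNS reply line is invented to show an answered query, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump text format used in the thread.
# The last line (a DNS reply) is invented so one query counts as answered.
SAMPLE = """\
23:37:23.564893 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
23:37:23.619931 IP 192.168.3.3 > 224.0.0.2: igmp
23:37:24.559538 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
23:37:25.457114 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
23:37:25.457435 IP 192.168.3.1.67 > 192.168.3.3.68: UDP, length 300
23:37:25.502920 IP 192.168.3.3.59259 > 192.168.3.1.53: UDP, length 42
23:37:25.503410 IP 192.168.3.1.53 > 192.168.3.3.59259: UDP, length 74
"""

# "<time> IP <src ip>.<src port> > <dst ip>.<dst port>: UDP, length <n>"
UDP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def parse_udp(text):
    """Yield (src_ip, src_port, dst_ip, dst_port); non-UDP lines (igmp) are skipped."""
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            sip, sport, dip, dport = m.groups()
            yield sip, int(sport), dip, int(dport)

def unanswered(text, service_port=53):
    """Map (client_ip, client_port, server_ip) -> attempts, for queries never answered."""
    sent, replied = defaultdict(int), set()
    for sip, sport, dip, dport in parse_udp(text):
        if dport == service_port:
            sent[(sip, sport, dip)] += 1
        elif sport == service_port:
            replied.add((dip, dport, sip))  # reply seen: flip it to the query's key
    return {flow: n for flow, n in sent.items() if flow not in replied}

def dhcp_counts(text):
    """Count DHCP packets per direction; a full lease exchange shows two each way."""
    counts = {"client_to_server": 0, "server_to_client": 0}
    for _, sport, _, dport in parse_udp(text):
        if (sport, dport) == (68, 67):
            counts["client_to_server"] += 1
        elif (sport, dport) == (67, 68):
            counts["server_to_client"] += 1
    return counts

if __name__ == "__main__":
    for (client, port, server), n in unanswered(SAMPLE).items():
        print(f"{client}:{port} -> {server}:53 sent {n}x, no reply captured")
    print("DHCP:", dhcp_counts(SAMPLE))
```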


