OPT1 - Unifi Access Point - No Internet Access



  • Hi folks,

Hopefully someone can help me out because I'm about to throw my Unifi AC Pro out the window in a Frisbee fashion!

Here's my current setup:

    Dell Optiplex 3020 SFF
    4Port Intel NIC

    igb0= WAN
    igb1= LAN > 8Port Unmanaged Switch > R7000 in AP Mode (192.168.33.1/24)
    igb2= WIFI > Unifi AC PRO (192.168.66.1/24)

So I have set up the igb2 interface, enabled it, set the gateway IP (192.168.66.1), configured the DHCP server and range (192.168.66.100-200), configured an allow-all rule in the firewall settings, and my NAT outbound rule was created automatically using Hybrid mode.

I have set up my Unifi AC PRO unit via the SDN Controller and it is now connected directly into the igb2 port on my pfSense machine.

Everything seems to be working perfectly: I connect to the new WIFI network AP and I'm served an IP from my configured DHCP range from pfSense; I can also ping devices on my LAN network and my LAN network can ping devices connected to my new WIFI network - perfect!

My LAN network is working flawlessly; at the moment I have some Ethernet-connected devices and an R7000 in AP mode connected to my LAN's unmanaged switch, and any wireless devices connected to the R7000 are getting access to the internet. (I hope to remove the R7000 once I get the Unifi working correctly.)

My new WIFI network on igb2, however, is not giving me internet access. I can connect to the Unifi AP, I am served an IP address from pfSense and I am able to ping across my entire network including my LAN network, but there is just no internet access through this igb2 interface???

I checked my firewall logs hoping to find the problem, but all I am seeing for this interface is Default Deny for IPv6 communications, which is fine as I do not use IPv6 and neither does my ISP.

When I connect to my LAN network, the DNS address on my devices is automatically assigned as 192.168.33.1 (pfSense).

When I connect to my WIFI network my DNS is assigned too, but it is given as 192.168.66.1, which is the static address I gave this interface, so I'm assuming this is correct?

Am I missing something here?

    Please help
    Regards
    W



  • @wireis said in OPT1 - Unifi Access Point - No Internet Access:

So I have set up the igb2 interface, enabled it, set the gateway IP (192.168.66.1), configured the DHCP server and range (192.168.66.100-200), configured an allow-all rule in the firewall settings, and my NAT outbound rule was created automatically using Hybrid mode.

You should not have set any Gateway for this interface. Only set the Gateway on the WAN interface, because that is your upstream.
    Maybe post screenshots showing your Interface Configuration, Firewall Rules and NAT.

    -Rico



Sorry, I may have worded that incorrectly regarding the gateway; hopefully these are more useful.

(screenshot)

(screenshot)

(screenshot)

    Regards,
    W



  • Can you resolve domain names on your WIFI clients? If not, can you ping public IP addresses?



No, I am unable to resolve any domains; I can only ping internal addresses, not external addresses such as 8.8.8.8.



Any floating rules that may mess with the WIFI net? Do a filter reload at Status -> Filter Reload and check if there are any errors. If you recently updated to 2.4.4, check that the default gateways are properly set at System -> Routing.



There were two rules in floating but I have disabled them and reset states, with no luck...

Filter reload did not return any errors and my firmware is 2.4.3-RELEASE-p1.

Gateways are configured correctly in Routing.

Should I try updating to 2.4.4?

(screenshot)



  • @wireis said in OPT1 - Unifi Access Point - No Internet Access:

Should I try updating to 2.4.4?

    Sooner or later you will have to, but make sure you read the release notes and the update guide before you do.

Do a packet capture on your WIFI interface and check if any requests for the internet arrive there; if not, it's a problem with your client. Also, you are running two wireless LANs at the moment, so make sure the test client is only connected to one at a time. If it's connected to both you may end up with routing problems on your client; the same goes for wired connections.

You can also disconnect the R7000 and connect the Unifi AP to your switch; this should put clients connecting to it into your working LAN network. If they then still fail to connect to the Internet, you need to check the AP configuration.

    Edit: You mentioned you have Outbound NAT in hybrid mode, in that case show your user rules for it too.



@Grimson thank you for your advice on this so far, I really appreciate it. I'll try this out and will report back tomorrow. Yes, my Unifi AP does work when simply connected to my LAN Ethernet switch; however, I intend to use VLANs on the Unifi AP and my switch doesn't support them, so I thought I would use one of my two spare OPT ports on my NIC.

    Regards,
    W



(screenshot)



Ok, quite a few superfluous rules in there. Do you pull the default routes via OpenVPN, so that all the traffic is routed over it? In that case you need to add an outbound NAT rule for your WIFI network too, or specify your normal WAN gateway in the default rule of the WIFI network.



  • @grimson said in OPT1 - Unifi Access Point - No Internet Access:

Ok, quite a few superfluous rules in there. Do you pull the default routes via OpenVPN, so that all the traffic is routed over it? In that case you need to add an outbound NAT rule for your WIFI network too, or specify your normal WAN gateway in the default rule of the WIFI network.

Ok, we have this solved @Grimson. I am using OpenVPN by default across my main LAN network, and I create static leases and force the WAN gateway for devices I wish to bypass the VPN; otherwise anything else that connects to my LAN network gets forced down the tunnel.

I changed the gateway from "default" to "WAN_DHCP" under the Advanced settings tab in Firewall > Rules > WIFI and this has fixed my issues!

See the screenshot below:

(screenshot)

Many thanks for the support; I am not an IT technician, I am merely an enthusiast when it comes to this sort of stuff.

Apologies if I have been a total idiot with this, but hopefully it will help out another idiot some day.

    Regards
    W



Ok, now that we've found the cause, you need to make sure your rules on the WIFI net are right. If you don't intend to route the devices on that network through your VPN connection, but want them to talk to devices on another local network, you will need an additional rule. That rule needs to be placed above the default rule, with the source of your WIFI net, the destination being your local network(s), and its gateway needs to be "default". That is because currently all connections coming from your WIFI net will be routed out of your WAN gateway.

For more in-depth details you'd better read up on policy routing.
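The thread's root cause and its fix can be checked on paper with a small model of how pfSense walks interface rules (top to bottom, first match wins) and of what the rule's Gateway setting plus Outbound NAT decide. The script below is an added example written for this page, not code from the thread or from pfSense; the networks (192.168.33.0/24 LAN, 192.168.66.0/24 WIFI), the gateway names "WAN_DHCP" and "default", and the idea of an OpenVPN default route come from the thread, while the gateway name OPENVPN_VPNV4, the outbound NAT tables and the evaluation rules are constructed assumptions. It reproduces the four states discussed: the original WIFI rule with gateway "default" and no NAT on the VPN (no internet), Grimson's alternative of adding an outbound NAT rule on the VPN, wireis's fix of policy-routing to WAN_DHCP (internet works, but LAN traffic is sent out WAN), and the corrected rule set with a "default"-gateway rule for the local networks placed above it.

```python
"""Model of pfSense first-match rule evaluation with policy routing and
outbound NAT.  Added example; the model is an assumption, not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    src: str       # source network (CIDR)
    dst: str       # destination network (CIDR) or "any"
    gateway: str   # "default" = follow the routing table; anything else = policy route


@dataclass
class Firewall:
    rules: list           # ordered rules on the WIFI interface tab
    default_route: str    # gateway the routing table's default route points at
    outbound_nat: dict    # gateway name -> source networks that get NAT on it


# Constructed: the router's directly connected networks (LAN and WIFI from the thread).
LOCAL_NETS = [ip_network("192.168.33.0/24"), ip_network("192.168.66.0/24")]
LAN, WIFI = "192.168.33.0/24", "192.168.66.0/24"
WAN, VPN = "WAN_DHCP", "OPENVPN_VPNV4"   # OPENVPN_VPNV4 is an assumed name


def is_local(dst: str) -> bool:
    return any(ip_address(dst) in net for net in LOCAL_NETS)


def matches(rule: Rule, src: str, dst: str) -> bool:
    if ip_address(src) not in ip_network(rule.src):
        return False
    return rule.dst == "any" or ip_address(dst) in ip_network(rule.dst)


def egress(fw: Firewall, src: str, dst: str):
    """Walk the rules top to bottom; the first match decides.

    Returns ("local", None) when the packet stays on a connected network,
    ("misrouted", gw) when a policy route pushes local traffic out a WAN-type
    gateway, (gw, nat_ok) when it leaves via gw, or ("blocked", None)."""
    for rule in fw.rules:
        if not matches(rule, src, dst):
            continue
        if rule.gateway == "default":
            if is_local(dst):
                return ("local", None)
            gw = fw.default_route            # routing table: here the VPN tunnel
        else:
            if is_local(dst):
                return ("misrouted", rule.gateway)
            gw = rule.gateway                # policy routing overrides the table
        nat_ok = any(ip_address(src) in ip_network(n)
                     for n in fw.outbound_nat.get(gw, []))
        return (gw, nat_ok)
    return ("blocked", None)


def has_internet(fw: Firewall, src: str, dst: str = "8.8.8.8") -> bool:
    gw, nat_ok = egress(fw, src, dst)
    return gw not in ("local", "blocked", "misrouted") and bool(nat_ok)


# 1. As posted: WIFI rule uses the "default" gateway, which the OpenVPN client has
#    taken over, and only the LAN has an outbound NAT entry on the tunnel.
ORIGINAL = Firewall([Rule(WIFI, "any", "default")], VPN,
                    {WAN: [LAN, WIFI], VPN: [LAN]})

# 2. Grimson's first option: add an outbound NAT rule for WIFI on the VPN.
NAT_ON_VPN = Firewall([Rule(WIFI, "any", "default")], VPN,
                      {WAN: [LAN, WIFI], VPN: [LAN, WIFI]})

# 3. wireis's fix: point the only WIFI rule at WAN_DHCP.
POLICY_ROUTED = Firewall([Rule(WIFI, "any", WAN)], VPN,
                         {WAN: [LAN, WIFI], VPN: [LAN]})

# 4. Grimson's follow-up: a "default"-gateway rule for local traffic placed above it.
CORRECTED = Firewall([Rule(WIFI, LAN, "default"), Rule(WIFI, "any", WAN)], VPN,
                     {WAN: [LAN, WIFI], VPN: [LAN]})

if __name__ == "__main__":
    client, lan_host = "192.168.66.150", "192.168.33.10"
    for name, fw in [("original", ORIGINAL), ("nat on vpn", NAT_ON_VPN),
                     ("policy routed", POLICY_ROUTED), ("corrected", CORRECTED)]:
        print(f"{name:14} internet={has_internet(fw, client)!s:5} "
              f"to LAN={egress(fw, client, lan_host)}")
```

Reading the output: the original setup fails not at the firewall rule but at NAT, because the tunnel has no outbound NAT entry for 192.168.66.0/24, which is why the firewall log showed nothing. The single WAN_DHCP rule fixes internet access but reports the LAN destination as misrouted, which is the reason for the extra local-network rule above it.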