Netgate Discussion Forum
    Wireless on same subnet while using a non-PfSense DHCP Server

    Category: Wireless. 18 Posts, 4 Posters, 11.0k Views

    weediez

      Hello, I'm trying to get wireless working on the same subnet and using a different DHCP server than PfSense.

      Our main subnet is 192.168.0.x --> I had the wireless interface set up as 192.168.1.x so it was on its own subnet, and then I enabled DHCP on the interface.  I was able to connect to the AP, get an IP and browse the web.  We want to have the wireless set up so that it's on our main subnet 192.168.0.x and have DHCP disabled so that the DHCP server we already have in place can dish out IPs to whomever connects to the wireless AP.

      When I turn off DHCP on the interface and set the OPT1 (Wireless) IP to 192.168.0.250, and then I try to connect to the AP, it gives me a 169, limited or no connectivity.

      I then set the OPT1 IP to one that is on our subnet and then I enabled the DHCP for the OPT1 device.  I then was able to connect no problem with a valid IP in the range I had set.  However, I am not able to get on the web or connect to any of our network shares.  I can ping the router @ 192.168.0.1.

      I then tried going into the OPT1 settings and bridged it with the LAN device, which points to the IP of 192.168.0.1.  I saved those settings and I am still able to get a valid IP, it refreshes the proper DNS and gateway IPs, but I can't connect to the web or any network shares.

      Anyone have any insight on this?  Anything would be greatly appreciated.

      OMEN

        Firstly:
        Hey :)

        What version of pfSense are you using?
        Is the wireless interface on the PFS box taking internet from another access point? Or is the wireless interface providing AP (access point) service?

        If you are providing AP service on the wireless interface you need to enable DHCP relay agent and may need to enable some additional options.

        domain/shares should be solved by typing in correct hostname say PFSBOX.yourdomain

        The best advice would be, to create another subnet;
        so:
        ethernet LAN = 192.168.0.x
        wifi LAN = 192.168.1.x

        Creating a different subnet for WIRELESS users gives you more granular control and you can implement more stringent security measures. Having the WIRELESS LAN and your ETHERNET LAN on the same subnet is just an all-you-can-eat for anyone trigger happy with a copy of Backtrack 3..

        I apologise I can't give the exact directions to where what settings are; I will when I get home to my PFS box :)

        GruensFroeschli

          Don't set an IP on the wireless OPT interface.
          Bridge the OPT interface with the interface on which the DHCP is running.
          Create rules that allow traffic from the bridged OPT interface or you won't be able to get a DHCP lease from the DHCP on the other side of the bridge.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          weediez

            1.2.2

            Yes, it's set up as its own AP.  Whenever I would set it as Ad-Hoc it would shut down before I even saved anything and keep looping on the reboot at configuring the OPT1 device.

            weediez

              I know it works for sure when I create a subnet for it, and I used 192.168.1.1 instead of 192.168.0.1 and I was able to get internet, network shares, everything.

              We just would rather have it on the same subnet.  I mean even when it is on the same subnet I can connect to the network and I can get our DHCP server to give it a free IP, but we just can't get online or access any network resources.  It refreshes the proper DNS and points to the right gateway as well, but like I said it will not let us connect to the internet at all, even though it has a valid open IP from our separate DHCP server.

              Even if I enable DHCP on the OPT1 it connects to the wireless network and it gives me the right IP in the range I give it, but it still doesn't let us get online.  That's where we're stuck.

              OMEN

                In the DNS and gateway settings point to YOUR DNS SERVER AND YOUR GATEWAY.

                So if you have w2k3, use that as the DNS server in the DHCP server options on your WIRELESS AP interface.
                If your gateway is a router then set the gateway for your PFS box to that router, and leave the gateway blank in the DHCP server options on your WIRELESS AP interface.

                weediez

                  OK, I'll try all of those suggestions and let you know how it goes.

                  ktims

                    @weediez:

                    We just would rather have it on the same subnet.  I mean even when it is on the same subnet I can connect to the network and I can get our DHCP server to give it a free IP, but we just can't get online or access any network resources.  It refreshes the proper DNS and points to the right gateway as well, but like I said it will not let us connect to the internet at all, even though it has a valid open IP from our separate DHCP server.

                    Even if I enable DHCP on the OPT1 it connects to the wireless network and it gives me the right IP in the range I give it, but it still doesn't let us get online.   That's where we're stuck.

                    Configure the interface so it is bridged to your LAN interface, then create rules to allow the traffic. You need to explicitly create a rule to allow DHCP in addition to rule(s) to allow other traffic. Depending on how strict your LAN ruleset is you may need to adjust the rules there as well.

                    If you've done this and it's still not working, let's see what your rules do look like.

                    weediez

                      Can you give me an example, or give me the information that I would need to set that sort of rule up?

                      ktims

                        Here's what I have set up at one install. It uses a DHCP server running on the pfSense box, but since DHCP is broadcast traffic it should work with an external DHCP server as well (obviously it must be on the LAN segment). The DHCP rule is a bit less granular than it could be, and obviously the allow all rule is less than optimal, but this config should work. As mentioned, you'll need to bridge the interfaces as well.

                        [attachment: rules.png]

                        weediez

                          OK, ya, we tried bridging it as well at one point but we didn't create any rules.  Thanks a lot, I'll give your suggestion a try and let you know how it goes.

                          weediez

                            I posted screenshots of my rules for my LAN device and my OPT1 (Wireless AP).  OPT1 is bridged with LAN.

                            I haven't put the box live again since yesterday, just wanted insight on these rules before I do go live with it.

                            [attachments: OPT1 rules.JPG, LAN Firewall Rules.JPG]

                            ktims

                              If you don't want traffic to be able to pass from the wireless LAN to the wired LAN, I would prefer to explicitly create a block or reject rule. The effect is the same, but it's more 'self documenting' than letting that traffic default out. Put all your reject rules first, then you can get rid of the 'not LAN subnet' destination specification.

                              This is more personal preference than anything (I don't like using NOTs in my firewall rules, or letting traffic intentionally hit the policy rules) as your ruleset should work as you expect.

                              weediez

                                Well, I can get DHCP to give me IPs when I connect devices to my AP, which is OPT1.  But I can't access network shares or the internet.  So that's why I'm just asking what rule I need to put in place to be able to access the web and get network access.  I also need to know where I add the rules.  Thanks.

                                ktims

                                  It may be the NOT LAN net rule that's causing the problem; it's probably blocking traffic to the default gateway (on the LAN net), and what you're seeing makes sense. Keep things simple when testing, and just add an allow-all rule and see if that works before you try anything else.

                                  Though really, if you want the WLAN and LAN segregated, it makes a lot more sense to just have a separate subnet. If the machines on the segment can't talk to each other, why do they need to use the same DHCP, seems a bit of a strange requirement.

                                  OMEN
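                                  The two points ktims makes above (a bridged OPT1 interface needs an explicit rule for DHCP in addition to whatever else it allows, and an explicit reject is clearer than a "NOT LAN net" destination because traffic that matches no rule simply falls through) come down to how pfSense evaluates interface rules: top to bottom, first match wins, and anything no rule matches is dropped by the implicit default deny. The script below is an added example written for this thread, not code from the thread or from pfSense; it models that first-match behaviour for the three rulesets discussed (the posted "NOT LAN net" version, the explicit-reject version, and the allow-all test ruleset) and runs constructed sample packets through them. The LAN subnet 192.168.0.0/24 and gateway 192.168.0.1 are the thread's; the client 192.168.0.137, the LAN DNS server 192.168.0.10, the file server 192.168.0.20 and the external host 203.0.113.10 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The thread's wired LAN; pfSense's "LAN net" alias expands to this subnet.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")


@dataclass
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                                 # "pass" or "reject"
    proto: Optional[str] = None                 # None matches any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    dst_negate: bool = False                    # the "not" box on destination
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst_net is not None:
            in_net = ipaddress.ip_address(pkt.dst) in self.dst_net
            # A negated destination matches only when the address is outside the net.
            if in_net == self.dst_negate:
                return False
        return True


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins; no match falls to the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


# DHCP clients broadcast from UDP port 68 to port 67; this is the explicit rule
# the bridged interface needs so leases can cross the bridge.
DHCP_RULE = Rule("pass", proto="udp", sport=68, dport=67, label="allow DHCP client->server")

# Ruleset as discussed: DHCP, then allow everything whose destination is NOT LAN net.
NOT_LAN_RULESET = [
    DHCP_RULE,
    Rule("pass", dst_net=LAN_NET, dst_negate=True, label="allow to !LAN net"),
]

# Same intent, written the self-documenting way: explicit reject first, then allow all.
EXPLICIT_RULESET = [
    DHCP_RULE,
    Rule("reject", dst_net=LAN_NET, label="reject wireless->LAN net"),
    Rule("pass", label="allow all"),
]

# The "keep it simple while testing" ruleset.
OPEN_RULESET = [DHCP_RULE, Rule("pass", label="allow all")]

# Constructed sample traffic from a wireless client (addresses are assumptions).
SAMPLE_PACKETS = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns_to_lan_server": Packet("udp", "192.168.0.137", "192.168.0.10", 51000, 53),
    "smb_share": Packet("tcp", "192.168.0.137", "192.168.0.20", 51001, 445),
    "ping_gateway": Packet("icmp", "192.168.0.137", "192.168.0.1"),
    "https_external": Packet("tcp", "192.168.0.137", "203.0.113.10", 51002, 443),
}


def run(rules, packets=SAMPLE_PACKETS):
    """Return {packet name: action} for a ruleset."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for title, rules in (("NOT LAN net", NOT_LAN_RULESET),
                         ("explicit reject", EXPLICIT_RULESET),
                         ("allow all", OPEN_RULESET)):
        print(f"--- {title} ---")
        for name, pkt in SAMPLE_PACKETS.items():
            action, label = evaluate(rules, pkt)
            print(f"{name:18} {action:6} ({label})")
```

                                  Running it shows the pattern in the thread: under the "NOT LAN net" ruleset the DHCP broadcast and the external destination pass, while DNS, SMB and ping to hosts on the LAN match nothing and are silently dropped by the default deny, which is exactly "valid lease, no shares". The explicit-reject ruleset produces the same outcome, but each drop is attributed to a named rule, and the allow-all ruleset passes everything, which is the quick check suggested above before anything more granular is added.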

                                    Forgive me for this, but a quick Google:

                                    http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx
                                    You need certain ports forwarded to get functionality:

                                    NetBIOS 137, 138 and 139
                                    SMB (shares) 445
                                    DNS 53

                                    weediez

                                      Yea, I'm not too sure to be honest.  It's what my boss wants done.  I will try removing that rule and see if that helps at all.  Thanks guys.

                                      weediez

                                        Thanks Omen, appreciate that man.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.