Connect 3 buildings with pfSense & ALIX PC at 5GHz



  • I would like to connect 3 buildings like in the diagram below. I have CM9 Atheros cards, Alix 2c2 and pfSense installed.

    So far I have set up pfSense AP with the addresses in the diagram and one pfSense BBS (client).
    From the client I can ping the pfSense AP address on the OPT1 interface, but from the pfSense AP interface I can't ping the client IP address. I have enabled Advanced Outbound NAT and deleted the rules that were created automatically, and created rules "pass any from LAN" and "pass any from OPT1".

    Am I doing something wrong?

    Is this kind of connection between three buildings, where every computer in office1 and office2 must see every computer in the main office, possible?

    Can someone help?

    Thanks



  • Your problem is that pfSense AP doesn't know about either of the client LAN segments, so the return traffic is going out to the default gateway and not back to the proper network.

    To fix this you either need to enable RIP on all 3 pfSense machines, or create static routes defining your network. If you do static routes, they should look like this:

    pfSense - AP:

    dest: x.y.12.0/24 gateway: x.y.11.11
    dest: x.y.13.0/24 gateway: x.y.11.12

    pfSense - BBS (1) - you don't need these routes if x.y.11.10 is your default gateway on these boxes

    dest: x.y.10.0/24 gateway: x.y.11.10
    dest: x.y.13.0/24 gateway: x.y.11.10

    pfSense - BBS (2) - you don't need these routes if x.y.11.10 is your default gateway on these boxes

    dest: x.y.10.0/24 gateway: x.y.11.10
    dest: x.y.12.0/24 gateway: x.y.11.10

    You'll also need to make sure your firewall rules are set up to allow the traffic to pass.
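    As an added illustration of the routing point made above (example code written for this page, not from the original thread and not pfSense's own code): a small Python model of the three boxes' forwarding tables that does longest-prefix lookups and follows next hops, showing where the AP sends a reply to a BBS1 LAN host before and after the two static routes are added, and why BBS1/BBS2 need no routes of their own when x.y.11.10 is their default gateway. It models routing only (no firewall rules, no NAT). The thread's "x.y" is taken as 10.0, and the AP's upstream default gateway 10.0.10.1 is a hypothetical value the thread never gives.

```python
import ipaddress

# Added example, not from the thread. Addresses assume the thread's "x.y" is 10.0;
# the AP's upstream default gateway 10.0.10.1 is hypothetical (the thread never gives it).


def build_router(name, addrs, static_routes, default_gw):
    """addrs: {iface: 'ip/len'}; static_routes: [(prefix, gateway)]; default_gw: str or None."""
    table = []
    # Connected networks: delivered straight out of the interface, no gateway involved.
    for iface, cidr in addrs.items():
        table.append((ipaddress.ip_network(cidr, strict=False), None, iface))
    for prefix, gw in static_routes:
        table.append((ipaddress.ip_network(prefix), ipaddress.ip_address(gw), None))
    if default_gw:
        table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw), None))
    own_ips = {ipaddress.ip_interface(cidr).ip: iface for iface, cidr in addrs.items()}
    return {"name": name, "addrs": own_ips, "table": table}


def lookup(router, dst):
    """Longest-prefix match: the most specific table entry containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in router["table"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def trace(routers, start, dst, max_hops=8):
    """Follow next hops from router `start` toward dst.

    Returns (list of boxes traversed, description of where the packet ends up)."""
    by_ip = {ip: r["name"] for r in routers.values() for ip in r["addrs"]}
    dst = ipaddress.ip_address(dst)
    path = [start]
    cur = routers[start]
    for _ in range(max_hops):
        entry = lookup(cur, dst)
        if entry is None:
            return path, "no route"
        net, gw, iface = entry
        if gw is None:
            return path, f"delivered by {cur['name']} on {iface} ({net})"
        if gw not in by_ip:
            return path, f"handed to {gw} via {net} (not one of the three boxes: wrong way)"
        path.append(by_ip[gw])
        cur = routers[by_ip[gw]]
    return path, "routing loop"


def topology(with_ap_static_routes):
    """The thread's three boxes. BBS1 and BBS2 use the AP's wireless address as their
    default gateway, so they need no static routes of their own."""
    ap_routes = [("10.0.12.0/24", "10.0.11.11"), ("10.0.13.0/24", "10.0.11.12")] if with_ap_static_routes else []
    boxes = [
        build_router("AP", {"LAN": "10.0.10.10/24", "OPT1": "10.0.11.10/24"}, ap_routes, "10.0.10.1"),
        build_router("BBS1", {"OPT1": "10.0.11.11/24", "LAN": "10.0.12.10/24"}, [], "10.0.11.10"),
        build_router("BBS2", {"OPT1": "10.0.11.12/24", "LAN": "10.0.13.10/24"}, [], "10.0.11.10"),
    ]
    return {b["name"]: b for b in boxes}


if __name__ == "__main__":
    for label, routers in (("without AP static routes", topology(False)),
                           ("with AP static routes", topology(True))):
        print(label)
        for start, dst in (("AP", "10.0.12.22"), ("BBS1", "10.0.10.50"), ("BBS1", "10.0.13.22")):
            path, outcome = trace(routers, start, dst)
            print(f"  {start} -> {dst}: {' > '.join(path)}; {outcome}")
```

    Without the routes the AP's only match for 10.0.12.22 is the default route, so the reply leaves toward 10.0.10.1 and never reaches the wireless side; with them it is forwarded to BBS1, and BBS1's default route alone carries traffic to the main office and, via the AP, to BBS2's LAN.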



  • Thanks for the fast reply!
    Before I add static routes, must pfSense AP be able to ping the pfSense BBS1 IP address from the OPT1 interface, or not?



  • You won't be able to ping BBS1 LAN address until you set up the static routes. But yes, you must have wireless connectivity and be able to ping the BBS OPT1 interface.



  • I think this is the main problem.
    From the pfSense AP interface OPT1-AP I can't ping the pfSense BBS interface OPT1-BBS.
    From the pfSense BBS interface OPT1-BBS I can ping the pfSense AP interface OPT1-AP.

    I think this means that PF BBS is connected to PF AP.
    The first step I need to solve is to ping from AP to BBS, or not?
    And how do I do that?
    Again, thanks for the fast reply.



  • First step that I need to solve is to ping from AP to BBS, or not?

    Just to be clear, I presume you mean that from the console of PFSENSE-AP you give the command

    ping x.y.11.12

    How does it fail? What does it report?

    I don't know if this matters, but I assume the wireless interface on PFSENSE-AP is in Access Point mode and the wireless interface on PFSENSE BBS is in Infrastructure mode.



  • Not from the console, from the web interface on pfSense AP.
    Yes,
    the wireless interface on pfSense AP is in AP mode,
    the wireless interface on pfSense BBS is in BBS (infrastructure) mode.

    From the web interface on BBS pfSense I can ping AP.
    Thanks for the reply.



  • What do your firewall rules look like?



  • First:
    Thanks to all who answered my post. Thanks to the people on this forum and of course thanks to the builders of pfSense.
    I have been out of town for a couple of days and yesterday I continued my work.
    My pfSense AP had some strange behaviour and I decided to start from scratch.
    Factory default on all pf-s and after a short configuration everything is working.
    I will deal with the security issues after I put the PF-s and antenna in place.
    Here is my pfSense AP config:

    STATIC ROUTES
    Interface   Network        Gateway
    LAN         x.y.12.0/24    x.y.11.11

    Advanced Outbound NAT
    interface | source | source port | destination | dest port | nat address | nat port | staticport
    lan       | any    | *           | *           | *         | *           | *        | no
    opt1      | any    | *           | *           | *         | *           | *        | no

    firewall rules
    lan: default rule
    opt1:
    protocol | sourceport | destination | port | gateway | schedule
    *        | *          | *           | *    | *

    If I complete my goal I will put a detailed description here.

    Thanks again



  • I am trying to set up this same configuration, as I have a similar need.  I have a strange problem however…

    Both PF boxes can ping each other across the wireless link (Diagnostics>ping menu) on both LAN & OPT1.  However, the laptop I have connected cannot ping the PF on the other side of the wireless link (in either direction) or access the pf webserver.

    If my laptop is connected to the BBS1 network on x.y.12.22, what should the gateway be? I would think x.y.12.10.  (I have tried x.y.12.10, x.y.10.205, x.y.10.11, x.y.10.10 and none of them worked.)

    I have firewall rules on AP and BBS1 with allow all for LAN and OPT1 for testing.  I also set up the Advanced Outbound NAT (Manual) for OPT1 and LAN as shown in the example by the main poster.

    I need machines at the BBS1 site to be able to communicate with machines at the AP site.  Do I need RIP to get this to work correctly?

    Thanks!



  • @chmodman:

    Both PF boxes can ping each other across the wireless link (Diagnostics>ping menu) on both LAN & OPT1.  However, the laptop I have connected cannot ping the PF on the other side of the wireless link (in either direction) or access the pf webserver.

    If my laptop is connected to the BBS1 network on x.y.12.22, what should the gateway be? I would think x.y.12.10.  (I have tried x.y.12.10, x.y.10.205, x.y.10.11, x.y.10.10 and none of them worked.)

    You didn't say enough about how the laptop's networking is configured. I presume its interface is x.y.12.22/24. If so, the pfSense box at x.y.12.10/24 is on the same subnet and the two should be able to communicate. Have you tried that? To get off the same subnet the laptop needs a default route or (possibly) a number of more specific routes. Does it have suitable routes? (If the laptop got its IP address from pfSense by DHCP then the default route would normally be setup correctly.)

    A good way to get a better idea of what is going on is to use the traceroute utility (Linux/BSD) or the tracert utility (Windows). For example,

    traceroute x.y.11.12

    will list the IP addresses on the way to x.y.11.12. On Windows, type tracert at a command prompt.



  • Yes, my laptop is configured as x.y.12.22/24 - and I am able to pull up the local pf box at x.y.12.10 just not the pf box at the other side of the wireless link.

    I was able to resolve this problem by disabling the firewall on the AP, which I guess is ok for this setup as the AP is behind another firewall.  (Advanced>Disable all Packet Filtering)

    Any idea why this would need to be disabled?

    Thanks



  • @chmodman:

    Any idea why this would need to be disabled?
    Thanks

    Guess your AP had a firewall rule (or rules) that blocked your traffic from the laptop.

    Looking at the firewall log on the AP or pf statistics can sometimes give a clue as to which rule is causing the blocking.
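    To act on the suggestion above (an added example written for this page; not code from the thread or from pfSense): a Python parser for the tcpdump-style text that pf log lines carry, the form pfSense's filter log shows and `tcpdump -n -e -r /var/log/pflog` prints, run over a few constructed sample lines. It tallies block verdicts per rule number, interface and direction, and lists blocked flows between two subnets, which is the laptop-to-AP case in this thread. The sample lines are made up for the example, with the thread's "x.y" taken as 10.0; `ath0` as the Atheros wireless (OPT1) interface and `vr0` as the ALIX LAN port are assumptions. The first number in `rule N/0` is the index pf assigns to the loaded rule, the `@N` shown by `pfctl -vvsr`, which is what lets you map a log line back to the rule that dropped the packet.

```python
import ipaddress
import re
from collections import Counter

# Added example, not from the thread. Matches the tcpdump-style pf log verdict:
#   rule <index>/<sub>(<reason>): <action> <dir> on <iface>: <src> > <dst>: ...
# Only the part up to the destination address is needed; the rest is ignored.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>[^:\s]+): (?P<src>\S+) > (?P<dst>[^:\s]+):"
)

# Constructed sample log lines; addresses follow the thread with x.y taken as 10.0.
# ath0 is assumed to be the Atheros wireless (OPT1) interface and vr0 the ALIX LAN port.
SAMPLE_LOG = """\
Mar  3 10:12:01 pfsense pf: 000000 rule 12/0(match): block in on ath0: 10.0.12.22 > 10.0.10.10: ICMP echo request, id 5, seq 1, length 64
Mar  3 10:12:02 pfsense pf: 000000 rule 12/0(match): block in on ath0: 10.0.12.22 > 10.0.10.10: ICMP echo request, id 5, seq 2, length 64
Mar  3 10:12:05 pfsense pf: 000000 rule 12/0(match): block in on ath0: 10.0.12.22.51234 > 10.0.10.10.80: S 1:1(0) win 65535
Mar  3 10:12:07 pfsense pf: 000000 rule 3/0(match): pass in on ath0: 10.0.11.11 > 10.0.11.10: ICMP echo request, id 7, seq 1, length 64
Mar  3 10:12:09 pfsense pf: 000000 rule 25/0(match): block in on vr0: 10.0.10.50.4444 > 10.0.10.10.22: S 9:9(0) win 5840
Mar  3 10:12:11 pfsense last message repeated 2 times
"""


def host_of(endpoint):
    """tcpdump writes TCP/UDP endpoints as a.b.c.d.port; strip the port if present."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def parse_pflog(line):
    """Return a dict for a pf verdict line, or None for lines that are not verdicts."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = host_of(entry["src"])
    entry["dst"] = host_of(entry["dst"])
    return entry


def blocks_by_rule(lines):
    """Count block verdicts per (rule index, interface, direction).

    The rule index is the position of the loaded rule, the @N in `pfctl -vvsr`."""
    counts = Counter()
    for line in lines:
        e = parse_pflog(line)
        if e and e["action"] == "block":
            counts[(e["rule"], e["iface"], e["dir"])] += 1
    return counts


def blocks_between(lines, src_net, dst_net):
    """Blocked entries whose source and destination fall in the given subnets."""
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    hits = []
    for line in lines:
        e = parse_pflog(line)
        if (e and e["action"] == "block"
                and ipaddress.ip_address(e["src"]) in src_net
                and ipaddress.ip_address(e["dst"]) in dst_net):
            hits.append(e)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (rule, iface, direction), n in blocks_by_rule(lines).most_common():
        print(f"rule @{rule} blocked {n} packet(s) {direction} on {iface}; "
              f"inspect it with: pfctl -vvsr | grep -A3 '^@{rule} '")
    for e in blocks_between(lines, "10.0.12.0/24", "10.0.10.0/24"):
        print(f"BBS1 side {e['src']} -> AP side {e['dst']} dropped by rule @{e['rule']} on {e['iface']}")
```

    On a real box, feed it the filter log instead of `SAMPLE_LOG` and look up the top rule index with `pfctl -vvsr`; that tells you which rule to fix rather than disabling packet filtering altogether.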

