[SOLVED] Strange issue with Access Point connected to pfSense



  • Just replaced my old wireless router acting as an access point with a new Tp-Link EAP225 AC1350 v3 AP.

    The new AP is up and running but I have run into a strange issue I am failing to understand.

    During the initial setup of the new AP I enabled a feature in it to only allow certain pc's by MAC address to access it's web management gui. I allowed only my laptop which I connect both by wire or wireless and my desktop pc which resides in a different subnet.

    I found that If I connect to the AP using my laptop wirelessly I can log into the AP as expected. I can also use the laptop when wired to the same un-managed switch that the AP is connected to and log into the AP without issue.

    Now here is the issue I cannot understand. If I try to log into the AP using a wired connection but from a different subnet, whether it be by my desktop or laptop, the AP's web login page would timeout and never load. My firewall logs showed nothing was blocked and actually showed a successful connection to the AP's IP address(turned on all logs even for passed traffic).

    This stumped me for hours. I finally tried disabling the MAC Authentication feature in the AP and bam.. I can now log into the AP from a different subnet.

    Its like the AP couldn't see or verify the MAC if coming from a different subnet. This will probably boil down to a mistake in my configuration of pfSense but I am unsure what that may be.

    I'm hoping someone can kindly help me understand what is going on here and yes I am certain I entered the MAC addresses into the AP correctly.



  • Hi,

    You just discovered that the MAC address do not travel over to other net work segments.
    When you connect to your AP from a different subject, the AP 'sees' the MAC of the router in front of it, the router between your desktop and the AP. The MAC filter will disallow the connection.

    See, for example https://superuser.com/questions/1083958/is-the-mac-address-needed-outside-of-the-lan

    Also : when you post a message on this forum, the (web) server of this forum will see your original WAN IP,, not even the LAN IP behind it, and never your device's MAC address.



  • @tagit446 said in Strange issue with Access Point connected to pfSense:

    Its like the AP couldn't see or verify the MAC if coming from a different subnet.

    This is basic networking. MAC addresses are used on the local network only and not passed through routers. Take a look at the TCP/IP stack and you'll find IP addresses and MAC addresses are at different levels. When a device sends an IP packet, it places it in an Ethernet frame on the local network. If the destination is on a different network, it has to pass through a router, which strips off the original Ethernet frame and places the IP packet in a new frame on the next network. This will happen at every router along the path to the destination.



  • @Gertjan and @JKnott , Thank you both for explaining this in a way that makes total sense.


Log in to reply