Wired APs drop internet access but not LAN, help
-
Yes, everything is connected to the same device and the same interface.
By default, everything goes through open vpn, however the firewall rules I have specific IPs that I can allow to pass by the VPN and be routed without VPN.
It does not matter if the wifi device has been granted the ability to not go through openVPN or not, it will not have internet access.
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
Yes, everything is connected to the same device and the same interface.
Please draw how you have this connected... And lets be 100% sure that these devices are actually AP.. Since what you say makes zero sense...
What are the IPs in play here? Pfsense doesn't know if a client is wired or wireless... So if your policy routing device with IP 1.2.3.4 out your vpn, and your vpn goes down then sure that makes sense. So all of your wireless devices get IP in range that you policy route out? Lets see your actual rules..
And if I change rule for IP 1.2.3.4 to not policy route, then it would not policy route it.. You will want to make sure you kill any old states for that IP.
-
I've been baffled myself as it has never made much sense to me either in the way that it happens.
I have changed some openVPN settings/configurations. I am not seeing any errors or weird things in the logs, so I think I'll be watching to see if it goes down again.
It is possible that it was only traffic going through the VPN that was effected. I swore I checked a device that wasn't routed through the VPN and it didn't work, but I'm starting to think I must be wrong on that.
-
Reading this guide on PIA and OpenVPN: https://www.ovpn.com/en/guides/pfsense
I'm not quite sure what these are or if they are necessary to change as suggested. I have not seen them mentioned in any other guide.
Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked
Select, so that Do not use the DNS Forwarder or Resolver as a DNS server for the firewall is checked
-
You would not ant dns from your isp - this is a given, and really should always be checked.. Since its pointless when you resolve which is pfsense default.
If you uncheck to let pfsense to use itself for dns - then it would have to be able to use something else for dns.. And it wouldn't be able to resolve any of your local stuff if not asking itself for dns. ie resolver or forwarder - 127.0.0.1
Neither of those two optioins have anything to do with your issue!!
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked
Select, so that Do not use the DNS Forwarder or Resolver as a DNS server for the firewall is checkedThanks!
If I'm reading your statement correct, then the following would be the correct selection for those two options:
Check This Box: Allow DNS server list to be overridden by DHCP/PPP on WAN
Do NOT Check this Box: Do not use the DNS Forwarder or Resolver as a DNS server for the firewall
Edit, I believe the issue was a cert/security algorithm issue with PIA. For whatever reason it wasn't negotiating the correct algorithm, but was still compensating for it on the PIA side. I was seeing an error associated with this. I had to change the cert, port, algo etc... Since doing that, I haven't seen any errors.
Jul 9 00:50:56 openvpn WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
I currently have a ticket open with them to hopefully get the correct algos working properly. As of now, I have not seen near as much in the logs.
-
Your not reading it right - why would you want dhcp to override your dns - that should always be unchecked to be honest.. And by default should be unchecked.
Both boxes should be UNchecked..
In pretty much any configuration. Its going to be very odd setup to check those..
-
Thanks! So far the connection is still good and hasn't dropped. I would say if it stays up a few weeks then the issue is resolved.
-
Hmm. No idea how that could affect things coming over wifi only....
-
it couldn't!!
-
The last setting discussed is just an afterthought on something I saw online. It wasn't really too relevant to the issue or setup.
Here's a question. By DEFAULT all traffic is routed through VPN with openVPN on pfsense. I have setup manual rules to route traffic around the VPN. Is there any way that the address of the AP (not set to be routed around VPN, nor am I even sure that would work that way) could be getting misinterpreted when it goes down and making all traffic from the AP go through the VPN, hence making it appear that everything wireless is not able to connect to the internet.
One thing I did not try was connecting a device via ethernet to the back of the AP when wifi devices can't connect.
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
By DEFAULT all traffic is routed through VPN with openVPN on pfsense.
No not by "default" if you do not pull routes, or your vpn server doesn't hand that out then no it all traffic is not sent out the vpn.
Most vpn services do want all your traffic though - how else would they make any money if info was given to them that they could monetize ;)
Not sure what you think the AP IP has to do with anything? The only reason an "access point" has an IP is for management of that AP... It has zero to do with clients connecting to that AP.. Unless your natting and NOT actually using it as an AP..
Your policy routing if using the AP IP it would only route the AP traffic, maybe it checking for an update?? Have no idea why an AP would need to talk to anything other than the IP of its controller.. It has zero reason to talk to the internet - unless maybe you told it to pull an update or something.. Or it checks on its own for update? Or maybe sync time with ntp?
I think your AP are more than like natting your traffic and not actually AP.
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
Is there any way that the address of the AP (not set to be routed around VPN, nor am I even sure that would work that way) could be getting misinterpreted when it goes down and making all traffic from the AP go through the VPN, hence making it appear that everything wireless is not able to connect to the internet.
Not a chance. The router address is only used to access the management interface. In AP mode, it's 100% irrelevant. A device attached via WiFi AP appears exactly as though it were wired to the network. There is absolutely no difference.
-
@JKnott said in Wired APs drop internet access but not LAN, help:
There is absolutely no difference.
Not sure I would say that ;) Its going to be slower and have more latency then its wired buddies ;) heheh
-
Thanks. It was just a though of possibility. I'll post up if it drops again and with some more relevant troubleshooting info/logs.
-
@johnpoz said in Wired APs drop internet access but not LAN, help:
@JKnott said in Wired APs drop internet access but not LAN, help:
There is absolutely no difference.
Not sure I would say that ;) Its going to be slower and have more latency then its wired buddies ;) heheh
haha, that's the truth. I wired the house last year for that reason.
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
haha, that's the truth. I wired the house last year for that reason.
The point of my comment was there is no difference in the addressing of the packet or frame. I could also reduce the performance by putting a 10 Mb hub on the network. I have one here.
-
Very true - pfsense not going to be able to tell if wired or wireless device...
-
For sure.
Thank you to everyone here. I appreciate the assistance. You have helped my sanity for the time being. pfSense is great and by far the best experience I've had with a router in any setting I've worked in, which isn't a whole lot. Still, I always recommend pfSense to anyone that has the ability to install and work with it.
