Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't access second AP from clients connected to my main AP

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 5 Posters 1.5k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bthovenB Offline
      bthoven
      last edited by

      I attached my diagram here.

      I've been running my pfSense for a few years. Current version 2.4.5.
      I usually use my dd-wrt AP as my only AP with multi-ssid associated with VLANs. Now I'm setting my 2nd AP; and wish both APs to be able to communicate to each other.

      All clients connected to my dd-wrt AP (main AP) and my TPLink AP (2nd AP) can obtain IPs from my pfSense and can access internet without problem.

      What I can't do is to access my 2nd AP from clients connected to my main AP.
      My main AP LAN allows to access all destinations. I'm not sure what else I have to set on my pfSense.

      My intention is to replace my DDWRT AP with a more powerful/stable Wifi6 consumer wifi router (only use it as my main AP) which do not support VLAN and multi-ssd; and intend to use my 2nd AP for mult-issd (VLAN supported) for iot devices, testing, guest, etc...
      pfsense_tlwa801nd.jpg

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ Offline
        JKnott @bthoven
        last edited by

        @bthoven

        What addresses are on the DD-WRT? What are your rules?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        bthovenB 1 Reply Last reply Reply Quote 0
        • bthovenB Offline
          bthoven @JKnott
          last edited by bthoven

          @jknott dd-wrt itself ip is 192.168.2.254
          pfSense main AP Lan rules
          pfsense_lan_rules.png

          pfSense 2nd AP Lan rules
          pfsense_2ndAP_rules.png

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG Offline
            Gertjan @bthoven
            last edited by

            @bthoven

            A question - and I hope it hides the answer ;)

            Your DD-WRT is using VLANs.
            So your pfSense should have as as many VLAN interfaces as the DD-WRT has - not only just one "LAN". Each VLAN interface should contain it's own pass rules.
            Right ,

            And just to be sure : This one shouldn't be checked :

            4198771c-e3d4-4e44-9b37-1d20612afc00-image.png

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            bthovenB 1 Reply Last reply Reply Quote 0
            • bthovenB Offline
              bthoven @Gertjan
              last edited by bthoven

              @gertjan All the vlans defined on my dd-wrt have corresponding VLAN interfaces on my pfSense; thus having their own firewall rules and dhcp servers.

              ps: you can access my dd-wrt admin page?

              GertjanG 2 Replies Last reply Reply Quote 0
              • GertjanG Offline
                Gertjan @bthoven
                last edited by Gertjan

                @bthoven said in Can't access second AP from clients connected to my main AP:

                ps: you can access my dd-wrt admin page?

                Oops.
                Ok, this is normally ruled by a very strict "Need to know" basis but I can guess I can inform you that :

                I have 3 DD-WRT devices running on my own Wifi network.

                😊

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • GertjanG Offline
                  Gertjan @bthoven
                  last edited by

                  @bthoven said in Can't access second AP from clients connected to my main AP:

                  thus having their own firewall rules

                  Well, inspect them all.
                  Can you see traffic coming in ? check the counter, make the rules log - or even "sniff" (packet capture) if you have to.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    ThatGuy
                    last edited by ThatGuy

                    @Gertjan and @bthoven

                    Just to clarify something, “AP isolation” in consumer grade routers doesn’t do everything you think it does. AP isolation only prevents wireless clients connected wirelessly to the same AP from talking to each other. It does not prevent Wireless Clients from talking to Wired Clients. Since @bthoven has two separate DD-WRT APs connected via hard wire, AP Isolation isn’t applicable when Client A is connected to AP1 and wants to communicate with Client B on AP2. DD-WRT doesn’t work like a true Mesh network, hence there is no “controller” that rules them all.

                    It’s easy to test by connecting a Wireless Client with AP Isolation turned on in DD-WRT and connecting a wired client to the switch or a free AP port. (I’m betting @bthoven has got 3 open ports on the APs as they are probably routers that have been turned into APs.) Disable the software firewalls on both wireless and wired clients. Try to ping each other and watch the replies flow. Yes, they can talk to each other even with AP isolation on. Only wireless clients attached to the same AP could not talk to each other.

                    Now products from Ubiquiti with “Controllers” have “Guest Policies” that can prevent wireless clients from talking to wireless and wired clients on the network. It’s probably because their APs have some managed switch/magic sauce in them.

                    ThatGuy

                    bthovenB 1 Reply Last reply Reply Quote 0
                    • bthovenB Offline
                      bthoven @ThatGuy
                      last edited by

                      @thatguy Thank you.

                      Only my main AP (Archer C9 wifi router turned to DD-WRT AP) is running DD-WRT.
                      My 2nd wifi AP is a one-ethernet-port AP (Tplink TL-WA801ND with its stock firmware) which supports 4 multi-ssids with associating VLAN ids.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        What IPs are you actually trying to connect between?

                        I assume you have those NICs bridged in pfSense? Or at least the VLANs bridged?

                        You have something there that seems to be labelled 'VLAN1 tagged'.
                        Is that actually a VLAN tagged 1? You should avoid using VLAN1 if at all possible.

                        Steve

                        bthovenB 1 Reply Last reply Reply Quote 0
                        • bthovenB Offline
                          bthoven @stephenw10
                          last edited by bthoven

                          @stephenw10
                          What IPs are you actually trying to connect between?
                          e.g. 192.168.2.90 (main AP LAN)---> 192.168.8.254 (my 2nd AP network IP for admin)

                          I assume you have those NICs bridged in pfSense? Or at least the VLANs bridged?
                          no. Do I have to, why?

                          You have something there that seems to be labelled 'VLAN1 tagged'.
                          Is that actually a VLAN tagged 1?
                          I don't know because my 2nd AP VLAN ID settings do not have tagged option

                          You should avoid using VLAN1 if at all possible.
                          As mentioned in my previous reply, I did try replacing VLAN id 1 with other id number, I can no longer access internet from any clients connected to all ssids.

                          bthovenB 1 Reply Last reply Reply Quote 0
                          • bthovenB Offline
                            bthoven @bthoven
                            last edited by

                            Update: The only IP address on my 2nd AP that I can't access from hosts on my main IP is 192.168.8.254 which I assign as my 2nd AP network IP (to manage my 2nd AP via 192.168.8.254).
                            I can ping from hosts connected to my main AP to other hosts connected my 2nd AP.

                            GertjanG 1 Reply Last reply Reply Quote 0
                            • GertjanG Offline
                              Gertjan @bthoven
                              last edited by

                              @bthoven said in Can't access second AP from clients connected to my main AP:

                              Update: The only IP address on my 2nd AP that I can't access from hosts on my main IP is 192.168.8.254 which I assign as my 2nd AP network IP (to manage my 2nd AP via 192.168.8.254).

                              You set the gateway on this AP2 ?
                              It should be the IP of the pfsense LAN where it is connected to .

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S Offline
                                stephenw10 Netgate Administrator
                                last edited by

                                If you're just routing between subnets there is no need to bridge anything. That should work fine as long as there are rules to pass the traffic in pfSense.

                                The most likely cause here is that AP2 does not allow connections to it's management interface from outside it's own subnet. At least by default, you may be able to enable it.

                                You could work past that with an outbound NAT rule in pfSense if you have to.

                                Steve

                                bthovenB 1 Reply Last reply Reply Quote 0
                                • bthovenB Offline
                                  bthoven @stephenw10
                                  last edited by bthoven

                                  @stephenw10 Thanks. I start to believe what you said that my AP2 does not alow connections to its management interface from outside its own subnet. My Aruba AP connection with similar manner doesn't have such problem.

                                  I'm not sure how to set outbound NAT rule in pfSense. Could you elaborate more? I intend to allow my main AP LAN 192.168.2.0/24 to access 192.168.8.254 (my 2nd AP).

                                  Update: I create this outbound NAT, and now I can access the 2nd AP admin page from my main LAN client...Do you think the setting needs to be tweak? Will it have any side effect to any other access?
                                  pfsense_tlwa801nd_outbound_nat.jpeg

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S Offline
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    That looks good if you need to be able to access it from any IP in the main LAN subnet.

                                    You can set the address family to IPv4 only.

                                    Of course it would still be better to just set that subnet as allowed in the AP if possible.

                                    Steve

                                    bthovenB 1 Reply Last reply Reply Quote 0
                                    • bthovenB Offline
                                      bthoven @stephenw10
                                      last edited by

                                      @stephenw10 Thanks. I changed it to ip4 only as you suggested. I may be limiting only one main LAN ip to access it.
                                      I can't do anything else on my 2nd AP because it has limited setting options.
                                      Thanks again.

                                      1 Reply Last reply Reply Quote 1
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.