Cannot access AP web ui

nopfsense · Jul 1, 2022, 7:08 AM

Hello clever people, I'm unsure what the problem I'm experiencing is so I dont know which forum is applicable if this is the wrong one I apologise in advance.
I am having a terrible time getting access to my AP, I cant access the web ui, the problem is I dont know what the exact problem is to begin to be able to search for a solution. I'm hoping somebody can tell me where to look.

Setup pfsense opt1>AP1

there was a rule on opt1 to allow all traffic except to LAN interface, I thought that this might have been the problem, so I replaced it with an allow all traffic to any interface.

AP1 is a meraki mr33 flashed with openWRT. It is setup so that pfsense handles the DHCP leases for the AP and the devices that attach to it. so typically the AP takes the first free ip address 192.168.22.2, first device to sign on to the AP192.168.22.3 etc

It works fine as an AP. The problem is that I cant get in to the Luci web ui interface on the AP, the default ip is 192.168.1.1 but since I have reconfigured it that is no longer the case. If i try to access the assigned IP 192.168.22.2 it times out, tried with :80 and :8000, no luck, however every now and again on 8000 I get a "server is running....." message. (I've even cleared the browser cache and cookies which I remember could cause problems with Luci)

I've tried to all these steps from the LAN interface that has an allow all traffic on all interfaces rule, and from devices connected to the AP1

If I disconnect the AP and try to access it straight from a pc is it wont/doesnt get an IP so is not contactable.

So it looks like I need to access the AP while its attached to the PFsense box but I have run out of ideas how to do it. Can anybody help me?

Gertjan · Jul 1, 2022, 1:23 PM

@nopfsense said in Cannot access AP web ui:

the default ip is 192.168.1.1

That is what is was in the past.
You've - as you've said - activated a DHCP-client on the LAN part.
Is that really so ? Normally, a DHCP-client is activated on a WAN type interface. Your setup is AP mode only, so no WAN usage.

I advise you to set it up with a static IP.
192.168.22.2 network 255.255.255.0 or /24
Gateway 1921.168.22.1 - DNS 192.168.22.1

@nopfsense said in Cannot access AP web ui:

It is setup so that pfsense handles the DHCP leases for the AP and

That is what you want.
Never ever stop there. Do some fact checking.

Check that "what you see" is what you want : Visit this page : pfSense :: Status > System Logs > DHCP
Now, remove the cable between the pfSense 192.168.22.1 and your AP., and put it back in place.
Refresh the pfSense page "Status > System Logs > DHCP".
Do you see a device with MAC == the MAC of the AP asking for IP 192.168.22.2 ??
If so, issue solved.
If not, you know your AP DHCP-client setup isn't right.

I'm using AP's (DDWRT) for the better part of this century, and I've always set them up using static settings. I can visit their GUI just fine.

This is typical for an AP :

IP assigned + /24
Gateway.
DNS.
DHCP server ( ! ) shut down (pfSense does the DHCP attribution).
WAN interface shut down.

You can even ditch all firewall related stuf.
An most simple AP device transforms radio signals to electric signals. Nothing more, nothing less.
Later on, you can use VLAN's, separate SSIDs for each VLAN, AP-client-isolation etc etc

nopfsense · Jul 10, 2022, 4:36 PM

@gertjan hi, thanks for taking the time to reply, it took some time for me to reply as I really wanted to be sure about things. It's taken days to pedantically go through all the settings, fail, recheck, fail, repeat till I just had to accept there was something else wrong. Wiped the pfsense box wiped the AP. Repeat.

To recap;
I setup the pfsense box with wan on interface opt0, lan on opt1 192.168.11.1 and AP on opt3 ip 192.168.22.3-254 (have also tried out of despiration 192.168.22.2-254, it made no difference)

On the AP I changed the default IP to http://192.168.22.2/24 pfsense handles the DHCP. Wireless Devices can connect. Wireless Devices can surf the internet. Wireless devices to the AP show up under the DHCP log.

I followed these instructions to setup the AP as a dumb AP.
https://www.scribd.com/doc/275293481/How-to-Create-a-Dumb-OpenWRT-AP-by-Using-the-Routers-LAN-Port

And now I can also get to the Luci web ui on 192.168.22.2 whilst connected to the AP. But not from the LAN network 192.168.11.1/24

For ease of troubleshooting OPT3 AP has a pfsense rule to allow all traffic.

Interestingly i checked the DHCP log as you suggested and neither the APs ipaddress 192.168.22.2 or the MAC address appear anywhere. But devices that connect to the AP do appear. As I understand it from the dumb AP guide the static IP should be outside the DHCP range? DHCP will only issue 192.168.22.3-254. So 22.2 will never be issued so never will be logged? But even if i set DHCP range to 22.2-22-254 it still doesnt show in the log. (As it doesn't issue an ip address because the AP has a fixed ip?)

If i look at the Diagnostics> ARP Table there i can see;

AP 192.168.22.2, the wirelss AP its MAC address the status expires in 943 seconds
AP 192.168.22.1 its MAC address and the status is permanent, link type Ethernet

The same for LAN

LAN 192.168.11.2, itself attached computer, its MAC address the status expires in 1048 seconds
LAN 192.168.22.1 its MAC address and the status is permanent, link type Ethernet

So now i can administer the AP, if i log on to the AP, which is a significant leap forwards.

Interestingly whilst I've been endlessly changing the settings. The pfsense interface on 192.168.22.1 has stopped responding, even after restarts, unsure if that's significant.

In my most probably naive understanding of how Pfsense works i thought that because the LAN has a rule that allows it to connect to all interfaces over all protcols it would be easy, and if there was a problem it would be solved by creating a rule on the opt3 AP interface to allow all traffic.

So I'm out of ideas and actually less sure of how to proceed, the fact that it doesnt work undercuts all i thought i knew about pfsense,
I'm aware it could also be the smallest change in settings that could make it work but I've no idea where to begin looking.

Does anything stand out to you as significant and worth a look, or have i miss understood anything? Grateful in advance. Kind regards

the other · Jul 10, 2022, 4:36 PM

@nopfsense
Hey there,
Just a shot in the dark...
You said you changed the fixed IP on your AP.
Have you tried doing that on pfsense (interface, dhcp, host override bottom of page, there enter ap's Mac and wanted ip...

What exactly do you mean by "now interface is not responding " any more??

Gertjan · Jul 11, 2022, 6:18 AM

@nopfsense said in Cannot access AP web ui:

and AP on opt3 ip 192.168.22.3-254

What do you mean with 168.22.3-254 ?

The pfSense interface OPT3 : ste it to 192.168.22.1 netmask /24
No gateway.
Like this :

Set the DHCP server setting, the pool, to for example :

On the AP, attached to network OPT3 set the static IP of the IP like this :

Take note :
If there is a WAN interface on the AP, don't use it / disable it. Use one of the LAN switched ports to connect to pfSense.
DNS == Gateway == interface IP OPT3 of pfSense.
Give the first AP the IP 192.168.22.2 - the next IP .3 etc.

In short : set up static IP (IP, mask, gateway and DNS) and you'll be fine.

rcoleman-netgate · Jul 11, 2022, 4:18 PM

@nopfsense said in Cannot access AP web ui:

To recap;
I setup the pfsense box with wan on interface opt0, lan on opt1 192.168.11.1 and AP on opt3 ip 192.168.22.3-254 (have also tried out of despiration 192.168.22.2-254, it made no difference)

Did you open the rules up on those interfaces to allow 443 (or whatever TCP port you moved the GUI to)? Often this is a missed step.

Additionally unless you have a very specific use-case for it you probably want to keep your DHCP on the firewall.

nopfsense · Jul 12, 2022, 8:12 AM

@gertjan ok thanks went back and checked all that, i think everything matches

WAN not configured

IP address reserved under DHCP server for AP_01 interface as 192.168.22.2

So this part works fine. Thanks for helping me get this part straight.

I still can't access the AP on the 22.2 network from the 11.1 network.

I am assuming that traceroute is telling me that there is no problem with making a connection because it ignores all rules?

However i believe I've made the rules for interfaces LAN and AP_01 AS wide open as possible?

Ipv6

Ipv4

I can't get to 192.168.22.1 pfsense webgui on the AP_01 interface. Whilst connected to 192.168.22.53

Or 192.168.11.1

Do you have any further ideas?

nopfsense · Jul 12, 2022, 8:15 AM

@the-other hi, I have tried adding the AP under DHCP static mapping for this interface under The DHCP server for the AP interface, his that what you mean?

nopfsense · Jul 11, 2022, 11:10 PM

@the-other also by interface i mean, before if connected to the AP on the 192.168.22,x net i could get to the pfsense web gui interface... but no longer

rcoleman-netgate · Jul 11, 2022, 11:35 PM

@nopfsense what interface is the 11.0/24 network on?

and 22.0/24?

what are the Firewall rules for each network?

Gertjan · Jul 12, 2022, 8:12 AM

@nopfsense said in Cannot access AP web ui:

I can't get to 192.168.22.1 pfsense webgui on the AP_01 interface. Whilst connected to 192.168.22.53

What are the 192.168.22.1 ( AP_01 ?) firewall rules ?

Gertjan · Jul 12, 2022, 8:15 AM

@nopfsense said in Cannot access AP web ui:

I have tried adding the AP under DHCP static mapping for this interface under The DHCP server for the AP interface, his that what you mean?

Not need as the AP will never initiate a DHCP request : it has a static IP set up.
But the DHCP static mapping on pfSense is still useful, as you now have a host name for your AP, and you can use this name instead the IPv4.

Btw : your LAN firewall rules are fine, it's not the LAN firewall that blocks you from accessing the AP on 192.168.22.2 from LAN.
IPv6 (rule) is not needed if you do not use IPv6.

nopfsense · Jul 12, 2022, 10:10 AM

@gertjan Ok, good to know, thanks, so it's the AP_01 rules that block access to the AP? But the rules look ok? So why can't i access the AP from the LAN?

nopfsense · Jul 12, 2022, 10:14 AM

@rcoleman-netgate hi. LAN on opt1 and AP_O1 on opt3.

Opt1

Opt3

Gertjan · Jul 13, 2022, 1:14 PM

@nopfsense said in Cannot access AP web ui:

so it's the AP_01 rules that block access to the AP?

No. Never.

Read Docs » pfSense software » Firewall

this is the important word :

"enters" means : traffic going into the pfSense device.

So, all traffic coming into (like entering) is filtered by the firewall.

When you initiate a connection from a device on your LAN interface, and you want to connect to a device on some other local (or remote !) , like AP_01 interface, the traggic enters the LAN interface, and is filtered by the firewall.

Then, the traffic is 'in' pfSense, and pfSense is a router and knows that the traffic destinated for 192.168.22.x/24 has to be placed on the AP_01 interface to reach a device on the 192.168.22.x network.
When doing so, your traffic is only filtered by one interface, the LAN interface, using the LAN firewall rule set.
And not the AP_01 firewall rule set, because, again, only incoming traffic is filtered, not outgoing traffic.

Of course, the AP will send info back. You could say : that's incoming traffic for the interface AP_01 !?
Noop.
You are now very close to discover what a state-full firewall actually is, as explained on the page mentioned above.

There is an exception : read ```
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html but don't worry : write it on the wall : "Whatever happens, never ever use floating rules set" and you will be fine ;)

nopfsense · Jul 13, 2022, 1:14 PM

@gertjan Ok, thanks i had a read and I'm not sure if I'm any closer to finding the answer, on other forums they suggest that local firewalls should be disabled, which they are, windows Defender is off for domain and local.

I've factory defaulted the pfsense box, now LAN is on 192 168.10.1

Wide open rule on interface AP_001

Can ping 192.168.10.1

But something in my view strange is happening when i ping 192.168.22.1

I get a reply from 192.168.1.24 that it's unreachable. That's odd? There is no interface with with that address range. On the pc or the pfsense box.

Is this a clue?

johnpoz · Jul 13, 2022, 1:26 PM

@nopfsense unreachable normally means there was no answer to the arp.

example if I ping some IP that doesn't exisit.

You can see that my machine was arping for that - but got no response

You can not arp for stuff that is not on your same local network.. You pinging a IP outside your network would be sent to your router (default gateway, pfsense)..

Gertjan · Jul 13, 2022, 1:25 PM

@nopfsense said in Cannot access AP web ui:

I've factory defaulted the pfsense box, now LAN is on 192 168.10.1

Not a real issue, but after a reset LAN would be 192.168.1.1/24.

Screenshot the settings of your LAN and AP_01 interface settings please.
Both have a /24, right ?

Both have an empty = "None" here:

Right ?

Who is 192.168.1.24 ?

johnpoz · Jul 13, 2022, 1:28 PM

@gertjan yeah who is 192.168.1.24? And why is he answering at all, if on the 192.168.10 network??

I would think maybe you have multiple networks on the same actual L2?

nopfsense · Jul 13, 2022, 4:11 PM

@gertjan yes, both have none in upstream