Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access'

    Scheduled Pinned Locked Moved Wireless
    44 Posts 3 Posters 3.3k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      skubany2 @johnpoz
      last edited by skubany2

      @johnpoz

      7423050b-6d02-43d7-9a48-ff29e26cde31-image.png

      1 Reply Last reply Reply Quote 0
      • S Offline
        skubany2 @stephenw10
        last edited by

        @stephenw10

        3006daeb-7a8d-4506-8b1d-46d62f5c655a-image.png

        Yes, I do have a bridge and I expect that I will have to remove it and connect interfaces LAN & WiFi via rules.

        1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          You shouldn't have to you just need to make sure traffic is opening states on the correct interface.

          Do you have bridge filtering set to the bridge members or the bridge itself?

          Do you have the bridge assigned?

          S 1 Reply Last reply Reply Quote 0
          • S Offline
            skubany2 @stephenw10
            last edited by

            @stephenw10
            I only have the bridge because when adding external AP the tutorials I looked at said I need it.
            I don't have it assigned to anything. I don't filter on it. I don't explicitly use it for anything.

            In 'Floating' rules I had entries because under WiFi interface I have a rule that WiFi should not go out to 'LAN subnet'. I don't want WiFi devices to reach my LAN in general, unless explicitly allowed (via rules). Sometimes, the "WiFi Client" from the picture with Floating rules I posted reached my LAN and I wasn't sure why so I put a Floating rule to forbid it. The Floating rules are executed before any other in the firewall.

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @skubany2
              last edited by

              @skubany2 your last rule there where you say don't allow lan access is wrong.. That is a ! lan subnets - it would block everything that is NOT the lan subnets.

              none of those rules show any hits..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              S 1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                I would guess that traffic from the clients is coming in the WIFI interface and going out the LAN because that's where the subnet is defined. The bridge allows that to work because everything uses the same subnet but pf sees that as asymmetric.

                Unless you need to filter between the wired and wireless segments you should move filtering to the bridge, assign the bridge and add the subnet on the bridge directly with neither member having a subnet defined.

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @stephenw10
                  last edited by johnpoz

                  This is such a borked up config.. Why are you bridging? Why would you bridge if you don't want to allow wifi talk to lan?

                  I take it your again hiding your rfc1918 space where you put in wifi clients - so these are different networks - again why bridge?

                  What exactly are you trying to accomplish - there is almost never a good reason to bridge..

                  If you want to leverage a port on pfsense for your AP - then put it on its own network, and just allow what you want. If you want wifi on the same network as lan plug your AP into your switch.

                  If you want multiple networks on your AP via vlans and one of those is your lan network - then have a vlan capable switch and again plug your AP into your switch.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  S 1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by stephenw10

                    Commonly such a setup is used when you want to have wired and wireless clients in the same subnet but also want to filter traffic between them.

                    I hadn't, until now, considered how interface bound states might affect that. 🤔

                    But, I agree, it's almost always better to just use two subnets and not bridge them.

                    1 Reply Last reply Reply Quote 0
                    • S Offline
                      skubany2 @johnpoz
                      last edited by

                      @johnpoz
                      You are right, I misspoke. The "WiFi Client" is not supposed to go out to the internet. I almost never use that client though.

                      1 Reply Last reply Reply Quote 0
                      • S Offline
                        skubany2 @johnpoz
                        last edited by

                        @johnpoz said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                        This is such a borked up config.. Why are you bridging? Why would you bridge if you don't want to allow wifi talk to lan?

                        If you want to leverage a port on pfsense for your AP - then put it on its own network, and just allow what you want. If you want wifi on the same network as lan plug your AP into your switch.

                        If you want multiple networks on your AP via vlans and one of those is your lan network - then have a vlan capable switch and again plug your AP into your switch.

                        The config is at least 8 years old. I used to have pfSense run on a laptop with WiFi adapter. When moving my pfSense to a custom PC I decided that it is more flexible to have an external AP rather than internal. That way I can change AP in the future easily. Also choice of AP would not be dictated by support provided by Unix on which pfSense is based. To add an external AP to pfSense I jumped online to see how others do it. The tutorials I saw used bridging and so did I. I didn't really understand why but it worked so I was happy. I'm more versed now at working with pfSense and understand networking better than in the past, though as you can see I'm far from an expert.

                        I will be going (attempting) the route of running AP off of a dedicated pfSense port. This will give me the separation of LAN and WiFi and should work with 'Interface Bound States' in pfSense. I have an idea how to achieve that, so we'll see if it works.

                        1 Reply Last reply Reply Quote 1
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Yup that will work if you don't need them on the same subnet.

                          Or moving the filtering and subnet assignment to the bridge interface would also work.

                          1 Reply Last reply Reply Quote 0
                          • S Offline
                            skubany2
                            last edited by skubany2

                            I am now configured with 'Interface Bound States' and no longer bridged.

                            Thanks for your help guys.

                            I like this way better. Better organized and more precise.

                            1 Reply Last reply Reply Quote 1
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              Nice. Yes that's a much better setup if you don't need them on the same subnet. 👍

                              1 Reply Last reply Reply Quote 0
                              • S Offline
                                skubany2
                                last edited by

                                A related question. As I moved to unbridged LAN and WiFi networks, I noticed that a device on WiFi interface can't reach a device on LAN interface using it's host name. Using IP works.

                                What do I need to change in my firewall to fix this? I assume DNS is not propagating correctly.

                                When the two networks were bridged, this was not an issue.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Hmm, by default both subnets would use the pfSense interface IP as the DNS server. The would be Unbound in pfSense and if LAN devices are registered there then they should resolve for both subnets.

                                  First try resolving from the wifi client and see how it fails. Perhaps that device is using a hardcoded DNS server? Did you ever include firewall rules to redirect DNS?

                                  1 Reply Last reply Reply Quote 0
                                  • S Offline
                                    skubany2
                                    last edited by skubany2

                                    When the WiFi client is wired (cable) then it can access the other device via it's host name, because they're both on LAN at that point.

                                    WiFi client is assigned DNS Servers by DHCP Server running on WiFi interface. I tried adding LAN's DNS Server as secondary entry under WiFi interface's DHCP Server but that did not change anything. I did notice at that point that WiFi client was showing two DNS Servers configured, instead of the usual one.

                                    I did not explicitly set any DNS redirection firewall rules.

                                    stephenw10S 1 Reply Last reply Reply Quote 0
                                    • stephenw10S Offline
                                      stephenw10 Netgate Administrator @skubany2
                                      last edited by

                                      @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                                      I did notice at that point that WiFi client was showing two DNS Servers configured, instead of the usual one.

                                      And they are both the pfSense interface addresses? Or are you using other DNS servers?

                                      If you try to resolve one of these hosts on a wifi client what error do you see?

                                      S 1 Reply Last reply Reply Quote 0
                                      • S Offline
                                        skubany2 @stephenw10
                                        last edited by skubany2

                                        @stephenw10 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                                        And they are both the pfSense interface addresses?

                                        Yes.

                                        The issue is on my parent's network and they're far away from me. On my home network I have WiFi client running VNC Server so I'll use that for testing. Using VNC I can connect from LAN to WiFi client fine when using it's IP, but when I use it's host name VNC can't resolve the name.

                                        While testing with VNC when I capture packets on the LAN interface I see LLMNR (Link-local Multicast Name Resolution) requests and NBNS (NetBIOS Name Service) requests for the host name but don't think they're being responded to by anyone. Nothing of interest on WiFi or WAN interfaces.

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          How are you testing? Try to dig at pfSense on each address directly like:

                                          2.8.1-RELEASE][admin@cedev-2.stevew.lan]/root: dig @172.21.16.1 +short plusdev-2.stevew.lan
                                          172.21.16.167
                                          [2.8.1-RELEASE][admin@cedev-2.stevew.lan]/root: dig @192.168.126.1 +short plusdev-2.stevew.lan
                                          172.21.16.167
                                          

                                          One thing you might be seeing is the client device not sending the domain the in query automatically for servers outside the domain.

                                          But both IP addresses should be able to resolve the FQDN. The are both the same server server and data.

                                          1 Reply Last reply Reply Quote 0
                                          • S Offline
                                            skubany2
                                            last edited by

                                            I've done some testing yesterday. Testing was largely about reaching shared folder on LAN client from WiFi client. I was testing host name vs IP.

                                            I have to make sure that DNS queries are not blocked. In my configuration WiFi interface in general can only reach WAN, not LAN and I have many disabled rules that I activate (one at a time) when I need to reach a LAN client.

                                            I noticed that turning off Windows firewall on the LAN client helped in allowing WiFi client to reach it but I think this was in the case of using IP. Host name still did not work. Windows firewall was never an issue but that is when I only had Win7 machines at home. Now that I have added Win11 to the mix they might not be playing nice with each other with default settings.

                                            Adding secondary DNS (of the other interface) under each interface's DHCP Server may also be needed. I will also look at the DNS Resolver and Forwader to see if I need to change anything there.

                                            I will be testing DNS (rules/settings) and Windows firewall settings while running packet capture. This will take a few days but I know what to focus on and will report back with my findings.

                                            stephenw10S johnpozJ 2 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.