Netgate Discussion Forum

Wireless - can only access local network and not able to access internet

  • B
    bobbyclarke
    last edited by Jan 1, 2010, 6:03 PM Jan 1, 2010, 5:09 PM

    I am new to pfSense. I started with version 1.2.2. Upgraded using ssh and url to 1.2.3 no problem. I am attempting to separate ethernet and wireless networks with 1.2.3.
    pfSense is configured with 3 interfaces, xl0, xl1 and em0 and all are configured and up. em0 WAN is connected to charter via dhcp, xl0 is local LAN static IP address with Linksys ethernet router (192.168.1.0 /24) and xl1 is OPT1 Wireless static IP address using Linksys WRT54G wireless router (192.168.2.0 /24). BTW the tutorial for Wireless shows an AP interface wi0 which does not exist in either 1.2.2 or 1.2.3 at least on my installation.
    I can access the internet from xl0 LAN ethernet no problem. OPT1 Wireless xl1 connections are getting dhcp addresses from pfSense, and can access the local network only. I can log into the WRT54G and pfSense for example, but I cannot access the internet with any wireless device. I have a firewall rule for OPT1 that is wide open (any) right now. I have looked through the system and firewall logs and do not see any entries as to my issue. What I have determined is that I cannot ping the WAN IP address. The configuration on the WRT54G looks correct, in other words nothing is being blocked.

    I originally was using Astaro, which is a great product, but pfSense is really, in my opinion, easier and has a much better interface. Any help is appreciated.

    • D
      danswartz
      last edited by Jan 1, 2010, 6:02 PM

      Can you show us your rules and NAT (outbound too?)

      • B
        bobbyclarke
        last edited by Jan 1, 2010, 6:23 PM

        LAN
        Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
        *      *       *     *            *     *

        WAN
        Proto  Source                         Port  Destination  Port  Gateway  Schedule  Description
        *      RFC 1918 networks              *     *            *     *                  blocked
        *      Reserved/not assigned by IANA  *     *            *     *                  blocked
        *      *                              *     *            *     *

        OPT1
        Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
        *      *       *     *            *     *

        NAT
        Automatic outbound NAT rule generation (IPsec passthrough)

        Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
        WAN        any     *            *            *                 *            *         NO           Auto created rule for LAN

        • D
          danswartz
          last edited by Jan 1, 2010, 6:41 PM

          Hmmm, looks okay.  Show the interface definitions too?

          • B
            bobbyclarke
            last edited by Jan 1, 2010, 6:52 PM Jan 1, 2010, 6:46 PM

            BTW, thanks for your help Dan. Is this what you are looking for?

            WAN interface (em0)
            Status up
            DHCP up  
            MAC address xx:xx:xx:xx:xx:xx
            IP address xxx.xxx.xxx.xxx  
            Subnet mask 255.255.248.0
            Gateway xxx.xxx.xxx.xxx
            ISP DNS servers xxx.xxx.xxx.xxx
            xxx.xxx.xxx.xxx
            Media 100baseTX <full-duplex>
            In/out packets 1741648/70643 (165.30 MB/8.51 MB)
            In/out errors 0/0
            Collisions 0
            Bridge (bridge0) learning

            LAN interface (xl0)
            Status up
            MAC address 00:0a:5e:4c:6a:cf
            IP address 192.168.1.6
            Subnet mask 255.255.255.0
            Media 100baseTX <full-duplex>
            In/out packets 53501/56373 (8.42 MB/46.89 MB)
            In/out errors 0/0
            Collisions 0

            OPT1Wireless interface (xl1)
            Status up
            MAC address 00:01:03:e9:b1:4f
            IP address 192.168.2.5
            Subnet mask 255.255.255.0
            Gateway 192.168.2.5
            Media 100baseTX <full-duplex>
            In/out packets 8029/221568 (5.24 MB/12.84 MB)
            In/out errors 0/0
            Collisions 0
            Bridge (bridge0) learning

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jan 1, 2010, 7:17 PM

              @bobbyclarke:

              NAT
              Automatic outbound NAT rule generation (IPsec passthrough)

              Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
              WAN        any     *            *            *                 *            *         NO           Auto created rule for LAN

              Are you sure that automatic is selected? When Automatic Outbound NAT is on, there should be no rules present. Try creating a rule for your OPT1 network to NAT to the WAN and see if that works.

              • D
                danswartz
                last edited by Jan 1, 2010, 7:21 PM

                I am also confused - it looks like you have opt1 and lan bridged, but they each have an IP address, which is not right (AFAIK).

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Jan 1, 2010, 7:31 PM

                  I missed the bridging the first time, that should definitely not be there if LAN and OPT1 are on different subnets.

                  • B
                    bobbyclarke
                    last edited by Jan 1, 2010, 7:38 PM

                    I have no bridging enabled on any interface

                    LAN Interface
                    IP configuration
                    Bridge with none
                    IP address 192.168.1.6 /24
                    FTP Helper
                    FTP Helper Disable the userland FTP-Proxy application

                    OPT1 Interface
                    IP configuration
                    Bridge with none
                    IP address 192.168.2.5 /24
                    Gateway         192.168.2.5
                    If this interface is an Internet connection, enter its next hop gateway (router) IP address here. Otherwise, leave this option blank.
                    FTP Helper
                    FTP Helper Disable the userland FTP-Proxy application

                    • D
                      danswartz
                      last edited by Jan 1, 2010, 7:44 PM

                      you did before, it seemed to be saying wan and opt1 were bridged.  that said, who is serving up IP address for the opt1?  the linksys?  if so, is it pointing wireless hosts at the pfsense for the gateway?

                      • B
                        bobbyclarke
                        last edited by Jan 1, 2010, 8:03 PM

                        Honest, Dan, bridging is not enabled on LAN or OPT1. I did try to bridge OPT1 to the WAN last night but it did nothing and I changed it back to none immediately (didn't make sense to do this but I tried anyway). Is Bridge (Bridge0) in the interface status of WAN and OPT1 indicating that bridging is on to you? dhcp on pfSense is enabled for OPT1 with the gateway as the OPT1 interface IP, dhcp is disabled on the Linksys, and I have the Linksys WAN configured for static IP with a bogus addressing scheme as it is not used.

                        DHCP server OPT1
                        Subnet  192.168.2.0
                        Subnet mask 255.255.255.0
                        Available range 192.168.2.0 - 192.168.2.255
                        Range 192.168.2.11 to 192.168.2.20
                        WINS servers
                        DNS servers

                        NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.
                        Gateway 192.168.2.5
                        The default is to use the IP on this interface of the firewall a

                        • B
                          bobbyclarke
                          last edited by Jan 1, 2010, 8:09 PM

                          I have rebooted pfSense and now the interfaces don't even show bridging. Still not able to connect to the Internet with wireless.

                          • B
                            bobbyclarke
                            last edited by Jan 1, 2010, 8:14 PM

                            Per Jimp's post Auto outbound NAT rule generation is enabled and I deleted the WAN rule.

                            • D
                              danswartz
                              last edited by Jan 1, 2010, 8:17 PM

                              Can you post your DHCP configuration?

                              • B
                                bobbyclarke
                                last edited by Jan 1, 2010, 8:27 PM

                                OPT1Wireless

                                x Enable DHCP server on OPT1Wireless interface
                                  Deny unknown clients
                                If this is checked, only the clients defined below will get DHCP leases from this server.
                                Subnet         192.168.2.0
                                Subnet mask 255.255.255.0
                                Available range 192.168.2.0 - 192.168.2.255
                                Range         192.168.2.11 to 192.168.2.20
                                WINS servers
                                DNS servers

                                NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.
                                Gateway       192.168.2.5
                                The default is to use the IP on this interface of the firewall as the gateway. Specify an alternate gateway here if this is not the correct gateway for your network.
                                (nothing is configured below all fields are blank)
                                Default lease time       seconds
                                This is used for clients that do not ask for a specific expiration time.
                                The default is 7200 seconds.
                                Maximum lease time       seconds
                                This is the maximum lease time for clients that ask for a specific expiration time.
                                The default is 86400 seconds.
                                Failover peer IP:
                                Leave blank to disable. Enter the REAL address of the other machine. Machines must be using CARP.
                                Static ARP
                                  Enable Static ARP entries
                                  Note: Only the machines listed below will be able to communicate with the firewall on this NIC.
                                Dynamic DNS

                                • Show Dynamic DNS
                                    Enable registration of DHCP client names in DNS.

                                Note: Leave blank to disable dynamic DNS registration.
                                Enter the dynamic DNS domain which will be used to register client names in the DNS server.
                                NTP servers

                                • Show NTP configuration

                                Enable Network booting

                                • Show Network booting

                                LAN
                                      x  Enable DHCP server on LAN interface
                                    Deny unknown clients
                                If this is checked, only the clients defined below will get DHCP leases from this server.
                                Subnet         192.168.1.0
                                Subnet mask 255.255.255.0
                                Available range 192.168.1.0 - 192.168.1.255
                                Range         192.168.1.11 to 192.168.1.20
                                WINS servers
                                DNS servers

                                NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.
                                Gateway       19.168.1.6
                                The default is to use the IP on this interface of the firewall as the gateway. Specify an alternate gateway here if this is not the correct gateway for your network.

                                (nothing is configured below all fields are blank)
                                Default lease time seconds
                                This is used for clients that do not ask for a specific expiration time.
                                The default is 7200 seconds.
                                Maximum lease time seconds
                                This is the maximum lease time for clients that ask for a specific expiration time.
                                The default is 86400 seconds.
                                Failover peer IP:
                                Leave blank to disable. Enter the REAL address of the other machine. Machines must be using CARP.
                                Static ARP
                                  Enable Static ARP entries
                                  Note: Only the machines listed below will be able to communicate with the firewall on this NIC.
                                Dynamic DNS

                                • Show Dynamic DNS
                                    Enable registration of DHCP client names in DNS.

                                Note: Leave blank to disable dynamic DNS registration.
                                Enter the dynamic DNS domain which will be used to register client names in the DNS server.
                                NTP servers

                                • Show NTP configuration

                                Enable Network booting

                                • Show Network booting
                                • D
                                  danswartz
                                  last edited by Jan 1, 2010, 8:30 PM

                                  okay that looks sane.  if you do a traceroute to a numeric IP outside the network, what does it look like?

                                  • B
                                    bobbyclarke
                                    last edited by Jan 1, 2010, 9:50 PM

                                    I'm going to have to stop for today. Not sure when I will get back to this. For now I will have to remove the firewall and go back to my old setup so I can use wireless. Thank you so much for your time and help today Dan. Will you know by a post when I get back on this?

                                    • D
                                      danswartz
                                      last edited by Jan 1, 2010, 9:51 PM

                                      yes, i have this thread on notify.

                                      • B
                                        bobbyclarke
                                        last edited by Jan 1, 2010, 9:53 PM

                                        Great. It may be a while. I'll do some Wireshark traces next time I fire this up as well. Should have been using Wireshark all along. Happy New Year to you Dan!!

                                        • T
                                          TreeTopFlyer
                                          last edited by Jan 2, 2010, 8:03 PM

                                          I have the same problem but it is specific to wireless clients using Win7.  XP & Vista clients connect fine and can access the internet through a Buffalo WZR2-G300N wireless router running in AP mode.  Win7 clients are able to get an IP address from pfSense box and access local network but unable to access internet.  I swapped out the Buffalo with a Linksys WRT54GC I had laying around and the Win7 clients can now get access to the internet.  In my mind this is pointing to a prob with Win7 (or as some people call it SP3 for Vista  ;D ) and not the Buffalo as Win7 will not let me change the "Network Type" from "Public" to "Work or Home".

                                          So my question would be what OS are your wireless clients running?
