Problem configuring AP with atheros card



  • Hi everyone. I have an Alix board with pfSense functioning well, but when I try to configure a wireless AP with an Atheros mini PCI card I can't obtain an IP address with any laptop.

    I bridged my LAN interface with the wireless one but I still do not obtain any address. The DHCP server is activated and works well on LAN.

    If I try to manually put an address on the client laptop, the connection still does not work with the gateway or an external website.

    I tried many possibilities but I found nothing on the net about this kind of problem. It seems to be simple for everyone except me.

    A friend has exactly the same problem with the same conf.

    Can anyone help me?


  • Rebel Alliance Developer Netgate

    The most common error in setting up that scenario is not having proper firewall rules on the wireless interface.



  • Ok thanks, I tried many solutions including creating rules, but some people say that when we bridge the WAN and the WIFI interface we don't need to create any rule, others say we need it.

    What's the good answer?



  • If an interface is bridged with LAN and it is desired to serve DHCP on that interface, then firewall rules to allow DHCP on that interface are required. This is true in pfSense 1.2.3. If I recall correctly, the firewall rules were not required in pfSense 1.2.2.


  • Rebel Alliance Developer Netgate

    @freetomfr:

    Ok thanks, I tried many solutions including creating rules, but some people say that when we bridge the WAN and the WIFI interface we don't need to create any rule, others say we need it.

    What's the good answer?

    Unless you disable pf completely, you always need firewall rules, even on a bridged interface. Rules have been required on bridges by default since pfSense 1.2.1 at least.



  • Ok, I understand, but I tried many rules and nothing works.

    Logs look like this :

    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  BRIDGE0  169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  BRIDGE0  169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.251         IGMP
    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.2           IGMP
    block  Jan 24 17:20:33  BRIDGE0  169.254.211.104  224.0.0.2           IGMP
    block  Jan 24 17:20:33  WIFI     169.254.211.104  224.0.0.2           IGMP
    block  Jan 24 17:20:28  WIFI     0.0.0.0:68       255.255.255.255:67  UDP
    block  Jan 24 17:20:28  BRIDGE0  0.0.0.0:68       255.255.255.255:67  UDP
    block  Jan 24 17:20:28  WIFI     0.0.0.0:68       255.255.255.255:67  UDP
    

    What kind of rule do I need?

    Is it necessary to create a NAT rule too?



  • those are not necessarily bad.  we can't really help unless you post the actual rules you have.  on the WLAN you could just create an any => any rule and that should work.  there are posts about this, where some prefer a LAN => any rule and a specific rule to allow dhcp request.



  • I tried an any -> any rule and I get an IP from my DHCP server! ;D

    But when I tried to go on the internet it doesn't work. Nothing blocked in firewall log.

    My rules look like that :

    On LAN :

    ```
    Proto    Source   Port  Destination  Port  Gateway  Schedule  Description
    *        LAN net  *     *            *     *                  Default LAN -> any
    ```

    On WLAN

    ```
    Proto    Source   Port  Destination  Port  Gateway  Schedule  Description
    TCP/UDP  *        *     *            *     *
    ```
    
    The internet access works well on LAN but nothing on WLAN in spite of my rule allowing all traffic from this interface.
    
    I am just a step from the solution, does anyone have an idea?


  • Can you show interfaces? e.g. 'ifconfig -a'?



  • # ifconfig -a
    vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
            ether 00:0d:b9:14:1d:50
            inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
            inet6 fe80::20d:b9ff:fe14:1d50%vr0 prefixlen 64 scopeid 0x1
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
            ether 00:0d:b9:14:1d:51
            inet6 fe80::20d:b9ff:fe14:1d51%vr1 prefixlen 64 scopeid 0x2
            inet 192.168.200.254 netmask 0xffffff00 broadcast 192.168.200.255
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
            ether 00:0d:b9:14:1d:52
            media: Ethernet autoselect (none)
            status: no carrier
    ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:11:f5:88:18:28
            inet6 fe80::211:f5ff:fe88:1828%ath0 prefixlen 64 scopeid 0x4
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
            status: associated
            ssid CheckPoint channel 2 (2417 Mhz 11g) bssid 00:11:f5:88:18:28
            authmode WPA privacy MIXED deftxkey 2 AES-CCM 2:128-bit
            AES-CCM 3:128-bit txpower 31.5 scanvalid 60 bgscan bgscanintvl 300
            bgscanidle 250 roam:rssi11g 7 roam:rate11g 5 protmode OFF burst
            -apbridge dtimperiod 1
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
            pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            inet6 fe80::20d:b9ff:fe14:1d50%tun0 prefixlen 64 scopeid 0x9
            inet 192.168.69.1 --> 192.168.69.2 netmask 0xffffffff
            Opened by PID 426
    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 12:23:d3:86:f1:2b
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 1 priority 128 path cost 200000
            member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 4 priority 128 path cost 370370
    #
    


  • @freetomfr:

    The internet access works well on LAN but nothing on WLAN in spite of my rule allowing all traffic from this interface.

    At the risk of being pedantic, the rule you displayed doesn't allow all traffic from the WLAN interface, only TCP and UDP. But I don't think that's your problem.

    Your log shows traffic from 169.254.211.104, which is one of a range of addresses for systems that need to dynamically assign themselves an address. It's not an address in the vr0/ath0 subnet. There isn't enough information to say the system that can't access the internet over WLAN is using that address, so you should check its address. Is it supposed to be assigned an address by DHCP? If so, perhaps that isn't happening and that's the start of your problem.
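
Added example, not part of any post in this thread: a Python script that reads filter-log entries in the layout quoted above and flags the two signs discussed here, blocked DHCP requests (UDP port 68 to 67) and sources in 169.254.0.0/16. The sample log is constructed in the thread's layout, and the finding labels are hypothetical names chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the filter log quoted in this thread:
# action, timestamp, interface, source, destination, protocol.
SAMPLE_LOG = """\
block
\tJan 24 17:20:33 \tWIFI \t169.254.211.104 \t224.0.0.251 \tIGMP
block
\tJan 24 17:20:33 \tBRIDGE0 \t169.254.211.104 \t224.0.0.2 \tIGMP
block
\tJan 24 17:20:28 \tWIFI \t0.0.0.0:68 \t255.255.255.255:67 \tUDP
block
\tJan 24 17:20:28 \tBRIDGE0 \t0.0.0.0:68 \t255.255.255.255:67 \tUDP
"""

# \s+ also spans newlines, so one-line and two-line entries both match.
ENTRY = re.compile(
    r"(block|pass)\s+(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def split_host_port(field):
    """Split an IPv4 'a.b.c.d[:port]' field into (address, port or None)."""
    host, _, port = field.partition(":")
    return ipaddress.ip_address(host), int(port) if port else None


def diagnose(log_text):
    """Return {interface: set of finding labels} for blocked entries only."""
    findings = defaultdict(set)
    for action, _ts, iface, src, dst, proto in ENTRY.findall(log_text):
        if action != "block":
            continue
        src_ip, src_port = split_host_port(src)
        _dst_ip, dst_port = split_host_port(dst)
        if proto == "UDP" and (src_port, dst_port) == (68, 67):
            # Client DHCP request dropped: no pass rule covers it here.
            findings[iface].add("dhcp-request-blocked")
        if src_ip in LINK_LOCAL:
            # Client fell back to a self-assigned address: it has no lease.
            findings[iface].add("client-has-no-lease")
    return dict(findings)


if __name__ == "__main__":
    for iface, found in sorted(diagnose(SAMPLE_LOG).items()):
        print(iface, sorted(found))
```
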



  • Yeah, I've been misled by that tcp/udp before.  I think you're right, the autoconfigure IPs are suspicious.



  • I tried a rule allowing all traffic (not only TCP/UDP) and nothing more. I can access the LAN but no internet.

    My log is from when I didn't get an IP address by DHCP. Now I can get a valid address (from 192.168.100.0/24) and I don't have blocked traffic from 169.254.211.104 anymore.



  • please try doing a packet capture on the WLAN when you try to go to the internet with a good IP.



  • I really want to do it but I can't because it seems it's not possible to do it on WLAN Interface. The 2 possible choices are WAN or LAN.



  • you can do it from the CLI.  like 'tcpdump -i ath0'



  • Ok, that is what I get :

    # tcpdump -i ath0
    tcpdump: WARNING: ath0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:13:03.966422 IP 192.168.8.36.57844 > pfsense.local.domain: 39691+ A? configuration.apple.com. (41)
    22:13:04.456128 IP 192.168.8.36.54334 > pfsense.local.domain: 41057+ A? safebrowsing.clients.google.com. (49)
    22:13:04.492732 IP 192.168.8.36.50277 > pfsense.local.domain: 44508+ A? www.google.fr. (31)
    22:13:04.965649 IP 192.168.8.36.57844 > pfsense.local.domain: 39691+ A? configuration.apple.com. (41)
    22:13:05.458960 IP 192.168.8.36.54334 > pfsense.local.domain: 41057+ A? safebrowsing.clients.google.com. (49)
    22:13:05.497076 IP 192.168.8.36.50277 > pfsense.local.domain: 44508+ A? www.google.fr. (31)
    22:13:07.977642 IP 192.168.8.36.57844 > pfsense.local.domain: 39691+ A? configuration.apple.com. (41)
    22:13:08.468652 IP 192.168.8.36.54334 > pfsense.local.domain: 41057+ A? safebrowsing.clients.google.com. (49)
    22:13:08.502863 IP 192.168.8.36.50277 > pfsense.local.domain: 44508+ A? www.google.fr. (31)
    22:13:16.998226 IP 192.168.8.36.57844 > pfsense.local.domain: 39691+ A? configuration.apple.com. (41)
    22:13:17.486522 IP 192.168.8.36.54334 > pfsense.local.domain: 41057+ A? safebrowsing.clients.google.com. (49)
    22:13:17.523476 IP 192.168.8.36.50277 > pfsense.local.domain: 44508+ A? www.google.fr. (31)
    ^C
    12 packets captured
    12 packets received by filter
    0 packets dropped by kernel
    


  • Looks like pfSense is expected to be the name server but it's not responding. Do you have DNS forwarder enabled?

    Do you get a response to ping by IP address?



  • I tried just now after a reboot and it works well!!  ??? I don't understand everything but after all it works.

    Thanks everyone for your help. ;D

