Wireless interface support



  • I'm having a little trouble getting my 1st wireless client on the internet with a release1.0 install (clean), although he's fine on LAN (wired), and via wireless he can get to the pfsense webconfig.

    1. Does pfSense 1.0 support simple AP bridging with the LAN like an off-the-shelf Linksys, Dlink, Netgear Wireless router?

    1a. Do you say 'bridge with' in both OPT1 and LAN interface setups?

    2. If so, are all/most features avail to the interface (like IPSEC)?

    3. Is putting the wireless in a different subnet a better idea? but will things like ipsec break?

    4. Is the Rule for OPT1 to pass for any, LAN, or WAN?

    Thanks!



  • 1 yes
    1a no only at the opt1 interface
    2 all but traffic shaping that won't work on bridged interfaces
    3 that's up to you
    4 that's depending on the rule you make



  • I just plugged in my new atheros (29€) card today and tried to get a bridged wlan running.

    Took me quite some time. It only works when I bridge OPT1 with LAN in the OPT1 settings page and then again bridge LAN with OPT1 in the LAN settings page.
    So I think jeroen234's answer for 1a might not be correct. Can someone please clarify this for me?



  • Jeroen's answer is correct. You usually only need to bridge one interface to a non-bridged interface. Maybe you were missing some firewall rules?



  • Yeah seems I was wrong…

    My setup worked only sporadically. I just can't get it to work properly.
    The main problem is that I can't get a lease from DHCP on the WLAN (OPT1).

    I just want a simple bridged AP, and according to the wiki/forum/docs the bridge in pfSense is a NON-filtering one if I don't specifically activate filtering. So no firewall rules should be needed when I just activate bridging of OPT1 to LAN in the OPT1 interface settings tab.

    DHCP doesn't even get a discover in the logs. It works on LAN but definitely not on the bridged OPT1.
    Same problem discussed here with no result...
    http://forum.pfsense.org/index.php/topic,2584.msg15607.html#msg15607

    I did the following again:
    -Installed pfsense from scratch
    -Basic config for DSL access on WAN
    -Basic config for open WLAN on OPT1 and activating bridging of OPT1 to LAN in the OPT1 settings tab.
    -Setting up DHCP Server for LAN
    -Took one Windows XP client at the LAN and tried to open pfsense.org. It works, so internet access is functional
    -Set one XP Client at the OPT1 Wireless LAN to a static IP
    -Ping from XP Client at LAN to the XP Client at OPT1 (Wireless LAN) and the other direction work both
    -Ping or web access from the XP Client at OPT1 to internet does not work (timeout)

    So there seem to be two problems. I can't get an IP from DHCP, and even with a proper IP I won't get access to WAN.
    It looks like there's a firewall rule in place that blocks traffic from LAN to OPT1, so the client behind OPT1 won't get an answer for its requests?

    So what am I doing wrong?

    EDIT:  After sitting idle for about five minutes I turned DHCP config on the WLAN Client on while playing around and the following happened. (Logging of default rule is still active and I also activated logging of the standard rule for LAN)

    Nov 11 04:44:39 pf: 50. 634705 rule 44/0(match): block in on ath0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    Nov 11 04:44:43 pf: 4. 017108 rule 44/0(match): block in on ath0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    Nov 11 04:44:50 pf: 1. 670757 rule 44/0(match): block in on ath0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    Nov 11 04:44:50 pf: 007035 rule 44/0(match): block in on ath0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    Nov 11 04:44:53 pf: 1. 719664 rule 37/0(match): pass in on bridge0: 192.168.1.31.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    Nov 11 04:44:55 pf: 2. 766248 rule 44/0(match): block in on ath0: 192.168.1.31.1068 > 212.243.221.199.80: S 1045103172:1045103172(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:44:58 pf: 1. 423629 rule 44/0(match): block in on ath0: 192.168.1.31.1068 > 212.243.221.199.80: S 1045103172:1045103172(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:45:02 pf: 3. 285387 rule 37/0(match): pass in on bridge0: 192.168.1.31.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    Nov 11 04:45:02 pf: 002739 rule 37/0(match): pass in on bridge0: 192.168.1.250.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    Nov 11 04:45:04 pf: 2. 717526 rule 44/0(match): block in on ath0: 192.168.1.31.1068 > 212.243.221.199.80: S 1045103172:1045103172(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:45:16 pf: 12. 013837 rule 44/0(match): block in on ath0: 192.168.1.31.1069 > 212.243.221.209.80: S 3145792390:3145792390(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:45:19 pf: 3. 000235 rule 44/0(match): block in on ath0: 192.168.1.31.1069 > 212.243.221.209.80: S 3145792390:3145792390(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:45:25 pf: 6. 005608 rule 44/0(match): block in on ath0: 192.168.1.31.1069 > 212.243.221.209.80: S 3145792390:3145792390(0) win 16384 <mss 1452,nop,nop,sackOK>
    Nov 11 04:45:36 pf: 10. 780848 rule 37/0(match): pass in on bridge0: 192.168.1.20.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    Nov 11 04:45:36 pf: 000166 rule 37/0(match): pass in on bridge0: 192.168.1.20.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    

    So the client got an IP at last from the DHCP even when some parts of the request got blocked by default rule? (192.168.1.31 is its IP)
    And another strange thing happened. I was able to ping a host on the internet a few times before this test with the dynamic IP, when the client still had its static IP.

    I'm really lost now. What the heck is happening  ???



  • Got it to work at last…

    Reasons for the trouble were two things.

    1. The documentation says there's no filtering between bridged interfaces. But I have to set a rule on the OPT1 interface to allow all traffic to all nets like this to make it work (especially for DHCP requests).

    
    Proto  Source  Port  Destination  Port  Gateway  Description
    *      *       *     *            *     *        OPT1 -> Any
    
    

    So there IS filtering between bridged interfaces.

    2. Flaky WLAN driver on the client side. Nasty Netgear WG511 PCMCIA card. Forced it to eat a newer driver for a 3Com Office Connect card and it works now without problems and even has AES support now.

    So for all people with the same problem:

    If you want to create the following setup:
    WAN -> Internet
    LAN -> Local wired network
    OPT1 -> AP Wireless LAN bridged to Local wired Network
    just do the following

    -Get your WAN and LAN running. Then go to the OPT1 settings page and set it to be bridged with LAN. Leave the IP configuration for the OPT1 interface to static.

    -Set up the remaining wifi stuff (WPA, WEP, keys etc.) and save the settings.

    -Next go to the Firewall Rules settings page and click on OPT1 interface. Add a new rule to allow traffic from any to any.

    This did the trick for me.
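
Added example, not part of the thread: a small Python parser for pf filter-log lines like the ones quoted above. It tallies verdicts per interface and rule, which makes it visible that the drops (including the DHCP request) are taken on the bridge member `ath0` while traffic seen on `bridge0` passes. The sample lines are copied from the log in the earlier post; the function names are illustrative.

```python
import re
from collections import Counter

# Four lines copied from the firewall log quoted in the thread above.
SAMPLE_LOG = """\
Nov 11 04:44:39 pf: 50. 634705 rule 44/0(match): block in on ath0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
Nov 11 04:44:53 pf: 1. 719664 rule 37/0(match): pass in on bridge0: 192.168.1.31.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
Nov 11 04:44:55 pf: 2. 766248 rule 44/0(match): block in on ath0: 192.168.1.31.1068 > 212.243.221.199.80: S 1045103172:1045103172(0) win 16384 <mss 1452,nop,nop,sackOK>
Nov 11 04:45:02 pf: 002739 rule 37/0(match): pass in on bridge0: 192.168.1.250.138 > 192.168.1.255.138: NBT UDP PACKET(138)
"""

# Optional "<sec>. " prefix, microseconds, rule number, verdict, interface, src/dst.
LINE_RE = re.compile(
    r"pf:\s+(?:\d+\.\s+)?\d+\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse(log_text):
    """Return one dict per recognised pf log line; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def summarize(events):
    """Count matches per (verdict, interface, rule number)."""
    return Counter((e["action"], e["iface"], e["rule"]) for e in events)

def blocked_dhcp(events):
    """DHCP client requests (UDP 68 -> 67) that the filter dropped."""
    return [e for e in events
            if e["action"] == "block" and e["sport"] == 68 and e["dport"] == 67]

def blocking_members(events, bridge="bridge0"):
    """Interfaces other than the bridge itself on which packets were dropped."""
    return sorted({e["iface"] for e in events
                   if e["action"] == "block" and e["iface"] != bridge})

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, count in sorted(summarize(evs).items()):
        print(count, *key)
    print("DHCP dropped on:", [e["iface"] for e in blocked_dhcp(evs)])
```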

