Routing between two pfsense boxes via wireless bridge



  • Hi, just as the subject says, I am trying to route traffic between two networks using pf.

    Here is my config.
    Site A: pfSense 1.2.3RC1
    WAN: PPPoE DSL Connection with working internet.
    LAN: 192.168.3.0/24
    OPT1: 172.16.10.3/24. Gateway for OPT1 is 172.16.10.2
    Static route: OPT1 192.168.2.0/24 via 172.16.10.2

    Site B: pfSense 1.2.3Release
    WAN: DHCP Cable Connection with working internet.
    LAN: 192.168.2.0/24
    OPT1: 172.16.10.2/24. Gateway for OPT1 is 172.16.10.3
    Static route: OPT1 192.168.3.0/24 via 172.16.10.3

    Here is a graphic of the above. http://www.gliffy.com/publish/2170869/

    From either router I can ping any address in the 172.16.10.0 network or the 192.168.2/3.0 network interface of the router, but I cannot ping any devices on the LAN.
    I.e. from Site A, I can ping 192.168.2.254 (router) but not 192.168.2.100 (Desktop).
    From Site B, I can ping 192.168.3.254 (router) but not 192.168.3.200 (Desktop).

    I have spent an entire day watching the firewall logs and playing with individual rules that had it working the way I described above; however, it seems to work just as well with * * * * * * (any's) on the LAN and OPT1 interfaces.
    I have checked the "bypass firewall rules for traffic on the same interface" just to test.

    I should also note that the Wifi link is perfect and both radios are in bridge mode. Signals on both sides are -62 or less. Without the routers I can move traffic all day long.

    I thought about turning routing on in them, thinking that might help make more sense, but it does add another router that I shouldn't technically need.

    What gives? Why won't pfSense pass traffic from OPT1 out the LAN interface? It's getting far enough to ping the LAN interface but not leaving it to go out on the network.
    Watching the firewall log with logging enabled on the LAN and OPT1 it shows that both routers are passing my pings and trace routes and nothing is being blocked.
    I have even played around with RIP today.

    The route table for both sides show:
    Site A: 192.168.2.0/24 172.16.10.2 UGS 0 4 1500 re0
    Site B: 192.168.3.0/24 172.16.10.3 UGS 0 2301 1500 rl2

    Any ideas or comments to help get this working would be much appreciated.

    BTW, I have been using pfSense for over a year now and have about 10 sites using it in various configurations. I Love it! Keep up the good work guys!



  • I think you mixed the concepts of routing and bridging and because of this confused yourself.

    It is not possible to bridge a WLAN interface in Infrastructure (client) mode.
    Also with a bridge you have the same subnet on both sides of the bridge.

    You configured a subnet between the two sites, so you already set up a routed scenario.

    Could you maybe post screenshots of your firewall rules?
    Did you enable logging for the allow rule on the OPT interface?



  • @GruensFroeschli:

    I think you mixed the concepts of routing and bridging and because of this confused yourself.

    It is not possible to bridge a WLAN interface in Infrastructure (client) mode.
    Also with a bridge you have the same subnet on both sides of the bridge.

    You configured a subnet between the two sites, so you already set up a routed scenario.

    Could you maybe post screenshots of your firewall rules?
    Did you enable logging for the allow rule on the OPT interface?

    Ok, you may be right, but I'm pretty sure I understand what is going on, but maybe not? So please help me understand if I am wrong.

    I think what you think I am doing is hanging an actual WLAN adapter off the back of my pfsense box, but that is not the case.
    This is an ethernet connection to a wifi radio 40' in the air on a tower at my house, connected to another radio on a tower at my friend's house that also comes in to his box via ethernet.

    Really all I'm attempting is this
    http://forum.pfsense.org/index.php/topic,19991.0.html

    My crossover cable just happens to be a 3 mile wireless link that is functional.

    I can post screenshots of my firewall rules for the LAN and OPT1 interfaces, but all you're going to see is a bunch of any's all the way across.
    I noticed on another project that having broad any rules didn't work correctly (it might have been me doing something wrong at the time), but now I always try to build rules that are as specific as possible. So I had 4-5 various rules on the OPT1 interfaces allowing traffic from all the various subnets to each other's various subnets. With logging enabled on each rule I diligently watched the logs on both sides show me I had traffic passing in one box, over the link and returning, but never leaving the LAN interface to ping a local host. I ended up removing all the individual rules in case I didn't have something ordered right and just going back to * * * * * * for LAN and OPT1.

    Again, the setup works except for the fact I can't reach hosts on the LAN from either side. However I can, for example, ping the LAN and OPT1 interfaces of each router from either side.



  • Can you run something like wireshark on a PC on one LAN and then try pinging that host from the other side and see if anything at all shows up? The firewall packet logging doesn't seem to be useful since you know you can see each pfsense's LAN.



  • Thanks danswartz, I had not thought about that. I will set this up and get back with results.

    Adair



  • I'm waiting for the other end of the link to get connected back up correctly to fully test.

    But a ping from my wireless device back to my desktop was failing. I fired up wireshark and saw that the ping was reaching my desktop but my desktop was not responding... Yep, you guessed it, bone head move. Windows firewall was blocking the pings. I turned it off and can ping my desktop thru my router from my wireless bridge.
    This tells me that PF is set up correctly and should mean everything will work ok once the link is back up.

    Damn windows!

    I will test and post back a final outcome.

    Next time I will test pinging hosts other than windows devices!

    Thanks,
    Adair



  • Good to hear! Everything I was seeing looked 'impossible' :)



  • @danswartz:

    Good to hear! Everything I was seeing looked 'impossible' :)

    Why do you say 'impossible'?



  • I mean it all looked correct - I couldn't see how you could be pinging the LAN IP of the pfsense but not the host, given what the rules and such looked like.



  • Now I have everything set up just like before, and when I try to ping a host on the other LAN I get a TTL expired in transit.
    Trace routing shows the IP address of the OPT interface of my router.
    From either side I can ping the bridge IPs and bridge interface but not the LAN router or any host IPs.

    This is beginning to get really frustrating.

    Adair



  • What I wanted to see was the results of a wireshark trace on the host on the remote LAN when you try pinging…



  • That's just it, I can't even get as far as I was getting before.
    Before, I could ping the LAN interface of each other's router but not a host on the LAN (because of the windows firewall).
    I'll still do some captures with wireshark later.

    Thanks,
    Adair



  • This is old, but I now have this working. (It's actually been working for a while, I just didn't think to update the thread.)

    I had two major problems the entire time I was trying to get this working.

    First, with the Ubiquiti Bullets you have to put them in Client/Server WDS mode in order for them to do layer two bridging. DOH!

    Second, at some point in the midst of all the testing I screwed up my static route to the other subnet.

    What I needed was LAN 192.168.2.0/24 via 172.16.10.2,
    172.16.10.2 being the pfSense router's OPT interface on the other side of the bridge.

    Somehow I had put 172.16.10.3 (my router's OPT interface address).

    Getting the Bullets out of a semi/mini NAT mode and putting the correct routing statement on each pfSense box fixed everything right up!
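The "TTL expired in transit" symptom from earlier in the thread is exactly what a static route pointing at the router's own OPT1 address produces. This added simulation (not code from the thread or from pfSense) walks a packet through the two boxes with the addresses posted above: the wrong route loops on Site A until TTL runs out, the corrected route delivers in two hops, and a small lint catches the mistake in the config before it ever hits the wire. Router names "A"/"B" and the route-table layout are my own.

```python
# Added example: simulate forwarding across the two pfSense boxes from the thread
# and lint static routes whose next hop is the router's own address (constructed data).
from ipaddress import ip_address, ip_network

def make_routers(site_a_next_hop):
    """Both boxes as posted; site_a_next_hop is Site A's route to 192.168.2.0/24.
    A next hop of None means the prefix is directly connected."""
    return {
        "A": {"addrs": {"192.168.3.254", "172.16.10.3"},
              "routes": [("192.168.3.0/24", None), ("172.16.10.0/24", None),
                         ("192.168.2.0/24", site_a_next_hop)]},
        "B": {"addrs": {"192.168.2.254", "172.16.10.2"},
              "routes": [("192.168.2.0/24", None), ("172.16.10.0/24", None),
                         ("192.168.3.0/24", "172.16.10.3")]},
    }

def lookup(router, dst):
    """Longest-prefix match over one router's route table."""
    best = None
    for prefix, nh in router["routes"]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner_of(routers, addr):
    """Which router owns an interface address (the next hop's owner)."""
    for name, r in routers.items():
        if addr in r["addrs"]:
            return name
    return None

def forward(routers, start, dst, ttl=64):
    """Hop the packet router by router; returns (outcome, list of routers visited)."""
    cur, path = start, []
    while ttl > 0:
        ttl -= 1
        path.append(cur)
        match = lookup(routers[cur], dst)
        if match is None:
            return ("no route", path)
        nh = match[1]
        if nh is None:                 # directly connected: handed to the LAN
            return ("delivered", path)
        nxt = owner_of(routers, nh)
        if nxt is None:
            return ("next hop unreachable", path)
        cur = nxt                      # if nh is our own address, cur stays the same
    return ("ttl expired", path)       # the traceroute shows our own OPT1 every hop

def lint_routes(routers):
    """Flag static routes whose next hop is one of the router's own addresses."""
    return [(name, prefix, nh) for name, r in routers.items()
            for prefix, nh in r["routes"] if nh in r["addrs"]]
```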



  • Cool.

