External AP bridged to External Radius server

  • Hi!

    I'm encountering some problems setting up a wireless access point.
    Sorry if the problem has already been raised, but I can't find an answer to my problem :-
    Or, maybe there's something I'm not understanding.. ???

    My config:
    I've got a PfSense box with 3 NICs. One WAN, one LAN, and one OPT1.
    I've bridged OPT1 to LAN, because they are the same network.
    (I'd just successfully upgraded to the 1.0.1-SNAPSHOT-02-21-2007.)
    But, on LAN I've got an independent radius server, and on OPT1 a wireless router.
    So, I'd set up my w-router to use my radius server.
    But, by sniffing packets directly on my radius server I can't see anything radius-related.
    And, if I capture packets directly on my wifi router I can see 3 radius requests.

    So, my pfsense box seems to block radius authentication even though I've set up correct rules to permit traffic between opt1 & lan.
    Is there something I forgot to do on my pfsense? Or is it pfsense that is not taking care of my radius packets?

    Thanks a lot for your help because I'm going crazy thanks to this problem  ;D

  • Do you see any blocks at status>systemlogs, firewall for the radius traffic? What does status>interfaces report for the bridge?

  • Thanks for replying! :-X
    There are no radius-related packets in status>systemlogs & firewall :-\ (all packets displayed)
    Even if I set the default port to 1812.
    I strongly suspect the bridge is not forwarding radius packets  ???
    And status>interfaces shows me: "Bridge (bridge0) learning" as usual.
    So, WTH ??? ;D
    I don't know what I could have forgotten :-[

  • If the pfsense bridge was not forwarding them, then you would find blocked or dropped packets on the firewall tab.
    Maybe your firewall rules are wrong ???

    opt1 interface accept * * * * * *    (opt is linked with lan so on lan you set the rules)
    Rules are seen from pfsense as incoming from that interface,
    and if a rule is found then rule checking is halted,
    and radius uses 1812 for access and for accounting 1813 and for radius proxy 1814

  • Please show us your firewall rules. Maybe you use source ports in your firewall rules?

  • Nope! No source port on opt1, the only rule I've got is:
    (Pass) *  PrivateNET  *  PrivateNET  *  *
    I'm just blocking & logging IPv6 before. That's all,
    and I can't see any radius packets dropped.
    So, what can it be ?  ;D

  • We just found a problem with wireless interfaces and bridges and committed a fix. Please upgrade to the newest snapshot in about 2h from now and retest.

  • Hey, you're fast!  ;D Thanks a lot, I will try it as soon as possible! ;)

  • Tested with pfSense-Full-Update-1.0.1-SNAPSHOT-02-21-2007.tgz 2007-Feb-25 16:09:01 without any changes  :-[

    I'm updating now to pfSense-Full-Update-1.0.1-SNAPSHOT-02-27-2007.tgz 2007-Feb-28 13:04:43 :)

    Updated! And nothing to do, it doesn't work :-\ I have many doubts now, I can't see where the problem comes from  ???
    On the one hand, I suspect my wireless AP is not sending radius packets on the right subnet, and on the other hand I think
    that it's the bridge which doesn't work as expected  :-X

    Thanks a lot for your help, I will test one last thing:
    shortcut opt1 and lan directly to know if it's the bridge or not :) (Don't know why I thought of this only now and not before ;D )

  • yelt, did you get anywhere with your testing?

    I'm having a similar problem

  • Hi!

    I'm giving news ;)
    So, now, it works! :o
    I don't know what has changed since my last test, but everything seems to be like it was before… ???
    But now...it works ;D

    Historically (don't know if it's English ^^'), these are the steps I've done:
    0/ Initial test (Didn't work)
    1/ Upgraded PfSense to pfSense-Full-Update-1.0.1-SNAPSHOT-02-27-2007 (Didn't work even after reboot)
    2/ Test by plugging OPT1 directly on my switch plugged to LAN interface.  (Didn't work)
    3/ Replug OPT1 to OPT1.  (Forgot to test)
    4/ Backup all AP settings/ Restore default settings/ Downgraded firmware/ Restore default settings (again)/ Upgraded firmware/ Restore AP settings  (Tested ==> Didn't work ...)
    5/ Shutdown everything.
    6/ Start everything, shutdown independent firewalls (Forgot to test)
    7/ Start independent firewalls (Forgot to test)
    8/ After 2 days, I test everything: AP works  :o ???

    So, as you can see, I don't know what may have changed between 0/ and 8/.
    I haven't changed the settings: my AP is set like before, my server is in the same configuration too, and my PfSense box has the same settings as before too!! :-
    The only thing that has changed is the version of the SNAPSHOT of PfSense, so maybe the PfSense team had something to do with my lucky adventure  ;D :D So: thanks a lot again! ;D

    Hoping this can help you! ;)
    If you have any questions don't hesitate  :P

    Edit> I just want to specify something: when I say "Test", I mean that I've set up packet capture software directly on my radius server, so I can see what packets CAN reach my radius server :) And when I say that my test "didn't work" I want to talk about the radius packet ACCESS-REQUEST, that's all  ;)

  • Kill radiusd in status > services, start it again via the shell using /usr/local/etc/raddb/radiusd -x, I believe that is how you start radius in debugging mode.  There is no need to sniff when radius will tell you if it gets anything.  You may have to execute it with an X in caps though, I don't remember.  But occasionally radius will receive packets but ignore them, most commonly when it doesn't feel that the incoming packet is from a valid client device.  It sounds like you got it fixed, but this is a much easier way of troubleshooting radius for future reference.
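
Added example, not part of the thread: a small decoder for the two checks discussed above, whether a captured UDP payload really is a RADIUS Access-Request, and whether its source address is one the server is configured to accept as a client. The function names, the sample packet, the addresses and the client list are all constructed for illustration.

```python
import ipaddress
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}

def parse_radius(payload):
    """Decode the RFC 2865 header and attributes from a UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match the payload")
    attrs, pos = {}, 20          # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return {"code": CODES.get(code, "Unknown(%d)" % code), "id": ident, "attrs": attrs}

def triage(src_ip, payload, clients):
    """Say whether a captured packet is an Access-Request from a configured client."""
    pkt = parse_radius(payload)
    src = ipaddress.ip_address(src_ip)
    known = any(src in ipaddress.ip_network(c) for c in clients)
    if pkt["code"] != "Access-Request":
        return pkt, "not an Access-Request"
    if not known:
        return pkt, "arrived, but source is not a configured client"
    return pkt, "arrived from a configured client"

def build_sample():
    """Constructed Access-Request: id 7, zero authenticator, User-Name, NAS-IP-Address."""
    attrs = (bytes([1, 7]) + b"alice" +
             bytes([4, 6]) + ipaddress.IPv4Address("192.168.1.20").packed)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE = build_sample()
CLIENTS = ["192.168.1.20/32"]    # constructed list, stands in for the server's client config

if __name__ == "__main__":
    for src in ("192.168.1.20", "192.168.1.21"):
        pkt, verdict = triage(src, SAMPLE, CLIENTS)
        print(src, pkt["code"], pkt["attrs"][1].decode(), "->", verdict)
```
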