Wireless Router behind PFsense problem



  • I just got my new pfSense box set up. I have 4 NIC interfaces. One is Internet in, one is LAN, one is DMZ (not configured yet) & one is WLAN. I have messed with this WLAN setting for about 4 hours. I have a Netgear WNR-3500. The only thing I need it to do is wireless AP work. I cannot get it to do this, period. pfSense is being ridiculous with the router & vice versa. I manually input all info from pfSense into the router. DHCP is already disabled on the router. pfSense sees the router under the DHCP lease option, but just keeps saying it's offline.

    Per another post from here, this is what I did: put this info from the WAN settings of pfSense into the router.
    IP Address: Same subnet as Pfsense connected interface.
    Subnet Mask: Same subnet as Pfsense connected interface.
    Gateway: Pfsense Ip
    Static DNS: Pfsense Ip

    LAN IP-192.168.1.1 (PFsense)
    WLAN IP-192.168.2.1 (Netgear Router)

    I have both on the same subnet of 255.255.255.0. Is this a problem? Can both have the /24 designation? I don't understand the whole IP address /1-32 thing. If both can't have /24, what does WLAN need to be set as?

    DHCP server under WLAN is enabled in PFsense. settings are:
    Subnet - 192.168.2.0
    Subnet mask - 255.255.255.0
    Available range - 192.168.2.1 - 192.168.2.254

    The wireless router has a static route under Services > DHCP Server > WLAN, at the bottom, a static route of 192.168.2.1. What is the problem? This router is driving me nuts. I did enable the router in like bridge mode for a few minutes & something different happened, but then it got screwed up & I had to hard reset the whole router again.



  • Your pfSense box should be connected to a LAN port in your wireless router, not the WAN port - see http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

    If your wireless router has a LAN IP address of 192.168.2.1 then your pfSense WLAN should not include this in its range of DHCP allowed IP addresses.  The pfSense WLAN IP address needs to be a host address (e.g. 192.168.2.254/24) not a network address (192.168.2.0/24) and this address needs to be outside the range of DHCP allocated addresses on the interface. Suggest you allocate the WLAN IP addresses something like:
    192.168.2.1 - Netgear router
    192.168.2.100 to 192.168.2.199 DHCP (will probably be ample, but you have room to expand the range if you wish)
    192.168.2.254 - pfSense

    Test that wireless clients can associate, get a valid IP address by DHCP and get the correct gateway (pfSense WLAN IP) and DNS (pfSense WLAN IP). Do this first with encryption disabled and then (if you want encryption enabled) repeat with appropriate encryption.

    When you get your IP addresses and basic wireless sorted out you will need to add firewall rules to the pfSense WLAN interface to allow downstream systems to access anything off their subnet. (The pfSense LAN interface gets a default firewall rule allowing access to anything; for security reasons other interfaces have nothing allowed.)



  • Sorry I didn't explain everything better last night. I was frustrated after working for like 4 hours straight on just getting my wireless router running. I posted more in detail about the setup I have. This should answer everything better.

    @wallabybob:

    Your pfSense box should be connected to a LAN port in your wireless router, not the WAN port - see http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

    Yes, I knew this from before I even started. I have ethernet running from the pfSense WLAN NIC to the router's LAN port. This is not the problem.

    @wallabybob:

    If your wireless router has a LAN IP address of 192.168.2.1 then your pfSense WLAN should not include this in its range of DHCP allowed IP addresses.

    I changed the IP of the router (on the router itself) to 192.168.2.1, as it can't sit on the same interface as my pfSense router/firewall at 192.168.1.1. I can access the router web GUI at 192.168.2.1 from a wireless client. Under Services > DHCP Server (in pfSense) the WLAN tab is configured as follows:

    Subnet - 192.168.2.0
    Subnet mask - 255.255.255.0
    Available range - 192.168.2.1 - 192.168.2.254
    Range - 192.168.2.10 through 192.168.2.126

    I already have the first nine 192.168.2.x addresses reserved; as such I have a static route configured at the bottom of the WLAN tab for the router, which is the 192.168.2.1 address.

    @wallabybob:

    The pfSense WLAN IP address needs to be a host address (e.g. 192.168.2.254/24) not a network address (192.168.2.0/24) and this address needs to be outside the range of DHCP allocated addresses on the interface. Suggest you allocate the WLAN IP addresses something like:
    192.168.2.1 - Netgear router
    192.168.2.100 to 192.168.2.199 DHCP (will probably be ample, but you have room to expand the range if you wish)
    192.168.2.254 - pfSense

    I'm confused by what you mean that the WLAN IP needs to be a host address & not a network address?? Does the pfSense WLAN IP under Interfaces > WLAN > IP Address need to be changed to 192.168.2.254? Remember the first nine addresses of 192.168.2.x are reserved already (in my example); wouldn't one of those work for the WLAN IP? Does the router IP need to be different from the pfSense interface IP? i.e. 192.168.2.2 for the interface IP & 192.168.2.1 for the router?

    @wallabybob:

    Test that wireless clients can associate, get a valid IP address by DHCP and get the correct gateway (pfSense WLAN IP) and DNS (pfSense WLAN IP). Do this first with encryption disabled and then (if you want encryption enabled) repeat with appropriate encryption.

    The router was issuing correct IPs last night to my wireless client in the 192.168.2.x range. It would connect fine to the router, just the router would not pass the internet to the wireless client. I wasn't even messing with the encryption yet. That's the easy part once internet connectivity is there.

    @wallabybob:

    When you get your IP addresses and basic wireless sorted out you will need to add firewall rules to the pfSense WLAN interface to allow downstream systems to access anything off their subnet. (The pfSense LAN interface gets a default firewall rule allowing access to anything; for security reasons other interfaces have nothing allowed.)

    I tried to already do this; I believe I created a default allow-all rule for the WLAN interface just like the LAN comes set up with. This shouldn't be the problem.

    I just went ahead & changed the pfSense WLAN interface IP to 192.168.2.2 as I was writing this. I will give that a shot to see how that works. I know I almost have it connected right. I will post back after work tonight on whether it works.



  • Usually gateways have the first or last IP address of the subnet. It can also work with whatever you decide it to be.
    That's the reason it was mentioned to be .254 in wallabybob's post (at least I think so).

    You can post even if this setup doesn't work.



  • I adjusted the one IP like I said earlier for the interface on pfSense, & tried it before going to work. It didn't fix it. I've been doing some reading while at work today. I was wanting to have separate subnets for each of my networks, i.e. 192.168.1.x for LAN, 192.168.2.x for WLAN, & 192.168.3.x for my DMZ (server); however, this may not be possible, or at least not easy to configure.

    I was reading about bridging connections. I may have to bridge the wireless router to the LAN subnet to get it to actually work. I wouldn't prefer to run the WLAN on the 192.168.1.x subnet (for LAN) permanently, but I need to be able to get WLAN up & running until I can figure out how to give WLAN its own subnet of 192.168.2.x. Then while messing around trying to get WLAN on the 192.168.2.x subnet, I can default back to the bridged connection if I need to.



  • @lonevipr:

    @wallabybob:

    The pfSense WLAN IP address needs to be a host address (e.g. 192.168.2.254/24) not a network address (192.168.2.0/24) and this address needs to be outside the range of DHCP allocated addresses on the interface. Suggest you allocate the WLAN IP addresses something like:
    192.168.2.1 - Netgear router
    192.168.2.100 to 192.168.2.199 DHCP (will probably be ample, but you have room to expand the range if you wish)
    192.168.2.254 - pfSense

    I'm confused by what you mean that the WLAN IP needs to be a host address & not a network address?? Does the pfSense WLAN IP under Interfaces > WLAN > IP Address need to be changed to 192.168.2.254? Remember the first nine addresses of 192.168.2.x are reserved already (in my example); wouldn't one of those work for the WLAN IP? Does the router IP need to be different from the pfSense interface IP? i.e. 192.168.2.2 for the interface IP & 192.168.2.1 for the router?

    Perhaps I'm confused because you don't seem to have explicitly said what IP address you have assigned the pfSense WLAN interface. It's probably something OK (else you would have had a problem with the DHCP configuration). However the pfSense WLAN interface IP address must be different from the static IP address of any other system on your network. In particular, it must be different from the IP address of your wireless router.
    You might find http://en.wikipedia.org/wiki/IP_address helpful reading on IP addresses.

    @lonevipr:

    @wallabybob:

    When you get your IP addresses and basic wireless sorted out you will need to add firewall rules to the pfSense WLAN interface to allow downstream systems to access anything off their subnet. (The pfSense LAN interface gets a default firewall rule allowing access to anything; for security reasons other interfaces have nothing allowed.)

    I tried to already do this; I believe I created a default allow-all rule for the WLAN interface just like the LAN comes set up with. This shouldn't be the problem.

    When you change firewall rules you also need to reset firewall states - see Diagnostics -> States and click on the Reset States tab.
    If your firewall rule on the WLAN interface is too like the default LAN rule it won't work. For example, if you set the source on the WLAN rule to LAN net then nothing will match the rule and hence nothing will be allowed to pass the firewall. (No system on WLAN net should have an IP address in LAN net.) If the firewall rules are blocking internet access attempts you should see that in the firewall log: Status -> System Logs, click on the Firewall tab.
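As an added example (not from the thread, pfSense or its documentation), a small Python checker for the two pitfalls wallabybob raises here and in his earlier post: the interface address must be a host address outside the DHCP pool and distinct from the router's fixed address, and a pass rule on WLAN whose source is LAN net matches nothing. The two plans at the bottom are constructed from the addresses quoted in the thread; `check_plan` and its parameter names are this example's own.

```python
from ipaddress import ip_address, ip_interface, ip_network

def check_plan(iface_cidr, dhcp_start, dhcp_end, static_hosts, rule_source=None):
    """Return a list of problems with an interface/DHCP plan (empty list = consistent).

    iface_cidr     - pfSense interface address in CIDR form, e.g. "192.168.2.254/24"
    dhcp_start/end - first and last address of the DHCP pool served on that interface
    static_hosts   - {name: address} for devices with fixed addresses (e.g. the Netgear AP)
    rule_source    - optional source network of the pass rule on the interface
    """
    problems = []
    iface = ip_interface(iface_cidr)
    net = iface.network
    # The interface needs a host address: not the network or the broadcast address.
    if iface.ip == net.network_address:
        problems.append(f"{iface.ip} is the network address of {net}, not a host address")
    if iface.ip == net.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address of {net}, not a host address")
    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    if start not in net or end not in net:
        problems.append(f"DHCP pool {start}-{end} is not inside {net}")
    if start > end:
        problems.append(f"DHCP pool start {start} is after its end {end}")
    def in_pool(addr):
        return start <= addr <= end
    # Fixed addresses must not be handed out again by DHCP or collide with each other.
    if in_pool(iface.ip):
        problems.append(f"pfSense address {iface.ip} lies inside the DHCP pool {start}-{end}")
    for name, addr in static_hosts.items():
        host = ip_address(addr)
        if host not in net:
            problems.append(f"{name} at {host} is not in {net}")
        if host == iface.ip:
            problems.append(f"{name} at {host} collides with the pfSense interface address")
        if in_pool(host):
            problems.append(f"{name} at {host} lies inside the DHCP pool {start}-{end}")
    # A pass rule whose source is another interface's net (e.g. "LAN net") matches nothing.
    if rule_source is not None and ip_network(rule_source) != net:
        problems.append(f"pass rule source {rule_source} does not match {net}; no client will match it")
    return problems

# Constructed plans: the one described in the question, and the one suggested in the answer.
AS_POSTED = dict(iface_cidr="192.168.2.0/24", dhcp_start="192.168.2.1", dhcp_end="192.168.2.254",
                 static_hosts={"Netgear AP": "192.168.2.1"}, rule_source="192.168.1.0/24")
SUGGESTED = dict(iface_cidr="192.168.2.254/24", dhcp_start="192.168.2.100", dhcp_end="192.168.2.199",
                 static_hosts={"Netgear AP": "192.168.2.1"}, rule_source="192.168.2.0/24")

if __name__ == "__main__":
    for label, plan in (("as posted", AS_POSTED), ("suggested", SUGGESTED)):
        print(label, "->", check_plan(**plan) or ["no problems found"])
```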



  • The following screenshots would help a lot: WAN, LAN, WLAN rules and assignments (without public IP),
    and images of what you have + what you want to have. <– these images should contain IP knowledge and port knowledge.



  • Well, the good thing is I got it to work. I peeked at the pfSense book under the Wireless part in a last-ditch effort to understand what might need to be done. I'm also going to pick up the book (since I read it will be a while before the 2.0 version of the book is released).

    It talked about 2 types of wiring. One is basically running a cord from the LAN switch to the WLAN router. However this would have the WLAN technically on the LAN side, which I don't want for security reasons. I have each network (LAN, WLAN, DMZ) on their own NICs for a reason.

    Then it talked about having separate NICs for each interface (like I wanted) & mentioned bridging. It talked about having to bridge WLAN to LAN. It also mentioned that then the WLAN could run off LAN IP subnet. I guess that's doable but not what I wanted.

    After I got off work last night I tinkered with it. I did bridge WLAN to LAN, but got it to work & assign IPs to my WLAN in the 192.168.2.x range. Everything is now working like it should for my WLAN clients.

    LAN IP (PFsense)-192.168.1.1
    WLAN IP (PFsense)-192.168.2.2
    WLAN Router IP-192.168.2.1
    WLAN IP Range-192.168.2.10-192.168.2.166

    However I want to know why internet was not being passed to the WLAN clients without bridging enabled. What exactly does bridging do that wasn't happening without it enabled? I was able to see my WLAN client connected under the pfSense DHCP lease menu, but it wouldn't pass the internet to it unless bridging was enabled. Does bridging present any security problems?



  • By default any non-LAN interfaces won't have any rules to pass internet traffic; only the LAN can access any of the interfaces without rules. Take a look at the one for LAN and mirror it over to your wireless interface.

    Darkk



  • Did you bridge pfSense interfaces, or what did you do?



  • @Darkk:

    By default any non-LAN interfaces won't have any rules to pass internet traffic; only the LAN can access any of the interfaces without rules. Take a look at the one for LAN and mirror it over to your wireless interface.

    Darkk

    I did set a firewall rule for the WLAN interface similar to the LAN firewall rule. I also did the firewall filter reload option & it still would not give internet to my WLAN unless I bridged the connections.

    @Metu69salemi:

    Did you bridge pfSense interfaces, or what did you do?

    Yes, I went to Interfaces > Assign > Bridges tab. Didn't select any advanced options. Just clicked LAN & WLAN & clicked bridge & it magically worked.



  • Bridged interfaces don't usually have IPs; only the bridge has an IP address.
    Did you have an external wireless router/access point or a built-in version?



  • @Metu69salemi:

    Bridged interfaces don't usually have IPs; only the bridge has an IP address.
    Did you have an external wireless router/access point or a built-in version?

    My setup has a dedicated NIC in the pfSense box which connects to a LAN port of a dedicated wireless router (Netgear WNR3500). My router is not plugged into my LAN switch, which my desktop & PS3 are connected to. I think by bridging the connection, it fools my router into thinking that an ethernet cable is connecting my LAN switch to the router, even though they are on physically separate NIC interfaces.

    I'm thinking that maybe when you create different subnets, each subnet needs a public IP to function on its own, independent of other subnets/interfaces. I think upon initial configuration of the pfSense box it by default assigns the LAN the only public IP I have (since I'm a home user with a single IP). So that when you create various physical subnets, they have to leech internet access off a single public IP (if you only have 1, in the case of most home users like me); then you have to bridge any other subnets made to your main subnet, i.e. LAN.

    Now I did read that Comcast offers extra IP addresses to its customers. I'm sure I could purchase more IPs from Comcast (they're dynamic I heard) & then assign my WLAN a 2nd IP & it would work without being bridged.

    But as far as I'm able to see right now, with only one public IP you must bridge any additional subnets to your main interface, i.e. LAN, for additional subnets to have public internet access.



  • That is the reason NAT exists: it can handle multiple subnets into one public IP.
    So you don't have to bridge for that. Bridging is OK if you like to have some rules for that network traffic (it does go through the firewall -> it will be checked).

    Automatic outbound NAT handles that one IP address; if you like to have multiple IPs then you need manual outbound NAT.

    I'm sorry you're doing this the hard way ;)

