Netgate Discussion Forum

    Can't get it to work

    • soul710

      I've just upgraded from 1.2.x to 2.0, because I had issues with my iPad (it began to refuse connections to my WLAN some days ago). Since then I somehow cannot get the wireless access to work at all.
      I'm on a Soekris board (full install on HDD tho) and Atheros miniPCI card, and I'm using this box as router and WLAN access point. My LAN interface IP is 10.0.0.1. My WLAN's interface IP is 10.0.0.7, and it is bridged with LAN.
      I'm using 802.11g and WPA2 auth, all of the client devices support WPA2.

      Symptoms: clients successfully connect to the WLAN, but are unable to transfer any data. Initially, I managed to actually load a webpage on my iPhone, but now (without changing configurations) just nothing will happen anymore.

      In the system logs I can see lots of those:

      Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
      Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
      Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
      Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
      Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
      Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

      Do I have to make any additional settings? What's going wrong? I basically just added a new interface, and entered all my WLAN details (IP, authentication, bridge).

      [edit] Note: I can ping e.g. my iPhone from my computer, when it is connected to WLAN.

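The repeating pair of hostapd messages quoted in the post above can be summarised per station; this is an added example, not part of the original thread. It reports how often the group key handshake completed, the spacing between completions, and whether each "unexpected replay counter" warning fell within a second of a completed handshake or stood alone. The year 2011 and the one-second window are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six hostapd lines quoted in the post above.
LOG = """\
Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) hostapd: \S+: "
    r"STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) WPA: (?P<msg>.*)$"
)


def parse(text, year=2011):
    """Yield (timestamp, station MAC, message); syslog omits the year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["sta"], m["msg"]


def summarize(text, window_s=1):
    """Per station: completed rekeys, their spacing, and where replay warnings fall."""
    done = defaultdict(list)
    after_done = defaultdict(int)  # warning within window_s of a completed handshake
    alone = defaultdict(int)       # warning with no completed handshake nearby
    for ts, sta, msg in parse(text):
        if "group key handshake completed" in msg:
            done[sta].append(ts)
        elif "unexpected replay counter" in msg:
            near = done[sta] and (ts - done[sta][-1]).total_seconds() <= window_s
            (after_done if near else alone)[sta] += 1
    return {
        sta: {
            "handshakes": len(t),
            "intervals_s": [int((b - a).total_seconds()) for a, b in zip(t, t[1:])],
            "replay_after_done": after_done[sta],
            "replay_alone": alone[sta],
        }
        for sta, t in done.items()
    }
```

For the quoted lines every warning lands in the same second as a completed handshake, and the handshakes repeat every 60 seconds.
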
      • wallabybob

        You haven't supplied the subnet mask so I'm guessing that LAN and WLAN are on the same subnet which is an invalid configuration. At a minimum you probably need to change the Type of WLAN to None.

        • soul710

          I set the type to none, but didn't help.

          What should the IP address/subnets configuration be like? My LAN interface has IP address 10.0.0.1 (no DHCP), and all LAN attached clients have IPs in the 10.0.0.x subnet.

          Should I set the WLAN interface IP address to like 10.0.1.1 and also bridge WLAN with LAN? What should the WLAN client IP addresses be like then?

          • wallabybob

            @soul710:

            I set the type to none, but didn't help.

            It might also be necessary to reboot to ensure the kernel has no memory of the previously specified IP address.

            @soul710:

            What should the IP address/subnets configuration be like? My LAN interface has IP address 10.0.0.1 (no DHCP), and all LAN attached clients have IPs in the 10.0.0.x subnet.

            I think it is easier to use DHCP to configure clients. Most clients seem to default to DHCP and if you change something crucial (e.g. subnet details, DNS) you can adjust clients automatically by DHCP lease renewal or reboot.

            @soul710:

            Should I set the WLAN interface IP address to like 10.0.1.1 and also bridge WLAN with LAN? What should the WLAN client IP addresses be like then?

            If you want free access between your LAN and WLAN it is probably best to bridge your wireless and wired LANs.  If you want to restrict access from any of the wireless clients (e.g. they should be able to access the internet but not the wired network) then the two interfaces should not be bridged and should have distinct IP subnets (e.g. 10.0.10.0/24 and 10.0.13.0/24). If you are using DHCP you will need a DHCP rule on the corresponding interface to pass DHCP. You will also need appropriate firewall rules on the interface that isn't called LAN in pfSense. (pfSense LAN has default firewall rule allowing access anywhere, other interfaces have default rules blocking every access.)

            You didn't say much about what you were attempting to do when "clients successfully connect to the WLAN, but are unable to transfer any data". What did the clients report?

            I don't know what

            @soul710:

            Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

            means or its implications. My system log has an occasional message of that form but is nearly full of messages of the form

            @soul710:

            Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)

            • soul710

              OK, I want to have the WLAN and the LAN clients in the same subnet, and able to connect to each other (e.g. file shares). Therefore I bridged LAN and WLAN, where the LAN interface IP address of the box is 10.0.0.1, and the WLAN interface (mini-pci card) of the box has IP 10.0.0.7.

              The connection can be established on the WLAN client (e.g. laptop), but the client is unable to, for example, access the internet using 10.0.0.1 as gateway/DNS server (as do all of the wired clients). Trying to ping anything from the WLAN client will just time out all the time. I can, however, ping the WLAN client from my wired clients (I'm not using DHCP but static IPs).

              I think there might still be some firewall issue that blocks traffic to the WLAN interface. I've added a rule on the WLAN interface that permits all destinations from the WLAN net, which is 1:1 the rule that was already configured for LAN. I think I need another rule to permit traffic from LAN, WAN(?) towards the WLAN interface, but I'm unsure of what this rule should look like. A wildcard rule allowing all traffic would essentially turn off all filtering for the WLAN clients, wouldn't it?

              • podilarius

                Create a rule in the WLAN that allows all anywhere and see if that helps. It sounds like you have a bridging firewall with no allow rule on the WLAN interface side.

                • wallabybob

                  and after you meddle with firewall rules you should reset firewall states. See Diagnostics -> States and click on Reset States tab.

                  • soul710

                    Manually reset states, rebooted, no change:

                    http://i55.tinypic.com/adkm5u.png

                    LAN rules (unmodified):

                    WLAN rule (added by me):

                    Bridge:

                    Any ideas?

                    • soul710

                      Just changed the WLAN rule to:

                      And things seem to work. Is this the correct configuration?

                      • wallabybob

                        @soul710:

                        Just changed the WLAN rule to:

                        It looks as if you merely changed the source IP in the allow rule from WLAN net to * which suggests the source IP in your traffic wasn't in WLAN net. If you are now content to have a configuration that "works" leave it alone. If you want to understand what was going on I suggest you restore the old rule, reset firewall states, attempt an Internet access from the WLAN and look in the firewall log to see what is reported for your access attempt.

                        • AhnHEL

                          You're missing the rule I pictured below to get wireless working. Your bridge shouldn't contain LAN, it should contain the interface that your LAN is connected to (e.g. em0, or re0, or whatever interface your LAN cable goes to). Sounds confusing but I'll post screenies so you can see my bridge setup that is working with wireless bridged to LAN. ATH0 is my wireless and RE0 is the interface that connects to my LAN.

                          I have fw rules on LAN interface only, no rules on ATH0 or RE0. Both ATH0 and RE0 interfaces are enabled with Type None. Place the Bridge DHCP Pass Rule above your LAN to Any Rule.

                          ![Screen Shot 2011-10-23 at 1.53.39 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 1.53.39 AM.png)
                          ![Screen Shot 2011-10-23 at 2.00.51 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 2.00.51 AM.png)
                          ![Screen Shot 2011-10-23 at 2.01.21 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 2.01.21 AM.png)

                          AhnHEL (Angel)

                          • soul710

                            Switched to your setup. Works now, even without additional rules on the wifi device. Also I didn't need the DHCP rule as I'm using static IPs.

                            Only problem was that the box (= all internet/wifi traffic) was not reachable after switching LAN interface assignment from vr0 to bridge0. Rebooting (= pulling the plug) solved this issue however.

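The starting and final interface layouts from this thread, checked against the two points the replies raise: wallabybob's note that LAN and WLAN should not both be addressed in the same subnet, and AhnHEL's layout in which the bridge members have Type None and LAN is assigned to the bridge. This is an added example, not pfSense code and not something posted in the thread; `lint` is a hypothetical helper and the /24 prefix is an assumption, since the subnet mask was never given.

```python
import ipaddress
from itertools import combinations

# bridge0 and vr0 are named in the post above; ath0_wlan1 is the name in the hostapd log.
BRIDGES = {"bridge0": ["vr0", "ath0_wlan1"]}
# Starting layout: LAN (vr0) and WLAN both addressed, then bridged. /24 is assumed.
BEFORE = {"vr0": "10.0.0.1/24", "ath0_wlan1": "10.0.0.7/24", "bridge0": None}
# Final layout: members have Type None, LAN is assigned to bridge0.
AFTER = {"vr0": None, "ath0_wlan1": None, "bridge0": "10.0.0.1/24"}


def lint(interfaces, bridges):
    """Return findings for {name: 'addr/len' or None} and {bridge: [member names]}."""
    findings = []
    addressed = {n: ipaddress.ip_interface(c) for n, c in interfaces.items() if c}
    # Check 1: two addressed interfaces must not sit in overlapping subnets.
    for (a, ia), (b, ib) in combinations(sorted(addressed.items()), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"{a} and {b} are both addressed in {ia.network}")
    # Check 2: a bridge member should carry no address of its own.
    for bridge, members in bridges.items():
        for m in members:
            if m in addressed:
                findings.append(
                    f"{m} is a member of {bridge} but has address {addressed[m].ip}"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(cfg, BRIDGES) or "no findings")
```
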
                            • en1gma

                              I figured it out guys
                              thanks anyhow
