Can't get it to work



  • I've just upgraded from 1.2.x to 2.0, because I had issues with my iPad (it began to refuse connections to my WLAN some days ago). Since then I somehow cannot get the wireless access to work at all.
    I'm on a Soekris board (full install on HDD though) with an Atheros mini-PCI card, and I'm using this box as router and WLAN access point. My LAN interface IP is 10.0.0.1. My WLAN interface IP is 10.0.0.7, and it is bridged with LAN.
    I'm using 802.11g and WPA2 auth; all of the client devices support WPA2.

    Symptoms: clients successfully connect to the WLAN, but are unable to transfer any data. Initially I managed to actually load a web page on my iPhone, but now (without changing configurations) just nothing will happen anymore.

    In the system logs I can see lots of these:

    Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
    Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
    Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
    Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
    Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
    Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

    Do I have to make any additional settings? What's going wrong? I basically just added a new interface, and entered all my WLAN details (IP, authentication, bridge).

    [edit] Note: I can ping e.g. my iPhone from my computer when it is connected to WLAN.
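The hostapd lines quoted in this post (and quoted again in a later reply, where the poster says they do not know what the replay-counter message means) repeat once a minute for the same station. A defender's first step is to group such messages per station and per interface, so it is clear whether one client or every client is affected and how often the group key is being rekeyed. The following parser is an added example, not code from the original thread or from pfSense/hostapd; the log sample is constructed from the lines quoted above plus one made-up second station and one unrelated line, and the `flag_stations` threshold is an assumed value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the hostapd lines quoted in this thread,
# plus one made-up station and one non-hostapd line so the filtering is visible.
SAMPLE_LOG = """\
Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:13:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
Oct 15 23:14:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Oct 15 23:14:30 hostapd: ath0_wlan1: STA 00:11:22:33:44:55 WPA: group key handshake completed (RSN)
Oct 15 23:14:31 dhcpd: unrelated line that the parser must skip
"""

# syslog timestamp, hostapd interface tag, station MAC, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) hostapd: (?P<iface>\S+): "
    r"STA (?P<sta>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) WPA: (?P<msg>.*)$"
)


def parse_hostapd(text):
    """Return a list of (timestamp, interface, station MAC, message) for hostapd WPA lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, truncated or unrelated lines
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        events.append((ts, m.group("iface"), m.group("sta").lower(), m.group("msg")))
    return events


def summarize(events):
    """Per station: completed group-key handshakes, replay-counter mismatches and the
    shortest gap between two completions (the effective GTK rekey interval in seconds)."""
    per_sta = defaultdict(lambda: {"gtk_completed": 0, "replay_mismatch": 0, "times": []})
    for ts, _iface, sta, msg in events:
        rec = per_sta[sta]
        if msg.startswith("group key handshake completed"):
            rec["gtk_completed"] += 1
            rec["times"].append(ts)
        elif "unexpected replay counter" in msg:
            rec["replay_mismatch"] += 1
    summary = {}
    for sta, rec in per_sta.items():
        t = rec["times"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
        summary[sta] = {
            "gtk_completed": rec["gtk_completed"],
            "replay_mismatch": rec["replay_mismatch"],
            "rekey_interval_s": min(gaps) if gaps else None,
        }
    return summary


def flag_stations(summary, min_mismatches=3):
    """Stations with at least min_mismatches (assumed threshold) replay-counter mismatches
    and a mismatch after every completed group-key handshake."""
    return sorted(
        sta for sta, r in summary.items()
        if r["replay_mismatch"] >= min_mismatches and r["replay_mismatch"] >= r["gtk_completed"]
    )


if __name__ == "__main__":
    summary = summarize(parse_hostapd(SAMPLE_LOG))
    for sta, rec in summary.items():
        print(sta, rec)
    print("stations to look at:", flag_stations(summary))
```

Run it against a copy of `/var/log/system.log` (or whatever file the box writes hostapd output to) instead of `SAMPLE_LOG`; a single station that mismatches on every rekey points at that client, while mismatches from every station point at the access point side.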



  • You haven't supplied the subnet mask so I'm guessing that LAN and WLAN are on the same subnet which is an invalid configuration. At a minimum you probably need to change the Type of WLAN to None.



  • I set the type to none, but it didn't help.

    What should the IP address/subnets configuration be like? My LAN interface has IP address 10.0.0.1 (no DHCP), and all LAN attached clients have IPs in the 10.0.0.x subnet.

    Should I set the WLAN interface IP address to something like 10.0.1.1 and also bridge WLAN with LAN? What should the WLAN client IP addresses be like then?



  • @soul710:

    > I set the type to none, but it didn't help.

    It might also be necessary to reboot to ensure the kernel has no memory of the previously specified IP address.

    @soul710:

    > What should the IP address/subnets configuration be like? My LAN interface has IP address 10.0.0.1 (no DHCP), and all LAN attached clients have IPs in the 10.0.0.x subnet.

    I think it is easier to use DHCP to configure clients. Most clients seem to default to DHCP and if you change something crucial (e.g. subnet details, DNS) you can adjust clients automatically by DHCP lease renewal or reboot.

    @soul710:

    > Should I set the WLAN interface IP address to something like 10.0.1.1 and also bridge WLAN with LAN? What should the WLAN client IP addresses be like then?

    If you want free access between your LAN and WLAN it is probably best to bridge your wireless and wired LANs. If you want to restrict access from any of the wireless clients (e.g. they should be able to access the internet but not the wired network) then the two interfaces should not be bridged and should have distinct IP subnets (e.g. 10.0.10.0/24 and 10.0.13.0/24). If you are using DHCP you will need a DHCP rule on the corresponding interface to pass DHCP. You will also need appropriate firewall rules on the interface that isn't called LAN in pfSense. (pfSense LAN has a default firewall rule allowing access anywhere; other interfaces have default rules blocking every access.)

    You didn't say much about what you were attempting to do when

    > clients successfully connect to the WLAN, but are unable to transfer any data

    What did the clients report?

    I don't know what

    @soul710:

    > Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

    means or its implications. My system log has an occasional message of that form but is nearly full of messages of the form

    @soul710:

    > Oct 15 23:12:08 hostapd: ath0_wlan1: STA a4:d1:d2:35:7b:a7 WPA: group key handshake completed (RSN)
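The reply above describes the non-bridged alternative: separate subnets for LAN and WLAN, a DHCP pass rule on the wireless interface, explicit rules on every interface other than LAN, and LAN keeping its default "allow anywhere" rule. The following first-match rule evaluator is an added example, not code from the thread or from pfSense; it models pfSense's evaluation order (first matching rule wins, no match means the interface's implicit block) over a constructed guest-WLAN rule set using the example subnets 10.0.10.0/24 and 10.0.13.0/24 from the reply. The interface names, firewall addresses and sample packets are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subnets, taken from the example values in the reply above.
LAN_NET = "10.0.10.0/24"    # wired LAN, firewall address assumed 10.0.10.1
WLAN_NET = "10.0.13.0/24"   # wireless clients, firewall address assumed 10.0.13.1


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    iface: str                    # interface the packet arrives on ("LAN" or "WLAN")
    proto: str                    # "any", "tcp", "udp" or "icmp"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # destination port, None = any port


# Rules are evaluated top-down, first match wins. LAN ships with a "LAN net to any"
# pass rule; a freshly added interface ships with no rules, i.e. everything is blocked.
RULES: List[Rule] = [
    # DHCP discovery comes from 0.0.0.0 to the broadcast address, so a source of
    # "WLAN net" would never match it; this is the "DHCP rule" the reply mentions.
    Rule("pass", "WLAN", "udp", "any", "any", 67),
    # keep wireless clients off the wired LAN; must sit above the catch-all pass
    Rule("block", "WLAN", "any", WLAN_NET, LAN_NET),
    # everything else: internet, and the firewall's own WLAN address as gateway/DNS
    Rule("pass", "WLAN", "any", WLAN_NET, "any"),
    # pfSense's default LAN rule
    Rule("pass", "LAN", "any", LAN_NET, "any"),
]


def _matches(spec: str, ip: str) -> bool:
    """True when spec is "any" or the address lies inside the CIDR spec."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], iface: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("block", None) when nothing matched."""
    for i, r in enumerate(rules):
        if r.iface != iface or (r.proto != "any" and r.proto != proto):
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "block", None


if __name__ == "__main__":
    # constructed sample packets: (interface, proto, src, dst, dport)
    samples = [
        ("WLAN", "tcp", "10.0.13.50", "8.8.8.8", 443),           # wireless client to internet
        ("WLAN", "tcp", "10.0.13.50", "10.0.10.20", 445),        # wireless client to a wired share
        ("WLAN", "udp", "0.0.0.0", "255.255.255.255", 67),       # DHCP discover
        ("WLAN", "udp", "10.0.13.50", "10.0.13.1", 53),          # DNS to the firewall
        ("LAN", "icmp", "10.0.10.20", "10.0.13.50", None),       # wired client pinging wireless
        ("WLAN", "tcp", "10.0.0.5", "8.8.8.8", 443),             # source outside WLAN net
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The last sample packet shows the situation a later reply in this thread describes: when the client's source address is not inside what the firewall considers "WLAN net", no pass rule matches and the interface's implicit block applies, which is why widening the source to `*` "fixed" things without explaining them.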



  • OK, I want to have the WLAN and the LAN clients in the same subnet, and able to connect to each other (e.g. file shares). Therefore I bridged LAN and WLAN, where the LAN interface IP address of the box is 10.0.0.1, and the WLAN interface (mini-PCI card) of the box has IP 10.0.0.7.

    The connection can be established on the WLAN client (e.g. laptop), but the client is unable to, for example, access the internet using 10.0.0.1 as gateway/DNS server (as all of the wired clients do). Trying to ping anything from the WLAN client will just time out all the time. I can, however, ping the WLAN client from my wired clients (I'm not using DHCP but static IPs).

    I think there might still be some firewall issue that blocks traffic to the WLAN interface. I've added a rule on the WLAN interface that permits all destinations from the WLAN net, which is 1:1 the rule that was already configured for LAN. I think I need another rule to permit traffic from LAN, WAN(?) towards the WLAN interface, but I'm unsure of what this rule should look like. A wildcard rule allowing all traffic would essentially turn off all filtering for the WLAN clients, wouldn't it?



  • Create a rule in the WLAN that allows all anywhere and see if that helps. It sounds like you have a bridging firewall with no allow rule on the WLAN interface side.



  • And after you meddle with firewall rules you should reset firewall states. See Diagnostics -> States and click on the Reset States tab.



  • Manually reset states, rebooted, no change:

    http://i55.tinypic.com/adkm5u.png

    LAN rules (unmodified):

    WLAN rule (added by me):

    Bridge:

    Any ideas?



  • Just changed the WLAN rule to:

    And things seem to work. Is this the correct configuration?



  • @soul710:

    > Just changed the WLAN rule to:

    It looks as if you merely changed the source IP in the allow rule from WLAN net to * which suggests the source IP in your traffic wasn't in WLAN net. If you are now content to have a configuration that "works", leave it alone. If you want to understand what was going on I suggest you restore the old rule, reset firewall states, attempt an Internet access from the WLAN and look in the firewall log to see what is reported for your access attempt.



  • You're missing the rule I pictured below to get wireless working. Your bridge shouldn't contain LAN, it should contain the interface that your LAN is connected to (e.g. em0, or re0, or whatever interface your LAN cable goes to). Sounds confusing but I'll post screenies so you can see my bridge setup that is working with wireless bridged to LAN. ATH0 is my wireless and RE0 is the interface that connects to my LAN.

    I have fw rules on the LAN interface only, no rules on ATH0 or RE0. Both ATH0 and RE0 interfaces are enabled with Type None. Place the Bridge DHCP Pass Rule above your LAN to Any Rule.

    ![Screen Shot 2011-10-23 at 1.53.39 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 1.53.39 AM.png)
    ![Screen Shot 2011-10-23 at 2.00.51 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 2.00.51 AM.png)
    ![Screen Shot 2011-10-23 at 2.01.21 AM.png](/public/imported_attachments/1/Screen Shot 2011-10-23 at 2.01.21 AM.png)



  • Switched to your setup. Works now, even without additional rules on the wifi device. Also I didn't need the DHCP rule as I'm using static IPs.

    Only problem was that the box (= all internet/wifi traffic) was not reachable after switching LAN interface assignment from vr0 to bridge0. Rebooting (= pulling the plug) solved this issue however.



  • I figured it out, guys.
    Thanks anyhow.

