Pf Access Point Help

leadZERO

I just got a pf box from Netgate with an Atheros miniPCI card. I was able to get bridging working between the LAN port and the pf hosted access point. Hosts on LAN and WIFI were able to get leases from the pf DHCP server.

The problem started when I tried to get auth/encryption working in the pfsense access point. No matter what settings I tried, I could never get a host to work on the wifi. I tried WPA/WPA2/WEP, AES/TKIP, simple keys, etc. Everything works great if I have no authentication or encryption. I tried both with a Windows 7 desktop as well as my iPhone. Neither could ever connect.

Is there some trick? I've tried Google and the forums search, but haven't come across anything that works yet.

Thanks,
Ryan

wallabybob

@leadZERO:

Everything works great if I have no authentication or encryption.

That is a good start.

Please post the output of the pfSense shell command ifconfig -a I'll compare your current parameters with mine.

Did you reboot your pfSense box after setting encryption parameters? I don't know if it is required with change in encryption parameters but I have found a few instances where major parameter changes seem to require a reboot to take effect.

leadZERO

So, to test, I took the bridge out of the equation and just added a static IP to the wireless AP interface and set the DHCP server to hand out leases on it. The only thing I have to switch between these settings working and not working is to enable/disable the WPA? check box. (And yes, I'm also resetting my host to use/not use the passphrase.)

I tried rebooting my pf in between just to try that, same thing.


ath0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 2290
        ether ***
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running

ath0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether ***
        inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0x9
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running
        ssid mixatmp channel 11 (2462 MHz 11g) bssid 00:0b:6b:23:0b:59
        country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
        AES-CCM 2:128-bit txpower 25 scanvalid 60 protmode OFF burst -apbridge
        dtimperiod 1 -dfs</hostap></performnud,accept_rtadv></up,broadcast,running,simplex,multicast></hostap></up,broadcast,running,simplex,multicast>

wallabybob

Here's ifconfig output from my working system:


# ifconfig -a
ath0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 2290
	ether ***
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running

ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	ether ***
	inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0xd 
	nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running
	ssid *** channel 1 (2412 MHz 11g) bssid ***
	regdomain ROW country AU indoor ecm authmode WPA2/802.11i
	privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
	txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs
#</hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast></hostap></up,broadcast,running,simplex,multicast>

Do you change the SSID when you switch from unencrypted to encrypted mode? If not, I wonder if that confuses the clients. (I presume you aren't completely clearing the clients memory of previous connections.) How about using a different SSID for the encrypted configuration?

leadZERO

I did try using a different SSID, same thing. I also noticed that anytime I changed the parameters, Windows 7 noticed the change, so I doubt it's getting confused.

Any idea what the "burst -apbridge" on mine is?

wallabybob

-apbridge means (I think) that the access point does NOT as a bridge between wireless clients.

Other settings on my interface: