Pf Access Point Help



  • I just got a pf box from Netgate with an Atheros miniPCI card.  I was able to get bridging working between the LAN port and the pf hosted access point. Hosts on LAN and WIFI were able to get leases from the pf DHCP server.

    The problem started when I tried to get auth/encryption working in the pfsense access point.  No matter what settings I tried, I could never get a host to work on the wifi.  I tried WPA/WPA2/WEP, AES/TKIP, simple keys, etc.  Everything works great if I have no authentication or encryption.  I tried both with a Windows 7 desktop as well as my iPhone.  Neither could ever connect.

    Is there some trick? I've tried Google and the forums search, but haven't come across anything that works yet.

    Thanks,
    Ryan



  • @leadZERO:

    Everything works great if I have no authentication or encryption.

    That is a good start.

    Please post the output of the pfSense shell command ifconfig -a. I'll compare your current parameters with mine.

    Did you reboot your pfSense box after setting encryption parameters? I don't know if it is required with change in encryption parameters but I have found a few instances where major parameter changes seem to require a reboot to take effect.



  • So, to test, I took the bridge out of the equation and just added a static IP to the wireless AP interface and set the DHCP server to hand out leases on it.  The only thing I have to switch between these settings working and not working is to enable/disable the WPA? check box.  (And yes, I'm also resetting my host to use/not use the passphrase.)

    I tried rebooting my pf in between just to try that, same thing.

    
    ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
            ether ***
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
            status: running
    
    ath0_wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether ***
            inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0x9
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
            status: running
            ssid mixatmp channel 11 (2462 MHz 11g) bssid 00:0b:6b:23:0b:59
            country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
            AES-CCM 2:128-bit txpower 25 scanvalid 60 protmode OFF burst -apbridge
            dtimperiod 1 -dfs
    


  • Here's ifconfig output from my working system:

    
    # ifconfig -a
    ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
    	ether ***
    	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
    	status: running
    
    ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	ether ***
    	inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0xd 
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
    	status: running
    	ssid *** channel 1 (2412 MHz 11g) bssid ***
    	regdomain ROW country AU indoor ecm authmode WPA2/802.11i
    	privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
    	txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs
    #
    

    Do you change the SSID when you switch from unencrypted to encrypted mode? If not, I wonder if that confuses the clients. (I presume you aren't completely clearing the clients' memory of previous connections.) How about using a different SSID for the encrypted configuration?



  • I did try using a different SSID, same thing.  I also noticed that anytime I changed the parameters, Windows 7 noticed the change, so I doubt it's getting confused.

    Any idea what the "burst -apbridge" on mine is?



    -apbridge means (I think) that the access point does NOT act as a bridge between wireless clients.

    Other settings on my interface:

    | Setting | Value |
    | --- | --- |
    | WPA Mode | WPA2 |
    | WPA Key Management Mode | Pre-Shared Key |
    | Authentication | Open System Authentication |
    | WPA Pairwise | AES |
    | Key Rotation | 60 |
    | Master Key Regeneration | 3600 |
    | Strict Key Regeneration | unchecked |
    | Enable IEEE802.1X Authentication | unchecked |
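
The side-by-side comparison of the two ath0_wlan0 dumps that the replies do by eye, as an added example that is not part of any poster's message: a Python script that parses the 802.11 status lines and reports only the fields that differ. The keyword list is an assumption covering just the tokens that appear in those two dumps.

```python
import re
# Sample input: 802.11 status lines copied from the thread's two dumps.
FAILING = """\
ssid mixatmp channel 11 (2462 MHz 11g) bssid 00:0b:6b:23:0b:59
country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
AES-CCM 2:128-bit txpower 25 scanvalid 60 protmode OFF burst -apbridge
dtimperiod 1 -dfs
"""
WORKING = """\
ssid *** channel 1 (2412 MHz 11g) bssid ***
regdomain ROW country AU indoor ecm authmode WPA2/802.11i
privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs
"""

# Keywords followed by one value (assumed list: only tokens seen in these dumps).
VALUE_KEYS = {"ssid", "channel", "bssid", "regdomain", "country", "authmode",
              "privacy", "deftxkey", "txpower", "scanvalid", "protmode", "dtimperiod"}
SITE_SPECIFIC = {"ssid", "channel", "bssid"}   # expected to differ, not compared
KEY_SLOT = re.compile(r"\S+ \d+:\d+-bit")      # e.g. "AES-CCM 2:128-bit"

def parse_wlan(text):
    """Split ifconfig 802.11 status lines into (params, key_slots, flags)."""
    text = " ".join(re.sub(r"\([^)]*\)", " ", text).split())  # drop "(2462 MHz 11g)"
    slots = KEY_SLOT.findall(text)
    tokens = iter(KEY_SLOT.sub(" ", text).split())
    params, flags = {}, set()
    for tok in tokens:
        if tok in VALUE_KEYS:
            params[tok] = next(tokens, None)   # keyword consumes its value
        else:
            flags.add(tok)                     # bare toggle: ecm, burst, -apbridge
    return params, slots, flags

def diff_wlan(a, b):
    """Map each differing field to its (a, b) values; site-specific fields skipped."""
    (pa, sa, fa), (pb, sb, fb) = parse_wlan(a), parse_wlan(b)
    out = {k: (pa.get(k), pb.get(k))
           for k in sorted((set(pa) | set(pb)) - SITE_SPECIFIC)
           if pa.get(k) != pb.get(k)}
    if sa != sb:
        out["key_slots"] = (sa, sb)
    if fa != fb:
        out["flags"] = (sorted(fa - fb), sorted(fb - fa))
    return out

if __name__ == "__main__":
    for field, (failing, working) in diff_wlan(FAILING, WORKING).items():
        print(f"{field:10} failing={failing!r}  working={working!r}")
```

On the thread's data the WPA fields (authmode, privacy, deftxkey) come out identical; the reported differences are regdomain, country, txpower, the extra key slot 3, -apbridge and indoor.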

