WI-FI AP not working in LAN



  • Good day everyone,

    Been using pfSense for a while now.  Everything was working fine.  I changed the subnet to a bigger range (255.255.255.0 to 255.255.240.0), cleaned up a few rules and no more wireless in my internal Access Point.  I put back the /24 like it was originally (LAN interface, DHCP). Everything else works. 75 internal laptops connect through DHCP (wired) on the firewall and access the internet.

    Problem:
    WI-FI not working. Authentication problems and no IP address is released.

    Description:
    I'm trying to get an internal wireless solution within the LAN for DEV site testing to work again. I tried 3 different AP routers (Cisco WAP4410N and 2 different WRT54GS with DD-WRT in AP mode).  These APs work in a different zone (WLAN) for customers.  They just don't want to work in the LAN.

    It's as simple as it gets.  My AP is connected to a switch and connected to the LAN port of the pfSense like all other computers. (not a WLAN interface)

    Wired in AP extra ports - It works if I plug into the LAN ports of the AP.  I get and get the web.

    Wireless - I see the AP, enter my password, get an authentication problem and don't get an IP. A Windows machine tells me it is authenticating and fails.

    • It used to work, I did clean up some firewall rules.

    Config:
    Running 2.0-RC3 on bare metal appliance
    firewall: 192.168.1.1 /24
    AP : 192.168.1.254 /24  (tried other free IP 192.168.1.2 /24 with no success)
    DHCP comes from Firewall.  DHCP disabled on AP devices.

    WAN subnet PUBLIC IP /29
    WLAN 192.168.111.0 /24
    DMZ 192.168.222.0 /24

    I can't seem to understand why I can't get an IP from a wireless connection when it works in the same box wired?  Can't wait to know what I'm doing wrong? A protocol I must allow in the firewall on the LAN interface?  I compare the LAN and WLAN (192.168.111.0 /24) and don't see anything different in configurations?  Don't seem to see anything in Status/System logs under the firewall or DHCP when I try to connect from the laptop…

    Thanks Ahead for your time and knowledge...

    JP



  • It looks to me as if the encryption settings in the AP and the encryption settings in the wireless client are not compatible. Hence the DHCP request from the wireless client is not able to be processed. OR you have wireless signal issues.



  • Thanks for the reply wallabybob,

    If I move the AP to another interface (same AP, same firewall - different NIC), it works. If I unplug the AP from the network.  The laptop (or iPads) connect to the AP with 'limited network' because I never get an IP.  The moment I plug the AP back in the network switch, I get this problem.  I've brought the box at my house and it works there.  Just not in the specific LAN interface???

    Could there be some sort of security setting that wouldn't allow the firewall to give an IP to the AP for the client?

    Thanks,

    JP



  • Do you have non-default firewall rules on the pfSense LAN interface? Do these rules include a block rule? Do the block rules have the Log option ticked? Do you see the DHCP requests in the pfSense firewall log (Status -> System Logs, click on Firewall tab)?

    Do you see the DHCP requests in the pfSense DHCP log (Status -> System Logs, click on DHCP tab)?



  • wallabybob,

    After another day of testing I think I will go with a WLAN interface solution that is bridged with the LAN.  Every documentation I find does it this way.  It's also, probably the right way to do it. I set one up and it works fine (haven't bridged it with the LAN yet, but I can access the WAN, say, ping www.google.com)

    em2 : LAN
    em3 : WLAN (new)
    em4 : WLAN_Clients

    I had looked at the rules once again and there are no rules on the LAN interface that could cause a problem.  Read up on the different Channels (6, 1 or 11). I noticed that I do have many wireless networks around me (business tower: DDWRT has nice tools to measure and see closest networks) but one test confirmed it all:  I took the wireless network that worked across the office (em4 : AP ping wired=.5ms / wireless=5ms from a laptop 5 feet from it) and moved it from its zone (em4) to a switch in the LAN in the server room (nothing changed on the AP side - Channel, signal, collisions and all) and my problems came back (in switch in em2 : AP ping wired =>1ms / wireless=5000ms with 80% packet loss authentication problems, from the same laptop 5 feet from it - same untouched setup).  It now seems clear that there is something with the LAN interface?  Whether I use a Dell, MacBook Pro or iPad, with the same wireless set up, I have wifi problems???

    Since everything works normally on the new WLAN (em3), I'll bridge it up with LAN tomorrow and play with a new subnet mask (probably go from a /24 to /20) and see if everything can talk well together with a machine running a static IP from the LAN (say 192.168.1.50 255.255.240.0) ?

    I'll come back and give you some news.

    Thanks again.  Your help is really appreciated.  I'm not pondering alone!



  • @jpcyrenne:

    After another day of testing I think I will go with a WLAN interface solution that is bridged with the LAN.  Every documentation I find does it this way.  It's also, probably the right way to do it.

    The "right" way depends on what you want to do. It's fine if you want to allow conversations between wireless client and LAN clients, but if you don't want to allow such conversations there is no point bridging.

    @jpcyrenne:

    I took the wireless network that worked across the office (em4 : AP ping wired=.5ms / wireless=5ms from a laptop 5 feet from it) and moved it from its zone (em4) to a switch in the LAN in the server room (nothing changed on the AP side - Channel, signal, collisions and all) and my problems came back (in switch in em2 : AP ping wired =>1ms / wireless=5000ms with 80% packet loss authentication problems, from the same laptop 5 feet from it - same untouched setup).

    I suspect if you put an AP in a server room you expose its sensitive receiver to a lot of radio signal which interferes with reception of the signal you want. Same thing if the wireless client is in the server room. You might get a better result if you ran a cable from the switch to the AP outside the server room.



  • That's what I did.  The wireless router stayed 75 feet away from server room and never moved (stayed in working environment/element).  No difference in AP exposure.  I only moved the patch cord in server room from zone port em4 to switch in em2 and back.  Weird eh?



  • Hi there !

    I have many 54GLxxx (Linksys/Cisco) with the latest DDWRT firmware.
    They are attached to my Opt1 interface - my Public Wifi access network, PfSense = 192.168.2.1 - AP1 192.168.2.2 AP2 192.168.2.3 etc etc
    I have also 54GLxxx (Linksys/Cisco) with the latest DDWRT firmware in my LAN - PfSense = 192.168.1.1 (which is default) , the AP being 192.168.1.15
    The gateway setting in the AP is (of course) 192.168.1.1 - DHCP server in the AP is set to off.
    Needless to say that I DO NOT use the "WAN" plug on the back of the 54GLxxx, but one of the four plugs of the built in switch.

    You could use one of your PCs on your LAN section to see the web interface of the AP … and use the telnet (SSH) interface to see what happens in your AP. (Note that the AP DDWRT Firmware has a bare Linux kernel, so basic commands like ifconfig etc work).

    What I didn't understand from your words is that you could put it (the AP) to work when connected to your Opt1 network.
    Connecting it to the LAN network - and the AP stops working.
    DID you change the gateway when you switched ?
    If a connection on the switch from the AP always works, but not the Wifi part, then the problem is situated in the AP.

    If I recall well, all I change to make a DDWRT AP work, is:
    Reset it. It should have a LAN IP that is 192.168.1.1 - dhcp server activated.
    Connect a PC to it - using LAN cable on the back. (NOT the WAN port).
    Change IP LAN from 192.168.1.1 to i.e. 192.168.1.2
    While you're at it, on the same page:
    Switch "Connection type" to "Disabled"
    Local IP Address = 192.168.1.2
    Mask 255.255.255.0
    Gateway 192.168.1.1 (points to pfsense)
    Local DNS : 192.168.1.1 (points to pfSense)
    Shut down its DHCP.
    (Think about using a NTP server ...)
    Validate.

    The AP should be up now. Mine is.

