Computers on other side of wireless bridge on LAN network cannot access WAN

  • Hi,
    I have a simple pfSense setup with a single WAN and LAN with NAT. I've recently extended the LAN to another building by means of a wireless bridge. But clients on the other side of the wireless bridge cannot access the WAN network. They can access the pfSense box.

    This doesn't make sense to me, it is beyond my understanding.

    It would almost seem that the firewall is blocking them, but they are on the same subnet (The wireless is a bridge, not routed).

    Does anyone have any ideas?

    I think it may be to do with the way the wireless bridge messes with mac addresses. But it is odd that the clients can access everything internally and the pfSense box, but not outside.

    Any pointers, more information I can give, or things I could try?

    Running pfSense 2.0.1
    Wireless bridge is set up using an Access Point on one end and an Access Point in Client mode on the other end. This was preferred to WDS because of security and the fact that I couldn't get WDS to work :)

  • @kartweel:

    I think it may be to do with the way the wireless bridge messes with mac addresses.

    How does the wireless bridge mess with mac addresses?

    What is the brand and model of the bridge? Does it have some sort of filtering capability? If so, maybe it is not configured correctly for your environment?

  • They are TP-LINK WA701N

    I got it working. yay! Thanks for your help, I was focussing on pfSense instead of the bridge.

    There was a little checkbox on the client end of the bridge with "Enable WDS" and the explanation as

    "The AP client can connect to AP with WDS enabled or disabled. If WDS is enabled, all traffic from wired networks will be forwarded in the format of WDS frames consisting of four address fields. If WDS is disabled, three address frames are used. If your AP supports WDS well, please enable this option."

    It seems that extra address frame is what it needed :)

  • I've used a similar 802.11n TP-Link wireless access point and it also had that.  They call it WDS in the configuration, but others prefer to call it 4 address frame mode to distinguish it from what is typically called WDS.  It transmits an additional MAC address in the packets that allows bridging to work, but the access point on the other end must support it (and accept it).  The great thing about this mode is that it works with WPA/WPA2 and I think anything else that exists or will exist, since it is simply a normal connection with additional data in the packet headers (or something like that).  This particular mode is a Linux implementation and is compatible with any Linux-based device that uses it (I've used this mode to make a bridge with a TP-Link TL-WA901ND and another AP running OpenWrt, for example).  FreeBSD has a similar mode, but I've heard it is incompatible with the Linux implementation, unfortunately (so if pfSense eventually supports it, it will only work with other FreeBSD-based devices and not Linux-based devices).
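
The three-address versus four-address frame formats discussed in this thread, as an added example that is not from any of the posters: it builds and parses minimal 802.11 data-frame headers to show which address fields exist for a frame sent by the client-mode radio on behalf of a wired host. The MAC addresses and function names are constructed for illustration.

```python
# Added example; MAC addresses are constructed (locally administered) values.
AP, CLIENT_RADIO = "02:00:00:00:00:01", "02:00:00:00:00:02"
WIRED_HOST, GATEWAY = "02:00:00:00:00:aa", "02:00:00:00:00:fe"

def to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def to_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_header(to_ds, from_ds, a1, a2, a3, a4=None) -> bytes:
    """Build a minimal 802.11 data-frame MAC header (no QoS field, no payload)."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = bytes([0x08, flags]) + b"\x00\x00"      # frame control (type=data), duration
    hdr += to_bytes(a1) + to_bytes(a2) + to_bytes(a3) + b"\x00\x00"  # addr1-3, seq ctrl
    return hdr + (to_bytes(a4) if a4 else b"")    # addr4 only in 4-address frames

def parse_header(frame: bytes) -> dict:
    """Map the address fields to receiver/transmitter/destination/source."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    if (frame[0] >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = (to_text(frame[i:i + 6]) for i in (4, 10, 16))
    out = {"receiver": a1, "transmitter": a2, "addresses": 3}
    if to_ds and from_ds:                         # 4-address ("WDS") frame
        if len(frame) < 30:
            raise ValueError("4-address frame without addr4")
        out.update(addresses=4, destination=a3, source=to_text(frame[24:30]))
    elif to_ds:                                   # station -> AP: source IS the transmitter
        out.update(destination=a3, source=a2)
    elif from_ds:                                 # AP -> station: destination IS the receiver
        out.update(destination=a1, source=a3)
    else:                                         # ad hoc / direct
        out.update(destination=a1, source=a2)
    return out

def uplink(four_address: bool) -> dict:
    """Frame from the client-mode radio to the AP, carrying WIRED_HOST -> GATEWAY traffic."""
    if four_address:
        return parse_header(build_header(True, True, AP, CLIENT_RADIO, GATEWAY, WIRED_HOST))
    # Three addresses: there is no field left for the wired host's own MAC.
    return parse_header(build_header(True, False, AP, CLIENT_RADIO, GATEWAY))

if __name__ == "__main__":
    for mode in (False, True):
        print("4-address" if mode else "3-address", uplink(mode))
```

In the three-address case the only source the far side can see is the client radio's MAC; the four-address header carries the wired host's MAC in its own field.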
