Infrastructure BSS works with no encryption and WEP, not WPA…
-
(pfSense driven Atheros WLAN client using BSS mode) -----> "WiFi_Net" wireless network AP, wired to -----> Local Area Network (LAN)
On the LAN also exists another pfSense box that is the Internet router, serving DHCP to LAN clients.
I've been testing with BSS mode to have the Atheros card (I renamed the interface "WLAN") act as a client to a wireless network called "WiFi_Net".
With no encryption, and WEP, the pfsense box with the Atheros card (WLAN), the interface picks up an IP address from the DHCP server (another pfsense box, which does not manage the wireless network "WiFi_Net", it just exists on the LAN... wired network).
When I enable WPA on the wireless network "WiFi_Net", (particularly WPA2 TKIP and WPA2 AES, I tried both), I see the dhcp request from the Atheros WLAN client hit the DHCP server pfsense box on the LAN / wired network. Then the pfsense box on the LAN / wired network replies and tries to hand off an IP address to the Atheros (WLAN client). I don't think that the Atheros WLAN client ever receives the DHCP reply from the server and it looks like it drops its wireless association at this point. I also tried a static IP on the atheros interface "WLAN", no luck, (while testing with WPA2 TKIP / AES).
Does anyone have any thoughts or experience here? Thank you.
-
If you haven't already done so I suggest you try a pfSense 2.1 snapshot build since it has much more up to date device drivers than the pfSense 2.0.x series.
-
I will give this a shot tonight and report back.
Thx!
-
So I left 2.0.2 nanobsd and jumped to pfSense-2.1-BETA1-4g-i386-nanobsd-20130208-0538.
For the record, the settings that I filled or modified only, on the WLAN (atheros) adapter:
Description: WLAN
IPv4 Configuration Type: DHCP
Standard: 802.11g
Mode: Infrastructure (BSS)
SSID: WiFi_Net
Enable WPA: checked
WPA Mode: WPA2
WPA Pre-shared Key: secret
WPA Pairwise: AES
Using DHCP on the WLAN adapter (atheros), I am able to connect with no encryption and WEP (same as 2.0.2). As soon as I apply WPA (in this case WPA2 w/ AES), the connection actually gets an IP address now via DHCP, and I can ping a wired host via the wireless connection (while logged into pfsense 2.1.x via ssh) about 6 times, then it drops out for another 12, then successful 6, then drop out for 12 consistently.
Using a static IP address on the WLAN adapter (atheros), in my case I just used the same IP that the DHCP server was providing me, the connection remains up permanently.
Going back to DHCP has the same negative result as above.
Here are some system logs from /var/log/system.log, an example of a successful connection using WEP, and a partially successful connection w/ WPA.
Successful connection with WEP:
```
Feb 8 15:29:41 kypf kernel: ath0_wlan0: link state changed to UP
Feb 8 15:29:42 kypf dhclient: PREINIT
Feb 8 15:29:42 kypf dhclient: Starting delete_old_states()
Feb 8 15:29:42 kypf dhclient: Comparing Routers: Old: New:
Feb 8 15:29:42 kypf dhclient[12504]: DHCPDISCOVER on ath0_wlan0 to 255.255.255.255 port 67 interval 1
Feb 8 15:29:43 kypf dhclient[12504]: DHCPOFFER from 192.168.85.1
Feb 8 15:29:43 kypf dhclient: ARPSEND
Feb 8 15:29:45 kypf dhclient: ARPCHECK
Feb 8 15:29:45 kypf dhclient[12504]: DHCPREQUEST on ath0_wlan0 to 255.255.255.255 port 67
Feb 8 15:29:45 kypf dhclient[12504]: DHCPACK from 192.168.85.1
Feb 8 15:29:45 kypf dhclient: BOUND
Feb 8 15:29:45 kypf dhclient: Starting delete_old_states()
Feb 8 15:29:45 kypf dhclient: Comparing Routers: Old: New: 192.168.85.1
Feb 8 15:29:45 kypf dhclient: Removing states through old gateway '' (new gateway '192.168.85.1')
Feb 8 15:29:45 kypf dhclient: Starting add_new_address()
Feb 8 15:29:45 kypf dhclient: ifconfig ath0_wlan0 inet 192.168.85.167 netmask 255.255.255.0 broadcast 192.168.85.255
Feb 8 15:29:45 kypf dhclient: New IP Address (ath0_wlan0): 192.168.85.167
Feb 8 15:29:45 kypf dhclient: New Subnet Mask (ath0_wlan0): 255.255.255.0
Feb 8 15:29:45 kypf dhclient: New Broadcast Address (ath0_wlan0): 192.168.85.255
Feb 8 15:29:45 kypf dhclient: New Routers (ath0_wlan0): 192.168.85.1
Feb 8 15:29:45 kypf dhclient: Adding new routes to interface: ath0_wlan0
Feb 8 15:29:45 kypf dhclient: /sbin/route add default 192.168.85.1
Feb 8 15:29:45 kypf dhclient: Creating resolv.conf
Feb 8 15:29:45 kypf dhclient[12504]: bound to 192.168.85.167 -- renewal in 3600 seconds.
```
Failed attempt using WPA:
```
Feb 8 23:13:28 pfSense check_reload_status: Linkup starting ath0_wlan0
Feb 8 23:13:28 pfSense kernel: ath0_wlan0: link state changed to UP
Feb 8 15:13:28 pfSense dhclient: PREINIT
Feb 8 15:13:28 pfSense dhclient: Starting delete_old_states()
Feb 8 15:13:29 pfSense dhclient: Comparing IPs: Old: New:
Feb 8 15:13:29 pfSense dhclient: Comparing Routers: Old: New:
Feb 8 15:13:29 pfSense dhclient[2487]: DHCPREQUEST on ath0_wlan0 to 255.255.255.255 port 67
Feb 8 15:13:29 pfSense dhclient[2487]: DHCPACK from 192.168.85.1
Feb 8 15:13:29 pfSense dhclient: REBOOT
Feb 8 15:13:29 pfSense dhclient: Starting delete_old_states()
Feb 8 15:13:29 pfSense dhclient: Comparing IPs: Old: New: 192.168.85.167
Feb 8 15:13:29 pfSense dhclient: Comparing Routers: Old: New: 192.168.85.1
Feb 8 15:13:29 pfSense dhclient: Removing states through old gateway '' (new gateway '192.168.85.1')
Feb 8 15:13:29 pfSense dhclient: Starting add_new_address()
Feb 8 15:13:29 pfSense dhclient: ifconfig ath0_wlan0 inet 192.168.85.167 netmask 255.255.255.0 broadcast 192.168.85.255
Feb 8 15:13:30 pfSense dhclient: New IP Address (ath0_wlan0): 192.168.85.167
Feb 8 15:13:30 pfSense dhclient: New Subnet Mask (ath0_wlan0): 255.255.255.0
Feb 8 15:13:30 pfSense dhclient: New Broadcast Address (ath0_wlan0): 192.168.85.255
Feb 8 15:13:30 pfSense dhclient: New Routers (ath0_wlan0): 192.168.85.1
Feb 8 15:13:30 pfSense dhclient: Adding new routes to interface: ath0_wlan0
Feb 8 15:13:30 pfSense dhclient: Creating resolv.conf
Feb 8 15:13:31 pfSense dhclient[2487]: bound to 192.168.85.167 -- renewal in 3600 seconds.
Feb 8 23:13:31 pfSense check_reload_status: rc.newwanip starting ath0_wlan0
Feb 8 15:13:33 pfSense dhclient[14254]: Interface ath0_wlan0 is down, dhclient exiting
Feb 8 23:13:33 pfSense kernel: ath0_wlan0: link state changed to DOWN
Feb 8 15:13:33 pfSense dhclient: FAIL
Feb 8 15:13:33 pfSense dhclient: Starting delete_old_states()
Feb 8 15:13:33 pfSense dhclient: Comparing IPs: Old: New:
Feb 8 15:13:33 pfSense dhclient: Comparing Routers: Old: New:
Feb 8 15:13:33 pfSense dhclient[6901]: connection closed
Feb 8 15:13:33 pfSense dhclient[6901]: exiting.
Feb 8 15:13:33 pfSense ntpd_intres[83446]: host name not found: 0.pfsense.pool.ntp.org
Feb 8 15:13:35 pfSense php: : DEVD Ethernet attached event for opt2
Feb 8 15:13:36 pfSense php: : HOTPLUG: Configuring interface opt2
Feb 8 15:13:37 pfSense php: : rc.newwanip: Informational is starting ath0_wlan0.
Feb 8 15:13:37 pfSense php: : rc.newwanip: on (IP address: ) (interface: opt2) (real interface: ath0_wlan0).
Feb 8 23:13:37 pfSense check_reload_status: Updating all dyndns
Feb 8 15:13:37 pfSense php: : rc.newwanip: Failed to update opt2 IP, restarting...
Feb 8 23:13:37 pfSense check_reload_status: Restarting ipsec tunnels
Feb 8 23:13:37 pfSense check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 8 23:13:37 pfSense check_reload_status: Reloading filter
Feb 8 23:13:37 pfSense check_reload_status: Configuring interface opt2
Feb 8 15:13:38 pfSense dhclient[26884]: dhclient already running, pid: 23809.
Feb 8 15:13:38 pfSense dhclient[26884]: exiting.
Feb 8 15:13:38 pfSense php: : The command '/sbin/dhclient -c /var/etc/dhclient_opt2.conf ath0_wlan0 > /tmp/ath0_wlan0_output 2> /tmp/ath0_wlan0_error_output' returned exit code '1', the output was ''
Feb 8 15:13:40 pfSense ntpd_intres[83446]: host name not found: 0.pfsense.pool.ntp.org
```
In the successful WEP sequence /w DHCP, the dhclient log entry says BOUND.
In the failed WPA sequence /w DHCP, the dhclient log entry says REBOOT.
Any thoughts guys? Thanks.
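An added example, not part of the post above: a small Python check that scans a system.log excerpt for DHCP leases that were lost before their renewal time, which is the pattern in the WPA log. The sample lines are copied from the two logs in the post; the function name, the returned field names and the year 2013 (syslog lines carry no year) are assumptions of this example.

```python
import re
from datetime import datetime

# Sample lines copied from the WPA and WEP logs in the post above.
WPA_LOG = """\
Feb 8 23:13:28 pfSense kernel: ath0_wlan0: link state changed to UP
Feb 8 15:13:29 pfSense dhclient[2487]: DHCPACK from 192.168.85.1
Feb 8 15:13:31 pfSense dhclient[2487]: bound to 192.168.85.167 -- renewal in 3600 seconds.
Feb 8 15:13:33 pfSense dhclient[14254]: Interface ath0_wlan0 is down, dhclient exiting
Feb 8 23:13:33 pfSense kernel: ath0_wlan0: link state changed to DOWN
"""
WEP_LOG = """\
Feb 8 15:29:41 kypf kernel: ath0_wlan0: link state changed to UP
Feb 8 15:29:45 kypf dhclient[12504]: DHCPACK from 192.168.85.1
Feb 8 15:29:45 kypf dhclient[12504]: bound to 192.168.85.167 -- renewal in 3600 seconds.
"""

# Only dhclient lines are parsed: in the WPA log the kernel and
# check_reload_status lines are stamped eight hours apart from the dhclient
# lines, so timestamps are compared within one process only.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhclient(?:\[\d+\])?: (.*)$")
BOUND = re.compile(r"bound to (\S+) -- renewal in (\d+) seconds")
DOWN = re.compile(r"Interface (\S+) is down, dhclient exiting")


def find_dropped_leases(log_text, year=2013):
    """Return one dict per lease that dhclient lost before its renewal time."""
    drops, lease = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a dhclient line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        bound, down = BOUND.search(msg), DOWN.search(msg)
        if bound:
            lease = {"ip": bound.group(1), "renewal": int(bound.group(2)), "at": ts}
        elif down and lease:
            held = int((ts - lease["at"]).total_seconds())
            if held < lease["renewal"]:
                drops.append({"iface": down.group(1), "ip": lease["ip"],
                              "held_seconds": held, "renewal": lease["renewal"]})
            lease = None  # the lease is gone either way
    return drops


if __name__ == "__main__":
    for drop in find_dropped_leases(WPA_LOG):
        print(drop)
```

On the WPA excerpt this reports a lease on ath0_wlan0 held for 2 seconds out of a 3600 second renewal interval; the WEP excerpt produces no findings.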
-
I'm having the same issue. I'm on 2.0.2 with an Atheros card in BSS mode. WPA or WPA2 I get associated but it will not grab the DHCP address which is offered to it. Conversely if I set it static and configure a static gateway it will not pass traffic either (ping 8.8.8.8 to wireless interface inside pfsense GUI.) It shows the gateway 'offline'.
Help.
-
Have you tried a pfSense 2.1 snapshot build?
-
No I haven't because:
A. This is in a production environment so I'm concerned about running a beta version.
B. I thought that wm408 tried that and it didn't resolve it. However I reread his post and see that once he set it to static the issue was resolved.
I might build a test box and try it. I have several in stock so it shouldn't take long. What has changed in the beta that resolves the issue?
-
fthomasr: So you're pinging from the pfSense gui, 8.8.8.8?
Oh… Make sure your system's default gateway is the gateway you use for the BSS (Infrastructure) adapter.
If you have WAN also... (the default)... your searches for 8.8.8.8 will go through the WAN.
Go to: System > Routing > Gateways and make sure the gateway that you added when you configured the WLAN adapter is set as the system's "default gateway".
I suggest in a production environment to have two separate storage media; if you use Compact Flash, get another one to test with so that you can jump back to your production with little work.
I jumped between some of the nightlies and there were some errors during boot up that were not so good.
I am running:
2.1-BETA1 (i386)
built on Wed Feb 13 16:46:23 EST 2013
And it has been stable, I think there's a newer version but I will wait a while before I upgrade. :)
With these beta builds, I've found a bad problem where if I try to do BSS (infrastructure) to link to a remote wireless network, and then also run a second interface on the same physical wireless adapter (atheros) as an Access Point (AP), during boot up, the process gets stuck trying to load the second, virtual interface adapter, and essentially bricks the install. So keep an eye out for that if you had any plans to do that, as I am NOT doing that right now.
-
Yes ping from pfSense GUI.
I don't want the default gateway to be the WWAN. The WWAN is to be used for failover only.
The pings to 8.8.8.8 should not go through the WAN as I am choosing interface WWAN and it has its own defined Gateway.
-
Yes but, pfSense GUI (or BSD for that matter) doesn't know to choose that. It assumes the system gateway to be the default if you have not changed it.
I suggest looking at the output of just typing "ping" or "traceroute", (or google), there are options to define: Through what INTERFACE should my ping/traceroute travel through.
Or, if you want to test your failover, and it is configured properly… try physically disconnecting the WAN and see if the traffic properly goes down the WWAN.
-
What has changed in the beta that resolves the issue?
The more up to date device drivers MIGHT resolve the issue.
-
There's a twist. Because the router is in a production environment I decided to backup its configuration and restore it to an exact same model unit that I have in stock with the same firmware 2.0.1. I restored the config and it connected with DHCP with no issues to an access point I have at my office. Same Atheros wifi card, same Alix board, etc.
Differences between them since it doesn't seem to be pfSense:
At the customer site the access point is a Linksys WRT54GL with Tomato firmware with DHCP server on the access point.
At my office (where it works) is an old Buffalo WLAG54 also with Tomato firmware but DHCP is provided by my Windows server.
Same WiFi security on both, Personal WPA2 with AES, with different shared keys of course.
So it's either the difference in access point radios, version of Tomato, or DHCP (which is the least plausible since it wouldn't work with a static IP either.)
My next step is to take my test build to the site just to make sure it behaves the same and fails to connect to the Linksys… Also wm408 what access point model are you connecting to?
-
Hey fthomasr:
Two cases: One of the access points was a Linksys E3000, the other was a Ruckus Wireless, (I don't know the model).
Both cases dumped me upon DHCP renewal between client (the pfsense box) and server (the remote AP(s)).
Only Static worked for me.
-
Ok so I took my lab router over to the site and it also could not connect to the WRT54GL no matter what WiFi security settings I tried (also DHCP or Static), despite being associated each time. I upgraded to 2.1 beta and tried DHCP. Just as wm408 no connection either. Also just as wm408 found the connection worked only with a static. This was fine for me as that's what I wanted in the end.
Thanks wm408 for starting this thread and posting your findings. It was helpful for me.
-
fthomasr:
Cool! Yeah I have one set up at my office now this way. Works good for me, I just wire to the router/nearby switch, (no wifi from my laptop).
Watch out for virtual interfaces on the same WiFi adapter. When I tried to make it an AP (with the BSS bridge), the Atheros I am using gets stuck on loading the interface during the boot sequence, bricking the router essentially. Heads up anyways.
Hopefully that gets worked on someday too.