Netgate Discussion Forum
    WLAN Bridging to LAN Issue?

    • heaycekz

      I can't seem to make the WLAN get internet access. I have been reading and trying out all the guides in this forum for five hours with no luck, am I missing something or is there a bug here?

      I'm using pfSense 2.1.3-RELEASE (amd64) on VMware Workstation 10.0 on a Windows 7 Professional host.

      Network interfaces:
      em0: Physical Ethernet (The WAN connection)
      em1: Loopback device (The virtual LAN connection, all Virtual Machines will connect via this port)
      run0: USB Wireless (Act as wireless Access Point with internet and link to em1)

      Things I've tried (all firewall rules any to any allowed)

      1. Assigned:
        em1:LAN with DHCP set as 10.10.1.1/24
        run0:OPT1 setup with ip set to none
        bridge0:(opt1 and lan). I stopped here and tested: all my virtual machines can get an IP and internet access, but the wireless access point is stuck obtaining an IP address.
        Then I've tried to assign the bridge0 to an OPT2 interface, enabled it with same results.

      2. Assigned:
      bridge0:LAN with DHCP set as 10.10.1.1/24
      run0:OPT1 IP set to none
      em1:OPT2 IP set to none
      bridge0:(run0 and em0)
      In this setup I can not access the internet anymore, but I CAN get the DHCP to work on all my devices and WLAN and LAN devices can not see each other.

      3. Assigned:
      em1:LAN with DHCP set as 10.10.1.1/24
      run0:OPT1 with DHCP set as 10.10.2.1/24
      bridge0:OPT1 and LAN
      Here, both the LAN and OPT1 DHCP work, but again they can't see each other and there is no internet access.

      Also played with System tunables setting:
      net.link.bridge.pfil_member 0
      net.link.bridge.pfil_bridge 1

      I've actually tried a lot more than these three I've given, but I think this is enough to cover most of it as I have only been adjusting minor settings.

      So basically the only problem is the bridging part. Is this a bug?

      *BTW, I've never bothered to reboot the system when I do changes, that's okay right?

      • stephenw10 Netgate Administrator

        The system tunable settings only get applied to the bridge when it is built so if you change them afterwards they will have no effect unless you pull down and re-build the bridge or reboot.

        You want to be using your config 2 above and have set the tunables as you've shown above (filtering moved to the bridge interface). Reboot if you set them afterwards. Make sure your firewall rules on LAN (bridge0) are allowing traffic.

        Steve

        Edit: typo

        • heaycekz

          I solved this one by repeating the steps in my first config and just rebooting the system.
          Also in Firewall, added any to any in FLOAT.

          LAN and OPT1 can see each other and they both have internet access.

          • stephenw10 Netgate Administrator

            Hmm, well I would recommend using config 2.
            If you don't assign the bridge interface but you apply the system tunables to move filtering to the bridge interface then you cannot apply firewall rules to it. You have worked around this by using a floating rule but be careful your rule isn't allowing all traffic including from the WAN!

            Steve

            • heaycekz

              @stephenw10:

              be careful your rule isn't allowing all traffic including from the WAN!

              Meaning? I can't port forward? Using the first config is a mess. Especially when I have to factory reset again when pfSense crashes. It's hard to access the webconfig in the second config.

              • stephenw10 Netgate Administrator

                Meaning that the floating rules are more powerful than the normal per-interface firewall rules. There are all sorts of ways to get it wrong and in the worst case you may end up allowing in all traffic on the WAN interface. There should be no need to use the floating rules in your configuration and doing so just opens you up to error.
                There should be no reason you can't access the webgui in the second config from any device on the em1 or run0 NICs. The default allow rule on the LAN interface should allow all traffic on the bridge and, having moved filtering to the bridge interface, that should be the only rule you need.

                If you choose not to assign the bridge interface you should not move filtering to the bridge interface and instead add rules to the LAN(em1) and OPT1(run0) interfaces.

                Show us your floating rule and we can tell you if you've opened up any inadvertent holes.

                Steve

                • heaycekz

                  Thank you for the help stephenw10, but I'm changing my configuration since the wireless USB cannot handle more than two clients. See -> https://forum.pfsense.org/index.php?topic=76778.new;topicseen#new

                  As for the floating rule, yes, I believe I have allowed all the traffic (I'm using ipv4/ipv6, protocol any*, interface source: any, dest: any). I will take note of your advice once I have bought a new PCIe GbE ethernet card.

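The review of the floating rule discussed in the posts above can be scripted against a configuration backup. This is an added example, not part of the thread and not pfSense's own code; the function name `risky_floating_rules`, the element names (taken to follow the usual `<filter>` layout of a pfSense config.xml), the interface name `wan` and the sample configuration are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread. Element names follow the usual
# layout of the <filter> section in a pfSense config.xml (an assumption here).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule>
    <type>pass</type><floating>yes</floating><interface></interface>
    <ipprotocol>inet46</ipprotocol><direction>any</direction>
    <source><any/></source><destination><any/></destination>
    <descr>allow everything</descr>
  </rule>
  <rule>
    <type>pass</type><floating>yes</floating><interface>lan,opt1</interface>
    <ipprotocol>inet46</ipprotocol><direction>any</direction>
    <source><any/></source><destination><any/></destination>
    <descr>bridge members only</descr>
  </rule>
  <rule>
    <type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default allow LAN to any rule</descr>
  </rule>
</filter></pfsense>"""


def risky_floating_rules(config_xml, wan_names=("wan",)):
    """List floating pass rules (any source, any destination) that can match
    traffic arriving on a WAN interface."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("floating", "").strip() != "yes":
            continue  # ordinary per-interface rule, not a floating rule
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded
        if rule.findtext("type", "pass").strip() != "pass":
            continue  # block/reject rules do not open anything
        if rule.findtext("direction", "any").strip() == "out":
            continue  # outbound-only rules do not admit traffic from the WAN
        if rule.find("source/any") is None or rule.find("destination/any") is None:
            continue  # source or destination is restricted
        ifaces = [i.strip() for i in rule.findtext("interface", "").split(",") if i.strip()]
        # No interface listed means the rule applies on every interface.
        if not ifaces or any(i in wan_names for i in ifaces):
            findings.append(rule.findtext("descr", "(no description)"))
    return findings


if __name__ == "__main__":
    for descr in risky_floating_rules(SAMPLE_CONFIG):
        print("floating any-to-any rule reaches WAN:", descr)
```

A rule scoped to the bridge members only (the second sample rule) is not reported, which matches the advice to keep the allow rules on the LAN-side interfaces.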
                  • stephenw10 Netgate Administrator

                    I agree with Doctornotor (on this one point at least!  :P) using a separate wifi access point will almost certainly give better throughput. However there isn't a hard limit on the number of clients with a USB wifi NIC. More likely you're hitting some sort of bandwidth limit due to the wifi signal strength. Are you in a crowded wifi area? Do you have good signal strength at each client device?
                    There are many other people using USB run(4) devices successfully.

                    Steve

                    • heaycekz

                      I'm 100% sure it's the USB wifi dongle. The clients are no more than 2 meters away from it. The strongest channel running is 13. The dongle is running on channel 1. From max 6mbps throughput going down to 4 mbps and starting to lag when the third client connects. Could be a driver issue though, but installing new drivers on pfSense is just not worth the time.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.