Wifi and LAN on same subnet (SOLVED)




  • SOLVED:  Here is the solution so you don't have to read all the pages:

    Got to give the Credit to "Derelict" for getting this working!  Thanks!!!

    This is to set up a WiFi card on the same subnet.

    Here are the Steps. (After you get a pfsense box up and running, connected to the internet.)

    (I set up my LAN to 10.10.0.99 before I started this so when I got done my gateway would be 10.10.0.1.) Remember after changing the LAN IP you'll need to change your browser address to get back in on the webConfigurator.

    (I renamed Opt1 and Opt2. You don't have to.)

    1. Shut down, install WiFi card (Card is on the recommended list of cards that work with Pfsense)
    2. Interfaces > Added WiFi card (Opt1) renamed it to WiFi. > Setup WiFi settings.
    3. Interfaces > WiFi > Allow intra-BSS communication > Check Box. < For WiFi devices to talk to each other
    4. Interfaces > Assign > Bridges > Created a Bridge > Renamed it to Bridge > Selected LAN and WiFi
    5. Interfaces > Added new Interface > Opt2 > Renamed to Bridge > Network Port = Bridge > IPv4 Configuration Type = Static IPv4 > IPv4 address = 10.10.0.1/24
    6. Services > DHCP Server > Turned on DHCP for Bridge > Enabled > Set Range. (No DHCP on LAN or WiFi)
    7. Firewall > Rules > Added New Rule > Interface > LAN > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    8. Firewall > Rules > Added New Rule > Interface > WiFi > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    9. Firewall > Rules > Added New Rule > Interface > Bridge > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    10. Interfaces > LAN > IPv4 Configuration Type = None  > IPv6 Configuration Type = None
    11. Interfaces > WiFi > IPv4 Configuration Type = None  > IPv6 Configuration Type = None

    My Configuration:

    Old:

    WAN > DHCP
    LAN > 10.10.0.99 >( Changed from .1 to .99 so when I finished it would be 10.10.0.1) > (Bridge becomes 10.10.0.1)

    New:

    WAN > DHCP
    LAN >
    WiFi >
    Bridge > 10.10.0.1> DHCP

    Again Thanks Derelict.


    Hi, 
    I need some help with this… First I know I need a Bridge. That's not an issue.

    My Setup.

    Pfsense

    WAN = DHCP from provider
    LAN = Static 10.10.0.1
    WiFi = Static 10.10.0.2
    Opt2 - Static 10.10.0.3

    1. I created new Interface Opt2
    2. Activated Opt2 and Setup the IP address for Opt2
    3. Created DHCP on Opt2
    4. Created a Bridge
    5. I edited Bridges and selected LAN and WiFi
    6. Made sure DHCP was Deactivated on LAN and WiFi
    7. Added Firewall Rule = Source = Bridge Net and the rest was Any
    8. Under Interfaces I made sure Opt2 network port Bridge was selected
    9. Under System Tunables I set net.link.bridge.pfil_member > 0

    I can connect via WiFi and get an IP address with no problem. But that's about it.
    DHCP gave me an IP address of 10.10.0.41, but I can't ping anything and it says my gateway is 10.10.0.3

    Anyone got any suggestions why this doesn't work? Or did I miss something?

    Thanks,
    Rick


  • Netgate

    All of your interfaces are on the same subnet.

    Remove the IP addresses from the bridge member interfaces.

    You will then need to set one interface address on BRIDGE0 instead.

    You will need pass any any any rules on the bridge members and normal LAN rules on BRIDGE0.

    Why are you messing with OPT2?  Do you want it to be a member of the bridge too?

    It looks like you want two interfaces.  BRIDGE0 (members LAN and WiFi) and OPT2.  If that's not the case please be more specific.

    Or are you trying to make your BRIDGE0 named OPT2?



  • I've done that and I can't access the web gui on the pfsense box.



  • I had it setup like this:

    WAN = DHCP from provider
    LAN = NONE
    WiFi = NONE
    Opt2 = 10.10.0.3

    Under bridge I Linked it to LAN and WIFI.

    I ended up locking myself out and still couldn't ping pfsense box. I was still able to connect to WiFi but go nowhere.


  • Netgate

    Done what?

    You will need pass any any any rules on the bridge members and normal LAN rules on OPT2 (assigned to BRIDGE0).

    You lose the benefit of the auto lockout rule when you stray from the normal LAN so you'll need to figure out how to add the right rules.

    Create a bridge containing only WiFi as a member.  Make sure it has all the rules you need.  See if you can get at pfSense over Wi-Fi, then add LAN to the bridge and make sure it has all the right rules.

    If you have another interface make it management and plug into it to make changes to the LAN bridge.

    Something.



  • Sorry kind of new to this.

    You will need pass any any any rules on the bridge members and normal LAN rules on BRIDGE0. > Not sure what you're asking me to setup here.

    Why are you messing with OPT2?  Do you want it to be a member of the bridge too? > Do I need to edit the bridge and add Opt2 so then LAN, WIFI, and Opt2 will be attached to the Bridge0?



  • Here are some of my settings

    ![Assign network ports.png](/public/imported_attachments/1/Assign network ports.png)







  • Other settings







  • Netgate

    @Rickinfl:

    Why are you messing with OPT2?  Do you want it to be a member of the bridge too? > Do I need to edit the bridge and add Opt2 so then LAN, WIFI, and Opt2 will be attached to the Bridge0?

    If that's what you want, yes.

    In a bridge there are two sets of firewall rules that dictate what traffic can pass into the bridge.  First is on the bridge members themselves.  These are typically pass any any any.

    Second is on the bridge itself.  This is the actual bridge interface that gets assigned an IP address, runs DHCP, etc.  These rules are just like the rules on a typical LAN interface.


  • Netgate

    I think you want to remove OPT2 from the bridge membership.  OPT2 is a bridge interface consisting of LAN and WIFI.



    Well I'm a little confused now since you asked me about Opt2.  I got the information from a post on here and followed it.  Question I have now is do I need Opt2?

    Here is what this guy posted and I followed. Maybe this is wrong?

    Finally I got it working but it was a hard piece of trial and error.

    1. create a new interface -> Opt2
    2. Setup the interface IP for Opt2 (interfaces ->Opt2) and change the name if you want
    3. Setup the DHCP Server for Opt2
    4. Create a "Source=Bridge subnet; rest=any" Firewall rule for Opt2
    5. create a bridge: Interfaces -> Bridges, and select LAN and Wifi
    6. Select the Bridge as "Network port" for Opt2; Interfaces -> assign
    7. Deactivate the DHCP server of LAN and Wifi
    8. Set the Type of LAN and Wifi to "None"

    Now your LAN and Wifi clients should get an IP from the DHCP server configured for Opt2 and these clients should be able to access the internet.

    But they are currently not able to access each other WLAN <-> LAN.

    To solve that I added two rules for the Firewall:
    1. LAN: Source=Bridge subnet; rest = any
    2. WLAN: Source= Bridge subnet; rest=any

    Instead of adding these two rules you can also change the value at : System -> Advanced -> System Tunables -> net.link.bridge.pfil_member -> "0"

    At that point my clients were able to ping each other and also wake on LAN from my tablet to a PC was working.

    If you have any hints what i can do better on my configuration feel free to let me know.
    « Last Edit: May 21, 2012, 04:28:12 pm by nimanic »


  • Netgate

    5. create a bridge: Interfaces -> Bridges, and select LAN and Wifi

    You selected LAN, WIFI, and OPT2, not LAN and WIFI.

    Change that and if you did everything else it should work.



  • Still not working.




  • This is a fresh Install of Pfsense. I've connected to it so it has internet access.

    Maybe if someone could give me the instructions on how to do this from start.

    Here is all I want.

    Pfsense on 10.10.0.1
    Wifi on 10.10.0.2

    Pretty simple. I must have gotten something messed up.


  • Netgate

    The instructions you already posted look pretty good.

    Typical debugging should probably be done.

    Do you get DHCP on the WIFI port?  On the LAN port?
    Can you ping the OPT2 address from the WIFI port?  From the LAN port?
    Can you ping the next hop gateway from the WIFI port?  From the LAN port?
    Can the Hosts on LAN ping the hosts on WIFI?  Vice versa?
    What DNS is being handed out to the DHCP clients?  Is that the DNS server actually in use by the clients? Can you resolve names using that address?
    Etc.



  • I am of the mind that things could be done easier in pfSense for the creation of bridges and wireless access points. I have considered requesting forum help for a wireless setup wizard, using something like what pfSense includes now at initial setup in WebConfigurator. I know everybody hates wizards but the pfsense setup wizard is easy enough to click through. I would like to see enhanced functionality with it. Is this something that seems logical to anyone else? I hate doing the cable swap for bridge creation but it works..

    A suggestion for help is disable the firewall from Advanced Settings on the Menu. It will prevent lockout until you figure out what is what. And I know I hate re-imaging my CF card, so I do the restore last backup from console to save time on lockouts when I was learning. pfsense automatically saves backups at each settings change it seems. Very convenient.



  • Yes I'll have to do some debugging. Just keep cutting myself out.

    Do you get DHCP on the WIFI port?  On the LAN port? WiFi yes. Not sure about LAN since I static those.

    Can you ping the OPT2 address from the WIFI port?  From the LAN port? I can't ping anything but the wifi device I'm testing with

    Can you ping the next hop gateway from the WIFI port?  From the LAN port? No same as above.

    Can the Hosts on LAN ping the hosts on WIFI?  Vice versa? No. It's like the bridge blocks everything and isolates the wifi.

    What DNS is being handed out to the DHCP clients?  Is that the DNS server actually in use by the clients? Can you resolve names using that address? Even static with DNS still doesn't work.

    I'm going to have to do more research on this and try and break it down piece by piece and see what's going on. I've been driving myself crazy trying to figure this out. I know on paper it's right and I drew it out many times then applied it.

    Just strange.

    Thanks for all your time and help.

    Rick


  • Netgate

    What firewall rules are on LAN and WIFI?

    Does anyone know for sure that the xl driver still works?

    Do you get DHCP on the WIFI port?  On the LAN port? WiFi yes. Not sure about LAN since I static those.

    Can you try?  If you can get DHCP (and have ARP, etc) then it's not a layer2 problem and we really need to look at rules.



  • Wow… Someone really needs to document how to do this!  Need Documentation on Normal setup of WiFi and then WiFi on the Same Subnet.

    I've been researching this for almost 2 weeks now and I'm really tired of trying to get this to work.

    I have read every post I could find on this. I've watched every Youtube Video and even the one on the Pfsense Site...  The problem is no 2 pieces of the documentation are the same. Seems everyone does it different, but none of it works.

    Really wish someone could post how to do this that's done it already.  :(


  • Netgate

    It's just not that difficult.  Bridging works fine.

    The instructions you have already posted cover everything you need to do.

    If it doesn't work you need to be able to troubleshoot it to find out what was done incorrectly or where the problem otherwise lies.



  • Well I got as far as being able to ping anything on the network from wireless or static. The WiFi just can't get out.  WiFi gets an IP address from DHCP.


  • Netgate

    What are the firewall rules on wifi?  You need rules on all bridge members and the bridge itself.



  • LAN Net > Any
    WiFi Net > Any
    Bridge Net > Any



  • Here is all the steps I exactly took:

    Fresh Build Pfsense. Got it configured and connected my computer to it and have internet access and access to my LAN.

    1. Shut down install WiFi card (Card is on the recommended list of cards that work with Pfsense)
    2. Interfaces > Added WiFi card (Opt1) renamed it to WiFi. > Setup WiFi settings.
    3. Interfaces > Assign > Bridges > Created a Bridge > Renamed it to Bridge > Selected LAN and WiFi
    4. Interfaces > Added new Interface > Opt2 > Renamed to Bridge > Network Port = Bridge
    5. DHCP Server > Turned on DHCP for Bridge > Enabled > Set Range. (No DHCP on LAN or WiFi)
    6. Firewall > Rules > Added New Rule > Source = Bridge Net > Rest set to Any.
    7. System > Advanced > System Tunables > net.link.bridge.pfil_member > Changed from 1 to 0
    8. Interfaces > LAN > IPv4 Configuration Type = None  > IPv6 Configuration Type = None
    9. Interfaces > WiFi > IPv4 Configuration Type = None  > IPv6 Configuration Type = None

    My Configuration:

    Old:

    WAN > DHCP
    LAN > 10.10.0.1

    New:

    WAN > DHCP
    LAN >
    WiFi >
    Bridge > 10.10.0.2 > DHCP

    I can connect my Phone and Laptop to WiFi. I can ping both from either one. No Internet Access.

    Now you know what steps I took to get here. I know them well I've rebuilt it about 20+ Times from scratch trying to get this to work.

    Thanks,
    Rick


  • Netgate

    @Rickinfl:

    LAN Net > Any
    WiFi Net > Any
    Bridge Net > Any

    What interfaces are those on?  There should be no more LAN net or WIFI Net - only Bridge Net.



  • Here are the Firewall Rules









  • Netgate

    First, change your bridge rules to any.  You have them set for TCP only.  DNS and many other things won't work like that.

    Second, make rules on LAN and WIFI that look EXACTLY like the rules on bridge.  (Not with source LAN net or WIFI net, but for BRIDGE net - yes, on LAN and WIFI, source BRIDGE net)



  • Still not working.









  • Netgate

    All your rules are still TCP only, bro.

    Change them all to this:

    ![Screen Shot 2014-11-18 at 8.56.33 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-18 at 8.56.33 AM.png)



  • Did that still not working.









  • Netgate

    What's not working?

    Do you get DHCP on the WIFI port?  On the LAN port?
    Can you ping the BRIDGE address from the WIFI port?  From the LAN port?
    Can you ping the next hop gateway from the WIFI port?  From the LAN port?
    Can the Hosts on LAN ping the hosts on WIFI?  Vice versa?
    What DNS is being handed out to the DHCP clients?  Is that the DNS server actually in use by the clients? Can you resolve names using that address?
    Etc.



  • Wait… From my phone I'm connected to Pfsense. I opened Chrome browser and can't get to any website, BUT I just accidentally went to my cloud and it loaded. At this point and some testing... I can access any https site, just not http sites.


  • Netgate

    Let me guess.  You're also trying to run squid or snort or both.



  • No actually it's a fresh install and no packages installed.

    Can't seem to figure out what it is. So Close!  smh


  • Netgate

    That doesn't make any sense. pf or otherwise.  Firewall logs logging anything?



  • I don't see anything,

    But the question I have is how long has WiFi worked just was blocking non secure websites?  I'll backup the config then rebuild it again from scratch and find out.

    I really appreciate all the help you've given me. Thank You for all your Help!

    Rick


  • Netgate

    Proxy configured in the web browser?  Weird.



  • Totally rebuilt it. Setup just like I did before. WiFi works on https only.  So this whole time it basically worked. Just not for non secure!

    I'm going over everything since now I have fresh log files.



  • Ok Got It!  I had a setting wrong on my phone. The LAN computers connected worked just fine.

    Got to give the Credit to "Derelict" for getting this working!  Thanks!!!

    This is to set up a WiFi card on the same subnet.

    Here are the Steps. (After you get a pfsense box up and running, connected to the internet.) (I renamed Opt1 and Opt2.)

    1. Shut down, install WiFi card (Card is on the recommended list of cards that work with Pfsense)
    2. Interfaces > Added WiFi card (Opt1) renamed it to WiFi. > Setup WiFi settings.
    3. Interfaces > Assign > Bridges > Created a Bridge > Renamed it to Bridge > Selected LAN and WiFi
    4. Interfaces > Added new Interface > Opt2 > Renamed to Bridge > Network Port = Bridge
    5. DHCP Server > Turned on DHCP for Bridge > Enabled > Set Range. (No DHCP on LAN or WiFi)
    6. Firewall > Rules > Added New Rule > Interface > LAN > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    7. Firewall > Rules > Added New Rule > Interface > WiFi > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    8. Firewall > Rules > Added New Rule > Interface > Bridge > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
    9. Interfaces > LAN > IPv4 Configuration Type = None  > IPv6 Configuration Type = None
    10. Interfaces > WiFi > IPv4 Configuration Type = None  > IPv6 Configuration Type = None
    11. Interfaces > WiFi > Allow intra-BSS communication > Check Box. < For WiFi devices to talk to each other

    I have to come back and give the Answer! LOL  Trust me I've searched a lot of stuff on Cisco and I would find Headings that said "Solved!" and you read all the way to the end and all they would say is "Got it Working" with no directions on how to!  lol

    Again Thanks Derelict.

    Rick


  • Netgate

    Glad it's working.

    One last little thing.  With this:

    9. System > Advanced > System Tunables > net.link.bridge.pfil_member > Changed from 1 to 0

    This should be unnecessary:

    6. Firewall > Rules > Added New Rule > LAN > Source = Bridge Net > Protocol = ANY > Rest set to Any.
    7. Firewall > Rules > Added New Rule > WiFi > Source = Bridge Net > Protocol = ANY > Rest set to Any.

    With that sysctl set to 0 I'm pretty sure those rules on the bridge members aren't being looked at at all.
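The two rule layers Derelict describes (the bridge members, only consulted while net.link.bridge.pfil_member is 1, and the bridge interface that carries the address, DHCP and the normal LAN-style rules) and the mistakes the thread ran into along the way (addresses left on members, "LAN net" sources that are empty once the member has no address, TCP-only rules) can be checked mechanically before touching the box. The following is an added example, not pfSense code or anything Derelict posted; the Rule/Config shape, the interface names and the default of 1 for both bridge sysctls are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    iface: str          # interface the rule sits on, e.g. "LAN"
    source: str         # rule source, e.g. "Bridge net" or "any"
    proto: str = "any"  # "any", "tcp", "udp", ...

@dataclass
class Config:
    members: list       # bridge members, e.g. ["LAN", "WiFi"]
    bridge: str         # interface assigned to bridge0, e.g. "Bridge"
    ipv4: dict          # interface -> static address, or None
    dhcp: set           # interfaces running a DHCP server
    rules: list
    sysctl: dict = field(default_factory=dict)  # e.g. {"net.link.bridge.pfil_member": 0}

def _pass_any(rules, iface):
    # "pass any any any" on a member: protocol any, source any or the bridge net
    return any(r.iface == iface and r.proto == "any"
               and r.source.lower() in ("any", "bridge net") for r in rules)

def check_bridge(cfg):
    f = []
    # Assumed defaults for this model; read the real values with sysctl on the box.
    pfil_member = int(cfg.sysctl.get("net.link.bridge.pfil_member", 1))
    pfil_bridge = int(cfg.sysctl.get("net.link.bridge.pfil_bridge", 1))
    if cfg.bridge in cfg.members:
        f.append(f"{cfg.bridge}: the bridge interface cannot also be a member")
    for m in cfg.members:
        if cfg.ipv4.get(m):
            f.append(f"{m}: member has address {cfg.ipv4[m]}; set IPv4 type to None")
        if m in cfg.dhcp:
            f.append(f"{m}: DHCP server on a member; run it on {cfg.bridge} instead")
    if not cfg.ipv4.get(cfg.bridge):
        f.append(f"{cfg.bridge}: the bridge interface needs the subnet's address")
    for r in cfg.rules:  # a member without an address has no "<member> net" any more
        if r.iface in cfg.members and r.source.lower() == f"{r.iface.lower()} net":
            f.append(f"{r.iface}: source '{r.source}' is empty once the member has no address")
    if pfil_member:  # member rules are only consulted while this sysctl is 1
        for m in cfg.members:
            if not _pass_any(cfg.rules, m):
                f.append(f"{m}: pfil_member=1 but no pass-any rule on this member")
    if pfil_bridge:  # the bridge interface carries the normal LAN-style rules
        on_bridge = [r for r in cfg.rules if r.iface == cfg.bridge]
        if on_bridge and all(r.proto != "any" for r in on_bridge):
            f.append(f"{cfg.bridge}: rules are {on_bridge[0].proto} only; UDP (DNS) and ICMP are blocked")
    return f

# The layout the thread ended with, constructed from the SOLVED steps above.
WORKING = Config(
    members=["LAN", "WiFi"], bridge="Bridge",
    ipv4={"LAN": None, "WiFi": None, "Bridge": "10.10.0.1/24"}, dhcp={"Bridge"},
    rules=[Rule("LAN", "Bridge net"), Rule("WiFi", "Bridge net"), Rule("Bridge", "Bridge net")])
```

Running check_bridge on the mid-thread state (TCP-only rules with "LAN net"/"WiFi net" sources) lists each problem; setting pfil_member to 0 in the sysctl dict drops the member-rule findings, matching Derelict's last remark.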