Netgate Discussion Forum

    PfSense as DHCP server and DD-WRT as access points: DHCP not passing thru DD-WRT

    DHCP and DNS

      rjcrowder

      There is a tutorial somewhere on the dd-wrt site that tells you how to set it up as an access point… I don't have a link, but I've definitely seen it. That said, the process is basically to disable the DHCP server, disable any firewall functions, mac filtering, etc. Optionally, you can check the box to "assign WAN Port to LAN". Then plug into one of the LAN ports (or WAN port if you did "assign WAN to LAN").

        riahc3 Banned

        For more details:

        I can ping the pfSense box at 192.168.1.1
        but
        I cannot access the web interface thru a web browser

        This only happens on a wireless client. I can do it thru a wired client (everything works perfectly on a wired client)

          riahc3 Banned

          Are you talking about this:

          http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

            johnpoz LAYER 8 Global Moderator

            I used to run dd-wrt on a couple different old routers for AP.  As mentioned it is as simple as turning off the dhcp server on the AP and connecting it to your network via one of the LAN ports on the wifi router being used as AP.

            If you're saying you get dhcp from pfsense if you plug in with a wire to your dd-wrt ap, but wireless clients don't then clearly something with dd-wrt..  Do you have your SSID in dd-wrt as guest or vlan?

            You should get help on the dd-wrt site to be honest.  Since you have shown that dhcp from pfsense is working to a wired box on the dd-wrt device with something else connected to something else plugged in to lan.  At least that is how I read your comments.

            As an off the wall suggestion, where you say you can ping 192.168.1.1 but not access the gui.  You sure you're on your wifi?  ;)  I have seen more times than anyone would think possible..  Where I am on wifi and can get to internet, but not able to get to device X..  Or something that should have gui is not working yet it pings.  Problem is they are on the wifi next door that is using the same ip range - but no they don't have a printer at 192.168.1.14 like you do for example ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              gjaltemba

              In DD-WRT Setup - Basic Setup
              Network Setup - Network Address Server Settings (DHCP)
              In the drop-down select DHCP Forwarder
              Enter the pfsense DHCP Server IP
              Click Apply Settings

                riahc3 Banned

                @johnpoz:

                I used to run dd-wrt on a couple different old routers for AP.  As mentioned it is as simple as turning off the dhcp server on the AP and connecting it to your network via one of the LAN ports on the wifi router being used as AP.

                If you're saying you get dhcp from pfsense if you plug in with a wire to your dd-wrt ap, but wireless clients don't then clearly something with dd-wrt..  Do you have your SSID in dd-wrt as guest or vlan?

                You should get help on the dd-wrt site to be honest.  Since you have shown that dhcp from pfsense is working to a wired box on the dd-wrt device with something else connected to something else plugged in to lan.  At least that is how I read your comments.

                As an off the wall suggestion, where you say you can ping 192.168.1.1 but not access the gui.  You sure you're on your wifi?  ;)  I have seen more times than anyone would think possible..  Where I am on wifi and can get to internet, but not able to get to device X..  Or something that should have gui is not working yet it pings.  Problem is they are on the wifi next door that is using the same ip range - but no they don't have a printer at 192.168.1.14 like you do for example ;)

                Great to hear from you :)

                My SSID in the DD-WRT is setup as normal. I don't have any difference between guest and/or VLAN.

                I think you are correct in saying this is a DD-WRT configuration issue but I could have kids, have them die, and still I wouldn't get an answer. It is a very slow forum to get answers.

                The wired PCs I'm talking about is to a wired switch which is also connected to the DD-WRT AP. Those get DHCP leases as normal. A wireless client connected thru wireless does not get a DHCP lease but if I set static IP settings to that wireless client, I do get access thru wireless. The only cable connected to the DD-WRT AP is from itself to a switch.

                Yeah, I'm pretty sure it's MY wifi because of the name of the SSID. I doubt anyone else would put that name and with a wireless scanner, I really can't see any other APs besides 1 or 2 (small neighborhood) so I don't think anyone else is using my SSID. Also, it asks me for my password. Also, since you mentioned it, I pinged other clients and they all reply so it would be REALLY odd that another person selects the exact same IPs I did for certain devices.

                @gjaltemba:

                In DD-WRT Setup - Basic Setup
                Network Setup - Network Address Server Settings (DHCP)
                In the drop-down select DHCP Forwarder
                Enter the pfsense DHCP Server IP
                Click Apply Settings

                I checked that out and yup, it's exactly like that. Also checked off this: http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point and it seems to be the same as my settings as well….

                  johnpoz LAYER 8 Global Moderator

                  To troubleshoot I would do a sniff on pfsense to see if dhcp discover is even getting there.  And if it is, what mac it's coming from.

                  But what seems odd is you can not open the pfsense gui when you set static?  Do you have rules on the interface that would block that?  But normal internet access works if set static on wireless device?

                    riahc3 Banned

                    @johnpoz:

                    To troubleshoot I would do a sniff on pfsense to see if dhcp discover is even getting there.  And if it is, what mac it's coming from.

                    I'll try that when I get a chance.

                    @johnpoz:

                    But what seems odd is you can not open the pfsense gui when you set static?  Do you have rules on the interface that would block that?  But normal internet access works if set static on wireless device?

                    Yes. Normal internet access works once I set static and if set static I can also access the pfSense GUI so it should not be a firewall issue.

                    BTW, I know (99%) it's a DHCP issue because the IP gets set to 169.XX.XX.XX

                      riahc3 Banned

                      Woah, now this is weird: Wireshark does indeed show that there is a request from my wifi card's mac address….but it seems it doesn't give it an IP address.....

                      There is the conversation. That .13 is my wired PC that I'm doing the sniff from.

                        Derelict LAYER 8 Netgate

                        @gjaltemba:

                        In DD-WRT Setup - Basic Setup
                        Network Setup - Network Address Server Settings (DHCP)
                        In the drop-down select DHCP Forwarder
                        Enter the pfsense DHCP Server IP
                        Click Apply Settings

                        No, no, no.

                        Get the wireless clients on the dd-wrt device on the same layer 2 network with the pfSense interface and turn off all DHCP in dd-wrt.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          Derelict LAYER 8 Netgate

                          @riahc3:

                          BTW, I know (99%) it's a DHCP issue because the IP gets set to 169.XX.XX.XX

                          I see Discover, Offer, Request, Ack.

                          Where in the network is that capture taken from?

                            gjaltemba

                            @Derelict:

                            No, no, no.

                            Get the wireless clients on the dd-wrt device on the same layer 2 network with the pfSense interface and turn off all DHCP in dd-wrt.

                            My dd-wrt router has a static ip on my lan with pfsense as the gateway. For some unknown reason, my wireless clients are unable to obtain an ip without dhcp forwarder.

                              johnpoz LAYER 8 Global Moderator

                              You would not need a forwarder, the wifi is bridged to the lan in dd-wrt.. You clearly see the discover and offer from that sniff

                              Why would you do the sniff from your wired client?  Just do it on pfsense interface under diag.  You have a release highlighted but under that I see discover, offer and request..  Which have to assume is your wifi client.

                                Derelict LAYER 8 Netgate

                                @gjaltemba:

                                @Derelict:

                                No, no, no.

                                Get the wireless clients on the dd-wrt device on the same layer 2 network with the pfSense interface and turn off all DHCP in dd-wrt.

                                My dd-wrt router has a static ip on my lan with pfsense as the gateway. For some unknown reason, my wireless clients are unable to obtain an ip without dhcp forwarder.

                                There is no "for some unknown reason" about it.  It's because your wireless clients and your pfSense interface are not on the same layer 2 network.  Your ddwrt is still being a router, not a bridge.

                                  riahc3 Banned

                                  Just to make sure this is the screen that is being talked about to sniff and these are the settings that have to be in place:

                                    riahc3 Banned

                                    Doesn't really show anything different really. Opening the packet file in Wireshark shows this:

                                    BTW, I did it from a wired client the first time around because I have port mirroring enabled on the switch and everything is mirrored to this wired client so it should be picking up anything that passes thru the LAN interface.

                                    The switch is a Netgear GS108E

                                      Derelict LAYER 8 Netgate

                                      Look at the MAC address of the DHCP server in your capture.  I'd bet it's not your pfSense LAN port.

                                      I'll also bet you have pfSense on 192.168.1.1 and ddwrt WAN port getting an IP address from pfSense, then you have the ddwrt LAN also set on 192.168.1.1 with DHCP enabled and it's giving IP addresses to your wireless clients.

                                      That just can't work.

                                      Put your ddwrt in bridge mode (I think they stupidly call it "router" mode or something, which confuses everyone involved.)

                                        riahc3 Banned

                                        @Derelict:

                                        Look at the MAC address of the DHCP server in your capture.  I'd bet it's not your pfSense LAN port.

                                        And no, I wouldn't spoof the mac address as a NIC from a VMWare vendor. The server is the pfSense LAN.

                                        (On a side note, do I have to hide the mac address from my ESXi machine or can it still be identified?)

                                        @Derelict:

                                        I'll also bet you have pfSense on 192.168.1.1 and ddwrt WAN port getting an IP address from pfSense, then you have the ddwrt LAN also set on 192.168.1.1 with DHCP enabled and it's giving IP addresses to your wireless clients.

                                        @Derelict:

                                        That just can't work.

                                        Put your ddwrt in bridge mode (I think they stupidly call it "router" mode or something, which confuses everyone involved.)

                                          johnpoz LAYER 8 Global Moderator

                                          You don't have to hide a mac address from any machine..  Only thing you might want to hide mac from would be radio of AP wifi router that could be in some war driving database, etc.  While mac are unique - unless we were going to track down by the maker of said device where that product got sold, then with them who they sold it to and such, etc..  While they might be able to do that on TV and the movies with a few clicks of the mouse - in real life it's a bit harder ;)

                                          Well there you go pfsense is seeing discover and sending offer..  What IP is being offered? Also since you see the request the client got the offer - so seems more like a client issue to me.  So why don't you post up that sniff so we can take a look at the details.  Or at least email it to me - you know me from way back ;)

                                          From that discover, offer, request, ack sure looks like a complete dhcp transaction to me.  So you have multiple clients that can not get an IP from dhcp, or just 1 device?  Or type of device like your ipads, or such..  Post up that actual sniff so can follow the details.  Why don't you sniff on the wifi client now..  Maybe just the ack is not being seen?  Let's see a longer sniff - does it just keep asking and asking.. It should ask a few times before it goes to APIPA if it's not seeing the ack.


                                          1 Reply Last reply Reply Quote 0
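The checks Derelict and johnpoz ask for above (which MAC answered the DHCP request, which address was offered, and whether the ACK shows up at the capture point), as an added example that is not from any poster in this thread. The MAC addresses and leased addresses are constructed and the function names are hypothetical; only 192.168.1.1 comes from the thread.

```python
import socket, struct
from collections import defaultdict

MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
mac = lambda b: ":".join(f"{x:02x}" for x in b)
ip = lambda b: ".".join(str(x) for x in b)

def parse_dhcp(frame):
    """Parse one Ethernet/IPv4/UDP frame; return DHCP fields, or None if not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    b = 14 + (frame[14] & 0x0F) * 4 + 8            # offset of the BOOTP header
    if (len(frame) < b + 240 or frame[b + 236:b + 240] != MAGIC
            or set(struct.unpack("!HH", frame[b - 8:b - 4])) - {67, 68}):
        return None
    opts, i = {}, b + 240
    while i + 1 < len(frame) and frame[i] != 255:  # 255 = end option
        n = frame[i + 1] if frame[i] else -1       # pad option (0) has no length byte
        if frame[i]:
            opts[frame[i]] = frame[i + 2:i + 2 + n]
        i += n + 2
    if len(opts.get(53, b"")) != 1:                # option 53 = DHCP message type
        return None
    t, sid = opts[53][0], opts.get(54)             # option 54 = server identifier
    return {"type": MSG.get(t, str(t)), "src_mac": mac(frame[6:12]),
            "client": mac(frame[b + 28:b + 34]), "yiaddr": ip(frame[b + 16:b + 20]),
            "server_id": ip(sid) if sid else None}

def audit(frames, trusted_macs):
    """Per client MAC: message sequence, answering servers, findings (same-L2 capture assumed)."""
    report = defaultdict(lambda: {"seq": [], "servers": set(), "findings": []})
    for p in filter(None, map(parse_dhcp, frames)):
        r = report[p["client"]]
        r["seq"].append(p["type"])
        if p["type"] in ("OFFER", "ACK", "NAK"):
            r["servers"].add((p["src_mac"], p["server_id"], p["yiaddr"]))
            if p["src_mac"] not in trusted_macs:   # same server IP, different MAC: second DHCP server
                r["findings"].append(f"{p['type']} from unexpected MAC {p['src_mac']}")
    for r in report.values():
        if "ACK" not in r["seq"]:
            r["findings"].append("no ACK seen at this capture point")
    return dict(report)

def build(src, client, mtype, yiaddr="0.0.0.0"):
    """Construct a minimal DHCP frame for the sample below (checksums left zero)."""
    hx = lambda m: bytes.fromhex(m.replace(":", ""))
    srv = mtype in (2, 5, 6)                       # server-to-client message types
    sid = bytes([54, 4]) + socket.inet_aton("192.168.1.1") if srv else b""
    bootp = (struct.pack("!BBBBIHH", 2 if srv else 1, 1, 6, 0, 0x1234, 0, 0) + bytes(4)
             + socket.inet_aton(yiaddr) + bytes(8) + hx(client) + bytes(202)
             + MAGIC + bytes([53, 1, mtype]) + sid + b"\xff")
    udp = struct.pack("!HHHH", 67 if srv else 68, 68 if srv else 67, 8 + len(bootp), 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + hx(src) + b"\x08\x00" + iph + udp + bootp

# Constructed sample: client A completes with the trusted server; client B is answered by another box.
PFSENSE, OTHER, CL_A, CL_B = (f"02:00:00:00:00:{x}" for x in ("01", "02", "aa", "bb"))
SAMPLE = [build(CL_A, CL_A, 1), build(PFSENSE, CL_A, 2, "192.168.1.50"), build(CL_A, CL_A, 3),
          build(PFSENSE, CL_A, 5, "192.168.1.50"),
          build(CL_B, CL_B, 1), build(OTHER, CL_B, 2, "192.168.1.60"), build(CL_B, CL_B, 3)]

if __name__ == "__main__":
    for client, r in audit(SAMPLE, {PFSENSE}).items():
        print(client, " > ".join(r["seq"]), sorted(r["servers"]), r["findings"])
```

For a real capture, pass `audit()` the raw frames from a pcap reader together with the MAC of the pfSense LAN interface.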
                                            riahc3 Banned

                                            @johnpoz:

                                            So why don't you post up that sniff so we can take a look at the details.  Or at least email it to me - you know me from way back ;)

                                            I can attach it here. In theory, it shouldn't have any identifiable information as it just looks at DHCP information.

                                            @johnpoz:

                                            From that discover, offer, request, ack sure looks like a complete dhcp transaction to me.  So you have multiple clients that can not get an IP from dhcp, or just 1 device?  Or type of device like your ipads, or such..  Post up that actual sniff so can follow the details.  Why don't you sniff on the wifi client now..  Maybe just the ack is not being seen?  Let's see a longer sniff - does it just keep asking and asking.. It should ask a few times before it goes to APIPA if it's not seeing the ack.

                                            I've done diagnostics more on my Windows 8.1 laptop than my Android smartphone but I do not have internet access on my Android smartphone either so I GUESS the issue is the same.

                                            OK so I'm gonna do the following:

                                            1: Set my laptop as DHCP client again (I'm typing this to you from the laptop since it is static)
                                            2: Start a packet sniff from pfSense
                                            3: ipconfig /release
                                            4: ipconfig /renew
                                            5: Wait about a minute
                                            6: Stop the packet sniff from pfSense
                                            7: Post it here

                                            Does that sound good?
