Unable to access internet from AP

  • I have set up PS 2.2 with 4 ethernet cards/interfaces:

    1. WAN - DHCP from ISP
    2. LAN - 192.168.1.X with DHCP from ->
    3. Blue - 192.168.2.X with DHCP from ->
    4. Orange - DMZ 192.168.3.X

    I have connected the blue interface to a Netgear 3400 ( set up as an AP through its LAN port. The idea is to have an AP which is isolated from the other interfaces and only has internet access.

    I am able to connect my devices to the AP, but I cannot access the internet.

    I have also created the following firewall rule.

    What am I missing?


  • LAYER 8 Netgate

    Your firewall rules should first block things you don't want your wi-fi clients to be able to access then pass from source BLUE net to dest any, not WAN net.

  • Thanks for the quick reply.

    Do I still need to block traffic for the blue network given that it is on its own subnet?

    Sorry for the trivial questions but I am very new to this.


  • LAYER 8 Netgate

    You need to block the traffic you want to block or it will be allowed by the pass destination any.

    Maybe it would help if you describe what you're doing and what you want wi-fi users to NOT be able to access.

    Never mind.  I see.

    Yeah.  Below the DNS rule you want something like:

    reject IPv4 any source BLUE net dest ORANGE net
    reject IPv4 any source BLUE net dest LAN net
    reject IPv4 any Source BLUE net dest This Firewall (self)

    then your pass IPv4 source BLUE net dest any

    And you probably want to make your DNS rule TCP/UDP.
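    As an added illustration of why the reject rules have to sit above the pass-any rule, the following small first-match evaluator (not part of this thread or of pfSense) replays both rule sets over a few constructed packets. The subnets follow the original post's layout; the BLUE-side address of pfSense (192.168.2.1), the client and host addresses, and the 198.51.100.10 "internet" address are assumptions.

```python
import ipaddress

# Constructed addressing that follows the thread's layout; the exact
# addresses, and pfSense's BLUE-side address, are assumptions.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "BLUE net": ipaddress.ip_network("192.168.2.0/24"),
    "ORANGE net": ipaddress.ip_network("192.168.3.0/24"),
    "This Firewall": ipaddress.ip_network("192.168.2.1/32"),
}

def _hit(alias, ip):
    return alias == "any" or ip in NETS[alias]

def evaluate(rules, src, dst, dport):
    """First matching rule wins, as on a pfSense interface tab; no match
    falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_alias, d_alias, port in rules:
        if _hit(s_alias, src) and _hit(d_alias, dst) and port in (None, dport):
            return action
    return "block"

# Rule tuples: (action, source alias, destination alias, destination port or None)
BLUE_PASS_ANY_ONLY = [
    ("pass", "BLUE net", "This Firewall", 53),   # DNS to pfSense
    ("pass", "BLUE net", "any", None),            # everything else
]

BLUE_ISOLATED = [
    ("pass", "BLUE net", "This Firewall", 53),   # DNS to pfSense
    ("reject", "BLUE net", "ORANGE net", None),
    ("reject", "BLUE net", "LAN net", None),
    ("reject", "BLUE net", "This Firewall", None),
    ("pass", "BLUE net", "any", None),            # internet, via WAN
]

def wifi_reach(rules):
    """What a wireless client at 192.168.2.50 can reach under a rule set."""
    client = "192.168.2.50"
    return {
        "dns": evaluate(rules, client, "192.168.2.1", 53),
        "lan_host": evaluate(rules, client, "192.168.1.10", 80),
        "dmz_host": evaluate(rules, client, "192.168.3.10", 443),
        "pfsense_gui": evaluate(rules, client, "192.168.2.1", 443),
        "internet": evaluate(rules, client, "198.51.100.10", 443),
    }

if __name__ == "__main__":
    for name, rules in (("pass-any only", BLUE_PASS_ANY_ONLY), ("isolated", BLUE_ISOLATED)):
        print(name, wifi_reach(rules))
```

With only the pass-any rule the wi-fi client reaches the LAN, the DMZ and the pfSense web GUI; with the three rejects in place it keeps DNS and internet and nothing else.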

  • Like this?

    Thanks again for your help.


  • LAYER 8 Netgate

    Looks good.  It really doesn't matter, but you might want to be consistent for consistency's sake on the source addresses.  Either from BLUE net or from any.  For me, I like rules that do the same thing to look the same.

    That should be working pretty well for you.

  • Derelict

    Thanks for your help. Now I have the AP working.

    Here is another question. I clearly must not understand firewall rules!

    I am trying to access the AP from the LAN network. I have the following rule on the LAN.  I would have thought that these rules would allow any device on the LAN to connect to any of the other interfaces, including the BLUE interface.

    If I try and go to I should be able to see the netgear page. I get nothing, "The connection was reset".

    What am I missing?


  • LAYER 8 Netgate

    Is the AP set on  Does the AP have the proper netmask?  Can you set a default gateway on the LAN interface (that can be trouble). If not can you set static routes in the AP?  It needs to know to send traffic for anything but its own subnet ( to pfSense for routing.  Maybe set a static route for with a gateway of pfSense's address on that segment.

  • Derelict

    Here is a screenshot from the AP.


  • LAYER 8 Netgate

    Hmm.  What happens with https?

  • Does it matter/help if you give the AP a static address, outside the pool, i.s.o. a dynamic one?
    I use a Zyxel 3205v2 wired to pfSense. Clients of this AP get their dynamic IP from the pfSense DHCP server.

  • LAYER 8 Netgate

    There should be no DHCP server on the AP.

  • Trying to access the AP through https, it fails as well.

    I have set up DHCP ( -> and a list of allowed MAC addresses on the Blue interface.  Both the AP and my wireless devices are listed as allowed MAC addresses.

    Right now I am only enforcing MAC addresses to control who connects to the blue Interface.

    The AP gets a fixed IP address and my iPad gets an address from the DHCP. The AP has DHCP disabled as it is being handled by the Blue interface.

    The iPad connects to the AP and is able to access the internet in addition to the Netgear web page.

    My laptop connected to the LAN still cannot.

    I am at a loss!


  • LAYER 8 Netgate

    Why are get address/DNS dynamically both checked?

  • That's how I had it set up with IPCop, so that the AP would get the information from the IPCop DHCP.


  • LAYER 8 Netgate

    Then look in your DHCP leases for the AP's MAC address, see what address your AP got, and try to connect to that.

    I have no idea what sort of cockamamie schemes your AP manufacturer concocted.  I would give it a static.

  • @renatohtpc:

    The AP gets a fixed IP address

    W.r.t. the screenshot in your post #8: first, within the AP box you should set static addressing and DNS to the pfSense server, so there is not a double entry in the pfSense DHCP leases due to dynamic & static. Do not allow the AP address as a dynamic one. Secondly, set the AP static in the pfSense DHCP server, of course with the correct MAC.

