*AIO* All-in-one box



  • Hi guys,

    first of all, I already have a pfSense running with 2 NICs (1x WAN over cable, 1x external dlink router as AP over cable).

    Now I want to have an AIO, all-in-one box, so that there is no need for cables (except for power) or external APs.
    Reason: we have a WiFi in the building next to us and want to "repeat" it in our building, but with a CP for authentication.
    We can't use a normal repeater because the WiFi is open and binds a ticket (has own CP) to the MAC-address, so if we use a normal repeater it would be accessible by everyone.

    The solution would be a box with 2x WiFi NICs running pfSense (see attachment).
    1 NIC connects to the open WiFi
    1 NIC operates as AP (with CP) for my clients

    Available hardware:
    1 small PC with 1 NIC (100mbit, could be used for admin interface), 1 PCI-slot (not PCIe!) and some USB 2.0 Ports

    So, how do I get this to work?

    Thanks for your help!!



  • My first thought was to use an internal (PCI) wireless card for setting up my own WiFi (with CP) and then use an USB-wireless-stick for connecting to the open WiFi…

    Which components should I use for this to work?
    Or is there any other way?



  • With the correct one a single physical card can be virtualised to become many virtual wireless interfaces - https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en#gid=0

    How well this will work for you is another matter, I have never tried wireless on pfSense other than HostAP or infrastructure client, never both at the same time, and my requirements for it have always been trivial and for my own (single user) purposes. Many people here I think see wireless on pfsense as something that technically works but is not something they rush to advertise as a feature. I have also never tried putting one captive portal behind another.



  • Thanks for your reply!
    I think I will try this out.

    As I can see in the document the Marvell 802.11N or Atheros would be a good card to try…?

    one captive portal behind another

    The first CP is on the original WiFi and binds the ticket to the MAC-address, so that authentication is only made one time.
    If I set up a repeater for this WiFi and log in over the CP, the result is that all newly connected clients on the repeater automatically have access with this ticket, because it is bound to the MAC-address of the repeater hardware and not the client pc/phone/…



  • I think you'd ultimately be much happier having separate wireless devices. One bridging to the other building and another one acting as an access point. You'll end up with much better and more reliable wireless connectivity… just my experience.



  • I have tried to connect to the WiFi in the other building with EDIMAX USB adapter (EW-7811Un as OPT1 in IS mode), but can't get a stable connection.
    Sometimes the interface connects and 1 minute later it is disconnected and shows "autoselect" in the status.

    So getting 2 PCI cards is better?
    Then I would need to split (riser card) the PCI port, because I only have one.

    Do you have a favourite PCI card model?
    There are so many…  :o



  • I thought I would just point out the possibility of virtualised wireless adaptors - I have never tried it myself and I probably can't be a great deal more help to be honest, the only ones I have used are the ones I was lucky enough to pull out of laptops and found were supported (Atheros AR9285 card).

    Believe me I absolutely understand the desire for AIO, but with wireless on pfSense I think rjcrowder's advice is going to be the typical response. I don't like to discourage experimentation which can be rewarding for its own sake, but based on what I have read of other people's experiences I would work on this with a solid Plan B in mind.

    Edit - see this thread, most of it repeats the warnings but the last post is a call for testing the development release which may have improved the situation https://forum.pfsense.org/index.php?topic=89340.0



  • @jonesr:

    With the correct one a single physical card can be virtualised to become many virtual wireless interfaces

    Even though this can be done, it is the worst case.

    Remember that even the air we send signals through only has limited bandwidth. Using multiple SSIDs on the same wireless NIC (one incoming, one sending) means each packet has to travel twice on the same channel, polluting it.
    Better receive on one channel and re-transmit on another. For b/g/n networks stick to channels 1, 6 and 11 only. Conduct a site-survey about channel usage first.
    Try to get your gear on 5GHz if possible since this space is a) bigger and b) less crowded.



  • Thanks for all your answers and tips!!!

    Unfortunately I haven't found any (supported) wireless PCI card on amazon or ebay.
    I will try with 2 separate USB adapters (Ralink RT3072), which hopefully arrive tomorrow.



  • Don't use internal or usb solution.  Get an AP that attaches to your LAN with rj45 or just enjoy the pain…



  • Mh, I only have 1 port (RJ45)… so I will have to use at least 1 usb/internal solution.



  • Get a switch!



  • I get the impression this is an experiment for MrCount with a low or zero budget, which may develop into something if it can be proved to work - correct me if I have jumped to conclusions. jahonix is entirely right, my idea is not a good one especially for what you want to achieve, but if you are trying to do this on the cheap it is an option.



  • Depending on current channel saturation it might not even be an option.
    If there are already numerous hosts using this channel (not necessarily this AP), it might not even be worth considering. You would just worsen the situation - for all of them!
    But maybe he's nearly the only one and nobody cares.



  • I get the impression this is an experiment for MrCount with a low or zero budget

    Yes, this is a "low-budget"-experiment.

    Used hardware:

    • HP Compaq t5720 Thin Client (1GHz CPU & 512 MB RAM) (~ $20)
    • 4GB USB-stick for booting pfSense (~ $5)
    • 2x wireless USB-adapter (~ $20 each)

    So if this is going to work the costs for this silent "AIO-box" would be at around $65.
    If not… bad luck  8)

    Get a switch!

    I want to have a small box without any other external switches/APs/cables/…, so that the only thing I need is a power outlet and some screws.

    If there are already numerous hosts using this channel

    This solution would first be for a small group of users (~ 5-8).

    Thanks for all your ideas and "warnings"!!
    The USB-devices should arrive today and I will test and report back later.



  • @MrCount:

    The USB-devices should arrive today and I will test and report back later.

    Not all wireless devices support HostAP, so fingers crossed for you they work. What do they show up as in pfSense? (ath0, for example). I didn't realise you were going to order them already so apologies if this advice comes too late.

    I looked at the thin client, you have a PCI slot but no bracket on the case to mount a card in so I suppose you really had no choice but USB. Even if you could fudge something with a low profile card and removing the bracket it looks like the NIC+USB sockets would be touching or blocking the card.

    If you are lucky enough to get this working with what you now have then I congratulate you, but tempting though it may seem to see this through I really would recommend you decide now not to put any more money behind this and go to Plan B.



  • You don't have to apologise, that is still in my planned budget.  ;)

    Right, there is not enough space inside the thin client. The USB+NIC block the card.
    Only solution would be to try with a PCI riser card…

    So the USB adapters have arrived and I plugged them in..... and... surprise surprise.... they seem to work...  ;D
    They show up as run0 and run1 (firmware RT3071 ver. 0.33).

    run0 connects successfully to the WiFi with DHCP (192.168.178.1 is the WiFi AP)
    run1 acts as AP and seems to work, only the DHCP does not give IPs to connecting clients (192.168.1.1 is the AP with new SSID), so I had to enter it manually on my connected laptop.

    The next thing is that I had no connection to the internet through the AP, but I think this is because I have no firewall rules set for the devices.
    If anyone could give me some tips....  8)



  • I bought a cheap AIO myself and was thinking of turning it into a wireless rig. It has two full mini-PCIe slots. I was planning on wifi/cellular but with two separate radios your project is doable. Make sure to separate the two wireless networks the most you can. Put one on channel 36 and one on 165, for example. Maybe consider one network on 2.4 and one on 5 GHz if your congestion is low on 2.4 GHz.

    Here is the AIO I got for 40 bucks.
    http://www.ebay.com/itm/371262352319



  • @MrCount:

    run0 connects successfully to the WiFi with DHCP (192.168.178.1 is the WiFi AP)
    run1 acts as AP and seems to work, only the DHCP does not give IPs to connecting clients (192.168.1.1 is the AP with new SSID), so I had to enter it manually on my connected laptop.

    The next thing is, that I had no connection to the internet through the AP, but I think this is cause I have no firewall rules set for the devices.
    If anyone could give me some tips….  8)

    Am at work, must be brief, how are your interfaces (WAN, LAN, OPTx) assigned? Also - https://forum.pfsense.org/index.php?topic=89045.0



  • If you think it's a firewall rule issue you can turn off the firewall and use the upstream firewall until you get it configured correctly.. Under System:Advanced:Firewall/NAT

    Obviously this is less than safe but it works.



  • MrCount, can you post a link to EXACTLY what you purchased and also tell me how well it's functioning.

    I'm pretty down on USB wireless with pfsense but if it works well for you and is stable then I'd probably grab one for my own use.  If the cost isn't too much.



  • Obviously his definition of AIO is different than the industry norm.

    HP Compaq t5720 Thin Client

    Rather poor choice for the task.



  • Maybe a mikrotik card on a 90 degree riser could work with 2 radios.

    http://www.ebay.com/itm/121556421225



  • @Phishfry:

    Maybe a mikrotik card on a 90 degree riser could work with 2 radios.

    http://www.ebay.com/itm/121556421225

    I considered that but I wasn't sure that even with the bracket taken off it would fit comfortably inside. And then drilling holes for antenna aerials, adding cost for antennas/pigtails to the riser and adaptor card..

    I am very surprised to see Mini PCI (not PCIe) 802.11n cards though, I wouldn't have thought that would be a thing - http://store.netgate.com/miniPCI-Cards-C26.aspx



  • Sounds like he already bought the Ralinks so I am wondering how he will make out… I had a less than stellar time with them. I would imagine that external directional antennas for the site-to-site link would be best and an omni for the AP...I wonder how a 150M single channel link is going to provide for 5-8 people. Maybe OK for light browsing..



  • I am using a mini pci card in my riverbed steelhead 100 with good results.

    http://routerboard.com/R52Hn



  • Looks like the Ralink RT3071 is only 802.11b/g/n as well…..(No 5 ghz)

    He also mentions Ralink RT3072 so who knows..



  • I wonder if this is the device he is using. I really wonder how the radio could put out 1000mw yet max draw from usb2 is 500ma. If I am correct. Sure seems like a large power draw to me. Mikrotik quotes 2-3 watts for their high output radio -for an example.

    http://www.amazon.com/Etekcity%C2%AE-Wireless-Integrated-Notebooks-Computers/dp/B006JWMOOI
    Here is an example of the generic RA3072



  • I wonder if this is the device he is using.




  • Can we get those any closer to each other?  hehe.

    Does it work well as an AP (not adhoc)?



  • I'm still in testing, but today I have not the time  :-\



  • Cool - Thanks!



  • I hope I didn't come across as too gruff. I encourage all experimentation.. I just had problems with the RA3071. I think it's less than top notch hardware.
    The Atheros usb is a no go I have found as well.

    I really think your USB solution could work but you've got problems with a 2.4 GHz network. The channel spread is so small you're going to have troubles. It might work but I see collisions ahead.

    Maybe consider a MIMO cantenna arrangement for the backhaul, since you're on a budget..
    http://en.wikipedia.org/wiki/Cantenna



  • Okay, got it up and assigned all interfaces…

    run0 -> WAN (on USB1)
    IPv4: DHCP
    IPv6: none
    set SSID & WPA
    connects to the WiFi and gets IP

    run1 -> OPT1 (on USB2)
    IPv4: 192.168.1.1 /24
    IPv6: none
    set new SSID & WPA
    enabled DHCP 192.168.1.100 - .199 /24
    I am able to connect to that AP and get an IP

    vr0 -> LAN (onboard LAN)
    IPv4: 192.168.0.1 /24
    IPv6: none
    enabled DHCP 192.168.0.100 - .199 /24
    used for configuration

    The problem is that I can't get a connection to the internet on OPT1.
    What rules do I have to set??  :o

    The CP doesn't show either, but I think this is because there is no connection to the internet.
    Typing the address manually gets me to the CP.



  • I hadn't thought of that. How would your pfSense box authenticate itself to the upstream captive portal? If you logged it in with your credentials would not the rest of your office be sharing your authenticated session? Can you ask the admin of the upstream AP to create an exception for your WAN MAC address so you are not putting a CP behind a CP?

    Some of the CPs I have seen can be tricky as they grab the attention of the browser on your device and then have a string of automatic redirects. We are setting one up at work and when it works it works, when it doesn't, trying to wrestle control of the browser for even basic troubleshooting is a nightmare; it just flips to wherever it is sent and trying to pause it to so much as show the URL or IP it is going to is impossible.

    The problem is that I can't get a connection to the internet on OPT1.
    What rules do I have to set??  :o

    The CP doesn't show either, but I think this is because there is no connection to the internet.
    Typing the address manually gets me to the CP.

    Can you get anything from LAN? If so check your firewall rules to make sure you have HTTP, HTTPS, DNS allowed (and ICMP for PING etc) from the OPT1 interface. Show screenshots from your config if you still have issues.

    Which CP can you access by IP, the local one or the upstream one?



  • How would your pfSense box authenticate itself to the upstream captive portal? If you logged it in with your credentials would not the rest of your office be sharing your authenticated session?

    Yes, the authenticated session would be shared, but that is no problem.

    Which CP can you access by IP, the local one or the upstream one?

    the local one

    Can you get anything from LAN?

    no, I have no access to the internet on LAN

    Firewall rules:
    WAN has actually no rules
    LAN has 3 (anti-lockout, 2x default LAN to any)
    OPT1 has no rules configured



  • Sorry MrCount, I think I started off by looking at this in terms of your pfSense box for you to configure rather than seeing it as a link in the chain. You may have covered all this but rather than me making assumptions let's start from scratch.

    Quote

    How would your pfSense box authenticate itself to the upstream captive portal? If you logged it in with your credentials would not the rest of your office be sharing your authenticated session?

    Yes, the authenticated session would be shared, but that is no problem.

    Perhaps not for you, but have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't. If they are aware of your project they may be able to help you (for example letting you bypass their CP) but if they are not and discover what you are doing the hard way they may get quite upset. Think of it this way, from their perspective you can either work with them or around them, and if your position were reversed which would you prefer?

    As I say if you already have some agreement for this great, carry on, but if not it should be the very next thing you do.

    Quote

    Which CP can you access by IP, the local one or the upstream one?

    the local one

    Quote

    Can you get anything from LAN?

    no, I have no access to the internet on LAN

    Firewall rules:
    WAN has actually no rules
    LAN has 3 (anti-lockout, 2x default LAN to any)
    OPT1 has no rules configured

    You will need to configure the rules for OPT1 but ignore those until you have internet working from LAN.



  • have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't.

    There is an agreement.

    You will need to configure the rules for OPT1 but ignore those until you have internet working from LAN.

    LAN now connects to the internet.
    But how can I get the AP on OPT1 to let clients through to the internet??



  • @MrCount:

    have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't.

    There is an agreement.

    You will need to configure the rules for OPT1 but ignore those until you have internet working from LAN.

    LAN now connects to the internet.

    Glad to hear it and good to know LAN can now reach the internet.

    But how can I get the AP on OPT1 to let clients through to the internet??

    Only LAN is automatically set to allow traffic out. The default rule is to block all traffic unless there is a rule to allow it, so you must create rules for OPTx interfaces to allow the traffic you need. The minimum is often HTTP, HTTPS and DNS, the rest depends on what you need so consider ICMP for PING, FTP etc. If you find anything specific not working you will need to check the firewall logs to see what got blocked, and allow a rule for it.

    For example, webmail may work fine but an email client may not be able to send email. This will be because webmail is passing the rule for HTTPS, but the mail client is using SMTP. You would see in the logs that traffic on port 25 (SMTP) was blocked, so allow this and repeat for whatever other services you need.
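    The OPT1 rule set described in this post, written out as an added pf example (not from the thread or from pfSense's own generated ruleset); it assumes the interface names and subnets the thread reports (run0 upstream, run1 as the AP on 192.168.1.0/24, vr0 as the management LAN on 192.168.0.0/24). pfSense builds rules like these from the GUI itself (visible in /tmp/rules.debug); the point is the default-deny shape and that the source is the OPT1 network, not the interface address.

```pf
# Added example, not the thread's own config.
# Names and subnets are assumptions taken from the thread.
wan_if   = "run0"              # client to the upstream WiFi
opt1_if  = "run1"              # local AP with captive portal
opt1_net = "192.168.1.0/24"    # AP clients (DHCP .100-.199)
lan_net  = "192.168.0.0/24"    # management LAN on vr0

# Default posture: everything not explicitly allowed is blocked and logged,
# so a missing service shows up in the firewall log instead of silently failing.
block log all

# Keep AP clients away from the management LAN. This must come before the
# pass rules below because "quick" stops evaluation at the first match.
block in quick log on $opt1_if from $opt1_net to $lan_net

# Minimum for browsing through the portal: DNS, HTTP, HTTPS, and PING.
# Source is the OPT1 *network*; a rule with source "OPT1 address" would only
# match traffic originating from 192.168.1.1 itself and pass nothing for clients.
pass in quick on $opt1_if inet proto udp  from $opt1_net to any port 53
pass in quick on $opt1_if inet proto tcp  from $opt1_net to any port { 80 443 }
pass in quick on $opt1_if inet proto icmp from $opt1_net to any icmp-type echoreq

# The SMTP case from the post: webmail works via 443, but a mail client
# logs a block on port 25. Add one narrow pass rule rather than "any to any".
pass in quick on $opt1_if inet proto tcp  from $opt1_net to any port 25
```

    Replies to the passed connections return through pf's state table, so no matching rule on the WAN interface is needed for them.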



  • Okay, so for testing it would be okay if I set the following?

    proto: IPv4
    Source: OPT1 address
    port: *
    destination: *
    port: *
    gateway: *

    and

    proto: IPv4
    Source: *
    port: *
    destination: OPT1 address
    port: *
    gateway: *

