No Internet Access Through Netgear WNAP210 (Wireless Access Point)

Longhair

This is from a 2.1.5 (32-bit) clean install. I've only run the Setup Wizard. All the firewall rules are from the default setup. No packages installed.

WAN: 192.168.1.2
LAN:  192.168.2.1
OPT1: 192.168.3.1

LAN –> Computer A (192.168.2.2) --> Internet works.
OPT1 --> Computer B (192.168.3.2) --> Internet works.

Netgear WNAP210 (Wireless Access Point) Settings Without pfSense:

DHCP Client - Disable
IP Address 192.168.1.3
IP Submask 255.255.255.0
Default Gateway 192.168.1.1

Router --> Netgear WNAP210 (192.168.1.3) --> Computer C (192.168.1.4) Internet works.

So far everything works without any problems.

Netgear WNAP210 Settings With pfSense:

DHCP Client - Disable
IP Address 192.168.3.3
IP Submask 255.255.255.0
Default Gateway 192.168.3.1

OPT1 --> Netgear WNAP210 (192.168.3.3) --> Computer C (192.168.3.4) No Internet (page cannot be displayed).

I've rebooted pfSense, Netgear WNAP210 and Computer C but that has not helped.

Derelict

If you really did all that it would be working.  Double check everything.

Longhair

I've tried with 2.2 & 2.1.5 (64 & 32 bit) and ended up writing down all the steps down before making the post.

I decided to ping 8.8.8.8 on both the LAN and OPT1 - both behind pfSense 2.1.5 32-bit clean install.

LAN results:

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time 19ms TTL=55
Reply from 8.8.8.8: bytes=32 time 19ms TTL=55
Reply from 8.8.8.8: bytes=32 time 19ms TTL=55
Reply from 8.8.8.8: bytes=32 time 19ms TTL=55

Ping statistics for 8.8.8.8:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 19ms, Average = 18ms

OPT1 Results:

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.3.2: Destination host unreachable.
Reply from 192.168.3.2: Destination host unreachable.
Reply from 192.168.3.2: Destination host unreachable.
Reply from 192.168.3.2: Destination host unreachable.

Ping statistics for 8.8.8.8:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I am able to browse web pages (random Google search & open link) on the Internet without problem with both LAN & OPT1.

Now with the wireless access point.

Netgear WNAP210 without pfSense:

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time 21ms TTL=56
Reply from 8.8.8.8: bytes=32 time 19ms TTL=56
Reply from 8.8.8.8: bytes=32 time 21ms TTL=56
Reply from 8.8.8.8: bytes=32 time 19ms TTL=56

Ping statistics for 8.8.8.8:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 21ms, Average = 20ms

Able to browse web pages.

Netgear WNAP210 with pfSense:

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Unable to browse web pages - Server not found.

Derelict

I surrender to the "blame pfsense" stupidity for awhile.

Longhair

@Derelict:

I surrender to the "blame pfsense" stupidity for awhile.

Do you see something that I don't? It would be real helpful if you could point it out so i can get this setup working properly.

mikeisfly

Looks like 192.168.3.2 is sending back a icmp packet to your host machine saying destination host is unreachable. You would expect the router (192.168.3.1)to send that back. When you connect to the access point what IP information do you get on your machine? Do you have any listings in your arp table (arp -a from the command line if it is Windows, I think this works in Linux/Unix too)? How are you able to ping google without PfSense is there another upstream router that you are going through? If you could diagram your network that would help to determine your issue gifly.com

Longhair

The DHCP server is disabled on the access point. Computer C (the one using wireless) has a static IP address.

I will post the arp table tomorrow when I am back at the computer with issues.

Without pfSense i am plugged directly into the router/modem.

router/modem (10.0.0.1)
        |
        |
    switch (unmanaged)
        |
        |
        + –- Computer B (10.0.0.2)
        |
        |
        + --- Wireless AP (10.0.0.3)
                      |
                      |
                      + --- Computer C (10.0.0.4)

The network that pfSense is in is pretty simple - testing environment. There is no DHCP server running. All IP addresses are static - 192.168.x.x is only used for testing environments to avoid potential problems.

router/modem (10.0.0.1)
        |
        |
    switch (unmanaged)
        |
        |
  pfSense WAN (192.168.1.2)
        |
        |
        + –- LAN (192.168.2.1)
        |          |
        |          |
        |          + --- Computer A (192.168.2.2)
        |
        |
        + --- OPT1 (192.168.3.1)
                      |
                      |
                    + --- switch (unmanaged)
                                |
                                |
                                + --- Computer B (192.168.3.2)
                                |
                                |
                                + --- Wireless AP (192.168.3.3)
                                              |
                                              |
                                              + --- Computer C (192.168.3.4)

phil.davis

Netgear WNAP210 Settings With pfSense:

DHCP Client - Disable

That is good - the client should be getting its DHCP from pfSense OPT1 interface.

IP Address 192.168.3.3
IP Submask 255.255.255.0
Default Gateway 192.168.3.1

That is all good and handy for accessing and managing the WiFi box, but it will (should) have no effect on the client.
The WiFi device is simply acting as a dumb AP - bridging client packets to/from WiFi and pfSense OPT1.
The client should be getting DHCP from pfSense that includes pfSense OPT1 IP 192.168.3.1 as its default gateway.
Check the client IP settings, see if it can ping OPT1 IP 192.168.3.1
Make sure the cable is plugged in from a WiFi device LAN port to pfSense. The WiFi device WAN port is not used in this configuration.

Longhair

I didn't make any rules so if I tried to ping OPT1, it would not return anything. I will make a rule tomorrow and post the results.

There is only one port that can be plugged in on the Netgear WNAP 210  :)

I ended up making a new thread in the Wireless sub-forum: https://forum.pfsense.org/index.php?topic=89797.0 It has a little more information added.

phil.davis

There is only one port that can be plugged in on the Netgear WNAP 210

Sorry, I had assumed without looking that it was a combo WiFi AP/router. I see it is an AP that supports multi BSSID, multi VLAN.
In its AP mode it should "just work".
You need a pass rule on OPT! to allow traffic source OPT1 destination all - that will simply allow everything through to the internet.
But you already said you could plug a computer into OPT1 by cable and it works, so I assumed you have a pass rule on OPT1.

Derelict

Can the wireless client ping pfSense?

Did you disable block private networks on pfSense WAN like you have to do if you put it behind another router?

Put your modem in bridge mode and let pfSense get the public IP address from your ISP.

Longhair

Sorry for the late reply. Other things needed attention.

No, Computer C cannot ping pfSense.

Yes, did disable block private networks…

Currently pfSense is in a test environment while I try to get everything working properly.

Longhair

Sorry for the late reply. Other things needed my attention.

I did try the following: https://forum.pfsense.org/index.php?topic=47519.0

I thought this was created by default but if not:
If you look at the LAN tab, then the OPT1 tab they should look the same. 1 rule each.

Select from the Menu: Firewall -> Rules then click the OPT1 tab. There should be 1 rule, which is the same as the under the LAN tab, except that it is named OPT1.
  *    OPT1 net    *    *    *    *    none        Default allow OPT1 to Any rule

If not add it by clicking the little '+' sign in the small grey button to the right and it will open a rule form, 'e' to edit.
Select the following:
Interface: 'OPT1'
Protocol: 'Any'
Source: 'OPT1 subnet'
Destination: 'Any'
Description: 'Default allow OPT1 to Any rule' This will allow everything outbound.

If there is a rule pointing to LAN you may want to remove this, or modify it to allow only the traffic to access particular services.

But still no Internet access  :-\

Derelict

People who understand how things work have no problem getting pfSense to do what's expected.  People who don't have a grasp of the basics have trouble. Same with any networking appliance.

Longhair

@Derelict:

People who understand how things work have no problem getting pfSense to do what's expected.  People who don't have a grasp of the basics have trouble. Same with any networking appliance.

OK, why don't teach me what exactly I am doing wrong if it so painfully obvious to you that you need to look down on me?

hda

If you have cascading routers setup, well then 1st:

If ISP router-LAN ==10.0.0.1/24; pfSense-WAN =>10.0.0.2;
then pfSense-LAN =>192.168.1.1/24; pfSense-OPT1 =>192.168.2.1/24;

Longhair

@hda:

If you have cascading routers setup, well then 1st:

If ISP router-LAN ==10.0.0.1/24; pfSense-WAN =>10.0.0.2;
then pfSense-LAN =>192.168.1.1/24; pfSense-OPT1 =>192.168.2.1/24;

pfSense WAN is on the same subnet as the modem/router.

WAN: 192.168.1.2

LAN:  192.168.2.1

OPT1: 192.168.3.1

/24 was implied for all.

hda

That. is. not. good. for. clarity.

pfSense-box is a router. I gave you a solution.

Longhair

@hda:

That. is. not. good.

pfSense-box is a router. I gave you a solution.

Why is that not good? IP modem / router 192.168.1.1 –> pfSense WAN 192.168.1.2

Why does the pfSense WAN and LAN have to be on different bit block ranges?

hda

Clear & reliable config of the network is prerequisite. You make errors like in reply #6.