Having trouble with DHCP and access point



  • Hello all,
    I am brand new to pfSense, and am finding how relatively limited my knowledge is. So, I apologize now if I out myself as a total newb, but I reserve that right for myself.
    I recently installed pfSense on an i5 2500K machine with about 8GB RAM. This machine has an onboard GB NIC which I use for LAN, and 2 Intel Pro100+ cards. One is WAN, and the other I am trying to use as OPT1. WAN connects an ADSL connection by PPPoE. I have DHCP running. The wired clients on LAN, however, are not getting any DHCP info (or not all of it, as far as I can tell).
    Also, I am trying to hook up a router running just as an access point on OPT1. LAN interface is 192.168.46.1 with DHCP serving up IPs to wired clients (kinda?) in the 192.168.46.0 subnet. I also have the AP on OPT1 set as IP 192.168.46.5 (or maybe 3 now) and OPT1 interface is 192.168.46.2. However, wireless clients do not currently connect to the network at all, and I can not even log into the router admin page while it's attached to the pfSense box. I have to unplug it and hook it up directly to my computer. Maybe the gateway address is wrong? I seem to be confused about what address that is supposed to be. Is it the same as the external address on WAN? I had assumed it was supposed to be the same as the LAN address (192.168.46.1) but nothing seems to work.
    A few extra bits that are probably relevant: the wireless router is kinda buggy, and the firmware boots you out once you try to change settings after its DHCP server is shut off. But DHCP is off and I am not connecting it to OPT1 via the WAN connection, it's one of the client ports on the router. Could the wireless router itself (Linksys E2500) be the issue? Or is it more likely the pfSense DHCP server? Or something else entirely?

    Your help is appreciated,
    Thanks.



  • This is one you are looking for:
    @magu2k:

    ….or something else entirely?

    This is ok:
    @magu2k:

    LAN interface is 192.168.46.1

    [But, I'm just curious, why not keep the default 192.168.1.1 IP as provided?]
    Normally, your LAN interface runs from 192.168.46.1 up to 192.168.46.254.
    This:
    @magu2k:

    OPT1 interface is 192.168.46.2

    is where you blow up things.
    It should be something like: 192.168.47.1 (usable IPs: 192.168.47.2 up to 192.168.47.254)

    LAN and OPT1 both have a DHCP server.
    The first is serving (example) 192.168.46.10 to 192.168.46.254, reserving 192.168.46.2 to 192.168.46.9 for static devices like your APs etc.
    The second DHCP server is running on OPT1, using the 192.168.47.x range.

    Btw: do not forget to add firewall rules to the OPT1 interface. By default, it's empty, so no communication goes in or out.

    A Linksys E2500: do yourself a favor, and blow away the default firmware. Visit https://www.dd-wrt.com, read about how to upgrade this router, and flash it using a DD-WRT firmware. It's rock solid.
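The subnet clash diagnosed above is the kind of thing a short script catches before anything is typed into the box. As an added example (not from this thread), a standard-library Python check of an interface and DHCP plan; the LAN addresses, the AP at 192.168.46.5 and the LAN pool come from the posts, the OPT1 pool is assumed:

```python
# Added example (not from the thread): sanity-check an interface and DHCP plan
# with the standard-library ipaddress module. Interfaces are (name, "addr/prefix"),
# pools are (interface, first, last) and static hosts are (name, address).
from ipaddress import IPv4Interface, IPv4Address

def check_plan(interfaces, pools, static_hosts):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {name: IPv4Interface(cidr) for name, cidr in interfaces}
    names = list(nets)
    # 1. Each interface needs its own subnet: with two interfaces in the same /24,
    #    pfSense cannot tell which interface a destination address belongs to.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for ifname, first, last in pools:
        net, gw = nets[ifname].network, nets[ifname].ip
        lo, hi = IPv4Address(first), IPv4Address(last)
        # 2. The pool must lie inside its interface's subnet ...
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{ifname} pool {first}-{last} is not inside {net}")
            continue
        # 3. ... and must not lease out the interface's own address.
        if lo <= gw <= hi:
            problems.append(f"{ifname} pool {first}-{last} includes gateway {gw}")
        # 4. Static devices such as the AP must sit outside the pool, or the DHCP
        #    server may hand their address to another client.
        for host, addr in static_hosts:
            ip = IPv4Address(addr)
            if ip in net and lo <= ip <= hi:
                problems.append(f"{host} at {addr} is inside the {ifname} DHCP pool")
    return problems

# Layout from the first post (addresses from the thread; the pool range is assumed).
BROKEN = check_plan(
    interfaces=[("LAN", "192.168.46.1/24"), ("OPT1", "192.168.46.2/24")],
    pools=[("LAN", "192.168.46.10", "192.168.46.254")],
    static_hosts=[("AP", "192.168.46.5")],
)

# Layout from the reply above: OPT1 moves to 192.168.47.0/24 with its own pool.
FIXED = check_plan(
    interfaces=[("LAN", "192.168.46.1/24"), ("OPT1", "192.168.47.1/24")],
    pools=[("LAN", "192.168.46.10", "192.168.46.254"),
           ("OPT1", "192.168.47.10", "192.168.47.254")],
    static_hosts=[("AP", "192.168.46.5")],
)

if __name__ == "__main__":
    for label, result in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", result or "ok")
```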



    Hello, and thank you for your reply. That makes sense, I will change that. The 46 is more vanity and/or uniqueness than anything technical. So that 2nd interface does have to be on a different.. subnet I guess. As far as the firewall rules go.. I do have some.. but I suspect there may be an error in them. But once I get to change my settings (I'm at work right now) I will test that. Regarding the E2500, I appreciate the input. I was actually looking for info on how well a 3rd party firmware works on that particular model, but I will take your advice, it's most appreciated.

    Two quick follow up questions: in the interface configuration window, where you can select the IP type, i.e. static IP, I do not understand, is that relating to the IP for that interface, or how IPs are to be assigned to devices connected to that interface (i.e. allowing an interface that does not use DHCP while others do)?
    Lastly, can anyone fill me in on the gateway address? Is it the IP of the interface the devices are connected to, i.e. LAN, OPT2, or the address of the external connection, or something else?



  • Now that I sit and think about it:
    "IP for that interface, or how IP's are to be assigned to devices connected to that interface, (IE allowing an interface that does not use DHCP while others do)?"
    I have answered it for myself, seems kinda silly now haha. But my other question remains open.



  • You want to set up the AP to pull an IP from your DHCP server (pfSense) and you probably want to use an Ethernet port other than the WAN port on the back of the AP, unless you have the option to turn it into just another LAN port. Turn off routing and DHCP service on the AP and make it pull an IP from pfSense and that will extend to all the users connecting to the AP and they will each get an IP lease from your DHCP.



  • Well, I flashed dd-wrt to my router, but it's not working, says wireless is on, but it never shows up. I may try reflashing with another build that (should be) compatible with it. If it doesn't work, then I will probably just buy a proper access point.



  • I know it's not the best place to ask this, but if it's acceptable, and anyone has any thoughts or input, I'd like some direction on an AP. I am considering the Cisco WAP121, and while the flexibility of a router box with wireless is ok, I do not plan to ever go back to that sort of solution, as, even though I (still) have issues with pfsense, I plan to stick with this sort of solution long term and just need to add wireless capability to the network. So, any suggestions?



  • An AP to start with : Linksys (Cisco now), throw out the original firmware, use the DD-WRT firmware.


  • Rebel Alliance Global Moderator

    unifi makes some decent AP.. Entry level is $70 pro is 200, AC is 300.



  • running pfSense 2.2.2 with ddwrt accesspoint kong build r7000 runs great. Try this link to see if it helps you. Personally why not just have it modem–pfSense--ddwrt--computers (or switch)--more computers

    also in the guide it will show you how to create a separate guest with its own dnsmasq

    Read the guide and tell me how it goes

    http://www.mediafire.com/view/vn61b93b0yv7x12/Setting_up_Virtual_Interface_guest_as_access_point_behind_ddwrt_or_pfsense.docx


  • Netgate

    How does that prevent your guests on 192.168.10.0/24 from accessing everything on your LAN on 192.168.1.0/24?



  • In DD-WRT I save this firewall rule:

    #Block access between private and guest (FORWARD chain only: br0 = private bridge, br1 = guest bridge)
    # new connections from the private side toward the guest bridge
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    # new connections from the guest bridge toward the LAN subnet read from nvram
    iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP


  • Also on a side note the guest handles its own dnsmasq but funny thing that if I block youtube through pfSense in the DNS forwarder it blocks it on the guest too, been trying to unblock it no luck  :-[



  • @killmasta93:

    running pfSense 2.2.2 with ddwrt accesspoint kong build r7000 runs great. Try this link to see if it helps you. Personally why not just have it modem–pfSense--ddwrt--computers (or switch)--more computers

    also in the guide it will show you how to create a separate guest with its own dnsmasq

    Read the guide and tell me how it goes

    http://www.mediafire.com/view/vn61b93b0yv7x12/Setting_up_Virtual_Interface_guest_as_access_point_behind_ddwrt_or_pfsense.docx

    Well, my setup will be fairly similar to that, it's just we have a number of cell phones in the house that usually want to be connected to wifi. Otherwise, very similar except for the plan to add a NAS box. Just in the process of building a 4x HDD box from some old parts (and some new(er) ones that we need to get).



  • Well, my setup will be fairly similar to that, it's just we have a number of cell phones in the house that usually want to be connected to wifi.

    But aren't you trying to do that with the ddwrt as an access point?

    Otherwise, very similar except for the plan to add a nas box. Just in the process of building a 4x HDD box from some old parts (And some new(er) ones that we need to get.

    Also if your router supports USB, which I'm not sure, you can have a small NAS. I love DDWRT but it sometimes lacks in blocking sites. And to utilize it fully you would need to get an AC router with 256mb but besides that it's amazing.  :)



  • Yes, well the current situation on wireless/AP is that the lil router I flashed works, but wireless doesn't. I can't find any right now where it does work on the E2500 V3, but looking in the dd-wrt forums, it seems there are a number of complaints about it being just fine except the wifi. So, at this point, I just plan to buy an AP.



  • Ohh, then in that case I suggest buying an R7000 ($140) or a unifi LR ($80).



  • I've looked into them, that unifi actually looks pretty good. Only thing is here, I would have to order it in, but I probably will. thanks for the tip on that.



  • unifi is awesome if you have dead spots (no wifi or low wifi signal)  in the house. But usually that's not the case in America unless you have a huge house. The unifi can also have ddwrt but I haven't tried it and not sure how stable it is but wouldn't change it to ddwrt because the webGUI is awesome. If you do change it to ddwrt tell me how it goes  ;)



  • Thanks, I ordered the unifi AP-LR today, on rush. Pretty excited. That's cool it can take dd-wrt too.. but I will probably stick with the mfg interface.


  • Rebel Alliance Global Moderator

    if you put dd-wrt on it I don't think there is a way to put it back.. So think carefully about that, or validate that you can put it back.



  • Yeah I looked, only briefly, but I think you are right, it seems there is no way (currently) to revert back. I still plan to stick with the original firmware.
    I guess my plan, right now, is to have 2 different SSIDs and 2 VLANs. Not too experienced with VLANs, but if I get the gist, I will have to configure the same (2) VLANs on the router and the AP, and assign/link the SSIDs to their respective VLAN?


  • Rebel Alliance Global Moderator

    yeah exactly.. So I have my guest wlan run on a vlan.. Simple enough to do with the unifi software.  The only 1 complaint that I hear is there is no way to change the management vlan from 1.

    I don't see a problem with that in my setup, but it would be a nice feature to be able to do that.

    You can run 4 SSIDs with unifi per radio.  Then in pfsense you just create that vlan assign it to a physical interface and on your switch trunk the connections so you can carry the vlans you want.




  • Actually you can use VLANs if you get the nighthawk with DDWRT. I have 3 unifi access points and 2 VLANs configured on the nighthawk. The only bad thing about that is trying to block webpages because the nighthawk has its own DNSmasq. It's possible to block pages but if, let's say, on VLAN 1 (192.168.3.1) I block facebook it will also block VLAN 2 (192.168.40.1).

    If you do get the nighthawk I'll help you out.



  • I have received the Unifi AP-LR. I am trying to configure it but having some issues. However, firstly, I need to sort out this…. When I connect the AP-LR to the LAN interface it will detect in Unifi software. But when attached to OPT1, which I want to use for wireless devices, it does not show up. So it seems communication is not working between the 2 interfaces.
    My first thought is firewall rules? I did mess around with them a bit.. so I probably screwed it up myself. And a few I added based on some articles but they didn't seem(?) to turn out as the articles suggested. I think this is because the version used for the article was older.
    My current FW rules are attached

    As a few additional notes, DHCP is enabled, and I can connect to WAN fine through LAN (Don't know yet with OPT1) I have a domain set, and a router name set and DNS forwarding seems to be working right(I think)


  • Netgate

    From my limited experience with the ubiquitis they like to be managed on the untagged (primary) VLAN.  So your management VLAN should reach the access points untagged.  If that is in place you can create SSIDs on tagged VLANs to your heart's content.

    Other than that, please be more specific.



  • Hmm… with the lack of experience I have with OPT on pfSense I'm not sure what you did wrong, but what I know is it should work essentially like this: first install the software (has its own web server) to configure the unifi https://www.ubnt.com/download/unifi/, install it (you need java), after that connect it to the LAN of the pfSense. It should give an IP ex: (192.168.1.80); to find the IP check either in ARP or download a network scanner like netscan. Enter the IP in the url and configure the AP. Now if you want to create more SSIDs with different pools it's possible through VLANs but they have to be tagged. If you look at the pic before you can see the config of DDWRT. Tagged means that the unifi gets the DHCP of (192.168.1.80) but can also handle another DHCP (192.168.3.80), and untagged it can only handle one DHCP pool (192.168.1.80).  The only thing now is to find how to tag the LAN on pfSense, let's say VLAN 3 and VLAN 4, then you put VLAN 3 and 4 on the unifi as in the picture before.


  • Rebel Alliance Global Moderator

    Ok couple things on your rules - the rule on your lan that allows you to opt1 net is pointless since the rule above that lets you go anywhere.

    The rules on your opt1: you don't need that rule that allows to opt1 net, devices on opt1 don't talk to pfsense to access opt1 network.  You're allowing them access to lan net so what is the point of saying !rfc1918 and using the PPPoE gateway??  Where do you think they are going to go with that 53 rule, when you told them if they are going anywhere not rfc1918 go out your PPPoE gateway?

    What exactly do you want to accomplish for this wifi segment?

    As mentioned management of the unifi is native vlan 1, no tagging.  While you can have your controller on your lan and your AP on opt1 - it's easier to put your controller and AP on the same network, at least for setup - then you can move the AP to a different segment if you want.  L3 management http://wiki.ubnt.com/UniFi_FAQ#L3_.28Layer_3.29_Management

    But if you run both controller and AP on the opt1 network it is very simple to get going and you can play with changing that after you get some more experience with it.  If you then want to put a ssid on a vlan then create the vlan on pfsense, put it on your opt1 interface, trunk the ports on your switch and then trunk the port going to your AP and you're good.



  • Yeah, like I said, some of those rules are farked up, but the one with RFC and PPPoE was something an article had suggested. But not even sure if I had entered it right anyway.


  • Rebel Alliance Global Moderator

    And again what exactly do you want to happen, and what article did you read that suggested such rules?



  • Good question.. there are a few things I was trying to do, it may have been an attempt at bridging OPT1 to LAN or otherwise getting them to talk. The only link I can find now that I still have in my cache is http://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/
    But it was not this link, however, it's going back to the first day I started running pfsense.. so it's sorta fuzzy now. But I do know the RFC points to an alias which is 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

    Anyways, what I want to do is get LAN and OPT1 to communicate.
    My roadmap, so to speak is
    Get communication between LAN and OPT1
    Add VLANs and 2nd distinct wireless networks (SSID's)
    (Maybe) Add radius on one VLAN (Not sure yet if it will be the best solution)
    Add Security Network VLAN (Probably just a couple cameras, recorder. but it may expand over time)
    Add NAS (Abt 16TB)
    in the future, I intend to have a web server on a DMZ, and an internal sql server. But that is way off, currently.


  • Netgate

    If you need a switch get a switch.  Don't waste router ports.  You'll just end up with a hub anyway.  Not a switch.


  • Rebel Alliance Global Moderator

    Yeah bridge is not something you want to do.. And clearly it would not be a "switch" it would be as already stated HUB.. It is very RARE that you would actually want to do something like that.. I really don't understand the fascination with taking a highly valuable interface on your router/firewall and using it as switch port when you can get a 8 port get "SWITCH" for like 20$ if you need more ports.  The only time I could see bridging interfaces would be if you want to do a transparent firewall sort of setup.  And not a fan of that setup either ;)

    The very nature of creating opt1 means it can talk to lan – and vice versa if you want devices to talk between these segments then create the rule on opt1 that allows that, by default lan is any any.  Have you changed that?

    Post up your rules for lan and opt1 and describe what you want to allow or not to allow devices on each segment or even other vlans to do to the other vlans..

    What I would suggest you do any any rules get your stuff talking, have your ssid with its own vlan, etc..  And then lock down your rules to how you want them..  Example my wlan can not talk to my lan except for ntp to my ntp server on that segment, my ipad can do what it wants.  My guest wireless on its own vlan can not talk to anything not even pfsense for dns - I hand out public dns for the guest.  Only thing it can do is ping the wlanguest pfsense interface for connectivity testing, etc.

    So example rules
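As an added example, not from any post here, a small Python model of pfSense's per-interface, first-match rule evaluation. It reproduces the shadowed "to OPT1 net" rule pointed out a few posts up and the locked-down WLAN policy just described (NTP only to the LAN, nothing else private, everything else out). Only the LAN subnet and the RFC1918 alias come from the thread; the WLAN segment 192.168.48.0/24, its gateway and an NTP server at 192.168.46.5 are assumptions.

```python
# Added example (not pfSense code): a model of pfSense's per-interface, first-match
# rule evaluation, to show why a rule can be pointless and what the "lock it down"
# policy described above looks like. A rule is (action, proto, src, dst, dport);
# src/dst are "any" or a list of CIDRs (a multi-entry list stands in for an alias).
from ipaddress import ip_address, ip_network

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # the alias from the thread

def _nets(spec):
    return None if spec == "any" else [ip_network(c) for c in spec]

def _contains(spec, addr):
    return spec is None or any(addr in n for n in spec)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule on the ingress interface wins; no match means block."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto not in ("any", proto) or rport not in ("any", dport):
            continue
        if _contains(_nets(rsrc), s) and _contains(_nets(rdst), d):
            return action, i
    return "block", None  # pfSense's implicit default deny

def _covers(wide, narrow):
    """True if every address matched by `narrow` is also matched by `wide`."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return all(any(n.subnet_of(w) for w in _nets(wide)) for n in _nets(narrow))

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    out = []
    for j, (_, p, s, d, port) in enumerate(rules):
        if any(ep in ("any", p) and eport in ("any", port)
               and _covers(es, s) and _covers(ed, d)
               for _, ep, es, ed, eport in rules[:j]):
            out.append(j)
    return out

# LAN 192.168.46.0/24 is from the thread; the WLAN segment, its gateway .1 and an
# NTP server on the LAN are constructed for this example.
LAN_NET, OPT1_NET, WLAN_NET = ["192.168.46.0/24"], ["192.168.47.0/24"], ["192.168.48.0/24"]
NTP_SERVER, WLAN_GW = ["192.168.46.5/32"], ["192.168.48.1/32"]

LAN_RULES = [("pass", "any", LAN_NET, "any", "any"),     # pfSense's default LAN "any any"
             ("pass", "any", LAN_NET, OPT1_NET, "any")]  # pointless: never reached

WLAN_RULES = [("pass", "udp", WLAN_NET, NTP_SERVER, 123),  # only NTP may reach the LAN
              ("pass", "icmp", WLAN_NET, WLAN_GW, "any"),  # ping own gateway for testing
              ("block", "any", WLAN_NET, RFC1918, "any"),  # nothing else private, pfSense DNS included
              ("pass", "any", WLAN_NET, "any", "any")]     # the rest leaves for the internet

if __name__ == "__main__":
    print("shadowed LAN rules:", shadowed(LAN_RULES))                         # [1]
    print(evaluate(WLAN_RULES, "tcp", "192.168.48.20", "192.168.46.20", 445))  # ('block', 2)
```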



  • Netgate

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Read and understand that first.  You have all sorts of nonsense rules in there.

    After that, if you move the AP to another interface, you will almost certainly lose the ability to auto-discover the AP from other networks and will need to specify it by IP address in the unifi "controller" software.



  • ok thanks I'll read that. but yeah, at that time, I didn't know bridging wasn't really a good thing, but found out later, so stopped trying, but at this point, I am looking at keeping it on this interface, and maybe have the security network on a different interface.

    My original plan was to have 3 interfaces (I have more network cards I can add if I want, they have no other real uses right now): one LAN, one for wireless and one for home media devices like PS3, netflix boxes etc, and the NAS box would be able to stream on it (not sure yet if it will be able to without being physically attached to both interfaces?), then the security would get placed accordingly (kinda assumed I'd add another nic). But, the more I look at it, the more it seems there isn't much value in having wireless on a separate interface, and it works better in terms of vlan + SSID vs separate interface + VLAN + SSID… as wifi will be needed on both, so might as well just use separate SSIDs and VLANs, and use the other interface for security, eliminating the need for an additional nic.