Netgate Discussion Forum

    Wireless router (access point) firewall block logs cannot ping out no NTP

      aGeekhere

      Hi all,

      The setup
      bridge modem to pfsense router (WAN).
      Switch to pfsense router (LAN).
      Wireless router (asus dsl-n55u) to switch.

      What's working
      Users that connect through the Wireless router (either through wifi or cable) can access the internet.

      The issue
      The Wireless router itself cannot access the internet or ping out (the NTP on the Wireless router cannot connect).
      In pfsense I am getting a firewall block error from the router

      re1 192.168.1.3 224.0.0.12 IGMP
      

      Tried creating a lan rule to allow the router

      IPv4 *	192.168.1.3	*	*	*	*	none
      

      Still getting blocked error
      Tried using easy pass rule, get error

      Firewall: EasyRule help
      
      This is the Easy Rule status page, mainly used to display errors when adding rules. If you are seeing this, there apparently was not an error, and you navigated to the page directly without telling it what to do.
      
      This page is meant to be called from the block/pass buttons on the Firewall Logs page, Status > System Logs, Firewall Tab. 
      

      The goal
      To have the wireless router be able to connect to the NTP server so it can update its time.
      Remove the block logs in pfsense.

      Thanks

      Never Fear, A Geek is Here!

        doktornotor

        The IGMP log flood is NOT the problem and is completely unrelated both to NTP and ping. Kindly post the LAN FW rules screenshot.

          aGeekhere

          See attachment,
          However, it is very simple; I tried it with the other rules turned off. I am at a loss on this issue; it seems that the only way the NTP connects is when the router is directly connected to the internet.

          firewallRule.png

          Never Fear, A Geek is Here!

            doktornotor

            1/ Censoring entire rules does not help. The first rule is pointless for NTP, pointless for ping as well. If you want to get rid of the IGMP noise, use latest 2.2.3 snapshots.
            2/ If you recycled a DSL router for wifi AP, it most likely won't use anything but the no-op WAN for NTP and ping. So, unless you are pointing it to NTP on LAN and pinging LAN, it probably won't ever work. Has nothing to do with pfSense.

              aGeekhere

              1/ Censoring entire rules does not help. The first rule is pointless for NTP, pointless for ping as well.

              I thought as much.

              If you want to get rid of the IGMP noise, use latest 2.2.3 snapshots.

              Good to know it is fixed in 2.2.3 (will wait for stable).

              2/ If you recycled a DSL router for wifi AP, it most likely won't use anything but the no-op WAN for NTP and ping

              This is what I was thinking as well.

              So, unless you are pointing it to NTP on LAN and pinging LAN, it probably won't ever work.

              Hmm going to look into this.

              Thanks

              Never Fear, A Geek is Here!

                phil.davis

                You must have the DSL "router" currently with just one of its LAN ports connected to the general LAN switch/pfSense LAN, and with its DHCP off - so the WiFi clients on it get through to pfSense LAN and get DHCP/DNS… direct from pfSense. All good.
                I expect you could connect DSL router WAN to the pfSense LAN-side switch also. It would get DHCP from pfSense LAN and see that as an upstream gateway to the internet. For its own internal functions (NTP whatever) it would have internet access that it understands. This should not affect WiFi clients - they should continue to slip their packets straight through from the WiFi to ordinary LAN and pfSense.
                The only issue I see with this is confusion - someone else who comes along and sees 2 cables from the DSL router connected to LAN will be confused and need to have it explained.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  aGeekhere

                  You must have the DSL "router" currently with just one of its LAN ports connected to the general LAN switch/pfSense LAN, and with its DHCP off - so the WiFi clients on it get through to pfSense LAN and get DHCP/DNS… direct from pfSense. All good.

                  That is correct, wireless router with DHCP off connected to a switch (which is then connected to the lan port to pfsense)

                  I expect you could connect DSL router WAN to the pfSense LAN-side switch also. It would get DHCP from pfSense LAN and see that as an upstream gateway to the internet. For its own internal functions (NTP whatever) it would have internet access that it understands. This should not affect WiFi clients - they should continue to slip their packets straight through from the WiFi to ordinary LAN and pfSense.

                  Will try it and see how I go.

                  Never Fear, A Geek is Here!

                    doktornotor

                    @phil.davis:

                    I expect you could connect DSL router WAN to the pfSense LAN-side switch also.

                    That won't even work. DSL is not Ethernet.

                      aGeekhere

                      Yeah, that does not look like it's working, think I am getting a loop.

                      Never Fear, A Geek is Here!

                        phil.davis

                        @doktornotor:

                        @phil.davis:

                        I expect you could connect DSL router WAN to the pfSense LAN-side switch also.

                        That won't even work. DSL is not Ethernet.

                        Yes, it depends what the physical-electrical interface is on that device, I did not check that. Here in Nepal people call it a "DSL router" when it has an RJ45 Ethernet WAN and 1 or more RJ45 Ethernet LAN ports - probably not the right terminology :)

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                          doktornotor

                          Well, the connector may be RJ45… but the device just "doesn't speak Ethernet" there.
