Unable to get wireless printer to work.

  • I've got a multi-wan setup on a NetGate m1n1wall, including a wireless card bridged to the LAN.  I have set up a DHCP rule to always give my wireless printer the address  It doesn't seem to matter what rules I put into the firewall, I simply cannot get any packets to go from the LAN into the WIFI.  A simple ping results 100% packet loss.  Is there some trick to getting the WIFI and LAN interfaces to interoperate?


  • Rebel Alliance Developer Netgate

    What do your current LAN rules look like?

    Since you have multi-WAN, if you have a rule with a gateway set matching LAN traffic it may be hitting that and leaving WAN, rather than going to your printer.

    Add a rule at the TOP of your LAN rules to pass from LAN net to LAN net with no gateway set, see if that helps.

  • Thanks for the suggestion.  No, that didn't seem to have any effect.  I can see the printer on the network to set it up, but printing to it simply doesn't work.

    I'm having a similar problem with a set of Sonos wifi speakers, but I'm posting separately about that, because it seems to have something to do with IGMP.

  • LAYER 8 Global Moderator

    Since you have a bridge wouldn't you need to do your rules on the bridge?

  • Rebel Alliance Developer Netgate


    Since you have a bridge wouldn't you need to do your rules on the bridge?

    That depends on the values of the filtering sysctl oids, it can work either way.

  • I honestly can't recall what guide I followed when creating the bridge, but I ended up with rules mostly on the LAN (bridge) interface.  WIFI and ETHERNET are bridged to create LAN, if that helps any.  I'm not averse to publishing information here to get help.  I just didn't want to overload with a lot of useless stuff.  This gets deeper than my actual knowledge of networking.  So, I'm definitely swimming in deep waters.  What else can I provide that will be helpful?

  • LAYER 8 Netgate

    In System > Advanced > System Tunables what are the settings for these?

    net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces. default (1)
    net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface default (0)

    It is my understanding that for it to behave more like a switch, the LAN interface needs to be assigned to the bridge interface and
    net.link.bridge.pfil_member should be 0 and net.link.bridge.pfil_bridge should be 1.

  • net.link.bridge.pfil_member = 1
    net.link.bridge.pfil_bridge = 0

    So, it sounds like I should try reversing each of those.  I'll give that a try and report back.
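Added example, not part of any post in this thread: a small shell helper that reads the two bridge tunables discussed above and reports where packet filtering is applied to bridged traffic, following the semantics quoted from System Tunables. The function names and the sample input are constructed for illustration; WIFI and ETHERNET are the member names used earlier in the thread.

```shell
#!/bin/sh
# Classify where pf filters bridged traffic, based on the two if_bridge
# tunables. Reads sysctl-style text on stdin and accepts both
# "name: value" (sysctl output) and "name = value" (as typed in the thread).
# On the firewall itself: sysctl net.link.bridge | bridge_filter_mode

bridge_filter_mode() {
    member="" bridge=""
    while IFS= read -r line; do
        # Turn the first ":" or "=" into a space, then split into words.
        set -- $(printf '%s\n' "$line" | sed 's/[:=]/ /')
        case "$1" in
            net.link.bridge.pfil_member) member="$2" ;;
            net.link.bridge.pfil_bridge) bridge="$2" ;;
        esac
    done
    case "$member/$bridge" in
        1/0) echo "member" ;;
        0/1) echo "bridge" ;;
        1/1) echo "both" ;;
        0/0) echo "none" ;;
        *)   echo "unknown"; return 1 ;;   # a tunable was missing or malformed
    esac
}

explain_mode() {
    case "$1" in
        member) echo "rules are evaluated on each member interface (WIFI, ETHERNET)" ;;
        bridge) echo "rules are evaluated on the interface assigned to the bridge" ;;
        both)   echo "rules are evaluated on the members and again on the bridge" ;;
        none)   echo "no filtering hook runs on frames bridged between members" ;;
        *)      echo "tunables missing or unparseable" ;;
    esac
}

# Constructed sample input: the values reported in the post above.
reported='net.link.bridge.pfil_member = 1
net.link.bridge.pfil_bridge = 0'
mode=$(printf '%s\n' "$reported" | bridge_filter_mode) || true
echo "reported: $mode ($(explain_mode "$mode"))"
```

The "none" and "both" results are the ones worth checking for after a change: the first means bridged traffic is not inspected at all, the second means every rule set on members and bridge has to agree before a packet passes.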

  • LAYER 8 Netgate

    I would expect that with those reversed, packets among the member interfaces will be unfiltered. It is no secret that I pretty much despise these bridges and much prefer an access point on LAN.

    The very fact that jimp suggested a firewall rule source LAN net dest LAN net demonstrates how convoluted it can be.

  • Bingo! And, as a bonus, my Sonos wifi speakers are working now, too.

    Yes, it's somewhat confusing, especially to a newbie.  I considered adding an access point, but I wasn't sure how to make it work seamlessly with the rest of my network.  This seems to be doing the trick, though.


  • LAYER 8 Global Moderator

    A true AP just connected to your lan network would be a much easier setup to be sure.  I am with derelict here, bridges are the LAST resort and have really little use in most networks.  If you want to use pfsense as AP, why not just leave the wireless on its own segment??  Why do you feel you need to bridge it to your LAN?

    I use actual APs and they are still isolated from my normal LAN (edited from WAN typo) network. I just don't see why your wireless devices need to be bridged to your wired LAN network.  Put them on their own segment.  Devices that make sense to put on that for wireless broadcasting, multicasting, etc. put on that segment.  For example I have a printer that mobile devices like to use AirPrint to find. So I just put the printer on the wlan segment, my wired devices can much more easily just install the driver and point to the IP, and then open the firewall to the printer port.

    Just my take on the subject. If you think bridge is the answer to some problem, you should prob step back and evaluate the problem again - bridging is almost never the best solution, that is for sure.

  • OK.  Let's turn this into a teaching moment, for myself and anyone else who comes along.

    I bridged the WIFI and ETHERNET together to create LAN so that my wireless and wired devices would all share the same subnet and be accessible to one another.  Granted, I'm sure that ease of access could be accomplished with the right set of routing rules, but as I mentioned before, I'm not exactly a networking guru.  I know more than the average home owner with a router appliance from Xfinity or AT&T, but if I had to merge 192.168.1.x with 192.168.2.x, I'm not sure I would know how to make that happen.  So, perhaps, I made a poor decision in the name of simplicity, which turned out not to be as simple as I thought it would be?

    This is actually a perfect time to talk about it, because I'm considering an upgrade of my pfSense router.  I've got an older NetGate m1n1wall with the wifi card added internally.  It works, but it sometimes struggles to keep up.  So, I've been looking at the new appliances from pfSense that have a little more RAM and a little faster CPU.  Maybe, this time, it's better to leave out the wifi card and instead purchase a third-party access point to handle my wireless needs.  What would be the right equipment and suggested way to configure it all?

    The one thing that I must keep is my 2-WAN setup.  I work from home, and I do this in order to, hopefully, always have some kind of connectivity.  If the cable (primary) goes down, the Uverse is there to catch me.



  • LAYER 8 Global Moderator

    For ease of keeping it simple you could have accomplished the same network for your wireless and wired by just using your old wifi router as AP and connecting it to your wired network.

    You turn off the SOHO router's DHCP server, you give it an IP on your network for its LAN.  And then connect it to your network via a LAN port on it vs its WAN.  There you go, 30 second AP. That sure and the hell is much easier than creating a bridge.

    There are no routing rules if you just put the pfsense wifi on its own segment - firewall rules yes. But if you make them any any you pretty much have 1 network with just broadcasts not passing between them.

    As to getting a home budget AP, I would look towards the unifi stuff.. https://www.ubnt.com/unifi/unifi-ap-ac-lite/

    You can have as many WAN connections as you want, that has nothing to do with the number of local network segments you run or don't run.
