Author Topic: Unable to access Internet from WIFI AP  (Read 337 times)

mdahal
Unable to access Internet from WIFI AP
« on: February 01, 2018, 05:58:40 am »
Hello everyone,

I have been unable to get my wifi AP to get to the internet.

It is connected to the different interface. DHCP works and I am able to get DHCP on the subnet. However, I cannot connect to the internet. Cannot ping subnet IP.

So far, I have LAN as 192.168.2.1
WIFI as 192.168.3.1
IPMI which I am planning to use for all my server management interface set as 192.168.4.1

I have set up rules for wifi to allow for any to any connection.

I have set up my outbound NAT as automatic.

I cannot see anything getting blocked in firewall either.

My AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN.

Really appreciate if you could advise what to check for.

Cheers,

NogBadTheBad
Re: Unable to access Internet from WIFI AP
« Reply #1 on: February 01, 2018, 06:15:44 am »
What happens if you connect a PC to the port you connect the ISP WiFi router to, does the PC work ?

Could be a default gateway / subnet mask issue, what does an ipconfig show ?

Jackish
Re: Unable to access Internet from WIFI AP
« Reply #2 on: February 01, 2018, 06:29:42 am »
Ethernet should be connected to WAN on your AP, or do you mean that Ethernet is connected from LAN on pfsense?

mdahal
Re: Unable to access Internet from WIFI AP
« Reply #3 on: February 01, 2018, 06:35:35 am »
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me

inet 192.168.3.7 netmask 0xffffff00 broadcast 192.168.3.255
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
   status: active

Furthermore, in the interface assignment IP is selected as 192.168.2.3/24 So, the subnet mask is correct. Using the same gateway I am able to get to the internet in "LAN" interface. Just not in "WIFI"

@Jackish Ethernet should be connected to LAN port so I can use it as a wireless switch I believe. Since, above is failing I think the issue is with pfsense interface somewhere. Unable to find exactly where.


NogBadTheBad
Re: Unable to access Internet from WIFI AP
« Reply #4 on: February 01, 2018, 06:55:43 am »
Ethernet should be connected to WAN on your AP, or do you mean that Ethernet is connected from LAN on pfsense?

No, it shouldn't; you'll get a double NAT if you use the WAN port. Use one of the LAN ports.
« Last Edit: February 01, 2018, 07:00:18 am by NogBadTheBad »

NogBadTheBad
Re: Unable to access Internet from WIFI AP
« Reply #5 on: February 01, 2018, 06:57:35 am »
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me

So your laptop can't access the internet when connected to the port the ISP router connects to then ?

If this is the case it's an issue with your config on the pfsense router.

What's the output from netstat -rn  when you connect the laptop to the wifi lan port ?
« Last Edit: February 01, 2018, 07:01:35 am by NogBadTheBad »

mdahal
Re: Unable to access Internet from WIFI AP
« Reply #6 on: February 01, 2018, 07:29:05 am »
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me

So your laptop can't access the internet when connected to the port the ISP router connects to then ?

If this is the case it's an issue with your config on the pfsense router.

What's the output from netstat -rn  when you connect the laptop to the wifi lan port ?

Just so that we are on the same page want to clear something.

I have 4 interfaces in my pfsense.

WAN, LAN, WIFI, IPMI

LAN is connected to switch which has multiple computers connected which is connecting to internet fine. LAN interface has subnet 192.168.1.1/24

WIFI has ISP provided router connected as AP with DHCP disabled in LAN port with subnet 192.168.3.1/24. Wifi is on, I am able to connect devices to it get IP address assigned but unable to get internet access. Unable to ping 192.168.3.1 (WIFI interface IP). I have tried connecting my laptop instead of wifi AP and I wasn't able to get to the internet so same issue.

IPMI is not physically connected at the moment.

Furthermore, I also have two VPN client running which has selective routing enabled with two interface VPNIN and VPNUS, One VPN Server which is running perfectly fine.

The output of netstat is as follows:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.3.1        UGSc            6        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1      530     lo0
169.254            link#4             UCS             0        0     en0
192.168.3          link#4             UCS             0        0     en0
192.168.3.1/32     link#4             UCS             2        0     en0
192.168.3.1        ac:1f:6b:10:cf:e5  UHLWIir        29       71     en0   1191
192.168.3.3/32     link#4             UCS             1        0     en0
224.0.0/4          link#4             UmCS            2        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0        4     en0
255.255.255.255/32 link#4             UCS             0        0     en0

This is with Wifi connected via AP.

Really appreciate your input so far.
« Last Edit: February 01, 2018, 07:33:25 am by mdahal »

NogBadTheBad
Re: Unable to access Internet from WIFI AP
« Reply #7 on: February 01, 2018, 07:38:13 am »
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.3.1        UGSc            6        0     en0
127                127.0.0.1          UCS             0        0     lo0

Default gateway is fine too.

Gertjan
Re: Unable to access Internet from WIFI AP
« Reply #8 on: February 01, 2018, 07:42:14 am »
So far, I have LAN as 192.168.2.1
Because your WAN is 192.168.1.x ?

WIFI as 192.168.3.1
Why ???
Make its LAN IP 192.168.2.2/24 and you'll be fine


My AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN.
You should be able to stop all "router" functions. Your AP should be a dumb "electrical wire signal" to "radio signal" converter.
DHCP off - DNS off - gateway to IP pfSense LAN = 192.168.2.1 - DNS server set to 192.168.2.1 - mask /24


mdahal
Re: Unable to access Internet from WIFI AP
« Reply #9 on: February 01, 2018, 08:00:33 am »
@Gertjan

No for WAN I get DHCP from my ISP. And I had all my machines setup for 192.168.2.1/24 from long time ago that is why I have it set up as 2.1 no real reason.

WIFI is 192.168.3.1 because I want it to be in different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface.

My AP is definitely a dumb AP with all function turned off. (Apologies on using the term "router")

Appreciate your help.

mdahal
Re: Unable to access Internet from WIFI AP
« Reply #10 on: February 01, 2018, 08:02:16 am »
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.3.1        UGSc            6        0     en0
127                127.0.0.1          UCS             0        0     lo0

Default gateway is fine too.

Yeah, really pulling my hair out here. I have been using pfsense for a while the only difference is I had these interface bridged before. I want to setup different subnet so my wifi connection cannot talk to my LAN and IPMI subnets.

johnpoz
Re: Unable to access Internet from WIFI AP
« Reply #11 on: February 01, 2018, 09:25:25 am »
that is the outbound of your laptop netstat?  Why do you have /32 bit mask set

"192.168.3.1/32"

And then this?

"192.168.3.3/32"

And you have that set on a wired interface en0


NogBadTheBad
Re: Unable to access Internet from WIFI AP
« Reply #12 on: February 01, 2018, 09:49:23 am »
that is the outbound of your laptop netstat?  Why do you have /32 bit mask set

"192.168.3.1/32"

And then this?

"192.168.3.3/32"

And you have that set on a wired interface en0

The two /32's seem to be a MacOS thing, I see them on my Mac one is the default gateway the other the actual device.

mac-pro:~ andy$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.16.2.1         UGSc           50        6     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              8     3282     lo0
169.254            link#6             UCS             0        0     en0
172.16.2/24        link#6             UCS             4        0     en0
172.16.2.1/32      link#6             UCS             1        0     en0
172.16.2.1         0:8:a2:a:9d:cb     UHLWIir         7        1     en0    286
172.16.2.6         6c:70:9f:d8:3b:4e  UHLWI           0        0     en0   1074
172.16.2.20/32     link#6             UCS             0        0     en0
172.16.2.23        a8:20:66:10:fc:b7  UHLWI           0        0     en0   1075
172.16.2.40        40:9c:28:a2:e0:7e  UHLWI           0        6     en0   1060
172.16.2.41        d0:4f:7e:85:d9:be  UHLWI           0       41     en0    449
192.168.12         link#19            UC              1        0  vmnet1
192.168.33         link#20            UC              1        0  vmnet8
224.0.0/4          link#6             UmCS            1        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
255.255.255.255/32 link#6             UCS             0        0     en0

What I see but don't in the OP's netstat is a /24 like my entry in green.
« Last Edit: February 01, 2018, 10:25:09 am by NogBadTheBad »
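
An added example, not part of any post in this thread: a small parser for the IPv4 rows of BSD/macOS `netstat -rn` output that expands abbreviated destinations to full CIDR networks and checks that the default gateway is on a directly connected subnet. It relies on the BSD convention that trailing zero octets are dropped and the mask is omitted when it equals the classful one, so `192.168.3` stands for 192.168.3.0/24 while `172.16.2/24` needs the explicit suffix. Function names are illustrative, and the client address 192.168.3.3 is assumed from the table's own /32 entry.

```python
import ipaddress

# IPv4 rows copied from the client's `netstat -rn` output posted earlier in the thread.
ROWS = """\
default            192.168.3.1        UGSc            6        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1      530     lo0
169.254            link#4             UCS             0        0     en0
192.168.3          link#4             UCS             0        0     en0
192.168.3.1/32     link#4             UCS             2        0     en0
192.168.3.1        ac:1f:6b:10:cf:e5  UHLWIir        29       71     en0   1191
192.168.3.3/32     link#4             UCS             1        0     en0
224.0.0/4          link#4             UmCS            2        0     en0
255.255.255.255/32 link#4             UCS             0        0     en0
"""

def expand(dest):
    """Expand a BSD-style netstat destination to a full CIDR network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".")
    if not bits and len(octets) == 4:
        bits = "32"                      # full address, no mask: host route
    elif not bits:                       # trailing octets dropped: classful mask
        first = int(octets[0])
        bits = "8" if first < 128 else "16" if first < 192 else "24"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)

def parse_routes(text):
    """Return (network, gateway, flags, netif) for each route row."""
    rows = (line.split() for line in text.splitlines())
    return [(expand(f[0]), f[1], f[2], f[5]) for f in rows if len(f) >= 6]

def check_client(routes, host_ip):
    """Report the default gateway and whether it sits on a connected subnet of host_ip."""
    host = ipaddress.ip_address(host_ip)
    gw = next((g for net, g, fl, _ in routes if net.prefixlen == 0 and "G" in fl), None)
    connected = [net for net, g, fl, _ in routes
                 if g.startswith("link#") and "C" in fl
                 and 0 < net.prefixlen < 32 and host in net]
    on_link = gw is not None and any(ipaddress.ip_address(gw) in n for n in connected)
    return {"default_gw": gw, "connected": [str(n) for n in connected], "gw_on_link": on_link}

if __name__ == "__main__":
    print(check_client(parse_routes(ROWS), "192.168.3.3"))
```

Read this way, the client's table holds both a connected 192.168.3.0/24 route and an on-link default gateway, which points the remaining checks at the firewall side rather than the client.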

Gertjan
Re: Unable to access Internet from WIFI AP
« Reply #13 on: February 01, 2018, 01:12:33 pm »
.....
WIFI is 192.168.3.1 because it I want it to be in different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface.
All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24) , because they are 'dumb' converters **.
On your Wifi network you must have a DHCP server, is this pfSense ? So it hand out IPs from pool like 192.168.2.[x-y] == LAN ? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router ... not a dumb device anymore)

** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of a AP is not in the network where it is situated, you're in trouble.

mdahal
Re: Unable to access Internet from WIFI AP
« Reply #14 on: February 01, 2018, 01:52:19 pm »

All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24) , because they are 'dumb' converters **.
On your Wifi network you must have a DHCP server, is this pfSense ? So it hand out IPs from pool like 192.168.2.[x-y] == LAN ? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router ... not a dumb device anymore)

** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of a AP is not in the network where it is situated, you're in trouble.

This is exactly the case. NTP and DNS is definitely handled by pfsense. My AP is wireless switch in different subnet. If you have a look at my OP you can see the pfsense getting  DNS request. As discussed before even without the converted AP laptop getting connected to the pfsense port/interface directly I am having same issue. That rules out this as an issue with AP I believe.