
Author Topic: pf Access Point Help  (Read 1590 times)


Offline leadZERO

pf Access Point Help
« on: November 16, 2011, 09:00:06 pm »
I just got a pf box from Netgate with an Atheros miniPCI card.  I was able to get bridging working between the LAN port and the pf hosted access point. Hosts on LAN and WIFI were able to get leases from the pf DHCP server.

The problem started when I tried to get auth/encryption working in the pfsense access point.  No matter what settings I tried, I could never get a host to work on the wifi.  I tried WPA/WPA2/WEP, AES/TKIP, simple keys, etc.  Everything works great if I have no authentication or encryption.  I tried both with a Windows 7 desktop as well as my iPhone.  Neither could ever connect.

Is there some trick? I've tried Google and the forums search, but haven't come across anything that works yet.

Thanks,
Ryan

Offline wallabybob

Re: pf Access Point Help
« Reply #1 on: November 17, 2011, 03:39:18 am »
> Everything works great if I have no authentication or encryption.

That is a good start.

Please post the output of the pfSense shell command ifconfig -a. I'll compare your current parameters with mine.

Did you reboot your pfSense box after setting encryption parameters? I don't know if it is required with change in encryption parameters but I have found a few instances where major parameter changes seem to require a reboot to take effect.

Offline leadZERO

Re: pf Access Point Help
« Reply #2 on: November 17, 2011, 06:53:35 pm »
So, to test, I took the bridge out of the equation and just added a static IP to the wireless AP interface and set the DHCP server to hand out leases on it.  The only thing I have to switch between these settings working and not working is to enable/disable the WPA? check box.  (And yes, I'm also resetting my host to use/not use the passphrase.)

I tried rebooting my pf in between just to try that, same thing.

Code:
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether ***
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running

ath0_wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ***
        inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0x9
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid mixatmp channel 11 (2462 MHz 11g) bssid 00:0b:6b:23:0b:59
        country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
        AES-CCM 2:128-bit txpower 25 scanvalid 60 protmode OFF burst -apbridge
        dtimperiod 1 -dfs

Offline wallabybob

Re: pf Access Point Help
« Reply #3 on: November 17, 2011, 07:52:45 pm »
Here's ifconfig output from my working system:
Code:
# ifconfig -a
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether ***
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running

ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ***
        inet6 ***%ath0_wlan0 prefixlen 64 scopeid 0xd
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid *** channel 1 (2412 MHz 11g) bssid ***
        regdomain ROW country AU indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs
#

Do you change the SSID when you switch from unencrypted to encrypted mode? If not, I wonder if that confuses the clients. (I presume you aren't completely clearing the clients memory of previous connections.) How about using a different SSID for the encrypted configuration?
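
The side-by-side parameter comparison from the two posts above, as an added example that is not part of the original thread: a Python script that parses the two posted ath0_wlan0 blocks and lists only the settings that differ. The function names, the keyword list, and the reading of the number in "AES-CCM N:128-bit" as a key index are assumptions made for this example.

```python
import re

# Sample input: the ath0_wlan0 802.11 lines as posted in this thread
# (address/media lines trimmed; the *** masks are the posters' own).
NOT_WORKING = """\
ath0_wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ssid mixatmp channel 11 (2462 MHz 11g) bssid 00:0b:6b:23:0b:59
        country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
        AES-CCM 2:128-bit txpower 25 scanvalid 60 protmode OFF burst -apbridge
        dtimperiod 1 -dfs
"""
WORKING = """\
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ssid *** channel 1 (2412 MHz 11g) bssid ***
        regdomain ROW country AU indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs
"""

# Keywords that are followed by a single value in the output above.
KEYED = ("channel", "regdomain", "country", "authmode", "privacy",
         "deftxkey", "txpower", "scanvalid", "protmode", "dtimperiod")

def parse_wlan(text):
    """Flatten one wlan interface block into comparable settings."""
    header, _, body = text.partition("\n")
    flags = re.search(r"flags=\w+<([^>]*)>", header)
    out = {
        "ifflags": frozenset(flags.group(1).split(",")) if flags else frozenset(),
        # "AES-CCM 2:128-bit" -> key index 2 (assumed meaning of the number)
        "keys": frozenset(int(n) for n in re.findall(r"AES-CCM (\d+):\d+-bit", body)),
        # negated switches such as -apbridge and -dfs
        "off": frozenset(re.findall(r"(?<!\S)-\w+", body)),
    }
    for kw in KEYED:
        m = re.search(rf"(?<!\S){kw}\s+(\S+)", body)
        if m:
            out[kw] = m.group(1)
    return out

def diff_wlan(a, b):
    """Return {setting: (value_in_a, value_in_b)} for settings that differ."""
    pa, pb = parse_wlan(a), parse_wlan(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    for name, (mine, theirs) in diff_wlan(NOT_WORKING, WORKING).items():
        print(f"{name:10} {sorted(mine) if isinstance(mine, frozenset) else mine}"
              f" -> {sorted(theirs) if isinstance(theirs, frozenset) else theirs}")
```

Settings that match in both outputs (authmode, privacy, deftxkey, protmode) are left out, so what remains is the short list worth checking by hand.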

Offline leadZERO

Re: pf Access Point Help
« Reply #4 on: November 17, 2011, 08:31:02 pm »
I did try using a different SSID, same thing.  I also noticed that anytime I changed the parameters, Windows 7 noticed the change, so I doubt it's getting confused.

Any idea what the "burst -apbridge" on mine is?

Offline wallabybob

Re: pf Access Point Help
« Reply #5 on: November 17, 2011, 09:30:46 pm »
-apbridge means (I think) that the access point does NOT act as a bridge between wireless clients.

Other settings on my interface:
WPA Mode: WPA2
WPA Key Management Mode: Pre-Shared Key
Authentication: Open System Authentication
WPA Pairwise: AES
Key Rotation: 60
Master Key Regeneration: 3600
Strict Key Regeneration: unchecked
Enable IEEE802.1X Authentication: unchecked