Locking up for no real reason

Started by ks98330q, December 18, 2022, 02:59:19 AM

Hello there. I've installed an external AP, nothing fancy, just an old computer running a small install of Debian with hostapd. I've configured everything, but when I plug the AP into the port on the opnsense the entire machine stops responding. I can get an IP but can't access the admin interface or surf. Disconnecting the AP does nothing. Rebooting with the AP disconnected doesn't help. The only recovery is to console in, disable the interface the AP was attached to, reboot, then everything will work.

So here is how I have my stuff setup:
bge0 <wan static IP> (built in NIC.  Broadcom Xtreme Gig ethernet)
bce0 <10.220.0.1/24 with DHCP turned on.  Pool is .2-.75>
bce1 <10.220.0.100/24 with DHCP turned on.  Pool is .101-.150>
bce0, bce1 are together on one card.

I can make any combination of the interfaces, and all is well, until the AP comes to the party. So it <shouldn't> be a flaking interface.

Run tcpdump on the AP computer and a packet trace on the firewall and see what's going on between them

Bart...

Is your AP running its own password protection?

Opnsense doesn't support wifi by itself (unless you have a compatible Wifi module installed on it); for that you need to configure Captive Portal (https://docs.opnsense.org/manual/captiveportal.html)

December 18, 2022, 02:53:15 PM #3 Last Edit: December 18, 2022, 02:58:55 PM by Vilhonator
If Wifi isn't what you are looking for, but instead you are searching for a way to restrict access to your opnsense from the AP network, a simple way to do so is to assign a different IP to your AP network (like 10.220.1.1/24).

For that, first backup your opnsense.

1. Assign an interface for the AP with IP 10.220.1.1 and subnet mask 255.255.255.0 and give it a name like "AP"

2. Clone Default firewall rules from LAN (change interface from "LAN" to "AP", Source from "LAN net" to "AP net" then click apply and after that, save changes)

3. Configure DHCP for AP interface.

4. Add your LAN interface IP to gateways

5. Add a static route: network is 100.220.0.0/16 and gateway is LAN (this is the part which can go wrong, I don't remember which mask bit is the correct one, but the default private ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)

After this, reboot OpnSense, and if you are locked out of the system and don't have an internet connection, then most likely the route is wrong and you have to remove it.

If all works as it should, go to Firewall ---> Aliases, add a new alias, give it a name like "Https, Http and SSH", choose the ports option from the list, in the field type "22", "443" and "80" (press tab after typing each number, hence the quotation marks on each number), then save and apply changes.

After that, go to Firewall ---> Rules ---> AP and add a new rule: choose either block or reject, source is "AP net", destination is "This firewall", destination port is the alias you just created, type a description like "Block access to firewall", then apply. After that, move the block rule above the "Default allow all" rule and save changes.

After that, clone the block rule you created and change the destination from "This firewall" to "LAN net", change the description to something like "Block access to LAN", then apply and save changes.

Now the only way you should be able to connect to opnsense via web or ssh is by physically connecting your computer to the LAN port on the opnsense. So finally, connect your PC to the AP interface and see if the firewall blocks you from accessing the Webgui and SSH on both the 100.220.1.1 and 100.220.0.1 addresses. If both are blocked, then see if your PC gets connected when you attach it to the LAN port.

If all goes well, things should work and you can attach your AP to the AP port on OpnSense.
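As an added illustration, not code from this thread or from OPNsense, here is a small first-match model of the AP rule set described above. The 10.220.1.0/24 AP network, the 10.220.0.0/24 LAN and the 22/80/443 alias come from the thread; the two firewall addresses are assumed, and the engine deliberately ignores protocol and state so the ordering point stands out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: AP interface network and LAN network as set up in the thread.
AP_NET = ipaddress.ip_network("10.220.1.0/24")
LAN_NET = ipaddress.ip_network("10.220.0.0/24")
# "This firewall": addresses OPNsense itself answers on (assumed for this model).
FIREWALL_ADDRS = {ipaddress.ip_address("10.220.1.1"), ipaddress.ip_address("10.220.0.1")}
ADMIN_PORTS = frozenset({22, 80, 443})   # the "Https, Http and SSH" alias


@dataclass(frozen=True)
class Rule:
    action: str          # "block" or "pass"
    src: object          # IPv4Network the packet must originate from
    dst: object          # IPv4Network, the FIREWALL_ADDRS set, or None for "any"
    ports: object        # frozenset of destination ports, or None for "any"
    description: str

    def matches(self, src_ip, dst_ip, dport):
        if src_ip not in self.src:
            return False
        if isinstance(self.dst, set) and dst_ip not in self.dst:
            return False
        if isinstance(self.dst, ipaddress.IPv4Network) and dst_ip not in self.dst:
            return False
        return self.ports is None or dport in self.ports


# Rules in the order the post recommends: both blocks above "Default allow all".
RULES_SUGGESTED = [
    Rule("block", AP_NET, FIREWALL_ADDRS, ADMIN_PORTS, "Block access to firewall"),
    Rule("block", AP_NET, LAN_NET, None, "Block access to LAN"),
    Rule("pass", AP_NET, None, None, "Default allow all"),
]
# Same rules with the blocks left below the allow rule: they can never fire.
RULES_WRONG_ORDER = [RULES_SUGGESTED[2], RULES_SUGGESTED[0], RULES_SUGGESTED[1]]


def evaluate(rules, src, dst, dport):
    """Return (action, description) of the first matching rule; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action, rule.description
    return "block", "implicit deny"


if __name__ == "__main__":
    for dst, port in (("10.220.1.1", 443), ("10.220.1.1", 53), ("10.220.0.50", 445), ("8.8.8.8", 443)):
        print(dst, port, evaluate(RULES_SUGGESTED, "10.220.1.50", dst, port))
```

Note that DHCP and DNS from AP clients to the firewall still pass, because the alias only covers the three admin ports.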

December 18, 2022, 05:07:44 PM #4 Last Edit: December 18, 2022, 05:10:11 PM by ks98330q
Vilhonator
I'll give this a try later today or tomorrow and report back

Vilhonator-
I was able to make this work by allowing DHCP on the AP interface for the router which has a 10.220.0.X address, then I was able to change the network for the AP provided by hostapd to the 10.220.1.X network.  All is working now with that section.  I applied the rules you mentioned and the wireless clients are off limits to any admin interface and any peers on the network.  I decided to abandon the Debian install, and used OpnSense as the access point.

-> A new concern:  I have 2 WLAN cards installed, but only one is recognised by OPNSense.  pciconf -lv shows:

none6@pci0:3:0:0:       class=0x028000 rev=0x00 hdr=0x00 vendor=0x168c device=0x003c subvendor=0x0000 subdevice=0x0000
    vendor     = 'Qualcomm Atheros'
    device     = 'QCA986x/988x 802.11ac Wireless Network Adapter'
    class      = network
ath0@pci0:4:0:0:        class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002e subvendor=0x168c subdevice=0x30a4
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


The none6 item is not working. ath0 is functioning correctly. How do I get none6 to work?


Quote from: ks98330q on December 21, 2022, 05:47:22 AM

the none6 item is not working.  ath0 is functioning correctly.  How to get the none6 to work?

You either have to install drivers manually or buy another wifi card. As I mentioned, OpnSense doesn't support wifi out of the box, you need to install a compatible network NIC for that. If both of your wifi modules are the same model, then you faced something many do, which is that some of them work and some of them won't :D

Though you only need 1 wifi module, so there's no loss in not being able to use 1 out of 2 modules.

Quote from: ks98330q on December 21, 2022, 05:47:22 AM

none6@pci0:3:0:0:       class=0x028000 rev=0x00 hdr=0x00 vendor=0x168c device=0x003c subvendor=0x0000 subdevice=0x0000
    vendor     = 'Qualcomm Atheros'
    device     = 'QCA986x/988x 802.11ac Wireless Network Adapter'
    class      = network
ath0@pci0:4:0:0:        class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002e subvendor=0x168c subdevice=0x30a4
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


There's the issue: the one that works is the right type of wireless adapter. I think you need to replace the PCI-express adapter if you REALLY want 2 wifi modules; just check all the features the working one has, and get one with the same features.

Furthermore, if the working one uses bluetooth or infrared, then I wouldn't bother having wifi on the opnsense; you can install any AP (for example https://www.ui.com/wi-fi) or router with AP support (like https://www.asus.com/fi/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ac86u/) and have wifi there.