Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Wireless AP + VLAN = No internet access

Wed Aug 05, 2015 5:53 pm

So, here's a bit of a nutter.

I have a Mikrotik 2011UAS-2HnD, and I've just created a second Virtual AP. I want all traffic on that Virtual AP to go through my pfsense VM, which is running on a server connected to the Mikrotik. So what I've done is as follows:

* Created Virtual AP
* Created VLAN and assigned it to the interface the pfsense VM is connected to
* Created a bridge and assigned the virtual AP and vlan interface

This works, kinda. Clients connecting to the Virtual AP get an IP assigned by the DHCP server from pfsense, and I can see traffic running through the VLAN firewall on pfsense. The clients can ping any part of the network (that the pfsense firewall permits); however, the clients cannot get any internet access. A traceroute shows the following:
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  10.10.60.1 (10.10.60.1)  1.399 ms  1.163 ms  0.984 ms
 2  10.0.0.1 (10.0.0.1)  2.887 ms  1.298 ms  1.359 ms
10.10.60.1 is the pfsense vlan address, and 10.0.0.1 is on the Mikrotik side. The next jump should be to my ISP.

I'm assuming I'm missing something obvious here, but I can't figure out what it is.

Thanks!
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Wed Aug 05, 2015 11:53 pm

I've been wrapping my head around this all day long. So frustrating, as I'm sure there's something fundamental I'm not getting. Clients can connect to the virtual AP, they get an IP from the pfsense DHCP, they pass the proper pfsense VLAN firewall, and reach the Mikrotik gateway, but then it stops there instead of proceeding out to the internet.
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 12:07 am

Put an export of your mikrotik configuration
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 11:21 am

 #    INTERFACE                                     BRIDGE                                    PRIORITY  PATH-COST    HORIZON
 0    ether2                                        bridge-lan_trusted                            0x20         10       none
 1 I  ;;; Trusted WLAN
      wlan_clients                                  bridge-lan_trusted                            0x80         10       none
 2    wlan_untrusted                                bridge_untrusted                              0x80         10       none
 3 X  vlan-106                                      bridge_untrusted                              0x80         10       none
 4    ether6                                        bridge-lan_trusted                            0x80         10       none
 #    NAME                                           MTU ARP        VLAN-ID INTERFACE                                       
 0 R  ;;; VLAN 99 - pfSense WAN 
      vlan-99                                       1500 enabled         99 ether7                                                                
 6 R  ;;; VLAN 106 - Primary WiFi Network
      vlan-106                                      1500 enabled        106 ether7  
#     NAME                                TYPE  
 0  R  ;;; WAN Interface
       ether1-gateway                      ether 
       ether2                              ether
       ether3                              ether
       ether4                              ether 
       ether5                              ether
       ether6                              ether 
       ether7                              ether
       ether8-slave-local                  ether 
       ether9-slave-local                  ether
       ether10-slave-local                 ether
10     sfp1                                ether  
       wlan_clients                        wlan 
       wlan_untrusted                      wlan 
       bridge-lan_trusted                  bridge
       bridge_untrusted                    bridge
15  R  ;;; VLAN 99 - pfSense WAN 
       vlan-99                             vlan
16  R  ;;; VLAN 106 - Primary WiFi Network
       vlan-106                            vlan 
 #   ADDRESS            NETWORK         INTERFACE                                                                           
 0   ;;; mikrotik LAN
     192.168.xx.1/24    192.168.xx.0    bridge-lan_trusted                                                                                                                                  
 2   ;;; pfsense WAN
     10.0.0.1/24        10.0.0.0        vlan-99                                                                             
 3 D xx.xx.xx.xx/24     xx.xx.xx.xx      ether1-gateway
Any insight here would be much appreciated!
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 12:48 pm

Did you have any rule in IP - Routes for 0.0.0.0/0 going to Eth1-gateway?
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 1:04 pm

> Did you have any rule in IP - Routes for 0.0.0.0/0 going to Eth1-gateway?
Yep, it's there. All other interfaces have a working internet connection, it's just traffic on that Virtual AP that has this issue, and that issue is only there when using the vlan, routing it through pfsense.
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 1:18 pm

Please make an /ip firewall nat export.
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 1:22 pm

> Please make an /ip firewall nat export.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="Guest network masquerade" out-interface=ether1-gateway src-address=\
    10.10.20.0/24
The Guest network masquerade is what I used for that Virtual AP before deciding to set up a vlan and route it through pfsense.
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 1:47 pm

Change to 10.0.0.0/24 and try it.
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 1:54 pm

> Change to 10.0.0.0/24 and try it.
Thanks for the suggestion, but do I really want to apply that masquerade to all traffic coming from 10.0.0.0/24? I have a bunch of other vlans on the pfsense box and they all go through the mikrotik on 10.0.0.1.
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 2:12 pm

> Change to 10.0.0.0/24 and try it.
And also, do I really need that masquerade rule there at all, given that I already have the default one on ether1?
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 11:10 pm

Probably you don't need it. Did you set up pfsense as a transparent proxy?
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Thu Aug 06, 2015 11:26 pm

> Probably you don't need it. Did you set up pfsense as a transparent proxy?
No, it's not a transparent proxy. But again, since I have the following default masquerade rule, all traffic out through eth1 is masqueraded, no?
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
Adding masquerading for 10.0.0.0/24 won't have any effect as the above rule pre-empts. Or am I missing something here?
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 12:03 am

> But again, since I have the following default masquerade rule, all traffic out through eth1 is masqueraded, no?
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
> Adding masquerading for 10.0.0.0/24 won't have any effect as the above rule pre-empts. Or am I missing something here?
Yes, all outgoing traffic through eth1 is masqueraded. But the traffic from pfsense doesn't seem to go to eth1.
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 12:07 am

>> But again, since I have the following default masquerade rule, all traffic out through eth1 is masqueraded, no?
>> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
>> Adding masquerading for 10.0.0.0/24 won't have any effect as the above rule pre-empts. Or am I missing something here?
> Yes, all outgoing traffic through eth1 is masqueraded. But the traffic from pfsense doesn't seem to go to eth1.
Yea, except all traffic apart from the wifi vlan traffic from pfsense goes to eth1 just fine. So I'm a bit at a loss here.
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 12:24 am

Put an export from IP - Routes
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 12:34 am

> Put an export from IP - Routes
/ip route
add comment="Web Services Network" distance=1 dst-address=10.10.10.0/24 \
    gateway=10.0.0.10
add comment="Primary Wifi Network" distance=1 dst-address=10.10.60.0/24 \
    gateway=10.0.0.10
 
JB172
Member
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 11:50 am

What is the 10.0.0.10 IP address?
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Fri Aug 07, 2015 12:02 pm

> What is the 10.0.0.10 IP address?
The pfsense WAN interface IP, which is connected to the Mikrotik eth7 interface on vlan 99.
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Mon Aug 10, 2015 5:47 pm

No one has any ideas? Just to clarify, this should work, right?
 
Zygote
newbie
Topic Author
Posts: 27
Joined: Sun Mar 16, 2014 10:39 am

Re: Wireless AP + VLAN = No internet access

Mon Aug 10, 2015 8:57 pm

I have figured out what the issue is. If I ping 8.8.8.8 (Google DNS) from a wifi client, this happens:

wifi client --> vlan 106 --> pfsense --> vlan 99 --> mikrotik --> internet

However, the response from the ping goes as follows:

internet --> mikrotik --> vlan 106.

On the other pfsense-connected vlans, the response comes in on the mikrotik and is correctly routed through VLAN 99, to the pfsense gateway, and then into the correct network.

I'm assuming this is due to the fact that the virtual AP is bridged with vlan 106 and hence incoming traffic is not being routed correctly. Any ideas on how to work around this?