Credit goes to Rickinfl for this solution.

What I have here is based upon what Rickinfl has typed up, but I've changed things up just a bit and added a few steps.  I kept getting locked out when changing settings on the LAN IP, but finally got it figured out.  This works for 2.2.6.

I'm posting because I thought it may be helpful for those trying to bridge the LAN and WIFI so they're on the same subnet.  Hope this helps.

Bridging Wifi to LAN Interface

1- Set up wizard - set the initial LAN IP address to be higher than the final LAN IP, and set the netmask to /30.
For example, if you want the LAN IP to be 192.168.1.1, set the IP for the LAN to be 192.168.1.50 /30  during this step.
2- Interfaces > Assign > Add (it will be auto-named Opt1)
3- Click on Opt1 to set up Wifi Settings
3.1 Rename to Wifi
3.2 Enable interface
3.3 Under “Network-Specific Wireless Configuration” Set mode to “Access Point”
3.4 Set channel to Operate on
3.5 Select WIFI name and passphrase
3.6 Check “Allow intra-BSS Communication”
3.7 Check “Enable WME”
4- Interfaces > Assign > Bridges > Create a Bridge [+ Add] >  Selected LAN and Wifi as the interfaces on this bridge > Save
5- Interfaces > Add new Interface [+ Add] > Opt2 > Set Network port = Bridge > Save
6- From Interfaces, click on Opt2 to change options
6.1 Enable Interface
6.2 Rename to “Bridge”
6.3 IPv4 Configuration Type = Static IPv4 >
6.4 IPv4 address = acutual desired IP address of LAN  [must set netmask to 30 for now - will change to 24 later] (example above would be 192.168.1.1)
6.5 Save
7- Services > DHCP Server > Turn on DHCP for Bridge > Enabled > Set Range (range with a /30 netmask will be small)
8- Disable DHCP on LAN and WiFi (if they are enabled)
9- Firewall > Rules > Added New Rule > Interface > LAN > Source = Protocol = ANY > Bridge Net > Reset to ANY.
10- Firewall > Rules > Added New Rule > Interface > WiFi > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
11- Firewall > Rules > Added New Rule > Interface > Bridge > Source = Bridge Net > Protocol = ANY > Rest set to ANY.
12- From “Interfaces” set the IPv4 Configuration Type for both LAN and Wifi to None.
13- Router is now reachable by the Bridge IP address (192.168.1.1) and the LAN and WIFI are bridged.
14- Log into router by Bridge IP and change the netmask to /24
15- Change DHCP scope options

Maybe silly but do you have a switch or a button to turn wifi on if it is a laptop.

Once i was reinstalling os on a Hp and could not get wifi to work and all drivers ok .

And then i found out there is a switch on the side to enable wifi :)

@johnpoz:

CA package?  You mean the built in pfsense CA?

So your wanting to auth your wifi with eap-tls?  I have this running currently, guess I could throw together a how to.  I ran into one little issue with IOS devices like ipads and iphones and the .p12 package for the ca cert and user cert and key not having a password.  But easy enough to work around with openssl to create a .p12 and put a password on.

I have windows 7 machines, android nexus phone and iphones and ipads all using eap-tls to auth to my wifi.  Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.

John, if you could put together a how-to what would be greatly appreciated. I have been trying to get the same setup as the OP.

I have been trying for years to get a backup "WiFi_WAN" link working.  Every time I start to tackle the problem, I have problems & no one is able to help.  I want to use my cell phone Hot Spot as a backup in case my cable modem goes down.  I have never had a wireless card in a pfSense box successfully see (much less connect) to my phone's SSID.  All of my other devices see and use the phone.  Good luck!

Great. Thank you.

Why exactly do you think you need to bridge your wifi network to your lan?

I have multiple wifi networks via vlans and different ssid, none of which are bridged to anything.  There is like zero need to bridge these networks, other than not understanding how name resolution works and wanting to be able to broadcast for a netbios name or something.  Wanting to use say airprint since doesn't really work out of the box across segments.  So use avahi or setup the records you need in dns, etc.

If you buy a supported card that can be an AP and is supported by pfsense then sure you could do that.  Why would be the question.  Pfsense no longer offers wifi cards as option when you purchase from pfsense.  I personally think that is a good direction, some wifi card in your router does not make for good AP.. Coverage and location for starters - it would be rare that your router is in best location for AP.. They normally are not mounted in the ceiling for starters ;)

As to twinning - you mean run the same ssid, sure you could do that.

Why exactly do you want to bridge your interfaces??  If you need more ports on a specific network use a switch.  A router interface is not a switch port trying to use it as such not going to provide you anywhere near the performance and just complicates the setup for why?  Because your too cheap to buy a switch??  Any $40 for a 8 port gig - can even get vlan support at that price would be better than trying to use a nic as a switch port.

Ohh good to know,
I though the card Dual Radio..
Now I understand why, when I'm trying to setup the parental wireless interface on a other frequenz, it keeps saving the same parameters for both IPs.
Anyway, I think I will better go for getting a new AP for this goal.

Got it working. Thanks for the help. I don't know why but VLAN's are confusing topic for me. Kinda like driving directions are for my wife.

While pfsense can not currently provide dhcp for downstream networks, you have stated you don't have a downstream layer 3 switch so where exactly would this downstream network be coming from?

Why would pfsense not just have a 192.168.1 network and a 192.168.2 network?

I'm going to give 2.4 alpha a test.. see how it pans out…. fingers crossed..

I wish i knew how to backport etc i would have give it ago...

I'd probably look at ubiquiti. I would call them and see how much they will help you with actually surveying your needs and developing a real implementation plan. Unfortunately they generally sell either 2.4 or 5GHz radios for their outdoor line, not dual-band. Looks like the exception is the UniFi UAP AC Outdoor but it is Omni-only with no sectoral option.

I have never liked EnGenius much, though my opinion was developed years ago.

With that density something like Ruckus is probably out of the question.

https://www.cdw.com/shop/products/ZONEFLEX-T710S-120X30-DEG-OUT-DB-AP/4242939.aspx

Only US$3000 per unit, though you would probably be amazed at how well something like that pole-mounted angled 15-20 degrees downward would cover an open area.

The T301S (120deg) and T301n (30 deg) are about half that. You would probably find that the 120deg unit with BeamFlex would do just fine.

http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/datasheets/ds-t301-unleashed.pdf

Looking at those BeamFlex antenna arrays is almost arousing.

If you're not afraid of used and don't need AC, you might be able to find some good deals on used gear on ebay.

well, the dropouts are also half of the problem.

For me, beacon errors appear generally only on 2,4Ghz because there are bunch of other stations in air plus hell knows how many microwave ovens, car alarms etc which are all sitting on that band..

5-5,8Ghz band hasn't been an issue, except for some devices not "seeing" it..

if your method allows me solve half ot, it deserves hearty "Thank you".

at the moment log is clean..

Is there some reason you need broadcast traffic between lan and wifi?  Why do you not just put wifi on its own network, and create firewall rules to allow the traffic you want from your wifi to your lan?  This is much simpler setup, vastly easier to maintain as well.

For what reason do you need your wifi and lan on the same broadcast domain?  ie same L2 network?

What you described is the expected behavior. Wireless client traffic does not flow back through pfSense in a way it can be filtered when the clients talk directly. It's the same as any other wired network in that regard.

If you want to filter between sets of clients, place them in different networks. Separate SSIDs on distinct VLANs for example.

Have you try to configure Wi-fi again? I would configure the LAN bridge to the Wi-fi interface I think.