Pfsense and wireless router

larryinmi · Feb 19, 2008, 4:24 PM

I checked the boards and did not find this anywhere if it has been covered please point me in the right direction.

I just installed pfsense for the first time over the weekend I have it running on an old AMD K62 system that I had not been using.

The main reason I did this is because my current D-link DI-624 wireless router is acting funny, like its wireless radio is dieing. So I was going to buy a new router when I remembered I had this system and 2 extra NICs and an extra wireless card. So I thought I would try this before spending any money on a new router.

That being said my pfsense router is working very well, so I am going to replace my DI-624 with it. But since my router seams to be working fine right now I want to use it as a second wireless access point so my entire house will have wireless access.

So now what’s the best way to set this up? This is what I am thinking.

ISP cable modem => WAN (on pfsense) => LAN (on pfsense) => WAN (on DI-624)

Turn off DHCP on the D-link and have it pull a dynamic address from pfsence. Is this the best way or should I plug it into one of the LAN ports on the D-Link?

Thanks, very much in advance.

hoba · Feb 19, 2008, 5:59 PM

That's nearly correct but connect the uplink between the wlanrouter and the pfSense between pfSense LAN and wlanrouter LAN. If you connect it to the wlanrouter's wan it will do nat and other nasy stuff and won't let pfSense do the dhcpserver for the clients behind the router. Just leave the wlanrouter's wan unplugged, assign it manually an IP of the pfSense LAN subnet (only needed for management) that is not conflicting with the pfSense's dhcprange for clients and disable the dhcpserver at the wlanrouter. That's all you have to do to make it act like a switch with built in bridging accesspoint.

larryinmi · Feb 21, 2008, 4:12 PM

ok I completed this but had some issues when I tryed connecting to the pfsense wlan, I was able to connect to it but not access the pfsense system or ping it or anything else so I was checked to see how to bridge my wireless/opt1 interface, I had it bridged to LAN and WAN and there did not seam to be a differance. I also did not tell the LAN and WAN to bridge to each other and I am not sure what is the correct config for this, agen if there is a doc or if this is prevously posted please point me in the right direction.

one other thing I am running this on a system that has 128MB of ram how ever i keep getting messages on the pfsense webgui saying that 128MB is required and my config is not supported? any ideas why I would get this?

jahonix · Feb 21, 2008, 6:03 PM

;-)))
You don't have to bridge within pfSense at all! Leave it as it was before.
All Hoba ment was that the AP is now acting as a wireless bridge to your LAN subnet with an additional switch. That's all!

larryinmi · Feb 21, 2008, 7:24 PM

so my wireless/opt1 interface will atomaticly put me on the LAN and let me access the internet threw the WAN with out making any changes? what is happening is I am connecting to my WLAN and its pulling a DHCP address but then I can not ping or access pfsense or my other wireless router, like its not connected to the LAN, I also can not access the internet.

cybrsrfr · Feb 21, 2008, 7:29 PM

If I understand your config well enough I have a similar setup that is working. I will describe it bellow and hopefully it may provide information that you need.

My setup is like the following
WAN (Ethernet) Connected to ISP
LAN (Ethernet) Connected to Local wired network
OPT1 (Wireless) wireless access

Two Choices two configure this
1. Bridged:
You can bridge the OPT1 wireless interface to the LAN. This will allow DCHP, and I believe rules for LAN will apply to the wireless connection. The key to this config is the wireless interface has to be in Access Point mode and cannot be bridged to the WAN. Bridging the Opt1 to the LAN does work.

2. Non-Bridged:
This method is slightly more secure because you keep the LAN and the Wireless separate. Key thing to remember here is that you have to put in a Rule on the OPT1 interface that allows access to the WAN or the LAN or Both depending on what you want. In my network I have DHCP setup for the wireless network and a static IP for the wireless interface.

jahonix · Feb 21, 2008, 11:44 PM

@larryinmi:

so my wireless/opt1 interface will …

If you changed:
LAN (on pfsense) => WAN (on DI-624) to
OPT1 (on pfsense) => LAN (on DI-624)
then, of course, you have to add appropriet rules and a DHCP server to the OPT1 interface of pfSense unless you bridge it with LAN.
Depends on the amount of separation you need between your LAN and W-LAN subnets.

larryinmi · Feb 22, 2008, 3:32 PM

First of all thank you very much for the help.

So forgetting about the DI-624 for a moment, I have a couple questions about how the interfaces are interacting here.

My goal is that my wireless/opt1 interface is integrated into the LAN so the LAN and the WLAN would be the same subnet. So is there a reason I should not do this? I understand there is some additional security for having them on different subnets but I don’t have any non wireless systems on the LAN.

When I set the wireless/opt1 to AP to I need to assign it an IP?

As far as rules I haven’t even looked at them because I was still trying to get the interfaces correct. However I am wondering if that is part of my problem, is there default rules not allowing the interfaces to talk to each other.

If there is some please I can get this information other then the forums please let me know so I am not wasting anybody’s time, and agene thank you for the help.

cybrsrfr · Feb 22, 2008, 7:40 PM

@larryinmi:

My goal is that my wireless/opt1 interface is integrated into the LAN so the LAN and the WLAN would be the same subnet. So is there a reason I should not do this? I understand there is some additional security for having them on different subnets but I don’t have any non wireless systems on the LAN.

When I set the wireless/opt1 to AP to I need to assign it an IP?

If you want the Wireless on the same subnet as the LAN then from the Opt1 interface choose Bridge with LAN. You will notice when you bridge the Opt1 interface that it will not require an IP. The IP will actually be disabled. Then I believe it applies the LAN rules to the Optional interface.

@larryinmi:

As far as rules I haven’t even looked at them because I was still trying to get the interfaces correct. However I am wondering if that is part of my problem,

Yes. The non-bridged setup that you were doing requires a rule in order to allow the traffic. That is why it didn't work for you in your current setup.

hoba · Feb 22, 2008, 7:42 PM

If you want to have it on the same subnet just use the built in switch of the router to hook up the pfSense (which I already told you in my first post here ;) ). You don't need an additional interface in the pfSense nor a bridge then.

larryinmi · Feb 22, 2008, 9:42 PM

Hoba, I understand what you’re saying and when I do what you’re telling me it dose work.

This is my over all goal, is to use my pfsense system as my gateway and main AP, and have my DI-624 as a secondary AP on the opposite side of my house, so hopefully all of my devices will always have a wireless connection.

If I connect to my DI-624 as an AP and everything works ok, however when I connect to the AP in the pfsence system I get assigned an address from the DHCP server and it says I am connected but I can not ping or get to the webgui on pfsense.

My plan is that once I get both AP’s working I will give them the same SSID and the same WPA auth with one on channel 1 and the other on channel 11.

So at this point I will try agene setting my wireless/opt1 interface to bridge to my LAN interface, and see if I can get out to the internet.

Agene thanks for the help

jahonix · Feb 22, 2008, 10:23 PM

Sorry, just re-read your first post. I didn't realize that you were actually talking about TWO APs.
One W-LAN card within your pfSense router and an external D-Link. I was thinking of the latter only when posting…

Have you thought about using a higher gain (omni?) directional antenna on the pfSense W-LAN card trying to cover the entire house at once? This should be highly preferred over a second AP.

NO second user credentials,
NO handover issues (which in your case isn't possible anyway)
never being attached to the weaker/fading AP until connction is dropped
...

larryinmi · Feb 23, 2008, 4:35 AM

I am not sure about a different antiana, my issue is funding right now. The reason i am doing it with the router i have and the pfsense box is because i had all the hardware already. so far no money spent just time.

PoloB12 · Feb 23, 2008, 7:40 PM

http://home.comcast.net/~hqh/html/tworouters.htm

;)

BTW : I sometimes have no connection between secondary router/ap (DI-624) and primary router after a reboot of the DI-624 ; so also no internet connection as the DI-624's WAN port is not used.

A single ping from the DI-624 menu option to the primairy router's IP address is enough to make all ok again.