Netgate Discussion Forum

Adding an autonomous Cisco wireless access point to pfSense

    newUser2pfSense
    last edited by Sep 12, 2016, 10:26 PM

    I’m currently using pfSense 2.3.2-RELEASE (amd64) and I would like to connect my standalone/autonomous Cisco wireless access point (no wireless LAN controller needed) to my pfSense firewall/router.  I’ve given my wireless access point an IP of 192.168.2.1/24, segregating it from my internal private LAN of 192.168.1.1/24.  I'll set up Rules later on for allowing wireless device traffic into my private LAN.

    I went to Interfaces | (assign) and chose the network port I wish to use and clicked on +Add and Save which gave me an OPT1 interface.  Clicking on the OPT1 interface, I’ve changed the default settings to the below and saved:

    General Configuration

    • check Enable interface
    • Description:  WLAN
    • IPv4 Configuration Type:  Static IPv4
    • IPv6 Configuration Type:  None
    • MAC Address:  not configured
    • MTU:  not configured
    • MSS:  not configured
    • Speed and Duplex:  1000baseT full-duplex

    Static IPv4 Configuration

    • IPv4 Address:  192.168.2.1
    • IPv4 Upstream gateway:  None

    Reserved Networks

    • Block private networks and loopback addresses:  left unchecked
    • Block bogon networks:  check

    I then went to Interfaces | Bridges and clicked on +Add and I configured the Bridge and saved it as:

    Bridge Configuration

    • Member interfaces:  highlighted WAN and WLAN
    • Description:  WLAN to WAN Bridge

    I’ve done quite a bit of targeted searching and couldn’t find any current posts about adding a wireless access point to pfSense 2.3.2.  Most older posts talked about making the pfSense box itself a wireless router which I’m not doing.

    Is my configuration correct for the addition of a standalone wireless access point or do I need to make some adjustments?  Any suggestions would be helpful.

      johnpoz LAYER 8 Global Moderator
      last edited by Sep 13, 2016, 2:10 AM

      why are you trying to create a bridge???

      Your wireless network would be your 192.168.2 network..

      and why in the world would you think you should block bogon on your own network?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        newUser2pfSense
        last edited by Sep 13, 2016, 11:24 PM Sep 13, 2016, 11:07 PM

        Hi johnpoz.  Thank you for the response.  I guess I should’ve qualified my initial post.  I’m very new to pfSense and I’m dumping my current Enterprise equipment specifically for pfSense.  Once I get pfSense configured to my requirements, I can finally put it in use.  Some of pfSense’s features can be spread around on the GUI and can be a little hard to find at times.

        I believe I now see what you mean by creating a bridge.  Why create a bridge when you can go to Firewall | Rules and select WLAN?  You can be very granular when adding a rule in the Source and Destination areas.  I like that ability.  However, I’m wondering how I can allow a wireless streaming media device, such as a Roku or AppleTV, that has a dynamic IP address, or any wireless device that has a dynamic IP address, to access the internet?  What would the Source and Destination of the rule look like?  From Firewall | Rules | WLAN | Add:

        Edit Firewall Rule

        • Action:  Pass
        • Disabled:  not checked
        • Interface:  WLAN
        • Address Family:  IPv4
        • Protocol:  TCP (I think for a streaming media device)
          Source
        • Source:  ??
          Destination
        • Destination:  ??

        This info would be most helpful.  Any suggestions?

          johnpoz LAYER 8 Global Moderator
          last edited by Sep 14, 2016, 1:52 AM

          Why would you not just set a reservation for whatever device you want to create specific rules for?  My roku and rokustick are always the same IPs..  Plus pretty much every other device on my network, my AP for example use dhcp and always the same, my nest and protect always the same IP.  etc. etc.

            newUser2pfSense
            last edited by Sep 14, 2016, 11:03 PM

            On both my wireless and private LAN, I set DHCP ranges so I have room to set static IPs for devices like webcams.  It’s more of a practice for me to set each individual device I want to remote to with a static IP and other devices I just leave as dynamic.

            Looking at Services | DHCP Server | LAN, the section DHCP Static Mappings for this Interface, it uses a MAC address to map the static IP; seems normal for a DHCP reservation.  My WLAN is on a different network than my LAN though.  I’m wondering why the Firewall | Rules | WLAN | Add rule doesn’t have a MAC entry in Source or Destination drop down menus?  That would be helpful.

            For devices to have access to the internet from my WLAN, do I select WLAN net or WLAN address for the Destination?

              n3by
              last edited by Sep 15, 2016, 10:17 AM

              Why don't you use a VLAN? Cisco also recommends the use of VLANs for security.
              There is nothing special required from pfSense to integrate this WIFI AP if you use a VLAN.

                johnpoz LAYER 8 Global Moderator
                last edited by Sep 15, 2016, 12:04 PM

                "Add rule doesn’t have a MAC entry in Source or Destination drop down menus?"

                Because it's not layer 2, it's a layer 3 firewall.  So you have to set rules based upon IP.

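Added example, not part of any post in this thread: a simplified Python model of the two replies above, where a DHCP static mapping is the only place the MAC address is used and the WLAN rules then match on IP alone. It assumes pfSense's top-down, first-match rule evaluation with an implicit default block and ignores protocol and port; the two /24 networks and 192.168.2.1 come from the thread, while every MAC address, host address, pool range and rule is constructed.

```python
import ipaddress as ipa

# Networks from the thread; every MAC, host address and rule below is constructed.
LAN_NET = ipa.ip_network("192.168.1.0/24")
WLAN_NET = ipa.ip_network("192.168.2.0/24")    # "WLAN net": the whole subnet
WLAN_ADDRESS = ipa.ip_address("192.168.2.1")   # "WLAN address": the firewall's own IP
ANY = ipa.ip_network("0.0.0.0/0")

# DHCP static mappings on WLAN: the only place a MAC address is used.
STATIC_MAPPINGS = {"00:11:22:33:44:55": ipa.ip_address("192.168.2.10")}  # streaming box
DYNAMIC_POOL = [ipa.ip_address(f"192.168.2.{n}") for n in range(100, 200)]

def lease_for(mac, leased):
    """Return the reserved IP for a known MAC, else a stable address from the pool."""
    mac = mac.lower()
    if mac in STATIC_MAPPINGS:
        return STATIC_MAPPINGS[mac]
    if mac not in leased:
        free = [ip for ip in DYNAMIC_POOL if ip not in leased.values()]
        if not free:
            raise RuntimeError("dynamic pool exhausted")
        leased[mac] = free[0]
    return leased[mac]

# Rules on the WLAN tab, top to bottom: (action, source, destination).
WLAN_RULES = [
    ("pass",  ipa.ip_network("192.168.2.10/32"), ipa.ip_network("192.168.1.20/32")),
    ("block", WLAN_NET, LAN_NET),   # keep other wireless clients out of the LAN
    ("pass",  WLAN_NET, ANY),       # everything else on WLAN may reach the internet
]

def evaluate(src, dst, rules=WLAN_RULES):
    """First matching rule wins; traffic matching no rule is blocked."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "block"

if __name__ == "__main__":
    leases = {}
    roku = lease_for("00:11:22:33:44:55", leases)    # reserved address
    phone = lease_for("66:77:88:99:AA:BB", leases)   # first free pool address
    fw_only = [("pass", WLAN_NET, ipa.ip_network(f"{WLAN_ADDRESS}/32"))]
    for src, dst in [(roku, "192.168.1.20"), (phone, "192.168.1.20"), (phone, "203.0.113.7")]:
        print(src, "->", dst, evaluate(src, dst))
    print(phone, "-> 203.0.113.7 with destination 'WLAN address':",
          evaluate(phone, "203.0.113.7", fw_only))
```

A rule whose destination is the single WLAN address matches only traffic to the firewall itself, so in this model the same internet-bound packet that the `any` destination passes is blocked.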
                  newUser2pfSense
                  last edited by Sep 16, 2016, 9:18 AM

                  n3by…thank you for the response.  Cisco's TAC and I have discussed this but I don't have a layer 3 managed switch.

                  johnpoz...Will pfSense allow me to set a DHCP reservation for wireless devices outside of my LAN network?  In other words, my LAN network is 192.168.1.x and my WLAN network is 192.168.2.x.  If I can set a DHCP reservation for hosts on 192.168.2.x, will pfSense recognize them?  If pfSense is able to see those hosts, I should be ok.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Sep 16, 2016, 4:18 PM

                    While pfSense cannot currently provide DHCP for downstream networks, you have stated you don't have a downstream layer 3 switch, so where exactly would this downstream network be coming from?

                    Why would pfSense not just have a 192.168.1 network and a 192.168.2 network?
