How to connect pfsense WAN to a wireless access point
-
So no one knows what the developer had in mind making a connection as WAN to an access point then?
-
Almost certainly your issue here is that you're using a run(4) based device. I have one that works just fine as an access point but I have never been able to connect it as a client usefully. It sometimes connects but doesn't pass traffic. Not useful!
If you have a device that is capable of working, an older Atheros NIC for example, it should just be a matter of configuring in BSS mode with the settings required and making that the default gateway.
Steve
-
Use something like a Ubiquiti AirMax to bridge between your ETHERNET WAN interface and the wifi.
You can try and beat your head against the FreeBSD Wi-Fi wall but don't expect a lot of sympathy or assistance. johnpoz summarized the current environment pretty succinctly. It's crap.
-
I had hoped, like I had said before. Back 3 years ago when I first got started with pfSense I gave up on the Wi-Fi side; maybe my expectations were too much for FreeBSD. I don't suppose anyone had thought of maybe making a pfSense installable package with other free Linux distribution bases, or a package that could be installed on top of a paid version of RedHat Linux? As for now, I'm going to use my backup plan with the external bridge device, and then I can enjoy the features I need while the ease of use with my embedded Ethernet ports in my firewall device. Thanks a lot for the assistance.
-
'FreeBSD is not Linux' to quote many others before me. ;D
So making it a package into a Linux distro would be a massive undertaking. Apart from anything else 'pf' does not exist in Linux. Some may argue that's a good thing. ;)
I would expect you could get something working with the right wifi hardware but it might be a bit flaky. The scan for and attach to an AP code is not really there for example.
Steve
-
I've been using pfsense for several years to connect to the AP as a WAN. Used old WIFI NIC Atheros AR2417.
2.3.4-RELEASE-p1 (i386) nanobsd (2g)
Try my method, maybe with other NIC it will work out as well.
For normal operation, three steps are required.
1. Make changes to the file /etc/rc.linkup
    if ($staticv4 === true && $staticv6 === true) {
        $friendly = convert_friendly_interface_to_friendly_descr($iface);
        log_error("Hotplug event detected for {$friendly}({$iface}) static IP ({$ipaddr} {$ip6addr})");
        interfaces_staticarp_configure($iface);
        switch ($argument2) {
            case 'start':
            case 'up':
                $iface = get_real_interface($iface);
                /* NOTE: Do not generate event for OpenVPN since the daemon does that for us. */
                if (substr($iface, 0, 4) != "ovpn") {
                    send_event("interface newip {$iface}");
                }
                break;
        }
    } else {
        switch ($argument2) {
            case "stop":
            case "down":
                log_error("DEVD Ethernet detached event for {$iface}");
                interface_bring_down($iface);
                break;
            case "start":
            case "up":
                log_error("DEVD Ethernet attached event for {$iface}");
                log_error("HOTPLUG: Configuring interface {$iface}");
                // Do not try to readd to bridge (4) has problems
                /* ******* My code */
                $realiface = get_real_interface($iface);
                // Skip the reconfigure for wireless interfaces
                if (!is_interface_wireless($realiface)) {
                /* ******* End of My code */
                    interface_configure($iface, true, true);
                /* ******* My code */
                }
                /* ******* End of My code */
                break;
        }
    }
    } // end of the enclosing block (not shown in this excerpt)
2. Make changes to the file /etc/rc.newwanip
    $oldip = "0.0.0.0";
    if (file_exists("{$g['vardb_path']}/{$interface}_cacheip")) {
        $oldip = file_get_contents("{$g['vardb_path']}/{$interface}_cacheip");
    }
    /* ******* My code */
    $realiface = get_real_interface($interface);
    // Comparison (==), not assignment: return early only when the
    // wireless interface still has the cached address
    if ($curwanip == $oldip && is_interface_wireless($realiface)) {
        log_error("rc.newwanip: on interface: {$interface_descr} [{$interface}] (real interface: {$interface_real}) IP address update not needed.");
        return;
    }
    /* ******* End of My code */
    /* regenerate resolv.conf */
    system_resolvconf_generate(true);
    /* write the current interface IP to file */
    if (is_ipaddr($curwanip)) {
        @file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip);
    }
3. Enter the required data into the WIFI interface configuration. It is IMPORTANT to specify a specific channel number; if you use auto, there may be problems connecting to the desired AP in the presence of several APs.
-
- Assign one LAN port as WAN port
- set up a UBNT Nano Station or Nano Beam up to connect to the WISP
- connect the UBNT wireless device to the WAN port and all is fine running
Others may use a modem, and here a wireless AP or bridge is needed; pretty easy to use and set up, and in the USA more common based on the many WISP companies.
-
Yo k625 - this worked for me. I was able to define a second wireless WAN interface (WWAN), and then when enabling the interface, it connects to my phone's tethering AP with WPA2. There were two issues: 1) there were a bunch of extra spaces in your posted code that needed to be cleaned up. 2) I had to set the auto option in the channel configuration, because there is no way to pull this info out of my phone, but it worked anyway even though there are 3 different WAPs to choose from - won't it do the right thing since I specified the SSID in the setup?
Once connected, I was then able to switch the default gateway in system/routing page to be WWAN.
This should imply (I believe) that gateway groups could be configured either for fail-over or load balancing.
I have a Ralink wifi card. I was hoping that I could have used the USB tethering option to avoid the wifi setup, but those drivers are not in the standard pfsense build (I think) - that would be nice though to have that option. The code does run - specifically is_interface_wireless() correctly determines interface type and conditionally executes your code.
I haven't completely dug into understanding why you don't want to call interface_configure and to use the oldip for wireless connections.
I'm largely going to use this for a backup link or maybe to use for dedicated access, as opposed to having to shut down wifi access to every video streaming device in the house when I have to work….
Would be interested to hear if anyone had a security concern with this. I did verify that the firewall was set up as I want. However, I suppose that someone might be able to trip up the usb/wifi card driver in some way, since what's going on there isn't as well understood as an Ethernet driver. However, this seems to be low risk, and more likely to simply cause the system to panic, or the driver to fail. Comments?
2.4.2-RELEASE (amd64)
built on Mon Nov 20 08:12:56 CST 2017
FreeBSD 11.1-RELEASE-p4
-
For rbc831 and others
I do not understand much about WIFI technology, even less in FreeBSD, and even more so in the pfsense code. I'm just an old pensioner from Russia ;). Professionally was not associated with IT. Therefore, I can not give detailed explanations. All my corrections have been obtained empirically by trial and error.
1. Make changes to the file /etc/rc.linkup
Without this adjustment, from time to time we receive an emergency restart of pfsense, which is preceded by a large number of messages in the console.
The content of these messages I now do not remember.
Maybe I'm wrong, but it seems to me that in this case there is an error in pfsense logic when processing events specific for WIFI NIC.
2. Make changes to the file /etc/rc.newwanip
If you do not make this adjustment, then when you browse the sites there are no problems, but when you receive media streams, you have periodic connection discontinuities. This solution has a drawback. The system log is filled with useless messages like:
/rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
/rc.newwanip: rc.newwanip: on (IP address: 10.251.xx.xx) (interface: WIFI [opt3]) (real interface: ath0_wlan0).
/rc.newwanip: rc.newwanip: on interface: WIFI [opt3] (real interface: ath0_wlan0) IP address update not needed.
The frequency of occurrence of such messages can vary from seconds to hours. Apparently, this is somehow related to the current quality of the WIFI connection.
3. About the importance of specifying the desired channel number.
Probably when a strong signal is not required, but in my case (> 40 AP and 3 of them on the channel I want with RSSI -90: -96) without it, if the connection is temporarily lost or when pfsense is rebooted, it automatically establishes a connection to an arbitrary AP on an arbitrary channel. Manual intervention is required for correction.
Of course, in addition to the desired channel, you should also specify the required SSID.
-
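Added example, not part of any post in this thread and not pfSense code: a Python script that measures, per real interface, how often the rc.newwanip messages quoted in the post above occur in exported system log text, and flags bursts. The syslog-style timestamp prefix, the sample address, the `year` parameter and the 5-minute / 3-run threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Message bodies follow the three shapes quoted in the
# post; the timestamp/process prefix and the address are assumptions.
SAMPLE_LOG = """\
Dec  3 10:15:02 php-fpm[311]: /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
Dec  3 10:15:03 php-fpm[311]: /rc.newwanip: rc.newwanip: on (IP address: 192.0.2.10) (interface: WIFI [opt3]) (real interface: ath0_wlan0).
Dec  3 10:15:03 php-fpm[311]: /rc.newwanip: rc.newwanip: on interface: WIFI [opt3] (real interface: ath0_wlan0) IP address update not needed.
Dec  3 10:15:40 php-fpm[311]: /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
Dec  3 10:15:41 php-fpm[311]: /rc.newwanip: rc.newwanip: on interface: WIFI [opt3] (real interface: ath0_wlan0) IP address update not needed.
Dec  3 10:17:10 php-fpm[311]: /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
Dec  3 10:17:11 php-fpm[311]: /rc.newwanip: rc.newwanip: on interface: WIFI [opt3] (real interface: ath0_wlan0) IP address update not needed.
Dec  3 11:00:00 php-fpm[311]: /rc.newwanip: rc.newwanip: Info: starting on em0.
Dec  3 12:40:00 php-fpm[311]: /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
"""

STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
START = re.compile(r"rc\.newwanip: Info: starting on (\S+)\.$")
SKIP = re.compile(r"\(real interface: (\S+)\) IP address update not needed\.$")


def summarize(log_text, year=2017, window=timedelta(minutes=5), threshold=3):
    """Per real interface: rc.newwanip runs, suppressed runs, shortest gap,
    and whether `threshold` runs ever fell inside one `window`."""
    starts, skipped = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue  # not a syslog-style line; ignore rather than guess
        if (m := START.search(line)):
            # syslog stamps carry no year, so the caller supplies one
            when = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
            starts[m.group(1)].append(when)
        elif (m := SKIP.search(line)):
            skipped[m.group(1)] += 1
    report = {}
    for iface, times in starts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # sliding window: do `threshold` consecutive runs span <= `window`?
        flapping = any(times[i + threshold - 1] - times[i] <= window
                       for i in range(len(times) - threshold + 1))
        report[iface] = {"runs": len(times), "suppressed": skipped[iface],
                         "min_gap_s": min(gaps) if gaps else None,
                         "flapping": flapping}
    return report
```

Calling `summarize(SAMPLE_LOG)` returns one entry per real interface; a wireless WAN that shows many runs with a short minimum gap is the one re-triggering rc.newwanip.
-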
You could use two Apple airport express APs (heresy, I know), one to connect as wifi client and then ethernet to pfSense WAN, and one to provide in room WiFi connected to the pfSense LAN port. I have had generally good experience with Apple Airport Express as Wifi Client. Travel with your choice of pfSense…SG-1000, SG-3100, or roll your own.
Not sure this will work with hotel captive portal, though.
-
My solution is to simply run pfSense in a VirtualBox under a minimal Linux host (I installed Ubuntu from the minimal.iso and selected minimal MATE desktop). I configured wpa_supplicant on the Linux host to associate the wireless adapter to the AP, and then bridged it to pfSense as a WAN gateway. I have a triple-WAN setup with failover (not load balancing) with FiOS, xfinity and cellular broadband as the WAN gateways. All good, it works great.