Wireless Bridge between two pfSense boxes (with WPA)?



  • I'm thinking about using a pair of EPIA (Mini-ITX) setups with pfsense and
    turning them into a wireless bridge setup to join my and my brother's network.

    He wants the link to be protected by WPA (RADIUS server), but I want to use
    VPN. So I'm just wondering if its possible to do both?
    (Assuming the wireless card I'll use supports WPA under FreeBSD 6.0)

    Alternatively, would it be better just to buy an wireless access point or a Linksys
    WRT54G (use a third-party firmware for bridge mode with WPA) and have
    pfSense act as VPN endpoint?



  • If you go IPSEC you need some horsepower at both endpoints to do the encryption. Without it you get bad throughput. I would suggest using atheros chipset based wireless cards on both ends and use WPA with AES mode (with AES it basically is as secure as IPSEC) and the atheros chipsets are doing the AES-encryption in hardware which means you should get good throughput.



  • I see…

    The reason I thought of using IPSec is because the EPIA mobos I have feature the
    VIA C3 CPUs that have Padlock technology. (Meaning they can do AES encryption
    in hardware already). And since FreeBSD 6.0 Release has listed this feature as being
    supported, I naturally assumed it would be cool to use it in VPN role.

    Anyway, I looked around the FreeBSD's Hardware Compatibility list and noticed that
    some of those wireless cards may not use Atheros chips in some versions.
    (eg : I hear that some use Texas Instruments, Atheros, and PRISM ones in
    three different versions!)

    Is there a brand of wireless NIC that is guaranteed to be using the Atheros based solution?
    (Because I don't wanna buy something and end up finding out that it ain't using an Atheros
    chipset anymore because the manufacturer changed chipsets because of economic reasons).



  • pfSense is not supporting padlock at the moment as it is not yet fully working so we had to disable it to not break IPSEC support with platforms that have this feature. What wifi nics do you need? miniPCI, PCI, PCMCIA? lsf might have some info on supported cards and jump in here  ;D



  • Just PCI based ones. Nothing fancy, as long as they're using the
    Atheros AR5212 chipset (as mentioned in the FreeBSD HCL)



  • Well, it was simply fustrating trying to find the "right NIC", I gave up after about 20 tries.
    (Damn those companies for changing chipsets and not providing labelling for changes! How hard
    is it to add a character to show that its a slightly different version?)

    Anwyay, I went with a pair of Linksys WRT54G routers instead. I used HyperWRT (third-party firmware)
    and was able to get both routers talking to each other with WPA-PSK (AES). Works pretty darn good.
    (Interestingly, it supports RADIUS in this bridging mode as well).

    Gonna be using pfSense for VPN end-points.
    Thanks for your help.



  • @Aussie_Bear:

    Well, it was simply fustrating trying to find the "right NIC", I gave up after about 20 tries.
    (Damn those companies for changing chipsets and not providing labelling for changes! How hard
    is it to add a character to show that its a slightly different version?)

    Anwyay, I went with a pair of Linksys WRT54G routers instead. I used HyperWRT (third-party firmware)
    and was able to get both routers talking to each other with WPA-PSK (AES). Works pretty darn good.
    (Interestingly, it supports RADIUS in this bridging mode as well).

    Gonna be using pfSense for VPN end-points.
    Thanks for your help.

    Our friends at NetGate do not do this…  http://www.netgate.com/  Everything is labelled and you get what you pay for.  Check em' out.

    NOTE: NetGate is a sponsor of pfSense, so they deserve your business!



  • Any card marked with a+b+g 108mbit is atheros based. 3com pci card is atheros based. if you check out google and search for atheros based cards you will find loads of them. But as I said, any 108mbit a+b+g card is atheros based. The madwifi guys maintains a rather large list of supported cards: http://www.madwifi.org/wiki/Compatibility


Log in to reply