Adding an autonomous Cisco wireless access point to pfSense

  • I’m currently using pfSense 2.3.2-RELEASE (amd64) and I would like to connect my standalone/autonomous Cisco wireless access point (no wireless LAN controller needed) to my pfSense firewall/router.  I’ve given my wireless access point an IP of, segregating it from my internal private LAN of  I'll setup Rules later on for allowing wireless device traffic into my private LAN.

    I went to Interfaces | (assign) and chose the network port I wish to use and clicked on +Add and Save which gave me an OPT1 interface.  Clicking on the OPT1 interface, I’ve changed the default settings to the below and saved:

    General Configuration

    • check Enable interface
    • Description:  WLAN
    • IPv4 Configuration Type:  Static IPv4
    • IPv6 Configuration Type:  None
    • MAC Address:  not configured
    • MTU:  not configured
    • MSS:  not configured
    • Speed and Duplex:  1000baseT full-duplex

    Static IPv4 Configuration

    • IPv4 Address:
    • IPv4 Upstream gateway:  None

    Reserved Networks

    • Block private networks and loopback addresses:  left unchecked
    • Block bogon networks:  check

    I then went to Interfaces | Bridges and clicked on +Add and I configured the Bridge and saved it as:

    Bridge Configuration

    • Member interfaces:  highlighted WAN and WLAN
    • Description:  WLAN to WAN Bridge

    I’ve done quite a bit of targeted searching and couldn’t find any current posts about adding a wireless access point to pfSense 2.3.2.  Most older posts talked about making the pfSense box itself a wireless router which I’m not doing.

    Is my configuration correct for the addition of a standalone wireless access point or do I need to make some adjustments?  Any suggestions would be helpful.

  • LAYER 8 Global Moderator

    why are you trying to create a bridge???

    Your wireless network would be your 192.168.2 network..

    and why in the world would think you should block bogon on your own network?

  • Hi johnpoz.  Thank you for the response.  I guess I should’ve qualified my initial post.  I’m very new to pfSense and I’m dumping my current Enterprise equipment specifically for pfSense.  Once I get pfSense configured to my requirements, I can finally put it in use.  Some of pfSense’s features can be spread around on the GUI and can be little hard to find at times.

    I believe I now see what you mean by creating a bridge.  Why create a bridge when you can go to Firewall | Rules and select WLAN?  You can be very granular when adding a rule in the Source and Destination areas.  I like that ability.  However, I’m wondering how I can allow a wireless streaming media device, such as a Roku or AppleTV, that has a dynamic IP address, or any wireless device that has a dynamic IP address, to access the internet?  What would the Source and Destination of the rule look like?  From Firewall | Rules | WLAN | Add:

    Edit Firewall Rule

    • Action:  Pass
    • Disabled:  not checked
    • Interface:  WLAN
    • Address Family:  IPv4
    • Protocol:  TCP (I think for a streaming media device)
    • Source:  ??
    • Destination:  ??

    This info would be most helpful.  Any suggestions?

  • LAYER 8 Global Moderator

    Why would you not just set a reservation for whatever device you want to create specific rules for?  My roku and rokustick are always the same IPs..  Plus pretty much every other device on my network, my AP for example use dhcp and always the same, my nest and protect always the same IP.  etc. etc.

  • On both my wireless and private LAN, I set DHCP ranges so I have room to set static IPs for devices like webcams.  It’s more of a practice for me to set each individual device I want to remote to with a static IP and other devices I just leave as dynamic.

    Looking at the Services | DHCP Server | LAN , the section DHCP Static Mappings for this Interface, it uses a Mac address to map the static IP; seems normal for a DHCP reservation.  My WLAN is on a different network than my LAN though.  I’m wondering why the Firewall | Rules | WLAN | Add rule doesn’t have a Mac entry in Source or Destination drop down menus?  That would be helpful.

    For devices to have access to the internet from my WLAN, do I select WLAN net or WLAN address for the Destination?

  • Why don't you use VLAN ? Cisco also recommend use of VLAN for security.
    There is nothing special required from pfSense to integrate this WIFI AP if you will use VLAN.

  • LAYER 8 Global Moderator

    "Add rule doesn’t have a Mac entry in Source or Destination drop down menus?"

    because its not layer 2, its a layer 3 firewall.  So you have to set rules based upon IP.

  • n3by…thank you for the response.  Cisco's TAC and I have discussed this but I don't have a layer 3 managed switch.

    johnpoz...Will pfSense allow me to set a DHCP reservation for wireless devices outside of my LAN network?  In other words, my LAN network is 192.168.1.x and my WLAN network is 192.168.2.x.  If I can set a DHCP reservation for hosts on 192.168.2.x, will pfSense recognize them?  If pfSense is able to see those hosts, I should be ok.

  • LAYER 8 Global Moderator

    While pfsense can not currently provide dhcp for downstream networks, you have stated you don't have a downstream layer 3 switch so where exactly would this downstream network be coming from?

    Why would pfsense not just have a 192.168.1 network and a 192.168.2 network?

Log in to reply