PfSense Wireless Access Point Use Setup



  • I currently have a fresh install of pfSense 2.3.2-RELEASE-p1 (amd64); the installation went smoothly.  I have an Intel 4 port Gigabit NIC in the computer with one of the ports set for my LAN.  I’ve assigned another port on the NIC specifically for my wireless access point (WAP); my WAP has a static IP and is connected directly to the NIC port I assigned for it - DHCP is disabled on the WAP.  My WAP is not a wireless router, it's a dedicated WAP.  I’m very new to pfSense.  What settings would I need to configure in pfSense to provide internet access to my wireless devices?  Is there anything I need to configure in the Interfaces menu for the interface I created for the wireless?  Do I need to configure a rule in the Firewall | Rules menu for internet access, and if so, what would the rule look like?

    LAN IP:  192.168.1.1/24
    WAP IP:  192.168.2.1/24

    Suggestions would be very helpful.  Thank you.



  • @newUser2pfSense:

    Do I need to configure a rule in the Firewall | Rules menu for internet access, and if so, what would the rule look like?

    Yep, you got it.  pfSense uses "default deny," so everything is blocked until a firewall rule allows it through.

    Out of the box, you can look at the LAN interface for two example rules.  There's one called "Default allow LAN to any rule" and another called "Default allow LAN IPv6 to any rule."  You can create new rules on your Wi-Fi interface that look similar to those rules but change the source IP to "WiFi net" instead of "LAN net" obviously (or whatever your named your WAP/WLAN/Wireless interface).

    Those rules allow all traffic out, but it's your quickest path to victory right now.  A better practice to lock things down is to only allow traffic to the ports that you use, like 80/tcp, 443/tcp, 53/udp (DNS), and whatever other services you use in your environment.  I did this by making a new "Alias" (Firewall --> Aliases) and creating one alias called "Allowed TCP ports" and another called "Allowed UDP ports", then a couple of firewall allow rules that refer to those aliases.  I then went in and manually added the ports that I use.  Oh, 993/tcp for IMAPS e-mail.  5228/tcp for Google Play to work.  It's a bunch of trial and error but it helps lock down your outbound traffic.

    I also use the package called pfBlocker and have a few lists for malware and ransomware and known malicious hackers.  Those lists get updated every day and update Firewall Aliases with thousands of "bad" IP addresses, so I made rules on my LAN interface that deny traffic out to the rest of the world, and I placed those rules above my "Allowed TCP" and "Allowed UDP" rules.  That way, if a computer is infected with malware, it can't phone home to those bad IPs even if it's trying to sneak through port 443, for example.
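To make the first-match logic in Finger79's reply concrete, here is an added Python model of how a pfSense interface rule set is evaluated; it is not pfSense code and was not posted in this thread. It puts a stock-style "Default allow WLAN to any rule" next to the locked-down version (a pfBlocker-style block rule placed above pass rules that reference port aliases) and shows why the block has to sit above the allows to catch port 443 traffic to a listed host. All alias names, addresses (RFC 5737 TEST-NET ranges) and port lists are constructed for the example, and the pfBlocker list here is applied on WLAN rather than on LAN as in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Aliases as you would create them under Firewall --> Aliases.  All values are
# constructed for this example: "pfB_Malware" uses RFC 5737 TEST-NET ranges,
# not a real pfBlockerNG feed.
ALIASES = {
    "WLAN net": ["192.168.2.0/24"],
    "Allowed TCP ports": [80, 443, 993, 5228],
    "Allowed UDP ports": [53, 123],
    "pfB_Malware": ["203.0.113.0/24", "198.51.100.7"],
}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    src: str               # alias name or "*"
    dst: str               # alias name or "*"
    dst_ports: str         # alias name or "*"
    description: str


def _addr_in(alias: str, addr: str) -> bool:
    if alias == "*":
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in ALIASES[alias])


def _port_in(alias: str, port: int) -> bool:
    return alias == "*" or port in ALIASES[alias]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the interface's rule list top to bottom; the first match decides
    (pfSense interface rules are 'quick' by default).  No match at all falls
    through to the implicit default deny."""
    for rule in rules:
        if rule.proto not in (None, proto):
            continue
        if _addr_in(rule.src, src) and _addr_in(rule.dst, dst) and _port_in(rule.dst_ports, dport):
            return rule.action, rule.description
    return "block", "default deny"


# The quick path: one rule that mirrors the stock LAN rule.
WLAN_ALLOW_ANY = [
    Rule("pass", None, "WLAN net", "*", "*", "Default allow WLAN to any rule"),
]

# The locked-down version: the block list sits ABOVE the alias-based allows,
# so a listed host stays unreachable even on an otherwise allowed port.
WLAN_LOCKED_DOWN = [
    Rule("block", None, "WLAN net", "pfB_Malware", "*", "Block pfBlocker malware list"),
    Rule("pass", "tcp", "WLAN net", "*", "Allowed TCP ports", "Allow TCP to Allowed TCP ports"),
    Rule("pass", "udp", "WLAN net", "*", "Allowed UDP ports", "Allow UDP to Allowed UDP ports"),
]

if __name__ == "__main__":
    phone = "192.168.2.10"   # a constructed wireless client on WLAN net
    for rules, label in ((WLAN_ALLOW_ANY, "allow-any"), (WLAN_LOCKED_DOWN, "locked-down")):
        print(label)
        print("  https to 192.0.2.44   ->", evaluate(rules, "tcp", phone, "192.0.2.44", 443))
        print("  https to listed host  ->", evaluate(rules, "tcp", phone, "203.0.113.5", 443))
        print("  smtp to 192.0.2.44    ->", evaluate(rules, "tcp", phone, "192.0.2.44", 25))
        print("  dns to 192.0.2.44     ->", evaluate(rules, "udp", phone, "192.0.2.44", 53))
```

Run it directly to print the verdict for each sample flow. The thing to take away is ordering: move the block rule below the pass rules and the listed host becomes reachable on 443, because the first pass match ends evaluation. Traffic from a source outside "WLAN net" matches nothing on this tab and is dropped by the default deny.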



  • Finger79 - thank you for the response.  Before I posted, I actually tried what you mentioned.  I checked the default Firewall | Rules | LAN rule settings and created a rule for the wireless interface I created and changed the Source to my wireless interface; everything else was the same.  It didn’t work.  Is there anything I need to change in the Interfaces menu for the wireless interface I created to make this work?  The default settings are:

    General Configuration

    • check Enable interface
    • Description:  WLAN
    • IPv4 Configuration Type:  None
    • IPv6 Configuration Type:  None
    • MAC Address:  not configured
    • MTU:  not configured
    • MSS:  not configured
    • Speed and Duplex:  Default

    I don’t know if this is the problem or not.

    I'm wondering as well in the Firewall | Rules menu for the wireless rule I created, just for internet access, should the Destination be set to "any"?



  • Your WLAN interface may be "enabled," but since it doesn't have an IP address, it doesn't exist yet.  :P

    IPv4 Configuration Type:  None  <-- change this to Static IPv4

    Down below where it says "Static IPv4 Configuration":
    IPv4 Address:  192.168.whatever.1 <-- give it any new IP address you want.  Any subnet you want like /24

    So if your LAN interface is 192.168.1.1 /24, you can make your WLAN interface 192.168.2.1 /24 or whatever you desire.

    In other words, 192.168.2.1 is the IP address for pfSense on the WLAN interface.  You can give your Access Point a static IP address of 192.168.2.2 for example and tell it the gateway is 192.168.2.1, DNS is 192.168.2.1, etc.

    Edit:  After doing this, probably want to go to Services --> DHCP Server --> WLAN tab and "Enable DHCP server on WLAN interface" and give it a range, so your wireless devices can get an IP address when they connect.



  • @newUser2pfSense:

    Before I posted, I actually tried what you mentioned.  I checked the default Firewall | Rules | LAN rule settings and created a rule for the wireless interface I created and changed the Source to my wireless interface; everything else was the same.  It didn’t work.

    Are these new rules on the Firewall | Rules | WLAN page?  They shouldn't be on the LAN Rules page.  It helps to think of the direction of traffic, so you'll then know where the rule should belong.

    Wi-Fi Device --> Wireless Access point --> pfSense WLAN interface --> anywhere

    So you want the rules to be on Firewall | Rules | WLAN since that's where it's coming into.

    Here's an example rule that allows everything to go through WLAN interface to anywhere:

    Source:  WLAN net
    Source Port:  *
    Destination:  *
    Destination Port:  *
    Description:  Default allow WLAN to any rule



  • Finger79 - Yes, the new rule was entered in the WLAN page; my rule matched yours.

    I followed your instructions on the WLAN interface.  The configuration of the WLAN interface was actually the missing piece.  I now have wireless.

    Thank you very much for taking time to guide me in the setup!  Awesome!



  • Hi,
    I’m new to pfsense and was following your walkthrough on here with a bit of success but at the end I get no internet access.  When I go to DHCP leases the router/WAP either doesn’t show up or it shows the IP address of 192.168.2.10.  I tried to then connect my phone to the router/WAP and it connected but no internet.

    Hardware/Configuration as follows

    TP-Link Archer C5 (will be replacing, not sure what with yet)
    4xIntel NIC
    Em3 – WAN
    Em2 – LAN – IP: 192.168.1.1/24
    Em1 – WLAN – IP: 192.168.2.1/24
    Em0 – not configured
    WAP – 192.168.2.2

    I’ve set up the WLAN as described above, copied the firewall rules over from the LAN interface, disabled DHCP on the router/WAP, and assigned the router/WAP an IP address of 192.168.2.2 (this router/WAP only allowed me to input the subnet mask and not a gateway).  Physical connection was ethernet from the WLAN interface to a LAN port on the router/WAP.

    I have enabled DHCP on the WLAN interface and given it a port range from 192.168.2.10 > 192.168.2.254.

    At the end of all this, I can see the SSID for both 2.4GHz & 5GHz but get no internet when connected.  Am I missing something really obvious here or have I configured something wrong?
    Any help would be much appreciated.


  • Galactic Empire

    Can you ping the device acting as an AP from pfSense?

    Does it show anything IP-wise on the clients?

    Have you allowed traffic out the Em1 interface?

    I'd be tempted to use the pfSense router as the DHCP server, you'll be able to do much more with the DHCP server.

    I've just purchased a Ubiquiti AC Pro and I'm impressed with the results.



  • Hi,

    Yip, I can ping 192.168.2.2 with no packet loss.

    When I do a DHCP lease the WAP doesn't show up at all (192.168.2.2), but I can see the SSID on my phone, and when I connect to that I can see my mobile phone connecting and it gets an IP address of 192.168.2.10 (but still no internet access).

    I added the same firewall rules to the WLAN as the LAN interface has, "Default allow WLAN to any rule" & "Default allow WLAN IPv6 to any rule"; the only one I couldn't copy over was the "Anti-lockout rule".

    I have set pfSense to be my DHCP server and switched DHCP off on the WAP.

    I've just bought an ASUS RT-n66u (very good price lol) and put that into AP mode.  Changed it to a static IP:

    IP: 192.168.2.2
    SUB MASK: 255.255.255.0
    GATEWAY: 192.168.2.1
    DNS: 192.168.2.1

    I'm stumped!!! Help please…



  • @stuart.greig1978:

    When I do a dhcp lease the WAP doesn't show up at all (192.168.2.2)

    1.  What do you mean by this?  Your Access Point has a static IP of 192.168.2.2 so it shouldn't even need its own DHCP lease.  Just your wireless clients (like your phone) should get an IP between 192.168.2.10-192.168.2.254 in your case.

    @stuart.greig1978:

    Em1 – WLAN – IP: 192.168.2.1/24

    2.  Also, em1 interface is correctly set up, right?  Static IP?

    3.  Are your firewall rules for WLAN interface correct?  Pass rules, not block/reject?


  • Galactic Empire

    @stuart.greig1978:

    Hi,

    Yip, I can ping 192.168.2.2 with no packet loss.

    When I do a DHCP lease the WAP doesn't show up at all (192.168.2.2), but I can see the SSID on my phone, and when I connect to that I can see my mobile phone connecting and it gets an IP address of 192.168.2.10 (but still no internet access).

    I added the same firewall rules to the WLAN as the LAN interface has, "Default allow WLAN to any rule" & "Default allow WLAN IPv6 to any rule"; the only one I couldn't copy over was the "Anti-lockout rule".

    I have set pfSense to be my DHCP server and switched DHCP off on the WAP.

    I've just bought an ASUS RT-n66u (very good price lol) and put that into AP mode.  Changed it to a static IP:

    IP: 192.168.2.2
    SUB MASK: 255.255.255.0
    GATEWAY: 192.168.2.1
    DNS: 192.168.2.1

    I'm stumped!!! Help please…

    Try connecting the AP to the LAN port switch; do you get an IP from the LAN range and have internet connectivity?

    Disconnect the AP and plug a laptop into the Em1 interface; does that work?

    It should; if it doesn't, it's most likely to be firewall rules.  Mine looks like this (ignore the middle rule, it's trying to figure out where some of my IoT stuff goes before I move it into the IoT LAN):

    If anyone thinks my traffic on the middle rule is a bit high, it's 4K Netflix :)




  • @Finger79:

    1.  What do you mean by this?  Your Access Point has a static IP of 192.168.2.2 so it shouldn't even need its own DHCP lease.  Just your wireless clients (like your phone) should get an IP between 192.168.2.10-192.168.2.254 in your case.

    So I shouldn't see a DHCP lease?  OK, that's good to know.

    @Finger79:

    2.  Also, em1 interface is correctly set up, right?  Static IP?

    em1 is set up with a static IP.  Pretty much a copy of my LAN interface.

    @Finger79:

    3.  Are your firewall rules for WLAN interface correct?  Pass rules, not block/reject?

    All rules are set as "Pass".



  • @NogBadTheBad:

    Try connecting the AP to the LAN port switch, do you get an IP from the LAN range and have internet connectivity ?

    Connected the AP to my switch (which is connected to em2/LAN), tried my phone, and it connected and I have internet access.  Designated IP: 192.168.1.140

    @NogBadTheBad:

    Disconnect the AP and plug in a laptop to the Em1 interface, does that work ?

    Disconnected the AP from the switch, connected my laptop straight into my em1/WLAN port, and I get no connection at all.

    @NogBadTheBad:

    It should; if it doesn't, it's most likely to be firewall rules.  Mine looks like this (ignore the middle rule, it's trying to figure out where some of my IoT stuff goes before I move it into the IoT LAN):

    I can't connect at all now.  Think it could be my firewall rules.  I'll add a screenshot.



  • Rebel Alliance Global Moderator

    Your firewall rules are ANY ANY..  I see no hits on them, that 0/0 number..  When you connected your laptop to the em1 port, did it get a 192.168.2.x address?  Did its gateway point to 192.168.2.1?  What was it using for DNS?  Could it ping 192.168.2.1?



  • @johnpoz:

    When you connected your laptop to the em1 port, did it get a 192.168.2.x address?

    Connected to em1, and via DHCP lease my laptop got IP: 192.168.2.10

    @johnpoz:

    did its gateway point to 192.168.2.1

    Yes, gateway shows IP: 192.168.2.1

    @johnpoz:

    what was it using for dns?

    local.domain???  Not sure how to find this out, I'm far from technical I'm afraid :-(

    @johnpoz:

    Could it ping 192.168.2.1?

    Yes, I can ping IP: 192.168.2.1 with no packet loss but still no access to the internet????


  • Rebel Alliance Global Moderator

    Well, are your outbound NATs NATing this 192.168.2 network?  Do you have them set to auto, or did you set them to manual or something?

    When you say no internet, does that mean you cannot resolve stuff, or just cannot get to www.pfsense.org?

    From your laptop, try to ping, say, 8.8.8.8.

    Try to ping, say, www.pfsense.org; does it come back with an address, or say something about not being able to find the host?



  • OMG, it's sorted.

    Thanks johnpoz and everyone else for your help.  It was to do with my NATing.  I had it set to manual as I was having issues with a "strict" NAT on the Xbox, PlayStation & PC networks.  I created some outbound rules to sort out my strict NAT.  I switched them back to automatic and hey presto, I got connected.

    Solving this issue, though, I'm guessing will now put me back onto a strict NAT when my son connects to his online gaming!

    Solved one issue, may now have created another, but that's another problem for another forum post.

    Thanks again.  Really appreciate all your help.



  • And it has.  Straight back to strict NAT… bugger.  Took me ages to fix that issue.


  • Rebel Alliance Global Moderator

    Dude, post up your outbound NAT rules.



  • Managed to sort it out pretty easily.  There's a Hybrid option in the outbound NAT rules.  I clicked that and still got wifi, and now an "open" NAT and not moderate as before.  Hopefully that's me sorted for now.  Boy's happy he has wifi and gaming; I'm happy I've got it sorted with you guys' help.

    Cheers



  • I have been checking the web to see whether pfSense supports wireless NICs and wireless USB devices, and I found even a supported device list.  Most of them are Ralink chips, so I got an old one that supports the wireless N standard and is listed.
    Inserting the USB device went well; even dmesg shows me that pfSense detected the device and gave it the device node run0, which is a good sign.
    Going to the web interface, in the Interfaces section of pfSense run0 is listed.  Only when I start setting up a WPA2 hotspot with the USB device and hit the apply button, the terminal dumps lots of output for like 10 seconds, then restarts.  When booting again it reaches the point where it detects the USB device and wants to create the device node, then… the same thing over!  Lots of dumping, then it restarts.  This cycle keeps on repeating till I take out the USB stick.
    When unplugging the USB stick pfSense boots normally.  When logging into the web interface, pfSense tells me that it has to report a critical error.
    Now, it is easy to start to set up a wifi hotspot with another dumb router, but I would like to keep everything central; isn't there a safe way to set up a USB WLAN device?


  • Rebel Alliance Global Moderator

    What are you doing for the static NATs?  I sure hope you're not just setting his IP to use all ports static?  That sort of config is borked on a device that does NAPT for other devices.

    What if a client asks for, say, port xyz, and that has already been used by another client in a NAPT connection?