Solution



  • hello,
    I have a small office network with a few computers. I have set up a pfSense firewall and a proxy server for my previous employer and it worked well for me. Now the situation is different and WiFi has also come into play.

    Devices:
    300M Wireless N Access Point Model No. TL-WA801N / TL-WA801ND
    TP link router (300Mbps Wireless N USB ADSL2+ Modem Router Model No. TD-W8968)

    A server computer with virtualization.
    I want wifi clients to go through the pfSense firewall.
    What are the options it has?
    Do I have to use WPA Enterprise with RADIUS, or is there any other way?

    Please help



  • What are your requirements?

    Do you need Enterprise WPA or will WPA2 suffice?

    All you do is plug your access point into an interface to get basic wifi service.

    Do you need segmentation?  Etc etc


  • LAYER 8 Global Moderator

    W4RH34D brought up all good points.  How you set it up depends on what you want/need.  If it's a small office there's nothing saying you need to use enterprise, wpa2 with a good psk is just fine.  Only issue with this is that now if someone leaves the company you most likely have to change this psk, or he could just sit out in the parking lot and gain access to your wifi since he would know the psk.

    Prob a good practice to change the psk now and then just because of leakage to people that you might not want to have access.  Changing of the psk can be a bit of a logistic problem making sure all the users know what the new psk is, or pushing it out to your devices configs, etc.

    Enterprise can make this easier, since users just use their normal auth creds.  If someone leaves you just disable that account and the other users go about their business as normal.

    As to going through pfsense, yeah if you just plug in an AP to your normal network all the wifi users would just be like they are plugged in with a wire, only slower.  Or you can get fancy and put this wifi on its own network.  Or even fancier and have multiple wifi networks via vlans if your AP supports that.  Or even with multiple APs.  You could have 1 that is guest and 1 that is normal users, etc.  You could use enterprise on your normal users, and psk or guest type access (captive portal) for your visitors, etc.

    All comes down to what you want to do.  Plenty of people here to help just need to know what you want.

    I don't think your wireless devices support vlans, do you have a switch that supports vlans?  If not you prob want to look into getting those versus just your typical off the shelf home stuff.  Does not have to be a lot of money.  Vlan supporting switches are very reasonably priced.  Can be found for as little as $40 depending on the port count you need.  How many users in your office?  APs that support vlans are also very cheap - the unifi stuff you can get an AC lite model for under $90.

    If you do not have something external that can auth your users for enterprise, you can always just install the freerad package on pfsense and let it do that for you.  I run eap-tls auth for my personal devices on my home network.  So they all have to have a cert installed to even get on the network.  And then I run other wifi segments that just use psk for my iot devices that do not support enterprise (sure wish the makers of such devices would add this support) and guests to my network.  All of the different wifi segments are on their own vlans with firewall rules to limit their access to my normal networks.



  • Dear all,
    Thank you for your replies.
    The requirement is to control web access (web proxy) in my office. I can do it for the computers that are connected with cables. It is difficult to achieve that goal for WiFi users. At the moment I am using FreeDNS and it has vulnerabilities that users can sneak through.  Remember the devices that I have:
    TP-Link ADSL router (it will support the WPA Enterprise version) and a TP-Link access point. Also it is a bit difficult to add certificates to each and every mobile device.

    Need some support.

    Thank you


  • LAYER 8 Global Moderator

    WPA2 enterprise does not require certs to every device, eap-tls does..  There are many eap options when using wpa enterprise..

    If you have a proxy, and you force users out this proxy and filter them, and/or only use some DNS blocking service, it does not matter how your clients connect to your network, be it wired or wireless, etc.

    How you filter has nothing to do with how your users auth either.  You can filter them be it using psk or enterprise to authenticate to the wifi..



  • Thank you for the reply.
    In fact I will use FreeRADIUS on both my access points with captive portal. This is not exactly what I wanted, as you have mentioned in your reply. Once it is done, how can I force those wifi users to go through my pfSense proxy? For LAN users, I configure the firewall to allow only web and DNS ports; can I apply this for wifi users as well?


  • LAYER 8 Global Moderator

    "how can I force those wifi users to go through my pfSense proxy"

    Same exact way you force your normal LAN users.. pfSense cannot tell if the user is a wifi user or a wired user - nor does it care..



  • Thank you for the reply.
    Basically for LAN users, I configure the web browsers and set the gateway and DNS servers to my pfSense server IP address. But for mobile devices, how can I do that? Once a wireless client is authenticated by the RADIUS + captive portal, the web proxy function should work.


  • LAYER 8 Global Moderator

    If you set the web proxy as transparent then sure.. Or if you only allow the proxy to use the internet and hand out your proxy via auto discovery or let your users know they need to set abc for their proxy, etc..

    But to be honest, if they are guests why should you filter them via a proxy.



  • You mean setting up a transparent proxy will make mobile devices pass through and filter the web traffic? I will try then. Earlier I set up a proxy (transparent) for my LAN users and tried the transparent proxy without configuring their proxy settings on the browsers and it did not work. I would like to do minimum configuration work for proxy settings on my end users because they use their laptops outside the office as well. Every time they use it they have to change proxy settings on their web browsers.

    "But to be honest, if they are guests why should you filter them via a proxy."

    We need to filter YouTube, Facebook, etc.
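    As an added example (not from this thread, pfSense or TP-Link), this is what the "hand out your proxy via auto discovery" option from the moderator's reply looks like in practice, and it also answers the laptops-leave-the-office problem raised above: a PAC file that sends traffic to the pfSense proxy only while the client sits on an office subnet. The proxy address and port, the wired and wifi subnets, and the wpad hostname are assumed values.

```javascript
// PAC script for an office pfSense proxy. Assumed values (not from the thread):
// proxy at 192.168.1.1:3128, wired LAN 192.168.1.0/24, wifi VLAN 192.168.2.0/24.
// Publish as http://wpad.<office-domain>/wpad.dat or via DHCP option 252 so
// browsers find it by auto discovery instead of per-device proxy settings.
var PROXY = "PROXY 192.168.1.1:3128";
var OFFICE_NETS = [
  ["192.168.1.0", "255.255.255.0"],   // wired LAN
  ["192.168.2.0", "255.255.255.0"]    // wifi VLAN
];
// Dotted-quad IPv4 to a 32-bit number; -1 for anything that is not an IPv4 address.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(parts[i], 10);
    if (isNaN(o) || o < 0 || o > 255 || String(o) !== parts[i]) return -1;
    n = n * 256 + o;
  }
  return n;
}
// Subnet test written out instead of the browser's isInNet(), so it runs outside a browser too.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || n < 0 || m < 0) return false;
  return ((a ^ n) & m) === 0;
}
function onOfficeNetwork(ip) {
  for (var i = 0; i < OFFICE_NETS.length; i++) {
    if (inNet(ip, OFFICE_NETS[i][0], OFFICE_NETS[i][1])) return true;
  }
  return false;
}

// Decision for one request; clientIp is a parameter so it can be unit-tested.
function proxyFor(url, host, clientIp) {
  // Laptop is at home or on a hotspot: the office proxy is unreachable, go direct.
  if (!onOfficeNetwork(clientIp)) return "DIRECT";
  // Plain hostnames and office-internal addresses never need the proxy.
  if (host.indexOf(".") === -1 || onOfficeNetwork(host)) return "DIRECT";
  // Everything else, HTTPS included, goes through pfSense's proxy for filtering.
  return PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the browser.
function FindProxyForURL(url, host) {
  var me = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return proxyFor(url, host, me);
}
```

    Outside the office the WPAD lookup simply fails and the browser goes direct, so users never touch their settings; the PAC route also proxies HTTPS destinations, which a transparent redirect of port 80 alone cannot.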


  • LAYER 8 Global Moderator

    "for my LAN users and tried the transparent proxy without configuring their proxy settings on the browsers and it does not work"

    Well you did it wrong then.

    "We need to filter YouTube, Facebook, etc."

    For your guests on wifi - why???  Seems freaking pointless to me..  Might as well not even provide internet to guests if you're just going to say what they can and cannot go to.. They can just use the data plan off their phone ;)



  • Let's start like this.

    For PCs that are connected to the switch:
    Once they are connected to the network, does a transparent proxy proxy web content immediately without any web browser proxy configuration changes? (I am not very fluent in transparent proxies.)

    If yes, it should work for wifi users as well (FreeRADIUS and captive portal).

