How to connect pfsense WAN to a wireless access point



  • Hi,

    I'm trying to get my pfsense box to connect to my network to work as a bridge, like this: (( WIRELESS ACCESS POINT )) <–-> PFSENSE BOX <---> Switch with devices attached.

    There is NO way to connect any cables from the PFSense box to the access point, the connection MUST be wireless.

    Is there a way to connect the PFSense box I am using as the WAN interface to the Wireless Access Point?

    I have 2 USB wireless cards, the mobo NIC and a PCIE NIC

    (I'm also new to pfsense :P)

    Any help or referral to a solution is much appreciated!



  • Hey DrClutch,

    I've read your dilemma, and think I understand. I've (poorly) drawn out a network map for you that I think is what you have and how to fix your problem. I think you need another wireless device, specifically for bridging, and set it up in like an ad-hoc or similar fashion with your existing WAP. See the attached image and let me know if it makes sense.

    I reread and forgot about the part where you do have other wireless adapters. Typically I think those would work, but from what I've read wireless on pfsense is garbage.

    Hope this helps

    ![wireless layout.png](/public/imported_attachments/1/wireless layout.png)



    I would also like to know the steps and the details about using wireless as a WWAN to an AP that requires at minimum a password to sign on. I live in hotels; I am constantly traveling. I generally do not get a room anymore that has wired Ethernet to plug a router/firewall into. I usually have at least 3 or 4 laptops and a client laptop to use with this one connection, as I need my private LAN between my machines. I fixed up an HP thin client with pfSense 2.3.4-RELEASE-p1, and it is imperative I am able to configure the settings in the web interface to connect to the access point as my firewall's WAN port. All the articles and YouTube videos I watched centered around making an AP with an attached Wi-Fi card or something like that. I should have done this 2 years ago when I bought a gold membership, but I became so busy I didn't follow it up.

    So then it should be as easy as STEP 1, STEP 2, STEP 3… The WiFi card is available in the WiFi tab after I add it under "Interfaces Assign"; I use run0 (some MAC Addr), Mode BBS, Description (Internet WWAN). Next I go to the OPT1 settings: WHAT do I configure here under each section? Generally the network is open and there is a login page, which is not much of a problem, but how do you configure it if a password is required to connect to the AP, OR if the AP is at the client site, where they will have certificates and generally user/pass with enterprise RADIUS authentication?

    A BIT OF HELP HERE FOR THE SCENARIOS WOULD BE GREATLY APPRECIATED. I KNOW I AM NOT THE ONLY ONE IN THE WORLD WHO WANTS TO CONNECT MY WAN PORT TO AN AP BY WI-FI built into my pfSense machine!  THANK YOU IN ADVANCE!

    ![pfsense wifi wan.jpg](/public/imported_attachments/1/pfsense wifi wan.jpg)


  • Rebel Alliance Global Moderator

    You may not like this advice.. But to be honest, if your livelihood is to travel around and you want to leverage local wifi networks as your wan, etc., pfsense is most likely not the best suited product currently.  You should prob look into something like a cradlepoint.  There are other cheaper "travel" routers as well.

    This is designed to easily use wifi as your wan.  Along with - and here is the big plus! - cell connections as the wan, so you can just pop in your sim, or sims even on some models with multi-carrier support, etc.  It can plug into wire as well, etc.. With all the connection options for wan and the built-in firewalling and switching capabilities they make for great devices to drop into a location that needs internet now, or for someone that travels a lot and needs a device that can connect to many different options.

    Sure you could build your own with pfsense as your router/firewall.  Use of a cellular modem, wifi device to connect to the wifi in the area, etc.  But this does not seem to be pfsense's goal in creating something that is easy to connect to multiple wan technologies.

    To me if I wanted a device that would make sure I could have a firewall/router/switch in 1 device and connect to pretty much any sort of wan I would look at cradlepoint..  Don't get me wrong I would suggest pfsense in almost any other setup.  But pfsense/freebsd wifi is not great and has no such integrated LTE support, etc..

    In all your travels I would guess that having the ability to just jump on an LTE connection would be a good option - many hotel wifi is just utter shit ;)



  • I'm not looking for advice on what is good or what commercial router to use; what I am looking for are the directions I asked for. In the meantime I have purchased a wireless bridge, however I really don't want to be lugging another piece of equipment around. I have tried several times to connect to various networks. The best way so far I have found is to call the adapter wan from the beginning on the console, but I am missing some still on the authentication end. Someone has to know, as someone created the interface, so why can't they share what they had in their head when they designed this beast? And I'm wondering if they ever looked at how others have done it, for example ddwrt allowing a scan, then you can select the access point you want to use… Anyone??


  • Rebel Alliance Global Moderator

    Well good luck then.. FreeBSD (which is what pfsense runs on) wifi support is just crap to be honest..

    Trying to help - The device I suggest is small, and also provides switch ports and MULTIPLE ways to connect your wan not just wifi.  For someone that travels a lot you would think cell access would be a huge plus.

    But good luck in your quest..



  • So no one knows what the developer had in mind for making a connection as WAN to an access point then?


  • Netgate Administrator

    Almost certainly your issue here is that you're using a run(4) based device. I have one that works just fine as an access point but I have never been able to connect it as a client usefully. It sometimes connects but doesn't pass traffic. Not useful!

    If you have a device that is capable of working, an older Atheros NIC for example, it should just be a matter of configuring in BSS mode with the settings required and making that the default gateway.

    Steve


  • Netgate

    Use something like a Ubiquiti AirMax to bridge between your ETHERNET WAN interface and the wifi.

    You can try and beat your head against the FreeBSD Wi-Fi wall but don't expect a lot of sympathy or assistance. johnpoz summarized the current environment pretty succinctly. It's crap.



  • I had hoped, like I had said before. Back 3 years ago when I first got started with pfSense I gave up on the Wi-Fi side; maybe my expectations were too much for FreeBSD. I don't suppose anyone had thought of maybe making a pfSense installable package with other free Linux distribution bases, or a package that could be installed on top of a paid version of RedHat Linux? As for now, I'm going to use my backup plan with the external bridge device, and then I can enjoy the features I need while the ease of use with my embedded Ethernet ports in my firewall device. Thanks a lot for the assistance.


  • Netgate Administrator

    'FreeBSD is not Linux' to quote many others before me.  ;D

    So making it a package into a Linux distro would be a massive undertaking. Apart from anything else 'pf' does not exist in Linux. Some may argue that's a good thing.  ;)

    I would expect you could get something working with the right wifi hardware but it might be a bit flaky. The scan for and attach to an AP code is not really there for example.

    Steve



  • I've been using pfsense for several years to connect to the AP as a WAN. Used old WIFI NIC Atheros AR2417.
    2.3.4-RELEASE-p1 (i386) nanobsd (2g)

    Try my method, maybe with other NIC it will work out as well.

    For normal operation, three steps are required.

    1. Make changes to the file /etc/rc.linkup

    ```php
    if ($staticv4 === true && $staticv6 === true) {
        $friendly = convert_friendly_interface_to_friendly_descr($iface);
        log_error("Hotplug event detected for {$friendly} ({$iface}) static IP ({$ipaddr} {$ip6addr})");
        interfaces_staticarp_configure($iface);
        switch ($argument2) {
            case 'start':
            case 'up':
                $iface = get_real_interface($iface);
                /* NOTE: Do not generate event for OpenVPN since the daemon does that for us. */
                if (substr($iface, 0, 4) != "ovpn") {
                    send_event("interface newip {$iface}");
                }
                break;
        }
    } else {
        switch ($argument2) {
            case "stop":
            case "down":
                log_error("DEVD Ethernet detached event for {$iface}");
                interface_bring_down($iface);
                break;
            case "start":
            case "up":
                log_error("DEVD Ethernet attached event for {$iface}");
                log_error("HOTPLUG: Configuring interface {$iface}");
                // Do not try to readd to bridge (4) has problems
                /* ******* My code */
                $realiface = get_real_interface($iface);
                if (!is_interface_wireless($realiface)) {
                /* ******* End of My code */

                    interface_configure($iface, true, true);
                /* ******* My code */
                }
                /* ******* End of My code */

                break;
        }
    }
    } // closes a block opened above this excerpt
    ```

    2. Make changes to the file /etc/rc.newwanip

    ```php
    $oldip = "0.0.0.0";
    if (file_exists("{$g['vardb_path']}/{$interface}_cacheip")) {
        $oldip = file_get_contents("{$g['vardb_path']}/{$interface}_cacheip");
    }

    /* ******* My code */
    $realiface = get_real_interface($interface);
    // Compare with ==; a single = would overwrite $curwanip with a boolean.
    if ($curwanip == $oldip && is_interface_wireless($realiface)) {
        log_error("rc.newwanip: on interface: {$interface_descr} [{$interface}] (real interface: {$interface_real}) IP address update not needed.");
        return;
    }
    /* ******* End of My code */

    /* regenerate resolv.conf */
    system_resolvconf_generate(true);

    /* write the current interface IP to file */
    if (is_ipaddr($curwanip)) {
        @file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip);
    }
    ```

    3. Enter the required data into the WIFI interface configuration. It is IMPORTANT to specify a specific channel number; if you use auto, there may be problems connecting to the desired AP in the presence of several APs.



    • Assign one LAN port as WAN port
    • set up a UBNT Nano Station or Nano Beam up to connect to the WISP
    • connect the UBNT wireless device to the WAN port and all is fine running

    Others may use a modem, and here a wireless AP or bridge is needed; pretty easy to use and set up, and in the USA more common based on the many WISP companies.



  • Yo k625 - this worked for me. I was able to define a second wireless WAN interface (WWAN), and then when enabling the interface, it connects to my phone's tethering AP with WPA2. There were two issues: 1) there were a bunch of extra spaces in your posted code that needed to be cleaned up. 2) I had to set the auto option in the channel configuration, because there is no way to pull this info out of my phone, but it worked anyway even though there are 3 different WAPs to choose from - won't it do the right thing since I specified the SSID in the setup?

    Once connected,  I was then able to switch the default gateway in system/routing page to be WWAN.

    This should imply (I believe) that gateway groups could be configured either for fail-over or load balancing.

    I have a Ralink wifi card. I was hoping that I could have used the USB tethering option to avoid the wifi setup, but those drivers are not in the standard pfsense build (I think) - that would be nice though to have that option.  The code does run - specifically is_interface_wireless() correctly determines interface type and conditionally executes your code. I haven't completely dug into understanding why you don't want to call interface_configure and to use the oldip for wireless connections.

    I'm largely going to use this for a backup link or maybe to use for dedicated access, as opposed to having to shutdown wifi access to every video streaming device in the house when I have to work….

    Would be interested to hear if anyone had a security concern with this. I did verify that the firewall was set up as I want. However, I suppose that someone might be able to trip up the usb/wifi card driver in some way, since what's going on there isn't as well understood as an Ethernet driver. However, this seems to be low risk, and more likely to simply cause the system to panic, or the driver to fail.  Comments?

    2.4.2-RELEASE (amd64)
    built on Mon Nov 20 08:12:56 CST 2017
    FreeBSD 11.1-RELEASE-p4




  • For rbc831 and others

    I do not understand much about WIFI technology, even less in FreeBSD, and even more so in the pfsense code. I'm just an old pensioner from Russia ;). Professionally was not associated with IT. Therefore, I can not give detailed explanations. All my corrections have been obtained empirically by trial and error.

    1. Make changes to the file /etc/rc.linkup

    Without this adjustment, from time to time we receive an emergency restart of pfsense, which is preceded by a large number of messages in the console.
    The content of these messages I now do not remember.
    Maybe I'm wrong, but it seems to me that in this case there is an error in pfsense logic when processing events specific for WIFI NIC.

    2. Make changes to the file /etc/rc.newwanip

    If you do not make this adjustment, then when you browse the sites there are no problems, but when you receive media streams, you have periodic connection discontinuities. This solution has a drawback. The system log is filled with useless messages like:
    ```
    /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.
    /rc.newwanip: rc.newwanip: on (IP address: 10.251.xx.xx) (interface: WIFI [opt3]) (real interface: ath0_wlan0).
    /rc.newwanip: rc.newwanip: on interface: WIFI [opt3] (real interface: ath0_wlan0) IP address update not needed.
    ```
    The frequency of occurrence of such messages can vary from seconds to hours. Apparently, this is somehow related to the current quality of the WIFI connection.

    3. About the importance of specifying the desired channel number.

    Probably when a strong signal is not required, but in my case (> 40 AP and 3 of them on the channel I want with RSSI -90: -96) without it, if the connection is temporarily lost or when pfsense is rebooted, it automatically establishes a connection to an arbitrary AP on an arbitrary channel. Manual intervention is required for correction.
    Of course, in addition to the desired channel, you should also specify the required SSID.
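
Added example (not part of any post in this thread and not pfSense code): a Python parser that counts the "IP address update not needed" messages described in the post above per real interface and groups closely spaced ones into bursts, so that periods of an unstable wireless WAN link stand out from the occasional message. The syslog prefix (`Mon DD HH:MM:SS php-fpm[pid]:`), the year, the 60-second window and the threshold of 3 are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The message text follows the lines quoted in the post;
# the "Mon DD HH:MM:SS php-fpm[pid]:" prefix is an assumed syslog layout.
_SKIP = ("php-fpm[340]: /rc.newwanip: rc.newwanip: on interface: WIFI [opt3] "
         "(real interface: ath0_wlan0) IP address update not needed.")
SAMPLE_LOG = "\n".join([
    "Jan  5 08:12:56 php-fpm[340]: /rc.newwanip: rc.newwanip: Info: starting on ath0_wlan0.",
    "Jan  5 08:12:57 php-fpm[340]: /rc.newwanip: rc.newwanip: on (IP address: 10.251.xx.xx) "
    "(interface: WIFI [opt3]) (real interface: ath0_wlan0).",
    f"Jan  5 08:12:57 {_SKIP}",
    f"Jan  5 08:13:10 {_SKIP}",
    f"Jan  5 08:13:41 {_SKIP}",
    f"Jan  5 08:14:05 {_SKIP}",
    f"Jan  5 11:40:02 {_SKIP}",
])

# Matches only the "update not needed" line, not the two lines that precede it.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"rc\.newwanip: on interface: (?P<descr>.+?) \[(?P<name>\w+)\] "
    r"\(real interface: (?P<real>[^)]+)\) IP address update not needed"
)

def parse_events(text, year=2017):
    """Return {real_interface: [datetime, ...]} for skipped-update messages."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["real"]].append(ts)
    return events

def flap_bursts(times, window=timedelta(seconds=60), threshold=3):
    """Return (start, end, count) for each run of >= threshold events in
    which every event follows the previous one within `window`."""
    bursts, run = [], []
    for ts in sorted(times):
        if run and ts - run[-1] > window:
            if len(run) >= threshold:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(ts)
    if len(run) >= threshold:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

def summarize(text, year=2017):
    """Per interface: total message count and the list of bursts."""
    return {iface: {"events": len(t), "bursts": flap_bursts(t)}
            for iface, t in parse_events(text, year).items()}
```
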



  • You could use two Apple airport express APs (heresy, I know), one to connect as wifi client and then ethernet to pfSense WAN,  and one to provide in room WiFi connected to the pfSense LAN port. I have had generally good experience with Apple Airport Express as Wifi Client. Travel with your choice of pfSense…SG-1000, SG-3100, or roll your own.
    Not sure this will work with hotel captive portal, though.