Help! external AP set up for wireless



  • Hello All,

    Been browsing for weeks and have yet to find an actual solution. Please be aware I'm a newer user and not a great networker. I'm getting wired traffic only via a LAN connected to tplink switch and/or router set as switch. I'm confused as to how to set up wireless with the router in AP mode so my wireless devices can connect. Thanks in advance!

    My hardware and setup:
    Dell PC (Pfsense box) - 2 recognized NICS (em0 and em1)
    Net-gear Router (DHCP disabled, acting in AP, statically assigned IP, gateway pointing to Pf-sense box, WAN port disabled)
    TP Link Switch

    WAN (em0) = Modem > pfSense box - (DHCP enabled)
    LAN (em1) = PfSense (192.168.1.19/24) > tplink managed switch
    router (set to AP) = switch (LAN) > router (AP - 192.168.2.35/24)

    Throwing everything out of the window that I've read so far as my brain is now fried. I know this is way simpler than what I'm making it out to be.

    1. What do I need to configure in order to simply get wifi via AP set on switch?

    2. Since router is in AP mode, is it better to throw the tplink switch out and have my AP act as a switch?

    3. Does my AP need an IP in the same subnet as my pfsense box (e.g. 192.168.1.35/24)? - I think I may have done this incorrectly.

    4. Do I need to configure security (SSID, WPA2, Preshared etc.) on AP router prior to setting in on switch or can I do this via web GUI once it is all running? - this part gets me as I haven't grasped how the AP will be recognized. I keep reading about bridged mode and

    Thanks!



  • Hello and welcome!  I know what it's like to beat at an issue for hours until your brain is fried.  Here's hoping the issues go away.  Until the next issue you run into.  :)

    Before I get to your questions, I wanted to say something about this:

    @nubascuba:

    LAN (em1) = PfSense (192.168.1.19/24) > tplink managed switch

    In my opinion, it's cleanest and best practice to give the interface the ".1" address (or whatever is the first available IP address on the subnet) just for sanity purposes.  So if your LAN interface (em1) is on the 192.168.1.0/24 subnet, the LAN IP address should be 192.168.1.1.

    This is changed in Interfaces --> LAN.  Set the "IPv4 Configuration Type" to Static IPv4 and the IPv4 Address to 192.168.1.1 /24.

    Also -- again for cleanliness and sanity purposes -- any other devices like Access Points and managed switches should also be given static IP addresses.  For example, you may want to give your AP 192.168.1.2 /24 or 192.168.1.3 /24 and have its Gateway set to 192.168.1.1 and its DNS set to 192.168.1.1.

    @nubascuba:

    1. What do I need to configure in order to simply get wifi via AP set on switch?

    Honestly, if you don't need the extra ports at this point in time or don't need anything fancy (such as VLANs), don't even use the switch.  Just hook up your AP directly to the pfSense LAN interface.

    @nubascuba:

    2. Since router is in AP mode, is it better to throw the tplink switch out and have my AP act as a switch?

    For simplicity, yes.  If you don't need the extra ports or VLANs, take the switch out of the equation.

    @nubascuba:

    3. Does my AP need an IP in the same subnet as my pfsense box (e.g. 192.168.1.35/24)? - I think I may have done this incorrectly.

    Yes.  This is probably the main reason nothing is working.  Your pfSense LAN is on the 192.168.1.0/24 network, and your AP is on the 192.168.2.0/24 network.  Without a router or Layer 3 switch in between the two devices, traffic won't flow.

    It's simplest to just keep it simple and have your pfSense LAN and AP on the same subnet.

    So pfSense LAN = 192.168.1.1 /24
    AP = 192.168.1.2 /24

    DNS and DHCP handled by pfSense only.

    Also double-check that your DHCP Range doesn't conflict with any static IPs.  Services --> DHCP Server --> LAN
    Where it says "Range," make sure it doesn't overlap anything.  For example, if your AP is set statically to 192.168.1.2, you may want to start your range from 192.168.1.10 - 192.168.1.whatever or 192.168.1.100 - 192.168.1.whatever.

    [Edited to Add:  Make sure DHCP is enabled on your pfSense LAN interface, if it already isn't.]

    @nubascuba:

    4. Do I need to configure security (SSID, WPA2, Preshared etc.) on AP router prior to setting in on switch or can I do this via web GUI once it is all running? - this part gets me as I haven't grasped how the AP will be recognized. I keep reading about bridged mode and

    How are you getting to the pfSense WebGUI?  If you're using an ethernet cable plugged into your AP's switch ports, you can configure your Wireless settings later.

    If you're doing everything over Wireless, then yeah, you gotta make sure you can connect before you shoot yourself in the foot.

    pfSense LAN <--> AP <--> All your wired/wireless devices
    192.168.1.1 <--> 192.168.1.2 or 3
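
The subnet and DHCP-range checks from the answer above, as an added example that is not part of the original thread: it flags a statically addressed device that sits outside the pfSense LAN subnet and a DHCP pool that overlaps a static IP. The function name `check_lan_plan` and the pool bounds .100 to .200 are assumptions; the other addresses are the ones quoted in the posts.

```python
import ipaddress

def check_lan_plan(gateway_cidr, static_hosts, dhcp_start, dhcp_end):
    """Return a list of problems in a flat, single-subnet LAN plan.

    gateway_cidr -- pfSense LAN address with prefix, e.g. "192.168.1.1/24"
    static_hosts -- {name: ip} of statically addressed devices (AP, switch)
    dhcp_start/dhcp_end -- first and last address of the DHCP pool
    """
    gw = ipaddress.ip_interface(gateway_cidr)
    net = gw.network
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []

    if lo > hi:
        problems.append("DHCP range start is above its end")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"DHCP range {label} {addr} is outside {net}")
    if lo <= gw.ip <= hi:
        problems.append(f"DHCP range contains the gateway {gw.ip}")

    seen = {gw.ip: "gateway"}
    for name, raw in static_hosts.items():
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
        if lo <= ip <= hi:
            problems.append(f"{name} {ip} falls inside the DHCP range")
        if ip in seen:
            problems.append(f"{name} {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return problems

# Constructed inputs. Addresses are the ones quoted in the thread; the DHCP
# pool bounds .100-.200 are an assumption (the thread leaves the end open).
ORIGINAL = check_lan_plan("192.168.1.19/24", {"AP": "192.168.2.35"},
                          "192.168.1.100", "192.168.1.200")
SUGGESTED = check_lan_plan("192.168.1.1/24", {"AP": "192.168.1.2"},
                           "192.168.1.100", "192.168.1.200")
OVERLAP = check_lan_plan("192.168.1.1/24", {"AP": "192.168.1.2"},
                         "192.168.1.2", "192.168.1.200")

if __name__ == "__main__":
    for title, found in (("original", ORIGINAL), ("suggested", SUGGESTED),
                         ("pool overlaps AP", OVERLAP)):
        print(title, "->", found or "no problems")
```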



  • If in the future you need the extra switch ports, probably do something like:

    pfSense LAN <--> Managed Switch <--> AP
    192.168.1.1 <--> 192.168.1.2 <--> 192.168.1.3


  • LAYER 8 Global Moderator

    "Net-gear Router (DHCP disabled, acting in AP, statically assigned IP, gateway pointing to Pf-sense box, WAN port disabled)"

    That is how you would turn any typical wifi router into just an AP yes… Plug in one of its lan ports to the network you want the wifi to be on.  Set its LAN ip on this old wifi router to be on that network so you can access its gui interface and setup the wifi..

    Seems you have your AP setup with 192.168.2 network vs your lan network of 192.168.1 -- this wouldn't prevent wifi clients from connecting.. This would just prevent you from easily accessing the AP web gui to setup the wifi security, etc.

    Are you wanting to secure this wifi network from your pfsense lan network?  Or are you wanting to create more wifi networks (ssid) and isolate them from your other wired lan network and other wifi networks?

    If you want to create multiple wifi networks.. Using some old wifi router as just an AP prob not going to work - unless you're running 3rd party firmware on it that supports VLANs??  If that is what you want to do - much easier to get a real AP.. unifi AP lite can be had for $78 and supports vlans, etc.  Then it seems you have a managed switch already... So you're good to go..

    If you need help on setting up your switch with vlans - please post its exact make and model number.



    Wow, thank you both for the quick and detailed responses. I now feel like an idiot as I got caught up and lost in all the other posts regarding bridges, third interface etc.! Yes, there is so much information, I get distracted and start reading things that aren't relevant and which confuse me even more.

    I got rid of the switch for simplicity, for now. I have configured as directed.

    So pfSense LAN = 192.168.1.1 /24
    AP = 192.168.1.2 /24

    @finger79 I'm reaching GUI via cable plugged into your AP's switch port.

    @johnpoz my router (AP) is running DD-WRT (net gear r6300V2). In the future I'd like to secure the network as much as I can in terms of connected devices and have a separate guest network.

    My next questions (somewhat answered):
    1. Do I login to AP and configure wireless settings or can this be done via GUI? - this is the part I understand least
    2. What FW needs to be set to allow traffic?

    I'm sure these have both been answered, so to not waste your time please just point me to correct post if necessary.



  • @nubascuba:

    1. Do I login to AP and configure wireless settings or can this be done via GUI? - this is the part I understand least
    2. What FW needs to be set to allow traffic?

    1.  Yes, all wireless configuration should be done only in the AP (DD-WRT).  pfSense should have nothing to do with wireless at this point.  (Unless you wanna do WPA2-Enterprise in the future…)
    2.  The pfSense LAN interface by default allows all outgoing traffic, so everything should work by default.  You can follow a restrictive whitelisting approach in the future if you want to allow outbound ports one by one (such as 80/tcp and 443/tcp for web browsing, etc.).  This can be very tedious and granular depending on your needs.

