Noob question - PFS 2.3.5 - fixed KRACK



  • Security / Errata for v2.3.5: Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK in wpa_supplicant and hostapd

    Can somebody explain me (as for dummy), if we dont use native wifi card in pfsense (but separate AP or router), what is fixed an why?

    Thx.


  • LAYER 8 Global Moderator

    If your not using wifi card in pfsense then the fix included in pfsense has ZERO do with fixing the issue in your network.

    The issue is with clients.. So if you were using a wifi card in pfsense, and using it as a client to some wifi network then the fix would address the problem..

    To fix the issue you need to make sure that all your wifi clients are updated to address the problem.  Routers and AP do need the fix if they are using say a wireless uplink.  But if they are just being the AP and not using wifi as an uplink themselves then they are not really open to the issue anyway.  But should be updated so that if they do use wireless uplink in the future they are not open to the attack.



  • Thx sir for quick answer, i also finded this on forum: https://forum.pfsense.org/index.php?topic=139003.0

    It's a pity that pfsense does not support any Wifi AC card. It would be nice to have everything in one box.


  • LAYER 8 Global Moderator

    "It would be nice to have everything in one box."

    Not really no.. Only people that like this sort of setup are the most basic of home users..  I don't want my wifi where my router is - you don't get good wifi coverage that way.. You get good wifi coverage by placing the AP in the best place..

    Where pfsense is, ie where the internet comes into the house would be a horrible place for AP..

    What you going to do when wifi goes to 802.11ad and your going to need an AP in every single room.. How you going to do that in your router?  It makes zero sense to want everything in box.. Especially when it comes to wifi..



  • There are some other methods to get a fast and cheap as can ac WIFi if it is urgent needed by you, and it
    is matching to every budget too. So it could be used by many peoples.
    1 UBNT UniFi ac lite WiFi AP for around ~$74
    One RaspBerry PI 3.0 with internal ac WiFi card or together with an external USB ac WiFi stick for ~$60
    An old and used WiFi ac Router that is broken or mismatching from the dump, with installed DD-WRT or OpenWRT (lede) for nothing ($$$) with some luck!

    It's a pity that pfsense does not support any Wifi AC card. It would be nice to have everything in one box.

    At first pfSense is based on  FreeBSD as the underlying OS and so it is a must be that FreeBSD is supporting it
    well and first, then this could also be working on pfSense, but also with some adjustments or code writing to
    realize it well and fine working out of the box.
    Well working internal miniPCIe cards for pfSense, supporting the following standards a/b/g/n are;

    • Compex WLE200NX ~20 €
    • UBNT SR71-E ~50 €

    FreeBSD 11.1 special files (firmware and driver for Intel wireless-ac cards) over 12 month ago!
    Outlook to version 2.4 and Intel Wireless-AC cards 12 month old
    Bug report on reddit about wireless ac (solved) 12 month old
    FreeBSD 11 and Intel Dual Band Wireless-AC 8260 8 month old

    So if you own or have a miniCPIe card such as the following named cards from Intel;

    • Intel Dual Band Wireless AC 3160
    • Intel Dual Band Wireless AC 3165
    • Intel Dual Band Wireless AC 7260
    • Intel Dual Band Wireless AC 7265
    • Intel Dual Band Wireless AC 8260

    You could have luck that it is working under FreeBSD, but with no guarantee and for sure for working well in pfSense.
    pfSense is not or only something sitting on FreeBSD, after growing up more and more there was a bigger code
    change under the roof as we all perhaps could imagine as I see it right.


Log in to reply