Isolated WiFi AP



  • I have an older PC at home that I'd like to turn into a UTM using pfSense and a few of its packages. The PC has 2 NICs (one for the LAN and one for the WAN) and a WiFi card. I'd like to set up the system to have 2 WiFi APs over that single WiFi card. One AP will have a hidden SSID and will be the "trusted" AP, with all the home wireless clients attached. That AP will have "unrestricted" access through the network (clients will be able to talk to each other and the internet). The second AP will be the "untrusted" one and will have a different SSID. That AP will have a Captive Portal and won't allow any clients connecting to it to talk to anyone else on the LAN (especially on the trusted side), and will also block things like warez/bittorrent sites, VPN connections, P2P programs, etc. Basically it's for any friend/person who comes over to be able to connect to without risking the rest of the computers on the network.

    Is there a way to do that using pfSense?



  • Only SOME WiFi cards are supported in pfSense and only SOME of those have support for multiple virtual access points on the one card.

    So assuming your WiFi card is suitable, you can create two virtual Access Points on the WiFi card by creating two virtual interfaces on the WiFi card and then setting the appropriate parameters for each. Captive portal can be enabled on the required interface. Appropriate firewall rules can be created on each interface to control the traffic as you describe.

    What chipset is in your WiFi card? If you don't know that, what make, model and revision is your card?



  • My WiFi card is an old Netgear USB adapter, so it sounds like it won't work. Is there anything that I should be looking for when buying a card (or do you know a card that would work for this kind of setup)?



  • @Heli0s:

    My WiFi card is an old Netgear USB adapter, so it sounds like it won't work. Is there anything that I should be looking for when buying a card (or do you know a card that would work for this kind of setup)?

    I don't know of any USB adapters that work in pfSense and provide multiple Access Points. There are some supported USB chipsets that support AP mode but then only one AP. If you want multiple APs on the one adapter I think you will have to use a PCI or PCI-e card with Atheros chipset or a mini-PCI or mini-PCI-e card with Atheros chipset or a mini-PCI card with a particular modem Marvell chipset.

    "Older PC" suggests to me PCI-e is not an option. I suggest you look on eBay for an Atheros PCI card or an Atheros mini-PCI card and a mini-PCI to PCI adapter. I use a PCI card with Atheros chipset on my home pfSense but that particular card seems to have disappeared from retail outlets a couple of years ago.



  • I don't mind using a PCI/PCIe card (I'd actually prefer it). The computer is a C2D and I'm pretty sure it has a PCIe slot. Sorry for being vague. I looked online, but couldn't find a card with a chipset that supports multiple APs. I've checked this spreadsheet, but couldn't find a card online (Newegg/Amazon) that has that chipset (unless I'm missing something):

    https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en



  • http://forum.pfsense.org/index.php/topic,58264.msg311985.html#msg311985 reports that the TP-Link WN881ND works with pfSense 2.1 and has Atheros chipset. I suggest you try that.



  • Despite the heroic efforts by Adrian Chadd, FreeBSD 8.x (the operating system pfSense is based on) Wifi support isn't very good. So unless you are very knowledgeable and/or have a lot of free time to experiment and learn, my suggestion would be to just get a stand-alone wireless AP or a consumer Wifi-router and load it with *WRT (DDwrt, Tomato, OpenWRT etc) firmware.

    Finally, "hidden" BSSID doesn't offer any security, so make sure you use WPA2 over your Wifi network.
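
The per-interface firewall rules mentioned earlier in the thread depend on ordering: pfSense evaluates the rules on an interface top-down and stops at the first match. The sketch below is an added example, not from any poster and not pfSense code. It models that evaluation for a guest interface and checks constructed sample flows against it; the subnets, addresses and rule set are assumptions chosen for illustration.

```python
import ipaddress

# Assumed addressing (not from the thread): trusted and guest subnets.
TRUSTED_NET = "192.168.1.0/24"
GUEST_NET = "192.168.50.0/24"
GUEST_GW = "192.168.50.1"   # firewall's own address on the guest interface
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Guest-interface rules, evaluated top-down; the first match wins.
# (action, protocol, destination networks, destination port or None for any)
GUEST_RULES = [
    ("pass",  "udp", [GUEST_GW + "/32"], 53),   # DNS served by the firewall
    ("pass",  "tcp", [GUEST_GW + "/32"], 53),
    ("block", "any", PRIVATE, None),            # trusted LAN, firewall GUI, other private nets
    ("pass",  "any", ["0.0.0.0/0"], None),      # whatever is left: the internet
]

def evaluate(rules, src, dst, proto, port):
    """Return 'pass' or 'block' for one packet arriving on the guest interface."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(GUEST_NET):
        return "block"                           # source does not belong to the guest subnet
    dst_ip = ipaddress.ip_address(dst)
    for action, r_proto, nets, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if r_port is not None and r_port != port:
            continue
        if any(dst_ip in ipaddress.ip_network(n) for n in nets):
            return action
    return "block"                               # default deny when nothing matches

# Constructed sample flows from a guest client at 192.168.50.20.
FLOWS = [
    ("192.168.1.10", "tcp", 445),   # file share on the trusted side
    ("192.168.50.1", "tcp", 443),   # firewall web GUI
    ("192.168.50.1", "udp", 53),    # DNS
    ("203.0.113.10", "tcp", 443),   # public web server (documentation address)
]

def audit(rules):
    """Verdict for each sample flow, in FLOWS order."""
    return [evaluate(rules, "192.168.50.20", d, p, port) for d, p, port in FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, audit(GUEST_RULES)):
        print(flow, "->", verdict)
```

Traffic between two guests on the same AP is bridged by the access point and never reaches these rules, so it has to be handled by the AP's client-isolation (intra-BSS) setting rather than by the firewall.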

