Which is the Best Practice for a Wireless Access Point?
-
Good day!! So I have Pfsense working. Pretty simple setup:
INTERNET –> PFSENSE -->Switch-->PC's
Nothing fancy.. My PFsense box has three NICs. My question, with the thought that I want to have a wireless router act as an AP and with limited bandwidth (traffic shaper), which is the best scenario?? to use that third NIC and connect the wireless AP to it or to connect the wireless AP to the switch?? Any changes that should be done in PFsense aside from enabling that third NIC??
Thanks
Regards Dan
-
A more basic consideration than "best practice" is "What do you want it to do?"
For example, PERHAPS you want to treat wireless clients exactly the same as wired clients, in which case it is quite appropriate to connect the AP to a switch connected to the pfSense LAN interface. PERHAPS you want to apply different firewall rules to wireless clients than apply to wired clients (for example, allow wireless clients to access the internet but not wired clients) then it would be appropriate to connect the AP to its own pfSense NIC.
Note that default firewall rules will block all access from OPTx interfaces so if you connect the AP to its own pfSense NIC you will almost certainly want to add appropriate firewall rules for that NIC then reset firewall states (see Diagnostics -> States and click on Reset States tab).
-
You are right! treat them differently..I never thought about wireless clients not accessing the inside network but totally makes sense…I will give it a shot as said and post later.
Thanks!
-
I do both, my trusted wireless devices are on my LAN while untrusted ones and guests are on their own little network. I may put up the captive portal pfSense offers at some point but for now having two APs is working fine for me.
I also set the untrusted WiFi to use client isolation so devices there can't see each other.
-
Well I went ahead and gave it a try.. I used OPT1 as the NIC where I was going to put my AP. Went and enabled it, chose static IP, used a different range 192.168.2.1. Went to Firewall Rules, set up my rule for everything outgoing (Any destination: Not in Type with Lan Subnet). I also set up my OPT1 as a DHCP Server with range from 192.168.2.6 - 192.168.2.50 (My AP address is 192.168.2.5).. Then, hell broke loose!! Now PFsense does not give me any connection. I can access PFsense but there is no internet within. I ping outside from PFsense and it works. No error messages… nothing.. I disabled my OPT1, deleted my firewall rule of my AP.. set everything up as before.. and still no internet... AGH.. dammit... so frustrating.. By the way, I did have my AP with no NAT, no DHCP server running... Any leads??
Thanks
-
Without more information it is a bit hard to say what happened.
> (Any destination: Not in Type with Lan Subnet) .
Presumably you mean: Destination: Not LAN subnet
> I also set up my OPT1 as a DHCP Server with range from 192.168.2.6 - 192.168.2.50 (My AP address is 192.168.2.5)..Then, hell broke loose!! Now PFsense does not give me any connection.
Connection from where to where? From a computer on the LAN port? On the OPT1 port? A WiFi client? What sort of connection: ping? web page? ssh? etc.
What was reported on the connection attempt - timeout? unknown host? no route to host? etc
> I can access PFsense but there is no internet within. I ping outside from PFsense and it works. No error messages…nothing..
Where did you look for error messages?
PERHAPS you didn't reset firewall states after adding the firewall rule for OPT1. See Diagnostics -> States, click on Reset States tab and read.
> I disabled my OPT1, deleted my firewall rule of my AP..set everything up as before..and still no internet…
Again, without more details (see above for the details it would be helpful to have) it is hard to give an explanation.
Nothing you have described has any obvious reason to affect operation on the pfSense LAN network UNLESS you have chosen duplicate or overlapping IP address ranges.
Please tell us about your AP - is it a router, a router with network switch, a wireless bridge?
In addition to answering the questions above I suggest you take a more stepwise approach:
1. You check all your IP subnets have distinct (non-overlapping) IP address ranges. If they don't, fix that and reboot pfSense. (I have found it sometimes seems to be necessary to reboot pfSense to clear out memory of old IP subnet assignments.)
2. Save your pfSense configuration.
3. Configure OPT1 (distinct IP address range), configure its DHCP server, enable it, verify you still have access to the internet from a computer on the pfSense LAN interface.
4. Plug in a computer to the pfSense OPT1 interface (cross over cable if necessary) and verify it gets correct DHCP assigned IP address, DNS and gateway.
5. Plug in the AP to the OPT1 interface and verify a computer can associate with the AP and gets an IP address from the correct range and gets correct gateway and DNS. Since I don't know if you are using the AP as a router or WiFi bridge I can't say what the correct values are.
If you report back on which step you get to and what happened when you attempted to complete the next step I will try to assist you to get to the next step.
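
Step 1 of the list above (distinct, non-overlapping subnets) can be checked offline before touching the firewall. The following is an added example, not part of the original post and not pfSense code: the OPT1 address, DHCP pool and AP address come from the thread, while the LAN values, the /24 masks and the `BAD` plan are constructed assumptions.

```python
import ipaddress

def check_plan(interfaces):
    """Return a list of problems found in a firewall address plan."""
    problems, nets = [], {}
    for name, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["address"])
        net = nets[name] = iface.network
        lo = hi = None
        if cfg.get("dhcp_pool"):
            lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp_pool"])
            if lo > hi:
                problems.append(f"{name}: DHCP pool start is above its end")
            if lo not in net or hi not in net:
                problems.append(f"{name}: DHCP pool leaves {net}")
        # Static hosts (the firewall itself, the AP) must sit inside the
        # subnet but outside the pool, or DHCP can hand out a duplicate.
        static = {"firewall": iface.ip}
        for label, addr in cfg.get("static", {}).items():
            static[label] = ipaddress.ip_address(addr)
        for label, addr in static.items():
            if addr not in net:
                problems.append(f"{name}: {label} {addr} outside {net}")
            elif lo is not None and lo <= addr <= hi:
                problems.append(f"{name}: {label} {addr} inside DHCP pool")
    # Pairwise overlap check between every interface subnet.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

# OPT1 values as given in the thread; LAN values and masks are assumed.
GOOD = {
    "LAN": {"address": "192.168.1.1/24",
            "dhcp_pool": ("192.168.1.100", "192.168.1.199")},
    "OPT1": {"address": "192.168.2.1/24",
             "dhcp_pool": ("192.168.2.6", "192.168.2.50"),
             "static": {"AP": "192.168.2.5"}},
}
# Constructed broken plan: a /22 on OPT1 swallows the LAN subnet, and the
# DHCP pool now starts on the AP's static address.
BAD = {
    "LAN": GOOD["LAN"],
    "OPT1": {"address": "192.168.0.1/22",
             "dhcp_pool": ("192.168.2.5", "192.168.2.50"),
             "static": {"AP": "192.168.2.5"}},
}

if __name__ == "__main__":
    for title, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(title, check_plan(plan) or "no problems")
```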
-
My bad for the short description on the problem. I figured it out. Pfblocker was blocking my Opt1. I chose Opt1 as inbound interface and everything worked back to normal