Netgate Discussion Forum

    Which is the Best Practice for a Wireless Access Point?

    • G
      greenpoise
      last edited by

      Good day!! So I have pfSense working. Pretty simple setup:

      INTERNET --> PFSENSE --> Switch --> PCs

      Nothing fancy. My pfSense box has three NICs. My question: given that I want to have a wireless router act as an AP with limited bandwidth (traffic shaper), which is the best scenario? To use that third NIC and connect the wireless AP to it, or to connect the wireless AP to the switch? Are there any changes that should be made in pfSense aside from enabling that third NIC?

      Thanks

      Regards Dan

      • W
        wallabybob
        last edited by

        A more basic consideration than "best practice" is "What do you want it to do?"

        For example, PERHAPS you want to treat wireless clients exactly the same as wired clients, in which case it is quite appropriate to connect the AP to a switch connected to the pfSense LAN interface. PERHAPS you want to apply different firewall rules to wireless clients than apply to wired clients (for example, allow wireless clients to access the internet but not wired clients) then it would be appropriate to connect the AP to its own pfSense NIC.

        Note that default firewall rules will block all access from OPTx interfaces so if you connect the AP to its own pfSense NIC you will almost certainly want to add appropriate firewall rules for that NIC then reset firewall states (see Diagnostics -> States and click on Reset States tab).

        • G
          greenpoise
          last edited by

          @wallabybob:

          You are right! Treat them differently. I never thought about wireless clients not accessing the inside network, but it totally makes sense… I will give it a shot as said and post later.

          Thanks!

          • stan-qazS
            stan-qaz
            last edited by

            I do both, my trusted wireless devices are on my LAN while untrusted ones and guests are on their own little network. I may put up the captive portal pfSense offers at some point but for now having two APs is working fine for me.

            I also set the untrusted WiFi to use client isolation so devices there can't see each other.

            • G
              greenpoise
              last edited by

              Well, I went ahead and gave it a try. I used OPT1 as the NIC where I was going to put my AP. Went and enabled it, chose static IP, used a different range, 192.168.2.1. Went to Firewall Rules and set up my rule for everything outgoing (Any destination: Not in Type with Lan Subnet). I also set up my OPT1 as a DHCP server with range from 192.168.2.6 - 192.168.2.50 (my AP address is 192.168.2.5). Then, hell broke loose!! Now pfSense does not give me any connection. I can access pfSense but there is no internet within. I ping outside from pfSense and it works. No error messages… nothing. I disabled my OPT1, deleted the firewall rule for my AP, set everything up as before, and still no internet... AGH.. dammit... so frustrating. By the way, I did have my AP with no NAT, no DHCP server running... Any leads??

              Thanks

              • W
                wallabybob
                last edited by

                Without more information it is a bit hard to say what happened.

                @greenpoise:

                (Any destination: Not in Type with Lan Subnet) .

                Presumably you mean: Destination: Not LAN subnet

                @greenpoise:

                I also set up my OPT1 as a DHCP Server with range from 192.168.2.6 - 192.168.2.50 (My AP address is 192.168.2.5)..Then, hell broke loose!! Now PFsense does not give me any connection.

                Connection from where to where? From a computer on the LAN port? On the OPT1 port? A WiFi client? What sort of connection: ping? web page? ssh? etc.

                What was reported on the connection attempt - timeout? unknown host? no route to host? etc

                @greenpoise:

                I can access PFsense but there is no internet within. I ping outside from PFsense and it works. No error messages…nothing..

                Where did you look for error messages?

                PERHAPS you didn't reset firewall states after adding the firewall rule for OPT1. See Diagnostics -> States, click on Reset States tab and read.

                @greenpoise:

                I disabled my OPT1, deleted my firewall rule of my AP..set everything up as before..and still no internet…

                Again, without more details (see above for the details it would be helpful to have) it is hard to give an explanation.

                Nothing you have described has any obvious reason to affect operation on the pfSense LAN network UNLESS you have chosen duplicate or overlapping IP address ranges.

                Please tell us about your AP - is it a router, a router with network switch, a wireless bridge?

                In addition to answering the questions above I suggest you take a more step wise approach:

                1. You check all your IP subnets have distinct (non overlapping) IP address ranges. If they don't, fix that and reboot pfSense. (I have found it sometimes seems to be necessary to reboot pfSense to clear out memory of old IP subnet assignments.)

                2. Save your pfSense configuration.

                3. Configure OPT1 (distinct IP address range), configure its DHCP server, enable it, verify you still have access to the internet from a computer on the pfSense LAN interface.

                4. Plug in a computer to the pfSense OPT1 interface (cross over cable if necessary) and verify it gets correct DHCP assigned IP address, DNS and gateway.

                5. Plug in the AP to the OPT1 interface and verify a computer can associate with the AP and gets an IP address from the correct range and gets correct gateway and DNS. Since I don't know if you are using the AP as a router or WiFi bridge I can't say what the correct values are.

                If you report back on which step you get to and what happened when you attempted to complete the next step I will try to assist you to get to the next step.

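The addressing checks in steps 1 and 3 to 5 of the checklist above can be run against a written-down plan before any interface is changed. This is an added example, not part of the original thread and not pfSense code: the OPT1 values come from the thread, while the LAN subnet, the /24 masks, the function names and the broken variant are assumptions made for illustration. It also assumes the AP is a plain bridge, so clients receive the OPT1 interface address as their gateway.

```python
import ipaddress
from itertools import combinations

# Constructed plan: OPT1 address, DHCP pool and AP address are from the thread;
# the LAN subnet and the /24 masks are assumed for illustration.
PLAN = {
    "LAN": {"address": "192.168.1.1/24", "dhcp_pool": ("192.168.1.100", "192.168.1.200")},
    "OPT1": {"address": "192.168.2.1/24", "dhcp_pool": ("192.168.2.6", "192.168.2.50"),
             "static": {"AP": "192.168.2.5"}},
}
# Constructed broken variant: OPT1 mistakenly given an address inside the LAN range.
BAD = dict(PLAN, OPT1=dict(PLAN["OPT1"], address="192.168.1.254/24"))

def audit(interfaces):
    """Return a list of problems found in a per-interface addressing plan."""
    problems = []
    nets = {n: ipaddress.ip_interface(c["address"]) for n, c in interfaces.items()}
    # Step 1: every interface subnet must be distinct and non-overlapping.
    for a, b in combinations(sorted(nets), 2):
        if nets[a].network.overlaps(nets[b].network):
            problems.append(f"{a} {nets[a].network} overlaps {b} {nets[b].network}")
    for name, cfg in interfaces.items():
        net, own = nets[name].network, nets[name].ip
        pool = [ipaddress.ip_address(x) for x in cfg.get("dhcp_pool", [])]
        if pool:
            lo, hi = pool
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"{name} DHCP pool {lo}-{hi} is not inside {net}")
            if lo <= own <= hi:
                problems.append(f"{name} address {own} is inside its own DHCP pool")
        for label, addr in cfg.get("static", {}).items():
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                problems.append(f"{label} {ip} is outside {name} subnet {net}")
            elif pool and lo <= ip <= hi:
                problems.append(f"{label} {ip} collides with the {name} DHCP pool")
    return problems

def lease_ok(interfaces, name, client_ip, gateway):
    """Steps 4-5: a client on `name` should hold a pool address and use the interface as gateway."""
    iface = ipaddress.ip_interface(interfaces[name]["address"])
    lo, hi = (ipaddress.ip_address(x) for x in interfaces[name]["dhcp_pool"])
    in_pool = lo <= ipaddress.ip_address(client_ip) <= hi
    return in_pool and ipaddress.ip_address(gateway) == iface.ip

if __name__ == "__main__":
    for label, plan in (("plan", PLAN), ("bad", BAD)):
        print(label, audit(plan) or "no problems")
```

A wireless client that reports a LAN-range address fails `lease_ok` for OPT1, which shows it is not actually being served through the segregated interface.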
                • G
                  greenpoise
                  last edited by

                  @wallabybob:

                  My bad for the short description of the problem. I figured it out. pfBlocker was blocking my OPT1. I chose OPT1 as inbound interface and everything worked back to normal.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.