Wireless AP setup 2.1 RC



  • Hello, everybody. I'm brand new to pfsense, and decided to jump in over my head by adding a wireless access point. With an internal wifi card.
    I purchased a wireless card, one that was on the approved chipset list.
    TP-LINK TL-WN881ND       
    http://www.newegg.com/Product/Product.aspx?Item=N82E16833704129

    It's an atheros based card, with the chipset being the AR9287 (I believe). I've installed it into the system, but am daunted by the wireless setup page.
    Here's what I've done so far.

    I installed the 2.1 RC1 version of pfsense. The 2.0 version didn't recognize the card, but the release candidate does.
    Then, I went to “Interfaces: (assign)”. I added a new interface, with the ath0 option. It is called OPT1.
    I then went to configure OPT1, and became hopelessly lost.

    A brief overview of some drop down boxes:
    IPv4 configuration type: None.
    IPv6 configuration type: None.
    MAC Address: Nothing.
    MTU: Nothing.
    MSS: Nothing.

    Standard: 802.11g.
    Protection Mode: Off.
    Transmit power: 99.
    Channel: Auto.

    Mode: Access Point
    SSID: Our Wifi.

    Everything from that point onward is left to default. No WEP, no WPA(2), I’ll fiddle with those once the wifi is actually working.

    I’ve done nothing with the DHCP Server, and don’t know what I should do.
    I can’t seem to find a manual for this, and the brief walkthroughs I found were for 2.0, not 2.1. The interface is significantly different, and DHCP Server only uses static IPv4 now (whatever that means.)

    Our devices see the signal, and can join it, but cannot access either the internet, or our internal lan. Would somebody please help me?

    Thanks,
    Odie

    P.S. Additionally, I can and will take screenshots as requested, and upload them.



  • @Arbiter:

    Everything from that point onward is left to default. No WEP, no WPA(2), I’ll fiddle with those once the wifi is actually working.

    Good plan! Get the basics working then tweak it towards what you really want.

    @Arbiter:

    I’ve done nothing with the DHCP Server, and don’t know what I should do.

    You need to configure DHCP server on the WiFi interface AND you need to add a firewall rule on the OPT1 interface to allow traffic to the internet. (Default firewall rules block all traffic from OPTx interfaces).

    DHCP Server: You need to assign OPT1 an IP address in a private subnet distinct from the other IP subnets used on the box. For example, if your pfSense WAN interface has IP address 192.168.0.10/24 and the LAN interface has IP address 192.168.1.1/24 then you could assign OPT1 IP address 192.168.7.1/24. Then enable DHCP server on OPT1, configure an address range within the IP subnet of the OPT1 interface (e.g. if the OPT1 IP address is 192.168.7.1/24 then a suitable range would be 192.168.7.10 to 192.168.7.20) and leave other parameters default. Click Save then Apply.

    When your WiFi clients next connect they should be allocated an IP address out of the range specified when you configured DHCP server on OPT1.

    You still need to configure a firewall rule to allow connections from WiFi clients to the Internet. On Firewall -> Rules click the OPT1 tab, click a "+" on the right to add a new rule then fill in
    Action = Pass, Interface = OPT1, TCP/IP version = IPv4, Protocol = any, Source = any, Destination = any then click Save.
    Then go to Diagnostics -> States, click on Reset States tab, read the explanation and click Reset. Then your WiFi clients should be able to access the Internet.

    If you get stuck part way along and don't know what to do post a screen shot.



  • @wallabybob:

    You still need to configure a firewall rule to allow connections from WiFi clients to the Internet. On Firewall -> Rules click the OPT1 tab, click a "+" on the right to add a new rule then fill in
    Action = Pass, Interface = OPT1, TCP/IP version = IPv4, Protocol = any, Source = any, Destination = any then click Save.
    Then go to Diagnostics -> States, click on Reset States tab, read the explanation and click Reset. Then your WiFi clients should be able to access the Internet.

    I think it's better not allowing WiFi clients to go everywhere with the rule Destination = any, because this is going to expose the internal LAN to possibly untrusted machines.



  • @panz:

    I think it's better not allowing WiFi clients to go everywhere with the rule Destination = any, because this is going to expose the internal LAN to possibly untrusted machines.

    Fair comment but given the original poster wrote:
    @Arbiter:

    I've installed it into the system, but am daunted by the wireless setup page.
    . . .
    I then went to configure OPT1, and became hopelessly lost.
    . . .
    No WEP, no WPA(2), I’ll fiddle with those once the wifi is actually working.
    . . .
    Our devices see the signal, and can join it, but cannot access either the internet, or our internal lan.

    I thought the simplest firewall rule that would give access was warranted.

    Arbiter Odie, do you want to restrict access from OPT1 to the LAN?



  • I think that a common misconception about pfsense, from a newbie point of view, is "I need to grant X_Interface access to my internal LAN to have immediate Internet connection for this (other) network".

    I often see this in VPN discussion, where firewall rules are dangerously set to allow VPN clients access to LAN just to route traffic to the Internet without headaches.



  • Hey guys, sorry for the delay. I kinda messed up the router on Sunday night whilst configuring it (I lost access to the internet), and then was busy yesterday. I'm back, and am ready to try again.

    Wallabybob, I want people using the wifi to have access to the file server on the lan. We make heavy use of our file server, and not having access to it would be a pain. This is also why I'm going to enable WPA2 as soon as I stop bricking the router  ;D

    panz, I'm very open to security concepts and implementation of said concepts. Would you advise two wifi networks, one that has access to the lan, and one that does not? Should the wifi simply not be allowed on the lan at all?

    Also, before I un-checked the wrong box and messed up the internet connection, the wifi was indeed working. The range was terrible, but I'm sure that's because of the card I bought. I'm still trying to figure out why the network went down at all. All I did was disable opt1 without shutting off its dhcp server settings (I wanted to shut it off after the testing, since it's not secured at all). And then I lost connection to the router, and I had to manually revert to a backup.

    A


  • Banned

    @Arbiter:

    Wallabybob, I want people using the wifi to have access to the file server on the lan. We make heavy use of our file server

    That's a prime example of what WiFi is completely unsuitable for, esp. with "heavy use".



  • @doktornotor:

    @Arbiter:

    Wallabybob, I want people using the wifi to have access to the file server on the lan. We make heavy use of our file server

    That's a prime example of what WiFi is completely unsuitable for, esp. with "heavy use".

    Depends on how "heavy use" translates into numbers for quantities such as transfer rate, latency etc.



  • @Arbiter:

    Would you advise two wifi networks, one that has access to the lan, and one that does not?

    Yep!  ;D
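
The trade-off discussed in this thread (one "Destination = any" pass rule on OPT1 versus a rule set that reaches the file server but not the rest of the LAN) can be checked with a small first-match rule model. This is an added example, not part of any post and not pfSense code; the subnets follow the thread's example, while the file server address 192.168.1.50, the SMB port and the probe list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets follow the thread's example; the file server address and the
# SMB port are constructed for illustration.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FILE_SERVER = ipaddress.ip_network("192.168.1.50/32")   # hypothetical host
SMB_PORT = 445                                           # assumed file-sharing port


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    dst: Optional[ipaddress.IPv4Network] = None   # None means "any"
    port: Optional[int] = None                    # None means "any"


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule; no match means block."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.dst is not None and addr not in rule.dst:
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        return rule.action
    return "block"   # default deny on an OPT interface with no matching rule


# The single rule suggested to get things working: Destination = any.
PERMISSIVE = [Rule("pass")]

# Scoped alternative: file server only, rest of LAN blocked, Internet allowed.
SCOPED = [
    Rule("pass", FILE_SERVER, SMB_PORT),
    Rule("block", LAN_NET),
    Rule("pass"),
]

# Constructed probes: (description, destination IP, destination port)
PROBES = [
    ("pfSense LAN address, HTTPS", "192.168.1.1", 443),
    ("file server, SMB", "192.168.1.50", 445),
    ("file server, SSH", "192.168.1.50", 22),
    ("other LAN host, SMB", "192.168.1.20", 445),
    ("Internet host, HTTPS", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for name, ip, port in PROBES:
        print(f"{name:28} permissive={evaluate(PERMISSIVE, ip, port):5} "
              f"scoped={evaluate(SCOPED, ip, port)}")
```

Rule order matters: moving the block rule above the file-server pass rule would cut off the file server too. The final pass rule still matches the firewall's own OPT1 address (192.168.7.1 in the thread's example), so access to the firewall itself from Wi-Fi needs its own rule if it should be restricted.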

