Netgate Discussion Forum

    How to use a consumer wireless router with pfSense

    Wireless
    30 Posts 11 Posters 26.7k Views

    • Derelict LAYER 8 Netgate

      Did you make a loop by connecting two cables from the switch to the AP or was there another bridge device joined to wi-fi and also connected to wired?

      Layer 2 loops break networks.

      This is the proper way to do this absent a real access point.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • zylithi

        @Derelict:

        Did you make a loop by connecting two cables from the switch to the AP or was there another bridge device joined to wi-fi and also connected to wired?

        Layer 2 loops break networks.

        This is the proper way to do this absent a real access point.

        That was my first thought. Actually it threw me off pretty good, I was going all over the place looking for a loop but couldn't find one. The access point only had one wire plugged into it, and there was no bridge device on the wifi. I plugged the cord into the WAN side of the access point and that immediately fixed the problem. Plugging it back into the switch port, the problem came back. I even replaced the wire entirely, thinking there was a short of some kind causing some kind of backscatter, nope, same problem.

        • Derelict LAYER 8 Netgate

          That AP is broken then and has nothing to do with this config.

          • edmund

            @Derelict:

            Anyway, we're both talking about exactly the same thing.  Disable all router functionality in the wireless device and plug your wireless router's LAN port into your LAN and leave its WAN port disconnected.

            This is my procedure - I start with the AP disconnected from the network and perform a Factory Reset of the AP - this way I have a known configuration to start.

            Then I use a laptop and connect to the AP via a LAN port for the initial AP configuration.  I use a standard browser without any plugins like No-Script running so that nothing gets in the way of the setup.  Depending on the AP you may be able to log straight in, or you may have to accept a license agreement first.  I always skip any setup wizards and set up the AP manually.

            Once you are logged into the AP you can connect the AP WAN to the internet and check for any firmware updates - I try to do this once a year and I've just finished running this process on two of my three APs at home. Once you have the AP updated then disconnect the AP WAN cable.

            Open the AP administration/manual setup and configure the Wireless LAN in your AP with SSID and password.

            Ensure that all services except DHCP (DNS, NAT, etc.) are disabled on your AP.  In general, if the AP offers a service then you probably want to disable it, but make sure that changing the LAN DHCP settings is the last thing that you do.  It's a good idea to check that the settings that you enter on any of the AP configuration pages are actually saved before you move on to the next step.  Make sure that you go through all the setup screens.

            Finally - and this is always the last step - set the LAN IP in the AP to an unused, static address on your LAN subnet outside the pfSense DHCP range so that you will be able to admin the AP from this address afterwards.  Now disable DHCP on the LAN and save the configuration - the AP will disconnect from your laptop.

            Unplug the laptop and connect the AP LAN port to the LAN port on pfSense.  Leave the AP WAN port disconnected!

            You should now have Wi-Fi access on the pfSense LAN and you should be able to admin the AP via the static address that you assigned for any fine-tuning.  If you can't reach the AP via the assigned address then you've done something wrong - the safest thing is to do a factory reset and start again.

            Finally, from a security point of view:

            • Always change the admin password on the AP.

            • Always disable Wi-Fi Protected setup.

            • Never configure the AP to use WPA or TKIP.

            • Always use strong passwords on your AP.

            There's no sense in making it easy to hack.

            • Derelict LAYER 8 Netgate
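The addressing rule in the procedure above (a static AP address on the pfSense LAN subnet, outside the DHCP pool, not already in use) is easy to get wrong by hand. The following is an added example, not code from the thread or from pfSense, that encodes those rules with Python's standard `ipaddress` module and can also propose a free address. The LAN subnet, DHCP pool and in-use addresses are constructed sample values; replace them with your own.

```python
"""Check a planned static LAN address for a consumer router used as an AP.

Added example, not code from the forum thread or from pfSense. It encodes the
addressing rules from the procedure above: the AP's LAN IP must sit on the
pfSense LAN subnet, outside the pfSense DHCP pool, and must not collide with
the gateway or with anything already answering on the LAN. The subnet, pool
and in-use addresses below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample network: pfSense LAN is 192.168.1.1/24, DHCP pool .100-.199
LAN_CIDR = "192.168.1.1/24"                  # pfSense LAN address with prefix length
DHCP_POOL = ("192.168.1.100", "192.168.1.199")
IN_USE = {"192.168.1.1", "192.168.1.2"}     # e.g. taken from the pfSense ARP table


def check_ap_address(candidate: str, lan_cidr: str = LAN_CIDR,
                     dhcp_pool=DHCP_POOL, in_use: Iterable[str] = ()) -> List[str]:
    """Return the problems with using `candidate` as the AP's static LAN IP.

    An empty list means the address is acceptable under the rules above.
    """
    gateway = ipaddress.ip_interface(lan_cidr)   # pfSense LAN IP plus prefix
    net = gateway.network                        # e.g. 192.168.1.0/24
    pool_start = ipaddress.ip_address(dhcp_pool[0])
    pool_end = ipaddress.ip_address(dhcp_pool[1])
    ip = ipaddress.ip_address(candidate)
    problems = []

    if ip not in net:
        # Off-subnet: pfSense could never reach the AP's admin page, and the
        # remaining checks would be meaningless.
        return [f"{ip} is not on the pfSense LAN subnet {net}"]
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if ip == gateway.ip:
        problems.append(f"{ip} is the pfSense LAN address itself")
    if pool_start <= ip <= pool_end:
        problems.append(f"{ip} is inside the pfSense DHCP pool "
                        f"{pool_start}-{pool_end}; a lease could collide with it")
    if str(ip) in set(in_use):
        problems.append(f"{ip} already answers on the LAN (duplicate address)")
    return problems


def suggest_ap_address(lan_cidr: str = LAN_CIDR, dhcp_pool=DHCP_POOL,
                       in_use: Iterable[str] = ()) -> str:
    """Return the lowest host address that passes every check, or '' if none."""
    net = ipaddress.ip_interface(lan_cidr).network
    used = set(in_use)
    for host in net.hosts():
        if not check_ap_address(str(host), lan_cidr, dhcp_pool, used):
            return str(host)
    return ""


if __name__ == "__main__":
    for addr in ("192.168.1.2", "192.168.1.150", "192.168.2.2"):
        print(addr, check_ap_address(addr, in_use=IN_USE) or "OK")
    print("suggested:", suggest_ap_address(in_use=IN_USE))
```

Feed `IN_USE` from the pfSense ARP table (Diagnostics > ARP Table, or `arp -a` on the console) taken while the LAN is busy, so a quiet device that only appears occasionally is still counted.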

              That all looks really solid.  Thanks.

              • rjcrowder

                @edmund:

                Unplug the laptop and connect the AP LAN port to the LAN port on PfSense.  Leave the AP WAN port disconnected!

                At risk of confusing some… but if the router configuration has an option for "Assign WAN port to LAN" (such as dd-wrt) then you can select the option and use the WAN port - gives you another port back...

                • TAC57

                  The picture at the beginning of this post is how I have my Wireless Router set up.  But I have some questions.

                  1. I used to be able to log into 192.168.1.2 and get the Netgear configuration screen, but now the connection just times out.

                  2. I had to spoof a MAC address in my pfSense box to get it to work with my Comcast cable modem.  This is the same MAC address of my wireless modem. Problem?

                  My setup is as follows
                  192.168.1.1    - pfSense box
                  192.168.1.2    - Netgear WRN3500L, same MAC address as pfSense box.  Not using WAN port, only the 4 IP ports. Disabled DHCP and DNS.
                  192.168.1.234 - Amped Wireless access point

                  I also have an Amped Wireless SR10000 access point that connects through the Netgear WRN3500L.  Both wireless access points work just fine, but I can't log into the Amped access point either.

                  • Derelict LAYER 8 Netgate

                    Yes, having two devices with the same MAC on the same network will cause you problems like that.  I would either:

                    Call Comcast and let them know you need to change the MAC address of your device and change it to the native MAC on pfSense.

                    See if you can set the MAC of the wireless router to something else.  You can probably only do this on the WAN interface, though.

                    • XanALaOM00
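The symptom in the post above (a device that was reachable suddenly timing out) is what a duplicated MAC on one LAN looks like from the outside; it is also the first thing to confirm before touching the ISP or the router. The following is an added example, not code from the thread or from pfSense, that parses `arp -a` output and reports any MAC that answers for more than one IP. The ARP lines are constructed so that the pfSense LAN interface and the Netgear share a MAC, mirroring the setup described; the regular expression matches the FreeBSD (pfSense) format and the Linux format, which differ only after the MAC.

```python
"""Find MAC addresses shared by more than one IP in an ARP table.

Added example, not code from the forum thread or from pfSense. The ARP
lines below are constructed so that the pfSense LAN address (.1) and the
Netgear's LAN address (.2) answer with the same MAC, as in the post above.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `arp -a` as run on pfSense (FreeBSD format). The
# fourth line uses the dash-separated MAC form to show normalisation.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:1e:2a:aa:bb:cc on em1 permanent [ethernet]
? (192.168.1.2) at 00:1e:2a:aa:bb:cc on em1 expires in 1133 seconds [ethernet]
? (192.168.1.234) at 00:1b:2f:11:22:33 on em1 expires in 1170 seconds [ethernet]
? (192.168.1.150) at 3C-22-FB-44-55-66 on em1 expires in 902 seconds [ethernet]
? (192.168.1.77) at (incomplete) on em1 expired [ethernet]
"""

# "(ip) at mac" is common to FreeBSD and Linux `arp -a`; everything after
# the MAC differs between the two and is ignored.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 3C-22-FB-.. and 3c:22:fb:.. compare equal."""
    return mac.lower().replace("-", ":")


def ip_sort_key(ip: str):
    """Sort dotted quads numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp(text: str) -> Dict[str, List[str]]:
    """Map each MAC to the sorted list of IPs the ARP table shows for it.

    Incomplete entries (no MAC learned yet) and any non-matching lines are
    skipped rather than treated as errors.
    """
    by_mac = defaultdict(set)
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match is None:
            continue
        by_mac[normalize_mac(match.group("mac"))].add(match.group("ip"))
    return {mac: sorted(ips, key=ip_sort_key) for mac, ips in by_mac.items()}


def find_duplicate_macs(text: str) -> Dict[str, List[str]]:
    """Return only the MACs that answer for more than one IP.

    On a flat LAN this is almost always a misconfiguration (a cloned MAC, or
    one device reachable through two addresses). Switches and hosts cannot
    tell the two apart, so frames for one of them are delivered to whichever
    host was learned last, which shows up as intermittent timeouts.
    """
    return {mac: ips for mac, ips in parse_arp(text).items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(SAMPLE_ARP).items():
        print(f"MAC {mac} is claimed by {len(ips)} addresses: {', '.join(ips)}")
```

Run it against the live table with `arp -a | python3 find_dup_macs.py` after changing the `__main__` block to read `sys.stdin`, or paste the output of Diagnostics > ARP Table into `SAMPLE_ARP`. A MAC listed for two addresses is the thing to fix before anything else, whether by changing the clone on the pfSense WAN or the MAC on the consumer router.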

                      @Derelict:

                      Here's a diagram generally describing how to connect a typical consumer wireless router as an access point/switch for use with pfSense.

                      how about… turn off NAT on the consumer router, turn the consumer router into AP mode, use the WAN port as an "access port" to pfSense and configure the AP with a static IP address on the same subnet as the pfSense OPT1 range (make sure to not hand out the same IP address in the DHCP range).

                      or how about go all out and install TomatoUSB or DDWRT, configure the wireless router's WAN port for 802.1q trunking, trunk vlans 10,20 or whatever, create vlans 10,20 etc.. on pfSense and configure trunking on pfSense, assign vlans to given ports on the access point, have fun with your pfSense on a stick configuration.

                      • edmund

                        @XanALaOM00:

                        how about… turn off NAT on the consumer router, turn the consumer router into AP mode, use the WAN port as an "access port" to pfSense and configure the AP with a static IP address on the same subnet as the pfSense OPT1 range (make sure to not hand out the same IP address in the DHCP range).

                        In theory that would work - but in practice it doesn't unless your network is very simple.  All the consumer wireless routers that I've tried that approach with over the years will allow wireless devices to access the local network and the internet WAN via pfSense - but devices on the local network LAN often have subtle problems talking to the wireless devices.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.