Help with Wireless Traffic



  • I have an access point connected to 1 of 3 interfaces on my pfSense box, along with a WAN and LAN interface. The LAN is split into 3 VLANs. Everything is working great. I am new to pfSense and firewalling, and I am stuck in the weeds on wireless traffic filtering. The current configuration allows all wireless clients to connect to the access point and go out to the internet with no access to my VLANs. So far, so good. That is the desired outcome; however, I would like to have 1 laptop, when connected to the wireless access point, have access to the VLANs as well as the wireless side. My problem is that all the wireless traffic, cell phones and laptops, is seen as 1 IP address when it goes through the access point to the interface on the pfSense box. The access point has its WAN port connected to the interface on the pfSense box, with a static IP address of 192.168.2.1, and the LAN side of the access point is doing DHCP for the clients using a narrow range of addresses from 192.168.1.160 to 170, and the access point LAN management IP address is 192.168.1.140. All of the wireless traffic I see in the log files is from the 192.168.2.1 interface (wireless interface). I tried giving a laptop a static IP address that did not fall in the DHCP range of the access point and created a rule on the wireless interface to allow the 1 laptop access to one of my VLANs, but that did not work. Any thoughts on this?



  • You don't specify what hardware is acting as the AP.

    I have the same configuration at home, using a Netgear R7000 as the AP (DD-WRT firmware allows me to set Router mode and set VLANs, too). I simply disabled NAT/Firewall and DHCP on the R7000 and connected a LAN port on the R7000 to the LAN port on pfSense. pfSense is doing DHCP. I can track all clients, and I can assign rules and control the clients.
    The R7000 stays in the same subnet as the pfSense LAN.



  • The problem is that your access point (AP) is being a lot more than just an AP. It is also being a router, doing NAT and DHCP.
    Make it just an AP:

    1. Plug a LAN port of the AP into the pfSense interface.
    2. Turn off DHCP on the AP.
    3. Turn on DHCP on the pfSense interface, with some reasonable range of IP pool.
    4. Add a static mapping for the laptop that you want to give special treatment.
    5. Add rules for that static-mapped laptop IP to allow it to other LAN subnets as needed.
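
An added example, not part of the original posts: a small Python model of first-match rule evaluation on the wireless interface, showing why a per-laptop rule never matches while the AP does NAT and does match once the AP is a plain AP. The VLAN subnet, the laptop and phone addresses and all function names are assumptions; only 192.168.2.1 and the 192.168.1.160-170 range come from the thread.

```python
import ipaddress

# Constructed values; only AP_WAN_IP and the .160-.170 range are from the thread.
AP_WAN_IP = "192.168.2.1"       # the one source address pfSense logged
VLAN_NET = "10.0.10.0/24"       # assumed VLAN subnet
VLAN_HOST = "10.0.10.5"         # assumed host on that VLAN
INTERNET = "203.0.113.10"       # documentation address standing in for the internet
LAPTOP_NAT, PHONE_NAT = "192.168.1.150", "192.168.1.161"      # behind the AP's NAT
LAPTOP_MAPPED, PHONE_LEASED = "192.168.2.50", "192.168.2.101"  # assumed pfSense DHCP

def build_rules(laptop_ip):
    """Wireless-interface rules, evaluated top-down, first match wins."""
    return [
        ("pass", laptop_ip + "/32", VLAN_NET),   # the one privileged laptop
        ("block", "0.0.0.0/0", VLAN_NET),        # everyone else: no VLAN access
        ("pass", "0.0.0.0/0", "0.0.0.0/0"),      # internet for all clients
    ]

def evaluate(rules, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "block"  # implicit default deny

def verdict(rules, client_ip, dst, ap_does_nat):
    """Source NAT on the AP rewrites every client to AP_WAN_IP before pfSense sees it."""
    seen_src = AP_WAN_IP if ap_does_nat else client_ip
    return seen_src, evaluate(rules, seen_src, dst)

if __name__ == "__main__":
    before = build_rules(LAPTOP_NAT)      # rule written for the laptop's static IP
    after = build_rules(LAPTOP_MAPPED)    # rule written for the static DHCP mapping
    for label, rules, nat, laptop, phone in (
        ("AP as router (NAT)", before, True, LAPTOP_NAT, PHONE_NAT),
        ("AP as plain AP", after, False, LAPTOP_MAPPED, PHONE_LEASED),
    ):
        print(label)
        for name, ip, dst in (("laptop", laptop, VLAN_HOST), ("phone", phone, VLAN_HOST),
                              ("phone", phone, INTERNET)):
            print(f"  {name} {ip} -> {dst}: {verdict(rules, ip, dst, nat)}")
```

With NAT on the AP the laptop and the phone produce the same source address, so no rule on the firewall can tell them apart; a log showing many distinct client addresses on the wireless interface is the quick check that the AP is no longer translating.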


  • Seen with another set of eyes. That makes perfect sense. Excellent! That works for me.