PfSense network topology question

  • Hi friends!

    I came here to ask a question about the proper way to set up a network with a server running pfSense. My problem is that I have a server running pfSense. This server has one WAN and one LAN interface. Now the LAN interface is connected to a Fast Ethernet switch. A few ports on the switch are connected to LAN ports on wireless routers, using them as APs. Now, the question would be, is there a method with which I can connect my wireless routers to the switch using the router's WAN port instead of the LAN ports. Also, if possible, would there be a difference in performance, stability etc. Thank you in advance for your replies. Have a nice day!

  • LAYER 8 Global Moderator

    Why would you want to use the wifi routers' WAN ports if you're using them as APs?  Do you want to NAT all your different wifi connections?  Or are you asking how to bridge the WAN to the LAN to get an extra port?  What model of wifi router are you using? Many have this feature, or if using 3rd party firmware it's possible.

    The 1  wan and 1 lan is a very common setup of pfsense..

    You ask about proper way, but then just ask about using WAN port on your AP??

  • Hi!

    My current setup uses the routers as APs, but it is not a requirement. The routers are TP Link TL-WR841N. I would like to use the WAN port to gain an extra LAN port, and to see if it is possible to use the WAN port instead of the LAN port.

  • LAYER 8 Global Moderator

    What does that have to do with network topology?

    Well don't see anything in the manual - but looks like that is supported by dd-wrt, this should allow you to leverage the WAN physical port as just another LAN port.

    But if you ask me if you need more ports, just get a switch.. You state you only have fast, why not go gig..  To be honest even gig is getting slow for the home - I don't see how anyone could be using 100mbit on their local network..  I would go insane..  Unless you like watching paint dry, or grass grow sort of thing

  • So if I understand correctly, there is no way of using the WAN port for what it is built for. It bugs me a lot that I have to plug my cable into the LAN port instead of the WAN port, like a small home network. It just feels weird. Also, while we are here, can you clarify why I cannot use the WAN port like a LAN port (on stock firmware)? What is the difference?

  • Banned

    TL-WR841N is meaningless. There are like zillions of revisions of this… Useless info. (You cannot install DD-WRT or pretty much anything else on the überjunky variants with 2MB of flash.)

    why i can not use the WAN port like a LAN port(on stock firmware)

    Dude, ask TP-Link. Not us.

  • LAYER 8 Global Moderator

    "like a small home network. It just feels weird. "

    What??? It's a FREAKING port that, since you're not using it as a router, you're not using.. Who cares.. Are you using all the other LAN ports?

    Any wifi router can be used as an AP, as I expect you know: turn off its DHCP, connect it to your network via LAN = AP.

    While it might not be exactly like the TP stuff - here is an example breakdown of an internal wifi router

    So you see how the WAN port is in a different VLAN from the other switch ports.  This is why you cannot use it like a normal port - if the native firmware does not allow you to change that setup, or 3rd party does not, then you cannot use it.  As dok so gracefully stated - ask them!

    It's possible the cheap little devices you're using do it a bit different, but this is one example of why you cannot use them, unless you have a way to change the config.

    Again - get a real switch, not some 100mbit thing if you need ports.  Get some real AP if you don't like having that WAN port stare out at you - real AP don't have "WAN" ports ;)

  • Thank you for your contribution johnpoz!

    Your answer and drawing made it clear to me as to why I cannot use the WAN as LAN. BTW we are currently planning the upgrade to our system, that is why I wanted to make some things clear.

  • LAYER 8 Global Moderator

    What is the stuff you're looking to upgrade?  What kind of budget do you have..  Can really get some good stuff for home budgets these days..

    Huge FAN of the sg300-10 switch from cisco, $180 on amazon is a steal!  Unifi make some very reasonable priced almost enterprise level AP $70, loaded features - controller in software, etc. etc..

  • We are planning on going all wireless. Having one server running pfsense and a switch (not cisco grade), and wireless routers would connect to a GE switch and act as APs probably. This would be the network of a dormitory with ~170 people. We think 10 routers would be enough for 50 rooms each having 3-4 people. What do you guys think? The budget is unknown. they told us to plan it and they will see. I think the routers would be TP-Link TL-WR1043ND.

  • LAYER 8 Global Moderator

    so you would buy wifi routers to use for APs.. When you're going to have 170 people??  WTF???

    Get REAL AP, with REAL controller..

    And does "not cisco grade" mean like a dumb switch, not managed?  Dude, those wifi routers are not even 5ghz??

    I would be looking at a PoE switch and real APs to set up such a network..

  • I've had great success with e2000 linksys with DDWRT using all 5 ports including the WAN, as LAN switch with wireless also.

    I do agree with others' comments though - for so many people I would get a serious switch and a serious AP.

    DDWRT doesn't make the best use of the hardware's ability where wireless is concerned.

    It works, but not as well as a good dedicated AP that hasn't been tampered with would work.

  • LAYER 8 Netgate

    People sweat the strangest shit.

  • LAYER 8 Netgate


    We are planning on going all wireless. Having one server running pfsense and a switch (not cisco grade), and wireless routers would connect to a GE switch and act as APs probably. This would be the network of a dormitory with ~170 people. We think 10 routers would be enough for 50 rooms each having 3-4 people. What do you guys think? The budget is unknown. they told us to plan it and they will see. I think the routers would be TP-Link TL-WR1043ND.

    You only need one router.  You probably need about 10 access points.  Maybe a couple more.  Depends on the building construction and your flexibility in radio placement.

    In that situation you can use just about any AP.  Your problem is going to be coverage, noise, and signal strength, not density of clients.  In a dorm/apartment/hotel scenario, you can't get enough clients connected to a decent AP to stress it (compared to, say, a stadium or a ballroom full of people).

    Look at Ubiquiti.  UAP-ACs (or UAP-PROs) will be more than good enough.  In fact, with a bunch of walls between your APs, You might even be able to get 4 (or even 8) channels together in a reasonable manner and actually take advantage of AC.

  • "People sweat the strangest shit."

    Depends on budget usually and application.  I use DDWRT for small home purposes only.

    It's definitely not an industrial strength solution.

  • I did some research about the mentioned UAP-AC and other APs and just wow… Amazing performance, specs etc. They claim that this AP can support 200+ users (if that is what concurrent user means) at a time, if I read this correctly. The building is 90m long and is a two storey building with 50 dorm rooms and some other rooms. With these specs one UAP-AC would be enough, but wouldn't that limit the bandwidth of one user (if we assume all people are on the network at one time) to 450 Mbps / 170 people = 2.65 Mbps? Because that is very low. This is of course when looking at the 2.4 GHz spectrum. Since we have a gigabit connection our theoretical maximum is somewhere around 0.75 MBps. I know we cannot exceed this limit when everybody is on the network. However I believe if we had only one router it would be under heavy load. I think 5 APs would be enough (tell me if not) to cover the whole building (not because of the range, these babies support up to 120m each) decently. The final setup would be something like Internet -> pfSense server -> 8 port GE switch -> POE adapters -> APs. Is this viable, what do you guys think? I need to plan this well because these cost 300 USD a piece.

  • If it were me I would stay away from PoE injectors, makes for a messy install. First your switch: something like this will do: although I myself would use this:

    As far as the access point goes, I have this one and it works quite well: But choose whatever you like.

    Wireless can be a little tricky so you have to do your homework. What you need is a site survey. So if you have an Android phone get an app called "wifinder" and install it on your Android phone. Then get a dual band Wi-Fi router and plug it in on your top floor and then walk around the floor and see how your signal is; if anywhere it falls down to 1 or 2 bars then I would mark the ceiling with a sticker or something indicating that an access point is needed there. If you are all good then go down to the next floor and repeat the steps. You want to have a 10% - 15% overlap of your Wi-Fi signal, that way your users will never drop a connection (if you name your SSIDs the same across APs).

  • I would like to know if I can use a PoE switch with just regular devices? I think yes, but just wanted to make sure. I looked at the items you linked. They are good, but I can't just buy them on eBay, they have to be sourced publicly. This network architecture has to be good for at least 5 years, that is why I think I will need the ac support and 5 GHz support.

  • If you want to take benefit of PoE you need devices which are PoE enabled. A PoE switch can be used for non-PoE devices but remember to disable PoE on the ports in question.

  • I get it now, thank you.

  • LAYER 8 Global Moderator

    Agree unifi would be low cost solution here..

    As to density of clients.. I would think you would stress the shit out of a home router device..  Everyone with their phones, and tablets and game consoles, etc..  Those 170 people are clearly going to have more than 1 wifi device..

    Those home routers are not even designed for mounting or good coverage.  They are designed to sit on your desk in a room in your house and give a very shitty area shitty coverage ;)

  • Good. Then I will start looking around for APs like the ones mentioned before (Unifi, EnGenius) plus a PoE+ switch. Yes, the clients all have multiple devices. That is why I am not sure about the number of APs. If we count all devices, that is about 340 devices. That is a LOT!

  • That's a lot of APs, potentially a lot of band crowding.

  • Yes, so is there a magic formula to determine the required number of APs for a network with a given number of users or devices?

  • LAYER 8 Global Moderator

    No there is no "magic" anything..  Taking a look at the layout and composition of building, what type of performance you want to provide along with number of devices and density of devices you determine number and location of the AP.

    This may need tweaking once network goes live with either addition, movement or settings for minrssi, etc. to provide best network for all users.

    Do a POC, get 1 or a few of the APs you're interested in and test their performance in your real world setup is what I would suggest.  Maybe even get a few different ones by brand or model, etc.

    Do you have any sort of real number of wifi devices to work with that have connected to your current network?  Do you have a listing of mac addresses?  Do you have users register their device to be able to get on?  Or we just taking a guess to number and type of devices that will be using the wifi?

    So you're not going to provide any sort of wire to the rooms?  This can take a load off your wifi if you allow users to say plug in some of their devices like laptops or PCs, etc.

  • I think you can get maximum density by using more APs at lower power settings.

  • @mir:

    If you want to take benefit of PoE you need devices which are PoE enabled. A PoE switch can be used for non-PoE devices but remember to disable PoE on the ports in question.

    You don't have to disable the PoE on a switch to hook it up to non-PoE devices. Please do some homework before you get started with this job, or just hire someone with some experience, or you will be spending more money to have them fix what you put in. The way PoE (not "some power injectors") works is that the device requests power. If my memory serves me correctly it is via a signal that, if not reflected back to the switch, will tell it not to send power to the device (I might have that reversed, look it up). PoE is designed to be compatible with non-PoE devices, regardless of polarity, but again I would caution: do some homework.

    If I were you, not to be discouraging, but I would get some students from the computer science department to come over and take care of the job. Wireless can be tricky and, like I said previously and I think Johnpoz has mentioned, you need to do some research first. Since you will be pulling wire, like Johnpoz has mentioned, why not put a data drop in every dorm room? That way you are covered for the future. It goes without saying, but it sounds like you are just starting out in this IT infrastructure stuff, but when you pull wire either for the APs and/or the dorm rooms make sure that you label each drop and punch them down onto a punch down block (patch panel), hopefully in a closet somewhere where you have security (a door with a lock).

  • LAYER 8 Netgate

    You are not going to cover that space with one access point.  Absolutely no way.  If you have acceptable coverage more than two or three rooms away and possibly from floor to floor directly above and below I would be surprised.

    Many pros use Fluke AirMagnet to do their surveys.  It's too expensive for only one job like this.  I bought a Mac app called NetSpot.  It allows you to upload a map or drawing of your space and walk around clicking where you're standing.  It will do passive (listening to the signal) or active (transmitting data and taking other metrics) surveys and you end up with what's known as a heat map.  Even the free version will probably do what you need (no active surveys and a 50 sample limit on surveys plus some other limitations in the data available I think.)

    You should really look at signal-to-noise ratio (in a high-noise environment you need more signal for the same throughput) but if you just look at the dBm and plan for nowhere in your space being lower than about -67 in the 5GHz band, you should be fine.  2.4GHz penetrates construction better so if you plan for 5 you'll be good on 2.4.

    Use that to determine placement of your APs and the number needed.

    Yes, use PoE switches.  Make sure you buy a good switch and buy APs that accept standard PoE or PoE+.  I have some of the bigger Ruckus APs and it's hit or miss if my little Cisco SF302P on my bench will power them, even though the Cisco says it meets the PoE+ specs (802.3at).  The Brocade 6430Ps and 6450Ps power them every time.

    Also, if you don't NEED AC, don't BUY AC.  You have to stack 4 or 8 channels together to get the extra throughput.  You will be limited to using 20 MHz channels on 2.4 GHz (channels 1, 6, and 11) and maybe 40 MHz channels on 5 GHz.

    You'll need to set the channels ensuring that the 2.4 channels are spaced as far away from each other as possible.  You can only do so much with only 3.

    1           11              6                1
           6             1               11


    Lock your channels down and turn off auto.

    In this environment you might or might not be better lowering power.  Probably not to minimize the number of APs needed.

    Note also that your AP placement should minimize the angles of penetration through walls as much as possible.  A piece of drywall can look like it's 6 inches thick to a radio wave if it's at a steep angle.
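An added worked example for the two checks in the post above (this is not code from the thread, from pfSense or from any AP vendor): flagging survey samples that miss the -67 dBm target or a usable signal-to-noise ratio, and staggering the three non-overlapping 2.4 GHz channels across neighbouring APs the way the 1/11/6/1 diagram does, by greedy graph colouring. The survey samples, the 20 dB SNR floor and the two-floor AP layout (which APs can hear each other) are constructed assumptions; in practice the neighbour list comes from the heat map.

```python
"""Two planning checks for the dorm Wi-Fi design discussed above.

Added illustration, not code from the forum, pfSense or Ubiquiti.
Survey samples, SNR floor and the AP layout are constructed for the example.
"""
from itertools import combinations

# Design target from the post: no spot weaker than -67 dBm on 5 GHz.
MIN_RSSI_DBM = -67
# Assumption for this example: below ~20 dB SNR throughput falls off sharply,
# so treat it as the floor (the post says to look at SNR, not only dBm).
MIN_SNR_DB = 20

# Constructed survey samples: (x_m, y_m, rssi_dbm, noise_floor_dbm)
SURVEY = [
    (5, 2, -52, -95),
    (15, 2, -61, -95),
    (25, 2, -70, -95),   # weak: below -67 dBm
    (35, 2, -66, -82),   # rssi ok, but a noisy spot: SNR only 16 dB
    (45, 2, -58, -95),
]


def weak_spots(samples, min_rssi=MIN_RSSI_DBM, min_snr=MIN_SNR_DB):
    """Return [((x, y), [reasons])] for samples failing RSSI or SNR."""
    out = []
    for x, y, rssi, noise in samples:
        snr = rssi - noise
        reasons = []
        if rssi < min_rssi:
            reasons.append(f"rssi {rssi} dBm < {min_rssi}")
        if snr < min_snr:
            reasons.append(f"snr {snr} dB < {min_snr}")
        if reasons:
            out.append(((x, y), reasons))
    return out


# 2.4 GHz: only three non-overlapping 20 MHz channels.
CHANNELS_24 = (1, 6, 11)


def assign_channels(aps, neighbours):
    """Greedy graph colouring: APs that can hear each other get different
    channels where possible. Most-constrained APs are coloured first.
    Returns ({ap: channel}, [(ap, ap) neighbour pairs still sharing a channel])."""
    order = sorted(aps, key=lambda a: -len(neighbours.get(a, ())))
    plan = {}
    for ap in order:
        used = {plan[n] for n in neighbours.get(ap, ()) if n in plan}
        free = [c for c in CHANNELS_24 if c not in used]
        if free:
            plan[ap] = free[0]
        else:
            # All three taken nearby: reuse the channel heard from the fewest neighbours.
            plan[ap] = min(CHANNELS_24, key=lambda c: sum(
                1 for n in neighbours.get(ap, ()) if plan.get(n) == c))
    conflicts = [(a, b) for a, b in combinations(sorted(aps), 2)
                 if b in neighbours.get(a, ()) and plan[a] == plan[b]]
    return plan, conflicts


# Constructed layout: 2 floors x 4 APs along a 90 m corridor. An AP hears its
# corridor neighbours, the AP directly above/below, and one diagonal neighbour.
APS = [f"f{f}-{i}" for f in (1, 2) for i in range(4)]
NEIGHBOURS = {ap: set() for ap in APS}


def _link(a, b):
    NEIGHBOURS[a].add(b)
    NEIGHBOURS[b].add(a)


for f in (1, 2):
    for i in range(3):
        _link(f"f{f}-{i}", f"f{f}-{i + 1}")   # along the corridor
for i in range(4):
    _link(f"f1-{i}", f"f2-{i}")              # floor directly above/below
for i in range(3):
    _link(f"f1-{i}", f"f2-{i + 1}")          # diagonal through floor/wall

if __name__ == "__main__":
    for pos, why in weak_spots(SURVEY):
        print("weak spot at", pos, "->", "; ".join(why))
    plan, conflicts = assign_channels(APS, NEIGHBOURS)
    for ap in APS:
        print(ap, "channel", plan[ap])
    print("unavoidable same-channel neighbours:", conflicts)
```

With the constructed layout the planner lands on the staggered 11/1/6/11 over 1/6/11/1 pattern with no two neighbours sharing a channel; add a second diagonal (so four APs all hear each other) and conflicts become unavoidable with only three channels, which is the "you can only do so much with only 3" point.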

  • LAYER 8 Netgate


    You don't have to disable the PoE on a switch to hook it up to non PoE devices.

    That depends on whether you want wired users to be able to pull PoE if they ask for it.

    Many PoE switches support power on every port but only have a power budget for a subset of ports at once.  In that situation if you were using the same switch for your APs and some public wired locations, it would probably be sound design to disable PoE on the wired ports.  Usually really easy to do with something like int eth 1/1/1 to 1/1/12; no inline power.

    Get a good switch.
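As an added example of the power-budget point made above (not from the thread, pfSense or any switch vendor): a small Python check that sums the worst-case per-port PSE power by IEEE class for the AP ports, compares it with the switch's total PoE budget, and emits "no inline power" lines for the public wired ports in the Brocade-like form quoted in the post. The 24-port layout, the 370 W budget and the exact interface syntax are assumptions.

```python
"""PoE budget check for one switch feeding APs plus public wired drops.

Added example for the discussion above; not from the forum, pfSense, Ubiquiti
or any switch vendor. Port list, budget figure and the config syntax are assumed.
"""

# Maximum power the PSE (switch port) must be able to supply per IEEE class.
# Switches usually reserve this worst-case figure per port at negotiation,
# which is why budgets run out before the APs' real draw would.
PSE_WATTS = {"802.3af": 15.4, "802.3at": 30.0}


def plan_poe(ports, budget_w):
    """ports: list of (port_name, role, poe_std_or_None).
    role 'ap'    -> powered device needing poe_std (802.3af / 802.3at)
    role 'wired' -> public user drop; inline power gets disabled there
    Returns worst-case draw, whether it fits the budget, and the port lists."""
    draw = 0.0
    powered, disable = [], []
    for name, role, std in ports:
        if role == "ap":
            if std not in PSE_WATTS:
                raise ValueError(f"{name}: unknown PoE standard {std!r}")
            draw += PSE_WATTS[std]
            powered.append(name)
        else:
            # A stranger's PD plugged into a public jack could otherwise request
            # power and eat into the budget reserved for the APs.
            disable.append(name)
    return {
        "worst_case_w": round(draw, 1),
        "fits": draw <= budget_w,
        "headroom_w": round(budget_w - draw, 1),
        "powered_ports": powered,
        "disable_poe_on": disable,
    }


def render_config(disable_ports):
    """Per-port lines disabling inline power (syntax assumed, Brocade-like)."""
    lines = []
    for p in disable_ports:
        lines.append(f"interface ethernet {p}")
        lines.append(" no inline power")
    return "\n".join(lines)


# Constructed example: 24-port PoE+ switch, 370 W budget (assumed figure),
# 10 APs on PoE+ (802.3at), remaining 14 ports are wired drops in common rooms.
PORTS = ([(f"1/1/{i}", "ap", "802.3at") for i in range(1, 11)]
         + [(f"1/1/{i}", "wired", None) for i in range(11, 25)])

if __name__ == "__main__":
    result = plan_poe(PORTS, 370)
    print(f"worst case {result['worst_case_w']} W, fits={result['fits']}, "
          f"headroom {result['headroom_w']} W")
    print(render_config(result["disable_poe_on"]))
```

Run it with a 180 W budget instead of 370 W and `fits` turns false: ten 802.3at ports reserve 300 W regardless of what the APs actually pull, which is the trap with switches that offer PoE on every port but only budget for a subset.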

  • Ok, so there are a lot of replies so I hope I will not forget anything. First of all, I am a computer science student, but very new to IT. Only been doing this for like 6 months or so and nothing serious so far. I do have a list of MAC addresses. There are no guests allowed, unless they are registered in the table. We have approximately 340 devices registered currently. So I have an exact number. The problem with testing some AP to see how it would fit our needs is that I don't have a budget for it. Either we buy everything at once or we don't buy anything. Stupid public sourcing thing… About the heat map. I can do it with the existing infrastructure, and it would give me some better understanding of the situation. The thing with PoE is if I stick with Unifi they ship their modules with PoE (I think injection maybe) modules, so I got that covered. The problem with cables is that I don't want to pull a cable to every room, or even to any room, because there are 3-4 students/room and each room would need a switch for everyone to be able to use cable. I want to go all wireless, plan for the future. Things are a little different here sadly :( They want people to create castles from dirt, and they expect us to do this network planning and construction with only 2-3 people. No technicians, no nothing, just 2-3 guys doing everything. So this is sad. I want ac because it will be good even after a few years, and we will not get budget for a new network until maybe 2025... The current architecture was built in, prepare for it, 2001-2003! So... I will try to dive deeper into network architecture, but there are too many variables and too money-grubbing a leadership.

  • And sorry if I came off a little rough, I don't want you to solve my problems, I only want you to help me a little along the way, and I also want to thank you for everything you did so far, because without you I would still be thinking about routers as APs and would not know there are waaaay better solutions than that :)

  • LAYER 8 Netgate

    I want ac because it will be good even after a few years, and we will not get budget for a new network only in maybe 2025…

    The physics of the bands are what they are.  Time is not going to change them.  I would focus on delivering solid N in 2.4 and 5 and you'll be ahead of most.  All AC does is stack more channels together to increase throughput.  If you want to reduce your available channels on 5GHz to make it like 2.4, 11ac is for you.

    There are some density improvements in 802.11ac (MU-MIMO) in the second wave of AC products.  I don't know who's shipping wave 2 yet, if anyone.

    If you want to build for AC, that's your decision.  Know that what you buy today will be obsolete (the old AC) in 6 months.

    You might call Ubiquiti and see if they'll send you a 30-day loaner.  Don't know if your project is large enough to get their attention, but worth a try.

  • Thank you for your information. If ac is not really worth it, is the 5 GHz band worth it? And how long do you guys think N will hold on? A couple of years? Will it be old in, say, 5 years? Because if I am not mistaken G was released in 2003 and N in 2009 and we are still supporting them. So yeah, maybe we should get a decent AP on the N channel. But 2.4 is getting crowded. At N rate in 2.4 or 5 GHz standard APs can do around 300 Mbps. Some claim 450 Mbps. They need AC in 5 GHz for 1300 Mbps if I am not mistaken. We have a gigabit connection. My opinion now is that we should go for the 2.4 / 5 GHz N capable APs. Am I right? 5 GHz to get some stress off the 2.4 band with the clients supporting 5 GHz.

  • Also, If money is not a question, then I would only gain with buying an AP supporting AC, or not?

  • LAYER 8 Netgate

    You are going to have to do 2.4 and 5 regardless.  AC is 5 only.  N is not going anywhere.

    You have lots of decisions to make.  Who cares if N or AC can do 1300Mbit/s if your internet pipe is only, say, 1000Mbits?  Remember that everyone has to share that.  A benefit to having faster wi-fi is reduced air time to get the same data onto the wire.

    Are your clients going to be isolated from each other or be able to communicate?  Do you want someone to be able to see everyone's network shares if they're both connected to the Wi-Fi or not?

    And people aren't going to get that if they're not in the same room with the AP.  And they won't get it anyway.  It's marketing hype.

  • WiFi is half duplex …. 1300 Mbit/s will "only" result in around 500-600 Mbit actual throughput in ideal circumstances.

    Also, the 1300 Mbit/s will only be achieved by using 80 MHz channels.
    In Europe only 5 non-overlapping 80 MHz channels are available for use on the 5 GHz band .... Only 1 of those can be used all the time, the other 4 are DFS channels and have to make way for other radio/radar interference when detected (= loss of connection for clients until they reconnect).

    imho the current 802.11ac is never gonna be a huge success in a corporate environment when dealing with multiple APs .... it might be OK if you just use one at home and don't have many neighbours.

  • LAYER 8 Netgate

    Yup.  Build for N.  20 MHz channels on 2.4 and 40 MHz channels on 5.  If you get that solid your users will be happy.

    If you really want them to be happy, budget in a small, low-power ESXi or XenServer platform (C2758?) so you can host things like the Ubiquiti controller, an additional caching DNS server, maybe a documentation web site or wiki, a dorm forum, or whatever, and, of course, your pfSense (which pretty much eliminates XenServer at the moment).

    Your biggest problem is going to be getting cat to where you should be mounting the APs.

    Figure $1000 for the switch, $1000 for the C2758, and 10 UAP-Pro APs at $220 each.  Assorted racks, jacks, cables, etc and you're looking at about $5k + labor to pull the cat.

  • @jkristof94:

    Also, If money is not a question, then I would only gain with buying an AP supporting AC, or not?

    You will only get full AC speed in close proximity to the AP (5-10m) with free line-of-sight and no obstacles/walls in-between. It is more likely to end up with N speed for most of your users anyway.
    And AC needs a hell lot of bandwidth in the pipeline - which is air. You cannot reserve it for you exclusively. So everything using these channels as well will have a negative effect on your throughput. And you will be amazed of what's in the air competing with you!
    BTW, you would need to connect two 1Gb/s cables bonded to each AP to push the full 1300Mbit/s between switchports and AP.
    Forget about AC, it's neither worth it nor doable in close density installs.

    Having said that, have a look at the Ruckus Wireless APs.
    Their ZoneFlex series uses beam-forming extensively to "shoot" to hosts, not crowding unnecessary areas.
    Look at the 7372 or R300 series devices.
    Have a look and some good reading at their TechTalk and White/Black Paper sections. Lots of knowledge there!

    Finally, you will want to "look" into your wireless domain for planning and solving problems.
    I found Metageek quite useful. If you cannot afford the Wi-spy spectrum analyzer then go with their WiFi-card only option, which is inSSIDer scan.

  • LAYER 8 Netgate

    7372s are amazing.  But they're about double the cost and with 10 I'd suggest a ZD1100 to go along with it.  Yes, it would work great.  A little spendy for this install.  The $5k quoted above will quickly become $10k plus annual maintenance.

    I'm sort of surprised OP's school doesn't have an overall wireless policy to follow.

  • Thank you for all the suggestions. I will reply to them as soon as I have time. Probably sometime in the evening (in my time zone).
