    Configure wireless AP to have WIFI and LAN on the same network

    • D
      d82k last edited by

      Dear all,

      I would like to configure my pfSense so that it will also act as a wifi access point: wifi clients will undergo the same rules as LAN clients (e.g. DHCP, firewall, routing, …) and have one network for LAN and wifi.
      This is my current configuration, but I'm not sure that this is the correct or best one.
      In this way the LAN and WIFI clients are using the DHCP, and both clients can ping each other.

      Interface: assign:

      • WAN igb0
      • LAN BRIDGE0 (LAN WIFI Bridge)
      • WIFI ath0
      • LAN_PORT igb1

      Interface: Wireless:

      • none

      Interface: Bridge:

      • BRIDGE0 WIFI, LAN_PORT

      Interface: LAN
      Enabled, IP config: static

      Interface: LAN_PORT
      Enabled, IP config: none

      Interface: WIFI
      Enabled, IP config: none

      Services: DHCP server
      DHCP enabled

      Firewall rules: LAN


      | Proto | Source | Port | Destination | Port | Gateway | Queue |
      | --- | --- | --- | --- | --- | --- | --- |
      | IPv4* | LAN net | * | * | * | * | none |


      Firewall rules: WIFI


      | Proto | Source | Port | Destination | Port | Gateway | Queue |
      | --- | --- | --- | --- | --- | --- | --- |
      | IPv4* | * | * | * | * | * | none |


      Firewall rules: LAN_PORT


      | Proto | Source | Port | Destination | Port | Gateway | Queue |
      | --- | --- | --- | --- | --- | --- | --- |
      | IPv4* | * | * | * | * | * | none |


      I'm not convinced by the bridge and firewall rules.
      I was not able to find a tutorial or a guide that describes how to do it.

      Can you please suggest how I can improve it?

      Thank you for your support,
      dk

      • ?
        Guest last edited by

        My 2 cents on this would be the following;

        • do a fresh install of the 64-bit version 2.2.6 or 2.3RC
        • configure the WAN and LAN part as usual
        • set up the WiFi card in AP mode
        • give the LAN and the WiFi a dedicated IP address range
        • activate the client isolation in WiFi
        • then create the matching rules according to the setup

        If a client like a laptop is able to connect over WiFi or the copper-based LAN and it gets two IP addresses
        from the same IP address range, it would more or less get into trouble with that config. With two different
        IP address ranges it will be OK! Why were you bridging the WAN port too? You were asking about bridging the
        LAN and WiFi parts together, but why is the WAN interface also bridged?

        • D
          d82k last edited by

          Thank you for your reply.

          I'm not sure I have understood correctly what you mean…
          The idea is to have one network 192.168.1.0/24 where both LAN and WIFI interfaces are connected sharing the same DHCP service and one GW 192.168.1.1
          Your suggestion is to have LAN on 192.168.1.0/24 and WIFI on 192.168.2.0/24 with two different gateways and two different DHCP services, right?
          Plus why should I activate the wifi client isolation if I want clients from LAN and WIFI to see and connect to each other?

          For the bridging, BRIDGE0 is between WIFI and LAN and not involving WAN.

          I currently run 2.2.6-RELEASE (amd64).
          Thank you for your support,
          dk

          • P
            pLu last edited by

            I've done it the easy way where LAN is still assigned to the LAN (igb1) with the drawback that wifi goes down if the LAN port goes down, but that's not really an issue since I have a switch on that port and bigger issues if the switch goes down. So my BRIDGE0 is LAN, WIFI. A configuration that is easy to back out of.

            Not saying you're doing it wrong! It looks good to me but your firewall rules can be hardened.

            • ?
              Guest last edited by

              "Your suggestion is to have LAN on 192.168.1.0/24 and WIFI on 192.168.2.0/24 with two different gateways and two different DHCP services, right?"

              This is right, and depending on my security settings; perhaps you are running other things than me,
              but I would not be happy with one big LAN for LAN and WiFi.

              • LAN clients connected over LAN cables are secured over LDAP in some separate VLANs
              • WLAN clients connected over WiFi are secured over Radius server with certificates in a separate VLAN
              • WLAN clients from guests are secured over a Captive Portal with vouchers in a separate VLAN

              "Plus why should I activate the wifi client isolation if I want clients from LAN and WIFI to see and connect to each other?"

              The WiFi client isolation is only for the WiFi clients, so that you are not able to search inside the tablet computers
              or smartphones of WiFi users! From WiFi to LAN you can touch what you want to, according to your
              firewall rules.

              "For the bridging, BRIDGE0 is between WIFI and LAN and not involving WAN."

              This was not really clear to me from your first post, sorry for that, I was thinking also the WAN port
              was bridged.

              I would even try to narrow down the size of the broadcast domain to get fast success in finding issues or
              failures and solving them, and based on the security level I prefer, the rest is self-explanatory.

              • D
                d82k last edited by

                Your answer makes sense; I understand your point of view now.
                This is my fault: I forgot to specify that I'm in a home environment with a few LAN and wifi connected clients, so that's why I'm thinking of having one single network for both LAN and wifi clients.

                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  "so that's why I'm thinking of having one single network for both lan and wifi clients."

                  Why, what do you think that buys you?? Makes no sense to put your wired and wifi on the same broadcast domain other than not wanting any sort of control at all..

                  • D
                    d82k last edited by

                    Thank you for your replies.
                    So the best thing, also in a home environment, would be to have the WIFI interface with an assigned IP (192.168.2.1) on a different network from the LAN interface (192.168.1.1) with a separate DHCP and then have FW rules allowing traffic from LAN to WIFI and vice versa.
                    In this way LAN clients will use one gateway (.1.1) while wifi clients will use another one (.2.1).
                    Did I understand correctly?

                    ps: in the meantime I updated to 2.3

                    • ?
                      Guest last edited by

                      "Did I understand correctly?"

                      Depending on your firewall rules, pfSense will route the entire traffic between these two IP ranges.

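The rule behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of per-interface rule evaluation (top-down, first match wins, default deny) applied to the 192.168.1.0/24 and 192.168.2.0/24 ranges from the thread. The `Source *` rule is the one shown for the WIFI tab in the first post; the two tightened rule sets, the sample packets and all names are assumptions, and ports, protocols, states and floating rules are ignored.

```python
import ipaddress
from dataclasses import dataclass

# Ranges from the thread; everything else here is constructed for illustration.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network     # Source column
    dst: ipaddress.IPv4Network     # Destination column

def evaluate(rules, src, dst):
    """First matching rule decides; a packet matching nothing is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "block"

# WIFI tab as posted in the thread: source *, destination *.
WIFI_AS_POSTED = [Rule("pass", ANY, ANY)]
# Hypothetical tightening: only addresses that belong on WIFI may be a source.
WIFI_SOURCE_LIMITED = [Rule("pass", WIFI_NET, ANY)]
# Hypothetical guest-style policy: WIFI reaches everything except LAN.
WIFI_NO_LAN = [Rule("block", WIFI_NET, LAN_NET), Rule("pass", WIFI_NET, ANY)]

# Constructed sample packets arriving on WIFI: (source, destination).
SAMPLES = [
    ("192.168.2.50", "192.168.1.10"),   # WIFI client to a LAN host
    ("192.168.2.50", "203.0.113.7"),    # WIFI client to an outside address
    ("10.9.9.9", "192.168.1.10"),       # source that does not belong on WIFI
]

def compare():
    """Map each sample packet to its verdict under the three rule sets."""
    sets = (WIFI_AS_POSTED, WIFI_SOURCE_LIMITED, WIFI_NO_LAN)
    return {pkt: tuple(evaluate(r, *pkt) for r in sets) for pkt in SAMPLES}

if __name__ == "__main__":
    for pkt, verdicts in compare().items():
        print(pkt, verdicts)
```

Only the source-limited rule sets drop the packet whose source address is outside the WIFI range, and only the last one keeps WIFI clients away from LAN hosts while still passing their other traffic.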