Configure wireless AP to have WIFI and LAN on the same network



  • Dear all,

    I would like to configure my pfsense so that it will act also as wifi access point: wifi clients will undergo the same rules of LAN clients (e.g. DHCP, firewall, routing, …) and have one network LAN and wifi.
    This is my current configuration, but I'm not sure that this is the correct or best one.
    In this way the LAN and WIFI clients are using the DHCP, and both clients can ping each other.

    Interface: assign:

    • WAN igb0
    • LAN BRIDGE0 (LAN WIFI Bridge)
    • WIFI ath0
    • LAN_PORT igb1

    Interface: Wireless:

    • none

    Interface: Bridge:

    • BRIDGE0 WIFI, LAN_PORT

    Interface: LAN
    Enabled, IP config: static

    Interface: LAN_PORT
    Enabled, IP config: none

    Interface: WIFI
    Enabled, IP config: none

    Services: DHCP server
    DHCP enabled

    Firewall rules: LAN


    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | LAN net | * | * | * | * | none |


    Firewall rules: WIFI


    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | * | * | * | * | * | none |


    Firewall rules: LAN_PORT


    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | * | * | * | * | * | none |


    I'm not convinced by the bridge and firewall rules.
    I was not able to find a tutorial or a guide that describes how to do it.

    Can you please suggest me how to improve?

    Thank you for your support,
    dk



  • My 2 cents on this would be the following;

    • do a fresh install, 64-bit version 2.2.6 or 2.3RC
    • configure the WAN and LAN part as usual
    • set up the WiFi card in AP mode
    • give the LAN and the WiFi a dedicated IP address range
    • activate the client isolation in WiFi
    • create the matching rules according to the setup

    If a client like a laptop is able to connect over WiFi or the copper-based LAN and gets two IP addresses
    from the same IP address range, it would more or less get into trouble with that config. With two different
    IP address ranges it will be ok! Why were you bridging the WAN port too? You were asking about bridging the
    LAN and WiFi part together, but why is the WAN interface also bridged?



  • Thank you for your reply.

    I'm not sure I have understood correctly what you mean…
    The idea is to have one network 192.168.1.0/24 where both LAN and WIFI interfaces are connected, sharing the same DHCP service and one GW 192.168.1.1.
    Your suggestion is to have LAN on 192.168.1.0/24 and WIFI on 192.168.2.0/24 with two different gateways and two different DHCP services, right?
    Plus, why should I activate the wifi client isolation if I want clients from LAN and WIFI to see and connect to each other?

    For the bridging, BRIDGE0 is between WIFI and LAN and does not involve WAN.

    I currently run 2.2.6-RELEASE (amd64).
    Thank you for your support,
    dk



  • I've done it the easy way where LAN is still assigned to the LAN (igb1) with the drawback that wifi goes down if the LAN port goes down, but that's not really an issue since I have a switch on that port and bigger issues if the switch goes down. So my BRIDGE0 is LAN, WIFI. A configuration that is easy to back out of.

    Not saying you're doing it wrong! It looks good to me but your firewall rules can be hardened.



    Your suggestion is to have LAN on 192.168.1.0/24 and WIFI on 192.168.2.0/24 with two different gateways and two different DHCP services, right?

    This is right and depends on my security settings; perhaps you are running other things than me,
    but I would not be happy with one big LAN for LAN and WiFi.

    • LAN clients connected over LAN cables are secured over LDAP in some separate VLANs
    • WLAN clients connected over WiFi are secured over a Radius server with certificates in a separate VLAN
    • WLAN clients from guests are secured over a Captive Portal with vouchers in a separate VLAN

    Plus, why should I activate the wifi client isolation if I want clients from LAN and WIFI to see and connect to each other?

    The WiFi client isolation is only for the WiFi clients, so that you are not able to search inside the tablet computers
    or smartphones of WiFi users! From WiFi to LAN you can touch whatever you want according to your firewall rules.

    For the bridging, BRIDGE0 is between WIFI and LAN and does not involve WAN.

    This was not really clear to me from your first post, sorry for that; I was thinking the WAN port
    was also bridged.

    I would even try to narrow down the size of the broadcast domain to find issues or failures quickly and
    solve them, and based on the security level I prefer, the rest is self-explanatory.



  • Your answer makes sense, I understand your point of view now.
    This is my fault, I forgot to specify that I'm in a home environment with a few LAN and wifi connected clients, so that's why I'm thinking of having one single network for both LAN and wifi clients.


  • LAYER 8 Global Moderator

    "so that's why I'm thinking of having one single network for both lan and wifi clients."

    Why, what do you think that buys you??  Makes no sense to put your wired and wifi on the same broadcast domain other than not wanting any sort of control at all..



  • Thank you for your replies.
    So the best thing, also in a home environment, would be to have the WIFI interface with an assigned IP (192.168.2.1) on a different network from the LAN interface (192.168.1.1) with a separate DHCP, and then have FW rules allowing traffic from LAN to WIFI and vice versa.
    In this way LAN clients will use one gateway (.1.1) while wifi clients will use another one (.2.1).
    Did I understand correctly?

    ps: in the meantime I updated to 2.3



  • Did I understand correctly?

    Depending on your firewall rules, pfSense will route the entire traffic between these two IP ranges.
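To make the routed two-subnet layout recommended in the replies concrete, here is a hand-written pf.conf rendering of it (an added example, not pfSense's generated ruleset; pfSense builds its rules from the GUI, so this is the equivalent in plain pf syntax). The interface names igb0, igb1, ath0 and the 192.168.1.0/24 and 192.168.2.0/24 ranges are the ones from this thread; it also shows the hardening hinted at above, limiting each interface's pass rule to that interface's own subnet as source instead of `*`.

```pf
# Interfaces and networks as named in the thread
wan      = "igb0"
lan      = "igb1"            # wired LAN, firewall holds 192.168.1.1/24
wifi     = "ath0"            # WiFi card in AP mode, firewall holds 192.168.2.1/24
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"

set skip on lo0
scrub in all

# Outbound NAT for both internal subnets towards the WAN
nat on $wan inet from { $lan_net, $wifi_net } to any -> ($wan)

# Default deny; everything that is allowed creates state below
block log all

# Drop packets arriving on the wrong interface for their source network
antispoof quick for { $lan, $wifi }

# DHCP requests come from 0.0.0.0 and would not match the subnet rules,
# so let them through explicitly on both internal interfaces
pass in quick on { $lan, $wifi } inet proto udp from any port 68 to any port 67

# Wired LAN: source restricted to LAN net (mirrors the "LAN net" rule in the first post)
pass in quick on $lan inet from $lan_net to any keep state

# WiFi: a "*" source would accept anything, so restrict it to WIFI net.
# "to any" also allows WiFi -> LAN as asked; narrow the destination or
# protocols here if WiFi clients only need specific LAN services.
pass in quick on $wifi inet from $wifi_net to any keep state

# Traffic originated by the firewall itself (DNS forwarder, updates, ...)
pass out quick inet keep state
```

With this layout, LAN and WiFi clients reach each other through pfSense as a router rather than sharing one broadcast domain, so each direction of that traffic is visible in the firewall log and can be restricted per rule.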

