• I'm having trouble getting wifi on the pfSense router going. My ideal setup is to have the router behind my modem, with a secondary router behind the pfSense router. My pfSense router has wifi built in, and I am trying to set them up because I want to drive my VPN service through it (and not through the secondary router).

    I can connect to the router via the LAN port, but when I try to get on the WiFi, it can't connect and won't assign me the IP. I also can't access the router's web config.

    I took some screenshots of my settings here: http://imgur.com/a/uMGTd

    Could anyone shed some light on what I'm missing?

    Thank you!


    1. Your WAN only has an upstream gateway for IPv6. You need to give it an IPv4 gateway if you are hoping to use IPv4 out to the internet.
    2. DHCP server is enabled on WAN - that is an odd thing to do.
    3. What firewall rules are on the WiFi interface? It will need some pass rules, otherwise no chance to connect anything from there.

  • Thanks for your input.

    I now have my pfSense router properly connecting to the internet via the LAN and WIFI interfaces. Additionally, I've installed OpenVPN and that is also working correctly. All traffic is going through the VPN.

    What I'm trying to do is:
    WIFI -> VPN -> WAN
    LAN -> WAN

    So that any, and only, devices connected to WIFI interface are using the VPN. Is this a Firewall rule, or a NAT configuration?

    Here are those current settings: http://imgur.com/a/wYzwV


  • a) NAT Outbound Mappings - that first entry for LAN, NATing it to LAN Address, is odd. You should not need to do that. The client LAN IPs will get NATed as they go out WAN or PIAVPN anyway.

    b) WAN Rules - there should be no need for any pass rules on WAN - that rule you have is allowing a load of incoming connects from the public internet.

    c) PIAVPN Rules - you should not need pass rules there either, since I don't expect you want to allow any incoming connects from the remote (PIA) end of the VPN. (Rules apply to allow/block of new connections, and are put on the interface that will receive the new connection attempts - so normally LAN and WiFi would have the pass rules. Once a connection is established, the firewall automagically allows the traffic in both directions for that connection (state))

    d) I expect that you have made PIAVPN gateway the default gateway, as you say all traffic is flowing across the VPN, good. If you want to divert some traffic out WAN (e.g. traffic from LAN) then put a rule on LAN that matches the traffic and (in the advanced rule section) select the WAN gateway. That will force the matching traffic out WAN (rather than via the VPN). If you want this to apply to all LAN traffic, then you can just edit the existing pass all rule on LAN.

    Then test with tracert from various devices to various places on the internet to verify that traffic is routing as you specified.


  • a) Removed
    b) Removed
    c) Removed
    d) What is the benefit of using the OpenVPN as the default gateway? I can get everything to work right now with the WAN as default gateway, and restricting the WIFI to use the VPN Gateway. Here are those settings: http://imgur.com/a/PTKI9

    This is a home setup. Are there additional rules I should be setting up for more strict protection? Is there too much traffic allowed?


  • d) You can do it either way around. For people who by default want to pass everything through the VPN (for security, privacy, whatever…) and just make some exceptions, they would make the VPN the default gateway. Then whatever traffic they have forgotten about will by default go across the VPN. Using WAN as the default gateway, then when you make some new interface/traffic pattern... it will flow across WAN and you have to think about it to push it across the VPN.

    I see there is a GW_WAN_IPv4 that is on interface LAN - that looks like a dud thing that might have happened if you added a gateway to LAN some time when playing around. There normally should not be any gateway on LAN - LAN traffic comes in and is then routed out to gateway(s) on WAN-type links.

    The fully open rules on LAN and WiFi are fine if you don't want to restrict any internal users. If you don't want the WiFi users to access stuff on LAN then you will need some restrictions there (e.g. if you give your WiFi for guests and don't want their virus-laden devices trying to break into your own devices on LAN...). Also if you want to restrict people to using the pfSense DNS (e.g. if you are going to do some filtering of DNS names with a service that "blocks out" translations of names that have content in unacceptable categories...), or want to actually put blocklists to filter "bad" sites (e.g. using the pfBlockerNG package) - then you make more complex block and pass rules.
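
An added example (not from the thread, and not pfSense's own code) that models the behaviour discussed above: rules are evaluated first-match on the interface that receives a new connection, a pass rule may pin a gateway, and anything without a pinned gateway follows the default gateway. The subnet, the `GUEST` interface and the gateway labels `WAN_GW` and `PIAVPN_GW` are assumptions made up for the illustration.

```python
import ipaddress

# Constructed values: subnet, interface names and gateway labels are assumptions.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(action, dst=ANY, gateway=None):
    """One interface rule; gateway=None means 'follow the default gateway'."""
    return {"action": action, "dst": dst, "gateway": gateway}

RULES = {
    "LAN":   [rule("pass", gateway="WAN_GW")],     # LAN -> WAN, pinned explicitly
    "WIFI":  [rule("block", dst=LAN_NET),          # keep WiFi clients off LAN hosts
              rule("pass", gateway="PIAVPN_GW")],  # everything else forced out the VPN
    "GUEST": [rule("pass")],                       # new interface, gateway forgotten
    "WAN":   [],                                   # no pass rules on WAN
}

def evaluate(rules, in_if, dst_ip, default_gw):
    """Return (action, gateway) for a new connection arriving on in_if.

    Rules are checked top-down and the first match wins. If nothing
    matches, the connection is denied (no pass rule, no connection).
    """
    dst = ipaddress.ip_address(dst_ip)
    for r in rules.get(in_if, []):
        if dst in r["dst"]:
            if r["action"] == "block":
                return ("block", None)
            return ("pass", r["gateway"] or default_gw)
    return ("block", None)

def egress_table(rules, default_gw, dst_ip="203.0.113.5"):
    """Map each internal interface to the gateway its internet traffic uses."""
    return {i: evaluate(rules, i, dst_ip, default_gw)[1]
            for i in ("LAN", "WIFI", "GUEST")}

if __name__ == "__main__":
    for gw in ("WAN_GW", "PIAVPN_GW"):
        print("default gateway", gw, "->", egress_table(RULES, gw))
    print("WIFI to LAN host:", evaluate(RULES, "WIFI", "192.168.1.10", "WAN_GW"))
```

Only the forgotten `GUEST` interface changes with the default gateway: it leaves unencrypted via WAN when WAN is the default, and via the VPN when the VPN is the default.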


  • Got it. Thank you so much for the help.