Simply put, wireless configurations for pfSense can be either standalone or bridged. Standalone configurations use their own address range, different from the local area network (LAN). Bridged configurations link the wireless interface with another interface (usually the LAN), which extends the network address range and broadcast domain across both interfaces. Most off-the-shelf firewall/routers ship with the LAN and WiFi bridged, and this is what most people are trying to replicate with pfSense.
Seems rather simple? It is, really. Where it gets tricky is deciding how to manage the traffic between these interfaces and where to apply your firewall rules.
Generally, people want to configure their LAN and WIFI interfaces in bridge mode with firewall rules for both interfaces. This allows a more granular configuration with a potentially different set of firewall rules for LAN and WiFi users while extending the network / broadcast domain over both interfaces.
Regardless of your configuration, the first thing you'll need to do is enable your wireless interface.
Navigate to Interfaces / OPT2 and tick the Enable checkbox on the interface configuration page. If you're following my pfSense on ALIX guide the wireless card will be OPT2; otherwise go to Interfaces / (assign) first and make sure the physical wireless interface has been added to the pfSense interface list. I recommend the following settings for your wireless interface.
- Set Name: WIFI
- Set Standard: 802.11g
- Set Channel: Auto
- Configure: Regulatory Settings; relevant for your country
- Set Mode: Access Point
- Set SSID: SSID of the wireless network
- Check: 802.11g only
- Check: Enable WPA
- Set The PSK: Your pre-shared key for clients to access the network (use a long, random passphrase: anyone who captures a client's WPA2 handshake can run an offline dictionary attack against the PSK)
- Set WPA mode: WPA2
- Set WPA Key Management Mode: Pre Shared Key
- Set Authentication: Open System Authentication
- Set WPA Pairwise: AES
Click Save and then Apply Changes.
Standalone Configuration
With the wireless interface configured you're almost done. Navigate to the Services menu drop down and click on DHCP Server. Select the WIFI tab, enable the server and fill out the DHCP options (a range inside the WIFI interface's subnet, DNS servers and so on) for your WiFi network.
Using this configuration you will probably want to allow your WiFi clients to reach the Internet and pfSense itself (for DNS), and nothing else. You can do this with the rules below.
Just a note, the bottom rule has a destination of '! RFC1918', which is an Alias (see below). The exclamation mark at the beginning (!) means 'not', inverting the match.
So the rule reads: pass any TCP/UDP traffic from the WiFi clients that is NOT destined for an RFC1918 (private network) address; pfSense then routes it out the WAN interface. Two things to keep in mind: pfSense evaluates the rules on an interface tab top to bottom and the first match wins, so a rule allowing DNS (TCP/UDP port 53) to the WIFI interface address must sit above this one, and because the rule lists only TCP/UDP, ICMP (ping) to the Internet will be blocked unless you add a rule for it. Keep the rule for pfSense itself limited to DNS rather than any port, so WiFi clients cannot reach the web GUI or SSH on the firewall.
If you want to add an RFC1918 alias, navigate to the Firewall drop down and select Aliases. Create a new alias of type Network named RFC1918 containing the three private ranges from RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
If you want to allow connectivity between your LAN and WiFi networks you will need to add the appropriate firewall rules for both interfaces. A rule belongs on the tab of the interface where the connection enters pfSense (LAN for connections started by LAN hosts, WIFI for connections started by WiFi clients); pfSense is stateful, so the replies are allowed automatically.
Bridge Configuration
This configuration assumes that you already have a functioning LAN network with DHCP configured to assign IP addresses to connecting clients. Check my pfSense initial configuration with ADSL WAN post for instructions.
Navigate to Interfaces / (assign) and click on the Bridge tab. Create a new bridge with the LAN and WIFI interfaces as members (hint: you can select more than one interface by holding down the CTRL key).
*** UPDATE ***
You then need to navigate back to Interfaces / (assign) and, on the Interface Assignment tab, assign the newly created BRIDGE interface to LAN. The bridge is the interface that carries the LAN IP address; the physical member interfaces stay enabled but with no IP address of their own (IPv4 Configuration Type set to None).
Click Save and Apply Changes, then navigate to Firewall / Rules and make sure that you have the default allow all rules on both LAN and WIFI interfaces (with pfSense's default tunables, net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0, rules are evaluated on the member interface tabs, not on the bridge itself). You can add Reject rules as you see fit, or configure proper egress firewall rules for either interface; remember that rules are matched top to bottom, so a reject rule has to sit above the allow all rule or it will never match. For example, you may want to reject outbound SMTP (TCP port 25) from hosts on the WIFI segment.
If you have trouble with your wireless configuration, the first place to check is the firewall log. Navigate to Status / System Logs, click the Firewall tab and see which packets are being blocked. Nine times out of ten you will find that you're blocking traffic with a reject rule, or that you don't have a valid allow rule for the interface.
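The same triage done over the raw log instead of the GUI, as an added example that is not part of the original post: a small Python parser for the pfSense filterlog CSV layout (the common fields rule, sub-rule, anchor, tracker, interface, reason, action, direction and IP version, followed by the IPv4 fields and then the TCP or UDP fields), run over constructed sample lines. The interface name ath0, the addresses and the rule and tracker numbers are made up for the example; the tracker ID is the value pfSense uses to tie a log entry back to the rule that produced it, so a repeated block entry with the same tracker points straight at the rule (or the missing allow rule) to fix.

```python
import csv
from collections import Counter

# Constructed sample lines in the pfSense filterlog CSV layout. The host is
# logging a WiFi client (192.168.2.20) hitting a LAN file server, trying DNS to
# the firewall's WIFI address, and browsing to an Internet host. All values are
# made up for this example.
SAMPLE_LOG = """\
Jan 10 21:05:11 pfsense filterlog: 5,16777216,,1000000103,ath0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.20,192.168.1.10,51234,445,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Jan 10 21:05:12 pfsense filterlog: 5,16777216,,1000000103,ath0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.20,192.168.1.10,51235,445,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Jan 10 21:05:15 pfsense filterlog: 5,16777216,,1000000103,ath0,match,block,in,4,0x0,,64,0,0,none,17,udp,60,192.168.2.20,192.168.2.1,53012,53,40
Jan 10 21:05:20 pfsense filterlog: 63,,,1000000108,ath0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.20,198.51.100.10,51300,443,0,S,2234567890,,65535,,mss;sackOK;TS;nop;wscale
"""

# Field names in filterlog order.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]


def parse_filterlog(text):
    """Return one dict per filterlog line. Only IPv4 TCP/UDP lines get ports;
    other protocols keep the common and IPv4 fields only."""
    entries = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue
        payload = line.split("filterlog: ", 1)[1]
        fields = next(csv.reader([payload]))      # the payload is plain CSV
        entry = dict(zip(COMMON, fields[:9]))
        rest = fields[9:]
        if entry["ipver"] == "4":
            entry.update(zip(IPV4, rest[:11]))
            rest = rest[11:]
            if entry["proto"] in ("tcp", "udp"):
                entry["sport"], entry["dport"] = int(rest[0]), int(rest[1])
        entries.append(entry)
    return entries


def blocked_summary(entries):
    """Count blocked flows by interface, protocol, destination, port and the
    tracker ID of the rule that logged them."""
    counts = Counter()
    for e in entries:
        if e["action"] != "block":
            continue
        key = (e["iface"], e.get("proto", "?"), e.get("dst", "?"), e.get("dport"), e["tracker"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    summary = blocked_summary(parse_filterlog(SAMPLE_LOG))
    for (iface, proto, dst, dport, tracker), n in summary.most_common():
        print(f"{n:3} x {iface} {proto} -> {dst}:{dport}  (tracker {tracker})")
```

On a real box the same data comes from /var/log/filter.log (the clog-wrapped or plain file, depending on the pfSense version), so the parser can be fed with the output of the log viewer instead of the embedded sample. In the sample, the blocked DNS request to 192.168.2.1 is the classic missing-allow-rule case from the standalone configuration: the Internet rule never matches a private address, so the request falls through to the default deny.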