
Tuesday, July 10, 2012

One pfSense wireless config to rule them all

Configuring wireless for pfSense has been the cause of some confusion for many an unsuspecting first time user. I think this probably has something to do with pfSense being so flexible and the myriad of different ways wireless can be configured. In this post, I'll detail two different configurations and the howto of each so you can decide which is right for your setup.



Simply put, wireless configurations for pfSense can be either standalone, or bridged. Standalone configurations use a unique address range which is different from the local area network (LAN). Bridged configurations have the wireless interface linked with another interface (usually the LAN), which extends the network address range across both interfaces. Most off the shelf firewall / routers are configured with the LAN and WiFi bridged and this is what most people are usually trying to replicate using pfSense.

Seems rather simple? Well, it is really; however, where it gets tricky is deciding how to manage the traffic between these interfaces and where you apply your firewall rules.
Generally, people want to configure their LAN and WIFI interfaces in bridge mode with firewall rules for both interfaces. This allows a more granular configuration with a potentially different set of firewall rules for LAN and WiFi users while extending the network / broadcast domain over both interfaces.

Regardless of your configuration, the first thing you'll need to do is enable your wireless interface.

Navigate to Interfaces / OPT2, then select the Enable check box on the interface configuration page. If you're following my pfSense on ALIX guide it will be OPT2; otherwise navigate to Interfaces / (assign) and make sure that you've added the physical wireless interface to the pfSense interface list. I recommend the following settings for your wireless interface.
Set Name: WIFI
Set Standard: 802.11g
Set Channel: Auto
Configure: Regulatory Settings; relevant for your country
Set Mode: Access Point
Set SSID: SSID of the wireless network
Check: 802.11g only
Check: Enable WPA
Set The PSK: Your pre-shared key for clients to access the network
Set WPA mode: WPA2
Set WPA Key Management Mode: Pre Shared Key
Set Authentication: Open System Authentication
Set WPA Pairwise: AES
If you're configuring your WiFi network as standalone then you will need to set the Type as 'Static' and enter a unique IP address for the pfSense router's WiFi interface. For bridged configuration leave it as 'None'.

Click Save and then Apply Changes.

Standalone Configuration

With the wireless interface configured you're almost done. Navigate to the Services menu drop down and click on DHCP Server. You will need to select the WIFI tab and then fill out the DHCP options for your WiFi network.
Using this configuration you will probably want to allow your WiFi clients to access the Internet, pfSense and nothing else. You can do this with the following rules.


Just a note, the bottom rule has a destination of '! RFC1918', which is an Alias (see below). The exclamation mark at the beginning (!) means 'not', reversing the logic.
So the rule reads, any TCP/UDP traffic NOT destined for an RFC1918 (private network) address, stuff it out the WAN interface.
If you want to add an RFC1918 alias, navigate to the Firewall drop down and select Aliases. Create a new alias with the following options.


If you want to allow connectivity between your LAN and WiFi networks you will need to add the appropriate firewall rules for both interfaces.
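To make the "Internet and pfSense, nothing else" policy concrete, here is an added example (not part of the original post) that models the WIFI rule set described above and evaluates sample destinations against it the way pfSense does: top to bottom, first match wins, with the implicit default deny at the end. The interface addresses (192.168.2.1 for WIFI, 192.168.1.0/24 for LAN) and the exact rule list are assumptions constructed for the example; the RFC1918 ranges are the three private blocks the alias should contain.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet

# The three RFC1918 private ranges that the 'RFC1918' alias should contain.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed addressing for the standalone layout (constructed for this example):
# pfSense's WIFI interface address is 192.168.2.1; the LAN lives in 192.168.1.0/24.
WIFI_ADDRESS = ipaddress.ip_address("192.168.2.1")


@dataclass
class Rule:
    action: str                                        # "pass" or "block"
    protocols: FrozenSet[str]                          # empty set means any protocol
    dest_matches: Callable[[ipaddress.IPv4Address], bool]  # destination predicate
    description: str


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in alias)


# WIFI interface rules in evaluation order (first match wins). Constructed from the
# post's description: clients may reach pfSense itself and the Internet, nothing else.
# The second rule uses the negated alias '! RFC1918' as its destination.
WIFI_RULES = [
    Rule("pass", frozenset(), lambda d: d == WIFI_ADDRESS,
         "allow clients to reach pfSense (DHCP, DNS, web UI)"),
    Rule("pass", frozenset({"tcp", "udp"}), lambda d: not in_alias(d, RFC1918),
         "TCP/UDP to ! RFC1918, i.e. anything on the Internet"),
]


def evaluate(proto, dst):
    """Return (action, reason) for a packet of the given protocol to dst on WIFI."""
    dst = ipaddress.ip_address(dst)
    for rule in WIFI_RULES:
        if rule.protocols and proto not in rule.protocols:
            continue
        if rule.dest_matches(dst):
            return rule.action, rule.description
    # pfSense blocks anything that matched no rule on the interface.
    return "block", "default deny (no matching rule)"


if __name__ == "__main__":
    for proto, dst in [("udp", "192.168.2.1"), ("tcp", "8.8.8.8"),
                       ("tcp", "192.168.1.10"), ("icmp", "8.8.8.8")]:
        print(proto, dst, "->", evaluate(proto, dst))
```

Two things worth noticing when you run it: a WiFi client reaching a LAN host (192.168.1.10) falls through to the default deny, which is the intended isolation, and ICMP to the Internet is also denied because the '! RFC1918' rule only covers TCP/UDP. If you want WiFi users to be able to ping out, the pass rule's protocol needs to be widened or a separate ICMP rule added.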

Bridge Configuration

This configuration assumes that you already have a functioning LAN network with DHCP configured to assign IP addresses to connecting clients. Check my pfSense initial configuration with ADSL WAN post for instructions.

Navigate to Interfaces / (assign) and click on the Bridge tab. Create a new bridge like the following (hint you can select more than one interface by holding down the CTRL button).



*** UPDATE ***
You then need to navigate back to Interfaces / (assign) and, on the Interface Assignment tab, assign the newly created BRIDGE interface to LAN. This is the interface you want to assign your IP address to.

Click save and Apply Changes, then navigate to Firewall / Rules and make sure that you have Default allow all rules on both LAN and WIFI interfaces. You can add Reject rules as you see fit, or configure proper egress firewall rules for either interface. For example, you may want to reject SMTP connections for hosts on the WIFI segment.


If you have trouble with your wireless configuration, the first place to check is the firewall log. Navigate to Status / System Logs and click the Firewall tab and check what packets are being blocked. Nine times out of ten you will find that you're blocking traffic with a reject rule, or you don't have a valid allow rule for the interface.
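The firewall log check above is easier when the blocked entries are grouped rather than read line by line. The following added example (not from the original post) parses a handful of constructed log lines and counts what was blocked or rejected per interface, destination and port. It assumes the pfSense filterlog CSV layout (rule number, sub-rule, anchor, tracker, real interface, reason, action, direction, IP version, then the IPv4 header fields, protocol name, length, source, destination, and the TCP/UDP ports); the physical-to-friendly interface name mapping and the sample lines are constructed for the example.

```python
from collections import Counter

# Assumed mapping from pfSense's real (driver) interface names to friendly names.
IFACE_NAMES = {"vr0": "LAN", "ath0_wlan0": "WIFI"}

# Constructed sample log lines in the filterlog CSV layout described in the lead-in.
SAMPLE_LOG = """\
Jul 10 20:01:02 pfsense filterlog: 5,,,1000000103,ath0_wlan0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.2.20,192.168.1.10,51234,445,0,S,1,,65535,,mss
Jul 10 20:01:04 pfsense filterlog: 5,,,1000000103,ath0_wlan0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.2.20,192.168.1.10,51235,445,0,S,1,,65535,,mss
Jul 10 20:01:05 pfsense filterlog: 12,,,1000000105,ath0_wlan0,match,pass,in,4,0x0,,64,12347,0,DF,17,udp,78,192.168.2.20,192.168.2.1,5353,53,58
Jul 10 20:01:07 pfsense filterlog: 5,,,1000000103,ath0_wlan0,match,block,in,4,0x0,,64,12348,0,none,1,icmp,84,192.168.2.20,8.8.8.8,request,7,0
Jul 10 20:01:09 pfsense filterlog: 9,,,1000000110,vr0,match,reject,in,4,0x0,,64,12349,0,DF,6,tcp,60,192.168.1.10,192.168.2.20,40000,22,0,S,1,,65535,,mss
"""


def parse_filterlog(text):
    """Turn filterlog lines into dicts; only IPv4 entries are handled here."""
    entries = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue                       # not a firewall log line
        f = line.split("filterlog: ", 1)[1].split(",")
        if f[8] != "4":
            continue                       # IPv6 layout differs; skipped in this example
        proto = f[16]
        entry = {
            "iface": IFACE_NAMES.get(f[4], f[4]),
            "action": f[6],                # pass, block or reject
            "dir": f[7],
            "proto": proto,
            "src": f[18],
            "dst": f[19],
            "dport": int(f[21]) if proto in ("tcp", "udp") else None,
        }
        entries.append(entry)
    return entries


def summarize_blocks(text):
    """Count non-pass entries by (interface, action, proto, destination, port)."""
    counts = Counter()
    for e in parse_filterlog(text):
        if e["action"] == "pass":
            continue
        counts[(e["iface"], e["action"], e["proto"], e["dst"], e["dport"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_LOG):
        iface, action, proto, dst, dport = key
        print(f"{n:3d}  {iface:5s} {action:7s} {proto:5s} -> {dst}:{dport}")
```

Reading the summary tells you which of the two usual causes you are looking at: a "reject" line points at a reject rule you added (here SSH from LAN to a WiFi client), while "block" lines with no matching pass rule, such as the SMB attempts from WIFI to the LAN host, mean the interface simply has no allow rule for that traffic.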

4 comments:

  1. Thanks for the post. My wireless now works in Standalone mode!

  2. Your Bridge Configuration doesn't work. I would get weird results, e.g. DHCP would assign an address, but nothing seemed to work reliably from the bridged interfaces.

    I found this works like a charm:

    You have to assign each interface, set the type to none (including LAN).

    Assign the interfaces to a bridge.

    Go back to Interfaces > Assign, and assign the bridge interface you just created.

    Add the default allow from LAN rule to the bridge interface. Possibly a good idea to disable the rule on the original LAN interface?

    This bridge interface is now your "LAN" interface: set type to static IP, configure per a standard LAN interface, go to your DHCP settings, where the bridge interface should be the only one available to configure, and configure as required.

    Now everything just works.

    Replies
    1. Yes you're quite right. That's one step I've left out. You need to assign the bridge interface (usually to LAN). That way you can assign an IP address to the bridge interface. I will update the post to reflect this.

      Also, don't forget to check your firewall rules. If you have issues accessing the network, it will be because you have deny rules on one of the interfaces, either LAN, WIFI or BRIDGE.

      Josh.

  3. Thank you for the great tutorial! I was searching for a way to make my computer on the LAN network connect to the laptop on the Wifi network and use the MS Network for File and Printer Sharing.
