Wireless Access Point Configuration in pfSense

With a wireless card that supports hostap mode, pfSense can be configured as a wireless access point. The following cards support hostap mode:

  • ath(4): Supports cards based on the Atheros AR5210, AR5211 and AR5212 chipsets.
  • ral(4): Ralink Technology wireless network driver – supports cards based on the Ralink RT2500, RT2501 and RT2600 chipsets.
  • wi(4): Supports cards based on Lucent Hermes, Intersil PRISM-II, Intersil PRISM-2.5, Intersil Prism-3, and Symbol Spectrum24 chipsets. These cards support only 802.11b.

In the past, the access point functionality in FreeBSD has suffered from serious compatibility problems with some wireless clients. With FreeBSD 7.0 and newer, this has improved significantly; however, there may still be some incompatible devices. These difficulties are not necessarily just a FreeBSD issue: incompatible devices can turn up with any wireless access point. Nevertheless, you may find that a cheap consumer-grade wireless router running in access point mode provides better compatibility than FreeBSD’s access point capabilities. Wireless compatibility improves with every release of FreeBSD, but it’s probably a good idea to check the AP compatibility list at pfsense.org.

As long as your wireless cards are compatible, configuring pfSense to act as a wireless access point is fairly easy. Many of the options should be familiar if you have configured other wireless routers before, and some options may be new unless you have used some commercial-grade wireless equipment. There are many different ways to configure access points. In this article, we will cover setting up pfSense as a basic wireless access point (AP) that uses WPA2 encryption.

Configuring pfSense as a Wireless Access Point

First, ensure that the wireless card is in the router, and the antenna is firmly attached. The wireless card must be assigned as an OPT interface and enabled before the remaining configuration can be completed. You need to navigate to Interfaces -> OPTn to begin configuration. Naming the access point “WLAN” (Wireless LAN) or “Wireless” will make it easy to identify a wireless interface in the list of interfaces. If you have a unique SSID, it may be a good idea to use that in the description instead. If pfSense will be driving multiple access points, there should be some way to distinguish them.

Next, since this will be a wireless access point on a dedicated IP subnet, you will need to set the “Type” to “Static” and specify an “IP Address” and subnet mask. Since this is a separate subnet from the other interfaces, it can be any subnet that is otherwise unused. For purposes of this example, assume our subnet is 192.168.10.x.

You need to set the “Wireless Standard” setting, and there are several choices, including 802.11b, 802.11g, 802.11g turbo, 802.11a, and possibly others. Here, assume we choose 802.11g. Set the “Mode” field to “Access Point”, and pfSense will use hostapd to act as an AP. Next you need to set the Service Set Identifier (SSID); this will be the name of the AP as seen by clients. This should be something readily identifiable, yet unique to your setup.

Another setting is “802.11g only”. This setting controls whether or not 802.11b clients are able to associate with this access point. Allowing 802.11b clients to use your wireless access point may be necessary in some environments if devices are still around that require it. Some devices such as the Nintendo DS are only compatible with 802.11b and require a mixed network in order to work. The downside is that you will see slower speeds as a result of allowing such devices on your network, as the access point will have to cater to the lowest common denominator when an 802.11b device is present.

Next, there is “Allow intra-BSS communication”. If you check this option, wireless clients will be able to see each other directly, instead of routing all traffic through the AP. If clients will only need access to the Internet, it is usually safer to uncheck this.

There is an option to “Disable SSID Broadcasting”. Normally, the AP will broadcast its SSID so that clients can locate and associate with it easily. However, this is considered by many network admins to be a security risk, as you are announcing to all who are listening that you have a wireless network available. In most cases the convenience outweighs the security risk. At the same time, the benefits of disabling SSID broadcasting are overblown, since it does not actually hide the network from anyone capable of using many freely available wireless security tools that easily find such wireless networks.

Next is “Wireless Channel Selection”. When selecting a channel, you want to be aware of any nearby radio transmitters in similar frequency bands. In addition to wireless access points, cordless phones, Bluetooth, baby monitors, video transmitters, microwaves, and many other devices use the same 2.4 GHz spectrum and can cause interference. The safest channels to use are 1, 6, and 11, since their frequency bands do not overlap each other. You can specify “Auto” to tell the card to pick an appropriate channel, but this does not work with all wireless cards.

Three types of encryption are supported for 802.11 networks: WEP, WPA, and WPA2. WPA2 with AES is considered the most secure. Even if you are not worried about encrypting the over-the-air traffic, it provides an additional means of access control. A WPA/WPA2 passphrase is also easier to work with and remember than a WEP key; it acts more like a password than a really long string of hexadecimal characters. Some older devices only support WEP or WPA, but most modern wireless cards and drivers will support WPA2. To enable WPA2, you need to uncheck “Enable WEP” and check “Enable WPA”, and set the “WPA Mode” to WPA2. To use WPA2+AES, set “WPA Pairwise” to AES.

This should be enough to get a wireless access point running with 802.11g with WPA2 + AES encryption. There are other settings you can use to tweak the AP’s behavior, but under most circumstances they are not necessary. Press the “Save” button to save the settings and on the next page press the “Apply Changes” button. Now your wireless access point should be up and running.
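Since pfSense hands the access point role to hostapd, the choices made above can be checked against a hostapd configuration file. The following is an added example, not code from pfSense or from the original article: it uses standard hostapd.conf option names, and the two sample configurations are constructed for illustration.

```python
NON_OVERLAPPING_24GHZ = {1, 6, 11}

def parse_hostapd_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings; an empty list means the config matches the article."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit field: 1 = WPA, 2 = WPA2, 3 = both
    if wpa == 0:
        findings.append("WPA disabled: network is open or WEP-only")
    elif wpa & 1:
        findings.append("legacy WPA (v1) allowed: set wpa=2 for WPA2 only")
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys configured: remove wep_* options")
    # rsn_pairwise selects the WPA2 ciphers and falls back to wpa_pairwise.
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if wpa and ciphers != ["CCMP"]:
        shown = " ".join(ciphers) or "unset"
        findings.append(f"pairwise cipher is not AES-only (CCMP): {shown}")
    psk = conf.get("wpa_passphrase")
    if psk is not None and not 8 <= len(psk) <= 63:
        findings.append("WPA passphrase must be 8 to 63 characters")
    # Assumption of this example: channel 0 or unset means automatic selection.
    channel = int(conf.get("channel", "0"))
    if conf.get("hw_mode") in ("b", "g") and channel and channel not in NON_OVERLAPPING_24GHZ:
        findings.append("2.4 GHz channel is not 1, 6 or 11")
    return findings

# Constructed sample: the 802.11g / WPA2 + AES setup described above.
GOOD = """
interface=ath0
ssid=ExampleWLAN
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=constructed-example-passphrase
"""
# Constructed sample: mixed WPA/WPA2, TKIP still allowed, overlapping channel.
WEAK = GOOD.replace("wpa=2", "wpa=3").replace("=CCMP", "=TKIP CCMP").replace("channel=6", "channel=3")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(parse_hostapd_conf(text)))
```

The audit covers only the encryption and channel settings; intra-BSS communication and SSID broadcasting are interface-level choices and are not checked here.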

External Links:

One pfSense wireless config to rule them all at www.interspective.net

© 2013 David Zientara. All rights reserved.