Wireless Access with an Existing Router in pfSense

wireless accessIf you have an existing wireless access point or a wireless router that you only want to use as an access point now that you have a pfSense router, there are several ways to incorporate wireless access into your network. We will discuss some of them in this article.

Wireless Access: Turning the Old Router into a WAP

When you replace a simple consumer-grade wireless router, the wireless functionality can be retained by turning the wireless router into a wireless access point (WAP) by following the steps described here. First, you will want to disable the DHCP server if it was previously in use. You will want pfSense to act as the DHCP server, and having two DHCP serviers on your network will cause problems.

Next, you will need to change the LAN IP to an unused IP on the subnet where your access point will reside (commonly the LAN interface). It is probably using the same IP address you will assign to the pfSense LAN interface, so it will require a different address. You will want to retain a functional IP address on the access point for management purposes.

Most wireless routers bridge the wireless onto the internal LAN port(s), which means the wireless will be on the same broadcast domain and IP subnet as the wired ports. For routers with an integrated switch, any of the switch ports will do. You do not, however, want to plug in the WAN or Internet port on your router. This will put your wireless network on a different broadcast domain from the rest of your network, and will result in NATing traffic between your wireless and LAN and double NATing traffic between your wireless and the Internet. This will lead to problems in some circumstances, especially if you need to communicate between your wireless clients and your wired LAN. Where you chose to plug in the LAN interface will depend on your chosen network design.

One means of deploying wireless is to plug the access point directly into the same switch as your LAN hosts, where the AP bridges the wireless clients onto the wired netwrk. This will work, but it offers limited control over the ability of your wireless clients to communicate with your internal systems. But if you want more control over your wireless clients, then adding an OPT interface to pfSense for your access point is the preferred solution. If you want to keep your wireless and wired networks on the same IP subnet and broadcast domain, you can bridge the OPT interface to your LAN interface. This scenario is essentially the same as plugging your access point directly into you LAN switch, except that since pfSense is in the middle, it can filter traffic from your wireless network to provide protection to systems connected to your LAN.

You can also put your wireless network on a dedicated IP subnet if you want, by not bridging the OPT interface on pfSense and assigning it with an IP subnet outside of your LAN subnet; this will enable routing between your internal and wireless networks, as permitted by your firewall rule set. This is done often on larger networks where multiple access points are plugged into a switch than in turn are plugged into the OPT interface on pfSense. It is also preferable when wireless clients must connect to a VPN first.

External Links:

pfSense: Associate with a Wireless Access Point at Addicted to IT

Ad Links:

Be Sociable, Share!

Speak Your Mind


© 2013 David Zientara. All rights reserved. Privacy Policy