
Wireless Access Point Configuration in pfSense
October 27, 2013 by maximumdx
With a wireless card that supports hostap mode, pfSense can be configured as a wireless
access point. The following cards support hostap mode:
ath(4): Supports cards based on the Atheros AR5210, AR5211 and AR5212 chipsets.
ral(4): Ralink Technology wireless network driver supports cards based on the Ralink
RT2500, RT2501 and RT2600 chipsets.
wi(4): Supports cards based on Lucent Hermes, Intersil PRISM-II, Intersil PRISM-2.5,
Intersil Prism-3, and Symbol Spectrum24 chipsets. These cards support only 802.11b.
In the past, the access point functionality in FreeBSD has suffered from serious compatibility
problems with some wireless clients. With FreeBSD 7.0 and newer, this has improved
significantly; however, there may still be some incompatible devices. These difficulties with
client compatibility are not necessarily just a FreeBSD issue. Nevertheless, you may find that a
cheap consumer-grade wireless router running in access point mode may provide better
compatibility than FreeBSD's access point capabilities. There is the possibility of finding
incompatible devices with any wireless access point, and FreeBSD is no exception. With every
passing release of FreeBSD, wireless compatibility improves; however, it's probably a good idea
to check the AP compatibility list at pfsense.org.
As long as your wireless cards are compatible, configuring pfSense to act as a wireless access
point is fairly easy. Many of the options should be familiar if you have configured other wireless
routers before, and some options may be new unless you have used some commercial-grade
wireless equipment. There are many different ways to configure access points. In this article, we
will cover setting up pfSense as a basic wireless access point (AP) that uses WPA2 encryption.
Configuring pfSense as a Wireless Access Point
First, ensure that the wireless card is in the router, and the antenna is firmly attached. The
wireless card must be assigned as an OPT interface and enabled before the remaining
configuration can be completed. You need to navigate to Interfaces -> OPTn to begin
configuration. Naming the access point WLAN (Wireless LAN) or Wireless will make it
easy to identify a wireless interface in the list of interfaces. If you have a unique SSID, it may be
a good idea to use that in the description instead. If pfSense will be driving multiple access
points, there should be some way to distinguish them.
Next, since this will be a wireless access point on a dedicated IP subnet, you will need to set the
Type to Static and specify an IP Address and subnet mask. Since this is a separate subnet
from the other interfaces, it can be any subnet that is otherwise unused. For purposes of this
example, assume our subnet is 192.168.10.x.
You need to set the Wireless Standard setting, and there are several choices, including
802.11b, 802.11g, 802.11g turbo, 802.11a, and possibly others. Here, assume we choose
802.11g. Set the Mode field to Access Point, and pfSense will use hostapd to act as an AP.
Next you need to set the Service Set Identifier (SSID); this will be the name of the AP as seen by
clients. This should be something readily identifiable, yet unique to your setup.
Another setting is 802.11g only. This setting controls whether or not 802.11b clients are able to
associate with this access point. Allowing 802.11b clients to use your wireless access point may
be necessary in some environments if devices are still around that require it. Some devices such
as the Nintendo DS are only compatible with 802.11b and require a mixed network in order to
work. The down side of this is that you will see slower speeds as a result of allowing such
devices on your network, as the access point will have to cater to the lowest common
denominator when an 802.11b device is present.
Next, there is Allow intra-BSS communication. If you check this option, wireless clients will
be able to see each other directly, instead of routing all traffic through the AP. If clients will only
need access to the Internet, it is usually safer to uncheck this.
There is an option to Disable SSID Broadcasting. Normally, the AP will broadcast its SSID so
that clients can locate and associate with it easily. However, this is considered by many network
admins to be a security risk, as you are announcing to all who are listening that you have a
wireless network available. In most cases the convenience outweighs the security risk. At the
same time, the benefits of disabling SSID broadcasting are overblown, since it does not actually
hide the network from anyone capable of using many freely available wireless security tools that
easily find such wireless networks.
Next is Wireless Channel Selection. When selecting a channel, you want to be aware of any
nearby radio transmitters in similar frequency bands. In addition to wireless access points, there
are also cordless phones, Bluetooth, baby monitors, video transmitters, microwaves, and many
other devices that use the same 2.4 GHz spectrum that can cause interference. The safest channels
to use are 1, 6, and 11, since their frequency bands do not overlap each other. You can specify
Auto to tell the card to pick an appropriate channel, but this does not work with all wireless
cards.
Three types of encryption are supported for 802.11 networks: WEP, WPA, and WPA2. WPA2
with AES is considered the most secure. Even if you are not worried about encrypting the over-
the-air traffic, it provides an additional means of access control. A WPA/WPA2 passphrase is
also easier to work with and remember than a WEP key; it acts more like a password than a
really long string of hexadecimal characters. Some older devices only support WEP or WPA, but
most modern wireless cards and drivers will support WPA2. To enable WPA2, you need to
uncheck Enable WEP and check Enable WPA, and set the WPA Mode to WPA2. To use
WPA2+AES, set WPA Pairwise to AES.
This should be enough to get a wireless access point running with 802.11g with WPA2 + AES
encryption. There are other settings you can use to tweak the AP's behavior, but under most
circumstances they are not necessary. Press the Save button to save the settings and on the next
page press the Apply Changes button. Now your wireless access point should be up and
running.
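
As an added example (not from the original article or the pfSense project), the following Python check audits the same encryption choices, written in hostapd.conf syntax, against the WPA2 + AES setup described above. The option names are hostapd's own; the two sample configurations are constructed, and the article does not show the file pfSense actually generates.

```python
def parse_conf(text):
    """Parse hostapd.conf-style 'key=value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return findings where the config departs from WPA2 with AES (CCMP) only."""
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP key configured")
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0:
        findings.append("no WPA/WPA2 enabled")
    elif wpa & 1:
        findings.append("WPA (version 1) enabled")
    # hostapd: rsn_pairwise falls back to wpa_pairwise, which defaults to TKIP
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split()
    if wpa and pairwise != ["CCMP"]:
        findings.append("pairwise cipher is not CCMP-only")
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and not 8 <= len(phrase) <= 63:
        findings.append("passphrase must be 8 to 63 characters")
    return findings


# Constructed sample configurations (not taken from a real pfSense system)
WEAK = """
ssid=ExampleWLAN
wpa=3
wpa_pairwise=TKIP CCMP
wpa_passphrase=short
"""
GOOD = """
ssid=ExampleWLAN
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed example passphrase
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("good", GOOD)):
        print(name, audit(parse_conf(text)))
```

Note the fallback case: a file that sets wpa=2 but names no pairwise cipher is still flagged, because hostapd would then use its TKIP default.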
