pfSense as an Access Point

With a wireless card that supports hostap mode (See Cards Supporting Access Point (hostap) Mode), pfSense can be configured as a wireless access point.

Should an external AP or pfSense be used for an access point?

The access point functionality in FreeBSD, and thus pfSense, has improved dramatically over the years and is considered stable currently for most uses. That said, many use cases behave better with an external access point, especially deployments that have requirements such as 802.11ac, concurrent operation in 2.4GHz and 5GHz, wireless mesh networks, or rare cases with clients that will not associate with an access point run using pfSense.

Access points on pfSense have been used with success in small-to-medium deployments, with gear such as a MacBook Pro, Apple AirTunes, iPod Touch, iPad, Android phones and tablets, various Windows laptops, Xbox, and FreeBSD clients and it works very reliably across all these devices. There is the possibility of finding incompatible devices with any access point, and FreeBSD is no exception.

The main deciding factor these days is 802.11n or 802.11ac support; Support for 802.11n hardware in pfSense is somewhat limited and 802.11ac support does not exist. This is a deal breaker for some, and as such using an external access point would be best for networks requiring 802.11ac and in some cases 802.11n if suitable hardware cannot be obtained.

The next most common factor is location of the antennas or the wireless access point in general. Often, the firewall running pfSense is located in an area of the building that is not optimal for wireless, such as a server room in a rack. For ideal coverage, the best practice is to locate the AP in an area that is less susceptible to wireless interference and that would have better signal strength to the area where wireless clients reside. If the firewall running pfSense is located alone on a shelf in a common area or other similar area conducive to good wireless signal, this may not be a concern.

Configuring pfSense as an access point

The process of configuring pfSense to act as a wireless access point (AP) is relatively easy. Many of the options will be familiar to anyone who has configured other wireless routers before, and some options may be new unless commercial-grade wireless equipment has been used. There are dozens of ways to configure access points, and they all depend upon the environment in which it will be deployed. In this example pfSense is configured as a basic AP that uses WPA2 encryption with AES. In this example, ExampleCo needs wireless access for some laptops in the conference room.

Preparing the Wireless Interface

Before starting, ensure that the wireless card is installed in the firewall and the pigtails and antennas are firmly attached.

Create the wireless instance as described in Creating and Managing Wireless Instances if it does not already exist. When working as an access point, it must use Access Point mode. The wireless card must be assigned as an OPT interface and enabled before the remaining configuration can be completed.

Interface Description:
 When in use as an access point, naming the interface WLAN (Wireless LAN) or Wireless, or naming it after the SSID makes it easier to identify. If pfSense will be driving multiple access points, there should be some way to distinguish them, such as “WLANadmin” and “WLANsales”. In this example, it is named ConfRoom.
Interface Type:Since this example will be an AP on a dedicated IP subnet, the IPv4 Configuration Type must be set to Static IPv4
IP Address:An IPv4 Address and subnet mask must be specified. This is a separate subnet from the other interfaces. For this example it can be 192.168.201.0/24, a subnet that is otherwise unused in the ExampleCo network. Using that subnet, the IPv4 Address for this interface will be 192.168.201.1.

Common Wireless Settings

These settings are shared for all VAPs on a given physical wireless card. Changing these settings on one interface will change them on all other virtual interfaces using the same physical adapter.

Persist common settings:
 

By checking Persist common settings, the configuration values in this section will be preserved even if all the interfaces and VAPs are deleted or reassigned, when they would otherwise be lost.

Wireless Standard:
 

Depending upon hardware support, there are several choices available for the wireless Standard setting, including 802.11b, 802.11g, 802.11g turbo, 802.11a, 802.11a turbo, 802.11ng, 802.11na, and possibly others. For this example, we will choose 802.11ng for an 802.11n access point operating in the 2.4GHz band.

802.11g OFDM Protection Mode:
 

The 802.11g OFDM Protection Mode setting is only useful in mixed standard environments where 802.11g and 802.11b have to interact. Its primary use is for avoiding collisions. Given the age of 802.11b and scarcity of working devices that use it, the setting is best left at Protection mode off. There is a performance penalty for using it, since it has some overhead on each frame and also requires extra steps when transmitting frames.

Wireless Channel Selection:
 

When selecting a Channel, knowledge of nearby radio transmitters in similar frequency bands is required to avoid interference. In addition to wireless access points, there are also cordless phones, Bluetooth, baby monitors, video transmitters, microwaves, and many other devices that utilize the same 2.4 GHz spectrum that can cause interference.

Often any channel will work so long as the AP clients are near the antenna. With 802.11g and before, the safest channels to use were 1 , 6 , and 11 since their frequency bands did not overlap each other. This is no longer true with 802.11n and later or even some 802.11g setups which use wider ranges of frequencies to attain higher speeds. For this network, since there are no others around, channel 1 is a fine choice.

Note

Always pick a specific channel. Do not select Auto for the channel of an Access Point. The input validation on current versions of pfSense prevents this from being selected.

When using other standards, or using wireless in countries other than the US, there may be many more channels available than described here. Cards that support 802.11a or 802.11n may also support channels in the 5 GHz spectrum.

The full list of channels supported by the card is shown in the Channel drop- down and must agree with the chosen Standard. For example, do not choose 802.11ng for the Standard and then pick a Channel used only for 802.11na. The channel list also includes some information about the standard, frequency of the channel, and the maximum transmit power both of the card and in the regulatory domain for that particular channel. Be careful to watch the power when selecting a channel, because some channels, especially in the 5GHz band, vary widely in their allowed power levels.

See also

Survey tools such as NetSurveyor, InSSIDer, Wi-Spy, and countless other apps for various operating systems, phones, tablets, and so on may help to choose a less busy channel or area of the spectrum. Mileage may vary.

Distance setting:
 

Measured in meters, and only supported by Atheros cards, The Distance Setting field tunes ACK/CTS timers to fit the distance between AP and Client. In most cases it is not necessary to configure this value, but it may help in certain tricky wireless setups such as long-range clients.

Regulatory settings

The Regulatory settings section controls how the card is allowed to transmit legally in a specified region. Different countries typically have different regulatory settings, and some countries have none. If unsure, check with the local government to see which laws apply in a given area. The default values are usually OK, as the cards may be set to a specific region already. In some cases Regulatory settings must be set manually if the card has a default not understood by the driver. Similar to the previous section, these values are applied to the card itself and cannot vary between VAPs on the card.

While it may be tempting to set the card to Debug in order to use settings not otherwise allowed, this action could result in legal trouble should it be noticed. The likelihood of this happening varies greatly by country/area so use that with caution.

Regulatory domain:
 The Regulatory Domain is the governmental body that controls wireless communications in a region. For example, the US and Canada follow FCC regulations while in the UK it’s ETSI. If unsure of the regulatory domain in a region, see the Country setting.
Country:Sometimes specific countries inside a regulatory domain have different restrictions. The Country option contains a drop-down list of many countries throughout the world and their associated country codes and regulatory domains.
Location:Certain restrictions exist for Indoor and Outdoor transmissions as well. Setting the Location of the transmitter will further adjust the allowed transmission power and/or channels.

Network-specific wireless configuration

These settings are unique per interface, even on virtual wireless interfaces. Changing these settings does not affect any other interfaces.

Wireless Mode:Set the Mode field to Access Point , and pfSense will use hostapd to act as an AP.
Service Set Identifier (SSID):
 The SSID is the “name” of the AP as seen by clients. Set the SSID to something readily identifiable yet unique. Keeping with the example, ConfRoom is a good name to use.
Minimum wireless standard:
 The Minimum wireless standard drop-down controls whether or not older clients are able to associate with this access point. Allowing older clients may be necessary in some environments if devices are still around that require it. Some devices are only compatible with 802.11g and require a mixed network g/n in order to work. The flip side of this is that slower speeds may be seen as a result of allowing such devices on the network as the access point will be forced to cater to the lowest common denominator when an 802.11g device is transmitting at the same time as an 802.11n device. In our example conference room, users will only be using recently purchased company-owned laptops that are all capable of 802.11n, so 802.11n is the best choice.
Intra-BSS Communication:
 If Allow intra-BSS communication is checked, wireless clients will be able to see each other directly. If clients will only need access to the Internet, it is typically safer to uncheck this option. In this scenario, users in the conference room may need to share files back and forth directly between laptops, so this will stay checked.
Enable WME:Wireless Multimedia Extensions, or WME, is a part of the wireless standard that provides some Quality of Service for wireless traffic to ensure proper delivery of multimedia content. It is required for 802.11n to operate, but is optional for older standards. This feature is not supported by all cards/drivers.
Hide SSID:Normally the AP will broadcast its SSID so that clients can locate and associate with it easily. This is considered by some to be a security risk, announcing to all who are listening that a wireless network is available, but in most cases the convenience outweighs the (negligible) security risk. The benefits of disabling SSID broadcasting are overblown by some, as it does not actually hide the network from anyone capable of using many freely available wireless security tools that easily find such wireless networks. For our conference room AP, we will leave this unchecked to make it easier for meeting attendees to find and use the service.

Wireless Encryption (WPA)

Two types of encryption are supported for 802.11 networks: WPA, and WPA2. WPA2 with AES is the most secure. Even when not worrying about encrypting the over- the-air traffic (which should be done), it provides an additional means of access control. All modern wireless cards and drivers support WPA2.

Warning

Wireless Encryption Weaknesses

WEP has serious known security problems for years, and support for WEP has been removed from pfSense. It is possible to crack WEP in a matter of minutes at most, and it should never be relied upon for security. If WEP is required, an external AP must be used.

TKIP (Temporal Key Integrity Protocol), part of AES, became a replacement for WEP after it was broken. It uses the same underlying mechanism as WEP, and hence is vulnerable to some similar attacks. These attacks have become more practical and TKIP is no longer considered secure. TKIP should never be used unless devices are present that are incompatible with WPA or WPA2 using AES. WPA and WPA2 in combination with AES are not subject to these flaws in TKIP.

In this example, the ConfRoom wireless must be secured with WPA2.

Enable:This checkbox enables WPA or WPA2 encryption, so it should be checked
WPA Pre-Shared Key:
 Enter the desired wireless key, in this example excoconf213.
WPA Mode:WPA or WPA2, in this example, WPA2
WPA Key Management Mode:
 Can be Pre-Shared Key (PSK) or Extensible Authentication Protocol (EAP). In this example, PSK is sufficient.
WPA Pairwise:This should almost always be set to AES, due to the weaknesses in TKIP mentioned previously.
Group Key Rotation:
 This option allows setting how often the broadcast/multicast encryption keys (Group Transient Key, GTK) are rotated, in seconds. It can be any value from 1 to 9999 but it should be shorter than the Group Master Key Regeneration value. The default value of 60 seconds (one minute) is adequate. Lower values may be more secure but may bog things down with frequent rekeying.
Group Master Key Regeneration:
 This parameter controls how often, in seconds, the master key (Group Master Key, GMK) used internally to generate GTKs is regenerated. It can be any value from 1 to 9999 but it should be longer than the Group Key Rotation value. The default value of 3600 seconds (one hour) is adequate.
Strict Key Regeneration:
 This option causes the firewall to change the GTK whenever a client leaves the access point, much like changing the passwords when an employee leaves. There may be a slight performance penalty in cases where there is a high turnover of clients. In cases where security is not a primary concern, this can be left disabled.

IEEE 802.1X Authentication (WPA Enterprise)

Another type of supported wireless security is known as IEEE 802.1X Authentication, or more commonly referred to as WPA Enterprise or WPA2 Enterprise. This mode allows using a more traditional username and password entry in order to gain access to the wireless network. The downside is that this authentication must be done via RADIUS servers. If an existing RADIUS server is already present or easily deployed, it may be a viable source of wireless access control. In this example, 802.1X is not used but the options are explained.

See also

The FreeRADIUS pfSense package may be used for this purpose.

Note

Some older operating systems may not properly handle 802.1X or may have long delays after failed authentication attempts, but there are typically workarounds for those issues via OS updates or patches.

Clients must also be configured to properly access the service. Some may pick up the proper settings automatically, others may need set for a specific mode (e.g. PEAP) or may need certificates loaded. The specific values depend on the RADIUS server settings.

To get started with 802.1X authentication, first set WPA Key Management to Extensible Authentication Protocol.

Enable 802.1X Authentication:
 

When checked, 802.1X authentication support is enabled and required of clients.

Primary 802.1X Server:
 

The preferred server for 802.1X authentication.

IP Address:The IP address of the preferred RADIUS server to use for 802.1X client authentication.
Port:The port upon which to contact the RADIUS server for authentication requests, typically 1812.
Shared Secret:The password to use when communicating with the RADIUS server from this firewall. This must match the shared secret defined for this firewall on the RADIUS server.
Secondary 802.1X Server:
 

The same parameters as above, but for a secondary RADIUS server in case the first one is unreachable.

Authentication Roaming Preauth:
 

This option sets up pre-authentication to speed up roaming between access points. This will perform part of the authentication process before the client fully associates to ease the transition.

Finishing AP Settings

The previous settings are enough to get a wireless access point running with 802.11n with WPA2 + AES encryption. When the settings are complete, click Save, then Apply Changes.

Configuring DHCP

Now that an entirely separate network has been created, DHCP must be enabled to automatically provide associating wireless clients an IP address. Browse to Services > DHCP Server, click on the tab for the wireless interface (ConfRoom for this example). Check the box to Enable, set whatever size range will be needed, and any additional options desired, then click Save and Apply Changes. For more details on configuring the DHCP service, see IPv4 DHCP Server.

Adding Firewall Rules

Since this wireless interface is an OPT interface, it will have no default firewall rules. At the very least a rule must be added to allow traffic from this subnet to any destination. Since the conference room users will need internet access and access to other network resources, a default allow rule will be fine in this case. To create the rule:

  • Navigate to Firewall > Rules
  • Click on the tab for the wireless interface (ConfRoom for this example).
  • Click fa-plus Add and configure a rule as follows:
    Interface:ConfRoom
    Protocol:Any
    Source:ConfRoom Net
    Destination:Any
  • Click Save
  • Click Apply Changes

See also

For more information about creating firewall rules, see Firewall.

Associating Clients

The newly configured pfSense AP should appear in the list of available access points from a wireless device, assuming broadcasting of the SSID was not disabled. A client should now be able to associate with it as it would with any other access point. The exact procedure will vary between operating systems, devices, and drivers, but most manufacturers have streamlined the process to make it simple for everyone.

Viewing Wireless Client Status

When a wireless interface is configured for access point mode, the associated clients will be listed on Status > Wireless.