
Access Point2 - PFSenseDocs http://doc.pfsense.org/index.php/Access_Point2


Access Point2
From PFSenseDocs

Contents
1 Documenting Utilising Pfsense as a Wireless Access Point
1.1 Preconditions
1.2 Project Design
1.3 Security
1.4 Windows clients
1.5 Wireshark
1.6 Installation
1.7 DHCP
1.8 Firewall Rules
1.9 Conclusion
1.10 Feedback

Documenting Utilising Pfsense as a Wireless Access Point


Preconditions

I've been using pfSense 1.01 (now 1.2RC4) as a firewall for over a year now and am exceptionally pleased with
its reliability and functionality. I've also been using it as an internal router for a private IP network. I should also
add that I've been doing this on WRAP hardware because I wanted to eliminate the failure potential of hard
disks from a critical piece of infrastructure. WRAP plus pfSense equals a firewall with PPTP without the expense
of name branding. Plus I'm getting old and lazy, and whilst I recognise the networking capabilities of FreeBSD and
packet filter, I'm an old Linux user and learning a new set of commands is simply a bit daunting; the GUI of
pfSense works nicely and makes it reasonably simple to configure. I might add that I keep a watching brief on the
mailing list for any developments or problems.

However, I will comment that documentation is usually sparse to non-existent and/or outdated, and that the level
of discussion on the mailing list is usually quite specific to some new development issue rather than how to do
something simple (hence this page). This document will attempt to canvass some of the issues I had to work
through because I could not find the material I needed; hopefully this fills part of that gap.


Our organisation recently had a NIC failure at a branch office in an old Linux box that acted as the router. As a
result I've been able to liberate some money to replace these old PC routers, so I bought some WRAPs. I
knew they would do the job, and I also knew I could add a Wistron CM9 wireless card into the mix and provide
wireless connectivity in the same device, an added bonus.

I also have to admit that I made an assumption that has proven to be false: that I could use a RADIUS server to
authenticate wireless connections. More on that soon.

So the plan is to replace the old pc boxes with Pfsense configured to act as an internal router and also to add a
wireless interface for low-volume intermittent use.

Project Design

In the background to this project, I'm configuring a FreeRADIUS server, because I want to connect our firewall
to it to authenticate our mobile users accessing the PPTP server; that is easier to manage centrally. (PPTP's
MS-CHAPv2 authentication has since been shown to be breakable offline, so treat it as a legacy VPN rather than a
security boundary.) I also wanted to put FreeRADIUS in place to authenticate wireless users connecting to a
Linksys WAP at the branch office inhabited by the company's execs. I assumed that because pfSense had RADIUS
authentication for PPTP and the Linksys had RADIUS for wireless, pfSense would also have this functionality, but
I believe that is not the case; the good thing about writing this down and posting it on the wiki is that if I'm
wrong, someone will point it out to me and hopefully provide directions on how to do it. (The pointer is the
"Enable IEEE802.1X" option in the wireless configuration below: 802.1X with a key management mode of EAP
rather than a pre-shared key is the RADIUS-authenticated, WPA-Enterprise mode.)

This documentation will cover my initial testing of a wireless AP; if the assumptions and design are
inelegant, please provide feedback. The first wireless AP was just that: the WAN interface was ignored. I
would like to have disabled it, but I don't think that's possible with pfSense at the moment. I could have
configured the wireless interface as the WAN interface, but I wanted to test bridging the wireless interface with
the LAN, as that's what I did with the routers on our internal IP network. I didn't want to create multiple new
networks and establish the routing required for them, as it would only complicate matters, and I can still filter
the bridged traffic by enabling that option in the Advanced section under System in pfSense. I should add that
bridging with the LAN means that DHCP is handled by the DHCP server on the LAN, and the wireless clients
happily ignore the WAN interface and any superfluous default routing.

Security

At this point I should admit that I am not a security zealot. I suspect that I should be configuring a separate IP
network for the wireless interface and then restricting traffic from that network so that it only allows access to a
VPN server that authenticates each wireless user; however, we aren't the NSA, and so I'm limiting the security to
WPA with a pre-shared key as that's manageable. Be clear about what that trade-off means: because the wireless
interface is bridged onto the LAN, anyone who holds the pre-shared key (a departed employee, whoever picks up a
stolen notebook with the key saved, or an attacker who records one WPA handshake from the car park and guesses a
weak passphrase offline) is on the wired LAN with no further check. The passphrase is the whole security boundary,
so it needs to be long and random, and it needs to be changed when people leave.

Windows clients

I'm also assuming that the target audience is Windows XP/Vista clients. I'm the only user in my company with
Linux on a notebook, so that's a pretty safe assumption. This was the tricky bit. My notebook is a Dell with an
Intel PRO/Wireless 3945ABG interface. This comes with Intel PROSet and also the standard Windows
wireless client. I had been having considerable difficulty getting a connection using the Windows client
(XP SP2) and then switched across to the Intel wireless client and actually got it to work. Previously I was
unable to get an IP address despite Windows telling me I was connected. Subsequently I've configured pfSense
to work with the standard Windows client; recipe below.

On the Windows client side I use WPA-Personal and TKIP; this is now with a Vista Business client. Roll on
openSUSE 11.


Wireshark

I found it pretty useful to have Wireshark on the notebook to track traffic on the wireless interface. I just had to
work out that Wireshark wouldn't capture traffic on the wireless interface unless promiscuous mode was turned
OFF (many Windows wireless drivers refuse to enable it, and for watching the notebook's own DHCP and
handshake traffic you don't need it anyway).

Installation

This is pretty much covered in other documents. Basically, don't bother with the getting-started wizard; just
configure the LAN interface with an IP address and netmask. Configure the WAN interface with an IP address
within RFC 1918 space (I'm using 192.168.254.254/32) that won't conflict with any addresses on
your network (NB: this is a bit dodgy, but it's workable). I set the gateway of the WAN to the same gateway as
the LAN interface, but I'm not sure whether that's important or not. The rest of the WAN options are ignored.

The critical part is the configuration of the OPT1 interface. When installing you will need to assign the OPT1
interface to the wireless interface. Once this is done, configure the interface as below:

Tick enable optional interface 1.

General configuration

Static not DHCP

MAC address and MTU – unconfigured

IP configuration

Bridge with LAN – therefore no IP address and no gateway

FTP Helper - I left it on

Wireless Configuration

Standard - 802.11g (pretty much most wireless cards at the moment - 2007)

mode – Access point

802.11g OFDM Protection Mode – Protection Mode off (this mode is relevant if you have 802.11b traffic on
your wireless network; if you don't, it's probably better to turn it off)

SSID – mywirelessnetwork

802.11g only- box ticked

Allow intra-BSS communication – not ticked

Enable WME – box ticked

Enable Hide SSID – not ticked (and don't count it as security: a hidden SSID is only left out of beacons, it is still
sent in the clear in probe and association frames whenever a client connects, so any passive sniffer recovers it in
seconds; all it does is inconvenience legitimate clients)

Transmit power – 99


Channel - auto

Distance setting – empty

WEP – not enabled (prefer WPA if you can; WEP keys are recoverable from a few minutes of captured traffic. Note
that Windows XP needs SP2, or SP1 with the WPA update, for WPA, and the separate WPA2 update on SP2 for WPA2)

WPA – enable WPA and enter your pre-shared key (obviously use a strong key: a short or dictionary passphrase
can be recovered offline from a single captured handshake, and here that key is all that separates the airwaves
from the wired LAN)

WPA Mode – Both (WPA worked as well, but WPA2 didn't with the standard Windows wireless client; on XP SP2,
WPA2 needs the KB893357 update installed)

WPA Key Management Mode – Preshared key

Authentication – Open System Authentication

WPA Pairwise – TKIP (TKIP is the compatibility cipher for WPA1-era clients and has known message-forgery
weaknesses; choose AES (CCMP), or Both if you must keep old clients working, wherever your clients support it)

Key Rotation – 60 (default)

Master Key Regeneration – 3600 (default)

Strict Key Regeneration – not set

Enable IEEE802.1X – not ticked (for other readers: 802.1X is port-based network access control. With it enabled
and the key management mode set to EAP instead of pre-shared key, the AP uses no shared passphrase at all; it
relays each client's EAP credentials to a RADIUS server, which decides whether the client gets on. That is
WPA-Enterprise, and it is the RADIUS-backed wireless authentication the Project Design section assumed pfSense
lacked. Each user gets their own credentials and per-session keys, and one account can be revoked without
re-keying every other client)

DHCP client configuration – hostname – not set
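The Security section above and the pre-shared key settings in this list both rest on the strength of one passphrase. The following is an added example, not code from the pfSense page or the pfSense project, showing what that "pre shared key" actually is and why a weak one bridged onto the LAN is fatal: WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, and every per-session key descends from the PMK. The SSID `mywirelessnetwork` is the one from the list above; the wordlist, the candidate passphrases and the direct PMK comparison (which stands in for the MIC check a real cracker performs against a captured 4-way handshake) are constructed for the example.

```python
"""WPA-PSK key derivation and an offline passphrase guess (added example)."""
import hashlib
import hmac

# Public test vectors from IEEE 802.11i Annex H.4.3, used to check the derivation.
ANNEX_H_VECTORS = {
    ("IEEE", "password"):
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
    ("ThisIsASSID", "ThisIsAPassword"):
        "0dc0d6eb90555ed6419756b9a15ec3e3209b63df707dd508d14581f8982721af",
}

# Constructed wordlist for the example; real attackers use multi-gigabyte
# lists plus mangling rules.
WORDLIST = ["password", "12345678", "letmein123", "correcthorsebatterystaple"]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def check_vectors() -> bool:
    """True when the derivation reproduces the published Annex H PMKs."""
    return all(
        wpa_psk(passphrase, ssid).hex() == pmk
        for (ssid, passphrase), pmk in ANNEX_H_VECTORS.items()
    )


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist):
    """Recompute the PMK for each candidate; return (passphrase, guesses tried).

    The SSID is the salt, not a secret: it is carried in probe and
    association frames even when beacons omit it ("Hide SSID"), so hiding
    it does not slow this loop down at all. A common SSID also lets an
    attacker precompute this table once and reuse it against every network
    that shares the name.
    """
    tried = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # not a legal WPA passphrase, no point hashing it
        tried += 1
        if hmac.compare_digest(wpa_psk(candidate, ssid), target_pmk):
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    ssid = "mywirelessnetwork"  # the SSID from the configuration above
    print("Annex H vectors OK:", check_vectors())
    weak = wpa_psk("letmein123", ssid)              # constructed weak key
    strong = wpa_psk("Zr9!vLq2#pWx8@Tm-Qe4", ssid)  # constructed strong key
    print("weak passphrase  :", dictionary_attack(ssid, weak, WORDLIST))
    print("strong passphrase:", dictionary_attack(ssid, strong, WORDLIST))
```

The 4096 PBKDF2 iterations are the only thing slowing the guessing down, and a commodity GPU still tests hundreds of thousands of candidates per second, so the defence is entirely in the entropy of the passphrase (and, where the clients allow it, in moving to 802.1X so that there is no shared passphrase to recover).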

DHCP

This configuration did not require any settings for either DHCP server or DHCP relay, as this was provided by
the DHCP server on the LAN; once the WPA handshake completes, the client is allocated an IP address, gateway
and WINS server from the LAN DHCP server.

Firewall Rules

Make sure that you put a rule on the LAN interface to let traffic through, and also on the OPT1 interface, as
we've enabled packet filtering on bridged interfaces in the System > Advanced menu. Rules on OPT1 apply to
traffic entering from the wireless clients, which lets you control what they can reach if you so desire (not what I
wanted to do).

The rules I utilise with this configuration are:

LAN Interface

Protocols: *

Source: Lan net

Port: *

Destination: *

Port: *

Gateway: *


Opt1 Interface

Protocols: *

Source: *

Port: *

Destination: *

Port: *

Gateway: *

Obviously this is wide open, so you can put in more restrictive rules to your heart's content if you want. Given
that the wireless side is bridged straight onto the LAN, a sensible minimum on OPT1 is to allow DHCP and DNS,
allow whatever the wireless users actually need (the VPN server, or the Internet), block the rest of the LAN, and
let the implicit default deny catch anything else.
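To make the difference between the rule set above and a restrictive one concrete, here is an added example, not code from the pfSense page or the pfSense project: a first-match evaluator for pfSense-style interface rules. pfSense evaluates the rules of the interface a packet enters on, top to bottom; the first match decides, and a packet that matches nothing hits the implicit default deny. The block encodes the page's wide-open OPT1 rule next to a restrictive OPT1 set for a wireless segment bridged onto the LAN and runs a few constructed packets through both. The addresses are assumptions: LAN net is 192.168.1.0/24, and the firewall's LAN address, which here is also the PPTP server and the DNS resolver, is 192.168.1.1.

```python
"""First-match evaluation of pfSense-style interface rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

Port = Union[str, int, tuple]

LAN_NET = "192.168.1.0/24"   # assumed "LAN net"
FIREWALL = "192.168.1.1"     # assumed firewall LAN address (PPTP server, resolver)


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str = "*"       # "*", "tcp", "udp", "icmp", "gre"
    src: str = "*"         # "*" or a CIDR
    dst: str = "*"
    dport: Port = "*"      # "*", a port number, or an inclusive (lo, hi) range
    desc: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


def _net_matches(spec: str, addr: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec: Port, port: Optional[int]) -> bool:
    if spec == "*":
        return True
    if port is None:
        return False
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("*", pkt.proto)
        and _net_matches(rule.src, pkt.src)
        and _net_matches(rule.dst, pkt.dst)
        and _port_matches(rule.dport, pkt.dport)
    )


def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or the default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"   # implicit default deny at the end of every interface


# The page's OPT1 rule: everything from anywhere to anywhere.
OPEN_OPT1 = [Rule("pass", desc="wide open, as on the page")]

# A tighter OPT1 set: wireless clients can get an address, resolve names,
# authenticate to the PPTP server on the firewall and reach the Internet,
# and cannot touch anything else on the wired LAN. Order matters: the
# block for LAN net sits before the catch-all pass.
RESTRICTED_OPT1 = [
    Rule("pass", "udp", "*", "*", 67, "DHCP discover/request to the LAN server"),
    Rule("pass", "udp", LAN_NET, FIREWALL, 53, "DNS to the firewall resolver"),
    Rule("pass", "tcp", LAN_NET, FIREWALL, 1723, "PPTP control channel"),
    Rule("pass", "gre", LAN_NET, FIREWALL, "*", "PPTP data channel"),
    Rule("block", "*", "*", LAN_NET, "*", "nothing else on the wired LAN"),
    Rule("pass", "*", LAN_NET, "*", "*", "Internet via the default gateway"),
]

# Constructed packets as they would enter OPT1 from a wireless client.
SAMPLE_PACKETS = {
    "dhcp":  Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns":   Packet("udp", "192.168.1.57", FIREWALL, 53),
    "https": Packet("tcp", "192.168.1.57", "203.0.113.10", 443),
    "smb":   Packet("tcp", "192.168.1.57", "192.168.1.20", 445),
    "rdp":   Packet("tcp", "192.168.1.57", "192.168.1.30", 3389),
}


def compare(packets=SAMPLE_PACKETS):
    """Map each sample packet name to (open verdict, restricted verdict)."""
    return {
        name: (evaluate(OPEN_OPT1, pkt), evaluate(RESTRICTED_OPT1, pkt))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, (open_v, tight_v) in compare().items():
        print(f"{name:6s} open={open_v:5s} restricted={tight_v}")
```

The point of the restrictive set is that the wireless clients still get LAN addresses through the bridge, so "block to LAN net, then pass to anywhere" is what turns a bridged segment into a guest-style network without re-addressing anything; the open rule from the page, by contrast, makes the wireless side indistinguishable from a wired port.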

Conclusion

This configuration is a bit clunky, but it's working for me (still, after about 6 months). I have deployed it at 4 sites
with a WAN interface, and despite some warnings about bridging, even traffic shaping (on the non-wireless
interfaces) appears to work.

Feedback

Please post any feedback on the wiki, as it's all useful for the next poor sod who comes along and tries to do
something similar, and of course if you have any comments or suggestions on a better way of doing it then feel
free.

This article is part of the HOWTO series.


Retrieved from "http://doc.pfsense.org/index.php/Access_Point2"
Categories: Wireless | Howto


This page was last modified on 15 February 2009, at 00:34. This page has been accessed 11,467 times.
