Access Point2

From PFSenseDocs


Documenting Utilising Pfsense as a Wireless Access Point

Preconditions

I've been using pfSense 1.01 (now 1.2RC4) as a firewall for over a year now and am exceptionally pleased with its reliability and functionality. I've also been using it as an internal router for a private IP network. I should also add that I've been doing this on WRAP hardware because I wanted to eliminate the failure potential of hard disks from a critical piece of infrastructure. WRAP plus pfSense equals firewall with PPTP without the expense of name branding. Plus I'm getting old and lazy and whilst I recognise the networking capabilities of FreeBSD and packet filter, I'm an old Linux user and learning a new set of commands is simply a bit daunting – the GUI of pfSense works nicely and makes it reasonably simple to configure. I might add I keep a watching brief on the mail list for any developments or problems.

However, I will comment that documentation is usually sparse to non-existent and/or outdated and that the level of discussion on the mailing list is usually quite specific to some new development issue rather than how to do something simple (hence this page). This document will attempt to canvass some of the issues I had to work through because I could not find the material I needed – hopefully this fills a part of that gap.

Our organisation recently had a NIC failure at a branch office in an old Linux box that acted as the router. As a result I've been able to liberate some money to replace these old PC routers – so I bought some WRAPs – I knew they would do the job, and I also knew I could add a Wistron CM9 wireless card into the mix and provide wireless connectivity in the same device – added bonus.

I also have to admit that I made an assumption that has proven to be false – that I could utilise a RADIUS server to authenticate wireless connections – but more on that soon.

So the plan is to replace the old PC boxes with pfSense configured to act as an internal router and also to add a wireless interface for low-volume intermittent use.

Project Design

In the background to this project, I'm configuring a FreeRADIUS server, because I want to connect our firewall with it to authenticate our mobile users accessing the PPTP server. Easier to manage centrally. I also wanted to put FreeRADIUS in place to authenticate wireless users connecting to a Linksys WAP at the branch office inhabited by the company's execs. (I assumed that because pfSense had RADIUS authentication for PPTP and the Linksys had RADIUS for wireless that pfSense would also have this functionality – but I believe that is not the case, and the good thing about writing this down and posting it on the wiki is that if I'm wrong, someone will point it out to me and hopefully provide me with directions on how to do it.)

This documentation will cover my initial testing of a wireless AP and if the assumptions and design are inelegant, please provide feedback. The first wireless AP was just that – the WAN interface was ignored. I would like to have disabled it but I don't think it's possible with pfSense at the moment. I could configure the wireless interface as the WAN interface, but I wanted to test bridging the wireless interface with the LAN as that's what I did with the routers on our internal IP network. I didn't want to create multiple new networks and establish the routing required for them, as it would only complicate matters, and I can still filter the bridged traffic by enabling that option in the Advanced System section of pfSense. I should add that bridging with the LAN means that DHCP is handled by the DHCP server on the LAN and the wireless clients happily ignore the WAN interface and any superfluous default routing.

Security

At this point I should admit that I am not a security zealot. I suspect that I should be configuring a separate IP network for the wireless interface and then restricting traffic from that network so that it only allows access to a VPN server that authenticates each wireless user; however, we aren't the NSA and so I'm limiting the security to WPA with a pre-shared key as that's manageable.

Windows clients

I'm also assuming that the target audience is Windows XP/Vista clients. I'm the only user in my company with Linux on a notebook so that's a pretty safe assumption. This was the tricky bit. My notebook is a Dell with an Intel Pro 3945ABG wireless interface on it. This comes with Intel PROSet and also the standard Windows wireless client on it. I had been having considerable difficulty getting a connection using the Windows client (XP SP2) and then switched across to the Intel Pro wireless client and actually got it to work. Previously I was unable to get an IP address despite Windows telling me I was connected. Subsequently I've configured pfSense to connect to the standard Windows client – recipe below.

On the Windows client side I use WPA-Personal and TKIP – this is now with a Vista Business client – roll on openSUSE 11.

Wireshark

I found it pretty useful to have Wireshark on the notebook to track traffic on the wireless interface – just had to work out that Wireshark wouldn't capture traffic on the wireless interface unless promiscuous mode was turned OFF.

Installation

This is pretty much covered in other documents. Basically don't bother with the getting started wizard and configure the LAN interface with an IP address and netmask. Configure the WAN interface with an IP address that is within the RFC 1918 space (I'm using 192.168.254.254/32) that won't conflict with any addresses on your network (NB: this is a bit dodgy but it's workable). I set the gateway of the WAN to the same gateway as the LAN interface but I'm not sure whether that's important or not. The rest of the WAN options are ignored.

The critical part is the configuration of the OPT1 interface. When installing you will need to assign the OPT1 interface to the wireless interface. Once this is done, configure the interface as below:

Tick enable optional interface 1.

General configuration

Static not DHCP

MAC address and MTU – unconfigured

IP configuration

Bridge with LAN – therefore no IP address and no gateway

FTP Helper - I left it on

Wireless Configuration

Standard - 802.11g (pretty much most wireless cards at the moment - 2007)

mode – Access point

802.11g OFDM Protection Mode – Protection Mode off (this mode is relevant if you have 802.11b traffic on your wireless network – if you don't then it's probably better to turn it off)

SSID – mywirelessnetwork

802.11g only- box ticked

Allow intra-BSS communication – not ticked

Enable WME – box ticked

Enable Hide SSID – not ticked but probably useful for some security after you've got it working

Transmit power – 99

Channel - auto

Distance setting – empty

WEP – not enabled (prefer WPA encryption if you can – note Windows XP pre-SP2 can't do WPA)

WPA – enable WPA and enter your pre-shared key (obviously use a strong password/key)

WPA Mode – Both (WPA worked as well but WPA2 didn't with the Windows standard wireless client)

WPA Key Management Mode – Preshared key

Authentication – Open System Authentication

WPA Pairwise – TKIP

Key Rotation – 60 (default)

Master Key Regeneration – 3600 (default)

Strict Key Regeneration – not set

Enable IEEE802.1X – not (to other readers – what does this do?)

DHCP client configuration – hostname – not set
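The WPA settings above rely entirely on the pre-shared key, so it is worth seeing what the access point and client actually do with the passphrase you type in. The following is an added example, not code from the page or from pfSense: it implements the IEEE 802.11i WPA-PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32-byte result), enforces the 8 to 63 printable-ASCII passphrase rule, and generates a random passphrase from a CSPRNG. The SSID "mywirelessnetwork" is the page's; "password"/"IEEE" is the published 802.11i test vector, and all other inputs are constructed.

```python
import hashlib
import secrets
import string

# IEEE 802.11i WPA/WPA2-Personal: the 256-bit Pairwise Master Key (PMK, also
# called the PSK) is PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def validate_passphrase(passphrase: str) -> None:
    """Apply the 802.11i passphrase rules: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA-PSK client or access point does.

    The SSID is the salt, so the same passphrase yields a different key on
    every network name; that is the only per-network variation a PSK has.
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """The 64-hex-character form that many clients accept in place of a passphrase."""
    return derive_pmk(passphrase, ssid).hex()


def generate_passphrase(length: int = 32) -> str:
    """Random passphrase from a CSPRNG; 32 alphanumerics give about 190 bits of entropy."""
    if not 8 <= length <= 63:
        raise ValueError("length must be within the 802.11i limits")
    alphabet = string.ascii_letters + string.digits  # 62 symbols, no shell-hostile characters
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # "password"/"IEEE" is the 802.11i-2004 Annex H test vector; the rest is constructed.
    print("test vector PMK:", pmk_hex("password", "IEEE"))
    new_key = generate_passphrase()
    print("generated passphrase:", new_key)
    print("PMK for the page's SSID:", pmk_hex(new_key, "mywirelessnetwork"))
```

Because the derivation is public and deterministic, the passphrase is the only secret; a generated key like the one above is the practical answer to "use a strong password/key". The page's choice of TKIP as the pairwise cipher was the common Windows XP compromise in 2007; TKIP has since been deprecated by IEEE 802.11 and CCMP (AES) should be selected wherever the clients support it.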

DHCP

This configuration did not require any settings for either DHCP server or DHCP relay as this was provided by the DHCP server on the LAN and once the wireless encryption protocol is negotiated, the client is allocated an IP address and gateway and WINS server from the LAN DHCP server.

Firewall Rules

Make sure that you put a rule on the LAN interface to let traffic through and also on the OPT1 interface as we've enabled packet filtering on bridged interfaces in the System Advanced menu. This will let you control the traffic on the wireless interface if you so desire (not what I wanted to do).

The rules I utilise with this configuration are:

LAN Interface

Protocols: *

Source: LAN net

Port: *

Destination: *

Port: *

Gateway: *

Opt1 Interface

Protocols: *

Source: *

Port: *

Destination: *

Port: *

Gateway: *

Obviously this is wide open so you can put more restrictive rules in to your heart's content if you want.
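To make the "wide open" remark concrete, here is an added example (not from the page or from pfSense) that models how pfSense evaluates a per-interface rule table: rules are tried top to bottom, the first match decides, and a packet that matches nothing is dropped by the implicit default deny. It evaluates a few constructed packets against the page's single pass-everything OPT1 rule and against a tighter alternative that lets wireless clients obtain DHCP, resolve DNS through the LAN gateway and reach the internet, but not touch anything on RFC 1918 space. The LAN network 192.168.1.0/24, the gateway 192.168.1.1 and the packets are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the example; the page does not give its LAN addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_NET = ipaddress.ip_network("192.168.1.1/32")   # assumed pfSense LAN address


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str             # "pass" or "block"
    proto: str = "*"        # "*" matches any protocol
    src: object = "*"       # "*", an ip_network, or a predicate over an ip_address
    dst: object = "*"
    dport: object = "*"     # "*" or an int

    @staticmethod
    def _addr_match(spec, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if spec == "*":
            return True
        if callable(spec):
            return spec(ip)
        return ip in spec

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("*", pkt.proto)
            and self._addr_match(self.src, pkt.src)
            and self._addr_match(self.dst, pkt.dst)
            and self.dport in ("*", pkt.dport)
        )


def evaluate(rules, pkt: Packet) -> str:
    """First-match evaluation with pfSense's implicit default deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def is_private(ip) -> bool:
    return any(ip in net for net in RFC1918)


# The page's OPT1 table: one rule, everything passes.
OPEN_OPT1 = [Rule("pass")]

# A tighter alternative (assumption, not from the page): DHCP and DNS via the
# gateway are allowed, the rest of the private address space is blocked, and
# whatever is left (the internet) passes.
RESTRICTED_OPT1 = [
    Rule("pass", proto="udp", dport=67),                          # DHCP to any server or broadcast
    Rule("pass", proto="udp", dst=GATEWAY_NET, dport=53),         # DNS on the LAN gateway
    Rule("pass", proto="tcp", dst=GATEWAY_NET, dport=53),
    Rule("block", dst=is_private),                                # no access to other LAN hosts
    Rule("pass"),                                                 # everything else
]

# Constructed traffic from a wireless client that was given 192.168.1.50 by DHCP.
SAMPLE = {
    "dhcp": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns": Packet("udp", "192.168.1.50", "192.168.1.1", 53),
    "smb": Packet("tcp", "192.168.1.50", "192.168.1.20", 445),   # a file server on the LAN
    "web": Packet("tcp", "192.168.1.50", "203.0.113.10", 80),    # TEST-NET-3 stands in for the internet
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:5} open={evaluate(OPEN_OPT1, pkt):5} restricted={evaluate(RESTRICTED_OPT1, pkt)}")
```

The ordering matters: the block-private rule sits before the final pass, so the SMB packet to another LAN host is dropped while DHCP and DNS, matched earlier, still get through. On the page's own table every packet hits the single pass rule, which is exactly what "wide open" means here.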

Conclusion

This configuration is a bit clunky but it's working for me (still, after about 6 months). I have deployed it at 4 sites with a WAN interface and despite some warnings about bridging, even traffic shaping (on the non-wireless interfaces) appears to work.

Feedback

Please post any feedback on the wiki as it's all useful for the next poor sod who comes along and tries to do something similar, and of course if you have any comments or suggestions on a better way of doing it then feel free.
