pfSense Wi-Fi setup
In this guide we set up a Wi-Fi access point on a pfSense system, on real rather than hypothetical hardware.
pfSense is already installed and runs as a gateway between the provider and the internal network 192.168.1.0/24. Installation and setup instructions are on this page: installing and configuring pfSense as a gateway
Before you begin, make a backup in the web configurator on the Diagnostics > Backup/Restore page.
We have:
A computer with the following hardware (the gateway):
CPU - Intel® Celeron® Processor E3300 (1M Cache, 2.50 GHz, 800 MHz FSB)
NIC - external - TP-Link TG-3269
NIC - onboard - Realtek
NIC - external Wi-Fi - D-Link DWL-G510
RAM - 2 GB
HDD - Samsung HD160HJ
Motherboard - Asustek P5KPL-AM IN/ROEM/SI
A computer (workstation)
Two patch cords: one runs from the provider to the gateway's onboard network card, the other from the workstation to the gateway's external network card.
The settings take into account that we have a dynamic (L2TP) IP address.
Plug the external Wi-Fi card into a PCI slot and start pfSense. If the card is not detected, try reassigning the interfaces (Assign Interfaces); at the end, decline to save the settings by pressing n when the question Do you want to proceed [y|n]? appears on screen. Look at the screen. In my case the interface was detected as ral0 (Ralink Technology RT2561).
Open the web configurator and on the Interfaces > (assign) page, in the Interface Assignments tab, activate our interface by clicking the button with the cross icon.
Configure the interface. In the General Configuration block, give the interface a meaningful name in the Description field, and in the IPv4 Configuration Type field select Static IPv4. In the Static IPv4 Configuration block, enter the interface's IP address and mask in the IPv4 Address field.
Attention! Use the network 10.1.2.0! For reasons I could not explain, an emergency reboot occurred if I entered any other network and connected to it over Wi-Fi. I did not study the crash reports that appeared after the failure; if you want, run the experiment and find out the cause, but first just specify the network 10.1.2.0 and everything will work.
In the Common Wireless Configuration block (settings apply to all wireless networks on ral0), the Persist common settings option preserves the wireless configuration (I did not enable it). In the Standard field select 802.11g, provided your Wi-Fi adapter supports that standard (it most likely does).
In the Transmit Power field you can set the signal strength (I left the default). In the Channel field you can pick a channel (I left the default).
Add the wireless interface. In the main menu: Interfaces > Assign > Wireless > Add, and choose the mode:
- Infrastructure (BSS)
- Ad-hoc (IBSS)
- Access Point
Assign the interface in pfSense: Interfaces > Interface Assignments
Configure the wireless network:
If there are older 802.11g devices on the network, select 802.11ng mode, otherwise the old equipment will not see the new access point. If there is no old equipment that needs to use this access point, 802.11na mode is recommended, because throughput and performance will be much better.
Configure the server that hands out network settings automatically: Services > DHCP Server
Enable the DHCP server:
- Enable (Enable DHCP server on WIFIAP interface): tick the checkbox
Specify the address range to hand out:
- Range
- From 192.168.2.100
- To 192.168.2.200
Now go to Firewall > Rules > select the wireless interface created earlier (WIFIAP) > Add
Traffic from the local wireless network to the internet must be allowed. Configure:
With a wireless card that supports hostap mode (see Cards Supporting Access Point (hostap) Mode), pfSense® software can be configured as a wireless access point.
Should an external AP or pfSense be used for an access point?
The access point functionality in FreeBSD, and thus pfSense, has improved dramatically over the years and is considered stable currently for most uses. That said, many use cases behave better with an external access point, especially deployments that have requirements such as 802.11ac, concurrent operation in 2.4GHz and 5GHz, wireless mesh networks, or rare cases with clients that will not associate with an access point run using pfSense.
Access points on pfSense have been used with success in small-to-medium deployments, with gear such as a MacBook Pro, Apple AirTunes, iPod Touch, iPad, Android phones and tablets, various Windows laptops, Xbox, and FreeBSD clients and it works very reliably across all these devices. There is the possibility of finding incompatible devices with any access point, and FreeBSD is no exception.
The main deciding factor these days is 802.11n or 802.11ac support; support for 802.11n hardware in pfSense is somewhat limited and 802.11ac support does not exist. This is a deal breaker for some, and as such using an external access point would be best for networks requiring 802.11ac and in some cases 802.11n if suitable hardware cannot be obtained.
The next most common factor is location of the antennas or the wireless access point in general. Often, the firewall running pfSense is located in an area of the building that is not optimal for wireless, such as a server room in a rack. For ideal coverage, the best practice is to locate the AP in an area that is less susceptible to wireless interference and that would have better signal strength to the area where wireless clients reside. If the firewall running pfSense is located alone on a shelf in a common area or other similar area conducive to good wireless signal, this may not be a concern.
Configuring pfSense as an access point
The process of configuring pfSense to act as a wireless access point (AP) is relatively easy. Many of the options will be familiar to anyone who has configured other wireless routers before, and some options may be new unless commercial-grade wireless equipment has been used. There are dozens of ways to configure access points, and they all depend upon the environment in which it will be deployed. In this example pfSense is configured as a basic AP that uses WPA2 encryption with AES. In this example, ExampleCo needs wireless access for some laptops in the conference room.
Preparing the Wireless Interface
Before starting, ensure that the wireless card is installed in the firewall and the pigtails and antennas are firmly attached.
Create the wireless instance as described in Creating and Managing Wireless Instances if it does not already exist. When working as an access point, it must use Access Point mode. The wireless card must be assigned as an OPT interface and enabled before the remaining configuration can be completed.
When in use as an access point, naming the interface WLAN (Wireless LAN) or Wireless, or naming it after the SSID makes it easier to identify. If pfSense will be driving multiple access points, there should be some way to distinguish them, such as “WLANadmin” and “WLANsales”. In this example, it is named ConfRoom.
Since this example will be an AP on a dedicated IP subnet, the IPv4 Configuration Type must be set to Static IPv4.
An IPv4 Address and subnet mask must be specified. This is a separate subnet from the other interfaces. For this example it can be 192.168.201.0/24, a subnet that is otherwise unused in the ExampleCo network. Using that subnet, the IPv4 Address for this interface will be 192.168.201.1.
Common Wireless Settings
These settings are shared for all VAPs on a given physical wireless card. Changing these settings on one interface will change them on all other virtual interfaces using the same physical adapter.
Persist common settings
By checking Persist common settings, the configuration values in this section will be preserved even if all the interfaces and VAPs are deleted or reassigned, when they would otherwise be lost.
Depending upon hardware support, there are several choices available for the wireless Standard setting, including 802.11b, 802.11g, 802.11g turbo, 802.11a, 802.11a turbo, 802.11ng, 802.11na, and possibly others. For this example, we will choose 802.11ng for an 802.11n access point operating in the 2.4GHz band.
802.11g OFDM Protection Mode
The 802.11g OFDM Protection Mode setting is only useful in mixed standard environments where 802.11g and 802.11b have to interact. Its primary use is for avoiding collisions. Given the age of 802.11b and scarcity of working devices that use it, the setting is best left at Protection mode off. There is a performance penalty for using it, since it has some overhead on each frame and also requires extra steps when transmitting frames.
Wireless Channel Selection
When selecting a Channel, knowledge of nearby radio transmitters in similar frequency bands is required to avoid interference. In addition to wireless access points, there are also cordless phones, Bluetooth, baby monitors, video transmitters, microwaves, and many other devices that utilize the same 2.4 GHz spectrum that can cause interference.
Often any channel will work so long as the AP clients are near the antenna. With 802.11g and before, the safest channels to use were 1, 6, and 11 since their frequency bands did not overlap each other. This is no longer true with 802.11n and later or even some 802.11g setups which use wider ranges of frequencies to attain higher speeds. For this network, since there are no others around, channel 1 is a fine choice.
Always pick a specific channel. Do not select Auto for the channel of an Access Point. The input validation on current versions of pfSense prevents this from being selected.
When using other standards, or using wireless in countries other than the US, there may be many more channels available than described here. Cards that support 802.11a or 802.11n may also support channels in the 5 GHz spectrum.
The full list of channels supported by the card is shown in the Channel drop-down and must agree with the chosen Standard. For example, do not choose 802.11ng for the Standard and then pick a Channel used only for 802.11na. The channel list also includes some information about the standard, frequency of the channel, and the maximum transmit power both of the card and in the regulatory domain for that particular channel. Be careful to watch the power when selecting a channel, because some channels, especially in the 5GHz band, vary widely in their allowed power levels.
Survey tools such as NetSurveyor, InSSIDer, Wi-Spy, and countless other apps for various operating systems, phones, tablets, and so on may help to choose a less busy channel or area of the spectrum. Mileage may vary.
Measured in meters, and only supported by Atheros cards, the Distance Setting field tunes ACK/CTS timers to fit the distance between AP and client. In most cases it is not necessary to configure this value, but it may help in certain tricky wireless setups such as long-range clients.
Regulatory settings
The Regulatory settings section controls how the card is allowed to transmit legally in a specified region. Different countries typically have different regulatory settings, and some countries have none. If unsure, check with the local government to see which laws apply in a given area. The default values are usually OK, as the cards may be set to a specific region already. In some cases Regulatory settings must be set manually if the card has a default not understood by the driver. Similar to the previous section, these values are applied to the card itself and cannot vary between VAPs on the card.
While it may be tempting to set the card to Debug in order to use settings not otherwise allowed, this action could result in legal trouble should it be noticed. The likelihood of this happening varies greatly by country/area so use that with caution.
The Regulatory Domain is the governmental body that controls wireless communications in a region. For example, the US and Canada follow FCC regulations while in the UK it’s ETSI. If unsure of the regulatory domain in a region, see the Country setting.
Sometimes specific countries inside a regulatory domain have different restrictions. The Country option contains a drop-down list of many countries throughout the world and their associated country codes and regulatory domains.
Certain restrictions exist for Indoor and Outdoor transmissions as well. Setting the Location of the transmitter will further adjust the allowed transmission power and/or channels.
Network-specific wireless configuration
These settings are unique per interface, even on virtual wireless interfaces. Changing these settings does not affect any other interfaces.
Set the Mode field to Access Point, and pfSense will use hostapd to act as an AP.
Service Set Identifier (SSID)
The SSID is the “name” of the AP as seen by clients. Set the SSID to something readily identifiable yet unique. Keeping with the example, ConfRoom is a good name to use.
Minimum wireless standard
The Minimum wireless standard drop-down controls whether or not older clients are able to associate with this access point. Allowing older clients may be necessary in some environments if devices are still around that require it. Some devices are only compatible with 802.11g and require a mixed network g/n in order to work. The flip side of this is that slower speeds may be seen as a result of allowing such devices on the network as the access point will be forced to cater to the lowest common denominator when an 802.11g device is transmitting at the same time as an 802.11n device. In our example conference room, users will only be using recently purchased company-owned laptops that are all capable of 802.11n, so 802.11n is the best choice.
If Allow intra-BSS communication is checked, wireless clients will be able to see each other directly. If clients will only need access to the Internet, it is typically safer to uncheck this option. In this scenario, users in the conference room may need to share files back and forth directly between laptops, so this will stay checked.
Wireless Multimedia Extensions, or WME, is a part of the wireless standard that provides some Quality of Service for wireless traffic to ensure proper delivery of multimedia content. It is required for 802.11n to operate, but is optional for older standards. This feature is not supported by all cards/drivers.
Normally the AP will broadcast its SSID so that clients can locate and associate with it easily. This is considered by some to be a security risk, announcing to all who are listening that a wireless network is available, but in most cases the convenience outweighs the (negligible) security risk. The benefits of disabling SSID broadcasting are overblown by some, as it does not actually hide the network from anyone capable of using many freely available wireless security tools that easily find such wireless networks. For our conference room AP, we will leave this unchecked to make it easier for meeting attendees to find and use the service.
Wireless Encryption (WPA)
Two types of encryption are supported for 802.11 networks: WPA, and WPA2. WPA2 with AES is the most secure. Even when not worrying about encrypting the over-the-air traffic (which should be done), it provides an additional means of access control. All modern wireless cards and drivers support WPA2.
Wireless Encryption Weaknesses
WEP has had serious known security problems for years, and support for WEP has been removed from pfSense. It is possible to crack WEP in a matter of minutes at most, and it should never be relied upon for security. If WEP is required, an external AP must be used.
TKIP (Temporal Key Integrity Protocol), part of AES, became a replacement for WEP after it was broken. It uses the same underlying mechanism as WEP, and hence is vulnerable to some similar attacks. These attacks have become more practical and TKIP is no longer considered secure. TKIP should never be used unless devices are present that are incompatible with WPA or WPA2 using AES. WPA and WPA2 in combination with AES are not subject to these flaws in TKIP.
In this example, the ConfRoom wireless must be secured with WPA2.
This checkbox enables WPA or WPA2 encryption, so it should be checked.
WPA Pre-Shared Key
Enter the desired wireless key, in this example excoconf213.
WPA or WPA2; in this example, WPA2.
WPA Key Management Mode
Can be Pre-Shared Key (PSK) or Extensible Authentication Protocol (EAP). In this example, PSK is sufficient.
This should almost always be set to AES, due to the weaknesses in TKIP mentioned previously.
Group Key Rotation
This option allows setting how often the broadcast/multicast encryption keys (Group Transient Key, GTK) are rotated, in seconds. It can be any value from 1 to 9999 but it should be shorter than the Group Master Key Regeneration value. The default value of 60 seconds (one minute) is adequate. Lower values may be more secure but may bog things down with frequent rekeying.
Group Master Key Regeneration
This parameter controls how often, in seconds, the master key (Group Master Key, GMK) used internally to generate GTKs is regenerated. It can be any value from 1 to 9999 but it should be longer than the Group Key Rotation value. The default value of 3600 seconds (one hour) is adequate.
Strict Key Regeneration
This option causes the firewall to change the GTK whenever a client leaves the access point, much like changing the passwords when an employee leaves. There may be a slight performance penalty in cases where there is a high turnover of clients. In cases where security is not a primary concern, this can be left disabled.
IEEE 802.1X Authentication (WPA Enterprise)
Another type of supported wireless security is known as IEEE 802.1X Authentication, or more commonly referred to as WPA Enterprise or WPA2 Enterprise. This mode allows using a more traditional username and password entry in order to gain access to the wireless network. The downside is that this authentication must be done via RADIUS servers. If an existing RADIUS server is already present or easily deployed, it may be a viable source of wireless access control. In this example, 802.1X is not used but the options are explained.
The FreeRADIUS package can fulfill this purpose.
Some older operating systems may not properly handle 802.1X or may have long delays after failed authentication attempts, but there are typically workarounds for those issues via OS updates or patches.
Clients must also be configured to properly access the service. Some may pick up the proper settings automatically, others may need to be set to a specific mode (e.g. PEAP) or may need certificates loaded. The specific values depend on the RADIUS server settings.
To get started with 802.1X authentication, first set WPA Key Management to Extensible Authentication Protocol.
Enable 802.1X Authentication
When checked, 802.1X authentication support is enabled and required of clients.
Primary 802.1X Server
The preferred server for 802.1X authentication.
The IP address of the preferred RADIUS server to use for 802.1X client authentication.
The port upon which to contact the RADIUS server for authentication requests, typically 1812 .
The password to use when communicating with the RADIUS server from this firewall. This must match the shared secret defined for this firewall on the RADIUS server.
Secondary 802.1X Server
The same parameters as above, but for a secondary RADIUS server in case the first one is unreachable.
Authentication Roaming Preauth
This option sets up pre-authentication to speed up roaming between access points. This will perform part of the authentication process before the client fully associates to ease the transition.
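pfSense drives the access point with hostapd, so the GUI options in the WPA and 802.1X sections above end up as hostapd directives. The fragment below is an added illustration written for this page, not pfSense's generated hostapd file; it assumes the card is ath0, the regulatory country is US (FCC), the LAN interface used for pre-authentication is em0, and the RADIUS address and shared secret are placeholders.

```ini
# Added example, not pfSense's generated hostapd file: how the ConfRoom
# settings map onto hostapd directives. Assumptions: the card is ath0, the
# regulatory domain is US (FCC), the LAN interface is em0; the RADIUS
# address and shared secret are placeholders. hostapd only accepts
# whole-line comments, so none are placed after a value.
interface=ath0
# FreeBSD net80211 backend used by pfSense
driver=bsd

# Common wireless settings: apply to every VAP on this physical card.
# Standard 802.11ng = 2.4 GHz 802.11g band with 802.11n (HT) enabled.
hw_mode=g
ieee80211n=1
# A fixed channel; pfSense input validation rejects "Auto" for an AP.
channel=1
# Regulatory domain / country: limits channels and transmit power.
country_code=US
ieee80211d=1

# Network-specific settings: unique to this VAP.
ssid=ConfRoom
# 0 = broadcast the SSID (hiding it offers only negligible security).
ignore_broadcast_ssid=0
# 0 = allow intra-BSS communication (clients can reach each other);
# set 1 to isolate clients that only need Internet access.
ap_isolate=0
# WME/WMM is mandatory for 802.11n operation.
wmm_enabled=1
# Minimum wireless standard 802.11n: reject clients without HT support.
require_ht=1

# Wireless encryption: WPA2 (RSN) only with the AES-CCMP pairwise cipher.
# wpa=3 would additionally admit WPA1/TKIP clients, so it is not used.
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=excoconf213
rsn_pairwise=CCMP
# Group Key Rotation: GTK rotated every 60 s (must be shorter than GMK).
wpa_group_rekey=60
# Group Master Key Regeneration: GMK renewed every 3600 s.
wpa_gmk_rekey=3600
# Strict Key Regeneration: rotate the GTK whenever a station leaves.
wpa_strict_rekey=1

# WPA2 Enterprise alternative (802.1X): replace wpa_key_mgmt and
# wpa_passphrase above with the following, pointing at the RADIUS server.
#ieee8021x=1
#wpa_key_mgmt=WPA-EAP
#auth_server_addr=192.0.2.10
#auth_server_port=1812
#auth_server_shared_secret=PLACEHOLDER_SHARED_SECRET
# Authentication Roaming Preauth: pre-authenticate over the wired LAN
# before the client fully associates with this AP.
#rsn_preauth=1
#rsn_preauth_interfaces=em0
```

The two uncommented PSK lines and the commented EAP block are mutually exclusive; a secondary RADIUS server is expressed in hostapd by repeating the three auth_server_* directives.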
Finishing AP Settings
The previous settings are enough to get a wireless access point running with 802.11n with WPA2 + AES encryption. When the settings are complete, click Save, then Apply Changes.
Configuring DHCP
Now that an entirely separate network has been created, DHCP must be enabled to automatically provide associating wireless clients an IP address. Browse to Services > DHCP Server, click on the tab for the wireless interface (ConfRoom for this example). Check the box to Enable, set whatever size range will be needed, and any additional options desired, then click Save and Apply Changes. For more details on configuring the DHCP service, see DHCP.
Adding Firewall Rules
Since this wireless interface is an OPT interface, it will have no default firewall rules. At the very least a rule must be added to allow traffic from this subnet to any destination. Since the conference room users will need internet access and access to other network resources, a default allow rule will be fine in this case. To create the rule:
Navigate to Firewall > Rules
Click on the tab for the wireless interface (ConfRoom for this example).
Click Add and configure a rule as follows:
A wireless card in a firewall running pfSense® software can be used as the primary WAN interface or an additional WAN in a multi-WAN deployment.
Interface assignment
If the wireless interface has not yet been assigned, there are two possible choices: Add it as an additional OPT interface or reassign it as WAN.
Before starting, create the wireless instance as described in Creating and Managing Wireless Instances if it does not already exist. When working as a WAN, it must use Infrastructure mode (BSS).
To add the interface as a new OPT interface:
Browse to Interfaces > Assignments
Select the wireless interface from the Available network ports drop-down below the other interfaces
Click Add to add the interface as an OPT interface
To reassign the wireless interface as WAN:
Browse to Interfaces > Assignments
Select the wireless interface as WAN
Figure Wireless WAN Interface Assignment shows an Atheros card assigned as WAN.
Figure: Wireless WAN Interface Assignment
Configuring the wireless network
Most wireless WANs need only a handful of options set, but specifics vary depending on the Access Point (AP) to which this client interface will connect.
Browse to the Interfaces menu for the wireless WAN interface, for example Interfaces > WAN
Select the type of configuration (DHCP, Static IP, etc.)
Scroll down to Common Wireless Configuration
Set the Standard to match the AP, for example 802.11g
Select the appropriate Channel to match the AP
Scroll down to Network-specific Wireless Configuration
Set the Mode to Infrastructure (BSS) mode
Enter the SSID for the AP
Configure encryption such as WPA2 (Wi-Fi Protected Access) if in use by the AP
Review the remaining settings if necessary and select any other appropriate options to match the AP
Click Save
Click Apply Changes
Checking wireless status
Browse to Status > Interfaces to see the status of the wireless interface. If the interface has successfully associated with the AP it will be indicated on the status page. A status of associated means the interface has connected to the AP successfully, as shown in Figure Associated Wireless WAN Interface.
Figure: Associated Wireless WAN Interface
If the interface status shows No carrier, it was unable to associate. Figure No carrier on wireless WAN shows an example of this, where the antenna was disconnected so it could not connect to a wireless network that was some distance away.
Figure: No carrier on wireless WAN
Showing available wireless networks and signal strength
The wireless access points visible by the firewall may be viewed by navigating to Status > Wireless as shown in Figure Wireless Status.
A wireless interface must be configured before this menu item will appear.