How to configure Wi-fi+Lan bridged access point in pfSense firewall router

Last updated August 17, 2016

I have installed a wireless mini-PCIe card for my pfSense firewall. How do I configure a bridged LAN wifi access point (AP) network and set up pfSense?

In this tutorial, I will explain how to set up a bridged LAN Wi-Fi network access point using pfSense. I am going to assume that you need to configure the access point in bridged mode. Our current setup looks as follows on the console:
Fig.01: The default WAN (igb0) and LAN (igb1) interfaces

The bridge will include LAN (igb2) and Wifi (ath0) interfaces:

bridge0 = LAN + WIFI

You need to configure an additional interface (OPT1) and swap the interfaces as follows:

  1. WAN = Public IP/upstream router IP
  2. LAN = bridge0
  3. OPT1 = LAN (igb2)
  4. OPT2 = ath0 (wifi) (I’m using this Atheros AR9280 chipset based mini-PCIe card from Amazon)

You do not want to lose connectivity to your web interface, so you need the help of OPT1. Do not assign an IP address to the bridge0 or ath0 (wifi) interfaces. Make sure the DHCP server is enabled for the LAN interface. Let’s get our hands dirty and make a pfSense-based all-in-one access point.

Step #1: Add OPT1 and OPT2 interface

Click on the Interfaces > Assign

Fig.02: The default WAN, LAN, and unconfigured ath0 wifi interfaces

Select the igb3 network port from the drop-down menu (or whichever port is free in your router) and click on the Add button to create OPT1:
Fig.03: Adding OPT1 interface

Next, repeat the same step to add the OPT2 interface with ath0 as the network port. At the end you should have four interfaces as follows:
Fig.04: Four interfaces

Step #2: Enable OPT1 interface

Click on the Interfaces > Assign > OPT1 and set it as follows:

Fig.05: Enable OPT1 with no IPv4 or IPv6 settings

Make sure you SAVE the changes.

Step #3: Enable OPT2 (ath0 wifi AP) interface

Click on the Interfaces > Assign > OPT2 and set it as follows (i.e., activate the access point):

Fig.06: Enable OPT1 with no IPv4 or IPv6 settings. Make sure you set standard and channel too.

Scroll down a little and set the mode to ACCESS POINT, set the SSID, select WME, enable WPA, set the WPA pre-shared key (wifi password), set WPA mode to WPA2, and set WPA pairwise to AES as follows:
Fig.07: Set Wi-fi (OPT2/ath0) settings

Make sure you SAVE the changes. Please set a different and strong pre-shared key and SSID for your network.

Step #4: Create a bridge (OPT1+OPT2)

Click on the Interfaces > Assign > select Bridges tab > click on Add button:

Fig.08: Add a new bridge (OPT1+OPT2)

Make sure you select both the OPT1 and OPT2 interfaces under Member Interfaces. Click on the save button.

Step #5: Assign correct interface

You need to swap and set the correct network port for the LAN and OPT1 interfaces as follows:

| Interface | Old network port | New network port |
|-----------|------------------|------------------|
| LAN       | igb2             | BRIDGE0          |
| OPT1      | igb3             | igb2             |

Fig.09: Note down old network port values for LAN and OPT1 before swap

Next, assign the BRIDGE0 port to your LAN interface. Then assign the port that was originally assigned to your LAN interface to OPT1:
Fig.10: Set LAN interface network port to BRIDGE0 and old value of LAN interface to OPT1

Click on the save button. pfSense takes a little time to reload all changes, and there is no loss in network connectivity. You have just finished configuring the bridge that includes your LAN and wifi interfaces. Finally, click on the pfSense logo to see your network status on the dashboard:
Fig.11: pfSense wifi access point configured and working

Finally, tweak the wireless settings as per your needs. Also, don’t forget to set up the firewall rules for traffic to pass.
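To confirm from the console that the finished bridge contains only the intended ports, the following added example (not part of the original tutorial) parses FreeBSD-style `ifconfig` output and fails if bridge0 has a missing or unexpected member, or if a member port carries its own IPv4 address. The sample output is constructed, and the function names `sample_ifconfig` and `audit_bridge` are hypothetical.

```shell
#!/bin/sh
# Added example: audit bridge membership from FreeBSD/pfSense `ifconfig` output.

# Constructed sample output; interface names follow the tutorial (igb2, ath0).
# Assumption: on a real box the wireless interface may show up under a cloned
# name such as ath0_wlan0; pass whatever name `ifconfig` prints.
sample_ifconfig() {
cat <<'EOF'
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:5e:00:53:02
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:5e:00:53:03
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:5e:00:53:00
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}

# audit_bridge BRIDGE MEMBER...   (reads ifconfig output on stdin)
# Passes only if BRIDGE has exactly the listed members and none of them
# carries its own IPv4 address. Exit status 0 = pass, 1 = fail.
audit_bridge() {
  bridge=$1; shift
  awk -v bridge="$bridge" -v want="$*" '
    /^[^ \t]/ { cur = $1; sub(/:$/, "", cur); next }   # interface header line
    $1 == "member:" && cur == bridge { member[$2] = 1 }
    $1 == "inet" { addr[cur] = $2 }
    END {
      n = split(want, w, " "); bad = 0
      for (i = 1; i <= n; i++) {
        if (!(w[i] in member)) { print "FAIL: " w[i] " is not a member of " bridge; bad = 1 }
        if (w[i] in addr) { print "FAIL: " w[i] " has IPv4 address " addr[w[i]]; bad = 1 }
      }
      for (m in member) {
        ok = 0
        for (i = 1; i <= n; i++) if (w[i] == m) ok = 1
        if (!ok) { print "FAIL: unexpected member " m " in " bridge; bad = 1 }
      }
      if (!bad) print "OK: " bridge " bridges exactly: " want
      exit bad
    }'
}

# Stand-alone run against the constructed sample.
sample_ifconfig | audit_bridge bridge0 igb2 ath0
```

On a live system, pipe the real output instead: `ifconfig | audit_bridge bridge0 <lan-port> <wifi-interface>`.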

Posted by: Vivek Gite


8 comments

  1. Do you need an additional LAN port to complete this interface swapping? I.e., do you need to temporarily place an additional network card to make Step #1 (need to make a free network port available) and remove this card after everything is configured as described?

  2. Great instructions that actually work. Some other posts out there talk about bridging, but they don’t do it correctly.

    Unless I am misunderstanding, it looks like we are essentially applying all of the firewall rules originally set up on the LAN interface to the newly created bridge.

    Thanks for creating this tutorial, donation sent!
