WiFi WAN uplink

After finding Lawrence’s videos on YouTube as a valuable source of information, I installed a Netgate 5100 with pfSense between my cable-based ISP and my LAN including servers to replace a previous solution. Recently my building has started installing a mandatory community WiFi with underlying fiber which supposedly will increase “speed and reliability.” While the Netgate device has a mini-PCIe slot where I can install a WiFi device, it seems that chip/driver compatibility leaves me destined to a lot of trial and error (please correct me if you know better). Alternatively I should be able to plug in a WiFi AP in bridge mode, but I won’t have control over the WiFi AP network for administration after deployment, and having administration available over WiFi post deployment would pose a security risk since it would be on a WAN. Are you aware of any existing device that can reliably provide such an uplink?

Netgate has a list of supported cards here: Wireless — Recommended Wireless Hardware | pfSense Documentation, but this type of configuration is not something we often run into or test. The bridge is probably the better option and you should be able to put IP-based restrictions or set up a management VLAN on the bridge to keep it secure.

Thank you for your thoughts, I appreciate it. I’ll do more research on the bridge solution. I had trouble restricting administration of my Cisco WAP (Mobility Express) to my management VLAN and discounted its viability, but maybe another brand like Unifi is better for my usage case.

I did this in the past with OpenWRT and an old Linksys wireless router. I had the AP act as a client on the WiFi which would then NAT all outbound traffic via its assigned IP. If you put this device as a WAN interface on your FW you would be able to protect traffic the same way as a wired internet connection.

Thank you. I may similarly end up using a Raspberry Pi 4 I have lying around as a WiFi bridge to evaluate the configuration, but I really don’t want the Netgate device behind a NAT and I want to maximize my potential bandwidth and reliability with WiFi 6.

This is some information I have found so far for anyone else looking at this:

  1. pfSense doesn’t currently support 802.11ac or 802.11ax and is limited to 802.11n, substantially limiting such an uplink’s bandwidth. Support for 802.11ac is in development with significant progress made for anyone that can hold out for that option.

  2. Unifi uses a proprietary bridging technology in their 802.11ac and 802.11ax devices making them incompatible for a generalized setup or is limited to 802.11n bridging devices, which again substantially limits such an uplink’s bandwidth.

  3. It seems that Cisco also won’t support this configuration by locking usage to a proprietary technology chain. This information was extrapolated from the mechanism I found online for configuring a bridge on their hardware, but wasn’t tested since my existing Cisco AP doesn’t support bridging and the overhead of purchasing one isn’t currently an acceptable risk for exploration.

  4. I obtained an older Linksys 802.11ac range extender and was able to configure it as a bridge by disabling the extension networks and as many of the other features as I could. I have yet to evaluate its actual bandwidth and how secure/isolated it is from the uplink AP, but may make better use of my time doing so with a current 802.11ax range extender given this success.