Netgate is offering COVID-19 aid for pfSense software users, learn more.

Using an External Access Point

Most SOHO-style wireless routers can be used as an access point if a true Access Point (AP) is not available. If pfSense® replaced an existing wireless router, it could still be used to handle the wireless portion of the network if desired. This type of deployment is popular for wireless because it is easier to keep the access point in a location with better signal and take advantage of more current wireless hardware without relying on driver support in pfSense. This way an 802.11ac wireless network may still be used and secured by pfSense at the border, even though pfSense does not yet have support for 802.11ac cards.

This technique is also commonly used with wireless equipment running *WRT, Tomato, or other custom firmware for use as dedicated access points rather than edge routers.

Turning a wireless router into an access point

When replacing a simple wireless router such as a Linksys, D-Link or other home grade device with pfSense as a perimeter firewall, the wireless functionality can be retained. To convert the wireless router into a wireless access point, follow these generic steps for any device. To find specifics for a particular wireless router, refer to its documentation.

Disable the DHCP server

Disable the DHCP server on the wireless router to prevent a conflict. pfSense will handle this function for the network, and having two DHCP servers on the same broadcast domain will cause problems.

Change the LAN IP address

Change the LAN IP address on the wireless router to an unused IP address in the subnet where it will reside (commonly LAN). If the firewall running pfSense replaced this wireless router, then the wireless router was probably using the same IP address now assigned to the pfSense LAN interface, so it must be changed. A functional IP address on the access point is required for management purposes and to avoid IP address conflicts.

Plug in the LAN interface

Most wireless routers bridge their wireless network to the internal LAN port or switch ports. This means the wireless segment will be on the same broadcast domain and IP subnet as the wired ports. For routers with an integrated switch, any of the LAN switch ports will typically work.


Do not plug in the WAN or Internet port on the wireless router! This will put the wireless network on a different broadcast domain from the rest of the network and the wireless router will perform NAT on the traffic between the wireless and LAN. This also results in double NAT of traffic between the wireless network and the Internet. This is an ugly design, and will lead to problems in some circumstances, especially if communication must occur between wireless and wired LAN clients.

Deciding where to connect the LAN interface from wireless router depends on the chosen network design. The next sections cover options and considerations for selecting the best deployment style.

Bridging wireless to the LAN

One common means of deploying wireless is to plug the access point directly into the same switch as the LAN hosts, where the AP bridges the wireless clients onto the wired network. This will work fine, but offers limited control over the ability of the wireless clients to communicate with internal systems. See Choosing Routing or Bridging for details on bridging in this role.

Bridging wireless to an OPT interface

For increased control over wireless clients, adding an OPT interface to the firewall for the access point is the preferred solution. To keep wireless and wired networks on the same IP subnet and broadcast domain, the OPT interface may be bridged to the LAN interface. This scenario is functionally equivalent to plugging the access point directly into the LAN switch, except pfSense can filter traffic from the wireless network to provide protection to LAN hosts and vice versa.


A configuration with the bridge assigned as LAN is optimal here, rather than only having the OPT bridged to the existing wired LAN.

Routed segment on an OPT interface

The wireless network can also be placed on a separate IP subnet if desired. This is done without bridging the OPT interface on pfSense, instead assigning it with an IP address in a separate subnet different from the LAN. This enables routing between internal and wireless networks, as permitted by the firewall ruleset. This is commonly done on larger networks, where multiple access points are plugged into a switch that is then plugged into the OPT interface on pfSense. It is also preferable when wireless clients will be forced to connect to a VPN before allowing connections to internal network resources.