Pfsense Guest Wifi Alt Setup

I will preface this article by saying the setup used here is more or less the de facto corporate setup I have used for years. I know there are many ways to skin this cat; however, this setup is time tested and, in my opinion, has proven itself worthy of an article. In this article we will be using a single Linksys WRT-54GL as an access point connected to an OPTx interface on our Pfsense firewall.

Note: As of Pfsense 2.1.5, while wireless interfaces are supported, wireless interfaces with AP + WDS are not supported. This severely limiting factor is our main motivation for using the above setup since nearly every setup we have deployed has been extended using WDS. Information on AP + WDS is available here.

The first step in our setup is to log in to your firewall, go to Interfaces > Assign, and add an interface as highlighted in the picture below.

Once the interface is added, edit it and assign a static IP and an interface name, which in this case is and GWN (Guest Wireless Network) respectively.

Once that is complete, navigate to Firewall > Rules and assign a base rule on the GWN tab that allows traffic over the interface, as seen above. Note that under the source column you will see NETS_GWN, which is an alias that will hold the IP address of the wireless router. NETS_GWN can be replaced with the IP address assigned to the wireless router as described below.

Now log in to your wireless router and assign a static IP to the WAN interface, as seen in the picture to the left. Note that the static IP is

Once the IP is assigned, up-link your wireless router to the GWN Pfsense interface using a network cable. Once up-linked, connect to the wireless router via the wireless interface and ensure you have network connectivity to the internet.

Once you have verified internet connectivity, you can move on to the next step, which is adding blocking rules to all other interfaces except the WAN on your firewall, as highlighted in the picture below. Information on adding firewall rules to Pfsense can be found here.

Once again, connect to the wireless router via the wireless interface and ensure you have network connectivity to the internet, then ensure your access to your other Pfsense networks is being blocked by trying to ping a known good IP address in the blocked network that is not the gateway address, as seen below.

Once you have verified that, the last step is to disable access to the Pfsense admin interface from the Guest Wireless Network. See the picture below and note that “GWN address” in the destination represents the GWN interface IP and PORTS_HTTP is an alias placeholder for ports 80 and 443.

That is it. You should now have a Guest Wireless Network that is totally isolated from the rest of your internal networks in Pfsense.
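
The connectivity checks described above can be scripted and re-run from a laptop joined to the guest wireless network after every rule change. This is an added example, not part of the original article; it uses TCP connects instead of ping, and every host and port in CHECKS is a placeholder assumption to replace with your own values.

```python
import socket

# Placeholder targets (assumptions, not values from the article): replace before use.
# The internal host must be one known to listen on the chosen port, otherwise a
# closed port would look the same as a working block rule.
CHECKS = [
    # (label, host, port, should_connect)
    ("internet over HTTPS",               "example.com", 443, True),
    ("internal host, known-open port",    "192.0.2.10",  22,  False),
    ("Pfsense GUI on GWN address, HTTP",  "192.0.2.1",   80,  False),
    ("Pfsense GUI on GWN address, HTTPS", "192.0.2.1",   443, False),
]

def tcp_state(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open, rejected or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "rejected"   # a RST came back: reject rule or closed port
    except OSError:
        return "filtered"   # timeout, unreachable or DNS failure: silent drop

def audit(checks, probe=tcp_state):
    """Return (label, state, passed) per check; passed means state matches policy."""
    results = []
    for label, host, port, should_connect in checks:
        state = probe(host, port)
        results.append((label, state, (state == "open") == should_connect))
    return results

if __name__ == "__main__":
    failed = False
    for label, state, passed in audit(CHECKS):
        print(f"{'PASS' if passed else 'FAIL'}  {label}: {state}")
        failed |= not passed
    raise SystemExit(1 if failed else 0)
```

A FAIL on any of the last three rows means a guest client can still reach an internal network or the firewall's admin interface, so the block and reject rules need another look.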

Note: If you would like to throttle the bandwidth on your Guest Wireless Network, please see Pfsense Wifi Bandwidth Limiter.
