Can somebody give a noob friendly rundown of using a dedicated AP with pfSense?

Every guide I can find online talks about how to configure an internal PCIx NIC as an access point. Even Tek Syndicate's own pfSense video! But I have a unit from EnGenius that needs to be hooked up to the router via ethernet. I have already set the AP system IP as, gateway as (to pfSense router) all /24. Beyond that, I'm pretty sure I have no idea what I'm doing. Help?

The easiest configuration for pfSense would be to have one connection go to the WAN and one to the LAN. Then use an old router as a switch/WAP (there are tutorials online on how to do that).

All you need to do is connect it to your LAN; you don't need to do anything in pfSense for it to work.

That's what I thought but trying to access the AP configuration through with the router in between doesn't work in contrast to connecting the AP directly to a PC.

How do you have it set up? What you want is pfSense LAN - switch - AP with all your other LAN devices on the switch. If you have the AP on a different interface than your LAN then you need to set up firewall rules to allow access between the two networks.

Currently: pfSense LAN - AP and other LAN devices connected right to pfSense interfaces.

The router machine has three rj-45 ports. My intention was to have a port for WAN, a port for a server and the last port to the wireless AP.

Okay. The simple solution is to have one port for WAN and one for LAN and then use a switch to connect everything. You can have it the way you have it now but that will be a much simpler solution.

If you don't want to use a switch, the first thing you need to do is make sure you have both the interfaces set up properly. Have you assigned an interface to both NICs? By default pfSense will configure one for WAN and one for LAN, so if you haven't set up the OPT1 interface yet you'll need to do that first. Go to interfaces>assign and then add the other NIC there. Then go to interfaces>OPT1 and enable the interface and configure it. You'll need to give it an IP address which will need to be in a different subnet to the one you're using for LAN. (You'll also need to set up a separate DHCP range for this interface as well if you want to use DHCP.) And you'll need to make sure that the IP address of the AP is also part of the subnet of whichever interface you choose to connect it to.

Once you have that set up you need to make firewall rules. If you just want to allow traffic between both interfaces then create a rule like this on both interfaces (by default the LAN interface will already have this rule)

Basically you want to set the action to pass, the protocol to any, and the source and destination to any as well. You need a rule like this on both the LAN and OPT1 interfaces (but not the WAN interface).

If you want to restrict traffic between the interfaces then you need to make rules for that. You can allow access only from certain IPs or devices or only on certain ports. But the allow any rules will let all traffic between the interfaces.

The configuration done here is all really on the AP.

If this is a WiFi router that you are using as an AP then you need to look up how to set the router to just be an AP, and connect a LAN port of the WiFi router to a port on your switch.

I would set up a static IP for the device that is outside of your DHCP scope but inside your subnet.
Should be able to work with a Dynamically assigned IP from the pfSense box.
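
An added example, not part of the thread or of pfSense itself: a small Python check of the addressing advice above (each interface in its own subnet, DHCP range inside that subnet, the AP's static IP inside the interface subnet but outside the DHCP pool). The function name `check_plan`, the plan layout and all addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_plan(interfaces, static_hosts):
    """Return a list of problems in an interface addressing plan.

    interfaces:   {name: {"addr": "192.168.1.1/24", "dhcp": (start, end) or None}}
    static_hosts: {label: (interface_name, ip)}
    """
    problems = []
    nets = {n: ipaddress.ip_interface(c["addr"]).network for n, c in interfaces.items()}

    # Each routed interface needs its own subnet (the LAN/OPT1 mistake in the thread).
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")

    # A DHCP range must sit entirely inside its interface's subnet.
    for name, cfg in interfaces.items():
        if cfg.get("dhcp"):
            lo, hi = (ipaddress.ip_address(x) for x in cfg["dhcp"])
            if lo > hi or lo not in nets[name] or hi not in nets[name]:
                problems.append(f"{name} DHCP range {lo}-{hi} not inside {nets[name]}")

    # Static devices (the AP): inside the subnet, outside the DHCP pool.
    for label, (ifname, ip) in static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in nets[ifname]:
            problems.append(f"{label} {addr} is not in {ifname} subnet {nets[ifname]}")
        dhcp = interfaces[ifname].get("dhcp")
        if dhcp and ipaddress.ip_address(dhcp[0]) <= addr <= ipaddress.ip_address(dhcp[1]):
            problems.append(f"{label} {addr} falls inside the {ifname} DHCP pool")
    return problems

# Constructed sample plans (addresses are made up, not taken from the thread).
BROKEN = {"LAN": {"addr": "192.168.1.1/24", "dhcp": ("192.168.1.100", "192.168.1.199")},
          "OPT1": {"addr": "192.168.1.2/24", "dhcp": None}}
FIXED = {"LAN": {"addr": "192.168.1.1/24", "dhcp": ("192.168.1.100", "192.168.1.199")},
         "OPT1": {"addr": "192.168.2.1/24", "dhcp": ("192.168.2.100", "192.168.2.199")}}

if __name__ == "__main__":
    for plan, ap_ip in ((BROKEN, "192.168.1.150"), (FIXED, "192.168.2.10")):
        print(check_plan(plan, {"AP": ("OPT1", ap_ip)}) or "plan OK")
```
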

Neat, extremely thorough. Reading that, I realize one of my mistakes was to have LAN and OPT1 (WiFiAP) on the same subnet. I will try this firewalling method first since my only network switch is only 10/100. Which leads me to other questions:

  1. Is it usually the case for router, switch and AP to be totally separate in real network deployments?

  2. If I do add a switch, which unit would be responsible for governing bandwidth of various MAC addresses?

1: Yes

2: I would say the access point, although you could also do it in pfSense.

So update: I now understand how to configure it without a switch, thanks. However, considering the amount of babying it will take to maintain that configuration as I add packages, rules, updates and whatnot, I can see the value everyone places on using switches.

I plugged in my crappy, unmanaged switch and everything just worked! No tweaking necessary. If I decide that it needs gigabit later there are 10/100/1000 switches for dirt cheap. Thanks for all the assistance everybody.

TP Link makes nice unmanaged switches that are really nice and stupid cheap. Actually, they're Smart switches.

8 port

5 port

9K frames QoS, MTU/Port/Tag based VLANs, and IGMP support all under $30.

Buy the one you need; it's worth it.