pfSense Wi-Fi Setup - Access Point and Security
The built-in Wi-Fi support in pfSense enables the system to function as a wireless access point without additional hardware. A wireless interface is created on top of a physical Wi-Fi adapter and configured through the pfSense web GUI in the same manner as wired interfaces. Once configured, the wireless interface receives its own firewall rules, DHCP server, and can be integrated with VLANs and Captive Portal.
Supported Wireless Chipsets
pfSense runs on FreeBSD, so wireless adapter compatibility is determined by drivers available in the FreeBSD kernel. Not all Wi-Fi adapters are supported, and not all supported adapters can operate in access point (hostap) mode.
Recommended Chipsets
| Chipset | FreeBSD Driver | AP Mode | Band | Notes |
|---|---|---|---|---|
| Atheros AR9280 | ath(4) | Yes | 2.4/5 GHz | Most compatible, dual-band |
| Atheros AR9287 | ath(4) | Yes | 2.4 GHz | Stable operation, 2.4 GHz only |
| Atheros AR9380 | ath(4) | Yes | 2.4/5 GHz | 802.11n 3x3 MIMO |
| Atheros AR9485 | ath(4) | Yes | 2.4 GHz | Common in laptops |
| QCA9565 | ath(4) | Yes | 2.4 GHz | Budget option |
| Ralink RT2860 | run(4) | Limited | 2.4 GHz | Not all AP features available |
Unsupported and Problematic Chipsets
Adapters based on Intel Wi-Fi (iwlwifi/iwm), Broadcom (bwn), Realtek (rtwn), and Mediatek do not support access point mode under FreeBSD or have significant limitations. USB-based adapters generally exhibit lower stability compared to PCIe and mini-PCIe variants.
Before purchasing an adapter, verify its compatibility in the FreeBSD wireless driver documentation. An Atheros AR92xx/AR93xx chipset in mini-PCIe form factor is the optimal choice for pfSense.
Creating a Wireless Interface
Verifying Adapter Detection
After installing the wireless adapter, confirm that pfSense recognizes the device. Navigate to Interfaces > Assignments and check for a wireless interface in the list of available network ports. Wireless adapters appear with a wlan suffix - for example, ath0 (physical adapter) and ath0_wlan0 (wireless interface).
If the adapter does not appear in the list, verify the physical connection and chipset compatibility. Device detection information is available through Diagnostics > Command Prompt by running:
sysctl net.wlan.devices
This command displays all wireless devices recognized by the kernel.
Assigning the Interface
- Navigate to Interfaces > Assignments
- Select the wireless adapter from the Available network ports dropdown
- Click Add to create a new interface (e.g., OPT1)
- pfSense automatically creates a wlan0 interface on top of the physical adapter
Configuring Interface Parameters
Navigate to the assigned interface configuration page (Interfaces > OPTn) and set the following parameters.
General settings:
- Enable - check the box to activate the interface
- Description - enter a descriptive name such as WIFI_CORP or WIRELESS
- IPv4 Configuration Type - select Static IPv4
- IPv4 Address - assign an IP address for the wireless interface (e.g., 192.168.100.1/24)
Wireless configuration (Common Wireless Configuration):
- Standard - select the Wi-Fi standard: 802.11ng for 2.4 GHz or 802.11na for 5 GHz
- Mode - select Access Point to create an AP
- SSID - enter the wireless network name
- Channel - choose a broadcast channel (Auto or a specific channel free from interference)
- Channel Width - channel width: 20 MHz for stability or 40 MHz (HT40) for throughput
Wireless Interface Operating Modes
pfSense supports several wireless interface operating modes, each designed for a specific use case.
Access Point (hostap)
The primary mode for creating a wireless network. pfSense acts as an access point to which client devices connect. All security features (WPA2/WPA3), channel management, and transmit power controls are available in this mode.
Infrastructure (BSS/Station)
Wireless client mode. pfSense connects to an existing access point as an ordinary client device. This is used in scenarios where pfSense receives its WAN connection over Wi-Fi - for example, when no wired internet connection is available.
Ad-hoc (IBSS)
Peer-to-peer networking mode without an access point. Devices communicate directly with each other. Practical applications are limited and this mode is not recommended for production environments.
Wireless Security
Security settings are configured in the wireless interface section under the Wireless Security tab (or the Authentication and Encryption section on the interface page).
WPA2 (Recommended Minimum)
WPA2 with AES-CCMP encryption represents the minimum acceptable security level for wireless networks.
| Parameter | Value |
|---|---|
| Enable WPA | Check the box |
| WPA Mode | WPA2 |
| WPA Key Management Mode | Pre-Shared Key |
| WPA Pre-Shared Key | Password of at least 12 characters |
| WPA Pairwise | AES (CCMP) |
Do not use TKIP - this encryption protocol is deprecated and contains known vulnerabilities. Mixed-mode encryption (TKIP+AES) is also inadvisable, as it reduces the overall security posture to the TKIP level.
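The following audit of the WPA settings above is an added example, not part of the original page or of pfSense's own code. It assumes the access point settings are available as hostapd-style key=value text (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, wpa_passphrase); both sample configurations are constructed.

```python
MIN_PSK_LEN = 12  # minimum passphrase length from the WPA2 table above

# Constructed sample: WPA1+WPA2, TKIP+AES mixed mode, short passphrase.
WEAK = """ssid=GUEST-WIFI
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=guest2024
wpa_pairwise=TKIP CCMP
"""
# Constructed sample matching the table: WPA2 only, PSK, AES (CCMP).
HARDENED = """ssid=GUEST-WIFI
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-sample-passphrase
rsn_pairwise=CCMP
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means the settings match the table."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA1, bit 1 = WPA2
    if wpa == 0:
        return ["WPA is not enabled"]
    findings = []
    if wpa & 1:
        findings.append("WPA1 is enabled; use wpa=2 (WPA2 only)")
    # WPA2 ciphers: rsn_pairwise, else wpa_pairwise, else hostapd's TKIP default.
    v1 = conf.get("wpa_pairwise", "TKIP")
    ciphers = set(conf.get("rsn_pairwise", v1).split()) if wpa & 2 else set()
    if wpa & 1:
        ciphers |= set(v1.split())
    if "TKIP" in ciphers:
        findings.append("TKIP is offered; allow CCMP only")
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "WPA-PSK").split():
        psk = conf.get("wpa_passphrase", "")
        if psk and len(psk) < MIN_PSK_LEN:
            findings.append("passphrase shorter than %d characters" % MIN_PSK_LEN)
    return findings
```

audit(WEAK) reports the WPA1, TKIP and passphrase findings, while audit(HARDENED) returns an empty list. A config that sets wpa=2 but names no cipher is still flagged, because the cipher then falls back to TKIP.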
WPA3
WPA3 provides enhanced protection through the SAE (Simultaneous Authentication of Equals) protocol, which eliminates vulnerabilities in the WPA2 four-way handshake. WPA3 support in pfSense depends on the FreeBSD version and wireless adapter driver. At the time of writing, full WPA3 support in AP mode remains limited.
For networks requiring WPA3, the recommended approach is to deploy an external access point with WPA3 support and connect it to pfSense as a wired interface or through a VLAN.
802.1X (RADIUS)
For enterprise wireless networks, pfSense supports 802.1X authentication through an external RADIUS server (FreeRADIUS). In this mode, each user or device authenticates individually, providing granular access control and the ability to revoke credentials without changing the shared network key.
RADIUS parameters are configured in the Authentication section of the wireless interface:
- WPA Key Management Mode - select Enterprise (802.1X/RADIUS)
- Authentication Server - enter the RADIUS server IP address
- Authentication Port - RADIUS port (default 1812)
- Authentication Secret - shared secret for RADIUS communication
Multiple SSIDs with VLAN Binding
pfSense supports creating multiple virtual wireless interfaces (VAP - Virtual Access Point) on a single physical adapter, provided the driver supports this functionality. Each VAP has its own SSID and can be bound to a separate VLAN.
Creating an Additional Wireless Interface
- Navigate to Interfaces > Assignments > Wireless (tab)
- Click Add to create a new virtual wireless interface
- Select the parent physical adapter (e.g., ath0)
- Set the mode to Access Point
- Save the configuration
The new virtual interface (e.g., ath0_wlan1) will appear in the list of available ports on the Interfaces > Assignments page, where it must be assigned as a separate interface.
Example Configuration with Two SSIDs
| Parameter | Corporate Network | Guest Network |
|---|---|---|
| Interface | ath0_wlan0 (OPT1) | ath0_wlan1 (OPT2) |
| SSID | CORP-WIFI | GUEST-WIFI |
| Security | WPA2-Enterprise (802.1X) | WPA2-PSK |
| Subnet | 192.168.100.0/24 | 192.168.200.0/24 |
| VLAN | 100 | 200 |
| DHCP | 192.168.100.10-254 | 192.168.200.10-254 |
| LAN Access | Permitted | Denied |
| Captive Portal | No | Yes |
For the guest network, configure firewall rules that deny access to internal subnets and permit only internet-bound traffic. Integration with Captive Portal enables a login page for guest authentication.
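The guest rule order can be checked before it is entered in the GUI. The model below is an added example, not pfSense code or part of the original page: it evaluates an ordered rule list first-match with a default block, as rules on a pfSense interface tab are processed, and replays constructed probes against it. The gateway address 192.168.200.1, the use of all RFC 1918 ranges as "internal subnets", and every name in the code are assumptions.

```python
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network
GUEST_GW = net("192.168.200.1/32")  # assumed guest interface address
# Assumption: "internal subnets" means all RFC 1918 space, which covers
# the corporate 192.168.100.0/24 from the table above.
INTERNAL = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
ANY = [net("0.0.0.0/0")]

# (action, protocol or None for any, destination networks, port or None)
GOOD_RULES = [
    ("pass", "udp", [GUEST_GW], 53),   # DNS on the firewall
    ("pass", "udp", [GUEST_GW], 67),   # DHCP on the firewall
    ("block", None, INTERNAL, None),   # no access to internal subnets
    ("pass", None, ANY, None),         # everything else is internet-bound
]
# Same rules with the broad pass moved first: it shadows the block.
BAD_RULES = [GOOD_RULES[3]] + GOOD_RULES[:3]

def decide(rules, proto, dst, port):
    """Return the action of the first matching rule; no match means block."""
    for action, r_proto, r_nets, r_port in rules:
        if r_proto not in (None, proto):
            continue
        if r_port not in (None, port):
            continue
        if any(ip(dst) in n for n in r_nets):
            return action
    return "block"

# Constructed probes: (protocol, destination, port, expected action)
PROBES = [
    ("tcp", "192.168.100.10", 445, "block"),  # corporate subnet
    ("tcp", "10.0.0.5", 22, "block"),         # other internal range
    ("udp", "192.168.200.1", 53, "pass"),     # DNS on the firewall
    ("udp", "192.168.200.1", 67, "pass"),     # DHCP on the firewall
    ("tcp", "203.0.113.10", 443, "pass"),     # internet (documentation range)
]

def violations(rules):
    """Return the probes whose outcome differs from the guest policy."""
    return [(p, d, port) for p, d, port, want in PROBES
            if decide(rules, p, d, port) != want]

if __name__ == "__main__":
    print("good order:", violations(GOOD_RULES))
    print("bad order: ", violations(BAD_RULES))
```

With the broad pass rule placed first, both internal probes are reported as violations, which is why the block rule for internal subnets must sit above it.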
Captive Portal Integration
A pfSense wireless interface can be bound to a Captive Portal zone to require user authentication before granting network access. Detailed Captive Portal configuration is covered in the Captive Portal section.
To bind a wireless interface to a Captive Portal:
- Navigate to Services > Captive Portal
- Create a new zone or select an existing one
- In the zone settings, select the wireless interface from the Interfaces list
- Configure authentication parameters and the login page
Performance Considerations
Deploying pfSense as a Wi-Fi access point involves several limitations that must be factored into network planning.
Built-in Wi-Fi Limitations
- Antennas - built-in or stock antennas provide limited coverage compared to dedicated access points with external antennas and MIMO technology
- Processing overhead - wireless traffic processing places additional load on the CPU, which may reduce routing and firewall throughput
- Standards - support is limited to 802.11a/b/g/n; 802.11ac (Wi-Fi 5) and 802.11ax (Wi-Fi 6) are unavailable due to FreeBSD driver limitations
- Scalability - the number of concurrent clients is constrained by adapter and driver capabilities (typically 10-30 devices)
Recommended Architecture for Production Environments
For production networks, the following architecture is recommended:
- Dedicated access points (Ubiquiti UniFi, Aruba, Ruckus) serve wireless clients
- Access points connect to a managed switch via access ports or trunk ports (when using multiple SSIDs/VLANs)
- pfSense handles inter-VLAN routing, firewall rule enforcement, and network services (DHCP, DNS)
This approach delivers maximum wireless performance while keeping pfSense free from radio-frequency traffic processing overhead.
Troubleshooting
Adapter Not Detected
Symptom: the wireless adapter does not appear in the interface list.
Resolution:
- Verify the physical connection (remove and reseat the adapter)
- Run sysctl net.wlan.devices via Diagnostics > Command Prompt to check kernel device recognition
- Confirm that the adapter chipset is supported by FreeBSD (Atheros AR9xxx series is recommended)
- For USB adapters, check the output of usbconfig list
Access Point Mode Unavailable
Symptom: selecting Access Point mode causes the interface to fail to start or produces an error.
Resolution:
- Not all supported adapters operate in hostap mode - consult the driver documentation
- Intel and Broadcom adapters do not support AP mode under FreeBSD
- Use an Atheros-based adapter supported by the ath(4) driver
Low Throughput
Symptom: data transfer speeds are significantly below expectations.
Resolution:
- Verify the selected Wi-Fi standard - ensure 802.11n (ng or na) is in use rather than 802.11b/g
- Increase channel width from 20 MHz to 40 MHz (HT40) if interference levels are low
- Select a channel with the least interference (use a Wi-Fi analyzer to survey channel congestion)
- Check transmit power settings (Regulatory Domain and TX Power)
- Confirm that encryption uses AES rather than TKIP
Intermittent Client Disconnections
Symptom: clients periodically lose their connection to the access point.
Resolution:
- Review system logs (Status > System Logs > Wireless) for driver errors
- Ensure stable power supply (especially for USB adapters)
- Reduce the number of concurrent connections
- Update pfSense to the latest version to obtain driver fixes
- Check for interference from neighboring networks on the same channel
- When using multiple VAPs, confirm that all operate on the same channel (a hardware-level requirement)
Clients Connect but Do Not Receive an IP Address
Symptom: devices associate with the SSID but do not obtain an IP address via DHCP.
Resolution:
- Confirm that the DHCP server is enabled on the wireless interface
- Verify the DHCP pool address range
- Ensure that firewall rules on the wireless interface permit DHCP traffic (UDP ports 67/68)
- Check that the interface has an IP address assigned from the correct subnet