VPNs, firewalls and VLANs for Home Automation – Part 4: WAPs and security

Introduction

Now that we have a small network up and running with WAPs and VLANs, we are going to take a look at the security around these. One major concern is that many off-the-shelf home automation devices rely on existing home networking technologies. If these are misconfigured or use weak encryption and passwords, then your home automation devices can quickly become a target. This is in addition to any flaws that may exist in the product itself.

Therefore this post will:

  • Discuss some of the security issues around WAPs, including:
    • WEP
    • WPS
    • WPA/WPA2/WPA-TKIP
  • Look at MAC white lists

Let’s start with looking at wireless security.

Wireless security and our WAP

The 802.11b standard offers us two security services, those being Authentication and Encryption. Authentication is handled through shared key authentication and encryption through WEP.

As you will see, WEP was a weak implementation and has since been replaced. You should not use WEP but the WPA2 option in your AP.

Shared Key Authentication

When a device (known as a station) wishes to authenticate with a WAP, a shared key is used. Before any data is exchanged, a challenge-response process verifies that the station and the WAP hold the same shared key.

  1. WAP: sends a random number (the challenge) to the station
  2. Station: encrypts the random number using RC4 with the 40-bit shared secret key and a non-secret 24-bit Initialization Vector (IV)
  3. Station: sends the encrypted random number back to the WAP
  4. WAP: decrypts the received message using RC4, the 40-bit shared secret key and the 24-bit IV
  5. WAP: compares the decrypted random number to the one it transmitted
  6. If the two numbers match, then both station and WAP hold the same shared key

These are the basic steps for authenticating a station; however the traffic between the WAP and the device also needs to be encrypted. The older and less secure mechanism for doing this was WEP (Wired Equivalent Privacy).

WEP – how it works and why you shouldn’t use it

WEP in a nutshell works as follows:

Sender (WAP):

  1. Compute the ICV (integrity check value), a 32-bit cyclic redundancy check of the message
  2. Append the ICV to the message to create the plaintext
  3. Combine the 40-bit secret key with the 24-bit IV to create the 64-bit RC4 key
  4. Encrypt the plaintext using RC4 by XORing it with a key stream of pseudo-random bits
  5. Concatenate the IV (in the clear) with the cipher text
  6. Send the cipher text and the IV to the station

Receiver (station):

  7. Receive the cipher text and the IV
  8. Feed the 40-bit secret key and the 24-bit IV into RC4 as the 64-bit key
  9. Decrypt the cipher text using RC4 by XORing it with the key stream of pseudo-random bits
  10. Separate the ICV from the message
  11. Compute the ICV for the received message
  12. If the received ICV matches the computed ICV then the message integrity is retained

So looking at this, you may notice that only 40-bits of this key are truly secret – and you’d be right. This of course is a problem.

As we can see the IV is sent in the clear as it is concatenated with the cipher text. Predicting the next IV can also be a massive security issue, as some NICs:

  • Use a pseudo-random IV – the likelihood of the same IV being generated within a short window is very high, as only 24 bits are used
  • Use an ascending counter for each IV – at only 24 bits this will reset after a few hours
  • Use a combination of ascending/descending counters – same as above, eventually the sequence will reset

Thus by capturing two messages with identical IVs an attacker can attempt to crack the encryption. This is because both messages, while having different plaintexts, have been encrypted with the same IV and key, and therefore with the same key stream.

XORing the two cipher texts gives: plaintext 1 XOR key stream XOR plaintext 2 XOR key stream. The two key streams cancel each other out, leaving the two plaintexts XORed together. This can then be attacked via statistical methods to ascertain the two separate plaintexts.
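To make the cancelling key streams concrete, here is an added example (my code, not from the original post): a minimal WEP-style encryptor built on RC4 following the table above, the receiver's ICV check, and a function showing that two frames sharing an IV give up the XOR of their plaintexts without the key ever being known. The key, IV and messages are constructed values, and the birthday-bound function assumes a NIC that picks IVs uniformly at random.

```python
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of pseudo-random key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Sender side: ICV = CRC32(msg); RC4 seed = IV || key (24 + 40 = 64 bits);
    cipher text = (msg || ICV) XOR key stream; frame = IV in the clear || cipher text."""
    assert len(secret_key) == 5 and len(iv) == 3
    icv = zlib.crc32(msg).to_bytes(4, "little")
    plaintext = msg + icv
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Receiver side: rebuild the key stream from the clear IV and the secret key, strip
    the ICV and report whether it matches a freshly computed CRC32 of the message."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor_bytes(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    msg, icv = plaintext[:-4], plaintext[-4:]
    return msg, zlib.crc32(msg).to_bytes(4, "little") == icv


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes):
    """Why IV reuse is fatal: two frames under the same IV share a key stream, so the XOR
    of their cipher texts equals the XOR of their plaintexts. No key is involved.
    Returns None when the IVs differ, which is the only thing protecting the traffic."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound for a NIC picking IVs at random: probability that at least two of
    `frames` transmitted frames share an IV out of the 2**iv_bits possible values."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


if __name__ == "__main__":
    # Constructed values, not from the post: a 40-bit key and two same-length sensor messages.
    key = b"\x01\x02\x03\x04\x05"
    iv = b"\x00\x00\x01"
    p1, p2 = b"temperature=21.5", b"relay=on,id=0007"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("decrypted:", wep_decrypt(key, f1))
    print("p1 XOR p2 leaks as:", plaintext_xor_from_iv_reuse(f1, f2)[: len(p1)].hex())
    print("P(IV repeat after 5000 random IVs) =", round(iv_collision_probability(5000), 3))
```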

If this wasn’t problem enough, our 40-bit encryption key can be weakened further by poor WEP key entry implementations in the WAP.

The root of this is that a user choosing a weak password, or a passphrase drawn from a limited alphanumeric character set, shrinks the set of possible keys considerably. Such a passphrase will only generate 21 bits of entropy – yes, that means the key strength, which could be 40 bits, is now only 21 bits. And what of the remaining 19 bits? These are unfortunately predictable.

Thus the number of passwords possible is somewhere in the region of 2 million. This may sound like a lot, but in fact can be brute forced in seconds.

Even a 40-bit WEP key is crackable within a few hours, so some companies are now using 128-bit keys (104-bit key and 24-bit IV) which are infeasible to crack with current technologies.

It doesn’t end here though. WEP has two other known weaknesses: weak keys leaking into the key stream, and partially exposed keys allowing the whole key to be determined (called the IV weakness).

If you wish to set up a WAP for testing out the weakness of WEP, there are a number of tools that will crack the encryption, including WEPCrack and Aircrack-ng.

WPS – Don’t use it

WPS stands for WiFi Protected Setup (protocol). Some APs have a button you can press, after which you request a connection from your station. Following this an 8 digit code is used to authenticate. The 8 digits only allow for 11,000 possible combinations, which can be cracked within 4 hours.

If your WAP has WPS, disable it. If you can’t disable it, it might be time to buy a new device.

WPA, WPA2 and WPA-TKIP

The WPA protocol/security certificate program is a replacement for WEP and was put in place to bridge the gap until the full 802.11i standard was rolled out.

WPA stands for WiFi Protected Access. You will see WPA and WPA2 as common security options on modern WAPs, where they are encouraged instead of WEP. For example WPA replaced the flawed cyclic redundancy check we saw in WEP.

An extension to WPA was the Temporal Key Integrity Protocol. This was designed to allow WPA to accommodate older NICs that do not support WPA. Unfortunately it uses RC4 which introduced a weakness into the protocol. A weak PSK (Pre-Shared Key) passphrase can therefore be attacked by tools such as Cowpatty.

Typically you will see home WAPs use WPA2-Personal aka WPA-PSK. For the moment we will use this, however later posts will provide the option to switch to WPA2-Enterprise mode.

Now is a good time to consider changing the SSID of your wireless network if you used a default one and also strengthening the password. For the WAP being used for Home Automation devices you should consider using an extremely strong passphrase. Typically you will only be registering devices with this WAP when you add them (as opposed to having guests etc. connect regularly/randomly).

Having looked at some of the security issues around wireless protocols we will now look at how we can use white lists on APs so in theory only certain devices can connect.

MAC whitelist (ACL)

A whitelist (access control list) is literally a list of devices permitted to connect to the AP. A device whose MAC is in the list is permitted to join the network, those who aren’t are blocked. Essentially you filter out devices who aren’t in the list by MAC.

Log in to your second WAP and look for a white listing option if it exists. Once you understand how to add devices to the list, new Home Automation devices should be enabled here.

If you are using UniFI you may need a later copy of the controller to find this feature.

Of course this is not a foolproof system. MAC spoofing would allow an unauthorized device, which has also cracked your WPA key, to access the network. However it adds an extra hurdle.


Conclusion

In this post we covered the basics of WiFi protocols to get you thinking about security. As this series of posts progresses we will look at further methods of hardening our home automation network.

Also in later posts we will look at Kerberos as a tickets granting system and how 802.1x EAP protocol can be used with RADIUS.

In the next post we will return to pfSense and review the security at the firewall level.

VPNs, firewalls and VLANs for Home Automation – Part 3: Setting up the VLAN

Introduction

So far we have set up pfSense and connected our WAP to it. This has formed the basics of our home network.

However it would be good if we could use multiple access points each running on their own network, but sharing the pfSense router, firewall and WAN. We also need to consider locking down the network to improve security.

In this post we will expand our network further to incorporate these items by:

  • Configuring VLANs in both pfSense and our VLAN compatible switch
  • Moving our existing WAP to a VLAN
  • Leaving our LAN as Ethernet only with no AP attached

To start with we will do a little digging into how switches work to provide some context for when we later setup the VLANs.

Switches

A switch is a hardware device (located at the Data Link Layer of the OSI 7-layer model) which is responsible for forwarding frames from one machine to another. A switch relies on knowledge of the networked machines’ MAC addresses.

Typically a hardware unit will consist of multiple Ethernet ports that devices can be plugged into. Our setup so far relies on the WAP connected to a single Ethernet port, with pfSense assigning IP addresses to machines on the network. Once a machine has connected to the switch via the WAP, a record of its MAC/IP combo is stored on the pfSense appliance.

Switches were a replacement for what are known as Hubs (found at Layer 1 of the OSI 7-layer model). A Hub broadcasts messages out to the whole network and any device connected to the Hub can read the packets. If a NIC was placed into promiscuous mode, then sniffing the packets and viewing the data was possible. A switch on the other hand only forwards traffic to the target machine.

Of course this also means your network speed is affected by the speed of the switch! A faster switch with the right Ethernet cable and newer NICs for the devices running on the network improves overall speed.

If you cast your mind back to an earlier post you will remember we discussed the ARP protocol. One issue some switch configurations are susceptible to is what is known as ARP and IP spoofing.

Each machine on the network keeps a copy of the IP/MAC combos in its ARP cache. An attacker can therefore try to manipulate the ARP caches of other machines in order to eavesdrop on communications between them.

The way this works is to send out a Gratuitous ARP message to the machines on the network that replaces the MAC portion of the mapping with the MAC of the attacker. The attacker’s machine then sits in the middle (man-in-the-middle), eavesdrops on incoming messages, and then forwards them on to the other party.

If you are interested in trying this out yourself then take a look at the dsniff tool.
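From the defender’s side, here is an added example (my code, not part of the original post) of the detection logic a LAN monitor can run: it rebuilds its own IP-to-MAC table from observed ARP packets, the same idea arpwatch uses, and flags the gratuitous ARP that overwrites the gateway’s mapping as well as the flip-flopping that follows when the real owner and the impostor keep answering. The ARP events, MAC addresses and timings are constructed.

```python
from dataclasses import dataclass


@dataclass
class ArpEvent:
    """One ARP packet as a monitor on the LAN would see it (constructed, not a capture)."""
    t: int             # seconds since the capture started
    sender_ip: str
    sender_mac: str
    target_ip: str
    reply: bool        # False = request, True = reply


def is_gratuitous(e: ArpEvent) -> bool:
    # A gratuitous ARP carries the sender's own IP as both sender and target address.
    return e.sender_ip == e.target_ip


def detect_arp_anomalies(events, flap_window: int = 120):
    """Replay ARP traffic in time order, keeping our own IP -> MAC table.
    Alert when an IP suddenly belongs to a different MAC; escalate to 'flip-flop' when it
    bounces back to a MAC already seen for that IP inside flap_window seconds."""
    table = {}      # ip -> MAC we currently believe owns it
    history = {}    # ip -> [(t, mac), ...] every claim observed
    alerts = []
    for e in sorted(events, key=lambda x: x.t):
        ip, mac = e.sender_ip, e.sender_mac.lower()
        if ip == "0.0.0.0":            # ARP probe: the sender claims nothing yet
            continue
        hist = history.setdefault(ip, [])
        old = table.get(ip)
        table[ip] = mac
        if old is not None and old != mac:
            seen_recently = any(m == mac for t, m in hist if e.t - t <= flap_window)
            if seen_recently:
                kind = "flip-flop"
            elif is_gratuitous(e):
                kind = "gratuitous-change"
            else:
                kind = "change"
            alerts.append({"t": e.t, "ip": ip, "old_mac": old, "new_mac": mac, "kind": kind})
        hist.append((e.t, mac))
    return alerts


GATEWAY, LAPTOP, ROGUE = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:07", "de:ad:be:ef:00:99"

# Constructed sample: normal resolution of the gateway, then a gratuitous ARP claiming the
# gateway's IP from another MAC, after which the two keep overriding each other.
SAMPLE = [
    ArpEvent(0, "192.168.1.7", LAPTOP, "192.168.1.1", False),
    ArpEvent(0, "192.168.1.1", GATEWAY, "192.168.1.7", True),
    ArpEvent(30, "192.168.1.1", ROGUE, "192.168.1.1", True),
    ArpEvent(45, "192.168.1.1", GATEWAY, "192.168.1.7", True),
    ArpEvent(50, "192.168.1.1", ROGUE, "192.168.1.1", True),
    ArpEvent(60, "0.0.0.0", "aa:bb:cc:00:00:08", "192.168.1.8", False),  # probe, ignored
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE):
        print(alert)
```

A genuine IP conflict (two devices hard-coded to the same address) produces the same change alerts, so each one still needs a human to decide which MAC is the legitimate owner.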

At the switch level there is another issue we need to be aware of – MAC flooding.

The switch as you will remember contains a table mapping MACs to IPs. We can see this mapping in pfSense under the Diagnostics > ARP Table link.

A MAC flooding attack attempts to overwhelm the switch so that no new MAC/IP pairs can be generated (a DoS attack), or worse, the switch reverts to acting like a hub, thus allowing eavesdropping.

Thankfully aspects of the 802.11 protocol defend against MAC flooding from the wireless side. A device’s association with a WAP is MAC-based, so the WAP only bridges traffic to/from MACs that are associated with it.

Therefore if a MAC flooding attack is directed from a wireless device to the network, any 802.11 frames with a random MAC address in the source not associated with the WAP are discarded.

So now we have a little understanding of how switches work and some of the security considerations, let’s look at VLAN compatible switches.

VLAN Switches

For this portion of the post I will be referring to a Dell PowerConnect 2808 VLAN compatible switch. The 2800 series switches start at around $129.00 USD. If you are using a different device, then modify the instructions below as applicable.

VLAN stands for Virtual LAN. As its name may suggest, the concept behind it is to take one set of hardware, i.e. ‘n’ machines and one switch, and create multiple LANs from this, each LAN being its own subnet. The traffic on each of these LANs is then tagged so we know which VLAN it belongs to.

pfSense allows us to configure VLAN interfaces and then assign DHCP servers to each of them. We therefore can use our VLAN switch as a method for connecting multiple APs (or wired devices) and let the configuration of the IP range etc. be handled by pfSense.

Configuring VLANs in pfSense

Our first task is going to be to move our WAP off the LAN interface on pfSense. Going forward we would like the LAN to only be accessible for devices connected directly to the switch.

We therefore need to come up with an IP range for the WAP to use, since it will no longer be using 192.168.1.0/24.

Let’s start by plugging our laptop/PC directly into the pfSense appliance, as the WiFi will shortly stop working. You can also power down the WAP for the moment.

We are going to use the range 192.168.3.0/24 for our new VLAN.

Let’s start by navigating to Interfaces > (assign)

On the screen that pops up select the VLANs option. You’ll now be presented with a list of VLANs which currently will probably be none.

Select the Add button from the bottom right.

The VLAN Configuration screen will now be presented. On this screen we can create our new VLAN and tag it.

From the Parent interface drop-down, select the LAN option.

Below this you will see the VLAN Tag input field.

VLAN Tag

Set this value to an integer between 1 and 4094. I like to use a value derived from the subnet, so if the subnet is 192.168.3.0/24 I use the tag 3. Do not enter the value 1 however; why will become apparent later.

You can ignore VLAN Priority for now. If you wish to add a Description now is your chance. For example “HomeAutomation”.

Return back to the Interface Assignments screen under Interfaces. This will be updated with an Available network ports drop-down. Listed here you will see your VLAN.

Select it and click the green Add button. Once added you will see it has a name similar to ‘Opt7’

Next navigate to the Interfaces drop-down. Your new VLAN interface with the Opt7 (or whatever was auto generated) will now appear.

Select this option to go to the interfaces configuration.

Interface config

We are now going to select the Enable interface checkbox.

Following this change the Opt7 value to something more intuitive e.g. HomeAutomation.

The IPv4 Configuration Type should be changed to Static IPv4.

Our final task is to scroll down the screen to the Static IPv4 Configuration.

Change the value of IPv4 Address to 192.168.3.1 and ensure the ‘/’ value is set at 24.

Save these values.

Now navigate to the Interfaces > Interface Assignments screen. Here you should see the new Interface HomeAutomation (or whatever you called it) and the Network port should be similar to: VLAN 3 on igb1 – lan (HomeAutomation) .

We now have an Interface setup for our VLAN. This will work over our LAN connection allowing us to run a virtual LAN with the 192.168.3.0 subnet.

Currently our WAP is setup however to use 192.168.1.0/24 so we will need to change this.

First let’s get the DHCP server running on the VLAN interface.

Navigate to Services > DHCP Server. From the list of available interfaces, select the one corresponding to your VLAN e.g. HomeAutomation.

When this screen loads you will see some General Options.

Here you will need to do the following:

  1. Check the Enable checkbox
  2. Select the Range e.g. 192.168.3.60 to 192.168.3.199

Save these changes.

Now we are finally ready to update that static mapping we created before for our AP.

So navigate to Status > DHCP leases.

Next edit the Static mapping you added for the WAP. Change the IP address to a new one in the new subnet 192.168.3.0/24.

Make a note of the IP address you selected, as we now need to update the WAP.

Save the changes.

You can now unplug the laptop from the pfSense appliance, unplug the WAP from the LAN port and power up the WAP again.

Once it is up, log in to the web interface and change the IP address for the AP to the one you selected above.

So we now have a VLAN configured on pfSense and the WAP configured with an IP address for the new VLAN. That leaves us with our final task – setting up the VLAN switch so we can plug our WAP back in.

Configuring the VLAN switch

Our final task is going to be to configure the VLAN switch. As mentioned for this I have selected a Dell PowerConnect 2808, so you will need to tweak the following instructions to your specific switch.

First we are going to plug the VLAN switch from LAN port 1 into the Ethernet port where the WAP was originally, then power up the VLAN switch. Also plug your laptop/PC into one of the other free ports on the pfSense appliance.

Once it has booted up, the LAN DHCP server will assign it an IP address in the 192.168.1.0/24 subnet. You can check on the DHCP leases screen in pfSense to find out what was assigned to it.

Navigate to the web console for your switch and log in. Remember after you log in to change the username and password from the default values to something more secure.

Once logged in we need to configure a VLAN for our HomeAutomation interface.

Within the GUI locate the VLAN configuration screen. In the Dell PowerConnect this is:

Switch > VLAN > VLAN Membership

Under this screen we can select an existing VLAN or configure a new one. By default you should see a VLAN tagged 1 already available. This acts as the trunk that all traffic is sent over and is the configuration associated with the Ethernet port (1) you plugged the pfSense appliance into.

The Dell switch comes preconfigured with the VLAN tagged as 1 and will not allow you to edit any of the details here. This configuration is needed in order for the switch to communicate with a router etc. once plugged in.

VLAN default

Use the Add button to load up the screen for configuring a new VLAN.

Add VLAN

Let’s enter the tag value we set in pfSense for the VLAN ID. I recommended using 3 earlier, but this can be whichever value you chose.

For the name enter HomeAutomation, or whatever you decided upon when setting up the VLAN interface.

You can leave the final value as is and click the Apply Changes button.

Back on the VLAN Membership screen select the Show VLAN drop-down and select VLAN 3 (or whatever you chose).

You’ll see a small table now appear which is called Ports.

Clicking on a square will insert a character (this is on the Dell machine, other switches will have a different interface).

Select the square for port 3 (this is where we will plug the WAP into) and click it until a U appears. Port 1 should show a T, if it doesn’t click it until a T appears.

On other models of switch you will need to set port 1 as the trunk over which the tagged data passes, and associate the physical Ethernet port you will plug your WAP into with the VLAN.

Save/Apply these changes.

Our final task is going to be to update the Port settings. On the Dell PowerConnect 2808 switch these settings can be reached via Switch > VLAN > Port Settings.

Select the relevant Ethernet port, in our case 3. Make sure the PVID is tagged as 3 and finally make sure the Frame Type is Admit All.

Save these changes.

Our VLAN switch is now configured so that Ethernet port 3 can be used for the WAP, and all traffic running over it through the Dell switch to pfSense will be on VLAN 3 with IP addresses assigned from the 192.168.3.0/24 subnet.
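To show what the U/T squares, the PVID and “Admit All” actually do to frames, here is an added example (my code, not the post’s or Dell’s) that models 802.1Q tagging and a small switch with the membership from the post: port 1 as the trunk (VLAN 1 untagged, VLAN 3 tagged), port 3 untagged in VLAN 3 with PVID 3. The MAC addresses and a wired LAN device on port 2 are assumptions.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Ethernet II frame. When vid is given, an 802.1Q tag (TPID 0x8100 + 16-bit TCI) is
    inserted between the source MAC and the EtherType. TCI = 3-bit priority, 1-bit DEI, 12-bit VID."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    payload_at = 14
    if ethertype == TPID_8021Q:            # tagged: read the TCI, then the real EtherType
        tci = struct.unpack("!H", frame[14:16])[0]
        vid, pcp = tci & 0x0FFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload_at = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[payload_at:]}


class VlanSwitch:
    """Port membership as on the Dell 'Ports' grid: 'T' = tagged member, 'U' = untagged
    member, absent = not a member. pvid is the VLAN given to untagged ingress frames."""

    def __init__(self, membership: dict, pvid: dict):
        self.membership = membership
        self.pvid = pvid

    def classify(self, port: int, frame: bytes):
        """Ingress with Frame Type 'Admit All': a tagged frame keeps its VID, an untagged
        frame gets the port's PVID. A VID the port is not a member of is dropped (None)."""
        f = parse_frame(frame)
        vid = f["vid"] if f["vid"] is not None else self.pvid[port]
        return (vid, f) if vid in self.membership[port] else None

    def forward(self, in_port: int, frame: bytes) -> dict:
        """Flood to every other member port of the frame's VLAN, re-tagging on 'T' ports
        and stripping the tag on 'U' ports. Returns {port: frame as transmitted}."""
        result = self.classify(in_port, frame)
        if result is None:
            return {}
        vid, f = result
        out = {}
        for port, vlans in self.membership.items():
            if port == in_port or vid not in vlans:
                continue
            out[port] = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                                    vid=vid if vlans[vid] == "T" else None, pcp=f["pcp"] or 0)
        return out


# Constructed topology following the post: port 1 uplink to pfSense (VLAN 1 untagged,
# VLAN 3 tagged), port 2 a wired LAN device, port 3 the HomeAutomation WAP (VLAN 3 untagged).
SWITCH = VlanSwitch(
    membership={1: {1: "U", 3: "T"}, 2: {1: "U"}, 3: {3: "U"}},
    pvid={1: 1, 2: 1, 3: 3},
)
WAP_MAC = bytes.fromhex("aabbcc000003")       # constructed
PFSENSE_MAC = bytes.fromhex("aabbcc000001")   # constructed
BROADCAST = b"\xff" * 6

if __name__ == "__main__":
    discover = build_frame(BROADCAST, WAP_MAC, ETHERTYPE_IPV4, b"dhcp-discover")
    for port, sent in SWITCH.forward(3, discover).items():
        print("port", port, "->", parse_frame(sent))
```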

Let’s now power everything down.

Hook the WAP to Ethernet port 3 on the VLAN switch. Next make sure that the VLAN switch Ethernet port 1 is connected to the LAN on the pfSense appliance.

Now let’s start everything up.

Once booted, connect your laptop/PC to the WiFi SSID and bingo you should now have an Internet connection.

If you log into pfSense and check the DHCP leases – your laptop/PC should appear in the list.

Next Steps – Add another WAP

To add a second WAP and VLAN to your network, repeat the steps above and this time use a VLAN tag of 4 (or other acceptable value from the range). Associate this VLAN with the 192.168.4.0/24 subnet and assign the WAP a static IP from this subnet.

You absolutely must assign a different VLAN tag and subnet for this to work. If you encounter problems with VLAN not working with the second WAP ensure that:

  1. DHCP is disabled on the WAP and configured correctly for your new AP in pfSense
  2. The VLAN is configured in pfSense
  3. The Interface is configured correctly in pfSense
  4. That the DHCP server is running on the new Interface with a different subnet to the other interfaces
  5. That the VLAN is configured correctly in the Dell switch
  6. That the port in the Dell switch is set with the correct tag
  7. That the device is connected to the correct Ethernet port

Summary

In this post we hooked up our VLAN compatible switch. In addition to this, we connected up our existing WAP and saw how we could add a second one by following the steps for configuring the first.

We now have a home network with:

  • pfSense firewall appliance
  • A Dell (or similar) VLAN switch
  • Two wireless access points

In the next post we will look at the WAPs in a little more detail and discuss security.


VPNs, firewalls and VLANs for Home Automation – Part 2: Setting up the WLAN

Introduction

In this post we will look at adding a Wireless Access Point (WAP) to our pfSense box, and setting up a LAN (local area network). We’ll cover some theory on how LANs work, including DHCP and ARP, and also some background on wireless technologies associated with the 802.11 standard.

Let’s start with an introduction to LANs and how they are configured in pfSense to get a foundation.

LAN Networks

LAN stands for Local Area Network. A LAN is essentially all the devices connected to our home network, sitting behind the firewall/switch combo (sometimes called an appliance) and which are assigned an IP by the DHCP server in it.

Our current setup consists of the pfSense box and the laptop/PC we connected to it for configuring access to the Internet.

Within the pfSense box is some software known as a DHCP (Dynamic Host Configuration Protocol) server. This is responsible for handing out IP addresses to the machines that connect to the Ethernet network.

We’ll dig into each of these technologies in more detail now.

Ethernet

The cables that plug into your PC and pfSense box are known as Ethernet cables.

Ethernet is a standard and family of technologies used for creating networks such as the LAN in your home. Over the years the technology has evolved from using 10BASE5 coax cable (similar to what a cable TV provider uses) to the Cat5 and Cat6 family of cables (Cat7 now being available and Cat8 currently being developed).

Cat6 cables are the newer of the two technologies we are interested in and support up to 10-Gigabit Ethernet (10GBASE-T). Cat5/Cat5e, which are also commonly found, support speeds of 100Mbps and 1000Mbps.

Depending on what your network hardware supports you can choose the corresponding cable for maximizing speed. In all likelihood you will have an Ethernet cable as provided with your ISPs modem. This you can use to hook up your pfSense appliance to the modem.

As we saw in the previous post our TCP/IP protocol stack has 5 layers. The Link layer of this stack is where Ethernet can be found. At this layer the IP datagram is packaged up as an Ethernet frame. At this point something called a MAC address is inserted into the header and the frame is passed to our network card (NIC) for transmission across the cabling (Cat5e, Cat6 etc.).

We’ll be covering a bit more about the MAC address next when we look at the DHCP server and ARP.

DHCP Server

On your pfSense box there is a service running called DHCP (Dynamic Host Configuration Protocol). You can access this from the main menu:

Main menu

Under the Services drop-down. Here you will find an option called DHCP Server.

Click on this link. You should now see the DHCP server options for your LAN.

DHCP

In the above screen shot we can see the DHCP server is enabled, this means that new machines connecting to the LAN will be dynamically assigned an IP address.

We can see next two values, those being the Subnet and the Subnet mask.

The Subnet(work) designates the subdivision of the network that our IP’s will be issued on. Using CIDR (Classless Inter-Domain Routing) notation we can specify the IP address assigned as the prefix, and then the range of IP’s available as hosts.

So for example 192.168.1.0/24 would be the CIDR notation of our current network. What this means in simple terms is that all the IPs will be prefixed with the same 24 bits (192.168.1.0) and the hosts will be addressed in the remaining 8 bits (1 – 254). For example 192.168.1.10.

The value below this is called the Subnet mask. This is just another way of representing the /24 value.

When 255.255.255.0 is bitwise ANDed with the IP address we get the routing prefix (192.168.1.0).

If you wish to change these values to a valid private IP address range you can use the subnet calculator to work out the values.

The final two fields tell us the range of IP’s we can allocate to hosts, and the selected range. For example we can allocate IP’s between 192.168.1.1 and 192.168.1.254, however for demonstration purposes I have set the range to only be between 192.168.1.100 and 192.168.1.199.

Therefore devices will only be allocated IP address dynamically between these two values.

If you have made changes to the values here, save them.

So what happens if we want to see which IP addresses are currently in use, and thus which machines on our network have an IP allocated to them?

Well pfSense provides a handy option under the Status > DHCP leases link.

This status report shows:

  1. IP address – The IP address assigned to your device e.g. 192.168.1.7
  2. MAC address – This is the hardware address of your device
  3. Hostname – Some devices will have a hostname configured e.g. raspberrypi or EvesMacBook
  4. Description – provides a description of the device if it exists
  5. Start – The start time and date of the DHCP lease
  6. End – The end time of the DHCP lease
  7. Online – Whether the device is online or not
  8. Lease type – If assigned by the DHCP server this will be active. If you assigned a static IP this will be static. More on this later!

So when a machine connects to the switch running pfSense, how does the DHCP server know how to assign an IP address and route packets to it?

That’s where the MAC address and ARP come in.

MAC address and ARP

The MAC (Media Access Control) address is a unique 48-bit address assigned to your Network Interface Card (NIC) by the manufacturer. It will be in the format AB:CD:EF:12:34:56.

The NIC operates at the Data Link Layer of the protocol stack and the MAC acts as an address on both wired and WiFi networks. Earlier we noted that the MAC address is inserted into the header of the Ethernet frame.

You’ll notice on the DHCP status page, your IP address is linked to your network cards MAC. How exactly does this work though? This is where ARP (Address Resolution Protocol) comes into play.

In pfSense click the Diagnostics drop-down and then select the ARP Table link.

You’ll see the screen presented shows similar information to that on the DHCP leases page.

The ARP protocol works by taking the IP address and translating it into the MAC. This allows for traffic to then be passed to the device in question.

First however a machine needs to register with the DHCP server to have a suitable IP address assigned to its MAC. It announces itself to the switch by sending a Discover request. This request is sent out to the network at the IP layer with a destination IP address of 255.255.255.255 and a source IP address of 0.0.0.0.

This request of course is packaged up as an Ethernet frame, so a source MAC is included with a network broadcast destination of FF:FF:FF:FF:FF:FF – (in essence this will be the same location as where the DHCP server is listening).  Once the DHCP server receives the IP portion of the request, it will respond to the source MAC with an offer packet wrapped in an Ethernet frame.

Following this your machine requests a lease from the DHCP server, and subsequently the DHCP server acknowledges the lease. Your machine is now associated with an IP address in the ARP table of the switch.

Thus other machines can send packets to the switch, which will in turn route them to your machine via the IP/MAC association.
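Here is an added example (my code, not from the original post) that walks through the Discover/Offer exchange just described together with the subnet-mask check from the DHCP Server section: the station builds the Discover with the broadcast addressing above, a pfSense-style server answers the Discover’s source MAC from the 192.168.1.100–199 pool, and the client verifies the offer by ANDing the offered address with the offered mask. The MAC addresses and transaction ID are constructed; the message layout follows RFC 2131.

```python
import struct
import ipaddress

BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2               # BOOTP 'op' field
DHCPDISCOVER, DHCPOFFER = 1, 2              # option 53 message types
FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # RFC 2131 fixed header, 236 bytes

# Constructed values (not from the post) matching the LAN settings in the DHCP Server screen.
CLIENT_MAC = bytes.fromhex("abcdef123456")
SERVER_MAC = bytes.fromhex("001122334455")
SERVER_IP = ipaddress.ip_address("192.168.1.1")
SUBNET = ipaddress.ip_network("192.168.1.0/24")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.199")


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a BOOTP/DHCP message: fixed header, magic cookie, TLV options, end marker."""
    header = struct.pack(
        FMT, op, 1, 6, 0, xid, 0, 0x8000,        # htype 1 = Ethernet, hlen 6, broadcast flag set
        b"\0" * 4,                               # ciaddr: the client has no address yet
        ipaddress.ip_address(yiaddr).packed,     # yiaddr: the address the server hands out
        b"\0" * 4, b"\0" * 4,                    # siaddr, giaddr: unused here
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(msg):
    f = struct.unpack(FMT, msg[:236])
    if msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while msg[i] != 0xFF:
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": ipaddress.ip_address(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}


def client_discover(xid, mac=CLIENT_MAC):
    """Step 1 (station): Discover leaves as an Ethernet broadcast from 0.0.0.0 to 255.255.255.255."""
    msg = build_dhcp(BOOTREQUEST, xid, mac, options=[(53, bytes([DHCPDISCOVER]))])
    return {"src_mac": mac, "dst_mac": BROADCAST_MAC,
            "src_ip": "0.0.0.0", "dst_ip": "255.255.255.255", "dhcp": msg}


def server_offer(frame, leases):
    """Step 2 (pfSense): answer the Discover's source MAC with its existing lease or the lowest
    free pool address, plus subnet mask (option 1), router (3) and server identifier (54)."""
    req = parse_dhcp(frame["dhcp"])
    if req["op"] != BOOTREQUEST or req["options"].get(53) != bytes([DHCPDISCOVER]):
        return None
    ip = leases.get(req["chaddr"])
    if ip is None:
        ip = POOL_START
        while ip in leases.values():
            ip += 1
        if ip > POOL_END:
            return None                          # pool exhausted: no offer is made
        leases[req["chaddr"]] = ip
    msg = build_dhcp(BOOTREPLY, req["xid"], req["chaddr"], str(ip), options=[
        (53, bytes([DHCPOFFER])), (1, SUBNET.netmask.packed),
        (3, SERVER_IP.packed), (54, SERVER_IP.packed)])
    return {"src_mac": SERVER_MAC, "dst_mac": frame["src_mac"],
            "src_ip": str(SERVER_IP), "dst_ip": str(ip), "dhcp": msg}


def check_offer(frame, xid):
    """Step 3 (station): accept the Offer only if it answers our transaction and the offered
    address ANDed with the offered mask yields our LAN prefix and lies inside the pool."""
    rep = parse_dhcp(frame["dhcp"])
    mask = int.from_bytes(rep["options"].get(1, b"\0" * 4), "big")
    prefix = ipaddress.ip_address(int(rep["yiaddr"]) & mask)
    ok = (rep["op"] == BOOTREPLY and rep["xid"] == xid
          and rep["options"].get(53) == bytes([DHCPOFFER])
          and prefix == SUBNET.network_address
          and POOL_START <= rep["yiaddr"] <= POOL_END)
    return ok, rep["yiaddr"], prefix


if __name__ == "__main__":
    leases = {}
    discover = client_discover(0x3903F326)
    offer = server_offer(discover, leases)
    print(check_offer(offer, 0x3903F326))
```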

When a client of the network wishes to update the ARP cache of other systems it sends out what is called a gratuitous ARP request. In this case both the source and destination IP address are that of the client. However the frame is sent to the broadcast address, which you will remember is FF:FF:FF:FF:FF:FF. Thus the Ethernet frame is sent to all ports on the switch (pfSense in our case). No reply is expected however, and this is a useful feature.

Gratuitous ARP requests are handy for example when we wish to announce that a MAC address has moved physical ports on a switch. They can also help to debug IP collision conflicts. If a reply is received, then we know two devices are trying to use the same IP (for example two machines may have had their configuration hard coded to use the same IP address).

There are also some security risks inherent in Gratuitous ARP requests which will be looked at in later posts.

So this is a simplified overview of how your machine is assigned an IP address so it can communicate with other devices on the network.

Next we are going to hook up a Wireless Access Point so that we don’t have to rely upon the limited number of physical ports on our router.

Wireless Access Points (WAP)

A key component of an 802.11 wireless network (WLAN) is the access point (AP/WAP). The 802.11 standard supports two modes of operation. The first of these is known as infrastructure mode.

In this mode the network has at least one AP plus the clients that associate with it. This combination of clients and the AP is known as a Basic Service Set (BSS). It’s possible for us to have more than one AP running on the same WLAN. This can provide greater coverage for example. When we use more than one AP to create a single subnet, this is known as an Extended Service Set (ESS).

For the moment we will be dealing with the simpler of the two cases – the Basic Service Set.

The second mode, which we will not be dealing with in this post, is Ad-hoc (aka peer-to-peer) mode. This allows for impromptu collections of wireless devices to communicate with each other without using an AP. Typically this would be used if there was no need for these devices to have an onward connection to the Internet or local LAN. This set of devices is known as an Independent Basic Service Set (IBSS).

A wireless access point can also act as a DHCP server, handing out IP addresses like we saw with the pfSense appliance above or leverage the DHCP server running on pfSense itself.

For this tutorial we are going to use the DHCP server on pfSense. Later, as we integrate VLANs into our home network, it will become apparent why we wish to use the pfSense offerings rather than any built-in features on our WAP.

My preferred brand of WiFi router/AP is Ubiquiti UniFI. In addition to APs they make a range of network gear that is perfect for home use.

Things to consider in an AP include range: typically you want to be within 100 meters of the AP. Antenna types also make a difference, with directional and omni-directional devices being available. Those that are omni-directional should be placed towards the centre of the building. Later in this series of posts we will consider some of the risks associated with the WAP and range.

Many readers may want to repurpose old WAPs they have or may have done this already if they followed my article Raspberry Pi powered TV and dd-wrt router configuration.

If you go this route and are new to open source router software, you may be interested in replacing the firmware with dd-wrt. At the dd-wrt website you will find a list of supported router/AP models. This software unlocks many features on your AP that are often hidden by the manufacturer's default firmware.

Once you have your AP ready, power it up. Don't connect it to your pfSense LAN switch just yet however.

Users of the UniFI will probably need to download the UniFI controller in order to administer their WAP. You can read more about the software and options here.

By default many WAPs use an address in the 192.168.1.0/24 subnet, often 192.168.1.1, and run their own DHCP server. Plugged straight into our LAN this would collide with pfSense in two ways: two DHCP servers would be handing out addresses on the same segment, and the AP's default address may be the very one pfSense already holds (this is the situation where the Gratuitous ARP request we met earlier will see a reply, because another host already owns the address).

We therefore need to disable the DHCP server on the AP, and give the AP an address that does not clash, before we can plug it into pfSense.

Your powered-up WAP should now be broadcasting its SSID (Service Set Identifier), which will be visible in your machine's list of wireless networks. The SSID is the human-readable name you have given to your network, e.g. MyHomeLAN.

Each AP regularly broadcasts a beacon frame which acts as an advert for the AP. It carries the SSID (unless you have hidden it), the channel, the supported data rates and the security the network requires (for WPA/WPA2 this is the RSN information element). Beacons are sent in the clear and are not authenticated, so anyone in range can read them; this is what the scanning tools we use below rely on. The signal strength and noise figures those tools show are measured by your own radio, not advertised by the AP.

Select the SSID and connect. If the network has a password you will need to enter it to connect. We'll touch a bit more on passwords later when we configure the AP.

Next navigate to the IP address on which the WAP's web administration page runs.

For example this may be : 192.168.1.1

Log in to the web console using the default credentials. If you don't know these, you can normally find them via Google. For dd-wrt users, check here. After you log in, change the password from the default to something stronger before going any further: default credentials are public knowledge, and once the AP is on your LAN anyone who can reach its web interface could otherwise reconfigure it.

For UniFI users, you will be able to connect to an associated AP via the controller.

Once logged in we want to disable the DHCP server on the AP. The following guide provides comprehensive steps for this on dd-wrt:

https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point#Turn_Off_DHCP

The short version, which applies to most WAPs, is:

  1. Set the Local IP address to a valid, unused IP from the subnet you configured in pfSense – for example 192.168.1.101. Pick an address outside the pool pfSense hands out dynamically; we are going to reserve it as a static mapping in pfSense shortly.
  2. Set the subnet mask to 255.255.255.0 – the same as we set in pfSense.
  3. Disable the DHCP server. You may also need to disable DNSmasq if it is enabled.
  4. Set the Gateway to the LAN address of your pfSense router (192.168.1.1 in our example).

Save the changes. We can now power down the WAP and plug it into pfSense. Make sure you choose the LAN port and not WAN/Internet (which should be connected to your ISP modem). You can now power up the AP again.

You should now see that your laptop/PC is assigned an IP address in the 192.168.1.0/24 subnet. Going to 192.168.1.1 should present you with the pfSense login screen.
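Getting an address is not quite the same as knowing who gave it to you. A practical check that the AP's DHCP server really is off is to broadcast a DHCPDISCOVER and see how many servers answer. The following Python script is an added example for this post, not code from the original article, pfSense or dd-wrt. It builds a DHCPDISCOVER, parses the DHCPOFFER replies and groups them by the server identifier (option 54), flagging a conflict if more than one server answers or if one identifier offers two different addresses for the same request (which is what you see when an AP left at its factory 192.168.1.1 is still serving DHCP alongside pfSense on the same address). The packet layouts follow RFC 2131; the two sample replies at the bottom are constructed for the illustration, and the live `probe()` needs root because it binds UDP port 68.

```python
import socket
import struct
import time

# RFC 2131 fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER for a 6-byte client MAC, with the broadcast flag set."""
    header = struct.pack(
        HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def make_offer(xid: int, mac: bytes, yiaddr: str, server: str) -> bytes:
    """Build a DHCPOFFER the way a server would; used here to construct sample input."""
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server), b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
               + socket.inet_aton(server) + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_options(data: bytes) -> dict:
    """Decode the TLV option list that follows the magic cookie into {code: value}."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(packet: bytes) -> dict:
    """Return xid, message type, offered address and server identifier of a DHCP reply."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    opts = parse_options(packet[HEADER_LEN + 4:])
    server = opts.get(OPT_SERVER_ID)
    return {"xid": fields[4],
            "type": opts.get(OPT_MSG_TYPE, b"\0")[0],
            "yiaddr": socket.inet_ntoa(fields[8]),
            "server": socket.inet_ntoa(server) if server else None}


def audit_servers(offers) -> dict:
    """Map each answering server identifier to the set of addresses it offered."""
    seen = {}
    for pkt in offers:
        info = parse_offer(pkt)
        if info["type"] == DHCPOFFER:
            seen.setdefault(info["server"], set()).add(info["yiaddr"])
    return seen


def has_conflict(seen: dict) -> bool:
    """Two identifiers, or one identifier offering two addresses for a single
    DISCOVER, means more than one DHCP server is live on the segment."""
    return len(seen) > 1 or any(len(addrs) > 1 for addrs in seen.values())


def probe(timeout: float = 3.0) -> dict:
    """Live check (needs root to bind UDP/68): send one DISCOVER, collect the OFFERs."""
    mac = bytes.fromhex("02aabbccddee")       # locally administered test MAC
    xid = int(time.time()) & 0xFFFFFFFF
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", 68))
    sock.settimeout(0.5)
    sock.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers, deadline = [], time.time() + timeout
    while time.time() < deadline:
        try:
            pkt, _ = sock.recvfrom(1500)
        except socket.timeout:
            continue
        if len(pkt) >= HEADER_LEN and struct.unpack("!I", pkt[4:8])[0] == xid:
            offers.append(pkt)
    sock.close()
    return audit_servers(offers)


# Constructed sample replies to one DISCOVER: pfSense answering from 192.168.1.1,
# plus an AP whose DHCP server was never disabled, still at its factory 192.168.1.1.
SAMPLE_MAC, SAMPLE_XID = bytes.fromhex("02aabbccddee"), 0x3903F326
SAMPLE_OFFERS = [
    make_offer(SAMPLE_XID, SAMPLE_MAC, "192.168.1.50", "192.168.1.1"),
    make_offer(SAMPLE_XID, SAMPLE_MAC, "192.168.1.100", "192.168.1.1"),
]
```

Run `audit_servers(SAMPLE_OFFERS)` to see the constructed conflict, or `sudo python3 -c 'import dhcpaudit; print(dhcpaudit.probe())'` (with the file saved as dhcpaudit.py) on the LAN itself; a healthy segment returns exactly one server identifier with exactly one offered address.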

Go right ahead and login.

Your WAP now sits on the LAN with the address you gave it. If it obtained an address from pfSense by DHCP before you fixed it (many APs do on first boot), it will appear on the DHCP leases page (Status > DHCP Leases). An AP configured with a static address never requests a lease, so if it is not listed you can add the mapping by hand under Services > DHCP Server > LAN, in the DHCP Static Mappings section, entering the AP's MAC and the IP you chose.

Either way we want pfSense to hold a static mapping for the WAP, so that it never hands that address to anything else and so the AP is easy to find later. On the leases page, next to the entry for your WAP is a small white button with a blue cross in it. Hovering over this reveals the label "Add static mapping".

Click this button and the Edit Static Mapping page will appear.

On this screen we are interested in the following:

  • MAC Address – The value here should be preset with your AP MAC
  • IP Address – This should be pre-filled with the value from your AP
  • Hostname – If one was assigned by your AP it will appear here
  • Description – Feel free to add a brief description of what this device is e.g. WAP for LAN

After adding the Description, save your changes.

As with an 802.3 Ethernet device such as your laptop's NIC, the AP has a 48-bit MAC address, as we saw above. The MAC of the AP's wireless radio is also used as the BSSID, i.e. Basic Service Set ID. This is the non-user-friendly identifier of the wireless network that the SSID name maps to. Note that the radio's MAC is usually different from the MAC on the AP's Ethernet port (the one pfSense sees in the static mapping), and an AP broadcasting several SSIDs uses a distinct BSSID for each.

Wireless devices operate at the Data Link Layer just like Ethernet, but they cannot use the Ethernet medium access method CSMA/CD, Carrier-Sense Multiple Access with Collision Detection. A radio cannot listen while it is transmitting, so it has no way of detecting that a collision has occurred.

CSMA/CD basically senses whether there is traffic on the wire before sending and, when a collision is detected, uses a process (including a random waiting period) to decide when to resend the frame.

Our AP and wireless devices thus use a variation on this technique called CSMA/CA, where CA stands for collision avoidance: a station waits until the channel is idle and then backs off for a random interval before transmitting, and every other network on the same or an overlapping channel adds to that contention. We can therefore aid the quality of our wireless network by choosing a channel with fewer neighbouring networks on it, and thus reduce the chances of a collision.

Open another tab in your browser, or the controller for UniFI, and go to the address you gave the AP, for example http://192.168.1.101

Once logged in, navigate to the options where you can set the AP channel. You may have to explore the menus to find this. Whether or not you are using dd-wrt, their website provides a handy guide to how channels work here.

The following site lists tools and techniques for checking which channels the WAPs near you are using. We are going to use a tool like this to find a potentially less busy channel to run our WiFi connection over.

If you are using a Mac, a scanning tool is built in. Holding down the Option key and clicking the WiFi icon displays a menu option called Open Wireless Diagnostics.

You can ignore the Wizard that appears; from the Wireless Diagnostics menu displayed at the top of the screen select Window > Scan.

This brings up a window listing the networks in range with, for each, the BSSID, security protocol, wireless protocol (i.e. 802.11a/n, 802.11b/g/n etc.), RSSI, Noise, Channel, Band, Width and Country.

If you are using a third-party tool on Windows or Linux, load it up and explore which channels are less used.

For 2.4 GHz WiFi, channels 1, 6 and 11 are the most commonly used as these three 20 MHz channels do not overlap with each other. A network on an in-between channel such as 3 or 9 overlaps two of them and adds interference to both.

Based upon this you can choose a channel for your AP that is unlikely to experience as much noise: of 1, 6 and 11, pick the one with the fewest strong neighbouring networks on it and on the channels either side of it.
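Turning the scan into a decision: the following Python is an added example for this post, not a tool from the original article or from Apple's Wireless Diagnostics. Given the rows a scanner reports (SSID, BSSID, channel, RSSI and security), it scores channels 1, 6 and 11 by how much strong neighbouring signal overlaps each one and picks the least congested. It also lists any neighbours still running open or WEP networks, the weak options discussed at the top of this post, since those are the ones you would not want a device of yours to join by mistake. The overlap model (20 MHz channels at 5 MHz spacing, so channels five or more apart do not overlap) and the RSSI scaling are simplifications chosen for the example, and the scan results at the bottom are constructed.

```python
from dataclasses import dataclass

CANDIDATES = (1, 6, 11)                   # the non-overlapping 2.4 GHz channels
WEAK_SECURITY = {"none", "open", "wep"}   # labels a scanner typically uses


@dataclass
class Network:
    """One row of a scan, as Wireless Diagnostics or iwlist would show it."""
    ssid: str
    bssid: str
    channel: int
    rssi: int          # dBm: around -40 is strong, -90 barely visible
    security: str


def overlap_weight(a: int, b: int) -> float:
    """Rough fraction of spectrum two 20 MHz channels share. 2.4 GHz channels sit
    5 MHz apart, so channels 5 or more apart do not overlap (hence 1, 6, 11)."""
    return max(0.0, 1.0 - abs(a - b) / 5.0)


def signal_factor(rssi: int) -> float:
    """Scale RSSI onto 0..1: -100 dBm and below -> 0, -40 dBm and above -> 1."""
    return min(1.0, max(0.0, (rssi + 100) / 60.0))


def congestion(networks, channel: int, own_ssid=None) -> float:
    """Neighbour signal weighted by how much each network overlaps `channel`.
    Our own network is excluded; it moves with us."""
    return sum(overlap_weight(n.channel, channel) * signal_factor(n.rssi)
               for n in networks if n.ssid != own_ssid)


def best_channel(networks, own_ssid=None, candidates=CANDIDATES):
    """Return (least congested candidate channel, score per candidate)."""
    scores = {c: congestion(networks, c, own_ssid) for c in candidates}
    return min(scores, key=scores.get), scores


def weak_neighbours(networks):
    """Networks in range that are open or still on WEP."""
    return [n for n in networks if n.security.lower() in WEAK_SECURITY]


# Constructed scan result used for the illustration (not a real survey).
SAMPLE_SCAN = [
    Network("MyHomeLAN",  "a0:b1:c2:d3:e4:f5", 6,  -38, "WPA2-PSK"),  # our own AP
    Network("Neighbour1", "11:22:33:44:55:01", 1,  -55, "WPA2-PSK"),
    Network("Neighbour2", "11:22:33:44:55:02", 3,  -70, "WPA2-PSK"),
    Network("OldPrinter", "11:22:33:44:55:03", 6,  -60, "WEP"),
    Network("CafeGuest",  "11:22:33:44:55:04", 11, -82, "none"),
    Network("Neighbour3", "11:22:33:44:55:05", 9,  -65, "WPA2-PSK"),
]

if __name__ == "__main__":
    channel, scores = best_channel(SAMPLE_SCAN, own_ssid="MyHomeLAN")
    print({c: round(s, 2) for c, s in scores.items()}, "-> use channel", channel)
    for n in weak_neighbours(SAMPLE_SCAN):
        print(f"weak: {n.ssid} ({n.bssid}) channel {n.channel} {n.security}")
```

With the constructed scan the AP is currently on channel 6 alongside a strong WEP printer and two networks on channels 3 and 9 that each bleed into 6, so the script recommends moving to channel 11, where only a faint open network and the channel 9 neighbour contribute. Swap `SAMPLE_SCAN` for rows typed in from your own scanner to get a recommendation for your building.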

Once/if you change the channel, save the changes and reboot your AP.

You should now be able to hook devices up to the AP and receive an IP address and Internet connection via pfSense. If you want to check which devices are now using the AP, remember you can always look at the DHCP leases status in pfSense.

Wrapping up

In this blog post we saw how to:

  • Hook up a wireless access point to pfSense
  • Configure the WAP to use a static IP
  • Disable the WAP's DHCP server so pfSense assigns the IP addresses to clients
  • Change the channel on the WAP
  • Learn a little theory around 802.11, ARP and MAC addresses

Now we have the basics in place we can explore setting up VLANs and thus segment our home network in order to group devices.

For the next article you will need a VLAN compatible switch such as a PowerConnect 2808 and another WAP.