# Part 2: Advanced Configuration and WiFi Access Point

## 1. Context for Part 2

### 1.1 Recap of Part 1 Architecture

At the end of Part 1, we had a functional pfSense infrastructure with:

- pfSense 2.8.1 installed and operational
- Optimized Realtek drivers (realtek-re-kmod)
- Security packages installed (pfBlockerNG, Suricata, WireGuard, ACME, ntopng)
- Temporary access via the WAN interface for initial configuration

### 1.2 Objectives for Part 2

This second phase aims to:

1. Deploy a professional WiFi access point (Afoundry EW1200)
2. Migrate to the final network architecture with LAN segmentation
3. Configure pfBlockerNG for ad and malware blocking
4. Optimize dual-band WiFi performance
5. Secure the entire infrastructure
## 2. Added Hardware

### 2.1 Access Point Afoundry EW1200

**Specifications:**

- Model: Afoundry EW1200
- WiFi: Dual-band AC1200 (300 Mbps @ 2.4 GHz + 867 Mbps @ 5 GHz)
- VLAN Support: Native 802.1Q (up to 8 SSIDs)
- Power: PoE 802.3af/at or AC adapter
- Interfaces: 1x Gigabit Ethernet RJ45
- Mode: True Access Point (no router/NAT)

**Acquisition Cost:** 300 Moroccan Dirhams (~€27)

### 2.2 Advantages Compared to a Converted Router

Unlike converted ADSL routers (TD-W8960N), the EW1200 offers:

- Native VLAN support for future network segmentation
- 5 GHz WiFi (802.11ac) for better performance
- Dedicated Access Point mode with no NAT/DHCP configuration to disable
- Multiple SSIDs for separate WiFi networks (LAN/IoT/Guest)
- Stable performance in a professional environment
## 3. Access Point Installation

### 3.1 Initial Configuration Phase

We performed an isolated configuration of the EW1200 before integrating it with pfSense.

**Step 1: Direct connection laptop → EW1200**

We temporarily configured the laptop with a static IP in the AP's default subnet:

```text
Laptop IP: [address in the AP's default subnet]
Subnet Mask: /24
Gateway: AP default IP
```

Web interface access: manufacturer's default IP.

**Step 2: AP Network Configuration**

We reconfigured the IP address of the EW1200 to integrate it into the pfSense LAN network:

```text
IP Address Mode: Static IP
IP Address: [Static IP in pfSense LAN subnet]
Subnet Mask: /24
Default Gateway: [pfSense LAN IP]
Primary DNS: [pfSense LAN IP]
```

After saving, the AP restarts and becomes accessible at its new address.

**Step 3: Dual-band WiFi Configuration**

2.4 GHz band (maximum range):

```text
Enable Wireless: ✓
SSID: Homelab_2G
Channel: Auto (recommended channels: 1, 6, 11)
Channel Width: 20 MHz (better range)
Transmit Power: High
Security Mode: WPA2-PSK
Encryption: AES
Password: [Secure password, min. 12 characters]
```

5 GHz band (maximum performance):

```text
Enable Wireless: ✓
SSID: Homelab_5G
Channel: Auto (recommended channels: 36, 40, 44, 48)
Channel Width: 40 MHz or 80 MHz
Transmit Power: High
Security Mode: WPA2-PSK
Encryption: AES
Password: [Same password as 2.4 GHz]
```

**Step 4: Access Point Mode**

We verified that the EW1200 is configured in pure Access Point mode:

```text
Operation Mode: Access Point (AP Mode)
DHCP Server: Disabled
NAT: Disabled
Firewall: Disabled
```
### 3.2 Integration into the pfSense Infrastructure

Physical cabling:

```text
pfSense [LAN Interface] ─── Ethernet Cable ─── [LAN Port] EW1200
```

**Important:** use only the access point's LAN port, not the WAN/DSL port.

**pfSense interface verification:**

We checked the status of the LAN interface via Status > Interfaces:

```text
Interface: LAN (re0)
Status: active (UP)
IPv4 Address: [pfSense LAN IP]/24
Link: 1000baseT full-duplex
```
## 4. Tests and Validation

### 4.1 WiFi Connectivity

**Test 1: Client Connection**

We connected several devices to the WiFi networks:

- Laptop → Homelab_5G
- Smartphone → Homelab_2G
- Tablet → Homelab_5G

All clients automatically obtained an IP address via the pfSense DHCP server.

**Test 2: Address Verification**

Verification commands on clients:

```text
# Windows
ipconfig

# Linux/Mac
ifconfig
ip addr show
```

Expected results:

```text
IPv4 Address: [pfSense LAN DHCP range]
Subnet Mask: 255.255.255.0
Default Gateway: [pfSense LAN IP]
DNS Servers: [pfSense LAN IP]
```

**Test 3: Latency and Performance**

Connectivity tests from WiFi clients:

```text
# Ping pfSense (latency < 5 ms expected)
ping [pfSense LAN IP]

# Ping access point (latency < 2 ms expected)
ping [EW1200 IP]

# Ping Internet
ping 8.8.8.8

# DNS resolution
ping google.com
```

### 4.2 pfSense Verifications

**Active DHCP Leases:**

Via Status > DHCP Leases, we verified the presence of all WiFi clients with their MAC addresses, hostnames, and lease duration.

**Connection States:**

Via Diagnostics > States, we confirmed active connections for WiFi clients (filtering by LAN subnet).

**LAN Interface Statistics:**

Console command to check the interface:

```text
ifconfig re0
```

Checks performed:

- Status: active
- Speed: 1000baseT full-duplex
- Errors (Ierrs/Oerrs): 0 (the per-interface error counters are shown by `netstat -i`)
- MSI-X interrupts: functional
## 5. pfBlockerNG Configuration (Integrated AdBlock)

### 5.1 Introduction to DNS Blocking

pfBlockerNG is the native pfSense solution for blocking ads, trackers, and malware. It works via DNSBL (DNS Blocklist), intercepting DNS requests for malicious domains before they reach the Internet.

Advantages vs. external solutions:

- No need for a separate Pi-hole or AdBlock server
- Native integration with the DNS Resolver (Unbound)
- Network-level blocking (all clients automatically protected)
- No modification needed on clients
- HTTPS support with no man-in-the-middle: blocking happens at DNS resolution, so no TLS interception is needed

### 5.2 Initial DNSBL Configuration

Navigation: Firewall > pfBlockerNG > DNSBL

DNSBL activation:

```text
☑ Enable DNSBL
DNSBL Mode: Unbound mode (recommended)
DNSBL VIP: [Automatically created virtual IP]
```

Unbound mode: integration with the pfSense DNS Resolver for transparent request inspection.

Advanced settings:

```text
DNSBL Blocking Mode: Unbound Python Mode
Enable Logging: ✓ (for blocked traffic analysis)
SafeSearch: ✓ (forces SafeSearch on search engines)
Python: ✓ Enable (required for certain features)
```

Save the configuration.
### 5.3 Activation of Block Lists

Navigation: Firewall > pfBlockerNG > Feeds

pfBlockerNG offers pre-configured lists of malicious domains and IPs.

Categories activated:

1. Ads (advertisements):
   - Steven Black
   - EasyList
   - Energized Basic
2. Malicious (malware and threats):
   - URLhaus Malware
   - Phishing Army
   - Threat Intel
3. Tracking (trackers and analytics):
   - EasyPrivacy
   - Disconnect Tracking
4. Social (social networks, optional):
   - Facebook
   - Twitter/X
   - TikTok (depending on user needs)

Configuration for each feed:

```text
State: ON
Action: Unbound
Update Frequency: Once a day (via CRON)
```

### 5.4 Creating Custom Lists

Navigation: Firewall > pfBlockerNG > DNSBL > DNSBL Groups

We created a custom group to add specific domains:

```text
Group: Custom_Blocklist
DNS Group Name: Custom_Blocklist
Description: Custom domains to block
DNSBL: ON
Custom Domain List: [Manual domains to block]
```

Example custom domains:

```text
doubleclick.net
googleadservices.com
facebook.com (if social network blocking is desired)
```
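To make the DNSBL mechanism concrete, here is an added example (not pfBlockerNG's or this write-up's code) of how a DNS blocklist reaches its verdict in the Unbound mode described above: feeds in hosts-file format are parsed into a block set, a blocked zone covers all of its subdomains, a whitelist entry (the exception mechanism used in section 11.2) takes precedence, and a hit is answered with the DNSBL virtual IP instead of being forwarded upstream. The feed lines, custom domains, whitelist entry and VIP are constructed samples, and the matching semantics are a simplification of the real package.

```python
"""Added example (not pfBlockerNG's or the write-up's code): how a DNSBL reaches
its verdict. Feed lines, domains and the VIP below are constructed samples;
matching semantics are simplified compared to pfBlockerNG itself."""
from ipaddress import IPv4Address

# Constructed feed in the "0.0.0.0 domain" hosts format used by lists such as
# Steven Black, with comments and bare-domain lines a parser must handle.
SAMPLE_FEED = """\
# Title: constructed sample feed
0.0.0.0 doubleclick.net
0.0.0.0 googleadservices.com
127.0.0.1 tracker.example   # inline comment
ads.example
"""

CUSTOM_BLOCKLIST = {"facebook.com"}     # stands in for the section 5.4 custom group
WHITELIST = {"safe.doubleclick.net"}    # stands in for a section 11.2 whitelist entry
DNSBL_VIP = "10.10.10.1"                # placeholder for the DNSBL virtual IP


def parse_feed(text):
    """Return the set of blocked zones from a hosts-format or plain-domain feed."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # "<ip> <domain>" in hosts format, otherwise the line is just a domain
        domain = parts[1] if len(parts) >= 2 else parts[0]
        blocked.add(domain.lower().rstrip("."))
    return blocked


def candidate_zones(qname):
    """'a.b.example' -> ['a.b.example', 'b.example']: every zone the name falls under.
    Whole-label matching only, so 'notdoubleclick.net' never matches 'doubleclick.net'."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def resolve(qname, blocked, whitelist=WHITELIST, vip=DNSBL_VIP):
    """Return (answer, verdict): the VIP for a hit, None with 'forward' for a miss.
    The whitelist wins over the blocklist, as the pfBlockerNG whitelist does."""
    zones = candidate_zones(qname)
    if any(z in whitelist for z in zones):
        return None, "whitelisted"
    if any(z in blocked for z in zones):
        return str(IPv4Address(vip)), "blocked"
    return None, "forward"


def block_set():
    """Feeds plus the custom group, the way pfBlockerNG merges all enabled lists."""
    return parse_feed(SAMPLE_FEED) | CUSTOM_BLOCKLIST


if __name__ == "__main__":
    blocked = block_set()
    for q in ("ad.doubleclick.net", "safe.doubleclick.net", "www.facebook.com", "example.org"):
        print(q, "->", resolve(q, blocked))
```

The zone walk in `candidate_zones` is the reason a single entry such as `doubleclick.net` also covers `ad.doubleclick.net`, and the whole-label comparison is what keeps a lookalike such as `notdoubleclick.net` from being caught by accident.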
### 5.5 Update and Activation

Navigation: Firewall > pfBlockerNG > Update

Launching the first list synchronization:

```text
Click "Run" → Reload ALL
```

This operation downloads all activated lists and loads them into Unbound. Duration: 2-5 minutes depending on the number of lists.

Log verification: the logs confirm the download and parsing of each list with the number of blocked domains.

### 5.6 Automatic Configuration (CRON)

Navigation: Firewall > pfBlockerNG > General > CRON Settings

Configuring automatic updates:

```text
Update Frequency: Once a day
Update Hour: 03:00 (off-peak hours)
Force Update on Reload: ✓
```

pfBlockerNG will update the lists daily without manual intervention.
## 6. WiFi Optimizations

### 6.1 AP Physical Placement

Optimal placement:

- Height: 2-2.5 meters from the floor (wall or ceiling mounting)
- Centralization: in the center of the desired coverage area
- Avoid: reinforced concrete walls, microwaves, baby monitors, metal enclosures

Antenna orientation (if external): vertical, for omnidirectional horizontal propagation.

### 6.2 5 GHz Optimizations

EW1200 advanced settings:

```text
Channel Width: 80 MHz (better throughput vs 40 MHz)
Beamforming: Enable (focus signal toward clients)
LDPC: Enable (advanced error correction)
Short GI: Enable (reduced guard interval, +10% throughput)
Legacy Rates: Disable (forces 802.11ac minimum)
```

### 6.3 2.4 GHz Optimizations

Maximum range settings:

```text
Channel Width: 20 MHz (better range than 40 MHz)
Transmit Power: 100% (maximum power)
Channel: Fixed to 1, 6, or 11 (avoids overlapping)
Legacy Support: 802.11n minimum (no b/g)
```

### 6.4 Enhanced WiFi Security

Encryption settings:

```text
WPA Version: WPA2-PSK only (no WPA/WPA2 mixed)
Encryption: AES exclusively (never TKIP)
Group Key Rekey: 3600 seconds
PMF (Protected Management Frames): Enable if available
WPS: Disable (known security flaw)
```

### 6.5 Advanced Features

Fast roaming (if multiple APs in the future):

```text
802.11r (Fast Transition): Enable
802.11k (Radio Resource Management): Enable
802.11v (BSS Transition Management): Enable
```

Client isolation:

```text
AP Isolation: Disable (allows inter-client communication)
```

To be enabled only for the Guest/IoT networks in the future VLAN architecture.
## 7. Monitoring and Maintenance

### 7.1 pfBlockerNG Monitoring

Navigation: Firewall > pfBlockerNG > Reports

Available statistics:

- Top blocked domains (most frequent advertisements)
- Clients generating the most blocked requests
- Temporal trends (peak hours)
- Percentage of blocked vs. total requests

**Recommended alerts:**

Configure email alerts if the number of blocked domains is abnormal (potential malware).

### 7.2 WiFi Monitoring via ntopng

Navigation: Diagnostics > ntopng

Monitored metrics:

- Bandwidth used per WiFi client
- Top talkers (highest consuming clients)
- Protocols used (HTTP, HTTPS, DNS, etc.)
- Abnormal throughput alerts

### 7.3 System Logs

**Critical logs to monitor:**

System > Logs > System:

- Unexpected restarts
- Kernel errors

System > Logs > Firewall:

- Blocked connection attempts
- Port scans

Services > DNS Resolver > Logs:

- DNS requests blocked by pfBlockerNG
- DNS resolution errors

### 7.4 Diagnostic Commands

Via Diagnostics > Command Prompt:

```text
# pfBlockerNG status (contents of a pfBlockerNG IP table)
pfctl -t pfB_PRI1_v4 -T show

# Blocked DNS statistics
pfctl -s rules | grep DNSBL

# WiFi DHCP clients
grep lease /var/dhcpd/var/db/dhcpd.leases

# WiFi performance (via AP, SSH connection if available)
iwinfo wlan0 info
```
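The `grep lease` one-liner above lists every lease block ever written, including expired and released ones, because the dhcpd.leases file is append-only and a later block for the same address supersedes an earlier one. As an added example (not pfSense code, not from the original write-up), the following parser reads the ISC dhcpd.leases format that pfSense keeps at /var/dhcpd/var/db/dhcpd.leases, keeps only the last block per IP, drops expired and non-active leases, and flags MAC addresses that are not in the documented allocation table (section 8.3). The lease entries, timestamps and known-MAC table are constructed samples.

```python
"""Added example (not pfSense code): inventory of active DHCP clients from a
dhcpd.leases file. Sample leases, timestamps and known MACs are constructed."""
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed leases: 192.168.1.50 appears twice (old released block, then the
# current active one), .51 has expired, .52 is active but undocumented.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2025/01/15 08:00:00;
  ends 3 2025/01/15 10:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 192.168.1.50 {
  starts 3 2025/01/15 10:00:00;
  ends 3 2025/01/15 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  starts 3 2025/01/15 09:00:00;
  ends 3 2025/01/15 11:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "phone";
}
lease 192.168.1.52 {
  starts 3 2025/01/15 09:30:00;
  ends 3 2025/01/15 21:30:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:03;
}
"""

# Constructed stand-in for ip_allocation.md: the MACs we expect on the LAN.
KNOWN_MACS = {"aa:bb:cc:dd:ee:01": "laptop", "aa:bb:cc:dd:ee:02": "phone"}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) live.
REFERENCE_NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_ts(value):
    """'3 2025/01/15 22:00:00' (weekday date time, UTC) -> aware datetime; 'never' -> None."""
    value = value.strip()
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: fields}; a later block for the same IP replaces an earlier one."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        fields = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt.startswith("binding state "):          # not "next binding state"
                fields["state"] = stmt.split()[2]
            elif stmt.startswith("hardware ethernet "):
                fields["mac"] = stmt.split()[2].lower()
            elif stmt.startswith("client-hostname "):
                fields["hostname"] = stmt.split(None, 1)[1].strip('"')
            elif stmt.startswith("ends "):
                fields["ends"] = parse_ts(stmt.split(None, 1)[1])
        leases[ip] = fields
    return leases


def active_leases(text, now):
    """Leases in 'active' state that have not expired at `now`, sorted by IP."""
    rows = []
    for ip, f in parse_leases(text).items():
        if f.get("state") != "active":
            continue
        if f.get("ends") is not None and f["ends"] <= now:
            continue
        rows.append({"ip": ip, "mac": f.get("mac"),
                     "hostname": f.get("hostname", "(none)"), "ends": f.get("ends")})
    return sorted(rows, key=lambda r: ip_address(r["ip"]))


def unknown_clients(rows, known):
    """MACs holding a lease that are not in the documented allocation table."""
    return sorted(r["mac"] for r in rows if r["mac"] not in known)


if __name__ == "__main__":
    rows = active_leases(SAMPLE_LEASES, REFERENCE_NOW)
    for r in rows:
        print(f"{r['ip']:<15} {r['mac']}  {r['hostname']:<10} ends {r['ends']}")
    print("unknown MACs:", unknown_clients(rows, KNOWN_MACS))
```

Run against the real file, the unknown-MAC list is the quickest way to spot a WiFi client that is not in ip_allocation.md, which is the kind of discrepancy the monitoring section above is meant to catch.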
## 8. Backups and Documentation

### 8.1 pfSense Configuration Backup

**Recommended automation:**

Navigation: Diagnostics > Backup & Restore

Automatic backup configuration:

```text
☑ Enable Automatic Configuration Backups
Backup Count: 30 (last 30 configurations)
```

Manual backup:

- Performed after each major modification
- Format: XML
- Storage: external cloud backup + local

### 8.2 EW1200 Configuration Backup

Via the AP web interface: export the complete configuration in the proprietary format. Storage identical to the pfSense backups.

### 8.3 Network Documentation

Maintained files:

- network_diagram.md: complete architecture diagram
- ip_allocation.md: static IP allocation table
- wifi_config.md: WiFi settings (SSID, channels, security)
- changelog.md: configuration modification history
## 9. Final Network Architecture

### 9.1 Complete Diagram

```text
Internet (ISP)
       ↓
┌─────────────┐
│   ISP Box   │
└──────┬──────┘
       │
┌──────▼────────────────┐
│   Zotac ZBOX CI337    │
│   pfSense 2.8.1       │
│                       │
│ WAN (re1): DHCP ISP   │
│ LAN (re0): [Subnet]   │
│                       │
│ Services:             │
│ - Firewall            │
│ - DHCP Server         │
│ - DNS Resolver        │
│ - pfBlockerNG DNSBL   │
│ - Suricata IDS        │
└──────┬────────────────┘
       │
┌──────▼────────────────┐
│   Afoundry EW1200     │
│   Access Point        │
│                       │
│ 2.4GHz: Homelab_2G    │
│ 5GHz: Homelab_5G      │
└───────────────────────┘
       │ WiFi
       ↓
┌─────────────────────────────┐
│      Network Clients        │
│ - Laptops                   │
│ - Smartphones               │
│ - Tablets                   │
│ - IoT (pfBlockerNG protected)│
└─────────────────────────────┘
```
### 9.2 Traffic Flow

Web browsing from a WiFi client:

```text
1. WiFi Client → DNS Request → pfSense (Unbound)
2. pfSense → pfBlockerNG DNSBL Check
   - If domain blocked: return DNSBL VIP (block page)
   - If legitimate domain: forward to upstream DNS
3. DNS Resolution → Return IP to client
4. Client → HTTP/HTTPS Request → pfSense Firewall
5. pfSense → Suricata IPS Inspection
6. Authorized Traffic → Forward to WAN → Internet
```
## 10. Performance and Statistics

### 10.1 Metrics Obtained

WiFi latency (ping to pfSense):

- 2.4 GHz: 2-5 ms
- 5 GHz: 1-3 ms

WiFi throughput (iperf3 tests):

- 2.4 GHz: 80-120 Mbps actual
- 5 GHz: 300-500 Mbps actual (depending on distance and obstacles)

Ad blocking:

- Blocked DNS requests: 20-40% of total traffic
- Unique blocked domains: 500k-1M+ depending on activated lists

pfSense CPU load (with Suricata + pfBlockerNG):

- Idle: 10-20%
- Standard web browsing: 25-35%
- Saturated download: 40-60%

### 10.2 Electrical Consumption

Measurements obtained:

- pfSense Zotac CI337: 15-25 W
- EW1200 (via adapter): 10-12 W
- Total infrastructure: ~35-40 W (24/7)

Annual electrical cost (at €0.15/kWh):

```text
40 W × 24 h × 365 d / 1000 × €0.15 = ~€52/year
```
## 11. Common Troubleshooting

### 11.1 Problem: No Internet Access from WiFi

Checks:

1. Are clients getting the correct DHCP IP?
2. Is the configured gateway = pfSense IP?
3. Is the configured DNS = pfSense IP?
4. Does the LAN → Any firewall rule exist?
5. Is the pfSense WAN interface functional?

Typical solution:

- Check Firewall > Rules > LAN: the "Default allow LAN to any" rule is active

### 11.2 Problem: Legitimate Sites Blocked by pfBlockerNG

Diagnosis: consult Firewall > pfBlockerNG > Reports to identify the blocked domain.

Solutions:

1. Add the domain to the whitelist: DNSBL > DNSBL Whitelist
2. Temporarily disable the overly aggressive feed
3. Create an exception per client (IP alias)

### 11.3 Problem: Invisible 5 GHz WiFi

Frequent causes:

- DFS channel occupied (36-48 safe, 52+ may be blocked)
- Incorrectly configured region (some channels prohibited)
- Client device incompatible with 802.11ac

Solutions:

- Fix the 5 GHz channel to 36 or 40
- Check region = Morocco or Europe
- Test with another 5 GHz compatible client

### 11.4 Problem: Frequent WiFi Disconnections

Optimizations:

1. Reduce transmit power if too strong (paradoxically)
2. Fix channels (avoid Auto)
3. Disable power saving on clients
4. Update the EW1200 firmware if available
5. Check for interference (WiFi Analyzer app)
## 12. Enhanced Security

### 12.1 Strict Firewall Rules

Philosophy: deny by default, allow explicitly.

Automatic anti-lockout rule:

- pfSense automatically creates a rule allowing WebGUI access from the LAN

Custom rules created:

```text
LAN → pfSense (port 443/80): Allow (WebGUI)
LAN → pfSense (port 53): Allow (DNS)
LAN → Any (Internet): Allow
LAN → WAN address: Block (prevents direct box access)
```
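pfSense evaluates the rules of an interface tab top-down, the first matching rule wins, and anything unmatched falls through to the implicit default deny. Rule order therefore decides the outcome: a block placed below an allow-any rule never matches. As an added example (not pfSense code, not from the original write-up), the evaluator below applies the four LAN rules listed above to sample packets, once in the listed order and once with the block moved above the allow-any rule, so the intended verdict can be checked before the rules are committed in Firewall > Rules > LAN. The LAN subnet, pfSense LAN IP and WAN address are placeholders for the bracketed values used throughout this document, and the packets are constructed test cases.

```python
"""Added example (not pfSense code): first-match evaluator for the section 12.1
LAN rule set. Addresses are placeholders; packets are constructed test cases."""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")    # placeholder: pfSense LAN subnet
PFSENSE_LAN = ip_address("192.168.1.1")   # placeholder: [pfSense LAN IP]
WAN_ADDRESS = ip_address("100.64.0.2")    # placeholder: pfSense WAN address


def rule(action, dst, ports=None, proto=None, desc=""):
    """One LAN-tab rule; the source is always 'LAN net' as in section 12.1.
    dst is an address object or 'any'; ports None = any port; proto None = any."""
    return {"action": action, "dst": dst, "ports": ports, "proto": proto, "desc": desc}


# The four custom rules in the order the write-up lists them.
LAN_RULES_AS_LISTED = [
    rule("pass", PFSENSE_LAN, {80, 443}, "tcp", "WebGUI"),
    rule("pass", PFSENSE_LAN, {53}, None, "DNS"),
    rule("pass", "any", desc="Internet"),
    rule("block", WAN_ADDRESS, desc="prevents direct box access"),
]

# The same four rules with the block placed above the allow-any rule.
LAN_RULES_REORDERED = [LAN_RULES_AS_LISTED[i] for i in (0, 1, 3, 2)]


def matches(r, pkt):
    """True if the packet (dict with src, dst, proto, dport) matches rule r."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src not in LAN_NET:                       # source must be LAN net
        return False
    if r["dst"] != "any" and dst != r["dst"]:
        return False
    if r["proto"] is not None and pkt.get("proto") != r["proto"]:
        return False
    if r["ports"] is not None and pkt.get("dport") not in r["ports"]:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of the matching rule, description); first match wins."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r["action"], i, r["desc"]
    return "block", None, "implicit default deny"


def compare(pkt):
    """Verdict of the same packet under both orderings, for a quick audit."""
    return evaluate(LAN_RULES_AS_LISTED, pkt)[0], evaluate(LAN_RULES_REORDERED, pkt)[0]


if __name__ == "__main__":
    probe = {"src": "192.168.1.20", "dst": str(WAN_ADDRESS), "proto": "tcp", "dport": 80}
    print("LAN client -> WAN address:80, as listed / reordered:", compare(probe))
```

Running the probe shows the listed order passes traffic to the WAN address through the allow-any rule, while the reordered set blocks it as intended. The same evaluator also makes visible that "LAN → Any" includes the firewall's own LAN address on every port not covered by an earlier rule, which is worth checking against the "allow explicitly" philosophy stated above.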
### 12.2 Intrusion Prevention (Suricata)

Minimum active configuration:

- WAN interface: IPS inline mode (blocks attacks)
- ET Open rules: activated (common signatures)
- Logging: enabled for post-incident analysis

Categories activated:

- emerging-attack_response
- emerging-dos
- emerging-exploit
- emerging-malware
- emerging-scan

### 12.3 Automatic Updates

pfSense:

- Weekly check for update availability
- Manual update after reading the changelog

pfBlockerNG:

- DNSBL lists: daily automatic update (03:00)
- IP lists: daily automatic update (03:00)

Suricata:

- ET Open rules: daily automatic update

## 13. Prepared Future Developments

### 13.1 Integrated VLAN Support

The EW1200 natively supports 802.1Q VLANs, allowing future segmentation:

- VLAN 10: Main LAN (existing)
- VLAN 30: IoT (isolated connected devices)
- VLAN 99: Guest (guests without LAN access)

Future configuration: multiple SSIDs on the EW1200 with VLAN tagging towards a managed switch.

### 13.2 High Availability (HA)

CARP preparation (Common Address Redundancy Protocol):

- Future possibility to add a second pfSense in HA
- Virtual IP shared between the two
- Automatic failover if the primary fails

### 13.3 Site-to-Site VPN

WireGuard already installed:

- Future configuration for connecting remote sites
- Or secure remote access (road warrior)

## Conclusion Part 2

We successfully deployed a professional WiFi infrastructure with a high-performance dual-band access point, integrated with pfSense. The ad and malware blocking system via pfBlockerNG is operational, automatically protecting all network clients without individual configuration.

The current architecture offers:

- Enhanced security: pfSense firewall + Suricata IDS + pfBlockerNG AdBlock
- Optimal performance: theoretical 1200 Mbps dual-band AC WiFi
- Scalability: native VLAN support for future segmentation
- Stability: optimized drivers, professional hardware
- Comprehensive monitoring: ntopng + centralized logs

**Cumulative Total Investment:** €85 (pfSense) + €27 (EW1200) = €112
**Configuration Time for Part 2:** ~2-3 hours
**Status:** ✅ Production-ready with advanced protection

*Document written as part of a homelab project for network segmentation and infrastructure security with integrated ad blocking.*