OpenWRT APs / pfSense Router

Great forums. Thanks to all those who spend their time creating this stuff and helping.

I'm pulling my hair out hoping someone can help...

My setup is:

  • 4 x OpenWRT dedicated APs (Zyxel NWA50AX Pro)
  • Connected over PoE to a QNAP managed switch with great functionality
  • Connected via the switch to a pfSense Router.
  • I have configured the APs via Luci to be identical in all but IP Address.
  • I have enabled 802.11r and matched mobility domains on both 2.4GHz and 5GHz wireless setups.
  • I have 1 SSID per freq
  • I can access the WebUIs of the APs no problems.

Superficially, my clients see good signal throughout the area with 2 x SSIDs as expected.

My question:

Without boring everyone with what I've tried to do and failed!

How do I configure my interfaces (and other OpenWrt settings) and pfSense (if there is expertise here) to allow for a multi-AP, wired backhaul, 802.11r experience with DHCP provided by a server located on the pfSense router to clients of the APs?

Sub questions:

  • Do I need to ensure all APs have identical configurations?
  • I see an option to "scan" and "join networks" in the Wireless section. Do I link them together like that in addition to the wired backhaul or is that only required for wireless meshing? My guess is I do not need to.

All of my reading on bridging and APs has led to more confusion and contradiction than it has helped.

Thank you in advance to anyone who spends their personal time helping a newbie clown.


If I understood correctly, you have pfSense as your router, and 4 Zyxel as APs.
So, if that is correct, your setup should look like: pfSense set up with DHCP, the APs as Dumb APs. Fast Roaming - NAS ID - different on each AP; Mobility Domain, SSID, and Password (with security) the same. Channel on APs should be different.
Nothing else.
I had OPNsense with OpenWrt Dumb AP for 3 years, and the Pi-hole as my DNS server.


It sounds like you already have pfSense doing the routing and serving DHCP - is this correct?

802.11r is not handled by pfsense in your situation, it is a process that is coordinated by the APs themselves. However, my personal recommendation is to avoid 802.11r (as well as k and v) unless there is a demonstrated need for it because it can actually make roaming problematic for certain client devices. You should start by optimizing the APs for standard roaming, IMO.

No, and in fact, they should not be identical. It does help to have certain items the same.

  • Config items - different:
    • IP address (must)
    • Channel (should; neighboring APs should have non-overlapping channels)
    • Power (may; power should be optimized on each AP such that it covers the necessary area but reduces the amount of overlap between itself and the neighboring APs).
  • Config items - same:
    • SSID, encryption type, and password (must if you want to have seamless roaming)
    • subnet and subnet size/mask (must; all APs in the same subnet)
    • DHCP server disabled on the AP's lan interface (must since you have an upstream DHCP server)

This is for joining a wireless network as a client. You can ignore this.


Thanks. NAS ID. First mistake I've made.

Thank you for your response.

To clarify, my question about interfaces was more basic I think.

E.g. do I configure my single interface to br-lan OR lan with eth0 for example? How does that side of things work with the interface tabs and/or wireless tabs?

Correct. That's done. APs configured for no DHCP.

Confirm this is merely having the SSID, encryption and password the same (additionally optimizing channels and power as you mentioned)? Is that considered "standard roaming"?

Is this still true if my intent is to practice configuring a Radius Server, 802.1X and VLANs on the same SSID? (my next homelab learning event... that's why). Can (should) I configure 802.1X without utilising 11r? Is it only a problem for hotshots walking around buildings on important VoIP calls?! :wink:

I read that I should consider separate 11r SSIDs for reasons I believe you're referring to; incompatible clients, most likely laptops rather than smartphones.

Understood. Thanks.

Thanks for your time.

Yes, use br-lan. The bridge will contain eth0.

Yes, when 802.11k/v/r are disabled, it is standard roaming.

Yes. Those standards are about wireless roaming only.

Start by optimizing without 802.11r. Enable it if it is needed to improve performance of roaming.

The standard only applies when you have multiple APs with the same SSID.

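The dumb-AP setup described in the replies above, written out as OpenWrt configuration for one AP. This is an added example and not a config posted by anyone in the thread; the addresses, SSID, key, radio and section names, and the channel and power values are assumptions to replace with your own. Only the relevant options are shown.

```conf
# /etc/config/network  (AP 1; constructed addresses, pfSense assumed at 192.168.1.1)
config device
	option name 'br-lan'
	option type 'bridge'
	# wired backhaul port sits in the bridge
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	# DIFFERENT on each AP
	option ipaddr '192.168.1.2'
	# SAME subnet and mask on every AP
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# /etc/config/dhcp
config dhcp 'lan'
	option interface 'lan'
	# no DHCP server on the AP; pfSense hands out the leases
	option ignore '1'

# /etc/config/wireless  (radio0 assumed to be the 2.4 GHz radio)
config wifi-device 'radio0'
	# DIFFERENT per AP: non-overlapping with the neighbouring APs
	option channel '1'
	# per-AP transmit power in dBm, tuned to limit overlap
	option txpower '14'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	# clients are bridged straight onto the lan
	option network 'lan'
	# SAME on every AP: SSID, encryption type and key
	option ssid 'ExampleNet-2G'
	option encryption 'psk2'
	option key 'REPLACE_WITH_PASSPHRASE'
	# 802.11r left off, following the advice to start with standard roaming.
	# If enabled later: same mobility_domain on all APs, different nasid per AP.
	# option ieee80211r '1'
	# option mobility_domain '1234'
	# option nasid 'ap1'
```

For the other three APs, change `ipaddr`, `channel`, `txpower` and, if 802.11r is turned on, `nasid`; everything else stays the same.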

Hero. Great. :tumbler_glass:
