Secure Wireless Gateway Setup Guide

Disclaimer: This guide does not provide cut-and-paste terminal instructions. Its purpose is to explain the setup process step by step.


This guide outlines the creation of a secure wireless IoT or WPA3 enterprise gateway on a budget. By purchasing a compatible WPA3 Unifi AP and a PC capable of virtualization, you can establish a highly secure wireless gateway. This setup serves as a foundation for both WPA3 enterprise wireless gateways and public WiFi access points, with the added benefit of isolating the network appliance from your local network.

Technical Skills Required

  • MongoDB setup for Unifi compatibility
  • Manual NAT configuration
  • Knowledge of pfSense firewall rules
  • Firewall VPN clients
  • Radius configuration
  • Public Key Infrastructure (PKI)

WPA3 Enterprise Consideration: This setup has been tested with EAP-TLS. Implementing PKI is crucial to protect against evil twin attacks. An authentication back-end may be required if the internal pfSense user manager is insufficient. For more information on EAP-TLS, refer to this link.


  • pfSense CE
  • Unifi Network Application
  • Ubuntu LTS VM image capable of running MongoDB
  • x86 hardware with at least 2 NICs
  • Unifi AP (required for the Unifi VM)
  • Hypervisor capable of running on Ubuntu LTS

Unifi Network Server: Download here

Step-by-Step Guide

  1. Set Up Unifi Network Application:
  2. pfSense Setup:
  3. VPN Providers:
  4. Networking Options:
    • Option 1 (IDS): Bridge the Unifi VM to the LAN adaptor connecting directly to the AP. This is faster but less secure. Isolate the Ubuntu VM within the client OS for security reasons.
    • Option 2 (IPS): Create an internal or virtual adaptor shared by pfSense and Unifi. Set up appropriate firewall rules for IPS capability using Snort or Suricata.
  5. Port Forwarding:
    • Port forward from pfSense to the Unifi controller.
  6. Security Considerations:
    • Set up firewall rules for your IP configuration.
    • Change usernames and passwords to strong ones.
    • Open a port on the WAN interface to the internal firewall GUI and block local access.
    • Block pfSense’s webGUI from within the isolated environment to enhance security.
  7. WPA3 Enterprise EAP-TLS (Optional):
    • Set up Radius for those extending the platform to a WPA3 enterprise network.
    • pfSense has optional packages like FreeRADIUS, which is WPA3 enterprise-ready.
    • The Radius package with pfSense provides LDAP integration or local user accounts managed in pfSense.
    • Using EAP and PEAP with FreeRADIUS

Once set up, you can access the pfSense web GUI and Unifi controller from your local network. Any Unifi AP plugged into Bridge 2 can be adopted by the standalone controller.