WPA2 when using TKIP is also affected.
Running a VPN on top of your wireless encryption can offer additional protection, and you may want to consider such a deployment regardless of the wireless encryption deployed in your network. Whether pfSense is your AP, or your APs connect to it, it can provide VPN services to internal users on your wireless network, and you can restrict all traffic coming in from your wireless network to only access the VPN. Then after successfully authenticating to the VPN, users can access your internal network and/or the Internet.
Edit: SANS has a good webcast on this topic for those interested in details.