No AP does this - when you move between AP that are using the same SSID..  WDS or not…

You really should get a switch... The interfaces are router interfaces they are not switch interfaces.. While you could bridge them to be in the same vlan.. Its not an optimal sort of setup.. Just get a smart switch connect your AP to it.. Could be something as cheap as a $30 smart switch...  Connect your interfaces in from your different networks/vlans from pfsense to the same switch..Now any wireless client be on any network you want it to be on.

okay then the rule of using freebsd hardware documentation isn't valid, as stated here that all freebsd hardware is supported in pfsense:

https://www.pfsense.org/products/#requirements

Hardware Compatibility List
As pfSense is based on FreeBSD, its hardware compatibility list is the same as FreeBSD's. The pfSense kernel includes all FreeBSD drivers.

.  I am only wanting to use this as a client, not as an AP.  Is there a way to load the driver other than recompiling the kernel?  Also, do you plan to add it to pfsense at any point in the future?  If not do you have a list of wifi devices supported by pfsense?

If you want help with openwrt - go there… Not going to waste my time sorry, its been over 10 years since used it..  Back when put it on a wrt54g... How to setup eap-tls with freerad on pfsense has been gone over multiple times.. I have posted config I use multiple times.. If you want me to post it again sure..

"I need to ask what are their pros and cons?"

Running you authentication on your AP.. Might be fine if you had 1 AP... After that it doesn't scale at all..  Have you run it on your switch?  Its PITA to configure such stuff..

Yes pfsense would be your router/firewall - doesn't matter how you get your clients on the network via wire or wireless.. It would route all your traffic.

"Wifi rules separately into the AP itself?[/"

Your confusing what a AP does with some wifi router device - your stuck in the openwrt mindset where everything is done on the little box... a AP does nothing more than bridge the wifi client to the wired network.. It does not route, it does not filter it does not do anything but bridge the wireless devices to the network..

Find a USB WiFi adaptor that will work with FreeBSD / pfSense or use the LAN port on the XPS.

Try looking on the FreeBSD web site.

And there is no integration…  pfsense doesn't give 2 shits what your AP does.. Or how it does it... There is ZERO to do with pfsense...

Pfsense doesn't know if wifi client or wired - doesn't know what SSID you connected to, be it 2.4 or 5ghz, etc..

There is ZERO to do on pfsense to get your AP to work... The only thing you would have to know is if your going to use vlan and what the IDs are so you could setup those networks on pfsense..  But that is more on your AP then pfsense.

Pfsense would do the same setting be it wired vlan or wireless vlan, etc.

"Do all router have the option to be an AP?"

Yes… Since they are actually an AP with a switch and router function.. Any wifi router as AP is as simple as connect it to your network via one of the lan ports, turn off its dhcpd - there you go AP..  You will prob want to set its lan IP to be on your network your connecting it to so its easier to configure ;)

This is getting a bit overblown. Especially as, while we don't always agree 100%, I think you (johnpoz), and Derelict are two of the most helpful people on the board. Yes, I suggested a user contact the reseller- for a hardware issue.
The point I was trying to make, is that a wireless board exists, where people can presumably ask questions about using wireless cards in the actual firewall. Telling them it is not best practice is fine. What I thought was out of line was (and perhaps I was reading too much into it) that a new user was being told that he was not deserving of help because he bought some hardware that a mod did not approve of. I have lots of 'official' hardware, and have in the past told people that they should get some decent hardware (like an adi) when they were running on flaky garbage. The OP had a configuration question. I don't like the implication that if you don't have approved hardware, you are not welcome to ask questions. I don't think Derelict meant that, but his response was not in his usual character. How about I buy the fist round of  Old Man Grumpy Ale http://www.gooseisland.com/our-beers/old-man-grumpy and we can all get back to normally scheduled programming?

Is this AP you going to be using a wifi client itself, ie wireless uplink vs a wire?

AP are only open to this krack is if they are using wireless uplink, ie they are a wifi client themselves.  If your AP is connected to the network with a wire - and not acting as a wifi "client" then it is not open to this problem..

You need to make sure all your wifi clients are patched..

When using a AP, pfsense has zero to do with wireless.  A wireless extender is something that would be open because it has a wireless uplink.. If you are using any of those in your wifi then yes they should be patched.

"Its stopping the users from accessing key systems in timely fashion."

So these key systems on on the internet or your network?

"Override for DNS, from general setup is on."

That doesn't really tell us what the client is using.. Out of the box pfsense would be using unbound - resolver and not forwarding.  Letting your dhcp override what pfsense uses for its dns wouldn't have anything to do with what clients use for dns.  Which normally would be unbound running on pfsense, which would then resolver and not forward.

tmaan222 question number 2 would be of interest for sure. Use your fav dns client nslookup, dig, host, etc.  Try and resolve something www.google.com… After you get a response what was the time?  Do it again you should get it cached answer that should be at most a few ms..

Dude this is just like any other opt interface.

Give it a network, setup dhcp.  Setup the firewall rules you want on the optX interface you create.. Done..  It is that simple.. Unless you have turned off automatic outbound nat.

"but it's variable and drops out and if I transfer a file or watch a movie on the NAS, it'll slow way down."

And this traffic goes over pfsense?  Or is that just from wifi to wired on the same network.. You mention only 192.168.1… So I assume your wifi and wired on the same layer 2... If that it the case pfsense has zero to do with that traffic at all, would never go through pfsense.

Try rolling you firmware back.. Its not uncommon for unifi firmware to have issues that effect performance.  What sort of features are you using on the wifi - any advanced features.  Airtime fairness for example can be a huge hit on wifi speed.

You don't really need their little key you can run the controller on anything really.. A Pi, any sort of desktop you have running OS X, Windows or Linux - I run it on a VM on my esxi host for example.

If your wired speed through pfsense is showing fine - then its something with your wifi or the switching the wifi is connected too, etc.

Thats the $h1++y thing about Unifi AP…in order to configure the VLANs in a Unifi AP you need to use a computer. You can't setup VLANs using the App(at least IOS).

Here is a post on how to set it up:
https://forum.pfsense.org/index.php?topic=137134.msg750913#msg750913

Hang in there!!

You would need to change nothing on the tomato, other than you should set its lan IP to be on whatever network you plug it into..

If your going to be using vlans, vs native untagged network on the lan side of your wifi router (ap) then you would have to setup that in tomato as well… But if not using vlans with tags.. Then just plug it into interface on pfsense and your done.. It does come in handy to set the tomato lan IP and gateway to work with your network your plugging it into..

Then connect to that tomato IP and setup your wifi.

well I read a topic bout wireless on this forum and now it works so perfect.

Big thanks for both of u  :) :)

"None of that stuff is EVER going to get patched.  "

Why would you say that.. You mean you won't take the time to patch it when the maker releases the patch.. Or that there is no method to update them?  DVRs and TVs all have ways to update the firmware they run, etc.  Same with printers.

I have some lights and such, that were a concern of mine.  But tp-link has stated they will be updated.  You can check responses and such from many a company that create devices that use wifi here.
https://github.com/kristate/krackinfo

What I would be more concerned with is some oddball device made in china that has not real link to any sort of support page or info or even what company you could check with on it being updated, etc.  If it a major player I would have to assume at some point it will be fixed.  But it could be months, etc.  And yeah it quite possible might be a PITA for some of the devices.  TVs for example can be a pain to update.. Have to boot from a usb quite often, etc.

I am a fan of using a wire for any sort of device that isn't mobile.. My printers and TV for example rarely move..  Shoot even when playing with the old chromecast devices - I had gotten the optional hardware option when it came out for $15 ;)

"throw up my hands and say "I give up" and not worry about it."

Not sure I would agree with the not worry about it statement.. But I sure wouldn't be loosing any sleep over it either.. But something to let simmer on the back burner for a bit and give the manufactures a bit of time to get their act together.

I have been researching about setting up VLANs over wifi access points.

It would be not really clear to me about what you are talking here exactly! Do you want;

set up one or more SSIDs and put each in a VLAN or set up a WiFi bridge between to networks and transfer over that WiFi radio link VLANs?

Looks like the common recommendation is to get the Unifi AP series.

It all depends on many points here what to give the right advise. fast roaming or not, roaming or not,
distances between the links, area that must be captured and sorted, a/b/g/n or ac WiFi and so on…..

MikroTik has nice and stable running equipment for any kind of budget Internal WiFi cards should work too, Compex WNE200X, SR71-Eand many Atheros based cards refurbished Ruckus APs are able to be a controller and AP for a smaller WiFi network or as single device Buffalo, Netgear and TP-Link are selling consumer WiFi routers that can be turned into AP mode or able to be
sorted with OpenWRT, DD-WRT or the OpenWRT replacement LEDE distribution if you want it, all are mostly VLAN
capable but not supporting it on all devices! So you might be looking more and/or do more research on the wished
functions you need. A small RaspBerry PI 2/3 can be easily turned into a WiFi AP with internal miniPCI(e) cards or USB WiFi sticks
by installing and using Linux on it.

So you see there is many equipment on the market from 20 € - till open end.

But we don't get that here where I am from.

A RaspBerry PI is for ~20 € - 35 € able to get the hands on and used or new WiFi USB sticks will be
less then 20 € too, or some internal cards for WiFi ac will be able to get for 12 € - 30 € so you will fit
all with your budget as I see it right.

Are there any alternatives? This is for home use, and I am looking from something in the sub $200 range.

Have a look over well known and good working OpenWRT consumer routers, capable of VLANs.
Or build your own with a RaspBerry PI and Linux and miniPCIe cards or USB sticks.

Also, is there anyway to turn a regular AP to support VLAN by adding some extra hardware between the AP and pfSense?

VLANs should be supported at three points in the network or more if needed or whished;

the router or firewall should be able to support it the network switch should be support it well too for sure the WiFi APs should be supporting; single SSID and VLAN or multi-SSID and multi or more VLANs

Max as you can use on pfSense now - it 450 mbit N speed, for example - something on Qualcomm-Atheros AR9380 chip.

@Finger79:

I noticed in System Logs that php-fpm is signalling to restart other packages, including radiusd.

Simple to answer this one : pfSEnse is using a GUI for setuo.
This means it uses a web server and some "extension" that executes scripts that make the GUI web pages. As you might guess, this PHP (half of the Interweb web sites uses PHP).
"php-fpm" is you the name of the mode how PHP is executed and communicates web the web server (nginx).

Somehow, pfSEnse IS actually all these PHP scripts (well, not entirely, but mostly). So, yes, it is PHP that restarts packages is some system wide settings are changed, interface drop and repop and other conditions.
Should it restart "radiusd', that is the real question : it depends what happened. A new WAN IP is such a condition. It's probably non needed to restart radiusd when the WAN IP restarts ….
Of course, the time radiusb restarts, all communication (authentication) is out of business. If this happens very often, well, the issue would pop up more often.

Btw : I'm not using radius myself, but your question proves me that it wouldn't be a bad idea NOT to run radius on the firewall - if possible (needs another local (LAN) server device).

I have seen that amazon and nest and tp-link have announced working on it and patches to follow, etc….  Have not seen anything from logitech (harmony hub) as of yet..

Lot of freaking iot wifi devices ;)