@nubascuba:

1. Do I login to AP and configure wireless settings or can this be done via GUI? - this is the part i understand least
2. What FW needs to be set to allow traffic?

1.  Yes, all wireless configuration should be done only in the AP (DD-WRT).  pfSense should have nothing to do with wireless at this point.  (Unless you wanna do WPA2-Enterprise in the future…)
2.  The pfSense LAN interface by default allows all outgoing traffic, so everything should work by default.  You can follow a restrictive whitelisting approach in the future if you want to allow outbound ports one by one (such as 80/tcp and 443/tcp for web browsing, etc.).  This can be very tedious and granular depending on your needs.

I wanted to set up vpn so you had to establish a vpn tunnel to the pfsense box or the wireless access point before you would be able to see the captive portal for radius.

I ended up getting different hardware. I didn't want to have to run the ubiquity cloud software especially since it's a java program.  I ended up getting a Cisco WAP121 ethernet access point. I can't get wireless clients to see the internet.

I have an optional interface in the pfsense box with an internal static ip with dhcp on. 192.168.2.1  The access point has a static ip in this address range I have the mac address added to the filtering table for allowance the client is getting an ip address but not getting internet connectivity.  Is there anything special I have to do when plugging in an ethernet access point into a pfsense box to get wireless up?

I don't yet have radius, nor vpn running I'm just using a regular ssid, mac filtering, and wpa2 personal.

I'm guessing these need to be bridged some way?  I don't necessarily want to share the lan with wifi users unless I allow to do so with vlans or firewall pin holes. I'm try to keep wifi traffic separate but still get internet connectivity.

Thanks again for help!

-Jon

Hi Chris,
I do not know what happened the last night but now I have access to the AP's management interface as well as from the pfSense WAN and LAN I can successfully ping google.ca but on the end devices connected to the AP, still no internet - when I ping from 192.168.88.0/24 to 172.24.50.0/24, no response.
I am guessing I need to change some rules and NAT? Do you think you can give a hand with the pfSense tuning?
Thanks and Best Regards,
Asen

well if pfsense is your edge only, and you have downstream router.. ie your core switch.. Then pfsense would be connected via a transit.

Pfsense could give two shits about vlan IDs then.  And you are correct the connection from pfsense to your switch, and then the connection from that switch to your core switch would/could be untagged.

You would just need to configure routing with pfsense, so it knows about this downstream networks and the gateway IP to get there - ie the IP of your core switch on that transit network

you would then need to adjust the firewall rules on this transit interface (lan I assume in pfsense) to allow your downstream networks.  And you would need to make sure your outbound nat rules on pfsense are doing the natting of these downstream networks.

Pfsense will not be able to do dhcp for these downstream networks.. Pfsense can only be dhcp for networks that are attached to it.

Get AP that are not crap ;) heheeh

@TheWaterbug:

Is there any sort of step-by-step guide to setting up a USB cellular modem on pfsense?

Something like a guide, but for good modems, not ZTE, sorry ;)
Please check here.

@remlei:

really? there's a recent updated lately which is DD (designated driver) and if you want the most updated version, there's also LEDE you can rely on which is just a fork of openwrt to be honest.

Played with LEDE in VMs (works fine), will be installing it alongside pfSense on top of Alpine Linux with KVM. I hoped for easier setup, but looks like this is what I'll end up with.

Perhaps one of those VPN services is pushing a set of default routes.

If you don't want to route all traffic all the time out a VPN client it is probably best to check don't pull routes there and policy route just what you want out of it. Else you have to understand that the VPN is your default gateway.

How I've set up it. Pfsense box –-> switch and then router connected from LAN port to switch. I've turned off DHCP from the router..

"I decided to go ahead and install a wle200nx atheros mini pci wireless module onto the apu2c4 motherboard."

Bad choice - get yourself a real AP, or just use some old wifi router as one, which could be picked up for like 20$ Cheaper or the same cost as your wle200nx with WAY fewer problems!

"block mobile devices"

How would these mobile devices be accessing your wifi in the first place?  How do they have the creds?  So are you talking about a user that has a laptop and he knows how to auth to your wifi, so you want to stop him from adding his phone/tablet to your wifi network?

Are these laptops issued by you.. Are they of specific model what software do they run.  Would be simple enough to create a mac based listed for these devices, so other vendors would have different mac, etc.  Why not just use a auth method that requires a cert on the devices you want to join, etc.  There are plenty of ways to skin a cat.  But missing the details of what cat this actually is to know the best way to skin it.

If you could give more details of your setup, and what these mobile devices are your wanting to keep off your network..  How do they know how to auth to your wifi network?  If they are your users why not just tell them to not join their mobile devices, and if caught doing so they will be fired or all of their wifi access will be blocked, etc.

Ok, I will go for UAP-AC-LITE, it seem to do what i want (wpa2 enterprise with radius backend)
Thank you,

Long story short, my setup is working now. I think a bridge is the best way to go, and I'm impressed at the way pfSense handles it. I was wrong about the IPv4/IPv6 split; having them combined is fine.

Now:

Neither LAN nor WLAN has an IP address The bridge interface LANBR has static IP addresses for IPv4 and IPv6 No firewall rules for LAN or WLAN Firewall rules on LANBR only Tunable net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1

No internet access for my LAN/pfSense management computer. I update the software periodically.

Thanks again Johnpoz…I think just using the phone AP after setup seems the most sense.

Wondering if my issue is related.  I have an MC7700 and trying to get GPS to work with the NTP server on pfSense.  I dont seem to be able to get NTP to see GPS data on any of the ports.  LTE on 0.3 works fine.  Nothing else though.

"to use at tradeshows or to use as an emergency internet connection for customers."

Why and the F would you need a transparent proxy for such a connection.. Cradlepoint would be a perfect solution for these sorts of things btw!!!  We have been playing with some of their hardware at work for an upcoming project.  They are slick ;)