https://forum.netgate.com/topic/183787/s0lved-squidguard-and-wireless-printer

Maybe add a DNS resolver for it also??

@stephenw10 PR created: BSSID entry on Network-Specific Wireless Configuration of Interfaces #14960

I wouldn't expect to have to make any other change there. You might try restarting Freeradius to be sure though.

The command to set that would be: sysctl dev.ath.0.tpack=99
But I can't set it on an ath card here. It may not apply to all hardware. It might be a loader value.

@provels

@provels Take a look at this file with the built in editor in pfsense GUI

Screenshot 2023-10-31 at 7.49.01 AM.png

This may have blocked you from turning it up. It might be limited by way of this file. . .

Scroll down and find WiFi 11g and check for something called max power

You guys all scare the hell out of me.
I've loads of APs without any passwords at all.

And at home neither, as I haven't seen yet any rabbits with some BYOD ....

In Diag > Packet Capture. Set it to filter for ports 67 or 68 to see the DHCP traffic.

Renew the lease in Status > Interfaces.

You will see the DHCP packets as it captures them and also can download the resulting capture to see what they contain.

Steve

@JonathanLee said in SG-2100 and Compex WLE200NX card:

I was reading FreeBSD has Intel support for AC and AX somewhere

They have support for that hardware BUT:
There is not support for .ac or .ax so the cards can only run in .na/g mode.
They an only run in station mode not hostap so cannot be access points.

@provels 802.11NG 20ht was really bad for me. It only works well with 802.11NA on -40ht with a 5dbi antenna set. The 8dbi was like a laser or point to point. The 5dbi is like an oval shape for coverage.

@Panja What kind of dbi is your antena? 7, 8 or 10?

https://dongknows.com/wi-fi-dbi-and-high-gain-antennas-explained/

Hello I wanted to share that I have found a possible solution to the stuck beacon on my SG-2100

Screenshot 2023-10-25 at 4.19.48 PM.png

Make sure all of the following are checked under SystemAdvancedNetworking

Hardware Checksum Offloading
Hardware TCP Segmentation Offloading
Hardware Large Receive Offloading

They must be disabled for Snort's inline mode to function. When I was testing trying to activate Snort's inline mode I left them like this and the stuck beacon error stopped all day. It is completely gone now.

@WaltW-0 said in No Internet with Wireless Access Point:

My computer's IP shows in the DHCP Leases in pfSense.

Is that true connected to the router both wired and wireless?

It sounds like it might be filtered in the Asus router.

Steve

If it's not working well in access point mode I wouldn't expect using it in router mode to help. Adding one layer of NAT can only confuse things normally.
If you're only seeing issues when connected to the extender that's probably the issue. The way extenders work by hiding the client MAC address is....ugly! Avoid them if you can.

Steve

Yup iwn(4) does not support hostap mode:

iwn supports station and monitor mode operation. Only one virtual interface may be configured at any time.

You can reassign the WAN to the wireless NIC. Or just rename the existing interface and set that as the default gateway in System > Routing.

Steve

@stephenw10

Yep, that's the way to go!

Cheers!

@datafaber & @weehooey So I have freeradius3 working on my pfsense fw, both as a ldap authentication under user manager and ldap over ssl with bind to ldap.google.com using google provided cert.
It involved manually editing the conf files, if you make any changes in the web ui it will over write with the incorrect settings.
I am documenting this as I need to take this from test env to real even for 2fa.

https://www.nasirhafeez.com/freeradius-with-google-g-suite-workspace-secure-ldap-for-wpa2-enterprise-wifi/
following this article I was able to get an ubuntu vm running and connecting freeradius3 to google ldap. then adapting it to follow how the pfsense freeradius wants it.

I uploaded the crt and key into cert manager on pfsense.
defined everything in the gui like bind user / pass

Setup the two interface ports
interface.png
I did the NAS/Client
nas-client.png
I checked disable weak EAP types: MD5 and GTC and set Default EAP type to TTLS
eap.png

Selected SSL Server Cert to my google imported cert
eap2.png
Set EAP TTLS Default EAP Type to GTC
eap3.png

Enabled both LDAP Auth
plugged in Server address ldap.google.com port 636 and bind user / password
ldaptopclean.png

Enable TLS support, selected my SSL Server Cert imported from google and set Verification to ALLOW
ldaptls.png

fun part editing manually:

Edit the default virtual server:

nano /etc/freeradius/3.0/sites-enabled/default which is /usr/local/etc/raddb/sites-enabled/default
In authorize section after pap add this:

if (User-Password) { update control { Auth-Type := ldap } }

making it look like this following the working config from the running freeradius3 server
default.png

once restarted the radiusd service I was able to authenticate using the radius server under Authentication Servers
authentication.png

testuser.png

What I could use help with is getting the syntax correct for groups membership in ldap to show up in freeradius.

ldap-groups.png

@stephenw10 Thanks. Figuring out what those units are capable of has been somewhat difficult. TP-Link support hasn't been very helpful. These are a consumer-grade product so I'm working with that level of support techs - and this is more of a business application.

Generally you need to use the BGW320 as a modem device for the AT&T connection. In that situation it must be on the WAN side of the 2100 so cannot also be an Access Point inside the 2100.

See: https://forum.netgate.com/post/1120881

@stephenw10 I went to plug a USB cable into the 8800 and noticed that the plastic back was kind of sticking out. I took off the back and the battery is bulged. I am thinking replacement is a great idea as those batteries aren't free. I tried plugging it in via USB to the PFsense and it didn't show up. Must be a windows only sort of device. I got the other router for $37.99 (it is on sale for 20% off)