Well vs saying strong and weak signals.. What are the actual numbers? You mention linux, how about simple iwscanner output.. What is the actual signal strength?  What channel are you using, does this happen both at 2.4 and 5ghz?  Are you using using 20mhz or 40?

Exactly my concern! That the AP is allowing connectivity without waiting for a response from FreeRadius.

I have 2 I'm using for testing, a Cisco AP1142 (white square) and a D-Link DIR-615 home router (with routing turned off, just using wireless AP feature)

The AP's would only allow me on IF pfSense was running (even though Freeradius and certificates on pfSense were not installed)

This time when I nuked the pfSense install, I also formatted the disk, ensuring a completely clean installation. So far the AP's have not allowed my laptop back on to the network.

Vendor and Model: Atheros AR5B225 WB225
Chipset: Atheros AR9485
Form factor: Mini-PCIe (half-size)
Version of pfSense: Pfsense-2.2.5 amd64

https://wikidevi.com/wiki/Atheros_AR5B225

If I have time, I'll post more informations.

there is no such thing as a ADSL AP that I have ever heard of…  What is the make and model number of the device?

yes I would recommend the unifi line.. The new AC lite model is $89..  Or again any wifi router you have laying around be it ethernet or dsl based, if it has a modem its actually a gateway (dsl, adsl, etc..)  Still can be used as AP...  Just disable its dhcp server, change its LAN IP to be on whatever network you going to connect it to.  Connect it to your network with one of its lan ports.. access the IP you gave it and setup the wifi how you want.

When using a wifi router as AP you don't use its WAN port, since its not going to be routing or natting anything.  So unless the device has mode to bridge its wan to its lan the use of that port is lost.  But what does it matter if just using it as wireless AP.. You can also leverage the remaining lan ports if you want for wired connections to your network.

But a decent AP is going to be POE and designed to mount in the ceiling for better coverage.. Your typical wifi routers are rarely poe and not really good for design for proper placement for good wifi coverage.  While some can hang on a wall, etc..  since they need power source they make it more difficult to place in proper area for best coverage normally.

Do yourself a favor and get a real AP, maybe a few of them if area your wanting to cover warrants it.  The unifi line use a software based controller, or you can buy a little key to run the controller on, or run it on any pc you have or vm, you can run it in the cloud on aws, etc. etc..  The controller is going to give you lots of insight into clients connectivity, bandwidth used, etc.. etc..  There are even some guides on running the controller software on pfsense itself - but I would not recommend that.

You don't have to use the controller if you don't want to either if your not using its captive portal feature, etc.  They are even releasing a APP to quick configure the AP with if you don't even want to run the controller for initial setup of the AP.

https://www.ubnt.com/unifi/unifi-ap-ac-lite/

@bikemike:

ipfire supports 802.11g/n without any issue or at least that is what I am set at.  I have no issues with integrated WiFi using ipfire.  Most of my connections are around 130mb or less.  So, not quite N.  This is more than enough to support what we do.

I find the ipfire interface a bit unrefined with some odd behavior in certain areas .  pfsense is simply more mature and is much more refined with the ability for more advanced features, etc.  Plus, I wanted to try something new  :)  The pfsense is much more intuitive and simply makes sense.

For some reason, pfsense does not like the Atheros AR9283 chipset.  Being close to the access point, things worked.  Being further away, the signal strength was good, but the mass frequency of stuck beacons were too much for things like facetime, etc.  Changing channels reduced the beacon errors, but not enough for a reliable connection at distance.

In short, I simply like pfsense better, but ipfire worked without much tinkering after the fact.  Looks like an external AP may be the way to go here unfortunately.

yes external are aweseome..

you can buy an tplink i am using tlwr740v1.1 since it came out . and its still running great .. i have loaded it with ddwrt and using it as ap so it is just a connecting point for my clients all other things are forwarded to pfsense..
it hardly costs 15 USD

is above ok or bug ?
i have made a video screencast .. i will share it  to demonstrate/reproduce above problem ..  (hardly 7 minute video )
i cannot share it here in open due to the fact that that contains live ips..  but will upload and share via pm ..
just pm me i will share it.

@Phishfry:

You noticed there seems to be some problems with the RaLink and pfSense. I am have tested with RT5572/5592 and they have issues too, but the the pfSense 2.3 testing branch works well. Have you tried the nightly build. They are pretty solid.

The run driver does not support 802.11n mode.

Ya, I tried the latest 2.3 snapshot as of about two days ago and it has the same kernel panic and reboot as soon as the interface attempts to come up. Actually I've tried about four different pfSense versions from pre-2.0 to 2.3 alpha. All have the same crash with the run driver.

I was looking at USB but would it be too slow?

Actually even the MC7700 is a USB device internally.

The speeds will be around 5-6megabytes/sec.

@ILLCOMM:

When is this getting fixed, or should we assume never? It seems suboptimal to disallow a WAP to choose the best channel…

Ask the FreeBSD guys, perhaps. Or just get a proper access point and stop wasting time.

If you have several external AP seems kind of pointless to run AP on the pfsense box itself..

Nice..  Now if we could get enterprise support on devices like nest, harmony hub, game consoles, etc..  Could completely get rid of wpa2-psk…  Well still might need it for guests, since would be a bit difficult to explain installation of certs to most users..  But guess could just run open with a captive portal for them as well, and not even need a psk ssid.

Sorry for such a late reply - didn't know there was a question about the AR9280. But for completeness and general knowledge sharing the AR9280 has been working great for me with a guest SSID as well.

Only problem (not sure if its related) is that pfsense locks up hard after 30+ days uptime (happened twice). Console and everything unresponsive. Not had time to chase down or diagnose. A reboot fixes for now.

If you notice here

https://wikidevi.com/wiki/Atheros_AR5BXB72

This one is 802.11 AGN so 5ghz.

It does use the older AR5xxx series chip but it is a good card being a extreme(X) version of the reference design used commonly in Mac's

The AR5B91 is newer but only offers 2.4ghz coverage.
https://wikidevi.com/wiki/Atheros_AR5B91

My question for the guru's would be: Is each VAP using a separate instance of hostapd? Or one instance with 3 configs.

I am finding it connects faster, probably due to external antenna. It also has no 802.11a mode either.

http://www.ebay.com/itm/271508002615

Why would you post in a thread from 2013.. Did you read
https://doc.pfsense.org/index.php/Is_802.11n_wireless_supported

pfSense 2.2-RELEASE is based on FreeBSD 10.1, which does have 802.11n support in general, but support may still vary by card and driver.

And my advice still stands - your best option here is use a REAL AP.. There is no way that any device in pfsense would come close to the coverage you would get with an actual AP..  When you can get AC devices for under a $100 not sure why this would not be anyone first choice??  The wifi option in in the sg-2440 which is $75, I would go with the new ac lite at a couple of bucks and does 2x2 AC

Are you asking how to detect downstream NATs that are using multiple clients?  Normally this is done by looking at the TTL of the traffic coming from the hosts..  Since any nat routers, even pfsense normally removes 1 from the TTL value.

So windows for example normally sends packets with TTL of 128, if your seeing packets at pfsense with TTL of 127, then that packet went through a router(hop) that did or did not do nat..  You could do this automatically with switch before pfsense sending sflow to some sort of analyzer that was looking for this and logging/alerting on it.

You could also use some form of OS fingerprinting on the traffic and looking at other details in the traffic look for something that points to different OSes being used from the same IP at the same time.  Since it is possible to configure your router not to decrement the TTL if your trying to hide your NAT…  Have done this back in the day when some ISPs where saying you could only have 1 device connected, etc..

Do a simple google for nat discovery/detection

Channel 1 on 11g is the default and you defiantly want to checkout other channels. Depending on your hardware you could have either 802.11ng network or 802.11na network if your card supports 5ghz frequency.

I would recommend you do a Wifi survey with software like nutstumbler and run it on a laptop and find out what you have that could interfere with your radio signal. So find any channel holes and use them. Less congestion and fighting neighbors radios for optimal signal.

Short and sweet: 802.11NG is crowded with many consumer products using it and 802.11NA is pretty empty where I live. I have no competing signals in 5ghz.

2.4ghz offers more range at lower speeds. 5ghz offers better speed but less distance.

Looking at your output you have 2.4 and 5ghz radio. I would pick an 5ghz channel and try to connect with a client device and checkout connection speed in the Wireless Status page of pfSense. Go through the upper channels and see what works best….