• WPA(2) Enterprise + FreeRadius

    0 Votes
    7 Posts
    3k Views

    Thanks for the very clear answer!

    I'm probably going to run 2.4GHz with WPA2 AES Personal and 5GHz with WPA2 Enterprise.
    The devices I have that do not support WPA Enterprise are also devices that do not have 5GHz support (printer, Logitech Squeezebox).

  • Guest access

    0 Votes
    6 Posts
    2k Views
    johnpoz

    Why are people such cheap bastards??  If what you want is captive portal - then do it the correct way and put your wifi network behind pfsense..

    So does your current wifi router/modem/gateway even have the ability to change the gateway it hands out via dhcp?  Many soho devices do not..  The dhcp server on the device is very limited..

    Let's say you could do that.. So now you're going to run pfsense just as lan client so all your packets you're going to send through it, since it's the gateway you're going to hairpin and then just send back to the router as it is the one connected to the internet..

    Dude turn off your wifi on your "modem" get an access point or 2 or 3 of them and put them behind pfsense.. There you go all your problems solved for a few bucks.. You do know any wifi router can be just an AP.. So for as little as like $20 you could have AP actually behind pfsense…

  • Kernel: ath0: stuck beacon; resetting (bmiss count 4)

    0 Votes
    3 Posts
    842 Views

    That sucks donkey balls.
    Thanks for the reply though.

  • Rt3072 wifi run0 device just crashes

    0 Votes
    20 Posts
    4k Views

    It is just a fun experiment for me. running -ifconfig wlan0 mediaopt ap ssid cornhole mode 11a channel 140- is a blast.
    I am surprised how seamless the cross platform stuff is. Same instructions for any architecture.

    Hostapd on the NAS4Free/Odroid was an interesting concept…2 birds with one stone. Jail kept wiping my setup. I am unfamiliar with their setup.

  • Netgear WNA1000Mv2 not working WHY

    0 Votes
    3 Posts
    889 Views

    @doktornotor:

    https://doc.pfsense.org/index.php/What_hardware_is_supported

    Thank you, I checked the lists from different sources tons of times, but they don't even seem the same, some lists show WNA1000M is compatible, but in a google sheet I find that the Realtek chip may not be recognized on USB, and the only working USB dongle chip is Ralink, I'm going to get an EDIMAX EW-7711UAn to try…

  • Looking for networking expert

    0 Votes
    10 Posts
    2k Views

    haha ya wouldn't that be nice!!!
    there isn't much to do in the area anyway! 30 mins to a mini zoo, steam train ride through the Dandenong Ranges and a small fun park!
    ya from Vegas is a bit too far for an expert to come from!! :P
    external wifi hasn't really taken off here, both 3/4g and satellite are so expensive it's a joke! i do assume that remote area satellite will get a government rebate!

  • Received Error (651) trying to connect to wireless internet

    0 Votes
    2 Posts
    600 Views

    That error code is for PPPoE.
    How are you trying to connect?

  • Anyone here got it working on 802.22 standard?

    0 Votes
    5 Posts
    1k Views

    Have you looked into software defined radios? Many free and open implementations that can likely be adapted for your scenario.

  • Wireless Internal LAN Setup

    0 Votes
    2 Posts
    1k Views

    Your WAN connection that enters the router (new), is it PPPoE? I mean, do you have a username and password configured on the router to get your internet connection up?
    If not, there is no point in having a router between the WAN cable and the pfSense box. You can plug your cable straight into your pfSense box and set up the WAN interface as you have on your router.

  • Wireless AP VLAN questions

    0 Votes
    3 Posts
    1k Views

    Thanks Derelict! I was a little confused about tagged and untagged VLANs so thanks for clarifying that for me. (And also pointing out my mistake with the WAN IP address). I appreciate your help.

  • Transmit power not available?

    0 Votes
    6 Posts
    2k Views

    Sometimes you adjust the AP's transmit power to max and it doesn't change anything…

    Remember that wireless communication is bi-directional, and when you maximize transmit power on APs your wifi device (mobile, laptop, tablet) is listening harder, let's call it "on download", for didactic purposes, but maybe you have a bottleneck on "upload" because the device doesn't have enough power for the AP to hear it "clearly"; this is common because APs' antennas are better than antennas encapsulated in cellphones, for example...

    In fewer words, with more power your device will hear your AP from farther away, but it doesn't mean that your AP will hear your device.

    I prefer to upgrade the AP's antenna if it's possible; the gain is in both transmission and reception, instead of maximizing power, where the gain is just in transmission.

  • Separate wireless guest network

    0 Votes
    8 Posts
    19k Views

    @Panja:

    I have changed my guest network firewall rules according to your (iso70x) rule set and it's working great! :D
    Made an alias for port 80, 443 and 22 and named it pfSense_admin.

    Great, glad you got it working.  :)

  • Frequent wireless disconnections

    0 Votes
    6 Posts
    3k Views

    My wireless has gone down for 30-60 seconds once or maybe twice a day. It's a fairly new setup so I'm hoping it's something I've missed with install or firewall settings.. I'm running 2.2.4 release, 3 separate NICs, wireless is managed on its own NIC with 1 rule to allow "any" traffic as I've just got it set up.. Wireless AP is an Xclaim Xi3.. (little brother to Ruckus equipment). Has anyone got any ideas.. really don't want to fork out more cash for a router or AP if it keeps dropping out.

  • Unifi AP Pro

    0 Votes
    10 Posts
    3k Views
    johnpoz

    "I thought I read about a restrictive license for the software, tied to hardware, not-transferable"

    What??  That sure as hell has nothing to do with unifi..

    The AP could care less what you use for your router, or even if there is a router.. It bridges wifi to the wired network it's connected to.  I would suggest you fire up the controller software and set up your AP for your network and the ssid you want to broadcast, any sort of vlans on specific ssids, etc.

    So do you have the controller software running?  Can you see your AP?

  • Help with WiFi Access Points

    0 Votes
    3 Posts
    1k Views

    I got it figured out.  The bridge was one of the issues - deleted it and used a switch (connected to opt1) for the APs.

    Switched to WPA-PSK AES.  Got FreeRadius and Captive Portal configured with usernames and passwords so now the users connect with a shared passkey and then they have to log in via a captive portal page.

  • Belkin wireless router not able to forward traffic to pfsense same subnet

    0 Votes
    11 Posts
    3k Views
    johnpoz

    If your AP does not have a gateway option for its lan, all that means is you would not be able to manage it from a different network.  APs bridge wifi to wired, they are layer 2 devices - this is what an AP is ;)

    I would guess this is not mentioned in many guides on using a wifi router as an AP since it's pretty much basic understanding of what an AP is ;)

    If you did not have a dhcp server running on this network segment, how would you think a client would get an IP on that segment?

  • Wifi connecting on one machine, not on another…

    0 Votes
    2 Posts
    561 Views

    Check the ip configuration on the neighbor's computer, it can be set to static ip, by default clients are on "obtain ip address" but if you change it and assign an ip address (out of pfsense's ip segment) to this interface, you can connect to the wifi link, but have no lan access.

  • Wifi bridged with Lan

    0 Votes
    12 Posts
    2k Views

    Don't give up, If you have an ATH0 chances are it is fine. What exact Atheros module are you using?  Internal PCIe card or MiniPCIe Module? Brand? If generic -Atheros model# if you can find it. ie. AR5BXB112 is an example for generic laptop module.

  • How to improve Wireless Security?

    0 Votes
    4 Posts
    2k Views
    johnpoz

    So I just set this up to see how much of a hassle it was, went full blown eap-tls only because if you're going to let something on your wifi might as well be freaking sure it's a device you want to let on so why just use peap with username and password ;)  And not someone that got your psk somewhere or shared it out via windows 10 ;)

    There is a problem, you most likely can not fully get rid of psk because of consumer type devices.  So for example my nest thermostat, my harmony smart hub remote.  Chromecast, but I put this on a wire when they came out with the $15 ethernet.. The chromecast doesn't move so wire it! ;)

    I wish I could do that with my thermostat and hub they don't move either..

    Anyhoo - these sorts of devices are not going to support 802.1x or wpa/wpa2 enterprise so you're going to have to leave up a psk network.

    And iphone and ipad kind of suck getting certs installed.. There has to be a password on the .p12 to install your ca and cert and key for the device that you can download..  A feature improvement to the cert manager might be more control over what certs you put into a .p12 file so you could put in say the ca and server file and your clients crt and key for easy eap-tls stuff..  So to get on my apple ios had to use openssl pkcs12 -export to get a password on it.  While there is a nice handy download button for the ca and cert and key you can not put a password on it and might be nice if also contained the server cert all in 1 p12.. You can do it with openssl but might be nice if just handy click download in the ca manager.

    My son's android nexus they force you to have a pin setup to install certs..  And was odd figuring out how to set it to tls vs default of peap since screen doesn't by default show you all options you have to hit advance checkbox, etc.

    But got all my devices on eap-tls, 4 laptops, 3 phones, ipad and my desktop for when I need to play with wireless for something with it.. But it's a desktop so it's wired gig, wifi is only a play/test tool on it.  I then created a new psk network just for my nest and hub and any future things that might be connected that don't support eap-tls.  And then broke out another network and ssid just for guests.  So there are 3 different segments for wireless with their own firewall..  I let the eap-tls one in to some services on my lan, ntp, file share, printer.  But the psk is limited really only to dns from pfsense and ping the gateway, and then the guest can not even use my local dns they get handed isp dns.

    I tested revoking a cert which works nice..  And it is kind of nice getting the wireless logins in the system logs which you could actually use to track users moving about the house depending on which AP they hit ;)
    Sep 12 10:15:29 radiusd[57374]: Login OK: [s-android] (from client uap-ac-lr port 0 cli 40-B0-FA-71-AE-5B) s-android
    Sep 12 10:11:37 radiusd[57374]: Login OK: [s-android] (from client uapac port 0 cli 40-B0-FA-71-AE-5B) s-android

    So for example there was my son's phone logging into my AP in the hall uapac to the one out by the patio and in the kitchen area one of the new LR models uap-ac-lr

    So while it was a bit of a pain to set up, it didn't really take all that long.  Maybe I will put together a walk thru..  But to be honest anyone wanting to go this route shouldn't really need a walk thru, this sort of setup sure as hell is not for billybob that just found pfsense and thought it might be fun and doesn't even understand what a vlan is.

  • 0 Votes
    2 Posts
    797 Views

    I pulled the Dell out of my lappy.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.