Thanks Derelict! I was a little confused about tagged and untagged VLANs so thanks for clearifying that for me. (And also pointing out my mistake with the WAN IP address). I appreciate your help.

Sometimes you adjust AP´s transmit power to max and it doesn´t change anything…

Remember that the wireless communication is bi-directional, and when you maximize power transmit on AP´s your wifi device (mobile, laptop, tablet) is listening harder, lets call "on download", for didactical purposes, but maybe you have a bottleneck on "upload" because the device doesnt have the enough power to the AP listen "clearly", this is common because AP´s antennas are better than antennas encapsulated on cellphones, for example...

In less words, with more power your device will  listen your AP far, but it doesnt mean that your AP will listen your device.

I prefer to upgrade AP´s antenna if its possible, the gain is both transmission and reception, instead of maximize power that the gain its just in transmission.

@Panja:

I have changed my guest network firewall rules according to your (iso70x) rule set and it's working great! :D
Made an alias for port 80, 443 and 22 and named it pfSense_admin.

Great, glad you got it working.  :)

My wireless has gone down for 30-60 seconds once or maybe twice a day. It's a fairly new setup so I'm hoping It's something I've missed with install or firewall settings.. I'm running 2.2.4 release, 3 seperate NIC's, wireless is managed on it's own NIC with 1 rule to allow "any" traffic as I've just got it setup.. Wireless ap is an Xclaim Xi3.. (little brother to Ruckus equipment). Has anyone got any ideas.. really don't want to fork out more cash for a router or AP if it keeps dropping out.

"I thought I read about a restrictive license for the software, tied to hardware, not-transferable"

What??  That sure an that hell has nothing to do with unfi..

The AP could care less what you use for your router, or even if there is a router.. It bridges wifi to the wired network its connected too.  I would suggest you fire up the controller software and setup your AP for your network and ssid you want to broadcast, any sort of vlans on specific ssids, etc.

So do you have the controller software running?  Can you see your AP?

I got it figured out.  The bridge was one of the issues - deleted it and used a switch (connected to opt1) for the APs.

Switched to WPA-PSK AES.  Got FreeRadius and Captive Portal configured with usernames and passwords so now the users connect with a shared passkey and then they have to log in via a captive portal page.

if your AP does not have a gateway option for its lan, all that means is you would not be able to manage it from a different network.  AP bridge wifi to wired, they are layer 2 devices - this is what an AP is ;)

I would guess this is not mentioned in many guides in using a wifi router as AP since its pretty much basic understanding of what an AP is ;)

If you did not have a dhcp server running on this network segment, how would you think a client would get an IP on that segment?

Check ip configuration on neighbors computer, it can be set to static ip, by default clients are on "obtain ip address" but if u change it and assign an ip address (out of pfsense's ip segment) to this interface, u can connect wifi link, but has no lan access.

Don't give up, If you have an ATH0 chances are it is fine. What exact Atheros module are you using?  Internal PCIe card or MiniPCIe Module? Brand? If generic -Atheros model# if you can find it. ie. AR5BXB112 is an example for generic laptop module.

So I just set this up to see how much of a hassle it was, went full blown eap-tls only because if your going to let something on your wifi might as well be freaking sure it's a device you want to let on so why just use peap with username and password ;)  And not someone that got your psk somewhere or shared it out via windows 10 ;)

There is problem you most likely can not fully get rid of psk because of consumer type devices.  So for example my nest thermostat, my harmony smart hub remote.  Chromecast, but I put this on a wire when they came out with the $15 ethernet.. The chromecast doesn't move so wire it! ;)

I wish I could do that with my thermostat and hub they don't move either..

Anyhoo - these sorts of devices are not going to suppport 802.1x or wpa/wpa2 enteprise so your going to have to leave up a psk network.

And iphone and ipad kind of suck getting certs installed.. There has to be a password on the .p12 to install your ca and cert and key for the device that you can download..  A feature improvement to the cert manager might be more control over what certs you put into a .p12 file so you could put in say the ca and server file and your clients crt and key for easy eap-tls stuff..  So to get on my apple ios had to use openssl pkcs12 -export to get a password on it.  While there is a nice handy download button for the ca and cert and key you can not put a password on it and might be nice if also contained the server cert all in 1 p12.. You can do it with openssl but might be nice if just handy click download in the ca manager.

My son's android nexus they force you to have a pin setup to install certs..  And was odd figuring out how to set it to tls vs default of peap since screen doesn't by default show you all options you have to hit advance checkbox, etc.

But got all my devices on eap-tls, 4 laptops, 3 phones, ipad and my desktop for when need to play with wireless for something with it.. But its a desktop so its wired gig wifi is only play/test tool on it.  I then created a new psk nework just for my nest and hub and any future things that might be connected that don't support eap-tls.  And then broke out another network and ssid just for guests.  So there are 3 different segments for wireless with their own firewall..  I let the eap-tls one in to some services on my lan, ntp, file share, printer.  But the psk is limited really only to dns from pfsense and ping the gateway, and then the guest can not even use my local dns they get handed isp dns.

I tested revoking a cert which works nice..  And it is kind of nice getting the wireless logins in the system logs which you could actually use to track users moving about the house depending on which AP they hit ;)
Sep 12 10:15:29 radiusd[57374]: Login OK: [s-android] (from client uap-ac-lr port 0 cli 40-B0-FA-71-AE-5B) s-android
Sep 12 10:11:37 radiusd[57374]: Login OK: [s-android] (from client uapac port 0 cli 40-B0-FA-71-AE-5B) s-android

So for example there was my son's phone logging into my AP in the hall uapac to the one out by the patio and in the kitchen area one of the new LR models uap-ac-lr

So while it was a bit of pain to setup, it didn't really take all that long.  Maybe I will put together a walk thru..  But to be honest anyone wanting to go this route shouldn't really need a walk thru, this sort of setup sure and the hell is not for billybob that just found pfsense and thought it might be fun and doesn't even understand what a vlan is.

I pulled the Dell out of my lappy.

Yeah client to the AP is 450 PHY..  But now next client you would have /2 of that automatically..  I can see how they can report PHY.. But come on – your wired interface is not even capable of half of your PHY your talking 1/4 of what your PHY is reported as so WTF would be the point???

Well you could get more if your client could do more than 1 stream.. Seems that is your limit.. You could in theory be seeing mid 90's with that AP but not if your client is only 1 stream..

3 streams at 20mhz with 800ns gi is 195 so do /2 of that to get you in real world your bottleneck would be the 10/100 interface on the device.  But if your client only has 1 stream, low end laptop wifi, phones, etc.. very common to only have 1 stream..  What is your client in this testing??

Disconnecting from AC/DC power will not lose any setting because these are stored in EEPROM.

I am also using few routers ( Linksys, TPLINK ) as switches and WIFI AP and I have even separate LANs - WIFI on the same router each connected with separate Ethernet cable to pfsense but in my case are with DD-WRT,Tomato firmware and I can also turn WIFI ON/OFF remote, I have them on schedule OFF at night.

If you don't have free PCI slots for an Ethernet card but you have USB you can use an USB-Ethernet adapter and have your AP-router connected to a different NIC, from pfsense 2.2.4 I found that cheap USB-Ethernet adapter with chipset AX-88772b works OK at 100Mbs in pfsense 2.1.5 that adapter did not worked.

It is defiantly a valid config…...

stumbled on this one, might fit your budget. (no idea on quality/features/…)

http://www.smallnetbuilder.com/wireless/wireless-news/32816-trendnet-shipping-ac1200-access-point

johnpoz,
Yes this is now the plan. I will reuse my existing wireless router as AP. But I need to buy another NIC to setup as either WAN or LAN. My existing PC only have one NIC and one wireless card.

The Newegg photo shows RALink, but i cannot see the number on chip. Have you checked to see if your chip is supported by FreeBSD and then Access Point mode? RALink actually works some.

Have you setup wifi before?

Post your dmesg.boot file for help.

Thanks for that Phishfry. I will have a closer look at this. It seems that this is what iam looking for. thx

I checked out an entry-level home AP and it, too, had a transmit power setting.  Thanks for the reply and screenshot.

I live in a small apartment so the family and one small child is often < 1m away from the wifi base station now.  I've read reports on both sides of the EMF-will-kill-you-and-burn-your-house-down camp, and I know I won't be able to eliminate it entirely (especially with cell phones, wifi from the neighbors, etc).  I'm not wearing a tin-foil hat, but I still prefer to reduce or eliminate EMF when I have the choice.

I will go with a dedicated AP that officially supports adjusting the tx power level.