Are you authorised to have administrative access to the Netgear GS 724T?

If so, login to it.
Check the port membership for the RJ45 port on the switch that you are plugging in to is a member of the VLAN that you want the Wireless Access Point (WAP) to be in.
Also check that the port is enabled and that no access restrictions are in force.

Configure the second WAP with the static IP address that you require.

If you are new to VLANs. Download the Netgear GS 724T manual and read it.

@reggie14:

While the OP asked about blocking Windows 10 devices, it appears to either be based on: 1) a mistaken belief that it would help address the threat of WiFi Sense, or 2) general rage against Microsoft and/or Windows 10, resulting in a desire to block such devices out of spite.

I am treating Windows 10 devices just like I treat any unauthorised device that doesn't comply with or breaches our security policy. I don't think that my attitude is any different to Windows 10 as it would be to an unauthorised Wireless Access Point plugged in to the network.

AFAIK, WiFi sense isn't implemented on earlier Windows devices except on Windows phone. If I have a 'mistaken belief' are you saying you know that WiFi sense is implemented on other devices other than Windows 10?

Yes. I'm no longer a fan of Microsoft or any of its products. Perhaps my Windows Mobile experience scarred me for life. I'm not a fan of any technology or company that is privacy invasive, insecure, or just makes my life harder. We have Windows 7 and some Apple devices on our networks. They are not exactly sandboxed or quarantined but they are all actively monitored for suspicious activity. We have no plans to deploy Windows 10 yet and probably won't ever need to. From Windows 2.0 to Windows 7, I have been bitten enough times by Microsoft over the last 28 years to become spiteful.

Now that pfSense 2.2.4 has been released, I can continue purging PSK and rolling out cert logins again.

http://dd-wrt.com/phpBB2/ perhaps? (Note that the VLAN support in DD-WRT is hardware-specific.)

Well my first inkling was right:

http://www.lex.com.tw/products/BRIK2.5-3I270D.html

USB slot for WWAN

I am using an AR9227 based card with your rxbuf and txbuf settings and can confirm a noticeable throughput increase. I am experiencing other issues with the AR9227 chipset in hostap mode, but I'll be doing a writeup on that in another thread soon. Thank you for doing this research for the community!

Hi guys need to get the wifi adapter for usb for my pfsense which has usb 2.0.

There are several ways to do so. Buy a RaspBerry PI 2 for ~$30 and install the WLAN USB Stick
there and then use it as an WiFi Access Point.

I want to get max performance

UBNT WLAN APs are also really fine to handle and offers on top ac,
and the WLAN controller (software) is also able to run on Linux.

This will be my access point. Which to use?

UBNT, MikroTik or a Buffalo or Netgear with pre installed DD-WRT.

Thansk doktornotor, will do, see what comes from that…

BlueKobold, i think that is what i will do, guessing the easiest solution at the moment...

Cheers

From me on top please enable WiFi client isolation for the VLANs where the both WLANs are in.
So no one can snoop on the neighbors WiFi device.

Bump.

PFSensory, were you able to get the two WLANs up and running? I have essentially the same setup as you, except I have only one WAP (Netgear R7000 running DD-WRT) broadcasting three different SSIDs: (1) 2.4GHz network, (1) 5GHz network, and a "guest" network that I'm trying to get going. My problem is that I can't find good guidance on what needs be done in DD-WRT to make it work. Like you, I'm pretty good with computer hardware but rather new to firewalls. In researching this, I've found that there is a lot of conflicting info out there. Some guides say you need to create VLANs, some say that you don't. Some say use the WAN port for the second VLAN and some say explicitly do NOT use the WAN port. Others are written in the generic "it's so easy just do this" style. Very frustrating.

If it helps, my pfsense box has four NICs (two currently unoccupied) so I have plenty of overhead. I have another AP I can use if that makes things easier. What I'd like to do with my guest setup is have it isolated from the private LAN. Also, I'd like to configure it so that none of the guest clients can talk to each other. Basically nothing on the guest network is allowed except port 80 and 443 traffic.

Can anyone recommend a good "dummy proof" guide for accomplishing this?

Sorry for the long post, but this has been absolutely driving me up a wall….

sorry update. forget if I looked at that last walk-thought, but the laptop was not able to push out a strong enough signal for my needs.
I ended up getting a second old pc and putting pcfsense on that and then connected an old wireless router.

All VAPs must share the same channel. The settings in the common area on wireless cards state that those values are shared between all VAPs.

There is only one radio in the card, but you can run multiple VAPs (SSIDs, etc) on the same radio.

@Phishfry:

I can only suggest you use a version of pfSense above 2.2.1 because that beacon issue was resolved in 2.2.2.

I still got it with 2.2.2 and 2.2.3. I've now moved to an external AP (still have the card plugged in, though). No congestion, I was on channel 9 (from memory) and at least a couple of channels of room between mine and any possible neighbors. Suburbia with good distance between houses and only about 6 networks max visible. Most of the time 3 networks.

I'm still having my doubts about the failover capabilities of wifi with pfsync and carp.

Me too!


I'm authenticating users with AD, but not with wireless, but with OpenVPN.

System -> User Manager -> Servers

I have checked:
Bind credentials Use anonymous binds to resolve distinguished names
Because I allow anonymous access to AD, because I also needed that for Thunderbird autoconfiguration.

User naming attribute: sAMAccountName
Group naming attribute: cn
Group member attribute: memberOf

This is an ancient 2003 AD. I did nothing with any certificate services or other non-working shite.

In OpenVPN have used these options:
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: the name of the LDAP server in the 'servers' tab of the user manager.

Attacks on WPA/WPA2 are performed offline.
You will need to wait till a client authenticates (Or send out fake deauthentication request to force the client to reauthenticate) and then capture the four way handshake.
This four way handshake is brute-forced offline.
So lookout for deauthentication request but even better just chose a 25 random character passphrase.

Also see:
http://www.smallnetbuilder.com/wireless/wireless-howto/30278-how-to-crack-wpa-wpa2

Im with hda here sounds like you trying to scrape up some nonsense of network.  What are you running pfsense on?  Why can you not add a nic so it has wan and lan interfaces?  Then connect an AP to you lan switch and there you go – done..  Total cost like $10 for a nic for your pfsense box..

This is more cost effective than you even asking the questions in the first place ;)

If you want to add wifi hardware to your pfSense box stick to Atheros hardware for least issues and try to use older hardware that is more likely to be supported.
I have personally used two different Atheros cards in pfSense and they both worked well enough. However I also have a separate AP (just one currently) because, as johnpoz said, my pfSense box is located conveniently for my incoming WAN connections and not for wireless coverage.

Steve