Bump.

PFSensory, were you able to get the two WLANs up and running? I have essentially the same setup as you, except I have only one WAP (Netgear R7000 running DD-WRT) broadcasting three different SSIDs: (1) 2.4GHz network, (1) 5GHz network, and a "guest" network that I'm trying to get going. My problem is that I can't find good guidance on what needs be done in DD-WRT to make it work. Like you, I'm pretty good with computer hardware but rather new to firewalls. In researching this, I've found that there is a lot of conflicting info out there. Some guides say you need to create VLANs, some say that you don't. Some say use the WAN port for the second VLAN and some say explicitly do NOT use the WAN port. Others are written in the generic "it's so easy just do this" style. Very frustrating.

If it helps, my pfsense box has four NICs (two currently unoccupied) so I have plenty of overhead. I have another AP I can use if that makes things easier. What I'd like to do with my guest setup is have it isolated from the private LAN. Also, I'd like to configure it so that none of the guest clients can talk to each other. Basically nothing on the guest network is allowed except port 80 and 443 traffic.

Can anyone recommend a good "dummy proof" guide for accomplishing this?

Sorry for the long post, but this has been absolutely driving me up a wall….

sorry update. forget if I looked at that last walk-thought, but the laptop was not able to push out a strong enough signal for my needs.
I ended up getting a second old pc and putting pcfsense on that and then connected an old wireless router.

All VAPs must share the same channel. The settings in the common area on wireless cards state that those values are shared between all VAPs.

There is only one radio in the card, but you can run multiple VAPs (SSIDs, etc) on the same radio.

@Phishfry:

I can only suggest you use a version of pfSense above 2.2.1 because that beacon issue was resolved in 2.2.2.

I still got it with 2.2.2 and 2.2.3. I've now moved to an external AP (still have the card plugged in, though). No congestion, I was on channel 9 (from memory) and at least a couple of channels of room between mine and any possible neighbors. Suburbia with good distance between houses and only about 6 networks max visible. Most of the time 3 networks.

I'm still having my doubts about the failover capabilities of wifi with pfsync and carp.

Me too!


I'm authenticating users with AD, but not with wireless, but with OpenVPN.

System -> User Manager -> Servers

I have checked:
Bind credentials Use anonymous binds to resolve distinguished names
Because I allow anonymous access to AD, because I also needed that for Thunderbird autoconfiguration.

User naming attribute: sAMAccountName
Group naming attribute: cn
Group member attribute: memberOf

This is an ancient 2003 AD. I did nothing with any certificate services or other non-working shite.

In OpenVPN have used these options:
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend for authentication: the name of the LDAP server in the 'servers' tab of the user manager.

Attacks on WPA/WPA2 are performed offline.
You will need to wait till a client authenticates (Or send out fake deauthentication request to force the client to reauthenticate) and then capture the four way handshake.
This four way handshake is brute-forced offline.
So lookout for deauthentication request but even better just chose a 25 random character passphrase.

Also see:
http://www.smallnetbuilder.com/wireless/wireless-howto/30278-how-to-crack-wpa-wpa2

Im with hda here sounds like you trying to scrape up some nonsense of network.  What are you running pfsense on?  Why can you not add a nic so it has wan and lan interfaces?  Then connect an AP to you lan switch and there you go – done..  Total cost like $10 for a nic for your pfsense box..

This is more cost effective than you even asking the questions in the first place ;)

If you want to add wifi hardware to your pfSense box stick to Atheros hardware for least issues and try to use older hardware that is more likely to be supported.
I have personally used two different Atheros cards in pfSense and they both worked well enough. However I also have a separate AP (just one currently) because, as johnpoz said, my pfSense box is located conveniently for my incoming WAN connections and not for wireless coverage.

Steve

@jimp:

Might be similar to mine:
https://redmine.pfsense.org/issues/4722

maybe, but different chip, the idProduct of my ASUS (idVendor 0b05) USB-N53 is 179d, MAC/BBP RT3572, RF RT3052, firmware RT3071

It works with extra debugging options in the kernel that slow other parts down, but not with our "optimized" kernel. You can read in the redmine entry that it happens on FreeBSD also with a pared-down kernel.

If/when OPNsense removes WITNESS and other debugging from their kernels it will likely start crashing there also until the driver is fixed in FreeBSD.

as is, it has been working fine since the release of FreeBSD-10.0, so for more than one year. No troubles no crashes as wireless AP. As I have never experienced slow performances nor stability issues with FreeBSD I just stay there.

Until I downloaded the source from the ESF portal, I didn't realize that pfSense is not just a configuration GUI like basically OPNSense, but also a partial kernel fork of FreeBSD.

There are multiple versions of these as well for different carriers. There is an ATT version and a Verizon version. The ATT using the MC7700 and the Verizon version using an MC7750 module. The label on the bottom tells all the details. The Wifi module is an option they call X-Card. I was able to swap the module between Verizon version and ATT version. The firmware picks it up automatically.
I was  hoping on crossflashing the firmware&modules between ATT and Verizon versions but that don't work. Circuit Board does has same model number and revision. The Sierra flash rom is a bin file when expanded looks like Linux with uboot file..

The device has a very nice interface and it has the best information about cellular signals and tower data I have ever seen. Very useful in pointing directional antennas.

"Using linux and screen shots take multiple monitors and dont know how to edit them."

What?? Are you using a desktop, console - what flavor of linux what desktop? Gnome, KDE, ?

When it's not detected and available for assignment, it's not supported. Do yourself a favour and get a supported miniPCI card instead or plug an AP into the ethernet port.

Oh I see, thanks for the information. If I don't have any spare PCI, PCI-e, or mPCI-e slots left and USB is out of the picture; would my only option left be an access point?

What AP would be the best in terms of compatibility & security? I have heard Ubiquiti or Xclaim works well?

Is this a wise method? If bus wasn't a limitation, which option would be the best? Thanks.

No,  I never did.  I'm at 2.2.1 now,  but I can upgrade again and try rebooting the switch.  I'm ok testing now that I now I can get it fixed easily.

Thanks,

I have found that the half sized modules don't seem to perform as well as the full length modules. I don't think the radio puts out as much power. My AP clients connection speeds are consistently lower with half sized modules. Not unusable but defiantly noticeable.
I still need to checkout  the Dell/Bigfoot Networks half sized Atheros AR9380 with 3XMIMO-AR5BHB112. It should be best in class…Have just received one, they are costly at 30 bucks used...I am only expecting so much from a half card..

What I said was…

"I can't imagine that an internal card would function as well (range, stability, config options, etc.) as a mid-range access point or router"

That statement doesn't say that it "won't" or "can't" work in the right situation or that it can't be setup to be stable. However, it is completely illogical to argue that an internal wireless card purposed as an access point will EVER function as well as a quality, purpose built wireless access point. In addition, in older versions, I personally experienced situations where changing values in the pfSense GUI caused kernel core dumps - and I was using wireless cards recommended on these forums…

So... say what you want. I'll stand by my statement.

Is it even detected?