1. Those two connectors should be labeled MAIN and AUX. If you use only one antenna, use the MAIN connector. 2. Using two antennas you can take benefit of antenna diversity (assuming you are using omnidirectional antennas).

Didn't notice that the first time - I think you may be right (the gateway entry.)

Tell us about your clients. I'm aware of a couple of quirky issues with wireless encryption with my pfSense acting as an access point 1). A Windows Vista laptop that suddenly stopped seeing DHCP responses. It needed a registry tweak to get it working again. I can't say for certain but my guess is that an automatic Windows Update broke something. A tcpdump on pfSense showed the DHCP requests from the windows client (suggesting the encryption wasn't the problem) but there was no sign the client was acting on the DHCP response I could see in the trace. A netbook running gOs (based on Ubuntu 8.04) worked fine with WAP2 encryption and pfSense WPA Pairwise set to Both. The netbook was upgraded to Ubuntu Netbook 10.04 and the WAP2 encrypted wireless link wouldn't come up using the internal VIA WiFi adapter. The WAP2 encrypted wireless link came up when I plugged in a Ralink based USB WiFi adapter. I changed the pfSense AP WPA Pairwise setting to AES and the internal WiFi adapter worked fine on the encrypted link.

I should mention the repeater config: <pfsense><version>3.0</version> <lastchange><theme>pfsense</theme> <system><optimization>aggressive</optimization> <hostname>node2</hostname> <domain>wifi.local</domain> <username>root</username> <password>pass</password> <timezone>EST5EDT</timezone> <time-update-interval><timeservers>pool.ntp.org</timeservers> <webgui><protocol>https</protocol> <port><certificate><private-key></private-key></certificate></port></webgui> <disablenatreflection>yes</disablenatreflection> <enablesshd>yes</enablesshd> <maximumstates>20000</maximumstates> <dnsserver>10.0.1.1</dnsserver></time-update-interval></system> <interfaces><lan><if>ath0</if> <mtu><media><mediaopt><bandwidth>100</bandwidth> <bandwidthtype>Mb</bandwidthtype> <wireless><standard>11g</standard> <mode>adhoc</mode> <protmode>rtscts</protmode> <ssid>WiFi</ssid> <channel>6</channel> <authmode><txpower>99</txpower> <distance>9000</distance> <wpa><macaddr_acl><auth_algs>1</auth_algs> <wpa_mode>1</wpa_mode> <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt> <wpa_pairwise>CCMP TKIP</wpa_pairwise> <wpa_group_rekey>60</wpa_group_rekey> <wpa_gmk_rekey>3600</wpa_gmk_rekey> <passphrase><ext_wpa_sw></ext_wpa_sw></passphrase></macaddr_acl></wpa></authmode></wireless> <spoofmac><ipaddr>10.129.0.1</ipaddr> <subnet>24</subnet> <bridge><disableftpproxy></disableftpproxy></bridge></spoofmac></mediaopt></media></mtu></lan> <wan><if>vr0</if> <media><mediaopt><bandwidth>100</bandwidth> <bandwidthtype>Mb</bandwidthtype> <bridge><use_rrd_gateway><spoofmac><mtu><disableftpproxy><ipaddr>10.0.1.1</ipaddr> <subnet>24</subnet> <gateway>10.0.1.1</gateway></disableftpproxy></mtu></spoofmac></use_rrd_gateway></bridge></mediaopt></media></wan></interfaces> <staticroutes><route><interface>lan</interface> <network>0.0.0.0/1</network> <gateway>10.129.0.1</gateway></route> <route><interface>lan</interface> <network>10.0.0.0/24</network> <gateway>10.129.0.1</gateway></route></staticroutes> <pppoe><pptp><bigpond><dyndns><type>dyndns</type> <username><password></password></username></dyndns> <dhcpd><lan><range><from>192.168.1.100</from> <to>192.168.1.199</to></range> <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></lan></dhcpd> <pptpd><mode><redir><localip></localip></redir></mode></pptpd> <ovpn><dnsmasq><enable></enable></dnsmasq> <snmpd><syslocation><syscontact><rocommunity>WiFi</rocommunity> <modules><mibii><netgraph></netgraph></mibii></modules> <enable><pollport>161</pollport> <trapserver><trapserverport><trapstring></trapstring></trapserverport></trapserver></enable></syscontact></syslocation></snmpd> <diag><ipv6nat></ipv6nat></diag> <bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru> <advancedoutbound><rule><source> <network>10.129.0.0/24</network> <sourceport><descr>Auto created rule for LAN</descr> <target><interface>lan</interface> <destination><any></any></destination> <natport></natport></target></sourceport></rule> <rule><source> <network>10.129.0.0/24</network> <sourceport><descr>Auto created rule for LAN</descr> <target><interface>wan</interface> <destination><any></any></destination> <natport></natport></target></sourceport></rule> <rule><source> <network>any</network> <sourceport><descr><target><interface>lan</interface> <destination><any></any></destination> <natport></natport></target></descr></sourceport></rule> <rule><source> <network>any</network> <sourceport><descr><target><interface>wan</interface> <destination><any></any></destination> <natport></natport></target></descr></sourceport></rule></advancedoutbound></nat> <filter><rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states>5000</max-src-states> <statetimeout><statetype>keep state</statetype> <os><protocol>tcp/udp</protocol> <source> <address>10.0.1.0/24</address> <destination><address>10.0.1.0/24</address> <port>698</port></destination> <descr>olsr:,sta:5k,tim:u</descr></os></statetimeout></max-src-nodes></rule> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states>5000</max-src-states> <statetimeout>3600</statetimeout> <statetype>keep state</statetype> <os><source> <address>10.0.1.1</address> <destination><any></any></destination> <descr>gw-from:,sta:5k,tim:1h</descr></os></max-src-nodes></rule> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states>2000</max-src-states> <statetimeout>3600</statetimeout> <statetype>keep state</statetype> <os><source> <any><destination><address>10.0.1.1</address></destination> <descr>gw-to:,sta:2k,tim:1h</descr></any></os></max-src-nodes></rule> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes><max-src-states>2000</max-src-states> <statetimeout>3600</statetimeout> <statetype>keep state</statetype> <os><source> <network>lanip</network> <destination><any></any></destination> <descr>gw-to:,sta:2k,tim:1h</descr></os></max-src-nodes></rule> <rule><type>pass</type> <interface>wan</interface> <max-src-nodes>40</max-src-nodes> <max-src-states>1000</max-src-states> <statetimeout>1800</statetimeout> <statetype>keep state</statetype> <os><source> <any><destination><any></any></destination> <descr>*,con:40,sta:1k,tim:30m</descr></any></os></rule> <rule><type>pass</type> <interface>lan</interface> <max-src-nodes><max-src-states>5000</max-src-states> <statetimeout>3600</statetimeout> <statetype>keep state</statetype> <os><source> <address>10.0.1.1</address> <destination><any></any></destination> <descr>gw-from:,sta:5k,tim:1h</descr></os></max-src-nodes></rule> <rule><type>pass</type> <interface>lan</interface> <max-src-nodes><max-src-states>2000</max-src-states> <statetimeout>3600</statetimeout> <statetype>keep state</statetype> <os><source> <network>lanip</network> <destination><any></any></destination> <descr>gw-to:,sta:2k,tim:1h</descr></os></max-src-nodes></rule> <rule><type>pass</type> <interface>lan</interface> <max-src-nodes>40</max-src-nodes> <max-src-states>1000</max-src-states> <statetimeout>1800</statetimeout> <statetype>keep state</statetype> <os><source> <any><destination><any></any></destination> <descr>,con:40,sta:1k,tim:30m</descr></any></os></rule> <rule><interface>enc0</interface> <type>pass</type> <source> <any><destination><any></any></destination> <descr>Permit IPSEC traffic.</descr> <statetype>keep state</statetype></any></rule></filter> <ipsec><preferredoldsa></preferredoldsa></ipsec> <aliases><proxyarp><wol><installedpackages><revision><description>/system_routes_edit.php made unknown change</description></revision> <cron><minute>0</minute> <hour></hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 newsyslog <minute>1,31</minute> <hour>0-5</hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 adjkerntz -a <minute>1</minute> <hour>3</hour> <mday>1</mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh <minute>/60</minute> <hour></hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout <minute>1</minute> <hour>1</hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update <minute>/60</minute> <hour></hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot <minute>/60</minute> <hour></hour> <mday></mday> <month></month> <wday></wday> <who>root</who> <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1800 snort2c <minute>/5</minute> <hour></hour> <mday></mday> <month></month> <wday>*</wday> <who>root</who> <command></command>/usr/local/bin/checkreload.sh</cron> <rrd><enable></enable></rrd></installedpackages></wol></proxyarp></aliases></syslog></bridge></ovpn></bigpond></pptp></pppoe></lastchange></pfsense> dnsmasq is: Save file as: /root/dnsmasq.conf Find ".N." Replace "N" with IP Number (2-254). domain-needed bogus-priv interface=vr0 interface=ath0 bind-interfaces expand-hosts domain=olsr dhcp-range=sis0,10.0.1.10,10.1.0.250,255.255.255.0,7200 dhcp-range=ath0,10.129.0.10,10.129.0.250,255.255.255.0,300 dhcp-option=119,olsr dhcp-lease-max=254 no-negcache Started with: #!/bin/sh Save file as:  /usr/local/etc/rc.d/dnsmasq.sh TURN OFF DHCPD - Verify DHCP Server is disabled on all interfaces. killall dnsmasq /usr/local/sbin/dnsmasq -C /root/dnsmasq.conf -l /var/dhcpd/var/db/dhcpd.leases -s wifi.local olsrd is: Save file as: /root/olsrd.conf Find ".N." Replace "N" with IP Number (1-254). DebugLevel 0 IpVersion 4 ClearScreen yes Hna4 {     #0.0.0.0 0.0.0.0     10.0.1.0 255.255.255.0     10.129.0.0 255.255.255.0 } AllowNoInt yes Willingness 6 IpcConnect {     MaxConnections  0     Host            127.0.0.1 } UseHysteresis no LinkQualityLevel 2 LinkQualityWinSize 100 Pollrate 0.1 TcRedundancy 2 MprCoverage 7 LoadPlugin "/usr/local/lib/olsrd_httpinfo.so.0.1" {     PlParam    "port"  "8069"     PlParam    "Net"    "0.0.0.0 0.0.0.0" } Interface "ath0" {     HelloInterval 5.0     HelloValidityTime 90.0     TcInterval 2.0     TcValidityTime 270.0     MidInterval 15.0     MidValidityTime 90.0     HnaInterval 15.0     HnaValidityTime 90.0 } Interface "vr0" {     HelloInterval 5.0     HelloValidityTime 90.0     TcInterval 2.0     TcValidityTime 270.0     MidInterval 15.0     MidValidityTime 270.0     HnaInterval 15.0     HnaValidityTime 90.0 } Started with: #!/bin/sh Save file as: /usr/local/etc/rc.d/olsrd.sh Optional: mount -w /  chmod 555 /usr/local/etc/rc.d/olsrd.sh cp /root/olsrd.conf /var/etc/ killall olsrd sleep 1 olsrd -f /var/etc/olsrd.conf &

I'm not aware of any other way to check signal levels under FreeBSD than via ifconfig. I don't think wlandebug helps at all with signal strengths, and I don't think any of the driver sysctls do either.

as he says in the post: windows itself has no native eap-ttls support. you have to go with  third party like w2secure which is free. (at least the eap-ttls-implementation) to simplify: on eap-tls the client is in need of a certificate to authenticate the machine over a certificate authority to the server, then authenticate the user with password through a secure connection in a more or less secure way (MS-CHAP). on eap-ttls (tunneled) to client pushes its credentials trough a tunnel where ONLY the server has to prove authentication (therefore you have to install the CA on the clients), then establishes a secure connection. (a bit like https) since the user credentials are sent trough a secure tunnel, it doesn't matter that auth. for the user are doing PAP which is unencrypted ASCII. you can see ttls often a university's or companys, with regular changing users..

Ah yea, thanks for that. Wish the search function would have brought that up. Must have missed the right keywords. :P Seems like 2.0 might resolve the issue all together. Might give that a try since this is just a research system at the moment. So far its quite impressive even with the occasional quirk.

@wallabybob: Your LAN shouldn't be bridged with WAN. (But that may not be your only problem.) Your physical setup is very similar to mine. Have you been able to access the pfSense web GUI? If so, I suggest you enable DHCP server on the LAN interface and (if you have a switch) connect a switch to the LAN interface then plug a client computer in the switch and configure the client computer to get IP address by DHCP. After restarting the client computer it should have an IP address and a default route to 192.168.2.3 Thanks, you put me in the right direction. Everything works as expected. Now I will tweak with Rules for better protection.

Is your AP a bridge or a router? If its a bridge then you shouldn't have DHCP server running on both pfSense and the AP unless you take care to ensure they don't conflict in their address assignments  but it would be less hassle to have only the one DHCP server. If the AP is a router and the DHCP server is running only on the downstream interfaces then that shouldn't be a problem. DHCP clients typically get their IP address, name server IP address and default gateway from the DHCP server. My guess is that things go bad when your client renews its DHCP lease and gets a new (different) name server address and/or default gateway. I suggest you use pfSense as your only DHCP server (you might need to enable DHCP forwarding on your AP) and see how things go OR restart everything and record your client computer's IP address, name server IP address and default gateway and then when things go bad chek the current values against the original values to see if any of them have become incorrect.

Not really helpful, but I heard a long time ago a story (which was likely a tall tale) about ranchers running ARCnet over their fence wiring. Too bad you couldn't use wire fences as a giant antenna :-)

use more nic's on your pfsense box ;) and have them configured each for different gateways, subnets, and smaller group of computers. do not bridge any of them. and if you are an administrator, install on each computer a robust firewall, antivirus, and internet security software.

I've had good results with a Marvell 88W8363.  Note that the driver was not available until FreeBSD 8, however.  This means it will not work on pfSense 1.2.3, only 2.0.

Thanks all, I have managed to get things up and running…  Had to reconfigure all interface the other way round : LAN –> WAN WAN --> WLAN Things are running smoothly, I only had to force the gateway for It to work. But now It seems ok… Thx.

Mini-pci to pci adapters (with more than one slot) are not very common.  At the moment I can only find a 4 slot adapter.  The adapters have bridge chips so I guess it comes down to OS support for the bridge.

Ok. I follow what you are saying regarding the N card. It would seem I would be better off with one of these then: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=370387009123 http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=330430725233 <–This one is a 5212 http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=270581080563 Correct? Thanks for the help. Once I get all the parts I will post about using a mini-pcie card if it works. Bob

As I said, it is not possible if both have the same gateway. Interface routing might work only in rare cases where the WAN is an actual point-to-point link which does not require a gateway.

I do understand WME was the original name for WMM but I guess my question should be can I set the following settings somehow for WMM devices (ie, wireless voip phone) WMM access category WMM Power Save WMM Admission Control DSCP (Differentiated Services Code Point) In the GUI config for the interface it only has a check box to enable or disable WME.  I'm not apposed to logging in through a shell and adjusting a config file I just have no experience in this particular realm. Thanks

I have three ap's 2 are operating on G and the other is on B/G Yes I have followed every step, I am way ahead keeping track of notes in updates in src/sys/UPDATING Well, I even added a 6dbi omni antenna attached to a pigtail. I am expecting for atleast the two ap's in G mode would appear in the list? What could it be? Does anyone have the same card running on freebsd 7.2?