Things that tripped me with Unifi APs before were:

Make sure your clients firewall is off…I couldn't access my AP when using a Mac unless I turned off my Mac firewall(I have read similar issues with a PC firewall) Unifi doesn't work well on VLANs i.e. controller and AP need to be on a non VLAN and on the same L2(same IP interface)

Also explore their CloudKey pretty slick and despite the name doesn't require you to access it via the "Cloud"....

Good luck....

And the culprit is….. the NIC :(

I've disabled it and used a - gasp - USB3 one I had knocking around.
So far, so good. Get a shade over 200Mb/s throughput which is more than ample for my needs (IoT wifi)

not unless you'd install a browser & X11 on pfsense itself …. so no

I wanted to follow up on this issue.  I noticed some of my other 2.4Ghz devices were offline after a few days and restarted the router I was using as a wireless AP.  That seems to be the issue.  It has dropped service again after just a day but only the 2.4Ghz band.  It looks like it may be on the way out.

If you have a network 192.168.x/24 lets call it - and your on 192.168.x.100 and plex is on 192.168.x.101 - no pfsense would never see that traffic.  The only thing plex might have to do is resolve plex.whatever.tld your using to 192.168.x.101

Yes if your .100 box is talking to your .101 plex server the dest would be 32400.. That is IT.. and the source would be whatever random high port your client is using for that session.. Something above 1024 and below 65515..

The only time pfsense would be involved in the traffic is if it was routing it.. so clients on 192.168.x/24 while your plex is on 192.168.y/24

It looks like your currently just running a specific vlan for each AP based on what switch you plugged it into.  Any dumb AP could do that, even some wifi router being used an AP.  The brief 2 seconds I looked at the specs of that AP model is it supports vlans.  So you should be able to run I would think at least 4 different vlans on the AP based upon SSID.

Depending on the AP features - you could also do dynamic vlans based upon auth or mac, etc.

But sure each of your AP should be able to do all 4 of those vlans.

SSIDA - vlan5
SSIDB - vlan10
SSIDC - vlan15
SSIDD - vlan20

you should be able to do that on each AP..  Not sure how many SSID those AP support.  The unifi stuff can do 8 per band.. So if you wanted you could do 8 on 2.4 and 8 on 5ghz.. for a total of 16..  You will have to read the specs on your specific AP on how many SSID you can use on the same AP.

I think you are correct, but I chose a random name for my example as if it were a plain ethernet port.

Thanks for your input!

–jason

192.168.3.1.53: UDP, length 39

So that is your client at 192.168.3.3 asking for dns.. Pfsense does not answer - so no how would the client go to any website? if can not look it up.  So looks you do not have unbound running or forwarder working at all.

Or you don't have any firewall rules on this interface to allow access?  The lan interface would have a default any any rule on it.  Some new interface you created would not have any rules you would have to put either an any any or the rules you would like to allow.

Pfsense will create behind the scene firewall rules to allow for dhcp to work.. But I only see this
23:37:25.457114 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
23:37:25.457435 IP 192.168.3.1.67 > 192.168.3.3.68: UDP, length 300

there should be more.. from what have to assume is the discover there to FF:67, the answer would be a offer - but you should then see a request and ack..

But clearly from this whatever .3 is sending traffic to .1 (pfsense)..  I take it .3 is a wifi client?  So where are the rules on this interface on pfsense?

After to clear the cache, the problem was solved.

Thanks.

It is always usefull to run a fsck on a system.
At best, it finds nothing to do. Your disk is marked clean again and the system will boot.
At worst, it will tell you it could repair things and you know you won a trip to the local "new disk store".

The situation is pretty identical to what we have been seen the last two decades with a non-clean shutdown of a Windows PC. It's CHKDSK time ;)

Hi,

Can you detail what method you have chosen for authentication ?

Try this:

Read https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting (this is the doc that explains everything - never leave home without it)

Access console and run

ipfw table all list

See that _auth_up tableand _auth_down table contains IP AND MAC of every authenticated device.

Disconnect all users.

Set soft time out on portal interface to 10 minutes.
Set hard time out on portal interface to 15 minutes.

Use a device (the PC, Smartphone, pad, whatever) to authenticate.
Run

ipfw table all list

again and see that your device is on the list - the two tables. Is this MAC and IP the IP and MAC of your device ??

Shut down wifi on your device.

After 10 minutes probably and 15 minutes sure the tables will be empty.
Run

ipfw table all list

every minute or so to to check.

Activate wifi on device and check that connection to the Internet is lost.

No.

Thanks Guys

actually got it to work :)

I have a same issue

I'm not saying more than one DHCP server is needed on a small network, but many people are of the opinion that you can't have more than one and that's nonsense.  As I mentioned, it is possible and is done for redundancy.  Incidentally, today I was working in the Bell Canada lab, and guess what I saw.  Lots of redundant everything, including DNS servers.  I didn't specifically see them for DHCP, but I wouldn't be surprised if they were there..

As I mentioned, one issue that may occur with DHCP servers is multiple servers handing out the same address.  These days, the trend is to Duplicate Address Detection, which avoids that problem.  While DAD is mandatory on IPv6 and commonly used on IPv4, you can't guarantee every IPv4 device uses it, so it's best to have different address ranges for each DHCPv4 server.

Thanks guys! =)