
Resolved
0 votes
Hi guys,

I'm planning to build my own x86 based wireless router. I was inspired by this article. I've already bought a dirt cheap mini (or nano, I don't know for sure what to call it :) fanless PC with 4GB RAM and a 32GB SSD on board. The wireless card is an Intel AC 7260. I will probably buy another one to work in the 5GHz range (according to the information I found, this one doesn't run as an AP on this frequency).

Now the most important question is to choose proper software. A little bit of googling and I found ClearOS. Really interesting project. I've been playing with it for a while. I managed to launch my own AP with my TP-Link card (RTL8192CU chip) but with no access to the Internet, to which my PC is connected by LAN. In Kubuntu it did the trick in just a few clicks :)

I'd appreciate any help/advice on how to turn my PC into a powerful wireless router.

And sorry for my English :)
Friday, July 29 2016, 06:50 PM
Responses (95)
  • Accepted Answer

    Sunday, September 11 2016, 06:39 PM - #Permalink
    Resolved
    0 votes
    Ok, I think I will create a new post regarding the OpenVPN issue. This post is already too long and initially was intended for a different purpose.

    For the ftp functionality, I've found this project. I just copied all files to /var/www/html and configured default limitations. Actually, you don't even need to host this script on your own server since it can be accessed directly from their web-page. Unless you are ok with 25MB size limitation for each file.
  • Accepted Answer

    Saturday, September 10 2016, 12:53 PM - #Permalink
    Resolved
    0 votes
I really don't know about the OpenVPN issue as I don't see why you are getting the problem. I can only google to find answers which you can do as well. The problem seems to stem from the client and not ClearOS. Are you running the client as administrator if you're connecting from a Windoze box?

    The work issue I referred to was if you get caught, it is your responsibility for the consequences. The tunnels may be traceable if they are monitoring port 1194 or use some sort of protocol filter.

    I don't know much about ftp. I serve up files from my server at http://www.howitts.co.uk/clearos/ just by putting the following php code in a file called index.php in each folder with the following contents:
    <?php
    // List the files in this folder as links, skipping this script and the "." / ".." entries.
    $files = scandir('.');
    sort($files); // this does the sorting
    foreach ($files as $file) {
        if ($file != "index.php" && $file != "." && $file != "..") {
            // Encode the name for the URL and escape it for HTML, so an odd file name
            // (spaces, quotes, angle brackets) gives a valid link and no injected markup.
            echo '<a href="' . rawurlencode($file) . '">'
               . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '</a><br>';
        }
    }
    ?>
    I don't know anything about php. It is just something I cribbed from the internet and made a slight modification to. Clearly this is read only rather than read/write. I also have an index.html in /var/www/html which gives the menu on the top level landing page - again cribbed.
  • Accepted Answer

    Saturday, September 10 2016, 09:30 AM - #Permalink
    Resolved
    0 votes
I checked this card in regular mode. It has very poor performance (at least in the 2.4GHz range). So I decided to suspend this question until I purchase a Compex card based on the AR9880 chip mentioned in the article you posted earlier.

    There are 2 more things still to configure.

    1) Openvpn.
    I'm still getting this error message:
    Fri Sep 09 19:42:16 2016 VERIFY ERROR: depth=0, error=certificate signature failure: C=**, ST=****, L=******, O=****, O=****, OU=*****, CN=gateway.myksok.home, emailAddress=security@gateway.myksok.home
    Fri Sep 09 19:42:16 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Sep 09 19:42:16 2016 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Sep 09 19:42:16 2016 TLS Error: TLS object -> incoming plaintext read error
    Fri Sep 09 19:42:16 2016 TLS Error: TLS handshake failed
    Fri Sep 09 19:42:16 2016 SIGUSR1[soft,tls-error] received, process restarting
    Fri Sep 09 19:42:16 2016 MANAGEMENT: >STATE:1473439336,RECONNECTING,tls-error,,
    Fri Sep 09 19:42:16 2016 Restart pause, 2 second(s)


    Here it says it has something to do with MD5 certificates, I'm not sure that it is relevant to me.
You also mentioned some issues can arise if I use OpenVPN at my workplace. Could you be more specific? Are OpenVPN tunnels traceable? I'm not planning to use it during the whole day. Basically I need to have access to a few forums including this one (starting this week it's been banned). Facebook I can easily access from my phone.

    2) FTP.
    I would like to run a very simple web-page with a possibility to download and upload files from the web interface. I found an interesting project which works well with my FTP server, but I would like to deploy it on my server.
  • Accepted Answer

    Friday, September 09 2016, 06:10 PM - #Permalink
    Resolved
    0 votes
    You know about as much as me now. I nearly hosed my system I'm building by removing my wireless NIC - /boot ran out of space as the default size is too small for three kernels then a change.

    From your link, it says "The RTL8812AU driver requires the Linux wireless extensions (wext) driver", so try configuring hostapd to use wext rather than nl80211. BTW this is all new stuff for me as well.
  • Accepted Answer

    Friday, September 09 2016, 03:53 PM - #Permalink
    Resolved
    0 votes
Yes, that is exactly what I have been doing for a while now. I can manually edit the corresponding ifcfg file after it's been created using the Web interface and assign Wireless in the field "TYPE". Then it appears in the Wireless section and I can choose it from the drop-down menu. However I can't run my USB NIC as an access point. Here is the "service hostapd status":

    [root@gateway ~]# service hostapd status
    Redirecting to /bin/systemctl status hostapd.service
    ● hostapd.service - Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
    Loaded: loaded (/usr/lib/systemd/system/hostapd.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2016-09-09 18:48:54 IDT; 22s ago
    Process: 32418 ExecStart=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B (code=exited, status=1/FAILURE)
    Main PID: 26711 (code=exited, status=0/SUCCESS)

    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: nl80211: Could not configure driver mode
    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: nl80211: deinit ifname=enp0s20u2 disabled_11b_rates=0
    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: nl80211 driver initialization failed.
    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: enp0s20u2: interface state UNINITIALIZED->DISABLED
    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: enp0s20u2: AP-DISABLED
    Sep 09 18:48:54 gateway.myksok.home hostapd[32418]: hostapd_free_hapd_data: Interface enp0s20u2 wasn't started
    Sep 09 18:48:54 gateway.myksok.home systemd[1]: hostapd.service: control process exited, code=exited status=1
    Sep 09 18:48:54 gateway.myksok.home systemd[1]: Failed to start Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP...ator.
    Sep 09 18:48:54 gateway.myksok.home systemd[1]: Unit hostapd.service entered failed state.
    Sep 09 18:48:54 gateway.myksok.home systemd[1]: hostapd.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.
  • Accepted Answer

    Friday, September 09 2016, 02:38 PM - #Permalink
    Resolved
    0 votes
    So go ahead and configure it through the webconfig. I assume this will create the ifcfg file.
  • Accepted Answer

    Friday, September 09 2016, 02:14 PM - #Permalink
    Resolved
    0 votes
    Here is the output for "lsmod | grep 8812":

    [root@gateway ~]# lsmod | grep 8812
    8812au 1011637 0


    Just tried what you suggested (removing the NIC, removing the module, reloading the module, plugging the NIC). Unfortunately it didn't help.
    In the list of network devices I can see only the second one "enp0s20u2".
    There is no corresponding ifcfg file and no option in the Web menu to use this NIC.

    UPD. Just noticed that it is present in the Ethernet interfaces section of the Web menu. As I said earlier it was recognised as a wired NIC in CentOS 7.
  • Accepted Answer

    Friday, September 09 2016, 01:15 PM - #Permalink
    Resolved
    0 votes
    Has the driver loaded ("lsmod | grep 8812")? If not, try loading it initially with a "modprobe 8812au" or "insmod 8812au".

    Your link suggests the drivers may not load correctly if they are loaded before the NIC is plugged in. This may give a bit of an issue for boot up, but we may be able to force it to load quite early during boot up rather than wait for ClearOS to detect it. Have you tried removing the NIC, removing the module ("rmmod 8812au"), reloading the module then plugging in the NIC?

    Did you mean enp0s20u or is enp0s20u2 different? Is there a corresponding ifcfg file in /etc/sysconfig/network-scripts?
  • Accepted Answer

    Friday, September 09 2016, 11:40 AM - #Permalink
    Resolved
    0 votes
Finally I've managed to compile the wireless driver for ClearOS, CentOS and Ubuntu following the steps described in this manual. The first two OSs are based on kernel version 3.x. During installation I got the same error, which was successfully solved after a brief googling. However both installations ended with the same result: the system recognizes the wifi card as an ethernet device. The "iw list" output contains only information regarding the Intel 7260 mini PCI-e card. Here is the "iwconfig" output:
    [root@gateway ~]# iwconfig
    tun0 no wireless extensions.

    tun1 no wireless extensions.

    br0 no wireless extensions.

    enp0s20u2 unassociated Nickname:"<WIFI@REALTEK>"
    Mode:Auto Frequency=2.412 GHz Access Point: Not-Associated
    Sensitivity:0/0
    Retry:off RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off
    Link Quality:0 Signal level:0 Noise level:0
    Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:0 Missed beacon:0

    wlp2s0 IEEE 802.11abgn Mode:Master Tx-Power=20 dBm
    Retry short limit:7 RTS thr:off Fragment thr:off
    Power Management:on

    lo no wireless extensions.

    enp3s0 no wireless extensions.

    enp4s0 no wireless extensions.


    The one interface we are looking for is enp0s20u. (On my main PC where I've reinstalled the broken Centos "iw list" gives "nl80211 not found"). It seems that the driver has not been properly configured/installed.

    In Ubuntu everything works fine (the driver used for kernel >4.0 from the above article). I've not tried yet creating an AP, just checked if it can establish a connection with my router.

    Any ideas?
  • Accepted Answer

    Wednesday, September 07 2016, 07:42 AM - #Permalink
    Resolved
    0 votes
    Kernel modules compiled on Centos will not run on ClearOS due to kernel differences. You should be able to compile by fixing the error messages one by one as you follow the instructions or, much easier, install the development environment. Follow the instructions but don't bother with the editor. You might as well run "clearos setup", but in this case you may find it much easier to compile the module as root as it should copy the module into the correct place. Also note that every time there is a minor kernel upgrade you will need to recompile the driver. There is not a kmod version of the driver to get round the issue.
  • Accepted Answer

    Tuesday, September 06 2016, 08:45 PM - #Permalink
    Resolved
    0 votes
Thanks Nick. I've already opened both ports for Transmission. Now Transmission reports the ports as open!

The next big thing I would like to realize is a wireless AP working in the 5GHz range (ac mode). After some googling I've found that my Comfast wifi card based on the Realtek RTL8812au chip can do the job. The first thing is to install the driver. It compiles without any warning message on my CentOS 7 (which is the most similar to ClearOS) installed on the main PC. However, after I copied the compiled kernel module to the specific system folder (according to the given instructions) it crashed the system :( Now it can only boot in safe mode. The system can see the card but recognizes it as an Ethernet device. The "iw list" output is "nl80211 not found". I'm completely baffled and confused.

Could you please try to compile the driver against ClearOS 7 (a CentOS 7 version would also be appreciated) or at least give some ideas where to dig?
  • Accepted Answer

    Monday, September 05 2016, 06:16 PM - #Permalink
    Resolved
    0 votes
I've checked up about Transmission and it looks like miniupnpd only works for forwarding. You have to manually open the port in the firewall. There is a Standard Service called Transmission which will open tcp and udp port 51413. Transmission then reports the port as open.
  • Accepted Answer

    Sunday, September 04 2016, 08:45 PM - #Permalink
    Resolved
    0 votes
    You have the same version as I have on my play VM and it is the only version in the repos. I have never tried using it as I don't have ClearOS 7 in production yet, but I assume it works.

I suspect a certificate problem, but, short of lots of googling, I don't know where to look. I'm sure you can do the googling yourself. One thing worth checking is your certificate expiry. I don't know how - presumably using openssl somehow.
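The openssl checks Nick alludes to, and the situation behind the "certificate signature failure" seen earlier in the thread, as an added example that is not part of the thread or of ClearOS. It builds its own throwaway CA and server certificate for the made-up name gateway.example.home in a temporary directory, then shows that the same server certificate verifies against the CA that signed it and fails against an unrelated CA (the stale-ca.crt-on-the-client case), and reads off the signature algorithm and expiry. It assumes only that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not code from the thread or from ClearOS). Builds a throwaway CA plus a
# server certificate signed by it, then runs the openssl checks a client-side
# "VERIFY ERROR: depth=0, error=certificate signature failure" calls for:
#   1. does the server cert chain to the ca.crt the client actually holds,
#   2. which signature algorithm was used (newer OpenSSL builds reject MD5-signed certs),
#   3. how close the cert is to expiry.
# All keys, certificates and the FQDN gateway.example.home are constructed here.

# make_ca DIR : constructed self-signed CA (ca.key + ca.crt) in DIR
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Test CA $(basename "$1")" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_server_cert DIR CADIR : constructed server cert, signed by the CA in CADIR
make_server_cert() {
  mkdir -p "$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=gateway.example.home" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -sha256 -days 365 -out "$1/server.crt" >/dev/null 2>&1
}

# verify_chain CERT CAFILE : "ok" if CERT was signed by the CA in CAFILE, else "fail"
# (the "fail" case is what the client logs as "certificate signature failure")
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# sig_alg CERT : signature algorithm, e.g. sha256WithRSAEncryption
# (md5WithRSAEncryption is the bad case mentioned in the thread)
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# expires_within CERT SECONDS : "expiring" if CERT expires within SECONDS, else "valid"
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo valid; else echo expiring; fi
}

# setup_demo : two unrelated CAs and a server cert signed by the first; prints the work dir.
# The second CA stands in for a stale ca.crt left on a client after the server's CA was regenerated.
setup_demo() {
  work=$(mktemp -d)
  make_ca "$work/good-ca"
  make_ca "$work/stale-ca"
  make_server_cert "$work/server" "$work/good-ca"
  echo "$work"
}

main() {
  d=$(setup_demo)
  crt="$d/server/server.crt"
  echo "chain vs matching CA : $(verify_chain "$crt" "$d/good-ca/ca.crt")"
  echo "chain vs stale CA    : $(verify_chain "$crt" "$d/stale-ca/ca.crt")"
  echo "signature algorithm  : $(sig_alg "$crt")"
  echo "expires within 30 d  : $(expires_within "$crt" 2592000)"
  rm -rf "$d"
}
main
```

On a real client the same three functions can be pointed at the ca.crt and the server certificate (or the certificate saved from the connection) that the .ovpn file references; a "fail" from verify_chain with the CA file the client holds is the usual cause of the verify error, and an md5 signature algorithm is the case the MD5 discussion refers to.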
  • Accepted Answer

    Friday, September 02 2016, 10:38 AM - #Permalink
    Resolved
    0 votes
    Here is the output:

    Installed Packages
    openvpn.x86_64 2.3.11-1.el7 @clearos-epel-verified
  • Accepted Answer

    Friday, September 02 2016, 09:09 AM - #Permalink
    Resolved
    0 votes
Can you give the output of "yum list openvpn"? I'm unlikely to be able to follow up your reply until I'm home.
  • Accepted Answer

    Thursday, September 01 2016, 08:43 PM - #Permalink
    Resolved
    0 votes
    Yes, I did. I also tried to recreate the certificates as was suggested in another forum branch dedicated to OpenVPN configuration.
  • Accepted Answer

    Thursday, September 01 2016, 06:59 AM - #Permalink
    Resolved
    0 votes
    Did you copy all three certificates (CA, user cert and user key) to the config folder on the PC?
  • Accepted Answer

    Wednesday, August 31 2016, 09:13 PM - #Permalink
    Resolved
    0 votes
    Here is a part of the messages output:

    Aug 31 23:12:49 gateway openvpn[25786]: 192.168.10.144:53547 TLS: Initial packet from [AF_INET]192.168.10.144:53547 (via [AF_INET]84.108.1.4%br0), sid=46f40f69 6427a17f
    Aug 31 23:12:51 gateway openvpn[25786]: 192.168.10.144:65249 TLS: Initial packet from [AF_INET]192.168.10.144:65249 (via [AF_INET]84.108.1.4%br0), sid=41f3a1e3 059d91d8
    Aug 31 23:12:52 gateway openvpn[25786]: 192.168.10.144:58350 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 31 23:12:52 gateway openvpn[25786]: 192.168.10.144:58350 TLS Error: TLS handshake failed
    Aug 31 23:12:52 gateway openvpn[25786]: 192.168.10.144:58350 SIGUSR1[soft,tls-error] received, client-instance restarting


    This pattern repeats many times. The port 1194 is opened in the system firewall.
  • Accepted Answer

    Wednesday, August 31 2016, 08:57 PM - #Permalink
    Resolved
    0 votes
    What can you see in /var/log/messages when you connect? Have you opened udp:1194?
  • Accepted Answer

    Wednesday, August 31 2016, 08:45 PM - #Permalink
    Resolved
    0 votes
    It had been changed already. I also tried to use the local LAN IP address which didn't help as well.
  • Accepted Answer

    Wednesday, August 31 2016, 08:33 PM - #Permalink
    Resolved
    0 votes
    In the .ovpn file you downloaded, edit the "remote" line to point to your WAN FQDN or IP address. If you have a dynamic IP use your poweredbyclear.com FQDN.
  • Accepted Answer

    Wednesday, August 31 2016, 08:08 PM - #Permalink
    Resolved
    0 votes
    Having problems with the OpenVPN configuration. I have created a user and its certificates. Then when I run the OpenVPN client on my PC I'm getting this message:


    Wed Aug 31 22:52:20 2016 VERIFY ERROR: depth=0, error=certificate signature failure: C=IL, ST=Central, L=Ness-Ziona, O=ClearOS, O=Payton, OU=Engineer, CN=gateway.myksok.home, emailAddress=security@gateway.myksok.home
    Wed Aug 31 22:52:20 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Aug 31 22:52:20 2016 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Aug 31 22:52:20 2016 TLS Error: TLS object -> incoming plaintext read error
    Wed Aug 31 22:52:20 2016 TLS Error: TLS handshake failed
    Wed Aug 31 22:52:20 2016 SIGUSR1[soft,tls-error] received, process restarting
    Wed Aug 31 22:52:20 2016 MANAGEMENT: >STATE:1472673140,RECONNECTING,tls-error,,
    Wed Aug 31 22:52:20 2016 Restart pause, 2 second(s)


    I think there is a mess in the domain and gateway which I've chosen for the system. The specified domain - gateway.myksok.home - simply doesn't exist in the Internet. Maybe I need to replace it with the external WAN IP address?
  • Accepted Answer

    Tuesday, August 30 2016, 07:06 AM - #Permalink
    Resolved
    0 votes
    You are correct that you would open a port and not forward it. From memory miniupnpd looks after it but Transmission may not make the request too often. I'd need to check my system but that won't happen until Sunday at the earliest. In the meantime there is no problem opening the port (51413?).
  • Accepted Answer

    Monday, August 29 2016, 08:51 PM - #Permalink
    Resolved
    0 votes
    Still fighting with the closed port of Transmission.

Found a minor but probably crucial difference between the Windows and ClearOS configuration of the Transmission client. In the former it is written: "Use UPnP or NAT-PMP port forwarding from my router", while in the ClearOS client it is written: "Use port forwarding from my router". I'm attaching both screenshots to this post. By the way, the Windows version perfectly utilizes the UPnP functionality of the miniupnpd daemon. So the question is whether it is possible to manually force the ClearOS Transmission client to use UPnP? If the answer is negative, what is the safer option: 1) to open a specific port on the router; 2) manually do port forwarding (I don't think this will help at all since the Transmission client is installed directly on ClearOS, hence it has my external IP; nevertheless it is still not clear to me why the port is closed).

    Any ideas?
  • Accepted Answer

    Saturday, August 27 2016, 09:05 PM - #Permalink
    Resolved
    0 votes
    I opened a port in Incoming Firewall section, I have not configured port forwarding. I simply chose the application and OS picked up the correct port to open. In the INPUT chain I can see this port. There are many different ports including the ones dedicated to my uTorrent clients listed in MINIUPNPD chain. Nothing regarding the Transmission client :( Again this

In the main menu of Serviio it says there is an evaluation period of 14 days. I've checked the web page and found that there is a free version. Will see what happens in two weeks.
  • Accepted Answer

    Saturday, August 27 2016, 07:47 PM - #Permalink
    Resolved
    0 votes
    I'm away from my system for a while now so I can't give specifics. I use Transmission on the server and I think miniupnpd looks after it OK. If goodness a port I presume you opened the incoming port and did not do a port forward. You can check with a "iptables -nvL". Check the INPUT and miniupnpd chains.

    I use Plex but don't transcode. I would guess you can turn it off. Aren't both Plex and Serviio free?

    I've no idea about the torrent dropouts. I don't think I get any.

For VPN, OpenVPN is good for workstation to server. PPTP is possible but not very secure. If work catches you then remember it is your problem.
  • Accepted Answer

    Saturday, August 27 2016, 07:14 PM - #Permalink
    Resolved
    0 votes
    It's been a week from my last post.

    During this week there was no problem with the access to the Internet! After I turned off access to the SSH service from the outside, that attack has finished. The log is clean since then.

Next thing was to run Transmission on the router and play movies directly on my Samsung Smart TV. Installation of Transmission was pretty simple, as was setting up a Serviio DLNA server. A few mouse clicks and I can watch movies without any extra action such as copying them to a USB drive. And it seems that the TV is taking care of transcoding the video, which is great since I prefer this mode. In my opinion, the Samsung chip knows the job better. At least I prefer its picture to the one from a PC connected by HDMI (probably I need to play with the configuration of my video player). The only question here is whether there is a free version of a DLNA server available for ClearOS? I installed Plex but it seems that the transcoding is on the server side.

    Another thing related to the Transmission client is frequent speed drops while downloading torrents. It can go up to 10MBytes/sec and then drop to 0 for some time. I opened the corresponding port in the system firewall but without any success. By the way it seems that Transmission doesn't support upnp port forwarding as the uTorrent installed on my working PC under Windows 10. At least it was written that the port is closed in the configuration menu.

    And the last thing I would like to run on my router is a VPN server. At my work there are strict Internet rules prohibiting social networks, some forums etc. I want to have some freedom :)
  • Accepted Answer

    Saturday, August 20 2016, 08:16 PM - #Permalink
    Resolved
    0 votes
    Glad miniupnpd is working.

By default ClearOS is completely open to all machines on the LAN. Opening SSH on the WAN is dangerous but some people like to do it. There are bots out there (one notorious Chinese subnet and others) which spend a huge amount of time trying to crack SSH passwords to compromise routers/firewalls. If you do open SSH to the internet you must make sure you have a very strong password and install something like fail2ban which can lock out repeat offenders. Note, though, that fail2ban is not very effective against the Chinese subnet as each attempt comes from a different IP in the subnet and f2b cannot pick up on that type of attack. If you really want SSH access from the WAN it is worth investigating using keys, but much easier to set up is OpenVPN. This will give you remote access to your whole LAN and you'll be able to access ClearOS as if you are connected directly to the LAN. OpenVPN uses certificates and user/pass which makes it very difficult to crack.
  • Accepted Answer

    Saturday, August 20 2016, 07:43 PM - #Permalink
    Resolved
    0 votes
    Configured miniupnpd for automatic port forwarding. Now uTorrent shows that the port is open :)

    I turned off the SSH service in the Incoming Firewall options. Will check the log tomorrow. I'm pretty much sure that in order to establish a connection with my router via ssh I had to mark this option in the firewall settings. Now it is off and I still can connect remotely from my local network.

    Here is the requested output:

    [root@gateway ~]# iptables -nvL INPUT
    Chain INPUT (policy DROP 3766 packets, 259K bytes)
    pkts bytes target prot opt in out source destination
    134 11453 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    79 15036 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- enp3s0 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- enp3s0 * 169.254.0.0/16 0.0.0.0/0
    131 13508 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    4774 1589K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    6 174 ACCEPT icmp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    42 2856 ACCEPT icmp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    173 61474 ACCEPT udp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 84.108.161.57 tcp dpt:81
    245 36236 ACCEPT udp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    48 42817 ACCEPT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
  • Accepted Answer

    Saturday, August 20 2016, 04:27 PM - #Permalink
    Resolved
    0 votes
More usual than 1-to-1 NAT would be to use port forwarding or upnp with the app miniupnpd. The advantage of upnp is that if utorrent randomises its port each time it starts up, upnp will always track the port and forward the correct one. Because ClearOS is the only machine I have on 24/7, I run Transmission on it for my torrents.

    I don't like your failed login attempts. They are from a known hostile or compromised IP, featuring in the Emerging Threats emerging-compromised-BLOCK.rules. Which apps or ports have you opened to the internet? What is the output of:
    iptables -nvL INPUT
    - in code tags, please.

If you have opened the SSH port, please close it again for the moment.

    [edit]
    1-to-1 NAT will fail if you have a dynamic IP and it changes. The other two solutions would still work.
    [/edit]
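One way to answer "which apps or ports have you opened to the internet?" from the INPUT chain dump itself, as an added example that is not part of the thread or of ClearOS. The dump it reads is constructed in the layout of "iptables -nvL INPUT": the WAN interface name enp3s0 is the one shown in the thread, while the address 203.0.113.5 and the set of rules are placeholders. Plain sh plus awk, no other dependencies.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearOS): read an "iptables -nvL INPUT" dump
# and list the ports a rule will ACCEPT for *new* connections arriving on the WAN interface.
# Rules bound to lo, br0 or tun+ are LAN/VPN side and are ignored; RELATED,ESTABLISHED rules
# only admit replies. ICMP and protocol "all" rules carry no port and are not listed.

# write_sample_input_chain : constructed dump in the real command's layout; prints its path.
# 203.0.113.5 (RFC 5737 documentation range) stands in for the WAN address.
write_sample_input_chain() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Chain INPUT (policy DROP 3766 packets, 259K bytes)
 pkts bytes target     prot opt in     out     source               destination
  134 11453 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  131 13508 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
 4774 1589K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
   42  2856 ACCEPT     icmp --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  173 61474 ACCEPT     udp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            203.0.113.5          tcp dpt:81
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            203.0.113.5          tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
   48 42817 ACCEPT     tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 state RELATED,ESTABLISHED
EOF
  echo "$f"
}

# wan_exposed_ports FILE WAN_IF : one "proto port" line per ACCEPT rule that admits new
# connections on WAN_IF (or on any interface, "*") to a destination port
wan_exposed_ports() {
  awk -v wan="$2" '
    NR <= 2                { next }   # chain line and column header
    $3 != "ACCEPT"         { next }
    $6 != wan && $6 != "*" { next }   # "in" column: WAN or any interface only
    /RELATED,ESTABLISHED/  { next }   # reply traffic, not a listening service
    {
      for (i = 10; i <= NF; i++)
        if ($i ~ /^dpts?:/) { split($i, p, ":"); print $4, p[2] }
    }' "$1"
}

# is_port_exposed FILE WAN_IF PROTO PORT : "yes" or "no"
is_port_exposed() {
  if wan_exposed_ports "$1" "$2" | grep -qx "$3 $4"; then echo yes; else echo no; fi
}

main() {
  dump=$(write_sample_input_chain)
  echo "Ports reachable from the WAN (enp3s0):"
  wan_exposed_ports "$dump" enp3s0
  echo "SSH (tcp/22) exposed: $(is_port_exposed "$dump" enp3s0 tcp 22)"
  rm -f "$dump"
}
main
```

Run against a live box with "iptables -nvL INPUT > /tmp/input.txt" and then "wan_exposed_ports /tmp/input.txt enp3s0". The DHCP client rule (udp spt:67 dpt:68) is reported too; it is expected on a WAN interface that gets its address from the ISP, but every other tcp/udp line in the output is a service the internet can reach and should be one you chose to open.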
  • Accepted Answer

    Saturday, August 20 2016, 03:27 PM - #Permalink
    Resolved
    0 votes
I've googled a bit and it seems that my wireless card doesn't work in ac mode as a WAP. This is because of some regulatory policies which Intel (and other companies) have to follow. There are some hacks to bypass these restrictions for Atheros cards but none for Intel. I will probably buy an external WAP.
  • Accepted Answer

    Saturday, August 20 2016, 03:20 PM - #Permalink
    Resolved
    0 votes
Ok, so finally I've replaced my ISP router (it is configured as a bridge)! I did a bridge between the wired and wireless interfaces, so all my devices are in the same local network. Again, thanks for your tips, Nick :) I found and ran an OpenLDAP server through the web interface. Now I can add users.

Nevertheless I have a few concerns:
1) I want to forward one port on my main PC so uTorrent works normally. I found a tutorial on the ClearOS portal and installed the 1-to-1 NAT application from the Marketplace. I filled in an external IP (WAN IP), LAN IP and the chosen port. It seems that it works since uTorrent can easily connect to other peers; however, when I check the port status in the program it says that the port is closed.
2) There is a big list of unsuccessful connection attempts to my system:

    Failed login attempt by invalid user ubuntu from 120.237.232.6 2016-08-20 17:06:44
    Failed login attempt by invalid user oracle from 120.237.232.6 2016-08-20 17:06:37
    Failed login attempt by invalid user oracle from 120.237.232.6 2016-08-20 17:06:31
    Failed login attempt by invalid user a from 120.237.232.6 2016-08-20 17:06:24
    Failed login attempt by invalid user oracle from 120.237.232.6 2016-08-20 17:05:11
    Failed login attempt by invalid user a from 120.237.232.6 2016-08-20 17:04:59


At the moment it counts 378 total attempts (uptime is one and a half days) to connect to my router. I'm a bit concerned whether this is some kind of hacker attack, since there are connections from the same IP but with different users.
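A way to put numbers on a burst like the one above, and to see the subnet-spread pattern Nick describes later in the thread (many IPs from one /24, which per-IP banning such as fail2ban does not catch), as an added example that is not part of the thread or of ClearOS. The log lines are constructed in sshd's /var/log/secure format rather than the webconfig report format shown above, and the addresses come from the RFC 5737 documentation ranges; plain sh plus awk.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearOS): summarise failed SSH logins from
# sshd lines in /var/log/secure format, per source IP, per /24 and per username tried, so a
# burst like the one above is easy to recognise and so that a campaign spread across a subnet
# (which per-IP banning does not catch) shows up as well. The log lines are constructed;
# the addresses are from the RFC 5737 documentation ranges.

write_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Aug 20 17:04:59 gateway sshd[1201]: Failed password for invalid user a from 203.0.113.6 port 40210 ssh2
Aug 20 17:05:11 gateway sshd[1203]: Failed password for invalid user oracle from 203.0.113.6 port 40244 ssh2
Aug 20 17:06:24 gateway sshd[1207]: Failed password for invalid user a from 203.0.113.6 port 40301 ssh2
Aug 20 17:06:31 gateway sshd[1209]: Failed password for invalid user oracle from 203.0.113.6 port 40333 ssh2
Aug 20 17:07:02 gateway sshd[1212]: Failed password for root from 198.51.100.17 port 50110 ssh2
Aug 20 17:07:05 gateway sshd[1214]: Failed password for root from 198.51.100.58 port 50111 ssh2
Aug 20 17:07:09 gateway sshd[1216]: Failed password for invalid user admin from 198.51.100.201 port 50112 ssh2
Aug 20 17:07:12 gateway sshd[1218]: Failed password for invalid user ubuntu from 198.51.100.77 port 50113 ssh2
Aug 20 17:09:40 gateway sshd[1225]: Accepted publickey for nick from 192.168.10.144 port 51200 ssh2
EOF
  echo "$f"
}

# failed_by_ip LOG : "count ip", most active source first
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         n[ip]++
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# failed_by_subnet LOG : "count a.b.c.0/24", aggregating all sources in the same /24
failed_by_subnet() {
  failed_by_ip "$1" | awk '{ split($2, o, "."); s = o[1] "." o[2] "." o[3] ".0/24"; n[s] += $1 }
                          END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# users_by_ip LOG IP : distinct usernames tried from IP (existing accounts and "invalid user" alike)
users_by_ip() {
  awk -v want="$2" '/sshd\[[0-9]+\]: Failed password/ {
         user = ""; ip = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
           if ($i == "from") ip = $(i + 1)
         }
         if (ip == want) seen[user] = 1
       }
       END { for (u in seen) print u }' "$1" | sort
}

# flag_sources LOG THRESHOLD : "ip X" / "net X" for every source with at least THRESHOLD failures
flag_sources() {
  failed_by_ip "$1"     | awk -v t="$2" '$1 >= t { print "ip", $2 }'
  failed_by_subnet "$1" | awk -v t="$2" '$1 >= t { print "net", $2 }'
}

main() {
  log=$(write_sample_log)
  echo "Failed logins per IP:";  failed_by_ip "$log"
  echo "Failed logins per /24:"; failed_by_subnet "$log"
  echo "Usernames tried from 203.0.113.6:"; users_by_ip "$log" 203.0.113.6 | tr '\n' ' '; echo
  echo "Sources at or above 3 failures:"; flag_sources "$log" 3
  rm -f "$log"
}
main
```

In the sample, 203.0.113.6 alone trips a threshold of 3, but the four single attempts from 198.51.100.0/24 only show up in the per-subnet view; that second view is the one to watch when the per-IP counts look harmless. On a real ClearOS box point the functions at /var/log/secure (or the file the Failed-login report is built from).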
  • Accepted Answer

    Tuesday, August 16 2016, 09:04 PM - #Permalink
    Resolved
    0 votes
I did my bridge years ago when I last did wireless and I can't remember the details. I know if I got it wrong I had to resort to the console and nano editor to recover, so be prepared.

    When you do a bridge you don't give IP's to the individual NIC's, just to the bridge interface, and that is the only one you configure as a DHCP server. Remember that the DHCP server must hand out IP's in the bridge interface subnet. The thing that appears to be missing to me in the instructions is giving the bridge the LAN role. You can do this by editing /etc/clearos/network.conf directly and changing LANIF to BR0 then, presumably restarting networking but be careful. I have vague memories that there is a watcher on the file so if it changes, networking may restart anyway. If you have not edited your ifcfg files fully at that point you can lose all LAN connectivity and have to resort to the console (or, if the server is inside your LAN for the moment, open the firewall on its WAN interface, just in case you need to access it via the WAN which you are not bridging)
  • Accepted Answer

    Tuesday, August 16 2016, 08:36 PM - #Permalink
    Resolved
    0 votes
    I've googled a bit and found that this particular Intel wifi card doesn't work as an AP in 5GHz ac mode. Here is the output of "iw list":


    Frequencies:
    * 2412 MHz [1] (20.0 dBm)
    * 2417 MHz [2] (20.0 dBm)
    * 2422 MHz [3] (20.0 dBm)
    * 2427 MHz [4] (20.0 dBm)
    * 2432 MHz [5] (20.0 dBm)
    * 2437 MHz [6] (20.0 dBm)
    * 2442 MHz [7] (20.0 dBm)
    * 2447 MHz [8] (20.0 dBm)
    * 2452 MHz [9] (20.0 dBm)
    * 2457 MHz [10] (20.0 dBm)
    * 2462 MHz [11] (20.0 dBm)
    * 2467 MHz [12] (20.0 dBm) (passive scanning, no IBSS)
    * 2472 MHz [13] (20.0 dBm) (passive scanning, no IBSS)


    Frequencies:
    * 5180 MHz [36] (22.0 dBm) (passive scanning, no IBSS)
    * 5200 MHz [40] (22.0 dBm) (passive scanning, no IBSS)
    * 5220 MHz [44] (22.0 dBm) (passive scanning, no IBSS)
    * 5240 MHz [48] (22.0 dBm) (passive scanning, no IBSS)
    * 5260 MHz [52] (22.0 dBm) (passive scanning, no IBSS, radar detection)
    DFS state: usable (for 3563 sec)
    * 5280 MHz [56] (22.0 dBm) (passive scanning, no IBSS, radar detection)
    DFS state: usable (for 3563 sec)
    * 5300 MHz [60] (22.0 dBm) (passive scanning, no IBSS, radar detection)
    DFS state: usable (for 3563 sec)
    * 5320 MHz [64] (22.0 dBm) (passive scanning, no IBSS, radar detection)
    DFS state: usable (for 3563 sec)
    * 5500 MHz [100] (disabled)
    * 5520 MHz [104] (disabled)
    * 5540 MHz [108] (disabled)
    * 5560 MHz [112] (disabled)
    * 5580 MHz [116] (disabled)
    * 5600 MHz [120] (disabled)
    * 5620 MHz [124] (disabled)
    * 5640 MHz [128] (disabled)
    * 5660 MHz [132] (disabled)
    * 5680 MHz [136] (disabled)
    * 5700 MHz [140] (disabled)
    * 5720 MHz [144] (disabled)
    * 5745 MHz [149] (disabled)
    * 5765 MHz [153] (disabled)
    * 5785 MHz [157] (disabled)
    * 5805 MHz [161] (disabled)
    * 5825 MHz [165] (disabled)

    I'll google which mini-PCIe or USB card can operate in ac mode.

    At the end of testing my new router I will install it in the middle of my apartment beside the ISP router. Hence I'm not worried about signal coverage. It already shows higher bitrates compared to the regular ISP router.

    Another thing is bridging. I want the devices connected by wire and wirelessly to be on the same network. I followed this instruction and configured my bridge interface with a static IP (on a subnet different from the wired and wireless ones) and using DHCP. All my efforts always ended with errors in launching the network service and consequently I lose the network connection.
    Any ideas?
  • Accepted Answer

    Monday, August 15 2016, 09:03 PM - #Permalink
    Resolved
    0 votes
    That is good news.

    It looks like you can run multiple WiFi interfaces. See this doc and scroll down to the "Host AP configuration for IEEE 802.1X" section. You'll need to run multiple configuration files. If you're in luck hostapd will start all configuration files it finds in /etc/hostapd.

    Now for something you may not want to hear. It is often not ideal to put WiFi NICs in the server. This is because a server is often not in a good location for WiFi coverage. It is often better to use a router as a WAP (connect LAN to LAN and disable the router's DHCP server). It also has a possible advantage of having the WiFi on the same subnet as the wireless LAN. You can get different NICs onto the same subnet by bridging the interfaces.

    Your Intel card is Dual Band. Can that not be configured on both at the same time? You'll need to search the internet, but here is one example.
  • Accepted Answer

    Monday, August 15 2016, 08:20 PM - #Permalink
    Resolved
    0 votes
    Nick, you are a genius! ;) Finally, I've got my system working thanks to your last advice.

    For enp0s4 I assigned an IP 192.168.10.1 with a subnet mask 255.255.255.0. For my wireless network I assigned 192.168.20.1 with a subnet 255.255.255.128. After I corrected gateways for both DHCP servers all my devices finally received real IP addresses with the possibility to access the Internet!

    Sorry for the mess I made. I am new to networking. I need to study this question thoroughly.

    I'm just wondering, is it possible to run 2 wireless APs simultaneously? I would like one to work in the 2.4GHz range and another in 5GHz.

    Nevertheless, thanks again for your assistance and prompt answers during these two weeks! I really appreciate it! I think I can mark this issue as solved :)
  • Accepted Answer

    Sunday, August 14 2016, 08:42 PM - #Permalink
    Resolved
    0 votes
    Your settings are a bit messed up but I can't give a definitive answer as I don't know what netmasks you're using.

    I'm struggling with keeping up with your posts! I'm writing one answer and another message comes in.

    For enp0s4 and wlp2s0 they both need to be on subnets like 255.255.255.128 and not 255.255.255.0 otherwise they are on the same subnet. From your next post they are not and, even worse, the subnet of 255.255.0.0 takes the whole range of 192.168.0.0-192.168.255.255 so also covers enp0s3's subnet.

    I always advise to keep clear of 192.168.0.x and 192.168.1.x. Please can you configure all your LANs to something different, and perhaps start with a 255.255.255.0 subnet, at least until you get everything working. Also remember not to use the first or last address in the subnet.

    Is enp0s3's IP address 192.168.1.20? If so then its DHCP server settings look OK apart from the subnet clash.

    enp0s4 looks wrong as the gateway is not in its subnet. I'd guess your NIC has an address of 192.168.0.129 and that is probably what your gateway should be unless you have a fairly fancy network.

    wlp2s0 is a mess. It has the DNS server of enp0s4 rather than its own IP address and the gateway is also wrong. The IP range would be OK if you did not have the subnet clash, but the IP range is huge. You'd be allowed about 40k different IP addresses!
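A small checker for the mistakes Nick lists in the post above (overlapping subnets, a gateway outside its subnet, DNS pointing at another NIC, an oversized or badly placed DHCP range), as an added example that is not part of the thread or of ClearOS. The interface addresses and masks are taken from the posts; the DHCP ranges and the wlp2s0 address are constructed and assumed.

```python
import ipaddress
from itertools import combinations

def lan(ip, gateway, dns, lo, hi):
    """One LAN-side interface: router address with mask, plus what its DHCP server hands out."""
    return {"ip": ip, "gateway": gateway, "dns": dns, "range": (lo, hi)}

def check_lans(lans, max_range=1024):
    """Return a list of (interface, problem) tuples; an empty list means nothing was found."""
    problems, nets = [], {}
    for name, cfg in lans.items():
        iface = ipaddress.ip_interface(cfg["ip"])   # "a.b.c.d/25" or "a.b.c.d/255.255.255.128"
        net = nets[name] = iface.network
        # Clients need a gateway inside their own subnet; on a router that is the interface itself.
        if ipaddress.ip_address(cfg["gateway"]) not in net:
            problems.append((name, f"gateway {cfg['gateway']} is not in {net}"))
        # The DNS server announced by DHCP should be this interface, not another NIC's address.
        if ipaddress.ip_address(cfg["dns"]) != iface.ip:
            problems.append((name, f"dns {cfg['dns']} is not this interface ({iface.ip})"))
        lo, hi = (ipaddress.ip_address(a) for a in cfg["range"])
        if lo not in net or hi not in net or hi < lo:
            problems.append((name, f"dhcp range {lo}-{hi} is not inside {net}"))
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append((name, "dhcp range uses the first or last address of the subnet"))
        if (size := int(hi) - int(lo) + 1) > max_range:
            problems.append((name, f"dhcp range of {size} addresses is far larger than needed"))
    # Every LAN must be a distinct subnet: 255.255.0.0 on 192.168.x.x swallows all the others.
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            problems.append((a, f"{nets[a]} overlaps {b} ({nets[b]})"))
    return problems

# Constructed sample modelled on the thread: enp0s4's gateway lies outside its /25,
# wlp2s0 announces enp0s4's address as DNS, and its /16 (255.255.0.0) covers the other two LANs.
BROKEN = {
    "enp0s3": lan("192.168.1.20/24", "192.168.1.20", "192.168.1.20", "192.168.1.100", "192.168.1.200"),
    "enp0s4": lan("192.168.0.129/25", "192.168.0.1", "192.168.0.129", "192.168.0.130", "192.168.0.200"),
    "wlp2s0": lan("192.168.2.1/16", "192.168.0.1", "192.168.0.129", "192.168.2.10", "192.168.160.250"),
}
# The addressing that finally worked later in the thread (DHCP ranges are constructed).
WORKING = {
    "enp0s4": lan("192.168.10.1/24", "192.168.10.1", "192.168.10.1", "192.168.10.100", "192.168.10.200"),
    "wlp2s0": lan("192.168.20.1/25", "192.168.20.1", "192.168.20.1", "192.168.20.10", "192.168.20.120"),
}

if __name__ == "__main__":
    for label, lans in (("broken", BROKEN), ("working", WORKING)):
        print(label, check_lans(lans) or "ok")
```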
  • Accepted Answer

    Sunday, August 14 2016, 08:24 PM - #Permalink
    Resolved
    0 votes
    I did say the 6.x app was basic! It is hard to check as my server is tucked out of the way in the loft. It is also my proper server so I'd rather not mess with it. It is probably better to persist with 7.x.

    From memory, in the IP settings I checked the DHCP Server box. I'm not sure why it is there or what its function is. I then went over to the DHCP server configuration page (Webconfig > Network > Infrastructure > DHCP server) and checked the settings there. I think they had been populated in an acceptable way, presumably by checking the box in IP settings, but, if not, set them yourself.
  • Accepted Answer

    Sunday, August 14 2016, 08:23 PM - #Permalink
    Resolved
    0 votes
    Subnet for enp4s0 is 255.255.255.128, for wlp2s0 - 255.255.0.0
  • Accepted Answer

    Sunday, August 14 2016, 08:19 PM - #Permalink
    Resolved
    0 votes
    UPD. I think I've found what you were talking about. You can find my configuration attached. Please take a look at it, maybe you can find a mistake which doesn't allow me to connect to the WAP.