How we solved our office Wi-Fi problems (triplebyte.com)
384 points by Harj on Sept 26, 2018 | 245 comments



>Assign static IPs for infrastructure like access points. This makes them easy to reach when reconfiguration is needed

Am I missing something, or did they buy consumer routers to use as access points?

Triplebyte, I can save you a ton of management, troubleshooting, and learning time: switch to Ubiquiti Unifi or an equivalent now, you'll have one pane of glass to reconfigure every device. The devices will talk to each other, to help hand off clients between them. All channel management will be by the devices working together, they can throttle down power if they are causing each other interference. I can't even begin to list all the different benefits with a single set of settings vs devices that don't work together. Even an Asus AiMesh network would likely be better. You're asking for a troubleshooting nightmare.

You can either pay a couple hundred a year for the management interface, or $80 for an on-prem tiny little stick that hosts it. (Paying for the cloud-hosted one has its benefits, and is my recommendation.)

Access Point - https://unifi-hd.ubnt.com/

POE Switch - https://www.ubnt.com/unifi-switching/unifi-switch-poe/

Management Interface - https://www.ubnt.com/unifi/unifi-cloud-key/ OR Cloud Management https://unifi.ubnt.com/

Router - https://www.ubnt.com/unifi-routing/usg/

You should never need to track down or log into individual devices to configure them.

I don't mean to be a complete ballsack, but isn't it weird for a company whose mission is matching talent to problems to fail to find the talent to adequately address their problem, and to be giving authoritative (mis)advice on something they are not remotely domain experts in? It doesn't seem like the best advertisement.

That said, this is the KIND of post companies should be making when their SEO expert says to use keywords. Good job writing about improving the internals of your company, and not just what your company does. Write a V2 of this post once you upgrade, and rename the old one, "How we Created (and then mitigated) a Device Management and Troubleshooting Nightmare".


Fine, I'll say it: Ubiquiti is not suitable for a business environment. They don't have a good track record of pushing out security fixes. They've blatantly violated the GPL (and introduced security vulns in the process). Their "enterprise" features don't work well (e.g. hardware acceleration, WPA+Radius). Depending on what you buy the PoE may be non-standard passive or it may not.

Unfortunately because they're primarily in the business of slapping a slick web interface on Vyatta they don't have the skill required to debug the hardware acceleration. They don't have a single clue how to get RADIUS to work with their fork of Vyatta. And their support is fine for a home lab situation.

And let's not speak of the chronically overheating stuff.


>And let's not speak of the chronically overheating stuff.

Some-time wireless installer here, I bring a snippet of anecdata.

A recent client had the full Unifi experience for an outdoor network, including 3x EdgeSwitch XP (formerly known as ToughSwitch) in a single IP65-rated, largely airtight enclosure.

The network would go offline on summer afternoons. It was overheating; those models run hot and are not recommended for low-ventilation areas, but they weren't convinced.

I fitted a thermometer, went back three days later and checked the logs. The temperature peaked at 143 Celsius.


143 Celsius??? That's 289.4 Fahrenheit, which I find difficult to believe. Not impossible... just difficult. That's quite impressive.


In fact if it was actually reaching 143 C, I'd say that ironically I'm more positively impressed by the fact the hardware works at all at that temperature than I am negatively surprised by the fact that its thermal controls are that bad.


The heat problems are real. I mounted one to the underside of a cabinet, and it melted the plastic lining on the opposite side of the wood. They run extremely hot.


For completeness, that was when the summer sun was shining directly on the enclosure in the hottest part of the day, during a country-wide hot spell. Still, no airflow, heat generation, etc.

Every day, cut out. When it cooled down, it worked again. This continued for about two months, then they failed.


Sure, that's kind of a worst case scenario there. One of the bigger problems with the ER-L design, IMO, is that they don't have any sort of temperature measuring device inside the case itself. They run hot even without extreme ambient temperatures, so you'd think there'd be some baked-in way to monitor the temperatures, but no.


If memory serves the ER-L idles at around 40C exterior temp. That was the primary reason I went with the ER-X despite hooking it up to a gigabit uplink.


> The temperature peaked at 143 Celsius

Most electronic devices say operate between x and y degrees and if in full sunlight the temp may have exceeded y, which in a device that generates heat itself led to runaway overheating?

Either way plastic could melt at that temp and you'd definitely burn your hands touching it. Pretty crazy.


The housing of the switch is metal with rubberised feet and bumpers. Thankfully I wasn't handling it when it was offline (and hottest), but the rubber was completely destroyed after the fact.

I assume the soldered innards failed, though I never did open it up to check properly.


Outdoor network + airtight enclosure + summer + full sun ... 289 degrees doesn't surprise me.

This sounds like unrealistic expectations and a poorly designed implementation.


Hey, just a little YSK: it's anecdote / anecdota, from the Greek word meaning "unpublished", nothing to do with data! :)


It’s a joke, derived from the saying “the plural of anecdote is not data.”


"Anecdata" is usually online shorthand these days for saying, "I know the plural of anecdote is not data, but fwiw here's my experience."


^ This is what I meant by it. Not corroborated by any scientific study, just a field report.


> Not corroborated by any scientific study, just a field report.

But that's exactly what "anecdote" means already, why change it?


Ubiquiti is not suitable for a business environment

I'd say that Ubiquiti is perfectly suited for a small business environment -- definitely a big step up from discrete consumer Asus routers throughout the office with no central management (and probably haven't been patched since the day they were installed).

Ubiquiti may not be suitable for a mid to large sized business, but for up to a ~100 person office or so, they come in at a great price point and have decent performance and manageability.


Asus-Merlin firmware is regularly patched and is available on many models


But can you easily roll out that new firmware to 20 Wifi nodes spread over 3 offices in 3 different cities?

Just because patches are available, doesn't mean that someone's going to take the time to apply them. Having a central management console makes this much easier. Upgrade one node, make sure it works, then roll out to the rest of the nodes one by one with one click.


Yup. The network engineer in me would never recommend Ubiquiti for any scenario. Maybe it works for WISP because of the price point; I'd have to be convinced.

They run an embedded Mongo DB on their UniFi hardware that (at least in the deployment I've inherited) requires occasional direct interventions[1] to keep running. That's just one example of the many baffling/wrong things they do.

I know Mongo gets quite a bit of undeserved hate, but it really just doesn't seem suitable for this use case.

[1] https://help.ubnt.com/hc/en-us/articles/360006634094-UniFi-S...


My IT MSP solely sells and supports unifi WAPs, and I have no idea what you're talking about.

We have dozens of WAPs under management across the city and state, and I've never seen any of the issues you guys are talking about. We don't have issues with the database crashing or overheating. The WAP controllers are configurable for automatic firmware updating, so I don't know what the issue is with patching. They definitely support WPA-E/RADIUS because I've configured it and we use it in my office.

A personal goal of mine is to buy a unifi wap and a modem (already have a router and firewall) and divorce from ISP equipment altogether. Then I can start posting on /r/homelab :)


> They definitely support WPA-E/RADIUS because I've configured it and we use it in my office.

Sure, and problems with RADIUS auth have been well documented. How much of the not seeing issues is simply a matter of users assuming your setup (or their phones or computers) is flaky? Issues with Mongo are also pretty well documented.

https://www.google.com/search?q=ubnt+mongo+issue

> The wap controllers are configurable for automatic firmware updating, so I don't know what the issue is with patching.

The issue with patching is that Ubnt is in a bad position. They're on their own completely to create and issue patches even for stock packages. That's just what happens when you distribute EOL'd software. So, sure, it's not that hard to apply patches* from Ubnt but it's a lot more work for Ubnt to generate these patches — and last I checked they were pretty well behind with the excuse of "there are no known exploits for ABC in the wild".

* Let's not forget the ER-X bootloader for which end users are entirely on their own. Ubnt has a patch but hasn't applied it to the devices they ship. It's just lazy and sloppy.


I have an office with a few of those and they are not great and do overheat. I am quite surprised that you, having been exposed to a great number of them, never had an issue.


Maybe he hasn't had overheating problems because he is kryogen1c.

(I'll see myself out...)


They have a lot of models and we usually sell ac-pros and ac-lrs. Maybe there are issues with higher/lower grade versions...


You have dozens of devices in what sounds like small locations across your state. I have 11k users online in North America and I would never trust Unifi for any part of my network. They have their place but enterprise is not one of them. SMB is not the same.


I agree fully, it's not enterprise grade. Triplebyte is a 30 person office.


All parents and responses to my posts are probably right, and I'm probably wrong!

My experiences aren't wrong, of course, but it's an apples to oranges comparison. My IT MSP only serves small to medium sized businesses (as I think all IT MSPs do, since enterprise-level environments don't contract it out and hire their own department - this is an educated guess). We do very little enterprise work and have no single client with more than 300 users.

However, I will defend my position and consumer grade Ubiquitis on a (significant) technicality. Higher models beyond what my company sells are not cost effective. Buying higher grade WAPs at no less than double the price is more expensive than just running cables. If you WANT to make everyone get 200mbps wifi, you will pay for it, but that's a convenience you pay for, not a requirement. UAP-AC-Pros are perfectly capable of handing out up to 50mbps pipes to multiple endpoints without huge (or even medium) upfront capital investments, overheating or DB problems. In my opinion, just run cat6 lines. It'll be cheaper than spending thousands on enterprise WAPs for only 30 people.


I loved the ubiquiti stuff for years. Then one day two years ago macs suddenly could no longer reliably connect to the outside world even with a strong wifi connection to the AP. I would send pings and have 40% packet loss. Weirdly I could ssh into any of the APs and ping with 0% packet loss.

We could never fix it and switched over to google appliances. We rarely have over 20 people in the office.


I've heard great things about Ubiquiti's products, so I recently evaluated both their USG security gateway and EdgeRouter4 products using only wired gigabit ethernet.

I found it weird that the UniFi line of products and the EdgeMAX line of products while very similar in terms of specs and their target markets, use completely different remote management systems (UniFi vs. UMNS).

While some folks really like their management GUI, I found that once you wanted to do anything not bog standard with it, you were on your own. I had to SSH into both devices and enter EdgeOS (Vyatta) commands for even relatively simple things like disabling NAT on the ER4 or configuring mutual TLS with OpenVPN. With IPsec there are so many different possible parameters that the GUI just didn't have enough widgets to cover them all.

I found the USG security gateway too underpowered for my purposes. I wanted a device I could use for IDS/IDP as well as a dedicated VPN. With hardware offloading disabled (which you need for IDS/IDP) the throughput of the USG is limited to around 130 Mbps.

Using IPsec on the USG (ESP:AES-128-SHA1) I was able to send (encrypt) data at 70 Mbps and 56 Mbps on receive (decrypt). Don't even think about using OpenVPN with this device, as it's single-threaded and can't take advantage of any crypto offload -- only managing around 14 Mbps of throughput.

If you are using the USG for a VPN you can get much better performance with WireGuard. I managed to get 90 Mbps encrypt, 111 Mbps decrypt with it, which is likely good enough for a lot of folks.

The EdgeRouter4 was faster, but it had a weird issue with IPsec. I was able to get it to encrypt at 631 Mbps, but only decrypt at 229 Mbps. On encrypt (send) I could see that the CPU was 376% utilized (it has 4 cores) with most of that spent dealing with software interrupts. On decrypt (receive) it was only 167% utilized -- so something was wrong there.

The EdgeRouter4's OpenVPN single core performance was more than 3x faster than the USG, clocking in at 43 Mbps, and best with WireGuard at 636/597 Mbps encrypt/decrypt.

I used iperf3 on a remote host on my simulated WAN for measuring throughput like:

    iperf3 -c host_behind_router -P4 -t120 # decrypt
    iperf3 -c host_behind_router -P4 -R -t120 # encrypt

Ultimately I found the whole dance of having devices being adopted by the controller software and then being provisioned by it to be tedious and unnecessarily faffy -- especially considering how often I had to drop into EdgeOS to get things done.



I've always so far heard a lot of good for ubiquiti on HN.

What would you suggest instead?


_Thank you_. I'm constantly astonished to see folks extolling UBNT gear for anything other than WISP purposes (where it admittedly fits a price profile that's unmatchable). Read about the first ~10 months of the ES16-XG DAC support issues. Read about how EdgeRouters could never approach even 40% of line rate with fq_codel running. Read about how they lied about the future of the mFi line for 8+ months before abandoning it entirely. Not to mention the GPL stuff you note, the inconsistent and semi-nonfunctional PoE, and general lack of support or consistency.

At some level, you really do get what you pay for. They are great for people who want to set up a "homelab" without learning anything about actual networking, though.


Or $1000 switches that fail outside of warranty with no replacement power supplies available. https://community.ubnt.com/t5/UniFi-Routing-Switching/Failed...


What's the better alternative to fit the needs of a shoestring startup (say 5-10 devs)?


I have had good experience with MikroTik products. They are at a similar price point, with a less refined interface but a lot more flexibility.


Mikrotik suffer from a gross amount of "Not invented here", reinventing existing open source protocols such as OpenVPN, a custom sshd and web server, and it shows in their amount of issues (how many years has it taken to add UDP to their OpenVPN server?). In some ways I think they're no better than UBNT.

Tell you what. I used to have a Mikrotik CRS125 switch in my home office, and by default if you have a set of ports where one has no VLAN assigned, and the others have untagged VLAN assignments, any broadcast traffic on the untagged port(s) without a VLAN leaks to the ports with an untagged VLAN. This isn't well documented in the manual, and to fix it you either disable "Invalid VLAN Forwarding" (I think) and/or move said ports without a VLAN to a VLAN.


Many MikroTik devices can be loaded with Debian or OpenWrt; their hardware is solid.


My CRS issue suggests otherwise (could just be CRS), but ignoring OpenVPN I haven't had many issues with RouterOS. It's good to have the option though.


I have run it at 2 startups and it works great. Current startup is all Unifi stuff including 3 switches and 8 APs with around ~150 devices connected to Wifi. We use RADIUS just fine for auth for the users. No issues at all. We do not use their firewalls, we use pfSense. I do use a USG at home with no issues.


RADIUS support is a well known issue. In my case it works better with some Apple hardware than others. Conversely, the Cisco gear at megacorp has never given me any authentication problems.

https://community.ubnt.com/t5/UniFi-Wireless/UniFi-AC-AP-iss...


Sources for all of these claims? I have and recommend their products wholeheartedly. This isn't something that is opinionated. Their pro products are amazing. Maybe you are referencing outdated or consumer level product offerings? Giving you the benefit of the doubt and just going to say "right" and roll my eyes.


Really depends IMHO, at least when it comes to the APs. Yes, it's not enterprise-grade, but their APs are also way cheaper than anything enterprise and do the basics well enough. Average small business office use doesn't require much in the way of features, although how long various RADIUS features took was a bit embarrassing (I seem to remember putting clients in different, RADIUS-controlled VLANs wasn't possible for a long time).

Never really trusted their other product lines.


How much does the price difference really matter? An Ubiquiti AC HD is $300. You can get an equivalent Ruckus AP (R710) for about $815. In a small office, that might add up to a couple of thousand dollars extra for APs. That's like a week's rent for a Bay Area office.


Which network vendor has better security updates? Can you point to a specific example of them not fixing a security issue that was addressed by others?

How would you compare Microtik to Ubiquiti?


> Which network vendor has better security updates?

I'd imagine pretty much any network vendor doing business in the enterprise sector (e.g. HP, Cisco, Juniper, Dell, etc, etc)

> Can you point to a specific example of them not fixing a security issue that was addressed by others?

I haven't looked recently, but when I last updated my ER-X I noticed that the latest available packages included a large number that were not up-to-date with the latest available security fixes.

One of the problems is that the old version of Debian that EdgeOS is based on is end-of-lifed on the hardware (MIPS) that Ubnt uses. Where most vendors could simply track the official Debian repositories, Ubnt is stuck rolling their own packages. If Ubnt has finally moved on to an officially supported version of Debian then this is less of an issue.

This is one of those "I wish I had a better solution" moments. For the home user this may not pose a challenge, but in a business environment I'd say that it's probably worth spending the big bucks on a vendor with a better track record. That's not to say there aren't other bad vendors, but it is to say that Ubnt gear does not belong outside of a home lab.

I haven't evaluated MikroTik because the Ubnt stuff works well enough (but certainly not great) for me in the two locations I've got it deployed.


Cisco has not been having a good year, https://www.bleepingcomputer.com/news/security/hardcoded-pas...

Ubiquiti EdgeRouter Lite (not ER-X) is apparently supported by vanilla OpenBSD.


This is actually good news. Cisco has been doing real security audits, where they go through the source code with a fine tooth comb and look for hidden backdoors. And even better they're actually telling us about them instead of turning them off silently. You can bet that a significant number of competitors have similar issues with backdoors. This is a case where a vendor is actively looking for security problems and putting in place processes to prevent them vs the normal vendors who just respond to security reports.


Oh please.

The issue has more than one dimension. Apart from them being nice and auditing now, there is still the fact that their internal processes have allowed (and probably encouraged) stashed passwords in such a manner that 6 of them have been found in a really short time. Unless your process is total garbage you don't end up with 6 backdoor passwords like that without knowing it.

So for any company that prides themselves on having a device in the middle of LOTS of networks, it's a very poor track record to figure out security and backdoors don't really mix in 2018.


> Ubiquiti EdgeRouter Lite (not ER-X) is apparently supported by vanilla OpenBSD.

The ER-L is what I spoke of when I referred to the chronic overheating problems. From a different reply to my comment it sounds like there may be other Ubnt devices that suffer the same fate. The ER-L also has issues with reordering UDP packets.


The downside of the vendors you listed (and Cisco) is they require a support contract for software updates. If you lack said contract, you do not receive security updates.

Imo ubiquiti works fine for smaller offices. If you don't have enough people to justify an IT org it makes sense.


> If you don't have enough people to justify an IT org it makes sense.

Disagree, and not just because of the GPL violations and security issues. There are enough subtle bugs (e.g. data corruption with hardware acceleration) and design flaws (e.g. overheating) that you are setting yourself up for intermittent bugs (a.k.a. trouble) if you don't have someone well versed in diagnosing network issues. It's powerful enough to do fun things in a home lab, but it's way too complex for a professional setting where there's nobody around with the skills to troubleshoot it.

Enterprise gear is expensive, yes.


Note that nearly all of Ubiquiti's offerings are running modified OpenWRT, with a handful running a fork of VyOS which happens to be Debian plus some packages.


> Note that nearly all of Ubiquiti's offerings are running modified OpenWRT, with a handful running a fork of VyOS which happens to be Debian plus some packages.

EdgeOS is a Vyatta fork. Has Ubnt abandoned EdgeOS? It's been a few months since I've looked, but the version of Debian that's being used was end-of-lifed on MIPSLE hardware a while back so security updates are entirely incumbent upon Ubnt. There is no upstream support.

Which offerings are on OpenWRT?


The next version of EdgeOS, 2.0, which is currently in alpha, was rebased to Stretch, so this should be fixed soon enough.

Their Unifi APs have the option of a LEDE-based firmware, but I think it is just beta at the moment. You can choose between the LEDE version and the regular version.


On the one hand it's good they're updating to a supported version of Debian. On the other, how is it still in alpha? Wheezy was EOL'd on all architectures in May.


All of their wireless gear is OpenWRT based; EdgeOS is only used on the switching hardware. Their wireless gear has been much more popular and has significantly more variety than the switches/routers Ubiquiti offers.


Yup, all of this. Their HW really is that good for the cost.

Ars' article[1] was the thing that pushed me over the edge and I don't regret it at all. Rock solid APs, central management, isolated VLAN+SSID just for IoT, just all around good. It was about $300 to get it all set up and it outstripped all my "pro-sumer" gear by miles.

[1] https://arstechnica.com/information-technology/2018/07/enter...


This a thousand times.

The very start of a strong network is a solid Dynamic DNS + DHCP setup. The only IPs that should be static are the router's.

In a small office, using your firewall/router for DNS+DHCP is not a bad choice. For companies < 100 and WAN connections < 1 gig, pfSense is perfect.

Segment your APs and servers etc into different VLANs with distinct IP pools, bonus points for different subdomains. This allows you to firewall it off to prevent prying eyes. It also means that if something were to get into your VPC, and then over the VPN, they can't fiddle with your APs quite so easily.

As for Ethernet, always buy in cables, but get good sockets and patch panels. It is worth the money to hire a wireman/woman to do that for you. Unless you've been practising, it's a long boring slog, time you should be spending doing your real job....

Ubiquiti again is a solid choice for wifi. I've deployed ~50 to cover an 1800-person office. Beware, the non-"pro" versions of the APs don't use proper PoE, so you'll be stuck either using their injectors (ok for small places) or buying their switches.

Some of the pro APs have built-in speakers (https://www.ubnt.com/unifi/unifi-ap-ac-edu/) which might be fun. They have proper PoE too, so you can use a real switch.
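The DHCP + dynamic DNS + per-VLAN layout this comment recommends, written out as an added example (it is not from the thread, the linked post, or any vendor). It assumes a Linux router running dnsmasq with 802.1Q sub-interfaces; VLAN ids, address ranges, MAC addresses and domain names are constructed for illustration.

```conf
# Added example: dnsmasq as the office DHCP + DNS server on a Linux router.
# Interface names, VLAN ids, ranges, MACs and domains are constructed.

# Serve DNS/DHCP only on the internal VLAN sub-interfaces, never on the WAN side
interface=eth0.10     # users
interface=eth0.20     # access points and switches (infrastructure)
interface=eth0.30     # servers
bind-interfaces

# Register every DHCP lease's hostname in DNS (the "dynamic DNS + DHCP" piece)
# and give each VLAN its own subdomain, selected by the client's address range
expand-hosts
domain=lan.example.internal
domain=users.example.internal,10.10.10.0/24
domain=infra.example.internal,10.10.20.0/24
domain=srv.example.internal,10.10.30.0/24

# One address pool per VLAN; the tag lets later options target that pool
dhcp-range=set:users,10.10.10.50,10.10.10.250,255.255.255.0,12h
dhcp-range=set:infra,10.10.20.50,10.10.20.200,255.255.255.0,7d
dhcp-range=set:srv,10.10.30.50,10.10.30.200,255.255.255.0,7d

# Each VLAN gets the router's address on that VLAN as its gateway, so traffic
# between VLANs always crosses the router where firewall rules can apply
dhcp-option=tag:users,option:router,10.10.10.1
dhcp-option=tag:infra,option:router,10.10.20.1
dhcp-option=tag:srv,option:router,10.10.30.1

# APs keep a fixed address and name via a reservation on the DHCP server,
# reachable as ap-01.infra.example.internal, without a static IP on the AP
dhcp-host=02:00:00:aa:bb:01,set:infra,10.10.20.11,ap-01
dhcp-host=02:00:00:aa:bb:02,set:infra,10.10.20.12,ap-02
dhcp-host=02:00:00:aa:bb:03,set:infra,10.10.20.13,ap-03
```

With the reservations held centrally, re-addressing or renaming an AP is an edit on the router rather than a login to each device, and the infra VLAN can be firewalled from the user VLAN at the router.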


The UAP-AC-LITE used to be only 24V passive PoE but has supported real 802.3af PoE for a while now.


Looks like the UAP-AC-EDU is PoE+

I agree though, all my APs run on DHCP.


The above may sound like an Ubiquiti ad, but I've tested a few top specs routers about 2 years ago and settled with unifi for my home installation. I needed a good coverage and reliability for my home automation, e.g. when I switch lights on/off I want a consistent few milliseconds latency.


One of the FEW downsides for smaller installations is them not selling a Cloud Key, Gateway, and Switch in a single box.


I agree. Right now I have the EdgeRouter Lite. I have it set up so 4 ports are switched together and then I use PoE pass-through to power my access point. Then I run the Unifi software on a Raspberry Pi.

I would love at least a gateway/cloud key combo to simplify things. The separate switch doesn't bother me as much though.


One more thing to go wrong in the field, one more cable to get unplugged. A key/gateway/24-port PoE switch would be a single device people can run Ethernet to for APs, and plug their office PCs into. If you have a rack it's irrelevant, but for some kind of trailer where it's sitting on the floor... or mounted to a wall.


I just ran both UNMS and the UniFi controller on a GCP instance (free credits). Their software is inconsistent though (the fact that there's a separate UNMS for the EdgeRouter and UniFi for the APs should already tell you that), but for example: the UNMS container sets up letsencrypt etc but UniFi does not.

Had to modify it to bind mount a shared cert location.


This drives me insane! I get that in a commercial environment those are typically treated differently, but at home I want one device that I can manage everything from.

I'm currently commandeering a R-Pi as a controller, but I tend to misplace it when it gets pulled into other projects.


What are you talking about? There’s https://amplifi.com/ for, let’s say, less sophisticated home installations.


Amplifi is apples to oranges with their full setup.

I installed an Amplifi AP/Router at my parent's house. It works absolutely phenomenally for their use case, but is basically plug and play. The Ubiquiti gear is worlds more configurable.


Which tends to fare poorly compared to Orbi, Asus, Velop and others. A bottom of the pack product at the moment. It's also not part of the Unifi family, and doesn't have the advanced management interface.


That's not happening any time soon.

The gen2 cloud keys don't do that, although the gen2 plus model merges the cloud key and NVR appliance into one device.


I love my Ubiquiti gear. Range isn't great, but in range it's absolutely rock solid. The only time I have downtime is when I upgrade or tinker too much and mess something up. I've had it for 3 years and don't see it petering out anytime soon. 3 to 5 years is the most I've had my consumer grade stuff last.

The fact that I can run VPN/Wireguard/Basic Network apps on my router is fantastic. If I ever get tired of the range (which is only an issue in my garage on the other side of the house), I'll simply get another AP.


I installed Ubiquiti at home and it was a terrible experience. I really wanted it to work, but my wife teased me long enough about my "professional grade" installation that I gave up. She was right.

The biggest issue was range, which was much worse than what I had with a traditional consumer access point (I had a TP-Link Archer C7.) It was not even close.

The handover didn't work very well either. Much older UniFi products used Qualcomm wifi chipset which had excellent hand-over, the later versions used Broadcom which didn't have that yet.

I replaced everything with Eero, which just worked.

The AmpliFi product line of Ubiquiti supposedly offers similar features as Eero, but that didn't exist yet when I made the switch.


The problem with UniFi is people read about how great it was for someone who somewhat haphazardly flung a few APs around their house and lived happily ever after... and for many it's just not going to work out that way.

A lot of work can go into making WiFi work well.

With multiple APs you've got to adjust the Transmit power (defaults to Auto, which means High, which is generally bad). For good roaming, increasing the minRSSI is critical. 5G and 2.4G have very different propagation characteristics so they need to be optimized individually. With several APs you may even want to disable 2.4G on some of them.

Band Steering may or may not play nicely with the devices you have. Some devices have trouble if they can see many APs advertising the same SSID -- Ring Doorbells are notorious for not being willing to associate to an SSID at all if many APs are advertising the same SSID.

At my old house I got away with one AP placed centrally in the attic and another in my detached garage. At my new house, at about 2.5X the size, I'm running 5 APs and it has taken me a solid month of fiddling to get my devices consistently associating to the best AP and roaming appropriately.


> For good roaming, increasing the minRSSI is critical.

This! I thought the UAPs sucked until I played with transmit power and especially min RSSI.

I’ve been using the UniFi line for about a year now, covering the whole property and house in rock-solid WiFi. It took a few hours of walking around with a laptop and tinkering with settings/placement but I couldn’t be happier now.


Came here to say this. No networking engineer would ever buy consumer hardware for an office of this size. It will cost a lot more in management, debugging, and downtime. Spend the little extra it will cost for devices that are able to work together.


And it's even bad advice for a small home network vs an Orbi, AiMesh, or Unifi setup.


I use Unifi AP at home and a Fritzbox router.

At work I have two sites of Unifi with cloud keys and an EdgeRouter. All visible on one management screen and super easy to configure.

Fabulous kit. Make sure you take a backup of the cloud key btw, they can get corrupted by a power interruption, and then you have to install from scratch. You can do this from the browser.

I wanted to caution people who are choosing Mikrotik at home. A lot of network engineers find their interface a bit weird, and by default they have way too much open on their public interfaces. I have seen one in the process of being brute-forced from ssh, that was installed by a qualified Mikrotik installer. If you want to plug and play the Unifi routers are a better option. Many have packet inspection features built in too.


The vast majority of peoples' houses don't have WAN connections that need the capabilities of the higher-spec mikrotik routers anyways. An RB3011 or RB4011 is overkill for a residential cablemodem or VDSL2 based last mile service, in terms of pps and Mbps capacity, and NAT pps ability. The ubnt ER-X ($48) is good for up to about 700 Mbps of traffic, and comes with sane defaults.

If you have truly symmetric 1 Gbps full duplex at home maybe you need the capabilities of an RB4011. But you should learn how to lock down its WAN facing interface.

The ubnt EdgeOS based devices are based on a fork of Vyatta. Ubiquiti hired most of the Vyatta software development team years ago when Brocade acquired Vyatta (the corporation). Ultimately they are little tiny Debian based boxes, since that's the foundation vyatta was built on.


Why an edge router over unifi, for smaller setups (Triplebyte is what, 30 office people?)


I wouldn't recommend an edgerouter for a small office, maybe something a bit more serious. I was describing what I'd recommend for a residential/personal small home office setup. Mine is basically a 32x8 capable DOCSIS3.0 cable modem that is a dumb L2 bridge to the cable ISP's CMTS, an ER-X router, a managed mikrotik fanless L2 switch for the LAN, and several $79 UAP-AC-Lite (802.11ac not wave2, 2x2 MIMO, dual band APs).


>residential/personal small home office setup.

Home/Offsite - https://www.ubnt.com/unifi-routing/usg/

Office - https://www.ubnt.com/unifi-routing/unifi-security-gateway-pr...

Large Office - https://unifi-xg.ubnt.com/usg-xg-8 (sweet 1U screen!)

$110, and same management interface as the APs and switches. As you can tell, I'm prioritizing all-in-one management very heavily. One managed cloud location for all my devices (minus SD-WAN, hosted by that vendor). But the USG can do Auto IPsec, so if you have 5 of them, you can tell all 5 to automatically keep connections to each other open. I haven't fully tested a complex mesh of USGs yet, but I'd like to. It's getting close to even SD-WAN being expensive, compared to what these things can do.

One of the things I like the least about the Unifi management interface is having to edit each site separately. If I want to make a router or AP/SSID change, I have to open each site.


From what I understand, some features on the USG aren't available unless you manipulate some JSON files, whereas they're exposed in the UI in the Edge Routers.


> by default they have way too much open on their public interfaces

They used to. Since about a year or so ago, the public interface is so completely locked down by default that I've heard people wondering if they've bought defective units (because they're trying to access management through eth1.)


> isnt it weird for a company thats mission is matching talent to problems, to fail to find the talent to adequately address their problem, and to be giving authoritative (mis)advice on something they are not remotely domain experts in.

SEO at its finest.


> All channel management will be by the devices working together, they can throttle down power if they are causing each other interference.

UniFi does not do this. At all. The Auto settings are the same as basically every other commodity AP out there -- look for the least noisy channel at boot, transmit full power, allow any client to remain associated regardless of signal strength.

UniFi has an ok tool for on-demand RF scans. It has all the appropriate knobs to tweak for optimizing coverage and encouraging devices with weak signal to associate with a better AP. But you have to do all of that yourself. Manually. Trial-and-error. There's absolutely no magic there.


Yeah, I knew that and forgot, thinking there was some kind of magic. Too bad I can't edit these comments. My bad.


I have a full UniFi setup in my home office/house and it is glorious. It Just Works!

Well, with the one exception which is the Cloud Key. I've yet to see it run for more than 24 hours before soft bricking and requiring a total re-setup of the network.


The new (but not widely available) Cloud Key Gen 2+ model is much more stable. It also has a battery so it can gracefully shut down mongodb after 10 seconds of no power. The + model replaces the cloud key and nvr. There is a non-plus model coming as well but that hasn't been released yet.


I need a wireless bridge and am a bit overwhelmed with the various Unifi offerings. Can you recommend a setup?


I have my unifi controller running on a Raspberry Pi and it has been very reliable. Might be worth a shot.


Having spent too much time on HN today, I'm going to try to put a PiHole on the same Pi as a home controller that is especially under-taxed. Will see if this combo works. https://news.ycombinator.com/item?id=18075159


I’m looking into hosting it on DigitalOcean, seems easy enough.


Same as this, except with one change. For the router, use the (cheaper and more powerful) Mikrotik Routerboards. We don't use a PoE switch - we just use cheap PoE adapters and connect directly to the routerboard.

For those who have never touched a Ubiquiti, configuring it could be a little iffy. I normally advise setting up DHCP 43 advertisement on the router before trying to set up the access points.

But seriously, this stuff scales.
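To make the DHCP 43 step above concrete, here is an added helper, written for this thread rather than taken from Ubiquiti or the commenter, that builds and checks the option 43 payload UniFi APs expect for L3 adoption (the AP sends vendor class "ubnt" in option 60; the server answers with option 43 carrying sub-option 1, length 4, the controller's IPv4 address) and prints the matching dnsmasq and Mikrotik RouterOS lines. The controller address 192.168.1.10 is a placeholder, and the two config renderings are my reading of those tools' syntax, so check them against your server's manual before relying on them.

```python
"""
DHCP option 43 helper for UniFi AP adoption via DHCP (L3 adoption).

Added example for this thread; not Ubiquiti's code. The dnsmasq and RouterOS
lines are assumptions about those tools' syntax, not copied from their docs.
"""
import ipaddress
import struct

UBNT_VENDOR_CLASS = "ubnt"      # value UniFi devices put in DHCP option 60
CONTROLLER_SUBOPTION = 1        # option 43 sub-option carrying the controller IPv4


def encode_option43(controller_ip: str) -> bytes:
    """Return the raw option 43 payload: one TLV (code 1, length 4, IPv4 in network order)."""
    addr = ipaddress.IPv4Address(controller_ip)          # ValueError on malformed input
    return struct.pack("!BB4s", CONTROLLER_SUBOPTION, 4, addr.packed)


def decode_option43(payload: bytes) -> dict:
    """Parse the TLV list of an option 43 payload into {sub-option code: value}.

    Sub-option 1 is decoded to a dotted IPv4 string; other codes stay as bytes.
    Raises ValueError on a truncated or mis-sized TLV instead of guessing.
    """
    result = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d declares %d bytes, only %d present"
                             % (code, length, len(value)))
        if code == CONTROLLER_SUBOPTION:
            if length != 4:
                raise ValueError("controller sub-option must be 4 bytes, got %d" % length)
            result[code] = str(ipaddress.IPv4Address(value))
        else:
            result[code] = value
        i += 2 + length
    return result


def option43_hex(controller_ip: str, sep: str = ":") -> str:
    """Hex rendering of the payload, e.g. 01:04:c0:a8:01:0a for 192.168.1.10."""
    return sep.join("%02x" % b for b in encode_option43(controller_ip))


def dnsmasq_config(controller_ip: str) -> str:
    """dnsmasq (assumed syntax): tag clients with vendor class 'ubnt', send option 43 only to them."""
    return ("dhcp-vendorclass=set:%s,%s\n" % (UBNT_VENDOR_CLASS, UBNT_VENDOR_CLASS)
            + "dhcp-option=tag:%s,43,%s" % (UBNT_VENDOR_CLASS, option43_hex(controller_ip)))


def routeros_config(controller_ip: str) -> str:
    """Mikrotik RouterOS (assumed syntax): define option 43 as a hex value, attach it to the network."""
    return ("/ip dhcp-server option add name=unifi code=43 value=0x%s\n"
            % option43_hex(controller_ip, sep="").upper()
            + "/ip dhcp-server network set [find] dhcp-option=unifi")


if __name__ == "__main__":
    ip = "192.168.1.10"   # placeholder controller address, not a real deployment
    payload = encode_option43(ip)
    assert decode_option43(payload) == {CONTROLLER_SUBOPTION: ip}
    print(dnsmasq_config(ip))
    print(routeros_config(ip))
```

The decoder is the useful half when adoption silently fails: capture the DHCP offer the AP receives (tcpdump on the AP's VLAN) and feed the option 43 bytes in; a length mismatch or a value your server padded or quoted as ASCII shows up as a ValueError or a wrong address rather than an AP stuck in "pending adoption".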


Haven't the Mikrotiks had lots of serious vulnerabilities recently?


Those that weren't updated for a year.


There was a 0-day winbox bug this year that was being actively exploited in the wild. They definitely have their share of security issues, and more are likely to come since they write their own versions of httpd, sshd, smbd, etc instead of using well tested open source versions.

As long as you aren't exposing the device itself to the internet, you should be safe from most exploits if your LAN is semi-trusted.


I'm currently using Mikrotik happily for AP and router needs, but I'm considering switching to a Ubnt setup for ease of management that does not depend on Windows/Wine and without having to write my own configuration management tooling, as central management is somewhat lacking.

What are your considerations for not choosing Ubnt for routing?


I'm not the OP but I moved from UBNT to Mikrotik for two reasons:

- When it comes to SFP, UBNT's wired gear is unreliable. See https://community.ubnt.com/t5/EdgeRouter/EdgeRouter-X-SFP-le... for an example.

- My only experience with UBNT's support was exceptionally poor. When I ran into the above issue, I was using a third party SFP module and support stonewalled me, saying I had to buy one of their modules. They wouldn't loan me one or guarantee a refund if the module didn't resolve the issue. Unsurprisingly, buying their module didn't help at all (though they finally let me RMA the equipment).

Mikrotik's gear has been solid for me. Zero problems whatsoever.


The Mikrotik CLI is wonderful. You can script it all out. The UI is a little complicated, but oh well.

Quick question - why do you need Windows/Wine for Mikrotik? We use the CLI commands through the web console.

In fact we don't have Windows in the office. Granted you may be doing something more advanced than us, but curious to know.


I mostly manage my device setups with CLI/webfig. Sometimes winbox in wine, as it is a little more reliable in mac-telnet than 'non-official' clients. But I long for some centralised configuration management. Even on small networks. It's just nice to come back to a complete overview instead of spread-out configuration and out-of-date documentation for stuff you did months back for a friend or family. I don't know if Ubnt will fill this need, but from what I've been hearing about it, it should.


I'm not GP, but what drove me towards MT and away from Ubnt was Ubiquiti's history of violating the GPL [1].

[1] https://news.ycombinator.com/item?id=9331512


Is the Mikrotik any better in this regard? Has anyone taken them up on the offer of a GPL source code CD?



Windows? The MT RouterOS web interface works very well in both Chromium and Firefox on Linux for me.


The web interface works fine for me on macOS, as well as the CLI. But it's far from centralised configuration management. Sometimes you want to tinker, but sometimes you just want to deploy something (at friends'/family's) that works and, when you return to it in a few months, continue where you left off without going through every device's configuration or the documentation that is obviously not there, as those side projects often don't allow you to 'allocate' time for that.


Which router is iffy for you, Edge or Unifi? The Auto VPN tunnel being right in with all my other network and wireless settings is nice. It's fairly obvious from my posts I'm awarding a lot of value to consolidated management.

If you buy the APs individually, they come with power injectors; if you buy a 5 pack, they don't, and it's easier to home run back to a single switch. Fewer things to get unplugged.


Mikrotik routers were just hacked pretty badly. I'm not so sure they are competent enough with the security of their routers now, even if their routers are otherwise good value.


CVE-2018-14847 was responsibly disclosed and patched. However, the problem happened with routers that did not get updated. This is no different than any other unpatched software.

https://blog.mikrotik.com/security/winbox-vulnerability.html


You can also 'cloud' host a unifi controller on a VM somewhere and set up the APs for "layer 3" management, where when you originally provision them you tell each AP to register to a specific hostname. It's all done over TLS. Each AP just needs to be able to get a DHCP lease, default route out to the internet, and to resolve hostnames. A small Unifi controller can run on a $10/month VM if you don't want the 'cloud key' device on premises.

Or if you happen to have your own hardware on premises a unifi controller on debian can be a really small Xen VM that runs at an average load of 0.02, your xen or KVM hypervisor can be as small as an Intel NUC stuck to a plywood board on the wall of a telecom room in the building.


I agree with this, I don't even use a VM somewhere I just run it on a system I already had at home and point a lot of other sites at it L3, no issues in a few years. Obviously it depends on the kind of uptime and home setup you've got, but the take home should be that running a Unifi controller doesn't inherently have to cost anything, not even for L3 adoption. There is zero cloud tie-in needed, or even colo/VPS or whatever, not via Ubiquiti and not for any other 3rd party either. You certainly can use any of those if you consider the advantages they offer (which can certainly be very real!) worth it, or just plain like to do it that way.

Unifi absolutely has flaws and missing parts that are easy to run into if you push into more powerful aspects of networking, but overall it's a delightful foundation, and critically to me was the feature of zero online dependencies. I feel like that's the Net at its best, a smooth progression from your own random kit all the way up to multi region failover hosting or whatever but purely based on bandwidth/uptime/maintenance/cost considerations, never any permanent ties. Can centralize/decentralize/move around/selfhost/colo/contract out at will. Unifi can match where you're comfortable with, it has pleasant pretty safe defaults, and they're great about long term updates and support. At the end of the day I can forgive a lot over that, particularly given the contrast it is with so many other offerings.


My home unifi controller doesn't even 'run' 99.9% of the time, it's not necessary to have the controller online once the APs are provisioned. It's just a debian stretch virtualbox VM that lives on my laptop, with its virtual ethernet interface bridged to the laptop's physical interface. I bring it up on the same L2 fabric as the APs if I need to make any changes, and then suspend it again.


>My home unifi controller doesn't even 'run' 99.9% of the time, it's not necessary to have the controller online once the APs are provisioned.

That's also a good point, the reliability is solid and things won't fall apart even without a controller. That said the controller is necessary for certain nice extras like stats, guest portal, etc. Granted the average HN crowd may have other appliances or systems to manage that, and plenty of people do use a controller locally installed on a notebook purely to adopt and setup APs and then never worry about it again, but given how cheap the minimal VM needed would be or Ubiquiti's local "cloudkey" (worst name ever, has nothing to do with the cloud, it's just a stick computer dedicated for this), I think it's worth considering having a controller running if someone was going that way anyway. Might as well have the management console up all the time. My only point was that running it is highly, highly flexible.


For comparison:

UniFi Cloud Controller

$299.00/year for up to 10 devices

$498.00/year for up to 20 devices

$697.00/year for up to 30 devices

+ $199.00/year per 10 additional devices

When I include my time, one less thing to break or be misconfigured, one less vendor involved, etc... $299+ a year is worth it vs $120 a year + AWS/Azure, but if you're trying to do it on the cheap, I agree with you.

Does the Unifi mobile app work with the setup you described?


For me, that's really overpriced, since the ongoing maintenance and updates on a debian stretch based unifi controller (which is just a JRE and a blob of ubnt provided software) is super simple and takes maybe 20 minutes of my time a year. I have a ton of things doing different network infrastructure purposes that are also based on debian stretch amd64 so it's barely any additional effort.

You can easily control 50 to 100 ubnt APs on the cpu, ram and disk resources of a $10/month VM. Big difference between like $700-900/year and $120/year.


Does the Unifi mobile app work with the setup you described? If you are outside the network? Do you use a vpn client to connect your phone back inside the network?


Yes, it should. Assuming you're running your unifi controller on a public ipv4 /32 somewhere on the internet (at some commodity VM host), it's entirely up to you how you want to lock down access to it. Some people do leave the TLS1.2 web browser admin control panel login exposed, but on a non standard port, other people set up iptables ACLs to only allow traffic from a certain IP range, other people set it up so that you can only reach the admin control panel login page over openvpn. Entirely up to you and depends on your level of experience with linux sysadmin/firewalling tasks.

However I am more in favor of having the unifi controller on the same premises as the APs, or at least in the same metro area network as the APs, in your own private network. Just throwing the L3 management option out there for people who truly want 'cloud' hosted everything.


>more in favor of having the unifi controller on the same premises as the APs

But when your premise is MANY sites across the country, and you are using a single controller, only ONE site gets the controller on prem, OR you have many controllers running.

>Big difference between like $700-900/year and $120/year.

At the end of the day, it comes down to what my time is worth doing other things (not how much I'm paid, but the opportunity cost of me managing management interface infrastructure, stability, and resources). Unifi cloud, for lack of a better phrase, just works.


> But when your premise is MANY sites across the country, and you are using a single controller, only ONE site gets the controller on prem, OR you have many controllers running.

Yes, totally agree. In that sort of scenario, with many premises, you would set up your own internal L3 management of the APs, in your own management VRF, in RFC 1918 IP space.


For the cost, I'd agree that Ubnt gear is quite good. I use it at home, and rarely have any problems.

That said, I'd like to provide one caveat: In my experience, they tend to not do great in very noisy RF environments. Twice now I've deployed Unifi APs in offices with RF spectra similar to what the OP has going on, and we had nothing but problems. In each case, we ripped out the Ubnt gear, replaced with equivalent Ruckus APs (with their cloud controller) and haven't had a single problem.

I admit this is not a large sample size, but thought it worth mentioning.


I've had similar issues with Ubiquiti in a noisy RF environment. The 2.4GHz spectrum was extremely saturated and people were frequently dropped whenever they were on it. Thankfully, the neighbors aren't using 5GHz too much--I just turned off 2.4GHz for our own WiFi and it seems to have solved the issue. Still, very annoying and took a long time to figure out.


Yes, we actually considered that. Unfortunately in our use case, there were many 2.4GHz-only IOT-type devices that needed to be on the network, so we couldn't turn off 2.4GHz. It helped a bit when we turned down the 2.4GHz Tx power - that seemed to encourage more devices to jump over to 6GHz, but even that didn't solve the problems altogether.

I'm not an RF design engineer, but for this type of equipment, I do feel like there's some truth to "you get what you pay for". It's plain to me that the Ruckus APs have superior RF front-ends that are better able to deal with the noise. They're more expensive than Ubnt for sure, but that extra cost was very much worth it for us, to avoid the frequent disconnects that the users were having to deal with.


I found vastly more expensive Meraki APs to deal with noise way worse than Ubiquiti (but that's all I've used so I can't compare to others).


I have seen the exact same thing: 2.4GHz runs a little overpowered, causing interference. Turn it down a little, it doesn't need to be off.


As a counterpoint, we run Ubiquiti gear at large conferences (NAB in Vegas, IBC in Amsterdam). Thousands of people, hundreds of WiFi networks - pretty much a nightmare.

At NAB we're often the only booth with functional WiFi. Not using anything special really, just well configured UniFi mesh APs.


We also went from Unifi indoor AP gear to Ruckus gear. The difference is like night and day. I don't understand why, but we never had luck with the Unifi or Ubnt indoor gear. The Ruckus units we deployed just work brilliantly from the beginning.


My company does a lot of Ruckus deployments and they are brilliant: they have a radio built in just for spectrum analysis, so each point can choose the perfect channel, none of this manual setting stuff.


I wish OpenWRT came with easy-to-configure out of the box fast roaming and a centralized configuration solution. It’s otherwise excellent, and my home network based on OpenWRT works quite well.


Just DDGing now, I found this 2 year old thread:

https://www.reddit.com/r/openwrt/comments/515oea/finally_got...

Is this still valid? If so, it seems quite doable if you're already comfy SSHing into your router.


Probably. But it needs manual key setup, and the debugging the author used required manually recompiling wpad.


>You can either pay a couple hundred a year for the management interface, or $80 for an on prem tiny little stick that hosts it.

…or download it (no cost), put it on a desktop/laptop running Windows, macOS or Debian/Ubuntu, and use it when it's needed.

https://www.ubnt.com/download/unifi


> You can either pay a couple hundred a year for the management interface, or $80 for an on prem tiny little stick that hosts it.

Or save more and put it on a Pi. If you have no idea what you're doing it's a great intro into the world of networking, ssh, Linux and docker, Ansible etc. But yes, this loses the cloud features.


IIRC, depending on your use case, you don't need the controller running 24-7.

Before I got deeper in the Unifi ecosystem, I just ran the controller on Windows when I needed to (when I only ran 2 APs -- in that case, you only needed an always-on controller if you wanted to run the captive portal).


I always second a Ubiquiti recommendation. They have a great range of products that can serve people wanting robust home networks up to small business scale networks. In college I set up our fraternity to run on an EdgeRouter Lite and 4 UAP-ACs and we went through 2.8TB a month with no issues.


Yes, this is a really technical looking article, with exactly the wrong approach. I wrote up a quick thing a few weeks ago about how we set up our office WiFi (tiny office - ~25 people), on Ubiquiti: https://blog.uncommon.is/dr-ubiquti-or-how-i-learned-to-stop...


If you're in a position where you have a small number of APs (less than 5), the Ubiquiti product may appear to be overkill.


I've found that the threshold depends not so much on number of APs but on number of simultaneously active users/devices (arguably the ratio of those per AP, rather than total).

An office of 30 people sharing 3 APs will encounter problems even if those same APs would have worked just fine for a family of 4 living in the same space.

I've even found this to be true in a residential setting with consumer APs, where reducing the number of devices (by plugging into wired ethernet things that don't often move, such as media players and printers) tends to improve range and throughput for others, without adding more APs.


I sincerely question the value of a managed WiFi system for less than 5 hotspots. I am even more dubious of the need for a cloud service; WiFi should function without the need to phone home.


> I sincerely question the value of a managed wifi system

I'm not suggesting that there's necessarily value in "managed", but your parent comment was about the Ubiquiti product being overkill, which is a much broader statement.

The GP certainly advocates for management, but that's neither the primary value delivered by the overall product, nor the majority cost (even with a single AP). IIRC, this may not hold for competitors, such as Ruckus, where even the lowest-end "controller" is quite pricey.

> wifi should function without the need to phone home.

AFAIK, Ubiquiti's products can be run standalone, only requiring management software for initial configuration.


> AFAIK, Ubiquiti's products can be run standalone, only requiring management software for initial configuration.

This is correct. I only power on the controller VM when I want to make a change. I do think a few features, like the captive portal require the controller to be online.


No, this is where they really shine. Ubiquiti is often referred to as “enterprise lite”, where if you really need scale usually other options are better. But at a small scale, they are excellent.


I'm curious: can the router you linked (https://www.ubnt.com/unifi-routing/usg/) run adaptive QoS with fq_codel on a 1Gbps/1Gbps connection?

I know it's not a common setup, but some of the ISPs that do fiber to high-rises offer that.


Usually these blogposts are written to raise the awareness of your company. In this case, not in a good way.


Generally pretty solid advice. I say that as someone who is known for solving tough wireless problems. :-)

On the cable termination part: I've (mostly) stopped crimping cables because I've had too many go flaky and don't have 4-5 figure testing equipment. One thing I'll add is that there are ends for solid conductor and stranded, make SURE you have the right ones for the cable you are using.

These days I always just put on keystone ends and then use commercial patch cables from there. I've had very good luck. I'd recommend against the advice to use a screw driver to punch them down, the Leviton ones I prefer you just put the cap on and they punch down themselves. The random ones I get from Ace Hardware have a little punch tool included.

One additional recommendation I have is to put 5GHz radios in each space. 5GHz has more spectrum, and less interference, but it penetrates drywall significantly worse. But that's a good thing, because it cuts down on interference from your neighbors.

Beware of microwave ovens, baby monitors, cordless phones (last 2 more in residential areas). They can be intermittent interference, and won't show up on the non-commercial spectrum analyzers. Our 2.4GHz used to go out when we'd run our brand new microwave. But it would also go out at other times, possibly when a neighbor ran theirs? 2.4GHz penetrates buildings quite well, which kind of sucks.

My credentials: https://www.tummy.com/articles/pycon2012-network/


>> I've (mostly) stopped crimping cables because I've had too many go flaky and don't have 4-5 figure testing equipment.

I just redid a lot of the ethernet wiring in my house, and it's super easy compared to how I did it 10+ years ago.

If you use EZ-RJ45 jacks (the only way to go, imo), it's super easy to get cables working properly the very first time. The wires feed through the jack so you can verify wire order before crimping.

I spent less than $200 on the tools I used to do my wiring:

* EZ-RJ45 crimper

* RJ45 cable tester with probe and toner (this was easily the most important tool I bought)

* Punchdown Tool

* An adjustable Cat 5 stripper

Out of the several cables I did, I only had one with problems, I wired one end backwards (it was before I had my morning coffee), and it was quickly "debugged" with my cable tester.


I had a look at those EZ-RJ45 ends when someone else replied about them in this thread and noticed that they are rated for solid or stranded, which I think would help. They look pretty good.

I've installed a few (and have a few more to install) of the Ubiquiti cameras, and I've been using keystone at the end and then patch cables. That has worked well, but I'd be tempted to just crimp the outside end. I'd have to see how the shielding works with the crimping, that gear is all on shielded cable per spec. Shielded plenum rated cable is kinda spendy...


I just finished installing the G3AFs (outside) and G3 Flexes (inside) at my house, and I crimped the outside ends.

For my outdoor cameras, I used outdoor rated cat6 solid. It's a little harder to work with, and I had to buy a spool of 1000 feet because the 500 feet spools were out of stock when I needed them.

Are you using back boxes? I think it would be extremely hard to use keystone and patch cables given how little room the cameras have for running the cables, especially the G3AFs with the shielded cables if you are not using back boxes.


I'm not using boxes, I'm putting them under the eaves, mounted to the plywood. I drilled a hole just big enough to fit the keystone through (1"? 1.25"? I forget), then I put the keystone on it, put a grounded patch in that, and pushed it up inside the hole. Then I mount the ring and plug the camera in, and mount the camera. The cable runs are in the attic.

This is all the G3 Dome, they didn't have anything else when I bought the cameras. I thought about putting a G3AF mounted from the upper eaves to get another view, but haven't done that yet. That'll be a bit more of a project.

I'm fairly happy with the setup, but it's kind of a bit flaky. The motion detection fires all the time, with wind blowing trees or the like. Then it'll sometimes cut off in the middle of a recording when it seems like it should be detecting motion. I've been wanting to put an SSD in their little appliance, or just migrate that appliance to a Ubuntu host of my own, but haven't done that yet. The hardware seems solid, but the software seems flaky.

A coworker has the Nest cams and those seem to be a bit less flaky. I may need to reevaluate this before I go further in, and it's been a year, maybe there's something else I should look at.


For the G3/AFs, you feed the wire into the mount, which is tight especially if you're not aiming straight ahead (which I assume few people are doing). The Flex gives you more leeway, but because the cameras are inexpensive, the wall mounts for them are reflective of the cost savings, which means "not great".

The motion sensing is quite sensitive and there's no machine learning behind the analysis like there is with Nest. I prefer the Unifi Video's motion sensing set up over that of Zoneminder which I was using before.

I find myself creating less-sensitive motion sensing zones where I know there are plants/trees that are going to blow plus where they might cast shadows.

The "before" and "after" settings for motion detection are pretty important if you think your footage is getting cut off at the beginning or the end of the clip. I use a setting of 5 seconds.

Since I came from crappy wifi IP cams, I've been very happy with my setup.

I'm currently using an inexpensive NUC as my Unifi Controller and NVR. I have four cameras recording on motion sensing (the others are for monitoring only). The only time I have issues is when I run Duplicati in the background to backup the video files to a NAS. Duplicati is a bit of a pig, but I'm not a Linux expert, and Duplicati was familiar and easy to set up.

From everything I've seen and heard, Nest is great, but I find the subscription fees to be excessive, but ymmv based on your own needs.


Been There, Done That, Bought The T-Shirt.

Solid core is generally for premise wiring (PVC-jacketed in walls, PTFE-jacketed through ducts); stranded is typically for patch cables. If you try, like the first place I worked at in the mid-90s, to put stranded ends on solid-core wire, you will get broken tools and unreliable cables.

There are cheapo Chinese cable tester kits on eBay, AliBaba and Amazon that do a good-enough impedance test at GbE spectrum to not have to spring for a Fluke "will-survive-nuclear-winter" "official" tester. Backfilling connectors with epoxy is another idea to avoid corrosion... as long as it doesn't affect the impedance or dielectric values much. No-snag boots and axially aligned label zip ties are also a big help. Barcode-label and floorplan everything.

Finally, always test every cable with iperf3 (two laptops, or one laptop with two ethernet ports) and reject for reworking/replacement any cable with abnormal latency or bandwidth figures.

PS: our head-office networking guy was awesome; worked 10% time just to keep benefits since his wife was GOOG's first admin.
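As an added example for the iperf3 acceptance test just described (not part of the comment, and not iperf3's own code): a small Python checker that reads the JSON report `iperf3 -c <server> -J` emits and marks a cable for rework when received throughput or TCP retransmits fall outside a threshold. The three reports are constructed by hand to look like iperf3 output, and the thresholds (85% of line rate, 10 retransmits) are my assumptions, not anything the commenter stated.

```python
"""
Accept/reject a cable run from an iperf3 JSON report.

For a TCP run, iperf3's JSON has an "end" object holding "sum_sent" (with a
"retransmits" counter) and "sum_received" ("bits_per_second"); connection
failures come back as a top-level "error" string. Added example for this
thread; the reports below are constructed, not captured.
"""
import json

# Constructed: a healthy gigabit run.
REPORT_GOOD = json.dumps({
    "end": {
        "sum_sent": {"bytes": 1_179_000_000, "seconds": 10.0,
                     "bits_per_second": 943_200_000.0, "retransmits": 0},
        "sum_received": {"bytes": 1_178_500_000, "seconds": 10.0,
                         "bits_per_second": 942_800_000.0},
    }
})

# Constructed: a run stuck near 94 Mbit/s with many retransmits. On gigabit
# gear that pattern usually means the link negotiated 100BASE-TX because one
# of the four pairs is open or miswired.
REPORT_BAD = json.dumps({
    "end": {
        "sum_sent": {"bytes": 117_500_000, "seconds": 10.0,
                     "bits_per_second": 94_000_000.0, "retransmits": 412},
        "sum_received": {"bytes": 117_200_000, "seconds": 10.0,
                         "bits_per_second": 93_760_000.0},
    }
})

# Constructed: what iperf3 prints when the server is unreachable.
REPORT_ERROR = json.dumps({"error": "unable to connect to server: Connection refused"})


def evaluate_iperf3(report_json, link_bps=1_000_000_000, min_fraction=0.85, max_retransmits=10):
    """Return {ok, mbps, retransmits, reason} for one cable under test.

    min_fraction: received throughput must reach this share of the link rate
    (0.85 is an assumed floor that leaves room for TCP/IP framing overhead).
    max_retransmits: assumed tolerance before the run is flagged.
    """
    try:
        data = json.loads(report_json)
    except json.JSONDecodeError as exc:
        return {"ok": False, "mbps": 0.0, "retransmits": None,
                "reason": "unparseable report: %s" % exc}
    if "error" in data:
        return {"ok": False, "mbps": 0.0, "retransmits": None, "reason": data["error"]}
    end = data.get("end", {})
    try:
        rx_bps = float(end["sum_received"]["bits_per_second"])
    except KeyError:
        return {"ok": False, "mbps": 0.0, "retransmits": None,
                "reason": "no sum_received in report (UDP run or truncated output?)"}
    retransmits = int(end.get("sum_sent", {}).get("retransmits", 0))
    mbps = rx_bps / 1e6

    problems = []
    floor_mbps = min_fraction * link_bps / 1e6
    if rx_bps < min_fraction * link_bps:
        problems.append("throughput %.0f Mbit/s below floor of %.0f Mbit/s" % (mbps, floor_mbps))
    if retransmits > max_retransmits:
        problems.append("%d TCP retransmits (limit %d)" % (retransmits, max_retransmits))
    return {"ok": not problems, "mbps": round(mbps, 1), "retransmits": retransmits,
            "reason": "; ".join(problems) if problems else "pass"}


if __name__ == "__main__":
    # Labels are made-up cable IDs for the demo.
    for label, report in (("run-12", REPORT_GOOD), ("run-13", REPORT_BAD), ("run-14", REPORT_ERROR)):
        v = evaluate_iperf3(report)
        print("%s: %s (%s Mbit/s, %s)" % (label, "PASS" if v["ok"] else "REWORK", v["mbps"], v["reason"]))
```

iperf3 measures throughput, not latency, so retransmits stand in for the "abnormal latency" half of the commenter's rule: a cable that passes the wiremap but shows hundreds of retransmits on a 10-second run is usually marginal (bad crimp, wrong plug type for the conductor, or CCA cable) and is cheaper to redo now than to chase later.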


It might be worth mentioning that CCA (copper clad aluminum) cable which is sometimes sold with misleading descriptions in places like eBay and Amazon, is not the same as solid copper and should be avoided for power over ethernet applications.


Fluke is one of those used-to-be-good now-abuses-their-reputation companies anyway. They're in a mode of milking consumer trust for what it's worth until it's gone.


It’s only sort of passively mentioned in the article but I am AMAZED at the number of people who don’t hardwire everything they can.

Obviously phones are out, but why not hardwire every laptop when it's at the desk? If someone's using an actual desktop computer like an iMac then what's the point of Wi-Fi? Clear up the signal space and get a 100% reliable and ultra fast connection.


You could say the opposite I guess.

I'm AMAZED at the number of people that bother hardwiring everything they can for no reason when they have no interference issues.

Why go to all the effort of hardwiring every laptop at every desk?

If someone's using a laptop and moving around the office, why cable every desk when you can have gigabit wifi wherever you are?


Because gigabit wifi turns to 50 Mbps when the office gets big enough. There is only so much spectrum to use. Plus if you're already connecting monitors when you have your laptop at your desk, the Ethernet adapter can be part of the dock.


When the office gets big enough, you reduce transmit power and add more access points so that there's enough spectrum to cover each desk.

Aruba Networks equipment was used at my alma mater, and is also used by $dayjob. I've also had good experiences with employers using Cisco Meraki.


Even a single AP, single client, 160 MHz AC wave 2 2x2 connection in clear airspace has less max theoretical throughput than a gigabit hardware (1.7 vs 2).

What makes a sane high density 5 GHz office design with 40 MHz channels (theoretical 400 mbit/s, real usually ~200-300) work is that office workers don't actually need that decent of a connection, just a guarantee voice jitter won't be >10 ms and that throughput will be "fast enough".


Wired:

    PING 10.0.3.1 (10.0.3.1): 56 data bytes
    64 bytes from 10.0.3.1: icmp_seq=0 ttl=64 time=0.737 ms
    64 bytes from 10.0.3.1: icmp_seq=1 ttl=64 time=0.636 ms
    64 bytes from 10.0.3.1: icmp_seq=2 ttl=64 time=0.701 ms
    64 bytes from 10.0.3.1: icmp_seq=3 ttl=64 time=0.633 ms
    ...
    --- 10.0.3.1 ping statistics ---
    8 packets transmitted, 8 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.516/0.644/0.737/0.075 ms

Wifi:

    PING 10.0.3.1 (10.0.3.1): 56 data bytes
    64 bytes from 10.0.3.1: icmp_seq=0 ttl=64 time=6.713 ms
    64 bytes from 10.0.3.1: icmp_seq=1 ttl=64 time=3.508 ms
    64 bytes from 10.0.3.1: icmp_seq=2 ttl=64 time=2.425 ms
    64 bytes from 10.0.3.1: icmp_seq=3 ttl=64 time=2.127 ms
    64 bytes from 10.0.3.1: icmp_seq=4 ttl=64 time=4.057 ms
    ...
    --- 10.0.3.1 ping statistics ---
    22 packets transmitted, 22 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.429/3.769/16.722/4.054 ms

Depending on what you're doing, this can make a HUGE difference.
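An added example (not from the thread) that parses ping output like the two captures above and reports the consecutive-sample jitter a voice call cares about, next to the min/avg/max/stddev summary ping prints; the sample reply lines are the ones quoted above, and the 10 ms limit is the voice jitter figure mentioned earlier in the thread.

```python
from __future__ import annotations

import re
import statistics

# One reply line of BSD/macOS or iputils ping output.
PING_LINE = re.compile(r"icmp_seq=(\d+)\s.*?time=([\d.]+)\s*ms")

# Sample input: the reply lines quoted in the thread above (the captures
# there are truncated with "...", so the statistics cover only these samples).
WIRED_PING = """\
PING 10.0.3.1 (10.0.3.1): 56 data bytes
64 bytes from 10.0.3.1: icmp_seq=0 ttl=64 time=0.737 ms
64 bytes from 10.0.3.1: icmp_seq=1 ttl=64 time=0.636 ms
64 bytes from 10.0.3.1: icmp_seq=2 ttl=64 time=0.701 ms
64 bytes from 10.0.3.1: icmp_seq=3 ttl=64 time=0.633 ms
"""

WIFI_PING = """\
PING 10.0.3.1 (10.0.3.1): 56 data bytes
64 bytes from 10.0.3.1: icmp_seq=0 ttl=64 time=6.713 ms
64 bytes from 10.0.3.1: icmp_seq=1 ttl=64 time=3.508 ms
64 bytes from 10.0.3.1: icmp_seq=2 ttl=64 time=2.425 ms
64 bytes from 10.0.3.1: icmp_seq=3 ttl=64 time=2.127 ms
64 bytes from 10.0.3.1: icmp_seq=4 ttl=64 time=4.057 ms
"""


def parse_rtts(output: str) -> list[float]:
    """Return the RTTs (ms) of the reply lines, in icmp_seq order."""
    samples = [(int(m.group(1)), float(m.group(2)))
               for m in PING_LINE.finditer(output)]
    samples.sort()
    return [rtt for _, rtt in samples]


def packet_loss(output: str) -> int:
    """Count missing sequence numbers between the first and last reply."""
    seqs = sorted(int(m.group(1)) for m in PING_LINE.finditer(output))
    if not seqs:
        return 0
    return (seqs[-1] - seqs[0] + 1) - len(seqs)


def rtt_stats(rtts: list[float]) -> dict[str, float]:
    """min/avg/max/stddev as in ping's summary line (population stddev)."""
    return {
        "min": min(rtts),
        "avg": statistics.fmean(rtts),
        "max": max(rtts),
        "stddev": statistics.pstdev(rtts),
    }


def jitter(rtts: list[float]) -> dict[str, float]:
    """Inter-packet jitter: absolute RTT change between consecutive replies.

    The mean and the worst delta are what a voice stream feels; the summary
    line's stddev smooths the spikes away.
    """
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    if not deltas:
        return {"mean": 0.0, "max": 0.0}
    return {"mean": statistics.fmean(deltas), "max": max(deltas)}


def voice_ok(output: str, limit_ms: float = 10.0) -> bool:
    """True if no packets were lost and no consecutive-sample jitter spike
    exceeds limit_ms (default: the 10 ms figure used in the thread)."""
    rtts = parse_rtts(output)
    return bool(rtts) and packet_loss(output) == 0 and jitter(rtts)["max"] <= limit_ms


if __name__ == "__main__":
    for label, out in (("wired", WIRED_PING), ("wifi", WIFI_PING)):
        r = parse_rtts(out)
        print(label, rtt_stats(r), jitter(r), "voice ok:", voice_ok(out))
```

Run it against a much longer capture (several hundred replies over a busy hour) before drawing conclusions; the five lines quoted above are too few to see the 16 ms outlier the summary line reports.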


Although I'm skeptical (though see below), as the sibling comment is, that this small an increase in best case latency would make a difference in a typical office environment, I'm curious if it was (as close to) apples-to-apples as possible. That is, was it comparing 802.11ac to gigabit ethernet (or 54/108 Mb/s Wifi to 100Mb ethernet), and were the interfaces connected the same way (e.g. both via USB or both via PCIe/Thunderbolt)?

Despite my skepticism, I've seen that, in the typical office setting, wireless latencies can vary much higher. It stands to reason that, no matter how well-engineered, it's still a shared medium, which means that congestion or interference caused by a neighbor can ruin someone's VoIP call during the time it's happening.


Both computers are connected to the same Unifi network. One was a Macbook Pro using the built-in wireless (ac; listed as 144 Mbps in the Unifi controller iirc) and the other a Mac Mini connected via cable (1Gbps). They both pinged the router, so all traffic was local. There are no other wifi networks nearby (single family house area, 50+ meters between houses), and basically no other traffic on the network.


I'm interested in what situations 3ms difference (16ms max) makes a difference in an average office environment?


It makes a huge difference when copying lots of files over SMB, for example.


I've never heard that, but I also don't use SMB heavily (especially over Wifi) to begin with.

Is there a site you can point to that details the protocol's latency-sensitivity?

If something like bulk file transfer is at issue, a ping test with sizes closer to the MTU (e.g. 1480 bytes) would be a closer simulation of those latencies.


It's just what I've experienced myself when copying a lot of files. E.g. "add 50k photos from network drive to Photos" or "perform initial Time Machine backup". Over cable I'd say it's at least twice as fast, haven't done any measurements though.


That also raises the question of whether it's implementation-dependent (especially if Apple optimizes AFP over everything else), rather than generally applicable to SMB, not that this would negate the validity of the example.

> Over cable I'd say it's at least twice as fast

That could be because of the bandwidth difference, if wireless isn't 802.11ac (or if the cable isn't 100Mb/s).

Is it also the case that copying a single file of comparable size doesn't show the same speedup?


We're about to move ~800 people into a new office and we're going Wi-Fi only when we do. Several reasons:

- Cost avoidance. Hard wiring a new fitout is expensive, and in our case costs $200k for the structured cabling alone (ignoring the switch port cost, and the fact that we'd be deploying Wi-Fi anyway for roaming)

- Better roaming experience. USB3 docking made the desk experience better for staff but USBC has made it worse again, to the point that we get all kinds of random crap happening when roving from wired to wireless. This could (and will eventually be) fixed with some attention, but when we were considering Wi-Fi only for the office, mitigating this issue was a nice bonus.

- Reduced end-user network requirements. With most end-user applications being moved behind a web interface, the trend is for far lower fat-client throughput requirements. I don't see that changing any time soon despite the additional bloat being introduced to a lot of web front-ends. There are still special cases that do have high throughput requirements (raw media work, mostly) but it's a fraction of the user base.

- ROI on existing wireless infrastructure. We have significant investment in a proven enterprise wireless infrastructure (Aruba) that we can extract far more value out of by bumping up access point density and attaching all clients onto.

- Competing nonsense avoidance. In my sector, fibre to the desk is the current load of bollocks that we're being railroaded into adopting. I've side-stepped that whole debacle by shifting us entirely across to something we had to deploy anyway - Wireless.

- It fits a theme. We're doing wireless stuff in a ton of other places at the same time: Wireless bluetooth headsets for telephony. Wireless screen casting (Miracast, Airplay and Chromecast) for meeting presentation. Wireless bluetooth conference phones for audio conferencing. If I could nail some kind of bluetooth webcam for vid conferencing, I probably would push for that too.

- We have the underlying capabilities to effectively support wireless-only, such as dedicated network staff with appropriate skills (Wi-Fi is its own specialist subject aside from conventional networking) and the right investigative/monitoring tools (in our case, Spectrum analysis, heatmapping, air monitoring and such all come out of the Aruba mobility controller/Airwave systems we already operate).

There are risks to doing this, and you want to run a solid proof-of-concept ahead of committing your organisation to it. But that's achievable, and there's no reasons a sufficiently mature organisation that's trying to work more flexibly can't treat wireless as a first-class connectivity option.


As a fellow large Aruba user I'd recommend extreme caution with how much you're pushing the BT stuff for telecommunications in a high density wireless environment. We've had that bite us in the ass a few times already. A lot of stuff doesn't mind running slower but telecommunication/video hates jitter, loss, and delay far more than anything else and you're putting it on the lowest end wireless infrastructure you have.


Yeah all of this coincides with moving people across to soft phones and headsets. Most users are heading to wired headsets which will keep a lot of Bluetooth out of the airspace, but a few will have BT headsets (and many have just obtained their own).

The other big gotcha with wireless is catering adequately for guest devices. In more permissive environments (such as ours), catering for 3 devices per staff member is a good starting point.

You also have to decide how/if you want to prioritize corporate over guest traffic, and that's not as straightforward as it first looks.

We're fortunate that our user base (800) is spread over a significant floor area, and four separate large floors. We're also pretty much alone in our space, so less outside interference to handle. It was far worse at my last organisation (also Aruba), where not only were we surrounded by very noisy neighbours but we also had far higher floor density, coupled with the navy docking right next to the building which would regularly wipe out our wireless, site-wide, for random amounts of time.


You got a wifi problem? I'll bring the cable.


Don't forget the dongle too.


If you're based in SF and want to have a high quality boutique IT shop work with you, without hiring IT staff yourself, then I can't recommend https://www.boxit.net/ enough.

I was managing consumer grade routers for the company since its inception until we switched to Aruba APs (which are awesome <3) and then eventually to an office with a real firewall, several APs, and a switch for 100+ cabled desks. The folks at BoxIT were a real life-saver at that stage, both for the initial setup and proactive monitoring of your network's health over time. Having your staff spend brain cycles on this stuff isn't the best ROI IMO.

The one thing to watch out for is VoIP in SF office buildings. Our APs conflict with about 300 other APs in the area, so getting reliable VoIP for your sales people over WiFi is not even worth trying. We got lucky and inherited an office where the previous company learned that the hard way and wired every nook and cranny with ethernet.


Thank you!!


My startup purchased Meraki, and we don't have to deal with many of these issues. We also paid an electrician to do wiring and crimping. SDE time is expensive and we want the team focused on building our product, so we made the tradeoff to pay more for the network gear and installation. As a result our entire team, engineering and everyone else, has network access that "just works". This was true when the 35 person team showed up at our last office for the first time, and continues to be true.

The configuration is done through a hosted dashboard that also provides monitoring. We're in a heavily regulated field, and the Meraki dashboard provides a lot of evidence for compliance audits. It also enables us to remotely control devices (e.g. lock, wipe, locate) and investigate issues when integrated with the Meraki MDM solution.

We did have to tune the bitrate for wireless.

We also cannot set up redundant VPN tunnels to AWS (Meraki only supports one tunnel for non Meraki VPNs), so we have to do manual failover. This is my biggest gripe with Meraki. We are investigating adding a Cisco ASA to handle site-to-site VPN to AWS with redundant tunnel support.


> Use fast DNS servers

I use GRC's DNS Benchmark tool[1] for this whenever I set up DHCP somewhere, and the results are sometimes surprising. If you're on a *nix or macOS, it runs well under Wine.

[1] https://www.grc.com/dns/benchmark.htm


This is great if you're at home or there's no IT team like in the article (a dream come true!) but if you're in a more corporate network these kinds of tools will usually ping NSFW servers.

I also prefer namebench (https://github.com/google/namebench) since it runs at the command line.


What sort of DNS server is NSFW? I can't imagine that any DNS benchmark would need to reach out to anything other than a DNS server. If I recall correctly, the GRC DNS benchmark uses a set of domains set up expressly for the benchmark itself.


Disclaimer, I haven't looked at GRC explicitly, but often tools like this will

* check whether a range of domains are censored by the DNS

* lookup a bunch of domains and ping them to check whether the DNS server is returning properly localized addresses using EDNS - Cloudflare DNS is a good example of one that was not (at least a few months ago)


Yes, I just used dig's reported timings:

    dig triplebyte.com @1.1.1.1 | grep 'Query time'
    ;; Query time: 2 msec
    dig triplebyte.com @8.8.8.8 | grep 'Query time'
    ;; Query time: 21 msec
but could imagine doing a more thorough benchmark like the one you linked if my results weren't so dramatically different!
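An added example, not from the thread, that repeats the comparison above with a stdlib-only resolver timing loop: it sends the same A query to each resolver several times over UDP and reports the median and worst case, since one dig run mostly tells you whether that resolver happened to have the answer cached. The resolver addresses and the query name are the ones quoted above; the internal-resolver entry is a placeholder to replace with whatever your DHCP hands out.

```python
from __future__ import annotations

import random
import socket
import statistics
import struct
import time

# The two resolvers compared above, plus a placeholder for an internal one
# (assumption: replace "192.0.2.53" with the resolver your DHCP hands out).
RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8", "internal": "192.0.2.53"}
QNAME = "triplebyte.com"


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def response_matches(resp: bytes, txid: int) -> bool:
    """Accept only a reply to our transaction id with QR set and RCODE 0,
    so a stray or failed packet is not counted as a fast answer."""
    if len(resp) < 12:
        return False
    rid, flags = struct.unpack("!HH", resp[:4])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0


def query_rtt_ms(server: str, name: str, timeout: float = 2.0) -> float | None:
    """Time one query; None on timeout, unreachable server or a bad reply."""
    txid = random.randrange(0x10000)
    pkt = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(pkt, (server, 53))
            resp, _ = sock.recvfrom(512)
        except OSError:  # timeout or no route
            return None
        elapsed = (time.perf_counter() - start) * 1000.0
    return elapsed if response_matches(resp, txid) else None


def benchmark(resolvers: dict[str, str], name: str,
              trials: int = 10) -> dict[str, dict[str, float]]:
    """Median and worst RTT per resolver, plus how many queries got no answer."""
    results: dict[str, dict[str, float]] = {}
    for label, ip in resolvers.items():
        rtts = [r for r in (query_rtt_ms(ip, name) for _ in range(trials)) if r is not None]
        results[label] = {
            "median_ms": statistics.median(rtts) if rtts else float("inf"),
            "max_ms": max(rtts) if rtts else float("inf"),
            "lost": trials - len(rtts),
        }
    return results


if __name__ == "__main__":
    for label, stats in benchmark(RESOLVERS, QNAME).items():
        print(f"{label:12} median {stats['median_ms']:.1f} ms  "
              f"max {stats['max_ms']:.1f} ms  lost {stats['lost']}")
```

Because it only ever queries the one name you pass in, it can be run on a corporate network without the unexpected lookups some benchmark tools make.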


wow didn't think it was this much of a deal but can confirm

    dig triplebyte.com @1.1.1.1 | grep 'Query time'
    ;; Query time: 5 msec
    dig triplebyte.com @8.8.8.8 | grep 'Query time'
    ;; Query time: 35 msec


Pro tip: Keep your router/managed switch configurations in source control as text files.


Biggest issue I have with the solution proposed is the recommendation to avoid DFS channels. These channels are much "cleaner" as adoption is less due to added cost caused by extra design and certification.

Radars are pretty static and do not come and go (especially weather radars), so the router does not need to move from the channel pretty much. False alarms can be an issue but if one has a decent quality router, it should not be very often. Furthermore, after a radar detection (false alarm or actual), routers can switch to non-DFS channels and start operating immediately.


With the caveat that some clients really have trouble with DFS channels. Generally not a problem if you're refreshing your office with new wireless though.


UniFi is already mentioned elsewhere in the comments, so this whole post is likely redundant. If you're at the level of cobbling together consumer routers, even flashed to DD-WRT/Tomato/whatever, change. If someone on your team is Cisco certified from a previous life as a network engineer, and insists you use Meraki kit and pay the fees, well, you're in SF and paying SF salaries anyway, so probably just go for it.

If you run a full UniFi stack, you can view your entire topology in the dashboard--it'll tell you which switch port or access point/SSID a client is connected to. Here's my home topology:

https://imgur.com/MnJwHiB

Note that most switches are double-uplinked for 2000Mbps throughput, and there's a 10-gigabit core router. 10gbe isn't nearly as expensive as you might think, especially for very small teams. It is possible to get access points to deliver 500-700Mbps speeds, too--that's going to depend a lot more on your device's radios than anything. See speed benches for UniFi kit at: https://goo.gl/RL4kkW

This guide doesn't cover VLANs, but it probably should mention they exist. Any IOT or networked camera type devices that don't need Internet access shouldn't be allowed egress, and VLANs are an easy way to implement network segregation. You almost certainly want a guest network too, both wired and wireless.


> There’s no IT team at startups

Uh, what? Are you nuts? Hire somebody.


I work for an MSP servicing small businesses, Triplebyte sounds like one of our clients. I guess since they're developers they think IT is optional and they can save on costs (and/or their time is worth less than ours, which I doubt). And then later those decisions come home to roost and it costs more to pay some company like ours to come in and do things properly. I mean hell with modern wifi like Ubiquiti or Meraki you shouldn't even have to think about half the stuff in this article.


> Hire somebody.

This is easier said than done, even if they're convinced it's worth the money.

Not only are startup founders faced with the usual problems associated with hiring competent technical people (ironically a problem the OP is attempting to help), but this would be hiring someone whose competence they'd be much less qualified to evaluate.

This effect can be seen in "DevOps" (as a title) postings from startups that emphasize Dev (programming against a cloud API and/or "automate everything!"). That kind of redefinition is much harder to do convincingly for office IT.


I've tried all kinds of WiFi gear over the past 5 years -- Apple, UniFi, Aruba Instant -- and all of them have been unsatisfactory in one way or another:

* Most of my client devices are from Apple, and I easily got the best WiFi performance overall with 802.11ac-capable Airport Extremes, which is impressive given how relatively cheap they are. However, I'd like multiple SSIDs, and Apple gear can't do that (the guest network support doesn't count). Regardless, Apple is out of the game, so this isn't a long-term solution.

* The UniFi gear had terrible 802.11ac performance, even when my devices were in the same room as the WAP. At the time, I was using first-gen 802.11ac hardware from UniFi, so it's somewhat understandable, but the poor performance combined with 2 of the units failing within the first 6 months didn't leave a good impression.

* The Aruba Instant WAPs were reliable and got good performance (though not as good as the Apple WAPs), but I'm not a fan of their licensing. Without a support contract, it was possible to hunt down the latest firmware updates, but they didn't make it easy.

I recently bought a PC Engines APU3C4 with a mini-PCIe WiFi card and a couple of Chaohang antennas [1], and I'm contemplating building my own WAP. This would give me all of the configurability and tweaking that I want, and I could deploy it as just another piece of my personal little devops pipeline.

However, I don't know much about the RF side of things. I'm aware there's a lot of black magic involved, but it's not clear to me how much performance and/or range I'm going to lose by piecing together COTS stuff versus a professionally-engineered solution from Ubiquiti et al. If anyone who's reading has built their own WAPs, I'd love to hear from you.

[1] https://www.amazon.com/gp/product/B01E29566W


I've heard multiple people saying Apple wireless APs perform so much better than others. I really wish someone could do a technical deep-dive and explain how Apple did it.


While it doesn't really matter whether you use EIA-586-B or EIA-586-A so long as you're consistent, I've been told that EIA-586-A is the standard in Canada.

addendum:

Re crimping RJ45 - the better way to do terminations is to use the EZ-RJ45 pass-through plugs like the ones made by Platinum Tools. You need a special crimper, but it's night and day easier. If you're using AWG23 Cat 6, you also need to make sure your plugs can handle those wires (not an issue with the Platinum Tools plugs).


Isn't it 568? The OCD in me went off seeing the post refer to 586, and then 586-B as the standard. Both wrong.

https://en.wikipedia.org/wiki/TIA/EIA-568

"ANSI/TIA-568 recommends the T568A pinout for horizontal cables... The standard also allows the T568B pinout, as an alternative, "if necessary to accommodate certain 8-pin cabling systems"... Many organizations still use T568B out of inertia."


Typically the cable manufacturer will have a recommendation but in AU I pretty much exclusively use B unless the manufacturer of the cable being used requires A for some reason (like, they spool the strands a certain way, so you might get less AXT with A vs B or some such)


Only thing I've found annoying about passthrough plugs is it's easy to not quite cut the wires flush with the end of the plug. This can make the plug not seat fully.

At least, this is true for me. Maybe I did it wrong.


I think this depends on which crimper you use. I used a cheapo crimper from China I bought off Amazon (I wasn't doing enough terminations to justify Platinum Tools' top of the line crimper which cost more than 2x what I paid) and it was leaving maybe a mm or less of wire hanging off, because of the crappy tolerances.

On the other hand, I saw some videos on Youtube of people using other cheap crimpers, and they were getting clean flush cuts. Luck of the draw is a big thing when you get the cheaper tools.

Originally I thought that 1mm or less was preventing my plugs from seating fully but on further inspection I found that the locking levers on my plugs weren't consistently locking. I made the mistake of not using the matching Platinum Tools strain relief boots for my plugs, which actually have a piece of plastic that pushes the locking lever up a little more to ensure a more secure mating between the plug and port.


Holy crap, that is awesome! I might start crimping my own cables again! Nah, but still good to know.


When you're deploying multiple APs you also want to turn down the broadcast power on them. If the signal of multiple APs overlap too much, clients won't roam onto the next AP in time.

Also don't be afraid to hire someone to do a wireless survey - or do it yourself. Someone will walk around with a laptop, and try to find wifi blackspots/hotspots, and can recommend adjustments to AP power and/or placement.


Yep, and disable the lowest data rates, particularly if you have decent coverage. The AP is forced to send certain types of traffic at the lowest available data rate so everyone can hear it so you save a lot of airtime on that traffic but also clients will be more likely to roam because they can't "stick" to a far away AP at a really low data rate even if they wanted to.


Shame that security wasn't really addressed, other than the brief mention of WPA2-PSK. I feel like PSK in general is a horrible idea in an office environment. Lots of people + lots of devices ≈ shitty password which never gets changed.

But then I still haven't had any luck setting up a WPA2 Enterprise config that works on all devices.


wondered too how they didn't even mention WPA2 Enterprise

I thought that was the de facto standard in office environments. It certainly is for EDU


> Multiple access points should share the same SSID. They must have exactly the same security settings (same password, exact same mode, i.e. WPA2-PSK Personal) for clients to be able to automatically roam between APs.

I will also add to this, consider having all the APs on the same channel. My experience is that some OSs (I'm looking at you, Windows) don't roam properly if the following three things are not the same:

1. SSID

2. Authentication/Encryption

3. Channel

It does sound like the author has deployed consumer access points. For a proper office scenario centrally managed is the way to go. Finally, never use WPA2-PSK Personal in a work environment. Use proper back-end authentication such as RADIUS or MAC filtering, or a 'Register me via a captive portal' system with a central LDAP type user directory.


I had to change my SSIDs on my 5Ghz and 2.8Ghz WiFi because Macs used to confuse themselves and constantly disconnect.

Using the same name for both didn't work


Your problem is using the same SSID for both frequencies. Have a single SSID for all your 5Ghz APs and another for the 2.4Ghz ones.


That's the opposite of what this article says to do, which I think is why the above commenter mentioned it.


We had internal debates about different SSIDs for 2.4 vs 5 GHz, but in the end, this is the optimal configuration we landed on.

I was also surprised by how slow S3 was with a single download connection, but really fast when using aria2 to parallelize the download.


Putting 2.4 and 5 on the same SSID is a recipe for sadness. OSX does very poorly at deciding which band it should be on, and 2.4 is largely useless in most of SF. OSX also tends to be pretty sticky. The worst is that it uses RSSI as its metric rather than SNR.


I know that at least with my Ubiquiti access points I simply set them to prefer 5G and they will move clients over to that. I have had limited issues with roaming and such with that enabled.


The recommended setting for Band Steering is Balanced I believe. Probably depends on how many clients are connecting.


Yeah what I've done (at home) is use separate SSIDs, everything connects to 5 GHz, and 2.4 GHz is only for legacy devices without 5 GHz support.


I use either axel or lftp’s pget (works on SFTP) all the time. Being in Australia the 200-400ms latency means I frequently won't get full speed otherwise.


I have gigabit internet at my house and a single WiFi access point. I am running dual SSIDs, one for 2.4GHz (don't use it), and one for 5Ghz (use it). The 2.4Ghz is set to auto-channel, but the 5Ghz I statically set to channel 161 (5Ghz, 80Mhz). It shows a Tx rate of 866Mbps, and on SpeedTest.net I get around 400ish Mbps up and down. Sometimes going further back into my apartment I have to connect and disconnect from WiFi in macOS.

Should I try using a lower 5Ghz channel such as 36 or 40? Won't that decrease overall throughput? My understanding was the higher the channel number on 5Ghz, the theoretically higher the throughput.


I really wish MacOS would allow you to choose which band or BSSID to connect to.

Every so often I have to physically drag my laptop to the superior AP and restart wifi to get my laptop to stop connecting to the bad AP.


I believe Ubiquity has an option to force clients off of individual APs when their signal falls too low.

Bad for WiFi at distance but good for roaming within an office.


The setting is a mbps setting. If the negotiated rate falls below X, disconnect.


Nah it's RSSI-based.


That's not how they visually expose the setting in the GUI. You choose a transmission rate floor, not a power amplitude minimum.

https://i.imgur.com/imKDQ14.png

There is also a minimum RSSI, but it's a per device setting, not a per site setting. https://i.imgur.com/Z6Jsxjl.png

Fast Roaming and 802.11 Data Rate Control are the way I would set this setting, vs trying to pick a manual dBm.


Dial down the transmit power on your more distant AP so your laptop won’t think it’s the closest one.


I disagree on the channel width. Yes, a packet uses double the bandwidth, thus double the chance of collision. But also half the time so half the chance of collision.

And you can get more channels than 3, if you use 20MHz channels, not the 22MHz channels, by simply not using 802.11b. Only use g&n and you get four channels.

And do use the DFS channels, exactly because people like this author are not there to congest the channel. Just make sure you have non-DFS too while the DFS AP is in listen mode.

So this article is very much not written by an expert.


Anyone have a recommendation of a company in the Bay area that solves this issue for startups? Someone I can just call, have onsite and get my people back to work in <5 business days?


do you mean strategy/planning/design/bestpractice or troubleshooting and implementation? the former can get complicated if you don't scope right, which is why business analysts and enterprise architects exist. just because you're a startup, doesn't mean you don't want to explore where components can be reused, how many places you need to log in to manage your company, how things complement and overlap each other, and which vendor you should use for which service. good foresight and some lucky guesses can make your life easier later. when you buy three kitchen sinks, and they all offer payroll services, you have to pick which is authoritative. same with file services, corporate planning, financial forecasting.

where do you want to put your portfolio management, in something dedicated like clarizen, smartsheet, or wrike; somewhere simplistic like asana or trello, with finance like anaplan. now that anaplan is on the table, it might change how you feel about adaptive insight. now you might need to replace your gl. losing adaptive insight for anaplan might push you away from workday and towards ultimate, because of the ownership structure (not at all a technical decision.) ten cascades later, you are asking yourself aryaka+hyperv+qumulo+simplivity+ruckus+salesforce+gsuite+adaptiveinsight+workday or velocloud+esxi+nasuni+nutanix+ubiquiti+anaplan+dynamics+office365teams. your either-ors become complex and intertwined. you might think some of these decisions are just "IT/technical" but at the end of the day every decision cascades into another, changing the scope of the next decision.

if my somewhat silly rant didn't make my point: too often companies want to outsource decision making that belongs in the c suite, that can give them a competitive edge, if done right, in house by magicians. you lose your magic and secret sauce by going with what everybody else does. it's akin to whatsapp being erlang based vs going with metoo ruby. or how newspaper publishers have an edge when they also develop the hosting platform and license to others (vox chorus, gizmodo kinja, wapo arc, say tempest, bi viking, vs wordpress.)

https://www.wsj.com/articles/why-do-the-biggest-companies-ke...

http://www.niemanlab.org/2018/09/newsonomics-the-washington-...


Yes, I have a solution for this. Email in profile.


I'll do it.


> Multiple access points should share the same SSID. [...]. If you use separate SSIDs [...] it will often lead to laptop users remaining marginally connected to an AP they’re barely within range of.

I constantly run into this issue in my home network. Is solving it really just a matter of reconfiguring the routers to share the same SSID or is there more to it?


One more thing is required - the different APs must all be on the same layer 2 network. 802.11 (WiFi) clients, by design, assume that all APs broadcasting the same SSID provide access to the same 802 (Ethernet & friends) network, and so assume their DHCP leases and TCP connections etc. will carry over. If you break that assumption then roaming will cause issues.


It really is that easy in my experience. I had five APs at the last house and Android, iOS, MacOS and Windows all were able to hunt automatically as long as I had the same SSID. When I tried to get cute stuff got a lot less usable.


It’ll probably help. In practice it’s always still a little wonky. I think it’s on the OS to determine if/when there’s a closer AP to switch to


> connection requires only 8 of the 16 physical connections to be made successfully. A working 1000BASE-T (gigabit) connection requires all 16 of 16!

Small error here, should be 4 of 8 and 8 of 8, respectively ;)


The sentence you copied started with an important qualifier: "Counting both ends of a cable,"

> If you’re new to making cables

However, IMO if you're making your own patch cables, you're so far on the wrong side of what's reasonable that I don't know what else to say. Punching down horizontal cabling to jacks makes sense; there's no other choice. Making patch cables is an enormous waste of resources.


Never seen parallel s3 chunked downloading using `aria2c -x 16 -s 16 -k 4M -o ${OUTPUT_FILENAME} ${DOWNLOAD_S3_URL}`. Any drawbacks of this? Corruption?


Cool! Building big-office/building-size WiFi networks had always been such a huge pain... Thank you for sharing your experience!


On moving day ..? They rented office space and did not check the infrastructure? Glad you guys got power and running water.


> Don’t put 5 GHz on its own band.

Uhh, do they mean "don't put 5 GHz on its own SSID"?


I thought it was considered a GOOD idea to put the 5 GHz and 2.4 GHz APs on different SSIDs because some clients won’t connect to the faster one automatically. Or maybe it was because all traffic slows down to the lowest level.

Is that no longer an issue? Or maybe these aren’t problems as long as the 2.4 and 5 access points are physically separate.


You're right that many devices don't choose bands very well, so you should use an access point that supports band steering if you want to do this. Pro APs will support this and Broadcom-based AC consumer routers do also - need to read a review to know if a specific model works well though.


I think it depends on the use case.

I set up extra SSIDs for specific bands on my Unifi equipment to force some wifi gear (IP cams that have since been retired) to always connect to the closest AP.


Software has been written that will forcibly disconnect a 5GHz capable client that is found using 2.4GHz. How widely deployed this is, I don't know.

Avery did a talk about it (and other things) a couple years ago: https://apenwarr.ca/diary/wifi-data-apenwarr-201602.pdf


What's the point of using one SSID for both frequencies if you make roaming between them impossible?


The AP can make the decision as to whether or not it's possible. It has data about how well the packets are getting through on both bands (as long as the device probes both bands). If it sees that 5GHz is working, but the device is using 2.4GHz, then it can disconnect it from 2.4GHz. But if 5GHz doesn't work, then it can allow the client to stay on 2.4GHz.

Clients do pretty stupid things, which is why the AP is the right place to control this sort of thing. (If you have more than 1 AP, then you have signal strength data from the other APs, and AP A can disconnect the client and force it to use AP B. This seems to work better than letting the client decide on its own.)


Sure, as long as it's using real signal data to make the decision then things are good.


Yup. I can certainly understand the hesitation because it's basically two computer programs both saying "I'm smarter than you! No I'm smarter than you!" which rarely ends well.

But I think since WiFi clients are so varied in their intelligence, the ideal thing is to build the roaming functionality into the AP... because at least you have the ability to fix it once and for all for everyone. Whether or not currently commercially-available hardware does that, I don't know.


Supporting clients with 2.4-only devices without distributing two sets of credentials & avoiding a 5Ghz user accidentally picking the wrong creds.


Thanks -- fixed!


I run a pfsense + unifi network for the home and it's fantastic.


Don't you need a central controller for seamless roaming?


This is so boring it feels like a placed ad on hacker news.


Agreed. Can't understand the votes for this. This is literally IT 101.



