The saddest part is that we had many good engineers who could have continued to do amazing things with the UniFi momentum. So much time was wasted on dead end products like FrontRow. Most everyone I know left for jobs where we were treated better and paid more.
That said, I don't hear the best about the company (long working hours, not the highest pay) and have declined a job offer there myself.
As someone who lives in a low cost country: rubbish. There's a reason we're a lower cost.
1. We have a lower standard of education
2. We have a higher cost of technology (relative to average income)
3. We have a lower need for the luxury market where most technology resides
You can also look at the proportion of field leaders. Are more from the developed nations or the developing ones?
The developed nations had a headstart on technology, do you think the developing ones have overcome that, despite most of us going backwards in terms of access to education and the wealth gap?
Don't take it personally, I'm not trying to tell you that you're a bad developer. What I'm saying is we have to work harder to uplift our country's fields and not fall into the trap of "well I'm the biggest fish in this tiny pond so therefore I'm an equally big fish in the ocean". It does not work that way.
Lower cost of living does not imply developing nation.
Czech Republic or Poland or Taiwan are developed nations, all with a cost of living a fraction of the Bay Area's.
I see Ubiquiti dev center apparently moved to Latvia. You can argue it's a depressed region of the EU but it is not a developing country by any metric.
A lot of the engineering talent you find there is extremely limited in quantity, but it is untapped.
Overall I think it’s a step in the right direction as compared to other countries we’ve outsourced work to, but let’s not pretend Poland is an exemplary ray of developed industry and society.
Sure, if you take 300M market like US and pool all the best talent to west-coast, there is a lot of engineers. But the market is saturated, and it's nigh-impossible to hire a team of the magnitude you can get in Eastern Europe. Canada? Oh please...
Having worked (as a French) with dev teams over there, I can assure you they have a whole bunch of A+ devs and the market is very competitive.
You don't have problems with access to clean water in Poland. You ain't going to die from hunger in Czech Republic. There are no issues getting education in Latvia.
And mythical Anglo engineering talent, please. They are approximately the same anywhere you mentioned.
But I wouldn't think of the Baltics as such a place?
Instead, just handing over the code and infra to new people is risky in itself and can easily make security problems happen?
I'd like to also add that from my own perspective Ubiquiti gear and software is/was _exceptionally_ good. So converting to "just another network gear company" level of quality is going to have a much greater impact on my perception of the company compared to if this news of off-shoring came from say cisco.
In the US, good engineers don't have to tolerate abusive companies in exchange for good wages. Not all countries are so fortunate.
Almost forgot, but just last month my wife started complaining about the WiFi; turned out the latest firmware that was pushed to my UAPs is horrible. You have to turn off auto update and check reddit before upgrading firmware, what a joke!
> I hope it's not "the company is declining because the company moved talent to countries where developers are cheaper"
We probably agree the cost of developers varies considerably in different locations.
Companies operating in markets where local developers are expensive (I work near London for example) sometimes decide to outsource development to locations where it is much cheaper (e.g. India).
What I have seen (admittedly just anecdotally, not carefully studied and subject to bias) is a correlation between companies that don't value high quality software development and companies that are happy to dump a substantial part of their development efforts on cheap developers overseas.
Such companies don't care about their existing team - developers who are expensive but have built the software and understand it, and are to some extent understanding the end customer (often filling gaps left by product managers in smaller organisations). They just see their development team as a huge cost that needs to be reduced. Or they have trouble hiring locally.
When the daily rate of developers overseas is substantially lower, the company also doesn't care about those developers. They will want to outsource the least creative and satisfying work to them. They want to just fire and forget: "here's the spec, go and build it". Lower productivity is less of an issue if the "resources" are cheap. I'm over simplifying and I'm sure some companies try to work more in equal partnership but you get the picture.
Also, the move to outsourcing is often done suddenly; it's more like wielding an axe than an organic growth or shift in development model. Companies don't tend to invest in overseas developers as individuals.
In my view it's not great for either set of developers, or for the customers of that company. Perhaps when done right it can be more beneficial and I hope things will improve overall.
You cut my quote short of the important part which was "and employees complained less about constant crunch mode". It is easier to "trap" engineers in countries where average salaries are lower by offering them 20% over market rate and then threatening to fire them if they don't work constant crunch hours. We were promised very large bonuses that never arrived.
> That said I don't hear the best about the company (long working hours, not the highest pay)
It is a sad situation. The pay was very good and the working hours were reasonable when I started, but that changed for the worse. That is why all of my peers left the company.
My company started doing the same and erosion of knowledge is really bad.
You are saying the same as the parent. Expecting “short” hours is seen as “feeling entitled”... There are countries where people are not willing to work in those conditions.
Bottom-of-the-barrel developers bring even greater savings, and paying peanuts has always been a great way to get monkeys.
Are there any other "prosumer"-type devices on the market that could replace a Dream Machine? If Unifi is going downhill it doesn't seem like I'll be going with them for a replacement.
Opnsense forums have lots of recommendations for hardware, which is the path I went recently. I went with https://protectli.com/, which are just some rebranded hardware sold on Alibaba, but they provide support on top of the hardware.
I actually reversed this choice and am back to using the Unifi Controller again - pfSense is superb in production or more-networking-enthusiast style environments, not so nice for "average" home. I used a 5-ethernet port fan-less Intel Atom box almost identical to the one you linked for my homemade pfSense router while it was running, for that purpose it was pretty good.
But at the same time, I run Google WiFi points as I don't want to deal with them. :)
The benefit of UniFi is that you can centrally control a bunch of switches. It's definitely overkill and overpriced if you just want an all-in-one.
I keep hoping that one of the OpenWRT snapshots will fix it, but this is something I've been fighting with for years on multiple pieces of hardware.
Separate 5G and 2.4G SSIDs are no issue in my experience-- it's multiple SSIDs on one phy where Atheros goes wrong.
I really want WiFi6 gear... but given that there's no real OpenWRT support yet, and how long it's taken 802.11ac to mature in OpenWRT (it arguably hasn't yet), it's kind of discouraging.
Maybe you have known-bad hardware in regards to driver support, but that is absolutely not to be expected.
I had been considering trying out some of their gear, but perhaps I might not bother now!
I replaced my ISP-provided all-in-one box (Orange in France) with an EdgeRouter 4 and it is many, many times more stable. The crap you get from the ISP does not compare.
The management is horrible and how they designed it is horrible as well (from the OS perspective) but once it works, it works.
Data leaks happen! It shouldn't but that's just how the world is. UI has been honest about it, and informed every customer as a precaution. (I assume they're still investigating).
I can't be sure, but since UniFi Video went offline at the same time the breach was announced, a week earlier than it was scheduled to, that might have been the entry point.
In any case, the UDM (despite all the negative talk) is a fine machine, and does what it promises to do. If you want similar performance you're either looking at building something yourself, or paying twice of what you paid for a firewall appliance. The Netgate SG-3100 has less performance at twice the cost.
You need a UI account to set it up, but that doesn't mean you have to allow managing it from the cloud. Disable the cloud controller access and any access to your firewall configuration will have to happen from your local network. I'm unsure if you can disable the UI account, but I have a spare UDM sitting around so I will test it.
What disappointed me is that some aspects are really unfinished, and it looks like there's no intention of it to be fixed.
For example we bought their pro firewall (which has been out for years); it's got 2 WAN ports for automatic failover. To use the 2nd WAN port I had to switch the UI back over to legacy mode. OK, weird, but I guess the new UI is still sort of new. But then it turned out that to configure automatic failover in the most common way, I needed to ssh in and edit configuration files manually.
It didn't turn out to be very hard, but it was just jarring. One of their flagship products, and of the 4 ports it has, 1 port is not supported in their main UI and its most common use is not possible even in their legacy UI.
Unifi Protect has similar incompleteness issues.
I don't think there's a company that does it better than Ubiquiti right now, just disappointed that it stops there.
I've been running Ubiquiti gear for years, from a single 2.4GHz UAP with the Edgerouter products, to my current setup with UDM Pro, 10 GB backbone and multiple NanoHD access points, and to use an Apple quote, "It just works". I don't have a complicated setup, just some basic VLANs, firewall rules, radius assigned VLANs via MAC, and IDS/IPS, so maybe that's why I'm not having any issues with it.
I have the technical skill to set it up from scratch if I wanted a second day job, but I don't anymore. I've run on homebuilt devices, on a Soekris net4801, on an Alix APU1D4, on m0n0wall and pfSense in various configurations, latest on a Netgate SG-3100, and while the SG-3100 comes very close to being a network appliance, it still managed to crash to a point where I was flashing it and setting it up over a USB cable, and while Netgate support was very helpful, that's hardly something you'd ask the average consumer to do.
On the access point side of things the only real contender would be Meraki, but those are 2-3 times the cost of UniFi gear. You could of course also get a bunch of Zyxel/Netgear/whatever consumer devices and put them in bridge mode, and lose all central management.
I would generally expect the UI to be for enthusiasts, with the more advanced functionality hidden in the CLI (kind of like Windows). WAN failover probably isn't super popular among enthusiasts.
I used to have several Ubiquiti USG devices as well as their EdgeRouter.
I moved to pfSense as it's open-source, more stable, and gives you much better control/configurability on your hardware. There's a great ecosystem of packages on pfSense that you can install via the web UI, making it really feature-packed for a homelab.
However, recently I've been moving from pfSense to VyOS, which is basically a stripped-down Linux distro, with a heavily tuned FRR routing stack built on top of it.
VyOS is an open-source fork of Vyatta, which was previously owned/released by Brocade networks.
It operates with a CLI, like many enterprise/commercial routing products. It takes a bit of getting used to, but it's really great to use in practice, and makes it easy to diff configurations, or rollback changes, or copy the same configuration across multiple devices.
And of course, it integrates with config-management software like SaltStack/Ansible (via Napalm), which is something that pfSense. If you have multiple pfSense devices, you basically need to point/click via the web UI on each one.
For APs - Ruckus is great, as is HPE/Aruba (they have a new low-cost line that's targeting the Prosumer market) - they have both been leaders in the wifi field for ages, and have things like AP handover, RF tuning/optimisation, adaptive antennas etc down pat.
The wiki is good and the community is really friendly. If you have networking experience or want something to tinker with it's a nice deal. If you want something you can set and forget I'd look elsewhere though, as the UI is not friendly at all.
Their WiFi APs are behind the curve (no mu-mimo even afaik), but you can just hook up some other wAP if you need the newer protocol features.
What I do is keep a Mikrotik router that does all the heavy stuff and hang wAPs off of it as needed. I especially love capsman for wAP management. They do have all-in-ones of course, just not my cup of tea.
The hardware is indeed a bit lagging, I'm not arguing there, but it's not always (only) the hardware that makes it prosumer.
Hardware stats and software features are severely behind the curve, but it mostly just works and you don't really need those features anyway.
certainly not prosumer
It is on the expensive side, but the hardware is beefy and you get vendor's support for OpenWRT out of the box.
Did you try? I did.
The controller UI shows you a hole in the left part of the diagram and explicitly tells you "no routing control without USG"
I have several Unifi switches and a controller (running on an rpi) on my network but I use my own router. I can setup VLAN access ports and trunks all day on the switches no problem, but I can't control the layer 3 routing between those VLANs with the controller, which is what you're talking about. By setting up a gateway/network on each VLAN from my router I can control routing. It's just not as slick as having a USG where it's all controlled via the controller UI.
It is not all nicely integrated together if you use a separate router (obviously), but it's not like it makes it impossible. It's not even difficult... at least not any more than it would be in any other setup.
I’m a big fan of the ecosystem and I’ve recommended it to many people but I’m constantly astonished by the slow pace of hardware updates.
I am aware of the UDM Pro and USG Pro but those things are expensive 1U monsters. Maybe fine for SMB use but this is for home use and I’m very space constrained.
If Ubiquiti made a small footprint security gateway with some modern hardware (the USG3P is some 8 years old at this point!) I’d buy it in an instant.
Not sure where to go next, but it probably won’t be Ubiquiti.
Robert Pera (the CEO) got his start in the industry in San Jose.
1) You start a .app that sits for a few seconds then requires you to launch the browser by clicking a button. While using the browser, you can't close the extra window for the controller.
2) On the browser, you go to a localhost website that has an invalid TLS certificate (you get a "Not Secure" warning) and have to click through to the unsafe website (and it's still like that in my current Unifi version).
3) The login page doesn't let you use the Chrome password manager, so you have to type it all in each time to access a local program.
4) In the web UI, the icons are not intuitive, and some combination of circles and rounded rectangles.
5) The new UI makes it seem like you can configure things that can't actually be configured outside your router.
6) Speaking of your router, Ubiquiti's own EdgeRouter routers aren't supported in the Controller UI. They require a completely different interface.
In case anyone thinks the problem with the certificate is something to do with my own setup, it's not. It's a universal problem [https://help.ui.com/hc/en-us/articles/212500127-UniFi-SSL-Ce...]
I haven't had the password manager issue you describe. KeepassXC in Chrome and Firefox both fill out my credentials successfully on the login page. I totally agree about the UX of the web application though. It feels like over time, options have become more and more hidden and the icons more cryptic.
- Without a valid SSL certificate, there's no way to tell whether you're actually visiting your UniFi controller or a honeypot. Ubiquiti isn't the risk here.
- UniFi features that depend on WebSocket and WebRTC are unavailable when using self-signed certificates. This includes live stats updating, device terminal, airView, etc. (Those features can be used in the cloud UI... if your Internet connection happens to be working fine.)
- Valid SSL certificates would be easy to auto-provision these days with LetsEncrypt. There are some minor challenges around port forwarding / relay, but that isn't rocket science. If Plex can figure it out, Ubiquiti can figure it out :)
What to say - maybe before assuming that someone "don't really know how any of this works" you may, just for a second, think that the person your comment is directed to has written a security reverse proxy and presented on that at one of the largest security conferences.
Or not, maybe that I really do not know how terminating traffic on MY reverse proxy and sending it upstream to MY ubnt controller works. Who knows.
I too have a working reverse proxy setup or few. I certainly don't expect something using a "localhost site" to come with valid certificates. Unless they somehow get a valid cert for https://localhost
Edit: apologies for the assumption, I didn't realise that you weren't the guy I originally replied to. I'm new around here.
Here's a review: https://seabits.com/teltonika-rutx11-lte-router/
I once worked for a company where there were some "grievances" between the programmers and the CEO (nothing major), but enough to elicit a "meeting" between all the devs and the CEO to "smooth" things over and build a better path forward. We were all in high spirits for the meeting and optimistic.
The very FIRST opening line from the CEO in the meeting was:
"How extremely lucky we(programmers) are to be working there..."
It all kinda just went downhill from there... 6 months later most of the programmers quit.
It's not traditional networking gear, sure, but I can certainly see the play they're making, so I wouldn't call this a scatter-shot approach.
But I think this is an example of them having ideas they only end up abandoning. They are now selling an access control solution, but would you trust them to be standing behind this in 5 years? Enough to deploy it to a customer building? Not me. Attractive for the hobbyist perhaps.
openwrt is based on Linux
I hope things are better now.
He's not wrong
Which is pretty hard to disagree with.
In this case, the cleaned URL that should have been posted is https://mailchi.mp/ubnt/account-notification
I'd argue that this feature is not worth the privacy invasion, but for it to work, you do need a secret in the URL that is always personal.
> The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several complained that the email sent to customers included typos.
Indeed: How am I supposed to know whether this email is really from Ubiquiti?
* There was apparently no official press release.
* All links in the email, including the "Change password" button, are to e.g. `https://ui.us8.list-manage.com/track/click?u=somehexnumber&i...`.
* The delivering server is `mail42.atl11.rsgsv.net`, the TLD of which doesn't seem to resolve in my browser to provide hints.
* Various news sites that reported this either just referred to "emails people got", screenshots random people got via Twitter, or link to the Mailchimp site, for which I'm not sure how to verify whether the "ubnt" account actually belongs to Ubiquiti.
Given this, how shall the normal affected user figure out that this isn't well-executed phishing?
It seems companies could do a much better job making it obvious that their emails are legit. Especially if they were just breached, and "Change password" buttons are involved.
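One concrete check a recipient (or a mail-filtering rule) can run on a notification like the one described above, added here as an example that is not part of the thread: parse the message, list every link target, and flag link hosts and the envelope sender that fall outside the vendor's own domains. The expected domains (`ui.com`, `ubnt.com`) and the message body are assumptions constructed for the example; the hostnames reuse the ones quoted in the comment above.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains the vendor is expected to send from / link to.
EXPECTED_DOMAINS = {"ui.com", "ubnt.com"}

# Constructed sample message modelled on the thread's observations; not a real email.
# The tracking-link query values are placeholders.
RAW_EMAIL = """\
Return-Path: <bounce-123@mail42.atl11.rsgsv.net>
From: Ubiquiti <noreply@ui.com>
To: customer@example.invalid
Subject: Account Notification
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please change your password.</p>
<a href="https://ui.us8.list-manage.com/track/click?u=PLACEHOLDER&id=PLACEHOLDER">Change password</a>
<a href="https://account.ui.com/security">Security settings</a>
<a href="https://mailchi.mp/ubnt/account-notification">View in browser</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    This deliberately ignores the public-suffix list, so 'ui.us8.list-manage.com'
    collapses to 'list-manage.com' and the misleading 'ui.' prefix is not trusted."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw):
    """Return all hrefs from the HTML (or plain) body of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    return collector.hrefs


def _address_domain(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_notification(raw, expected_domains=EXPECTED_DOMAINS):
    """Report which links leave the expected domains and whether the bounce
    (Return-Path) domain differs from them, as a phishing-triage signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _address_domain(msg.get("From"))
    return_path_domain = _address_domain(msg.get("Return-Path"))
    foreign_links = []
    for href in extract_links(raw):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in expected_domains:
            foreign_links.append(href)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_mismatch": registrable_domain(return_path_domain) not in expected_domains,
        "foreign_links": foreign_links,
    }


if __name__ == "__main__":
    report = analyze_notification(RAW_EMAIL)
    print("From domain:        ", report["from_domain"])
    print("Return-Path domain: ", report["return_path_domain"])
    print("Return-Path outside vendor domains:", report["return_path_mismatch"])
    for link in report["foreign_links"]:
        print("Link outside vendor domains:", link)
```

A foreign Return-Path plus foreign "Change password" links does not prove phishing (a mailing-list provider produces exactly this pattern), but it is the reason the recipient cannot distinguish the two from the message alone.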
I'm still quite annoyed by the fact that I was forced to migrate from Unifi Video to Unifi Protect - due to vendor lock in and the fact that the remote interface for Unifi Video was switched off this month.
I guess on the plus side - no one who is still using Unifi Video has to worry all that much.....
Hopefully it is just a case of resetting passwords and enabling 2FA if you haven't done it already - not entirely sure how much damage could be done otherwise, unless there is an undocumented backdoor into Ubiquiti products ?
Basically they are alienating their existing customer base (who have already paid a premium price for the prosumer product upfront and expect things to Just Work for the price) in favour of convincing the next idiot to fund their OPEX with shiny new features and toys that are a quick sell. Not realising (or unwilling to realise) that this strategy is completely in contradiction with their reputation and brand image as a trustworthy prosumer hardware vendor, and just adds to the underlying issue.
I predict that it won’t be long before they run out of cash or investor confidence and have to sell out to a large consumer hardware vendor with deep pockets that will try to capture the Ubiquiti premium margins by selling their lower-value existing consumer gear under the Ubiquiti brand. I applaud them for having come this far while maintaining most of their integrity and reputation, but I’m afraid their strategy is doomed to fail and it’s starting to show.
Yeah, this has been really baffling. Their settings UI has been in a transition state between "Classic Settings" and "New Settings" for years. Neither is complete. Some settings are only in New Settings (e.g. WiFi AI), while many more are only in the Classic Settings (e.g. allow multicast from Ethernet to WiFi).
The more of the old guard that leaves, the more of the old guard leaves. Then who is left to train the new people?
"Do not choose the skip option when running the Migrate Site wizard. If you do your devices may end up in a weird state."
For me, that’s a good outcome because I won’t be bothered by their updates for my currently-working unifi video setup anymore.
Alternatively, you can use their hardware with an alternative self-hosted NVR like zoneminder.
The cameras work just fine in standalone mode as RTSP sources.
One of the great things about ubnt was the ability to self-host their management software on a Ubuntu VM or container.
Why does every company, after demonstrating a lack of security, like to say this exact line? I can just imagine the PR person hovering over the shoulder of whoever authored the post yelling "make sure you tell the victims of this breach that we care!"
Maybe not technically a franchise. Not sure. There are a bunch in California.
> .. never had any safety issue so far
It's the 'so far' which really tickles me.
So they can take your security seriously, but they will be hacked, or they have already.
It was a light-hearted jest at the fact that this exact line is in every single breach notification I have read for the past few years.
The more serious point I was alluding at was not "just don't get breached", it was that the "we care" line rings hollow after the 250th time reading it.
They could have not done that. The users were probably unaware that their data was even placed on the cloud servers of some third party.
Ubiquiti used to be cool. They've taken a nose dive in recent years in several ways: Firmware upgrade suddenly including telemetry by default, forcing people to use their NVR appliance instead of installing their software on their private servers, etc.
Had Ubiquiti not moved people to "cloud solutions" an attacker would have to attack millions of peoples equipment. Now he only had to attack one providers network.
When did they stop allowing people to use a private server for central management? I see Unifi still has a network controller.
I'm thinking of "Unifi Video" that is going out (EOL announced six months ago), where you could either buy their appliance OR download an official .deb package and install the NVR software on your own server.
They replace that with "Unifi Protect" that comes ONLY as an NVR appliance. No more .deb packages. It also requires you to buy one of their other products (Cloud Key 2), IIRC.
I think it's expensive, but possible.
Do you have data to back up your claim that no one, ever has ever successfully remained secure?
The unknown unknown. How can you be sure all the "resisted actual attempts" been even detected?
... right up until the SolarWinds hack became public.
The point being, provable "we've never been breached" seems to have a way of turning out to be wrong. :/
Just because known attempts have failed doesn’t mean the unknown ones have too.
Not unheard of at Google, either.
Maybe you should know literally anything about the topic at hand before making sweeping assertions? I realise that's asking a lot here at HN, but it would improve the site a lot.
That will be the new norm in these kinds of announcements, I'm sure.
Just like SolarWinds dropping "Team City", saying "no evidence" of a breach of it. So why mention it at all?
‘We know they breached but don’t know what they did’ is an interesting statement. One POV is that they didn’t have sufficient logging and segregation to determine how widespread the breach was, the other is that they’re not arrogant enough to think their SIEM adequately captures everything.
Aren't they based in California which, if I remember correctly, has a law requiring them to notify the victims of a data breach?
Would they still have chosen to in the absence of such a law? We'll never know, I guess.
No, that is not what I'm saying. I'm saying don't put platitudes in a breach notification.
HAHA ! Too True !
Reminds me of getting "punished" as a child...
Parent: "Now remember this will hurt me more than it will hurt you"
PS. No children were abused in the making of the above comment. My parents were/are excellent!
WHAT? I bought this stuff so I could self-host and _not_ rely on other services. I guess I didn't do enough research when investing in new hardware. I didn't see anything in their spec. sheets or descriptions about needing cloud for Protect access.
I really like ubiquiti hardware but I got fed up with their software BS. Now I use either Mikrotik or TP-Link’s industrial offerings. Both are way easier to work with than ubiquiti and the hardware is usually in the same tier.
Do not get me wrong, I love Mikrotik, but easier would not be the word I would be using. This image (https://www.reddit.com/r/mikrotik/comments/jyjgnc/mikrotik_v...) sums it up neatly.
Also, Mikrotik is not directly comparable, you cannot replace Unifi Controller with Capsman.
So in the end, for APs, I'm using Unifi.
The big problem with the Ubiquiti thing is that it takes a long time to start, so if your usage model is to start it whenever you want to make a change it's rather piggish. If you start it once and leave it running forever on a dedicated device it's not nearly as bad.
Also it usually works fine, but when it breaks, it breaks HARD.
But every couple of days, the logs start to fill up with random java exceptions, then it starts leaking memory and eventually brings the host to a grinding halt and crashes.
I've had no troubles when using the Cloud Key Gen2 Plus, but I like the idea of the controller NOT being located on site.
After the initial installation and configuration was done, I've probably only logged into it a handful of times.
(With the exception of their APs and said controller, I avoid Ubiquiti as much as possible, though.)
Is there a better alternative? When I tested multiple routers mostly regarding low latency, network stability and reliability a few years ago nothing came close, especially when having multiple access points.
My primary use case for their gear at home was to have a router that can handle a LACP WAN bond for my fancy cable modem as well as connecting to a 10G Ethernet switch via copper or direct-attached SFP+ to a CRS-305 10G switch. Their RB-4011 was a perfect fit, without any of the Ubiquiti SSO/controller stuff to worry about.
I haven’t explored their WiFi products yet (still using an old router as an AP) but their product range is pretty broad. Might look into it this year though.
Also interested in what access points (besides unifi) people pair with mikrotik routers. Any wifi 6 recommendations?
If you just need one AP you can set it up in standalone mode and forget about it. If you want more monitoring and control you'll need to have a Ubiquiti controller running to manage things. (can run one in docker, on a rasp pi, or just buy their "Cloud Key" product.)
Unless you need any feature besides wifi at all. Then you need a controller and USG at all times.
I’m still looking for a proper WiFi 6 replacement that can hook up to my 10G core, ideally via 2.5/5/10G copper or preferably SFP+ DAC. Nothing’s jumped out at me yet though.
I've had a UAP AC LR at home for a few years and we've got about 6 UAP AC HD at work. We used the phone app to provision and after that you can pretty much forget about it. Great for small startups that want great coverage and don't have someone who's supposed to mess around with it.
Up until around a year ago I was on adsl2 with a highly symmetrical connection. I work from home mostly as does my partner, with constant syncing to various cloud services plus large uploads and downloads for work.
Maxing out the puny 1Mb of upload would render the entire connection completely unusable. Yes, you can manually limit various apps, but it is so much easier just to throw an edgerouter x in front of everything running stock smart queue or cake.
I'm on a faster connection now so uploads are not so much an issue, but even still it works a treat for things like gaming / VOIP.
On my previous ISP latency would reach 2000+ ms when I let Dropbox sync or downloaded a huge file. Even web browsing would time out. I used Tomato to prioritize DNS, my VoIP analog telephone adapter, the first 256KB of any HTTP(S) connection, and some 27000+ ports used by games.
My current WAN connection reaches 300 ms without fq_codel enabled. With it enabled there's no jump in latency.
Because there are so many features the setup is not as easy as some alternatives I'm sure. But the value proposition is great.
Their "RouterOS" is standardised over pretty much all of their kit. So after you have worked it out once you should be set for anything else.
At this point there are probably 20+ home Unifi networks that I'm responsible for recommending or setting up; doing the same with MikroTik might turn me into a full time sysadmin :)
> RB-4011 was a perfect fit
Huh, isn't RB4011 the one with the very weird "you can't use a DAC in the SFP+ port" limitation?
> haven’t explored their WiFi products yet
They seem extremely underwhelming, especially in terms of software support :(
https://help.mikrotik.com/docs/display/ROS/WifiWave2 — they're finally barely rolling out WPA3, MU-MIMO/beamforming, 802.11w — in an optional beta package for a beta version of the OS, currently on 4 devices, breaking 2.4GHz on one of them, and breaking CAPsMAN (centralized management).
Thanks for the update on the WiFi side of things. Seems likely that I’ll be looking to another vendor for APs, but that’s fine.
That said, my next router/gateway won't be from Ubiquiti. Though I'll keep using UI access points for now.
Check https://mikrotik.com/software for some demos and stuff.
I'm still using Wi-Fi 5 because it's fast enough and cheaper. My central AP is an IAP-315, with an IAP-305 in the garage, and another IAP-305 at the wall by the back yard. They're all PoE and linked with a wired backbone to form a single big coverage area using a single elected IAP leader as controller for the rest.
You shouldn't have trouble buying grey-market ones as long as you are careful to stick to the same regulatory domain for all of them. Aruba gear is available as USA/FCC, Japan, Israel, and RW (Rest of World) versions. I have operated RW units in FCC territory (proooobably legally but probably not worth the risk) by setting them to "US Virgin Islands" so they match FCC-allowed frequencies and power limits, but linking more than one AP still requires the hardware to be same regulatory domain.
For mad scientists though, the very open software stack is a good friend to have when 11th hour Requirements® dictate you must produce a rabbit without a hat, or rewrite your own domain-specific implementation to replace the Avahi service.
No experience with MikroTik.
With cloud news like this, it's nice to know about the availability of Ubiquiti's Network Management System which you can host and run wherever.
Also RouterOS does not seem open source.
WireGuard isn’t supported on RouterOS 6, which is the current stable version, afaik. RouterOS 7 (currently available in beta) did add support for WG in August though, as part of 7.1beta2.
It's great hardware but I'm no personal fan of RouterOS.
However, MikroTik seem to be making slow but steady progress with new features. Stability is still an issue to an extent, but for home use I could almost make the jump.
In fact, if I didn't use CAPsMAN to centrally control the multiple access points in my home, I would make the jump purely for fq_codel/cake AQM, Wireguard and WPA3.
Replace the US-24-250W PoE switch with an Aruba Networks S2500-24P (gigabit and PoE, 4x 10gig ports, quiet).
Replace the Cloud Key Gen 2 with BlueIris for camera controller. I expect this will be able to connect to the existing Ubiquiti cameras.
Possibly add one or more Ruckus R610 APs running in "Unleashed" mode to augment my Google WiFi. I'm happy with the Google WiFi, and in particular it has good tools for managing kids' access to WiFi. But the Ruckus APs are quite good and so I may move parent and IoT access over to Ruckus, and separate out IoT devices to their own network.
This is the end of phase 1. Then I plan to go on to:
Add an OPNsense router. Currently not using Ubiquiti for routing; the Google WiFi is our main router. Would like to gain additional capabilities like insight into what the kids are doing.
Replace the Ubiquiti Dome G3 with one of the less expensive 4K cameras if they seem to provide similar or better functionality. Also trying out the Wyze Cam v3, which seems ok and the price sure is right, but it is more of an augment camera than a main camera; I prefer wired and PoE.
I've been doing some research and those are the options that seem attractive. In particular, going with old enterprise gear looks to be a huge win. You do lose that handy "single pane of glass" management. But considering the problems I'm having with Ubiquiti, and the upgrades I've already done to try to get past them, with only some success, I can't bring myself to go further in on Ubiquiti.
Can you get free firmware updates from Aruba or do you need a support contract?
Similarly for the Ruckus R610 AP I mentioned: Those APs were a grand new, but you can get them for a bit over $100 on ebay. Linus Tech Tips did a comparison of it with other consumer units, doing heavy multi-device streaming, and Ruckus was the clear winner.
Yes, Ubiquiti looks like a good value and they make some very interesting products. I've used some of them to great effect over the years. But my experience with the NVR and cameras and switch and Cloud Key has been relatively bumpy. Enough so that I'm ready to ditch the convenience for up-front loading and hopefully something more reliable day-to-day.
Have you looked at the power consumption of the switch? I've run some enterprise gear at home in the past (my favorite was the E-450 Sun server which an ex-employer gave me for free), but when I started paying for my own power, I found that even if the hardware is free, the power consumption makes it expensive.
Most recent version is a couple years old, but it was EOLed 3 years ago.
Ruckus firmware seems to be downloadable from their main product page for the R610, updated a month ago.
Re power consumption, it looks like the Aruba pulls around 50W idle, and the Ubiquiti pulls 29W idle. Of course, if I can get rid of the second switch I've been running because the Ubiquiti keeps blocking the Google WiFi ports, that brings it even closer. :-)
With a male/male extension:
My current one I've nicknamed a "Pirate" RS232 adapter because it has the unfortunate and hilarious effect of duplicating the lowercase 'r' character for some reason (so I see Arrrrrrrrchlinux).
I mostly administer via SSH so it's all good at the moment.
I don't usually run any services since I prefer to dedicate boxes to things, but I have in the past run a number of services, including Minecraft and Minetest, on it and it flies. Really pleased with it.
There's Xeoma and Blue Cherry, neither of which I know very much about. Never heard anyone mention either of them. So I figured BlueIris was what I'd try. Seems to be what everyone on YouTube is using...
The other reason I decided to 'roll my own' was an in-line IDS. There seem to be 'hacky' ways to get Snort installed on the RouterOS platform, but the CPUs aren't really powerful enough to run DPI with a sufficiently large ruleset.
I also like the ability to use Ansible to manage my router/firewall. There are modules available to do this with RouterOS, but they don't seem nearly as robust and mature as the built-in Linux utilities.
I've had whatever routers before, but when using some VPN to hide the traffic from your home network, and if you have a fast enough internet connection, a good CPU is a must.
Outside that, the Wi-Fi part is hard to get right and smart switches are nice to have, but they are a PITA if the firmware is never updated and there's no single place to nicely manage it all.
I don't think the distro was ever security audited.
Do you have some better suggestions for the router software? I'd love to run Opnsense, but a native Wireguard client is a must, and so is a good web interface for the setup.
These are available from Europe, but I've heard good things from US about similar boxes, when I searched with "best pfsense computer". Not the same brand, but similar hardware.
Let's see how it works, but I expect it to be much faster than my current ARMv7 box. Of course if you have space for a rack, go with something actively cooled. In our apartment, we expect the router to not make any noise.
That said, it also says 'Pfsense', so I suppose more likely it's a typical 'Chinesium' listing.
The current ARMv7 I have goes to about 100 degrees Celsius and has a load in the range of 4 to 6 when downloading a bunch of data at full speed.
Edit: You would be better served by other boards from this benchmark repo for vpn usage: https://github.com/ThomasKaiser/sbc-bench/blob/master/Result...
While a Raspberry Pi might work for some folks, it's worth noting that these are two very different performance classes.
Ethernet adapter and USB speeds seem less than ideal.
It's definitely not for people like OP but may work for other people who don't want to pay much and still have something decent that they can hack themselves.
I have tried to flash open firmware on my router before but it didn't work out. I had a raspberry pi already so I decided to convert it into a router and use it.
I'm seriously thinking about pfSense or OPNsense, but FreeBSD still lacks native WireGuard support, leaving the encryption to the Go implementation, which is subpar for our use cases. But I'd be happy to run OPNsense, with jails and all those goodies from FreeBSD.
You were probably thinking of OpenVPN? WireGuard is not based on AES and thus has no use for AES-NI.
The cons are that everything has one or more "mikrotik" way of doing things, and it may not be intuitive to the new user. Also, although everything is included, you have to set it all up yourself.
They’re still sending out the email. Mailchimp will be rate-limiting the send rate to prevent email providers from blocklisting them.
Give it a couple of hours and no doubt you’ll have an email as well.
I just received it at 2:42 pm PST.
Make sure you turn off Remote access in your device.
Probably can leave on local login (w/Ubiquiti acct) but should turn on 2FA
You do need a Ubiquiti account to set up the hardware in the first place, but you can turn off cloud access and log in locally after that. And you should.
> can't see why disabling cloud login is a problem
I do agree it is a big limitation, and I am looking for alternatives as Ubiquiti do not seem to be prioritizing getting their app to work without remote login which is truly unfortunate, since the predecessor, UniFi Video, supported this.
When it comes to software, I'm conflicted. I like pfsense, but Netgate has gone a bit sour with the FLOSS community. I'd also consider OpenWRT, FreeBSD, OpenBSD.
I had to do some work to get it to boot properly, and it worked great for a year or so, but then it just died one day, and I could never figure out what its problem was.
Out of warranty by the dead date, never bought another.
Been using a $100 HP 8300 SFF with an i7 since, it's a bit overkill, but the price was right.
Just purchased a Lenovo M90n iot when it was on sale for $215, will see how it works out once I get it.
I haven't kept up with pfsense. Any chance for a tl;dr?
I think for some use cases this setup could be a nice alternative (and cheaper) to ubiquiti.
This is not a common use case; I was not interested in high bandwidth. I did try to disable beamforming and all other fireworks when testing though (but did tests with default settings too).
Honestly, unifi is great for what it is. What kind of IPS do you expect for $100?
If you want less risk, you need to move up the $ ladder.
The only issue I have with Netgate is pricing!
We are just as susceptible to the stuff haha.
So basically all you need to do is plug a laptop into a non-Unifi switch on someone's Unifi network and are able to breach the firewall.
Needless to say I was flabbergasted at the vendor lock-in strategy worse than Apple, and asked for a refund. Thankfully they complied.
I now have a hand-rolled OPNsense router that does everything I need, and with MUCH more configurability.
As another comment said, your strategy about breaching the firewall is confusing but it sounds like a configuration issue. If your aim is to default deny outbound traffic, or traffic from or across the LANs except for approved devices, that’s an achievable aim regardless of what switches are in the mix. If you’re trying to do port level security, you’d need a managed switch, Ubiquiti or no.
You had unmanaged switches on your network, and were trying to manage their downstream connections?
What exactly do you mean by 'breach the firewall'?
There is no way to identify any clients on your network that are either behind the switch or behind the airport (even in bridged mode). I would expect at least some list of clients based on DHCP leases or the ARP table, but they are not accessible through the UI.
I have a robotic vacuum from China, and I want to stop it from calling home. There isn't even a way to find out the IP or what traffic it's sending through the UDM Pro, and no way to set blocking rules from the UI.
I understand if they want to provide WiFi mesh support and other special WiFi features for Unifi devices only, but the supposed "enterprise grade" router and FW functionality should support standard network setups, since all traffic goes through the UDM-Pro, and it is certainly aware of the clients since it gave them DHCP leases, and they are in the ARP table (which is only accessible through the SSH command line) and are on the same subnet. It's unacceptable in my opinion.
The default logging may not capture the individual child clients, depending on your configuration (eg double nat), sure... but those child clients are still entirely at the mercy of your configuration otherwise. Saying that the clients are completely invisible/invincible, and that the fault is the Ubiquiti product, is not true.
Furthermore I didn't say they were invincible. I just said they were invisible to the UDM-Pro's UI. Unless you have a blanket ban on outgoing LAN traffic, which would be absurd, there's no way to block access for a particular client or a particular destination address for that client.
In the case I gave, a Chinese robot vacuum with no on-device interface, please tell me how to find the IP of this robot, then block outgoing traffic from it, without SSH'ing into the UDM and running scripts. That's right, you can't, because the UDM-Pro doesn't support it.
> Unless you have a blanket ban on outgoing LAN traffic, which would be absurd, there's no way to block access for a particular client or a particular destination address for that client.
To the contrary; this is exactly what you should be doing. Isolated subnet for these untrusted devices. Block by default. (Whitelist only)
I used the word invisible to describe it missing in the ui.
I used the word invincible to describe your lack of “management” (i.e., blocking) of the device.
What I am trying to suggest, however, is that the UDM is likely not the root cause of these issues. I certainly don’t mean to suggest they are the best. The lack of compatibility of features between their product lines is a nightmare.
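The "isolated subnet, block by default, allowlist only" setup argued for above (and the earlier point that default-deny outbound is achievable regardless of which switches are in the mix) looks roughly like this as an nftables ruleset on a Linux router. This is an added example, not any commenter's configuration; interface names, the VLAN number, the subnet and the allowlisted address are assumptions.

```nft
# Added example (not from any commenter): nftables rules for a Linux router
# that puts IoT devices on their own VLAN and drops their outbound traffic by
# default. Interfaces, VLAN 20 and the 10.0.20.0/24 subnet are assumptions;
# outbound NAT (masquerade) for the allowlisted devices is assumed to exist
# in a separate nat table.
define lan_if  = "eth1"        # trusted LAN
define iot_if  = "eth1.20"     # IoT VLAN (assumed VLAN 20)
define wan_if  = "eth0"
define iot_net = 10.0.20.0/24  # assumed IoT subnet

table inet filter {
    # IoT devices explicitly permitted to reach the Internet (assumed address).
    # Everything else on the IoT VLAN stays local.
    set iot_allow_inet {
        type ipv4_addr
        elements = { 10.0.20.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that the trusted side initiated.
        ct state established,related accept

        # Trusted LAN may reach IoT devices (local apps/control); not vice versa.
        iifname $lan_if oifname $iot_if accept

        # Allowlisted IoT devices may go out; only with an address from the IoT
        # subnet, so a device cannot spoof its way onto the allowlist.
        iifname $iot_if oifname $wan_if ip saddr $iot_net ip saddr @iot_allow_inet accept

        # Everything else from the IoT VLAN is logged, counted and dropped. The
        # log lines show which address is calling which destination, which is
        # how you find out what the vacuum is trying to reach.
        iifname $iot_if log prefix "iot-drop: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # IoT devices only get DHCP, DNS and NTP from the router itself.
        iifname $iot_if udp dport { 67, 53, 123 } accept
        iifname $iot_if tcp dport 53 accept
        iifname $lan_if accept
    }
}
```

Load it with `nft -f` on the router and watch the kernel log for the `iot-drop:` prefix to see which destinations each IoT client attempts before deciding whether to allowlist it.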
Could you elaborate a bit more about your previous network setup? This sounds awful.