Hacker News new | past | comments | ask | show | jobs | submit login
Ubiquiti Networks Breach (mailchi.mp)
647 points by ShaneCurran on Jan 11, 2021 | hide | past | favorite | 467 comments

As a former Ubiquiti employee, I'm sad to watch the slow decline of the company. There was a steady exodus of engineering talent through 2020. The CEO was focused on moving to countries where engineering was cheaper and employees complained less about constant crunch mode. If you search around, you can find interviews where he brags about closing the San Jose office because he thought everyone there was too entitled.

The saddest part is that we had many good engineers who could have continued to do amazing things with the UniFi momentum. So much time was wasted on dead end products like FrontRow. Most everyone I know left for jobs where we were treated better and paid more.

As someone who uses Ubiquiti NanoStation M2 APs very often as a part of wireless bridging solution for our own products, I was wondering what is happening with Ubiquiti. I have close colleague in Taiwan and he was so excited to inform me that he’s now working for Ubiquiti. I was sorta shocked because I thought Ubiquiti was a US based R&D team. When it first started, I remember watching the video of all the awesome engineers that left Cisco to start this new revolution. It’s sad to hear how the company is now being driven into the ground (merely for profits over innovation). I always thought that Ubiquiti would champion something in the 5G realm that would give US an edge over everyone else.

Innovation leads to profits, imho. "Short term profits" is the killer in most cases.

Yes of course, but there also comes a time at such companies that have experienced exponential growth (primarily attributed to innovation) that the innovation curve reaches a plateau and the focus shifts to brining in the next hot CEO to deliver profits and profits only by reducing overhead and increasing market share. At this point, any innovation and employee morale goes running out the door.

I'm a developer from one of the cheaper engineering countries to where Ubiquiti has moved to. I'm not sure what are you implying with your comment and I hope it's not "the company is declining because the company moved talent to countries where developers are cheaper". I do personally have friends working there and they are top class developers. Living costs don't necessarily correlate with talent levels.

That said I don't hear the best about the company (long working hours, not the highest pay) and have declined a job offer there myself.

> Living costs don't necessarily correlate with talent levels.

As someone who lives in a low cost country: rubbish. There's a reason we're a lower cost.

1. We have a lower standard of education

2. We have a higher cost of technology (relative to average income)

3. We have a lower need for the luxury market where most technology resides

You can also look at the proportion of field leaders. Are more from the developed nations or the developing ones?

The developed nations had a headstart on technology, do you think the developing ones have overcome that, despite most of us going backwards in terms of access to education and the wealth gap?

Don't take it personally, I'm not trying to tell you that you're a bad developer. What I'm saying is we have to work harder to uplift our country's fields and not fall into the trap of "well I'm the biggest fish in this tiny pond so therefore I'm an equally big fish in the ocean". It does not work that way.

> You can also look at the proportion of field leaders. Are more from the developed nations or the developing ones?

Lower cost of living does not imply developing nation.

Czhech Republic or Poland or Taiwan are developed nations, all with the cost of living a fraction of Bay Area.

I see Ubiquiti dev center apparently moved to Latvia. You can argue it's a depressed region of the EU but it is not a developing country by any metric.

Latvia? That's home to Mikrotik, this sounds quite dodgy. Prolly it was a move aimed at draining some talent from them.

I’ve spent a lot of time in Czech and Poland, and while someone could argue they’re developed countries when looking at the wider gamut, it doesn’t compare well Canada, USA, UK, etc engineering talent.

A lot of the engineering talent you find there is extremely limited in quantity, but it is untapped.

Overall I think it’s a step in the right direction as compared to other countries we’ve outsourced work to, but let’s not pretend Poland is an exemplary ray of developed industry and society.

As somebody who founded and ran R&D-heavy companies in Czech Republic and in Bay Area - this is complete bullshit. Arguably the per-capita amount engineering talent is much higher in Eastern Europe, and it is untapped because the target market is small and there's lack of entrepreneurship tradition.

Sure, if you take 300M market like US and pool all the best talent to west-coast, there is a lot of engineers. But the market is saturated, and it's nigh-impossible to hire a team of the magnitude you can get in Eastern Europe. Canada? Oh please...

Well, if you look at teh rsults of the CS Olympiads, you will see Poland as teh 5th overall (http://stats.ioinformatics.org/countries/?sort=medals_desc)

Having worked (as a French) with dev teams over there, I can assure you they have a whole bunch of A+ devs and the market is very competitive.

Developed in "developed country" customary means certain things. Like a decent standard of governance, sanitation, education, healthcare, welfare and quality of life. All these countries I mentioned are roughly on the same level.

You don't have problems with access to clean water in Poland. You ain't going to die from hunger in Czech Republic. There are no issues getting education in Latvia.

And mythical Anglo engineering talent, please. They are approximately the same anywhere you mentioned.

I guess in reality the opposite can be said. In 'poorer' countries actually more folks want to work in IT or software. Hence a possible perception of a bit worse talent.

And i suppose it can become/seem important to embellish ones resume, to land a job and get "food for the day" for one's family -- if there's no functioning social welfare system

But I wouldn't think of the Baltics as such a place?

Instead, just hanging over the code and infra to new people, is risky in itself and can easily make security problems happen?

Look at the US health system and the declining life expectancy in the US if you believe that higher cost equals better.

Clearly false unless you think a fresh graduate in a high cost area is let's say twice as skilled as someone with decades of experience in a low cost area? Salary is a good proxy of bargaining power, not a good proxy for skill.

As a developer from a lower-cost country: all of this is true.

If living costs does equal quality code, most quality logically must be from Scandinavia. If that is fact or not I won't try to judge.

They didn't write "equals", but "correlates".

You simply cannot ignore the wider context here. The new leadership is moving development to cheaper regions and, if the interviews and comments about "entitlement" etc are to be believed, you can bet they are not fussed about hiring the best talent in the new regions - they are going to be hunting out the "good enough" agencies and/or employees, which is most definitely going to reduce quality.

I'd like to also add that from my own perspective Ubiquiti gear and software is/was _exceptionally_ good. So converting to "just another network gear company" level of quality is going to have a much greater impact on my perception of the company compared to if this news of off-shoring came from say cisco.

Yes! The move to low cost countries is confusing because the company has more than enough profits to pay high wages. I think the company wanted offices in cheaper countries because it was easier to convince the employees to accept the abuse because they had fewer options for employers who could pay well.

In the US, good engineers don't have to tolerate abusive companies in exchange for good wages. Not all countries are so fortunate.

Maybe there is no causality, but quality is definitely declining, and the company focus is shifting from making enthusiast hardware to extracting profit at all costs. The fiasco with the UDM firmware, releasing more incompatible PoE products (I think they use every possible variation of the standard now), passive/active, 24v/48v). And discontinuing stand alone video software just to force everyone on new hardware?

Almost forgot, but just last month my wife started complaining about the WiFi, turned out the latest firmware that was pushed to my UAP's is horrible. You have to turn off auto update and check reddit before upgrading firmware, what a joke!

There are many angles to this, I'll just look at one in the hope that it helps.

> I hope it's not "the company is declining because the company moved talent to countries where developers are cheaper"

We probably agree the cost of developers varies considerably in different locations.

Companies operating in markets where local developers are expensive (I work near London for example) sometimes decide to outsource development to locations where it is much cheaper (e.g. India).

What I have seen (admittedly just anecdotally, not carefully studied and subject to bias) is a correlation between companies that don't value high quality software development and companies that are happy to dump a substantial part of their development efforts on cheap developers overseas.

Such companies don't care about their existing team - developers who are expensive but have built the software and understand it, and are to some extent understanding the end customer (often filling gaps left by product managers in smaller organisations). They just see their development team as a huge cost that needs to be reduced. Or they have trouble hiring locally.

When the daily rate of developers overseas is substantially lower, the company also doesn't care about those developers. They will want to outsource the least creative and satisfying work to them. They want to just fire and forget: "here's the spec, go and build it". Lower productivity is less of an issue if the "resources" are cheap. I'm over simplifying and I'm sure some companies try to work more in equal partnership but you get the picture.

Also, the move to outsourcing is often done suddenly; it's more like wielding an axe than an organic growth or shift in development model. Companies don't tend to invest in overseas developers as individuals.

In my view it's not great for either set of developers, or for the customers of that company. Perhaps when done right it can be more beneficial and I hope things will improve overall.

Some of the best engineers I worked with were in non-US offices. They were also smart enough to leave.

You cut my quote short of the important part which was "and employees complained less about constant crunch mode". It is easier to "trap" engineers in countries where average salaries are lower by offering them 20% over market rate and then threatening to fire them if they don't work constant crunch hours. We were promised very large bonuses that never arrived.

> That said I don't hear the best about the company (long working hours, not the highest pay)

It is a sad situation. The pay was very good and the working hours were reasonable when I started, but that changed for the worse. That is why all of my peers left the company.

It doesn't have to imply that developers are lower quality for this to be a troubling signal - if you close an existing office that is doing good work to save money, that shows where your priorities lie. And I agree with your sentiment, I worked with some very talented developers in Shanghai, but there are a lot of factors at play that make it hard to build a solid team from the other side of the world, factors that are legitimate and feed into the misconception that these countries have inferior talent.

I'm one as well, but I think the OP meant that the company is not trying to keep the existing experienced employees and just replacing them when they leave.

My company started doing the same and erosion of knowledge is really bad.

>> That said I don't hear the best about the company (long working hours, not the highest pay) and have declined a job offer there myself.

You are saying the same as the parent. Expecting “short” hours is seen as “feeling entitled”... There are countries where people are not willing to work in those conditions.

The whole motivation for management moving development to Brutopia is to maximize savings, they are not going for the most expensive, world-class developers of Brutopia.

Bottom-of-the-barrel developers bring even greater savings, and paying peanuts has always been a great way to get monkeys.

I have heard the weather is nice in Brutopia this time of year

I bought a Unifi Dream Machine last year because it was an all-in-one device that seemed like the simplest way to have multiple VLANs on my home network, in order to segregate my IoT devices and security system from the rest of my home network. At the time, I didn't see any similar products.

Are there any other "prosumer"-type devices on the market that could replace a Dream Machine? If Unifi is going downhill it doesn't seem like I'll be going with them for a replacement.

The recommendation I've seen around is to run opnsense or pfsense for the router, then unifi APs. (I first found out about it from a YouTube channel as being a way. https://youtube.com/user/TheTecknowledge . They are PFsense resellers, which is why they talk about it. But they could go straight unifi but they don't. After running PSNs myself for the last 4 years, I like opnsense being a little more open to community involvement, versus the control that PFsense has.).

Opnsense forums have lots of recommendation for hardware, which is the path I went recently. I went with https://protectli.com/, which are just some rebranded hardware sold on Alibaba, but they provide support ontop of the hardware.

I've been down this path before. I'd argue strongly pfSense is non-trivial and will require significant time investment for most people coming off Unifi stuff to learn the ropes, and should not be considered a serious alternative for most people. They have very different target markets and this is reflected in the software. Unifi is much closer to a "plug and play" user experience in comparison to pfSense. The customization options for pfSense are of-course fantastic.

I actually reversed this choice and am back to using the Unifi Controller again - pfSense is superb in production or more-networking-enthusiast style environments, not so nice for "average" home. I used a 5-ethernet port fan-less Intel Atom box almost identical to the one you linked for my homemade pfSense router while it was running, for that purpose it was pretty good.

Point taken. I've been running linux with iptables since 1999. I also spent a few years at Cisco doing network security stuff. So PFsense was a minimal learning curve for me.

But at the same time, I run Google WiFi points as I don't want to deal with them. :)

If you only need to VLAN-tag the 4 ports on that one device, you can do it with like… about literally anything? e.g. an Archer C1750 with OpenWRT does that easily.

The benefit of UniFi is that you can centrally control a bunch of switches. It's definitely overkill and overpriced if you just want an all-in-one.

I need to set up multiple wifi SSIDs, each on a distinct VLAN, and apply firewall rules to ensure things like: hosts in the "home" vlan can open connections to hosts in the "iot" vlan, but "iot" cannot open connections to "home".

OpenWRT supports that.

Though you'll probably end up with Atheros wifi chipset on modern hardware... and I've found the OpenWRT drivers to be extremely unreliable when providing multiple SSIDs--- crashing every few days instead of weeks of uptime.

I keep hoping that one of the OpenWRT snapshots will fix it, but this is something I've been fighting with for years on multiple pieces of hardware.

I bought a Linksys WRT3200ACM specifically for use with OpenWRT after a bunch of research. It's modern hardware and based on Marvell, not Atheros. I don't have lots of SSIDs, but I do have separate 5G and 2.4G SSIDs, and they're working well enough.

Thanks for the info!

Separate 5G and 2.4G SSIDs are no issue in my experience-- it's multiple SSIDs on one phy where Atheros goes wrong.

I really want WiFi6 gear... but given that there's no real OpenWRT support yet, and how long it's taken 802.11ac to mature in OpenWRT (it arguably hasn't yet), it's kind of discouraging.

5G and 2.4G is usually not handled by the same NIC. So that'd be why they're not problematic.

The Velop series, from my own inspection, seems to be based on a custom (neutered) version of OpenWRT

i have had different hardware running openwrt and never experienced problems regarding to multiple ssids...

maybe you have a known-bad hardware in regards to driver support, but that is absolutely not to be expected.

Look at Ruckus

would be good to see more argument behind this?

as the name implies, that company made a ruckus in the prosumer segment like ubiquiti but since bought by Arris is declining same same (like you only get FW updates with registration).

Meraki does multiple wifi SSIDs. Probably does the firewalling too.

I would go with MikroTik. Or just one if the cheaper Ubiquiti devices, like the EdgeRouter series.

MikroTik feels like rolling your own linux router box, a bit overkill and high maintenance.

It's definitely overkill, but what is a homelab if not overkill? It's not really high maintenance, though. Once it's in and running you'll never have to touch it.

Until you do and then you’ve forgotten how and what to do.

Not to mention software updates to ensure your credentials aren't leaked in plaintext...

Isn't this true for any advanced technology?

With Ubiquity, it wasn't, and you get a nice mobile app to see the status of everything.

The MSP I work at maintain some 500 MikroTik devices, I wouldn't call it particularly high maintenance. Once they're set up they'll just keep working. I've been auto upgrading my stuff at home with beta software for the last 4 years without encountering any issues. (ROS6, 7 is another story).

I have come across several situations where professional network engineers have accidentally left a Mikrotik in a dangerously insecure state by misunderstanding the UI. I like Watchguard or Draytek in the small business space. They are a bit more expensive than Mikrotik though

Oh my... so the Draytek UI is better than Mikrotik?

I had been considering trying out some of their gear, but perhaps I might not bother now!

The MikroTik UI is... an acquired taste. Honestly I don't think it's bad, I would argue that it's among the best GUIs out there for routers. I would be surprised if it's more common for MikroTik routers to be left in an insecure state that any other router, unless it's only because people who work on routers tend to have been trained on Cisco or Juniper and that training just doesn't translate very well to MikroTik. But I'm also not going to die on a hill of defending MikroTik's configuration design choices, there's a lot to be desired.

It probably depends on the environment one is in.

I replaced my ISP-provided all-in-one box (Orange in France) with an EdgeRouter 4 and it is many, many times more stable. The crap you get from the ISP does not compare.

The management is horrible and how they designed it is horrible as well (from the OS perspective) but once it works, it works.

I've had good luck with MikroTik hardware, but I really didn't like their OS and just went with OpenWRT.

Has UI gone downhill ? or is it just because of all the negative feedback ?

Data leaks happen! It shouldn't but that's just how the world is. UI has been honest about it, and informed every customer as a precaution. (I assume they're still investigating).

I can't be sure, but since UniFi Video went offline at the same time the breach was announced, a week earlier than it was scheduled to, that might have been the entry point.

In any case, the UDM (despite all the negative talk) is a fine machine, and does what it promises to do. If you want similar performance you're either looking at building something yourself, or paying twice of what you paid for a firewall appliance. The Netgate SG-3100 has less performance at twice the cost.

You need a UI account to set it up, but that doesn't mean you have to allow managing it from the cloud. Disable the cloud controller access and any access to your firewall configuration will have to happen from your local network. I'm unsure if you can disable the UI account, but i have a spare UDM sitting around so i will test it.

I built up my companies network infrastructure on unifi gear the past two years. I did so because we don't have budget for a professional network engineer, but we do have some important network requirements that I needed to be able to set up with minimal learning curve. For the most part this turned out great, there's a powerful UI that lets you configure all of the basics. And lets you inspect everything without having to relearn a bunch of tools and concepts everytime. I'd say perfect for a situation where the CTO has to 'solve' the network.

What disappointed me is that some aspects are really unfinished, and it looks like there's no intention of it to be fixed.

For example we bought their pro firewall (which has been out for years), it's got 2 WAN ports for automatic fail over. To use the 2nd WAN port I had to switch over the UI back to legacy mode. Ok weird but I guess the new UI is still sort of new. But then it turned out that to configure automatic fail over in the most common way, I needed to ssh in and edit configuration files manually.

It didn't turn out to be very hard, but it was just jarring. One of their flagship products, and of the 4 ports it has, 1 port is not supported in their main UI and it's most common use is not possible even in their legacy UI.

Unifi Protect has similar incompleteness issues.

I don't think there's a company that does it better than Ubiquity right now, just disappointed that it stops there.

I agree there's a lot of unused potential with their existing product line, but as you said, nobody does it better currently.

I've been running Ubiquiti gear for years, from a single 2.4GHz UAP with the Edgerouter products, to my current setup with UDM Pro, 10 GB backbone and multiple NanoHD access points, and to use an Apple quote, "It just works". I don't have a complicated setup, just some basic VLANs, firewall rules, radius assigned VLANs via MAC, and IDS/IPS, so maybe that's why i'm not having any issues with it.

I have the technical skill to set it up from scratch if i wanted a second day job, but i don't anymore. I've run on homebuilt devices, on a Soekris net4801, on an Alix APU1D4, on m0n0wall and PfSense in various configurations, latest on a Netgate SG-3100, and while the SG-3100 comes very close to being a network appliance, it still managed to crash to a point where i was flashing it and setting it up over a USB cable, and while Netgate support was very helpfull, that's hardly something you'd ask the average consumer to do.

On the access point side of things the only real contender would be Meraki, but those are 2-3 times the cost of UniFi gear. You could of course also get a bunch of Zyxel/Netgear/whatever consumer devices and put them in bridge mode, and lose all central management.

In fairness, SSH in and edit a file is the "standard" here. I used to manage a bunch of Cisco devices, and I don't believe there was a GUI at all.

I would generally expect the UI to be for enthusiasts, with the more advanced functionality hidden in the CLI (kind of like Windows). WAN Failover probably isn't super popular among enthusiasts

For the routing/firewall side, I would encourage looking at either pfSense (as others here have suggested), or possibly VyOS.

I used to have several Ubiquit USG devices as well as their EdgeRouter.

I moved to pfSense as it's open-source, more stable, and gives you much better control/configurability on your hardware. There's a great ecosystem of packages on pfSense, that you can install via the web UI - making it a really feature-packed for a homelab.

However, recently I've been moving to VyOS to pfSense, which is basically a stripped-down Linux distro, with a heavily tuned FRR routing stack built on top of it.

VyOS is an open-source fork of Vyatta, which was previously owned/released by Brocade networks.

It operates with a CLI, like many enterprise/commercial routing products. It takes a bit of getting used to, but it's really great to use in practice, and makes it easy to diff configurations, or rollback changes, or copy the same configuration across multiple devices.

And of course, it implements with config-management software like SaltStack/Ansible (via Napalm), which is something that pfSense. If you have multiple pfSense devices, you basically need to point/click via the web UI on each one.

For APs - Ruckus is great, as is HPE/Aruba (they have a new low-cost line that's targeting the Prosumer market) - they have both been leaders in the wifi field for ages, and have things like AP handover, RF tuning/optimisation, adaptive antennas etc down pat.

I have a Mikrotik Audience I can wholeheartedly recommend. The performance is great, it had a great price and doesn’t look half bad. The UI is very much “pro” in the sense that you get all the options you might ever want to play with which for 90% of the time is just too much.

The wiki is good and the community is really friendly. If you have networking experience or want to something to tinker with it’s a nice deal. If you want something you can set and forget I’d look elsewhere though as the UI is not friendly at all.

I would suggest looking into Mikrotik. Bit of a steep learning curve and a prerequisite that you understand networking, but cheap, reliable, feature packed.

Their WiFi APs are behind the curve (no mu-mimo even afaik), but you can just hook up some other wAP if you need the newer protocol features.

What I do is keep a Mikrotik router that does all the heavy stuff and hang wAPs off of it as needed. I especially love capsman for wAP management. They do have all-in-ones of course, just not my cup of tea.

Something from Mikrotik, perhaps a hAP AC2? I'm a big fan of RouterOS for a home/prosumer use-case (I used a hEX myself)

I think Mikrotik would be great as well. I'm currently running a RB2011UiAS-2HnD-IN and a RBcAPGi-5acD2nD-US (the cAP ac).

Give AVM and their Fritz!box products a go.

FritzBox is way better than isp-provided or TP-Link-like boxes but certainly not pro-anything (no vlans or ingress-qos, guest-wifi but no real multi-ssid, severely limited dns-customization ...)

fritzboxes are everything but certainly no "prosumer"-type devices. Most of their "mesh" is still dual band. only the latest repeater "FRITZ!Repeater 3000" is tri-band and afaik there is no router yet available that supports tri-band.

Compared to ordinary consumer products, I'll keep listing them as prosumer. They aren't mikrotik, or barebones openwrt, rather like dd-wrt.

The hardware is indeed a bit lagging, I'm not arguing there, but it's not always (only) the hardware that makes prosumer.

avm is like the apple of home-networking.

hardware stats and software features are severely behind the curve but it mostly just works and you dont really need those features anyway.

certainly not prosumer

I use Turris Omnia, which is stock OpenWRT + their (open source) addons. You can configure VLANs like you mentioned, I do the same.

It is on the expensive side, but the hardware is beefy and you get vendor's support for OpenWRT out of the box.

You could always suck it up and get a managed switch.

Ironically you can do that with pretty much ANY access point. From TP-LINK, assus all the way to arruba ones (unleashed). BUT you can't do that with unifi ones alone. Go figure. You need a usg+key or the discontinued UDM you have.

This is wrong. First, the UDM is not discontinued- it's for sale right now. Second, you don't need a USG+key to do VLANs. You do need to run a Unifi controller, but you can self host that anywhere like on a RasPi or in a VM. You don't need a USG to do the tagging and routing, either... the VLANs you set in the Unifi controller will work with any router/gateway it's just not all streamlined into the controller interface if you use a separate gateway. I know this because I do exactly that, I have a pfSense gateway and Unifi switches/APs.

> you don't need a USG+key to do VLANs. You do need to run a Unifi controller

Did you try? i did.

The controller UI shows you a hole in the left part of the diagram and explicitly tells you "no routing control without USG"

VLANs are at layer 2 which is switching. Routing is layer 3.

I have several Unifi switches and a controller (running on an rpi) on my network but I use my own router. I can setup VLAN access ports and trunks all day on the switches no problem, but I can't control the layer 3 routing between those VLANs with the controller, which is what you're talking about. By setting up a gateway/network on each VLAN from my router I can control routing. It's just not as slick as having a USG where it's all controlled via the controller UI.

A couple of their top of the line switches can actually do layer 3 switching. I haven't actually tried that, but the docs don't mention it requiring a USG so I don't think it does.

Yes. As I said, I do that myself with a pfSense firewall/router into Unifi switches and APs with multiple VLANs and routing between them. I've also done it with an Edgerouter + Unifi switches and APs, and a Mikrotik router too. Of course the Unifi controller doesn't control a non-Unifi router, but you can set up whatever VLAN arrangement you want in the Unifi controller and then set up your router to match and do whatever inter-VLAN routing you want separately in its own interface.

It is not all nicely integrated together if you use a separate router (obviously), but it's not like it makes it impossible. It's not even difficult... at least not any more than it would be in any other setup.

Same here but with opnsense instead of pfsense. It would be great to have all of the info in the controller's dashboard, but I wasn't thrilled with what ui had available over the last year and figured I'd punt buying a usg or similar down the road a few years.

I personally wouldn't recommend it, the USG and their other Unifi gateways are actually kinda limited feature wise. You get all the stuff in the dashboard, but I'd say it's fairly primitive compared to what you'd be used to in ***sense. It's a good solution for people who want something turnkey, but if you're a prosumer/homelabber type you're better off leaving switching and APs in Unifi but using something else for the gateway. I do quite like the EdgeMax routers like the ER-4 paired with Unifi, however. Just my own perspective having tried all of the above.

The UDM is discontinued? I couldn't find anything on this, do you have a source?

It's not, the parent is wrong. I'm not sure if I would 100% recommend one (it depends on your needs and how nervous Ubiquiti's recent business decisions make you), but it's not discontinued nor about to be.

it's definitely not. I would still recommend the UDM, it is a very solid wifi 5 Gig device with good hackability.

I’m not sure how it is that they still don’t have a hardware update to the USG3P that can enable both IPS and DPI without throttling network speeds to sub-80Mbps speeds. It’s been years now.

I’m a big fan of the ecosystem and I’ve recommended it to many people but I’m constantly astonished by the slow pace of hardware updates.

I guess you're more waiting for the XSG-Pro, which was announced at least a year ago but hasn't materialized yet. I'm guessing that the UDM and UDM-Pro are meeting the needs for most customers, although obviously they're not the right fit for everyone.

UDM Pro can do it. But there is no standalone security gateway that can do gigabit.

UDM Pro can do it, but can't do dual NICs yet. Still.

The USG3P can do gigabit (I get very close to gigabit speeds in internet speed tests - ~950/950) but I can’t use IPS/IDS without severe performance penalties. It basically becomes a fancy router with little in the way of actual “security” besides its basic firewall functionality.

I am aware of the UDM Pro and USG Pro but those things are expensive 1U monsters. Maybe fine for SMB use but this is for home use and I’m very space constrained.

If Ubiquiti made a small footprint security gateway with some modern hardware (the USG3P is some 8 years old at this point!) I’d buy it in an instant.

UXG-Pro is the successor to the USG. It’s available in the EA store. I was tempted to get it but it’s $500 so I’ll wait for it to go GA.

Appreciate this. I’ve been recommending Ubiquiti to family and friends for a while and have noticed the decrease in quality and features recently.

Not sure where to go next, but it probably won’t be Ubiquiti.

Can I ask what networking gear you run at home these days?

> If you search around, you can find interviews where he brags about closing the San Jose office because he thought everyone there was too entitled.

Robert Pera (the CEO) got his start in the industry in San Jose.

Have suggestions for an alternative? Most web UIs are garbage but the Ubiquiti one looks fine, even if it is cloud based.

Second this. I'm no great expert in this area but have greatly enjoyed using Ubiquiti gear for my home the past few years. If there is something else that offers a comparable experience at similar price point would be great to know. The Unifi Controller software has been some of the nicest I've used in a domestic setting.

Strange, I found the Unifi Controller web UI to be really poorly architected.

1) You start a .app that sits for a few seconds then requires you to launch the browser by clicking a button. While using the browser, you can't close the extra window for the controller.

2) On the browser, you go to a localhost website that has an invalid TLS certificate (you can a "Not Secure" warning) and have to click through to the unsafe website (and it's still like that in my current Unifi version).

3) The login page doesn't let you use the Chrome password manager, so you have to type it all in each time to access a local program.

4) In the web UI, the icons are not intuitive, and some combination of circles and rounded rectangles.

5) The new UI makes it seem like you can configure things that can't actually be configured outside your router.

6) Speaking of your router, Ubiquity's own EdgeRouter routers aren't supported in the Controller UI. They require a completely different interface.

In case anyone thinks the problem with the certificate is something to do with my own setup, it's not. It's a universal problem [https://help.ui.com/hc/en-us/articles/212500127-UniFi-SSL-Ce...]

I'm not sure it's fair to fault the Unifi software for using a self-signed SSL certificate. I think the only theoretical security risk here would be that Ubiquiti could decrypt the traffic between you and your Unifi controller, if they could somehow obtain it. (Someone please correct me if I'm wrong.) Ultimately, if you don't trust the certificate it comes with, it's not too difficult to replace it with one of your own (in fact, the page you linked explains how).

I haven't had the password manager issue you describe. KeepassXC in Chrome and Firefox both fill out my credentials successfully on the login page. I totally agree about the UX of the web application though. It feels like over time, options have become more and more hidden and the icons more cryptic.

I think it's fair for few reasons:

- Without a valid SSL certificate, there's no way to tell whether you're actually visiting your UniFi controller or a honeypot. Ubiquiti isn't the risk here.

- UniFi features that depend on WebSocket and WebRTC are unavailable when using self-signed certificates. This includes live stats updating, device terminal, airView, etc. (Those features can be used in the cloud UI... if your Internet connection happens to be working fine.)

- Valid SSL certificates would be easy to auto-provision these days with LetsEncrypt. There are some minor challenges around port forwarding / relay, but that isn't rocket science. If Plex can figure it out, Ubiquiti can figure it out :)

Enabling non self-signed TLS certificate on IoT devices looks like easy task but actually it has difficulty. Especially router is hard because it bootstrap WAN connection.

To be fair, there is no (or very few) practical solution other than to use self-signed certificate. https://lwn.net/Articles/837491/

How does one have a valid TLS cert on a piece of software that uses a "localhost website"?

You can reverse-proxy the traffic into the Ubiquity app, and have your RP terminating the TLS connection. This is what I do and I get a correct HTTPS connection to the web site.

And how is ubnt supposed to do that, on your own domain, as you've done? I suspect you don't really know how any of this works.

Well, sorry for that. I will have to google "reverse proxy" a little bit more. And thank the god of your choice for having that setup miraculously working at home on my server.

What to say - maybe before assuming that someone "don't really know how any of this works" you may, just a second, think that the person your comment is directed to has written a security reverse proxy and presented on that on one of the largest security conferences.

Or not, maybe that I really do not know how terminating traffic on MY reverse proxy and sending it upstream to MY ubnt controller works. Who knows.

In that case, you'd understand the difficulties of providing a product or piece of software out of the box with valid certificates without user setup, as you've done (without running all user data through offsite servers).

I too have a working reverse proxy setup or few. I certainly don't expect something using a "localhost site" to come with valid certificates. Unless they somehow get a valid cert for https://localhost

Edit: apologies for the assumption, I didn't realise that you weren't the guy I originally replied to. I'm new around here.

But you can replace the certificate if you want to. But many users won't have a static IP address they can use to point to their controller, and many don't even own a domain, which means the self-signed certificate is the only option.

Its not the most pretty thing, but has a lot of features I wanted in Unifi; Ruckus has a version of firmware you can load on their APs called Unleashed. It turns one of the APs into the controller, then you can manage all of them from there.

I run the webcrap in a docker in a VM: https://hub.docker.com/r/jacobalberty/unifi/

Check out latest Teltonika's products. They are made for industrial customers mostly, but UI (on top of openwrt) is the best I've seen.

Here's a review: https://seabits.com/teltonika-rutx11-lte-router/

You can run the controller software locally [0]; I use Unifi switches and APs, but use pfSense for routing/firewall. After getting a look at what Unifi offers for that with a Dream Machine, I'm pretty happy with my choice.

Yea that sounds toxic ! And to "brag about it" !

I once worked for a company, there were some "grievances" between the programmers and CEO (nothing major) but enough to elicited a "meeting" between all the devs and the CEO to "smooth" things over and build a better path forward, we will all in high spirits for the meeting and optimistic.

The very FIRST opening line from the CEO in the meeting was:

"How extremely lucky we(programmers) are to be working there..."

It all kinda just went downhill from there... 6 Months most of the programmers quit.

The product lineup has also gotten pretty scatter-shot. What is Ubiquiti doing selling solar panels?!

I can't see that they're actually selling solar panels. What I do see is them selling a specialized switch that is powered by solar panels and a battery that can then be used to power remote devices in locations where they would otherwise need to run power lines.

It's not traditional networking gear, sure, but I can certainly see the play they're making, so I wouldn't call this a scatter-shot approach.

They did sell solar panels but the product line was mostly killed. Product number SM-SP-260W-DC-US. You can find a legacy datasheet for the product family still.

But I think this is an example of them having an ideas they only end up abandoning. They are now selling an access control solution, but would you trust them to be standing behind this in 5 years? Enough to deploy it to a customer building? Not me. Attractive for the hobbyist perhaps.

I think some of their seemingly wackier stuff makes marginally more sense when you think of them trying to outfit their WISP customers - having solar to power stuff on your rohn tower, manage it all from one pane of glass, that kind of thing. They had a whole line of managed power products (since abandoned) for several years aimed at this crowd.

Any idea what it would cost to develop a completely open source router?

I'm unsure if you're referring to open-source software or hardware, but for software pfSense [1] and OpenWrt [2] are both popular open-source routers.

[1] https://www.pfsense.org/ [2] https://openwrt.org/

The Turris Omnia is an OpenWRT based open source option.

Any running Linux kernel is a router. You just have to know how to configure it. Of course, you might be expecting a lot more than just a router, ie. DHCP, DNS, traffic shaping etc. It's all available in most distros.

Buy a small PC with lots of network ports and install VyOs [1] on it. If I recall correctly, Ubiquiti's EdgeOS is based on VyOs.

1. https://vyos.io/

pfsense and opnsense are BSD based routers.

openwrt is based on Linux

Nothing worse than working for a shitlord.

I hope things are better now.

> brags about closing the San Jose office because he thought everyone there was too entitled.

He's not wrong

What do you mean? What was going on at Ubiquity?

I think he's implying people in Silicon Valley are often entitled, and he's not wrong.

Which is pretty hard to disagree with.

Workers should be allowed to share the fruits of the labor instead of having a rent seeker exploit them and steal it all.

it’s not the money ( actually quite underpaid) it’s the attitude

PSA: with Mailchimp URLs, it's best to remove the `?e=xxx` URL parameter. That way, A) you can't be identified by the sender as the person who shared the email, and B) other people can't flood your inbox by clicking the "unsubscribe" link at the bottom of the email.

In this case, the cleaned URL that should have been posted is https://mailchi.mp/ubnt/account-notification

Good call! This just keeps getting better, sharing the URL is such a natural thing to do but of course they need to add the tracking parameters to everything.

In this case it's both tracking and a legitimate feature: being able to place unsubscribe links in the "web version".

I'd argue that this feature is not worth the privacy invasion, but for it to work, you do need a secret in the URL that is always personal.

They could easily have left the unsubscribe in the email, and linked to a UID of the mass mailout text instead for the web view.

The ClearUrls Firefox extension often prevents this...: https://gitlab.com/KevinRoebert/ClearUrls

Regarding authenticity, from the TechCrunch article about this:

> The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several complained that the email sent to customers included typos.

Indeed: How am I supposed to know whether this email is really from Ubiquiti?

* There was apparently no official press release.

* All links in the email, including the "Change password" button, are to e.g. `https://ui.us8.list-manage.com/track/click?u=somehexnumber&i...`.

* The delivering server is `mail42.atl11.rsgsv.net`, which the TLD of which doesn't seem to resolve in my browser to provide hints.

* Various news sites that reported this either just referred to "emails people got", screenshots random people got via Twitter, or link to the Mailchimp site, for which I'm not sure how to verify whether the "ubnt" account actually belongs to Ubiquiti.

Given this, how shall the normal affected user figure out that this isn't well-executed phishing?

It seems companies could do a much better job making it obvious that their emails are legit. Especially if they were just breached, and "Change password" buttons are involved.

I missed a mortgage payment, because my mortgage company launched their "new" website as a subdomain on a primary domain that wasn't registered to them. They sent an email from that same domain, directing people to the new site. I tried to verify the authenticity of the email with their customer service team, but, crickets. No one bothered contacting me until they wanted to chase me down for the payment, at which point, I told them what a horrible practice it was, and insisted they remove the late fee. They did remove the fee, but the site and all related emails still look like phishing attempts. Not surprising really, given that the majority of companies double-down on stupid when called out for their blunders.

The best user behaviour on receiving a potentially 'fishy' email is to not click any inks, but to go directly to the site in question and change your password, if you feel the email is genuine in anyway.

The "change password" button leading to an opaque tracker is inexcusable. That said, the "safe" way to handle this is the same way you do with cold calls. Ignore any calls to action in the email, go to Ubiquiti's website on your own, and change your password. If it was a phishing attempt, worst case, you updated your password which is not a bad practice every once in a while.

The real kicker is that the sender is no-reply@ubnt.com - why is it not @ui.com?

Generally you maybe don't want to include mailchimp's MX's in your SPF for your main corp domain, it's common to send such things either from a delegated (in dns terms) subdomain (e.g: mailings.ui.com which mailchimp can then manage the spf/dkim/etc records for) or more simply by just using one of your other domains..

ubnt.com is another one of their domains.

My point is that it's very confusing when their main domain is ui.com and auth server is account.ui.com - there's seemingly no customer-facing reference to that domain.

Silly, I instantly thought "Ubuntu".

Yeah I was really suspect seeing two buttons like that in the email. They didn't really think that one through.

I must admit - Ubiquiti has lost some of it's shine in the last few years, whilst AP and routing hardware seems to still be very good in terms of pricepoint, it does feel like the software side of things has been going in a very strange direction for quite some time.

I'm still quite annoyed by the fact that I was forced to migrate from Unifi Video to Unifi Protect - due to vendor lock in and the fact that the remote interface for Unifi Video was switched off this month.

I guess on the plus side - no one who is still using Unifi Video has to worry all that much.....

Hopefully it is just a case of resetting passwords and enabling 2FA if you haven't done it already - not entirely sure how much damage could be done otherwise, unless there is an undocumented backdoor into Ubiquiti products ?

Agree on Ubiquiti losing their shine. They seem to have fallen for the classic trap of vendors selling hardware without fully factoring in the cost of maintaining software and “cloud” infrastructure. So now their “growth hackers” have to keep coming up with things that should just be add-ons or bug fixes but instead they sell them as a premium feature or new product to make up for a lack of recurring revenue.

Basically they are alienating their existing customer base (who have already paid a premium price for the prosumer product upfront and expect things to Just Work for the price) in favour of convincing the next idiot to fund their OPEX with shiny new features and toys that are a quick sell. Not realising (or unwilling to realise) that this strategy is completely in contradiction with their reputation and brand image as trustworthy prosumer hardware vendor, and just adds to the underlying issue.

I predict that it won’t be long before they run out of cash or investor confidence and have to sell out to a large consumer hardware vendor with deep pockets that will try to capture the Ubiquiti premium margins by selling their lower-value existing consumer gear under the Ubiquiti brand. I applaud them for having come this far while maintaining most of their integrity and reputation, but I’m afraid their strategy is doomed to fail and it’s starting to show.

Not only have they engaged in multiple interface redesigns with loss of features with no apparent gains, the last firmware update removed the ability for me to use the Protect app locally on my network without needing cloud access enabled. This breach has only confirmed my belief that my home cameras must stay off their cloud. Extremely dissatisfied.

>engaged in multiple interface redesigns with loss of features with no apparent gains

Yeah, this has been really baffling. Their settings UI has been in a transition state between "Classic Settings" and "New Settings" for years. Neither is complete. Some settings are only in New Settings (e.g. WiFi AI), while many more are only in the Classic Settings (e.g. allow multicast from Ethernet to WiFi).

Their EdgeSwitch line has this same issue - legacy and new UI each with different functionality, and even less capability within UNMS (Now named UISP?). Frustrating.

Ubiquiti had a steady exodus of engineers in the past few years. It's a very different company now compared to the glory days of UniFi.

Doesn't it seem like one of the missing measurements for directors/VPs should be "amount of disappearing expertise"?

you would think, but then you'd have to actually do something to retain talent instead of hiring whoever you can whos cheaper and has no idea how any part of the software or or company works. But of course the comp/hr team never see it that way.

More the old guard leaves, the more of the old guard that leaves. Then who is left to train the new people?

Fun fact: very few directors or VPs at Ubiquiti. Very flat organization

Often times churn is rewarded because it can keep salaries lower.

The directors and VPs quit, also.

Deploying a 6 AP network some years back, I ran across this gem in some Release Notes. I can hear someone screaming JUST SHIP IT!

"Do not choose the skip option when running the Migrate Site wizard. If you do your devices may end up in a weird state."


For now, I’ve resorted to extracting the rootfs of the cloud key plus firmware images, and running UniFi protect in a LXD container on a raspberry pi. I’ve not tried this with their cloud access, and could not get the app to work with it yet. I’d like to do a writeup at some point, but not sure if I could get in legal trouble...

> I'm still quite annoyed by the fact that I was forced to migrate from Unifi Video to Unifi Protect - due to vendor lock in and the fact that the remote interface for Unifi Video was switched off this month.

For me, that’s a good outcome because I won’t be bothered by their updates for my currently-working unifi video setup anymore.

Can’t you still access a Unifi video server locally? What’s so hard about setting up a reverse proxy or VPN?

You can't do that anymore. You either have to buy their server or use their cloud, from my understanding. I am another considering migration away from them for this reason as well.

> You can't do that anymore. You either have to buy their server or use their cloud, from my understanding. I am another considering migration away from them for this reason as well.

Alternatively, you can use their hardware with an alternative serf-hosted NVR like zoneminder.

The cameras work just fine in standalone mode as RTSP sources.

You can still use their UniFi Video NVR in local-only mode, though I think the last update for that ha shipped. The Protect platform may be different in this regard.

One of the great things about ubnt was the ability to self-host their management software on a Ubuntu VM or container.

No specific comments to the breach... But, I couldn't help but chuckle at We Take Your Security Seriously™.

Why does every company, after demonstrating a lack of security, like to say this exact line? I can just imagine the PR person hovering over the shoulder of whoever authored the post yelling "make sure you tell the victims of this breach that we care!"

> That phenomenon is called counter-signaling, which I first ran into listening to Dan Jurafsky making the point that if a menu uses the word "fresh", its a low-brow restaurant. A high-brow restaurant would never use the word "fresh" -- the freshness is implicit in the other signals. https://kelley.iu.edu/riharbau/cs-randfinal.pdf

source: https://news.ycombinator.com/item?id=25713050

Italian franchise[0] restaurant in Sacramento has this huge neon sign in their window: "health inspected". Neon. It's just that one instance of the store. Not that I've seen them all, but never seen that signage in their other stores.

[0] Maybe not technically a franchise. Not sure. There are a bunch in California.

There's a bar near Union Square, SF, which has a sign including the words

> .. never had any safety issue so far

It's the 'so far' which really tickles me.

Reminds me of a restaurant in Goa, India, which proudly advertises: "Vegetables are cleaned with clean water before use!"

In India and many other less developed countries, proper culinary hygiene is very far from universal, and contaminated water is common. It's less absurd of a statement than it would be in the US.

Well, it might be a sign seen in a restaurant in Flint, Michigan :)

Well, it's not like Sacramento has a Ganges River...

That’s cool, I read his book, The Language of Food, and think about these things all the time when reading menus now; and then like an annoying pedant, nudge my wife and point it all out.

It's impossible to secure yourself against a devoted persistent threat group over the long term. The asymmetry of effort is not tractable to overcome.

So they can take your security seriously, but they will be hacked, or they have already.

I don't think my post argues, or even attempts to argue, against your point.

It was a light-hearted jest at the fact that this exact line is in every single breach notification I have read for the past few years.

The more serious point I was alluding at was not "just don't get breached", it was that the "we care" line rings hollow after the 250th time reading it.

My misread, apologies. I think the "we care" is a dodge around the reality that most are uncomfortable with, which is, "we make your data safe as possible but we will likely be hacked and you should compartmentalize your personal data accordingly with that expectation". But I am no good with marketing.

Most companies choose to collect data they don't have to.

They put all of their users eggs in one basket in the cloud. That makes for a very interesting target.

They could have not done that. The users were probably unaware that their data was even placed on the cloud servers of some third party.

Ubiquiti used to be cool. They've taken a nose dive in recent years in several ways: Firmware upgrade suddenly including telemetry by default, forcing people to use their NVR appliance instead of installing their software on their private servers, etc.

Had Ubiquiti not moved people to "cloud solutions" an attacker would have to attack millions of peoples equipment. Now he only had to attack one providers network.

I heard rumors about the telemetry thing, but that is usually an overhyped concern - unless it is sending flow logs or something.

When did they stop allowing people to use a private server for central management? I see Unifi still has a network controller.

Sorry for being obtuse - it wasn't my intention.

I'm thinking of "Unifi Video" that is going out (EOL announced six months ago), where you could either buy their appliance OR download an official .deb package and install the NVR software on your own server.

They replace that with "Unifi Protect" that comes ONLY as an NVR appliance. No more .deb packages. It also requires you to buy one of their other products (Cloud Key 2), IIRC.

I think it is possible to secure yourself against a devoted, persistent threat group.

I think it's expensive, but possible.

Do you have data to back up your claim that no one, ever has ever successfully remained secure?

My name is Ozymandias, King of Kings; Look on my Works, ye Mighty, and despair!

No one could possibly prove this kind of negative.

Why not? All you have to do is point to one particular company whose systems have not been verifiably breached after having resisted actual attempts.

> one particular company whose systems have not been verifiably breached

The unknown unknown. How can you be sure all the "resisted actual attempts" been even detected?

You've changed the requirement. To prove a company hasn't been breached, you'd also have to prove that there hasn't been a breach that hasn't been detected (so breached, but not verified). Any given target might already be quietly owned by some state actor or corrupt insider with allies on the outside.

Several places probably would have met those goals...

... right up until the SolarWinds hack became public.

The point being, provable "we've never been breached" seems to have a way of turning out to be wrong. :/

Challenge accepted?

Just because known attempts have failed doesn’t mean the unknown ones have too.

most attacker groups would be unlikely to share that result

What evidence do you have that anyone has?

When was the last time you heard of a google user data breach?



Maybe you should know literally anything about the topic at hand before making sweeping assertions? I realise that's asking a lot here at HN, but it would improve the site a lot.

The real genius in the announcement is, "data hosted by a third party provider". Absolutely irrelevant, but subtly implying that the error was the fault of a third party.

That will be the new norm in these kinds of annoucements, I'm sure.

Just like SolarWinds dropping "Team City", saying "no evidence" of a breach of it. So why mention it at all?

They opted to TELL people about it which is a good indicator. I’m sure there’s many companies who choose not to (which may be against the law). It’s also HR spin on the topic, but iirc ubiquity offer bug bounties on a range of devices they sell so there’s at least some truth to the spin.

‘We know they breached but don’t know what they did’ is an interesting statement. One POV is that they didn’t have sufficient logging and segregation to determine how widespread the breach was, the other is that they’re not arrogant enough to think their SIEM adequately captures everything.

> They opted to TELL people about it which is a good indicator.

Aren't they based in California which, if I remember correctly, as a law requiring them to notify the victims of a data breach?

Would they still have chosen to in the absence of such a law? We'll never know, I guess.

I'm unsure how your statement is meant as a response to mine. I obviously agree that it is a good indicator that they notified customers of a breach.

I mean, should they say that they don’t care about your security?

Weird polar opposite stance.

No, that is not what I'm saying. I'm saying don't put platitudes in a breach notification.

they should tell me, what they are going to improve. :)

It rolls off the tongue better than "We now wish to begin taking your security seriously"

"make sure you tell the victims of this breach that we care!"

HAHA ! Too True !

Reminds me of getting "punished" as a child...

Parent: "Now remember this will hurt me more than it will hurt you"

PS. No child were abused in the making of the above comment. My parents were/is excellent !

I'm sure it's also the case that your call is important to them. Isn't that what companies always say while making you wait on hold for 45 minutes?

Along with the stock, “due to COVID-19, our service sucks right now”.

Ubiquiti has typically been the "cloudless" provider which is why I've used their stuff. They've been sorta moving in a disturbing direction for cloud control. I don't want that risk.

I bought a UDM Pro so I could run Unifi Protect. I got three cameras deep and their SSO went down the other day. It was impossible to access from my phone, as their app only supports SSO login.

WHAT? I bought this stuff so I could self-host and _not_ rely on other services. I guess I didn't do enough research when investing in new hardware. I didn't see anything in their spec. sheets or descriptions about needing cloud for Protect access.

You can allow local only logins, I believe, but it might be opt-in.

The protect app will now only work with cloud enabled. Previously you could sign in, then disable cloud, and your session would remain active. It doesn't work at all now with cloud access disabled.

Cloudless if and only if you run their gigantic bloated Java network management tool.

I really like ubiquiti hardware but I got fed up with their software BS. Now I use either Mikrotik or TP-Link’s industrial offerings. Both are way easier to work with than ubiquiti and the hardware is usually in the same tier.

Mikrotik? Easier?

Do not get me wrong, I love Mikrotik, but easier would not the word I would be using. This image (https://www.reddit.com/r/mikrotik/comments/jyjgnc/mikrotik_v...) sums it up neatly.

Also, Mikrotik is not directly comparable, you cannot replace Unifi Controller with Capsman.

Only thing disappoints me about Mikrotik is the wireless performance of their routers, which seems to that is more about the RouterOS then the hardware itself. You can never know if the next update will improve or worsen WiFi perf. Otherwise they have really good products.

It is both. Hardware-wise, many Mikrotik products are shipping with just 2x2 radio. Software-wise, even where hardware supports it, RouterOS doesn't support MU-MIMO and beam-forming (there is some preliminary support in the ROS7 beta, for selected chips). There are also some weird bugs, like when you have a client with Intel WiFi and it is unable to connect to VHT80 band... but all the other clients do not have such problem.

So in the end, for APs, I'm using Unifi.

MikroTik is great, but hard to configure compared to UniFi AND capsman NEVER worked reliably for me.

... we run it on a raspberrypi. Not sure I'd call that gigantic or bloated.

RasPis have a fair bit more grunt than people give them credit for.

The big problem with the Ubiquti thing is that it takes a long time to start, so if your usage model is to start it whenever you want to make a change it's rather piggish. If you start it once and leave it running forever on a dedicated device it's not nearly as bad.

Its not a great solution. The application logs and writes to storage alot.

Also it usually works fine, but when it breaks, it breaks HARD

Agree. Our DHCP pool is around 200, so we're not talking a huge amount of data. If I were running any bigger of a LAN I'd definitely ratchet the skookum factor up.

You can also just run a docker container for it [0]. This has the added benefit of separating your data from the runtime so you can move it around as if you had a physical cloud key.

[0] https://hub.docker.com/r/linuxserver/unifi-controller

Yeah ... I find that the containerized UniFi controller tends to crash after a few days with various Java errors. I've tried several different unifi-controller containers, although I haven't tried this particular one so I'll give it a try.

That particular image has been problem free for me on unraid for I dunno feels like years now. They did do some update that I missed the notes on that wiped out my database and I had to re add everything. Wasn't too happy about that.

I have tried a couple of others before and have currently been using:


But every couple of days, the logs start to fill up with random java exceptions, then it starts leaking memory and eventually brings the host to a grinding halt and crashes.

I've had no troubles when using the Cloud Key Gen2 Plus, but I like the idea of the controller NOT being located on site.

I shouldn't have to run a docker appliance for my network appliances to function. Are you kidding me?

You don't. The docker appliance (or whatever platform you use to run the controller) only is needed for config changes. You can shut it down when finished making changes and everything runs fine. The install at my mom's house has the Windows controller, and I don't think it's run in 6 months.

They have a little device (IIRC they call it "cloud key" or something like that) that runs that interface pretty well. Much better than setting that UI up on a device yourself.

The CloudKey is actually pretty decent -- the CK2 Plus Gen2 if you're running UniFi Protect.

I've been running the Unifi controller on a Raspberry Pi 2 for four or five years now with no problems that I can recall.

After the initial installation and configuration was done, I've probably only logged into it a handful of times.

(With the exception of their APs and said controller, I avoid Ubiquiti as much as possible, though.)

You don't need their Java client (which I agree, is BS) if you use a Cloud Key or a UDM PRO.

Argh, why do I learn about this from HN when they pretty much force me through the cloud login with UDM-Pro. Nothing in the dashboard. Also I think http://unifi/ is crap from a security standpoint. Their threat management also seems to be just some kind of a bad joke.They could for example do a nice hardware based honeypot that you have to untrigger with physical access. They could offer so much more for prosumers providing sane defaults for a common case of having multitude of devices at your home which can be categorized as intruder but expect to be on the same network as your phone.

Is there a better alternative? When I tested multiple routers mostly regarding low latency, network stability and reliability a few years ago nothing came close, especially when having multiple access points.

I’ve become a big fan of MikroTik routers and 10G/SFP+ router/switch hardware in the last few years. Their web UI and SSH console are a bit quirky but the performance is pretty great for the price.

My primary use case for their gear at home was to have a router that can handle a LACP WAN bond for my fancy cable modem as well as connecting to a 10G Ethernet switch via copper or direct-attached SFP+ to a CRS-305 10G switch. Their RB-4011 was a perfect fit, without any of the Ubiquiti SSO/controller stuff to worry about.

I haven’t explored their WiFi products yet (still using an old router as an AP) but their product range is pretty broad. Might look into it this year though.

My primary use case for a home router is solid set and forget qos. fq_codel and cake were recently added to routeros v7 beta, which means I will be plugging in my hEX again after a few years of happy edgerouter x usage.

Also interested in what access points (besides unifi) people pair with mikrotik routers. Any wifi 6 recommendations?

The standalone Ubiquiti access points are still great IMHO. It's just their recent prosumer gateway/router product line that's really struggling. I've had a great experience with the older UAP-HD-PRO. Their newish $100 Wifi 6 U6-Lite AP is tempting but haven't tried it.

If you just need one AP you can set it up in standalone mode and forget about it. If you want more monitoring and control you'll need to have a Ubiquiti controller running to manage things. (can run one in docker, on a rasp pi, or just buy their "Cloud Key" product.)

Their Edgerouter VyOS products are awesome too. I won't touch their Unifi stuff but I can't find anything that's even in the same price ballpark as the EdgeRouter 4.

> If you just need one AP you can set it up in standalone mode and forget about it

unless you need any feature besides wifi at all. then you need a controller and usg at all times.

For awhile I was actually using a UniFi NanoHD for my AP. Performance and stability were great but running a Docker container for a Ubiquti Controller (for a single AP) was annoying enough for me to bail on it. My old Asus router with OpenWRT has been fine for now and doesn’t require me to run a container. :)

I’m still looking for a proper WiFi 6 replacement that can hook up to my 10G core, ideally via 2.5/5/10G copper or preferably SFP+ DAC. Nothing’s jumped out at me yet though.

If you just want dumb WiFi, you can provision and remove the controller. Nowadays you can even do this with the UniFi phone app (standalone mode let's you configure and update firmware).

I've had a UAP AC LR at home for a few years and we've got about 6 UAP AC HD at work. We used the phone app to provision and after that you can pretty much forget about it. Great for small startups that want great coverage and dont have someone who's supposed to mess around with it.

I'm curious as to what you are doing with qos in a home setup.

Late reply, and the other reply covered it really.

Up until around a year ago I was on adsl2 with a highly symmetrical connection. I work from home mostly as does my partner, with constant syncing to various cloud services plus large uploads and downloads for work.

Maxing out the puny 1Mb of upload would render the entire connection completely unusable. Yes, you can manually limit various apps but it so much easier just to throw an edgerouter x in front of everything running stock smart queue or cake.

I'm on a faster connection now so uploads are not so much an issue, but even still it works a treat for things like gaming / VOIP.

Not have VoIP or gaming get disrupted whenever a large upload runs.

On my previous ISP latency would reach 2000+ ms when I let Dropbox sync or downloaded a huge file. Even web browsing would time out. I used Tomato to prioritize DNS, my VoIP analog telephone adapter, the first 256KB of any HTTP(S) connection, and some 27000+ ports used by games.

My current WAN connection reaches 300 ms without fq_codel enabled. With it enabled there's no jump in latency.

Yes, I recommend MikroTik as well. Got two of their cAP wireless access points. All the features you would expect on enterprise level kit at 1/4 the price easily.

Because there are so many features the setup is not as easy as some alternatives I'm sure. But the value proposition is great.

Their "RouterOS" is standardised over pretty much all of their kit. So after you have worked it out once you should be set for anything else.

One of the reason Uniquiti is so loved by techies is that you can recommend it to family/friends or set it and forget it for them (regular users also find the phone apps impressive and easy to use - it's an Apple like experience for network gear).

At this point there are probably 20+ home Unifi networks that i'm responsible for recommending or setting up, doing the same with MikroTik might turn me into a full time sysadmin :)

> connecting to a 10G Ethernet switch via copper or direct-attached SFP+

> RB-4011 was a perfect fit

Huh, isn't RB4011 the one with the very weird "you can't use a DAC in the SFP+ port" limitation?

> haven’t explored their WiFi products yet

They seem extremely underwhelming, especially in terms of software support :(

https://help.mikrotik.com/docs/display/ROS/WifiWave2 — they're finally barely rolling out WPA3, MU-MIMO/beamforming, 802.11w — in an optional beta package for a beta version of the OS, currently on 4 devices, breaking 2.4ghz on one of them, and breaking CAPsMAN (centralized management).

I had to get an active DAC cable (S+AO0005) for the RB-4011 because of the quirk you mentioned. Works great with the active cable, which was about $50 I think. I was glad I read the manual beforehand. :)

Thanks for the update on the WiFi side of things. Seems likely that I’ll be looking to another vendor for APs, but that’s fine.

Do you know how ubiquiti's "edge" line compares to mikrotik?

Ubiquiti has a polished interface that's relatively simple to use for something with enterprise-ish level features. They also have some pretty good docs. For example, their article on the harms of Broadcast/Multicast packet storms [0] is useful even if you're not using their products. Same goes for the RF Antenna patterns docs [1].

That said, my next router/gateway won't be from Ubiquiti. Though I'll keep using UI access points for now.

[0] https://help.ui.com/hc/en-us/articles/115001529267-UniFi-Man...

[1] https://help.ui.com/hc/en-us/articles/115012664088-UniFi-Int...

I'm a Mikrotik user, not a Ubiquiti user, but looks like the closest match would be Mikrotik's CRS (Cloud Router Switch) line. My home network is a CRS317-1G-16S+RM at the core and three CRS305-1G-4S+IN (one in each room), all running SwitchOS/SwOS instead of the stock RouterOS (they dual-boot, your choice), and I am very happy with them.

The Mikrotik CRS will work as a "gateway" right? That is, run a DHCP server, connect to my cable modem, provide local DNS, etc? Thanks!

If you can run RouterOS (you can) you can do all that stuff - switchOS is much more like a bare-bones packet switcher; RouterOS is a full-fledged network OS.

Check https://mikrotik.com/software for some demos and stuff.

Yep, that’s how they come by default, booting into RouterOS. I prefer my switches to just be switches, though, so I run SwOS and do all that service stuff jailed on a FreeBSD router PC.

What APs do you use with a MicroTik setup?

I like Aruba Instant APs, the kind that don't require cloud management or a separate controller, though it seems they've folded the IAP line into the regular AP line or something with their new Wi-Fi 6 gear.

I'm still using Wi-Fi 5 because it's fast enough and cheaper. My central AP is a IAP-315, an IAP-305 in the garage, and another IAP-305 at the wall by the back yard. They're all PoE and linked with wired backbone to form a single big coverage area using a single elected IAP leader as controller for the rest.

You shouldn't have trouble buying grey-market ones as long as you are careful to stick to the same regulatory domain for all of them. Aruba gear is available as USA/FCC, Japan, Israel, and RW (Rest of World) versions. I have operated RW units in FCC territory (proooobably legally but probably not worth the risk) by setting them to "US Virgin Islands" so they match FCC-allowed frequencies and power limits, but linking more than one AP still requires the hardware to be same regulatory domain.

Having owned several products from both, Mikrotik equivalents are generally way more feature packed but I find them hard to use. EdgeMax stuff is more polished, but has fewer features. Performance is comparable for the most part.

After having worked intensely with Ubiquiti Edge devices (their routers specifically), I'd recommend them time and again. Their Debian derivative EdgeOS is great to work with, both as an enabler for advanced administration, but also an approachable web ui (plausible to offload many issues to support desk without requiring insane amounts of dedication to the Craft).

For mad scientists though, the very open software stack is a good friend to have when 11th hour Requirements® dictate you must produce a rabbit without a hat, or rewrite your own domain-specific implementation to replace the Avahi service.

No experience with Mikrotic.

_On topic_: With cloud news like this, it's nice to know about the availability of Ubiquitis' Network Management System[1] which you can host and run wherever.

[1]: https://unms.com/

MT radios are inferior to UBNT for some outdoor non-WiFi applications. 802.11ac vs the proprietary AirFiber. Agree that MT is often a better option for wired scenarios.

Does it support Wireguard?

Also RouterOS does not seem open source.

Sadly RouterOS isn’t open source. They’ve received a bit of flak for their “available on request” stance on getting GPL sources too. The fact that their GPL patches aren’t readily available is pretty uncool.

WireGuard isn’t supported on RouterOS 6, which is the current stable version, afaik. RouterOS 7 (currently available in beta) did support for WG in August though, as part of 7.1beta2 [1].

[1] https://mikrotik.com/download/changelogs/development-release...

If you have any more details about the GPL issues with Mikrotik RouterOS, I recommend reporting them to the Linux developers via Software Freedom Conservancy, who have copyleft compliance projects:


V7 supports Wireguard and UDP OVPN, it's in beta but reasonably stable, at least for home use.

finally! been waiting for any UDP VPN from mikrotik since ... 2008?

I use a Microtik hAP AC (Small little SOHO style router with an sfp and PoE). You can easily flash it with OpenWRT and use wireguard on that. All open source too.

It's great hardware but I'm no personal fan of RouterOS.

Huh. What's the experience like? Eg are there any driver issues, or edge cases with unimplemented/missing bits of functionality?

It's brilliant, everything works fine. I've even used the USB port with a smartphone for 4G backup tethering (just need to add relevant usb packages, the openwrt wiki details all this). Plus there's the luci web interface which runs like a charm. No complaints whatsoever.

Although it isn't OSS, it's based on Linux and therefore semantically comprehensible by someone familiar with iptables, iptraf, etc. Unlike say IOS which will explode your brain.

RouterOS is not, but Mikrotik added wireguard support to their firmware sometime in mid-late 2020. IDK if its out of beta yet.

No, still very shitty beta sadly. In mikrotik communities routeros7 is a meme (it'll never arrive). Even though its here, its not.

A few months ago when ROS 7's first few public beta releases were out (and before then), I'd agree with you.

However, MikroTik seem to be making slow but steady progress with new features. Stability is still an issue to an extent, but for home use I could almost make the jump.

In fact, if I didn't use CAPsMAN to centrally control the multiple access points in my home, I would make the jump purely for fq_codel/cake AQM, Wireguard and WPA3.

Mikrotik phones home too

I'm in the process of replacing my home Ubiquiti infrastructure. Here's what I've decided on:

Replace the US-24-250W PoE switch with an Aruba Networks S2500-24P (gigabit and PoE, 4x 10gig ports, quiet).

Replace the Cloud Key Gen 2 with BlueIris for camera controller. I expect this will be able to connect to the existing Ubiquiti cameras.

Possibly add one or more Ruckus R610 APs running in "Unleashed" mode to augment my Google WiFi. I'm happy with the Google WiFi, and in particular it has good tools for managing kids access to WiFi. But the Ruckus APs are quite good and so I may move parent and IoT access over to Ruckus, separate out IoT devices to their own network.

This is the end of phase 1. Then I plan to go on to:

Add an OPN-Sense router. Currently not using Ubiquiti for routing, the Google WiFi is our main router. Would like to gain additional capabilities like insight into what the kids are doing.

Replace the Ubiquiti Dome G3 with one of the less expensive 4K cameras if they seem to provide similar or better functionality. Also trying out the Wyse Cam v3, which seems ok and the price sure is right, but is more of an augment camera than a main camera, I prefer wired and PoE.

I've been doing some research and those are the options that seem attractive. In particular, going with old enterprise gear looks to be a huge win. You do lose that handy "single pane of glass" management. But considering the problems I'm having with Ubiquiti, and the upgrades I've already done to try to get past them, with only some success, I can't bring myself to go further in on Ubiquiti.

The reason most people go with Ubiquiti for home use is the price -- that Aruba switch costs $3500 new. The ubiquiti switch costs about 1/10th that at $399.

Can you get free firmware updates from Aruba or do you need a support contract?

I guess I could have pointed it out more clearly: I'm going "used enterprise" as the route for replacement. As you say, yes, this switch was $2500 new (that's what I saw when I looked), but I bought one for under $100 on ebay.

Similarly for the Ruckus R610 AP I mentioned: Those APs were a grand new, but you can get them for a bit over $100 on ebay. Linus Tech Tips did a comparison of it with other consumer units, doing heavy multi-device streaming, and Ruckus was the clear winner.

Yes, Ubiquiti looks like a good value and they make some very interesting products. I've used some of them to great effect over the years. But my experience with the NVR and cameras and switch and Cloud Key has been relatively bumpy. Enough so that I'm ready to ditch the convenience for up-front loading and hopefully day-to-day more realible.

That is a good price for the hardware, but what about the firmware? Do Aruba and Ruckus give free firmware updates?

Have you looked at the power consumption of the switch? I've run some enterprise gear at home in the past (my favorite was the E-450 Sun server which an ex-employer gave me for free), but when I started paying for my own power, I found that even if the hardware is free, the power consumption makes it expensive.

Looks like Aruba has the most recent firmware available for download here: https://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?...

Most recent version is a couple years old, but it was EOLed 3 years ago.

Ruckus firmware seems to be downloadable from their main product page for the R610, updated a month ago.

Re power consumption, it looks like the Aruba pulls around 50W idle, and the Ubiquiti pulls 29W idle. Of course, if I can get rid of the second switch I've been running because the Ubiquiti keeps blocking the Google WiFi ports, that brings it even closer. :-)

You do have to sign up with an account at HP to get the firmware, and it won't let you use a gmail account, but once I signed up I was able to download the latest firmware and update to the latest. Just FYI.

You can get S2500-24P from eBay for 125 US or so each.

I hear these are great little boxes for running PFSence and OPNSense


There's also Netgate hardware, which has the added benefit of supporting development of pfSense. I have the SG-3100 and have been very happy with it.


Takes a bit of searching to find the hardware section (it's under products->appliances) https://www.netgate.com/products/appliances/

Do any of these pfsense setups allow an Orbi-style network? I’ve been really unhappy with my last several router purchases.

No, you'd still need a 3rd party like Orbi or Ubiquiti. I'm running a few Ubiquiti FlexHD's in mesh and have yet to have any issues.

we're happy you're happy!

I've never used those ones but I can recommend these ones (originally from the US, moved to Switzerland): https://pcengines.ch

Second these guys; really easy to set up (though I did have a nightmare getting a reliable USB-R232 converter for the initial bootstrap).

Not sure if you found a good one, this one has never failed me: http://amzn.com/B00425S1H8

With a male/male extension: http://amzn.com/B00QM8ZP5E

Will take a look at it!

My current one I've nicknamed a "Pirate" R232 adapter because it has an unfortunate and hilarious effect of duplicate the lowercase 'r' character for some reason (so I see Arrrrrrrrchlinux).

I mostly administer via SSH so it's all good at the moment.

That's hilarious.

Thanks for the pointer. I was planning on running under a VM. A dedicated box would be nice from just a reboot standpoint. I was looking at getting one or two of those HP COMPAQ ELITE 8300 boxes off ebay for $200, but they probably only have one Network interface, so I might want to add another.

I have two, and yes, they are freaking amazing. I run CentOS on mine.

I don't usually run any services since I prefer to dedicate boxes to things, but I have in the past run a number of services, including minecraft and minetest on it and it flies. Really pleased with it.

What will you do now that CentOS support is going away?

white label brand. You can get those boxes from alibaba for <$100. There are intel/amd/arm versions.

Blue Iris is a great piece of software and Ken the developer has constantly improved it. I think there's a way to get the RTSP stream from your existing cameras.

One of the slick things you can do is add machine learning to it and have motion alerts based on what is detected in the video (person, car, bear, those are some of the built-in options). That looks pretty slick.

I'm trying to recall, but maybe someone else can answer: do the UniFi cameras stream RTSP directly still, or do you still have to run their controller and re-stream it?

Log into the WebUI, set it to whatever the non-Unifi Video mode is, update the firmware, repeat, set your RTSP config, good to go.

I use Blue Iris with my Ubiquiti cameras. Works like a champ.

This sounds good, but are there any good alternatives to BlueIris that would run on a Linux server?

I'm not aware of one, but would be interested if there was. I'd prefer to run it on Linux. Zoneminder seems to be the common recommendation, but most discussions I've seen of it have not been very positive.

There's Xeoma and Blue Cherry, neither of which I know very much about. Never heard anyone mention either of them. So I figured BlueIris was what I'd try. Seems to be what everyone on YouTube is using...

I resisted for a long time, but after finding that there is no good home router that doesn't have major security drawbacks I decided to just build my own [1]. It's a bit of a chore to set up but works better than any off-the-shelf device I've ever owned. I run Debian, but I've heard other people using OpenBSD with great results as well; it's all about personal preference and what you're familiar with...

[1] https://nbailey.ca/post/linux-firewall-ids

What about mikrotik? I've got the RB4011 and found it to be the perfect home/small business router

I used a RB750Gr3/hEX router for nearly a year, and I wasn't terribly impressed by the software. The hardware seemed neat, but even as somebody very familiar with routing & switching I found the UI to be rather obtuse.

The other reason I decided to 'roll my own' was an in-line IDS. There seem to be 'hacky' ways to get Snort installed on the RouterOS platform, but the CPUs aren't really powerful enough to run DPI with a sufficiently large ruleset.

I also like the ability to use Ansible to manage my router/firewall. There are modules available to do this with RouterOS, but they don't seem nearly as robust and mature as the built-in Linux utilities.

Just ordered a Chinese box with 8th gen U-series i5, 8 GB of RAM and 120 GB of SSD. Has six ethernet connections, HDMI and COM. Planning to install OpenWRT to it, and with AES-NI the system should be easily able to push the full 1 Gbps of traffic through Wireguard.

I've had whatever routers before, but mostly when using some VPN to hide the traffic from your home network, and if having fast enough internet, a good CPU is a must.

I still put the important part of my network behind my own router similar to yours (and in terms of security I think ubuntu server + whatever you need has likely much smaller attack surface than OpenWRT which is a piece of software just too tasty not to be exploited).

Outside that, wifi part is hard to get right and smart switches are nice to have, but they are PITA if the firmware is never updated and there's no single place to nicely manage it all.

Can you expand on the security of an Ubuntu server (acting as firewall, router and vpn), versus a dedicated router hardware and software (eg pfsense or OpenWRT)?

openwrt contributor's focus is consumer hardware support.

I don't think the distro was ever security audited.

I'm having already Unifi's AP's, the controller running in my NAS and a good switch for the current setup.

Do you have some better suggestions for the router software? I'd love to run Opnsense, but a native Wireguard client is a must, and so is a good web interface for the setup.

Link to the box you got? That sounds interesting.

Oh, sorry!

These are available from Europe, but I've heard good things from US about similar boxes, when I searched with "best pfsense computer". Not the same brand, but similar hardware.


Let's see how it works, but I expect it to be much faster than my current ARMv7 box. Of course if you have space for a rack, go with something actively cooled. In our apartment, we expect the router to not make any noise.

Despite the name in the Amazon listing, it has nothing to do with Mikrotik; also a 1Gbit ARM Mikrotik router/firewall can be had for considerably less.

I can't read German, but maybe it's a bare Mikrotik router board in a custom enclosure?

That said, it also says 'Pfsense', so I suppose more likely it's a typical 'Chinesium' listing.

How fast are the ARM CPU they have in their routers, do they support AES-NI and how much data you can push with VPN encryption through their boxes?

The current ARMv7 I have goes to about 100 degrees Celsius and loads in the level of 4 to 6 when downloading a bunch of data full speed.

I'm not sure if they support AES-NI on ARM. I found some changelogs indicating that they do support it on x86 and x64, and most ARM routers list "hardware IPsec" encryption, so maybe?

$350-$400ish search AliExpress for "i5 7200U firewall"

Also curious, and wondering how much that cost.

similar boxes are on amazon, with worse(ish) specs under the brand "Protectli "

Raspberry pi 4 compute module might be good for building your own router too. You can attach a pcie network extension or usb to Ethernet for local usage. All of that would cost under $70.



Edit: You would be better served by other boards from this benchmark repo for vpn usage: https://github.com/ThomasKaiser/sbc-bench/blob/master/Result...

It's worth noting that the Unifi gateways have hardware offload for traffic routing.

While a Raspberry Pi might work for some folks, it's worth noting that these are two very different performance classes.

How is it great with one NIC?

Ethernet adapter and USB speeds seem less than ideal.

I don't need many ethernet ports so it works for me. My home network speed is less than a gigabit.

It's definitely not for people like OP but may work for other people who don't want to pay much and still have something decent that they can hack themselves.

I have tried to flash open firmware on my router before but it didn't work out. I had a raspberry pi already so I decided to convert it into a router and use it.

A Pi 4 can handle about 1 Gb without issue. It is a great option for consumer workloads at consumer prices. I've certainly seen far worse consumer gear.

The CM4 can hit up to ~3.4 Gbps for one interface over PCI-E, and 4.15 Gbps if you also use the onboard Gigabit interface. Use a 1, 2, or 4-port network card and you can do some interesting things at 1+ Gbps: https://pipci.jeffgeerling.com/#network-cards-nics

It misses AES-NI though, so missing encryption hardware and would be subpar if running a VPN client for the network...

FWIW, I tried using OpenWRT on a box with similar specs to yours and it was a nightmare. Ended up using FreeBSD instead and it was a vastly better experience. I think OpenWRT might only be worth it on very low-spec hardware.

Hey! Could you please share what you think didn't work so well with OpenWRT? I'm currently running a Turris Omnia with their custom OpenWRT that I know how to use and it's been working quite well. What's missing is a better CPU to run Wireguard encryption full speed through our fast internet connection.

I'm seriously thinking about pfSense or Opnsense, but FreeBSD still misses native Wireguard support, leaving the encryption to the go implementation, which is subpar for our use cases. But, I'd be happy to run Opnsense, with jails and all those goodies from FreeBSD.

Since Netgate (the company behind pfSense) paid for the Wireguard work, you can make a good bet that same will appear in a near-future release of pfSense.

Wireguard has been merged into upstream FreeBSD almost a couple months ago.

FreeBSD 13 is out in March 2021 and opnSense with that system much later. Might be a bit complex to go that route right now, but it might be a great choice one year from now...

"with AES-NI the system should be easily able to push the full 1 Gbps of traffic through Wireguard"

You were probably thinking of OpenVPN? Wireguard is not based on AES and thus has no use for AES-NI.

i've got this on my todo list of projects. looks super interesting. there seem to be a lot of flavors of these boxes and i'm having a difficult time figuring which one will work best. i don't know anything about the manufacturers.

Another endorsement for mikrotik here...spent a lot of time in the WISP space and doing CPE installations. Mikrotik all the way down - text config files (version control), ssh-like remote terminals on all endpoints, full feature-set on even the most basic hardware. I've taken them into other jobs and other engineers have been happy with them.

The cons are that everything has one or more "mikrotik" way of doing things, and it may not be intuitive to the new user. Also, although everything is included, you have to set it all up yourself.

Another con is never ending regressions between versions.

> Argh, why do I learn about this from HN when they pretty much force me through the cloud login with UDM-Pro. Nothing in the dashboard.

They’re still sending out the email. Mail chip will be rate-limiting the send rate to prevent email providers from block listing them.

Give it a couple of hours and no doubt you’ll have an email as well.

Just for reference, I did receive an email from them.

I received one as well approximately an hour ago.

I still haven't received one, I'll update this comment if I do.

-edit- I just received it at 2:42 pm pst

I got an email for a secondary account I had forgotten about at 4PM PST.

i haven't got an email yet either

Finally got it too (aprox 4pm PST).

Make sure you turn off Remote access in your device.

Probably can leave on local login (w/Ubiquiti acct) but should turn on 2FA

Ubiquiti let users disable the cloud logins with UDM Pro, after a pretty big backlash on their forums.

You do need a Ubiquiti account to setup the hardware in the first place, but you can turn off cloud access and login locally after that. And you should.

How? I have been looking for this setting but haven't been able to find it.

On the landing page after you log in, click Users at the bottom. Then click Add User or Add Admin, and just set the Account Type to Local Access Only.

Oh but this doesn't actually disable remote access on the UDM side, does it? It's just a flag that the cloud host can choose to respect?

You need to go to the settings for the UDM/UDMP itself, not the network controller, and disable remote access there. It's a bit hidden.

I turned off cloud login a while back. There’s a toggle in the settings for this.

I was confused by the parent comment too. Aside from the remote management features, if you turn off cloud login you still get everything else. Maybe it's something specific to the USG Pro? I've only used the smaller USG.

I recently invested in UniFi hardware with the UDM Pro and this isn't exactly correct. UniFi Protect (the video security line) requires remote access and Ubiquiti Cloud accounts or it will break in a million weird ways. If you disable cloud login you cannot reasonably use UniFi Protect.

As someone who uses UniFi Protect and refuses to use cloud-login: I disagree somewhat. It works fine, but the mobile apps become non-functional even on the same LAN. I haven't ran into any other problems.

> a major feature within my own infrastructure is completely broken

> can't see why disabling cloud login is a problem


I was responding to "will break in a million weird ways" which is FUD to my eyes.

I do agree it is a big limitation, and I am looking for alternatives as Ubiquiti do not seem to be prioritizing getting their app to work without remote login which is truly unfortunate, since the predecessor, UniFi Video, supported this.

Good catch. Since USG is Unifi Security Gateway, I kinda just mixed it up with Unifi Protect. Still a troubling development IMO.

Not USG but UDM-PRO. It was the first device from them that required me to make an ubiquiti account to set it up.

Well this is a disappointing development. I'm currently using EdgeRouter hardware, but was considering moving to their Unifi line for my next upgrade. Guess that's off the table till I can use these without cloud access.

Other comment seems to imply that only Unifi Protect really requires an account, not any of the networking functionality


Fitlet2 looks rather nice to me. Outfitted with an Intel J3455 CPU, and 2-4 Intel NICs, it is really power efficient for its performance class (idles at ~6 watts, for those that care). There are also some Chinese companies producing slightly cheaper boxes in this category- Qotom, Kettop, Protectli.

When it comes to software, I'm conflicted. I like pfsense, but Netgate has gone a bit sour with the FLOSS community. I'd also consider OpenWRT, FreeBSD, OpenBSD.

I had a fitlet2, was super excited about it, and took awhile to find one.

I had to do some work to get it to boot properly, and it worked great for a year or so, but then it just died one day, and I could never figure out what its problem was.

Out of warranty by the dead date, never bought another.

Been using a $100 HP 8300 SFF with an i7 since, it's a bit overkill, but the price was right.

Just purchased a Lenovo M90n iot when it was on sale for $215, will see how it works out once I get it.

Protectli seems to be a US company rebadging these Chinese devices. But apparently also putting coreboot on them now, which is nice. I wonder if their coreboot board configs are open source.

> I like pfsense, but Netgate has gone a bit sour with the FLOSS community

I haven't kept up with pfsense. Any chance for a tl;dr?

Okay this seems like a compelling reason to switch to OPNsense https://docs.opnsense.org/history/thefork.html#transparency

Ok TBH I'm unprepared to back up my statement. I only vaguely recall second hand heresay in regards to their exchanges with OpenBSD developers.

I’m running pfsense as my router and TP-Link access points. I run their controller in a container locally and everything works great together. Super happy.

I think for some use cases this setup could be a nice alternative (and cheaper) to ubiquiti.

The HN story is a link to the Ubiquiti email sent via MailChimp. You may not be on their mailing list, but Ubiquiti is actively letting people know. I got the email at 2:31pm PST.

Did you happen to write up the results of your router tests? I'd be really interested in reading up on them! I recently picked up an old Apple Airport Extreme so I could easily set up Time Machine backups on my network, but obviously Airports have their own host of issues so I'd be really interested in upgrading soon.

I don't, but it was a narrow case. Part of my home-made home automation runs on wifi so I was focusing on low latency and no packets lost when using wifi in my specific building. Top of the shelf routers all had some occasional hiccups. I think the good old WRT54GL did much better than them. Plus it was done with the set of wifi receivers available to me at the time (mostly cheapos connected to rpis & esp8266).

This is not a common use case, I was not interested in high bandwidth. I did try to disable beamforming and all other fireworks when testing though (but did tests with default settings too)

A second-hand Mac mini is an alternative that I've used for network Time Machine backup targets. Can also turn on caching iCloud/App Store/system updates for your home, if bandwidth is metered and/or slower than your local speeds.

Aruba is a few notches up. But any of the cheaper companies use merchant silicon, open source services, etc.

Honestly, unifi is great for what it is. What kind of IPS do you expect for $100?

If you want less risk, you need to move up the $ ladder.

I run a Netgate SG-5100 (PF-Sense) as the main router, the Unifi controller and Access points are al behind the Firewall. The AP and switches are really good, not the DPI/IPS/IDS solution (those suck)

Great router!

The only issue I have with Netgate is pricing!

Protectli is a pretty common alternative.

Protectlii isn't paying for software development or testing, either.

I received an email notification before the HN article fwiw. However when I reset password for the email address they notified...crickets. I don't use UBNT for anything other than forum posts though..

Second miracle: less than 1h after posting on HN I received the reset email.

Yeah I originally bought their hardware after being recommended it here. Really regret that now, as I realize it was just marketing doing work.

We are just as susceptible to the stuff haha.

Have you tried MikroTik gear?

Speaking of security... I fell for their marketing and slick Apple-like design and decided to add a UDM-Pro router and access point to my pre-existing network. I thought I was doing something wrong when the UDM-Pro ignored everything on my network that wasn't connected directly to a Unifi device. I asked about it on the Ubiquiti subreddit and basically got blackballed for "whining". Opened a support ticket with Ubiquiti and they confirmed that you can't work with any clients on non-Unifi hardware.

So basically all you need to do is plug a laptop into a non-Unifi switch on someone's Unifi network and are able to breach the firewall.

Needless to say I was flabbergasted at the vendor lock-in strategy worse than Apple, and asked for a refund. Thankfully they complied.

I now have a hand-rolled OPNsense router that does everything I need, and with MUCH more configurability.

Hmm.. I’ve seen a few UDMP deployments with third party switches in place, which still have visibility into the clients connected through them. You can’t manage the switches obviously. If you’re trying to do client management functionality that would be handled at L2 (MAC whitelisting on a switch port, etc) UBNT’s management interface won’t abstract rando vendor’s functionality for you, but isn’t that expecting a bit much? Meraki deployments won’t do that either, if I understand what you’re after (and maybe I’m not).

As another comment said, your strategy about breaching the firewall is confusing but it sounds like a configuration issue. If your aim is to default deny outbound traffic, or traffic from or across the LANs except for approved devices, that’s an achievable aim regardless of what switches are in the mix. If you’re trying to do port level security, you’d need a managed switch, Ubiquiti or no.

I am not sure I am following, can you elaborate? The way you wrote it sounds impossible.

See my response above.

I'm not clear what you were trying to achieve?

You had unmanaged switches on your network, and were trying to manage thier downstream connections?

What exactly do you mean by 'breach the firewall'?

It's a basic home network. I had a simple netgear unmanaged switch and an apple airport extreme in bridged mode. The equipment works and i didn't want to add more trash to the landfill and spend money i didn't need, so I wanted to continue to use them.

There is no way to identify any clients on your network that are either behind the switch or behind the airport (even in bridged mode). I would expect at least some list of clients based on DHCP leases or the ARP table, but they are not accessible through the UI.

I have a robotic vacuum from china, and i want to stop it from calling home. There's isn't even a way to find out the IP or what traffic it's sending through the UDM pro, and no way to set blocking rules from the UI.

I understand if they want to provide wifi mesh support and other special wifi features for unifi devices only, but the supposed "enterprise grade" router and FW functionality should support standard network setups, since all traffic goes through the UDM-Pro, and it is certainly aware of the clients since it gave them DHCP leases, and they are in the ARP table (which is only accesible through the SSH command line) and are on the same subnet. It's unacceptable in my opinion.

This is not entirely accurate.

The default logging may not capture the individual child clients, depending on your configuration (eg double nat), sure... but those child clients are still entirely at the mercy of your configuration otherwise. Saying that the clients are completely invisible/invincible, and that the fault is the Ubiquiti product, is not true.

You need to read my comment again. The clients are behind either a bridged AP or a switch, i.e. all on the same subnet, all getting their DHCP addresses from the UDM-Pro, all in the UDM-Pro's ARP table. There is NO double NAT happening here.

Furthermore I didn't say they were invincible. I just said they were invisible to the UDM-Pro's UI. Unless you have a blanket ban on outgoing LAN traffic, which would be absurd, there's no way to block access for a particular client or a particular destination address for that client.

In the case I gave, a Chinese robot vacuum with no on-device interface, please tell me how to find the IP of this robot, then block outgoing traffic from it, without SSH'ing into the UDM and running scripts. That's right, you can't, because the UDM-Pro doesn't support it.

I never said you were using double nat, but noted it as an example in which you may have these issues.

> Unless you have a blanket ban on outgoing LAN traffic, which would be absurd, there's no way to block access for a particular client or a particular destination address for that client.

To the contrary; this is exactly what you should be doing. Isolated subnet for these untrusted devices. Block by default. (Whitelist only)

I used the word invisible to describe it missing in the ui. I used the word invincible to describe your lack of “management” (ie; blocking) of the device.

What I am trying to suggest, however, is that the UDM is likely not the root cause of these issues. I certainly don’t mean to suggest they are the best. The lack of compatibility of features between their product lines is a nightmare.

It's not just compatibility features. They are missing features that low end consumer grade hardware have, and I'll say what I was implying: It's because it's a vendor lock-in strategy, and they want you to replace ALL your equipment with theirs. Explain to me why I shouldn't be able to manage a list of DHCP clients in a piece of "enterprise grade" hardware.


Could you elaborate a bit more about your previous network setup? This sounds awful.

See my response above.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact