I’m moving from an apartment into a house soon and have been looking into getting the house wired so I can have access points in multiple places without being limited by the mesh wifi setups. However, I’m not sure what hardware (or software, if that’s a separate thing like pfSense) to use.
In the apartment we’re using Google Wifi hardware so we don’t need to leave servers in a network closet, but it’s fairly limited and is very tied to Google. One of the most “fun” issues I’ve had is that it caches all DNS requests and will even re-try those requests (I assume with Google’s DNS servers) even if you tell DHCP to report another DNS server (such as if you’re trying to run PiHole internally). Additionally, all DNS requests on pihole come from the gateway rather than the clients, which messes with some of pihole’s features.
Quite a few people have evangelized Ubiquiti hardware, but I’ve been hearing about friends having issues with wifi, and a recent fairly large breach which make me question going all-in.
So, what do you use for your home? Do you run some sort of mesh wifi setup? Do you use Ubiquiti? Are there any other solutions (both hardware and software) you’d recommend?
Openwrt all the way
Same here, OpenWrt as main router and a few dumb APs for wireless
What do you have for a dumb AP?
I’m in the market for something that I can broadcast two ssids (guest and home) and have them on separate vlans.
With what kind of hardware?
Not the OP, but in my case a NetGear R7800. Does 802.11ac, has dual radios so you can run 2.4GHz & 5GHz simultaneously. 4+1 gigabit ethernet ports with a half decent switch behind them that can do tagged vlans.
I’m still using an old tplink archer c7. Probably gonna do an upgrade in the next year or so to get wifi 6. Pretty sure it was something like $80 back in 2014 or 2015.
Not the OP, but I use a Linksys WRT1900ACS. A tad pricy, or was when I got it, but the wifi is good, has native support for OpenWRT, and it’s fast enough to handle gigabit fiber.
I’ve used openwrt in the past for single router/AP setups, but as far as I’m aware for larger properties it wouldn’t be enough, unless I’m misunderstanding something. Is it possible to use OpenWRT with multiple APs?
It is possible, either as an 802.11s mesh or with a number of wired access points set up in bridge mode. I’m currently using the latter and it works fine.
Ubiquiti is the most recommended, but this happened recently: https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
I am not sure the others are much better, but just FYI in case you haven’t seen it yet.
It’s worth noting though that (as of yet, hope it stays that way) you do not need to use their cloud offerings or even have an account with them. It may seem simpler for some use cases, but any cloud offering inherently involves you placing data under the control of a third party. They do try to push this on people though (as do most other vendors, too…), which I don’t like all that much. Being in control of my own data and infrastructure is important to me.
You can host your own controller, both on the internet or locally, or use their “setup app” which AFAIK emulates just enough of a controller on your phone to set up a single AP with a simple config. Once configured, you can even switch the controller off and let them run autonomously.
You should also not (I hope this does not need saying, but saying it anyway) expose your access points directly to the internet (allowing them to be accessed from outside of your network). UBNT also sells other HW (like security cameras) where this is more commonly done, but even there I’d advise against it. Use a VPN if you need direct access. I know of no single IoT/HW vendor with a “clean” or even “acceptable” security track record.
Just as a precaution I would recommend putting some form of additional authentication (eg. basic auth, which surprisingly even works with their L3 controller) before the controller when hosting it in a publicly accessible place though. It’s likely not the greatest piece of software either, as evidenced by its weird dependency requirements…
All in all I’m not saying UBNT can do no wrong, but there’s certainly worse offerings in the market regarding security as well as features.
Yep absolutely!
So I saw in the HN discussion that you now need cloud authentication even for self hosted software.
See the main discussion here: https://old.reddit.com/r/Ubiquiti/comments/kslyh9/cloud_key_local_account/
I will admit I was confused by this because I know others that haven’t had to do cloud auth for their self hosted setups so maybe it’s required with the latest update only?
I got a USG on discount to play around with it and it doesn’t seem like you need to do cloud auth even when I set it up a few weeks ago, though they really push you towards that. I think you have to click “Advanced Setup”, choose “Local account”, and not enable remote access or something like that.
I don’t cloud auth with them. Local accounts all day long on a dedicated vm operating as a controller.
I don’t know about the Cloud Key specifically (I mean, it says ‘cloud’ right on the box), but last I checked and updated you could still download the controller installation packages directly, both from their download site as well as their apt repositories. Running that did not require any cloud setup. Hope that didn’t change :(
tbh I’ve had one access point from them and their software package for management was so hilariously outdated, I returned it instantly
Yes, this is one of the big things that’s making me question using them. I added your link to the original post so there’s more context.
The hardware is still really quite good. I’m using a pair of U6-LRs at home (one in the attic, one in the basement) with a couple of US-8-60W switches, and the controller on a Raspberry Pi, and the coverage and performance are fantastic. Router is an EdgeRouter-4, which is Ubiquiti but not UniFi, so it doesn’t play with the same configuration tools, but I’m really happy with what it gives me too (rock solid, the config tree stuff really works, but also it’s a “real” linux system) so I’m not touching it.
As with others here, I’m not using cloud management — it’s a pretty damn cool feature in some scenarios but I don’t have a need for it.
I can really suggest Mikrotik. They are cheap and very powerful. I have one running in my home as router and access point and it has worked fine for years.
I had a bunch of ARM boards running Docker Swarm, but I am planning to migrate them to some refurbished x86 boxes because they’re struggling too much with CPU intensive applications (think about ELK). Anyway ARM boxes work fine for DNS or home automation services like HomeAssistant.
Which Mikrotik box are you using? I’m considering the catchily named RB4011iGS+5HacQ2HnD-IN to get 10 gigabit ethernet ports plus really fast wifi. I wish I could get away with the hAP AC2 or AC3, but have too many ethernet devices.
Anything with metal boxes is good. They used to make too-cheap plastic boxes as well.
I’ve used RB433s (with capsman) for more than a decade and am a fanboi: Mikrotik still ships new firmware for >10yo hardware and replies to support email with a straightforward factual reply. If you want my undying love for whatever you’re doing, that’s the way to win it.
I am a Mikrotik fanboy as well: in my very past work experience, I have used Mikrotik from small boxes to ISP BGP routers and they work very well. They are not Cisco or Juniper of course, but they cost a fraction and they are very powerful. You need basic scripting skills and sometimes the configuration is a bit tricky (i.e. for QoS) but you can implement very advanced networking features.
The support is good (at least for a free support) and they keep pushing a lot of new features, like Wireguard implementation.
I have the RB4011iGS+5HacQ2HnD-IN. It’s fantastic.
https://lobste.rs/s/dbr7yu/what_do_you_use_for_your_home_networking#c_pkpte7
I have an hAP device. For my use case (I have a 50mb connection) it’s enough. Every room in my house has an Ethernet plug, but I am using a refurbished Cisco 3550 as core switch that I got for free at my job.
I use RB4011 and a pair of PoE powered cAP ac. Copper throughout the house for desktop PCs and TV boxes. In conjunction with gigabit cable works amazingly well.
As far as I can tell, while that model has 10 ethernet ports, they are not switched which means if you treat it like a switch and plug in 10 Ethernet devices and they start using bandwidth, they’re going to hammer your router’s CPU and memory. For best performance, you’re going to want to dangle a switch off of this, instead.
Edit: I stand corrected. The block diagram shows two Realtek switch controllers inside. These are performant, switched ports. You are good to go!
https://i.mt.lv/cdn/product_files/RB4011iGSplus5HacQ2HnD-IN_181032.png
Keep in mind that the 4011 for some bizarre reason does not support passive DACs, which is really bizarre in the SFP+ world.
+1 for Mikrotik. I have a couple Hap’s, Hex’s, CRSxxx, and an RB3011. Excellent kit. Fairly steep learning curve.
DD-WRT router between my network and the ISP router to keep as much in my control as possible and just use their box as an upstream connector, it’s pretty good at that but its UI is restrictive and nasty. Had all sorts of WiFi hassles until I just knuckled down and bought powerline Ethernet connectors for every room with WiFi access points in each one. Gave the 5GHz and 2.4GHz networks the same SSIDs and credentials, let the access points sort out the channels between themselves by setting “auto”, and let the clients sort out hopping where they want. Total awesomeness.
This almost matches my setup with two differences:
I’m particularly interested in how well using the same SSID for each AP works. For some reason, I had thought there were problems with this approach, but it’s been so long since I did research in this area that I can’t remember what specifically I was worried about. So now I’m wondering if I should just make all the APs use the same SSID. Are your phones good about switching to the strongest AP when you move between rooms? If not, can you override it?
Also, do you use the same SSID for 2.4GHz and 5GHz broadcasts? Or do they have different names? (I need to broadcast both because I have some devices in my house that only work on 2.4GHz.)
Hello, yes I struggled with this for a while. I had thought it would be better to have separate SSIDs, so I had “Network” + “Network 5Ghz”, and thought a variety of mistaken things over time about why this would be better. From what I can tell, it’s basically not, although I think to some extent it will depend on the shape and layout of your home. (Also I had tried putting a WiFi extender in a family member’s house where I set the same SSID and even fixed the same channel (I thought smartly) but there were endless clashes and it just didn’t work. I think in retrospect they needed to be on different channels.)
But in short, yes, give them the same SSID and credentials for both ranges, and let the devices just work it out for themselves. Occasionally one of them will linger on one from another room, but this starts to be about shape and size of rooms and distance between APs - fundamental point being 5GHz is higher power but shorter range and 2.4GHz is vice versa. So having both is good, for most coverage, and letting the gadgets work out what they want to do is better than trying to force what you (I!) think they should do, as that’s interfering with the gadget’s WiFi implementations. I have a v old MacBook Air for example which does have a 5GHz implementation on the card but it doesn’t work very well and the 2.4 is way more reliable and actually gets better speeds - even that occasionally will choose 5GHz but mostly it doesn’t, and it seems to make sensible decisions. I used to have problems moving from room to room between different networks and very occasionally I get a bit of drop-outs in a FaceTime call when doing so, but mostly it’s fine.
Same SSID on all APs and both bands, make sure the APs are set to auto-choose their bands, and let everything sort itself out. I even did quite a bit of experimentation with channel width settings including reading up on what the strategy for it should be, but frankly just leaving it on auto always worked out better, and I’ve completely forgotten the rationale for anything else. I think in the last few years this stuff has improved enormously.
NB. This works for me, with 1x Apple Extreme WiFi AP & 3x tp-link powerline APs. YMMV!
Very interesting. Thank you for the data point. I am encouraged to actually give this a whirl!
Worth a try for sure - worst that can happen is you go back to what you already have, and best in my case was it absolutely sorted out my issues :-)
BTW. My DD-WRT router had been getting annoying - I think it was old hardware failing and I was getting increasingly regular connectivity dropouts, but the UI was quite buggy and weird in places too. So I decided to try something else out, and replaced it yesterday with a Mikrotik hEX S. Nothing else changed and yet I get a (so far) reliable 5mbps increase downstream, and noticeably faster DLNA streaming starts on the LAN. (Also mDNS discovery but can’t help wondering if that was some issue with the old one.) And it’s really small and neat. And cheap. The OS & UI are a giant step up from DD-WRT in terms of capability & also complexity, as it’s basically the same OS as on their much larger scale enterprise-y boxes, but the OOB config is perfect for a consumer setup like mine, with just a few things added like static dhcp leases and local DNS. V pleased with it so far.
https://www.turris.com/en/omnia/overview/
Open Hardware, Free Software. The only blob is for 5GHz WiFi.
Now I just need some libre power line adapters.
Have any performance and stability tests?
What’s the OS of the router?
OpenWRT based TurrisOS
Does it have a version with 8 LAN ports? What about 2.5 Gbps Ethernet?
I’ve been running a minimal setup with a MikroTik hAP AC2. Related to your Pi-hole comment, I added some NAT firewall config to redirect port 53 requests to the local Pi-hole. Full disclosure: approaching 2 years since I dove down that rabbit hole so the solution I found may be out of date now.
apu2 with openbsd
unifi UAP-AC-Pro
self-hosted unifi controller
Same setup!
My setup might be a bit unconventional to some but I currently have my setup like this:
My Cable Modem is set to bridge mode to avoid double-NAT issues and is connected to a computer running OpenBSD / pf.
The OpenBSD machine takes care of DHCP from the standpoint of both getting its IP address from the ISP as well as giving out IP addresses to my devices. I also do my own DNS in case the ISP DNS goes haywire. You could also do this for a bit of added privacy for your domain lookups.
The computer also has 3 physical NIC cards: One is connected to the Cable Modem, one is connected to a switch for wired devices in the house and one is connected to another switch for DMZ use (such as WiFi WAP for phones, tablets, IoT devices, your own public facing servers, etc…).
I like to keep wireless devices on the DMZ (and the WAP on the DMZ has its own subnet) because I cannot control who is intercepting my signals outside the house. I don’t broadcast my SSID, but that does not go very far.
Since I own the house, I ran CAT-6 cable to rooms that needed it.
I am considering swapping my DMZ switch for a managed one to place different types of devices on their own VLAN. If someone hacks my thermostat or WAP for instance, it might slow them down from island hopping.
Finally, since my devices don’t change very often, everything has its MAC address reserved. If a foreign device hits the network, an IP address is not given out to it. I have a second reservation list for guests.
This also makes it easy for me to see “at a glance” in the logs what my devices are up to since I know which IP address is going to which device.
This setup has served me well for well over a decade. I have heard way too many stories of off the shelf firewalls having hardcoded, backdoor login credentials and what not so I only trust my OpenBSD machine for NAT/DHCP/Firewall, etc…
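As an added illustration (not the commenter's own configuration), here is what the three-segment policy described above looks like as a minimal OpenBSD pf.conf: wired LAN trusted, wireless/IoT/public hosts on a DMZ that can reach the Internet but not the LAN, default deny with logging. Interface names (em0/em1/em2), subnets and the DMZ web server address are assumptions.

```pf
# /etc/pf.conf for a three-NIC OpenBSD router: an added example, not the
# commenter's real configuration. Interface names and addresses are assumptions.
wan = "em0"   # cable modem in bridge mode; address comes from the ISP via DHCP
lan = "em1"   # wired, trusted segment
dmz = "em2"   # wireless AP, IoT devices and public-facing hosts

lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_web = "192.168.2.10"     # hypothetical public-facing web server in the DMZ

set skip on lo
set block-policy drop        # silently drop instead of sending RSTs/ICMP errors

# Masquerade both internal segments behind the (dynamic) WAN address
match out on $wan inet from { $lan_net $dmz_net } nat-to ($wan)

# Default deny; log what is dropped so the logs show what each device is up to
block log all

# Drop packets whose source address does not belong on the interface they arrived on
antispoof quick for { $lan $dmz }

# The router itself serves DNS and DHCP to both segments (DHCP discover arrives as a
# broadcast from 0.0.0.0, so that rule carries no source constraint)
pass in quick on { $lan $dmz } inet proto { tcp udp } to self port domain
pass in quick on { $lan $dmz } inet proto udp to port bootps

# DMZ hosts reach the Internet only, never the trusted LAN or the router's other services.
# A compromised thermostat or AP therefore cannot island-hop into the wired segment.
block in quick on $dmz inet from $dmz_net to { $lan_net self }
pass in on $dmz inet from $dmz_net

# The trusted LAN may go anywhere, including into the DMZ to manage devices there
pass in on $lan inet from $lan_net

# Inbound from the Internet: only the published service, redirected to the DMZ host
pass in on $wan inet proto tcp to ($wan) port { http https } rdr-to $dmz_web

# Router-originated traffic (package updates, upstream DNS) and forwarded traffic leaving
pass out on { $wan $lan $dmz } inet
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; dropped packets from the `block log all` rule can be watched with `tcpdump -n -e -ttt -i pflog0`, which is where the "at a glance" view of what each reserved-address device is doing comes from. The `quick` on the DMZ block rule matters: pf's last-match-wins evaluation would otherwise let the later, broader `pass` rules override it.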
I have a PCEngines apu4c4 running NixOS as my router, using a custom zone-based firewall script, a pile of OpenVPN tunnels that share routing information using a combination of BGP and OSPF. Within my apartment, I host wifi using Ubiquiti gear (an AC Lite and a nanoHD) with a locally-hosted controller. I see no need to use their cloud offering, and given that my modus operandi is to host everything I can myself, I find it unlikely that I ever will.
For switches, I’ve been using a Netgear GS324T and GS108E depending on how many ports I need; they’re not the most full-featured things I’ve used, but they’re cheap and good enough.
My NAS lives on the other end of one of the VPN tunnels for noise reasons; it’s a used HP DL380e Gen8 server that I’ve packed to the gills with RAM. It’s also running NixOS, and has enough horsepower to handle running a pile of VMs for miscellaneous vendor appliances as well as some publicly accessible services (Matrix, Plex, etc).
All told, it’s simple, reliable, and I can have a full backup of everything necessary to bring back a clean slate on a single floppy disk. If I were doing it again, the only change I might consider is using a custom-built mini PC instead of the APU; it’s not that there’s any problem with the APU, but running nixos-rebuild takes just long enough to be irritating.
In 2014 I decided that I was willing to spend more than the usual $50-150 on a router/firewall, if I could be sure that:
After a bit I concluded that building a mini-ITX x86 machine and running Debian stable on it would work well.
It’s now seven years later and I should probably replace the USB stick that I use for a daily rsync of the contents.
The machine is described here: https://blog.randomstring.org/2014/11/09/a-new-firewall/
Because it runs a nicely supported OS, I get mail from it when there are necessary package updates. It handles firewalling, IPv6, wireguard, DNS, DHCP, and some basic stats collection.
It connects to a dumb 24-port gigabit switch that handles the other machines in the home office, and then has cross-house runs of ethernet to two other switches and three wifi access points, which are configured in bridge mode and don’t supply NAT or DHCP. I tend to assign consistent IPs via DHCP to every non-guest device, and keep a pool of 30 addresses for guests.
What’s the advantage of reusing IPs from the pool for guests instead of generating new ones?
I’m not sure what you mean. When a machine I don’t recognize asks for a DHCP-assigned IP, it comes from a pool that I allow to access the Internet and a very few local services; machines owned by my family or a few close friends get a subnet that allows rather more access.
(And certain machines that I “own”, like my TV, get addresses that aren’t allowed to talk to the outside world at all.)
I use an APU2 running pfSense (will be switched to opnsense when I have time) as my router. I have a secondhand cisco sg200-26 switch for my ethernet devices. Wifi is powered by a Unifi AP and I run the controller in a jail on my FreeNAS storage box.
I run a pfSense firewall, a Univention domain controller (which handles DNS and DHCP), and a locally-hosted virtual Unifi controller that controls my Pro access point and my tiny Flex Mini switch. It has been incredibly reliable and I hardly ever need to do anything with any of the components. I could live without the domain controller now, but it has been really handy for managing logins on our family devices and works so reliably that I don’t really have a reason to decommission it.
A Fritz!Box with fiber modem (currently 500MBit synchronous), switch and 802.11ac WiFi access point (provided by our ISP, XS4ALL) near the fuse box. Ethernet to the living room and my desk. Most devices are hooked up through Ethernet. We also have a Fritz!Box 802.11ac repeater, hooked up to Ethernet as an additional AP in the living room. Fiber + ethernet has been super-reliable (only a brief downtime once since we moved in here 2.5 years ago). Never had any issues with WiFi through the Fritz devices either.
I haven’t researched AVM (the makers of Fritz! devices) in detail. But they seem like a decent/reliable privately-owned German company that do not do ‘growth hacking’ and other shenanigans. Also, they seem to provide firmware updates for quite a while. I could be wrong, but my impression as a long-term customer has been pretty good.
Fritz! here too - very good so far. The first Fritz!Box came with the ISP connection. I bought two more second hand to use as mesh repeaters.
Hi Daniel,
You’re right, they are from Berlin, Germany, and already had ISDN cards years ago. It’s quite a common brand here in Germany and very good but expensive.
What model is yours? I have a 5530 with SFP for GPON but my ISP has an ONT provided by them which I can’t replace. This ONT is connected via copper to the Fritzbox.
5490, the fiber cable is directly connected to the Fritz!Box.
I have outfitted both my (apartment) as well as my family’s (multi-story house) place, as well as some customer sites with Ubiquiti APs. I use them with a “L3 controller” setup where the Ubiquiti Controller runs on a VM in my colocation rack, and all the APs report (via the internet) to there to get their updates, configuration, etc. As far as I know, the recent “UBNT is serving ads” discussion only concerns the “hosted controller” variant (where they host the controller for you).
The access points are grouped into “sites” by household, so I can create dedicated accounts for people that may need to change the Wifi password once in a while. They only do WiFi, routing is done separately (and with varying degrees of sophistication). The central management allows me to schedule and perform firmware upgrades which might otherwise get ignored (once installed, most people never look at their infrastructure again, nor do they want to). This is something most “controller-based” systems can do, though, not especially specific to UBNT.
For installation I did a basic site survey for AP placement, laid CAT6 to good locations for the APs and installed a central PoE switch to power them. Works fine so far.
The AC Lite hardware is decent for the price and manageability, the pricier models can be worth it if your clients support newer standards and your use-case supports/requires better transfer rates (ie., fast internet connection or lots of local traffic).
In general, I’d recommend running dedicated wiring for APs over any sort of mesh solution.
Personally my experience with Ubiquiti hardware is great so far. In my parent’s house, I have installed one UniFi Lite AP (the older one, 802.11ac only) and one newer UniFi 6 Lite AP (this one supports 802.11ax). Both work perfectly but the UniFi Lite AP has a quite weak antenna gain and thus doesn’t have a great range (but this is on purpose: it’s designed for high density networks, where you have many short-range APs instead of one long-range AP). The newer UniFi 6 Lite AP nearly covers the whole house.
So if you want to buy one of these access points, just keep in mind that they are primarily designed for the enterprise, and some of their characteristics (range, PoE power supply, lack of a built in web UI) are a bit different from most consumer hardware.
ISP sucks here in Central London, all I can have are ADSL+ 10mb connections so I opted to buy a 4G home broadband router. It is a Huawei one and it is not bad, it usually gives me a bit more than 10mb but not much more. I attach it using ethernet cables to my trusted Mikrotik Cloud Router Switch (https://mikrotik.com/product/CRS125-24G-1S-2HnD-IN) which can kinda do anything but that I use as mostly a dumb wifi router with cables going to my dock and video mixer. That router is strong enough for me to pick it up across the street (it is in front of a large glass window)
Surprised you can’t get VDSL in central London.
It’s really patchy, it totally depends on what happens to have been installed in the cabinet nearest to where you live, which can be wildly different from street to street. Some places do have VDSL, others just … don’t.
Can you get FTTP? Might not be worth the cost to you of course.
Haha. Actually I have a story about that. I had it in my last apartment, and it was amazing. I moved in to a brand new block where everything seemed whizzy, but when it came to it, the ISP said, uh, 0.75mbps up and 16 down. No cabinet upgrades planned. No, no idea when or if they will be. Yes we know the next street over has VDSL but you don’t. No, we’re basically not even sorry. Uh huh. So first of all, I looked into a line-of-sight microwave link from the office I was working in at the time, a few hundred feet away, but not only is UK weather really bad, I also found out they were planning the next sister block to be built directly in the way. Yay. So then I got onto a FTTP provider who wires up whole buildings, and basically wangled with the building manager for them to install it in that whole building, and the 2 next-door buildings in the process of being built, which was the treat they were looking for, as when I initially said “40 apartments in the block” they yawned a bit and said something about not getting out of bed for less than 100. Overall it took a year and change and a lot of hassling, but eventually I had a symmetric 1Gbps fiber line that reliably gave me 900mbps each way. With a 1ms ping into LINX. Joy. And I didn’t even have to pay for the install or the first year because I was the one that wangled it in there. It was actually one of the things that kept me in that place, long after I was happy with it for other reasons.
So when I finally decided to move, I even used FTTP availability as a factor in choosing my current place. I saw that another FTTP provider had literally just dug up the road outside, and they offered 900mbps for even less than the other lot. Boom. I kicked off the process before moving in or signing anything, checked with the real estate people, got them to ask the landlord if it was OK, they said it would all be fine, so I got an ISP estimate done for wiring it into the apartment through the window frame, started the ISP’s landlord approval request, everything. Only after I moved in did anyone tell me not only that (a) the building is Grade II listed, so no, you can’t drill any holes, anywhere, and that (b) the cable riser that was put in 20 years ago when everything was converted (under an apparently extremely painful permission process) is 20 feet back into the building from the main wall, so I’d have to go in the basement, into the neighbour’s apartment, up through the riser, open the wall in my apartment to get the cable out, then pull up the antique wooden flooring, run the cable underneath it back to the front wall, break open that wall to get into the other riser and have it come out the socket, etc, etc, none of which would be allowed anyway - but also that (c) the ISP had dug their hole 6 feet away from the vault under the street containing the ingress point for all the existing cables/gas/power etc, where they should have dug it. 
Instead, they dug it above The Other Vault - you know, the one owned by the “weird little old guy” who used to own the building and a load of other ones in the area and who, when he did the deal to sell them all and allow for the conversions, got some crazy feudal lawyer to make changes to the centuries-old land registry documents so that Weird Little Old Guy still owns The Other Vault, along with the identical secondary under-street vaults in a lot of the other nearby properties he used to own, and Uses Them, for Things No-One Knows About, and only he has keys and rights to give entry permission to them, and he famously Never Gives Entry Permission For Them, To Anyone, Ever. Apparently once in a blue moon he’s seen showing up, checking the surroundings, and Going In to the Vault and locking the door behind him, staying for a while, then venturing out and scurrying away. No-one knows his story, or anything about why he wants a series of presumably unconnected under-street vaults, or what he’s doing in there. Maybe there are connecting tunnels. Maybe he’s got a subterranean cache of stolen gold with an attendant dragon retainer guarding it for him. Bondage dungeons. Within a mile of the UK government & intelligence buildings, so it could be anything really, secret service entrances, dimension portals, anything, but … No-One Knows.
So the upshot is that I have to put up with 80/20mbps VDSL. Even then the ISP I could get sold me 180/100+ on the basis that their tool told me I was close enough to the cabinet, but when they installed it, it managed to sync at 160/80 but it had a crazy error rate. The engineer tried to explain, clearly expecting me to glaze over, but then when I made the error of saying “oh you mean a CRC” about one particular bit, he got all excited and then got into way more detail that I could keep up with, but the long and the short of it was that I could either “keep the sync speed and have a 30% error rate” or “lose the errors but also lose more than half the speed”, which was obviously a no-brainer. And then they tried to charge me the same price they quoted for the higher speed, as though this were perfectly natural. Hahaha. It took about 10 days for it to settle at 80/20 but it’s been totally reliable since then. So … obviously that’s a lot better than most DSL, but after living with FTTP for 4 years, anything else seems like purgatory really. Even if this is perfectly fast enough for most stuff I do, it’s just when you have a big push or pull to do it’s just …. argh. Hey ho!
Arghhh !! I am chewing on my lip out of frustration as I read this. Man, seriously, idk what to say, sorry for your loss?
Thanks! Ah, you know, it could be way worse, at least we haven’t been stuck indoors with nothing to do except use internet for a year 😂
I’m reading along going yeah, ok, yeah, then suddenly there it is: “Grade II listed”. You have my sympathies, if nothing else!
Hehe, thanks. Yeah. I guess I should have checked, but it just didn’t occur to me. Old cities, tsk …
Ubiquiti: I have 5 unifi AP ACs at work for the last 6 months, mixed bag. Very nice wifi performance when they work, pretty appearance when mounted on walls, PoE powered. One unit was warrantied a few weeks back (tripping PoE in a loop, not booting) and the rest are having weird behaviours with their built-in guest network feature. Every few minutes all packets from clients on the guest network (and only the guest network) stop routing anywhere. We use ICMP redirects in our environment, so I wonder if that’s playing with their traffic inspection rules. I’m going to try putting OpenWRT on them (I think they might be a supported target), that will make me happier (and let me do easier packet caps to work out the causes of future problems, without having to hook up external capture equipment south of a PoE injector!).
Home: PCengines APU2 + openwrt for the past year, it has been amazing. Rock solid reliability (much better than all of the SOHO routers I have used over the years, both stock firmware and OpenWRT). No crashes, oddities or mysterious miasmas.
Sadly the APU2 is expensive, around $200AUD with case, mSata SSD and shipping. Given that it’s essentially a low-power x86 box with multiple intel gigabit NICs: check what old computers you have handy and see if they will fill the role. At the time the only units I had that were small enough for my target location were unfortunately pre-2011 computers (Core 2 duos I think?), which according to my calcs at the time would use most of $200AUD idling for three years :P
I’m also using a cheap mediatek wifi router (running OpenWRT) as a wifi AP. It does not provide amazing wifi performance and I have had issues in the past with the wifi conking out (requiring a restart of the interface and/or a reboot); but it seems to have been going ok the past few months. Ideally I’d put an mPCIE wifi card in my APU2, but I stole the last good one I had to use in my laptop. I’m too cheap for anything else, I spent all my Timtam money on the APU2.
I’ve been using a UDM plus additional UAP-AC-Pro for the last few years. I wouldn’t really recommend them — when they work it’s fine, but it also constantly feels like an unfinished product:
I really wanted to like their stuff, but they don’t live up to the expectations they set out for themselves. I don’t think I’ll be adding any more Ubiquiti gear in the future.
I recently purchased a UDM and have been frustrated with flaky performance in games. In what way did IPv6 cause problems for your network? Did devices just not connect, or was it more insidious?
For whatever reason, Windows devices would always try to resolve DNS using a link-local (?) address or something? I don’t recall and don’t have a test subject handy, but basically upon successfully connecting they would resolve everything to some non-existent IP (forget exactly, but it’s the same one for all lookups on all (unrelated) Windows devices), and the only way to stop it and get things working is to disable the IPv6 stack manually on the device. It seems like the non-functional IPv6 configuration it gets takes precedence for some reason.
On managed Windows devices (like my nestmate’s work laptop) where you can’t access the adapter properties, it gets even worse; you can’t just go in and disable the IPv6 stack, and through the “simple” interface (which isn’t denied by group policy or whatever) you can only do DHCP for 4 and 6, or manually set both. So it has to have a static IP configured, in order to keep IPv6 off. Ugh.
PC Engines apu1 running NetBSD performing standard routery things like DHCP, firewall via NPF, etc, with some PoE WiFi access points.
Cable modem (includes router) my ISP provides in the hope that this setup requires the least amount of energy. As long as it gets updated I’m okay with that.
I absolutely love my Mikrotik RB4011iGS+5HacQ2HnD-IN (https://mikrotik.com/product/rb4011igs_5hacq2hnd_in)
It’s complete overkill, but RouterOS is extremely configurable. You can even configure it with Ansible. I believe you can do Terraform too, but I’ve never tried that.
I seem to rebuild my router at least once a year before purchasing a pfsense appliance.
I did finally write down the minimal viable how-to for me for the next time though: https://jjasghar.github.io/blog/2020/02/14/centos-8-as-my-new-router/
My firewall is a Protectli FW6C running OPNsense. My wireless access point is a PC Engines APU2 running HardenedBSD.
Eero and Amplifi, depending on a given week.
They are both meh. I am a network engineer by day. I don’t want to mess with that stuff at night. Something something cobbler’s children.
But I’m about at my wits’ end and about ready to deploy a Mikrotik/EdgeRouter or something.
My home network is used for gaming, streaming media, and webdev work from home. I use Ubiquiti APs and consumer switches. I haven’t been affected by the toxicity from the company.
Just upgraded from a terrible TP-Link modem+WiFi router to a Linksys Velop mesh dual band (TP-Link still handles modem+routing). Internet is 60/20 so really no need for anything more powerful. Powerline links the modem to the primary Velop node, and also provides Ethernet to the office (end of garden). Pretty good overall, impressed with the Velop performance even over dual band, more than keeps up with our internet.
I used to have a Unifi setup with multiple access points. But my new apartment gets excellent WiFi coverage from a single central location, which happens to be next to a coax port for my modem. So now I just have a TP-Link Archer AX50 and 2 TP-Link TL-SG108E switches. But the AX50 can also run in access point only mode, so if I needed more coverage I would just buy more of them and wire them up through the wall.
WiFi 6 is really a game changer. If I shove my phone into the far corner of the furthest room from the AP, I still get 200+ Mbps. It’s so stable and fast that I use my desktop over WiFi with a TP-Link TX3000E PCIe card. I get better latency and jitter wirelessly than another PC in the apartment with a mediocre onboard Ethernet chipset. Granted, my desktop’s antenna stand has direct line of sight to the AP. I only tried it because there aren’t any Ethernet wall outlets by my desk, and was pleasantly surprised.
The guest network also supports full client isolation, the most important enterprise-y feature for me. It’s a really great piece of hardware for the price, and dead easy to set up. Been running it for months with zero problems.
Already mentioned, but +1 Ubiquiti for APs with a self-hosted or, if possible, no Controller install, and Mikrotik for a small but powerful home router.
Ubiquiti stuff is generally very easy to get going fast with and super friendly and pleasant to use.
Mikrotik’s routers are super powerful for the price; you can do a huge amount with a $50 or $100 device, but they have a steeper learning curve. I’d recommend investing a few hours in setting one up though, because it gives you a whole toolbox of powerful low-level networking tools in one little box - the opposite of what it sounds like you have now - more UI complexity but much better control. All basic stuff (DHCP, DNS, routing) is reasonably straightforward; then I found that things at the next level of complexity like VLANs, QoS/traffic shaping came in extremely handy from time to time. E.g. in Ubiquiti devices you can assign an SSID to a specific VLAN. So you could configure different VLANs in a Mikrotik router with different properties (e.g. internal only with no internet gateway; only allowed traffic through the gateway on specific ports; services/destinations (e.g. streaming) prioritised, bandwidth limited, etc.), so devices are connected to one of these depending on the SSID they connect to.
Also a Mikrotik device with PoE out doubles as your PoE power supply which kills two birds with one stone.
I used to use Google WiFi (and actually worked on the first version) but wanted more advanced nerdy features so switched to Ubiquiti UniFi gear and haven’t really used the power features.
I currently use a ubiquiti edgerouter network firewall (and isp handoff), and unifi[1] on the internal network (switches, access-points). Been looking into other platforms lately though, in case I need to switch due to ubiquiti’s quality slipping further than it has lately.
[1]: unifi controller is a cloud key, but with “cloud login” disabled – only local login
We have DSL. For a router, I have a virtual machine running on an old Linux box with two physical NICs. One NIC is connected to the DSL modem, and the other is connected to a switch. Hanging off of the switch is a wireless access point from … Ubiquiti.
I used to use a couple of USB wifi adapters as an access point, by means of hostapd. It was kind of flaky. Everyone was always complaining about the wifi, so I bought the Ubiquiti.
250 Mbit fiber + TimeCapsule + Ubiquiti AC Pro
I’m in the middle of setting up a network with TP-Link’s Omada line. So far it’s been a positive experience. Controller will detect new devices and adopt with a single click. This weekend, I’m setting up outdoor point-to-point across ~300 meters with a couple of their Pharos access points, and I’m hoping everything on the other end gets recognized just the same.
Tiny celeron box with OPNsense for gatewaying, Aruba 1930 for switching, good old Archer C7v2 (OpenWRT) for wirelessing.
Kinda want to upgrade the AP but… current “Wi-Fi 6” devices aren’t OpenWRTable? 6GHz is coming but due to regulations that’s just who knows when? Arghh wake me up when the state of 11ax is not a mess.
If anyone wants a story of what NOT to use, here you go:
I recently moved somewhere where Xfinity was the only option. They said that Fios would be coming within 2 months, so I decided to go with the router rental fee while waiting for the chance to splurge on a nice fiber-optic modem. Still waiting on Fios five months later.
The Xfi router has been nothing but pain. Things I haven’t had to do in a decade, I have to do again. Power cycling the router constantly, being VERY cautious during video calls about how much bandwidth I’m using, you’d really think I was paying for the cheapest option. (A side note: I know equipment is recycled by ISPs but do you really have to send me scratched and dirty routers?)
In terms of NAS, I keep it simple, running an SMB share on a Raspberry Pi. I’ve never had throughput issues, though directory listings take a little while in macOS Finder. Pretty great setup for the price, but no matter how secure I keep it, having it plugged into a router that wants to run an extra unauthenticated network for “subscribers” makes it moot.
How big is your house? What speeds do you need? Do you need low latency e.g. for gaming?
We have a two story house (+ basement) with 600 sq-ft per floor. We have grownups and kids with various devices, video conferencing and streaming video mostly on the first and second floor. No gamers.
I have a single TP Link router (AC1750) positioned on the ceiling of the basement at the center of the house. Serves us just fine.
My house is smaller, but two concrete floors reduce the effective strength of a wifi signal to almost nothing. The way a house is constructed can make a big difference.
I’m currently setting up a Debian based machine for firewalling/routing with nftables. VyOS is great but I wanted an excuse to learn nftables, which so far has been very fun to learn. Will probably run dns/dhcp on this machine as well. Once I’ve set up the firewall I’ll set up the rest with ansible.
Next step after that will be buying and setting up a cli based switch with more ansible. Just for the fun of it!
I’ve used UniFi stuff in the past and it’s been great, but gave it away to a relative and had some other hardware lying around. Hence the current situation.
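The two ideas above, one SSID per VLAN with a different policy behind each (the Mikrotik post) and a Debian box doing routing and firewalling with nftables (this post), fit together in a single ruleset. What follows is an added example, not the poster’s own configuration: it assumes a WAN NIC `eth0`, a LAN NIC `eth1` carrying three 802.1Q sub-interfaces `eth1.10` (home SSID), `eth1.20` (IoT SSID) and `eth1.30` (guest SSID) created by the OS beforehand, and that the access point tags each SSID onto the matching VLAN. The VLAN ids, interface names and port choices are all assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example of a three-VLAN home router policy in nftables.
# Assumed interfaces: eth0 = WAN, eth1.10/20/30 = VLAN sub-interfaces on the LAN NIC,
# one per SSID. Load with: nft -f /etc/nftables.conf (after enabling IP forwarding).

flush ruleset

define WAN   = "eth0"
define TRUST = "eth1.10"   # home SSID: may reach anything
define IOT   = "eth1.20"   # IoT SSID: HTTPS out to the internet only, no LAN access
define GUEST = "eth1.30"   # guest SSID: internet only, isolated from the other VLANs

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop

        # Every VLAN may use the router's DHCP and DNS services
        iifname { $TRUST, $IOT, $GUEST } udp dport { 53, 67 } accept
        iifname { $TRUST, $IOT, $GUEST } tcp dport 53 accept

        # Only the trusted VLAN may manage the router over SSH
        iifname $TRUST tcp dport 22 accept

        # Keep IPv6 neighbour discovery and basic IPv4 diagnostics working
        ip6 nexthdr icmpv6 accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop

        # Trusted VLAN: no restrictions
        iifname $TRUST accept

        # IoT VLAN: only HTTPS, and only towards the WAN (no lateral traffic)
        iifname $IOT oifname $WAN tcp dport 443 accept

        # Guest VLAN: anything towards the WAN, never into another VLAN
        iifname $GUEST oifname $WAN accept

        # Anything else (guest -> trusted, iot -> trusted, iot -> guest, ...) is logged and dropped
        log prefix "nft-forward-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

`iifname`/`oifname` match on the interface name rather than its index, so the ruleset still loads at boot even if a VLAN sub-interface comes up after nftables does. Forwarding itself has to be switched on separately (`net.ipv4.ip_forward=1` in sysctl), and the dropped-forward log line is the quickest way to see which VLAN-to-VLAN flow you forgot to allow.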
I have one Ubiquiti AP (the round non-expensive one) but I’ve never been happy with it (except the wifi quality) as I’ve had major problems with it (I seem to be a rare case, many people I know are really happy with the administration) - so if it died I’d definitely buy something different.
Before that I had a WNDR and before that an actual WRT54G with OpenWRT, apparently my needs in this apartment are pretty modest. Wifi coverage is important and it doesn’t have to be completely stupid or lack features I need, but I couldn’t tell you which those are.
Reading the other comments here, you might discover your experience is not as unusual as you first thought.
I did, and I didn’t see anyone who had the same “100% perfect as a user, 100% argh horrible as an admin” experience though. My controller (via docker) forgets the AP all the time and re-adoption doesn’t work, so basically every time I want to change something I have to reset it. But I only change something once a year, so it’s working 364 days per year ;)
I can live with that, but I wouldn’t recommend them.
I have a Fritzbox 5530 with two Mikrotik switches connected to each other via Single Mode BiDi and cAP ac from Mikrotik as access points. I had an old telephone cable with a very small hole between the basement and first floor, and with a Single Mode LC/LC cable from fs.com it was not necessary to make the hole bigger to replace it.
As someone who would rather not spend any time thinking about home networking, I use the router that Comcast gave me and an Eero mesh network, and this setup works really well for my ~2000sqft, 2 floor house. (pre-Eero the wifi was really bad if you were too far from the router).
I run an x86 machine as my router using Alpine Linux as the OS and iptables as the firewall, unbound as the DNS server, and dhcpd as the DHCP daemon. My firewall isn’t that extensive, here’s the output of iptables -S (a few forwarded ports have been omitted for brevity):
Connected to this router are two Unifi AP Lites for WiFi and a few other small x86 boxes for VPN and NAS.
I wanted to run conduit when we moved into our house, but it’s 120 years old and it wasn’t going to be doable with our budget, so we settled on Netgear Orbi mesh. It’s … fine? but we pay for 1.5Gb/s FTTP and I’d really like to be able to get closer to those nominal numbers than the Orbi can provide.
I’m running OPNsense on a Protectli box as edge router and firewall. A 24-port Ubiquiti switch as the main switch. Two small outdoor Ubiquiti switches with PoE to power cameras around the house. Another small Ubiquiti switch for the home office.
Three Ubiquiti APs around the house.
Not too happy about the development of Ubiquiti as a company and the latest news in particular.
I have an EdgeRouter Lite with OpenBSD on it. It is simply plugged into a GigE switch and a Unifi AP for wireless. Works really well.
I just burned out my Linksys router. While I used to love the product, they have a documented flaw in their chipset.
I switched to a d-link. The interface isn’t as robust, but it says it can support streaming up to 6 devices.
I can get away with only one router in a two story house because I’ve threaded the cat6 from the modem all the way to the center of the house where I put the router. HTH