Not trying to defend TP-Link or anything, but I recently bought a pair of mesh routers from them and they work very well.
BTW, this hidden network probably uses another protocol (for the OneMesh). It is 802.11s (https://en.wikipedia.org/wiki/IEEE_802.11s), which uses its own encryption method based on Simultaneous Authentication of Equals (SAE) (yeah, that is the same as WPA3, however it came before it). It shows as a hidden network on Wi-Fi Analyzer, but the network is not actually hidden in the same sense as a hidden Wi-Fi network: this simply happens because 802.11s has no concept of SSID.
The authentication of new devices happens when you pair a new router using the application available on Android/iOS (it has a web interface too but AFAIK it doesn't allow adding new mesh routers to the network). So it seems pretty secure to me, at least sans some security bugs that I am sure the device should have. Doesn't bother me too much considering that most bugs that I saw on those consumer routers generally come from the security of things like administration pages and not the Wi-Fi network itself (unless it is something like KRACK that affects all devices implementing the protocol).
Yeah, it is still pretty sh*t that they enable this by default, but if the router from the author of the blog post is from one of their lines of mesh routers I do think this is kind of made on purpose, because using multiple router devices is kind of the idea of a mesh network.
Thanks for the info. That makes sense given the "11s" configuration I found for those SSIDs. The router is not in their mesh line AFAIK, though most of their home products now support OneMesh, so that line is a bit blurry.
To clarify, I like TP-Link products too. Their PowerLAN products so far have been the most reliable for me and the router's been solid too. It's just really disappointing that an almost (for me) perfect product has this very simple software flaw without any solution other than to hope the manufacturer decides to fix it at some point. I had the same issue with Asus routers, but they were smart enough to open source their software and let others fix pretty much everything for them.
Just to correct myself, "11i" is actually what I saw in the configuration and it's the "Beacon Type". WiFi Analyzer shows them as 11n (2.4GHz) and 11ac (5GHz).
This type of whackery is (the primary reason) why I try to buy computing devices on which I can flash a clean OS (OpenWrt/DD-WRT for routers)[1]. It sucks because it limits my choices down to a few, but at the same time I feel like I don't throw out money at abandonware.
[1] don't even get me started on TP-Link releasing routers with the same name but v2/v3/2020/2021 update where it's hard to even know if I'm buying the one that supports the custom OS flash.
The author touched on right of repair. I’d love to see a law requiring all devices to either be supported, or if being sunset, being required by law to provide tools/source/schematics to take over the device and extend its utility beyond the manufacturer’s willingness. Particularly a last firmware that disables anything requiring phoning home to continue to function. We saw that with OnHub recently, when after only 6 years Google decided to render a lot of devices e-waste. The least they could do is recycle them for you at their own cost.
There is a specific problem with routers and certification for radio usage.
This makes right to repair harder. It's not just a legal issue. The ether is quite full and it mostly works because there are clear rules that devices must meet.
With user serviceable routers, bumping up power, or moving to locally forbidden (quieter) frequencies could become lifehacks. There was already an airport whose radio saw interference from extra powerful 5GHz wifi routers.
Locking down devices as a business model is bad. But Locking them down as a regulatory precaution to keep radio working is different.
How to keep every manufacturer from seeking exemption from right to repair under these rules would be challenging tho.
> There is a specific problem with routers and certification for radio usage.
No, there isn't, because it's perfectly possible to limit what frequencies and power levels the hardware can emit without affecting the ability to run custom firmware such as OpenWRT. The certification argument is a dodge used by router manufacturers to avoid having to give customers what they actually want.
> There was already an airport whose radio saw interference from extra powerful 5ghz wifi routers.
Anyone who is radiating enough power to interfere with airport radios is doing something a lot stranger than just flashing custom firmware like OpenWRT on their router. Such people are easily stopped without having to lock down devices.
Um, no. The "airport radio" in question is weather radar, which does directional scans and is very sensitive to interference. Just choose the wrong regulatory domain, and you're messing up the spectrum in ways that are mostly invisible to you.
> The "airport radio" in question is weather radar
Ah, ok. Weather radar is very different from "airport radio". For the latter I have a very hard time seeing how someone's ordinary wifi router could cause interference, but weather radar antennas have to be much more sensitive.
Most modern wireless cards will do a scan for wireless networks on startup and set their regulatory domain to the one regulatory domain contained in the majority of beacons from surrounding wireless APs. This can't (easily) be overridden and prevents people from setting the wrong country and causing interference, while still allowing a single WLAN card to work globally.
1) The scale of the problem seems much lower on PCs because Windows and MacOS respect local regulations, Linux has an infrastructure to do so that works by default in some distros but not others, but overall the Linux market share is small and as is PC WiFi adapters are more often sold in country-specific variants with hardware restrictions than the chipsets in routers are (and usually have lower hardware Tx power limits). Overall, the architecture of WiFi is such that it's rare for a PC to make these kinds of decisions anyway. If it's an infrastructure mode network, the AP dictates channels.
2) FCC enforcement is, in general, rare. It usually requires specific complaints from commercial broadcasters in order for the FCC to respond. In the ISM and WiFi-specific bands, enforcement is extremely difficult because enforcement methods like radio direction finding are inherently difficult for the frequencies involved and even more difficult because of the high noise floor and large number of sources in urban environments. Even if the FCC allocated significant resources (which they do not), it would technically be difficult to enforce these regulations.
The FCC has closed more than half of field offices and laid off half of the enforcement staff over the last ten years. They have eliminated most of their field enforcement teams and now only have teams (perhaps only a handful, they don't say but the best public info I've found suggests 5) based out of the DC area that have to fly out. It's been very frustrating to see the FCC eliminating enforcement resources these days, but the reality is that enforcement has become far more difficult and less effective over time due to advancements in the technology. Direction finding FM pirate stations is technically pretty easy and something the FCC is very effective at (especially since FM broadcasters inform the FCC promptly). Just about everything else... fat chance of the FCC doing anything about it unless they can do so at an organizational/regulatory level (e.g. fining manufacturers or large scale operators). At the field level it's just too expensive and unproductive to try to track down individuals who have configured their WiFi routers in violation.
> Why should a router be any more locked down than my PC?
It's possible that the WiFi card in your PC will refuse to transmit on a 5GHz channel until it detects some other device already transmitting. I've pulled WiFi modules from dead laptops that had such restrictions enforced at the hardware/firmware level, making those WiFi cards unusable for a DIY access point.
If we didn't allow for an exemption but still required full compliance, perhaps manufacturers could physically limit the output from the power amplifiers and/or use blowable fuses in the chips to set a non-modifiable power limit. I imagine that the same could be done for frequency management either on board (bandstop filtering) or on chip (once again, blowable fuses to set disallowed frequencies).
I know that there will still be enterprising folks who modify their hardware itself to try to get around these limitations, but such enterprising people are already more than capable of physically modifying their existing hardware.
Not in manufacturing so I'm just speculating here. But I'd imagine that would create a new set of logistical issues; specifically, instead of one bill of materials that can be applied everywhere with controls applied via software, now you need N BOMs, where N is the number of market regions that have a slightly different set of RF transmission rules.
Not infeasible but certainly a significant increase in cost.
"Right of repair" being focused on hardware is a neat little trick to enforce the illusion that changing software is beyond your rights as a consumer. Yes, you can fix the antenna when it breaks, and focus on how hard the fight was to get the right to fix the hardware you own... which you don't own as long as the company uses software to control what the hardware can and cannot do. But you sure physically own those mostly-useless atoms real good!
> "Right of repair" being focused on hardware is a neat little trick to enforce the illusion that changing software is beyond your rights as a consumer.
Is it a trick, or just limited imagination?
My impression is that "right of repair" came from mechanically-minded people seeking to maintain their traditional ability to repair physical devices in the face of corporate hostility (e.g. farmers vs. John Deere).
> Yes, you can fix the antenna when it breaks, and focus on how hard the fight was to get the right to fix the hardware you own... which you don't own as long as the company uses software to control what the hardware can and cannot do. But you sure physically own those mostly-useless atoms real good!
This seems more of software-centric Free Software attitude, which is not a place someone with mechanical skills but not very strong software skills is likely to arrive at themselves.
The tractor right to repair issues include software. You might even say that software is the prime issue preventing repair of the newer farm equipment. Parts with DRM, unsupported software, etc.
> The tractor right to repair issues include software. You might even say that software is the prime issue preventing repair of the newer farm equipment. Parts with DRM, unsupported software, etc.
My understanding is the farmers just want to be able to repair their tractors without dealer approval (e.g. replace broken parts). They're not looking to hack new features into the firmware and stuff like that.
> My understanding is the farmers just want to be able to repair their tractors without dealer approval (e.g. replace broken parts).
For which they need to circumvent or disable DRM, and be able to run the manufacturer's diagnostic software (or be able to use 3rd party diagnostic software).
> They're not looking to hack new features into the firmware and stuff like that.
I think you may be reasoning from a set of assumptions about farm equipment that is out of date. Modern farm equipment is very sophisticated and ties into all sorts of external services (GPS, mapping and terrain, high resolution soil data, weather forecasts, etc.), and can do things like adjust the direction and spacing of rows, depth seeds are sown, selective harvesting, selective pest control, selective fertilization, and more. The software that controls all that isn't just 'firmware'.
Not to mention that the equipment sends every bit of data back to the manufacturer to power add on services they can sell to the farmer by subscription.
Farmers certainly like all these features. In fact they like them so much they pay for after-market upgrades for older (repairable) equipment to add features and 3rd party services. They don't like being stuck inside the manufacturers' walled gardens.
These things have passed the point of just being equipment or tools, and are now platforms in their own right, and farmers are in many ways no longer their owners, but just captive users.
While right to repair starts with re-enabling a local mechanic to replace a part, it doesn't end there. Not by a long shot.
TP-Link loves to make things proprietary. They have a custom protocol called the Tether Management Protocol, the weird OneMesh stuff noted here, custom firmware headers and signing, etc. all without proper documentation.
Many major vulns in TP-Link devices have been a result of these protocols, save for a few prolific things such as FragAttack. But hey, I guess it gives people something to hack on.
I started out buying expensive home Wi-Fi routers, and I now have a box of expensive home routers I've decommissioned because they have vulnerabilities and stopped receiving updates. Probably well over ~£1000-2000 spent on them over the past ~decade.
Next I switched to separate Router/Switch/AP and started with a Ubiquiti EdgeSwitch 8 POE, EdgeRouter Lite 3 and an AP-AC-Pro. Later I added a EdgeSwitch 24.
Recently my EdgeRouter kicked the bucket, and, wanting to be entirely free from manufacturer updates, I bought a Protectli box, flashed it with Coreboot (instead of AMIBIOS) and installed pfSense. I still use the AP-AC-Pro for now but will look for more open WiFi AP options once that dies or I move from my London apartment to a bigger home.
I say "if you can afford it" because the Protectli box came in at just over £500 once RAM and SSD were added (I got the i3 model), the AP-AC-Pro is ~£120 (IIRC) and the EdgeSwitch another ~£150. This isn't "reasonably" priced equipment for home use, nor would I recommend Ubiquiti of late, but it's working well for me at the moment.
I would recommend installing Proxmox on the Protectli bare metal and running pfSense (I prefer OPNsense) in a VM. Then you can run your UniFi controller in a container on the same device. The i3 should be able to handle that, and you can use Proxmox to share some USB drives over NFS.
Thanks for the suggestion but "separation of concerns" is key for me; I also wouldn't want extra software running on my edge, even containerised. I have plenty of hardware (and several Kubernetes clusters) inside my network to run software workloads on.
For storage I built my "NAS" in the Silverstone CS381 (https://www.servethehome.com/silverstone-cs381-8-bay-matx-ca...) with an LSI HBA, Ryzen 9 3900X / 128GB RAM, 6 Intel NICs, 2 NVMe SSDs + 1 SATA SSD for Proxmox and a bunch of HGST Ultrastar He10s as ZFS mirrors. I run the UniFi controller in a container on there.
Before the pfSense Protectli I was also running AdGuard Home in a container (which replaced Pi-Hole on a Pi) but Unbound + pfBlockerNG is more capable.
Re: pfSense / OPNSense; I was running OPNSense initially, but had some issues, I'm likely to go back if they're resolved; I find myself falling on the OPNSense side of the politics there.
I have not. I considered one when I was replacing the EdgeRouter but I'm a firm believer in separation of concerns, I didn't want my router to be handling my WiFi or doing the switching.
It would have been my top choice had I wanted to stick to an "all in one".
Yeah I used to get TP-Link because they were so well supported by openwrt and dd-wrt. But lately they've really become consumer hostile like with their smart plugs, removing local control functions so they can no longer be used with home automation systems :(
For WiFi I moved to unifi but they're also becoming more difficult to work with. They are making it harder to use their stuff locally without their cloud service and to use the docker controller instead of their hardware.
So when I replace it I'll have to look for yet another supplier. Why do companies always have to turn evil?
In general, margins in hardware manufacturing are low. Companies will generally do anything they can to increase demand, and establishing a "moat" is a great way to inflate demand. "I have some stuff, but it only works with other stuff from this same company" sucks for us as buyers, but it's obviously great for the seller.
This is also why literally every company ever says that repairing anything they sell will void the warranty unless you also buy all the parts from them unless the law expressly forbids them from doing so.
> "This is also why literally every company ever says that repairing anything they sell will void the warranty unless you also buy all the parts from them unless the law expressly forbids them from doing so."
No, manufacturers do that because they don’t want to have to fix products that you’ve hacked up, then guarantee the item’s safety and regulatory compliance.
You may be interested in my comment below. And yes, after helping a family member set up a TP-Link mesh I will do my best not to take part in expanding their coverage again. I'm not affiliated, just a bit psyched about discovering that there exist alternatives. :)
This type of issue of OneMesh discovery could be a wifi chip firmware functionality that isn't programmable via host OS. In such a scenario, even if you could run your own host OS, it wouldn't be of much help.
Exactly. I have a nice TP-Link router that doesn't have the problem described in the article..because the first thing I did was to flash OpenWRT on it. Problem solved.
For those curious about the "Wi-Fi spam" comment: even though nothing is connected to the network and it's a hidden SSID, it still has to broadcast beacons every 100ms. The 802.11 standard says beacons must be sent at the lowest rate the AP supports, so your ~350 byte beacon at 1 Mbps (2.4 GHz) uses around 5% of the frequency. It doesn't take many SSIDs on the same 2.4 GHz channel to make the throughput fall through the floor. Beacon spam is one of the reasons why 2.4 GHz is practically unusable in dense environments these days.
Thankfully for 5 GHz this isn't as bad since the lowest rate is 6 Mbps and the signal penetrates less. Some routers have the option to disable 802.11b which raises the minimum 2.4 GHz beacon rate to 6 Mbps as well, but unless everyone does this it won't make much difference.
Another, maybe bigger, problem is probe requests. A client device, e.g. a smartphone, uses "active scanning" where it sends probe packets and asks "is there any AP in this channel?" instead of "passive scanning" where it would wait for beacons. Active scanning has the advantage of being much faster. In passive scanning, the client needs to stay 200-300 ms in each channel and that adds up quickly when you consider 2.4 GHz and 5 GHz channels. So clients prefer to use active scanning to quickly discover APs. Some clients send periodic probe requests even when they are connected to an AP in case they need to switch to another AP. All these probe requests together with beacons pollute 2.4 GHz.
Would there have been a better way to design beacons? The general problem is a device needing to advertise itself for other devices to connect to, other devices which might not be capable of any faster rate...
Beacons being 350 bytes is pretty stupid though... They could have been 20 bytes long, saying "I'm a device with mac address XXX, plz contact me to know what services I have on offer".
In retrospect, definitely. But a huge part of why Wi-Fi is so successful is the wide compatibility, so we're stuck with a design that is 20+ years old. Beacons also serve to do power saving wake-ups and various other things these days, and there's room to optimize them if the Wi-Fi alliance were stricter - some vendors are broadcasting their manufacturer and model (and sometimes serial number!) every 100ms as well as lots of other unnecessary information elements.
Beacons also have to broadcast the DTIM which allows stations to come out of standby if there is data waiting for them. This can be up to 128 bytes. But I agree, beacons are stupidly fat. The basic beacon is quite small except for the additional tags. If you fire up wireshark you'll see the bulk of the bytes in broadcasting all kinds of feature nonsense that IMHO should only be broadcast during a request to join.
e.g. the beacon frame is 24B on my Netgear, but the tagged parameters are 300 bytes. Sure, the SSID and DTIM are in there, but then there's a bunch of extended supported rates, RSN info, HT info, and vendor specific stuff (Microsoft WMM/WME parameters, 3Com stuff... huh??)
There is out-of-band discovery for devices that support multiple bands. That should help in the 6 GHz band but it looks more and more like 2.4 GHz will be only for discovery in the future.
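The byte budget the beacon comments above describe (a 24-byte MAC header, a few hundred bytes of tagged parameters, beacons sent at the lowest basic rate, plus the Country element that the regulatory-domain comment further up relies on), as an added example that is not from any commenter: a small Python parser run over a beacon frame constructed in-line, with a made-up BSSID, SSID, OUI and model string.

```python
import struct
from collections import OrderedDict

# Information-element tags that typically dominate a consumer-AP beacon.
IE_NAMES = {0: "SSID", 1: "Supported Rates", 3: "DS Parameter Set", 5: "TIM",
            7: "Country", 45: "HT Capabilities", 48: "RSN",
            50: "Extended Rates", 61: "HT Operation", 221: "Vendor Specific"}


def ie(tag, payload):
    """Encode one information element as tag, length, value."""
    return bytes([tag, len(payload)]) + payload


def build_sample_beacon():
    """Constructed beacon (made-up BSSID, SSID, OUI and model string)."""
    bssid = bytes.fromhex("001122334455")
    # MAC header: frame control (beacon), duration, DA, SA, BSSID, seq ctrl
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    # Fixed parameters: timestamp, beacon interval in TU (100 TU = 102.4 ms),
    # capability field
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    body = b"".join([
        ie(0, b"example"),
        ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])),
        ie(3, b"\x06"),                               # channel 6
        ie(5, b"\x00\x01\x00\x00"),                   # TIM (DTIM count/period)
        ie(7, b"US " + bytes([1, 11, 20])),           # regulatory domain
        ie(50, bytes([0x30, 0x48, 0x60, 0x6C])),
        ie(45, b"\x00" * 26),                         # HT capabilities (zeroed)
        ie(61, b"\x00" * 22),                         # HT operation (zeroed)
        ie(48, bytes.fromhex("0100000fac040100000fac040100000fac020c00")),
        ie(221, bytes.fromhex("0050f2020101") + b"\x00" * 18),  # WMM/WME
        ie(221, bytes.fromhex("001122") + b"MODEL-X1234"),      # model leak
    ])
    return header + fixed + body


def parse_ies(body):
    """Walk tag/length/value elements; stop cleanly at a truncated element."""
    elems, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        elems.append((tag, value))
        i += 2 + length
    return elems


def beacon_airtime_us(frame_len, rate_mbps=1.0, preamble_us=192):
    """Airtime of one beacon: DSSS long preamble + PLCP header (192 us)
    plus the frame and its 4-byte FCS at the given rate."""
    return preamble_us + (frame_len + 4) * 8 / rate_mbps


def summarize(frame):
    """Byte budget of a beacon and the regulatory/vendor details it carries."""
    header, fixed, body = frame[:24], frame[24:36], frame[36:]
    interval_tu = struct.unpack_from("<H", fixed, 8)[0]
    per_ie = OrderedDict()
    ssid = country = None
    vendor_strings = []
    for tag, value in parse_ies(body):
        name = IE_NAMES.get(tag, "IE %d" % tag)
        per_ie[name] = per_ie.get(name, 0) + 2 + len(value)
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 7:
            country = value[:2].decode("ascii", "replace")
        elif tag == 221:
            # Printable text after the 3-byte OUI is worth reviewing: the
            # thread notes vendors shipping model or serial numbers here.
            text = value[3:]
            if text and all(32 <= b < 127 for b in text):
                vendor_strings.append(text.decode("ascii"))
    airtime = beacon_airtime_us(len(frame))
    return {"header_bytes": len(header), "fixed_bytes": len(fixed),
            "ie_bytes": len(body), "per_ie": per_ie, "ssid": ssid,
            "country": country, "vendor_strings": vendor_strings,
            "interval_tu": interval_tu, "airtime_us_at_1mbps": airtime,
            "airtime_fraction": airtime / (interval_tu * 1024)}


if __name__ == "__main__":
    for key, val in summarize(build_sample_beacon()).items():
        print("%-22s %s" % (key, val))
```

Pointing `summarize` at frames from a real capture (minus the FCS, if your capture tool strips it) gives the same breakdown for your own AP.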
I had a related problem with their PowerLine TPA-4220 devices yesterday. It turns out there's a DHCP server on it that you can't turn off! It's supposed to be smart and know when there's another DHCP server on the network, but it appears that this sometimes doesn't work. So I found that my laptop sometimes ends up configured on the wrong subnet, which of course kills the internet connection. The thing is, the web interface does not have a setting to shut off the rogue server.
If I hadn't done a CCNA I don't think I would have ever figured this out. I don't know what ordinary people do when this happens to them.
THANK YOU for that link, I didn’t realize that our self-hosted DHCP was facing attacks not only from the shitty ISP cable modem but also from the TP-Link APs. Hopefully an upgrade will fix that. It really says something about their attitude:
> And there seemed to be some misleading about "smart DHCP". This feature would not be enabled for no reason.
It took >2y and >100 forum posts on the issue before they even acknowledged that even in “AP mode” it silently enables a DHCP server as long as it doesn’t get a DHCP reply within 60s from boot.
Tenda devices do this as well, and some other thing I have, maybe a GL.iNet. If my main connection dies for more than 15 minutes, it's anyone's guess which device will win the race to break DHCP.
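One way to spot the "smart DHCP" behaviour described above from a packet capture, as an added example that is not from any commenter: parse DHCPOFFER packets and flag any offer whose server identifier is not the expected server, or whose offered address falls outside the expected subnet. The two offers below are constructed in-line with made-up addresses; the expected server and subnet are parameters you supply.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SUBNET_MASK, ROUTER, MSG_TYPE, SERVER_ID = 1, 3, 53, 54
DHCPOFFER = 2


def build_offer(xid, yiaddr, server, mask, router):
    """Constructed DHCPOFFER (BOOTP header + options) for the sample capture."""
    packed = lambda a: ipaddress.ip_address(a).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,             # op=BOOTREPLY
                         b"\0" * 4, packed(yiaddr), packed(server), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([MSG_TYPE, 1, DHCPOFFER])
            + bytes([SERVER_ID, 4]) + packed(server)
            + bytes([SUBNET_MASK, 4]) + packed(mask)
            + bytes([ROUTER, 4]) + packed(router)
            + b"\xff")                                      # END
    return header + MAGIC_COOKIE + opts


# Constructed capture: one offer from the real server, one from an AP whose
# fallback DHCP server kicked in on a different subnet (as in the thread).
SAMPLE_CAPTURE = [
    build_offer(0x1234, "192.168.1.50", "192.168.1.1",
                "255.255.255.0", "192.168.1.1"),
    build_offer(0x1234, "192.168.0.100", "192.168.0.254",
                "255.255.255.0", "192.168.0.254"),
]


def parse_options(data):
    """Decode TLV options after the magic cookie; tolerate PAD and a missing END."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                     # END
            break
        if code == 0:                       # PAD
            i += 1
            continue
        if i + 1 >= len(data):
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:             # truncated option
            break
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(pkt):
    """Return the fields a rogue-server check needs, or None if not an OFFER."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC_COOKIE:
        return None
    opts = parse_options(pkt[240:])
    if opts.get(MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    addr = lambda code: ipaddress.ip_address(opts[code]) if code in opts else None
    return {"xid": struct.unpack_from("!I", pkt, 4)[0],
            "yiaddr": ipaddress.ip_address(pkt[16:20]),
            "server": addr(SERVER_ID), "mask": addr(SUBNET_MASK),
            "router": addr(ROUTER)}


def audit_offers(packets, expected_server, expected_subnet):
    """Flag offers that do not come from the expected server or subnet."""
    net = ipaddress.ip_network(expected_subnet)
    expected = ipaddress.ip_address(expected_server)
    findings = []
    for pkt in packets:
        offer = parse_offer(pkt)
        if offer is None:
            continue
        if offer["server"] != expected:
            findings.append("unexpected DHCP server %s offering %s"
                            % (offer["server"], offer["yiaddr"]))
        elif offer["yiaddr"] not in net:
            findings.append("server %s offered %s outside %s"
                            % (offer["server"], offer["yiaddr"], net))
    return findings


if __name__ == "__main__":
    for line in audit_offers(SAMPLE_CAPTURE, "192.168.1.1", "192.168.1.0/24"):
        print(line)
```

Feed it the UDP payloads of port 67/68 traffic from a capture taken shortly after a power cycle, which is when the thread says the fallback server appears.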
I had a similar experience with my Netgear Orbi; they have a dual 2.4/5 GHz network on the same SSID, but certain devices just cannot handle it (including apparently Facebook's Oculus and quite a few smart home devices).
Turns out you can split them up into separate SSIDs, but only by telnetting into your base station and each satellite and running some cryptic commands on each. It used to be possible via the web UI, but they just... dropped it.
> they have a dual 2.4/5 GHz network on the same SSID, but certain devices just cannot handle it
My Canon wireless printer is one of those devices that can't handle it. If they both have different SSIDs, then it will connect fine. But if there are two with the same SSID, during setup it fails to ask the user for a password and therefore cannot connect.
Meanwhile, Amazon's eero has removed the option to have different SSIDs for each network. The two mistakes combined (Canon's and eero's) mean it's not possible to use the Canon on an eero network. Unless...
What I ended up doing was unplugging the eero, and setting up an Airport Express I used to use for traveling with the SSID I want for the eero. Hook the Canon up through the Airport. Unplug the Airport and turn the eero back on and it connects. A stupid workaround.
I ended up naming my SSIDs SSIDNAME and SSIDNAME2.4 for just this reason. I had all kinds of problems getting my 2.4GHz devices onto my network when they shared the same name. PCs and tablets did fine but anything more obscure (smart switches for instance) was a mess.
I did not know that about the eero devices. Really glad I didn't "upgrade" to the newest Ring base station with eero built-in.
No clue. Very possible it's specific to the Orbi, or possibly the spots in our house the Oculus and LG washer/dryer are located - perhaps the signal strength is just iffy enough they hop between the two frequencies sometimes. A full restart of the devices helps, but usually only for 15-30 mins.
> A full restart of the devices helps, but usually only for 15-30 mins.
This rings a bell. Do you have an Orbi mesh by any chance? I used to experience this with specific cheap IoT devices that were constantly hopping to different Orbi satellites.
There is an option somewhere in the UI to bind a device to one specific access point, and you can tag a device as IoT or smart speakers which (based on feeling) seems to change the steering heuristics to something that stops this from happening.
Yeah, we use the Orbi mesh network, but they don't mind hopping between satellites if 2.4 and 5 are split. Given the way my kids move the Oculus around a lot between rooms, being able to hop is important.
Yep, smart bulbs from most manufacturers need 2.4GHz. Had to go back to owning my own router (thankfully) after a brief stint with the standard Spectrum one.
Perhaps they would buy a new router, then replace other things randomly until it worked again. This approach might even be quicker. Much more wasteful however.
My TP Link wifi router loses the ability to list connected clients if you switch it to access point mode.
I discovered that this problem affects many models and people have been posting about it in the tp link forums for many years and have only received annoying "we'll look into it" customer service responses.
I will never buy a router I can't put openwrt on again.
I've been suffering this for years with a TL-WPA8630P v2.0 and so far the only solution from TP Link [1] is a firmware update that disables DHCP only until you reboot it (or the power goes out). It's ridiculous.
You can use Wireshark to access the server on the device; it's what they use when they update firmware. But have you used a modded powerline adaptor to access engineering settings in white goods like modern fridge freezers? A lot of them have a CPU controlling everything and you access it using the mains plug.
A bit of a tangent, but I recently discovered GL.iNet[0] and ordered a couple of routers and hotspots. HK vendor for network devices running forked OpenWRT with a bunch of extras and customization.
I haven't had the time to dive deep enough into all of the code yet, but so far I'm very optimistic. Not perfect; some of the more interesting functionality (like site-to-site VPN) is tied to a proprietary closed SaaS with associated telemetry (and maybe even backdoors, intentional or otherwise). The Wireguard setup is for some reason (legacy?) not using the OpenWRT WG-interfaces but set up using custom init scripts. And getting anything else than OpenWRT/LEDE running on them with full hardware support will probably be a significant effort. I'm a bit wary of using the stock OS without compiling it myself because, well, you know.
Still, the sources are provided (including instructions on how to customize and compile your own OS/firmware). The locked-away functionality can be ported/unlocked if you're up for it. They fully support users hacking their devices all they want - and stuff like this[1] shows some hacker DNA. Out of the box the hotspot is by far the best I've found in the price-class.
The mudi's pretty cool; pocket wifi with swappable miniPCIe 4G/WiFi cards and a small dongle for Ethernet. So one could make it into a fully customized road-warrior bridge for any WiFi/Ethernet devices, or whatever other shenanigans you can imagine with that.
I really hope they steer course on the right track and don't fall to the same fate as Ubiquiti. As mentioned I haven't battle-tested them extensively yet but so far I can warmly recommend them.
I just checked out their site and their offerings look underwhelming. Their top of the range home router costs $90 and supports 802.11ax... but only at 1200Mb/s. You could buy a mid-range 802.11ac router with similar speeds, made by ASUS years ago, on sale. I guess you could argue "Openwrt" is worth the premium, but ASUS routers have asus-merlin for open firmware.
I have their AX router, Flint, and the CPU is actually good on this thing - ARM-A53, quad-core 64-bit, basically it's a Raspberry Pi 3. Most routers come with ARM-A7, an old 32 bit arch, and not all of them are quad-core.
When I use OpenVPN, I get over 100 Mb/s with Flint, and <30 Mb/s on ASUS RT-Ax55.
I do not think your wireless performance comparison is right; you need 3 antennas to get 1200 Mb/s on AC/Wifi 5, and there are only a couple of niche desktop PCIe adapters that can do that.
I get 30-40% higher real-world wireless throughput from Flint compared to two high-end AC routers I tested. If you want to really dig into wireless performance, you would have to test real-world throughput. It certainly doesn't have all the bells and whistles of Wifi 6E and 160 MHz channels.
Horses for courses, I guess. For my purposes, Asus-Merlin does not even come close to cutting it - and I have run it before on a couple of different devices.
Asus routers are what's underwhelming in my experience - very unreliable and if you buy anything that's been on the market for <1-2y you never know which one will end up an expensive paper-weight down the line and which one will have decent support. The chipset vendor - avoid Broadcom - is a decent heuristic but not 100%.
YMMV but the GL-AP1300 improved throughput, coverage and reliability significantly compared to my old RT-AC66U (which is one of the Asus devices that can actually run OpenWRT without jumping through hoops).
I’ve got one of those, it’s pretty nice. Last I checked (multiple years ago) it phoned home to a .cn address by default. I don’t remember the details – please verify for yourself.
I will! Without the cloud stuff, the only thing I found so far was stuff like this, which I remove myself but is fully understandable - if you want to do zeroconf connectivity-checking on devices used in Mainland China you don't have much options otherwise. 8.8.8.8 certainly won't work.
If anyone remembers seeing an article about using a gl.inet mango as a way to mitm cellphone apps on your own network, I'd like to request a link. I read it, and bought a couple mangos a couple months later, and now, a couple years later I cannot find the page anymore.
Coming from a more remote country, that sounds completely normal when buying electronics directly from international manufacturers these days.
And, not saying anyone should do anything stupid, but sometimes these companies can be willing to send you less valuable but otherwise identical products if you ask nicely (wink wink)
Yeah, this is what I recommend to anyone who knows anything about computers. It also depends on each person's needs though, since OpenWRT sometimes excludes the latest tech.
At home we connect to a TP-Link Archer C7 running OpenWRT. It's only WiFi5, but we have zero issues streaming many 5GHz devices off of it. It's even held up fine while we both work from home.
I also run a second much older TP-Link router using stock firmware on a separate subnet. I don't think OpenWRT supports that one. But only my IoT devices and smart TV connects to it because I don't trust them on my network anyways.
All that being said, I wish there was something better and easier for the tech illiterate. The state of routers/security/privacy sucks today.
I had OpenWRT running on an Archer C7 for a while, but the wifi was "unreliable". It's like the 5GHz would just randomly stop flowing packets. I never root caused it, but since I stopped using it my home wifi experience has been generally boring in a good way.
I live near main street in a small touristy coastal town, and there's tons of access point beacons flying around. I only have a 10,000 sq. ft. lot and have three access points to cover it. I turned off "legacy" rates everywhere I could so hopefully all my beacons are 6Mbps+ with greenfield preambles.
Different wifi chipsets cope differently with congestion. Specifically, when packet collisions do occur, some chipsets miss both frames, while other chipsets successfully decode the frame of higher signal strength as long as there's enough of a difference. In low congestion areas it doesn't matter since packets rarely collide, but in high congestion areas it can make a big difference for throughput as packet collisions occur frequently.
If you set the SSID and password identical for both bands, the clients should prefer to negotiate the optimal band. I just checked and all clients save for some legacy devices on my OpenWRT router are on 5GHz. So I'm now wondering in which cases band-steering is helpful?
Clients don't always do this automatically. My Arch Linux laptop would often select 2.4GHz in places where 5GHz offered a much better experience. Generally it will start on 5GHz when it is close to the router, fall back to 2.4GHz when it moves far away, and (sadly) it doesn't go back to 5GHz when it moves back closer to the router. Apple devices were pretty good, automatically choosing and switching to the best bands at all times with behaviour much similar to that seen on mobile phones. For this reason I prefer the AP to manage the band steering as it means all devices are connected to the best band. Leaving it to the clients results in a hit and miss experience depending on how well the device operates. I live with other people who own all sorts of different devices so it's not possible for me to say "OK this network is only for Apple devices", I have to ensure the WiFi works for all sorts of different devices.
I've found similar networks when inspecting other brands of router. It's not an uncommon sight these days with vendors and their 50 different proprietary mesh negotiation protocols.
While I did wonder how they generated the SSID (In this case it was 128-bit hash, underscore then the vendor name), I didn't really look too hard into it as my goal was wiping out the vendor's firmware anyway. I did spot some features like configuration sync that made my "this'll be written properly..." senses go off though.
I do note that there is a Wi-Fi Alliance spec for this kind of thing now though. It's called Wi-Fi EasyMesh. I can't imagine anyone apart from actual SoC vendors taking the effort to implement it though, as it's a 163 page specification, available only on request or to alliance members. (Well, the vast majority of chipset manufacturers are members, and the specifications have leaked anyway.)
Edit: Scratch that, there were actually 3 different hidden SSIDs. The one mentioned above was a hidden IoT SSID, the other two were VendorMesh_hash and VendorMesh_WPS. :S
While we're talking routers I'll plug Mikrotik. Some basic knowledge of the Linux networking stack is required so they're not great for a general user, but for ~$50 I got a device that handles my setup with ease (IPv4 over PPPoE and IPv6 over 6rd) and I'm seeing throughput significantly higher than my previous router, which was a Zotac mini computer running pfsense. If you are more toward the power user / networking nerd end of the spectrum I'd recommend Mikrotik.
They also make a great 16 port SFP+ 10G switch (CRS317-1G-16S+RM) usually available for ~$350 which is nice for a prosumer setup. They also have a 10/100/1000/2500/5000/10000 RJ45 transceiver which is nice because it lets you migrate things over without having to upgrade everything or buy a separate multirate gigabit switch.
I do my actual routing on a Ubiquiti EdgeRouter though I've used MikroTik there as well in the past. I avoid most other Ubiquiti products though, particularly the UniFi line.
In both cases HW accelerated NAT and routing greatly outperforms an unaccelerated ARM/x86 Linux/BSD PC. Particularly when it comes to new session latencies not just saturating the bandwidth.
Last week I bought a TP-Link AX55 and went through the settings and enabled all the neat things and disabled all the regular consumer ease of access things (WPS, meshing things), and the only hidden networks in my area with the same app are several decibels away with a different MAC address. Either it’s not around in the newer models or it’s part of one of the regular consumer ease of access things.
Why disable mesh? I thought that will ensure the devices work together rather than compete (looking at fritzbox, but it seems they are all compatible).
A mesh network is entirely different from and inferior to a network with multiple access points each with a wired connection. If you've built your network to be the latter, you don't want anything to start acting as a wireless repeater and wasting lots of airtime.
Excuse me for the late response. I logged into the router and it’s called their trademarked “TP-Link OneMesh”, it’s likely useful if you buy more TP-Link products and want easy integration, however it’s unnecessary for my home. You’re lucky with your Fritzbox, my area has no competition in the ISP market which means I’m stuck with overpriced low quality, from the copper to the modem to the customer service.
Worse still, almost all new routers and mesh systems don't have the admin interface on the device; you have to sign up and manage it through a cloud account controlled by the manufacturer.
If anyone can recommend a good wifi mesh system that supports wifi 6 and doesn't require signing up for a manufacturer cloud account, please let me know.
They also used to be able to be set up standalone without a controller (have one AP Lite as well) but they removed that from their "apps" a while back (already set up APs keep working in standalone mode). This has caused me to make new AP deployments around the house using TP-Link Omada APs w/ OpenWRT firmware instead. Ubiquiti is no longer worth the premium if they keep messing with the software side of things (although their hardware keeps working well).
It's still possible to set up standalone UniFi access points.
I just tested it. The AP Lite 6 on the latest firmware can be set up in standalone mode with the latest Android app. You click the + icon in the top right, wait, then click other setup options -> standalone UniFi access point.
Many TP-Link products are absolutely terrible. Their Mesh products at Costco, you have to use an app on your phone to manage them and they are tied to an online account so presumably they are shipping your network info back to China. They won't even let you change your login email address once you've registered.
Cheap $20 TP-Link Wireless AC routers are capable of reliably running the latest builds of DD-WRT if you turn the link power down. I run my TP-Link TX power at the minimum allowable setting. You can count on a reliable 866 Mbps!
That last point was so infuriating. Was home visiting family a while back and helped them set up their new TP-Link network. Reluctantly installed the management app on a device of mine, and made my family member admin with full permissions (or so I thought).
Only after I left town did we realize I'd have to hand them my account to actually give them the admin rights.
> they didn't provide a good hardware solution for 4G. That's right, my street doesn't have fibre despite being in the tech startup heart of London. So here I am with a TP-Link router.
Same situation, another UK city center, without fiber, and with an incredibly noisy, effectively useless 1Mbit ADSL line.
I really wanted something running an open firmware, but for LTE you really need something >= Cat10 for reliable home broadband, and there isn't a lot of choice at this end excluding crazy expensive commercial stuff - it's either Netgear or Huawei. After learning way too much about LTE, I ultimately settled on a Netgear M2 (MR2100) and a couple of magnetic MIMO antennas out the window, which has worked very well, and the firmware isn't terrible. I was initially repelled by the high price (~£400), but you really need the 5x carrier aggregation of Cat10 to get something reliable; the cheapo Cat4/6 TP-Link stuff is not worth the time IMO.
[edit]
At the time there was one industrial LTE router manufacturer that caught my eye, "Teltonika", which ships with OpenWRT as the official firmware! But at the time they only had a Cat6 modem. They now appear to have added a Cat12 one, the "RUTX12", and its price is not dissimilar to the Netgear M2:
I once bought a TP-Link Wifi router as it was pretty high-speced at the time and people recommended it. I was happy with it until it hijacked my HTTP connection to tell me there's a firmware update. Will never consider their products again.
I did this during COVID and it took a lot of time and learning, but now I feel like the God of my network and I can do cool stuff that wasn't possible on my old gear. I've read that Protectli boxes are re-branded Qotom machines and I'm sure you can get the same setup for a few hundred less, but I'm glad I went with them for the support and coreboot OOTB.
Totally on board with the US-based support. I’ve called them once and they were fantastic. As soon as they offer a model with 10Gb NICs, I’ll buy one of those, too.
As for god mode, I agree. Super customizable and everything works properly. I grew tired of the nonsense routing ubiquiti kept releasing, went to pfsense, and right to opnsense.
I've had very good experience with Gl-iNet products. They have good hardware, very good openWRT support (the official firmware is based on openWRT) and are beefy enough to be used as home routers even if they are marketed as travel routers.
Thanks! In your experience, are they reliable with OpenWRT? My experience with commercial routers and access points (consumer grade) is that they need rebooting about every month because they start failing silently (eg. lights still on but wifi cannot be detected by clients).
Yes very! I use the AR750S as my home router and I never had to reboot it manually in any situation.
Though the updating process could be more streamlined: I had to redo all my configuration when updating from openWRT 19 to the latest 21 (could have been my own mistake during flashing; at least I have firmware updates).
We had the misfortune of having a large number of tp-link devices being installed in our network (a large residential building) and those devices have been nothing but a source of trouble ever since they were installed. They seem to be talking with each other and overriding their configuration to the point where I had to segregate them in their own little NATs (with the complete blessings of the building manager). Only then did the shenanigans stop.
That, in addition to their ever-dwindling configuration options, is why I refuse to buy from them anymore. Their (much) older devices were fantastic though.
Can anyone link a good "getting started" guide for this? I have experience managing servers but not managing network appliances, so I'm looking for a relatively gentle intro...
Edit: I'm not asking about how to install OpenWRT on an existing router, I'm looking for a guide on how to build a router from general purpose hardware - in the same way that you can build your own NAS etc.
The WiFi card in my mini PC turned out not to support access point mode, so I use separate WiFi routers as my access points. I could've replaced the WiFi card and run an access point on the mini PC too, but didn't bother because I needed multiple access points anyway to cover my house.
There's no fancy GUI to manage my router though, everything is done on the command line.
Thank you! I have had a look at both articles! My situation is similar to yours as I'm thinking that perhaps I will not have WiFi on it. Also, based on the first of the two articles, it seems that wireless cards for PC are not that great when you use them as access points. (I wonder if the situation has changed at all since 2016 though.)
WiFi cards for PC will probably always make crappy access points, not least because the antenna they come with can't compete with those on consumer WiFi routers.
They could totally work if you only need to cover something like a small apartment and don't need top speed.
But a separate WiFi access point is probably the way to go; I'd make sure to get ones that can run OpenWRT.
OPNsense installs quite nicely on most x86 hardware. I have had a very good experience running it on a repurposed low-powered used 1U server appliance with a couple of good quality networking interfaces.
It's so easy, all you need to do is install from media, and configure one interface as LAN and the other as WAN. Plug in your internet into one interface and your LAN into the other. Configure it like you normally would configure a router, and you're done.
I'm running mine on a very old dual-core i5 with 4G of RAM and a 16GB SSD, and even this is overkill.
My preference is to install Proxmox on a small x86 machine with enough NICs and virtualize OpenWRT. One could also virtualize OPNSense (or VyOS, which I ran previously), but for me, OpenWRT is enough. I use this to route gigabit WAN: https://www.reddit.com/r/homelab/comments/hzvfih/new_router_...
Thank you! I didn't consider the virtualisation route, interesting. I saw many of those "industrial mini PC" on eBay, but for now I'm planning to repurpose old hardware (discarded parts taken out of my gaming PC over time due to updates, I have everything I need to build a new machine except NICs and case).
PS just followed the AliExpress link, those prices are good
+1 on the same question. I actually saw some posts about x86_64 based router the other day (didn't mention how to build it though), wondered if that's a viable solution.
Mikrotik SXT LTE6 works for me as I am in a very remote place. RouterOS is a really great piece of software: you have a web based GUI, you have a fully featured CLI with all the things you need from a router: NAT, firewall, port forwarding, I cannot name them all; I believe I barely use a few % of what is inside.
Ubiquiti UAP-AC as an AP.
I dislike the mikrotik devices because they lock the functionality of the device. I was unable to set up a pair of repeaters as anything else because of this. It was not really advertised and it's totally artificial.
Oh come on, a dongle? In 2021, really? Most dongles on the market are Huawei anyway and they do NAT, no bridge or modem mode. You have to pull down some pin to ground and reflash them to get actual modem functionality. I've got one in my drawer. Plus when they get hot they'll start causing issues.
> Let the AP be a dispensable component, not the main component of your network.
Yes. Agreed. Let routing and WiFi be 2 separate concerns handled by 2 different devices (or in the case of mesh-networking, classes of devices).
> You don't need much CPU power for a router.
Depends on how fast your link is. I could get decent routing on a mid-range MIPS-based device until I needed more than 300 Mbps. The CPU peaked and throttled traffic, because it was responsible for the NATing (i.e. actual routing, not just passing ethernet frames or TCP packets around untouched).
After that I needed a router with support for hardware NAT offloading and it can do 1 Gbps actual routing just fine.
You probably don’t need to go full X86 + Debian, but depending on your needs, you may still find yourself bandwidth-limited because of CPU constraints.
It sounds interesting; however, the manufacturer claims it can stop functioning if you install the "wrong" locale (whatever that means).
While I cannot get how hardware can die from installing a different "driver", warnings like that put me off from using TP-Links. Perhaps I'll buy a cheap TP-Link and give it a try just as an experiment to see how far I can get.
> While I cannot get how hardware can die from installing a different "driver"
There are many ways that could happen. For instance, the software could configure as an output a pin which, on that particular board, is hard-wired to a power rail; when the opposite value is set as the output (low when the pin is hard-wired to power, or high when the pin is hard-wired to ground) it would be a short-circuit. Or the software could configure a programmable voltage regulator to output a voltage which is higher than the maximum allowed voltage for one of the chips on that power rail. Or the software could configure more than one chip on a shared bus to output opposite values at the same time (again a short circuit, unless it's something like an open-collector bus). Or it could program invalid values on one-time-programmable antifuses, for instance setting the chip to use an external clock which doesn't exist. Or it could write an invalid program to the bootloader (for instance, it might be expecting memory to reside at a different address, so it always crashes) and there's no recovery method other than externally flashing the NAND (that one is technically a "soft" brick, but most people wouldn't be able to recover from it). And so on.
Usually a lack of hardware acceleration support is a problem on the wired side, where a lot of consumer routers rely on NAT offload in the Ethernet switch, without which a cheap MIPS core cannot offer good WAN to LAN throughput. WiFi NICs are quite self-contained these days with their own complicated firmware, to the extent that it is often hard to move enough of the processing back to the CPU even when you want to (such as to do smarter airtime scheduling than the proprietary firmware that runs on the NIC).
Do you know the reason? In my case I just had to boost the power for the wifi a bit in the settings to improve the speed. But I never ran it with the original firmware, so have no point of comparison.
My solution is to buy a reliable WiFi Access Point and plug that into the router, and just disable the router’s WiFi. That way I can choose a router for the features I need (or use a small PC if I wanted to do something tricky or needed high performance). I think that would fix the problem with the TP-Link (albeit costing far more).
I use Unifi UAP-AC-LR for the AP, because they are easy to set up from an Android phone, are not expensive, are not flakey, can be mounted in a location to optimise WiFi reception (powered from Ethernet cable by included DC injector), can be easily moved to new ISP or house, don’t require a controller, and they just keep working. Ubiquiti have made some dick moves, but their AP and point-to-point hardware has been solidly reliable and relatively simple to configure.
I was running a TP-Link access point (not router) and was surprised to notice the "hidden" networks. I thought I was misinterpreting the readings at first, but then I installed that beta firmware and it allowed me to disable them. This improved connectivity with some devices. I shortly after switched to a Ubiquiti access point which has been a lot better.
I think it's really important for people to know the difference between routers, switches, access points and modems. I've noticed that even geeks these days seem to have forgotten or maybe never knew. This has nothing to do with routers whatsoever. You can pick and choose the best from each category. No need to go "all in" on one device and accept tons of compromises.
Huawei AX3 does something similar. As does any Xfinity router (but I think you can turn that off) but the Xfinity mesh is actually pretty decent if you have a subscription. Similarly, in Vietnam HCMC you can connect to wifi anywhere in the city because every telco/isp router creates a mesh like Xfinity. It's not a bad idea: having wifi network everywhere, but I suspect 5G will obviate this need. Wouldn't surprise me if home routers became a thing of the past in some areas if 5G delivers.
FYI: `airodump-ng` is a great way to see what's going on with any new router since it hops channels.
The public hotspot systems are actually much "worse" in terms of the overheads the author wrote about.
With a couple of unused SSIDs, they're just sending out a simple 802.11 beacon frame every so often and that's it. The energy cost and disruption to surrounding networks/channels must be minimal.
With a hotspot, not only do you have regular network traffic flowing and causing more potential interference, your router/modem is also using more power to process the traffic and modulate that signal into the wireline side. At least one estimate I found would be around $23/year of 24/7 use of the hotspot network (it may be less with newer hardware, article is from 2014) https://www.extremetech.com/computing/185560-new-report-illu...
It sounds like you are claiming public 802.11 hotspots are more noisy than everyone running their own routers. You do realize it is the same spectrum, right? It is literally the same impact, except with a larger BSSID you can route traffic more effectively.
Sharing more stations across physical APs in the same BSSID would be less overall traffic because it can be evenly distributed.
Maybe I missed your point: please explain how personal router vs public hotspot over rented router is different w.r.t. 802.11 interference.
EDIT: Deleted the part where I computed power cost incorrectly, because I'm an eeeediot.
No, that is not what I am claiming. If you read the article, the author claims that the 2 unused networks are a source of interference. I'm simply claiming that a busy or utilized hotspot will be a much larger source of potential interference than an unused network doing nothing but broadcasting a few beacon frames every few ms.
Your power calculation is only based on the power of the broadcast signal, not evaluating the electrical load on the router to do so or to process received signals and process traffic (performing NAT, encapsulation, etc.). The article I linked you to clearly states this:
>According to Speedify’s testing, the router draws 0.14 amps when idle and 0.22 amps when loaded. By the company’s calculations, this comes out to roughly $23 per year at mid-Atlantic power rates
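The two sides of this exchange are arguing about how much channel time idle beacons actually cost, and an earlier comment mentions disabling legacy rates so that beacons go out at 6 Mbps. The added example below (not from the thread) estimates the airtime fraction that N extra beaconing BSSIDs consume, using the 802.11 PLCP timings for 1 Mbps DSSS and 6 Mbps OFDM; the beacon size (150 bytes) and the 100 TU interval are constructed assumptions.

```python
"""Airtime cost of extra beaconing BSSIDs on one channel.

Added example, not code from the thread. Constructed assumptions: each idle
BSSID sends only beacons, one every 100 TU (102.4 ms), each beacon frame
about 150 bytes, transmitted at the lowest basic rate: 1 Mbps DSSS with a
long preamble on a mixed b/g network, or 6 Mbps OFDM once legacy rates
are disabled.
"""
import math

BEACON_INTERVAL_US = 100 * 1024  # 100 TU; 1 TU = 1024 microseconds


def dsss_duration_us(frame_bytes: int, rate_mbps: float = 1.0,
                     long_preamble: bool = True) -> float:
    """Airtime of an 802.11b DSSS/CCK frame.

    PLCP preamble + header is 192 us (long) or 96 us (short), then the
    MPDU bits go out at the chosen rate.
    """
    plcp_us = 192.0 if long_preamble else 96.0
    return plcp_us + frame_bytes * 8 / rate_mbps


def ofdm_duration_us(frame_bytes: int, rate_mbps: float = 6.0) -> float:
    """Airtime of an 802.11a/g OFDM frame.

    16 us preamble + 4 us SIGNAL field, then 4 us symbols each carrying
    N_DBPS = rate * 4 data bits; the PSDU is padded with 16 SERVICE bits
    and 6 tail bits before being split into whole symbols.
    """
    n_dbps = rate_mbps * 4
    n_sym = math.ceil((16 + 8 * frame_bytes + 6) / n_dbps)
    return 20.0 + 4.0 * n_sym


def beacon_airtime_fraction(n_bssids: int, frame_bytes: int = 150,
                            rate_mbps: float = 1.0, ofdm: bool = False) -> float:
    """Fraction of channel time used by the beacons of n_bssids idle BSSIDs."""
    if ofdm:
        dur = ofdm_duration_us(frame_bytes, rate_mbps)
    else:
        dur = dsss_duration_us(frame_bytes, rate_mbps)
    return n_bssids * dur / BEACON_INTERVAL_US


def compare_hidden_ssids(n_hidden: int = 2, frame_bytes: int = 150) -> dict:
    """Extra airtime for n_hidden unused SSIDs at legacy vs. OFDM basic rates."""
    return {
        "legacy_1mbps": beacon_airtime_fraction(n_hidden, frame_bytes, 1.0, False),
        "ofdm_6mbps": beacon_airtime_fraction(n_hidden, frame_bytes, 6.0, True),
    }


if __name__ == "__main__":
    for name, frac in compare_hidden_ssids().items():
        print(f"{name}: {frac * 100:.2f}% of channel time")
```

Two unused SSIDs cost roughly 2.7% of channel time when beacons go out at 1 Mbps but under 0.5% at 6 Mbps, which is why the "turn off legacy rates" advice matters more than the beacons themselves.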
Coincidentally I just discovered today that my Xfinity modem was broadcasting a public "xfinitywifi" by default. I only became an Xfinity customer a few weeks ago and had no idea. I even read all the terms of agreement and never saw this mentioned. I shuddered upon discovering this, just considering the security implications, and immediately disabled it. (I only gave in to using their modem due to a fairly large monthly discount. Starting to regret it.)
> I had to move away from Asus as they didn't provide a good hardware solution for 4G. That's right, my street doesn't have fibre despite being in the tech startup heart of London. So here I am with a TP-Link router, spamming unwanted waves. Do I really have to drop another £100 on new hardware just because TP-Link doesn't want to offer a boolean flag? What a waste. Maybe it's finally time to build my own router.
I'm pretty sure building your own router is going to cost more than $100.
I can highly recommend looking at the router database of OpenWRT. I had bad experiences with DD-WRT. Mostly stability issues. According to my research, OpenWRT doesn't have as much functionality or router support. But, it's very stable.
My favorite feature in both is that you can easily add virtual APs. E.g., I have one virtual AP with net isolation (no access to other networks, Internet only) and clients can't see each other.
I'm not at all surprised by this article because I recently purchased a new TP-Link router (Archer something IIRC) and it's quite honestly the worst router I've ever run. It goes down several times a day, dropping all network traffic that isn't TCP. Thus DHCP, UDP DNS and ICMP echo all fail.
My old router is a > 5 years old Asus (possibly as much as 10 years old!!) and literally held together with electrician's tape. I've had an array of physical failures due to age, from the antenna no longer standing up to the power button no longer functioning, and I've used electrician's tape to fix all of them. But for the stuff that matters it still works extraordinarily well.
So I figured it was only a matter of time before that router died completely and I'd need a new one. And I figured it has been so many years since I last upgraded that my new device should be amazing in comparison. But man was I wrong.
After getting kicked out of an important Zoom call last week (and weeks of issues and debugging too) I finally lost my temper, unhooked the router and went full on Office Space[1] on it.
I'm now back to running the old router. A router that's older than both of my kids. A router that had earned its retirement. I'm going to replace it with a Draytek device in the new year. Given I'm mostly working from home these days I want something reliable. But I'm also thinking Draytek will last me another ~10 years so it will work out cheaper than the TP-Link crap. In fact I'll never buy another TP-Link device again.
[1] For those who haven't seen Office Space: https://youtu.be/fjsSr3z5nVk (also definitely watch the movie. It's great!)
If you've never tried a prosumer router, TP-Link is a great intro. I recommend a standalone router with a standalone access point, rather than a combo like we see so often on the consumer side. I'm so glad I got an ER605 to tinker with while waiting for my Mikrotik to come in.
My ASUS router has enabled remote access after updates at multiple occasions. So much for ASUS.
Is there a tech brand that only sells stuff with no bs? I would gladly buy a "pure" router with no branded features. Would also gladly buy a TV without any of the "smart" stuff.
The security model for this doesn't look utterly broken. Seems that you need to go into the main router and "add" the mesh nodes. They obviously appear there by attaching to these hidden networks.
But since this is configuration-free, that suggests that the mesh devices store a single static key for these networks and can join any such network. Whatever protocols exposed on that interface better not have any security problems, or you'll have a backdoor.
You could make this somewhat secure by having a TPM in the mesh device that signs a challenge-response to get the hidden network key by MAC-address, but that seems too complicated.
They could simply have the mesh endpoints broadcast a proprietary AP, and 'adding' would be joining that network from the primary device and setting configuration.
I have a box full of old consumer wireless routers. I am not sure why most of these devices are so flaky. These days I separate the packet routing from the wifi part and that has made things a little more sane.
Having exactly the same experience with TP-Link: firmware is always outdated and I find it in every flat for rent (long-term or Airbnb), hotels, small coffee shops etc. So much space to have fun :\
I've moved to Mikrotik and don't know all disadvantages I have, but I am super happy about configuration options they provide. Happy to find alternatives here in the thread
Depends on what you want from it. I've other things I hack on so I don't really have the time to hack together my own router, so I use a Ubiquiti USG. Before that I had an EdgeRouter Lite (more or less identical) for years.
TP-Link is pretty solid but I recently went back to Asus for their mesh and UI; it's just incredibly better with more features. I never saw hidden networks on my TP-Link AX3000; what I did see is a lack of firmware updates, it seems like my model was abandoned.
So after the Ubiquiti debacle I went out and looked for a similar combination (solid hardware + not-too-annoying software). After briefly considering Mikrotik (which has issues with ac (wifi 5) and no ax (wifi 6) support) I settled on Grandstream for now. They don't just make phones but a small set of fairly nicely featured wifi APs for ok prices. Hardware seems solid, Software not annoying.
I've bought a few pieces from TP-Link when I was a poor student, not too bad as far as datasheet-specs per dollar goes, but the firmware was always exactly the kind of trashfire you'd expect and the hardware exactly what you paid for (not much). Definitely the kind of device you have to try real hard to fake your surprise when you find dozens of unpatched CVEs and no firmware updates.
I was in this same boat, but did you know that data breach was completely fabricated by a disgruntled employee? They didn’t actually leak any data or had any real breach. It’s still not great that this was doable, but at some level, someone has to have the keys to the kingdom.
Or the new version of their controller software missing huge chunks of functionality causing you to keep switching from new UI to old UI depending on what you needed to get done.
Although to be fair, while this has been super annoying, they are slowly getting there with recent releases. It definitely has the new product manager 'start from scratch clean slate' vs 'inherited mess' while co-existing vibes. Once they have hit parity, the cadence of this new team's releases should turn into a feature because they are consistently releasing updates/fixes way differently to previous management.
I still hate that the iOS Protect UX/UI has never used their own app beyond 9-5, as dark mode was removed and the interface is PURE WHITE. The iOS Network UX/UI designer has clearly used their app at night, hence a dark mode existing.
I think most of the complaints about UI are overblown (as commenters in this thread have pointed out) but this one is absolutely brutal. Sitemap works in one UI but not the other; some features work in new but not old... ridiculous.
Given their inexpensive pricing, as long as they only do that in their admin interface and don’t mess with my packets, it’s not worth throwing the baby out with the bath water in my book… especially since there are no real competitors offering good hardware with nice UI.
We have an EdgeRouter. The firmware is super annoying; I couldn't get it to do everything that I want, boring stuff that is easy with FreeBSD or OpenBSD and PF, Linux or Mikrotik for that matter. IPv6 also is only configurable from the console. The hardware is good though, does lots of pps. Too bad it's ruined by annoying software.
I was able to enable IPv6 through the web interface when I used an EdgeRouter about a year or so ago. Even some of the Wizards turn it on for you if you want (IIRC), although you can go into the manual configuration to set it up. I ended up switching to MikroTik due to my unease with Ubiquiti. Have to say however I found it more difficult to set up IPv6 on the MikroTik, so another point for the EdgeRouter's IPv6 support there.
I like products from GL-inet. I have one of their small routers for my house, native support for OpenWRT, without doing anything difficult to install it (no need to flash via serial port, there is also a nice uboot recovery web interface in case you brick the device by flashing the wrong image as I did!), everything works nicely out of the box.
They are small APs so not that big a range, but rather inexpensive and you can have a lot of them in your house (of course if you already have a wired network).
And by the way if you don't want to bother flashing OpenWRT... the stock firmware is already a custom build of OpenWRT, and fully unlocked, you can connect in SSH, install Luci, and install packages without limitations. Of course you can also use the simplified web ui that they provide that is nice. I installed a custom version just because I wanted to have more updated packages, but the stock one works fine if you only need an AP.
Got rid of Ubiquiti and the breach was just a footprint. Personally I'm really happy with Mikrotik. I do not recommend it if networking is not your thing and you just want some plug and play. So far I love it, wifi performance is better to me than unifi but that has many dimensions (I care most about reliability and low latency), plus it allowed me to have 10Gbe at a reasonable price.
It's still closed source, but if you're a bit paranoid then OpenWRT does not solve your problems (re some other comment). Switch chips are computers on their own and you have no control over them. I would be really, really surprised if they don't have tons of adventures in them. Reacting to magic packets, or even to something that may not be visible to an L3 sniffer, seems trivial to implement in an ASIC. Firmware of network cards is also something outside your control.
Long story short, I would suggest starting to treat your local network as if it were the public Internet. E2E, firewalls, honeypots (obscure ones) and backups. I mean, if you care; it's perfectly fine not to, life's short.
Ubiquiti's Unifi line seems riddled with issues. Why would I want an account or the internet involved in any part of my network control?
However, I am quite happy with the EdgeRouter series. I just wish it got more updates. The last update to EdgeOS is 6 months old. I don't like my security gateway not being patched with weekly security updates.
I don't think an account is actually required for UniFi, although it's the default route. It enables remote management, which is a nice feature for techies helping parents with wifi problems.
It was a pain to figure out, but I was able to set up my own instance of the management software without going through their servers. At one point I had to SSH into the AP and wipe its nonvolatile memory...
Of course, I don't remember how to do it at this point, so hopefully I don't ever need to change the settings on my AP. It's been working completely issue free for a couple years now.
I don't have any cloud account to run my home network, I just have a VM running the Unifi software locally. I'm quite happy with the setup. USG to route packets, PoE switch with three AC-Pro access points hanging off it.
If there is a power outage, or the Cloud Key gets restarted without shutting down, the database gets corrupted. None of the other hardware (MikroTik, Ruckus, Aruba Instant or OpenWrt) has that issue. Ubiquiti added a battery to the new Cloud Key to fix the issue.
I moved my hotel's wifi to Ruckus & another to Aruba instant on. It's been more than 12 months, and everything is working without any issue.
Unrelated but kind of related: I stopped looking at TP-Link routers (and other cheap Chinese routers) as soon as their Android app required registration: obviously for legal reasons due to all the "good-faith telemetry" [surely not shady at all], etc.
Disgusting... I ended up paying more for an Asus router (related to the article: not needing 4G/5G), not perfect or made in the West nor enterprise-tier, but good enough for home usage, and also pretty decently supported by open firmware solutions.
I agree that the situation the author describes is unacceptable.
But I am wondering why the author does not value his personal time. I can't help but think of opportunity costs. He spends a lot of time writing this article, reverse engineering backups and whatnot, instead of shelling out a hundred dollars to get a new device? I see this pattern so often in the tech world.
I agree. I like tinkering myself. But then why mention avoiding spending a hundred dollars for a new device, but spending a couple of hours as if those hours are worth less than said amount of money.
Should customers of a product be forced to either spend $100 for a new product and generate more e-waste, or tinker with their device, leaving it in an unsupported, perhaps even out-of-warranty state?
Maybe some people are happy with either option, but it sure is unethical to force that choice, especially when all the effort it could have taken from the manufacturer was to add a boolean flag.
I'd complain too, not everyone is in the same situation, and this is dodgy behavior anyway regardless of me liking the workarounds or not, simply having to workaround is bad enough in principle.
Maybe he wants to make others aware of the strange things TP-Link does. Which is a huge help; now I won't buy any TP-Link device either unless I can reflash it with OpenWRT.