229 comments

[ 5.0 ms ] story [ 236 ms ] thread
> I had to move away from Asus as they didn't provide a good hardware solution for 4G

Surely a 4G USB dongle would work fine in a linux router such as those from Asus?

Oh come on, a dongle? In 2021, really? Most dongles on the market are Huawei anyway and they do NAT, no bridge or modem mode. You have to pull down some pin to ground and reflash them to get actual modem functionality. I've got one in my drawer. Plus when they get hot they'll start causing issues.
Mikrotik SXT LTE6 works for me as I am in a very remote place. RouterOS is really great piece of software, you have web based GUI, you have fully featured CLI with all things you need from router: NAT, firewall, port forward, I cannot name them all, I believe I barely use few % of what is inside. Ubiquiti UAP-AC as an AP.
I dislike the mikrotik devices because they lock the functionality of the device. I was unable to set up a pair of repeaters as anything else because of this. It was not really advertised and it's totally artificial.
(comment deleted)
Huawei AX3 does something similar. As does any Xfinity router (but I think you can turn that off) but the Xfinity mesh is actually pretty decent if you have a subscription. Similarly, in Vietnam HCMC you can connect to wifi anywhere in the city because every telco/isp router creates a mesh like Xfinity. It's not a bad idea: having wifi network everywhere, but I suspect 5G will obviate this need. Wouldn't surprise me if home routers became a thing of the past in some areas if 5G delivers.

FYI: `airodump-ng` is a great way to see whats going on with any new router since it hops channels.

The public hotspot systems are actually much "worse" in terms of the overheads the author wrote about.

With a couple of unused SSIDs, they're just sending out a simple 802.11 beacon frame every so often and that's it. The energy cost and disruption to surrounding networks/channels must be minimal.

With a hotspot, not only do you have regular network traffic flowing and causing more potential interference, your router/modem is also using more power to process the traffic and modulate that signal into the wireline side. At least one estimate I found would be around $23/year of 24/7 use of the hotspot network (it may be less with newer hardware, article is from 2014) https://www.extremetech.com/computing/185560-new-report-illu...

Too bad fon/fonera didn’t span out. The idea was to share your access point (in a secure way) and earn credits for doing so.
I still own a couple of foneras, I liked the model..
(comment deleted)
I don't follow your reasoning at all.

It sounds like you are claiming public 802.11 hotspots are more noisy that everyone running their own routers. You do realize it is the same spectrum, right? It is literally the same impact, except with a larger BSSID you can route traffic more effectively.

Sharing more stations across phy APS in the same BSSID would be less overall traffic because it can be evenly distributed.

Maybe I missed your point: please explain how personal router vs public hotspot over rented router is different w.r.t. 802.11 interference.

EDIT: Deleted the part where I computed power cost incorrectly, because I'm an eeeediot.

No, that is not what I am claiming. If you read the article, the author claims that the 2 unused networks are a source of interference. I'm simply claiming that a busy or utilized hotspot will be a much larger source of potential interference than an unused network doing nothing but broadcasting a few beacon frames every few ms.

Your power calculation is only based on the power of the broadcasting signal, not evaluating the electrical load on the router to do so or to process received signals and process traffic (performing NAT, encapsulation, etc.) The article I linked you to clearly states this

>According to Speedify’s testing, the router draws 0.14 amps when idle and 0.22 amps when loaded. By the company’s calculations, this comes out to roughly $23 per year at mid-Atlantic power rates

Gotcha. Makes way more sense now. Thanks!
Coincidentally I just discovered today that my Xfinity modem was broadcasting a public "xfinitywifi" by default. I only became an Xfinity customer a few weeks ago and had no idea. I even read all the terms of agreement and never saw this mentioned. I shuddered upon discovering this, just considering the security implications, and immediately disabled it. (I only gave in to using their modem due to a fairly large monthly discount. Starting to regret it.)
The security model for this doesn't look utterly broken. Seems that you need to go into the main router and "add" the mesh nodes. They obviously appear there by attaching to these hidden networks.

But since this is configuration-free, that suggests that the mesh devices store a single static key for these networks and can join any such network. Whatever protocols exposed on that interface better not have any security problems, or you'll have a backdoor.

You could make this somewhat secure by having a TPM in the mesh device that signs a challenge-response to get the hidden network key by MAC-address, but that seems too complicated.

They could simply having the mesh endpoints broadcast a proprietary AP, and 'adding' by joining that network from the primary device and setting configuration.

https://www.tp-link.com/us/support/faq/2532/

Unrelated but kind of related: I stopped looking at TP-Link routers(and other cheap chinese routers) as soon as their android app required registration: obviously for legal reasons due to all the "good-faith telemetry"[surely not shady at all], etc.

Disgusting.. ended up paying more for an asus router(related to the article: not needing 4g/5g), not perfect or made in the west nor enterprise-tier but good enough for home usage, also pretty decently supported by open firmware solutions.

So after the Ubiquiti debacle I went out and looked for a similar combination (solid hardware + not-too-annoying software). After briefly considering Mikrotik (which has issues with ac (wifi 5) and no ax (wifi 6) support) I settled on Grandstream for now. They don't just make phones but a small set of fairly nicely featured wifi APs for ok prices. Hardware seems solid, Software not annoying.

I've bought a few pieces from TP-Link when I was a poor student, not too bad as far as datasheet-specs per dollar goes, but the firmware was always exactly the kind of trashfire you'd expect and the hardware exactly what you paid for (not much). Definitely the kind of device you have to try real hard to fake your surprise when you find dozens of unpatched CVEs and no firmware updates.

> So after the Ubiquiti debacle…

I was in this same boat, but did you know that data breach was completely fabricated by a disgruntled employee? They didn’t actually leak any data or had any real breach. It’s still not great that this was doable, but at some level, someone has to have the keys to the kingdom.

https://news.ycombinator.com/item?id=29411775

I think Ubiquiti makes really nice gear for prosumers, and it is completely unfair that their good reputation has suffered so much over this incident.

There was more to the debacle, for example, putting ads for their other products in the controller UI.
Or the new version of their controller software missing huge chunks of functionality causing you to keep switching from new UI to old UI depending on what you needed to get done.
Although to be fair, while this has been super annoying, they are slowly getting there with recent releases. It definitely has the new product manager 'start from scratch clean slate' vs 'inherited mess' while co-existing vibes. Once they have hit parity, the cadence of this new team's releases should turn into a feature because they are consistently releasing updates/fixes way differently to previous management.

I still hate that the iOS Protect UX/UI has never used their own app beyond 9-5, as dark mode was removed and the interface is PURE WHITE. The iOS Network UX/UI designer has clearly used their app at night, hence a dark mode existing.

I think most of the complaints about UI are overblown (as commenters in this thread have pointed out) but this one is absolutely brutal. Sitemap works in one UI but not the other; some features work in new but not old... ridiculous.
Given their inexpensive pricing, as long as they only do that in their admin interface and don’t mess with my packets, it’s not worth throwing the baby out with the bath water in my book… especially since there are no real competitors offering good hardware with nice UI.
Does Ubiquity use a standard ad network architecture that allows code from unknown third parties to run within your network?
It’s Ubiquiti advertising their own products.
More specifically, the ads are embedded into the software, not loaded dynamically
Well that's a rare thing, so imagine my surprise. ;)
We have an EdgeRouter. The firmware is super annoying, I couldn't get it to do everything that I want, boring stuff that is easy with FreeBSD or OpenBSD and PF, Linux or Mikrotik for that matter. IPv6 also is only configurable from the console. The hardware us good though, does lots of pps. Too bad its ruined by annoying software.
I was able to enable IPv6 through the web interface when I used an EdgeRouter about a year or so ago. Even some of the Wizards turns it on for you if you want (IIRC) although you can go into the manual configuration to set it up. I ended up switching to Microtik due to my unease with Ubiqiti. Have to say however I found it more difficult to set up IPv6 on the Microtik, so another point for the EdgeRouter's IPv6 support there.
I like products from GL-inet. I have one of their small routers for my house, native support for OpenWRT, without doing anything difficult to install it (no need to flash via serial port, there is also a nice uboot recovery web interface in case you brick the device by flashing the wrong image as I did!), everything works nicely out of the box.

They are small AP so not that big range, but rather inexpensive and you can have a lot of them in your house (of course if you already have a wired network).

And by the way if you don't want to bother flashing OpenWRT... the stock firmware is already a custom build of OpenWRT, and fully unlocked, you can connect in SSH, install Luci, and install packages without limitations. Of course you can also use the simplified web ui that they provide that is nice. I installed a custom version just because I wanted to have more updated packages, but the stock one works fine if you only need an AP.

Ubiquiti's Unifi line seems riddled with issues. Why would I want an account or the internet involved in any part of my network control?

However, I am quite happy with the Edgerouter series. I just wish it got more updates. The last update to EdgeOS is 6 months old. I don't like my security gateway not being patched with weekly security updates.

I don’t think an account is actually required for UniFi, although it’s the default route. It enables remote management, which is an nice feature for techies helping parents with wifi problems.
I don't have any cloud account to run my home network, I just have a VM running the Unifi software locally. I'm quite happy with the setup. USG to route packets, PoE switch with three AC-Pro access points hanging off it.
It was a pain to figure out, but I was able to set up my own instance of the management software without going through their servers. At one point I had to SSH into the AP and wipe its nonvolatile memory...

Of course, I don't remember how to do it at this point, so hopefully I don't ever need to change the settings on my AP. It's been working completely issue free for a couple years now.

I have good experiences with Aruba instant on stuff for home networking.
Aruba instant on is super simple, and very easy to setup.
Got rid of Ubiquiti and the breach was just a footprint. Personally I'm really happy with Mikrotik. I do not recommend it if networking is not your thing and you just want some plug and play. So far I love it, wifi performance is better to me than unifi but that has many dimensions (I care most about reliability and low latency), plus it allowed me to have 10Gbe at a reasonable price.

It's still closed source, but if you're a bit paranoid then OpenWRT does not solve your problems (re some other comment). Switch chips are computers on their own and you have no control over them. I would be really really surprised if they don't have tons of adventures in them. Reacting to magic packets or even something that may not be visible to L3 sniffer seems trivial to implement in ASIC. Firmware of network cards is also something outside your control.

Long story short, I would suggest starting to treat your local network as if it was public Internet. E2E, firewalls, honeypots (obscure ones) and backups. I mean, if you care, perfectly fine not to, life's short.

Ubiquiti was nice. But updates were horrible.

If there is a power outage, or cloud key gets restarted without shutting down, database gets corrupted. None of the other hardware - microtik, ruckus, Aruba instant or OpenWrt - has that issue. Ubiquiti added a battery to new cloud key to fix the issue.

I moved my hotel's wifi to Ruckus & another to Aruba instant on. It's been more than 12 months, and everything is working without any issue.

Grandstream is hot garbage. Stay faaaaar away from their products.

-Someone who suffered through years of their software / support horror show.

I have been more than happy with both my tp-link AX50 and tp-link AX11000.

The most stable routers and best router firmware that I’ve owned.

Not sure what they mean by "build my own router", it's easy enough to flash open firmware on a lot of tp-link models. https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/1...
Tried it, but Wifi speed on the Archer C7 was significantly reduced.
OpenWrt probably has to do everything through the CPU. Not hardware accelerated like in the stock firmware.
Usually a lack of hardware acceleration support is a problem on the wired side, where a lot of consumer routers rely on NAT offload in the Ethernet switch, without which a cheap MIPS core cannot offer good WAN to LAN throughput. WiFi NICs are quite self-contained these days with their own complicated firmware, to the extent that it is often hard to move enough of the processing back to the CPU even when you want to (such as to do smarter airtime scheduling than the proprietary firmware that runs on the NIC).
Do you know the reason? In my case I just had to boost the power for the wifi a bit in the settings to improve the speed. But I never ran it with the original firmware, so have no point of comparison.
it sounds interesting, however manufacturer claims it can stop functioning if you install "wrong" locale (whatever that means)

while I cannot get how hardware can die from install different "driver" warnings like that put me off from using tp-links. Perhaps I'll buy a cheap tp-link and give it a try just as experiment to see how far I can get

> while I cannot get how hardware can die from install different "driver"

There are many ways that could happen. For instance, the software could configure as an output a pin which, on that particular board, is hard-wired to a power rail; when the opposite value is set as the output (low when the pin is hard-wired to power, or high when the pin is hard-wired to ground) it would be a short-circuit. Or the software could configure a programmable voltage regulator to output a voltage which is higher than the maximum allowed voltage for one of the chips on that power rail. Or the software could configure more than one chip on a shared bus to output opposite values at the same time (again a short circuit, unless it's something like an open-collector bus). Or it could program invalid values on one-time-programmable antifuses, for instance setting the chip to use an external clock which doesn't exist. Or it could write an invalid program to the bootloader (for instance, it might be expecting memory to reside at a different address, so it always crashes) and there's no recovery method other than externally flashing the NAND (that one is technically a "soft" brick, but most people wouldn't be able to recover from it). And so on.

Build a Debian $latest firewall on an x86 box with two NICs (one upstream, one downstream/intranet). You don't need much CPU power for a router.

To downstream, connect a good switch with port mirroring. (You might want to be able to capture traffic.)

Connect a wireless router as an access point or do double-NAT.

Let the AP be a dispensable component, not the main component of your network.

> Let the AP be a dispensable component, not the main component of your network.

Yes. Agreed. Let routing and WiFi be 2 separate concerns handled by 2 different devices (or in the case of mesh-networking, classes of devices).

> You don't need much CPU power for a router.

Depends on how fast your link is. I could get decent routing on a mid-range MIPS-based device until I needed more than 300mbps. The CPU peaked and throttled traffic, because it was responsible for the NATing (ie actual routing, not just passing ethernet frames or TCP packets around untouched)

After that I needed a router with support for hardware NAT-offloading and it can do 1gbps actual routing just fine.

You probably don’t need to go full X86 + Debian, but depending on your needs, you may still find yourself bandwidth-limited because of CPU constraints.

I built a small x86 box and installed OPNsense and all my router woes have gone away.
This type of whackery is (the primary reason) why I try to buy computing devices on which I can flash a clean OS (OpenWrt/DD-WRT for routers)[1]. It sucks because it limits my choices down to a few, but at the same time I feel like I don't throw out money at abandonware.

[1] don't even get me started on TP-Link releasing routers with the same name but v2/v3/2020/2021 update where it's hard to even know if I'm buying the one that supports the custom OS flash.

The author touched on right of repair. I’d love to see a law requiring all devices to either be supported, or if being sunset, being required by law to provide tools/source/schematics to take over the device and extend its utility beyond the manufacturer’s willingness. Particularly a last firmware that disables anything requiring phoning home to continue to function. We saw that with OnHub recently, when after only 6 years Google decided to render a lot of devices e-waste. The least they could do is recycle them for you at their own cost.
Imagine not being able to use a lawn mower engine to make a go-kart.
"Right of repair" being focused on hardware is a neat little trick to enforce the illusion that changing software is beyond your rights as a consumer. Yes, you can fix the antenna when it breaks, and focus on how hard the fight was to get the right to fix the hardware you own... which you don't own as long as the company uses software to control what the hardware can and cannot do. But you sure physically own those mostly-useless atoms real good!
> "Right of repair" being focused on hardware is a neat little trick to enforce the illusion that changing software is beyond your rights as a consumer.

Is it a trick, or just limited imagination?

My impression is that "right of repair" came from mechanically-minded people seeking to maintain their traditional ability to repair physical devices in the face of corporate hostility (e.g. farmers vs. John Deere).

> Yes, you can fix the antenna when it breaks, and focus on how hard the fight was to get the right to fix the hardware you own... which you don't own as long as the company uses software to control what the hardware can and cannot do. But you sure physically own those mostly-useless atoms real good!

This seems more of software-centric Free Software attitude, which is not a place someone with mechanical skills but not very strong software skills is likely to arrive at themselves.

Hate to break it to ya, but anyone with any mechanical aptitude has what it takes to do whatever may need doing with software.

Heck, Before I received any formal instruction in programming I was tracing things via symbols and strings just like I did hardware connections.

The tractor right to repair issues include software. You might even say that software is the prime issue preventing repair of the newer from equipment. Parts with drm, unsupported software, etc.
> The tractor right to repair issues include software. You might even say that software is the prime issue preventing repair of the newer from equipment. Parts with drm, unsupported software, etc.

My understanding is the farmers just want to be able to repair their tractors without dealer approval (e.g. replace broken parts). They're not looking to hack new features into the firmware and stuff like that.

> My understanding is the farmers just want to be able to repair their tractors without dealer approval (e.g. replace broken parts).

For which they need to circumvent or disable DRM, and be able to run the manufacturers diagnostic software (or be able to use 3rd party diagnostic software).

> They're not looking to hack new features into the firmware and stuff like that.

I think you may be reasoning from a set of assumptions about farm equipment that is out of date. Modern farm equipment is very sophisticated and ties into all sorts of external services (GPS, mapping and terrain, high resolution soil data, weather forecasts, etc.), and can do things like adjust the direction and spacing of rows, depth seeds are sown, selective harvesting, selective pest control, selective fertilization, and more. The software that controls all that isn't just 'firmware'.

Not to mention that the equipment sends every bit of data back to the manufacturer to power add on services they can sell to the farmer by subscription.

Farmers certainly like all these features. In fact they like them so much they pay for after-market upgrades for older (repairable) equipment to add features and 3rd party services. They don't like being stuck inside the manufacturers' walled gardens.

These things have passed the point of just being equipment or tools, and are now platforms in their own right, and farmers are in many ways no longer their owners, but just captive users.

While right to repair starts with re-enabling a local mechanic to replace a part, it doesn't end there. Not by a long shot.

I had no idea it was focused on hardware. It applies to software too.
There is a specific problem with routers and certification for radio usage. This makes right to repair harder. It's not just a legal issue. The ether is quite full and it mostly works because there are clear rules that devices must meet.

With user serviceable routers, bumping up power, or moving to locally forbidden (quieter) frequencies could become lifehacks. There was already an airport whose radio saw interference from extra powerful 5ghz wifi routers.

Locking down devices as a business model is bad. But Locking them down as a regulatory precaution to keep radio working is different.

How to keep every manufacturer from seeking excemption from right to repair under these rules would be challenging tho.

If we didn't allow for an exemption but still required full compliance, perhaps manufacturers could physically limit the output from the power amplifiers and/or use blowable fuses in the chips to set a non-modifiable power limit. I imagine that the same could be done for frequency management either on board (bandstop filtering) or on chip (once again, blowable fuses to set disallowed frequencies).

I know that there will still be enterprising folks who modify their hardware itself to try to get around these limitations, but such enterprising people are already more than capable of physically modifying their existing hardware.

Not in manufacturing so I'm just speculating here. But I'd imagine that would create a new set of logistical issues, specifically instead of one bill of material that can be applied everywhere with controlled applied via software, now you need N BOM's, when N is the market region that has a slightly different set of RF transmission rules.

Not infeasible but certainly a significant increase in cost.

My PC has a 5ghz wifi antenna, and I can install any OS I want. Why should a router be any more locked down than my PC?

The FCC takes illegal broadcasting VERY seriously and I think that should deter people from becoming criminals.

1) The scale of the problem seems much lower on PCs because Windows and MacOS respect local regulations, Linux has an infrastructure to do so that works by default in some distros but not others, but overall the Linux market share is small and as is PC WiFi adapters are more often sold in country-specific variants with hardware restrictions than the chipsets in routers are (and usually have lower hardware Tx power limits). Overall, the architecture of WiFi is such that it's rare for a PC to make these kinds of decisions anyway. If it's an infrastructure mode network, the AP dictates channels.

2) FCC enforcement is, in general, rare. It usually requires specific complaints from commercial broadcasters in order for the FCC to respond. In the ISM and WiFi-specific bands, enforcement is extremely difficult because enforcement methods like radio direction finding are inherently difficult for the frequencies involved and even more difficult because of the high noise floor and large number of sources in urban environments. Even if the FCC allocated significant resources (which they do not), it would technically be difficult to enforce these regulations.

The FCC has closed more than half of field offices and laid off half of the enforcement staff over the last ten years. They have eliminated most of their field enforcement teams and now only have teams (perhaps only a handful, they don't say but the best public info I've found suggests 5) based out of the DC area that have to fly out. It's been very frustrating to see the FCC eliminating enforcement resources these days, but the reality is that enforcement has become far more difficult and less effective over time due to advancements in the technology. Direction finding FM pirate stations is technically pretty easy and something the FCC is very effective at (especially since FM broadcasters inform the FCC promptly). Just about everything else... fat chance of the FCC doing anything about it unless they can do so at an organizational/regulatory level (e.g. fining manufacturers or large scale operators). At the field level it's just too expensive and unproductive to try to track down individuals who have configured their WiFi routers in violation.

Follow the California Prop 65 model: Enable the general public to collect damages via civil suit. (Only half joking)
> Why should a router be any more locked down than my PC?

It's possible that the WiFi card in your PC will refuse to transmit on a 5GHz channel until it detects some other device already transmitting. I've pulled WiFi modules from dead laptops that had such restrictions enforced at the hardware/firmware level, making those WiFi cards unusable for a DIY access point.

Most modern wireless cards will do a scan for wireless networks on startup and set their regulatory domain to the one regulatory domain contained in the majority of beacons from surrounding wireless APs. This can't (easily) be overridden and prevents people from setting the wrong country and causing interference, while still allowing a single WLAN card to work globally.

Intel calls this "Location Aware Regulatory".

> This can't (easily) be overridden

Isn't it a simple drop-down in openwrt?

Not all radios support this in openwrt.
There being a dropdown doesn't tell you if the radio actually does anything with it.
> There is a specific problem with routers and certification for radio usage.

No, there isn't, because it's perfectly possible to limit what frequencies and power levels the hardware can emit without affecting the ability to run custom firmware such as OpenWRT. The certification argument is a dodge used by router manufacturers to avoid having to give customers what they actually want.

> There was already an airport whose radio saw interference from extra powerful 5ghz wifi routers.

Anyone who is radiating enough power to interfere with airport radios is doing something a lot stranger than just flashing custom firware like OpenWRT on their router. Such people are easily stopped without having to lock down devices.

Um, no. The "airport radio" in question is weather radar, which does directional scans and is very sensitive to interference. Just choose the wrong regulatory domain, and you're messing up the spectrum in ways that are mostly invisible to you.

https://en.wikipedia.org/wiki/Dynamic_frequency_selection

(some devices try to avoid this by scanning the spectrum for weather radars...user indignation at unavailable channels follows)

> The "airport radio" in question is weather radar

Ah, ok. Weather radar is very different from "airport radio". For the latter I have a very hard time seeing how someone's ordinary wifi router could cause interference, but weather radar antennas have to be much more sensitive.

Sure, but news channels usually don't distinguish this. "It's some sort of wireless problem at the airport, therefore airport radio."
TP-Link loves to make things proprietary. They have a custom protocol called the Tether Management Protocol, the weird OneMesh stuff noted here, custom firmware headers and signing, etc. all without proper documentation.

Many major vulns in TP-Link devices have been a result of these protocols, save for a few prolific things such as FragAttack. But hey, I guess it gives people something to hack on.

You may interested in my comment below. And yes, after helping a family member set up a TP-Link mesh I will do my best not to take part in expanding their coverage again. I'm not affiliated, just a bit psyched about discovering that there exist alternatives. :)

https://news.ycombinator.com/item?id=29642616

I used to do that and I suggest you look into OPNsense
Yeah I used to get TP-Link because they were so well supported by openwrt and dd-wrt. But lately they've really become consumer hostile like with their smart plugs, removing local control functions so they can no longer be used with home automation systems :(

For WiFi I moved to unifi but they're also becoming more difficult to work with. They are making it harder to use their stuff locally without their cloud service and to use the docker controller instead of their hardware.

So when I replace it I'll have to look for yet another supplier.. Why do companies always have to turn evil.

In general, margins in hardware manufacturing are low. Companies will generally do anything they can to increase demand, and establishing a "moat" is a great way to inflate demand. "I have some stuff, but it only works with other stuff from this same company" sucks for us as buyers, but it's obviously great for the seller.

This is also why literally every company ever says that repairing anything they sell will void the warranty unless you also buy all the parts from them unless the law expressly forbids them from doing so.

>” This is also why literally every company ever says that repairing anything they sell will void the warranty unless you also buy all the parts from them unless the law expressly forbids them from doing so.”

No, manufacturers do that because they don’t want to have to fix products that you’ve hacked up, then guarantee the item’s safety and regulatory compliance.

Exactly. I have a nice TP-Link router that doesn't have the problem described in the article..because the first thing I did was to flash OpenWRT on it. Problem solved.
If you can afford it, go one better.

I started out buying expensive home Wi-Fi routers, and I now have a box of expensive home routers I've decommissioned because they have vulnerabilities and stopped receiving updates. Probably well over ~£1000-2000 spent on them over the past ~decade.

Next I switched to separate Router/Switch/AP and started with a Ubiquiti EdgeSwitch 8 POE, EdgeRouter Lite 3 and an AP-AC-Pro. Later I added a EdgeSwitch 24.

Recently my EdgeRouter kicked the bucket, and wanting to be entirely free from manufacturer updates so I bought a Protectli box, flashed it with Coreboot (instead of AMIBIOS) and installed pfSense. I still use the AP-AC-Pro for now but will look for more open WiFi AP options once that dies or I move from my London apartment to a bigger home.

I say "if you can afford it" because the Protectli box came in at just over £500 once RAM and SSD were added (I got the i3 model), the AP-AC-Pro is ~£120 (IIRC) and the EdgeSwitch another ~£150. This isn't "reasonably" priced equipment for home use, nor would I recommend Ubiquiti of late, but it's working well for me at the moment.

Have you tried Turris routers?
I have not. I considered one when I was replacing the EdgeRouter but I'm a firm believer in separation of concerns, I didn't want my router to be handling my WiFi or doing the switching.

It would have been my top choice had I wanted to stick to an "all in one".

I would recommend installing Proxmox on the Protectli bare metal and running pfsense (I prefer opnsense) in a VM. Then you can run your unifi controller in a container on the same device. The i3 should be able to handle that, and you can use Proxmox to share some USB drives over NFS.
Thanks for the suggestion but "separation of concerns" is key for me; I also wouldn't want extra software running on my edge, even containerised. I have plenty of hardware (and several Kubernetes clusters) inside my network to run software workloads on.

For storage I built my "NAS" in the Silverstone CS381 (https://www.servethehome.com/silverstone-cs381-8-bay-matx-ca...) with an LSI HBA, Ryzen 9 3900X / 128GB RAM, 6 Intel NICs, 2 NVM.e SSDs + 1 SATA SSD for Proxmox and a bunch of HGST Ultrastar He10s as ZFS mirrors. I run the Unifi controller in a container on there.

Before the pfSense Protectli I was also running AdGuard Home in a container (which replaced Pi-Hole on a Pi) but Unbound + pfBlockerNG is more capable.

Re: pfSense / OPNSense; I was running OPNSense initially, but had some issues, I'm likely to go back if they're resolved; I find myself falling on the OPNSense side of the politics there.

OpenWRT was a reason I finally started considering TPlink routers, otherwise they are on my never buy list for this article and other reasons.
This type of issue of OneMesh discovery could be a wifi chip firmware functionality that isn't programmable via host OS. In such a scenario, even if you could run your own host OS, it wouldn't be of much help.
Linksys does the same shenanigans closing their router. Have to check the manufacture date to know if a model can be modded with openwrt.
Openwrt has a good description of the various supported routers (v2, v3 etc.) and i had no issues with it.
If you have a home router, do yourself a favor and install OpenWrt. You won't have to worry about the UI lying to you.
Many TP-Link products are absolutely terrible. Their Mesh products at Costco, you have to use an app on your phone to manage them and they are tied to an online account so presumably they are shipping your network info back to China. They won't even let you change your login email address once you've registered.
Cheap $20 TP-Link Wireless AC routers are capable of reliably running latest builds of DD-WRT if you turn the link power down. I run my TP-Link TX power at the minimum allowable setting. You can count on a reliable 866 mbps!
That last point was so infuriating. Was home visiting family a while back and helped them set up their new TP-Link network. Reluctantly installed the management app on a device of mine, and made my family member admin with full permissions (or so I thought).

Only after I left town did we realize I'd have to hand them my account to actually give them the admin rights.

Not only does their Deco mesh force you to use their cloud app, but there's no 2FA.
having exactly same expirience with tp-link, firmware is always outdated and I find it at every flat for rent (long-term or airbnb), hotels small coffee-shops etc. So much space to have fun :\

I've moved to Mikrotik and don't know all disadvantages I have, but I am super happy about configuration options they provide. Happy to find alternatives here in the thread

Last week I bought a TP-Link AX55 and went through the settings and enabled all the neat things and disabled all the regular consumer ease of access things (WPS, meshing things), and the only hidden networks in my area with the same app are several decibel away with a different MAC address. Either it’s not around in the newer models or it’s part of one of the regular consumer ease of access things.
Why disable mesh? I thought that will ensure the devices work together rather than compete (looking at fritzbox, but it seems they are all compatible).
A mesh network is entirely different from and inferior to a network with multiple access points each with a wired connection. If you've built your network to be the latter, you don't want anything to start acting as a wireless repeater and wasting lots of airtime.
Some people use term "wired backhaul mesh". It seems that it's just a seamless roaming but that's what I want.
Excuse me for the late response. I logged into the router and it’s called their trademarked “TP-Link OneMesh”, it’s likely useful if you buy more TP-Link products and want easy integration, however it’s unnecessary for my home. You’re lucky with your Fritzbox, my area has no competition in the ISP market which means I’m stuck with overpriced low quality, from the copper to the modem to the customer service.
I just got the AX55 as well. Fast modern router for the price. Pretty happy with the purchase, despite the lack of openness.
I had a related problem with their PowerLine TPA-4220 devices yesterday. It turns out there's a DHCP server on it that you can't turn off! It's supposed to be smart and know when there's another DHCP server on the network, but it appears that this sometimes doesn't work. So I found that my laptop sometimes ends up configured on the wrong subnet, which of course kills the internet connection. The thing is, the web interface does not have a setting to shut off the rogue server.

If I hadn't done a CCNA I don't think I would have ever figured this out. I don't know what ordinary people do when this happens to them.

I had a similar experience with my Netgear Orbi; they have a dual 2.4/5 GHz network on the same SSID, but certain devices just cannot handle it (including apparently Facebook's Oculus and quite a few smart home devices).

Turns out you can split them up into separate SSIDs, but only by telnetting into your base station and each satellite and running some cryptic commands on each. It used to be possible via the web UI, but they just... dropped it.

Our network at home has both 2.4 and 5 on the same SSID, with no issues (and I have an oculus). Is this just a Netgear thing?
No clue. Very possible it's specific to the Orbi, or possibly the spots in our house the Oculus and LG washer/dryer are located - perhaps the signal strength is just iffy enough they hop between the two frequencies sometimes. A full restart of the devices helps, but usually only for 15-30 mins.
> A full restart of the devices helps, but usually only for 15-30 mins.

This rings a bell. Do you have an Orbi mesh by any chance? I used to experience this with specific cheap IoT devices that were constantly hopping to different Orbi satellites.

There is an option somewhere in the UI to bind a device to one specific access point, and you can tag a device as IoT or smart speakers which (based on feeling) seems to change the steering heuristics to something that stops this from happening.

Yeah, we use the Orbi mesh network, but they don't mind hopping between satellites if 2.4 and 5 are split. Given the way my kids move the Oculus around a lot between rooms, being able to hop is important.
they have a dual 2.4/5 GHz network on the same SSID, but certain devices just cannot handle it

My Canon wireless printer is one of those devices that can't handle it. If they both have different SSIDs, then it will connect fine. But if there are two with the same SSID, during setup if fails to ask the user for a password and therefore cannot connect.

Meanwhile, Amazon's eero has removed the option to have different SSIDs for each network. The two mistakes combined (Canon's and eero's) mean it's not possible to use the Canon on an eero network. Unless...

What I ended up doing was unplugging the eero, and setting up an Airport Express I used to use for traveling with the SSID I want for the eero. Hook the Canon up through the Airport. Unplug the Airport and turn the eero back on and it connects. A stupid workaround.

I ended up naming my SSIDs SSIDNAME and SSIDNAME2.4 for just this reason. I had all kinds of problems getting my 2.4GHz devices onto my network when they shared the same name. PCs and tablets did fine but anything more obscure (smart switches for instance) was a mess.

I did not know that about the eero devices. Really glad I didn't "upgrade" to the newest Ring base station with eero built-in.

Yep, smart bulbs from most manufacturers need 2.4GHz. Had to go back to owning my own router (thankfully) after a brief stint with the standard Spectrum one.
Perhaps they would buy a new router, then replace other things randomly until it worked again. This approach might even be quicker. Much more wasteful however.
This feature is stupid. I never buy TP-link products because I can't believe people who ship like this. ref: https://community.tp-link.com/en/home/forum/topic/160293
THANK YOU for that link, I didn’t realize that our self-hosted DHCP was facing attacks not only from the shitty ISP cable modem but also from the TP-Link APs. Hopefully an upgrade will fix that. It really says something about their attitude:

> And there seemed to be some misleading about "smart DHCP". This feature would not be enabled for no reason.

It took >2y and >100 forum posts on the issue before they even acknowledged that even in “AP mode” it silently enables a DHCP server as long as it doesn’t get a DHCP reply within 60s from boot.

I see. So that's why our network broke when the power failed. My Linux router is slow to boot, and the tp-link's in AP mode ran out of patience.
Tenda devices do this as well, and some other thing I have, maybe a gl.inet. if my main connection dies for more than 15 minutes, it's anyone's guess which device will win the race to break dhcp.
THANK YOU for that link, I didn’t realize that our self-hosted DHCP was facing attacks not only from the shitty ISP cable modem bit also from the TP-Link APs. Hopefully an upgrade will fix that. It really says something about their attitude:
My TP Link wifi router loses the ability to list connected clients if you switch it to access point mode.

I discovered that this problem affects many models and people have been posting about it in the tp link forums for many years and have only received annoying "we'll look into it" customer service responses.

I will never buy a router I can't put openwrt on again.

Ironically, TP-Link is often the best choice for OpenWRT.

Cheap, good hardware and most importantly, a supported chipset.

They do what I kept on doing with these devices, unplug them and then plug them back in again.
You can use wireshark to access the server on the device, its what they use when they update firmware, but have you used a modded powerline adaptor to access engineering settings in white goods like modern fridge freezers because alot of them have a cpu controlling everything and you access it using the mains plug?
What? Do you have any proof of that?
A bit of a tangent, but I recently discovered GL.iNet[0] and ordered a couple of routers and hotspots. HK vendor for network devices running forked OpenWRT with a bunch of extras and customization.

I haven't had the time to dive deep enough into all of the code yet, but so far I'm very optimistic. Not perfect; some of the more interesting functionality (like site-to-site VPN) is tied to a proprietary closed SaaS with associated telemetry (and maybe even backdoors, intentional or otherwise). The Wireguard setup is for some reason (legacy?) not using the OpenWRT WG-interfaces but set up using custom init scripts. And getting anything else than OpenWRT/LEDE running on them with full hardware support will probably be a significant effort. I'm a bit wary of using the stock OS without compiling it myself because, well, you know.

Still, the sources are provided (including instructions on how to customize and compile your own OS/firmware). The locked-away functionality can be ported/unlocked if you're up for it. They fully support users hacking their devices all they want - and stuff like this[1] shows some hacker DNA. Out of the box the hotspot is by far the best I've found in the price-class.

The mudi's pretty cool; pocket wifi with swappable miniPCIe 4G/WiFi cards and a small dongle for Ethernet. So one could make it into a fully customized road-warrior bridge for any WiFi/Ethernet devices, or whatever other shenanigans you can imagine with that.

I really hope they steer course on the right track and don't fall to the same fate as Ubiquity. As mentioned I haven't battle-tested them extensively yet but so far I can warmly recommend them.

[0]: https://www.gl-inet.com/

[1]: https://github.com/gl-inet/portal-detection

I’ve got one of those, it’s pretty nice. Last I checked (multiple years ago) it phoned home to a .cn address by default. I don’t remember the details – please verify for yourself.
I will! Without the cloud stuff, the only thing I found so far was stuff like this, which I remove myself but is fully understandable - if you want to do zeroconf connectivity-checking on devices used in Mainland China you don't have much options otherwise. 8.8.8.8 certainly won't work.

https://github.com/gl-inet/gli-pub/blob/326341dc5c14a256562e...

Ah yeah I think that might be what I was remembering. If 8.8.8.8 is up, will it ever check 208.67.222.222?

I didn’t realize the firmware is open source – that’s nice. Would be nicer still if you could verify the blob.

>[0]: https://www.gl-inet.com/

I just checked out their site and their offerings look underwhelming. Their top of the range home router costs $90 and supports 802.11ax... but only at 1200Mb/s. You could buy a mid-range 802.11ac router with similar speeds, made by ASUS years ago, on sale. I guess you could argue "Openwrt" is worth the premium, but ASUS routers have asus-merlin for open firmware.

Horses for courses, I guess. For my purposes, Asus-Merlin does not even come close to cutting it - and I have ran it before on a couple of different devices.

Asus routers are what's underwhelming in my experience - very unreliable and if you buy anything that's been on the market for <1-2y you never know which one will end up an expensive paper-weight down the line and which one will have decent support. The chipset vendor - avoid Broadcom - is a decent heuristic but not 100%.

YMMV but the GL-AP1300 improved throughput, coverage and reliability significantly compared to my old RT-AC66U (which is one of the Asus devices that can actually run OpenWRT without jumping through hoops).

I have their AX router, Flint and the CPU is actually good on this thing - ARM-A53, Quadcore 64-bit, basically it's a Raspberry PI 3. Most routers come with ARM-A7, an old 32 bit arch, and not all of them are quad-core.

When I use OpenVPN, I get over 100 Mb/s with Flint, and <30 Mb/s on ASUS RT-Ax55.

I do not think your wireless performance comparison is right, you need 3 antennas to get 1200 Mb/s on AC/Wifi 5, and there are only a couple niche desktop PCIE adapters that can do that.

I get 30-40% higher real-world wireless throughput from Flint compared to two high-end AC routers I tested. If you want to really dig into wireless performance, you would have to test real-world throughput. It certainly doesn't have all the bells and whistled of Wifi 6E and 160 Mhz channels.

Oof, I was about to order a Velica ($109) and they charge $47 for shipping to Canada.

No thanks.

They have a store on Aliexpress. I think shipping will be a lot cheaper there.
Good to know, I'll take a look.

EDIT: $143.00 + $25.40 shipping, yikes

Coming from a more remote country, that sounds completely normal when buying electronics directly from international manufacturers these days.

And, not saying anyone should do anything stupid, but sometimes these companies can be willing to send you less valuable but otherwise identical products if you ask nicely (wink wink)

I recently found GL.iNet. I wish they release higher end products.
If anyone remembers seeing an article about using a gl.inet mango as a way to mitm cellphone apps on your own network, I'd like to request a link. I read it, and bought a couple mangos a couple months later, and now, a couple years later I cannot find the page anymore.
Buy routers that can work with Openwrt, period.

TP-Link actually has quite a few(not the newest models though, but the not-newest-model should work for 95% of the customers) that runs openwrt well.

All my routers are running non-vendor firmware(e.g. openwrt) for the last 15 years, never had any troubles.

Sadly OpenWRT doesn’t support band steering.
You can install DAWN and get band-steering and controlled migration between multiple APs.
If you set the SSID and password identical for both bands, the clients should prefer to negotiate the optimal band. I just checked and all clients save for some legacy devices on my OpenWRT router are on 5GHz. So I'm now wondering for which cases is band-steering helpful?
Clients don't always do this automatically. My Arch Linux laptop would often select 2.4GHz in places where 5GHz offered a much better experience. Generally it will start on 5GHz when it is close to the router, fall back to 2.4GHz when it moves far away, and (sadly) it doesn't go back to 5GHZ when it moves back closer to the router. Apple devices were pretty good, automatically choosing and switching to the best bands at all times with behaviour much similar to that seen on mobile phones. For this reason I prefer the AP to manage the band steering as it means all devices are connected to the best band. Leaving it to the clients results in a hit and miss experience depending on how well the decide operates. I live with other people who own all sort of different devices so it's not possible for me to say "OK this network is only for Apple devices", I have to ensure thr WiFi works for all sorts of different devices.
Yeah, this is what I recommend to anyone who knows anything about computers. It also depends on each person's needs though, since OpenWRT sometimes excludes the latest tech.

At home we connect to a TP-Link Archer C7 running OpenWRT. It's only WiFi5, but we have zero issues streaming many 5ghz devices off of it. It's even held up fine while we both work from home.

I also run a second much older TP-Link router using stock firmware on a separate subnet. I don't think OpenWRT supports that one. But only my IoT devices and smart TV connects to it because I don't trust them on my network anyways.

All that being said, I wish there was something better and easier for the tech illiterate. The state of routers/security/privacy sucks today.

I had OpenWRT running on an Archer C7 for a while, but the wifi was "unreliable". It's like the 5Ghz would just randomly stop flowing packets. I never root caused it, but since I stopped using it my home wifi experience has been generally boring in a good way.

I live near main street in a small touristy coastal town, and there's tons of access point beacons flying around. I only have a 10,000 sq. ft. lot and have three access points to cover it. I turned off "legacy" rates everywhere I could so hopefully all my beacons are 6Mbps+ with greenfield preambles.

Different wifi chipsets cope differently with congestion. Specifically, when packet collisions do occur, some chipsets miss both frames, while other chipsets successfully decode the frame of higher signal strength as long as there's enough of a difference. In low congestion areas it doesn't matter since packets rarely collide, but in high congestion areas it can make a big difference for throughput as packet collisions occur frequently.

Maybe my area is low then. There's 12 other 5Ghz APs in my area.

I also wonder if it's luck of the draw with some of these cheaper routers? My C7 is also a newer variant, a v5 I think.

Could be! I think mine is a V2. My guess is an overheating component somewhere.
The 5Ghz is actually handled by a daughterboard using a mini PCIe slot (not sure about what the actual interface is tbh).

And yes, it overheats, especially in sustained transfer.

Slap a heatsink on all the chips and call it a day :D

Stock firmware and the 5Ghz band dies on me every few months requiring a reboot. interesting.
I aggree that the situation the author describes is unacceptable.

But I am wondering why the author does not value his personal time. I can‘t help but think of opportunity costs. He spends a lot of time writing this article, reverse engineering backups and whatnot instead of shelling a hundred dollars to get a new device? I see this pattern so often in the tech world.

> But I am wondering why the author does not value his personal time.

Maybe, because it is fun reverse engineering stuff?

I agree. I like tinkering myself. But then why mention avoiding spending a hundred dollars for a new device, but spending a couple of hours as if those hours are worth less than said amount of money.
I'm not sure if you're trying to be funny for jokes, but we all know you don't get paid for hours which you can't bill, so...
"Time you enjoy wasting is not wasted time."
Out of principle maybe?
Should customers of a product be forced to either spend 100$ for a new product and generate more ewaste, or tinker with their device leaving it in an unsupported perhaps even out of warranty state?

Maybe some people are happy with either option, but it sure is unethical to force that choice, especially when all the effort it could have taken from the manufacturer was to add a boolean flag.

I'd complain too, not everyone is in the same situation, and this is dodgy behavior anyway regardless of me liking the workarounds or not, simply having to workaround is bad enough in principle.

Maybe he wants to make other aware of the strange things TP-Link does. Which is a huge help, now I won't buy any TP-Link device either unless I can reflash it with OpenWRT
Eero seems like a company which makes simple, plug and play mesh routers and doesn't seem to pull anything funny with their equipment.
Eero is owned by Amazon now, so I'm not sure how far I'd trust that. Like, I trust them to be technically competent, but not to act in my interests.
The main issue for me has been forced updates, which can fire off at inopportune times. They have been very stable though.
While we're talking routers I'll plug Mikrotik. Some basic knowledge of the Linux networking stack is required so they're not great for a general user, but for ~$50 I got a device that handles my setup with ease (Ipv4 over PPPoE and IPv6 over 6rd) and I'm seeing throughput significantly higher than my previous router which was a Zotac mini computer running pfsense. If you are more toward the power user / networking nerd end of the spectrum I'd recommend Mikrotik.
yeah their stuff is pretty good

but as you say it's a pretty thin layer on top of the Linux stack

(e.g. you have to understand iptables else you'll get nowhere)

They also make a great 16 port SFP+ 10G switch (CRS317-1G-16S+RM) usually available for ~$350 which is nice for a prosumer setup. They also have a 10/100/1000/2500/5000/10000 RJ45 transceiver which is nice because it lets you migrate things over without having to upgrade everything or buy a separate multirate gigabit switch.

I do my actual routing on a Ubiquiti EdgeRouter though I've used MikroTik there as well in the past. I avoid most other Ubiquiti products though, particularly the UniFi line.

In both cases HW accelerated NAT and routing greatly outperforms an unaccelerated ARM/x86 Linux/BSD PC. Particularly when it comes to new session latencies not just saturating the bandwidth.

Hard to beat OPNsense on Protectli machines with your favorite flavor of networking hardware (Unifi, Microtik, etc).
I did this during COVID and it took a lot of time and learning, but now I feel like the God of my network and I can do cool stuff that wasn't possible on my old gear. I've read that Protecli boxes are re-branded Qotom machines and I'm sure you can get the same setup for a few hundred less but I'm glad I went with them for the support and coreboot OOTB.
Totally on board with the US-based support. I’ve called them once and they were fantastic. As soon as they offer a model with 10Gb NICs, I’ll buy one of those, too.

As for god mode, I agree. Super customizable and everything works properly. I grew tired of the nonsense routing ubiquiti kept releasing, went to pfsense, and right to opnsense.

Any recommendations for an ethernet only router? I do know I could use the Pi to do that, but it seems like a waste.
Qotom boxes seem to work well and can run OpenWRT, opnsense, pfsense, etc.
Mikrotik has a ton of options for that.
Depends on what you want from it. I've other things I hack on so I don't really have the time to hack together my own router, so I use a Ubiquiti USG. Before that I had an EdgeRouter Lite (more or less identical) for years.
I thought Ubiquiti was in the news recently for something very unsavory?
(comment deleted)
My solution is to buy a reliable WiFi Access Point and plug that into the router, and just disable the router’s WiFi. That way I can choose a router for the features I need (or use a small PC if I wanted to do something tricky or needed high performance). I think that would fix the problem with the TP-Link (albeit costing far more).

I use Unifi UAP-AC-LR for the AP, because they are easy to set up from an Android phone, are not expensive, are not flakey, can be mounted in a location to optimise WiFi reception (powered from Ethernet cable by included DC injector), can be easily moved to new ISP or house, don’t require a controller, and they just keep working. Ubiquiti have made some dick moves, but their AP and point-to-point hardware has been solidly reliable and relatively simple to configure.

Not trying to defend TP-Link or anything, but I recently bought a pair of mesh router from them and they work very well.

BTW, this hidden network probably uses another protocol (for the OneMesh). It is the 802.11s (https://en.wikipedia.org/wiki/IEEE_802.11s), that uses its own encryption method based on Simultaneous Authentication of Equals (SAE) (yeah, that is the same as WPA3, however it came before it). It shows as hidden network on Wi-Fi Analyzer, but the network is not actually hidden in the same sense of a hidden Wi-Fi network: this simple happens because 802.11s has no concept of SSID.

The authentication of new devices happens when you pair a new router using the application available on Android/iOS (it has a web interface too but AFAIK it doesn't allow adding new mesh routers to the network). So it seems pretty secure for me, at least sans some security bugs that I am sure that the device should have. Doesn't bother me too much considering that most bugs that I saw on those consumer routers generally comes from the security from things like administration pages and not the Wi-Fi network itself (unless it is something like KRACK that affects all devices implementing the protocol).

Yeah, it is still pretty sh*t that they enable this by default, but if the router from the author of blog post is from one of their lines of mesh routers I do think this is kinda of made by purpose, because using multiple routers devices is kinda of the idea of a mesh network.

Thanks for the info. That makes sense given the "11s" configuration I found for those SSIDs. The router is not in their mesh line AFAIK, though most of their home products now support OneMesh, so that line is a bit blurry.

To clarify, I like TP-Link products too. Their PowerLAN products so far have been the most reliable for me and the router's been solid too. It's just really disappointing that an almost (for me) perfect product has this very simple software flaw without any solution other than to hope the manufacturer decides to fix it at some point. I had the same issue with Asus routers, but they were smart enough to open source their software and let others fix pretty much everything for them.

So these "hidden networks" are basically the backhaul for when you set up the AP as part of a mesh?

Question: do WiFi networks always send (and thereby interfere with networks in use), even if there is no traffic?

They send network advertisement packets even when no traffic is going.