Yet another Ubiquiti thread


  • Grade A Premium Asshole

    We are looking to upgrade a client's wireless network and move them to AC so I thought I would give Ubiquiti a go since everyone on here seems to rave about them. Small client, only 3 access points. Two of the SSIDs will need to be isolated from the rest of the network. Client is a pseudo-NFP so the budget is a bit tight.

    I looked over the Ubiquiti website and it seems to be written for those who already have familiarity with the terminology they use to refer to their products, which is a bit offputting to me but I am moving on from that. What do I need to know? It seems like the UniFi AC Lite is what I would be looking at, but is there anything I am missing?


  • Grade A Premium Asshole



  • I have an EdgeRouter ER-X. That is the extent of my Ubiquiti knowledge. Sorry.


  • Grade A Premium Asshole

    @mott555 no worries. I appreciate the reply all the same.



  • @polygeekery Can't help you.



  • @polygeekery said in Yet another Ubiquiti thread:

    UniFi AC Lite

    I was told that, for a better range and signal strength, you're better off with the AC Pro.

    That's as much as I know.



  • @polygeekery said in Yet another Ubiquiti thread:

    We are looking to upgrade a client's wireless network and move them to AC so I thought I would give Ubiquiti a go since everyone on here seems to rave about them. Small client, only 3 access points. Two of the SSIDs will need to be isolated from the rest of the network. Client is a pseudo-NFP so the budget is a bit tight.
    I looked over the Ubiquiti website and it seems to be written for those who already have familiarity with the terminology they use to refer to their products, which is a bit offputting to me but I am moving on from that. What do I need to know? It seems like the UniFi AC Lite is what I would be looking at, but is there anything I am missing?

    I'm doing a pretty big Ubiquiti rollout here.

    First, Unifi is its own kind of thing. Ubiquiti does other products for other scenarios. Unifi is great for small businesses, or places like hotels, libraries, etc. But it can be a bit of a pain if you're upgrading an existing network.

    If you get Unifi access points, you'll need a Unifi controller to set them up. The controller adopts the access points and provides a web interface for all of them at the same time. The controller only has to be on the network 24/7 if you want the access points to do guest access. You can build a Unifi controller with some Ubuntu packages, or just buy a dongle. I went with an Ubuntu virtual machine.

    That said, if you get a Ubiquiti switch or router (and you might want to do that, maybe), you'll need to configure those with the Ubiquiti controller. That's where retrofitting a network becomes a pain.

    UAP-AC-Lites are fine, especially for smaller spaces. Just make sure you get a couple for good coverage and use POE to power them. UAP-AC's are nicer and faster, but whatevs.

    We've currently got 3 UAP-AC-Lites, and I'm working to compile all the data I'll need to swap over to a Unifi Security Gateway.

    The access points do let you do VLAN tagging, so you can have separate SSIDs for different networks. I'm not even going to try setting that up with the hodge-podge of refurbished switches we have (hence the bigger project to install the switch and router).


  • Grade A Premium Asshole

    @captain how do they function without the controller VM? They have a fair amount of excess capacity for VMs, but what happens if they go down or something? Current VMs are basically expendable so that system is not redundant, at all.



  • @polygeekery said in Yet another Ubiquiti thread:

    @captain how do they function without the controller VM? They have a fair amount of excess capacity for VMs, but what happens if they go down or something? Current VMs are basically expendable so that system is not redundant, at all.

    The access points store their own configuration. If the controller goes down, they just keep running. The exception is if a wifi network is set up with guest access and a guest portal. The controller runs a webserver and a database to keep track of who is a guest. Without a controller, the guest portal breaks. I haven't actually seen that yet, though. I imagine it would be a sane break.

    You would want to turn the VM back on to, for example, do firmware updates or reconfigure the access points.


  • Grade A Premium Asshole

    @captain if it is just guest portal, we can do without that. I will try to test it and report back if we go ahead with Ubiquiti.


  • Garbage Person

    @polygeekery I know people who have Unifi setups who just bung the controller on a Windows laptop and fire it up when they need to upgrade firmware or do configuration.

    The APs work 100% without it.


  • Grade A Premium Asshole

    @weng thanks for the input. For their simple deployment it is good to know.

    How does everyone like the controller on Ubiquiti? Is it comparable to controllers from other vendors? We have another client we will need to upgrade at the end of this year but they use Vocera so their wireless configuration is extremely picky and touchy. (Vocera is pretty shit to support, but it pays the bills) Handoff between APs has to be 100% seamless. This small deployment is sort of a test for the other client.


  • Garbage Person

    @polygeekery Handoff works fine if the client radio isn't IOT garbage.



  • @polygeekery said in Yet another Ubiquiti thread:

    How does everyone like the controller on Ubiquiti? Is it comparable to controllers from other vendors? We have another client we will need to upgrade at the end of this year but they use Vocera so their wireless configuration is extremely picky and touchy. (Vocera is pretty shit to support, but it pays the bills) Handoff between APs has to be 100% seamless. This small deployment is sort of a test for the other client.

    I like the controller well enough that I'm going to try to sell managed wireless and voip in the next year.


  • Grade A Premium Asshole

    @captain said in Yet another Ubiquiti thread:

    If you get Unifi access points, you'll need a Unifi controller to set them up. The controller adopts the access points and provides a web interface for all of them at the same time. The controller only has to be on the network 24/7 if you want the access points to do guest access. You can build a Unifi controller with some Ubuntu packages, or just buy a dongle. I went with an Ubuntu virtual machine.

    For those who might stumble on this thread, there is an installer for Windows also. No Linux VMs required. We popped that on their server and will probably install tomorrow. Kinda slammed with work right now.



  • @polygeekery said in Yet another Ubiquiti thread:

    No Linux VMs required

    Linux Pro tip: the controller requires a good chunk of output from /dev/random.
    If running it on a pi, VM or headless server, havege is advisable. My startup time went from an hour to a minute or so.


  • I survived the hour long Uno hand

    @polygeekery
    Notes from the UniFi Windows installer (since I just stumbled through it last week):

    • No installer configurability, it will install in %UserProfile% of the execute-as user you install it for (meaning if you use an admin account for the UAC prompt, it installs under the admin account's profile directory).
    • By default, it drops a shortcut on the installing user's desktop that will fire up the Java thingy that is the server, and it runs in user space.
    • You can configure it to run as a service, though the documentation on that is kind of hidden. https://help.ubnt.com/hc/en-us/articles/205144550-UniFi-Run-the-Controller-as-a-Windows-service
      • Important note: assuming you have a 64-bit Windows system that you're installing this on, you must install the 64-bit JRE per the link/note at the bottom of the install instructions. The default installer for the UniFi controller only installs the 32-bit JRE, which suffices to run the program in user space but will log a completely non-helpful error when you try to start it as a service.

  • :belt_onion:

    @swayde said in Yet another Ubiquiti thread:

    Linux Pro tip: the controller requires a good chunk of output from /dev/random.
    If running it on a pi, VM or headless server, havege is advisable. My startup time went from an hour to a minute or so.

    Does Java still use /dev/random by default? That infuriates me.

    So an additional pro tip: If for whatever reason you can't or don't want to install haveged, you can also use the JVM parameter -Djava.security.egd=file:/dev/urandom or set whatever the equivalent property is in java.security. Or just fucking link /dev/random to /dev/urandom since they use the same PRNG. Stupid fucking Linux bullshit.


  • Considered Harmful

    @heterodox Or just use C#, because Java is godawful.


  • 🚽 Regular

    @heterodox said in Yet another Ubiquiti thread:

    @swayde said in Yet another Ubiquiti thread:

    Linux Pro tip: the controller requires a good chunk of output from /dev/random.
    If running it on a pi, VM or headless server, havege is advisable. My startup time went from an hour to a minute or so.

    Does Java still use /dev/random by default? That infuriates me.

    So an additional pro tip: If for whatever reason you can't or don't want to install haveged, you can also use the JVM parameter -Djava.security.egd=file:/dev/urandom or set whatever the equivalent property is in java.security. Or just fucking link /dev/random to /dev/urandom since they use the same PRNG. Stupid fucking Linux bullshit.

    Except /dev/urandom will happily give you numbers with low entropy. Which is fine if that suits your needs, I'm not sure what this controller wants the numbers for but if it's for something like WPS then there are known attacks against the PRNG state, using low-entropy randomness would be the last thing you need.


  • :belt_onion:

    @cursorkeys said in Yet another Ubiquiti thread:

    Except /dev/urandom will happily give you numbers with low entropy. Which is fine if that suits your needs, I'm not sure what this controller wants the numbers for but if it's for something like WPS then there are known attacks against the PRNG state, using low-entropy randomness would be the last thing you need.

    THIS IS NOT CORRECT. THIS HAS NOT BEEN CORRECT FOR ABOUT TWENTY YEARS. THIS IS SUPERSTITION.

    I'd do a more detailed write-up than that, but I don't really want to and it turns out there's a much better one here anyway.

    Edit: Since I know how fond WTDWTFers are of reading TFA, fine, let me do a brief TL;DR in my own words: You don't need a constant supply of entropy (if you did, you'd know it). You need a small amount of entropy once to seed the PRNG then you're off to the races. That's how PRNGs work. If you're worried about the small attack window during which you might not have enough entropy at boot (though only very little is needed, so it's very small), then generate the seed during installation (when blocking is fine), re-seed constantly in the background, save the seed you're using at shutdown, and read it at startup. Oh wait, distros have been doing that for about twenty years by now. The fact that /dev/random still exists on those distros (and has blocking behavior) is security theater and really annoying security theater.
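    An added illustration of the seeding argument above (not code from the thread, from Ubiquiti, or from the Linux kernel): a toy HMAC-DRBG in the style of NIST SP 800-90A showing the one-time seed, the background reseed, and the save-state-at-shutdown / read-it-at-startup steps. Class and function names are my own, and this is a teaching model, not a vetted generator.

    ```python
    import hashlib
    import hmac


    class HmacDrbg:
        def __init__(self, seed: bytes) -> None:
            self.k, self.v = b"\x00" * 32, b"\x01" * 32
            self._update(seed)  # the one-time seed is all the entropy the stream needs

        def _update(self, data: bytes = b"") -> None:
            self.k = hmac.new(self.k, self.v + b"\x00" + data, hashlib.sha256).digest()
            self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()
            if data:
                self.k = hmac.new(self.k, self.v + b"\x01" + data, hashlib.sha256).digest()
                self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()

        def reseed(self, entropy: bytes) -> None:
            self._update(entropy)  # fresh entropy: forward security if the old state leaked

        def generate(self, n: int) -> bytes:
            out = b""
            while len(out) < n:
                self.v = hmac.new(self.k, self.v, hashlib.sha256).digest()
                out += self.v
            self._update()  # ratchet: earlier output is not recoverable from the new state
            return out[:n]

        def export_state(self) -> bytes:
            return self.k + self.v  # what "save the seed at shutdown" would write to disk

        @classmethod
        def from_state(cls, state: bytes) -> "HmacDrbg":
            drbg = cls.__new__(cls)  # "read the seed at startup": no waiting on the pool
            drbg.k, drbg.v = state[:32], state[32:]
            return drbg


    def same_seed_same_stream(seed: bytes) -> bool:
        # Output is a deterministic function of the seed; no further entropy is consumed.
        return HmacDrbg(seed).generate(64) == HmacDrbg(seed).generate(64)

    def reseed_diverges(seed: bytes, entropy: bytes) -> bool:
        a, b = HmacDrbg(seed), HmacDrbg(seed)
        b.reseed(entropy)
        return a.generate(64) != b.generate(64)

    def restore_continues_stream(seed: bytes) -> bool:
        live = HmacDrbg(seed)
        live.generate(32)
        resumed = HmacDrbg.from_state(live.export_state())  # simulated shutdown and startup
        return live.generate(32) == resumed.generate(32)
    ```

    Seed it once from a blocking source at install time (e.g. 32 bytes of os.urandom is plenty); everything after that is unpredictable to anyone who does not hold the state.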


  • 🚽 Regular

    @heterodox said in Yet another Ubiquiti thread:

    @cursorkeys said in Yet another Ubiquiti thread:

    Except /dev/urandom will happily give you numbers with low entropy. Which is fine if that suits your needs, I'm not sure what this controller wants the numbers for but if it's for something like WPS then there are known attacks against the PRNG state, using low-entropy randomness would be the last thing you need.

    THIS IS NOT CORRECT. THIS HAS NOT BEEN CORRECT FOR ABOUT TWENTY YEARS. THIS IS SUPERSTITION.

    I'd do a more detailed write-up than that, but I don't really want to and it turns out there's a much better one here anyway.

    Edit: Since I know how fond WTDWTFers are of reading TFA, fine, let me do a brief TL;DR in my own words: You don't need a constant supply of entropy (if you did, you'd know it). You need a small amount of entropy once to seed the PRNG then you're off to the races. That's how PRNGs work. If you're worried about the small attack window during which you might not have enough entropy at boot (though only very little is needed, so it's very small), then generate the seed during installation (when blocking is fine), re-seed constantly in the background, save the seed you're using at shutdown, and read it at startup. Oh wait, distros have been doing that for about twenty years by now. The fact that /dev/random still exists on those distros (and has blocking behavior) is security theater and really annoying security theater.

    I'm no cryptographer so I read your link very carefully.

    If I'm reading it right the argument in that document seems to be that even with 'low' entropy the CSPRNG used will still show no attackable cyclic behavior so reseeding it doesn't matter. As long as the initial state randomisation was good I guess?

    I've built PRNGs that went in shipping products (LFSR in discrete logic gates and a Mersenne Twister in C) so I have a little familiarity with how those work, CSPRNGs look alien so I'll bow to the experts.


  • :belt_onion:

    @cursorkeys said in Yet another Ubiquiti thread:

    I'm no cryptographer so I read your link very carefully.

    I wouldn't call myself one either, though I've done enough postgrad study of cryptography to be able to say "I understand some of these words..."

    If I'm reading it right the argument in that document seems to be that even with 'low' entropy the CSPRNG used will still show no attackable cyclic behavior so reseeding it doesn't matter. As long as the initial state randomisation was good I guess?

    Correct, if you take it a step further. Even with no entropy (other than the initial seed, as you say), the CSPRNG should show no attackable cyclic behavior. AIUI, the entropy input is to provide forward security in the case that the state has been fully compromised.

    I've built PRNGs that went in shipping products (LFSR in discrete logic gates and a Mersenne Twister in C) so I have a little familiarity with how those work, CSPRNGs look alien so I'll bow to the experts.

    CSPRNGs aren't wildly different (e.g. I think there's a cryptographically secure version of the Mersenne Twister); they just have a few additional requirements and those requirements being fulfilled is what makes urandom perfectly fine to use without blocking on an entropy estimate.


  • Grade A Premium Asshole

    Deployed today. That was dead simple. I am impressed. I might switch the stuff here at our house over.


  • I survived the hour long Uno hand

    furious note taking noises
    To become @Polygeekery's exclusive vendor:

    1. Provide dead simple installation
    2. Provide bottle of Jack's to occupy all the time saved with dead simple installation
    3. ???
    4. Profit!

  • Grade A Premium Asshole

    @izzion to be fair, if you skipped straight to Step #2 you would still have a pretty good chance.

