Need recommendations for Wifi access point


BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
Like any techie guy, I've been through my fair share of Wifi access points in my home. Over the last few years, I've settled for cheaper units figuring they've become less novelty and more commodity. Over that time, I'm realizing the cheaper units might not be a great fit. so, here I am looking for recommendations, with my requirements below... would really appreciate some good advice and recommendations on what to get next. I don't mind paying more, the cheap route hasn't worked out, as long as it solves my problems.

my requirements:
1) long-ish term software/firmware support. i find a lot of the cheaper units probably aren't meant to be used for more than 2 yrs (1yr warranty) and the manufacturers just stop updating them so they are left vulnerable when security holes are found and bugs remain unfixed. i'd like something that will continue to get support/updates for a longer period of time - perhaps until the technology is superseded.

2) security is important. admin interfaces should at least be https, with support for current crypto alg, ability to regenerate certs or upload certs. passwords are not stored in clear in the config, etc.

3) I do use features like MAC addr filtering, multiple SSID for different uses with isolation, VLANs. run a DHCP server with features to assign specific addresses to MAC address (I use this for the lab servers). currently, my use of these features has resulted in a lot of instability, probably due to overloading.

4) prefer something not "cloud" dependent... i have plenty of reasons to keep using Wifi even if both of my internet connections go down. don't mind added features, just don't want to have any dysfunctions if the internet connection goes down.

5) I do have 1Gbps fiber internet connection, so high speed to benefit from the 1Gbps connection would be nice.

6) Must be PoE powered and mountable to ceiling. prefer something white or off-white to blend into the ceiling.

7) I will need it to support wireless bridging. I currently use this to connect my lab network that can't be connected by wire to my primary network.

I don't need multiple access points as the property is not large, and usually mounting a single access point on the ceiling of the 2nd floor has provided enough coverage.

nice to have, although i've never seen this, is an open API to manage the unit via programs. i can write code, and this would help simplify things i do in the lab.

TIA
 

Terry Wallace

PsyOps SysOp
Aug 13, 2018
197
118
43
Central Time Zone
You pretty much described my use case at home and I use Ubiquiti AC Pro wave 2 units. Now before all the trolls jump me to talk about more enterprise grade gear like Ruckus etc, I am well aware it's not the highest end gear you can pick up by any means. But it does fill all of the things that @BLinux mentioned. It runs (qty 2) Gigabit lines bonded. Runs off POE. You can run the management service on a small Linux container or VM, no need for cloud access. SSH config access to change config if you wish. Supports multiple SSIDs, VLANs, passing DHCP duties to different LAN segments etc.
For the 20 odd devices at my house, Alexa, laptops, TVs, phones, watches etc that aren't hardwired, it's been rock solid.

I'm sure you will get other advice from other points of view :)
p.s. I power mine off my brocade switch without a problem
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
You pretty much described my use case at home and I use Ubiquiti AC Pro wave 2 units. Now before all the trolls jump me to talk about more enterprise grade gear like Ruckus etc, I am well aware it's not the highest end gear you can pick up by any means. But it does fill all of the things that @BLinux mentioned. It runs (qty 2) Gigabit lines bonded. Runs off POE. You can run the management service on a small Linux container or VM, no need for cloud access. SSH config access to change config if you wish. Supports multiple SSIDs, VLANs, passing DHCP duties to different LAN segments etc.
For the 20 odd devices at my house, Alexa, laptops, TVs, phones, watches etc that aren't hardwired, it's been rock solid.

I'm sure you will get other advice from other points of view :)
p.s. I power mine off my brocade switch without a problem
thanks for your thoughts. how is their security? and how long do they support and provide updates for their products? how frequently do they release updates? my points #1 + #2 are really at the top of the priority list...
 

Terry Wallace

PsyOps SysOp
Aug 13, 2018
197
118
43
Central Time Zone
Security is good if you secure it :) I use radius security and all my devices have individual credentials to connect rather than share passwords.

Ubiquiti - Simplifying IT

That's the current firmware list for one model I use; it was released in 2015 and the latest firmware is January 2020. They are pretty good about keeping firmware updated and they don't use any paywall / accounts needed to download the firmware or software.
 

Spartacus

Well-Known Member
May 27, 2019
788
328
63
Austin, TX
Security is good if you secure it :) I use radius security and all my devices have individual credentials to connect rather than share passwords.

That's the current firmware list for one model I use; it was released in 2015 and the latest firmware is January 2020. They are pretty good about keeping firmware updated and they don't use any paywall / accounts needed to download the firmware or software.
+1 I picked up an AC-HD just for the 4x4 MIMO. I have mine set up with a standard password, however I have it locked down by whitelisted MAC addresses.
All of my automation and insecure devices are on a separate VLAN & SSID to collect data from each other rather than from my home devices. (the VLAN split is done at the USG level rather than the AP level though)
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
@Terry Wallace @Spartacus ok. going down the Ubiquiti rabbit hole... maybe you guys can help me out on some technical questions. my wifi access point this would replace is wired on a separate leg of my main firewall. if I set up a VM or container for the controller software, it would be on a private LAN segment separated from the WiFi DMZ by that firewall. how does the controller and access point discover each other? do they require some special broadcast protocols / IGMP / etc.? (which might be problematic across a firewall), or do they use standard TCP ports? is the communication inbound/outbound or both? sorry, not that familiar with this stuff... i'm watching a ton of youtube videos about it right now, but i just come up with more questions...
 

Jeggs101

Well-Known Member
Dec 29, 2010
1,529
241
63
Look up the USG-XG-8 discontinuance.

Ubiquiti has a crazed following. They're cheap and reasonably OK if price is top priority. They'll do stuff like immediately EOL something out of nowhere. They send data back from their devices which they started doing one day.

If you're okay with some Chinese manufacturer doing things on the lowest cost designing your network stuff and making it then Ubiquiti building its own layer of software then they're the best option.
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
Look up the USG-XG-8 discontinuance.

Ubiquiti has a crazed following. They're cheap and reasonably OK if price is top priority. They'll do stuff like immediately EOL something out of nowhere. They send data back from their devices which they started doing one day.

If you're okay with some Chinese manufacturer doing things on the lowest cost designing your network stuff and making it then Ubiquiti building its own layer of software then they're the best option.
ok, obviously you're not a fan... i'm just looking at options. so, what would you suggest would meet my needs?
 

pricklypunter

Well-Known Member
Nov 10, 2015
1,708
515
113
Canada
Having rolled the dice several times in the past, I settled on Cisco. Well built and reliable like the sun and the moon. They are not at the cheap end of the market, nor pushing the latest bleeding edge, but they work and keep working, have decent support and a solid feature set.
 

Spartacus

Well-Known Member
May 27, 2019
788
328
63
Austin, TX
Having rolled the dice several times in the past, I settled on Cisco. Well built and reliable like the sun and the moon. They are not at the cheap end of the market, nor pushing the latest bleeding edge, but they work and keep working, have decent support and a solid feature set.
My issue with Cisco is all their firmware is behind a paywall; you have to get their support to get their updates for the enterprise gear.

@Terry Wallace @Spartacus ok. going down the Ubiquiti rabbit hole... maybe you guys can help me out on some technical questions. my wifi access point this would replace is wired on a separate leg of my main firewall. if I set up a VM or container for the controller software, it would be on a private LAN segment separated from the WiFi DMZ by that firewall. how does the controller and access point discover each other? do they require some special broadcast protocols / IGMP / etc.? (which might be problematic across a firewall), or do they use standard TCP ports? is the communication inbound/outbound or both? sorry, not that familiar with this stuff... i'm watching a ton of youtube videos about it right now, but i just come up with more questions...
I use my Unifi controller in a docker container: https://hub.docker.com/r/linuxserver/unifi-controller

That lists all the ports needed for communication. No special protocol to my knowledge, just UDP/TCP for controller comm and discovery; pretty sure it's both ways for communication.
 

Terry Wallace

PsyOps SysOp
Aug 13, 2018
197
118
43
Central Time Zone
True, they tried to expand into the higher end switch market, failed and dropped that product line. And for people that bought those, that does suck. I would not recommend them for switches. I use Quanta and Brocade for switches, HP ProLiant for servers, and Ubiquiti for WAPs. And as far as the telemetry being sent home to China, yes they did start doing that and the community raised such an uproar that they took it out. So they are responsive to their forum community. Cisco APs are solid; I just personally find them a little more expensive and a little more locked in for needing things like an account to download upgrades. But there is nothing wrong with them either.
 

Terry Wallace

PsyOps SysOp
Aug 13, 2018
197
118
43
Central Time Zone
I use my Unifi controller in a docker container: https://hub.docker.com/r/linuxserver/unifi-controller

That lists all the ports needed for communication. No special protocol to my knowledge, just UDP/TCP for controller comm and discovery; pretty sure it's both ways for communication.
yep, that's my setup as well. Same LAN segment to do an initial setup. Then it's just a straight IP stored in the AP that tells it where to poll for config updates.
 

Spartacus

Well-Known Member
May 27, 2019
788
328
63
Austin, TX

Terry Wallace

PsyOps SysOp
Aug 13, 2018
197
118
43
Central Time Zone
Okay guess they reversed directions again on that front. I did see that you can opt out by editing a config file but not the direction I would have liked to have seen them go.

not going to drop mine as I'm happy with them, but all points to make a decision, which is the goal here: provide info.
So @Serverking, rather than just refuting my points, which is perfectly fine and understandable, do you have some recommendations for BLinux? I'm always open to other suggestions on hardware.
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
along the Cisco line... talked to a friend of mine at Cisco who I used to work with when I consulted there, and he's given me a cisco air-cap3702e-a-k9 with the autonomous IOS on it. issue is I can't get updates without his help. also if i'm to use it I need the ceiling mount bracket. and he said it doesn't have a dhcp server.

any other suggestions other than Ubiquiti and Cisco?
 

BLinux

cat lover server enthusiast
Jul 7, 2016
2,669
1,081
113
artofserver.com
That lists all the ports needed for communication. No special protocol to my knowledge, just UDP/TCP for controller comm and discovery; pretty sure it's both ways for communication.
I see that 10001/udp is listed as AP discovery. So, how does that work? Does it just scan the local broadcast domain? how would it reach AP that is not on the same broadcast domain and has to traverse routing?
 

elag

Member
Dec 1, 2018
79
14
8
Discovery is only for initial setup. Once set up, the AP talks to your controller over TCP at the address you specify.
I have one VLAN for Unifi management: the APs and the controller connect over that vlan, and nothing else. Each SSID has its own VLAN separate from management. I do allow SSH into the management VLAN for access to the APs as convenience (although I could even logon through the controller VM using SSH).
Hmm, note to self: it may be interesting to completely disable routing for the management VLAN as the management VM is dual hosted anyhow. Updates of the APs can be done by caching the updates on the controller so there is no need for the APs to access the internet....
 
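To make the design elag describes concrete (and to answer BLinux's question about what has to cross the router between the AP VLAN and the controller VM), here is an added example of an nftables forward policy for the firewall that sits between those segments. It is not from the thread or from Ubiquiti; the interface-free rules use only the ports named on the Docker Hub page linked above (8080/tcp inform, 3478/udp STUN, 8443/tcp web UI, 10001/udp broadcast discovery), and the subnets and controller address are assumptions.

```nft
# Added example, not part of the thread. Forward policy for a router between the
# UniFi management VLAN (APs) and the private LAN holding the controller VM.
# Subnets and addresses below are assumed placeholders; replace with your own.
define AP_NET = 10.20.0.0/24     # assumed: management VLAN, APs only
define CTRL   = 10.10.0.5        # assumed: controller VM on the private LAN
define ADMIN  = 10.10.0.0/24     # assumed: admin LAN allowed to reach UI and APs

table inet unifi_mgmt {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows already allowed below.
        ct state established,related accept

        # AP -> controller: the AP initiates the inform/adoption channel on
        # TCP 8080 once its inform address is set, and STUN on UDP 3478.
        ip saddr $AP_NET ip daddr $CTRL tcp dport 8080 accept
        ip saddr $AP_NET ip daddr $CTRL udp dport 3478 accept

        # Admin LAN -> controller web UI (TCP 8443) and -> APs over SSH,
        # the "convenience" access elag mentions. Drop the SSH line if you
        # manage the APs only through the controller.
        ip saddr $ADMIN ip daddr $CTRL tcp dport 8443 accept
        ip saddr $ADMIN ip daddr $AP_NET tcp dport 22 accept

        # UDP 10001 discovery is a broadcast on the AP's own segment and never
        # needs to be routed, so it gets no rule. Everything else leaving the
        # AP VLAN is logged before the default drop, so an AP that suddenly
        # tries to reach the internet (telemetry, unexpected updates) shows
        # up in the firewall log.
        ip saddr $AP_NET log prefix "ap-vlan-drop: " counter drop
    }
}
```

Load it with `nft -f` on the router; if the APs need NTP or DNS from a local server, add matching accept lines above the final drop rather than loosening the policy.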

ttabbal

Active Member
Mar 10, 2016
743
207
43
47
If you really want the wifi firewalled, you can just put a Pi or similar on that network to be the controller. I don't separate it like that, I just use VLANs to split off the couple of IoT things onto the guest network that way. Then the pfSense has an interface on the vlan to limit them to internet only. Having it air-gapped like that is probably more secure, but I'm not sure how much so.

I only have one Ubiquiti AP, an AC Pro. It works great and gets somewhat frequent updates. I'm not thrilled about the phone-home stuff. I don't care if they think it's anonymous. It's been shown over and over that "anonymous" data can be re-identified. I was thinking about getting one or two more APs, but have been holding off as I'm not thrilled with the choices in general. Most higher end stuff needs support contracts, consumer gear ends up having zero support and security problems. And now Ubiquiti has data collection. My other AP is an older Linksys, but runs Tomato so I can update it once in a while. I might just hold off and see what the new wifi6, or whatever they are calling it this week, brings.