Ruckus Wireless as an Unifi alternative?


ms264556

Well-Known Member
Sep 13, 2021
486
432
63
New Zealand
ms264556.net
Looks like these access points have serious security issues, and our options are to just sit back and wait and hope that Ruckus patches them. :/
They are patched for all known security issues if you just keep updated to the latest release.

Unleashed had a bunch of CVEs recently, but these were fixed by Ruckus before the CVEs were announced, because the researcher wasn't an ass.

The SmartZone CVEs were fixed a few days after they were announced.

Update to the latest 200.15 or 200.18 release and you're safe.
 

ms264556

There are still a ton of open ports on the Ruckus devices' main IP addresses.

They don't allow web browser logins on the main IP, but that is of little comfort...

My expectation was that all ports visible from anything but the management network would be closed.


Here is the AP configured as the main unleashed master:

Code:
PORT      STATE    SERVICE
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http
443/tcp   open     https
1883/tcp  open     mqtt
4222/tcp  open     vrml-multi-use
8099/tcp  open     unknown
9997/tcp  open     palace-6
9998/tcp  open     distinct32
9999/tcp  open     abyss
18301/tcp open     unknown
And here is the one that is not the master:
Code:
PORT      STATE SERVICE
22/tcp    open  ssh
443/tcp   open  https
1883/tcp  open  mqtt
8099/tcp  open  unknown
9999/tcp  open  abyss
18301/tcp open  unknown
Ruckus Unleashed APs talk to each other to let clients roam, to pick radio frequencies which don't clash, to make sure they all have up-to-date configuration (in case one dies and another one needs to take over controller duties).

So of necessity there will be ports open.
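
For anyone who wants to track this exposure across firmware updates, here is an added example (not part of the posts above, and not Ruckus or ms264556 code) that parses the two scan tables from this exchange, lists what answers outside an allowlist, and shows how the master and non-master roles differ. The `MGMT_PORTS` set and the empty default allowlist are assumptions; set them to whatever your own VLAN policy permits.

```python
import re

# Scan tables copied from the post above: Unleashed master, then non-master.
MASTER = """PORT      STATE    SERVICE
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http
443/tcp   open     https
1883/tcp  open     mqtt
4222/tcp  open     vrml-multi-use
8099/tcp  open     unknown
9997/tcp  open     palace-6
9998/tcp  open     distinct32
9999/tcp  open     abyss
18301/tcp open     unknown"""
NON_MASTER = """PORT      STATE SERVICE
22/tcp    open  ssh
443/tcp   open  https
1883/tcp  open  mqtt
8099/tcp  open  unknown
9999/tcp  open  abyss
18301/tcp open  unknown"""

# Assumption: ports treated as management plane for this audit.
MGMT_PORTS = {22, 23, 80, 443}
ROW = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)")

def parse_table(text):
    """Map port number -> state. Service names are ignored: without version
    detection nmap only guesses them from the port number."""
    return {int(m.group(1)): m.group(2)
            for m in map(ROW.match, text.splitlines()) if m}

def audit(text, allowed_open=frozenset()):
    """Report open ports outside allowed_open (a hypothetical per-VLAN policy)."""
    open_ports = {p for p, s in parse_table(text).items() if s == "open"}
    unexpected = sorted(open_ports - set(allowed_open))
    return {"unexpected": unexpected,
            "management": [p for p in unexpected if p in MGMT_PORTS]}

def role_diff(a, b):
    """Ports open in scan a but not in scan b."""
    is_open = lambda t: {p for p, s in parse_table(t).items() if s == "open"}
    return sorted(is_open(a) - is_open(b))

if __name__ == "__main__":
    for name, scan in (("master", MASTER), ("non-master", NON_MASTER)):
        print(name, audit(scan))
    print("master only:", role_diff(MASTER, NON_MASTER))
    print("non-master only:", role_diff(NON_MASTER, MASTER))
```

Saving the output per firmware build and diffing it after each upgrade shows whether a release opened or closed anything on the non-management interface.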
 

ms264556

The Master isn't accepting ssh connections on the main vlan, but the non-master is, or at least probably would, except I can't connect to it, because I have blacklisted the broken old ssh-rsa host key algorithm. So not only is that port probably accessible on the interface I don't want it to be accessible on, but it is likely protected by severely outdated and broken encryption...
ssh-rsa key exchange isn't broken - it's deprecated because it can use a sha1 hash. And sha1 hashes can, at significant expense and time, be chosen-prefix collision attacked.
So in a theoretical future when the sha1 collision can be generated in a few seconds or minutes, a man-in-the-middle attacker on your network could hijack your session.

If you're still running that firmware in 2030-something, with an attacker already inside your network, then you will have to avoid using the SSH functionality.

But already there's not much reason to SSH in to your Unleashed AP.

Almost everything useful is moved already to the web UI. Otherwise I provide a python API to configure Unleashed without using SSH. I already rewrote the home assistant integration to use this, a long time ago.

edit:

If you must use SSH, and your chosen client OS doesn't let you downgrade SSH security anymore (currently, only non-trusted users on recent centos/rhel/fedora derived distros would have this issue), then I have a patch which replaces the RSA key with an ECDSA key. Unfortunately, applying the patch will require you to temporarily downgrade your AP firmware, which is a rigmarole, so it's only worth doing if you regularly need SSH access to Unleashed.
 

ms264556

One last response....

If you're super worried about the security of devices within your home network, then you should 100% have a separate VLAN for untrusted devices/traffic. Ruckus makes it very easy to tag individual SSIDs (or clients, using DPSK) with a VLAN. And you should definitely not run guest networks with walled garden login forms - use DPSK guest passes instead.

If you enjoy the superior Ruckus radio performance, but can't even accept trusted management devices talking to each other, then you can use a controller-based Ruckus solution behind a firewall. You can use a ZD1200 if your APs are supported, or buy an R750/R850/R770 to run as an Unleashed Dedicated Master, or put in a Virtual SmartZone VM. I have firewall guides which pass only the bare minimum of necessary AP traffic to the controller.
 

kpfleming

Well-Known Member
Dec 28, 2021
474
250
63
Pelham NY USA
Same issue with non-master Unleashed R710 AP, 200.15.6.212.27 stuck at 0% and timeout. Had to factory reset to get it thru eventually.
I just upgraded two R710s and an R510 and it went smoothly, although I had to download the firmware files and use the 'local upgrade' method.
 

Vesalius

Active Member
Nov 25, 2019
265
205
43
Resolved Issues in Build 200.18.7.101.242

• Unleashed (200.17.7.0.152), resolved an issue where Wi-Fi Calling on Apple devices would experience dropped calls or one-way audio when roaming between access points. [ER-15088]

• Unleashed (200.18), resolved an issue where TLS encryption with the Active Directory authentication server failed after upgrading to version 200.17. [ER-15441]

• Security fix, refer to the RUCKUS Security Advisory for more information.
 

ms264556

Resolved Issues in Build 200.18.7.101.242

• Unleashed (200.17.7.0.152), resolved an issue where Wi-Fi Calling on Apple devices would experience dropped calls or one-way audio when roaming between access points. [ER-15088]
...
• Security fix, refer to the RUCKUS Security Advisory for more information.
The release notes are unhelpful this time around: these two fixes were already in the previous 200.18 build. Only the AD fix is new.

200.18.7.101.242 does add support for the R370 and T670sn, and they're claiming UI improvements too.

(and the usual plug for my unofficial changelog)

edit: the list of missing R370 functionality is very comprehensive
 

jei

Active Member
Aug 8, 2021
200
127
43
Finland
Bought R650 from China. 4-pair PoE does not work (ICX7450-24P 90W ports), but 2-pair PoE on 30W ports does. Forcing 90W port to 2-PAIR-PSE does not work. After getting power it can only negotiate 100Mbps link. Clearly there's a problem with 1 or 2 contacts for the ethernet. I'm wondering how likely this is a RJ45 connector issue that could be corrected with reflow or maybe something deeper.

edit: Reflowed what I could, no change. Connector seems to be ok.
 

Sealside

Active Member
May 10, 2019
136
47
28
Stockholm/Sweden
Are there more people running r770 units? If so what's the experience so far? Now with wifi7 being more available I'm tempted to get one. Would run unleashed.
 

int0x2e

Active Member
Dec 9, 2015
118
81
28
46
Are there more people running r770 units? If so what's the experience so far? Now with wifi7 being more available I'm tempted to get one. Would run unleashed.
I think bang-for-the-buck is still on the x50 line right now, but I'd love to hop on the x70 train if I could justify the cost...
 

sth

Active Member
Oct 29, 2015
411
102
43
@Sealside I'm running several R770s here since early 2024. It was rough in the early days but lots of bugs have been resolved and now I feel comfortable recommending it. Wifi7 is a noticeable jump now client devices are catching up. It is a hassle having older clients (Nvidia Shield I'm looking at you) that don't support WPA3.
 

epicurean

Active Member
Sep 29, 2014
809
93
28
Is there any advantage to having a higher or newer firmware for one or more of the ruckus access points, or is it best to keep all the access points at the same firmware build?

I have an unleashed network of 3 access points - R730 converted to a R850 and firmware kept at 200.14. A R610 which is the master and is not broadcasting wirelessly, and a R750 which also has their firmware at 200.14. Is there any advantage to getting the R750 up to the latest firmware?
The R750 is on the ground floor, and doing most of the heavy wifi lifting

much thanks for your insights
 

ms264556

The later releases have better remote management, but mainly they have no known security vulnerabilities. I see absolutely no improvement in performance vs later versions.

The unpatched security vulnerabilities are very bad, but all require the attacker to be on your management network, so not really a worry for a home deployment. Even if you allow untrusted/guest devices, I'd personally just isolate them on an SSID with a VLAN.
 

epicurean

Can I just update the firmware of just the R750 via the unleashed interface? Or can it only do it for all the access points in the network?
 

ms264556

Can I just update the firmware of just the R750 via the unleashed interface? Or can it only do it for all the access points in the network?
You can only have one Unleashed network per subnet, and all APs on the network need to run the same firmware.

So you can either run everything on 200.14, or put the R730 (and the R610 if you want) on a separate subnet and run two independent Unleashed networks. But this is a bit of a pain to manage, and it really won't improve security.

If you worry about the security vulnerabilities then you could buy a $40 ZD1200 and run everything on this, which would get all your APs on supported firmware for a couple more years.

If you want new toys to tinker with then you could install vSZ. I'm happy to give you a partner domain on my vSZ if you want to try it without dedicating a significant amount of VM resources. vSZ is pretty easy to setup but it's a chunky VM: assuming you thin-provision, the latest vSZ will need ~10GB disk, 2 cores & 13GB RAM. If you don't thin-provision the disk (since they strongly recommend against it) then you need 150GB disk. Older versions had very low idle CPU usage, but the latest builds seem to chew half a CPU all day.
 

int0x2e

Anyone else notice that the R850 can be bought for more or less the price of a R750 these days?

I know most of us probably don't really need the 8x8 MIMO (most people probably won't notice any difference compared to an R650) and there's the issue of the higher power consumption - but I suspect the R850 is still a great deal if they're the same price (which does require some patience...).

Example deal -
Seller accepted 1 @ $245 for this listing
 

sth

The R850 (from memory) is optimised for volume so unless you have a stadium environment, less performant than the R750 in lower density throughput. I don't have the docs to hand to fact check though but before you buy, please do some research.
EDIT: I had a quick google for the source and couldn't locate it, also found several comments contradicting that perspective.
 

int0x2e

The R850 (from memory) is optimised for volume so unless you have a stadium environment, less performant than the R750 in lower density throughput. I don't have the docs to hand to fact check though but before you buy, please do some research.
EDIT: I had a quick google for the source and couldn't locate it, also found several comments contradicting that perspective.
I agree it's really overkill for any normal home and most offices even.
I suspect it's still at least on par with the R750, if not slightly better as it's their flagship offering in the WiFi-6 gen.
Very anecdotal evidence in threads like this one seems to support that notion - but I don't know if you should really rely on it...
Either way - I suspect between all of the above, and the fact it requires slightly "too much" PoE power - there's less demand for used R850, so they may be a good deal for some. Definitely not a clear winner though!
 

howtobean

New Member
May 23, 2021
8
0
1
@ms264556
Thanks a lot! I’ve got a few R510s and R310s, and I’m really interested in modding the R730 to an R850 too.
Could you show me how to use a console cable to connect directly to the board of a Ruckus AP?
Is this the same type of cable that works with all current Ruckus AP models?

ms264556

@ms264556
Thanks a lot! I’ve got a few R510s and R310s, and I’m really interested in modding the R730 to an R850 too.
Could you show me how to use a console cable to connect directly to the board of a Ruckus AP?
Is this the same type of cable that works with all current Ruckus AP models?
You shouldn't need a serial cable to do Ruckus AP modding, unless something's gone very wrong. My mods all work from the web UI and/or SSH CLI. The R730 Unleashed guide is here: Run Unleashed on the Ruckus R730 | ms264556.net

But to answer your question...

Yes, I have that cable and it seems to work reliably on all Ruckus APs.

Jon Sands shows the UART pins here:-
And Floris Brunet published a nice page with a picture showing which colours connect to which UART pins:-
 