Thinking about retiring and getting some quality of life


SuperMiguel

New Member
Jun 17, 2021
21
2
3
So, for as long as I can remember, I've been managing my own network, and for the longest time I would follow packets around (I really enjoyed that kind of stuff), but lately I'm just tired lol, and I'm thinking about retiring some/most/all of my home enterprise gear and getting something a bit less hands-on where I mostly don't have to worry about it. My current home network has a few Brocade ICX6610 as main switches and a few smaller Brocades, 4 Ruckus R710, and OPNsense as a firewall. And the truth is that there are issues here and there like dropped wireless clients, sometimes a slow wired client, some compatibility issues with things like Sonos, some IoT devices that don't want to play well even on 2.4 GHz... For example, today I've been having intermittent issues with the entire network, where clients will just drop for no particular reason, and rebooting all of this gear and troubleshooting is becoming a pain in the rear and time consuming...

So I started thinking.... my requirements have depleted so much that, is it worth it dealing with all this old noisy gear? My only requirements right now are VLANs, the ability to assign VLANs based on client MAC address using a RADIUS server, filtering (can probably just use pihole) and VPN (currently using WireGuard, but switching to Tailscale), so.... should I drop it all and just get a complete system from Unifi, Meraki, or Omada and gain some quality of life? Or is the other side truly not that green compared to mine?

Also, my ISP is currently pushing hard their 2 and 5 G connections, so maybe I'll piggyback on that and get my house ready for 5 gigs.
 

Stephan

Well-Known Member
Apr 21, 2017
945
714
93
Germany
The question is, will a single box provide you with the diagnostic capabilities to find the cause of clients going away. Doubt it...

You could revert to a more "KISS" (keep-it-simple-stupid) setup. Lower the number of devices. Only keep those which let you diagnose the problems you have, but don't make it any simpler if that means losing deep diagnostics.

For example ditch any unmanaged switch, dynamic VLANs and Radius. Make every client static in their VLANs based on SSID or network port. I like Main (servers, boss' machines), IoT (filtered heavily), Guests (no access to internal systems, DNS ad-filtered internet), Kids (routed through a 3rd world country, in case they or some app do something really stupid without me catching it fast enough).

Wifi problems can be tricky. I use a stack consisting of an AR9590 mini-PCIe card with a patched regulation-free ath9k Linux driver, slightly patched hostapd and speccy:
Here I can diagnose really anything: spectrum noise problems without a 50k EUR Rohde & Schwarz spectrum analyzer, like an insufficiently insulated microwave oven. The AR9590 even has 8-bit sample depth, a GOAT of a chip. Blob-free. The early 2010s really had a bunch of hardware companies 10 years ahead of their time, like Mellanox and Atheros.

Then there's your IoT client Wifi problems. Like ESP32 sleeping too much in some firmware revisions. Counterable using disassoc_low_ack=0 in hostapd.conf. Does your white box vendor support that? Yeah, no. Sometimes the Wifi on a device is simply shot. hostapd_cli shows signal level and current rx/tx rates. Okay any Tomato on Linksys can do that.

Finally with Atheros sysfs debug capabilities, I can see general air link problems:
Code:
# cat /sys/kernel/debug/ieee80211/phy*/ath9k/{reset,dump_nfcal}
    Baseband Hang:  0
Baseband Watchdog: 49
   Fatal HW Error:  0
      TX HW error:  0
 Transmit timeout:  1
     TX Path Hang:  0
      PLL RX Hang:  0
         MAC Hang:  2
     Stuck Beacon: 18
        MCI Reset:  0
Calibration error:  0
Tx DMA stop error: 15
Rx DMA stop error:  0
Channel Noise Floor : -95
Chain | privNF | # Readings | NF Readings
 0    -105    5        -105 -104 -104 -105 -105
 1    -105    5        -106 -105 -106 -105 -105
 2    -100    5        -100 -117 -116 -100 -99
 3    -104    5        -105 -104 -104 -105 -104
 4    -105    5        -105 -105 -105 -105 -105
 5    -103    5        -103 -107 -107 -103 -102
I have no good words for Sonos and their antics.

Pi-Hole seems popular but I run dnsmasq on LAN segments and unbound for its upstream DNS with a blocklist and my own blocked domains.
 
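An added example, not part of Stephan's post: a small Python parser for the `reset` and `dump_nfcal` debugfs output quoted above, so the counters can be snapshotted and compared over time instead of eyeballed. The sample text is the output from the post; the list of counters worth alerting on and the noise-floor spread threshold are my own assumptions, not values from the ath9k driver.

```python
import re

# Sample text: the debugfs output quoted in the post above (the concatenation of
# /sys/kernel/debug/ieee80211/phy*/ath9k/reset and dump_nfcal).
SAMPLE = """\
    Baseband Hang:  0
Baseband Watchdog: 49
   Fatal HW Error:  0
      TX HW error:  0
 Transmit timeout:  1
     TX Path Hang:  0
      PLL RX Hang:  0
         MAC Hang:  2
     Stuck Beacon: 18
        MCI Reset:  0
Calibration error:  0
Tx DMA stop error: 15
Rx DMA stop error:  0
Channel Noise Floor : -95
Chain | privNF | # Readings | NF Readings
 0    -105    5        -105 -104 -104 -105 -105
 1    -105    5        -106 -105 -106 -105 -105
 2    -100    5        -100 -117 -116 -100 -99
 3    -104    5        -105 -104 -104 -105 -104
 4    -105    5        -105 -105 -105 -105 -105
 5    -103    5        -103 -107 -107 -103 -102
"""

# "Name: value" lines from the reset file (and the channel noise floor line).
RESET_LINE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(-?\d+)\s*$")
# Per-chain rows of the noise-floor calibration table: chain, privNF, count, readings.
NF_LINE = re.compile(r"^\s*(\d+)\s+(-?\d+)\s+(\d+)\s+((?:-?\d+\s*)+)$")


def parse_ath9k(text):
    """Return (counters, chains): counters as {name: int}, chains as {idx: {...}}."""
    counters, chains = {}, {}
    for line in text.splitlines():
        m = RESET_LINE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
            continue
        m = NF_LINE.match(line)
        if m:
            chains[int(m.group(1))] = {
                "priv_nf": int(m.group(2)),
                "readings": [int(x) for x in m.group(4).split()],
            }
    return counters, chains


# Assumed list of counters that mean the radio had to recover itself. Which ones
# matter for a given deployment is a judgement call; the growth rate between
# snapshots is the useful signal, not one absolute reading.
ALERT_COUNTERS = ("Baseband Watchdog", "MAC Hang", "Stuck Beacon",
                  "Tx DMA stop error", "Fatal HW Error")


def assess(counters, chains, noisy_delta=10):
    """List human-readable findings: nonzero recovery counters and noisy chains."""
    findings = [f"{name}={counters[name]}" for name in ALERT_COUNTERS
                if counters.get(name, 0) > 0]
    # A chain whose readings swing far from each other hints at interference or a
    # bad antenna path (chain 2 in the sample). The 10 dB threshold is assumed.
    for idx, chain in chains.items():
        spread = max(chain["readings"]) - min(chain["readings"])
        if spread >= noisy_delta:
            findings.append(f"chain {idx} NF spread {spread} dB")
    return findings


def counter_deltas(before, after):
    """Return only the counters that increased between two snapshots."""
    return {k: after[k] - before.get(k, 0)
            for k in after if after[k] > before.get(k, 0)}


if __name__ == "__main__":
    counters, chains = parse_ath9k(SAMPLE)
    for finding in assess(counters, chains):
        print(finding)
```

Run it periodically (cron, or a loop that re-reads the debugfs files) and feed consecutive snapshots to `counter_deltas`; a "Stuck Beacon" count that climbs every minute tells you more than the value 18 on its own.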

zunder1990

Active Member
Nov 15, 2012
212
72
28
So I started thinking.... my requirements have depleted so much that, is it worth it dealing with all this old noisy gear? My only requirements right now are VLANs, the ability to assign VLANs based on client MAC address using a RADIUS server, filtering (can probably just use pihole) and VPN (currently using WireGuard, but switching to Tailscale), so.... should I drop it all and just get a complete system from Unifi, Meraki, or Omada and gain some quality of life? Or is the other side truly not that green compared to mine?
Doing RADIUS at home really does up the complexity of the network layout. Ask yourself: do you really need RADIUS, or is there another way of doing it that would get you about the same result?
 

SuperMiguel

New Member
Jun 17, 2021
21
2
3
Doing RADIUS at home really does up the complexity of the network layout. Ask yourself: do you really need RADIUS, or is there another way of doing it that would get you about the same result?
Dynamic VLAN is awesome!!! And somehow one of my networking pieces that works really well.
 

SuperMiguel

New Member
Jun 17, 2021
21
2
3
The question is, will a single box provide you with the diagnostic capabilities to find the cause of clients going away. Doubt it...
I didn't actually mean an all-in-one device; I will never do that. I meant more like getting multiple switches, APs, maybe routers under the same brand for easier management and visibility.
 

fta

Active Member
Feb 19, 2017
155
163
43
94
This is why I moved to unifi hardware several years ago. I very much like having the ability to do everything from a single interface.
 

Becks0815

Well-Known Member
Oct 15, 2022
219
278
63
I wouldn't use Unifi, but this is just my personal opinion, based on:

As soon as I tried to use their hardware in a mixed environment, the hardware tended to fail. The Wifi AP didn't find the Unifi controller software, because it wasn't running on the router and there was no computer named "unifi" in my home network, and the AP has no other option than this to find the controller. The switch is even worse, and is currently not able to find the controller despite setting Option 43 in the DHCP server and pointing it to the machine running it.

I don't like how they enforce cloud service stuff without giving real advantages. There is no online backup available, something which would be easy to build, because the config file of such a controller is only 26kb big - uncompressed. This might be different if you sign up and pay a monthly fee, but I don't see the need of paying a monthly fee just to be able to control my local network.

The whole backup concept is trash. While I can easily create one on opnsense and read it with any other machine running the same software, the unifi controller backups are tied to the software version and IP of the machine. I found it out the hard way when I had to move the software to a new computer after a hardware failure, just to find out I had to manually build up all the settings from scratch, at 2 in the morning, the only time no one was really using the network for work or watching movies. Combined with the AP not finding the new controller, I was busy until 5 in the morning to google solutions and repair the network.

I don't like the controller software. It is based on a totally outdated version of Java and mongodb, and the only way to install it on a third party system without headaches, a lot of tricks and errors, is to run it in docker.

I had a look at the hardware they offer. The "dream machine" is powered by a processor with less CPU power than the one I replaced a month ago, and the J3160 I replaced is already 7 years old. The dream machine costs twice the amount I paid for the box I use now, and the box I use now is about 6-7 times faster.

Last but not least, I don't plan to build my network using components of a single company, to avoid the possibility of enshittification (read the linked text, well made). The more you rely on a single company, the harder it is to move away if they become greedy. If you build your whole network using Unifi hardware, it will take a lot of work and money to move away. This could be required if they e.g. enforce the cloud service part, lock essential functions behind it and a monthly fee, and/or make managing the network impossible without online access. I can already see this all over the place, from Mercedes/BMW (pay a monthly fee, or we will lock functions of your car) over HP (pay a fee to get ink, or we will render your printer useless, and if you try to print a page while being offline - good luck), and this one here could be another one. I'd rather exchange the router, instead of having to replace router, web cams, Wifi APs, switches, doorbells, electrical car chargers, ....
 

Stephan

Well-Known Member
Apr 21, 2017
945
714
93
Germany
Thanks for taking the time to write up your experiences with Unifi! Good example to show the whole point of forums such as STH: allowing oneself to be set up for a journey from meh solutions to the better or great stuff. Minimum level of device ownership for me means that I could replace the bootloader, if I wanted to. If I can't, I am powering somebody else's property.
 

sth

Active Member
Oct 29, 2015
381
92
28
Your issues sound like mDNS broadcast issues (Sonos), DFS compatibility (IoT) and WiFi tuning (handoff and reliability) issues that could be solved pretty simply. Your equipment is fine. Maybe start a new thread with more details and we can support you in resolving them.
 

fta

Active Member
Feb 19, 2017
155
163
43
94
I'm not a unifi fanboy, and I generally don't find it necessary to reply to posts like this, but I'm going to in this instance because I think some of it does not always apply.

As soon as I tried to use their hardware in a mixed environment, the hardware tended to fail. The Wifi AP didn't find the Unifi controller software, because it wasn't running on the router and there was no computer named "unifi" in my home network, and the AP has no other option than this to find the controller. The switch is even worse, and is currently not able to find the controller despite setting Option 43 in the DHCP server and pointing it to the machine running it.
My controller isn't running on my router, and my router is not unifi hardware. I am not having these issues.

I don't like how they enforce cloud service stuff, without giving real advantages.
I am not using anything cloud. All of my unifi stuff is local only.

I don't like the controller software. It is based on a totally outdated version of Java and mongodb, and the only way to install it on a third party system without headaches, a lot of tricks and errors, is to run it in docker.
The controller is designed for large enterprise installations. It's no surprise it is more complicated than something that would only work for a home installation. Docker/containerization is the future since it is designed to solve this exact problem of software being hard to install. I use it for everything.

I had a look at the hardware they offer. The "dream machine" is powered by a processor with less CPU power than the one I replaced a month ago, and the J3160 I replaced is already 7 years old. The dream machine costs twice the amount I paid for the box I use now, and the box I use now is about 6-7 times faster.
In my day job, we create custom hardware for our customers. The hardware often contains a single core, slow, ancient CPU. And yet the hardware can process multiple gigasamples of data. In appliances like these, ASICs and FPGAs do the heavy lifting. CPU power isn't as relevant as in a standard PC like box.
 

sic0048

Active Member
Dec 24, 2018
136
108
43
so.... should I drop it all and just get a complete system from Unifi, Meraki, or Omada and gain some quality of life? Or is the other side truly not that green compared to mine?
I'd say there is no magic solution. Even a "complete" system from Unifi, Meraki, Omada, etc. is going to have problems at times. I think you are simply going to end up swapping one set of problems for another, and spending a whole lot of money in the meantime. In other words, I don't think you will find the grass to be any greener compared to yours already......
 

Becks0815

Well-Known Member
Oct 15, 2022
219
278
63
My controller isn't running on my router, and my router is not unifi hardware. I am not having these issues.
Feel free to hop into a plane, come over, and work with my hardware. The flex mini is in the "adopting" stage now for maybe 4 days.


and this despite setting DHCP Option 43, which is needed to tell this stupid piece of hardware where to look:


If this is unknown to you: these switches are unable to find the controller in a mixed environment unless you activate option 43 in the DHCP server and add a text starting with 0x0104 followed by the IP address of the unifi controller in hex (192.168.1.5 translates to c0a80105). This worked last time; I found the solution at around half past 4 in the morning, after playing with Unifi gear since 2. Why it doesn't work again is unknown to me. I have reset that thing maybe 10-15 times in the past days, and now I simply ignore it for now.

I am not using anything cloud. All of my unifi stuff is local only.
I saw different opinions and reviews about the Dream machine pro, and UI definitely pushes people to their cloud approach:

Do not buy. This has major weaknesses that mean it is not ready for real-world use.
This is, without doubt, the worst piece of networking equipment that Ubiquiti has ever produced.

Let's count the problems.

1. There is no physical power button, so if (rather, when) there is an issue, there is no way to reliably shut the device down without either yanking the power cable out the back, or performing a factory reset.

2. The WAN routing mechanism ALWAYS uses NAT, and it can't be changed. So forget using this with a second router unless you want the joy of double NAT (not good for certain devices, and generally not ideal for performance).

3. The device forces open REMOTE access management from the web. Yes, you read that correctly, the UDM Pro is so poorly coded that it has an open back door for hackers to come in and manage the device remotely. Sure, they might need to have obtained your UI.COM account details, but think on this... the Ubiquiti system is now a perfect honeypot for hackers because they know that if they can hack that, then they can gain access to any network which has a UDM on it. THIS IS POSSIBLY THE MOST STUPID THING THAT I HAVE COME ACROSS IN 30 YEARS OF WORKING WITH NETWORKS.

Not only that, the UnifiOS is very flaky and the implementation on the UDM Pro is, well, not good.

This is clearly (in June 2020) an alpha release, and perhaps in a year or so's time, when the Ubiquiti team have worked through all the bugs - especially in their thinking - then the product might be great.

But right now, it is a very expensive paperweight that you simply cannot risk adding to your network.
(Local seller's feedback page)


I also can see that UI populates a portion of my network to their user account page. Side note: I have started adding year, month and version to the name to keep track of how many times I had to reinstall everything due to some kind of hiccup :)

For me the trend of UI tends to cloud, just like e.g. the Windows user account management. On Win 7/8, I could create a local admin account. Win 10 tried to push me to live.com and a MS account, including one for the admin access on my machine. I have refused to look at Win 11 so far, but heard bad things about the tricks you need to stop MS from forcing an online cloud account to be created.


The controller is designed for large enterprise installations. It's no surprise it is more complicated than something that would only work for a home installation. Docker/containerization is the future since it is designed to solve this exact problem of software being hard to install. I use it for everything.
Complicated and outdated are two different things. Using Java 8 while JRE 11 is the currently used one on Linux is not a positive sign, and just because it is "enterprise software" doesn't mean it has to be hard to install. The reason why it is hard to install is that the controller is based on outdated software. You have to trick Linux to use old packages and old software, without trashing/crashing the rest of the system.
I also prefer Docker, because now I can run a script to save the configuration data using a Linux script (backup of the configuration subdirectory). It only takes one reinstall from scratch to move it there - because you can't create a backup of the current one, install the controller on Docker and import it. Tried that already.

In my day job, we create custom hardware for our customers. The hardware often contains a single core, slow, ancient CPU. And yet the hardware can process multiple gigasamples of data. In appliances like these, ASICs and FPGAs do the heavy lifting. CPU power isn't as relevant as in a standard PC like box.
UI should add some more to their equipment then. The dream machine "Pro" offers a 10GBit NIC, but even the official docu of the machine shows that the max. speed this thing can achieve is 3.5 GBit/sec (https://dl.ubnt.com/ds/udm-pro). Same applies for the Dream machine SE.
 

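An added example, not from Becks0815's post or from Ubiquiti's documentation: a Python helper that builds the Option 43 value from a controller address and decodes an existing value back again, so a mistyped hex string (or a wrong octet) is caught before it goes into the DHCP server. It assumes the layout the post describes (sub-option tag 0x01, length 0x04, then the four address bytes); the dnsmasq line uses dnsmasq's generic colon-separated raw-hex form for `dhcp-option`.

```python
import ipaddress

# Sub-option 1 of the vendor-specific Option 43 payload carries the controller
# ("inform") IPv4 address as a TLV: tag 0x01, length 0x04, four address bytes.
# The tag value follows the description in the post above.
UBNT_INFORM_TAG = 0x01


def encode_option43(controller_ip):
    """Return the Option 43 value as a hex string, e.g. '0104c0a80105'."""
    ip = ipaddress.IPv4Address(controller_ip)  # raises on malformed input
    payload = bytes([UBNT_INFORM_TAG, 4]) + ip.packed
    return payload.hex()


def decode_option43(hex_value):
    """Parse a TLV-encoded Option 43 value into {tag: bytes}, checking lengths.

    Accepts '0104c0a80105', '0x0104c0a80105' and '01:04:c0:a8:01:05'.
    """
    clean = hex_value.strip().removeprefix("0x").replace(":", "")
    data = bytes.fromhex(clean)  # raises ValueError on non-hex or odd length
    tlvs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"tag {tag:#x} declares {length} bytes but only {len(value)} present")
        tlvs[tag] = value
        i += 2 + length
    return tlvs


def controller_ip_from_option43(hex_value):
    """Extract the dotted-quad controller address advertised by an Option 43 value."""
    raw = decode_option43(hex_value).get(UBNT_INFORM_TAG)
    if raw is None or len(raw) != 4:
        raise ValueError("no 4-byte inform address in option 43")
    return str(ipaddress.IPv4Address(raw))


def dnsmasq_line(controller_ip):
    """Render the value as a dnsmasq raw-hex dhcp-option line (colon-separated bytes)."""
    h = encode_option43(controller_ip)
    return "dhcp-option=43," + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


if __name__ == "__main__":
    value = encode_option43("192.168.1.5")
    print(value)                              # 0104c0a80105
    print(controller_ip_from_option43(value))  # 192.168.1.5
    print(dnsmasq_line("192.168.1.5"))
```

Decoding whatever is currently configured is the useful direction when adoption silently fails: a value that decodes to an address other than the controller's, or that does not decode at all, explains a switch stuck in "adopting" without any guessing. It also makes the point that a single wrong digit in the dotted address changes the hex bytes, so the hex should always be generated, never typed by hand.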

fta

Active Member
Feb 19, 2017
155
163
43
94
Feel free to hop into a plane, come over, and work with my hardware.
You have strong feelings on this, whereas I do not. I'm just giving the perspective of when it works well.

UI should add some more to their equipment then. The dream machine "Pro" offers a 10GBit NIC, but even the official docu of the machine shows that the max. speed this thing can achieve is 3.5 GBit/sec (https://dl.ubnt.com/ds/udm-pro). Same applies for the Dream machine SE.
3.5Gbps doing IDS/IPS. That's actually pretty impressive for a $379 device.
 

oldpenguin

Member
Apr 27, 2023
30
10
8
EU
Ubiquiti UAP devices, from a 802.11 perspective, still do a more than reasonable job. As previously mentioned by others, the same can't be said about the infamous controller - however, properly containerized (unless you feel like running an ubuntu 18 VM) it does the job of configuring them. My greatest laugh on them was seeing switch models that can only be configured from the Unifi controller - wtf, meraki copycat without proper quality control. ER series - as much as they were praised by various people around, don't exactly match up to anything but hype. Similar or lower priced, decade old cisco (or insert your favorite brand that used to last forever) router with about same specs will likely accomplish more and if you're lucky, outlive them too.

Look at Mikrotik as a comparison (pretty sure it's right nearby when you compare specs/pricing) - I'm pretty sure you're likely getting more features from them (haven't had the chance to play with their CAPs unfortunately) but they didn't seem to enroll in the "enshittification" trend (great article btw). And a PtP link pair from those guys is likely to "enshittify" a lot of competition, but that's not really a STH area unless you're too lazy to pull your own 200m fiber cable.

TL/DR version: ubnt access points still do an awesome job in my case, they still get firmware updates, they handle VLANs correctly - but limiting to 4 SSIDs/band is an ass move, controller sucks badly, haven't had but one case of unit requiring readoption in nearly 7 years, zero handover is just a marketing term. Other types of devices from them - definitely avoiding (had a failed switch that needed 802.3af PoE, got an USW-16-POE unit - went to returns 2 days after and got replaced by a WS-C3560X-24P-S for 1/3rd of the price, about same noise and bit less watts used, no power flipping on ports, not restarting because Murphy's laughing in his grave or whatnot).

Maybe Mikrotik CAP user around (if any) can share some feelings too.
 

Becks0815

Well-Known Member
Oct 15, 2022
219
278
63
You have strong feelings on this, whereas I do not. I'm just giving the perspective of when it works well.
You do you. I don't have strong feelings at all - ask my wife about "feelings", I just have an opinion. And in my opinion it is a bad idea to place a bet on a single company or single type of hardware. It binds you to the company, no matter if you like what road they take in the future.

But because I don't get money from any side (pro or against UI), I am out of this thread.