Any Prosumer/Enterprise-ish Wireless Access Points I'm missing?

[Zarathustra[H]]

Hey everyone,

I've been trying to get away from Ubiquiti Unifi products for some time, and wanted to make it happen with my upgrade from Unifi AC ap's to something ax (or newer)

I just tried Mikrotik's cAP ax AP's with unsatisfactory results. VLAN failed to work right, even internally on bridges on the Mikrotik hardware, so I returned them.

Next, I am leaning towards trying Ruckus AP's. Two Ruckus R650's with Unleashed firmware are probably what I will try next, but damn, are they expensive. Over 3x as much as the Mikrotik's.

Are there any other recommendations for pro-sumer entperise wifi in the home?

I'd appreciate suggestions on what else to try.

 

[Stugots]

Out of curiosity, why are you trying to move away from Ubiquiti products?

 

[SamirD]

While I haven't personally used Ruckus, I've read so many good things about them. Two others to look at are some HP Aruba ones and the Oneida (sp?) series from tplink as I've read good things on them as well.

 

[Zarathustra[H]]

Out of curiosity, why are you trying to move away from Ubiquiti products?

I used to really like Unifi back 15 years ago when they were a startup shaking up the business.

That's about when I got my first Unifi AP and I loved it, and only expanded since then.

Then - because I liked my Unifi AP's, when I needed a video surveillance platform I got into Unifi Video.

I loved how I could run my own on premises servers for each on my VM server.

Then things started slowly going downhill. Ubiquiti started adding hardware firewalls and router products and integrated them into their eco system, so you constantly had to look at their "error no router" messages when you didn't use their products. That started to piss me off.

Then they unceremoniously discontinued the local Unifi Video server. All of your hardware became useless if you didn't use their cloud. I don't do cloud. No cloud ever.

And to add insult to injury, at the same time as they announced that Unifi Video would be moving to cloud only, they had a highly publicized breach compromising the data of all of their customers who used their cloud service.

This just left such a bad taste in my mouth that I have wanted out ever since, but I had just invested in my fancy new UAP-AC LR units, and they were working fine, so I just didn't get around to it until now, when I am considering upgrading.

I don't know if they will do the same thing with the Unifi controller server for AP's, but even if they don't, they have proven themselves to not be trustworthy, IMHO, and I want nothing to so with them.

If I could have the scrappy small Ubiquiti Networks of 2009 back again, I'd stay with them in a heartbeat, but that company seems long gone, and in its place is a cynical, cloud based tech-bro shit-show that - just like the big boys - has no concept of user consent, and I want no part of that.

 

[kydsid]

Omada, older Aruba are my go to. You can get solid Aruba IAP325s (the ones that don't need a controller) for like $20 on ebay.

 

[Dopamin3]

TP Link Omada.

I have two EAP660 HD APs and they are fantastic. The Omada controller can be used with a hardware appliance, you can self host it, or pay a cloud subscription (IIRC $5 per AP). I run a docker container. If you've used the Unifi controller to manage Ubiquiti, the Omada controller essentially has feature parity.

 

[Zarathustra[H]]

older Aruba are my go to. You can get solid Aruba IAP325s (the ones that don't need a controller) for like $20 on ebay.

Appreciate the recommendation. I have played with Aruba switches in the past, and I consider them to be quality gear (if a little clunky to set up and configure) but I'd totally consider Aruba if I can make it work for me.

The price is certainly right, but I am not really feeling like doing a side grade from ac -> ac.

Do you know if there are any ax Arubas that don't require a controller? (or if they require a controller, have a software controller I can throw in a VM that does not require a paid license free if you own the hardware?)

 

[Zarathustra[H]]

Omada,

TP Link Omada.

Everyone's comfort level here is going to be different, but I don't really feel like inviting Peoples Republic of China Military Intelligence into my home, so anything TP-Link (or other brands with design authority in the PRC) are going to not be on any list of mine.

Lots of little fly-by-night Chinese "brand name generator" brands for switches and other network hardware - mostly based on RealTek switching chips - have been getting popular lately due to them being cheap, but I can't see myself ever using any of them.

You know, the likes of Davuaz, Hasivo, ienRon, Keeplink, Mokerlink, Nicgiga, Sodola, Tenda, Vimin, Xikestor, YuanLey, YuLinca, etc.

TP-Link has been around a little bit longer, but being headquartered and designed in Shenzhen in an authoritarian state any of their products being intentionally compromised is just an order from an intelligence officer away. I don't want that shit in my house, with or without Beavis and Butt-head Cornholio jokes.

 

[kydsid]

Appreciate the recommendation. I have played with Aruba switches in the past, and I consider them to be quality gear (if a little clunky to set up and configure) but I'd totally consider Aruba if I can make it work for me.

The price is certainly right, but I am not really feeling like doing a side grade from ac -> ac.

Do you know if there are any ax Arubas that don't require a controller? (or if they require a controller, have a software controller I can throw in a VM that does not require a paid license free if you own the hardware?)

I haven't paid all that much attention. I believe HP has been more restrictive with recent models. I can tell you from experience it really isn't a side grade. Them old 325s are way better than nearly any other ac AP out there. Rock of Gibraltar stable and performant.

Everyone's comfort level here is going to be different, but I don't really feel like inviting Peoples Republic of China Military Intelligence into my home, so anything TP-Link (or other brands with design authority in the PRC) are going to not be on any list of mine.

Lots of little fly-by-night Chinese "brand name generator" brands for switches and other network hardware - mostly based on RealTek switching chips - have been getting popular lately due to them being cheap, but I can't see myself ever using any of them.

You know, the likes of Davuaz, Hasivo, ienRon, Keeplink, Mokerlink, Nicgiga, Sodola, Tenda, Vimin, Xikestor, YuanLey, YuLinca, etc.

TP-Link has been around a little bit longer, but being headquartered and designed in Shenzhen in an authoritarian state any of their products being intentionally compromised is just an order from an intelligence officer away. I don't want that shit in my house, with or without Beavis and Butt-head Cornholio jokes.

They really aren't interested in you. When they get banned by DoD or CISA for purchase or use then maybe worry, like with Huawei or ZTE. In the meantime I say buy and watch some really weird porn to spook the intel guys (theirs or ours).

 

[Zarathustra[H]]

They really aren't interested in you. When they get banned by DoD or CISA for purchase or use then maybe worry, like with Huawei or ZTE. In the meantime I say buy and watch some really weird porn to spook the intel guys (theirs or ours).

I work for a medical technology startup, and I work two days a week from home.

Chinese military intelligence has a long history of state sponsored acquisition of western technology. Once they get it, they shovel money at it, produce it locally, and dump it on the market at below cost driving the actual inventors out of business.

I am not aware of them targeting any medical device companies yet. It has been mostly green technology and consumer electronics, but it doesn't hurt to be careful.

 

[Zarathustra[H]]

I went ahead and ordered a couple of Ruckus R650 AP's. I have flashed their "Unleashed" firmware (which allows it to be managed directly from the device without management hardware/infrastructure) to one of them thus far.

The way this works is that one of the AP's becomes the master and manages the rest. They can also hand off this responsibility to eachother if the master goes down. It is supposed to be for small business where you dont necessarily want the 1U dedicated Ruckus management system and Enterprise license. So - in other words - perfect for a Networking pro-sumers home.

They seem like great units, but you get what you pay for. They are not cheap. They are a bit picky when it comes to PoE adapters though. That and they run a little warm, so I guess they are really making the most out of the 30w 802.11at spec.

I have recently set up a DC->DC UPS system for my access points and switches, so the standard line level to PoE adapters were not going to work for me.

DC to DC PoE injectors are a little rare (at least ones that are not passive). The first ones I tried said they were 30w 802.11at compatible, but did not do the job of satiating the R650's, dropping them into low power mode constantly. Since I didn't have much luck in finding alternatives, I decided to try the same brand but one size up (the 95W 802.11bt versions). These appear to work.

PoE injectors rated for multigig are also somewhat rare, but it turns out that injecting power doesn't really have much to do with bitrate auto-negotiation, so as far as the switch and unit are concerned, the PoE adapters are just cables. In my case, despite the PoE injectors only being rated as gigabit units, they seem to connect just fine at 2.5gig, at least over short runs. Still not sure if I would actually be limited by gigabit networking on these, but if they offer 2.5gig capability, I'm going to use it on principle


These are "Wifi 6", not 6E or 7 (god I hate the new dumbed down nomenclature for Wifi), but hey, half of the things I connect to wireless are still B/G/N devices, and most of the rest are AC, so I'm not going to make use of anything fancier than that anyway.

The only things that will even connect at ax are my better halfs and my Pixel phones. I might get a Mini-PCIe to m.2 adapter and install ax adapters in the laptops at some point though.

I plan on setting up the Ruckus AP's and installing them over the next few days and will post back with my experiences here.

Wish me luck!

 

[Valnar]

I have a pair of Ruckus R610 AP's that I bought used on eBay. Running Unleashed.

When I say I have never had a single WiFi problem in my crowded neighborhood, I literally mean NEVER. Not once. I can't recommend them enough.

 

[Zarathustra[H]]

I have a pair of Ruckus R610 AP's that I bought used on eBay. Running Unleashed.

When I say I have never had a single WiFi problem in my crowded neighborhood, I literally mean NEVER. Not once. I can't recommend them enough.

Good to hear!

For what it is worth though, apparently the latest Unleashed firmware (200.15) has an issue that is causing many (but not all) users connection troubles, primarily with Apple devices, but other devices too.

The recommendation I have read is for people to stay on 200.14 Refresh 2 until it is resolved in a new release, so that is the revision I am using for my initial setup.

I still need to do some reading to figure out best practices for adopting additional AP's once the Unleashed master has been configured.

 

[Valnar]

I'm on 200.14.6.1.203. I haven't bothered to upgrade to 200.15, but now I won't. Thanks.

 

[Zarathustra[H]]

So I installed the R650's last night, and apart from the short stint where one wouldn't grab an IP address and I spent way more time troubleshooting than I care to admit just to find I forgot to hit "apply" after changing the DHCP static IP assignment in OPNSense...

(Seriously, I will never understand why this is a two step process. Open the configuration page. Complete all of your entries, then click save to close the configuration page and return to the main screen. Now you also have to hit "apply" before changes become effective. I've been doing this for a long time, and know better, and I still forgot to hit "apply " )

But that has nothing to do with the Ruckus R650 AP's.

These things rock.

I got two of them because I absolutely needed two Unifi UAP-AC-LR's to cover my entire house without issues, but I probably could have gotten away with just the one R650. The signal is just that strong, in spite of difficult walls.

One of them is installed on the side of the house where the main entrance is, and the other is on the other side. Right now, phones and other mobile devices connect to the one near the front, and never migrate to the back because they don't need to. That definitely was not the case with my Unifi AP's. I had to tinker with the client load balancing adjacent radio thresholds to get clients to actually migrate to the second AP for better load balancing. Crazy.

When I moved to Unifi in 2009 it was becuase I lived in a dense neighborhood where the 2.4Ghz band was overloaded, and performance was awful. (While 802.11n came out in 2008, 5Ghz wasn't in common residential use yet at that point). I tried all sorts of consumer routers of increasing levels of expense and nothing worked. Then someone on here recommended Unifi, and it cut through the noise like it wasn't even there. I was thrilled.

When I upgraded to the 802.11ac long range access points, they were even better than my first one (I presume it was 2.4Ghz only b/g/n? I can't remember)

I didn't think it was possible, but these Ruckus units blow away the Unifi AP's from a radio signal perspective. Like, night and day. I am very happy.

They are pricy, but I guess you get what you pay for.

My only complaints (and these are minor) with the R650 and Unleashed combo are:

1.) Limited client activity and traffic logging (but maybe I just haven't figured out how to do this right yet)
2.) Seriously long boot times when you make a configuration change that requires rebooting a unit. (which thankfully is rare)

I have two of them set up, both using the aforementioned DC-> DC PoE injectors. One with a ~25ft Cat6 cable and one with a 75ft cat6 cable.

The Injectors are only rated for gigabit, but they do negotiate 2.5gig. Except the one with the longer cable eventually drops down to gigabit.

Right now I have them going into one of the 10gig SFP+ ports each of my Mikrotik CSS326-24G-2S+RM switches using one of Mikrotiks S+RJ10 2.5/5/10 SFP+ to copper adapters and then going into the Gigabit rated PoE Injectors.

Excuse this hastily edited and reused network diagram for illustrative purposes:

I knew it was no guarantee that the gigabit rated PoE injectors would work at multigig speeds, but I also knew it was a possibility, as as far as the switch and AP's are concerned, the injectors are just a cable. The PoE insertion has no part in the auto-negotiation process. As long as the signal is good enough, they will negotiate 2.5gig.

Which brings me to my only hickup thus far. The one with the longer cable - after several hours - will drop down to gigabit speeds. An anticipated risk.

It is notable that the S+RJ10 adapters run very hot (2.7W of power into a tiny footprint with limited heat dissipation will do that.

The one hooked up to the secondary device hovers at 68C at idle. The one to the Master at 72C at idle. And this is in ~67F ambient rooms.

My theory is that the temperature contributes to the dropping down to gigabit.

The CSS326-24F-2S+ switches are passively cooled which contributes tot he problem. I may try adding some small heatsinks to the SFP+ cages and some scaled back (to keep them silent) 40mm Noctuas to these switches to keep the temps down and see if that helps.

If it doesn't, maybe swapping the long run for a better category cable will help. (solid core Cat8?) I mean, Cat6 should be fine for 75ft of multigig, but I suspect the signal drops across the PoE injector. I figure since it is right on the edge of working reliably, maybe if I reduce the signal loss by switching to Cat8, the total signal loss in the chain will be low enough that it will stay at 2.5Gig permanently.

I mean, 2.5Gig is really not necessary for what I do with WiFi, but if I can I would prefer my wired network to be non-blocking as far as the AP's are concerned just on principle.

I will post back with results when I get around to it.


But all of that said, I am pretty excited about this setup. These Ruckus units really are kickass.

 

[Valnar]

But all of that said, I am pretty excited about this setup. These Ruckus units really are kickass.

A perfect summation. That's what you get with custom firmware on a Qualcomm Atheros chipset vs a consumer AP with Broadcom.

I've said it before: You can get by with consumer/home switches, maybe even a consumer router if your needs are minimal (Linksys/ASUS), but consumer WAP's are crap.

 

[dbwillis]

I switched from unifi to ruckus at home, single r610, no issues

 

[Nicklebon]

You can get by with consumer/home switches, maybe even a consumer router if your needs are minimal (Linksys/ASUS), but consumer WAP's are crap.

You might can "get by" with it but you shouldn't. All consumer networking gear is utter garbage and it is because it's garbage we are stuck with stupid standards. Anyone in the security realm will tell you wired and wireless should **NOT** be treated the same yet almost if not all home networks do.


edit - added the missed **NOT**

 

[Valnar]

I mean....even a Netgear gigabit switch will perform at gigabit speeds without interference. The same isn't necessarily true of a WAP. Also, a dumb switch without a configurable OS won't have any attack vectors. A typical home user doesn't need vlans, 802.1x, MAC filtering, etc. People on this forum are not typical.

For home firewalls...yeah. It's pretty sad out there. My lowest recommendation to the average person is an Asuswrt-Merlin enabled router with everything turned up to 11.

 

[Zarathustra[H]]

You might can "get by" with it but you shouldn't. All consumer networking gear is utter garbage and it is because it's garbage we are stuck with stupid standards. Anyone in the security realm will tell you wired and wireless should be treated the same yet almost if not all home networks do.

A basic non-managed layer 2 switch doesn't need to be fancy or enterprise, but other than that, yeah I agree.

Of course, if you run a network with multiple VLAN's like I do, except for a small desktop switch at the edges where the entire switch is on the same VLAN, unmanaged switches are not going to be terribly useful.

 

[Nicklebon]

There's more to switches than forwarding traffic. Sure they might apparently handle line rate but are they flooding ports doing it? Many do. I've got a tp link switch placed inline between an ONT and a certain ISP's gateway specifically because it doesn't handle vlan tags correctly and forwards when it should not enabling me to bypass their garbage consumer oriented gateway.

 

[Valnar]

There's more to switches than forwarding traffic. Sure they might apparently handle line rate but are they flooding ports doing it? Many do.

Sounds like a hub. Are you sure?

 

[Darunion]

Sounds like a hub. Are you sure?

Anytime someone else says hub I swear out loud.

 

[MrGuvernment]

A perfect summation. That's what you get with custom firmware on a Qualcomm Atheros chipset vs a consumer AP with Broadcom.

I've said it before: You can get by with consumer/home switches, maybe even a consumer router if your needs are minimal (Linksys/ASUS), but consumer WAP's are crap.

Ya, this is why in our next house and when Wifi8 drops officially I will likely look to buy some quality APs like the Ruckus knowing I wont have to replace them for many years to come.

 

[Nicklebon]

Sounds like a hub. Are you sure?

LOL there are many legitimate reason for a switch to forward traffic to all ports/all ports in a vlan. There are also many not so legitimate reason to do so. Also, technically per standard, there is no such thing as a gigabit hub.

 

[Nicklebon]

when Wifi8 drops officially I will likely look to buy some quality APs like the Ruckus knowing I wont have to replace them for many years to come.

BE was just ratified and BN is years away.

 

[ND40oz]

Why are you bothering with injectors, does Microtek not have a decent POE switch you can use?

 

[Nicklebon]

Why are you bothering with injectors, does Microtek not have a decent POE switch you can use?

I can't speak for OP but my guess is good old fashion $$. I have a new be AP I am testing that needs bt poe and my otherwise perfectly good poe switch can't provide enough power. I spent $55 on a 95watt injector vs a couple grand on a new 48port bt enabled switch. That said, I will be getting a 10Gb bt enabled poe switch in a few months but the need is now.

 

[Zarathustra[H]]

LOL there are many legitimate reason for a switch to forward traffic to all ports/all ports in a vlan. There are also many not so legitimate reason to do so.

You talking multicast and stuff like that?

Also, technically per standard, there is no such thing as a gigabit hub.

Yeah, hubs have been deprecated per 802.3 since 2011 now I think.

Switches - even basic ones - used to be very expensive back in the 90's. Now the basic ones are cheap enough that there is no reason for hubs to exist anymore.

 

[Zarathustra[H]]

Why are you bothering with injectors, does Microtek not have a decent POE switch you can use?

Mikrotik has been slow with multigig. They just started releasing a switch or two recently that have it. (but I don't think those have PoE) That said I am not married to Mikrotik. I'll buy whatever (non-chinese designed) switch does the job for the right price.

I just already had these switches and these 2.5/5/10gig copper adapters, so it was cheaper and easier to get a couple of injectors than to go out switch shopping. At least with my self imposed limitations of avoiding Chinese designed networking gear, as when you start eliminating all of the chinese designed Realtek based models from "the list" there isn't much left...

 

[ND40oz]

Mikrotik has been slow with multigig. They just started releasing a switch or two recently that have it. That said I am not married to Mikrotik. I'll buy whatever (non-chinese designed) switch does the job for the right price.

I just already had these switches and these 2.5/5/10gig copper adapters, so it was cheaper and easier to get a couple of injectors than to go out switch shopping. At least with my self imposed limitations of avoiding Chinese designed networking gear, as when you start eliminating all of the chinese designed Realtek based models from "the list" there isn't much left...

Since you're not using Unifi stuff, that does make it a little harder. I have the Enterprise 8 PoE ready to replace my Ruckus 7150-C12P.

 

[Nicklebon]

You talking multicast and stuff like that?

Not really, though a cheap switch that doesn't support igmp snooping would probably resort to flooding all ports vs dropping. I am speaking about typical unicast traffic. In general any time the switch doesn't know what specific port the destination MAC is on it floods the ports with the unicast packet or packets. Broadcast traffic will get flooded to all ports. Also, when the MAC table is full the switch will begin flooding all ports. All of that is normal behaviour. Where cheap switches fail is a)small lookup tables b) backplanes and CPUs that can't handle the load of all ports at capacity. A proper switch with an undersized backplane, increasingly uncommon these days, will make efforts to slow down the traffic from the source. These cheap PoS switches otoh will flood packets, drop packets and more importantly do so with no effort to resolve things.

 

[Valnar]

That would have to be a very crappy switch to not handle even a normal-to-high amount of MAC addresses.

 

[Zarathustra[H]]

Not really, though a cheap switch that doesn't support igmp snooping would probably resort to flooding all ports vs dropping. I am speaking about typical unicast traffic. In general any time the switch doesn't know what specific port the destination MAC is on it floods the ports with the unicast packet or packets. Broadcast traffic will get flooded to all ports. Also, when the MAC table is full the switch will begin flooding all ports. All of that is normal behaviour. Where cheap switches fail is a)small lookup tables b) backplanes and CPUs that can't handle the load of all ports at capacity. A proper switch with an undersized backplane, increasingly uncommon these days, will make efforts to slow down the traffic from the source. These cheap PoS switches otoh will flood packets, drop packets and more importantly do so with no effort to resolve things.

That would have to be a very crappy switch to not handle even a normal-to-high amount of MAC addresses.

Yeah, I think I agree.

Now granted, I am in a home environment, not a large business, but even my old little 5 port Netgear switches have large enough Mac address tables to support anything that will ever fit on a single /24 subnet, which is all I used at home.

I HAVE filled state tables in shitty old ISP provided routers (old school game browsers are brutal) but I don't think I've ever filled a switch Mac address table, even before I started buying better switches.