Looking for new Networking Equipment - Gateway/Firewall + AP

dalekphalm

Hey guys,

 

I have a full stack of Meraki gear at home right now (thank you webinar free gear!):

MX64 Gateway

MS220-8P POE L2 Switch

MR33 AP

 

The Meraki licensing for these recently expired, so I'm on my 30-day expired license extension (20 days left).

 

I'm looking for suggestions for some replacement equipment - ideally either prosumer or entry level enterprise.

 

Specifically I would like to replace the Gateway and the AP. The Switch, I don't really use the managed features of it (and the only POE device is the Meraki AP), and I have some dumb Gigabit switches and some old Enterprise Gigabit switches, so that's not a requirement.

 

I have a TP-Link Archer C9 Router that I could use. As far as WIFI routers go, it's a pretty good one, but it's using a bit older AC tech. I live in a fairly small basement apartment, but even the MR33 was never able to achieve anything close to LAN speeds.

 

Things that I would like to have support for:

Ability to host a VPN server straight from the Firewall/Router

Dynamic DNS service (bonus if it's built-in without the need for additional third party services)

Bonus if it does IPS, etc.

 

Price: No specific budget. Just looking at options right now, as I can jump back to the Archer C9 in the short term. Looking for things that are more affordable, yet will still provide some enterprise features.

 

I've considered UBNT products in the past - specifically one of the EdgeRouters and one of the Unifi AP's - but if there are other suggestions, I'm definitely looking to see what things people are using.

 

I did have a look at the UBNT Dream Machine, but the non-pro version apparently has garbage throughput when you're using any of the intrusion defense systems, and the Pro version is goddamn expensive.

 

I'm not married to UBNT, it's just been the most prolific "prosumer" type Enterprise gear.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


I'm a sucker for untangle. Pretty easy to use. Pretty web interface, lots of filtering options. Pretty good free version, or 50 bucks a year for home version for full web filter, and l2tp vpn and other advanced features.

I love the unifi aps, have a lot, they all work well. There aren't great computers in the price range I have found with onsite controller + no monthly fees. TP link omada is probably the closest you can get.


4 minutes ago, Electronics Wizardy said:

I'm a sucker for untangle. Pretty easy to use. Pretty web interface, lots of filtering options. Pretty good free version, or 50 bucks a year for home version for full web filter, and l2tp vpn and other advanced features.

I love the unifi aps, have a lot, they all work well. There aren't great computers in the price range I have found with onsite controller + no monthly fees. TP link omada is probably the closest you can get.

Thanks for the info, I'll be taking a look at some of the products you've mentioned.

 

I'm likely to only need a single AP, so that part doesn't have to be overly complex - if I did get the Unifi AP's, I'd likely host my own controller via a VM if they still offer that option.


4 minutes ago, dalekphalm said:

Thanks for the info, I'll be taking a look at some of the products you've mentioned.

 

I'm likely to only need a single AP, so that part doesn't have to be overly complex - if I did get the Unifi AP's, I'd likely host my own controller via a VM if they still offer that option.

Yeah, I'd give untangle a try in a vm. I like it over pfsense/opnsense/sophos xg for advanced home stuff.

 

Unifi still lets you use a vm for a controller. I use them at a few locations, no issues.


5 minutes ago, Electronics Wizardy said:

Yeah, I'd give untangle a try in a vm. I like it over pfsense/opnsense/sophos xg for advanced home stuff.

I'll have a look - thanks. I see that the basic home version of the NG Firewall is $50/year, and $150/yr for the advanced home version. $50/yr (I assume USD) would be alright, if it ends up suiting my needs.

 

I would prefer to run an appliance though rather than run it as a VM, but the VM can do for testing.

5 minutes ago, Electronics Wizardy said:

Unifi still lets you use a vm for a controller. I use them at a few locations, no issues.

Excellent. I'll likely give the AP a shot in any case.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


Cisco ASR9922 and Cisco 8818 perhaps? 😛

 

Kidding aside, if it wasn't for the licenses I've got I'd be off my Meraki APs too due to licensing costs. If you want to stay enterprise-lite kind of gear perhaps some used stuff off ebay or Unifi/Mikrotik would be good options.


9 minutes ago, Lurick said:

Cisco ASR9922 and Cisco 8818 perhaps? 😛

 

Kidding aside, if it wasn't for the licenses I've got I'd be off my Meraki APs too due to licensing costs. If you want to stay enterprise-lite kind of gear perhaps some used stuff off ebay or Unifi/Mikrotik would be good options.

Yeah I'd still be using the Meraki gear if not for the steep license costs. If I were running a business out of my home or office, I could justify it, but for personal use.... no way.

 

I'll likely stay away from Mikrotik. We have a bunch at work, and I fucking hate them. The controller is confusing garbage that seems like an AP controller add-on was added as an afterthought, and we seem to need to reboot the AP's on a regular basis to get consistently good performance.


2 minutes ago, dalekphalm said:

Yeah I'd still be using the Meraki gear if not for the steep license costs. If I were running a business out of my home or office, I could justify it, but for personal use.... no way.

 

I'll likely stay away from Mikrotik. We have a bunch at work, and I fucking hate them. The controller is confusing garbage that seems like an AP controller add-on was added as an afterthought, and we seem to need to reboot the AP's on a regular basis to get consistently good performance.

Ah, I hadn't heard that about Mikrotik but good to know 🙂


21 minutes ago, Lurick said:

Ah, I hadn't heard that about Mikrotik but good to know 🙂

Maybe we just had a bad experience, but we have 2 generations of their AP's. The older generation only supports Passive PoE and doesn't conform to the standard PoE spec, so we can't power them with our HP Aruba PoE switches, we have to use a dumb PoE switch sold by Mikrotik.

 

And the controller is really the biggest hurdle. It's a pain to make even small changes, because the UI is so bad you're constantly hunting for the right tab or window.


2 hours ago, dalekphalm said:

I did have a look at the UBNT Dream Machine, but the non-pro version apparently has garbage throughput when you're using any of the intrusion defense systems, and the Pro version is goddamn expensive.

UDM "Base" gets 850Mbps minimum when IDS/IPS is enabled, but if it isn't handling a huge number of APs and clients then individual clients are definitely able to saturate a gigabit internet connection.

 

I recommend Untangle as the top choice for router, and PFSense as a second choice. Both are available either on pre-configured hardware, or to install on your own x86 system (either your own choice of hardware, or a third party "router appliance" like Protectli).

 

Unifi APs are a good choice. But so are many other brands recently. I'm loving Ruckus Unleashed, but that only makes financial sense for the home if buying used off of eBay. I chose Ruckus because I am familiar with it from work, and they have a patent on antenna-based beamforming, which is hard to measure but definitely better than the radio-based beamforming everyone else has to resort to. Also Ruckus APs were chosen as the gold-standard that all other WiFi 6 APs will be compared to, and all WiFi 6 clients will be tested against.

 

Mikrotik definitely has not made any improvements with CAPsMan in many years. I retired a CAPsMan setup of hAP-ACs in my house for the Ruckus setup.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


I've recently seen reports (YT? I think it was Level1Techs or Lawrence Systems) that Ubiquiti has changed their Terms&Conditions recently, resulting in a home-cloud solution no longer being a feasible option. Best investigate before buying anything!

"You don't need eyes to see, you need vision"

 

(Faithless, 'Reverence' from the 1996 Reverence album)


1 hour ago, Dutch_Master said:

I've recently seen reports (YT? I think it was Level1Techs or Lawrence Systems) that Ubiquiti has changed their Terms&Conditions recently, resulting in a home-cloud solution no longer being a feasible option. Best investigate before buying anything!

I’ll make sure to look into that, thanks!


6 hours ago, dalekphalm said:

I'll likely stay away from Mikrotik. We have a bunch at work, and I fucking hate them. The controller is confusing garbage that seems like an AP controller add-on was added as an afterthought, and we seem to need to reboot the AP's on a regular basis to get consistently good performance.

It's confusing because RouterOS allows you low level configuration, no different than any other enterprise CLI hierarchy, and if you could see under the hood for Meraki and Unifi, the configuration would look similar. It's just all hidden to you and automatically checks the hidden boxes that make it a smoother experience. For me, I'd rather know what my hardware is exactly doing, but that doesn't mean it cannot be a pain point. Also a controller is not necessary.

Most issues almost always revolve around Country band being incorrect. For example, if you are in the US, it needs to be set to united states 3, not united states, which would cause clients to constantly hop freq., leading to lost airtime, hence a reboot fixing it for a period of time. Also another factor is using the capsman tunnel (which is how the wiki tutorial sets it up) for forwarding traffic but the device handling does not have the resources, it's not going to be a fun time.

 

The only downside of going Mikrotik APs is 802.1k (roaming) and passive PoE. Former is not as terrible as additional config will get it nearly to the same real world experience outside VOIP being the smoothest transition and the latter needing an injector or if you have another Mikrotik, most tend to have at least a single passive PoE out. Also don't expect Wifi6 for some time.

 

Probably the best setups at the moment for your situation:

- RB4011

- hAP ac (setup as AP) that can be powered by the 4011

 

The only additional points it checks with the beta you can run Wireguard directly on the 4011 and due to its hardware can expect almost full gigabit, excluding overhead, and support basic DDNS. For another VPN service or IPS you are going to have to go the Untangle/OPNsense routes but I cannot justify the extra power, cost and troubleshooting time.

Personally I'd avoid Unifi completely. Riddled with bugs with software and GUI, GUI is terribly unorganized IMO, unnecessary controller, their "IPS" is useless and now are destroying their customer base. APs are solid but the need for a controller is asinine.

So it's up to how much do you need in terms of configuration and depth

 


  • 2 weeks later...

Hey guys just thought I'd post an update.

 

My original plan was to get a Unifi nanoHD AP, and pair it with an EdgeRouter. After costing that out, I decided instead to try the Unifi Dream Machine.

 

I read some more reviews of it, and it seemed like it's come a long way - it has a really good integrated AP, that is functionally separate. It also has the integrated controller software (though it doesn't support every type of UBNT hardware - no Camera Server NVR module for example).

 

I got a really good deal on it directly from the UBNT store ($389 CAD), which was cheaper than anywhere else I looked (including used models on eBay).

 

I haven't hooked it up yet, but I took it out of the box and damn, the physical design is pretty stunning. Very simple and elegant. Also the build quality feels excellent too. They definitely stole the "Apple" approach when it comes to packaging design as well - unboxing was a breeze.

 

I'll probably hook it up sometime this week or on the weekend (I have... 5 more days until Meraki locks me out of the existing hardware).

 

Once that's done, I'll be unclaiming the Meraki hardware and selling them (I was thinking $100 CAD each for the Gateway, AP, and PoE Switch, or $250 CAD for the whole bundle - thoughts? I based this off of sold listings on eBay).

 

I'll list them here on the forums, among other places, if anyone wants to look out for them. They're unlicensed, hence the very low cost compared to new (The newer version of the AP, the MR42, for example, retails for around $1200 CAD and comes with a 3 year license). If anyone has alternate pricing suggestions for the old hardware, please let me know (see the opening post for model numbers).

 

I'll post some pictures at some point - either here or in a new thread.


2 hours ago, dalekphalm said:

Hey guys just thought I'd post an update.

 

My original plan was to get a Unifi nanoHD AP, and pair it with an EdgeRouter. After costing that out, I decided instead to try the Unifi Dream Machine.

 

I read some more reviews of it, and it seemed like it's come a long way - it has a really good integrated AP, that is functionally separate. It also has the integrated controller software (though it doesn't support every type of UBNT hardware - no Camera Server NVR module for example).

 

I got a really good deal on it directly from the UBNT store ($389 CAD), which was cheaper than anywhere else I looked (including used models on eBay).

 

I haven't hooked it up yet, but I took it out of the box and damn, the physical design is pretty stunning. Very simple and elegant. Also the build quality feels excellent too. They definitely stole the "Apple" approach when it comes to packaging design as well - unboxing was a breeze.

 

I'll probably hook it up sometime this week or on the weekend (I have... 5 more days until Meraki locks me out of the existing hardware).

 

Once that's done, I'll be unclaiming the Meraki hardware and selling them (I was thinking $100 CAD each for the Gateway, AP, and PoE Switch, or $250 CAD for the whole bundle - thoughts? I based this off of sold listings on eBay).

 

I'll list them here on the forums, among other places, if anyone wants to look out for them. They're unlicensed, hence the very low cost compared to new (The newer version of the AP, the MR42, for example, retails for around $1200 CAD and comes with a 3 year license). If anyone has alternate pricing suggestions for the old hardware, please let me know (see the opening post for model numbers).

 

I'll post some pictures at some point - either here or in a new thread.

Nice. After you get things settled, if you want you can also run other containers on the UDM. There is an active community around it. The central point is https://github.com/boostchicken/udm-utilities

The most useful things to run are either PiHole or NextDNS, and also nTopNG if desired.


13 hours ago, brwainer said:

Nice. After you get things settled, if you want you can also run other containers on the UDM. There is an active community around it. The central point is https://github.com/boostchicken/udm-utilities

The most useful things to run are either PiHole or NextDNS, and also nTopNG if desired.

Wait you're telling me that the UDM can be extensible like that? I assume it's because UBNT's controller is ultimately still Linux underneath?

 

Very interesting. Do you happen to know of any guides for it? I'll have a look at the GitHub, but that's a bit outside my areas of expertise.


43 minutes ago, dalekphalm said:

Wait you're telling me that the UDM can be extensible like that? I assume it's because UBNT's controller is ultimately still Linux underneath?

 

Very interesting. Do you happen to know of any guides for it? I'll have a look at the GitHub, but that's a bit outside my areas of expertise.

The guides are on that github, although the structure isn’t ideal. Generally each folder for a thing has its own readme. “Support” for it is via the Unofficial Ubiquiti Discord, where boostchicken and others who contribute are normally around. The server join link is https://discord.gg/ui

 

The UDM has two operating systems. First it boots UbiOS which is a custom buildroot based Linux distribution. UbiOS on the UDM runs Podman, which is docker compatible. One of the containers is UnifiOS, which is a Ubuntu derivative they use to run the controller(s).

 

The UDM-Utilities project takes advantage of how Ubiquiti does their updates to slip in extra containers and a method to run things on boot. For Ubiquiti to block this they would need to completely rearchitect it.
