skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Rakeris posted:

So you don't have to use the gateway but it has its own downsides, I use the dumb switch bypass (easy to find on google) for it, which works really well however if your power goes out you have to connect the gateway back to the ont for a couple seconds and then you can unplug it again.

I suppose a UPS could fix this to some degree but I haven't bothered with that yet, as it's pretty infrequent that we lose power.

There's a newer authentication method being rolled out where the bypass doesn't work anymore. It may work for now, but if AT&T changes things, it'll stop working.

https://www.dslreports.com/forum/r32839785-AT-T-Fiber-Gateway-bypass-with-WPA-supplicant-stopped-working-2-days-ago


Impotence
Nov 8, 2010
Lipstick Apathy

SwissArmyDruid posted:

UDM (the Trashcan Mac, non-rackmount one) also demands that you create a Ubiquiti cloud account with no options for local credentials only, before you can access any functions. It won't even function as a dumb switch in the meantime.

Combined with their most recent data breach of customer information, and it's enough to put anyone off Ubiquiti.

In case anyone was wondering, I've decided on getting something midway up the stack from Netgate.

Netgate has had a few interesting scandals/history of hating open source, including one this month regarding some apparently ludicrously insecure and rushed security code

text editor
Jan 8, 2007

Biowarfare posted:

Netgate has had a few interesting scandals/history of hating open source, including one this month regarding some apparently ludicrously insecure and rushed security code

Worse, they were trying to push a bloated and buggy version of their code into FreeBSD upstream and threw a tantrum and a half when the guy who defined the WireGuard protocol stepped in to rewrite it from scratch.

Rakeris
Jul 20, 2014

skipdogg posted:

There's a newer authentication method being rolled out where the bypass doesn't work anymore. It may work for now, but if AT&T changes things, it'll stop working.

https://www.dslreports.com/forum/r32839785-AT-T-Fiber-Gateway-bypass-with-WPA-supplicant-stopped-working-2-days-ago

Weeeelll that blows, hopefully the rollout is as painfully slow as most things AT&T does.

SwissArmyDruid
Feb 14, 2014

by sebmojo

Biowarfare posted:

Netgate has had a few interesting scandals/history of hating open source, including one this month regarding some apparently ludicrously insecure and rushed security code

Yeah, I did read about that, but the STH article that I read seemed to pass it off more as "this code needs more time, don't use it for now". Since moving my VPN's configuration over to the router is more headache than I care to put up with, I was intending to just keep using it at the client level, but you make it sound like there's actual fighting going on.

SwissArmyDruid fucked around with this message at 02:01 on Mar 25, 2021

PowFu
Dec 31, 2010
Hello everybody, I'm moving to a new place and need to set up my own network. I read the router recommendations in the OP and "TP-LINK Archer C5 (AC1200) $75-$120" suits my situation. Given that the OP was last edited nearly 3 years ago, does this recommendation still hold up?

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


Well, it's not going to not work, but it's not part of their current range anymore. The C6, C7 and C8 still are, though.

It's a 2x2 device that promises 867Mbit/s, with the usual disclaimers, i.e. that's the best-case maximum connection speed you can get if you're very close to the router, and actual throughput will be around 60-80% of that. 500Mbit/s is faster than most internet connections, so it's not going to be a bottleneck in that regard.

Most client devices are 2x2 aside from high-end laptops and such that are 3x3 or very rarely 4x4, so realistically an AP that claims to be faster on paper will end up at the same speed in real world use.

What you'll be missing out on in comparison to the newer 4x4 and 8x8 routers is the fancy-pants beamforming, optimization for multiple client devices and other tricks high-end routers can use to increase signal strength for devices that are farther away. You also won't be getting Wifi 6 (802.11ax), but very few devices support that at the moment. Plus Wifi 6E is coming out with a wider frequency spectrum and current Wifi 6 devices will (probably) not be able to support that.

So it'll work, but I wouldn't buy it unless it was 50% off or something.

KozmoNaut fucked around with this message at 16:56 on Mar 27, 2021

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
At that price range I'd be looking at the A10 (currently $99@ Amazon) or the AX50 (currently $129@ Walmart). Depending on if you have more devices connected to 2.4ghz using 802.11n or if you'd rather be able to support WiFi6.

Xaintrailles
Aug 14, 2015

:hellyeah::histdowns:
Is there a recommended USB wifi adapter, and/or PCIe wifi6 adapter? My current USB one is getting flaky, and I'm considering getting a wifi6 router, so if I'm buying something anyway wifi6 support is a plus.
PCIe wifi6 adapters are all based on the same Intel chip anyway, I think.

Tuxedo Gin
May 21, 2003

Classy.

Xaintrailles posted:

Is there a recommended USB wifi adapter, and/or PCIe wifi6 adapter? My current USB one is getting flaky, and I'm considering getting a wifi6 router, so if I'm buying something anyway wifi6 support is a plus.
PCIe wifi6 adapters are all based on the same Intel chip anyway, I think.

I've been using the TP-Link TX3000 PCIe adapter and it's great in that I have had no problems whatsoever.

Ffycchi
Jun 4, 2014

Sigh...challenge accepted...shitty photoshop incoming.

SwissArmyDruid posted:

UDM (the Trashcan Mac, non-rackmount one) also demands that you create a Ubiquiti cloud account with no options for local credentials only, before you can access any functions. It won't even function as a dumb switch in the meantime.

Combined with their most recent data breach of customer information, and it's enough to put anyone off Ubiquiti.

In case anyone was wondering, I've decided on getting something midway up the stack from Netgate.

Anyone who is at the level of using unifi at home and doesn't have 2fa enabled and rolling passwords via something like bitwarden almost deserved to be breached.

That being said, while setup requires a cloud account you can actually use local information and cut it off from their cloud services. It's just kind of dumb to do that when the cloud access gives so much ease of use.

Unifi's market is SMB, prosumers, IT home labs, and rich people with on-call IT. It's really not built for your average consumer. I only recommend it to people with a bit of savvy or deep pockets.

As for netgate....the people above have really said it all. They are not exactly a paragon of virtue.

SwissArmyDruid
Feb 14, 2014

by sebmojo
And as I've said before: If you can't bootstrap it from ground zero without an internet connection, you don't actually own it. I do not feel like paying $300 to not own the gateway I paid for.

movax
Aug 30, 2008

SwissArmyDruid posted:

And as I've said before: If you can't bootstrap it from ground zero without an internet connection, you don't actually own it. I do not feel like paying $300 to not own the gateway I paid for.

I got a UDM-Pro for my parents, ostensibly for simplicity but the remote interface won't even let me issue an update remotely and I'm almost afraid to do so now. I've gotten much more comfortable with the CLI on the EdgeRouter 4 now (since I have one here) and I'm tempted to just replace their UDM-Pro with an ER-4 and then put a Cloud Key there, or run it from my place over a WireGuard tunnel.

DearSirXNORMadam
Aug 1, 2009
Thread question, I don't know how viable this really is (or if this is exactly the right place to ask?):

I'm going to need to get a personal computer again soon, but I'm working on a budget. The performance envelope for budget desktops is obviously much beefier than for budget laptops, but desktops are... desktops. Has anyone had luck with buying a cheap-to-very-cheap laptop and remoting into a desktop for performance-intensive stuff? Mostly I'm concerned with a bit of computational biology, but if it's viable for gaming that would be a big bonus. I haven't played with remote desktop software in years, but all I remember from back in the day was that it was a laggy nightmare. Is there anything on the market right now that is reasonably fast and not a total pain to set up? Ideally I'd want to do both ethernet and IP, but if it only works well over ethernet that might still be ok.

Ffycchi
Jun 4, 2014

Sigh...challenge accepted...shitty photoshop incoming.

movax posted:

I got a UDM-Pro for my parents, ostensibly for simplicity but the remote interface won't even let me issue an update remotely and I'm almost afraid to do so now. I've gotten much more comfortable with the CLI on the EdgeRouter 4 now (since I have one here) and I'm tempted to just replace their UDM-Pro with an ER-4 and then put a Cloud Key there, or run it from my place over a WireGuard tunnel.

Update the controller and firmware to the latest beta. Has configurable automatic updates.

Also you can remotely update it through ssh.

Xaintrailles
Aug 14, 2015

:hellyeah::histdowns:

Tuxedo Gin posted:

I've been using the TP-Link TX3000 PCIe adapter and it's great in that I have had no problems whatsoever.

Danke, bought.

LRADIKAL
Jun 10, 2001

Fun Shoe

Mirconium posted:

Thread question, I don't know how viable this really is (or if this is exactly the right place to ask?):

I'm going to need to get a personal computer again soon, but I'm working on a budget. The performance envelope for budget desktops is obviously much beefier than for budget laptops, but desktops are... desktops. Has anyone had luck with buying a cheap-to-very-cheap laptop and remoting into a desktop for performance-intensive stuff? Mostly I'm concerned with a bit of computational biology, but if it's viable for gaming that would be a big bonus. I haven't played with remote desktop software in years, but all I remember from back in the day was that it was a laggy nightmare. Is there anything on the market right now that is reasonably fast and not a total pain to set up? Ideally I'd want to do both ethernet and IP, but if it only works well over ethernet that might still be ok.

Like.. you want a laptop and a desktop in your house so you can remote into the performance desktop from the couch? Also game streaming? You're also on a budget?

I suppose the ideal thing would be to get a minimum spec set top box that can do Steam/Nvidia remote streaming, and have that wired to your network, get a 200 dollar chromebook for couch which you remote into your desktop in the other room. The budget build is probably to get a desktop and use that.

Rooted Vegetable
Jun 1, 2002

Mirconium posted:

Has anyone had luck with buying a cheap-to-very-cheap laptop and remoting into a desktop for performance-intensive stuff?

Yeah I do that all the time with my Unraid server running VMs. I use Chrome Remote Desktop mostly for typical desktop and Steam Link for gaming. I've got RDP and vnc by browser as options.

Decent network helps.

rufius
Feb 27, 2011

Clear alcohols are for rich women on diets.

Rooted Vegetable posted:

Yeah I do that all the time with my Unraid server running VMs. I use Chrome Remote Desktop mostly for typical desktop and Steam Link for gaming. I've got RDP and vnc by browser as options.

Decent network helps.

Parsec is the best Remote Desktop option for gaming. It’s designed specifically for gaming so low latency is a big focus. Which also means it’s very effective as a general purpose Remote Desktop tool as well.

https://parsec.app

rufius
Feb 27, 2011

Clear alcohols are for rich women on diets.
Ooo get mad Ubiquiti nerds (including me):

https://mobile.twitter.com/superdealloc/status/1376626243865604100

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

This doesn't seem all that bad to me

Sniep
Mar 28, 2004

All I needed was that fatty blunt...



King of Breakfast
I mean, that screen shot is going thru unifi.ui.com, the cloud management shits. I have all that off anyway, I just use it on a local hostname and I'd be real surprised if it showed up there.

SwissArmyDruid
Feb 14, 2014

by sebmojo

fletcher posted:

This doesn't seem all that bad to me

I don't have a nice way of saying this, and may very well catch a probe for this, but people like you are the reason that (X)aaS exists.

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


Advertising. In your network management.

fletcher posted:

This doesn't seem all that bad to me

It is intensely bad. It's on the level of Samsung sneaking advertising into the channel guide and selection screens on their TVs, just massively making GBS threads on their paying customers.

E: Read the thread. They're brazen enough to call it "not an ad, more like a new look", for something that steals 1/3rd of the screen space for advertising.

I'm glad I went with Mikrotik instead of Ubiquiti.

KozmoNaut fucked around with this message at 08:47 on Mar 30, 2021

Fats
Oct 14, 2006

What I cannot create, I do not understand
Fun Shoe

Sniep posted:

I mean, that screen shot is going thru unifi.ui.com, the cloud management shits. I have all that off anyway, I just use it on a local hostname and I'd be real surprised if it showed up there.

I don't know if it always looks like this, I just got my UDMP and switch, but the local interface with the new UI has a fat ad at the bottom:



Will it still be there when they finally ship my U6-LR? Who knows.

I will say, other than an extremely limited UI compared to the theoretically worse Asus router I had before, and a weird IPv6 issue with Comcast, I like the hardware.

Internet Explorer
Jun 1, 2005

SwissArmyDruid posted:

I don't have a nice way of saying this, and may very well catch a probe for this, but people like you are the reason that (X)aaS exists.

You're not going to catch a probe for it, but it's a pretty silly thing to say. There are all sorts of reasons IaaS / SaaS / PaaS / *aaS exists, and it's not because someone doesn't mind that an ad for a manufacturer's product got injected into one of their interfaces. And it's not like *aaS is bad and if you use it you should be ashamed of yourself or are somehow less of a technical übermensch or something. I'd be more worried about people who straight up refuse to use *aaS.

Horse Clocks
Dec 14, 2004


Is there a firewall distribution for x86 systems that's a bit simpler than opnsense/pfsense?

My pfsense install shat the bed when upgrading to 2.5 and got stuck in a boot loop. Now I’m back to working out the minor details to get things working again.

All I really need is all outbound WAN connections run through a VPN service at 1gbps. I *had* pfsense doing this with multiple OpenVPN connections and then load balancing gateways. But damned if I can get it to do it again.

I also had a couple of separate VLANs set up to isolate some IoT devices, but allow access to one or two services inside the network. But I don't really need that any more.

Complicated things are fine and good, if you can remember how to use it between the 3-yearly failures... which I never can.

HalloKitty
Sep 30, 2005

Adjust the bass and let the Alpine blast

fletcher posted:

This doesn't seem all that bad to me

Nah, it's pretty bad

Less Fat Luke
May 23, 2003

Exciting Lemon

Sniep posted:

I mean, that screen shot is going thru unifi.ui.com, the cloud management shits. I have all that off anyway, I just use it on a local hostname and I'd be real surprised if it showed up there.

It does show up locally if you're using the UDM non-pro. The pro puts a bunch of stats and poo poo in that pane and the UDM in the latest firmware shows a big ad for UDM Pro.

Also if your Internet connectivity has issues you get a pop-up for Unifi LTE.

It really sucks cause drat, the prosumer (ugh) alternatives are much worse.

rufius
Feb 27, 2011

Clear alcohols are for rich women on diets.

Horse Clocks posted:

Is there a firewall distribution for x86 systems that's a bit simpler than opnsense/pfsense?

My pfsense install shat the bed when upgrading to 2.5 and got stuck in a boot loop. Now I’m back to working out the minor details to get things working again.

All I really need is all outbound WAN connections run through a VPN service at 1gbps. I *had* pfsense doing this with multiple OpenVPN connections and then load balancing gateways. But damned if I can get it to do it again.

I also had a couple of separate VLANs set up to isolate some IoT devices, but allow access to one or two services inside the network. But I don't really need that any more.

Complicated things are fine and good, if you can remember how to use it between the 3-yearly failures... which I never can.

Simple is a relative word. What I am about to describe is relatively simple but I wouldn't call it easy.

For what you’re describing, OpenBSD + pf is quite easy to setup. It can also be made to do very complex things.

I like OpenBSD + pf for a lot of these scenarios because it’s straightforward to work with.

To be clear though, there’s no GUI here. You’re remoting into an OpenBSD server to configure it.

For example, the following config drops all inbound traffic except HTTP, HTTPS, and port 8738 (used for SSH):

code:

# Macros and global options first (pf.conf convention: macros, options, then rules)
ext_if="xnf0"
tcp_pass="{http https 8738}"	# SSH listens on 8738 here instead of 22

set skip on lo			# do not filter loopback traffic
set block-policy drop		# a plain "block" silently drops instead of sending RST/ICMP
set reassemble yes

# pf evaluates filter rules top to bottom and the LAST matching rule wins.
# The two stock-pf.conf defaults below match everything, so the later
# "block drop all" supersedes them; they are kept here as in the post.
block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
# (also superseded by "block drop all" below, which drops rather than returns)
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
# (note: the later "pass out" is the last match for this traffic as ordered)
block return out log proto {tcp udp} user _pbuild

# Default deny: block everything in both directions, then re-open selectively
block drop all

# Allow all outbound traffic (stateful, so replies are matched by state)
pass out

# Allow SSH (8738), HTTP, and HTTPS inbound on the external interface only
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_pass

PS: pf is actually what OPNsense/pfSense also use though they use a fork of the code from when FreeBSD integrated it. Pretty similar but there are differences.

Edit: clarifier
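As an added illustration (not part of rufius's post, and not pf itself), here is a small Python model of how pf evaluates the filter rules quoted above: top to bottom, with the last matching rule deciding the packet. The rule list mirrors the posted config in order; the user-based `_pbuild` rule is omitted because it needs socket-owner information, and `quick` is not modelled since the post does not use it.

```python
"""Model of pf's last-match-wins evaluation for the pf.conf posted above.

Added illustration, not pf itself: it only models direction, interface,
protocol and destination port, which is all the posted rules use.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

EXT_IF = "xnf0"              # ext_if="xnf0" in the post
TCP_PASS = {80, 443, 8738}   # tcp_pass="{http https 8738}"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on
    proto: str       # "tcp", "udp", ...
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass", "block drop" or "block return"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None         # None matches any interface
    negate_iface: bool = False          # models "on ! lo0"
    protos: Optional[frozenset] = None  # None matches any protocol
    dports: Optional[frozenset] = None  # None matches any destination port
    text: str = ""                      # the pf.conf line being modelled

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        # With negation, the rule matches only when the interface differs.
        if self.iface is not None and (p.iface == self.iface) == self.negate_iface:
            return False
        if self.protos is not None and p.proto not in self.protos:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


# The posted filter rules, in the order they appear. The user-based _pbuild
# rule is omitted (it needs socket-owner data); set/macro lines filter nothing.
RULES = [
    Rule("block return", text="block return"),
    Rule("pass", text="pass"),
    Rule("block return", "in", "lo0", negate_iface=True, protos=frozenset({"tcp"}),
         dports=frozenset(range(6000, 6011)),
         text="block return in on ! lo0 proto tcp to port 6000:6010"),
    Rule("block drop", text="block drop all"),
    Rule("pass", "out", text="pass out"),
    Rule("pass", "in", EXT_IF, protos=frozenset({"tcp"}), dports=frozenset(TCP_PASS),
         text="pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_pass"),
]


def evaluate(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule text) of the last matching rule.

    pf's implicit default when nothing matches is to pass the packet, which
    is exactly why "block drop all" belongs in the ruleset.
    """
    decision = ("pass", "implicit default (no rule matched)")
    for r in rules:
        if r.matches(p):
            decision = (r.action, r.text)
    return decision


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("in", EXT_IF, "tcp", 443),    # HTTPS: passed by the final rule
        Packet("in", EXT_IF, "tcp", 8738),   # SSH on the non-default port: passed
        Packet("in", EXT_IF, "tcp", 22),     # stock SSH port: dropped
        Packet("in", EXT_IF, "tcp", 6000),   # X11: "block drop all" is the last match
        Packet("in", EXT_IF, "udp", 53),     # inbound DNS: dropped
        Packet("out", EXT_IF, "tcp", 53),    # outbound anything: passed
    ]
    for s in samples:
        action, why = evaluate(s)
        print(f"{s.direction:3} {s.proto}/{s.dport:<5} -> {action:12} ({why})")
```

Passing `rules=RULES[:3]` shows the X11 rule deciding port 6000 on its own, which the full ruleset's later `block drop all` overrides.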

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

Mackieman posted:

Do any of you guys have recent experience with AT&T fiber? I just bought a house and it has an SFP termination box bringing in fiber from the street. The bottom of that box has an RJ-45 connector but I'm not sure if AT&T will require the use of their gateway or if I can plug in my ER-X and be off to the races. I'd really rather not have their gateway in the middle if I can help it.

The type of gateway they install will dictate whether you're going to be able to sidestep their gateway or not. I took the lazy way out and just bought a set of certificates off of ebay that I can use with eap-proxy to completely bypass the AT&T gateway and it's served me well for a while now. That said, as others mentioned they are transitioning to another type of auth that will supposedly break this workaround so depending on their schedule that tactic is on borrowed time.

KozmoNaut posted:

It is intensely bad. It's on the level of Samsung sneaking advertising into the channel guide and selection screens on their TVs, just massively making GBS threads on their paying customers.

It... isn't, though. Samsung wasn't advertising their other related home theater products to you that I recall, they were doing third party ads which is entirely different than the controller going "hey you don't have our wifi, here's an ad for it." It's annoying they made them more obnoxious than the previous "no USG detected, network statistics unavailable" with a link to the USG sales page but the sky isn't falling by any means yet.

withoutclass
Nov 6, 2007

Resist the siren call of rhinocerosness

College Slice
Staying on controller version 5 forever it seems, no ads for me.

ROJO
Jan 14, 2006

Oven Wrangler
No ads for me, but I'm on a USG4-PRO (latest 6.X update though). That would piss the hell out of me.

edit: nvm, not on the latest controller firmware, mine is a month old or so. not touching that update button (good Unifi rule in general IMO).

Internet Explorer
Jun 1, 2005

From a UI perspective, if they had an X button to close it out, I wouldn't even bat an eyelash.

From a security perspective, it seems fine to me at first thought, but I'm not an infosec guru. I feel like this is actually the biggest concern, but I haven't seen anyone weigh in on it.

I get that Ubiquiti doesn't really deserve the benefit of the doubt here, but this doesn't seem all that egregious to me. There are so many vendors in the tech space and they all suck in their own way.

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy

Horse Clocks posted:

Is there a firewall distribution for x86 systems that's a bit simpler than opnsense/pfsense?

My pfsense install shat the bed when upgrading to 2.5 and got stuck in a boot loop. Now I’m back to working out the minor details to get things working again.

All I really need is all outbound WAN connections run through a VPN service at 1gbps. I *had* pfsense doing this with multiple OpenVPN connections and then load balancing gateways. But damned if I can get it to do it again.

I also had a couple of separate VLANs set up to isolate some IoT devices, but allow access to one or two services inside the network. But I don't really need that any more.

Complicated things are fine and good, if you can remember how to use it between the 3-yearly failures... which I never can.

There is https://vyos.io/ which is cli only, which can be more complicated up front but once you understand it, it's more manageable to look at 1 screen of text config than a gui with a bunch of submenus that gets shuffled around all the time. Also it's 95% the same syntax as Ubiquiti EdgeOS.

Perplx fucked around with this message at 17:40 on Mar 30, 2021

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

KozmoNaut posted:

Advertising. In your network management.


It is intensely bad. It's on the level of Samsung sneaking advertising into the channel guide and selection screens on their TVs, just massively making GBS threads on their paying customers.

E: Read the thread. They're brazen enough to call it "not an ad, more like a new look", for something that steals 1/3rd of the screen space for advertising.

I'm glad I went with Mikrotik instead of Ubiquiti.

It's not some random third party ads though, which would certainly be egregious. Yeah it's certainly not ideal but at least it's just ads for other Ubiquiti products in the space of the UI where features from that product would normally be

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


H2SO4 posted:

It... isn't, though. Samsung wasn't advertising their other related home theater products to you that I recall, they were doing third party ads which is entirely different than the controller going "hey you don't have our wifi, here's an ad for it." It's annoying they made them more obnoxious than the previous "no USG detected, network statistics unavailable" with a link to the USG sales page but the sky isn't falling by any means yet.

fletcher posted:

It's not some random third party ads though, which would certainly be egregious. Yeah it's certainly not ideal but at least it's just ads for other Ubiquiti products in the space of the UI where features from that product would normally be

If they had put an ad on the login screen or something, sure. But they put it taking up a full 1/3rd of the screen at the top, in absolute prime real estate, in the management software used by people who have presumably already paid Ubiquiti a bunch of money for their hardware.

At the very least, they could have put the ad on the bottom of the page, if they absolutely have to have it. Or as some "additional products that work with this function you're looking at" in a place that doesn't wreck the UI. Or they could have put it in their opt-in marketing emails.

Doing what they did stinks of marketing-mandated upsell. I'm sick of the greater IT world somehow being fine with annoying their customers for stupid sales tactics.

H110Hawk
Dec 28, 2006

fletcher posted:

This doesn't seem all that bad to me

Internet Explorer posted:

From a UI perspective, if they had an X button to close it out, I wouldn't even bat an eyelash.

Still :wrong: - it's still bad. If they want a tab on the right that is "Check out new products" fine. Basically a link to their store. But a masthead-sized display ad on the product I paid for? gently caress right off.

movax
Aug 30, 2008

They have some loving product managers there that are hell bent on driving the reputation into the ground. Apparently all of the good engineers left awhile ago, and to me they more or less appear to have the majority of their developers be mediocre web devs and then a smaller group of people working with MediaTek and Qualcomm on the actual AP software.

EdgeOS seems OK...for now.

e: Oh, loving neat (https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/)

quote:

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

For me, it's loving Protect that makes me even tolerate the SSO / cloud aspect of it -- otherwise, I have local accounts set up on my Cloud Key (I think with the most recent update, they 'merged', but I still have a local account I can auth with) and I have NextDNS kill off the DNS queries to trace.svc.ui.com or whatever.

movax fucked around with this message at 19:41 on Mar 30, 2021


skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Just came here to post that.

Glad I haven't committed to the entire UniFi stack yet.
