The best 802.11n wireless access point?
-
Thank you all very much for all your replies ;D
All the positive remarks have convinced me to buy a Unifi UAP-PRO device. However, there is one thing I don't understand:
- I will connect it to my switch, and then, as far as I know, all traffic will be protected by pfSense.
- So why then all the articles on the net about WEP/WPA being easy to crack? If I am protected by pfSense, my neighbor can't get on my LAN, so can't get to my device, so can't crack my WEP/WPA ???
I am sure this is a stupid question ( ;D) but I don't know that much about all of this (but I could do your taxes ;D).
-
@Hollander:
[quote]If I am protected by pfSense, my neighbor can't get on my LAN, so can't get to my device, so can't crack my WEP/WPA ???[/quote]
But your neighbour might get close enough to receive the wireless traffic and possibly get passwords, credit card numbers etc.
It can be significantly easier to listen in on WiFi traffic than it is to listen in on wired traffic.
-
The wireless encryption you use, WEP/WPA, will always be vulnerable to attack since it's broadcast to anyone in your general vicinity.
Do not use WEP since it's very easy to crack. If you stick to WPA2 and use a random passcode you will be relatively safe.
pfSense cannot protect your wifi but where it can help is separating your wifi traffic from your LAN. Connect your wifi access point to a separate interface and you can filter the traffic on it independently. Thus even if an attacker cracked your wifi encryption they would still not have general access to your LAN. Of course this can present its own set of problems since often that's exactly what you want to use wifi for yourself. ;)
Steve
-
Thank you to the both of you for replying (hi Steve, didn't know you were here also ;D :D ;D).
Ok, I was sort of mixed up assuming that PFS would protect all wireless transmissions also. I am tempted to believe that was indeed a stupid assumption, but a small part of my brain says 'I don't understand why not'. But mostly, when small parts of my brain start to complain, I tell them to shut up. After all, my brain is a democracy where the majority decides what is right for the whole of my brain ( ;D).
I have ordered the UAP-PRO (from a shop in the UK with fair prices; over here they are way overpriced), and expect arrival early next week. What I now need to find out is how to set up everything 'the smart way', given the following problem. If you choose to use top quality products, you get top quality complexity ( ;D):
- PFS 2.0.2 has 'VLANS';
- My HP 1910 switch has 'VLANS';
- The UAP-PRO wireless access point has 'VLANS';
And I don't even understand a thing about 'VLANS' 8) ( :D). Well, I understand it at the very highest level: it is a 'virtual LAN', and it appears to be used to separate different segments of the LAN. But then again, so do 'subnets'. Google is cheating on me again, because it only gives me rubbish.
So, would perhaps somebody have a link to an explanation that even a noob on these matters will understand? I would, for the so-many-time'd - be in debt for that :-[
Steve, could I ask about this:
[quote]Connect your wifi access point to a separate interface and you can filter the traffic on it independently[/quote]
I am afraid I don't understand it. What I do understand is:
- Interface 0: WAN, goes into my ISP-modem/router
- Interface 1: LAN, goes to my HP Switch.
- Interface 3: OPT, but not available for me as I was recommended to buy the separate access point for that.
So as far as I understand, my access point will connect via a network cable to my HP-1910 switch, and from there on, 'everything magically works'.
So, if I may ask: what do you mean with 'connect the WIFI-access point to a separate interface'? Which interface? I don't have that, I thought it goes into the HP Switch?
(Probably again a stupid question, sorry).
Thank you very much to all of you for all your help :-)
Bye,
-
Just plug the AP into your switch, and use WPA2/AES and a good password and you will be fine. Connecting the AP to another interface on the pfsense box is an alternate configuration that is significantly more complicated and as mentioned by Steve, may not really provide more security unless you are really fine grained about what you allow to traverse from LAN <–> WIFI which will also probably cause you headaches you don't want.
Most people just run their APs off their switch (that's how I do it) and just rely on the wifi encryption. As long as you don't use WEP as mentioned you are pretty safe, but it may be a good idea to change the password occasionally.
-
Hollander, I can't actually remember off hand what motherboard you went with in the end. :-[ However I believe you only had 2 network interfaces, yes?
Like extide said you will be fine just connecting the access point to your switch. WPA2/AES is sufficiently secure.
If you did want to isolate your wifi traffic you would have to use VLANs since you don't have a spare interface to connect it directly.
That's probably a subject for another thread though as it gets complicated. However since all your devices support VLANs you have many options available to you.
Steve
-
I use a MikroTik rb751G-2HnD, with RouterOS installed, but configured just as an AP.
It doubles as an emergency spare in case the big pfSense hardware has a blocker fault (fingers kept crossed hoping that will never happen).
-
Thank you once again for your help ;D
I will then proceed by putting it in the switch, and see how that works.
Btw: Stephen, I have the Intel mobo that you recommend in some threads. It works flawlessly. I will put the hardware specs in my sig, that is probably more comfortable for anybody who wonders what I have.
-
does any1 know of any AP similar to the below in size etc, probably with option to add rubber duck antenna. size is important for me, i don't want those big and bulky AP, minimum b/g and if possible n but not completely necessary
-
VLANs occur on layer 2 and if set up properly create separate virtual infrastructures. Subnets divide the IP space.
-
[quote]VLANs occur on layer 2 and if set up properly create separate virtual infrastructures. Subnets divide the IP space.[/quote]
This is a very helpful remark (as I am trying to figure out what I need to do with VLANs and subnets and my appliances and don't understand a thing about how to do it). So subnets are within VLANs?
-
the Ubiquiti ones have a bulky power brick, i wonder y they don't make direct socket powered access point or at least make use of modern power adapters which r tiny and very light
-
[quote]the Ubiquiti ones have a bulky power brick, i wonder y they don't make direct socket powered access point or at least make use of modern power adapters which r tiny and very light[/quote]
Not sure what you mean. I use standard PoE switches with their inline "Instant 802.3af" adapters. The more expensive "Pro" model doesn't need them.
-
[quote]does any1 know of any AP similar to the below in size etc, probably with option to add rubber duck antenna. size is important for me, i don't want those big and bulky AP, minimum b/g and if possible n but not completely necessary[/quote]
Ubiquiti Rockets or Bullets should do what you need, and they should support PoE also.
-
i don't have a PoE switch but where i plan to install this AP is next to a switch and a power socket so i was looking for something more simpler like power adapters connecting to AP directly to power it up rather than go through bulky power units or adapters etc in between
-
[quote]i don't have a PoE switch but where i plan to install this AP is next to a switch and a power socket so i was looking for something more simpler like power adapters connecting to AP directly to power it up rather than go through bulky power units or adapters etc in between[/quote]
You could always get a PoE injector. Also most things that support PoE can also use a regular power brick.
-
I'm trying to avoid the power brick, y don't they make power adapters similar to those tp-link switches, where the plug has a digital AC to DC converter and then the wire which plugs into the switch, same with the linksys ATA i have, its more convenient and lighter than the traditional transformer based power bricks, the nexus 10 power adapter is one example, if u can produce 2A out of something so light then y make traditional power bricks
-
Thank you again for all your helpful suggestions ;D
I will try to thoroughly digest it all.
As to the remarks about it being overkill, I do respect you all very much for all you know, but there are quite some articles on the net, people in other fora, that seem to disagree when it comes to Radius. I am lost in the middle :-[
My thoughts on this matter were:
- I will have wired LAN, and a wireless part, WAP.
- I will use Radius for the wired LAN. I could perhaps dismiss Radius for the guest network, so that people can go in there freely with only a user name and a password. But they won't be allowed to go on the LAN since they can not Radius-authenticate.
- From what I've understood so far (but I am most probably wrong ;D) it would require two VLANs; one for the LAN and one for the wireless. The switch then decides where to send a user to, based on the signal it gets from the Radius server (or something like that, it is not quite clear to me). As in: a user connects to the WAP: the WAP asks the Radius server for authentication. The Radius says 'I dunno that guy' ( ;D) put him in VLAN2 (being the WAP-area).
Wouldn't this make sense/be smart to do? Because even if you are able to 'hack into my WAP' you didn't authenticate with the Radius server to get into the LAN, so all you can do is stay where you are, you ugly hacker: in the WAP-area.
Thank you again for all your valuable suggestions, I will study your previous remarks thoroughly :P
-
@Hollander:
[quote]As to the remarks about it being overkill, I do respect you all very much for all you know, but there are quite some articles on the net, people in other fora, that seem to disagree when it comes to Radius. I am lost in the middle :-[[/quote]
That made me chuckle… Wait till you manually configure your first FreeRADIUS server ;D
[quote]My thoughts on this matter were:
- I will have wired LAN, and a wireless part, WAP.
- I will use Radius for the wired LAN. I could perhaps dismiss Radius for the guest network, so that people can go in there freely with only a user name and a password. But they won't be allowed to go on the LAN since they can not Radius-authenticate.
- From what I've understood so far (but I am most probably wrong ;D) it would require two VLANs; one for the LAN and one for the wireless. The switch then decides where to send a user to, based on the signal it gets from the Radius server (or something like that, it is not quite clear to me). As in: a user connects to the WAP: the WAP asks the Radius server for authentication. The Radius says 'I dunno that guy' ( ;D) put him in VLAN2 (being the WAP-area).[/quote]
Nearly… The setup should really look like Wired LAN, Wireless to your LAN, Wireless Guest.
Assuming that your switch can do dynamic VLAN assignment, the idea would be that 'unknown' clients/computers are put into the guest area or some other VLAN away from your own LAN (not the WAP area connected to your LAN).
The idea of having Radius authentication for guests on wireless is undesirable. It will possibly require the manual installation of certificates on the device each time someone wants to use your guest network with a new device. (Your guests and yourself are already familiar with X509, aren't they?) This is where the captive portal is generally used to allow web based "zero configuration" username/password authentication with a Radius backend, or just with vouchers.
-
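What the "signal" from the RADIUS server looks like in dynamic VLAN assignment, as an added example that is not part of the original thread: the server's accept message carries three tunnel attributes (RFC 2868 / RFC 3580) and the switch or AP reads the VLAN ID out of them. The VLAN numbers, account names and the rule that every unidentified client falls into the guest VLAN are assumptions modelled on the reply above.

```python
import struct

# Hypothetical VLAN plan and accounts, constructed for this example.
VLAN_LAN, VLAN_WIFI, VLAN_GUEST = 10, 20, 30
KNOWN_USERS = {"desktop": VLAN_LAN, "laptop": VLAN_WIFI}

# RADIUS attribute numbers and values used for VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def choose_vlan(identity, authenticated):
    """Assumed policy: anyone not positively identified lands in the guest VLAN."""
    if authenticated and identity in KNOWN_USERS:
        return KNOWN_USERS[identity]
    return VLAN_GUEST


def _tlv(attr_type, value):
    """One RADIUS attribute: type byte, length byte (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_attributes(vlan_id):
    """Server side: the three attributes that tell the switch or AP which VLAN to use."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tag = b"\x00"  # tag 0: the attributes are not grouped
    return (_tlv(TUNNEL_TYPE, tag + TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, tag + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))


def decode_vlan(attributes):
    """Switch side: return the VLAN ID, or None unless all three attributes are valid."""
    seen, pos = {}, 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            return None
        attr_type, length = attributes[pos], attributes[pos + 1]
        if length < 3 or pos + length > len(attributes):
            return None  # truncated or malformed attribute: assign nothing
        seen[attr_type] = attributes[pos + 2:pos + length]
        pos += length
    if int.from_bytes(seen.get(TUNNEL_TYPE, b"")[1:], "big") != TYPE_VLAN:
        return None
    if int.from_bytes(seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != MEDIUM_IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:
        group = group[1:]  # strip the optional tag byte
    return int(group) if group.isdigit() else None
```
-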
[quote]if u can produce 2A out of something so light then y make traditional power bricks[/quote]
What country are you in xbipin? That's probably going to be your answer.
Years ago most stuff used to have the power supply inside it and be connected directly with a mains cable. When manufacturers started selling worldwide it became much cheaper to move the power supply outside the product so that they could make a single identical model (of whatever) and use a different power supply for each country. Those are often locally sourced, particularly if you have some odd AC outlets. It then comes down to what's cheapest and for small numbers a transformer based power supply can be cheaper/quicker to produce especially if its output is a bespoke voltage.
I suspect that a large proportion of Ubiquiti customers never use a power supply directly. Is it possible to buy their products without the power supply?
Steve