Wifi AC



  • Bumping an old thread... posted a comment on the thread that got this response brewed, but wanted to post it here too. Seems like UniFi would be a great way to go if you didn't already have a significant investment in equipment that could easily be converted if FreeBSD got its act together and supported AC. It's gonna be around for a while longer... why not get some official support on the subject?

    I've used a mixture of UniFi, Fortigate, Cisco, HPE, Zyxel, TRENDnet, Netgear, Ruckus, TP-Link... at the end of the day, I would like to use pfSense on the WRT1900AC that I have at home. Why? Cause it's pretty badass. Also cause the guys at Belkin/Linksys actually had talks with Netgate about getting a pfSense distribution together for it and many of its other devices... but you know what? I'm messing around with DD-WRT because it supports the WiFi. The whole point is if you have an already good device, why not make it better? UniFi isn't bad but I really don't see the point in wasting more money on equipment unless you're going for enterprise grade protection... which pfSense already does for free...

    Does anyone see what's wrong with this picture?



  • Don't hold your breath on getting AC support in FreeBSD. Why not load DD/Open/WRT or whatever on your WRT1900AC, use it as an AP, and load pfSense on another box for the firewall? Wireless on the firewall itself means it is rarely in an ideal position.



  • That is what I did lol.

    Would’ve been nice to have pfsense running instead though, cause ddwrt doesn’t exactly work as well as pfsense does. That was my reasoning.


  • Banned

    @mcc85 said in Wifi AC:

    at the end of the day, I would like to use pfSense on the WRT1900AC that I have at home.

    You can't anyway, there are no community builds for ARM based hardware.



  • I saw a post on linksys forum that said they were working on it but WiFi ac would require another adapter.

    But anyway, I've been looking into other ways to skin the cat. Not sure if it's blasphemy for me to say the words "what about OPNsense"? As it is ddwrt is working fine, but it's a lot less intuitive and not nearly as responsive.

    Is there another BSD distribution that would do this? Maybe community editions get a lot less love. Hence why Ubiquiti or OPNsense will probably overrun this at some point...

    All the great software always has some flaw that reduces the desire to use it ...



  • @mcc85
    Op... The fork that shall not be named is also based on FreeBSD, so has the same wireless functionality. I understand the sentiment, but most business or home setups use a mix of technology. I see no problem using a firewall that is focused on its role and having a separate WiFi solution. For the immediate future, BSD is simply not the best choice for access points. I've used WRT routers in the past, but UniFi has great functionality for its price point.



  • Isn't UniFi based on FreeBSD or some version of Linux? Do they not have the same roots? If it works on Linux, why doesn't it work on BSD?

    Maybe I'm at a loss when you bring up those points... but I'm not saying UniFi isn't a good way to go, I just fail to see why pfsense is ready to throw in the towel to it.

    Perhaps you see that I am trying very hard to advocate for some “sense” in this world, whether it’s a small wrt router, or it’s a mega enterprise gateway... I really like using it and the fact that it’s free leaves me to believe that it’s worth making it work somehow without making a compromise that jumps ship.

    Just my two cents.



  • The whole point is that I should be able to integrate as many services into one device as I see fit that don’t require virtualization, more equipment, other software packages, or another monetary investment.

    I see a way to have the sense box run Apache or web server for other sites not just the config panel, since it has the software libraries for it and happens to be deadly in security... using that in combination with vpn tunnels and everything else, I see no reason why it couldn’t be a hell of a lot more than it already is.

    This is just one example, and maybe the engineers and devs aren't ready for that kind of commitment... but sense is very scalable and I like the product that it is enough to try and ask the questions that others haven't.



  • UniFi is Linux based. I don't see it as throwing in the towel, more like concentrating on core strengths. Putting the AP on the firewall is a compromise anyway, most enterprise firewalls don't have built in wireless. Using the right tool for the right job is not jumping ship. There are enough alternatives for running an access point that very few people are concerned about the poor wireless support in pfSense. My guess is that the greatest push for AC would be coming from desktop FreeBSD users, and that's a fairly small group as well.



  • So you’re saying it’s not worth the trouble?

    Having an integrated WAP would only be a compromise if you didn’t know how to secure it.

    As it is, wireless is another beast, but sense does support non-ac... right?

    Not to mention, those little zotac boxes come with this little adapter that has wireless but I’ve had to turn it off or disable it every time I’ve had to install sense onto them... simply because I did have another access point to use.

    But a lot of access points suck. Would be nice to load them up with something that makes sense. Cisco equipment can have its firmware IOS changed too, right?

    I guess what I'm saying is that with enough talent, knowledge, and dedication, one could turn any networking device into something completely different if it has the capabilities. We're not building things out of LEGOs, these are highly capable networking switches and it'd be nice to apply the same software to them all, especially if they're doing that already with the commercial grade equipment by Netgate.

    Idk. I don’t see myself as very complacent... and rather than mitigate my curiosity, maybe someone could provide a better explanation, unless it’s already been stated... then it does indeed sound like throwing in the towel.



  • @mcc85 said in Wifi AC:

    supported AC. It's gonna be around for a while longer...

    We'll shortly have AX which will do a far better job in HF crowded places. So AC/AC wave2 won't last longer than other wireless standards before.

    Does anyone see what's wrong with this picture?

    pfSense is a router. You're looking for an access point.
    I'm glad I don't have those all-in-one boxes anymore because I can update/replace the component needed and I have my APs where they belong (high up on the ceilings) and the router deep down in a closet.



  • Hey maybe you install access points in every place you do installations. That’s great. I’m proud of your strong sensibility... But for places where you want to access the web console from say, a phone, or laptop without an Ethernet port, might make sense to have one since it’s actually hardcoded into the system... but maybe the access point is not pulling an address or conflicts with the router, so you spend a lot more time trying to configure it than you should. Maybe you’ve forgotten, they actually do support WiFi in the same system. Hmmm.

    Just because you do something a certain way doesn't mean that others have the same requirements. Just seems like people are making a lot of excuses not to do it or give it the attention it deserves. Which sounds a lot like throwing in the towel. Maybe the dd-wrt router I wound up using can do just as good of a job, but that's beside the point. Let's keep voicing our opinions about how you do your installs rather than answering the original question.



  • @mcc85 said in Wifi AC:

    I’m proud of your strong sensibility... But for places where you want to access the web console from say, a phone, or laptop without an Ethernet port, ...

    My New Year's resolution will not contain making you proud.
    If I need to access the console of a device not properly configured I use this: https://www.get-console.com/shop/en/27-airconsole

    @mcc85 said in Wifi AC:

    Which sounds a lot like throwing in the towel.

    Nobody is throwing in anything, except for experience maybe. If you do some research on FreeBSD and 802.11 you'll find that this combination doesn't have a track record worth mentioning.
    If you want an AiO device then get one. Fritz!Boxes are a common choice in my vicinity. It's fine when you don't want/need dedicated devices and it isn't threatening anyone if you think DD-WRT would be a better choice for you.



  • @jahonix well I'm glad you were sensible enough to see my sarcasm... thanks for the link, but that solution is too expensive. Yeah it looks like a great piece of hardware, but paying that much for the feature set leaves a lot to be desired. Why it doesn't seem to power itself over USB or PoE makes it even less desirable for the price point, especially when I could use a Cisco Aironet or Ruckus ZoneFlex which does the same thing for literally a fraction of the price of the base unit... maybe we have different priorities. I'm trying to commercially deploy these boxes to smaller businesses that don't have a huge budget, not so much the mega conglomerates that have plenty of cash to burn. Perhaps you don't see what I'm trying to do here, but that's ok. The thing about sense is that it's literally a matter of installing software on a box and then plugging in an adapter, and bam. An enterprise grade router with no real expense. Adding on a WiFi point, even with the Aironets or ZoneFlexes, just makes life more difficult... sure would be nice to flash them with some sense and make them more cohesive. That was the point.



  • @mcc85

    The Airconsole is RS232 over Wi-Fi it’s not an access point.

    I have one.



  • @nogbadthebad said in Wifi AC:

    The Airconsole is RS232 over Wi-Fi it’s not an access point.
    I have one.

    Basically you're right. It's my tool to access a console etc. It's not an alternative to a decent AP.
    PoE? Nope, it has a battery built-in! 😂

    And you only have one AirConsole? Well, ... 😜



  • Sounds like the principle of RS232 is about as old as the year 1960.

    I'd rather use SSH or telnet over an access point that uses PoE; that way I don't have to use a separate adapter to charge the battery in my overpriced lightweight tool that, while I'm sure some may find useful, defeats the purpose of less expensive methods. If you have cash to burn, great. Some people, like me for instance, fail to see its usefulness when I can literally use a WiFi to USB adapter that does the same exact thing as well... only I'm not trying to do it that way. Why get one of these if I could buy a UniFi? Defeats the purpose of using the sense box.

    I mean, if money isn't an object then why use pfsense at all? Sounds like a pretty strange contradiction...

    And just saying, I never said that it was an access point. I'm saying that an access point is a lot more useful than this overpriced gadget that you were swindled into buying.



  • @mcc85 said in Wifi AC:

    Sounds like the principle of RS232 is about as old as the year 1960.

    A serial console is sometimes needed, if you can't connect via IP. Many routers have a serial port, connected to a dial up modem, to use as a "back door" for management. I carry a USB - RS232 adapter in my computer bag for when I configure equipment. You need it if you work with routers, switches, etc., from Cisco and others.



  • @mcc85

    You really don't understand what the device is actually used for, I'd suggest you look at the device specifications.

    Tell me how you can use an access point to configure a Cisco switch or router out of the box.

    One minute you're talking about 802.11ac that doesn't exist under FreeBSD, then talk about installing pfSense on the WRT1900AC.



  • I did. I know what RS232 is for. Probably been doing network management a lot longer than you.

    I looked at how much the device costs, you would know that if you read what I said. You would also know that I'm making an argument about why the lack of AC support is a thing. N works. So does every other version of it.

    I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs. Most people use things like "Ethernet" and "USB", which Cisco routers and switches use a lot of these days, and although I am more than well aware of the fact that other ports use that protocol, using straight up COM ports means you're likely using something built prior to 2003... Using RS232 with a device that costs 150 dollars and doesn't use a cable to keep it charged sounds like an expensive waste of money. But hey, maybe I'm wrong and ignorant... the point of all this is because I want to know why no one cares to develop the capability, and you're sitting there wondering if I'm being a troll, when it's a matter of no one answering the question.

    I don't want to use dd-wrt, or other access points, I want to merge the equipment. I don't want to use an external adapter, I want to be able to put a lock on the box and never need to open it. I want to be able to distribute it to people who don't have a huge budget, and I'd like it to be impenetrable to intrusion. So far, I haven't seen anyone make the comment that says it's a worthless investment of time and resources to develop, just a lot of excuses and redirects.



  • Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input, they're actually a lot cheaper than this magic device you're saying I don't understand... but understand pretty well. What an expensive vulnerability you've advocated for, at least with Ethernet and wireless, there's MAC address filtering that would prevent that level of mitigation.



  • @mcc85 said in Wifi AC:

    I did. I know what RS232 is for. Probably been doing network management a lot longer than you.

    Started in networking in 1990 for a large American multinational where I looked after 60 Unix workstations and the associated networking.

    First router installed Cisco AGS.

    If you want Wi-Fi in a pfSense box you're stuck at 802.11n; if you want 802.11ac you need to look elsewhere.



  • Ok. So I was wrong, but it's still a vulnerability to use RS232, it's very easy to fool, it still uses IRQ# for direct CPU access.

    Look, I apologize for the overextension. I've been pretty frustrated and it just seems like everyone's just fine with the way things are. Like I gotta go buy UniFi to get it working. Not what I want to do. I appreciate the information, I really do, but maybe I'll have to write the drivers myself is what I'm seeing here. Not something I have the time to do...



  • @mcc85 said in Wifi AC:

    I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.

    Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.

    BTW, I first started working with RS-232 back in the early '70s.

    Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input

    In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.

    BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read IDs and passwords (this was on a network that used hubs, not switches).


  • Rebel Alliance Developer Netgate

    Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.



  • @jknott said in Wifi AC:

    @mcc85 said in Wifi AC:

    I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.

    Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.

    That's exactly what I'm talking about. Older Cisco devices have serial ports, and they did for some time. But eventually with the Catalyst 2900s and up, they use an RJ-45 type console cable and even fat USB micro or various other "light blue" interfaces these days. That's what I use to do my startup configs and flash based stuff, which btw, can be mitigated too...

    BTW, I first started working with RS-232 back in the early '70s.

    Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input

    In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.

    BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read IDs and passwords (this was on a network that used hubs, not switches).

    Yes, I use PKI encryption whenever possible and even harden the permissions with either RADIUS, MAC filter lists, or simply WDS if and when I can use them. I'm still experimenting between things like Ruckus, TP-Link, Zyxel, and others to be able to get these different platforms to be cohesive, but generally speaking, I've had a lot of luck getting Cisco and sense to.. make a lot of sense. XD

    pfSense even has captive portal and works like a WAP. That's hella useful. It's also one of the things I overlooked at first when using it, but I'd more readily say that pfSense goes even further than a lot of Cisco's capabilities, especially the older devices... but yes, Wireshark and SolarWinds, they're definitely useful but I rarely ever need to unless I'm doing some grey hat type stuff.



  • @jimp said in Wifi AC:

    Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.

    Not saying it's bad in and of itself, but unless you've saved your router configs (like most smart engineers do..), there's a way to short the pins and get a readout, so if you go to use that port and don't physically check your cable, then you're allowing a physical keylogger to watch your entry... then there goes the hierarchy of security you set up. What makes this far more difficult to do on a network with strictly LAN ports is the MAC based filtering. Even if you use a certificate over DB9 you're still basically able to pretty easily recreate those entries.

    Any network admin or engineer worth his salt should be able to make sure they will never need to use it and then straight up disable any COM ports they have, that's just my dead honest opinion.


  • Rebel Alliance Developer Netgate

    they use an RJ-45 type console cable and even fat USB micro or various other "light blue" interfaces these days.

    And those are all variations of serial. The USB especially is just an easy way to hit a hosted USB/Serial bridge.

    As for the other points, again, if you are worried about that then your physical security is shit. If someone got to that point they could do far worse than sniff keystrokes.



  • @jimp of course they could. Physical security isn’t just a matter of locking a premises, it’s about closing ports that don’t need to be used. The point of it is, sometimes security also means protection from the people that have physical access. You could be working with someone who has malicious intentions, you never know if they’re gonna try to pretend they’re you later on cause they logged your creds and saved that information for later... OR... let’s say you do a job for a client and when you’re 99% done, the client has someone else finish the job and refuses to pay you what you’re owed... trust me, I’ve had that happen before and it has made me pretty unwilling to provide any access whatsoever until the bills are paid.


  • Banned

    On one hand you are worried about security, on the other you post stuff like this:

    @mcc85 said in Wifi AC:

    The whole point is that I should be able to integrate as many services into one device as I see fit that don’t require virtualization, more equipment, other software packages, or another monetary investment.

    I see a way to have the sense box run Apache or web server for other sites not just the config panel, since it has the software libraries for it and happens to be deadly in security... using that in combination with vpn tunnels and everything else, I see no reason why it couldn’t be a hell of a lot more than it already is.

    🤦


  • Rebel Alliance Developer Netgate

    And if you have physical access you could still remove power, cut cables, etc. A physical serial port is the least of your worries and makes administration much easier.

    If you are worried about that kind of access then lock the cage, lock the room, lock the floor, lock the building, guard the campus, etc.

    You've picked a weird hill to die on, but if you want to keep going off on that tangent, feel free. I'm out.



  • @mcc85 said in Wifi AC:

    they use an RJ-45 type console cable

    That's still RS-232, but with a different connector. You can get adapters that convert from that to DB-25 or DE-9 connectors. Cisco provides console cables that are RJ-45 on one end and DE-9 on the other.

    I expect the gear with a USB connector has a built in USB-serial port converter.



  • @grimson heh. Not saying I wanted to do all of that on the same box. Just wanted the option.



  • @jimp well I guess it’s a matter of opinion. Always learning things from what people say, can’t say it’s a loss hearing how other engineers do their work.

    Wanted to use AC and was curious why it can't easily be implemented, but after all this time thinking about it, I have to concur that it's probably not worth the effort if N band is available.

    Idk, I tend to learn a lot more practical uses for things when I have some very specific requirements, and not that really anyone was wrong with their responses, I just think having examples of what I’m doing with the equipment would help.

    I do a bit of physical security as well as surveillance, intrusion detection, monitoring, and alarms, so having a box somewhere that I could use a WiFi connection with my phone, without really hooking up some fancy adapter, would make life a lot easier. Sometimes when I do a job I give up the keys to the locks, and all I have if I go onsite for a follow up is remote access.

    Wasn’t trying to contradict myself, just trying to support the brand and thought it was worthy of investigation/inquisition.



  • @jknott yes, those USB->RJ45 cables do COM port emulation, so you're absolutely right now that I think of it... I use PuTTY quite a bit and I didn't make the correlation. I wasn't aware that it was emulating old school RS-232, since I've always associated it with db9 or like token ring?



  • @mcc85 said in Wifi AC:

    since I’ve always associated it with db9

    That's DE-9. People often make that mistake. In one job I had years ago, I'd often order connectors by the 1000s. If I ordered DB-9, the order would be sent back unfilled. With those connectors, the first letter refers to the connector series, the 2nd to the shell size, and the number refers to the number of pins.

    https://en.wikipedia.org/wiki/D-subminiature



  • Hey, that's good to know and def pretty cool. Much appreciated.



  • @jknott said in Wifi AC:

    That's DE-9. People often make that mistake.

    Woops, now it's getting interesting again!
    I didn't even know of the D-sub naming convention and until today referred to those 9-pin serial connectors (wrongly) as DB-9.

    This happens more often than one might think. The audio industry pretty much always uses 3-pin "XLR" connectors for symmetrical analog audio today. Fun part is that Cannon named them XLR with the trailing "R" for a rubber version. But no one knows that, and if I told a colleague to use the XL connector he would think I'm completely nuts now. ⛑
    https://en.wikipedia.org/wiki/XLR_connector#History_and_manufacturers

