Wifi AC
-
Hey maybe you install access points in every place you do installations. That’s great. I’m proud of your strong sensibility... But for places where you want to access the web console from say, a phone, or laptop without an Ethernet port, might make sense to have one since it’s actually hardcoded into the system... but maybe the access point is not pulling an address or conflicts with the router, so you spend a lot more time trying to configure it than you should. Maybe you’ve forgotten, they actually do support WiFi in the same system. Hmmm.
Just because you do something a certain way doesn’t mean that others have the same requirements. Just seems like people are making a lot of excuses not to do it or give it the attention it deserves. Which sounds a lot like throwing in the towel. Maybe the dd-wrt router I wound up using can do just as good of a job, but that’s besides the point. Let’s keep voicing our opinions about how you do your installs rather than answering the original question.
-
I’m proud of your strong sensibility... But for places where you want to access the web console from say, a phone, or laptop without an Ethernet port, ...
My New Year's resolution will not contain making you proud.
If I need to access the console of a device not properly configured I use this: https://www.get-console.com/shop/en/27-airconsoleWhich sounds a lot like throwing in the towel.
Nobody is throwing in anything, except for experience maybe. If you do some research on FreeBSD and 802.11 you'll find that this combination doesn't have a track record worth mentioning.
If you want an AiO device then get one. Fritz!Box-es are a common choice in my vicinity. It's fine when you don't want/need dedicated devices and it isn't threatening anyone if you think DD-WRT would be a better choice for you. -
@jahonix well I’m glad you were sensible enough to see my sarcasm... thanks for the link, but that solution is too expensive. Yeah it looks like a great piece of hardware, but paying that much for the feature set leaves a lot to be desired. Why it doesn’t seem to power itself over USB or PoE makes it even less desirable for the price point, especially when I could use a Cisco aironet or ruckus zoneflex which does the same thing for literally a fraction of the price of the base unit... maybe we have different priorities. I’m trying to commercially deploy these boxes to smaller businesses that don’t have a huge budget, not so much the mega conglomerates that have plenty of cash to burn. Perhaps you don’t see what I’m tryin to do here, but that’s ok. The thing about sense is that it’s literally a matter of installing software on a box and then plugging in an adapter, and bam. An enterprise grade router with no real expense. Adding on a WiFi point, even with the aironets or zoneflexes just make life more difficult... sure would be nice to flash them with some sense and make them more cohesive. That was the point.
-
-
@nogbadthebad said in Wifi AC:
The Airconsole is RS232 over Wi-Fi it’s not an access point.
I have one.Basically you're right. It's my tool to access a console etc. It's not an alternative to a decent AP.
PoE? Nope, it has a battery built-in!
And you only have one AirConsole? Well, ...
-
Sounds like the principle of RS232 is about as old as the year 1960.
I'd rather use SSH or telnet over an access point that uses PoE that way I don't have to use a separate adapter to charge the battery in my overpriced lightweight tool that, while I'm sure some may find useful, defeats the purpose of less expensive methods. If you have cash to burn, great. Some people, like me for instance, fail to see it's usefulness when I can literally use a wifi to usb adapter that does the same exact thing as well... only i'm not trying to do it that way. Why get one of these if I could buy a unify? Defeats the purpose of using the sense box.
I mean, if money isn't an object then why use pfsense at all? Sounds like a pretty strange contradiction...
and just saying, never said that it was an access point. i'm saying that an access point is a lot more useful than this overpriced gadget that you were swindled into buying.
-
Sounds like the principle of RS232 is about as old as the year 1960.
A serial console is sometimes needed, if you can't connect via IP. Many routers have a serial port, connected to a dial up modem, to use as a "back door" for management. I carry a USB - RS232 adapter in my computer bag for when I configure equipment. You need it if you work with routers, switches, etc., from Cisco and others.
-
You really don't understand what the device is actually used for, I'd suggest you look at the device specifications.
Tell me how you can use an access-point to configure a Cisco switch or router out the box.
One minute your talking about 802.11 AC that doesn't exist under FreeBSD, then talk about installing pfSense on the WRT1900AC.
-
I did. I know what RS232 is for. Probably been doing network management a lot longer than you.
I looked at how much the device costs, you would know that if you read what I said. You would also know that I'm making an argument about why the lack of AC support is a thing. N works. So does every other version of it.
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs. Most people use things like "ethernet" and "usb", which cisco routers and switches use a lot of these days, and although I am more than well aware of the fact that other ports use that protocol, using straight up COM ports means you're likely using something built prior to 2003... Using RS232 with a device that costs 150 dollars and doesn't use a cable to keep it charged sounds like an expensive waste of money. But hey, maybe I'm wrong and ignorant... the point of all this is because I want to know why no one cares to develop the capability, and you're sitting there wondering if I'm being a troll, when it's a matter of no one answering the question.
I don't want to use dd-wrt, or other access points, I want to merge the equipment. I don't want to use an external adapter, I want to be able to put a lock on the box and never need to open it. I want to be able to distribute it to people who don't have a huge budget, and I'd like it to be impenetrable to intrusion. So far, I haven't seen anyone make the comment that says it's a worthless investment of time and resources to develop, just a lot of excuses and redirects.
-
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input, they're actually a lot cheaper than this magic device you're saying I don't understand... but understand pretty well. What an expensive vulnerability you've advocated for, at least with ethernet and wireless, there's mac address filtering that would prevent that level of mitigation.
-
I did. I know what RS232 is for. Probably been doing network management a lot longer than you.
Started in networking in1990 for a large American multi national where I looked after 60 Unix workstations and the associated networking.
First router installed Cisco AGS.
If you want Wi-Fi in a pfSense box your stuck at 802.11n if you want 802.11ac you need to look elsewhere.
-
Ok. So I was wrong, but it's still a vulnerability to use RS232, its very easy to fool, it still uses IRQ# for direct CPU access.
Look, I apologize for the overextension. I've been pretty frustrated and it just seems like everyone's just fine with the way things are. Like I gotta go buy unify to get it workin. Not what I want to do. I appreciate the information I really do, but maybe i'll have to write the drivers myself is what I'm seeing here. Not something I have the time to do...
-
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.
Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.
BTW, I first started working with RS-232 back in the early '70s.
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input
In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.
BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read ID's and passwords (this was on a network that used hubs, not switches).
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
-
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.
Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.
That’s exactly what I’m talking about. Older Cisco devices have serial ports, and they did for some time. But eventually with the catalyst 2900+s and up, they use an RJ 45 type console cable and even fat usb micro or various other “light blue” interfaces these days. That’s what I to do my startup configs and flash based stuff, which btw, can be mitigated too...
BTW, I first started working with RS-232 back in the early '70s.
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input
In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.
BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read ID's and passwords (this was on a network that used hubs, not switches).
Yes, I use PKI encryption whenever possible and even harden the permissions with either radius, mac filter lists, or simply wds if and when I can use them. I’m still experimenting between things like ruckus, tp link, zyxel, and others to be able to get these different platforms to be cohesive, but generally speaking, I’ve had a lot of luck getting Cisco and sense to.. make a lot of sense. XD
Pfsense even has captive portal and works like a wap. That’s hella useful. It’s also one of the things I overlooked at first when using it, but, I’d more readily say that pfsense goes even further than a lot of Cisco’s capabilities , especially the older devices... but yes wireshark and solarwinds,they’re definitely useful but I rarely ever need to unless I’m doing some grey hat type stuff.
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
Not saying it’s bad in and of itself, but unless you’ve saved your router configs (like most smart engineers do..), there’s a way to short the pins and get a readout, so if you go to use that port and don’t physically check your cable, then you’re allowing a physical keylogger to watch your entry... then there goes the hierarchy of security you set up. What makes this far more difficult to do on a network with strictly lan ports is the Mac based filtering. Even if you use a certificate over db9 you’re still basically able to pretty easily recreate those entries.
Any network admin or engineer worth his salt should be able to make sure they will never need to use it and then straight up disable any com ports they have, that’s just my dead honest opinion.
-
they use an RJ 45 type console cable and even fat usb micro or various other “light blue” interfaces these days.
And those are all variations of serial. The USB especially is just an easy way to hit a hosted USB/Serial bridge.
As for the other points, again, if you are worried about that then your physical security is shit. If someone got to that point they could do far worse than sniff keystrokes.
-
@jimp of course they could. Physical security isn’t just a matter of locking a premises, it’s about closing ports that don’t need to be used. The point of it is, sometimes security also means protection from the people that have physical access. You could be working with someone who has malicious intentions, you never know if they’re gonna try to pretend they’re you later on cause they logged your creds and saved that information for later... OR... let’s say you do a job for a client and when you’re 99% done, the client has someone else finish the job and refuses to pay you what you’re owed... trust me, I’ve had that happen before and it has made me pretty unwilling to provide any access whatsoever until the bills are paid.
-
On one hand you are worried about security, on the other you post stuff like this:
The whole point is that I should be able to integrate as many services into one device as I see fit that don’t require virtualization, more equipment, other software packages, or another monetary investment.
I see a way to have the sense box run Apache or web server for other sites not just the config panel, since it has the software libraries for it and happens to be deadly in security... using that in combination with vpn tunnels and everything else, I see no reason why it couldn’t be a hell of a lot more than it already is.
-
And if you have physical access you could still remove power, cut cables, etc. A physical serial port is the least of your worries and makes administration much easier.
If you are worried about that kind of access then lock the cage, lock the room, lock the floor, lock the building, guard the campus, etc.
You've picked a weird hill to die on, but if you want to keep going off on that tangent, feel free. I'm out.
