Wifi AC
-
@nogbadthebad said in Wifi AC:
The Airconsole is RS232 over Wi-Fi it’s not an access point.
I have one.Basically you're right. It's my tool to access a console etc. It's not an alternative to a decent AP.
PoE? Nope, it has a battery built-in!And you only have one AirConsole? Well, ...
-
Sounds like the principle of RS232 is about as old as the year 1960.
I'd rather use SSH or telnet over an access point that uses PoE that way I don't have to use a separate adapter to charge the battery in my overpriced lightweight tool that, while I'm sure some may find useful, defeats the purpose of less expensive methods. If you have cash to burn, great. Some people, like me for instance, fail to see it's usefulness when I can literally use a wifi to usb adapter that does the same exact thing as well... only i'm not trying to do it that way. Why get one of these if I could buy a unify? Defeats the purpose of using the sense box.
I mean, if money isn't an object then why use pfsense at all? Sounds like a pretty strange contradiction...
and just saying, never said that it was an access point. i'm saying that an access point is a lot more useful than this overpriced gadget that you were swindled into buying.
-
Sounds like the principle of RS232 is about as old as the year 1960.
A serial console is sometimes needed, if you can't connect via IP. Many routers have a serial port, connected to a dial up modem, to use as a "back door" for management. I carry a USB - RS232 adapter in my computer bag for when I configure equipment. You need it if you work with routers, switches, etc., from Cisco and others.
-
You really don't understand what the device is actually used for, I'd suggest you look at the device specifications.
Tell me how you can use an access-point to configure a Cisco switch or router out the box.
One minute your talking about 802.11 AC that doesn't exist under FreeBSD, then talk about installing pfSense on the WRT1900AC.
-
I did. I know what RS232 is for. Probably been doing network management a lot longer than you.
I looked at how much the device costs, you would know that if you read what I said. You would also know that I'm making an argument about why the lack of AC support is a thing. N works. So does every other version of it.
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs. Most people use things like "ethernet" and "usb", which cisco routers and switches use a lot of these days, and although I am more than well aware of the fact that other ports use that protocol, using straight up COM ports means you're likely using something built prior to 2003... Using RS232 with a device that costs 150 dollars and doesn't use a cable to keep it charged sounds like an expensive waste of money. But hey, maybe I'm wrong and ignorant... the point of all this is because I want to know why no one cares to develop the capability, and you're sitting there wondering if I'm being a troll, when it's a matter of no one answering the question.
I don't want to use dd-wrt, or other access points, I want to merge the equipment. I don't want to use an external adapter, I want to be able to put a lock on the box and never need to open it. I want to be able to distribute it to people who don't have a huge budget, and I'd like it to be impenetrable to intrusion. So far, I haven't seen anyone make the comment that says it's a worthless investment of time and resources to develop, just a lot of excuses and redirects.
-
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input, they're actually a lot cheaper than this magic device you're saying I don't understand... but understand pretty well. What an expensive vulnerability you've advocated for, at least with ethernet and wireless, there's mac address filtering that would prevent that level of mitigation.
-
I did. I know what RS232 is for. Probably been doing network management a lot longer than you.
Started in networking in1990 for a large American multi national where I looked after 60 Unix workstations and the associated networking.
First router installed Cisco AGS.
If you want Wi-Fi in a pfSense box your stuck at 802.11n if you want 802.11ac you need to look elsewhere.
-
Ok. So I was wrong, but it's still a vulnerability to use RS232, its very easy to fool, it still uses IRQ# for direct CPU access.
Look, I apologize for the overextension. I've been pretty frustrated and it just seems like everyone's just fine with the way things are. Like I gotta go buy unify to get it workin. Not what I want to do. I appreciate the information I really do, but maybe i'll have to write the drivers myself is what I'm seeing here. Not something I have the time to do...
-
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.
Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.
BTW, I first started working with RS-232 back in the early '70s.
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input
In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.
BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read ID's and passwords (this was on a network that used hubs, not switches).
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
-
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.
Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.
That’s exactly what I’m talking about. Older Cisco devices have serial ports, and they did for some time. But eventually with the catalyst 2900+s and up, they use an RJ 45 type console cable and even fat usb micro or various other “light blue” interfaces these days. That’s what I to do my startup configs and flash based stuff, which btw, can be mitigated too...
BTW, I first started working with RS-232 back in the early '70s.
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input
In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.
BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read ID's and passwords (this was on a network that used hubs, not switches).
Yes, I use PKI encryption whenever possible and even harden the permissions with either radius, mac filter lists, or simply wds if and when I can use them. I’m still experimenting between things like ruckus, tp link, zyxel, and others to be able to get these different platforms to be cohesive, but generally speaking, I’ve had a lot of luck getting Cisco and sense to.. make a lot of sense. XD
Pfsense even has captive portal and works like a wap. That’s hella useful. It’s also one of the things I overlooked at first when using it, but, I’d more readily say that pfsense goes even further than a lot of Cisco’s capabilities , especially the older devices... but yes wireshark and solarwinds,they’re definitely useful but I rarely ever need to unless I’m doing some grey hat type stuff.
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
Not saying it’s bad in and of itself, but unless you’ve saved your router configs (like most smart engineers do..), there’s a way to short the pins and get a readout, so if you go to use that port and don’t physically check your cable, then you’re allowing a physical keylogger to watch your entry... then there goes the hierarchy of security you set up. What makes this far more difficult to do on a network with strictly lan ports is the Mac based filtering. Even if you use a certificate over db9 you’re still basically able to pretty easily recreate those entries.
Any network admin or engineer worth his salt should be able to make sure they will never need to use it and then straight up disable any com ports they have, that’s just my dead honest opinion.
-
they use an RJ 45 type console cable and even fat usb micro or various other “light blue” interfaces these days.
And those are all variations of serial. The USB especially is just an easy way to hit a hosted USB/Serial bridge.
As for the other points, again, if you are worried about that then your physical security is shit. If someone got to that point they could do far worse than sniff keystrokes.
-
@jimp of course they could. Physical security isn’t just a matter of locking a premises, it’s about closing ports that don’t need to be used. The point of it is, sometimes security also means protection from the people that have physical access. You could be working with someone who has malicious intentions, you never know if they’re gonna try to pretend they’re you later on cause they logged your creds and saved that information for later... OR... let’s say you do a job for a client and when you’re 99% done, the client has someone else finish the job and refuses to pay you what you’re owed... trust me, I’ve had that happen before and it has made me pretty unwilling to provide any access whatsoever until the bills are paid.
-
On one hand you are worried about security, on the other you post stuff like this:
The whole point is that I should be able to integrate as many services into one device as I see fit that don’t require virtualization, more equipment, other software packages, or another monetary investment.
I see a way to have the sense box run Apache or web server for other sites not just the config panel, since it has the software libraries for it and happens to be deadly in security... using that in combination with vpn tunnels and everything else, I see no reason why it couldn’t be a hell of a lot more than it already is.
-
And if you have physical access you could still remove power, cut cables, etc. A physical serial port is the least of your worries and makes administration much easier.
If you are worried about that kind of access then lock the cage, lock the room, lock the floor, lock the building, guard the campus, etc.
You've picked a weird hill to die on, but if you want to keep going off on that tangent, feel free. I'm out.
-
they use an RJ 45 type console cable
That's still RS-232, but with a different connector. You can get adapters that convert from that to DB-25 or DE-9 connectors. Cisco provides console cables that are RJ-45 on one end and DE-9 on the other.
I expect the gear with a USB connector has a built in USB-serial port converter.
-
@grimson heh. Not saying I wanted to do all of that on the same box. Just wanted the option.
-
@jimp well I guess it’s a matter of opinion. Always learning things from what people say, can’t say it’s a loss hearing how other engineers do their work.
Wanted to use AC and was curious why it can’t easily be implemented, but after all this time thinking about it, I have to concur that it’s prolly not worth the effort if n band is available.
Idk, I tend to learn a lot more practical uses for things when I have some very specific requirements, and not that really anyone was wrong with their responses, I just think having examples of what I’m doing with the equipment would help.
I do a bit of physical security as well as surveillance, intrusion detection, monitoring, and alarms, so having a box somewhere that I could use a WiFi connection with my phone, without really hooking up some fancy adapter, would make life a lot easier. Sometimes when I do a job I give up the keys to the locks, and all I have if I go onsite for a follow up is remote access.
Wasn’t trying to contradict myself, just trying to support the brand and thought it was worthy of investigation/inquisition.
-
@jknott yes those usb->rj45 cables do com port emulation, so you’re absolutely right now that I think of it... I use putty quite a bit and I didn’t make the correlation. I wasn’t aware that it was emulating old school rs232, since I’ve always associated it with db9 or like token ring?