Netgate Discussion Forum

    Are all Access Points with WPA3 equally secure ?

    • C
      CharlesT
      last edited by

      So I have replaced my all-in-one router/AP with a Netgate pfSense box and gotten a Netgear Business AP to add wifi.
      I'm wondering if I can safely put the old all-in-one router in bridge mode and use it only for wifi for a different interface not covered by my main AP?
      It does support WPA3. My question is if these cheap boxes have any security concerns I should worry about when used just in AP (bridge) mode, or if as long as it supports the most recent encryption standard, these boxes are all the same?

      Thanks!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @CharlesT
        last edited by johnpoz

        @CharlesT the protocol is the same be it wpa wpa2 or wpa3.. The problem with any transition from old to new protocol is you can't really just use wpa3 unless all your clients support it.. You prob have to run it in some transition mode where it supports still wpa2/3 which kind of really defeats the advantages in the new protocol if you ask me.

        But if brand X supports wpa3 and brand Y also supports wpa3 - I would think there should be any real concerns over X does wpa3 better or more secure than brand Y.

        For me I would run eap-tls for all of my wifi - problem is iot devices do not support this, nor do many iot devices support wpa3 as of yet.. So while sure you could run wpa3 for some of your networks.. You're prob going to have to provide a wpa2 network for these devices that don't yet support wpa3.. And/or some of them don't even work if you try and use a wpa2/wpa3 transition sort of setup..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

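Added example, not part of the thread or any poster's code: a Python check for the WPA2/WPA3 transition-mode point raised in the post above. It assumes the AP's settings are available in hostapd's `key=value` config format and reports whether a BSS is WPA3-only, a WPA2/WPA3 transition setup, or WPA2-only; the two sample configs are constructed.

```python
# Added example: classify a hostapd BSS config as WPA3-only, transition or WPA2-only.
# The sample configs are constructed, not taken from a real AP.
def parse_hostapd(text):
    """Return key -> value for the key=value lines of a hostapd config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def classify(text):
    """Return (mode, findings) for one BSS."""
    conf = parse_hostapd(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    has_sae = bool(akms & {"SAE", "FT-SAE"})
    has_psk = bool(akms & {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK"})
    findings = []
    if has_sae and has_psk:
        mode = "transition"
        findings.append("WPA2-PSK is still accepted alongside SAE")
        if conf.get("sae_require_mfp", "0") != "1":
            findings.append("sae_require_mfp is not 1: SAE clients may skip PMF")
    elif has_sae:
        mode = "wpa3-only"
        if conf.get("ieee80211w", "0") != "2":  # 0 off, 1 optional, 2 required
            findings.append("ieee80211w is not 2: PMF is not required")
    elif has_psk:
        mode = "wpa2-only"
        findings.append("no SAE key management offered")
    else:
        mode = "unknown"
        findings.append("no PSK or SAE key management configured")
    return mode, findings

WPA3_ONLY = """ssid=example-wpa3
wpa=2
wpa_key_mgmt=SAE
ieee80211w=2
"""
TRANSITION = """ssid=example-mixed
wpa=2
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
"""
if __name__ == "__main__":
    for sample in (WPA3_ONLY, TRANSITION):
        print(classify(sample))
```
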
        • C
          CharlesT @johnpoz
          last edited by CharlesT

          @johnpoz Thanks !

          • JonathanLeeJ
            JonathanLee
            last edited by JonathanLee

            You also want it configured so devices also know BSSID. In Windows 10 the software only looks at the SSID. I did tests with changing different AP units same name same password and Windows 10 didn’t know it was a different AP. The new M1 Macintosh knew it had a different BSSID and wouldn’t connect until I deleted the old profile.

            Make sure to upvote

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @JonathanLee
              last edited by johnpoz

              @JonathanLee little reason to bring that up - talking the difference between a bssid and ssid and essid is getting deep into the weeds for what amounts to a very basic question.

              • JonathanLeeJ
                JonathanLee
                last edited by JonathanLee

                That said, no, not all AP units are equal. OpenWRT is the elite WiFi AP software, it’s also open source just like pfSense. I learned that from @johnpoz

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @JonathanLee
                  last edited by

                  @JonathanLee openwrt is fine if you have some shit soho router and want to actually have it work stable and provide all the features the hardware can support ;)

                  And yes depending on the software you're running if you run native or 3rd party it can expose different features. Or different makers of actual AP like unifi or omada or aruba or ruckus or cisco or cisco meraki, etc.

                  But when it comes to actual wpa3, which is a standard there shouldn't be any differences - because if it's not standard you would have issues with different clients using it.

                  Different makers might do some stupid shit like trying to get 40mhz vht on 2.4, this is not a standard. You might have different makers exposing DFS channels to be used, etc. Or some might support PPSK.

                  But at the base layer wpa3 is wpa3 - and there sure shouldn't be any sort of security difference be it wpa3 is on make X or Y AP - now possible the device has other security issues related to its OS its running - wpa3 should be wpa3 be it on X or Y.

                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    I would argue the bigger advantage of OpenWRT over OEM firmware is that it's updated regularly as long as your device is supported. It's almost certainly more secure than some old device that is no longer updated by the manufacturer. Also many 'actual APs' run openwrt anyway, often an ancient version. Personally I run OpenWRT on all my APs here. But mostly because it's fun and I'm cheap! 😉

                    Hostname	AP300-3
                    Model	WatchGuard AP300
                    Architecture	Qualcomm Atheros QCA9558 ver 1 rev 0
                    Target Platform	ath79/generic
                    Firmware Version	OpenWrt SNAPSHOT r26792-646ebbd32c / LuCI Master 24.158.03388~a6f8361
                    Kernel Version	6.6.35
                    
                    • GertjanG
                      Gertjan @CharlesT
                      last edited by

                      @CharlesT

                      If this is a question / you have a doubt :

                      Are all Access Points with WPA3 equally secure ?

                      Connect to the wifi first.
                      Then fire up your favorite VPN, thus rendering the question to oblivion. You'll be using an encryption into an encryption. Even better, when you are visiting an https site (any TLS destination), you'll have just added another encryption layer!

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.