[HN Gopher] Ubiquiti Networks Breach
___________________________________________________________________
Ubiquiti Networks Breach
Author : ShaneCurran
Score : 268 points
Date : 2021-01-11 19:36 UTC (2 hours ago)
(HTM) web link (mailchi.mp)
(TXT) w3m dump (mailchi.mp)
| rodgerd wrote:
| This is a terrible public notification. What is the scope of the
| breach? Their forum software? The accounts Unifi customers can
| use for cloud-based admin of their private networks? Support
| tickets?
|
| It doesn't inspire one iota of confidence. Quite the opposite.
| bigmattystyles wrote:
| On top of that, this is not like Hertz or Avis suffering a
| breach, networks and network security is sort of a big deal to
| ubiquiti. I know they are a more of a networking company than a
| computer security company but their offerings do emphasize
| secure networking.
| reaperducer wrote:
| I think trying to get the notice out to users directly and
| quickly is at least one iota.
|
| Details can come later, once the threat is fully evaluated.
|
| If it waited until all the facts are in to put out a full fact
| sheet, the HN griefers would be jumping ugly that it took too
| long and was covering things up.
| [deleted]
| [deleted]
| alkonaut wrote:
| Did they email everyone with an account this information? I.e.,
| if I didn't get that email, I don't have an account?
|
| You can't check via a login page whether you have an account...
| ThisIsTheWay wrote:
| I can't speak for everyone, but yes, I received an email about
| my account.
| lkxijlewlf wrote:
| Wish they would roll WireGuard up into the firmware distribution
| for the EdgeRouter X.
| johnklos wrote:
| My goodness. How stupid does everyone involved need to be to put
| out a statement like this with a "mailchi.mp" URL, WITH PASSWORD
| RESET BUTTONS?
|
| What the hell is wrong with these people?
| politelemon wrote:
| This ought to be on their blog, rather than mailchimp, no?
| switz wrote:
| Not to mention this was confusing to me; I'm sitting here
| wondering if Ubiquiti is a parent company of Mailchimp. It
| seems like that's not the case.
|
| If I was mailchimp, I'd be a tad peeved, but I guess that's a
| downside of hosting a business' content.
| [deleted]
| based2 wrote:
| https://en.wikipedia.org/wiki/Ubiquiti_Networks
| lpgauth wrote:
| What systems were breached? I haven't received an email...
|
| Is UNMS ok?
| [deleted]
| ch0I9daAiO wrote:
| There's a neat docker container you can run for their management
| application instead of using Cloud(tm).
| 29athrowaway wrote:
| The Ubiquiti Cloud Key is the worst product I have ever
| purchased.
| clajiness wrote:
| Ok. Why? I have one and it's great.
| rsync wrote:
| Ubiquiti is slowly becoming Sonos.
|
| The difference is, their potential for bad behavior, risks and
| attack surface is far, far greater.
| e40 wrote:
| Yes, that is worrying. I never hooked my USG up to the cloud,
| opting to run it from a local docker container.
| hsbauauvhabzb wrote:
| What's wrong with Sonos? I'm about to drop a bunch on a full
| home setup, should I consider an alternative?
| secabeen wrote:
| Many people dislike the cloud-focus of sonos. When they
| started, the primary use case was streaming off of SMB
| shares, but now it's streaming from cloud providers. Given
| that all of your music is coming from the cloud, is it really
| that much of a stretch that your sonos hardware is heavily
| backed by cloud services too? It really does help ease-of-use
| for non-technical folk.
| imposterr wrote:
| Would recommend reading through the previous threads on HN.
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.
| ..
| 3guk wrote:
| I must admit - Ubiquiti has lost some of its shine in the last
| few years, whilst AP and routing hardware seems to still be very
| good in terms of pricepoint, it does feel like the software side
| of things has been going in a very strange direction for quite
| some time.
|
| I'm still quite annoyed by the fact that I was forced to migrate
| from Unifi Video to Unifi Protect - due to vendor lock in and the
| fact that the remote interface for Unifi Video was switched off
| this month.
|
| I guess on the plus side - no one who is still using Unifi Video
| has to worry all that much.....
|
| Hopefully it is just a case of resetting passwords and enabling
| 2FA if you haven't done it already - not entirely sure how much
| damage could be done otherwise, unless there is an undocumented
| backdoor into Ubiquiti products ?
| pieno wrote:
| Agree on Ubiquiti losing their shine. They seem to have fallen
| for the classic trap of vendors selling hardware without fully
| factoring in the cost of maintaining software and "cloud"
| infrastructure. So now their "growth hackers" have to keep
| coming up with things that should just be add-ons or bug fixes
| but instead they sell them as a premium feature or new product
| to make up for a lack of recurring revenue.
|
| Basically they are alienating their existing customer base (who
| have already paid a premium price for the prosumer product
| upfront and expect things to Just Work for the price) in favour
| of convincing the next idiot to fund their OPEX with shiny new
| features and toys that are a quick sell. Not realising (or
| unwilling to realise) that this strategy is completely in
| contradiction with their reputation and brand image as
| trustworthy prosumer hardware vendor, and just adds to the
| underlying issue.
|
| I predict that it won't be long before they run out of cash or
| investor confidence and have to sell out to a large consumer
| hardware vendor with deep pockets that will try to capture the
| Ubiquiti premium margins by selling their lower-value existing
| consumer gear under the Ubiquiti brand. I applaud them for
| having come this far while maintaining most of their integrity
| and reputation, but I'm afraid their strategy is doomed to fail
| and it's starting to show.
| ex_ubiquiti wrote:
| Ubiquiti had a steady exodus of engineers in the past few
| years. It's a very different company now compared to the glory
| days of UniFi.
| rossjudson wrote:
| Doesn't it seem like one of the missing measurements for
| directors/VPs should be "amount of disappearing expertise"?
| bacondude3 wrote:
| PSA: with Mailchimp URLs, it's best to remove the `?e=xxx` URL
| parameter. That way, A) you can't be identified by the sender as
| the person who shared the email, and B) other people can't flood
| your inbox by clicking the "unsubscribe" link at the bottom of
| the email.
|
| In this case, the cleaned URL that should have been posted is
| https://mailchi.mp/ubnt/account-notification
| [deleted]
| ashtonkem wrote:
| As someone who was planning on buying Ubiquiti hardware for their
| house, this breach and a lot of the comments here are
| disconcerting. Are there any other alternatives that are more
| locally managed that people would recommend?
| hamstercat wrote:
| You can disable remote login in the settings. It's the first
| thing I did when I got mine. So it's impossible to login to my
| router using my Ubiquiti account.
|
| Can't comment on issues others have been getting, but I only have good
| things to say about mine. It's not perfect and the learning
| curve can be steep, but it's miles ahead of any other routers
| I've used before. The only thing that came close was when I
| flashed dd-wrt on my old Linksys.
| dustinmoris wrote:
| I have a TP-Link Mesh network in my house. I have high speed
| WiFi even in my garden. 50+ devices connected. Took me 30min to
| install everything. Didn't have a single issue in 3 years yet.
| Saved lots of money in comparison to Ubiquiti. But what do I
| know, I only use internet for normal activities like smart home
| stuff, streaming, working and so on...
| fullstop wrote:
| I use a fair amount of their equipment at home and I don't
| think that you need to be concerned with this. I run my
| controller on a server in my basement, and no part of it
| (besides the WAN port on my ERL) touches the internet. There is
| no "cloud" requirement.
|
| The "dream machine" thing I don't get. I do like their Unifi AP
| line, though.
| jlgaddis wrote:
| Are you aware that they added telemetry a while back?
| fullstop wrote:
| Yes, I have disabled it. You can also drop outbound traffic
| for the uid running the controller with iptables if you're
| paranoid about it.
| OminousWeapons wrote:
| You are presented with the ability to opt out of data
| collection in your management console.
| OminousWeapons wrote:
| I agree, I don't understand the level of hate appearing in
| this thread. I use Ubiquiti gear at multiple sites and it is
| absolutely bullet proof and trivial to set up once you
| understand their model. As long as you aren't running remote
| access then losing control of your UI.com credentials is
| really a non-issue.
| amacneil wrote:
| Ubiquiti hardware and software is still amazing, and I'm
| willing to bet there are far more satisfied users than the few
| people grumbling on this forum. Cloud login is not mandatory if
| you choose not to enable it.
|
| No products are perfect, but for the use case of "more
| technical than average user" looking for better quality than
| your typical home-grade gear, I have not found anything better
| or more polished.
| sitharus wrote:
| If you include a cloud key in the network there's no need to
| connect to the Ubiquiti cloud. The cloud key runs an entirely
| local Ubiquiti management stack.
| ashtonkem wrote:
| Ah, so my plan to buy a Dream Machine Pro would effectively
| mitigate this.
| rangersanger wrote:
| I did a double take after clicking through- when did Unifi change
| their URL to UI.com? I thought this was a clever scaled phishing
| attempt for a second.
|
| Come to think of it, how many times have they changed their
| URL/how many are there? Feels like I'm being trained to do
| something stupid.
| e40 wrote:
| It's been that for as long as I can remember, but that's only a
| year or two.
| ocdtrekkie wrote:
| This is why cloud login for network devices is terrible. I use an
| EdgeRouter at home with no cloud connection and I'm quite happy
| with it, but I've used UniFi in another setting, and I am not
| thrilled at the ease of getting internal passwords and the like
| set on devices from any web browser, for instance.
|
| Another company's network products I work with technically has a
| self-hosted version of their management service, but it doesn't
| scale down well (it expects dozens of GBs of RAM and to be
| running on SSD storage or it's not supported). I've regularly
| felt pressured to move to the cloud just to avoid the jankiness.
| myggan wrote:
| At least we know third parties have access to our salted passwords
| et al.?
| verst wrote:
| Sounds like their cloud provider environment was breached. If
| that's the case then access to databases with salted and hashed
| passwords is to be expected, is it not?
|
| Would be good to know which provider this is and whether it was
| the fault of the provider itself.
| myggan wrote:
| You are right. Would be interesting to know who it is.
| Couldn't find anything for AWS atm. That could be big, but
| let's hope it's nothing to worry about. I appreciate they
| communicate this notice asap. Even if we don't have the
| details yet.
| TavsiE9s wrote:
| As some of the IPv4 addresses for ui.com seem to be assigned
| to AWS I'm not sure what to make of it.
| jandrese wrote:
| Improperly secured S3 bucket? That's hit more companies
| than I can count.
| wnevets wrote:
| I still haven't gotten an email, does that mean I'm not affected
| or just a delay in the queue?
| yskchu wrote:
| More discussions on Ubiquiti subreddit:
|
| https://www.reddit.com/r/Ubiquiti/comments/kv9fc8/ubiquiti_e...
| ziddoap wrote:
| No specific comments to the breach... But, I couldn't help but
| chuckle at We Take Your Security Seriously(tm).
|
| Why does every company, after demonstrating a lack of security,
| like to say this exact line? I can just imagine the PR person
| hovering over the shoulder of whoever authored the post yelling
| "make sure you tell the victims of this breach that we care!"
| kenniskrag wrote:
| > That phenomenon is called counter-signaling, which I first
| ran into listening to Dan Jurafsky making the point that if a
| menu uses the word "fresh", it's a low-brow restaurant. A high-
| brow restaurant would never use the word "fresh" -- the
| freshness is implicit in the other signals.
| https://kelley.iu.edu/riharbau/cs-randfinal.pdf
|
| source: https://news.ycombinator.com/item?id=25713050
| jiveturkey wrote:
| Italian franchise[0] restaurant in Sacramento has this huge
| neon sign in their window: "health inspected". _Neon_. It's
| just that one instance of the store. Not that I've seen them
| all, but never seen that signage in their other stores.
|
| [0] Maybe not technically a franchise. Not sure. There are a
| bunch in California.
| MasterScrat wrote:
| Reminds me of a restaurant in Goa, India, which proudly
| advertises: "Vegetables are cleaned with _clean_ water
| before use! "
| hsbauauvhabzb wrote:
| They opted to TELL people about it which is a good indicator.
| I'm sure there's many companies who choose not to (which may be
| against the law). It's also HR spin on the topic, but IIRC
| Ubiquiti offer bug bounties on a range of devices they sell so
| there's at least some truth to the spin.
|
| 'We know they breached but don't know what they did' is an
| interesting statement. One POV is that they didn't have
| sufficient logging and segregation to determine how widespread
| the breach was, the other is that they're not arrogant enough
| to think their SIEM adequately captures everything.
| ziddoap wrote:
| I'm unsure how your statement is meant as a response to mine.
| I obviously agree that it is a good indicator that they
| notified customers of a breach.
| jlgaddis wrote:
| > _They opted to TELL people about it which is a good
| indicator._
|
| Aren't they based in California which, if I remember
| correctly, has a law _requiring_ them to notify the victims of
| a data breach?
|
| Would they still have chosen to in the absence of such a law?
| We'll never know, I guess.
| [deleted]
| jiveturkey wrote:
| The real genius in the announcement is, "data hosted by a third
| party provider". Absolutely irrelevant, but subtly implying
| that the error was the fault of a third party.
|
| That will be the new norm in these kinds of announcements, I'm
| sure.
|
| Just like SolarWinds dropping "Team City", saying "no evidence"
| of a breach of it. So why mention it at all?
| throwaway5752 wrote:
| It's impossible to secure yourself against a devoted persistent
| threat group over the long term. The asymmetry of effort is not
| tractable to overcome.
|
| So they can take your security seriously, but they will be
| hacked, or they have already.
| ziddoap wrote:
| I don't think my post argues, or even attempts to argue,
| against your point.
|
| It was a light-hearted jest at the fact that this exact line
| is in every single breach notification I have read for the
| past few years.
|
| The more serious point I was alluding at was not "just don't
| get breached", it was that the "we care" line rings hollow
| after the 250th time reading it.
| throwaway5752 wrote:
| My misread, apologies. I think the "we care" is a dodge
| around the reality that most are uncomfortable with, which
| is, "we make your data safe as possible but we will likely
| be hacked and you should compartmentalize your personal
| data accordingly with that expectation". But I am no good
| with marketing.
| pseudalopex wrote:
| Most companies choose to collect data they don't have to.
| luser007 wrote:
| They put all of their users' eggs in one basket in the cloud.
| That makes for a very interesting target.
|
| They could have not done that. The users were probably
| unaware that their data was even placed on the cloud servers
| of some third party.
|
| Ubiquiti used to be cool. They've taken a nose dive in recent
| years in several ways: Firmware upgrade suddenly including
| telemetry by default, forcing people to use their NVR
| appliance instead of installing their software on their
| private servers, etc.
|
| Had Ubiquiti not moved people to "cloud solutions" an
| attacker would have to attack millions of people's equipment.
| Now he only had to attack one provider's network.
| unethical_ban wrote:
| I heard rumors about the telemetry thing, but that is
| usually an overhyped concern - unless it is sending flow
| logs or something.
|
| When did they stop allowing people to use a private server
| for central management? I see Unifi still has a network
| controller.
| luser007 wrote:
| Sorry for being obtuse - it wasn't my intention.
|
| I'm thinking of "Unifi Video" that is going out (EOL
| announced six months ago), where you could either buy
| their appliance OR download an official .deb package and
| install the NVR software on your own server.
|
| They replace that with "Unifi Protect" that comes ONLY as
| an NVR appliance. No more .deb packages. It also requires
| you to buy one of their other products (Cloud Key 2),
| IIRC.
| sounds wrote:
| I think it is possible to secure yourself against a devoted,
| persistent threat group.
|
| I think it's expensive, but possible.
|
| Do you have data to back up your claim that no one has ever
| successfully remained secure?
| not2b wrote:
| No one could possibly prove this kind of negative.
| snoshy wrote:
| Why not? All you have to do is point to one particular
| company whose systems have not been verifiably breached
| after having resisted actual attempts.
| someguydave wrote:
| most attacker groups would be unlikely to share that
| result
| WaitWaitWha wrote:
| > one particular company whose systems have not been
| verifiably breached
|
| The unknown unknown. How can you be sure all the
| "resisted actual attempts" have even been detected?
| aborsy wrote:
| By ruling out known knowns, known unknowns and unknown
| knowns.
| imoverclocked wrote:
| Challenge accepted?
|
| Just because known attempts have failed doesn't mean the
| unknown ones have too.
| swirepe wrote:
| My name is Ozymandias, King of Kings; Look on my Works, ye
| Mighty, and despair!
| rodgerd wrote:
| What evidence do you have that anyone has?
| ikiris wrote:
| When was the last time you heard of a google user data
| breach?
| rodgerd wrote:
| https://www.forbes.com/sites/kateoflahertyuk/2018/10/09/g
| oog...
|
| https://arstechnica.com/information-
| technology/2013/11/googl...
|
| Maybe you should know _literally anything_ about the
| topic at hand before making sweeping assertions? I
| realise that's asking a lot here at HN, but it would
| improve the site a lot.
| [deleted]
| mirthflat83 wrote:
| I mean, should they say that they don't care about your
| security?
| kenniskrag wrote:
| they should tell me, what they are going to improve. :)
| ziddoap wrote:
| Weird polar opposite stance.
|
| No, that is not what I'm saying. I'm saying don't put
| platitudes in a breach notification.
| BHSPitMonkey wrote:
| It rolls off the tongue better than "We now wish to begin
| taking your security seriously"
| tiernano wrote:
| Bit more from reddit ubiquiti forum.
| https://reddit.com/r/Ubiquiti/comments/kv9fc8/ubiquiti_email...
| p0p0bawa wrote:
| ooooh, turn off "Remote Management" if you use Unifi products and
| are concerned
|
| https://help.ui.com/hc/en-us/articles/115012240067-UniFi-How...
| exabrial wrote:
| Ubiquiti has typically been the "cloudless" provider which is why
| I've used their stuff. They've been sorta moving in a disturbing
| direction for cloud control. I don't want that risk.
| centimeter wrote:
| Cloudless if and only if you run their gigantic bloated Java
| network management tool.
|
| I really like ubiquiti hardware but I got fed up with their
| software BS. Now I use either Mikrotik or TP-Link's industrial
| offerings. Both are way easier to work with than ubiquiti and
| the hardware is usually in the same tier.
| vetinari wrote:
| Mikrotik? Easier?
|
| Do not get me wrong, I love Mikrotik, but _easier_ would not
| the word I would be using. This image
| (https://www.reddit.com/r/mikrotik/comments/jyjgnc/mikrotik_v...)
| sums it up neatly.
|
| Also, Mikrotik is not directly comparable, you cannot replace
| Unifi Controller with Capsman.
| exabrial wrote:
| ... we run it on a raspberrypi. Not sure I'd call that
| gigantic or bloated.
| jandrese wrote:
| RasPis have a fair bit more grunt than people give them
| credit for.
|
| The big problem with the Ubiquiti thing is that it takes a
| long time to start, so if your usage model is to start it
| whenever you want to make a change it's rather piggish. If
| you start it once and leave it running forever on a
| dedicated device it's not nearly as bad.
| NikolaeVarius wrote:
| It's not a great solution. The application logs and writes
| to storage a lot.
|
| Also it usually works fine, but when it breaks, it breaks
| HARD
| sjm-lbm wrote:
| They have a little device (IIRC they call it "cloud key" or
| something like that) that runs that interface pretty well.
| Much better than setting that UI up on a device yourself.
| imposterr wrote:
| You can also just run a docker container for it [0]. This has
| the added benefit of separating your data from the runtime so
| you can move it around as if you had a physical cloud key.
|
| [0] https://hub.docker.com/r/linuxserver/unifi-controller
| centimeter wrote:
| I shouldn't have to run a docker appliance for my network
| appliances to function. Are you kidding me?
| secabeen wrote:
| You don't. The docker appliance (or whatever platform you
| use to run the controller) only is needed for config
| changes. You can shut it down when finished making
| changes and everything runs fine. The install at my mom's
| house has the Windows controller, and I don't think it's
| run in 6 months.
| jlgaddis wrote:
| I've been running the Unifi controller on a Raspberry Pi 2
| for four or five years now with no problems that I can
| recall.
|
| After the initial installation and configuration was done,
| I've probably only logged into it a handful of times.
|
| (With the exception of their APs and said controller, I avoid
| Ubiquiti as much as possible, though.)
| alex_suzuki wrote:
| You don't need their Java client (which I agree, is BS) if
| you use a Cloud Key or a UDM PRO.
| bluedino wrote:
| Ubiquiti is in a weird market, where they are better than
| Linksys/Netgear etc, but they are crap compared to something like
| Meraki.
|
| Their support isn't very good (they point you to a forum), their
| hardware replacement is spotty (sorry, out of stock, you'll have
| to wait!), and their hardware/software is buggy. We had 48 port
| switches that would randomly reboot, for example.
|
| They can be a decent solution for SMB wifi, but that's as far as
| I would go. Nothing mission-critical unless you are willing to
| make compromises you wouldn't have to with a bigger vendor.
| oehtXRwMkIs wrote:
| Are there any 48 port switches you would recommend? I've
| concluded that they're overpriced compared to multiple 24 port
| switches for example but I'm hoping I'm wrong. Never heard of
| Meraki for example.
| vetinari wrote:
| Meraki is a Cisco brand. Its most important feature is that
| once you buy into it, you are going to pay a yearly license
| fee.
| rconti wrote:
| My Meraki APs were replaced with Ubiquiti (MR32 -> AP AC Pro)
| and holy god what a difference. The Merakis just had absolutely
| AWFUL range. I tried everything I could for years, and they
| were just terrible.
| comboy wrote:
| Argh, why do I learn about this from HN when they pretty much
| force me through the cloud login with UDM-Pro. Nothing in the
| dashboard. Also I think http://unifi/ is crap from a security
| standpoint. Their threat management also seems to be just some
| kind of a bad joke. They could for example do a nice hardware
| based honeypot that you have to untrigger with physical access.
| They could offer so much more for prosumers providing sane
| defaults for a common case of having multitude of devices at your
| home which can be categorized as intruder but expect to be on the
| same network as your phone.
|
| Is there a better alternative? When I tested multiple routers
| mostly regarding low latency, network stability and reliability a
| few years ago nothing came close, especially when having multiple
| access points.
| second--shift wrote:
| Another endorsement for mikrotik here...spent a lot of time in
| the WISP space and doing CPE installations. Mikrotik all the
| way down - text config files (version control), ssh-like remote
| terminals on all endpoints, full feature-set on even the most
| basic hardware. I've taken them into other jobs and other
| engineers have been happy with them.
|
| The cons are that everything has one or more "mikrotik" way of
| doing things, and it may not be intuitive to the new user.
| Also, although everything is included, you have to set it all
| up yourself.
| fivesixzero wrote:
| I've become a big fan of MikroTik routers and 10G/SFP+
| router/switch hardware in the last few years. Their web UI and
| SSH console are a bit quirky but the performance is pretty
| great for the price.
|
| My primary use case for their gear at home was to have a router
| that can handle a LACP WAN bond for my fancy cable modem as
| well as connecting to a 10G Ethernet switch via copper or
| direct-attached SFP+ to a CRS-305 10G switch. Their RB-4011 was
| a perfect fit, without any of the Ubiquiti SSO/controller stuff
| to worry about.
|
| I haven't explored their WiFi products yet (still using an old
| router as an AP) but their product range is pretty broad. Might
| look into it this year though.
| aborsy wrote:
| Does it support Wireguard?
|
| Also RouterOS does not seem open source.
| fivesixzero wrote:
| Sadly RouterOS isn't open source. They've received a bit of
| flak for their "available on request" stance on getting GPL
| sources too. The fact that their GPL patches aren't readily
| available is pretty uncool.
|
| WireGuard isn't supported on RouterOS 6, which is the
| current stable version, afaik. RouterOS 7 (currently
| available in beta) did add support for WG in August though, as
| part of 7.1beta2 [1].
|
| [1] https://mikrotik.com/download/changelogs/development-
| release...
| vetrom wrote:
| RouterOS is not, but Mikrotik added wireguard support to
| their firmware sometime in mid-late 2020. IDK if it's out of
| beta yet.
| carlhjerpe wrote:
| No, still very shitty beta sadly. In mikrotik communities
| routeros7 is a meme (it'll never arrive). Even though it's
| here, it's not.
| pilsetnieks wrote:
| V7 supports Wireguard and UDP OVPN, it's in beta but
| reasonably stable, at least for home use.
| ahepp wrote:
| Do you know how ubiquiti's "edge" line compares to mikrotik?
| gh02t wrote:
| Having owned several products from both, Mikrotik
| equivalents are generally way more feature packed but I
| find them hard to use. EdgeMax stuff is more polished, but
| has fewer features. Performance is comparable.
| Lammy wrote:
| I'm a Mikrotik user, not a Ubiquiti user, but looks like
| the closest match would be Mikrotik's CRS (Cloud Router
| Switch) line. My home network is a CRS317-1G-16S+RM at the
| core and three CRS305-1G-4S+IN (one in each room), all
| running SwitchOS/SwOS instead of the stock RouterOS (they
| dual-boot, your choice), and I am very happy with them.
| ethanpil wrote:
| What APs do you use with a MikroTik setup?
| mesh wrote:
| Just for reference, I did receive an email from them.
| cptskippy wrote:
| I received one as well approximately an hour ago.
| killion wrote:
| I still haven't received one, I'll update this comment if I
| do.
| novaleaf wrote:
| I haven't got an email yet either
| linsomniac wrote:
| I'm in the process of replacing my home Ubiquiti
| infrastructure. Here's what I've decided on:
|
| Replace the US-24-250W PoE switch with an Aruba Networks
| S2500-24P (gigabit and PoE, 4x 10gig ports, quiet).
|
| Replace the Cloud Key Gen 2 with BlueIris for camera
| controller. I expect this will be able to connect to the
| existing Ubiquiti cameras.
|
| Possibly add one or more Ruckus R610 APs running in "Unleashed"
| mode to augment my Google WiFi. I'm happy with the Google WiFi,
| and in particular it has good tools for managing kids access to
| WiFi. But the Ruckus APs are quite good and so I may move
| parent and IoT access over to Ruckus, separate out IoT devices
| to their own network.
|
| This is the end of phase 1. Then I plan to go on to:
|
| Add an OPNsense router. Currently not using Ubiquiti for
| routing, the Google WiFi is our main router. Would like to gain
| additional capabilities like insight into what the kids are
| doing.
|
| Replace the Ubiquiti Dome G3 with one of the less expensive 4K
| cameras if they seem to provide similar or better
| functionality. Also trying out the Wyze Cam v3, which seems ok
| and the price sure is right, but is more of an augment camera
| than a main camera, I prefer wired and PoE.
|
| I've been doing some research and those are the options that
| seem attractive. In particular, going with old enterprise gear
| looks to be a huge win. You do lose that handy "single pane of
| glass" management. But considering the problems I'm having with
| Ubiquiti, and the upgrades I've already done to try to get past
| them, with only some success, I can't bring myself to go
| further in on Ubiquiti.
| Johnny555 wrote:
| The reason most people go with Ubiquiti for home use is the
| price -- that Aruba switch costs $3500 new. The Ubiquiti one costs
| about 1/10th that at $399.
|
| Can you get free firmware updates from Aruba or do you need a
| support contract?
| napkin wrote:
| Fitlet2 looks rather nice to me. Outfitted with an Intel J3455
| CPU, and 2-4 Intel NICs, it is really power efficient for its
| performance class (idles at ~6 watts, for those that care).
| There are also some Chinese companies producing slightly
| cheaper boxes in this category- Qotom, Kettop, Protectli.
|
| When it comes to software, I'm a bit conflicted. I like
| pfsense, but Netgate has gone a bit sour with the FLOSS
| community. I'd also consider OpenWRT, FreeBSD, OpenBSD.
| dont__panic wrote:
| Did you happen to write up the results of your router tests?
| I'd be really interested in reading up on them! I recently
| picked up an old Apple Airport Extreme so I could easily set up
| Time Machine backups on my network, but obviously Airports have
| their own host of issues so I'd be really interested in
| upgrading soon.
| comboy wrote:
| I don't, but it was a narrow case. Part of my home-made home
| automation runs on wifi so I was focusing on low latency and
| no packets lost when using wifi in my specific building. Top
| of the shelf routers all had some occasional hiccups. I think
| the good old WRT54GL did much better than them. Plus it was
| done with the set of wifi receivers available to me at the
| time (mostly cheapos connected to rpis & esp8266).
|
| This is not a common use case, I was not interested in high
| bandwidth. I did try to disable beamforming and all other
| fireworks when testing though (but did tests with default
| settings too)
| ballenf wrote:
| A second-hand Mac mini is an alternative that I've used for
| network Time Machine backup targets. Can also turn on caching
| iCloud/App Store/system updates for your home, if bandwidth
| is metered and/or slower than your local speeds.
| ViViDboarder wrote:
| I turned off cloud login a while back. There's a toggle in the
| settings for this.
| imposterr wrote:
| I was confused by the parent comment too. Aside from the
| remote management features, if you turn off cloud login you
| still get everything else. Maybe it's something specific to
| the USG Pro? I've only used the smaller USG.
| altano wrote:
| I recently invested in UniFi hardware with the UDM Pro and
| this isn't correct. UniFi Protect (the video security line)
| requires remote access and Ubiquiti Cloud accounts or it
| will break in a million weird ways. If you disable cloud
| login you cannot reasonably use UniFi Protect.
| comboy wrote:
| Not USG but UDM-PRO. It was the first device from them that
| required me to make a Ubiquiti account to set it up.
| _jal wrote:
| It does look like newer systems require ui.com
| login/integration.
|
| Which means I'll be replacing mine, they're delusional if
| they think this is OK. It is hard enough keeping a secure
| network without the vendor intentionally backdooring it.
| p0p0bawa wrote:
| I run a Netgate SG-5100 (pfSense) as the main router; the
| UniFi controller and access points are all behind the firewall.
| The APs and switches are really good, not the DPI/IPS/IDS
| solution (those suck).
| aborsy wrote:
| Great router!
|
| The only issue I have with Netgate is pricing!
| SparkyMcUnicorn wrote:
| Protectli is a pretty common alternative.
| watsonkr wrote:
| I'm running pfsense as my router and TP-Link access points. I
| run their controller in a container locally and everything
| works great together. Super happy.
|
| I think for some use cases this setup could be a nice
| alternative (and cheaper) to ubiquiti.
| hendersoon wrote:
| Ubiquiti let users disable the cloud logins with UDM Pro, after
| a pretty big backlash on their forums.
|
| You do need a Ubiquiti account to setup the hardware in the
| first place, but you can turn off cloud access and login
| locally after that. And you should.
| frisco wrote:
| How? I have been looking for this setting but haven't been
| able to find it.
| pimeys wrote:
| Just ordered a Chinese box with 8th gen U-series i5, 8 GB of
| RAM and 120 GB of SSD. Has six ethernet connections, HDMI and
| COM. Planning to install OpenWRT to it, and with AES-NI the
| system should be easily able to push the full 1 Gbps of traffic
| through Wireguard.
|
| I've had whatever routers before, but when using some VPN to
| hide the traffic from your home network, and if you have a
| fast enough internet connection, a good CPU is a must.
| unethical_ban wrote:
| Link to the box you got? That sounds interesting.
| dpzmick wrote:
| Similar boxes are on Amazon, with worse(ish) specs, under
| the brand "Protectli".
| AndrewDavis wrote:
| Also curious, and wondering how much that cost.
| xvf22 wrote:
| $350ish; search AliExpress for "i5 7200U firewall".
| pimeys wrote:
| Oh, sorry!
|
| These are available from Europe, but I've heard good things
| from US about similar boxes. Not the same brand, but
| similar hardware.
|
| https://www.amazon.de/gp/product/B08JHKZMTN/ref=ppx_yo_dt_b
| _...
|
| Let's see how it works, but I expect it to be much faster
| than my current ARMv7 box. Of course if you have space for
| a rack, go with something actively cooled. In our
| apartment, we expect the router to not make any noise.
| pilsetnieks wrote:
| Despite the name in the Amazon listing, it has nothing to
| do with Mikrotik; also a 1Gbit ARM Mikrotik
| router/firewall can be had for considerably less.
| pimeys wrote:
| How fast are the ARM CPUs they have in their routers, do
| they support AES-NI, and how much data can you push with
| VPN encryption through their boxes?
|
| The current ARMv7 I have goes to about 100 degrees
| Celsius and load in the range of 4 to 6 when downloading
| a bunch of data at full speed.
| searchableguy wrote:
| Raspberry Pi 4 compute module is great for building your own
| router. You can attach a PCIe network extension. All of that
| would cost around $80. Flash one of the router firmwares built
| for the Pi, such as OpenWrt or pfSense.
|
| https://www.raspberrypi.org/products/compute-
| module-4/?varia...
| pimeys wrote:
| It lacks AES-NI though, so it's missing encryption hardware and
| would be subpar if running a VPN client for the network...
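Several replies in this subthread ask whether a given box (x86 or ARM) has hardware crypto support for running a VPN at line rate. The following is an added example, not something posted in the thread: a small POSIX shell check that reads a `/proc/cpuinfo`-style file and reports the flags that matter. It relies on two facts: x86 Linux lists CPU features on the `flags` line (`aes` = AES-NI, `avx2` = AVX2), while ARM Linux lists them on the `Features` line (`aes` = ARMv8 Crypto Extensions, `neon`/`asimd` = SIMD). Note that WireGuard uses ChaCha20-Poly1305, not AES, so for WireGuard the SIMD flags are the relevant accelerators; the AES flags matter for IPsec or OpenVPN with AES ciphers. The sample cpuinfo excerpts are constructed, not captured from real hardware.

```shell
# Added example (not from the thread): report CPU features relevant to VPN
# throughput by parsing a /proc/cpuinfo-style file.
# x86: "flags" line, "aes" = AES-NI, "avx2" = AVX2.
# ARM: "Features" line, "aes" = ARMv8 Crypto Extensions, "neon"/"asimd" = SIMD.

cpu_has_flag() {
    # $1: cpuinfo file, $2: flag token. Exit status 0 if the token is present.
    # Only the first CPU's line is inspected; all cores normally report the same set.
    grep -iE '^(flags|Features)[[:space:]]*:' "$1" | head -n 1 \
        | tr ' \t' '\n\n' | grep -qx -- "$2"
}

vpn_crypto_report() {
    # Prints one line per feature as "<flag>=yes|no".
    # $1: cpuinfo file; defaults to the live /proc/cpuinfo.
    file="${1:-/proc/cpuinfo}"
    for flag in aes avx2 neon asimd; do
        if cpu_has_flag "$file" "$flag"; then
            echo "$flag=yes"
        else
            echo "$flag=no"
        fi
    done
}

# Constructed sample cpuinfo excerpts (not captured from real hardware).
SAMPLE_X86=$(mktemp)
cat > "$SAMPLE_X86" <<'EOF'
processor : 0
model name : example x86-64 U-series CPU (constructed)
flags : fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 aes avx avx2 rdrand
EOF

SAMPLE_ARMV7=$(mktemp)
cat > "$SAMPLE_ARMV7" <<'EOF'
processor : 0
model name : ARMv7 Processor (constructed)
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
EOF

# Usage: run vpn_crypto_report with no argument on the box itself;
# here it is run against the constructed samples.
echo "x86 sample:";   vpn_crypto_report "$SAMPLE_X86"
echo "ARMv7 sample:"; vpn_crypto_report "$SAMPLE_ARMV7"
```

The exact-token match (`grep -x`) matters: a substring test would report `aes` as present on a CPU whose flags line contains only `vaes`, and `avx` as satisfying an `avx2` check.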
| tjohns wrote:
| It's worth noting that the Unifi gateways have hardware
| offload for traffic routing.
|
| While a Raspberry Pi might work for some folks, it's worth
| noting that these are two very different performance
| classes.
| aborsy wrote:
| How is it great with one NIC?
|
| Ethernet adapter and USB speeds seem less than ideal.
| searchableguy wrote:
| I don't need many ethernet ports so it works for me. My
| home network speed is less than a gigabit.
|
| It's definitely not for people like OP but may work for
| other people who don't want to pay much and still have
| something decent that they can hack themselves.
| jsight wrote:
| A Pi 4 can handle about 1 Gb without issue. It is a great
| option for consumer workloads at consumer prices. I've
| certainly seen far worse consumer gear.
| comboy wrote:
| I still put the important part of my network behind my own
| router similar to yours (and in terms of security I think
| ubuntu server + whatever you need has likely much smaller
| attack surface than OpenWRT which is a piece of software just
| too tasty not to be exploited).
|
| Outside that, wifi part is hard to get right and smart
| switches are nice to have, but they are PITA if the firmware
| is never updated and there's no single place to nicely manage
| it all.
| pimeys wrote:
| I already have UniFi APs, the controller running on
| my NAS and a good switch for the current setup.
|
| Do you have some better suggestions for the router
| software? I'd love to run Opnsense, but a native Wireguard
| client is a must, and so is a good web interface for the
| setup.
| waynesonfire wrote:
| I've got this on my todo list of projects. Looks super
| interesting. There seem to be a lot of flavors of these boxes
| and I'm having a difficult time figuring out which one will work
| best. I don't know anything about the manufacturers.
| centimeter wrote:
| FWIW, I tried using OpenWRT on a box with similar specs to
| yours and it was a nightmare. Ended up using FreeBSD instead
| and it was a vastly better experience. I think OpenWRT might
| only be worth it on very low-spec hardware.
| pimeys wrote:
| Hey! Could you please share what you think didn't work so
| well with OpenWRT? I'm currently running a Turris Omnia
| with their custom OpenWRT that I know how to use and it's
| been working quite well. What's missing is a better CPU to
| run the Wireguard encryption full speed through our fast
| internet connection.
|
| I'm seriously thinking about pfSense or OPNsense, but
| FreeBSD still lacks native WireGuard support, leaving the
| encryption to the Go implementation, which is subpar for
| our use cases. But I'd be happy to run OPNsense, with
| jails and all those goodies from FreeBSD.
| petrohi wrote:
| Have you tried MikroTik gear?
| ex_ubiquiti wrote:
| As a former Ubiquiti employee, I'm sad to watch the slow decline
| of the company. There was a steady exodus of engineering talent
| through 2020. The CEO was focused on moving to countries where
| engineering was cheaper and employees complained less about
| constant crunch mode. If you search around, you can find
| interviews where he brags about closing the San Jose office
| because he thought everyone there was too entitled.
|
| The saddest part is that we had many good engineers who could
| have continued to do amazing things with the UniFi momentum. So
| much time was wasted on dead end products like FrontRow. Most
| everyone I know left for jobs where we were treated better and
| paid more.
| omni wrote:
| Does anyone have a better link for this, preferably one hosted on
| Ubiquiti's own site somewhere?
| reillychase wrote:
| The newsletter looks suspicious, but I confirmed with a Ubiquiti
| employee that it is legit.
| DetroitThrow wrote:
| Not that I distrust you or am asking you to make a change,
| but it would help if they were to at least post the mailchimp
| link on their social media.
| enzanki_ars wrote:
| They have an official thread/announcement on their
| community forum:
| https://community.ui.com/questions/Account-
| Notification/9646...
| DetroitThrow wrote:
| Thank you!
|
| @dang, the forum post is more appropriate here than the
| mailchimp link - its source is unambiguously UI.
| unethical_ban wrote:
| I mean, it's hardly a phish. It doesn't try to directly link
| to an action page, and the requested actions are somewhere
| between "FYI" and "Hey, change your password and strengthen
| your security".
| bardworx wrote:
| I received an email from Ubiquiti that is 1:1 to this post. It
| did not provide a link to a statement on their website, but I can
| confirm it's real.
|
| I can post a screenshot or something if necessary.
| enzanki_ars wrote:
| They have an official thread/announcement on their community
| forum: https://community.ui.com/questions/Account-
| Notification/9646...
| u678u wrote:
| https://community.ui.com/questions/Account-Notification/9646...
| isn't much.
| Belphemur wrote:
| They didn't do a press release yet for it.
|
| This is the email users directly received.
| zkms wrote:
| For what it's worth, I can attest to receiving such an email
| from Ubiquiti about 40 minutes ago.
| [deleted]
| dustinmoris wrote:
| Ubiquiti had a data breach, but what could hackers possibly want
| to know which we didn't know already? All their customers are
| overpaid engineers who got sucked into dumb influencer marketing
| convincing them to buy overpriced industrial grade networking kit
| for their 50m2 flat. </sarcasm>
| weehoo wrote:
| Ehh they make great products for smb/coliving/coworking spaces,
| where you need better hardware than the box the ISP gives you
| but you don't need the kitchen sink that comes with Cisco.
| Simple enough that a slight savvy frat bro or small business
| owner can set it up in an afternoon and have seamless handoff
| across a large space with several access points and PoE.
| cyberpunk wrote:
| Or if you live in a four story house with half a meter of
| concrete between every floor...
|
| I'm really happy with my UniFi kit..
| dustinmoris wrote:
| Ubiquiti is amazing for your home. You can cycle 50km on your
| Peloton and still get excellent WiFi signal. Which other
| router can deliver such outstanding performance!
| seattle_spring wrote:
| While I would choose a less abrasive way of stating it, I agree
| with your underlying assessment. At the recommendation of
| basically every networking forum and subreddit, I bought some
| Ubiquiti stuff to power networking and wifi for a new place I
| recently moved into. It cost 3x what a mid to high-end Linksys
| would have cost, and as far as I can tell provides literally
| negative benefit for my purpose:
|
| Specifically, rather than a single box and an easy interface, I
| now have 3 devices that all require their own power bricks,
| connected via Ethernet cables, and a UI that required reading
| all sorts of documents and tutorials just to mimic the
| functionality of my last consumer-grade router. Not to mention
| the wifi coverage isn't even as good as my old router, even
| when adjusting a bunch of settings from default based on said
| tutorials.
|
| I'm not saying that this hardware isn't worth it for some
| people, but for anyone who uses it for regular streaming and
| remote working, it's completely not worth the expense, hassle,
| and inconvenient form factor.
| causalmodels wrote:
| I'm sure their fancier equipment is probably a nightmare of a
| time sink, but the little kits you can buy are dead simple for
| nontechnical people to set up and use. My parents have
| plaster walls and the modem lives in the basement, so they
| have huge problems with coverage even though their house
| isn't very big. This is sort of silly, but the connection
| speed gauge on their router is super helpful because they get
| confused with things like checking internet speed.
| turblety wrote:
| That link looks awful on a mobile browser. Isn't MailChimp
| supposed to make responsive emails easy?
|
| It's so bad, they have disabled pinch to zoom, so I just
| horizontally scroll.
___________________________________________________________________
(page generated 2021-01-11 22:00 UTC)