Ubiquiti network gear

/media/images/ubiquiti_img_20190927_070411.jpg

I've been having wireless access point problems on my home network for a while. Clients on the wifi network would speed up and slow down every few seconds and the overall throughput was super slow. I've been thinking about updating my network infrastructure for several years and I finally pulled the trigger, buying a router, switch, and access point.

Against my better judgement I bought a Ubiquiti EdgeRouter X and a Ubiquiti UniFi access point. Ubiquiti makes well-regarded network equipment, but I didn't anticipate how over-engineered their software actually was. Following the instructions to set up their router required installing almost 20 Docker services, registering a new user and creating a mess of my virtual network interface list. When I ran this software to ostensibly discover my new router, the first thing it asked me was whether I was an ISP. After a long registration process where I had to add a new IP address to my NIC, I finally got it to recognize the router and learned this was all unnecessary. The router comes up with a sensible default of 192.168.1.1 and you can log in to it directly.

Here's my Docker container list (just before I uninstalled it all):

[06:43]hydra:~/temp/ubiquiti$ docker ps
CONTAINER ID        IMAGE                     COMMAND                  CREATED             STATUS              PORTS                                                                NAMES
b74ef50ad6e2        ubnt/unms:1.0.2           "/usr/bin/dumb-init …"   45 hours ago        Up 45 hours                                                                              unms
5294edff5fdf        ubnt/unms-crm:3.0.2       "make server_with_mi…"   45 hours ago        Up 45 hours         80-81/tcp, 443/tcp, 9000/tcp, 2055/udp                               ucrm
ca391d58603e        ubnt/unms-netflow:1.0.2   "/usr/bin/dumb-init …"   45 hours ago        Up 45 hours         0.0.0.0:2055->2055/udp                                               unms-netflow
9e26a3e776bf        ubnt/unms-nginx:1.0.2     "/entrypoint.sh ngin…"   45 hours ago        Up 45 hours         0.0.0.0:81->81/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:30080->30080/tcp   unms-nginx
2595e3c62647        postgres:9.6.12-alpine    "docker-entrypoint.s…"   45 hours ago        Up 45 hours                                                                              unms-postgres
f51447f59e3f        rabbitmq:3.7.14-alpine    "docker-entrypoint.s…"   45 hours ago        Up 45 hours                                                                              unms-rabbitmq
ec00145fe15c        redis:5.0.5-alpine        "docker-entrypoint.s…"   45 hours ago        Up 45 hours                                                                              unms-redis
7852fe552dab        ubnt/unms-fluentd:1.0.2   "/entrypoint.sh /bin…"   45 hours ago        Up 45 hours         5140/tcp, 127.0.0.1:24224->24224/tcp                                 unms-fluentd

Here's what it removed when I ran the uninstall script. Afterwards I had to remove the unms user account it had added to my system!

[06:57]hydra:/tmp$ sudo ~unms/app/unms-cli stop
[sudo] password for na:
Removing unms          ... done
Removing ucrm          ... done
Removing unms-netflow  ... done
Removing unms-nginx    ... done
Removing unms-postgres ... done
Removing unms-rabbitmq ... done
Removing unms-redis    ... done
Removing unms-fluentd  ... done
Removing network unms_public
Removing network unms_internal
UNMS stopped.
To completely remove all UNMS data, please delete directories /home/unms/data and /home/unms/app
You may also wish to remove the UNMS user account.

The first warning sign that I had made a mistake purchasing Ubiquiti equipment was the Android and Facebook icons on the login page. Then there was the EULA where I had to agree to let them sell my information to a third party, and the checkbox to sign up for spam. Surprisingly, the router software (called EdgeOS) was fine. It's based on Debian and they give you direct SSH access to the board. The hardware even has a populated serial console!

/media/images/edgerouter_2019-09-27_07-28-20.jpg

My goal with the router was to get something that was up to date, flexible, and powerful enough to block ads (à la Pi-hole). There were notes online indicating this was possible within EdgeOS, but the presence of those third-party icons and the EULA left a sour taste in my mouth. Fortunately the router is supported by OpenWrt.

I read and re-read the process of flashing the OpenWrt firmware and did a bunch of experiments with TFTP boots before I felt confident enough to pull the trigger. Thankfully everything worked the first time, and now I have a much better UI, console, and feature list. OpenWrt has three different ways you can configure it to block ads (though I realize that with the imminent move to DNS over HTTPS this will become less useful) and a ton of features I will probably never use but am happy to know are there.

Setting up the Ubiquiti UniFi wireless access point was a different can of worms. It turns out I couldn't use the same software I had already installed to set up my router. All I wanted to do was set up an SSID and password, but the installation instructions made me register with the Ubiquiti forums. The UniFi software uses a MongoDB back end and a Java app that won't install on my Linux system because it requires dependencies that are too old for my repo (Ubuntu 18.04), so I had to move to my dad's old Mac laptop to get it set up. The app was 360MB and the configuration process kept pushing me to do 'cloud configuration' and to register on their forums. I eventually found a third way to configure things under the hidden advanced settings, but not before I created an account, gave them my email, and agreed to be tracked and sold to third parties.

When it finally let me discover and configure the device, it was a matter of just setting up the SSID and password. The Java app provides a nice dashboard showing connected devices as graphics floating in space, but I don't really care. I just want a wireless AP on my network. The application has a lot of options that are unavailable and nag you to buy their security portal box. Mostly this is stuff like buttons or links that suggest they'll configure your connected devices but which return a blank page telling me I can only use this feature after I buy another one of their products. Classy.

The access point didn't work for a while after I set it up, and I poked around in the app to discover why. To my dismay it was updating its firmware (automatically) and 'provisioning' (whatever that is) from the internet. So I guess I have a device on my network that doesn't belong to me. I can't wait until my computer is hacked because the access point lets advertisers or the government log in. The hardware is fine, but this is the wrong product for me, and I would argue it's the wrong product period, but I know most people don't care about their privacy or security until it inevitably becomes a problem.

I switched everything over last weekend and it's been running fine. I'm particularly pleased with my OpenWrt router. Here are some notes on how I set it up.

I bought a Ubiquiti EdgeRouter X.

I used my USB serial adapter to connect to the console:

Pin Value       Connection
1 - 3.3?        X
2 - RX          Brown (TX)
3 - TX          RED (RX)
4 - GND         Black

As a router, the device comes up as a client on the WAN port (eth0) and as a switch with an address on the other LAN ports. The default address on the LAN side is 192.168.1.1.

The board supports SSH out of the box, but they seem to have added firmware signatures since the OpenWrt wiki page was written, and I was unable to flash the firmware following the wiki. Here's a log of the failed upgrade:

cd ~/temp/ubiquiti/
<moved cable to eth1>
scp openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin ubnt@192.168.16.2:/tmp/
ssh ubnt@192.168.1.1

ubnt@ubnt:~$ cd /tmp
ubnt@ubnt:/tmp$ md5sum openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin
db67263ea2e9f1267bea354119e6436f  openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin
ubnt@ubnt:/tmp$ add system image openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin
Version [v1.9.7+hotfix.3.5013617.170830.0227] is about to be replaced
Are you sure you want to replace old version? (Yes/No) [Yes]:
Checking upgrade image...Upgrade image does not support the device. Upgrade failed.

Since it refused over SSH with their kernel, I used the serial cable to TFTP boot the OpenWrt kernel and update the firmware from there.

Installing tftpd:

sudo apt install tftpd-hpa tftp-hpa
sudo mkdir /tftpboot
sudo chown na:na /tftpboot

# modify /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"

I downloaded the kernel and sysupgrade images from here

The bootloader supports booting over TFTP, but it uses eth0 as the primary interface. After the image has booted, however, that port is used for the WAN, so you have to switch the cable to eth1 to SSH into it.

[19:22]hydra:/tftpboot$ ll
-rw-rw-r-- 1 na na 3.3M Sep  8 12:23 openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin
-rw-rw-r-- 1 na na 3.4M Sep  9 18:56 openwrt-18.06.4-ramips-mt7621-ubnt-erx-squashfs-sysupgrade.tar
lrwxrwxrwx 1 na na   59 Sep  9 19:22 openwrt.bin -> openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin

I booted with option 1 into my openwrt.bin, switched my cable to eth1, and copied the squashfs sysupgrade file to the board with:

[19:26]hydra:/tftpboot$ scp openwrt-18.06.4-ramips-mt7621-ubnt-erx-squashfs-sysupgrade.tar root@192.168.1.1:/tmp/

Finally the upgrade itself:

root@OpenWrt:/tmp# sysupgrade -n openwrt-18.06.4-ramips-mt7621-ubnt-erx-squashfs-sysupgrade.tar
Commencing upgrade. Closing all shell sessions.
Watchdog handover: fd=3
- watchdog -
killall: telnetd: no process killed
Sending TERM to remaining processes ... uhttpd udhcpc odhcp6c ntpd dnsmasq ubusd logd rpcd netifd odhcpd
Sending KILL to remaining processes ...
Performing system upgrade...
1+0 records in
1+0 records out
Unlocking kernel1 ...

Writing from <stdin> to kernel1 ...
Volume ID 0, size 14 LEBs (1777664 bytes, 1.6 MiB), LEB size 126976 bytes (124.0 KiB), dynamic, name "rootfs", alignment 1
Set volume size to 244301824
Volume ID 1, size 1924 LEBs (244301824 bytes, 232.9 MiB), LEB size 126976 bytes (124.0 KiB), dynamic, name "rootfs_data", alignment 1
sysupgrade successful
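As an added example (my own script, not from the original post), here is how I would stage the two images into the tftp root for the boot-and-sysupgrade steps above, but only after checking each against a sha256sums file and sanity-checking the TFTP_OPTIONS value from /etc/default/tftpd-hpa. The download directory, tftp root and sha256sums file are assumed inputs.

```shell
#!/bin/sh
# Added example, not from the original post: stage the two OpenWrt images for
# the EdgeRouter X TFTP boot above, verifying each against a sha256sums file
# first and sanity-checking the tftpd-hpa options. Paths are assumptions.
set -eu

KERNEL_IMG="openwrt-18.06.4-ramips-mt7621-ubnt-erx-initramfs-kernel.bin"
SYSUP_IMG="openwrt-18.06.4-ramips-mt7621-ubnt-erx-squashfs-sysupgrade.tar"

# Compare an image's SHA-256 with the entry in a sha256sums file (OpenWrt's
# files use "hash *name"; plain "hash  name" is accepted too). Returns 1 on a
# missing entry or a mismatch, so nothing gets staged from a tampered download.
verify_image() {  # $1 = image path, $2 = sha256sums file
    name=$(basename "$1")
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2); if ($2 == f) print $1 }' "$2")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Check the TFTP_OPTIONS value: --secure chroots tftpd into the served
# directory and is required; --create lets any client upload files into that
# directory, which serving a kernel never needs, so it is only reported.
check_tftp_options() {  # $1 = TFTP_OPTIONS string
    case " $1 " in
        *" --secure "*) ;;
        *) echo "tftpd is not chrooted: add --secure" >&2; return 1 ;;
    esac
    case " $1 " in
        *" --create "*) echo "note: --create allows uploads to the tftp root" >&2 ;;
    esac
    return 0
}

# Copy both verified images into the tftp root and point openwrt.bin (the
# name given to the bootloader) at the initramfs kernel, replacing any old link.
stage_images() {  # $1 = download dir, $2 = tftp root, $3 = sha256sums file
    for img in "$KERNEL_IMG" "$SYSUP_IMG"; do
        verify_image "$1/$img" "$3" || { echo "refusing to stage $img" >&2; return 1; }
        cp "$1/$img" "$2/"
    done
    ln -sfn "$KERNEL_IMG" "$2/openwrt.bin"
}
```

Run it as `stage_images ~/Downloads /tftpboot ~/Downloads/sha256sums` once the images and the matching sha256sums file are in place; a mismatch aborts before anything is copied.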

It only took a few seconds, and when I rebooted I was running OpenWrt. If you're technically inclined, have a USB-TTY cable, and want a nice OpenWrt-based router, try the Ubiquiti EdgeRouter X. Just make sure to flash the firmware before their software destroys your system and their EULAs sell you out, and stay far away from their UniFi access points.