by Harj on 9/26/18, 5:01 PM with 245 comments
by basch on 9/26/18, 6:37 PM
Am I missing something, or did they buy consumer routers to use as access points?
Triplebyte, I can save you a ton of management, troubleshooting, and learning time: switch to Ubiquiti UniFi or an equivalent now, and you'll have one pane of glass to reconfigure every device. The devices will talk to each other, to help hand off clients between them. All channel management will be by the devices working together; they can throttle down power if they are causing each other interference. I can't even begin to list all the different benefits of a single set of settings vs devices that don't work together. Even an Asus AiMesh network would likely be better. You're asking for a troubleshooting nightmare.
You can either pay a couple hundred a year for the management interface, or $80 for an on-prem tiny little stick that hosts it. (Paying for the cloud-hosted one has its benefits, and is my recommendation.)
Access Point - https://unifi-hd.ubnt.com/
POE Switch - https://www.ubnt.com/unifi-switching/unifi-switch-poe/
Management Interface - https://www.ubnt.com/unifi/unifi-cloud-key/ OR Cloud Management https://unifi.ubnt.com/
Router - https://www.ubnt.com/unifi-routing/usg/
You should never need to track down or log into individual devices to configure them.
I don't mean to be a complete ballsack, but isn't it weird for a company whose mission is matching talent to problems to fail to find the talent to adequately address their problem, and to be giving authoritative (mis)advice on something they are not remotely domain experts in? It doesn't seem like the best advertisement.
That said, this is the KIND of post companies should be making when their SEO expert says to use keywords. Good job writing about improving the internals of your company, and not just what your company does. Write a V2 of this post once you upgrade, and rename the old one "How we Created (and then mitigated a Device Management and Troubleshooting Nightmare)".
by linsomniac on 9/26/18, 9:17 PM
On the cable termination part: I've (mostly) stopped crimping cables because I've had too many go flaky and don't have 4-5 figure testing equipment. One thing I'll add is that there are ends for solid conductor and stranded, make SURE you have the right ones for the cable you are using.
These days I always just put on keystone ends and then use commercial patch cables from there. I've had very good luck. I'd recommend against the advice to use a screwdriver to punch them down; with the Leviton ones I prefer, you just put the cap on and they punch down themselves. The random ones I get from Ace Hardware have a little punch tool included.
One additional recommendation I have is to put 5GHz radios in each space. 5GHz has more spectrum, and less interference, but it penetrates drywall significantly worse. But that's a good thing, because it cuts down on interference from your neighbors.
Beware of microwave ovens, baby monitors, cordless phones (last 2 more in residential areas). They can be intermittent interference, and won't show up on the non-commercial spectrum analyzers. Our 2.4GHz used to go out when we'd run our brand new microwave. But it would also go out at other times, possibly when a neighbor ran theirs? 2.4GHz penetrates buildings quite well, which kind of sucks.
My credentials: https://www.tummy.com/articles/pycon2012-network/
by MBCook on 9/26/18, 8:37 PM
Obviously phones are out, but why not hardwire every laptop when it's at the desk? If someone's using an actual desktop computer like an iMac, then what's the point of Wi-Fi? Clear up the signal space and get a 100% reliable and ultra-fast connection.
by akurilin on 9/26/18, 7:39 PM
I was managing consumer grade routers for the company since its inception until we switched to Aruba APs (which are awesome <3) and then eventually to an office with a real firewall, several APs, and a switch for 100+ cabled desks. The folks at BoxIT were a real life-saver at that stage, both for the initial setup and proactive monitoring of your network's health over time. Having your staff spend brain cycles on this stuff isn't the best ROI IMO.
The one thing to watch out for is VoIP in SF office buildings. Our APs conflict with about 300 other APs in the area, so getting reliable VoIP for your sales people over WiFi is not even worth trying. We got lucky and inherited an office where the previous company learned that the hard way and wired every nook and cranny with ethernet.
by vandot on 9/27/18, 4:17 AM
The configuration is done through a hosted dashboard that also provides monitoring. We're in a heavily regulated field, and the Meraki dashboard provides a lot of evidence for compliance audits. It also enables us to remotely control devices (e.g. lock, wipe, locate) and investigate issues when integrated with the Meraki MDM solution.
We did have to tune the bitrate for wireless.
We also cannot set up redundant VPN tunnels to AWS (Meraki only supports one tunnel for non-Meraki VPNs), so we have to do manual failover. This is my biggest gripe with Meraki. We are investigating adding a Cisco ASA to handle site-to-site VPN to AWS with redundant tunnel support.
by teeray on 9/26/18, 6:27 PM
I use GRC's DNS Benchmark tool[1] for this whenever I set up DHCP somewhere, and the results are sometimes surprising. If you're on a *nix or macOS, it runs well under Wine.
by exabrial on 9/26/18, 7:23 PM
by tradertef on 9/26/18, 7:38 PM
Radars are pretty static and do not come and go (especially weather radars), so the router pretty much does not need to move from the channel. False alarms can be an issue, but if one has a decent quality router, it should not happen very often. Furthermore, after a radar detection (false alarm or actual), routers can switch to non-DFS channels and start operating immediately.
by matthew-wegner on 9/27/18, 12:19 AM
If you run a full UniFi stack, you can view your entire topology in the dashboard--it'll tell you which switch port or access point/SSID a client is connected to. Here's my home topology:
Note that most switches are double-uplinked for 2000Mbps throughput, and there's a 10-gigabit core router. 10GbE isn't nearly as expensive as you might think, especially for very small teams. It is possible to get access points to deliver 500-700Mbps speeds, too--that's going to depend a lot more on your device's radios than anything. See speed benches for UniFi kit at: https://goo.gl/RL4kkW
This guide doesn't cover VLANs, but it probably should mention they exist. Any IoT or networked camera type devices that don't need Internet access shouldn't be allowed egress, and VLANs are an easy way to implement network segregation. You almost certainly want a guest network too, both wired and wireless.
by jpm_sd on 9/26/18, 7:43 PM
Uh, what? Are you nuts? Hire somebody.
by dhess on 9/26/18, 11:15 PM
* Most of my client devices are from Apple, and I easily got the best WiFi performance overall with 802.11ac-capable Airport Extremes, which is impressive given how relatively cheap they are. However, I'd like multiple SSIDs, and Apple gear can't do that (the guest network support doesn't count). Regardless, Apple is out of the game, so this isn't a long-term solution.
* The UniFi gear had terrible 802.11ac performance, even when my devices were in the same room as the WAP. At the time, I was using first-gen 802.11ac hardware from UniFi, so it's somewhat understandable, but the poor performance combined with 2 of the units failing within the first 6 months didn't leave a good impression.
* The Aruba Instant WAPs were reliable and got good performance (though not as good as the Apple WAPs), but I'm not a fan of their licensing. Without a support contract, it was possible to hunt down the latest firmware updates, but they didn't make it easy.
I recently bought a PC Engines APU3C4 with a mini-PCIe WiFi card and a couple of Chaohang antennas [1], and I'm contemplating building my own WAP. This would give me all of the configurability and tweaking that I want, and I could deploy it as just another piece of my personal little devops pipeline.
However, I don't know much about the RF side of things. I'm aware there's a lot of black magic involved, but it's not clear to me how much performance and/or range I'm going to lose by piecing together COTS stuff versus a professionally-engineered solution from Ubiquiti et al. If anyone who's reading has built their own WAPs, I'd love to hear from you.
by slantyyz on 9/26/18, 8:58 PM
addendum:
Re crimping RJ45 - the better way to do terminations is to use the EZ-RJ45 pass-through plugs like the ones made by Platinum Tools. You need a special crimper, but it's night and day easier. If you're using AWG23 Cat 6, you also need to make sure your plugs can handle those wires (not an issue with the Platinum Tools plugs).
by keeperofdakeys on 9/26/18, 11:06 PM
Also don't be afraid to hire someone to do a wireless survey - or do it yourself. Someone will walk around with a laptop, and try to find wifi blackspots/hotspots, and can recommend adjustments to AP power and/or placement.
by Tharkun on 9/27/18, 6:35 AM
But then I still haven't had any luck setting up a WPA2 Enterprise config that works on all devices.
by Jaruzel on 9/27/18, 8:18 AM
I will also add to this, consider having all the APs on the same channel. My experience is that some OSs (I'm looking at you, Windows) don't roam properly if the following three things are not the same:
1. SSID
2. Authentication/Encryption
3. Channel
It does sound like the author has deployed consumer access points. For a proper office scenario, centrally managed is the way to go. Finally, never use WPA2-PSK Personal in a work environment. Use proper back-end authentication such as RADIUS or MAC filtering, or a 'Register me via a captive portal' system with a central LDAP-type user directory.
by compumike on 9/26/18, 5:02 PM
I was also surprised by how slow S3 was with a single download connection, but really fast when using aria2 to parallelize the download.
by nodesocket on 9/27/18, 4:56 AM
Should I try using a lower 5GHz channel such as 36 or 40? Won't that decrease overall throughput? My understanding was that the higher the channel number on 5GHz, the theoretically higher the throughput.
by intsunny on 9/26/18, 6:41 PM
Every so often I have to physically drag my laptop to the superior AP and restart wifi to get my laptop to stop connecting to the bad AP.
by knorker on 9/27/18, 3:20 AM
And you can get more channels than 3 if you use 20MHz channels, not the 22MHz channels, by simply not using 802.11b. Only use g & n and you get four channels.
And do use the DFS channels, exactly because people like this author are not there to congest the channel. Just make sure you have non-DFS too while the DFS AP is in listen mode.
So this article is very much not written by an expert.
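As an added illustration of the 20 MHz vs 22 MHz point in the comment above (my own example, not from anyone in the thread), this Python snippet works out which 2.4 GHz channel sets are mutually non-overlapping at each width. It assumes channels 1 to 13 are permitted; in a regulatory domain that stops at channel 11, 20 MHz operation still yields only three non-overlapping channels, which the last line shows.

```python
"""Which 2.4 GHz channels coexist without overlap at 22 MHz (802.11b) vs 20 MHz (g/n).

Added example, not from the thread. Assumes channels 1-13 are permitted (some
regulatory domains stop at 11) and ignores 40 MHz-wide 802.11n channels.
"""
from itertools import combinations


def center_mhz(ch: int) -> int:
    """Centre frequency of 2.4 GHz channel ch; channel 14 (Japan only) is excluded."""
    if not 1 <= ch <= 13:
        raise ValueError(f"unsupported 2.4 GHz channel {ch}")
    return 2407 + 5 * ch


def overlaps(a: int, b: int, width_mhz: int) -> bool:
    """True if the two channels' occupied bandwidths intersect.

    Edges that merely touch (e.g. channels 1 and 5 at 20 MHz) do not count."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping_sets(channels, width_mhz: int) -> list[tuple[int, ...]]:
    """All largest sets of mutually non-overlapping channels, in channel order.

    Brute force over subsets is fine here: at most 2**13 combinations."""
    chans = sorted(channels)
    for size in range(len(chans), 0, -1):
        found = [
            combo
            for combo in combinations(chans, size)
            if not any(overlaps(a, b, width_mhz) for a, b in combinations(combo, 2))
        ]
        if found:
            return found
    return []


if __name__ == "__main__":
    for width in (22, 20):
        sets = non_overlapping_sets(range(1, 14), width)
        print(f"{width} MHz: up to {len(sets[0])} channels, e.g. {sets[0]}")
    # In a domain limited to channels 1-11, 20 MHz still yields only three.
    print("1-11 only, 20 MHz:", non_overlapping_sets(range(1, 12), 20)[0])
```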
by maerF0x0 on 9/26/18, 8:49 PM
by ufo on 9/27/18, 2:04 AM
I constantly run into this issue in my home network. Is solving it really just a matter of reconfiguring the routers to share the same SSID, or is there more to it?
by mciancia on 9/26/18, 8:35 PM
Small error here, should be 4 of 8 and 8 of 8, respectively ;)
by nodesocket on 9/27/18, 4:44 AM
by qwerty456127 on 9/26/18, 10:26 PM
by TabTwo on 9/26/18, 9:59 PM
by jonny_eh on 9/26/18, 8:04 PM
Uhh, do they mean "don't put 5 GHz on its own SSID"?
by GuyPostington on 9/26/18, 10:22 PM
by majidazimi on 9/27/18, 7:49 AM
by djmips on 9/27/18, 6:20 AM