WiFi access point

In residential settings, the location of the WiFi access point is usually a point of debate, as we don’t want them to be in plain sight. We have gotten used to looking at the consumer grade routers (although some of them look ridiculous).

This consumer grade WiFi router looks like some kind of spider.

The Ubiquiti WiFi access points look totally acceptable and blend into the environment. Below is a picture of a kitchen with an AC-Pro mounted on the ceiling. The blue light ring is still on in this picture, but it can be switched off.

AP AC-Pro mounted on the ceiling
The WiFi access point is connected to the ceiling. The blue light can be switched off. It is not intrusive and looks like a smoke detector.

Connecting 2 switches using the SFP ports

At some point in time, network switches are full, and the network needs to be expanded with more switches. These switches can be connected together via regular ethernet cable. Sometimes it is desirable to use the SFP or SFP+ ports.

SFP and SFP+ ports are switch ports for which one can still choose the medium to use, for instance copper wire or fiber optic cable. The difference between SFP and SFP+ is that SFP can be used for speeds up to 1Gbps while SFP+ can go to 10Gbps. SFP+ ports are backward compatible, which means that they can communicate with SFP ports, but only at the 1Gbps speed.

When we connect 2 switches together, we try to use more than 1 port for the connection. We use link aggregation, which bonds the ports together. For example when using 2 ports at the same time, we get speeds of 2 Gbps instead of only 1Gbps. This makes switch to switch communication a bit better.

When switches are a long distance apart (i.e. in different buildings), fiber optic cable is preferred, because no electric current is involved in transporting the data through the cable. The SFP module uses a laser to send light waves through the cable to the other SFP module. When using copper between different buildings, one always has to make sure that the earthing or grounding is done correctly (potential equalization). When that is not done, it can cause a lot of issues which are very difficult to trace. Fiber optic cables prevent those issues entirely.

SFP fiber modules
SFP modules and fiber optic cable to connect switches together.

Not the worst server room ever….. but getting close

I was called in to help troubleshoot a network issue. When I came in and saw cables bulging out of the small network cabinet, I got a bit worried about all of the problems we would encounter while cleaning this up. Fortunately the issue was found very quickly (a loose connection). The customer is going to clean up his cabling….

A Cable mess
A customer had issues with his network. He needed help figuring out what was causing it. Looking at the cable spaghetti I think this needs to be cleaned up to properly diagnose the issue.

Home Office Network Equipment for Video Editor

Home Office Network Closet

We installed a new network for a home office. This particular customer and his family have a lot of mobile devices, like phones and tablets. Next to that he has a network video recorder for all of his Ubiquiti cameras. The special thing about this customer is that he is a video editor, and also uses 10GB ethernet networking to store his files on a Synology NAS. This allows him to use his Apple computer for editing video, while storing all of the large files associated with this activity in a central location. This requires an extremely fast network. With the Ubiquiti devices we used, we have created the fastest network currently possible using affordable equipment, which is not carrier grade. The Synology NAS (DS1819+) has about 80TB storage space available, and is backed up to a second Synology NAS. File transfers to the 10GB connected NAS are amazingly fast: more than

Home Office Network Closet
Using Ubiquiti equipment we created 10 GB ethernet connections to the NAS as well as to the iMac Pro of this customer.

We added a CyberPower UPS (Uninterruptible Power Supply) to the network rack. This device filters the 110V input and produces a real sine wave. In case of a brownout or a complete loss of power, the Synology devices are gracefully shut down, and the rest of the network equipment will remain running until the batteries are depleted. This UPS can keep the network up and running (including WiFi and all the cameras) for about an hour.

We also upgraded the customer’s Comcast internet modem to the best DOCSIS 3.1 modem currently available: the Motorola MB8600. This modem connects the customer’s network to the 1Gbps Xfinity connection.

Depending on the time of day, we see SpeedTest download speeds of up to 860Mbps and upload speeds of 40Mbps.

Speedtest
We used the Motorola MB8600 DOCSIS 3.1 modem to get these results

Cloud Key Firmware 0.12.0 brings new interface

We have been running this version of the firmware for a few months now in our test environment to make sure it is stable enough to support in the field. This firmware also brought us a new controller version, which was a major change from the prior version. An entirely new user interface was the first thing we noticed. Under the surface there were also enough changes to make us want to give this version a thorough test before we would upgrade the systems at our customers’ sites.

We have noticed a few things that made us raise our eyebrows, and they took some investigation to truly understand. In some cases the cause was the new controller software, and in other cases, after in-depth investigation, the issues we encountered had nothing to do with the controller at all. As an example, we had one site where a device which we hadn’t identified kept roaming from one AP to the next, and the next and the next, only to be finally rejected from the network. But at other times, we would see the device actually generate a limited amount of network traffic. After a few hours of plowing through log files and scavenging the internet, we found out it was the owner’s Tesla, parked outside of the building, that would try to connect to the network. Depending on how it was parked, it would get a strong connection to the network, and on other occasions it would hardly get a network connection at all. Once we figured out that it was the car that was causing the issues, they were easily corrected (in the car’s wifi settings).
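The roam-then-reject pattern described above can be surfaced from association events without reading logs by hand. The following is an added example, not part of the original post or of Ubiquiti's software; the "timestamp ap event mac" log layout, the event names and the sample lines are constructed assumptions, not the controller's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp ap event mac" layout.
# This is NOT the UniFi controller's real log format; adapt parse() to yours.
SAMPLE_LOG = """\
2018-06-01T09:00:05 ap-lobby assoc aa:bb:cc:00:00:01
2018-06-01T09:00:40 ap-office assoc 11:22:33:00:00:02
2018-06-01T09:01:10 ap-office assoc aa:bb:cc:00:00:01
2018-06-01T09:02:30 ap-garage assoc aa:bb:cc:00:00:01
2018-06-01T09:03:00 ap-lobby assoc 44:55:66:00:00:03
2018-06-01T09:03:15 ap-garage reject aa:bb:cc:00:00:01
2018-06-01T09:20:00 ap-office assoc 44:55:66:00:00:03
2018-06-01T09:45:00 ap-office reject 44:55:66:00:00:03
"""

def parse(log):
    """Turn log text into time-sorted (timestamp, ap, event, mac) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ap, event, mac = parts
        events.append((datetime.fromisoformat(ts), ap, event, mac.lower()))
    return sorted(events)

def find_flapping_clients(log, window=timedelta(minutes=10), min_aps=3):
    """Return {mac: [aps]} for clients that associated with at least
    min_aps distinct APs inside `window` and were then rejected."""
    history = defaultdict(list)
    flagged = {}
    for ts, ap, event, mac in parse(log):
        if event == "assoc":
            history[mac].append((ts, ap))
        elif event == "reject" and mac not in flagged:
            recent = [a for t, a in history[mac] if ts - t <= window]
            aps = list(dict.fromkeys(recent))  # distinct APs, first-seen order
            if len(aps) >= min_aps:
                flagged[mac] = aps
    return flagged

if __name__ == "__main__":
    for mac, aps in find_flapping_clients(SAMPLE_LOG).items():
        print(f"{mac} hopped {' -> '.join(aps)} and was then rejected")
```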

From today onwards, we will run this firmware, with the latest controller software on our sites. The new interface did take some time to get used to, but it works.

VPNFilter Malware

Malware tied to Russia can attack connected computers and downgrade HTTPS

Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

(Much) bigger attack surface

Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:

Asus Devices:

RT-AC66U (new)

RT-N10 (new)

RT-N10E (new)

RT-N10U (new)

RT-N56U (new)

RT-N66U (new)

D-Link Devices:

DES-1210-08P (new)

DIR-300 (new)

DIR-300A (new)

DSR-250N (new)

DSR-500N (new)

DSR-1000 (new)

DSR-1000N (new)

Huawei Devices:

HG8245 (new)

Linksys Devices:

E1200

E2500

E3000 (new)

E3200 (new)

E4200 (new)

RV082 (new)

WRVS4400N

Mikrotik Devices:

CCR1009 (new)

CCR1016

CCR1036

CCR1072

CRS109 (new)

CRS112 (new)

CRS125 (new)

RB411 (new)

RB450 (new)

RB750 (new)

RB911 (new)

RB921 (new)

RB941 (new)

RB951 (new)

RB952 (new)

RB960 (new)

RB962 (new)

RB1100 (new)

RB1200 (new)

RB2011 (new)

RB3011 (new)

RB Groove (new)

RB Omnitik (new)

STX5 (new)

Netgear Devices:

DG834 (new)

DGN1000 (new)

DGN2200

DGN3500 (new)

FVS318N (new)

MBRN3000 (new)

R6400

R7000

R8000

WNR1000

WNR2000

WNR2200 (new)

WNR4000 (new)

WNDR3700 (new)

WNDR4000 (new)

WNDR4300 (new)

WNDR4300-TN (new)

UTM50 (new)

QNAP Devices:

TS251

TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link Devices:

R600VPN

TL-WR741ND (new)

TL-WR841N (new)

Ubiquiti Devices:

NSM2 (new)

PBE M5 (new)

Upvel Devices:

Unknown Models* (new)

ZTE Devices:

ZXHN H108N (new)

We looked at the Ubiquiti devices that are on the list. Notice that out of the huge list of equipment that Ubiquiti sells, 2 part numbers are mentioned. Lim IT Consulting doesn’t have any of these in the field! And next to that, these parts have a very specific use case and are in fact not ROUTERS at all. The NSM2 is the Nano Station, and the PBE M5 is the PowerBeam (with the large dish antenna). Both devices are predominantly used to extend wireless networks, either to outbuildings on large properties, or, in the case of the PowerBeam, by Internet Operators making connections over a distance of more than 12 miles. All other devices from the other manufacturers are indeed routers and are very prone to being attacked over the internet.

As always, it is important to keep up with the latest firmware to make sure your network is as safe as possible. We at Lim IT Consulting test all firmware before we roll it out to our customers.

Upgrade to NVR firmware 3.9.5

As you may recall, we decided not to upgrade our Ubiquiti Unifi NVRs to version 3.9.4, because we saw some issues with regard to connectivity. It turned out our testing was done well, because Ubiquiti later decided to pull the 3.9.4 firmware from its repository, and posted an article on how to revert back to version 3.9.3.

Two weeks ago, version 3.9.5 was released to the public and we decided to do some testing again (as we always do) before upgrading our production environments. In the release notes we can read the following:

Bug Fixes:

  • Fixed an error in motion recording that caused Minimum Motion Event Trigger content to be truncated for short recordings
  • Fixed motion recording playback sometimes including an extra video segment
  • Fixed motion images sometimes not included in alert emails
  • Fixed cloud disconnections caused by websocket pong timeouts, when network is slow or cloud server responses are slowed down.  This solves the repetitive disconnected/reconnected cloud issue.  If your UniFi Video install continues to be disconnected after upgrading, it should come back to a Connected status in 15 minutes or less
  • Fixed Email username field not populated correctly
  • Fixed UniFi Video cloud re-connection hanging after the controller is disconnected either due to degraded network or the UniFi Video installation losing its IP address

Results:

We found the issue we had with the prior release to be fixed and have decided to deploy this version to production environments. Which means that our production environments will go from version 3.9.2 to 3.9.5.

NVR Firmware (3.9.4) on HOLD

At Lim IT Consulting, we thoroughly test software and firmware updates before we deploy them in a production environment. We do this for all of the products that we support (most of Ubiquiti’s Unifi line of products and Synology NAS).

We have been testing the new firmware that Ubiquiti sent out a week ago (3.9.4), and we have found some issues with remote connections. We will NOT install this version on any of our installations, and will wait until a newer version comes out, that we can verify to be in correct working order.

UPDATE:

Our testing was good, as Ubiquiti published the following statement:

In light of the cloud connection issues related to UniFi Video 3.9.4, we have decided to pull that release and revert back to 3.9.3 as the current GA release.

We would like to sincerely apologize to our user base and to our exceptional community for the inconvenience this has caused and are committed to getting the next release as stable and reliable before it goes to a public release.  This is not our best work and certainly not up to our standard of quality.

We at Lim IT Consulting are looking forward to the next version Ubiquiti releases. They usually do a good job, and we consider this release to be an exception.

Unifi© CloudKey firmware and controller update

Ubiquiti released a firmware update and a controller software update for the Unifi CloudKey. As always, we will test the updates before rolling them out to our customers’ networks.

As far as we can tell at this moment, a few new features have been added, which mostly make life a little easier for network and system administrators like us. However, two features that are still in Beta, and likely to be released for production soon, are IPS and IDS. This will be a big deal for everyone, as the Unifi networks are going to be even more “Fort Knox” impenetrable for hackers.

IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System. Unifi’s Intrusion Prevention System will protect the network from attacks and malicious activity. It will block and shut down connections that could compromise your security. The IDS will only send alarms when it suspects an attack, but will not act on it.

It was one of the things that we have been asking Ubiquiti to add to their software, and it is good to see that they listen to their customers. In a few months, when this feature comes out of Beta, we will apply this to all our managed networks. In the meantime, we still have you covered. The networks are still very safe and no one will be able to easily gain unapproved access to your networks.

Online Gaming

Playing online video games is probably one of the most network intensive things one can do on the network. Playing games is a nice way to relax, if the technology doesn’t fail you.

When everything starts getting sluggish, and you already made sure that your internet provider gives you enough bandwidth (upstream and downstream), what could be causing this issue?

More often than not, when you run into these types of issues, the cause is that your WiFi router cannot keep up with the demand.

The regular consumer grade WiFi router does 3 or 4 tasks:

  • provide WiFi access
  • route traffic to and from the internet
  • network switching (connects all the ethernet cables to the network)
  • and sometimes it is also a modem (AT&T, Comcast etc.), which connects to the actual internet provider’s network.

Although it is tempting to use these all-in-one solutions, they are what you’d call a jack of all trades, master of none. Most likely the routing function and/or the WiFi function are lacking horsepower. Routing actually needs a speedy CPU, as does the WiFi function. However, the WiFi is also hampered by things like interference and maximum range. The farther from the antenna, the slower the speed. Interference from neighboring networks, microwaves, drywall and other obstructions will only make it worse. And gamers typically already use the 5GHz network for WiFi, which by technical limitations has a lesser penetration to begin with (but is faster). What that means is that the range of the network is much smaller compared to the slower 2.4 GHz network, and that the decrease in speed as a function of distance is even worse! If you want to have maximum speed on the 5GHz network you need to be within a few feet of the antenna.

It is often said that for online gaming you need to use a wired connection instead of a WiFi connection. However this is only true if your WiFi network is not up to the task. Lim IT Consulting can fix that for you! You can even invite a few friends to your party and have them also play on your WiFi network. If you use the right equipment and set it up correctly, this is all possible.

We at Lim IT Consulting recommend simple enterprise grade solutions by Ubiquiti. The separate components together cost just slightly more than a high end consumer grade solution, but everything just goes fast! All the time! Just as we like it when we’re playing games at 60fps!

Give us a call or send an email if you want to learn more, or need help.