Security Issue: Cloud Site Manager presented me your consoles, not mine (ui.com)
295 points by amaccuish on Dec 14, 2023 | hide | past | favorite | 304 comments



Ex Ubiquiti employee here. I barely recognize the company any more. The company always had problems but we had a lot of smart and hard working people in the early days. People are always amazed when I tell them how small the company was when we made Ubiquiti and UniFi into household names among nerds.

Some of those people remain. UI-Marcus in that link is a good person. The company went into a steady decline after the CEO started centering the company around the offices in Portland and China. Portland was home to the UX designers who wanted to redesign everything to look nicer but didn't understand how customers used our products. Portland was also home to Nick Sharp, the cloud lead who tried to extort the company and lied to the press about hacks. The favorite office in China made the FrontRow product, which failed so badly that I doubt anyone has heard of it. These people were supposed to be the future leaders of the company, but everything they did was a disaster. We could all see the writing on the wall and left. Well, almost everyone.

I don't even know which Ubiquiti office owns the cloud any more because everyone working on cloud at Ubiquiti either quit or was laid off after the cloud lead went to prison for extorting the company.

I hope the company can get back on track some day. It's sad to see all of our old work decay like this.


> Portland was home to the UX designers who wanted to redesign everything to look nicer but didn't understand how customers used our products.

MikroTik has also been updating their UI this year and it's only getting worse.

They are starting to put everything into auto-collapsed sections so that instead of just scrolling down the page you now must remember the section's title and open it in order to access the controls. There are hundreds of sections.


Mikrotik's UI was terrible to begin with, just a big 90s smorgasbord in the style of My First Visual Basic App.


Winbox UI might be not according to the latest UX fashion, but is pretty effective.


Yeah, seriously - it's ugly and quirky but generally all the settings you care about are there and I don't have to click through 15 different levels of menus or look things up in the wiki for the proper cli invocation when I need to tweak something.


Exactly, I can think of very few tools/apps that are as effective and powerful as winbox. Not to mention that the entire program is portable and around a few megabytes in size.

For probably the past 10 to 15 years there has not been a moment that I haven’t had at least two winbox sessions open/running on my daily desktop 24/7. (Network/Wi-Fi admin, responsible for thousands of devices)


I like it, it just works and everything in it makes sense. Very refreshing compared to a lot of the things we have today.


Some people like VB6 and its aesthetic.


The kind of sad thing is that you could style forms/controls in VB6 so apps didn't have to look that way.


The Dude. edit: more context, that's the Win UI manager with the 90s look for MikroTik. It's not pretty but I know fairly large ISP admins swearing by it https://mikrotik.com/thedude


Webfig I presume?

The first rule of webfig is: don't use webfig


There were no issues with Webfig.

These newly collapsed sections are tabbed sections in WinBox, so there you've had the problem since the beginning.

It's a matter of preference and I've always preferred Webfig. I'm a MikroTik user since 2013 and have 9 devices which I like a lot. I only used WinBox when I misconfigured them a bit in order to access them via the MAC address.


This made me laugh, because it’s so true.

Of course then, the second rule of webfig is: you can’t even use webfig bc both web services have already been disabled


Makes it useful for someone who doesn't really use Mikrotik a lot to be able to browse through and explore.


> Portland was home to the UX designers who wanted to redesign everything to look nicer but didn't understand how customers used our products.

That means they're not UX designers, but simply illustrators without actual illustration skills


Or they're UX designers without actual UX design skills?


Or chronically warped by their recreational activities.


Hadn’t heard of FrontRow (as you assumed) so went looking for information about it and it looks like they may have repurposed it for the Access Reader Pro? Haha that’s a way to move them.

What a miss… And weird product category for them…

Also interesting, apparently Ubiquiti came out with a video editor too around that time for FrontRow: https://www.reddit.com/r/Ubiquiti/comments/t9jz2n/ubiquiti_l...

Curious - what was the size of Ubiquiti when “we [you and your team] made Ubiquiti and UniFi into household names among nerds”?


Wow, I always wondered why the Access Reader Pro had such a weird design - it was just a repurposed product from a completely different category.



>I hope the company can get back on track some day. It's sad to see all of our old work decay like this.

Agreed, and it really was amazing work. As someone who started using and then deploying UniFi in maybe 2015-2016ish and found it a revelation, it's been tremendously depressing see so much potential and such a community utterly squandered. I can only imagine what it's like for someone on the inside. Nevertheless, thank you so much for your work and all the others who helped make it happen. If nothing else it did at least really blaze a trail and show what could be done, and contrary to this issue without any cloud bullshit and subscription lock-in. Even were Ubiquiti to truly implode, that showing of what could be done would remain and by its nature the kit would remain useful for a long time.

There have been some mildly positive signs recently though, even if the UX churn remains shitty. There has been small shoots of progress on actual core features, years and years and years late granted, but not entirely too late. I wonder if the emergence of TP-Link's Omada as a clear, direct same-niche competitor has lit any fires there?


I hooked my home up with 3 Unifi AC Pros + ERPOE5 in 2015/2016. They've been running for 8 straight years without ever restarting. Never had a problem.

Granted, I never updated the firmware in the 8 years. Heck, I'm not even sure how I can get back to the web UI to control them.


It's fine to use at home, but I see a lot of people pretend these are Enterprise devices and use them as such. They are upgraded consumer gear, at best, imo.

Source: I've been working with unifi gear for the past 4+ years and use a basic unifi setup at home, since it was free to me. I wouldn't have bought it.

Like all things, YMMV. I'm glad to hear it's working like you need it to.


What would you have bought instead? In my experience there isn’t anything comparable in the consumer space. I’d love to be shown I’m wrong. I use both their network gear and security setup (door bells, cameras).

I’m not sure there is another company offering the same solution with ease of setup and low overhead to manage. Is there?


I guess this depends on use-case. I mean, if someone has a need for the more advanced features of a router/firewall like this, then they don't need the consumer focused UI.

If someone doesn't know networking well enough, then the UI isn't helpful really since they don't know the why of things.

It's a great niche, but Unifi has issues and they seem more focused on selling more of them, than fixing issues present for 5+ years.

Here's an example: Unifi uses Strongswan for VPN. There is a bug in that 2 people cannot connect to the VPN site from the same IP. Site2Site between 2 unifi devices has been unreliable.

As far as what I would have bought, it's moot, since I'm not the common use case. At one point, I used an ASA 5510 as a home router. ;)


Use the Unifi phone app to manage them. You can manage the APs themselves without logging into anything. I’d recommend updating the firmware after 8 years, you can always do a hard reset to get the original back.


Hard reset will not automatically downgrade the firmware.

And I don't think it's a good idea to manage multiple APs using the app instead of from the controller. Managing a single AP from the app is ok, but I think you'll run into problems when you have multiple in a network.


Hard agree. Especially if you have something like the UDM/UDM-P and are managing VLAN-specific SSIDs and so forth.


OP didn’t ask about managing from the controller. I prefer the controller and use it myself. Some of my family members do not want a controller and use the Unifi APs I suggest.


It is unlikely that a home user has network functions in use that rely on the controller.


My point still stands for multiple APs.

For example, you can't set up meshing from the mobile app. Best you can do is give them all the same SSID/password, and they also have to be wired in that scenario.


It's a weird one because they had a decent product line and just seem to be making really weird choices - I assume to market to the home/"pro-sumer" crowd instead of actual businesses? They just came out with a network switch with RGB for damnsake.

A few of my IT clients have UniFi routers and they're quite lackluster for the price - pretty UI but loads of broken features and bugs galore, and you can't manage them centrally like the rest of the UniFi kit.


> a network switch with RGB for damnsake.

This actually may turn out to be VERY useful. As someone who runs Unifi at home w/ a stupid amount of VLANs, being able to color code them at the switch will come in real handy when I just go and start unplugging stuff and rearranging as does happen. If they update it to flash VLAN color while unplugged using the LCD screen it will be even MORE useful. We can hate on RGB all day just for RGB sake but when it has a use, more the better.


While I haven't been keeping up with what was going on, the second I started seeing ads for Ubiquiti I knew something had gone deeply wrong.


That sounds like a terrible workplace.

For your own home, if not Ubiquiti, what do you use nowadays?


I've been considering MikroTik recently (specifically the RB5009 series). Main downside I've read about so far is that the UI/UX is a bit rough.


I don't get all the Mikrotik UI hate. It's not winning any beauty contests, but it's straightforward and it works well.

I've been using their devices for years, and I haven't had any problems setting them up.


There are some really terrible UI choices in SwOS, like not labeling rows of checkboxes so users need to hover over each one with their mouse to see a tooltip.


Send them a bug report, they'll likely fix it. I'm not joking, they're not using Webfig often, so sometimes they can overlook these kinds of minor issues.


I have a mikrotik https://mikrotik.com/product/hap_ac3 that I bought as a sort of test and it's been working fine for my needs. the webUI isn't the best, but wiki docs were pretty straightforward and I've been decently happy.


You think the UI is rough, try the cli.


There's a learning curve indeed, but it's also essentially just a thin wrapper around nftables (read iptables) so you learn about Linux networking by using them


I've been using unix and linux since the 90's and linux full-time on every system of mine, and Tik's still seemed entirely counterintuitive to me. I'd rather just deal with iptables and linux directly without the wonky cli.


I actually found the Mikrotik CLI easy to learn because it and the GUI are basically 1:1.

For example:

/ip/firewall/filter add

is in the UI under the sidebar IP -> Firewall, then the Filter tab, then click add. The parameters are named the same in both too.


I prefer the cli for Mikrotik, but that's true for most firewall, routers, etc.

YMMV.


Anyone using Mikrotik these days? Been Mikro-curious for awhile and always see them thrown around as a Unifi alternative. Yet to hear of any firsthand implementations though.

[0] https://mikrotik.com/


As a network engineer, I've considered them for my house, the price is right, but:

1) Their main push seems to use a thick client for admin which is a big no to me, otherwise the web ui in theory looks ok-ish.

2) Looking at their cli guide, it was cryptic as hell to me, and I deal with everything from cisco, arista, aruba, juniper, fortinet, pan, whatever from a cli or gui.

This was mostly confirmed a few weeks back, another old network engineer friend of mine hit me up asking if I've ever dealt with Mikrotik, and said no, but I knew where he was going. He'd screwed with it for a day or so supposedly just trying to make some L3 vlans, and finally a day or so later told me he'd made it work, but has never dealt with anything so terrible to configure from either gui or cli after having tried both, and he's another 20yr+ network engineer like me I trust not to be stupid.

That was all I needed to hear for future consideration.


Mikrotik has had WinBox for as long as they've been around and there's a lot of inertia around using it, but WebFig and the CLI are the only things I use (though I do have The Dude running through Crossover because it's useful).

Where you run into problems with 'tik gear is the differences that L3HW acceleration introduced into the mix. They didn't do what every other switch vendor does and limit features to what the switch chip supports and hide everything that the CPU can't handle away, so you have multiple ways of approaching most issues which threw me for a loop as somebody who had been running JunOS gear in his lab for a while.

Once you get a feel for it then it's pretty straightforward to work with everything, though somebody used to an older generation of NOS like classic IOS (and associated clones) would have an easier time than me.

For reference, here's the config for my CRS317 acting as my "core" switch: https://gist.github.com/snuxoll/d63a155aa2155f53736a99d1cb27...


For sure, VLAN config is one of the most extremely "How and why did anyone end up designing it this way?" thought-inducing areas of Mikrotik config.

But I will say that the boxes of theirs that I bought about ten years ago are still going strong, never had a device fail on me, still receiving OS updates, still able to export and re-import my config to any of a wide variety of newer devices when the time comes.

Clearly they're not the right choice for everybody, but there are certainly up sides, if you're willing to grapple with the config.


Their "thick client" (aka Winbox) is effectively replicated in the web UI at this point.

Yeah, the CLI is a bit weird, but it's built on the same API calls that the web UI makes. So they're oddly consistent.


What does “L3 VLAN” even mean?


I have half a dozen Mikrotik hAP AC and wAP AC devices with Openwrt used in various places for work and for home.

Rock-solid hardware and muuuch better UX than RouterOS.

Don't remember when I setup those, but probably well before Covid. Really fire-and-forget devices.


Not the person you replied to, but I like Aruba Instant On.

https://www.arubainstanton.com/


Hmm, that looks like it must be centrally managed from the internet? Not saying it's not an appropriate replacement for Ubiquiti, but that seems like an opportunity for the same issues to show up… something that isn't remotely managed might be better instead.


I think the "InstantOn" functionality requires internet for setting up, but it seems like there is a way to manage it locally without the use of the "InstantOn" functionality:

https://www.arubainstanton.com/techdocs/en/content/get-start...

Some more discussion here from years ago:

https://community.arubainstanton.com/communities/community-h...

Although, I imagine this type of stuff may not be made to work well without internet.


Thanks! So it sounds like it may work, but it's very unclear it'll keep working. (Also I happened to be more personally interested in the APs rather than switches, and it's unclear if that also has a local management mode.)

I notice that the linked docs article doesn't get listed if you go up the breadcrumb and try to go back down…


Looks good but lacks layer 3 and fiber aggregation switches which we use in our SMB.


Not sure if they sell it outside of EU, but Keenetic is absolutely awesome. Been using their routers for a while, have a wifi mesh configured in my home built on their devices.

https://keenetic.com/en


Tplink for aps and mini PCs for routers


TP links are cheap and well made for its price, if you don't care that the CCP has a backdoor to every device


> the CCP has a backdoor to every device

This is huge! Please link me to the evidence to back this up.


China deploys plausibly deniable backdoors into internationally shipped network devices. Bugs that are remotely exploitable if you know they exist, but not obvious enough that they provide justification for the devices to be banned from import. These consumer devices are not exploited for intelligence gathering, but rather deployed as proxies that fall into one of two common buckets: acting as SOCKS proxies to relay attacks, and allowing a remote operator to scan for nearby wireless networks and bridge into them.

The NDAA blacklist was a happy compromise by the US government of banning the most egregious vendors that might find their way into sensitive facilities (Huawei, Hikvision, etc) while letting consumer focused brands that do the same (TPLink, Jetstream, Wavlink, etc) slip by so it didn't appear at face value to be a blockade of all Chinese made networking gear.

Taiwan on the other hand is less concerned about how China perceives their relations and bans all these vendors. They also ban Zoom.


First, [citation needed] w.r.t. tplink and other consumer grade routers 'getting off easy'

Second, you seem knowledgeable about concerns w.r.t some supply chain attacks, at least from foreign actors, so do you have an alternative suggestion that isn't impacted by such concerns?

Ubiquiti is a non starter imo given their recent posture


It'd be easier to just Google it.

Grievances start with "made in China" and end with firmware hacks from May of this year.

https://blog.checkpoint.com/security/check-point-research-re...


"We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication"

This implies the opposite of "the CCP has a backdoor to every device". Vulnerable devices from all manufacturers get exploited like this all the time.


I use TP link access points with my own cloud controller (running in docker container on my LAN) and a separate wired router. I don’t think there’s any concern with access points “phoning home” in this configuration.


I've had pretty bad luck with TPLink APs temporarily dropping connections and being just generally unstable. Even when you can put OpenWRT on them the hardware is just kinda buggy.


I think OP means the Omada EAPs, which are dedicated access points and not the routers. I have 2 EAP225s that have been better than the Ubiquiti they replaced.


Ruckus 730/750/850 with unleashed firmware


Draytek routers are not perfect, the UI lacks polish, but I have never had one fail on me yet. Solid kit (even though you do need to keep up with the firmware updates to keep them secure)


Aruba. Some jank in the software, but the gear has been rock solid


The Instant-On gear is physically almost identical to the professional line, but with heavy software limitations.

Best built hardware I've used, and I'd still be using their PoE at home if they didn't patch out SSH/REST access a few years ago.


>We could all see the writing on the wall and left. Well, almost everyone.

>It's sad to see all of our old work decay like this.

This is very common. Happened at my old company. Your last 2 paragraphs are 1-1 the experience of many of my coworkers and I. Very, very sad.


Is it true the failed FrontRow hardware was repurposed into the Unifi door fob scanning thing/product ("Access Reader Pro")? I recall reading this somewhere, and the hardware appears to be identical:

> https://www.theverge.com/circuitbreaker/2017/8/15/16146354/f...

> https://c3aero.com/products/ua-pro

I was absolutely floored when I saw the announcement of the FrontRow device - what a bizarre thing to have brought to market for a network hardware company. I can only imagine someone somewhere got far too caught up in the "wearable" hype a few years ago.


I can't really go into details, but FrontRow wasn't the most bizarre thing Ubiquiti was working on, just the one that got reasonably close before being shelved.

IIRC the Access reader isn't the only product through which they tried to recoup the FrontRow R&D cost/stock of parts, but at that time I wasn't working there anymore.


How many years now has it been since Unifi implemented broken VPN and won't fix it?

5, by my count and still climbing.


I bought a FrontRow! I loved it! It still works, although the battery doesn't hold much of a charge anymore.

It always seemed funny to me that the door access readers re-used the case from it.


Why did Ubiquiti open product/engineering offices in China?


Can you weigh in on the decision to require UniFi controller instead of providing on device configuration interface as well?


That was part of the UniFi product since day 1, no?


Yes, but I always found it strange (though I lack any exposure to "enterprise" networking equipment).


It makes good sense for large distributed deployments.

One page to update everything rather than have to connect to each device and push a config. The controller also "back-ports" the configuration as appropriate for a given device. Declare a vLan once, don't have to worry about which cli version is running on a given switch and adjust your command accordingly.

These things don't matter much when you only have one physical location / few devices but if you're an IT guy that manages networking across every physical building in a school district...

Since the device tries to phone home, it's also a NAT buster which is invaluable when you're drop-shipping equipment to customers and have little control over your environment but need to be able to promise some level of functionality.


Damn, I interviewed there a while back and turned down an offer. Kinda glad I did now.


> Portland was home to the UX designers who wanted to redesign everything to look nicer but didn't understand how customers used our products

I think that's every single piece of modern software to date. I call them "Dribbblrs", because it's like they take inspiration from these websites (e.g. Dribbble) that fetishize things that look pretty but are dogshit to use. I really wish it would end but I don't see it happening unless there's a revolution from within the UX community (which I am not a part of).


I built a UniFi network 6 or 7 years ago. I was pretty excited, as the hardware seemed properly solid. A touch expensive, but I was expecting it to run forever, essentially.

The hardware was actually really good from what I could tell. Not a single issue that wasn't caused by my own misconfiguration. But the software, woof. The software was designed to do exactly one thing: look impressive to execs in a board meeting. It was nearly unusable for me. I don't recall any specifics, but all you really need to know is that it took multiple days to get a simple home network with a single AP and a single router set up. It was so much effort just to log in to the damn thing.

I went into this project excited at the prospect of all the cool monitoring and analytics I could do. Fancy security and remote access and whatnot. After I finally got everything configured, I never touched it again. There were a few times when I needed or wanted to get into it, but I couldn't remember the specific incantation and combination of software needed to access it, so I just didn't.

I'd love to have a solid system built on quality hardware. UniFi is notionally exactly what I want, and exactly what a lot of hackers and tinkerers want. But the quality of your hardware is pretty much irrelevant if your software wasn't designed to be used by humans.

So I'm stuck using consumer routers with open firmware. It's fine I guess.


My situation is basically the other side of the same coin: I built out my network 7 years ago using Edge gear instead of UniFi.

The hardware is solid and the software isn't flashy but it's reliable. It's exactly what hackers and tinkerers want, so naturally Ubiquiti has all but abandoned the entire product line.

They haven't discontinued it (yet) so I could still replace any piece of it if I needed to but their software version history doesn't exactly paint a picture of a product that's cherished or actively invested in:

2019/03/28: v2.0.1

2019/05/30: v2.0.3

2019/06/25: v2.0.4

2019/07/16: v2.0.6

2019/12/04: v2.0.8

2020/03/09: v2.0.8-hotfix1

2020/11/18: v2.0.9

2021/02/02: v2.0.9-hotfix1

2021/06/13: v2.0.9-hotfix2

2022/07/17: v2.0.9-hotfix4

2022/12/20: v2.0.9-hotfix5

2023/01/22: v2.0.9-hotfix6

2023/07/31: v2.0.9-hotfix7


My EdgeRouter finally bit the dust after over a decade of service, and I decided to "upgrade" to a Dream Machine. I was hesitant due to the security breaches and now I really regret my decision.


UDMs are discounted right now for the holidays. I'm in the process of migrating my home networking/server stuff into a rack, and I was tempted to pick one up because my current little PFSense box isn't particularly rack-friendly. This thread is cooling my heels a bit.


> My EdgeRouter finally bit the dust

Do you still have it?

You might just have one with an on-board USB stick which is user-replaceable. Literally a USB stick in a USB type A port.

It seems that was the only part they cheaped out on, since it failed for multiple people I know that have models with the USB stick.

Source: erlite-3 wouldn't boot up, changed usb stick (with their downloadable OS image of course), good as new.

Bonus: quadrupled the available storage.


When I bought the UDM-SE, I too was excited thinking it as an "upgrade". Only later realized it couldn't even do BGP like their entry level gateway products.


You can run your Dream Machine without cloud access, though?


You can, yes. The bigger problem is that I also bought into their Protect products at the same time. And you lose a ton of functionality if you turn off cloud access.

I'm going to try to replicate notifications and stuff using Home Assistant and shut off the remote access completely, but I might as well have purchased a cheaper and better NVR + camera setup if I need to set up all of this stuff myself anyway...


What do you lose with Protect when cloud is disabled?


Mostly remote monitoring capabilities. You don't get motion/detection/doorbell notifications, and the Protect app needs to VPN in to view cameras when you're not on the local network.

We were using Nest before and these would be huge UX downgrades for my not-tech-savvy spouse.


Believe it or not, there's a 3.0 beta now


Ubiquiti's UniFi controllers and TP-Link's clone called Omada always remind me of the glory days of the NoSQL fad. Want to install our software? Please add a third-party mongodb repository to install an obsolete version. They can't handle version upgrades of their own database properly, but hey! At least it's web-scale.


They also need a 32-bit version. The actual, easiest solution to appliance-ify Unifi OS was to take some "run it on your Raspberry Pi!" guide and convert the instructions to Debian 32-bit.


The real easiest solution is to use a third party docker container


...with which you still need to fight with MongoDB.

I'm still running with a Turris Omnia as router, which served me very well for >7y, added a small legacy SSD, managed to setup everything and worked for a while, but TO is armhf architecture, which mongodb quit packaging for with version 3.x. LXC containers for armhf (Debian/Ubuntu) stopped being released too by official channels. But the latest shiny Unifi app requires MongoDB >= 4.x (Unifi app >=7.5).

"Ok, I'll just buy one of those small embedded boxes": purchase Odroid H3+ (x86_64), install stuff, add docker, start up mongodb5 container annnnddd... illegal instruction! Turns out with MongoDB 5 they decided that with pre-built packages everybody has AVX instructions anyway, and packages are built with the expectation AVX instructions are present... which is not always true for low-power devices or even servers (the Intel Jasper Lake CPU of the Odroid H3+ was released in Q1'21).

Want to run this in a VM? Your host CPU better support AVX, too. https://jira.mongodb.org/browse/SERVER-59482

I guess someday I'll just have to build my own docker image of MongoDB...



That's changed for some of them recently. The linuxserver.io container for 'unifi-controller' was deprecated in favor of 'unifi-network-application' [1] so they could quit bundling MongoDB. There's not much value there anymore IMO because it's no simpler than running standalone in a VM at that point.

At least with a VM I can shut it down, snapshot it, block incoming network access for everything but a canary deployment, update it, wait for my canary to come up properly, and then let everything else hit it. That gives the option of a rollback which is much harder with Docker.

I say that as someone using 'linuxserver.io/unifi-controller' which was a mistake I guess.

1. https://hub.docker.com/r/linuxserver/unifi-network-applicati...


True, but I don't actually trust it. And the last time I tried manually building it, it didn't entirely work.


But it’s webscale!


I run OPNsense, but use UniFi hardware. I rarely ever have to interact with the UniFi software as it's only there to configure the hardware.


OPNsense can target UniFi gear? Does it manage the switching and APs too?


I don't think riley_dog means they somehow control Unifi APs with opnsense. I think he just configured the APs with the Unifi controller, then never touched them again and left all routing to an opnsense box.

This seems to be a popular approach, as there are no attractive routers from Unifi. There was the Ubiquiti Unifi Security Gateway (USG), which ran very hot but was affordable and small (EdgeRouterX-like). Now they have the Dreamrouter, which has everything in one, including Wifi. It looks like an Alexa tube. There is a gap in their offering if you ask me, I'm also looking for a nice simple 2 nic opnsense box (preferably a nuc(-like)), after I blew up my EdgeRouterX (used the wrong power supply).


You use OPNsense as the router, but the rest of the equipment is managed separately.

I don't know of a system that works across multiple SDN solutions.


> 6 or 7 years ago...it took multiple days to get a simple home network with a single AP and a single router set up.

I just tried the same thing last week and it took an hour (half of that was mounting it to my ceiling). I only set up a WAP though, no controller.


pcengines apu platform is great if you're comfortable with command line. they are EOL now (no new hardware updates) but doing the same thing with any Linux box is trivial... plenty of off the shelf options for modular hardware.



These are really bad, and both very recent. One post is a Reddit user who is seeing camera images from other Ubiquiti installations. The other is a general discussion about the lack of response from Ubiquiti so far.



The cloud is like those portable toilets in public. They are private, but there are also people around you at all times. Sometimes you forget to lock the door and someone else opens it.


I like this analogy. They're full of shit and you only use them if you have absolutely no alternatives.


Are you meaning to say that a big accident in a public cloud like AWS or Azure is waiting to happen?

I did have something weird the other day in AWS. I was accessing a K8s-hosted website in my client's tenant, and I got an SSL handshake issue. Turns out the certificate served wasn't for my client's website, but for some dev-xxxx.polar.com. That environment wasn't externally accessible, as the domain cannot be resolved in public DNS, and I assume that the environment itself is also shielded. After refreshing, the issue was gone and I could access the client site again.


Azure in particular


Do they by any chance use a CDN for their cloud console? This has burned organizations so many times before where they cache the dynamic data and not static data.


Yep, this would be my guess. Something like "UserID" gets cached per node and suddenly you're seeing the wrong persons data.


I wouldn't expect to be able to administer the resources if this was just a caching issue. Seeing them yes, administer them no. Unless their authx design is tragically bad.


"Full Access" could mean a lot of things. I don't see anything suggesting they could make changes (though I haven't read the entire thread). The user could just assume they have full access because they can see everything.


there was a comment in one of the reddit threads that someone was able to create a vlan on someone else's network


It's hard to be certain while we're just speculating, but a view caching bug could make it _look_ like you're making changes to the other user's console even if they're actually going to your own console.


It could also be caching something that contains a token that can perform other actions. The disparate reports of different pages and being able to navigate make it sound like this is at some API level, not literally caching the console page view.


This is my line of thinking. It's bonkers if that's the case - sign of a completely broken mindset towards auth.


If your login/access token request is cached this could happen. But that may qualify as "tragically bad".


That was my first thought, it sounds similar to what happened with Klarna[1] a few years ago.

[1] https://news.ycombinator.com/item?id=27301219
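The subthread above speculates that a CDN or edge cache served one user's console data to another. Here, as an added Go example (not Ubiquiti code and not code from anyone in the thread), is a toy shared cache fed by a constructed origin that returns per-user console lists, run once as a "cache everything by URL" rule and once honouring the RFC 9111 shared-cache rules (Cache-Control: private/no-store, the rule for responses to requests carrying Authorization, and Vary). The request path, the bearer tokens and the JSON body are all made up for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for one exchange between a user, a shared cache (CDN
// node) and the origin. Nothing here is Ubiquiti code.
type Request struct {
	Method, Path string
	Headers      map[string]string
}
type Response struct {
	Headers map[string]string
	Body    string
}
type variant struct {
	varyOn map[string]string // request-header values this variant was stored under
	resp   Response
}

// SharedCache is keyed on method+path. With honourDirectives=false it acts like
// a "cache everything by URL" rule; with true it applies RFC 9111's shared-cache
// rules: no private/no-store, no reuse of a response to an Authorization'd
// request unless the origin said "public", and Vary selects the variant.
type SharedCache struct {
	honourDirectives bool
	store            map[string][]variant
}

func (c *SharedCache) Lookup(req Request) (Response, bool) {
	for _, v := range c.store[req.Method+" "+req.Path] {
		match := true
		for h, want := range v.varyOn {
			match = match && req.Headers[h] == want
		}
		if match {
			return v.resp, true
		}
	}
	return Response{}, false
}

func (c *SharedCache) Store(req Request, resp Response) bool {
	varyOn := map[string]string{}
	if c.honourDirectives {
		cc := strings.ToLower(resp.Headers["Cache-Control"])
		_, authed := req.Headers["Authorization"]
		if strings.Contains(cc, "private") || strings.Contains(cc, "no-store") ||
			(authed && !strings.Contains(cc, "public")) {
			return false
		}
		for _, h := range strings.Split(resp.Headers["Vary"], ",") {
			if h = strings.TrimSpace(h); h == "*" {
				return false
			} else if h != "" {
				varyOn[h] = req.Headers[h]
			}
		}
	}
	k := req.Method + " " + req.Path
	c.store[k] = append(c.store[k], variant{varyOn: varyOn, resp: resp})
	return true
}

// origin is a constructed backend: it answers with the consoles of whoever the
// bearer token names and attaches whatever cache headers the scenario gives it.
func origin(req Request, cacheHeaders map[string]string) Response {
	user := strings.TrimPrefix(req.Headers["Authorization"], "Bearer ")
	return Response{Headers: cacheHeaders, Body: fmt.Sprintf(`{"owner":%q,"consoles":[%q]}`, user, user+"-udm-pro")}
}

// fetchThrough is the CDN path: serve a hit, else ask origin and offer it to the cache.
func fetchThrough(c *SharedCache, req Request, cacheHeaders map[string]string) string {
	if resp, hit := c.Lookup(req); hit {
		return resp.Body
	}
	resp := origin(req, cacheHeaders)
	c.Store(req, resp)
	return resp.Body
}

// Scenario sends alice's then bob's request for the same path through one
// cache and returns the body each of them actually received.
func Scenario(honourDirectives bool, cacheHeaders map[string]string) (aliceGot, bobGot string) {
	c := &SharedCache{honourDirectives: honourDirectives, store: map[string][]variant{}}
	alice := Request{"GET", "/api/consoles", map[string]string{"Authorization": "Bearer alice"}}
	bob := Request{"GET", "/api/consoles", map[string]string{"Authorization": "Bearer bob"}}
	return fetchThrough(c, alice, cacheHeaders), fetchThrough(c, bob, cacheHeaders)
}

func main() {
	_, bob := Scenario(false, map[string]string{"Cache-Control": "private"})
	fmt.Println("cache-everything rule, origin says private; bob got:", bob)
	_, bob = Scenario(true, nil)
	fmt.Println("directives honoured, no Cache-Control; bob got:     ", bob)
	_, bob = Scenario(true, map[string]string{"Cache-Control": "public, max-age=60", "Vary": "Authorization"})
	fmt.Println("directives honoured, public + Vary; bob got:        ", bob)
}
```

With the cache-everything configuration the second user receives the first user's body even though the origin marked it private, which is the shape of failure the comments describe; with directives honoured, either the response is never stored or Vary: Authorization gives each token its own variant. Sending two differently authenticated requests through the edge and comparing the bodies is also how you would test a real cache rule before trusting it with authenticated paths.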


For anyone with a UDMP looking to disable remote access via UniFi servers, the setting isn't under the Network application, it's part of the higher level console management:

Console Settings (menu on left) -> Advanced (heading) -> "Remote Access (checkbox)"

Or via: https://$UDMP_IP/console-settings

(Hopefully the setting applies locally...)


And note that to see the Remote Access checkbox, you need to be logged into the console as a ui.com user, not a local user.

If you have disabled Remote Access and instead want to use the phone app via a VPN, you may have to add it manually. There's a (+) button for that, and then a "Need help?" option, which contains a way to manually add by IP/user/password.


If only you could do this with the Protect app...


The real question here for me is: why is my data not flowing through Ubiquiti's servers end-to-end encrypted?

They should be able to accidentally send my data to another user and have it merely result in a decryption failure.


I have been hoping for them to go this route for a while now, maybe eventually they will.


I think you mean encrypted at rest (data) with you holding the decryption key, not E2E (HTTPS/TLS), which is from your network to their network.
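The earlier comment in this subthread asks for a design in which data passing through the vendor's servers is encrypted with a key only the user holds, so that misdelivery ends in a decryption failure rather than a disclosure. As an added Go example (not Ubiquiti's design and not code from anyone in the thread), this models that with AES-256-GCM: the relay stores and forwards sealed blobs per owner, the bug from the thread is reproduced by handing alice's inbox to bob, and bob's client fails the GCM tag check and receives no plaintext. The key derivation, console IDs and payload are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sealed is what the relay stores and forwards: nonce plus AES-256-GCM
// ciphertext with the 16-byte tag appended. It carries no usable plaintext.
type Sealed struct {
	Nonce, Ciphertext []byte
}

// deriveKey stands in for however a user's own devices agree on a key (for
// example one generated at setup and backed up as a recovery phrase). Hashing
// a passphrase keeps this example deterministic and self-contained; a real
// design would use a proper KDF or a randomly generated key.
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a console's data for its owner. consoleID goes in as associated
// data, so a blob for one console cannot be replayed against another even by
// someone who holds the key.
func Seal(key []byte, consoleID string, plaintext []byte) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(consoleID))}, nil
}

// Open verifies and decrypts. A wrong key, wrong consoleID or any modified byte
// fails the tag check, and GCM then returns no plaintext at all.
func Open(key []byte, consoleID string, s Sealed) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(consoleID))
	if err != nil {
		return nil, errors.New("decryption failed: blob is not for this key/console")
	}
	return pt, nil
}

// Relay models the cloud side: per-owner inboxes of sealed blobs. To mirror the
// bug in the thread it can be asked for any owner's inbox.
type Relay struct{ inbox map[string][]Sealed }

func (r *Relay) Upload(owner string, s Sealed) { r.inbox[owner] = append(r.inbox[owner], s) }
func (r *Relay) Fetch(owner string) []Sealed   { return r.inbox[owner] }

// MisroutedDelivery runs the flow end to end: alice's console uploads, the
// relay wrongly hands alice's inbox to bob, and both clients try to open it.
func MisroutedDelivery() (bobReadsAlice, aliceReadsOwn bool, err error) {
	aliceKey, bobKey := deriveKey("alice-recovery-phrase"), deriveKey("bob-recovery-phrase")
	relay := &Relay{inbox: map[string][]Sealed{}}
	blob, err := Seal(aliceKey, "udm-pro-alice", []byte(`{"vlan":"iot","clients":42}`))
	if err != nil {
		return false, false, err
	}
	relay.Upload("alice", blob)

	for _, s := range relay.Fetch("alice") { // the misroute: bob is served alice's inbox
		if _, e := Open(bobKey, "udm-pro-bob", s); e == nil {
			bobReadsAlice = true
		}
		if _, e := Open(aliceKey, "udm-pro-alice", s); e == nil {
			aliceReadsOwn = true
		}
	}
	return bobReadsAlice, aliceReadsOwn, nil
}

func main() {
	leak, own, err := MisroutedDelivery()
	fmt.Printf("bob can read alice's blob: %v | alice can read it: %v | err: %v\n", leak, own, err)
}
```

Binding the console ID as associated data also stops a blob meant for one console from being accepted by another that happens to share a key. What encryption on this path does not hide is metadata: the relay still sees which owner uploads and which client fetches, and any feature that needs the server to read the data has to be redesigned around that.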


I really wish there was an open source equivalent that’s user friendly. I run OPNSense but the learning curve is steep and I wouldn’t recommend it to family because of it. I’ve been debating Firewalla but this same issue can happen since the control panel is cloud based.


If it was open source, would you recommend Unifi to your family? I feel like family will either be technical enough to understand OPNSense, or not technical at all at which point even Unifi is not something they'll manage themselves.

I actually run OPNSense for myself at home, but for my parents I deployed full Unifi. This way if there's any problem, I can remotely look at the network in the cloud console and try and see what's wrong.


> I feel like family will either be technical enough to understand OPNSense, or not technical at all at which point even Unifi is not something they'll manage themselves.

Agreed. Major ISPs in the US (and I presume many other places) offer routers that work well enough to satisfy the requirements of any non-technical household and often come with provisioning/troubleshooting features that enable the ISP to provide technical support if necessary.

In the old days, ISP-provided devices often lagged behind other consumer or prosumer network offerings, and it made sense to swap them out... but that's not really the case today. Today, swapping out the ISPs router is probably going to make a non-technical user's life harder, unless they have someone technical to manage it for them.


ISP gear is still trash. It's just better for the user, because the ISP won't bitch and moan and tell you your hardware is unsupported.


"Trash" is subjective.

Satisfaction happens when a product or service meets the user's requirements. A new Cisco catalyst setup may be technologically superior to my mother's ISP provided router, but it might not make it easier for her to play Candy Crush on her iPhone if she forgets the wifi password.


I suppose you're right. Just after seeing my family lose internet a bunch of times due to the ISP supplied router just straight up failing, I don't have much confidence in the hardware. Also I don't think that rebooting the router once a week because it's frozen makes it a quality product that brings satisfaction. I've never seen an ISP supplied router that isn't like this. But that could just be my personal experience.

I mean, when the first thing you hear when you call your ISP, is to "reboot your router" on a recorded message, doesn't that throw a red flag to anybody else? I don't use high end gear at home like Cisco, either, but it has never needed a reboot.


My family uses some of the later devices from Comcast and Verizon and they don't seem to have any issues requiring reboots. I do know, at least for Verizon, that their troubleshooting tool can automatically reboot and reprovision their routers, so there's no need to tell the user to do this on the phone anymore.


No, AT&T is still shipping with a router that cannot hit more than 50% bandwidth on any of 3 devices from under 5 feet. With one wood + pressboard wall between me and the router, 25%.

This is symmetric gigabit product, but still.


You've described a technical problem, not a non-technical problem.

I'm not familiar with that device, but a non-technical user might not care about that "problem", as long as their device does the task they are intending to perform.


The problem is being described technically, which is more useful than the non-technical description of the problem, which is "I don't know, the Zoom isn't working, and the kids can't watch their Netflix at the same time".


Yes, but Zoom and Netflix will work great on 50% or 25% of 1gbps. Heck, they'll work great with 5% of 1gbps.

I am sure that AT&T's CPE equipment is lackluster, but that doesn't mean it won't work to do basic tasks to the satisfaction of a home user.


I dunno what to say, but it does not do basic tasks to the satisfaction of people who buy 1gb internet connections.

I can tell you from experience that large downloads and uploads cause latency-sensitive applications to stutter in a way that is fixed by using ubiquiti gear.

In your defense, you did say non-technical household, but I dunno -- I don't think that wanting to use, eg, backblaze for backup and not have that tank zoom makes you a technical household.


And I don't know anything about the equipment AT&T is handing out these days, it could be particularly bad. But generally speaking the equipment that ISPs are handing out these days is pretty functional for generic use.


I think UniFi OS is pretty straightforward (at least for my generation). I don't think I would recommend it to my parents, but I did to a sibling and they managed to set up their own system with only a little bit of help from me. I also sent them the awesome lazy admin VLAN guide, which helped a ton.


I'm pretty bad at coming up with business ideas, but one that I think would work, if I ever got the time to do it, is a user-friendly x86 router firmware centered around the idea of making it as easy as possible to set up and control your network and its devices.

On my home network, what I really want is the ability to define one or more networks (VLANs, if you will) and then place devices in those networks. When you click on a device, you are then able to do things like give it a static IP, look at the traffic it's generating, shape its traffic, disallow traffic from/to certain ports, kick it off the network at certain times of day, allow it access to the local network but not the Internet, change its DNS resolvers, etc.

In order to do these things on most routers, if they offer the ability at all, you need to jump around to different places in the UI and manage each service as its own thing. OPNsense is great (and it's what I currently use) but its UI is really just multiple little windows into the various sub-services that the firmware provides. Separate page for all the firewall rules, another for all the DHCP leases, etc. It works, but it's kind of frustrating to use, especially when you're not digging around in it every day.

The business model would be: everything open source, but three "tiers" of releases: 1) free "beta" releases featuring new and lightly-tested features for the adventurous. 2) "stable" releases via subscription (paying customers have access to the source code and build tools) 3) "freeloader" releases, the same as "stable" but with a 6-9 month delay.

Devil is in the details of course, but if I had any entrepreneurial bent at all, I think it would be a big improvement over the current state of things.


Do you know about OpenWRT and the others? If yes what are they lacking?


I know about OpenWRT and used it for years on various cheap MIPS routers. But back then, the UI did not come with the firmware, you had to install it separately. And it was _very_ basic and there was lots that you still had to do on the command line to get anything done.

Correct me if I'm wrong, but that still looks to be largely true. Except that there are multiple to choose from: https://openwrt.org/docs/guide-user/luci/webinterface.overvi... I had a look at a few, and they all seem to be "managing the router"-centric, not "managing your network"-centric.


Well, since we're talking about delays in security responses, OPNsense is in the same boat. https://news.ycombinator.com/item?id=34839161


I have a lot of complaints about OpnSense. But how exactly is that a similar security response?

That wasn’t a security incident for OpnSense. It was a CVE for an optional package most users probably don’t have installed. Sounds like not-an-emergency to me. That user is completely unreasonable. Opnsense should refund their money (if any lol) and tell them to pop off.


Yeah, he installed a web server on his router and walks up to the BSD port maintainer and complains about security, LOL. He even archived it.


>That wasn’t a security incident for OpnSense. It was a CVE for an optional package most users probably don’t have installed.

First of all, the point is that the OS didn't release CVE fixes for the packages in its repositories even though it had already committed those fixes to version control. Notice that my comment specifically talks about "delay in security response", not that it was an "emergency".

>That user is completely unreasonable. Opnsense should refund their money (if any lol)

Second, I recommend reading the comment you respond to carefully before you rush to make an account to respond to it. "That user" is me. The GH thread has a clear comment from me that I did not pay them any money and do not have any expectation of support.

Third, notice that the point of the GH thread was me asking what their policy of releasing CVE fixes was. You seem to think I was some Karen complaining that they hadn't released the fix. All I asked was a confirmation that they're aware that they're shipping a package with a CVE, that they've already fixed the package but just not published it, and what their policy is for releasing fixes in general.

They could've responded with something like "We're aware of the CVE but we don't plan to release the fix in 23.1. Our policy is to only release bugfixes for non-critical packages in the next stable release, and we consider os-haproxy to be a non-critical package."

Instead they got weirdly defensive about it, tried to lecture me about how OS releases generally work, called me "rude" (ironic), and locked the issue.

The ultimate point is that OPNsense delays security fixes. Maybe you think it's okay because you think some OS packages are critical and this one wasn't. Maybe you think if an OS can't articulate its security fixes release policy without getting combative, then it's hard to take its security seriously. The decision is yours.


The maintainers of OpnSense are able to make their own determination about the severity of the issue and the method of the fix. They gently reminded the user of their process. Ubiquiti, as a provider of a paid security product, has a much larger, immediate, and different responsibility to fix the issue and communicate clearly with their clients.

I think that everyone is entitled to their own intentions, but they are also responsible for communicating those intentions effectively. If the intention was to not be "some Karen complaining", it wasn't clearly communicated that way.


Put it on the cloud they say...

Reminds me of that time someone at Dropbox pushed a change onto production that ignored your password, so you could login as anyone with any password...


Reminds me when Dropbox pushed a change to production that opted folks into sending their files to OpenAI


Reminds me of this old talk by Tom Scott https://youtube.com/watch?v=y4GB_NDU43Q


Got a source? Can't see anything with a quick search


https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

DDG and Google were useless and mostly returned pages from dropbox.com, I had to exclude results from there: https://www.google.com/search?q=dropbox+security+issue+passw...


When people ask me why I don't use Ubiquiti products, and I tell them that I don't trust companies with closed/proprietary offerings with something as critical as this, I get a lot of skepticism and even eye-roll. Open source isn't a silver bullet, but if I were self-hosting my own "cloud" controls I wouldn't be worried about something like this.


honest question, who do you trust that provides either high end residential or SMB type networking gear that works well? The average residential stuff is all garbage and I was looking into unifi because seems to work better but I'm open to suggestions.


This is a really hard time to be in that market. I built my own "mesh" system by deploying 3 separate routers in bridge mode, connected via ethernet (lucky that house was pre-wired). We moved to a house that didn't have that and I used powerline adapters which worked well enough, but once wifi 6 came and the true mesh systems like Google Wifi and Eero put together a system that has much better handoff (by coordinating), open source really just hasn't kept up. The powerline solution kind of sucks because it caps out for me at 20 Mbps (which is very disappointing when scp-ing a file over the LAN!). I've heard people able to get 200 Mbps through powerline, but I haven't been successful. I built a system that just used three routers each with a slightly different SSID, and a script on my laptop that would switch it to the one with the most power once it hit a certain differential threshold. That was honestly my favorite system, and what I plan to do again once my current system retires.

My current system is a Protectli 4-port firewall appliance that is running AlmaLinux. It gets CGNATed by my ISP (Starlink) but I set up Tailscale (Headscale) and don't really have any issues now from CGNAT. Cockpit plus plugins provides me a good GUI, although I prefer to just SSH and use the CLI. I have two "wireless access points", one is a Linksys WRT3200ACM: AC3200 (open source edition). It's good, not great. The other is a (swallow) Google wifi. The Google wifi adds a layer of NAT in order to provide mesh. You can avoid that by putting it in hub mode but you lose wireless handoff if you use that. I've been pretty happy with that system for several years, but I'm still on the lookout for something more open that isn't a major downgrade on speed/reliability. I can more or less hot swap any WAP into place since most of the brains/config is in my Almalinux router.


I personally run a bunch of obsolete Aruba, Juniper, and Ruckus gear at home. It works pretty well, doesn't cost very much, generally doesn't require licenses or cloud, and supports every feature under the sun. The only problem is power consumption, but I don't mind burning ~200W on my whole house's network infrastructure.


This is a great way to go if you don't mind the power consumption and/or learning how to administer them. You can buy used Juniper equipment that went for 4 to 5 figures when it was new, for dirt cheap (2 figures). Still plenty sufficient for home use. If you've never done Juniper before it can be a bit of a learning curve, but the equipment is really solid.


Navigate to your router's IP, go to Console Settings, scroll to Advanced and un-check Remote Access:

https://i.imgur.com/RzXpT6Q.png

After doing that, you can't access your router remotely from The Cloud, (well, you can log in over the VPN, remote into a computer on-site, and access the router from that computer) but you're secure against a whole class of bugs and errors in Someone Else's Computer.


I set up nginx to point to my UDMP's 443 port via a subdomain of mine. Unsure if this is horrible security but I don't have 'Remote Access' turned on. I guess at worst it relies on UniFi OS security and auth to be solid?


I set up a domain from Namecheap and pointed a subdomain towards my router's IP. Then I VPN using UniFi to control it. I cancelled the domain and use the IP, but I've found it does change from time to time.

UniFi's firewall blocks a ton of IPs whenever I open a port for Plex or whatever. I've tried to fight back against US providers letting anyone with a VM run port scans, but they only care about getting paid.


If you're running UniFi on FreeBSD/OpenBSD it won't even allow cloud access because their Java websocket library for it doesn't include support for anything but Mac/Win/Linux


Before all this cloud stuff you could just run the ubiquiti protect suite on a linux box. But then they discontinued it and the ios app to push their cloud offerings on people.


Had an "is this actually your local console?" prompt from Protect this morning. I'm getting a bad feeling about this.



It's great that they are open about it, but it does make me seriously question the design of their cloud infrastructure and backend systems.


Overall I found the statement to be solid. I would like a more detailed follow-up analysis to demonstrate they actually did more than just roll back to the last version and make a bug fix of the root cause.

There should be changes to their release process to test and ensure this won’t happen. Also, I’d like to see a real root cause analysis of some sort.


I think it's great that they publicly took responsibility however it's not clear what controls they've put in place to not allow this to happen again.


Hint: they haven't put controls in place, and it will happen again.

Unifi is one of the companies with awesome potential but they just seem to whiff it constantly on security and software.


Agreed. It's very difficult, and sometimes impossible, to retrofit security, especially without a huge investment.

If you just don't even care enough, then you'll never get it right. Not saying that Ubiquiti is that way, but there's a reason why some companies never seem to have significant security concerns and others have an unrelenting stream of them.


My UniFi controller runs in a VM. The APs have no access to anything but that VM. Wondering if I should limit outgoing traffic from my controller.


I believe the controller can be configured to be accessible via the cloud UI, but it isn't the default. At least that's the behaviour when configured with a local user.


Absolutely, but I do wonder if I should belt and braces it. Just because it shouldn't contact a cloud doesn't mean it doesn't.


If you have an easy way to do so, you should.

Possibly even proxy the traffic via something able to do SSL strip/re-encrypt and monitor that traffic with an IDS.


I always make an assumption that people writing nefarious communication will check SSL certificates and thus MITMing it would only work if I can load a root certificate (which typically is only doable on proper devices like phones and laptops, and I don't like the extra risk of having a wide open root that I've generated and have to keep secure on my devices as I don't trust myself enough)

However, speaking to some people at work who have had experience in the past, it seems most malware (and that includes IoT devices) doesn't bother validating certificates or things like ESNI and (validated) DoH, so there's a lot you can find out without breaking TLS, due to the laziness/incompetence of the malware writers.
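The two comments above reason about when TLS interception of a device's traffic is even possible: it works only if the device trusts the interceptor's certificate or does not validate at all. As an added illustration (not code from anyone in the thread or from Ubiquiti), this Go program stands up a self-signed HTTPS endpoint in-process to play the intercepting proxy and points three clients at it: one that validates certificates, one whose operator installed the proxy's certificate, and one that skips validation, the case the comment says much malware and IoT firmware fall into. The handler, the client names and the use of an empty root pool for the "validating" client are assumptions; everything runs on loopback.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Attempt records whether one client configuration completed a request to the
// intercepting proxy and, if not, why the handshake failed.
type Attempt struct {
	Client string
	OK     bool
	Err    string
}

// newInterceptor stands in for a TLS-terminating inspection proxy: an HTTPS
// endpoint presenting a certificate no public CA issued (httptest makes a
// self-signed one). The handler is where inspection/IDS would happen before
// the proxy re-encrypts toward the real destination.
func newInterceptor() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "inspected %s %s", r.Method, r.URL.Path)
	}))
}

func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

func try(name string, c *http.Client, url string) Attempt {
	resp, err := c.Get(url)
	if err != nil {
		return Attempt{Client: name, Err: err.Error()}
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return Attempt{Client: name, OK: true}
}

// RunClients points three differently configured clients at the interceptor:
//   - validating: trusts only an (empty) root set, as a device that ships its
//     own pinned trust store would
//   - trusts-proxy-root: the operator installed the interceptor's certificate,
//     as one can on a phone or laptop but rarely on an appliance
//   - skip-verify: accepts any certificate, the sloppy firmware/malware case
func RunClients() []Attempt {
	srv := newInterceptor()
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	return []Attempt{
		try("validating", clientWith(&tls.Config{RootCAs: x509.NewCertPool()}), srv.URL),
		try("trusts-proxy-root", clientWith(&tls.Config{RootCAs: pool}), srv.URL),
		try("skip-verify", clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL),
	}
}

func main() {
	for _, a := range RunClients() {
		fmt.Printf("%-18s connected=%-5v %s\n", a.Client, a.OK, a.Err)
	}
}
```

Only the first client behaves the way a well-built device should: the handshake fails with an unknown-authority error and nothing is sent. The other two connect, which is the same check you would run against a real appliance on a lab VLAN to learn whether its traffic can be inspected or whether, as the comment suggests, you are limited to DNS, SNI and flow metadata.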


Hmm I should upgrade my wifi next year. Right now I have an old ish Ubiquiti AP that does its job without bothering me, but it's from before the cloud insanity.

Have they seen the light and made their devices usable without ever logging into their servers? Last time I asked this question the 'cloud' was unavoidable during the initial set up but could be turned off later. This doesn't look like enough to me. I want a damn access point that doesn't talk to anything outside my network.


UniFi APs can be set up in standalone mode with the help of the UniFi Network mobile apps. https://help.ui.com/hc/en-us/articles/12594679474071-Standal...


Interesting info. Why does it say in step 3:

'Log in to the UniFi Mobile App (iOS / Android)' ?

Log in to what? If they moved the 'cloud' requirement from the AP to the management app it doesn't mean they got rid of it.


You’ll have to set up the APs individually and you’ll be missing out on various features like quick roaming.


You can keep it non-cloud as far as I know. I just bought a gen2 cloud key to replace the [persistently crappy] gen1 cloud key that I've had for ~5 years and I was able to skip the cloud login during initial setup. Of course, the devices reach out to fetch updates and whatnot, but all auth/config is held locally.


> Have they seen the light and made their devices usable without ever logging into their servers?

I run the management software in a VM and don't even have an account on ui.com. My firewall doesn't let the management software talk to the internet (I allow NTP and the couple of pings it wants to do, reject phone home; I temporarily allow phone home when I want to check for firmware updates).



My parents live in another country, and I want to set up some network equipment at their house so that I can coordinate their network if they get into trouble, and to support cameras as one of them has become high-care. My dad also has some complex data. I intend to install a rackmount server for him so that I can help him with data problems from time to time.

For network equipment, I have a fair bit of experience with datacentre grade equipment, but none in the consumer space. I think I want this, 1. Good quality. 2. Fanless 3. Drives multi-node wifi APs 4. Control cameras 5. Web interface that parents can use. 6. Cisco-like CLI that I can use. 7. No cloud.

The unifi equipment seems to fit all criteria above except the last two points. Seems you cannot make permanent changes from the console, and their offering is oriented towards cloud configuration. Would someone who knows the segment be happy to offer advice? (thanks in advance)


I have a UniFi AP and a 24-port 10G switch from Ubiquiti. As far as 6. goes, you are sadly correct. It’s all Linux underneath so there are plenty of changes you can make in the CLI, but the middleware will happily stomp all over it at the next upgrade or reboot.

For no cloud, it’s quite easy to avoid. The middleware can be spun up in a container or installed on any Linux VM and have no access to Ubiquiti’s servers at all and it’ll work fine (you’ll have to upload updates yourself). However, the product will be full of little nagging notices coaxing you into going to the cloud, or as in my case, getting mad you aren’t using a UDM for your router/firewall and turn off a bunch of the L3 features. The software is meme-level in how many bad patterns and form-over-function decisions are in it. Cloud or no, it’s frankly kinda crap.

The APs are solid, but I’ll likely not buy another switch from them if I can help it. Depending on your needs, there is plenty of used enterprise gear to be had for quite cheap on eBay. But, I’m in the market for a fat 48-port switch with a huge PoE budget and they have one that’s all 2.5G. I don’t know that anyone else makes one, and if they do, it’s three times the price, or I have to call some sales person to talk about it, or the actual existence of the product is impossible to surmise through thick marketing wank datasheets.


There's no all-in-one solution that I'm aware of that ticks all of those boxes. If you're already standing up a server, I would recommend using MikroTik switches along with TP-Link Omada APs. You can set up the free Omada controller on the server.

For the camera side, Reolink or Amcrest PoE cameras (or Wi-Fi if you must) paired with a PVR like Blue Iris if you're a Windows guy or Frigate on the Linux side.


I run my own Docker image for the Unifi server, no cloud needed. The CLI is limited though but I can ssh into my switches and router. I haven't used their camera offerings though.


One possible explanation for this can be a mistake in caching. While it is tempting to log in and see if you can see other people's consoles... that just might put you in the cache for someone else to see.

There is no way for us to know what is causing the bug and what will help without official word from Ubiquiti, but logging in can only possibly hurt and won't help.


Yeah seems like a caching issue where the cache isn't properly segmented by user.


Random fact: Ubiquiti is publicly traded, yet Pera owns 90%+ of it, meaning shareholders virtually have no power to push for changes. You might as well call it a privately held company, lol.


Feels like the issue Steam had with caching https://securityaffairs.com/43189/security/steam-users-data-...


Remote access anything should be banned. Just use a VPN/wireguard.

Reverse control is such a mess and the application is not the place to handle this


The hilarity that goes with this is that their VPN has been broken for years. Android and iPhone both deprecated protocols that were considered insecure, but Ubiquiti hasn't seen fit to add any others. It has been years.

Their security posture is trash, which is unfortunate for a company that plays a central role in security



I love Tailscale, but you are really then just substituting one company's remote access for another's. I'm quite certain that TS are more capable of creating a secure system than Ubiquiti are, but still, the principle of not trusting others with access to your network, is violated by TS.


I agree that enabling any form of remote access controlled by a third party increases attack surface, but I also feel like Tailscale has earned more of my trust than other vendors with the quality of their past security responses.

https://news.ycombinator.com/item?id=33695886

(If anyone has examples of Tailscale incidents ending badly please share and I’ll update my trust accordingly, but to date I haven’t heard any.)


That incident ended badly for anyone that had a Windows box and got 0wned. Tailscale's response was good, but my trust in the software they produce was damaged by that incident. I'm a current Tailscale user (esp with their AppleTV app), but that incident wasn't good.



Just stop.

OpenVPN and Wireguard work fine. I am using it right now.


I have a USG Pro 4. Which is still purchasable from their website, not yet EOL, nominally still supported. The only firmware update in the last two years was to fix a security issue, and didn't include support for updated VPNs.

Release notes history is here: https://www.ui.com/download/software/usg-pro-4

The wireguard of which you speak is only available on their "next gen" gateways, ie, not the full set of gateways currently "supported": https://help.ui.com/hc/en-us/articles/12594825307927-UniFi-G...

It's now been three years since at least some of the forum threads started expressing concern: https://community.ui.com/questions/L2TP-unsecure-update-to-I...

From my perspective, they have failed catastrophically to do what I perceive as the pivotally important parts of their job, without which the rest of it is pointless. So, while you say "Just stop", I say "Why the hell should this company be trusted with anything network-related, if they can't do bare-minimum-required security stuff?"


https://help.ui.com/hc/en-us/articles/7951513517079-UniFi-Ga...

They do now support Wireguard and OpenVPN in addition to L2TP. OpenVPN looks like it is only available on newer hardware though.


A VPN is remote access.


Of course, but it's at a different layer and it works differently. It's also something that can be swapped.


AFAIK you can disable remote access via their cloud. I do think they still force you to use the cloud credentials for internal access, however.


I think you need at least one ui.com user, but you can also add local users. I control my unifi stuff through a local admin user.


no. you can use a local account.



I really wish they weren't forcing everything to their cloud services for exactly things like this.


Are they forcing people to the cloud services? (I'm still running without cloud enabled.)


Easy to host the console yourself: https://help.ui.com/hc/en-us/articles/360012282453.

There's even a docker image for those who have trust: https://github.com/linuxserver/docker-unifi-controller


It should be noted that the repo you linked is for a deprecated image that's losing support at the end of this year: https://info.linuxserver.io/issues/2023-09-06-unifi-controll...

The note I link above discusses its replacement and how to upgrade.


Thanks. I didn't know about this.


Not if you use their "Dream Machine" line of products - you have to use the controller that's self hosted on the box. I'm currently trying to figure out how to disable the cloud connection on these and go back to good ol' open ports to manage the thing.


I haven't tried yet but looks like this was posted above with how to disable cloud connection https://news.ycombinator.com/item?id=38644073


I have a Dream Machine Pro (UDM-Pro), and disabling remote access is as simple as finding the setting and turning it off. I disabled it on mine a while ago as an extra security measure.


Eh. you don't need that for any of the hardware that appears to be affected. Just turn off cloud access.


My decision to not enable remote access feels vindicated now.


I have a few unifi things at home, and for the most part, they've been good, and work well together. But this sort of stuff is very concerning, and forcing the cloud account on everyone is really stupid.

But what are the alternatives. Firewalla seems to be a good alternative, but they don't do APs, leaving me with a mixed system.



Using the cloud is not required, you can set everything up with local access. Certain products, like Protect, do require cloud access. But not the base networking stuff.


I'm running unifi here and I've never dealt with any of this cloud stuff, there's a checkbox called "enable remote access" that defaulted to false for mine and I'd never check that box, so hopefully it's not actually "forced"?


I use a Firewalla with TP-Link Omada APs, works great. Don't really mind the mixed system aspect. Recommend!


why not use an Omada gateway/router too?


From what I remember, Firewalla (app only) is more dependent on the cloud than Unifi.



If I had to take a guess they might be using a CDN like Cloudflare and temporarily misconfigured a cache rule…


Ubiquiti has always been pushing the remote management feature pretty hard. But recently they are also making some really nice VPN features. I hope incidents like this would further change their standpoint and actually make local account access nicer.

There are tons of dark patterns in the Protect app that prevent you from using a local account. And when you finally learn to work around all of them, you realize that there's no push notification without remote access. (I understand the difficulty of pushing messages straight from the console to a mobile device, but many self-hostable software packages offer a centralized, managed push notification relay over the internet. I am not sure if this is too much to ask for.)


Ah, the beauty of cloud-connected network management. A hacker's delight...

And then I am the one that gets chastised for not wanting cloud connected router/switches in my networks.


Considering all of the shit that goes on with routers, maybe it's time to say that OpenWRT is the (only) safe-ish option at this point?


So what’s the alternative for SMB… Cisco? Where can we buy this stuff cheap without going through an IT company..?


I tried the AmpliFi mesh router several years ago and hated it. It didn't seem any better than the Arris gateway that ATT sent me.

Why would you have a central console that has the potential for accessing all the routers with a single login though? Why wouldn't this be just local to the network with remote access?


I feel very vindicated for avoiding the cloud solution when everyone was praising Ubiquiti back in 2016 or so.



UI just can’t catch a break.

Earlier this year, some tech tabloid (krebsonsecurity?) reported how bad security was at UI. I think it was ultimately determined to be a bad story and UI sued for defamation.

Now we are here again with another possible leak.


This was multiple years ago at this point.

This is why smear attacks work. Someone on a different Hacker News thread today was stating that the car that blew up at the Canadian border was a Tesla (it was a Bentley).

I've seen these types of bugs before. I think they introduced a very bad credentials or session bug. The good news is you can turn cloud off for all of these, and they work just fine.


Or how the one fire in a Tesla in Florida following a hurricane became a whole fleet of every EV in Florida spontaneously combusting. A lie can travel halfway around the world while the truth is putting on its shoes.


It’s unlikely that simply seeing things in the main console means you’ll be able to change things if this is a caching issue. It can still expose passwords and other internal information you don’t want to get out.


Odd coincidence in that I had the same problem with Ubiquity, the 401k provider, several years ago. Could see most of my colleagues' 401k accounts. Never good.


The cloud is still just someone else's computer. (Or camera.)


Does anyone have a recommendation for a replacement? After the requirement to create a cloud account on their so-called "Pro" Dream Machine I already felt something is wrong, and after "Please don't use shielded Ethernet cables with our so-called "Professional" WiFi Access Points, they can randomly reboot"[1] and now this nonsense, I'm just simply done with them.

But I really like the hardware of the Dream Machine Pro (Router, Switch with 10G uplink) and the overall view of clients and connected devices, so I don't just want to buy some random Router and pair it with random WiFi APs - though I guess that's the best choice?

[1] https://help.ui.com/hc/en-us/articles/8823742725015-UniFi-6-...


There is no requirement to create a cloud account on the Pro machine.


There used to be a mandatory ui.com account when it came out. If they finally got rid of that nonsense, that's great news.

And yeah, looks like the v1.1 update removed it (https://community.ui.com/releases/UniFi-OS-Dream-Machines-1-...): "Allow to set up a console without an SSO account."

The fact that they decided to release a "Pro" product with that requirement initially still counts heavily against them: What were they thinking, and why should I trust them if they are making such decisions?


Nice, yet another breach that doesn't affect me self hosting my Unifi controller.


Mikrotik is the way.


So the guy makes the initial post, within an hour UI team reaches out to him to gather more info and the next post is a criticism of their handling!

What’s wrong with people? I think 1 hour response to a forum post isn’t unreasonable or am I wrong?


If I reported to a vendor that I had unfettered access to other people's cloud console, and it was the fourth such report, I'd expect them to shut down access to the console until they figure out what's going wrong.

Instead, they're "looking into it" or something?

I guess they'll just hope nobody does anything nefarious like change the passwords on every switch/router/AP they have access to then get remote access?


Imagine being able to shut off all Ubiquiti console access in the world instantly, by posting about a grave security issue (real or not) and having a few compatriots to do the same in a short amount of time. You could trivially block a business's access to its own security cameras on a moment's notice, among other things.

If the response to an unverified issue were "just shut everything down" you effectively have implemented an exploitable DoS in your own incident policy.


This was posted 18 hours ago. If you can't either verify the user has actual access to other people's consoles (at which point you should be immediately turning access off) in 18 hours, then you should probably just close up shop because you have no business providing remote access to a can of soup much less someone's firewall.

If the user in question was making it up, you should also have posted within minutes of discovery that the user in question (and multiple other people) were making false claims.

Again, they've chosen the "we're looking into it" route which is always reassuring.


> If you can't either verify the user has actual access to other people's consoles [...] in 18 hours, then you should probably just close up shop

It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.


>It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

So it's impossible for me to prove that nobody has walked through my front door today? I'm quite confident it isn't. I'm also confident if they have sane logging in place, they can prove accounts weren't being accessed by unauthorized users.

You're also talking in vagaries like they're hunting a ghost. They've been interacting with a willing end-user who originally reported the error.


I was typing exactly this when I saw your comment. This could very well be a real issue, but could also be a nefarious attack or even just incompetence. I've done support before and there are always users convinced that they are "hacked" or that we are doing something shady because they forgot their friend logged in on their device or forgot that they actually made two accounts in the past.


For what it's worth, all reports and screenshots of this seemed to have happened within the same hour, so it might've been fixed quickly. I definitely would expect this to get a public postmortem within 48 hours, though (maybe Cloudflare has ruined my postmortem timeline expectations).


If someone was actively stealing your car, and 911 told you they're an hour out, would that be acceptable? Having carte blanche access to someone else's network equipment seems like the highest emergency a company like Ubiquiti could have.

I don't know if the time frame is acceptable, but I know I would have reached out to the customer versus waiting around for a DM once the alarm was rung.


> If someone was actively stealing your car, and 911 told you they're an hour out, would that be acceptable?

In Seattle they don't even show up anymore, they tell you to fill out a form online...


You have to search the streets yourself and be your own advocate if you want to recover your stolen car.

In the last 8 years SPD has become completely unmotivated to do their job despite never having their budget cut. Adjacent police departments like Kirkland and Lake Forest Park are much more willing to do their job, but they fire officers who don't do their job, while SPD retains these caustic, non-performing officers.

So long as we let our officers in Seattle get away with billing fraudulent hours that weren't worked, ignoring core job duties, and slow-rolling the duties that they do do, we will be stuck with an ineffective police force.


>In the last 8 years SPD has become completely unmotivated to do their job despite never having their budget cut

The budget was absolutely cut.

https://apnews.com/article/business-police-seattle-6730ec66e...


The SPD has lost hundreds of officers and hasn't recouped them.

"Defund the Police" has consequences.


While "defund the police" was ill-thought-out, let's remember that it was a response to the continued use of excessive force by police. As one of the parent commenters said, SPD has a poor track record of disciplining misconduct by their officers. People will take increasingly desperate measures if they feel like they're not being heard. The idea that you'd do away with police was short-sighted and didn't make sense from the beginning, but the situation SPD finds itself in is partially a self-inflicted wound.


The police chief is appointed by the mayor. If people feel like they are not being listened to or there is too much abuse maybe they should elect a mayor that will deal with it?


The SPD has lost officers, yes, despite offering hiring bonuses higher than ever. This is not because they don't have enough money, but because the prestige of being a police officer in Seattle has declined.


"The new budget includes funds for 1,357 officers and SPD says right now, there are 1,120 officers on the force—which leaves 237 open jobs."


Yes and no. Traffic enforcement and dispatch positions were moved to another funding line item outside of the SPD. This was the city council attempting to satisfy calls to "defund the police" while not actually reducing the amount of money allocated to policing.

https://southseattleemerald.com/2023/09/14/opinion-debunking...


>The Seattle City Council has approved a 2022 budget that cuts police department spending from previous years [...]

2022 was not 8 years ago.


You’re parsing this incorrectly mate. “In the last 8 years” means in any of the last 8 years, which is different than in the last 1000 years.


I do not read "In the last 8 years" as 8 years ago, but as within the last 8 years. Do you read it differently?


In your interpretation the number 8 has no significance in that sentence, since "In the last 1000 years" would have the same meaning.


I could say the exact same thing for your interpretation. Why not just say 1000 years ago the budget wasn't cut? It would have the same meaning. Oh wait, it wouldn't have the same meaning because 8 and 1000 years are quite a bit different.

8 years is probably not meaningless for the poster. He probably moved there 8 years ago or had his car stolen back then and is saying nothing has improved since then despite there being no budget cuts.

It makes no sense to say "in the last X years" if the poster just meant X years ago. It would cause unnecessary confusion.


>I could say the exact same thing for your interpretation. Why not just say 1000 years ago the budget wasn't cut? It would have the same meaning.

Because it would not have the same meaning. The point of the phrasing is that the time the Seattle PD stopped being motivated to do their job was close to eight years ago, and they have continued to be unmotivated since then.

"1000 years ago the budget wasn't cut" does not convey that information.


If the poster meant 8 years ago they stopped being motivated he would have just said that. The post didn't say that. You are just tangling yourself in word play to try to get the post to mean something different than it does.


20 years ago in school our English teacher had us read a science fiction short story about a robbery. I wish I could remember the name of it. The essential idea was that robbery was at some point legalised and nobody really cared because they just claimed on insurance. With more and more of our possessions being basic commodities (cars, electronics, IKEA furniture etc.) and everything of importance being digital, this seems to be coming true now.



Anymore? They've never shown up for this kind of stuff as long as I can remember.


Do you think Ubiquiti has hundreds of people on staff to watch their forums to triage every issue within seconds of it being posted? I'm curious what level of support would be satisfactory to you, in this instance.


Not OP, but you don't need 100s of staff monitoring the forum. You need a webhook that filters on "security" in the title and posts it in the relevant Slack channel. I do expect UI to have a 24/7 paid support/security team, and I'm sure someone could say "uh, this looks real, what's going on?"


Ah yes the typical engineer response of "just <insert system>".


Yes, damn those engineers for coming up with solutions to problems I personally believe are unsolvable based on nothing but personal feelings.

Ignoring the fact that flagging when certain keywords are posted is probably built into the forum software itself... I had that with phpbb back in 2001.


I just find it funny when engineers trivialize solutions that they themselves wouldn't employ. Like yeah, I'm sure your phpbb solution was a proper vulnerability reporting and triaging system.


You must not have had any dealings with the police in any US city if you think that they will come running in minutes if someone is stealing your car.

There is an escalation path for security tickets at most large companies, and a community forum post is not it.


You sure about that?

Chicago: 3.46 minutes

Los Angeles: 5.7 minutes

Seattle: 7 minutes

Dallas: 8 minutes

Miami: 8 minutes

New York City: 9.1 minutes

Atlanta: 9.5 minutes

Houston: 10 minutes

Detroit: 12 minutes

Denver: 13 minutes


Go on any of those city subreddits and read the stories of 911 not picking up or refusing to come out because "you can file a report online".


That's called anecdotal evidence. I've had police come slow and come fast. 911 also prioritizes calls, so it's possible you're being rate limited by them and not the actual police. The data from their apps tells a different story, maybe they're fudging it, I just don't think making blanket statements about timing based on someone else's story gives me an accurate picture.


The problem is calls that are never picked up, and calls that are "resolved" by telling the caller that a stolen car is no biggie, ruin these "stats".


Yep, the stats are bogus because the party that they are measuring are also creating the stats.

Even crime stats are bogus in NYC. I speak from experience, as cops literally tell you to fuck off if you want to file a police report. You can be stabbed, bleeding out, and walk into a police precinct, and they'll drag you outside so they don't have to write a report.


This is pretty simple: if you cannot be down for an hour, don't buy Ubiquiti.

Enterprise sucks a lot of the time, but this is what you are supposed to be paying for.


That's not a good comparison.

911 is paid by taxes for being 24/7 available. It is also a public service. Ubi is free (at least I don't pay for any of my Unifi consoles, besides the initial cost). It is also a private company, free (as in beer) to do as they like.


And nothing for 16 hrs. So probably there is something wrong. And it seems pretty critical. Status page doesn't show anything.


I don't know if it's expected of status pages to signal security incidents and bugs if you technically can still use your (and other people's) console.

(Putting on buck teeth and fidgeting with something) But but but akchyually, it's not an outage, you see.


If other people can access your console, then this feels like a case where it's negligent not to have an intentional outage, shutting down all remote access to all cloud consoles until this is fixed.


I don't know, imagine relying on remote access and one day when you absolutely need to log in and do your thing you suddenly cannot, because of the breach they turned it off for everyone.

And to get on site it's an 8-hour commute, or you have to cross a border or two, or you need a visa to get there. Or anything at all which necessitated remote access in the first place.


Why would users want them to advertise a vulnerability on the status page before the issue is fixed? I would want them to keep this as quiet as possible until the issue is resolved.


All users should be informed so they can decide whether or not to pull the plug on their devices...


To enable workarounds and/or stop the bleeding.

There are many places where no network is strongly preferable to a network that could be open to hackers.


I mean... It's not even "no network". Once the management connection is severed the network equipment doesn't stop operating at all.



Nothing's wrong with people angry about this. What's wrong with the company letting it happen in the first place?


Update the status, and discuss it more in the open. Obviously with any security issue there's reasons to keep some discussions private, but it feels like they're attempting to minimize it, the same way a restaurant doesn't want their customers to hear about the mice in the kitchen.

https://status.ui.com/#past-incidents still says "no incidents reported today"



If they're not going to update the status page, then it's a liability and should be taken down.


I think you are missing the point. The point is this should never ever happen in what's considered to be an SMB enterprise product. People's businesses and livelihoods are at stake. The fact that it did happen is bad enough; the rest is just the icing on the cake. You made the point about a 1-hour response, however 18 hours after that response there is still no update anywhere for lots of worried customers.

If Ubiquiti was my company and this post was posted on my forum, I would be having status messages/emails out to all my customers, updates on status pages, warnings on website logins, etc. Hiding this in a private DM with a single customer is terrible, and they even told the world that's what they were doing, which was a kick in the nuts.



