
Category: Networking

How to set up Ubiquiti UniFi WiFi access points with an iOS device (iPhone or iPad) in 5 minutes

If you have a very small deployment, you don’t need to set up a UniFi Controller at all. You can get by just using the iOS mobile app.

Ubiquiti has published the free UniFi.app on the App Store to manage UniFi access points. You can use it as the only means of deployment as well, but there are a few caveats. During deployment the initial connection poses the biggest challenge, since you can only work wirelessly with iOS devices. In other words: you need to connect to the WiFi in order to create it! A classic chicken-and-egg problem!

The default network name and password built into UniFi access points are meaningless strings of characters and numbers. On the back of each device is a QR code that needs to be scanned and decoded with the app to connect to the access point. Once you are connected the configuration is fairly straightforward. At least until you change the name of the network to something meaningful, because you are immediately disconnected… Then you just need to reconnect to the new network you just created.

In the video below these steps are shown for a two access point network. It was shot on an iPhone 5 (the smallest screen supported) just to show it is possible. With an iPad you have more screen real estate to work with.

Steps:

To begin with: both access points are connected to the Ethernet network and are glowing a steady white light.

  1. Scan the credentials for the default network
  2. Join the default network in iOS Settings > Wi-Fi
  3. Set up the administrative account and country in the general settings
  4. Configure both 2.4 GHz and 5 GHz networks on each access point: name of the network, WPA2 Personal Security and a security key (a.k.a. password)
    (Since the name and password for the network change when you configure the first access point, you need to join the new network again at that point.)

At this point the HomeNet WiFi network is active and both access points are glowing a steady blue light.

(The UniFi.app is in English, but the iPhone user interface is in Finnish. You should still be able to recognize the Wi-Fi settings anyhow. My bad – apologies)

I cannot recommend UniFi.app except for the smallest of deployments. Every access point needs to be configured separately. This is error prone and time consuming if the network is any larger. There are also very few options to configure. The access points are capable of much more. For example you cannot create multiple networks, just one per band. It is almost always better to install UniFi Controller on a workstation or a server.

Author: Petri Riihikallio. Posted on 10.03.2017 (22.03.2017). Categories: Ubiquiti. Tags: UniFi.

Weather radars in Finland

Don’t use the same WiFi channel as the closest weather radar!

European weather radars use frequencies between 5,60 and 5,65 GHz. In WiFi parlance it means channels 120, 124 and 128. If a WiFi device detects a radar signal it will either change channel or go silent for half an hour. Either way the connection will be dropped. Your safest bet is to avoid these channels. On the other hand, there are just ten weather radars in Finland and they are pretty far apart. Do you need to avoid a channel in use in Utajärvi if you are in Helsinki? No. Usually it suffices to avoid the frequency used by the nearest radar.

Don’t be surprised when the WiFi doesn’t appear immediately. New and recently upgraded access points will listen for ten minutes for radar signals on these channels. This doesn’t sound good, but on the other hand these channels have the least traffic for the very same reason.

Here is the current (3/2017) list of frequencies:

| Name | Established | Position (WGS84) | Height (AMSL) | Frequency (MHz) | WiFi Channel |
|---|---|---|---|---|---|
| Anjalankoski | 1994 | 60.9039N 27.1081E | 139 m | 5638 | 128 |
| Ikaalinen | 1994 | 61.7673N 23.0764E | 153 m | 5644 | 128 |
| Kesälahti | 2014 | 61.9070N 29.7977E | 174 m | 5610 | 124 |
| Korppoo | 1997 | 60.1285N 21.6434E | 61 m | 5620 | 124 |
| Kuopio | 1995 | 62.8626N 27.3815E | 268 m | 5615 | 124 |
| Luosto | 2000 | 67.1391N 26.8969E | 533 m | 5618 | 124 |
| Petäjävesi | 2015 | 62.3045N 25.4401E | 271 m | 5628 | 124 |
| Utajärvi | 1997 | 64.7749N 26.3189E | 118 m | 5608 | 120 |
| Vantaa | 1994 | 60.2706N 24.8690E | 82 m | 5649 | 128 |
| Vimpeli | 2005 | 63.1048N 23.8209E | 200 m | 5639 | 128 |
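The "avoid the nearest radar" rule can be checked mechanically. The following is an added example, not code from the original post: it uses the radar positions and frequencies listed above, picks the closest radar to a site and returns the channel to avoid. It goes one step beyond the text by also listing every 20 MHz channel in the bonded 40 or 80 MHz block that contains that channel; the site coordinates and all function names are assumptions made for illustration.

```python
import math

# Radar sites from the list above (3/2017): name, lat N, lon E, frequency MHz
RADARS = [
    ("Anjalankoski", 60.9039, 27.1081, 5638),
    ("Ikaalinen", 61.7673, 23.0764, 5644),
    ("Kesälahti", 61.9070, 29.7977, 5610),
    ("Korppoo", 60.1285, 21.6434, 5620),
    ("Kuopio", 62.8626, 27.3815, 5615),
    ("Luosto", 67.1391, 26.8969, 5618),
    ("Petäjävesi", 62.3045, 25.4401, 5628),
    ("Utajärvi", 64.7749, 26.3189, 5608),
    ("Vantaa", 60.2706, 24.8690, 5649),
    ("Vimpeli", 63.1048, 23.8209, 5639),
]

def wifi_channel(mhz):
    """20 MHz channel whose span [centre-10, centre+10) holds the frequency.
    Channel n is centred on 5000 + 5*n MHz; this reproduces the list's column."""
    for ch in range(100, 148, 4):
        centre = 5000 + 5 * ch
        if centre - 10 <= mhz < centre + 10:
            return ch
    raise ValueError(f"{mhz} MHz is outside channels 100-144")

def bonded_block(channel, width_mhz=20):
    """20 MHz channels in the 20/40/80 MHz block (channels 100-144) holding `channel`."""
    if width_mhz not in (20, 40, 80):
        raise ValueError("width must be 20, 40 or 80 MHz")
    n = width_mhz // 20
    idx = (channel - 100) // 4
    first = idx - idx % n
    return [100 + 4 * (first + i) for i in range(n)]

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), mean Earth radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def nearest_radar(lat, lon):
    """Return (name, distance_km, frequency_mhz) of the closest radar."""
    return min(((n, distance_km(lat, lon, la, lo), f) for n, la, lo, f in RADARS),
               key=lambda r: r[1])

def channels_to_avoid(lat, lon, width_mhz=20):
    """Return (radar name, distance in km, channels to keep clear) for a site."""
    name, km, mhz = nearest_radar(lat, lon)
    return name, round(km), bonded_block(wifi_channel(mhz), width_mhz)

if __name__ == "__main__":
    # Constructed sample sites (approximate city-centre coordinates)
    for site, lat, lon in [("Helsinki", 60.1699, 24.9384), ("Oulu", 65.0121, 25.4651)]:
        for width in (20, 80):
            print(site, f"{width} MHz:", channels_to_avoid(lat, lon, width))
```

With 80 MHz channels the whole block around the radar's channel has to stay clear, so a site near Utajärvi loses channels 116 to 128, not just 120.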

This is an example of radar interference. The narrow, straight patch of ”rain” between Helsinki and Tallinn is caused by a transmitter on channel 128. The transmitter is either in Tallinn or on the sea, because the beam is so narrow. A transmitter closer by would cause a wider sector of interference.

[Image: Weather radar]

Links:

  • Weather radars in Europe

Author: Petri Riihikallio. Posted on 12.01.2017 (08.11.2022). Categories: WiFi.

Alright, it’s 802.11 but what are the characters? (a, b, g, n, ac)

What are 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac?

Originally WiFi or 802.11 was designed for barcode scanners. In a warehouse cords were impractical, so going cordless was logical. Bandwidth requirements were very modest, so speed was not a primary design objective. This is the basis for all enterprise wireless networks of today providing videoconferencing and high speed database connections. The change has been gradual:

 

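| Standard | Max speed / radio | Frequency (GHz) | Year |
|---|---|---|---|
| 802.11 | 2 Mbps | 2,4 | 1997 |
| 802.11a | 54 Mbps | 5 | 1999 |
| 802.11b | 11 Mbps | 2,4 | 1999 |
| 802.11g | 54 Mbps | 2,4 | 2003 |
| 802.11n | 150 Mbps | 2,4 & 5 | 2009 |
| 802.11ac | 867 Mbps | 5 | 2013 |
| 802.11ax | ? | ? | (2019) |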

The first redesign was 802.11a. It offered increased speed, but used the new 5 GHz band. 5 GHz radios were expensive and A never really took off. It was B, which used the 2,4 GHz band, that really created the market. G brought the speeds of A to the less expensive 2,4 GHz band. N added even more speed and N was defined for both bands. 5 GHz radios were still more expensive, so cheaper devices and access points only had 2,4 GHz radios. The latest is AC, which is only defined for 5 GHz, but in practice all devices and access points are compatible with older standards (so they also support 2,4 GHz).

Isn't the maximum speed of 802.11n 600 Mbps? Yes, it is. N introduced MIMO (Multiple Input, Multiple Output) radios that could use multiple connections (four at max.) 4 x 150 Mbps is 600 Mbps. In AC there can be 8 radios that can connect to multiple clients at the same time (MU-MIMO or Multi-User MIMO). In practice mobile phones have a single radio, tablets may have two and laptops four. Each radio eats up batteries (and also adds to the manufacturing cost).

Why doesn't my device ever report these maximum speeds? In N it was possible to bond two 20 MHz channels to create a 40 MHz channel, which can transfer over twice the data. The maximum speeds are calculated using these wide channels. In AC the maximum is eight channels or 160 MHz channel width. The channel width is set at the access point, so if the access point is only using the default single channel then the speed will be limited to that. The 2,4 GHz band has so few channels that channel bonding is practical only in the 5 GHz band.

Author: Petri Riihikallio. Posted on 05.01.2017 (31.01.2017). Categories: WiFi. Tags: 802.11ac.

WLAN, Wi-Fi, WiFi or 802.11 – what’s the difference?

They all mean the same thing

In Europe the acronym WLAN is widely used. It stands for Wireless LAN or Wireless Local Area Network. WLAN is not a trademark, so it can be used freely. On the other hand, it is easily confused with VLAN or Virtual LAN. VLAN is a wired LAN technology that can be used to separate traffic in the wired network.

Wi-Fi is a trademark owned by Wi-Fi Alliance. Wi-Fi Alliance defines standards and tests for interoperability between Wi-Fi products. Certified products will connect with each other. In practice all products are certified by Wi-Fi Alliance, although it does not have any official status. The term Wi-Fi is in wide use in the Americas, although the dash has started to disappear: WiFi.

802.11 is a technical standard for wireless networks defined by IEEE or Institute of Electrical and Electronics Engineers. After the original 802.11 there have been addendums and extensions, that have a character as a name: a, b etc. After z the naming was continued with aa, ab, ac, ad etc.

Links

  • Wi-Fi Alliance
  • IEEE

Author: Petri Riihikallio. Posted on 04.01.2017 (05.01.2017). Categories: WiFi. Tags: VLAN.

How secure is your WiFi?

Do you have a shared password to the WiFi network? When was it last changed? Hasn’t anyone left the company since?

At first WiFi networks were unsecured. However, radio waves penetrate through walls, so eavesdropping is very simple even from a distance – encryption was required. The first method was Wired Equivalent Privacy or WEP. WEP was weak from the first day on, yet the breaking of WEP caught the industry with its pants down. A new method was needed fast – WPA or Wi-Fi Protected Access was created, also known as TKIP. WPA was improved upon and today WPA2 is the preferred choice. WPA2 is fast and presently a trusted method for securing WiFi traffic.

There are two flavors of WPA2: Personal and Enterprise. In Personal there is one shared password for the whole network. Anyone who knows the password can join the network and listen in on the traffic. WPA2 Personal is good for personal and home use, why not for a small office as well. In business use people come and go, though, and the password should be changed every time anyone leaves the company. Nobody should have access to the company network after leaving or being laid off. Still, WPA2 Personal is the most common way of securing WiFi networks.

WPA2 Enterprise requires that every user has a username and a password. This is the case in Windows Active Directory (AD). You can install the Network Policy Server (NPS) role on a Windows Server to provide RADIUS service to the access points (AP). The APs will verify each user’s name and password with the RADIUS server (e.g. NPS) before allowing the user to access the network. By removing or disabling a user account in the AD you can deny access to the WiFi network as well. There is no need for additional equipment or software. In practice all APs support WPA2 Enterprise and the NPS role can be installed on AD Domain Controllers (DC).

Read more:

  • WPA3 is the latest Wi-Fi Protected Access

Author: Petri Riihikallio. Posted on 03.01.2017 (05.11.2018). Categories: WiFi, Wireless. Tags: WPA2.

How can a single user cripple the WiFi network?

...and what is Airtime Fairness?

A wireless network is a shared medium, where only a single device can transmit at a time. Every device must wait for its turn and gets to transmit eventually. The problem is that the transmit speed depends on signal quality: distance and interference. Close to the access points the transmit speed can be hundreds of megabits per second, while at the edge of the network it is one megabit per second. Users typically have quite similar needs for data transfer, it is just that some users’ bits are transferred more quickly than others’. That is, when the device at the network’s edge gets its turn, it will use several hundred times more time – while everyone else waits. One device can use 90% of the time capacity of the network, even though the amount of data is the same. The problem has grown worse over time, because WiFi speeds have increased, but all legacy devices and speeds are still supported.

Equipment vendors have a simple solution to sell: Airtime Fairness or ATF, which is found in many systems. ATF means that the access point will transmit packets to slower devices less often. It used to be that all devices were treated equally, but in ATF the speed of the device affects who gets the turn. Older devices (using older standards) and devices further away from the access point will get even slower service, while the total throughput of the network does increase.

The access point cannot control how devices transmit. All devices compete for sending on an equal basis, but the access point will favour the faster clients when responding. Often the traffic is biased towards downloads and that’s when ATF can improve the throughput.

Airtime Fairness is a good solution for intermittent problems, but it is still better to design the network so that all users are covered. Adding access points where needed will guarantee all users a fast connection. Airtime Fairness can cover up design flaws up to a point, but it cannot fix them.
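The 90% figure and the effect of ATF can be reproduced with a small downlink model. This is an added example, not code from the original post: it assumes every client always has traffic queued, ignores protocol overhead, and uses a constructed client mix of one edge device at 1 Mbps and twenty nearby devices at 200 Mbps. The function names are chosen here for illustration.

```python
def per_frame_fair(rates_mbps):
    """Classic behaviour: each client receives the same amount of data per round.

    Sending one megabit to a client at r Mbps occupies the channel for 1/r
    seconds, so slow clients dominate the airtime.
    Returns (airtime_share, throughput_mbps) lists, one entry per client.
    """
    seconds_per_mbit = [1.0 / r for r in rates_mbps]
    round_time = sum(seconds_per_mbit)
    airtime = [s / round_time for s in seconds_per_mbit]
    throughput = [1.0 / round_time] * len(rates_mbps)  # identical for everyone
    return airtime, throughput


def airtime_fair(rates_mbps):
    """Airtime Fairness: each client receives the same share of channel time.

    A client at r Mbps with a 1/n share of the time gets r/n Mbps.
    Returns (airtime_share, throughput_mbps) lists, one entry per client.
    """
    n = len(rates_mbps)
    airtime = [1.0 / n] * n
    throughput = [r / n for r in rates_mbps]
    return airtime, throughput


def compare(rates_mbps):
    """Summarise both schedulers; the slowest client is reported separately."""
    slow = rates_mbps.index(min(rates_mbps))
    summary = {}
    for label, scheduler in (("per-frame", per_frame_fair), ("airtime", airtime_fair)):
        airtime, throughput = scheduler(rates_mbps)
        summary[label] = {
            "slow_client_airtime": airtime[slow],
            "slow_client_mbps": throughput[slow],
            "total_mbps": sum(throughput),
        }
    return summary


if __name__ == "__main__":
    # Constructed client mix: one edge device, twenty devices near the AP
    clients = [1.0] + [200.0] * 20
    for label, row in compare(clients).items():
        print(f"{label:10s} slow client airtime {row['slow_client_airtime']:.1%}, "
              f"slow client {row['slow_client_mbps']:.3f} Mbps, "
              f"network total {row['total_mbps']:.1f} Mbps")
```

In this model the edge device takes about 91% of the airtime without ATF and the network totals about 19 Mbps; with ATF the total rises to about 190 Mbps while the edge device drops to roughly 0.05 Mbps.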

 

Author: Petri Riihikallio. Posted on 02.01.2017 (25.04.2017). Categories: WiFi. Tags: Airtime Fairness.

WiFi – from a nice-to-have to a requirement

When was your WiFi network deployed? How many users did it have? How many users are there today?

Not so long ago wireless networks were advanced technology, a gimmick. It was deemed high tech to set up an access point for the sales guy, who had the only laptop in the company. Today everyone has a laptop and people are expected to wander around the office and work here and there, but always with equal efficiency. Back then it was sufficient to access email and occasionally browse web pages. Today video conferencing and learning videos have bandwidth requirements on a completely different scale. Designing the wireless network has become important. Parts of the design process are the same as in wired networks, but the radio path does bring its own challenges.

Design

Capacity planning is familiar from wired networks. How many users? What kind of applications? What kind of latencies can be tolerated? How much bandwidth? User mobility does bring some uncertainty to these calculations. One day they all sit with their laptops in the same room, where there is only a single access point – and no one is happy. Still, all the access points have to be connected to the network and these connections must provide enough bandwidth and preferably have redundant paths. In many offices a single hardware failure can stop all work.

The same security principles can be applied from wired to wireless networks. You can create a few wireless networks (different names a.k.a. SSIDs) and connect these to different VLANs on the wired side. This way you can separate sales, management and R&D to their own virtual networks. A technically slightly more challenging way is to use a single network, authenticate users and forward their data to the proper VLAN on a per user basis. WPA2 Enterprise provides for user based authentication and personalized settings using 802.1X.

The most difficult aspect of WiFi design is the radio path, because you can't see it. How many access points do we need and where? What kind of antennas? Do we have full coverage or are there holes? Is the capacity sufficient?

Hardware

In the early days access points were expensive, so usually only one was bought and placed in the middle of the office. This worked fine when there were just a few users with no specific requirements for bandwidth or latencies. Today user count is not the right metric, because every user has multiple devices: a laptop, a smartphone and often a tablet. Smartphone battery capacity is very limited, so is their transmit power. You need to have an access point near every phone, so you need to have multiple access points. Multiple access points will interfere with each other unless you turn down their transmit power, typically on par with the lowest powered smartphone (10-15mW). Do not leave all access points on full power, which is usually the factory default.

Managing multiple access points becomes a burden. Consumer grade access points are managed individually, typically through a web interface. Keeping just five access points in sync regarding settings and updates is a chore. Look for some kind of centralized management solution when choosing access points. With a centralized controller you can update settings and apply updates to all access points with a single action.

Author: Petri Riihikallio. Posted on 20.12.2016 (07.03.2017). Categories: WiFi. Tags: 802.1X, VLAN, WPA2.

Upgrading to 802.11ac

802.11ac will yield enormous speed and capacity, but what are the points you need to consider?

First of all, 802.11ac is defined only for the 5GHz band; the 2.4GHz band will continue to use 802.11n. Higher frequencies fade more quickly, so you will need more 5GHz access points, because they need to be closer to each other. The 5GHz band was already in use with 802.11n, so this has usually already been taken care of.

The new speeds in AC use wider channels (80MHz and 160MHz) and more precise modulation (256-QAM). High precision modulation requires very good reception, in practice it requires clear line-of-sight to the access point. You won't get AC-speed if the access point is on the other side of a wall. This is another reason you usually will want more access points when upgrading to AC. You also gain more capacity so the network can support the increasing number of users and their requirements. When you add more access points you need to turn down the transmit power so the access points won't interfere with each other, otherwise adding access points will degrade performance instead.

The third challenge is more technical. AC access points require more electric power. If they have their own power supplies this won't be a problem. If the power is fed through the Ethernet cable from the switch, the switch may need to be upgraded. Only the latest 802.3at (aka PoE+) can feed the power hungry AC access points. The older standard was 802.3af (aka PoE without a plus).

You may need to consider the data bandwidths as well. The 802.11n of today already exceeds the capacity of 100Mbps Ethernet. 802.11ac requires at least a gigabit Ethernet connection – the more powerful access points have two Ethernet ports, because at least in theory you may exceed the capacity of one. In any case dual cabling will add redundancy, but will require more switch ports. If you have connected multiple access points to the same switch, you may need to upgrade the uplink to the network core as well to avoid bottlenecks.

Author: Petri Riihikallio. Posted on 20.12.2016 (16.03.2017). Categories: WiFi. Tags: PoE.

Affordable enterprise WiFi

Centrally managed Enterprise WiFi doesn’t have to cost an arm and a leg

Wireless networks can be divided roughly into two categories: autonomous access points and managed enterprise networks. The latter used to carry a tenfold price tag and require skilled personnel to run. Today there are lighter weight alternatives for building an enterprise WiFi:

  • Ubiquiti is a U.S. based company specialized in wireless technology. Ubiquiti has kept their costs down, for example by marketing mainly by word of mouth. UniFi is their WiFi brand.
  • MikroTik is a Latvian company, which has delivered routers and other network equipment for the last 20 years. MikroTik access points are fully fledged routers with a wireless card – and yet they are one of the lowest cost APs on the market. RouterBoard is MikroTik’s hardware brand.
  • [Edit 8/2018: Discontinued] XClaim is the lighter weight brand of Ruckus, an established U.S. wireless company. Their product line is very compact, but the quality is Ruckus level. For example there are two 802.11ac access points: one for indoor use, the other for outdoor use.

These brands share a price range of a couple of hundred euros, no annual licenses, centralized management and subdued, businesslike design. Centralized management doesn’t require a dedicated controller but runs as an application (that may even fit in your smartphone). A thousand euros will buy equipment to create a good network for a mid-sized office.

Links:

  • Ubiquiti Unifi
  • MikroTik RouterBoard
  • XClaim

Author: Petri Riihikallio. Posted on 19.12.2016 (05.11.2018). Categories: Ubiquiti, WiFi. Tags: MikroTik, Ruckus, UniFi, XClaim.
