UniFi versus Araknis versus Ruckus

Our old apartment was small enough that the AT&T Fiber-supplied modem covered the entire space with awesome WiFi. The new house is just a little too big for a single base station to cover reliably and is currently suffering from Xfinity cable Internet with two Xpods (Comcast’s own mesh networking device, comparable to Eero; so we have three access points including the modem/base). The system does not seem reliable and oftentimes devices are not connected to the nearest pod, but rather are trying to talk to the base station.

The house was built in 2003 and has a fair number of CAT5 runs, many of them never terminated. My plan is the following:

  • return the rented Xfinity modem/WiFi router and replace with a Motorola MB8611 that can be mounted to a wall near where the cable comes in and the CAT5 wires gather (don’t want to put this in a cabinet because it can draw 15 watts)
  • install a compact 16-port Power-over-Ethernet switch in the A/V wall cabinet where the CAT5 wires come in (the cabinet is 14″ wide by 19″ high and 3.5″ deep; it has a cover that can be left off for cooling, but has no provision for airflow). The UniFi Switch Lite is an example of something that would fit (only 7×7″) and will drive half the ports with power.
  • give the Xpods away to a neighbor
  • install three WiFi access points inside the house and one outside, all driven by PoE; maybe something like the UniFi “mesh” access point?

The neighborhood is packed with busy physicians and dentists who apparently aren’t capable of watching TV or getting an iPhone online without significant assistance. (By contrast, none of our neighbors in the apartment building reported any trouble getting everything that they wanted from AT&T!) It is common to see A/V service providers’ trucks, therefore, and when I ask them what they install for network hardware the answer is always “Ruckus and Araknis,” never the brands that I’ve used before (Cisco, Netgear, Linksys). One installer said that the Ruckus gear is used by municipalities to provide public WiFi (not by the Palm Beach County Schools, apparently, since the other night the guest network was non-functional and also Verizon mobile data was unusable, as is typical in Jupiter) and that he likes it because his company logs in every morning to each client’s house to make sure that all of the equipment is operating properly and has the latest software updates applied.

Readers who are networking experts: What is the correct solution for a standard McMansion like ours? UniFi, Araknis, Ruckus, or “other”? We don’t want to pay an A/V firm to log in every day and, in fact, don’t need any capability of remote management (though maybe it would be nice if we have a house-sitter and the network fails?).

A Reddit thread on this subject:

Ruckus is professional wireless networking. Good stuff but you pay for it.

As for Araknis I have to ask how you even heard of it. Are you dealing with an A/V installer? If so they are trying to scam you. Araknis is mediocre quality gear sold only through “dealers” at crazy prices. They target people who want to throw money at problems instead of doing any research.

An advantage of UniFi for me is that a friend has a big setup and is an expert on configuration. At a minimum, I think that I want to pay an A/V company to do the CAT5 terminations and clean-up in the A/V cabinet. A degree in electrical engineering does not imply skill at CAT5 crimping compared to someone who does it all day every day.

From a security point of view, is remote management a feature or a bug? Xfinity can presumably log every web site that we visit, but why create additional opportunities for individuals or governments to see that, for example, household members are viewing misinformation on a Muskified Twitter?

31 thoughts on “UniFi versus Araknis versus Ruckus”

  1. Hi Phil. I have a big house in Connecticut and I DIYed (entirely) a UniFi setup. 5 PoE WAPs (no mesh; hardwired backbone), terminated everything myself. It took a few hours to get all the equipment working but that was three years ago and I have had 100% uptime since then.

    When I did the work Unifi was the best bang for the buck– truly the “prosumer”-level offering. You won’t scratch the surface of everything it has to offer but the monitoring dashboards are good and interesting (the once per year I bother logging in). Dunno what your aesthetic concerns are but I found both the in-wall offerings (UAP-IW-HD-US) and the outdoor WAP to be compelling. It looks *clean* and hides nicely.

    I get not wanting to do your own punchdowns– I really do– but in this economy a low-voltage guy is going to nick you $50 per termination. Of course you should use a patch panel. If my little brain could figure it out, your big brain can. Just a question of what your time is worth and you’d know that better than me.

    • Ted: Thanks for this. Why use a patch panel? There is limited space in the cabinet. There is nowhere that I will want to plug a CAT5 wire into other than the switch, is there? If so, why not eliminate potential points of failure (3 extra connectors and one extra little cable) by going directly from the wall to the switch?

    • Ted: Suppose that an intelligent 20-year-old had never terminated a CAT5 wire. How long do you think it would take him/her/zir/them to terminate 16 (i.e., assume that the first couple take a long time due to learning)? And then if he/she/ze/they went to a second house, how long to terminate the next 16 ($800 worth!)?

    • https://store.ui.com/products/unifi-in-wall-hd looks awesome! It says that it has 5 RJ45 ports. But the pictures don’t show any RJ45 ports except one confusing image that shows 4 (not 5; maybe the 5th port is the uplink?). Are the RJ45 ports on the bottom of the device? And the current RJ45 jacks/cables are only 12-18 inches off the floor. Does that lead to any coverage issues? I would think higher is better.

      Aside from the access points, what UniFi hardware do you have? You are using their router just after the ISP’s modem and that router is the brains for the access points?

    • I have a house with an in-wall AV panel in the “mud room”/laundry room. When I bought the house, only the TV cable was terminated, amplified and distributed to every room. The RJ-45 cables, although being available in every room on the second floor and in some on the first floor, for whatever reason were left unterminated in the AV panel (except the two used for the phone lines). Also, there was no punch-down panel inside the AV enclosure.

      I had to trace and label every RJ-45 cable, a rather tedious job. Although I could have placed a PoE switch in the AV enclosure, it would have been messy and inconvenient had I wanted to re-arrange connections later on (which I did on several occasions). So, I bought a punch-down panel, put it inside the AV enclosure, and connected every RJ-45 cable to it with a special tool, which was not too hard because there is a color code on the panel jacks matching the colors on the cable wires (I was doing it the first time ever, but internet images are a great help). Fortunately, I have a wall cabinet adjacent to the AV panel where I placed a PoE switch that is connected, with short cables, to the punch-down panel inside the original AV panel in a rather unobtrusive manner.

      A punch-down panel makes moving connections from one room to another much easier and the whole setup more aesthetically pleasing. If you don’t care about either, you do not need a panel.

      I also have an Xfinity cable modem/combo/switch/wifi AP combo which can be set to the “bridge only” mode and, in essence, act as a cable modem only. In this mode, you can connect your own firewall/router without need to buy your own cable modem thus avoiding potential compatibility issues. In my case, signal travels from the cable to a second floor room where it’s terminated on the Xfinity combo to which I connected a 5 year old cheap ASUS RT-AC68U router/firewall/WiFi combo from my previous house. From the RT-AC68U, the private IP signal travels back to the punch-down panel in the laundry room and, from there through the switch, is distributed wherever needed. I have another ASUS whose brand I forget used as a wifi AP placed in the garage that also provides WiFi connectivity in the yard.

      I did try UniFi two years ago, but, surprisingly, found it overpriced and less capable in the WiFi connectivity area than my old RT-AC68U. I was able to achieve both higher rate of transfer as well as a more reliable connection with just the main and the second auxiliary APs than with 4 UniFi APs. Your experience, of course, may be different because ensuring a reliable 2.4/5 GHz RF signal propagation in many cases is hard because it’s affected by multiple factors often beyond our control (e.g. humidity).

    • Re. “https://store.ui.com/products/unifi-in-wall-hd looks awesome! ”

      It’s an AP-only gadget powered from a PoE switch. It does have 4 additional ports, not sure how useful they are, a mini switch, perhaps?

      In addition to that, you need a “main” firewall/IP address translator, not necessarily with WiFi capability. My ASUS router receives a public IP from the Xfinity box, converts it to a private subnet (e.g. 10.0.0.0), provides firewall rules, has a WiFi interface and a 4 port mini-switch (from which the private IP signal goes down to the punch-down panel and, finally, to the main PoE switch).

    • UniFi is gear designed for small businesses, not consumer-grade. It combines network, video surveillance, and door access control into one system, which is nice. Their hardware is nice too, and I haven’t had any issues with that (I currently use it at three residential sites, with access control used only for gates). Their software sucks on the UI side of things (the first thing you do is disable “new UI”, LOL). The HD access points try to deconflict radio bands by reducing power, so you may need more of them, but you do get consistently good performance even if you have lots of clients. The firewall and intrusion detection seem to be good, and VLAN/VPN support is OK but somewhat limited. The door access controls suffer from limited software functionality due to focus on the small business market (why oh why cannot I simply tell it to hold a specific door open? Or say “please lock everything” without going into “emergency lockdown”? Or control a hangar door with separate opened and closed positions – only momentarily openable locks are supported). The software also suffers from fragmentation into apps – for example, there is no way to jump from an access event (such as unsuccessful code entry) into a video record by the security cam covering the entrance. And no public API for integration with other systems such as home controllers. The remote management is a big plus for me – but their mobile clients suffer from limited functionality.

      Still better than consumer “high end” systems which are simply scams.

    • averros: Why doesn’t the network address translation of the router foil all intrusions? (assuming that one hasn’t punched holes in this for remote access) Maybe this is an argument for keeping the Xfinity router because it becomes Xfinity’s job to monitor intrusions (right now they alert me any time a new device connects)? Disable WiFi on the Xfinity box, keep paying Comcast a monthly fee, and use UniFi only for wireless.

    • “Disable WiFi on the Xfinity box, keep paying Comcast a monthly fee, and use UniFi only for wireless.”

      That would be the simplest way to expand your wireless coverage. You’d only need a PoE switch to power/connect your APs. In my case, I needed inbound VPN which is not provided by the Xfinity cable modem/router/WiFi AP combo. If it had not been for that, I’d have gone this way.

      The fewer gadgets one has, the less time one wastes on feeding and care they require.

    • RE: terminating CAT5 wire. I had a regular crimper when I set up my UniFi stuff (gateway, switch, two access points, and a few other runs) and had about a ~75% success rate. My friend got one of the newer “pull through” style crimpers and says they are pretty much idiot proof. You have plenty of length of all the wires and they are pulled all the way through the connector and cut off automatically so you don’t end up with 1 of 8 wires curling a little when being pushed in and not making a good connection.

      As others have said UniFi is good “prosumer” stuff. Not perfect and definitely had a decline in quality over the last few years but still better than the alternatives. All my software developer friends have UniFi. The software setup is not hard, but it’s definitely there. For anyone who doesn’t like doing that type of project and fiddling with settings I just tell them to get a Google WiFi mesh system and be done with it.

    • Thanks, Steven. Yes, that’s the crimper that I remember. Except that my success rate, as with everything else that I attempt, was closer to 7.5%.

    • @philg: NAT is not a replacement for a firewall. Not at all.

      While NAT prevents random external parties from directly connecting to exposed services on the LAN, it still misses the vast majority of actual attacks, which rely on malicious inserts into legit HTTP / DNS / etc requests and e-mails. (In fact, NAT was a kinda ok-ish poor man’s firewall when attacks relied on exposed-by-default OS network services; this became a lot less of a problem when OS vendors got a clue about keeping network-visible stuff enabled by default. It only took two decades of shaming.) Arguably these days the most common mode of outsider attacks on end-user systems is a compromised or malicious website offering some attractive content. You visit it, you get hacked – usually installing some root kit which then phones home (which NAT happily allows, this being an outgoing session). So modern firewalls also watch and filter outgoing connections as well.

      Besides, most NATs are simple things which rely on connection state tracking when deciding which packets to allow inside. This, together with rather weak packet authentication in TCP (relying on 32-bit byte offset – sequence – numbers), still allows for insertion of packets into already established TCP sessions.
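As an added example (not part of averros’s comment and not any vendor’s code), here is a small Python model of the point above: a NAT router with connection-state tracking drops unsolicited inbound packets and admits only replies to sessions the LAN side opened, yet it forwards every outbound session, so a compromised host’s “phone home” sails through. The egress blocklist and per-device quarantine are the outbound checks the comment says modern firewalls add. The 10.0.0.0/24 subnet, all addresses (documentation ranges), and the class and function names are constructed for this example; address rewriting itself is omitted and only the allow/drop decision is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed private subnet, matching the 10.0.0.0 example elsewhere in the thread.
LAN = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    """One packet, identified by its 4-tuple (addresses are constructed samples)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy NAT router: connection-state tracking plus optional outbound filtering.

    Only the forward/drop decision is modelled; real NAT also rewrites addresses.
    """

    def __init__(self, egress_blocklist=(), quarantined_hosts=()):
        # Sessions the LAN side opened: (lan_ip, lan_port, remote_ip, remote_port)
        self.sessions = set()
        # Outbound checks that plain NAT does NOT perform.
        self.egress_blocklist = set(egress_blocklist)   # known-bad destinations
        self.quarantined_hosts = set(quarantined_hosts)  # LAN devices denied Internet

    def handle(self, pkt):
        if ip_address(pkt.src) in LAN:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt):
        # Plain NAT forwards every outbound session and remembers it. A firewall
        # applies egress policy first; a phone-home is "just another outbound session".
        if pkt.src in self.quarantined_hosts:
            return "DROP: host not allowed to reach the Internet"
        if pkt.dst in self.egress_blocklist:
            return "DROP: destination on egress blocklist"
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "FORWARD"

    def _inbound(self, pkt):
        # Inbound traffic is admitted only as the reply leg of a known session.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "FORWARD"
        return "DROP: no matching session"


def run_scenario():
    """Run the same constructed packets through plain NAT and NAT-plus-egress-filter."""
    nat_only = NatRouter()
    firewall = NatRouter(egress_blocklist={"203.0.113.7"}, quarantined_hosts={"10.0.0.50"})
    both = lambda pkt: (nat_only.handle(pkt), firewall.handle(pkt))
    results = {}

    # 1. Unsolicited inbound probe at an internal SSH port: both drop it (NAT's real benefit).
    results["unsolicited_inbound"] = both(Packet("198.51.100.9", 40000, "10.0.0.10", 22))

    # 2. Ordinary HTTPS browsing: outbound forwarded, and the reply is matched to the session.
    results["browse"] = both(Packet("10.0.0.10", 51000, "192.0.2.10", 443))
    results["browse_reply"] = both(Packet("192.0.2.10", 443, "10.0.0.10", 51000))

    # 3. The same host, now compromised, phones home to a known-bad address:
    #    plain NAT forwards it (it is an outgoing session); the egress blocklist stops it.
    results["phone_home"] = both(Packet("10.0.0.10", 51001, "203.0.113.7", 443))

    # 4. A LAN device the owner does not trust (e.g. an appliance kept off the Internet):
    #    plain NAT cannot express that policy; the quarantine rule can.
    results["quarantined_device"] = both(Packet("10.0.0.50", 51002, "192.0.2.53", 53))
    return results


if __name__ == "__main__":
    for name, (nat_verdict, fw_verdict) in run_scenario().items():
        print(f"{name:20s} NAT-only: {nat_verdict:28s} NAT+egress filter: {fw_verdict}")
```

The two routers share the same state-tracking code, so the only difference in the output is the outbound policy: every inbound decision is identical, and the divergence appears exactly on the phone-home and the quarantined device, which is the gap the comment is describing.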

    • averros: How do the ISPs’ firewalls do then? AT&T would periodically say (through its ATT Home app) “we’ve blocked access to an insecure site”. I assume that it was always something being loaded in the background by JavaScript because I never found that a site I affirmatively tried to visit was blocked. Xfinity says that it has blocked one .ru site “classified as Phishing/Other Frauds” in the past week from my desktop computer. What do people who run their own firewalls, e.g., from UniFi, do? Does UniFi have what used to be called a “blacklist” (when haters were not “called out” by the righteous) shared by all of its customers? Do you buy your UniFi firewall and then subscribe to a paid service that will give you a list of malware sites? (And I thought Microsoft already included this in Windows?)

  2. I second Ted on the UniFi. I put in my own system and am no expert. The house, built around ’75 had no cabling. I did that. I terminated all the Cat6. I plugged in the UniFi network gear and kinda walked away. It has been running at 100% uptime since then. I can access remotely should I want to. I have cameras I can monitor remotely. If I can do it, just about anybody can. And… $50 per termination? I might just go do that myself.

  3. I used UniFi for years but got tired of its increasingly finicky software + cloud bullshit at enterprise-grade prices. I switched to much cheaper MikroTik gear after moving to a new-to-us house, 5000+ square feet single story and a 3600 sq ft outbuilding. I retrofitted PoE everywhere, “wireless wire cubes” point-to-point linking buildings hundreds of feet apart at Gbps, and APs indoor+outdoor for maybe ~$1500 total. UI is ugly but functional, you need to know what a subnet is to use it, but it just works and costs what it actually should cost.

  4. I’m pretty happy with my Unifi setup. I have 7 different wireless access points all hard wired in with PoE. I believe you will want a Cloudkey device to help you manage it. I have the original Cloudkey which works ok. One time it has failed and I had to rebuild the system.

    Looks like their new thing is a Dream Machine Pro which includes a router, switch, and the management stuff all in one. But it is sold out on their store or sold for hundred over retail on Amazon.

  5. I think you buried the lead on this story about all of your activities searching for a home! I am sure that the search had a lot of highs and lows. My thoughts to the entire fam-damily for a wonderful experience in their new home! I feel like I should send a “crimper” as a house warming gift!

  6. Figure the Greenspun mansion would require multiple starlink dishes or laser links to traverse the distance. If PhD’s in EE ever have to know how to crimp a cable, there’s going to be a recession.

    • lion: It’s not a “mansion” if there is an identical one on either side!

  7. Everybody loves Ubiquiti, but their offering is so confusing, I couldn’t even figure out what I need to buy for my setup.

    Anyway, I have 5000sqft, backyard and driveway covered with a mesh of 3 Orbis just fine. Costco may have a nice bundle. For years I thought that one day I’ll run Cat 6, but nowadays mesh is so good there is no need really. I upgraded the router to pfSense since I wanted more monitoring, but really it’s not required.

    I was getting only 100mbs from the Xfinity modem and it took forever to debug – turns out I used the wrong cable between modem and router (100mbs instead of 1gbs, sigh). So pay attention to your cables.

  8. I have a UniFi setup (switches and wireless APs) but I am going to ditch it when WiFi 6E becomes more widely available. The company’s security is abysmal, and product availability is poor as well, even before the supply-chain crisis. The alternatives I am considering are TP-Link Omada (a shameless clone), Aruba Instant-On, Asus AiMesh, Cambium Networks.

    In the meantime as a mitigation I replaced my untrustworthy Ubiquiti router (“Security Gateway”) with an OpenBSD one I control, and blocked all Ubiquiti devices from accessing the Internet.

    • Thanks, Fazal. ASUS is a great brand, but it doesn’t look as though any of their devices can be placed outdoors. Nor do they run from PoE. The TP-Link offering looks interesting. Their outdoor WiFi 6 access point is “coming soon”. Their 8-port switch is physically larger than UniFi’s 16-port.

      What is insecure about UniFi? What if you turn off all of their remote management features so that the only way to manage the devices is from within the network?

  9. Networks are a secondary thing in our installs but we do a lot of them. We use Mikrotik exclusively. Cheap but allow for complex “pro” network stuff if you dig into the config software while also having a “dummy” mode for the quick and easy situations.

  10. One argument for paying someone for doing the termination, even if the price seems high and there is a humiliation factor for those of us with EE credentials: It is a task that is easy to spin off, thus leaving time to tackle the tasks that aren’t easy to spin off.

    It is interesting that the A/V installers love Ruckus and nobody here has ever felt the need to install any Ruckus gear.

    • The “installers love brand X” usually means “brand X gives kickbacks to installers” or provides job security to them by refusing to sell parts to general public.

  11. I built a new house last year. The AV guys wanted to use Ruckus; I went with Unifi.

    I’m pretty happy with a bridged modem into a Dream Machine Pro router. I used a switch pro 24 for POE and run 4 VLANS from the switch, 6 cameras including doorbell, VPN set up on the router so I can access the network remotely. I also use their cloud access but you could turn that off. I turn off the TVs and kid stuff by disabling those particular VLANS.

    The newer Dream Machine Pro SE has POE ports so you might not need an extra switch depending on how many POE ports you need.

    There was a security breach last year that scared everyone about the cloud access but it turned out to be one of their employees, not hacked from the outside.

    The biggest problem with UniFi/Ubiquiti is they have trouble keeping stock in their online store.

    *I’m not an IT guy, just wanted a good home network

  12. I have the Plume mesh system – https://www.plume.com/homepass/

    It looks attractive and was affordable enough long ago—2017, yeesh—that it served our 3300 sq. ft., U-shaped, single-story, and 70s-era block house. (Our master is on the other side of the U from the cable modem, which is *terrible* but we’re far enough from the street’s cable point that I can’t relocate it without speed degradation.) If I had any wires in the walls, it would plug into those to use as a backchannel freeing up one of the two radios for traffic.

    Now they’ve got faster Wifi chips and an annual subscription but I’ve been happy with the service for these, for what it’s worth.

    • Geesh, I hadn’t realized that the Plume pods _are_ Xfinity xFi pods. I knew that they did a deal with Comcast a while ago but I hadn’t realized that Comcast rebranded to Xfinity.
