>Buys new AP to cover a deadspot when going from attic to bedroom.
>Moves old AP from attic to bedroom.
>Installs new AP.
>Phone: *proceeds to ignore the existence of the 5GHz channels*
>*sigh*

(this is just my phone being stupid btw, it is known to be stupid)

So the new AP has wireless reception so good... My phone doesn't want to roam.  

Yes, @mikrotik's new hAP AX S's signal is so good, my phone just doesn't bother to roam.
Even standing in the kitchen (2 floors down, each floor being a slab of concrete) I still get ~60%.

If you want to buy a single AP to cover most of the house... I think I can give this bugger quite a good recommendation.

@finlaydag33k @mikrotik

"each floor being a slab of concrete" - is that reinforced concrete? And are the walls concrete, reinforced concrete or just wood/drywall?

@thor Solid slab of concrete on top of wood supports.
Walls are made of bricks.

@mikrotik

@finlaydag33k @mikrotik ok cool - concrete without reinforcement isn't that much of a challenge. It's when you start reinforcing it (using rebars) that you get a Faraday-cage effect. Like in my house, all walls and floors are reinforced and I need 4 APs for a 230 m² single-story house...

@thor I don't know if there's rebars inside.
All I can see is solid concrete, but even concrete isn't great for wifi.

@mikrotik

@finlaydag33k @mikrotik Didn't start looking yet, but one wish for this year is a separate access point for IoT applications and then a separate network for cameras too.
So, will have a look at this one.

For the home network there are two older routers in IP-sharing mode as repeaters, also for a few old POTS phones on the VoIP.

@AngelaScholder Why not use VLANs instead?

@mikrotik

@finlaydag33k It would be a VLAN indeed, but I will need a WLAN access point as at least a lot of it is wireless.
And as it is from the front of the home to the garage behind it, it will probably have to be two access points.

Where possible it's all wired.

@mikrotik

@AngelaScholder If you go with MikroTik, you can use 1 AP to provide multiple SSIDs, which you can use for specific VLANs.

Over here, an AP has 4 networks:
- The main network (which puts the device in a VLAN based on the user that's logged in via RADIUS - My devices get put in VLAN1001, my parents get put in VLAN1002).
- IoT network (VLAN1005).
- Guest network (VLAN1004).
- Open network with OWE (VLAN1006 - Which I turn on if we expect a lot of guests).

So luckily no need to use 2 APs for 2 "different types of devices" (just to "extend the range").

@mikrotik

@finlaydag33k @AngelaScholder @mikrotik Exactly - and it's not hard to implement.

I have (due to reinforced walls) 4 APs in my house, 5 VLANs. 1 VLAN is the management VLAN (wired only), 3 VLANs for the inhabitants (me, wife and offspring) - 1 each. 1 VLAN for guests, off until needed. Having the MikroTik app on the phone makes it a non-issue to enable the guest "AP" when needed.

Mikrotik FTW any day and every day 🧨

@finlaydag33k @AngelaScholder @mikrotik I forgot to count the IoT which is for the APS wired only for things like TV and such - a separate AP (hAP) in the garage ONLY for IoT (enviro and stuff) and then of course I have server VLANs (2), dev VLAN, workshop VLAN, ...

@thor I don't even use the app on the phone to enable my open network.
In the `/system/routerboard/reset-button` you can add a script that happens when you hold the button.
So if I press the reset button on my RB5009 for a few seconds, it'll turn on the open network until 00:00 (and if nobody is connected after that, it'll disable it again - rechecks every 5 minutes).

@AngelaScholder @mikrotik
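The button-driven open SSID described in the post above, written out as an added RouterOS v7 example (this is not the poster's own script). It assumes the "wifi" package, that the open/OWE SSID is a wifi interface named `wifi-open` on the router running the script, that the scripts run with read/write/policy rights, and a hold-time window of 1-3 s (the window values and interface name are placeholders). The watchdog runs every 5 minutes and only switches the SSID off once the calendar date has changed since the button press (i.e. after 00:00) and the registration table shows no client on it.

```routeros
# Added example, not the poster's configuration.
# Assumptions: RouterOS v7 with the "wifi" package, open SSID = interface
# "wifi-open" on this router, scripts have read/write/policy permissions.

# ---- body of /system script "open-ssid-on" (run by the reset button) ----
:global openSsidDate [/system clock get date]
/interface wifi enable [find name="wifi-open"]
:log info "open SSID enabled by button; will be reviewed after midnight"

# ---- body of /system script "open-ssid-watchdog" (run every 5 minutes) ----
:global openSsidDate
:local today [/system clock get date]
# only act when the SSID is actually on
:if ([/interface wifi get [find name="wifi-open"] disabled] = false) do={
    # the date has rolled over since the button press, so it is past 00:00
    :if ($today != $openSsidDate) do={
        :local clients [/interface wifi registration-table print count-only where interface="wifi-open"]
        :if ($clients = 0) do={
            /interface wifi disable [find name="wifi-open"]
            :log info "open SSID disabled: past midnight and no clients left"
        } else={
            :log info "open SSID kept: $clients client(s) connected, rechecking in 5m"
        }
    }
}

# ---- wiring: button and scheduler (hold-time window is a placeholder) ----
/system routerboard reset-button
set enabled=yes hold-time=1s..3s on-event="/system script run open-ssid-on"
/system scheduler
add name=open-ssid-watchdog start-time=startup interval=5m on-event="/system script run open-ssid-watchdog"
```

Pressing the button at 23:58 gives the SSID only until the first watchdog run after midnight with no clients, which matches the "until 00:00" behaviour; if that is not what you want, store a time rather than a date in the global and compare against that.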

@finlaydag33k @AngelaScholder @mikrotik That's one way - however my RB5009 is locked away in a rackmount cabinet in the garage - and I would not let anyone mess with it ;)

Also - I use WireGuard to connect to my home lan from my phone and can manage my network with the app - from anywhere in the world. And that's cool - because of the three family members there, only 1/3 understands what networking is :p

@thor Ye fair. :p
My RB5009 sits in a rack on my attic (behind me).
So it's literally faster for me to just get up, walk 2 meters, press the button and sit down again than to open up WinBox to enable it (or with my phone).
If I'm downstairs, I can still do it with my phone tho but I prefer buttons since my phone oddly enough isn't something I carry with me in my pocket all day. :')
So instead of having to remember where I left my phone, I can just press a button.

@AngelaScholder @mikrotik

@finlaydag33k @AngelaScholder @mikrotik I get your POV :)

My phone is my eID, my driver's license, my bank accounts, my debit and credit cards - and all my social. So my phone literally stays with me 24/7 :p (Iceland is "largely" a cash-free, plastic-free country if you want it to be)

@thor Yea, Iceland is a lot different from NL.
My phone is mostly just calling, banking, whatsapp/discord, email, Wikipedia (gotta have something to read on the porcelain throne amirite?) and Azur Lane (a game).

Driver's license I have as a plastic doohickey, bank card as well.
So I can leave the house with just my keys and wallet and be 100% fine for "short periods of time" (eg. doing groceries).
When I go for longer periods (eg. to gf), I generally check whether I have my phone (just so parents can reach me if need be).

Inside the house, I rarely carry my phone except when I have to go to the porcelain throne. :')

@AngelaScholder @mikrotik

@finlaydag33k @thor @mikrotik I have a few banking apps, but will never use Google Wallet or whatever, but only the physical cards.
I use my mobile a lot for reading things, so mostly keep it with me.

@AngelaScholder I have used Google wallet in the past but my phone currently runs with a custom ROM, so Google Wallet doesn't run on it.
Also the damn McDonalds app doesn't run properly on it. >:(

@thor @mikrotik

@thor @finlaydag33k @AngelaScholder @mikrotik Why even go through the effort of turning it on and off?

@ClickyMcTicker @thor @finlaydag33k @AngelaScholder @mikrotik security basic. Open by exception. Reduces the attack interfaces.

@thor @EF @ClickyMcTicker @finlaydag33k @mikrotik The guest network here is with a proper PW and just left active 24/7.
But the clients there can only connect to the Internet, and no more. And it's limited.

@AngelaScholder "random guests" can use the open network here (with OWE if their device supports it) and end up in VLAN1006.
Guests that come here more often (like my gf and a friend of my dad) have login credentials for the RADIUS and end up in VLAN1005.

VLAN1006 can only use the internet (+ the local DNS server), has the lowest priority for bandwidth and even then still a cap (10 Mbps "generally" but can burst up to max for 10 seconds).
VLAN1005 can also use casting (eg. to my TV or the speakers), use the printer, use the "shared NAS" (not my main NAS) + has a 50 Mbps cap (a higher priority than VLAN1006 and the IoT VLAN, and can burst up to max for 30 seconds).

That's the fun of VLANs, you can just change the capabilities of who can access what.

@thor @EF @ClickyMcTicker @mikrotik
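The SSID-per-VLAN layout from the earlier post (multiple SSIDs on one radio, each dropping clients into its own VLAN) together with the per-VLAN restrictions and bandwidth caps from the post above, as one added RouterOS v7 example. This is my illustration, not the poster's exported config. Assumptions: the "wifi" package, a VLAN-filtering bridge `bridge1` with the physical radio `wifi1` on it, VLAN interfaces `vlan1005`/`vlan1006` already created on the bridge with the subnets below, WAN interfaces in the interface list `WAN`; SSID names, passphrases, addresses, VLAN 1007 for the PSK IoT SSID (the thread's IoT VLAN id is ambiguous) and the parent-queue ceiling are all placeholders. Burst parameters are chosen so the burst from idle lasts about the stated time (burst duration ≈ burst-time × burst-threshold / burst-limit).

```routeros
# Added example, not the poster's configuration. All names/addresses are placeholders.

# One datapath per VLAN: frames from clients of that SSID leave the AP tagged.
/interface wifi datapath
add name=dp-iot  bridge=bridge1 vlan-id=1007 client-isolation=yes
add name=dp-open bridge=bridge1 vlan-id=1006 client-isolation=yes

# IoT gets a plain PSK (many devices cannot do EAP); the open SSID uses OWE,
# i.e. encrypted per client without a shared key.
/interface wifi security
add name=sec-iot  authentication-types=wpa2-psk,wpa3-psk passphrase="change-me-iot"
add name=sec-open authentication-types=owe

/interface wifi configuration
add name=cfg-iot  ssid="home-iot"  datapath=dp-iot  security=sec-iot
add name=cfg-open ssid="home-open" datapath=dp-open security=sec-open

# Virtual APs on the same radio; the open one stays off until it is needed.
/interface wifi
add name=wifi-iot  master-interface=wifi1 configuration=cfg-iot  disabled=no
add name=wifi-open master-interface=wifi1 configuration=cfg-open disabled=yes

# Services the known-guest VLAN may reach (printer, shared NAS, cast targets).
/ip firewall address-list
add list=guest-services address=10.0.1.20 comment="printer"
add list=guest-services address=10.0.1.30 comment="shared NAS"
add list=guest-services address=10.0.1.40 comment="TV / speakers"

# Default-deny between VLANs; open by exception.
/ip firewall filter
add chain=forward in-interface=vlan1006 out-interface-list=WAN action=accept comment="open: internet"
add chain=forward in-interface=vlan1006 dst-address=10.0.1.53 protocol=udp dst-port=53 action=accept comment="open: local DNS"
add chain=forward in-interface=vlan1006 dst-address=10.0.1.53 protocol=tcp dst-port=53 action=accept comment="open: local DNS (tcp)"
add chain=forward in-interface=vlan1006 action=drop comment="open: nothing else"
add chain=forward in-interface=vlan1005 out-interface-list=WAN action=accept comment="guests: internet"
add chain=forward in-interface=vlan1005 dst-address-list=guest-services action=accept comment="guests: shared services"
add chain=forward in-interface=vlan1005 action=drop comment="guests: nothing else"

# Caps with priority: 8 is the lowest priority; priorities only compete under
# the same parent queue, hence the shared parent.
/queue simple
add name=shared-uplink target=10.5.0.0/24,10.6.0.0/24 max-limit=200M/200M
add name=open-vlan1006 parent=shared-uplink target=10.6.0.0/24 priority=8/8 \
    max-limit=10M/10M burst-limit=100M/100M burst-threshold=8M/8M burst-time=125s/125s
add name=guests-vlan1005 parent=shared-uplink target=10.5.0.0/24 priority=6/6 \
    max-limit=50M/50M burst-limit=100M/100M burst-threshold=40M/40M burst-time=75s/75s
```

With the numbers above a fresh open-network client bursts at 100M for roughly 125 × 8 / 100 ≈ 10 s before falling back to 10M, and a known guest bursts for roughly 75 × 40 / 100 = 30 s before 50M applies. Check the VLAN mapping on the AP with `/interface wifi registration-table print` and the firewall with the rule counters under `/ip firewall filter print stats`.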

@finlaydag33k @thor @EF @ClickyMcTicker @mikrotik Not one WLAN Network here is open, all is locked.

@AngelaScholder Yea, I don't generally recommend having it open.
For me it's open cus it makes it easier when guests are around (especially some that may have children that wanna play on their Switch or something).
And the button gives me "enough security" for my preferences (I can still see what devices pop on to monitor stuff).

@thor @EF @ClickyMcTicker @mikrotik

@finlaydag33k @thor @EF @ClickyMcTicker @mikrotik No way! Open can enable perverts to download child porn or whatever criminal use.
Yes, that is also possible with people I give access to the guest network, but it is not a big risk. Also, with the logs, who or better which system was connected at the time is known and thus there is a reasonable traceability.

@AngelaScholder That's why I have the button.
Without me pressing the button, the network isn't there.
So someone would have to be within range at the right moment to do that.
And indeed, there's still the logs of which device connected when... Tho I don't rely on that really (since MAC addresses and device names are easy to spoof).

@thor @EF @ClickyMcTicker @mikrotik

@AngelaScholder @finlaydag33k @thor @ClickyMcTicker @mikrotik it has been explained why. If you choose not to agree, that's your choice but there is a reason everything should be closed by default and opened by exception.

@EF @AngelaScholder @finlaydag33k @ClickyMcTicker @mikrotik also - open does not necessarily imply no password. It simply means open for guests to use.

As for network abuse - if you have an active WiFi, I can without too much trouble hack it and google for plans for nuclear devices and voila - MIB are suddenly paying a visit... logs do you no good - I can even pretend to be you by cloning your mobile's MAC address.

Security is only what locks you choose - not whether you will be taken or not.

@thor @EF For me an open network is a network without encryption. A Public network is a network with either a publicly known WPA key or even one where you can only use it after going through the hoops of a portal

@finlaydag33k @ClickyMcTicker @mikrotik

@AngelaScholder But what about an open network with OWE tho?
It has encryption but doesn't need a publicly known key?

@thor @EF @ClickyMcTicker @mikrotik

@finlaydag33k @thor @EF @ClickyMcTicker @mikrotik Never really looked into that, but in my feeling it's a network where anyone (criminal) can use it, but they use a trick so the neighbours see something go by, but can not distinguish what it is.

@AngelaScholder To be fair, if CP and alike were such a big deal... Many places like restaurants and hotels would already have gotten rid of their public networks.

@thor @EF @ClickyMcTicker @mikrotik

@AngelaScholder @EF @finlaydag33k @ClickyMcTicker @mikrotik

Good for you. Now, this discussion is about semantics and splitting hairs. Of course I have an opinion (everybody has one) - but I don't find it productive to compete who has the best/funniest/craziest/most obscene opinion, so I think abstaining from further semantical guidance of the discussion is of value. Back to installing Linux instead of Windows for my family. Saving money, sanity and self worth.

@thor @EF @finlaydag33k @ClickyMcTicker @mikrotik Good luck, that's a useful spending of your time.

@thor @EF If you're at it, send me those nuclear device schematics pls. /s

@AngelaScholder @ClickyMcTicker @mikrotik

@AngelaScholder @finlaydag33k @thor @ClickyMcTicker @mikrotik it is not about it being locked or not. Any open port or service is an attack vector whether it has a password, login or nothing. WPA has been hacked, SSL has been hacked. It is easier to find vulnerabilities once in a network even if it is segmented and you are segregated. All about the weakest link.

@finlaydag33k
@AngelaScholder @mikrotik
btw. OpenWrt can do that too.

So can UniFi, and I imagine other vendors' enterprise APs too.

Ofc the choice depends on your budget, software preferences, etc.

@wolf480pl @finlaydag33k @mikrotik UniFi has one issue nowadays, it's an American company.
So, for me taken off the list as possible brand as we have MikroTik and other European options available.

@AngelaScholder It's also kind of known that they release a product with a bunch of problems, then don't fix it but instead release other products.
MikroTik does fix their software bugs _eventually_ (sometimes takes a while, sometimes gets fixed a few weeks later), UniFi things I consider "EOL-On-Arrival" really.

So even if you take American-company out of the equation, it's not great.

@wolf480pl @mikrotik

@finlaydag33k @wolf480pl @mikrotik Wow, didn't know they were this bad.
An other good reason to put them on the banned list, even more than them being American.

I think we only once used some microlink from them I think, long ago. After that some from MikroTik.

@finlaydag33k @AngelaScholder @mikrotik Can confirm: this is very similar to my setup with various VLANs mapped to specific SSIDs present on both 2.4 and 5Ghz for separation of IOT, LAN etc

@erik Only real reason I have the IOT VLAN done as an SSID (instead of through RADIUS), is because many IOT and other consumer devices (like say, my Nintendo Switch and Printer) don't support WPA(2/3)-EAP. :')

@AngelaScholder @mikrotik

@finlaydag33k @AngelaScholder @mikrotik Agreed - my IOT network is also filtered so that compromised devices on that network can’t reach out to the regular LAN. In the process of slowly identifying and filtering external comms from this network on the firewall so that compromised devices can’t reach out to C2

@erik Yea, it's also filtered here.
Some IoT devices can reach out in certain cases but it's highly restricted and "disallowed by default".
I don't trust IoT devices because they are meant to be cheap, not secure.

@AngelaScholder @mikrotik

@finlaydag33k @erik @mikrotik I indeed also want it just SSID and key as the smart switches I have are only easy to connect that way. Same as a Synology CC400W camera.
As far as that camera, don't buy one unless you absolutely need the wireless and the backup option in it.
I bought it for a convention as it was too difficult otherwise, but I've definitely run into issues that need further discussions with Synology.

@finlaydag33k Do you happen to have a tutorial on this topic? I've been wanting to isolate different networks, but I've been unsuccessful

@captainepoch For WiFi via RADIUS (eg. separating my parents from my own devices), I am writing this guide[1].
But for "simple SSIDs" that map to a specific VLAN, I do not (yet) have one.
It also doesn't go into the details on how to setup VLANs themselves tho (just setting up a RADIUS server on an MT device, adding users and putting them in a specific VLAN).

If you want a guide for setting up VLANs as-is, I do not have that yet either.
Might write one in the future if I have the time.
Tho you can always hmu on Matrix if you need help.

1: https://github.com/FinlayDaG33k/MikroTik-Setups/tree/8f8541e55ba9884c79c31eba46e8dfbb809da3af/User%20Manager%2C%20WiFi%20and%20VLANs

@finlaydag33k Oh, thank you!

My goal is to isolate the wifi networks and the guest network, my RPi at home and more or less that's that.

I'll take a look at the link you shared. If something, I'll hit you on Matrix.

Thanks again!

@finlaydag33k @mikrotik @AngelaScholder Instead of having one SSID for each VLAN, one can also have a single SSID and assign different clients to dynamic VLANs. Due to the amount of airtime taken by each SSID beacon eating into available client airtime, the number of SSIDs/VLANs is typically limited to no more than 4 per radio. With one SSID (one beacon) you can have hundreds of dynamic VLANs. Needs RADIUS which RouterOS v7 User Manager provides.

@MikrotikTrainer "which puts the device in a VLAN based on the user that's logged in via RADIUS"

So ye... I am very much aware of this.
But most IOT devices don't support WPA(2/3)-EAP and for guests it's a pain to give them the credentials other than a small static password.
Hence why I have some extra SSIDs.

@mikrotik @AngelaScholder

@finlaydag33k With fewer than 3 APs all with the same SSID, iOS won't roam unless the signal has seriously deteriorated. It's a sort of "home roaming mode" / "sticky client mode". At 3 APs or more iOS roams earlier at a higher signal level. A sort of "enterprise roaming mode". Dunno about Android. How they roam is not so openly published. Also, roaming or not will be based on active traffic levels. It's not just signal level alone. (Plug: I teach this and more in my @mikrotik MTCEWE classes 😀)

@MikrotikTrainer While it's still up to the client, APs can do quite a bit to help in roaming.

- 802.11r allows the client to do a "shorter authentication" (by piggybacking off the previous authentication).
- 802.11k tells the client which APs (or rather, BSSIDs) belong to the same network and can cause the AP to decide to roam.
- 802.11v tells the client that it should consider roaming.

Currently, the hAP AX S lacks support for 802.11k/v.
This causes my phone (and apparently my workphone as well) to just go off by signal strength as it thinks they aren't actually part of the same network.
The hAP AX3's I have do support these (and devices roam between these 2 just fine).

It has nothing to do with AP counts, even 1 AP with 2 different bands (2.4GHz and 5GHz) can implement this just fine.

@mikrotik
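How the three roaming helpers from the post above are switched on in RouterOS v7, as an added example (not the poster's config, and the property names reflect the "wifi" package from 7.13 onward; check `/interface wifi security print` and `/interface wifi steering print` on your version). 802.11r lives in the security profile (`ft`), 802.11k and 802.11v in a steering profile (`rrm`, `wnm`); APs that share a `neighbor-group` name announce each other in neighbor reports. The SSID, passphrase and profile names are placeholders, and the same profiles can be applied to both the 2.4 GHz and 5 GHz interfaces of a single AP, which is the one-AP/two-bands case the post mentions.

```routeros
# Added example, not the poster's configuration. Names and passphrase are placeholders.

# 802.11r (fast BSS transition): reuse the earlier authentication when moving
# between BSSIDs that share this security profile.
/interface wifi security
add name=sec-home authentication-types=wpa2-psk,wpa3-psk passphrase="change-me-home" \
    ft=yes ft-over-ds=yes

# 802.11k (rrm: neighbor reports listing the other BSSIDs of this network) and
# 802.11v (wnm: BSS transition suggestions to the client).
/interface wifi steering
add name=steer-home neighbor-group=home-neighbors rrm=yes wnm=yes

/interface wifi configuration
add name=cfg-home ssid="home" security=sec-home steering=steer-home

# Apply the same profile to both radios of this AP (and to the other APs of the
# network) so every BSSID advertises the same mobility domain and neighbor group.
/interface wifi
set [find name="wifi1"] configuration=cfg-home disabled=no
set [find name="wifi2"] configuration=cfg-home disabled=no
```

Whether a client actually moves is still its own decision; what this buys you is that a client which does look at neighbor reports or BSS-transition requests knows the other BSSIDs belong to the same network, and that the re-association after the move is the short 802.11r one.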