OpenWrt on Ubiquiti Unifi

Hi there,

I just bought an Ubiquiti Unifi UAP‑AC‑HD. Its firmware is very powerful but I am concerned with some security aspects. I am tempted to flash OpenWRT on it, but I am not sure it performs at least as well as the original firmware does.

So my question is, will I lose some functionality or performance if flashing OpenWRT on it?

Thanks!

define performance

Hi @frollic,

Performance would mean, for me, technical aspects such as:

  • Wi-Fi range
  • MU-MIMO
  • support for other hardware features

On the other hand, I don't care about the configuration GUI, Android or iOS apps, automatic mesh configuration...

What makes you believe that BCM4706+BCM4360+BCM4331 would be supported in the first place?

The fact that the UAP-AC-HD is officially supported since 21.02 makes me think it will work. Am I wrong?

@slh It's supported as it runs IPQ8064


Apparently the helpful redirection from "Ubiquiti Unifi UAP‑AC‑HD" to https://wikidevi.wi-cat.ru/Ubiquiti_Networks_UniFi_AP_AC_(UAP-AC) set me up…


What security aspects are you concerned about?

In my experience, the Unifi stock firmware is pretty good in terms of security when it is used with the Unifi Network Controller. In that mode, the device is really just a bridge -- wired/wifi. It is VLAN aware and you can place the management features on a separate management VLAN, if you have one configured on your network. And it supports guest networks with network access that can be defined pre- and post- authorization.

There are many reasons to put OpenWrt on these devices, too. In particular, if you want to use the device as a router or if you want to do things that are not supported in the Unifi environment.

Personally, I use the Unifi stock firmware and the Unifi Network controller for the management of my APs. I have OpenWrt on other devices for different purposes, including VPN.


Hi @psherman,

I am mainly concerned about closed-sourceness.

I plan to use the device as an access point, being client of a wifi network. This is not a common usage, thus I'm not sure it's supported on the original firmware.

The very first UAP-AC was Broadcom based, and much sooner than they typically EOL other models, Ubiquiti stopped supporting it.

The UAP-AC-HD offered features that were very high performance for its time, such as 4x4 wifi and the ability to bond the two Ethernet ports for higher than 1Gb wired to wireless throughput. With an MSRP of $349 there will not be many found in the field.


Hi @mk24,

Thanks for the explanation. Do you know whether these two features will work flawlessly in OpenWRT?

It is worth mentioning that:

  • closed source != insecure
  • open source != secure

From a security standpoint, the benefit that open source software has over closed source is that it can be used freely (thus more potential users of a platform) and that the source code can be reviewed by everyone. Between these two aspects, there are more opportunities to find and patch security issues, and it is often done with a reasonable level of transparency. This doesn't inherently mean that all open source software has indeed been tested, reviewed, and hardened, though, and it also doesn't mean that all security related bugs/vulnerabilities are known to the developers to be resolved.

That said, OpenWrt is considered to be reasonably well tested, audited, secured and hardened (at least in the context of home and small business use).

Meanwhile, it might surprise you to know that the Unifi APs have a codebase that was forked from LEDE (17.01), which was a branch of OpenWrt (between 15.05 and 18.06).

Downstairs-BZ.v4.3.20# cat openwrt_release 
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='17.01.6'
DISTRIB_REVISION='r3979-2252731af4'
DISTRIB_CODENAME='reboot'
DISTRIB_TARGET='ar71xx/ubnt'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'
DISTRIB_TAINTS='no-all mklibs busybox'

Now, granted, this is a VERY old version and considered to be vulnerable to various security flaws -- it is advisable to avoid installing LEDE (official release) onto any devices that will be connected to the internet based on these issues. However, there are three things that make this less of a concern in the Unifi context:

  1. The APs running the Unifi stack are not designed to be directly exposed to the internet - they sit behind a router/firewall and purely serve as access points.
  2. Ubiquiti does release regular updates to the APs which include security patches, bug fixes, and feature additions (although it is very fair to question the quality control of these releases given the last 1+ years of updates causing other types of network issues such as the major DHCP bugs and such).
  3. The Unifi stack includes some customized security measures in terms of the provisioning and management process, ssh key handling, elimination of LuCI/web interface and default disabling of ssh access after adoption, and several other elements.

Consider that Unifi is aimed at and used by high end home users, small businesses, educational institutions and small-scale (or lower end) enterprise environments. Therefore, it is important that Ubiquiti stays on top of the security vulnerabilities. That's not to say that they don't screw up -- they have had several epic events in the last year or two, but most of those have been related to their cloud services, not local devices.

At the same time, consider your threat models, i.e. the expertise/persistence of attackers, the environment (home vs business), the modes of access (physical, proximity, connected to the same network, over the internet, etc.), the value of your network as a target (a major political campaign would be much higher value than a small town automotive garage), and the consequences of a breach.

Meanwhile, don't assume that the standard Unifi stack is lacking up-to-date security measures and patches. Likewise, don't assume that running OpenWrt immediately means you've got better security -- a flaw can be discovered at any time and/or you could simply misconfigure your device with respect to the various security considerations.

None of this is to say anything negative about OpenWrt -- I'm on this board because I love the platform and I believe that it has a good track record on security (i.e. patched reasonably quickly when issues are discovered, well designed architecture, etc.). If you want to go with OpenWrt, awesome -- I think you'll be really happy with it, and this forum is here to help you learn and troubleshoot.

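An added example, not code from the thread or from the OpenWrt project: a POSIX shell script that reads an openwrt_release file in the format psherman pasted above and flags a device that is still on the LEDE line or on any release older than a baseline you pass in. The sample file is a constructed copy of that pasted output, written to a temp path so the script runs offline; the function names are mine, and the baseline used in the usage call (21.02.0, the release the thread names as the first to support the UAP-AC-HD) is an assumption you must keep current as releases go end-of-life.

```shell
#!/bin/sh
# Added example: classify an OpenWrt/LEDE device by its openwrt_release file.
# Nothing here touches a real device; the sample input is constructed.

# Constructed sample, shaped like the output pasted in the thread.
SAMPLE_RELEASE_FILE="${TMPDIR:-/tmp}/openwrt_release.sample.$$"
cat > "$SAMPLE_RELEASE_FILE" <<'EOF'
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='17.01.6'
DISTRIB_REVISION='r3979-2252731af4'
DISTRIB_CODENAME='reboot'
DISTRIB_TARGET='ar71xx/ubnt'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'
DISTRIB_TAINTS='no-all mklibs busybox'
EOF

# release_field FILE KEY: print the single-quoted value of KEY='...' (empty if absent).
release_field() {
    sed -n "s/^$2='\([^']*\)'\$/\1/p" "$1"
}

# version_ge A B: exit 0 when dotted version A >= B, comparing numerically field by field
# (so 21.02 == 21.02.0). Uses awk because busybox sort may lack -V.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# release_status FILE MIN_RELEASE: print one line and return
#   0 = on a release >= MIN_RELEASE, 1 = end-of-life, 2 = file unreadable/unparseable.
# MIN_RELEASE is a caller-maintained assumption, not derived from the device.
release_status() {
    file=$1; min=$2
    id=$(release_field "$file" DISTRIB_ID)
    rel=$(release_field "$file" DISTRIB_RELEASE)
    if [ -z "$id" ] || [ -z "$rel" ]; then
        echo "unknown: could not parse DISTRIB_ID/DISTRIB_RELEASE from $file"
        return 2
    fi
    # The LEDE fork was merged back into OpenWrt; its 17.01 line gets no updates.
    if [ "$id" = "LEDE" ]; then
        echo "eol: $id $rel (LEDE branch, unsupported)"
        return 1
    fi
    if version_ge "$rel" "$min"; then
        echo "supported: $id $rel"
        return 0
    fi
    echo "eol: $id $rel (older than $min)"
    return 1
}

# Usage: the thread's sample is LEDE 17.01.6, so this reports eol and exits 1.
release_status "$SAMPLE_RELEASE_FILE" 21.02.0 || echo "exit status $? (non-zero: not on a supported release)"
```

On a live OpenWrt device the file lives at /etc/openwrt_release, so the same function works with that path over ssh; the LEDE check matters because a version compare alone would not tell you the fork was abandoned.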

I am using three Unifi HD devices with OpenWrt installed. They work flawlessly, I have not had any problems. Only 160 MHz doesn't work. I can get 500 Mbps speed with an Intel AX200 card. I am using 80 MHz. There is no change in the coverage area. The device heats up less with OpenWrt. I'm using non-CT Atheros drivers. They are connected to an x86 device as router. I wish there was a 4x4 MIMO card that I can use in the NGFF interface..


Hi @psherman @altuntepe,

Thank you very much for your kind, detailed answers! They provided me with what I needed to make a decision on which firmware to use (OpenWRT won here this time 🙂). I'll post here if I need help in the future.

Regards