Outdoor non-PoE/AC powered AP recommendation

Hi,

I am looking for an outdoor (dumb) AP device, preferably one which is:

  • waterproof (IP67),
  • working with AC power,
  • supporting VLANs.

any suggestion please?

(I know PoE is great but for two reasons it is not preferable to me:
a) it is a security risk and i don't want to invest into end-device security,
b) don't want to break walls to do ethernet cabling.)

thanks

Can you be more specific? There are many devices that meet those requirements.

Maybe something like an Aruba AP-365?

thank you.

what i have not mentioned yet:

  • min of wifi5 / .11ac,
  • currently manufactured or available on second-hand market,
  • available in EU,
  • with owrt support (if possible) or at least should not require any additional main hub or controller

according to https://www.hpe.com/psnow/doc/c05348011.pdf i cannot find AC power input option, only PoE options. or am i missing something?

Could you please elaborate on why you consider POE a security risk?
Genuinely curious question, no flaming/other intended.

1 Like

You could just use a POE injector. I would also make sure to have some sort of surge protection, as lightning can more easily travel down a cable into a switch and other equipment.

1 Like

because an ethernet cable connected to my internal network is exposed externally. there is no physical security: someone can simply disconnect the cable from my device, connect it to their laptop and instantly be on my network.

and also the lightning problem as @Darin755 mentioned.

yes, could use PoE injector but that would mean an additional waterproof device. i'd rather have one single, compact box running on AC power, as power is needed anyway.

Ah, OK, so you're planning to use WIFI as the backhaul too.

So, your security concerns are about the Wired Ethernet backhaul, not really the POE capabilities of the Spine switch connected to the AP.

1 Like

Easily solvable by putting the device in its own restricted VLAN.

not really, still no physical security and have to expose some services in that vlan too so maybe it is less vulnerable but still vulnerable. not to mention the electrical hazard and the wall breaking. so no, if possible would use wifi backhaul only.

anyhow, i would still like to see possible device models. i could imagine powerline APs too, but i have not found (yet) an outdoor version.

1 Like

Can you confirm that you are planning to use wireless backhaul? Running multiple VLANs via wireless backhaul means there are some considerations for the configurations of both the upstream and downstream APs. And what upstream AP are you using currently?

Regarding PoE... if you are currently planning to have AC power (in an outdoor weather-resistant enclosure) at the location of the AP, you can easily use a PoE injector just the same as you would a standard power brick.

From a security perspective, you can configure the port (from a data perspective) to either:

  • do nothing at all (i.e. no logical connections to the ethernet ports)
  • or set it up as a somewhat stealthy 'network' that is useful only if you know exactly how it is set up, and this can be entirely isolated from the other networks.
    • For example, you could use a random VLAN ID on the port (say VLAN 23) with an uncommon subnet (say 172.25.21.24/30), do not set up a DHCP server, and use strong passwords (maybe even disable password login and use key based login only via ssh and no LuCI)... this would make any casual attempt at connecting to the AP very difficult, but easy enough for you, as an admin, if you know the manual connection requirements.

To be clear, you'll have the same "issue" with physical port security even if you don't use PoE, assuming the AP itself can be accessed by 'untrusted' people.
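Added example, not part of the original posts: a small Python check that reads OpenWrt-style UCI config text and reports where it deviates from the isolated-port setup suggested above (static /30 address, no DHCP server, ssh key login only). The interface name `mgmt`, the device `eth0.23` and the address 172.25.21.25 are assumptions chosen to match the VLAN 23 and 172.25.21.24/30 values in the post.

```python
import ipaddress
import shlex

# Constructed sample in OpenWrt UCI syntax (network, dhcp and dropbear files
# concatenated); interface name 'mgmt' and device 'eth0.23' are assumptions.
SAMPLE = """
config interface 'mgmt'
    option device 'eth0.23'
    option proto 'static'
    option ipaddr '172.25.21.25'
    option netmask '255.255.255.252'
config dhcp 'mgmt'
    option interface 'mgmt'
    option ignore '1'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Interface 'mgmt'
"""

def parse_uci(text):
    """Return a list of (type, name, options) tuples from UCI-format text."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[0] == "option" and sections and len(tok) == 3:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def audit(text, iface="mgmt"):
    """List deviations from the isolated-port setup described in the post."""
    secs = parse_uci(text)
    net = next((o for t, n, o in secs if t == "interface" and n == iface), None)
    if net is None:
        return [f"interface {iface} not defined"]
    issues = []
    if net.get("proto") != "static":
        issues.append("address is not static")
    ip = ipaddress.ip_interface(
        f"{net.get('ipaddr', '0.0.0.0')}/{net.get('netmask', '0.0.0.0')}")
    if ip.network.prefixlen < 30:
        issues.append(f"subnet {ip.network} is wider than /30")
    # No dhcp section for the interface means no DHCP server is started on it.
    if any(o.get("ignore") != "1" for t, n, o in secs
           if t == "dhcp" and o.get("interface") == iface):
        issues.append("DHCP server is active on the port")
    if any(o.get("PasswordAuth") != "off" or o.get("RootPasswordAuth") != "off"
           for t, n, o in secs if t == "dropbear"):
        issues.append("ssh password login is enabled")
    return issues
```

With a /30 there are only two usable host addresses, so the admin laptop has to be set manually to the remaining one (172.25.21.26 in this sample) and to the right VLAN tag before ssh will answer.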

This is an important aspect, actually the most important one, because WLAN doesn't have a concept of VLANs, so this doesn't work (easily) at all. You can only simulate VLANs by tunneling those networks over a single wireless backhaul link (e.g. GRETAP or similar), which isn't exactly fun to set up - and requires more performance on the AP side.

1 Like

no, i don't plan this i actually want to avoid it as i wrote ("single, compact box").
look at this https://www.tp-link.com/en/home-networking/deco/deco-x50-outdoor/

it is PoE or AC powered, not external AC-DC, but has a built-in AC-DC adapter. so i just need to plug it in and it works without any additional device, does not need an additional waterproof cage to hold the AP and adapter/PoE injector, extra cables etc.

but i have not found it in ToH so i assume it is not openwrt supported.

the WLAN vs VLAN information, that is really interesting thanks for the heads-up, i might end up not using VLANs if that is too much/impossible effort.

why? if i have just AC power cable connected to AP what may happen?

  • someone may steal the AP itself -> my internal network is not compromised
  • someone may replace the AP -> it will not connect to my network, i am not compromised
  • someone may hack wifi traffic -> it is not impossible, that is a generic threat I cannot protect against if WPA3 is vulnerable

the only protection in case of PoE is - as you said too - if it is only used for delivering power and not used for data networking. which looks somehow overkill (to me) to break walls, add extra surge protection, grounding and whatnot, plus an extra cheap PoE switch to isolate physically from the rest of internal network etc ... just to deliver power and still use of wifi backhaul (with its limitations).

powerline is a better technology in this case, but again, i have not found (yet) outdoor version.

so the question is: can anybody suggest an owrt supported AP similar to the X50, or a powerline alternative?

But you'll draw the ethernet next to the mains wire? So the security model involves zapping wannabe hackers?

1 Like

I would never go the PowerLine route again. I've been using several different adapters over the years, and none was stable enough for my needs. I've never found even one adapter that wouldn't randomly crash (the powerline chip, not the main SoC). Running proper Ethernet cables finally made it reliable.

That said: you can always place a PoE injector near your AC outlet (even outdoors), so that you can use any PoE-powered outdoor AP. No need for a PoE switch or pulling new cables.

Makes sense. But wireless backhaul sucks...

I'd love to suggest something like Fiber-POE-G2 and enabling 802.1x on that port with certificates.

But there is basically no documentation to be found on how to actually do that.

Someone else can connect to the AP ethernet ports whether or not you do. Or to the AP console port. The wireless backhaul traffic is available unencrypted on the AP, and so are the keys used to protect the backhaul tunnel(s).

If you can't guarantee sufficient physical security then it's better to go for zero trust strategies. Encrypt the traffic between clients and some trusted zone. Do not assume a "secure AP".

it looks like:

  • AP console port, it is very rare in soho devices but yes it is a problem regardless of infra type,
  • AP ethernet port, it is a problem regardless of infra type,
  • Backhaul traffic is protected but i guess "wireless backhaul traffic is available unencrypted on the AP" you mean it is available in AP memory/cpu, in case of meaningful physical access (via console port for example) is a problem regardless of infra type

so these are generic problems.

" Encrypt the traffic between clients and some trusted zone" can you please elaborate?

Not really. Most devices have one if you open the case.

Same as with any untrusted network, like hotel wifi or public wifi. E.g. ssh from client to trusted server. Or an ipsec tunnel to some VPN server you trust. Or anything over TLS, etc.

1 Like

ok, thank you. that's not what i expected to be honest but in general this is good.