UAP AC-IW mostly working

For Developers
#1

So I had one of these laying around and decided to mess with it this weekend.

For those not familiar with this device (https://inwall.ui.com/) it has one port in the back that provides POE and the main ethernet. There's two network connections on the bottom with the one on the left providing pass-thru 802.3af power.

Installation of OpenWRT is the same as any other UAP AC device. I tried both the unifiac-pro and unifiac-mesh-pro images since both of those have multiple ethernet ports on them and the regular unifiac-pro seemed to work the best so far.

Boot messages from the serial console can be found here and a picture of the internal here.

Pretty much everything works including both 2.4 and 5 GHz radios but I have a few outstanding problems

-- the "main" ethernet port on the back that powers it does not seem to be recognized by the kernel. No matter what I've done so far I haven't been able to get it to work on network. The secondary one on the lower right works fine, though, so it can get power from one and a network connection from the other

-- Last time I checked, and blew out a USB ethernet adapter, the POE pass-thru was always turned on on the lower left port. I assume the port is working fine since I can see it in the switch table but I'm hesitant to plug anything else into it

Can someone help me look into these two problems? After that it looks like it should be fully functional

#2

Are all three Ethernet transformers connected to the switch chip, or does the one for the back port go direct to the CPU?

PoE out will be controlled by a GPIO pin. This is not true 802.3af in that it does not probe if the connected device is PoE ready. It applies power all the time which will cause hardware damage when a non-PoE device is connected. To connect safely go backwards through a Ubiquiti PoE injector that is not plugged into the wall. This will isolate the PoE circuit. Don't try that at 48 volts though with a 24 volt injector.

#3

I honestly don't know enough to answer the first question but I'm going to guess the back port doesn't go to the switch solely because it looks like the switch (AR8327) is located on the lower right and I don't see a lot of traces going from where the main ethernet connection is. I have included two more pics of the front and the back that are probably easier to read. I guess that QCA9563 at the top above the main port is the CPU?

Ok, that makes sense on the POE. I had assumed then they said 802.3af in the specs that that's what it actually was on that port distinctly separate from the incoming power. I should have a injector around here somewhere I can use to test that. Is there an easy way to test a GPIO toggle for the power? I've seen that on other systems before

#4

Running stock firmware might give you some clues about the Ethernet port on the back. It's possible to get root access to the device, so it should be possible to look at things like /proc/net and /sys.
I've looked at a UAP-AC-PRO on stock firmware. It should have similar hardware. "swconfig dev switch0 show" lists ports 0-6. Three of them have link, the internal CPU port, the main and secondary Ethernet connectors. It's got two devices connected to it, so that makes sense.
I've got an UAP-AC-IW in the office. I'm working from home right now, but since Sweden is not in a lock-down, I can get it later this week. I'll see if I can figure out how the back port is connected.

#5

Good idea. I'm actually using it as an access point at the moment but I'll reflash it later this evening with the stock firmware and see what I can find

#6

Sorry, totally forgot about this

I've got it set up right now on the network with the stock firmware so can answer any questions about it. Looks like it's showing ports 0 and 1 active with just the main port connected.

BZ.v3.7.58# swconfig dev switch0 show 
Global attributes:
        enable_vlan: 1
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        arl_age_time: 7
        arl_table: address resolution table
Port 0: MAC 18:e8:29:9c:1e:fd
Port 1: MAC 00:11:32:9b:19:da
Port 1: MAC 00:11:32:9b:19:d9
Port 1: MAC d4:25:8b:4f:91:29
Port 1: MAC 78:8a:20:b9:1a:28
Port 1: MAC b4:fb:e4:50:6e:fd
Port 1: MAC b4:fb:e4:50:6e:fe
        igmp_snooping: 0
        igmp_v3: 0
Port 0:
        mib: MIB counters
RxBroad     : 39
RxPause     : 0
RxMulti     : 15
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 27
Rx128Byte   : 186
Rx256Byte   : 82
Rx512Byte   : 14
Rx1024Byte  : 2
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 41276 (40.3 KiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 165
TxPause     : 0
TxMulti     : 143
TxUnderRun  : 0
Tx64Byte    : 181
Tx128Byte   : 526
Tx256Byte   : 45
Tx512Byte   : 4
Tx1024Byte  : 2
Tx1518Byte  : 4
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 75816 (74.0 KiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        enable_eee: ???
        igmp_snooping: 0
        ingress_mode_val: 1
        egress_mode_val: 3
        ingress_mode_override: 1
        egress_mode_override: 1
        pvid: 1
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
        mib: MIB counters
RxBroad     : 165
RxPause     : 0
RxMulti     : 143
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 181
Rx128Byte   : 526
Rx256Byte   : 45
Rx512Byte   : 4
Rx1024Byte  : 2
Rx1518Byte  : 4
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 75816 (74.0 KiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 39
TxPause     : 0
TxMulti     : 15
TxUnderRun  : 0
Tx64Byte    : 27
Tx128Byte   : 188
Tx256Byte   : 89
Tx512Byte   : 14
Tx1024Byte  : 3
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 43376 (42.3 KiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        enable_eee: 0
        igmp_snooping: 0
        ingress_mode_val: 1
        egress_mode_val: 3
        ingress_mode_override: 1
        egress_mode_override: 1
        pvid: 1
        link: port:1 link:up speed:1000baseT full-duplex auto
Port 2:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        ingress_mode_val: 1
        egress_mode_val: 3
        ingress_mode_override: 1
        egress_mode_override: 1
        pvid: 1
        link: port:2 link:down
Port 3:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        ingress_mode_val: 1
        egress_mode_val: 3
        ingress_mode_override: 1
        egress_mode_override: 1
        pvid: 1
        link: port:3 link:down
Port 4:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        ingress_mode_val: 0
        egress_mode_val: 0
        ingress_mode_override: 0
        egress_mode_override: 0
        pvid: 0
        link: port:4 link:down
Port 5:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        ingress_mode_val: 0
        egress_mode_val: 0
        ingress_mode_override: 0
        egress_mode_override: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        mib: No MIB data
        enable_eee: ???
        igmp_snooping: 0
        ingress_mode_val: 0
        egress_mode_val: 0
        ingress_mode_override: 0
        egress_mode_override: 0
        pvid: 0
        link: port:6 link:down
VLAN 1:
        vid: 4017
        ports: 0 1 2 3
#7

Great news!
That means all three ports are connected to the switch. You might want to map them by plugging something in and saving the results. It could of course be a different logical to physical port mapping in stock and OpenWRT, but lets hope it's the same.

One thing worth noting is that in stock firmware the ports 0-3 are assigned to pvid 1 and the unused ones to pvid 0. Pvid 1 is then defined as VLAN ID 4017 and port 0-3 are members of this VLAN and are untagged. So, the vid is not visible outside the switch.

I would guess that the VLAN configuration is incorrect in the OpenWRT firmware. It would most likely also not be correctly mapped for the web GUI. After all IW has three external ports and the UAP AC Pro only has two. That means the port on the reverse side is not visible in the switch config page. Correct?

You can still enable the port and assign it to the right vlan from command line. Let me know if you need assistance to do that. I need a printout from swconfig on OpenWRT in that case.

Eventually, one should figure out how to configure this in the GUI. I think its in /etc/board.d and /etc/board.json. But, I'd have to read up on how to configure that.

#8

Port 2 appears to be the one that get the POE passthrough (the left one when you look at the front of the AC-IW). This is the one that always passes power to the connected device. Eventually I'll look into trying to toggle this power off if it can be shut off.

Port 3 appears to be the other one on the right side when you look at the front.

What you've said makes sense. I'm afraid I don't know enough about swconfig to do that yet but I'm willing to learn if you can get me started. I'll reboot it into openwrt unless you think there's any more useful info to be gathered here.

#9

I think we have what we need to get all the ports active.

swconfig is quite simple to use, but you need to understand vlan switching to use it fully.

I'll help to sort this out. I still haven't fetched my IW from the office.

If you can get a dump of swconfig from the OpenWRT firmware, I'll tell you how to configure it from the command line.

#10

Here's the output. I currently have it set up with two vlans and both active ports untagged on vlan5

Give me a second and I'll note which ones change active status when I plug in the other two ports

# swconfig dev switch0 show 
Global attributes:
	enable_vlan: 1
	ar8xxx_mib_poll_interval: 0
	ar8xxx_mib_type: 0
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	mirror_monitor_port: 0
	mirror_source_port: 0
	arl_age_time: 300
	arl_table: address resolution table
Port 0: MAC 18:e8:29:9c:1e:fd
Port 3: MAC c2:56:27:76:4b:93
Port 3: MAC b4:fb:e4:50:6e:fd
Port 3: MAC b4:fb:e4:50:6e:fe
Port 3: MAC 78:8a:20:b9:1a:28
Port 3: MAC d4:25:8b:4f:91:29
Port 3: MAC f0:9f:c2:70:e7:42
Port 3: MAC 00:11:32:9b:19:da
Port 3: MAC 00:11:32:9b:19:d9

	igmp_snooping: 0
	igmp_v3: 0
Port 0:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:1 link:down
Port 2:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 5
	link: port:2 link:down
Port 3:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 5
	link: port:3 link:up speed:1000baseT full-duplex auto
Port 4:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:4 link:down
Port 5:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:5 link:down
Port 6:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:6 link:up speed:10baseT half-duplex 
VLAN 1:
	vid: 1
	ports: 0t 
VLAN 5:
	vid: 5
	ports: 0t 2 3
#11

Port 3 that it currently shows as active is the same, right side, non-POE port

Port 1 is the port on the back with that takes in power. This is the one that apparently doesn't seem to be working for me

Port 2 appears to be the POE passthrough port on the right side

Not at all sure what the Port 6 is that it's showing is up

#12

Port 1 isn't in any VLANs that's why it won't pass any data. Add it to VLAN 5 along with 2 and 3.

If it's a QCA8337 switch chip, port 6 is a SERDES that's basically single lane raw serial at line speed for a SFP port. The concept of carrier detection would be different if it's implemented at all.

#13

According to the UI they're all added to VLAN5. Even when I first installed it with the stock openwrt setup Port 1 wasn't working so it must never have been tied to a VLAN

#14

But that did solve it. The UI doesn't even show that port. It shows CPU, LAN1, and LAN2 but apparently didn't even set up port 1 on any VLAN.

For anyone that wants to get this set up you will be able to flash it with openwrt much the same as any other UAP AC system. Once it reboots plug a network connection into Port 3 (the non-POE one on the bottom) and should can connect to it on 192.168.1.1

As noted you'll have to edit /etc/config/network and add port 1 to the correct vlan (usually 1) and then once you reboot it will work fine.

#15

Good work!

I think /etc/board.d/ should be the place to get the interface to show up in the Web GUI properly. I'll look at it when I get my hands on one.

If this is stable, it really solves a problem for me. I have a customer that wants a single IW AP. I dreaded to have to set up the whole Unifi management system for one AP.

How do we take this forward to an officially supported FW? I guess the first thing would be to add your findings as documentation on a device page.

How about the PoE pass through? That still needs to be worked out. I think it would be a good idea to turn it off by default. There are several threads on this subject in the Ubiquiti support forums It's possible to turn pass through of in their management system for the UAP-IW-HD. But, so far all I've seen is that it's not possible on the UAP-AC-IW. Perhaps on a modern firmware/controller it works.

#16

I can start to add some of these findings on the normal UAP AC wiki page

It seems like the POE pass-through toggle, if there is one, is a hit or miss process on many of these devices. I have a way to test it easily with another AP but I can tell you not to plug any device into it that won't accept POE. The manual doesn't mention being able to turn it off at all for the normal Ubiquiti firmware

It seems totally stable so far. I've been running as one of the APs with 2.4 and 5 GHz radios for a few weeks with no problems. I am using a latest snapshot build for that and a Pro but I don't think there have been any changes that would prevent the last stable release from working fine

I'm using the uap-ac-pro image. I also tried the uap-ac-mesh-pro since both have switches in them and can't recall what I didn't like on the uap-ac-mesh-pro setup but it did boot.

Oh and if you open it up there is a place to add a header for a serial port. I soldered one on there and this is how I noticed it was booting up fine but the main port just wasn't connecting to the network. It's a nice backup to have. Pinout is the same as the other Unifi devices

#17

Hi all,

Thanks for working on this. I have a question related to the warning on the wiki page.
It mentions that the PoE power on port 2 is always on and I should not connect anything that doesn't like that. Would a fairly recent D-Link switch (DGS-1100-05) be able to cope with incoming PoE? It doesn't need to do anything with it like power devices, but just not die because of it :slight_smile:

#18

Unless it's able to handle 802.3af power then I wouldn't try it directly. As mk24 noted it's not true 802.3af so it doesn't probe the device and see if it is capable of accepting power. You should be able to use POE injector backwards, as he noted, to remove the power from the line. I don't happen to have one around so haven't been able to try that solution

#19

I have OpenWRT 19.07.5 running on my UAP AC IW now, thanks to this thread!

A couple of notes regarding the UAP AC PRO firmware:

  • Port 1 isn't configured, as noted above
  • Port 3, the non-PoE port, comes up as the WAN port with no SSH or HTTP access
  • Port 2 is the PoE port, and initial configuration must go through this port; BEWARE the 48V passive PoE out!

I'm starting to wonder if it's possible to turn off the passive PoE at all; here's my thinking:

  • The stock firmware keeps port 2 energized; if PoE could be turned off, for safety's sake, the stock firmware would.
  • In a brief study of the PCB, I didn't see any chips obviously related to PoE PSE functions (but this is VERY weak evidence, since I put very little effort in).
  • UniFi APs apparently have a reputation for killing non-PoE devices (but I lost the community.ui.com link discussing this problem).

I'm going to look at cutting PCB traces to disable the passive PoE-out, because I know I'll eventually zap something otherwise, and I just don't need that feature.

Anyway, though I haven't actually started using it yet, I'm very happy with the device's form factor, and if it's half as good as my UAP AC Lite, I'll continue being happy. Thanks for the pioneering work in this thread to bring up this device!

#20

But you were able to get Port 1 configured once you change the switch settings, right? Once that was changed then ports 1 and 3 work fine for me. Well and port 2 also when you plug in a device that can handle the passive POE.

I don't know much of anything about the chips on there but if you are able to find how to disable the passive POE that would be great. I have a few of these devices set up this way. It's a nice form factor and seems to behave well with the Pro firmware.

If you do get yourself locked out then the serial port works fine but you'll have to solder on some headers on those pins for easy access.