On 07/24/2015 01:09 AM, Dave Warren wrote:
On 2015-07-23 21:24, Adam Thompson wrote:
On 2015-07-23 10:46 AM, Karl Fife wrote:
Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex.

The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?

Not a recommendation at all, but stay away from EnGenius devices. OK hardware & good price, but (e.g.) my AP comes with an open DNS resolver that can't be disabled, and they don't seem to think it's a problem at all...


I like the EnGenius hardware, when it works, but if it doesn't, support doesn't seem to care about much. I'm trying to map SSIDs to VLANs, the traffic just won't pass, the switch doesn't even see it, and support hasn't been useful. Looks like a bug, but still, it's literally the reason I bought the device over my previous solution. On the other hand, the speed is amazing, so I'm not ripping it out.

I noticed the DNS resolver, but it didn't bother me personally as I have other resolvers similarly positioned in my network. As a possible workaround, does it need DNS at all? If not, either remove its DNS settings, or configure your resolver to refuse packets. Not perfect, but it's better than being an open resolver if it's exposed to untrusted users. And for whatever it's worth, it looks like a non-caching forwarder, not a full resolver.

Still, it concerns me that support doesn't understand how it's a potential issue. If you use it for NAT/routing/anything, does it listen on the WAN interface, or only the LAN side?


OK, this discussion is getting WAY off-topic for a pfSense list... but... I can't resist either...

To clarify, I have an EAP-600, which is a pure access point, not a router at all. It only has one LAN port, grand total. There is *no* universe where it makes sense for an access point to run a DNS server/forwarder/whatever.

I had connected it to a public segment (the joys of having your own address space <grin>), but within a couple of weeks I was apparently participating in a DDoS DNS amplification attack. At that point I not only moved its management interface behind a firewall, and had to set up SSID-to-VLAN mapping, but also notified EnGenius about the already-exploited security flaw in their device.

Their answers basically consisted of alternating "Huh?" and "We don't believe it's a problem". *Not* what I want to hear from a networking vendor.

-Adam
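Dave's workaround (make the device refuse recursion) and Adam's question about which interface the forwarder listens on both come down to one check a defender can run against a device they administer: send a single recursive query from the untrusted side and read the flags in the reply. The following is an added example, not code from the thread or from EnGenius; it parses the DNS header with the standard library only, reports whether the reply looks like an open recursive resolver or a proper REFUSED, and computes the byte amplification factor that makes such devices attractive to the attack Adam describes. The sample replies are constructed inline so the classification runs offline; `probe()` is the live check and is assumed to be pointed only at your own device.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS query for an A record with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = [bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(query, response):
    """Classify the responder from its DNS header; also return response/query byte ratio."""
    if len(response) < 12:
        return {"status": "malformed", "amplification": 0.0}
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    amp = round(len(response) / len(query), 2)
    if txid != struct.unpack("!H", query[:2])[0]:
        return {"status": "txid-mismatch", "amplification": amp}
    qr, ra, rcode = (flags >> 15) & 1, (flags >> 7) & 1, flags & 0xF
    if not qr:
        status = "not-a-response"
    elif rcode == 5:
        status = "refused"            # what a restricted resolver says to untrusted clients
    elif ra and rcode == 0 and ancount > 0:
        status = "open-recursive"     # it resolved on our behalf: abusable for amplification
    elif not ra:
        status = "recursion-unavailable"
    else:
        status = "other"
    return {"status": status, "amplification": amp}

def probe(host, port=53, timeout=2.0, name="example.com"):
    """Send one recursive query to a device you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"status": "no-response", "amplification": 0.0}
    return classify_response(query, response)

# Constructed sample replies (not captured from any real device) so the check runs offline.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
# Constructed: RA set, RCODE 0, one A record for 192.0.2.1 -- the signature of an open forwarder.
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Constructed: RCODE 5 (REFUSED), no answers -- the reply a correctly restricted resolver gives.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION
```

Run `classify_response(QUERY, OPEN_REPLY)` and `classify_response(QUERY, REFUSED_REPLY)` to see the two verdicts; a real reply with a large answer section shows a far higher amplification factor than the 1.55 of this small sample.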
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold