MacGyver phone redux

In MacGyver’in up an IP phone I wrote about the great success in re-deploying an Orange PI and some wire to become a wireless bridge for my wife’s work-from-home setup.

Sadly there have been some unreliability in the system. My WiFi meter shows the Aruba device she is equiped with constantly broadcasts on Channel 10 Wifi and Channel 36 WiFi (despite not using the WiFi, it just chatters away anyway). And this proved a problem for a couple of reasons:

  1. More RF noise makes less reliability all around
  2. It overlaps with the nearest Access Point to her, increasing the affect on her system
  3. You should not use Channel 10 in 2.4GHz (use 1/6/11 only, I talked about this in WiFi: going from good to great is very hard)

So, I decided to redo it. I purchased a Wavlink WL-WN575A3, a dual-band wifi repeater. They are a dime a dozen, quite a few out there in the $40-$80 range. I purchased this on a couple of assumptions:

  1. It would likely run OpenWRT (spoiler: it does, based on MediaTek MT7628AN)
  2. dual-band means I could use the 5G as an upstream and the 2.4G as a downstream if I had to (never use a wifi repeater where it has a single radio).
  3. It would have adequate antenna diversity to improve the overal signal strength and resilience

So, repeater acquired I set it up. Installing OpenWRT was a breeze. I then disabled the 2.4GHz wireless, set the 5G wireless to my house WAN, moved the 2 Ethernet ports to a LAN bridge, boom, we are done.

Was it a great success? Yes I think so. Signal rate is -77dBm, noise floor is -100dBm, so the SNR is ok.

I would really rather the Aruba would turn off its transmitters (both), but, workaround achieved.

Now, this brought up an interesting dilemma. You see, the Aruba widget she was sent home with is an IPSEC VPN. They wanted you to plug the laptop into it as well as the phone. Previously we had the phone there, but the laptop was on the (guest) WiFi, and she would VPN it in directly. So, the general Internet speed of the laptop is now *lower*. Why? Because all traffic trombones through the company, our downstream (1Gbps) is throttled by their upstream (seems 90Mbps).

But, she doesn’t have to start/stop her VPN.

Is this a good tradeoff?

From a security standpoint, no.There is an Ethernet jack in our house on their corporate network. Zero-Trust would be better, get rid of this VPN.

From a employee happiness standpoint? Maybe. She will have a worse experience doing video conferencing and youtube and browsing. But she will have a better experience with (what is that horror, is it a 3270 terminal emulator? its some text-based interface run in a shell, probably AS/400?) their built in tools.

Posted

in

by

db

Tags:

Comments

4 Responses to “MacGyver phone redux”

  1. Alex Leyn

    Ignoring the security of a VPN hole in your house issue, I’ve just recently switched over to a semi-mesh based on the Netgear Orbi AC3000 system (RBR50/RBS50). This allowed the cleanup of a hodgepodge of extenders and extras, cleaning up my local spectrum as a nice side effect. And the inter-satellite roaming around the house for devices that support it (modern smartphones, tablets, and laptops) is brilliant. I now get 650-800Mbps in most of the house, garage, and deck. Time to upgrade the ISP. The brilliant part: no wires — all of this is handled by Orbi’s dedicated dual-link-ganged 5GHz band backhaul on separate channels. Orbi will now both star and mesh/daisy chain — seen it do it when it made sense. And Orbi give me 4 local bridged wired Gbps Ethernet ports at each satellite location, a nice bonus for an older printer, wired gear, and hacking around. Only using Orbi for AP, not for router — lots of past reports of instability that seems to mostly be focused on the router part — I am rather happy with a separated modem, router/firewall, and wifi for home anyway; it has all the benefits of the old component hifi system.

    Only serious problem with Orbi is lack of wifi sequencing and/or client to satellite binding facilities. After a power fault or otherwise reboot, many dumber smart devices don’t roam on wifi and end up connecting to and staying permanently connected on too distant a satellite. One solution is UPS on all satellites and hope reboots aren’t needed. I guess that’s another problem: fairly expensive as a system.

    For the useless-radio-always-on gear, how about a makeshift grounded tinfoil faraday cage for those? Only slightly joking.

    Reply
    1. db

      I ran tp-link omada for our office (EAP245). Its fantastic for seamless handoff, well managed, automatic. the management sw runs on your own site. Highly recommend. Its also just the L2 connectivity, its not a router or firewall, it just makes connectivity work w/o config, handles the guest network everywhere too.

      As for the VPN, its outside my firewall, so not my problem 🙂

      Reply
      1. X

        Does EAP245 have dedicated/segregated wireless backhaul? I think that’s key for top performance in such a system if you can’t wire the backhaul. Before settling on the Orbi AC3000 system (which is also locally managed!), I preordered and think I was the first in Canada to purchase the TP-Link AX3000 Deco X60 system. Returned 2 days after receipt: kept crashing every few hours and solely cloud managed, both completely unacceptable. And it’s not a bleeding edge system, not completely new, just new in Canada. I have lots of other TP-Link gear I like, but Deco X60 is not a winner.

        Reply
        1. db

          i don’t believe in wireless backhaul unless unavoidable.
          its PoE, each access point is a mesh in the sense of hand-off, but not in transmission.
          its on the list for home, just not high on the list, i’m waiting for their wifi 6 version. I have ethernet at the 5-6 locations i need the AP’s.
          But it allows for different segments (e.g. guest, iot, …), its all self managed for e.g. channel, power, etc. Its very good. its the same concept as the cloud-managed wifi they use in venue etc, just they have their own sdn controller you use yourself.

          Reply

Leave a Reply

Your email address will not be published. Required fields are marked *