[SOLVED] Good AP with Wi-fi 6 and Privacy in Mind

Apr 15, 2022
I'm working on improving my network setup from a SOHO router to something a little more interesting and sophisticated. I'll be running OPNsense on a computer to act as my router, and I'm already looking into some good switches. What I need now is a good wireless access point that can handle gaming, provides the 802.11ax standard with WPA3, but won't ship my personal information to someone else. I am willing to spend at most maybe a little over 1,000 dollars, but no more than 1,500. I know a lot of APs don't cost that much, but I'm willing to pay a lot for one that does what I want. In my head the perfect AP for me would be one I can manage from a web browser, that has a decent UI, nothing too fancy in terms of a graphical user interface, but still easy to use, not laggy, etc., while delivering on everything else I mentioned. And, if I can't get the privacy I want, is there a way I could tinker with an AP to prevent it contacting the outside world via OPNsense? I was thinking it should be possible, but I'm worried that even if that is possible and I prevent the AP from contacting home, that might cause problems with updates and, correct me if I'm wrong, I'm still a bit of a newbie, would take up a lot of bandwidth because the AP would be continually trying to contact home. If I have to build my own, I will, but I haven't found any DIY WAPs that can do Wi-Fi 6 with WPA3. So, if that is possible I would be willing to do that. Thanks!
Not sure what devices you have been looking at, but pretty much any AP is an extremely stupid device. Its only purpose is to take wifi sessions from remote devices and convert them to ethernet. Unless you plan on using some fancy features they do not talk to any external device, even on your network.
They pretty much are just a media converter. They do not use the IP address they are assigned for anything but management of the AP. You can actually set it to a different subnet and then they can't even talk to local devices.

Now if you are using fancy network management software to control multiple APs, or are using something like enterprise mode (i.e. RADIUS) rather than a pre-shared key, then the AP needs to talk to some controller on your network, or if you are really stupid it can be managed from the "cloud".

Do you need an actual AP? The key reason people buy a real AP is mostly for things like PoE so they can mount it to, say, the ceiling where there is no easy power source. You can pretty much run any router as an AP if you do not need PoE.

It sounds like you in effect need wifi cards for your home-built router computer. For whatever reason internal wifi cards do not seem to function as well as an actual commercial device. You can use an AP if you like, but I would buy an inexpensive router and run it in AP mode.

The only real feature you need to look for is the wifi features you need. I think all wifi6 runs WPA3. Not all wifi6 though supports 160 MHz radio channels. I would actually look for wifi6e devices because of the 6 GHz radio band. It is a bit more expensive, but only a tiny fraction of the $1000 you talk about.

The safest way to manage these but prevent access is to use a secondary IP address. For example assign them 10.1.1.100 and then put a secondary IP on your "router" ethernet port of 10.1.1.1. You can then rig the routing in the router to not allow this to talk to anything other than the router.
In most cases you set a AP configuration and never look at it again.
 
Apr 15, 2022
Yeah, I agree, I get the industry is moving to the cloud, but I really don’t like using it. I feel it takes the fun out of your hands, not to mention privacy issues. I don’t necessarily need an AP and could run the network with a router as an AP, but I’m doing this as a hobby and I want to make it as much like an industrial setup as possible to learn more about the process. Plus, and once again correct me if I’m wrong, I was under the impression that some APs cover a larger area than a router, which is why I opted to go with an AP as well. Ideally I would not like to spend a thousand dollars on this, and if I can include a couple access points and get a single controller with it that would be great. I am definitely interested in the fancy network management software, which is why it has been a little disorienting finding an AP that doesn’t work on the cloud or come with a subscription that I don’t know whether or not I’m forced into using. If you know if that’s optional to use, let me know. It will be more work getting a controller and setting up a network like this, but I’ll have fun doing it. You mention setting it up with the router so the only device the AP talks to is the router; if I did that, I assume the AP wouldn’t be /trying/ to talk to anyone else. It would realize there is no one else to talk to and shut up, so to speak. On that note, could you technically explain — not necessarily how to configure the router so it does this — but what is actually happening that prevents the AP from trying to make other requests to some outside agent? Don’t be afraid to get technical. I’ll figure it out. I’m just really curious about that. If you’re willing of course.
 
Almost every router/AP you find nowadays transmits at the full legal power. Most true APs are using exactly the same wifi radio chips as a router. Again, the only real feature an AP has that a router does not is PoE, unless you consider it a feature that it only has 1 ethernet port.

In most cases management systems for APs only matter if you have a huge number of them. It would be a pain to push a software patch to 100 units. When you have 1 or 2 it is going to be easier to do this by hand. You can look at Ubiquiti stuff, but again you are likely making something complex when you don't actually need the features.
Some very high end stuff from, say, Cisco or HP uses controllers that cost more than some cars do. They also only work with their extremely expensive APs.

Don't get sucked in by stuff like seamless roaming etc. The roaming function is controlled by the end device, not the network. The network can not actually force it to connect to a particular AP. The part you would need a controller for is if you are running enterprise mode. It is much more complex to move from AP to AP when you have a RADIUS server doing the authentication than using simple pre-shared keys.

There is almost no need for seamless roaming anyway; nobody actually watches Netflix while they walk around the house. If you set the power on the units to have as little overlap as possible it generally will switch "ok", and if it doesn't you just stop and start the wifi client on the end device and it will switch. Key here is the layout of the APs; too much wifi signal is actually worse than not enough in some ways.

It is very easy to prevent a device from getting out of the network. The whole concept of a subnet needs a "gateway" to tell devices the path for traffic to exit. If the gateway does not exist, or if you rig the gateway machine (i.e. your router PC) to prevent sending any traffic to other subnets, the devices can not get out. Just not putting in a gateway, or putting in an invalid one, tends to be the simplest way to prevent traffic from leaving a network.
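The two mechanisms described in this thread (the isolated 10.1.1.x management subnet with a secondary router IP from the earlier reply, and the "no gateway / invalid gateway / router that refuses to forward" point above) can be traced with a small route-lookup model. The following is an added example and not code from anyone in the thread; the 10.1.1.100 and 10.1.1.1 addresses are the ones quoted in the reply, while the 192.168.1.0/24 LAN, the set of hosts that answer ARP and the 8.8.8.8 outside address are my own constructed assumptions. It shows why the AP simply has nowhere to send packets that are not destined for the router, rather than "trying" and consuming bandwidth.

```python
"""Toy model of why an AP on an isolated management subnet cannot reach
anything beyond the router (added example, not from the thread)."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed scenario. 10.1.1.100 / 10.1.1.1 come from the forum reply;
# the LAN prefix, live hosts and outside address are assumptions.
MGMT_NET = ip_network("10.1.1.0/24")
ROUTER_MGMT_IP = ip_address("10.1.1.1")     # secondary IP on the router's LAN port
LIVE_HOSTS = {                               # hosts that actually answer ARP
    ip_address("10.1.1.1"), ip_address("10.1.1.100"),
    ip_address("192.168.1.1"), ip_address("192.168.1.20"),
}


def routes_for(iface_cidr, gateway=None):
    """Routing table for one host: its on-link prefix plus an optional default route."""
    iface = ip_interface(iface_cidr)
    table = [(iface.network, None)]          # None next hop = deliver directly
    if gateway is not None:
        table.append((ip_network("0.0.0.0/0"), ip_address(gateway)))
    return table


def lookup(table, dst):
    """Longest-prefix match. Returns ('local', dst), ('via', gw) or ('unreachable', None)."""
    dst = ip_address(dst)
    matches = [(prefix, gw) for prefix, gw in table if dst in prefix]
    if not matches:
        return "unreachable", None
    prefix, gw = max(matches, key=lambda m: m[0].prefixlen)
    return ("local", dst) if gw is None else ("via", gw)


def router_forwards(src, dst):
    """Router policy from the thread: the management subnet may talk to the
    router itself and to nothing else; every other subnet is forwarded."""
    src, dst = ip_address(src), ip_address(dst)
    if src in MGMT_NET:
        return dst == ROUTER_MGMT_IP
    return True


def send(table, src, dst):
    """Trace one packet and report where it stops and why."""
    kind, hop = lookup(table, dst)
    if kind == "unreachable":
        return "no route: no gateway configured"
    if hop not in LIVE_HOSTS:
        # ARP for the next hop never gets an answer, so the packet is dropped
        return f"dropped: next hop {hop} never answers ARP"
    if kind == "local":
        return "delivered on-link"
    # packet reached the router; the router decides whether to forward it
    if router_forwards(src, dst):
        return "forwarded by router"
    return f"blocked at router {hop}"


if __name__ == "__main__":
    ap = "10.1.1.100"
    cases = [
        ("no gateway",       routes_for("10.1.1.100/24")),
        ("invalid gateway",  routes_for("10.1.1.100/24", "10.1.1.254")),
        ("gateway = router", routes_for("10.1.1.100/24", "10.1.1.1")),
    ]
    for name, table in cases:
        for dst in ("10.1.1.1", "192.168.1.20", "8.8.8.8"):
            print(f"{name:16} {ap} -> {dst:13} {send(table, ap, dst)}")
    lan = routes_for("192.168.1.20/24", "192.168.1.1")
    print(f"{'LAN host':16} 192.168.1.20 -> 8.8.8.8       {send(lan, '192.168.1.20', '8.8.8.8')}")
```

In all three AP configurations the router at 10.1.1.1 stays reachable for management, while traffic toward the LAN or the internet is either never sent (no route), dropped at the ARP step (bogus gateway) or discarded by the router's own policy; only the LAN host with a real gateway and a permissive policy gets forwarded.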
 
Solution
Apr 15, 2022
I'm gonna give you best answer. Yay. Thanks for helping me think some of this out. It will save me money, and has given me a lot to consider in the process.