>Assign static IPs for infrastructure like access points. This makes them easy to reach when reconfiguration is needed<p>Am I missing something, or did they buy consumer routers to use as access points?<p>Triplebyte, I can save you a ton of management, troubleshooting, and learning time: switch to Ubiquiti UniFi or an equivalent now; you'll have one pane of glass to reconfigure every device. The devices will talk to each other to help hand off clients between them. All channel management will be done by the devices working together, and they can throttle down power if they are causing each other interference. I can't even begin to list all the benefits of a single set of settings vs. devices that don't work together. Even an ASUS AiMesh network would likely be better. You're asking for a troubleshooting nightmare.<p>You can either pay a couple hundred a year for the management interface, or $80 for an on-prem tiny little stick that hosts it. (Paying for the cloud-hosted one has its benefits, and is my recommendation.)<p>Access Point - <a href="https://unifi-hd.ubnt.com/" rel="nofollow">https://unifi-hd.ubnt.com/</a><p>POE Switch - <a href="https://www.ubnt.com/unifi-switching/unifi-switch-poe/" rel="nofollow">https://www.ubnt.com/unifi-switching/unifi-switch-poe/</a><p>Management Interface - <a href="https://www.ubnt.com/unifi/unifi-cloud-key/" rel="nofollow">https://www.ubnt.com/unifi/unifi-cloud-key/</a> OR Cloud Management <a href="https://unifi.ubnt.com/" rel="nofollow">https://unifi.ubnt.com/</a><p>Router - <a href="https://www.ubnt.com/unifi-routing/usg/" rel="nofollow">https://www.ubnt.com/unifi-routing/usg/</a><p>You should never need to track down or log into individual devices to configure them.<p>I don't mean to be a complete ballsack, but isn't it weird for a company whose mission is matching talent to problems to fail to find the talent to adequately address their problem, and to be giving authoritative (mis)advice on something they are not remotely domain experts in? It doesn't seem like the best advertisement.<p>That said, this is the KIND of post companies should be making when their SEO expert says to use keywords. Good job writing about improving the internals of your company, and not just what your company does. Write a V2 of this post once you upgrade, and rename the old one "How we Created (and then Mitigated) a Device Management and Troubleshooting Nightmare".
Generally pretty solid advice. I say that as someone who is known for solving tough wireless problems. :-)<p>On the cable termination part: I've (mostly) stopped crimping cables because I've had too many go flaky and don't have 4-5 figure testing equipment. One thing I'll add is that there are ends for solid conductor and stranded; make <i>SURE</i> you have the right ones for the cable you are using.<p>These days I always just put on keystone ends and then use commercial patch cables from there. I've had very good luck. I'd recommend against the advice to use a screwdriver to punch them down; with the Leviton ones I prefer, you just put the cap on and they punch down themselves. The random ones I get from Ace Hardware have a little punch tool included.<p>One additional recommendation I have is to put 5GHz radios in each space. 5GHz has more spectrum and less interference, but it penetrates drywall significantly worse. That's a good thing, though, because it cuts down on interference from your neighbors.<p>Beware of microwave ovens, baby monitors, and cordless phones (the last two more so in residential areas). They can be intermittent interference, and won't show up on the non-commercial spectrum analyzers. Our 2.4GHz used to go out when we'd run our brand new microwave. But it would also go out at other times, possibly when a neighbor ran theirs? 2.4GHz penetrates buildings quite well, which kind of sucks.<p>My credentials: <a href="https://www.tummy.com/articles/pycon2012-network/" rel="nofollow">https://www.tummy.com/articles/pycon2012-network/</a>
It’s only sort of passively mentioned in the article, but I am AMAZED at the number of people who don’t hardwire everything they can.<p>Obviously phones are out, but why not hardwire every laptop when it’s at the desk? If someone’s using an actual desktop computer like an iMac, then what’s the point of Wi-Fi? Clear up the signal space and get a 100% reliable and ultra-fast connection.
If you're based in SF and want to have a high quality boutique IT shop work with you, without hiring IT staff yourself, then I can't recommend <a href="https://www.boxit.net/" rel="nofollow">https://www.boxit.net/</a> enough.<p>I was managing consumer grade routers for the company since its inception until we switched to Aruba APs (which are awesome <3) and then eventually to an office with a real firewall, several APs, and a switch for 100+ cabled desks. The folks at BoxIT were a real life-saver at that stage, both for the initial setup and proactive monitoring of your network's health over time. Having your staff spend brain cycles on this stuff isn't the best ROI IMO.<p>The one thing to watch out for is VoIP in SF office buildings. Our APs conflict with about 300 other APs in the area, so getting reliable VoIP for your sales people over WiFi is not even worth trying. We got lucky and inherited an office where the previous company learned that the hard way and wired every nook and cranny with ethernet.
My startup purchased Meraki, and we don't have to deal with many of these issues. We also paid an electrician to do wiring and crimping. SDE time is expensive and we want the team focused on building our product, so we made the tradeoff to pay more for the network gear and installation. As a result our entire team, engineering and everyone else, has network access that "just works". This was true when the 35-person team showed up at our last office for the first time, and continues to be true.<p>The configuration is done through a hosted dashboard that also provides monitoring. We're in a heavily regulated field, and the Meraki dashboard provides a lot of evidence for compliance audits. It also enables us to remotely control devices (e.g. lock, wipe, locate) and investigate issues when integrated with the Meraki MDM solution.<p>We did have to tune the bitrate for wireless.<p>We also cannot set up redundant VPN tunnels to AWS (Meraki only supports one tunnel for non-Meraki VPNs), so we have to do manual failover. This is my biggest gripe with Meraki. We are investigating adding a Cisco ASA to handle site-to-site VPN to AWS with redundant tunnel support.
> Use fast DNS servers<p>I use GRC's DNS Benchmark tool[1] for this whenever I set up DHCP somewhere, and the results are sometimes surprising. If you're on a *nix or macOS, it runs well under Wine.<p>[1] <a href="https://www.grc.com/dns/benchmark.htm" rel="nofollow">https://www.grc.com/dns/benchmark.htm</a>
Biggest issue I have with the solution proposed is the recommendation to avoid DFS channels. These channels are much "cleaner", as adoption is lower due to the added cost of extra design and certification.<p>Radars are pretty static and do not come and go (especially weather radars), so the router pretty much does not need to change channel. False alarms can be an issue, but if one has a decent quality router, it should not happen very often. Furthermore, after a radar detection (false alarm or actual), routers can switch to non-DFS channels and start operating immediately.
UniFi is already mentioned elsewhere in the comments, so this whole post is likely redundant. If you're at the level of cobbling together consumer routers, even flashed to DD-WRT/Tomato/whatever, change. If someone on your team is Cisco certified from a previous life as a network engineer, and insists you use Meraki kit and pay the fees, well, you're in SF and paying SF salaries anyway, so probably just go for it.<p>If you run a full UniFi stack, you can view your entire topology in the dashboard--it'll tell you which switch port or access point/SSID a client is connected to. Here's my home topology:<p><a href="https://imgur.com/MnJwHiB" rel="nofollow">https://imgur.com/MnJwHiB</a><p>Note that most switches are double-uplinked for 2000Mbps throughput, and there's a 10-gigabit core router. 10GbE isn't nearly as expensive as you might think, especially for very small teams. It is possible to get access points to deliver 500-700Mbps speeds, too--that's going to depend a lot more on your device's radios than anything. See speed benches for UniFi kit at: <a href="https://goo.gl/RL4kkW" rel="nofollow">https://goo.gl/RL4kkW</a><p>This guide doesn't cover VLANs, but it probably should mention they exist. Any IoT or networked camera type devices that don't need Internet access shouldn't be allowed egress, and VLANs are an easy way to implement network segregation. You almost certainly want a guest network too, both wired and wireless.
I've tried all kinds of WiFi gear over the past 5 years -- Apple, UniFi, Aruba Instant -- and all of them have been unsatisfactory in one way or another:<p>* Most of my client devices are from Apple, and I easily got the best WiFi performance overall with 802.11ac-capable AirPort Extremes, which is impressive given how relatively cheap they are. However, I'd like multiple SSIDs, and Apple gear can't do that (the guest network support doesn't count). Regardless, Apple is out of the game, so this isn't a long-term solution.<p>* The UniFi gear had <i>terrible</i> 802.11ac performance, even when my devices were in the same room as the WAP. At the time, I was using first-gen 802.11ac hardware from UniFi, so it's somewhat understandable, but the poor performance combined with 2 of the units failing within the first 6 months didn't leave a good impression.<p>* The Aruba Instant WAPs were reliable and got good performance (though not as good as the Apple WAPs), but I'm not a fan of their licensing. Without a support contract, it was possible to hunt down the latest firmware updates, but they didn't make it easy.<p>I recently bought a PC Engines APU3C4 with a mini-PCIe WiFi card and a couple of Chaohang antennas [1], and I'm contemplating building my own WAP. This would give me all of the configurability and tweaking that I want, and I could deploy it as just another piece of my personal little devops pipeline.<p>However, I don't know much about the RF side of things. I'm aware there's a lot of black magic involved, but it's not clear to me how much performance and/or range I'm going to lose by piecing together COTS stuff versus a professionally-engineered solution from Ubiquiti et al. If anyone who's reading has built their own WAPs, I'd love to hear from you.<p>[1] <a href="https://www.amazon.com/gp/product/B01E29566W" rel="nofollow">https://www.amazon.com/gp/product/B01E29566W</a>
While it doesn't really matter whether you use TIA/EIA-568-B or TIA/EIA-568-A so long as you're consistent, I've been told that 568-A is the standard in Canada.<p>Addendum:<p>Re crimping RJ45 - the better way to do terminations is to use the EZ-RJ45 pass-through plugs like the ones made by Platinum Tools. You need a special crimper, but it's night and day easier. If you're using AWG23 Cat 6, you also need to make sure your plugs can handle those wires (not an issue with the Platinum Tools plugs).
When you're deploying multiple APs you also want to turn down the broadcast power on them. If the signal of multiple APs overlap too much, clients won't roam onto the next AP in time.<p>Also don't be afraid to hire someone to do a wireless survey - or do it yourself. Someone will walk around with a laptop, and try to find wifi blackspots/hotspots, and can recommend adjustments to AP power and/or placement.
Shame that security wasn't really addressed, other than the brief mention of WPA2-PSK. I feel like PSK in general is a horrible idea in an office environment. Lots of people + lots of devices ≈ shitty password which never gets changed.<p>But then I still haven't had any luck setting up a WPA2 Enterprise config that works on all devices.
> <i>Multiple access points should share the same SSID. They must have exactly the same security settings (same password, exact same mode, i.e. WPA2-PSK Personal) for clients to be able to automatically roam between APs.</i><p>I will also add to this: consider having all the APs on the same channel. My experience is that some OSs (I'm looking at you, Windows) don't roam properly if the following three things are not the same:<p>1. SSID<p>2. Authentication/Encryption<p>3. Channel<p>It does sound like the author has deployed consumer access points. For a proper office scenario, centrally managed is the way to go. Finally, never use WPA2-PSK Personal in a work environment. Use proper back-end authentication such as RADIUS or MAC filtering, or a 'Register me via a captive portal' system with a central LDAP-type user directory.
We had internal debates about different SSIDs for 2.4 vs 5 GHz, but in the end, this is the optimal configuration we landed on.<p>I was also surprised by how slow S3 was with a single download connection, but really fast when using aria2 to parallelize the download.
I have gigabit internet at my house and a single WiFi access point. I am running dual SSIDs, one for 2.4 GHz (don't use it) and one for 5 GHz (use it). The 2.4 GHz is set to auto-channel, but the 5 GHz I statically set to channel 161 (5 GHz, 80 MHz). It shows a Tx rate of 866 Mbps, and on SpeedTest.net I get around 400ish Mbps up and down. Sometimes, going further back into my apartment, I have to disconnect and reconnect from WiFi in macOS.<p>Should I try using a lower 5 GHz channel such as 36 or 40? Won't that decrease overall throughput? My understanding was that the higher the channel number on 5 GHz, the theoretically higher the throughput.
I really wish macOS would allow you to choose which band or BSSID to connect to.<p>Every so often I have to physically drag my laptop to the superior AP and restart WiFi to get my laptop to stop connecting to the bad AP.
I disagree on the channel width. Yes, a packet uses double the bandwidth, thus double the chance of collision. But it also takes half the time, so half the chance of collision.<p>And you can get more channels than 3 if you use 20 MHz channels, not the 22 MHz channels, by simply not using 802.11b. Only use g and n and you get four channels.<p>And <i>do</i> use the DFS channels, exactly because people like this author are not there to congest the channel. Just make sure you have non-DFS too while the DFS AP is in listen mode.<p>So this article is very much not written by an expert.
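The channel arithmetic behind the last three comments (DFS channels, "does channel 161 give more throughput than channel 36", and "four non-overlapping 2.4 GHz channels once you drop 802.11b") is easy to check numerically. The block below is an added example written for this thread, not code from the article or any commenter. It assumes the usual centre-frequency formulas (2407 + 5 x ch MHz on 2.4 GHz, 5000 + 5 x ch MHz on 5 GHz), the common DFS ranges 52-64 and 100-144, and the FCC/ETSI 2.4 GHz channel limits (11 and 13) as regulatory assumptions; the 802.11ac PHY-rate calculation uses the standard data-subcarrier counts and VHT MCS table.

```python
"""Wi-Fi channel arithmetic for the discussion above (added example, not from
the thread): 2.4 GHz non-overlapping channel sets by channel width, 5 GHz
bonded-channel planning with DFS flags, and 802.11ac PHY rate by width.
Regulatory assumptions: FCC allows 2.4 GHz channels 1-11, ETSI 1-13; DFS is
assumed to cover 5 GHz channels 52-64 and 100-144."""

DFS_5G = set(range(52, 65)) | set(range(100, 145))
# Runs of 20 MHz 5 GHz channels (start, end) whose members can be bonded.
RUNS_5G = [(36, 64), (100, 144), (149, 165)]
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}
# VHT MCS index -> (bits per subcarrier, coding rate)
VHT_MCS = {0: (1, 1 / 2), 1: (2, 1 / 2), 2: (2, 3 / 4), 3: (4, 1 / 2), 4: (4, 3 / 4),
           5: (6, 2 / 3), 6: (6, 3 / 4), 7: (6, 5 / 6), 8: (8, 3 / 4), 9: (8, 5 / 6)}


def center_mhz_2g(ch):
    """Centre frequency of a 2.4 GHz channel (channel 14 is the odd one out)."""
    return 2484 if ch == 14 else 2407 + 5 * ch


def non_overlapping_2g(width_mhz, max_channel):
    """Lowest-first greedy pick of 2.4 GHz channels whose bands do not overlap.
    Bands whose edges merely touch count as non-overlapping."""
    picks = []
    for ch in range(1, max_channel + 1):
        low_edge = center_mhz_2g(ch) - width_mhz / 2
        if not picks or low_edge >= center_mhz_2g(picks[-1]) + width_mhz / 2:
            picks.append(ch)
    return picks


def plan_5g(primary, width_mhz):
    """Return (centre channel, centre MHz, bonded 20 MHz channels, needs_dfs)
    for the width_mhz bonded channel that contains `primary`."""
    n = width_mhz // 20
    for start, end in RUNS_5G:
        if start <= primary <= end and (primary - start) % 4 == 0:
            block = (primary - start) // 4 // n
            chans = [start + 4 * (block * n + i) for i in range(n)]
            if chans[-1] > end:
                raise ValueError(f"no full {width_mhz} MHz block contains channel {primary}")
            center = sum(chans) // n
            return center, 5000 + 5 * center, chans, any(c in DFS_5G for c in chans)
    raise ValueError(f"{primary} is not a 20 MHz 5 GHz channel")


def vht_phy_rate_mbps(width_mhz, streams, mcs, short_gi=True):
    """802.11ac PHY rate: data subcarriers x bits x coding rate x streams per
    OFDM symbol (3.6 us with short guard interval, 4 us without). Note that
    the channel number never enters this formula; only the width does."""
    if width_mhz == 20 and mcs == 9 and streams not in (3, 6):
        raise ValueError("VHT MCS 9 is not defined at 20 MHz for this stream count")
    bits, rate = VHT_MCS[mcs]
    bits_per_symbol = DATA_SUBCARRIERS[width_mhz] * bits * rate * streams
    return round(bits_per_symbol / (3.6 if short_gi else 4.0), 1)


if __name__ == "__main__":
    print("2.4 GHz, 22 MHz (802.11b), FCC:", non_overlapping_2g(22, 11))
    print("2.4 GHz, 20 MHz (g/n), FCC:   ", non_overlapping_2g(20, 11))
    print("2.4 GHz, 20 MHz (g/n), ETSI:  ", non_overlapping_2g(20, 13))
    for primary in (36, 52, 100, 161):
        print(f"5 GHz channel {primary} at 80 MHz:", plan_5g(primary, 80))
    print("2x2 VHT MCS 9, 80 MHz vs 40 MHz:",
          vht_phy_rate_mbps(80, 2, 9), vht_phy_rate_mbps(40, 2, 9))
```

Two things the output makes concrete. The "four channels" claim holds only where channel 13 is allowed: with 20 MHz channels the FCC domain still gives 1/5/9, ETSI gives 1/5/9/13. And the 866 Mbps Tx rate quoted for channel 161 comes out of the width (80 MHz, two streams, MCS 9); channel 36 at 80 MHz gives the same number, while 52 or 100 at 80 MHz are flagged as DFS blocks that need a non-DFS fallback during the listen period.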
Anyone have a recommendation of a company in the Bay area that solves this issue for startups? Someone I can just call, have onsite and get my people back to work in <5 business days?
> Multiple access points should share the same SSID. [...]. If you use separate SSIDs [...] it will often lead to laptop users remaining marginally connected to an AP they’re barely within range of.<p>I constantly run into this issue in my home network. Is solving it really just a matter of reconfiguring the routers to share the same SSID, or is there more to it?
> connection requires only 8 of the 16 physical connections to be made successfully. A working 1000BASE-T (gigabit) connection requires all 16 of 16!<p>Small error here, should be 4 of 8 and 8 of 8, respectively ;)
Never seen parallel s3 chunked downloading using `aria2c -x 16 -s 16 -k 4M -o ${OUTPUT_FILENAME} ${DOWNLOAD_S3_URL}`. Any drawbacks of this? Corruption?
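The aria2c invocation in the question (and the aria2 speed-up mentioned a few comments up) works by issuing many HTTP Range requests in parallel and reassembling the pieces at their offsets. The block below is an added example of that mechanism, not code from the article or from aria2: it stands up a constructed local origin that honours Range the way S3 does, downloads a made-up 256 000-byte object in parallel chunks, and refuses the result unless a SHA-256 digest obtained out of band matches. The origin, object bytes and digest are all constructed for the example.

```python
"""Parallel ranged download with offset reassembly and checksum verification.
Added example, not from the thread. The origin is a constructed local HTTP
server that answers Range requests with 206 + Content-Range, as S3 does;
SAMPLE_OBJECT and SAMPLE_SHA256 are made up for the demonstration."""
import hashlib
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

SAMPLE_OBJECT = bytes(range(256)) * 1000                     # constructed 256 000 bytes
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_OBJECT).hexdigest()    # the out-of-band digest


class RangeOrigin(BaseHTTPRequestHandler):
    """Serves SAMPLE_OBJECT; honours single byte ranges like an S3 GET."""
    data = SAMPLE_OBJECT

    def do_GET(self):
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes="):
            first, last = rng[6:].split("-")
            first = int(first)
            last = int(last) if last else len(self.data) - 1
            body = self.data[first:last + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {first}-{last}/{len(self.data)}")
        else:
            body = self.data
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep the example quiet


def start_origin():
    """Start the constructed origin on a free loopback port; return (server, url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), RangeOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/object"


def object_size(url):
    """Probe with a one-byte range; the Content-Range header carries the total."""
    with urlopen(Request(url, headers={"Range": "bytes=0-0"})) as resp:
        if resp.status != 206:
            raise RuntimeError("origin ignores Range: parallel chunks are unsafe here")
        return int(resp.headers["Content-Range"].rsplit("/", 1)[1])


def fetch_range(url, first, last):
    """Fetch one chunk and insist on a 206 of exactly the requested length."""
    with urlopen(Request(url, headers={"Range": f"bytes={first}-{last}"})) as resp:
        body = resp.read()
    if resp.status != 206 or len(body) != last - first + 1:
        raise RuntimeError(f"bad chunk {first}-{last}: status {resp.status}, {len(body)} bytes")
    return first, body


def parallel_download(url, chunk_size=64 * 1024, workers=4, expected_sha256=None):
    """Download url in chunk_size ranges over `workers` connections, place each
    chunk at its own offset, then verify the whole object against the digest."""
    total = object_size(url)
    ranges = [(s, min(s + chunk_size, total) - 1) for s in range(0, total, chunk_size)]
    buf = bytearray(total)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for first, body in pool.map(lambda r: fetch_range(url, *r), ranges):
            buf[first:first + len(body)] = body
    data = bytes(buf)
    if expected_sha256 and hashlib.sha256(data).hexdigest() != expected_sha256:
        raise RuntimeError("checksum mismatch: discard the download")
    return data


if __name__ == "__main__":
    srv, url = start_origin()
    data = parallel_download(url, expected_sha256=SAMPLE_SHA256)
    print(len(data), "bytes downloaded, sha256 verified")
    srv.shutdown()
```

The two checks are what answer the "corruption?" question: a chunk that comes back short or as a 200 instead of a 206 (an origin or proxy that ignored the Range header) is rejected rather than spliced in, and the reassembled object is compared against a digest obtained separately from the download itself. For S3 specifically, do not treat the ETag as that digest: for multipart-uploaded objects it is not an MD5 of the object body.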