Hidden Networks in TP-Link Routers

614 points by ignitionmonkey over 3 years ago

41 comments

m45t3r over 3 years ago
Not trying to defend TP-Link or anything, but I recently bought a pair of mesh routers from them and they work very well.

BTW, this hidden network probably uses another protocol (for the OneMesh). It is the 802.11s (https://en.wikipedia.org/wiki/IEEE_802.11s), that uses its own encryption method based on Simultaneous Authentication of Equals (SAE) (yeah, that is the same as WPA3, however it came before it). It shows as hidden network on Wi-Fi Analyzer, but the network is not actually hidden in the same sense of a hidden Wi-Fi network: this simply happens because 802.11s has no concept of SSID.

The authentication of new devices happens when you pair a new router using the application available on Android/iOS (it has a web interface too but AFAIK it doesn't allow adding new mesh routers to the network). So it seems pretty secure for me, at least sans some security bugs that I am sure that the device should have. Doesn't bother me too much considering that most bugs that I saw on those consumer routers generally come from the security from things like administration pages and not the Wi-Fi network itself (unless it is something like KRACK that affects all devices implementing the protocol).

Yeah, it is still pretty sh*t that they enable this by default, but if the router from the author of blog post is from one of their lines of mesh routers I do think this is kinda of made by purpose, because using multiple router devices is kinda of the idea of a mesh network.
mhitza over 3 years ago
This type of whackery is (the primary reason) why I try to buy computing devices on which I can flash a clean OS (OpenWrt/DD-WRT for routers)[1]. It sucks because it limits my choices down to a few, but at the same time I feel like I don't throw out money at abandonware.

[1] don't even get me started on TP-Link releasing routers with the same name but v2/v3/2020/2021 update where it's hard to even know if I'm buying the one that supports the custom OS flash.
r1ch over 3 years ago
For those curious about the "Wi-Fi spam" comment: even though nothing is connected to the network and it's a hidden SSID, it still has to broadcast beacons every 100ms. The 802.11 standard says beacons must be sent at the lowest rate the AP supports, so your ~350 byte beacon at 1mbps (2.4 GHz) uses around 5% of the frequency. It doesn't take many SSIDs on the same 2.4 GHz channel to make the throughput fall through the floor. Beacon spam is one of the reasons why 2.4 GHz is practically unusable in dense environments these days.

Thankfully for 5 GHz this isn't as bad since the lowest rate is 6mbps and the signal penetrates less. Some routers have the option to disable 802.11b which raises the minimum 2.4 GHz beacon to 6mbps as well, but unless everyone does this it won't make much difference.
lordnacho over 3 years ago
I had a related problem with their PowerLine TPA-4220 devices yesterday. It turns out there's a DHCP server on it that you can't turn off! It's supposed to be smart and know when there's another DHCP server on the network, but it appears that this sometimes doesn't work. So I found that my laptop sometimes ends up configured on the wrong subnet, which of course kills the internet connection. The thing is, the web interface does not have a setting to shut off the rogue server.

If I hadn't done a CCNA I don't think I would have ever figured this out. I don't know what ordinary people do when this happens to them.
3np over 3 years ago
A bit of a tangent, but I recently discovered GL.iNet[0] and ordered a couple of routers and hotspots. HK vendor for network devices running forked OpenWRT with a bunch of extras and customization.

I haven't had the time to dive deep enough into all of the code yet, but so far I'm very optimistic. Not perfect; some of the more interesting functionality (like site-to-site VPN) is tied to a proprietary closed SaaS with associated telemetry (and maybe even backdoors, intentional or otherwise). The Wireguard setup is for some reason (legacy?) not using the OpenWRT WG-interfaces but set up using custom init scripts. And getting anything else than OpenWRT/LEDE running on them with full hardware support will probably be a significant effort. I'm a bit wary of using the stock OS without compiling it myself because, well, you know.

Still, the sources are provided (including instructions on how to customize and compile your own OS/firmware). The locked-away functionality can be ported/unlocked if you're up for it. They fully support users hacking their devices all they want - and stuff like this[1] shows some hacker DNA. Out of the box the hotspot is by far the best I've found in the price-class.

The mudi's pretty cool; pocket wifi with swappable miniPCIe 4G/WiFi cards and a small dongle for Ethernet. So one could make it into a fully customized road-warrior bridge for any WiFi/Ethernet devices, or whatever other shenanigans you can imagine with that.

I really hope they steer course on the right track and don't fall to the same fate as Ubiquiti. As mentioned I haven't battle-tested them extensively yet but so far I can warmly recommend them.

[0]: https://www.gl-inet.com/

[1]: https://github.com/gl-inet/portal-detection
synergy20 over 3 years ago
Buy routers that can work with Openwrt, period.

TP-Link actually has quite a few (not the newest models though, but the not-newest-model should work for 95% of the customers) that run openwrt well.

All my routers are running non-vendor firmware (e.g. openwrt) for the last 15 years, never had any troubles.
aquafox over 3 years ago
I'm the one who made the original observation of the hidden network in the TP-link forum: https://community.tp-link.com/en/home/forum/topic/170160

Took a long time until TP-Link offered a firmware update to disable the mesh functionality. Happy to see the issue mentioned here.
Namidairo over 3 years ago
I've found similar networks when inspecting other brands of router. It's not an uncommon sight these days with vendors and their 50 different proprietary mesh negotiation protocols.

While I did wonder how they generated the SSID (In this case it was 128-bit hash, underscore then the vendor name), I didn't really look too hard into it as my goal was wiping out the vendor's firmware anyway. I did spot some features like configuration sync that made my "this'll be written properly..." senses go off though.

I do note that there is a Wifi Alliance spec for this kind of thing now though. It's called Wi-Fi EasyMesh. I can't imagine anyone apart from actual SoC vendors taking the effort to implement it though, as it's a 163 page specification, available only on request or by alliance members. (Well the vast majority of chipset manufacturers are members, and the specifications have leaked anyway)

Edit: Scratch that, there were actually 3 different hidden SSIDs. The one mentioned above was a hidden IoT SSID, the other two were VendorMesh_hash and VendorMesh_WPS. :S
cbdumas over 3 years ago
While we're talking routers I'll plug Mikrotik. Some basic knowledge of the Linux networking stack is required so they're not great for a general user, but for ~$50 I got a device that handles my setup with ease (IPv4 over PPPoE and IPv6 over 6rd) and I'm seeing throughput significantly higher than my previous router which was a Zotac mini computer running pfsense. If you are more toward the power user / networking nerd end of the spectrum I'd recommend Mikrotik.
chronogram over 3 years ago
Last week I bought a TP-Link AX55 and went through the settings and enabled all the neat things and disabled all the regular consumer ease of access things (WPS, meshing things), and the only hidden networks in my area with the same app are several decibels away with a different MAC address. Either it’s not around in the newer models or it’s part of one of the regular consumer ease of access things.
winddude over 3 years ago
Worse still, almost all new routers and mesh systems don't have the admin interface on the device, you have to sign up and manage it through a cloud account controlled by the manufacturer.

If anyone can recommend a good wifi mesh system that supports wifi 6 and doesn't require signing up for a manufacturer cloud account, please let me know.
howdydoo over 3 years ago
If you have a home router, do yourself a favor and install OpenWrt. You won't have to worry about the UI lying to you.
encryptluks2 over 3 years ago
Many TP-Link products are absolutely terrible. Their Mesh products at Costco, you have to use an app on your phone to manage them and they are tied to an online account so presumably they are shipping your network info back to China. They won't even let you change your login email address once you've registered.
tomxor over 3 years ago
> they didn't provide a good hardware solution for 4G. That's right, my street doesn't have fibre despite being in the tech startup heart of London. So here I am with a TP-Link router.

Same situation, another UK city center, without fiber, and with an incredibly noisy, effectively useless 1Mbit ADSL line.

I really wanted something running an open firmware, but for LTE you really need something >= Cat10 for reliable home broadband, and there isn't a lot of choice at this end excluding crazy expensive commercial stuff - It's either Netgear or Huawei. After learning way too much about LTE, I ultimately settled on a Netgear M2 (MR2100) and a couple of magnetic MIMO antennas out the window, which has worked very well, and the firmware isn't terrible. I was initially repelled by the high price ~£400, but you really need the 5x carrier aggregation of Cat10 to get something reliable, the cheapo Cat4/6 TP link stuff is not worth the time IMO.

[edit]

At the time there was one industrial LTE router manufacturer that caught my eye "Teltonika" which ship with OpenWRT as the official firmware! but at the time they only had a Cat6 modem. They now appear to have added a Cat12 one! "RUTX12" and its price is not dissimilar to the Netgear M2:

https://teltonika-networks.com/product/rutx14/

If I was buying again I'd give this a shot.
lsc36 over 3 years ago
I once bought a TP-Link Wifi router as it was pretty high-specced at the time and people recommended it. I was happy with it until it hijacked my HTTP connection to tell me there's a firmware update. Will never consider their products again.
depingus over 3 years ago
AT&T has been doing something similar for years.

https://forums.att.com/conversations/att-fiber-equipment/possible-vulnerability-pace-5268ac-leaves-wifi-radio-on-with-no-security-even-when-is-set-to-off/5defd50fbad5f2f6062df285
clajiness over 3 years ago
Hard to beat OPNsense on Protectli machines with your favorite flavor of networking hardware (Unifi, Mikrotik, etc).
dbeley over 3 years ago
I've had very good experience with Gl-iNet products. They have good hardware, very good openWRT support (the official firmware is based on openWRT) and are beefy enough to be used as home routers even if they are marketed as travel routers.
hda2 over 3 years ago
We had the misfortune of having a large number of tp-link devices being installed in our network (a large residential building) and those devices have been nothing but a source of trouble ever since they were installed. They seem to be talking with each other and overriding their configuration to the point where I had to segregate them in their own little NATs (with the complete blessings of the building manager). Only then did the shenanigans stop.

That, in addition to their ever-dwindling configuration options, is why I refuse to buy from them anymore. Their (much) older devices were fantastic though.
mastazi over 3 years ago
> Maybe it's finally time to build my own router

Can anyone link a good "getting started" guide for this? I have experience managing servers but not managing network appliances, so I'm looking for a relatively gentle intro...

Edit: I'm not asking about how to install OpenWRT on an existing router, I'm looking for a guide on how to build a router from general purpose hardware - in the same way that you can build your own NAS etc.
zokier over 3 years ago
> I had to move away from Asus as they didn't provide a good hardware solution for 4G

Surely a 4G USB dongle would work fine in a linux router such as those from Asus?
louloulou over 3 years ago
Not sure what they mean by "build my own router", it's easy enough to flash open firmware on a lot of tp-link models. https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/12-20-2021-r47900/
robocat over 3 years ago
My solution is to buy a reliable WiFi Access Point and plug that into the router, and just disable the router’s WiFi. That way I can choose a router for the features I need (or use a small PC if I wanted to do something tricky or needed high performance). I think that would fix the problem with the TP-Link (albeit costing far more).

I use Unifi UAP-AC-LR for the AP, because they are easy to set up from an Android phone, are not expensive, are not flakey, can be mounted in a location to optimise WiFi reception (powered from Ethernet cable by included DC injector), can be easily moved to new ISP or house, don’t require a controller, and they just keep working. Ubiquiti have made some dick moves, but their AP and point-to-point hardware has been solidly reliable and relatively simple to configure.
globular-toast over 3 years ago
I was running a TP-link access point (not router) and was surprised to notice the "hidden" networks. I thought I was misinterpreting the readings at first, but then installed that beta firmware and it allowed me to disable them. This improved connectivity with some devices. I shortly after switched to a Ubiquiti access point which has been a lot better.

I think it's really important for people to know the difference between routers, switches, access points and modems. I've noticed that even geeks these days seem to have forgotten or maybe never knew. This has nothing to do with routers whatsoever. You can pick and choose the best from each category. No need to go "all in" on one device and accept tons of compromises.
SavantIdiot over 3 years ago
Huawei AX3 does something similar. As does any Xfinity router (but I think you can turn that off) but the Xfinity mesh is actually pretty decent if you have a subscription. Similarly, in Vietnam HCMC you can connect to wifi anywhere in the city because every telco/isp router creates a mesh like Xfinity. It's not a bad idea: having wifi network everywhere, but I suspect 5G will obviate this need. Wouldn't surprise me if home routers became a thing of the past in some areas if 5G delivers.

FYI: `airodump-ng` is a great way to see what's going on with any new router since it hops channels.
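Added example, not part of the thread: one way to act on the `airodump-ng` tip above by checking a saved capture for hidden SSIDs that appear to come from your own router. It assumes the AP-section column layout of airodump-ng's CSV output and uses a hypothetical heuristic (a hidden BSSID within a few bits of your own BSSID is treated as the same radio); the sample rows, MAC addresses and function names are constructed for illustration.

```python
"""Flag hidden SSIDs whose BSSID is close to your own AP's BSSID,
reading the AP section of an airodump-ng CSV capture."""

# Constructed sample (not a real capture). Column order follows the AP
# section of airodump-ng's CSV output; a hidden SSID is assumed to show
# up as an empty ESSID or as escaped NUL bytes.
SAMPLE_CSV = r"""
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:11:22:30, 2021-12-21 10:00:01, 2021-12-21 10:05:00,  6, 130, WPA2, CCMP, PSK, -35, 2950, 0,   0.  0.  0.  0,  7, HomeNet,
AE:BB:CC:11:22:30, 2021-12-21 10:00:01, 2021-12-21 10:05:00,  6, 130, WPA2, CCMP, PSK, -36, 2948, 0,   0.  0.  0.  0,  0, ,
02:11:22:33:44:55, 2021-12-21 10:00:03, 2021-12-21 10:04:58,  6,  54, WPA2, CCMP, PSK, -78,  410, 0,   0.  0.  0.  0,  4, \x00\x00\x00\x00,
AA:BB:CC:11:22:31, 2021-12-21 10:00:02, 2021-12-21 10:05:00, 11, 130, WPA2, CCMP, PSK, -40, 2900, 0,   0.  0.  0.  0, 11, Cafe, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_aps(text):
    """Return one dict per access point row; the station section is ignored."""
    aps, in_ap_section = [], False
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            in_ap_section = True
            continue
        if line.startswith("Station MAC"):
            break
        fields = line.split(",")
        if not in_ap_section or len(fields) < 15:
            continue  # blank or truncated line
        aps.append({
            "bssid": fields[0].strip().upper(),
            "channel": int(fields[3]),
            "power": int(fields[8]),
            "beacons": int(fields[9]),
            # ESSID is column 13 and may itself contain commas; the last
            # column is the key, so rejoin everything in between.
            "essid": ",".join(fields[13:-1]).strip(),
        })
    return aps


def is_hidden(essid):
    """True for an empty ESSID or one made only of NUL bytes (raw or escaped)."""
    return essid.replace("\\x00", "").replace("\x00", "").strip() == ""


def mac_bit_distance(a, b):
    """Number of differing bits between two MAC addresses."""
    def to_int(mac):
        return int(mac.replace(":", "").replace("-", ""), 16)
    return bin(to_int(a) ^ to_int(b)).count("1")


def hidden_siblings(aps, own_bssid, max_bits=4):
    """Hidden networks whose BSSID is within max_bits of own_bssid.

    Heuristic (assumption): extra BSSIDs on the same radio usually differ
    from the main one by a flipped bit or a small increment.
    """
    own = own_bssid.upper()
    return [ap for ap in aps
            if ap["bssid"] != own
            and is_hidden(ap["essid"])
            and mac_bit_distance(ap["bssid"], own) <= max_bits]


if __name__ == "__main__":
    for ap in hidden_siblings(parse_aps(SAMPLE_CSV), "AA:BB:CC:11:22:30"):
        print(f'{ap["bssid"]} ch{ap["channel"]} {ap["power"]} dBm, '
              f'{ap["beacons"]} beacons: hidden SSID close to your own BSSID')
```

A match with signal strength and beacon count close to your own SSID's is worth checking against the router's mesh and IoT settings; a hidden network with an unrelated BSSID and much weaker signal is more likely a neighbour's.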
ddtaylor over 3 years ago
> I had to move away from Asus as they didn't provide a good hardware solution for 4G. That's right, my street doesn't have fibre despite being in the tech startup heart of London. So here I am with a TP-Link router, spamming unwanted waves. Do I really have to drop another £100 on new hardware just because TP-Link doesn't want to offer a boolean flag? What a waste. Maybe it's finally time to build my own router.

I'm pretty sure building your own router is going to cost more than $100.
KETpXDDzR over 3 years ago
I can highly recommend looking at the router database of OpenWRT. I had bad experiences with DD-WRT. Mostly stability issues. According to my research, OpenWRT doesn't have as much functionality or router support. But, it's very stable.

My favorite feature in both is that you can easily add virtual APs. E.g., I have one virtual AP with net isolation (no access to other networks, Internet only) and clients can't see each other.
aetherspawn over 3 years ago
I have been more than happy with both my tp-link AX50 and tp-link AX11000.

The most stable routers and best router firmware that I’ve owned.
hnlmorg over 3 years ago
I'm not at all surprised by this article because I recently purchased a new TP-Link router (Archer something IIRC) and it's quite honestly the worst router I've ever run. It goes down several times a day, dropping all network traffic that isn't TCP. Thus DHCP, UDP DNS and ICMP echo all fail.

My old router is > 5 years old Asus (possibly as much as 10 years old!!) and literally held together with electrician's tape. I've had an array of physical failures due to age from the antenna no longer standing up to the power button no longer functioning and I've used electrician's tape to fix all of them. But for the stuff that matters it still works extraordinarily well.

So I figured it was only a matter of time before that router died completely and I'd need a new one. And I figured it has been so many years since I last upgraded that my new device should be amazing in comparison. But man was I wrong.

After getting kicked out of an important Zoom call last week (and weeks of issues and debugging too) I finally lost my temper, unhooked the router and went full on Office Space[1] on it.

I'm now back to running the old router. A router that's older than *both* of my kids. A router that had earned its retirement. I'm going to replace it with a Draytek device in the new year. Given I'm mostly working from home these days I want something reliable. But I'm also thinking Draytek will last me another ~10 years so it will work out cheaper than the TP-Link crap. In fact I'll never buy another TP-Link device again.

[1] For those who haven't seen Office Space: https://youtu.be/fjsSr3z5nVk (also definitely watch the movie. It's great!)
hatware over 3 years ago
If you've never tried a prosumer router, TP-Link is a great intro. I recommend a standalone router with a standalone access point, rather than a combo like we see so often on the consumer side. I'm so glad I got an ER605 to tinker with while waiting for my Mikrotik to come in.
AtNightWeCode over 3 years ago
My ASUS router has enabled remote access after updates on multiple occasions. So much for ASUS.

Is there a tech brand that only sells stuff with no bs? I would gladly buy a "pure" router with no branded features. Would also gladly buy a TV without any of the "smart" stuff.
avidiax over 3 years ago
The security model for this doesn't look utterly broken. Seems that you need to go into the main router and "add" the mesh nodes. They obviously appear there by attaching to these hidden networks.

But since this is configuration-free, that suggests that the mesh devices store a single static key for these networks and can join any such network. Whatever protocols exposed on that interface better not have any security problems, or you'll have a backdoor.

You could make this somewhat secure by having a TPM in the mesh device that signs a challenge-response to get the hidden network key by MAC-address, but that seems too complicated.

They could simply have the mesh endpoints broadcast a proprietary AP, and 'adding' by joining that network from the primary device and setting configuration.

https://www.tp-link.com/us/support/faq/2532/
windex over 3 years ago
I have a box full of old consumer wireless routers. I am not sure why most of these devices are so flaky. These days I separate the packet routing from the wifi part and that has made things a little more sane.
radicaldreamer over 3 years ago
Eero seems like a company which makes simple, plug and play mesh routers and doesn't seem to pull anything funny with their equipment.
tannr over 3 years ago
Having exactly the same experience with tp-link, firmware is always outdated and I find it at every flat for rent (long-term or airbnb), hotels, small coffee-shops etc. So much space to have fun :\

I've moved to Mikrotik and don't know all disadvantages I have, but I am super happy about configuration options they provide. Happy to find alternatives here in the thread
chana_masala over 3 years ago
Any recommendations for an ethernet only router? I do know I could use the Pi to do that, but it seems like a waste.
ei8ths over 3 years ago
tp-link is pretty solid but i recently went back to asus for their mesh and UI, it's just incredibly better with more features. I never saw hidden networks on my tp-link ax 3000, what i did see is lack of firmware updates, it seems like my model was abandoned.
thegototechguy over 3 years ago
wow. i just noticed when i debugged the settings. Thanks for giving this insight
formerly_proven over 3 years ago
So after the Ubiquiti debacle I went out and looked for a similar combination (solid hardware + not-too-annoying software). After briefly considering Mikrotik (which has issues with ac (wifi 5) and no ax (wifi 6) support) I settled on Grandstream for now. They don't just make phones but a small set of fairly nicely featured wifi APs for ok prices. Hardware seems solid, Software not annoying.

I've bought a few pieces from TP-Link when I was a poor student, not too bad as far as datasheet-specs per dollar goes, but the firmware was always exactly the kind of trashfire you'd expect and the hardware exactly what you paid for (not much). Definitely the kind of device you have to try real hard to fake your surprise when you find dozens of unpatched CVEs and no firmware updates.
sebow over 3 years ago
Unrelated but kind of related: I stopped looking at TP-Link routers (and other cheap Chinese routers) as soon as their android app required registration: obviously for legal reasons due to all the "good-faith telemetry"[surely not shady at all], etc.

Disgusting.. ended up paying more for an asus router (related to the article: not needing 4g/5g), not perfect or made in the west nor enterprise-tier but good enough for home usage, also pretty decently supported by open firmware solutions.
submeta over 3 years ago
I agree that the situation the author describes is unacceptable.

But I am wondering why the author does not value his personal time. I can't help but think of opportunity costs. He spends a lot of time writing this article, reverse engineering backups and whatnot instead of shelling a hundred dollars to get a new device? I see this pattern so often in the tech world.