Community discussions

MikroTik App
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 10:08 am

Dear all,

I purchased five RB962UiGS-5HacT2HnT (hAP ac) access points which will be used in my home. The network topology is quite simple : router => 5 access points. I am replacing a couple of OpenWRT access points. I will be using fiber for the network.

My question are :

1) Can I use WPA3-EAP (not WPA3 mixed mode)? I don't plan to use OpenWRT as the SFP connector is apparently not implemented.
2) Are there any security reason why I should not use WPA3-EAP, i.e. some reason why Mikrotik should stick to WPA2?

Kind regards,
Kellogs
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 10:52 am

As far as I know ... WPA3 is only implemented in the wifiwave2 package on ROS7.
And hAP AC is not on the list of supported devices to use that package.

So ... no WPA3 on hAP AC. From what I can see (could be wrong) not even on openwrt.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 2:13 pm

Other thing which puzzles me, would be nice if you can shed some light ?

Why use a fiber backbone and then use APs which are hardly able to connect using 300-400Mb max via wireless ?
That I don't understand.
The ethernet ports should be able to use their potential (sort of, since all ports go to the same chip which only has a single 1Gb-lane to CPU), unless you're not using those ports ?
Then I understand even less why fiber is used ...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 4:00 pm

Concur, recommend returning those devices and ordering 2-3 of the hapax#, which should be available in 5 years.
In the meantime get yourself two TP link 660HD (assuming two floor house).
Its like buying a 4K tv and then purchasing an 8 track machine to watch movies ??????????
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 4:07 pm

Concur, recommend returning those devices and ordering 2-3 of the hapax#, which should be available in 5 years.
...
Tss, tss tss, hap AX2 is coming shortly. Could be already next month.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 4:32 pm

Concur, recommend returning those devices and ordering 2-3 of the hapax#, which should be available in 5 years.
...
Tss, tss tss, hap AX2 is coming shortly. Could be already next month.
Okay smarty pants, why do you think the AX2 will be available when nobody can get an RB5009 ?"??

Besides.......
Giving false hopes to OPs should be punishable by sending Belgian Chocolate to hungry llamas!!
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 4:46 pm


Okay smarty pants, why do you think the AX2 will be available when nobody can get an RB5009 ?"??
Being one of those nobodies myself :? ...

a) running production is much easier to be diverted to other (more profitable) products when supply is short for commonly used components.
Look at various car brands worldwide and see how many small cars are being sold. Then look at the luxury models.
There are companies selling LESS (a LOT less) then last year yet making MORE profit (because the higher-end models get made and sold).

b) because it would be plain STUPID to start making waves and noise going for release when you know upfront there is no material available to be sold. For some products it "could" be a marketing strategy though ... create demand, keep supply low, limited or even non-existent for a while (in order to FURTHER increase demand).
But then you need a unique product.
If you do so when your competition has similar products, it will give them plenty of opportunity to step in the void which has been created.
So I'm not counting on that playing here.
Besides.......
Giving false hopes to OPs should be punishable by sending Belgian Chocolate to hungry llamas!!
llamas are to be found in South-America, right ? Argentina, Peru, something like that ?
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 5:28 pm

Dear all,

I am using SFP modules because in my summer house, I plan to use only fiber network. I am currently implementing a wired network and I see no interest in using copper network. I am using fiber networks whenever possible (even with ethernet converters) and plugging everything I can to wires. So WIFI is only for mobiles phones and sometimes laptops.

Copper wires are expensive and in France Orange started removing all copper wires in their public networks. All copper will be removed and sold (unless it is too difficult to remove). At home I use only fiber and I am very satisfied with Mikrotik product line. Copper is dead. If I implement a copper network in 10 years it will be useless.

As for RB962UiGS-5HacT2HnT (hAP ac), it seems very decent hardware. I will not be using it as router, only "dumb" APs operating on different radio frequencies, on a separate vlan. Also, I am quite interested by the three radios on 2.4Ghz and 5Ghz. I purchased them for a very low sum of money (40 euros each), so I plan to experiment them. Also I like the idea to be able to connect with ethernet network cables to the hAP ac switch if needed (examples : TV, etc ...). In my house, I will probably install the APs on furniture and plug them to AC/DC, so I don't need PoE.

Yes, until now and for the last 10 years I used on OpenWRT and it rocks. So in the worst situation, I can always flash the hAP ac under OpenWRT, but I am not planning to do it.

Nearly all OpenWRT devices with decent radio capabilities provide WPA3-EAP and WPA3-mixed mode. So looking at RB962UiGS-5HacT2HnT specs I see no reason why it could not provide WPA3. Any reason why Mikrotik sticks to WPA2 and are there plan to migrate to WPA3 for all APs?

Kind regards,
Kellogs
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sat Aug 06, 2022 5:50 pm

Even on openwrt there is no wpa3 for that hw.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sun Aug 07, 2022 11:24 am

I have a vacation house in South of France (it's going to be sold, but that's another story).
The community where it is located has ZERO fiber access. Nothing planned in near future.
Only solution: copper or 3G/4G-modem (and even that last option is shaky, rural in France sometimes really means "the middle of nowhere").

It will be a LOOOONNG time before in such places copper will be completely abandoned.
My view.
So looking at RB962UiGS-5HacT2HnT specs I see no reason why it could not provide WPA3. Any reason why Mikrotik sticks to WPA2 and are there plan to migrate to WPA3 for all APs?
Specifications for that device do not mention anything about WPA3 being supported on HW level so I do not understand how you make that assumption that it should.

Did some proper checking.
On the technical specs for the Wifi-chip used on that device (QCA9880), there is no mentioning of WPA3.
I could not find ANY device from whatever vendor having that chip AND WPA3 capability.
Maybe there is but I could not find it.
So it's not only MikroTik holding back that feature, it seems ?

That chip is simply not capable of handling it as far as I can tell.
So the device where that chip is being used as Wifi driver, is not either.

Makes perfect sense, no ?
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sun Aug 07, 2022 12:48 pm

Hello,

My summer house is in the middle of nowhere but it has fiber access.
The smallest town (200 inhabitants) is 2 km away and the nearest baker 12 km.

The whole department has fiber access and fiber is coming everywhere I guess.
Orange announced that it would remove all copper wires and sell them within the next 10 years.
Since June, my little Hamlet has officially no copper phone support as noone here (4 houses) use copper any longer.

As for the Mikrotik RB962UiGS-5HacT2HnT, it is finally supported by latest OpenWRT 22.03 target:
https://downloads.openwrt.org/releases/ ... /mikrotik/

I will test and report,
Kind regards,
 
holvoetn
Forum Guru
Forum Guru
Posts: 5322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Sun Aug 07, 2022 12:57 pm

My summer house is in the middle of nowhere but it has fiber access.
The smallest town (200 inhabitants) is 2 km away and the nearest baker 12 km.
Yeah, I know those conditions.
We have 250 habitants almost 2km further as well, there is a bakery in the village but it's more sold out then anything else.
So nearest one is the next village, about the same distance as you.

Lucky you on the fiber being available.
There is a difference however in Fiber To The Home and Fiber IN the home ...

Good luck with the OpenWrt image.
Please let us know if it supports WPA3 on that device since others might be interested as well.
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Mon Aug 08, 2022 5:24 pm

Sure, I will report when receiving the APs, with pleasure.

One limitation with Mikrotik is that they are part of the WIFI alliance. So going through certification of WPA3 for an old device is probably too time consuming. On the converse, OpenWRT does not certify WPA2/3, it is simply the best reference development and proof of concept. The radios are either supported by ath9k or ath10k with updated firmware, so I doubt that WPA3 is not supported. It would be a big surprise, but everything is possible.

Stay tuned.
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Tue Aug 16, 2022 5:30 pm

I finally as able to install OpenWRT using bootp support :
* First booted into OpenWRT 19.07 using bootP and dnsmasq
* Installed OpenWRT 19.07
* Upgraded to OpenWRT 20.03 latest rc candidate without keeking settings

I can confirm that the RB962UiGS-5HacT2HnT (hAP ac) "unofficially" supports WPA3 under OpenWRT. This means that this is OpenWRT reference development of WPA3, not a Wifi alliance certified development. Again, this has nothing to do with Mikrotik.

The reason why WPA3 is not available on the hAP-ac is quite obscure, but it is probably that Mikrotik does not want or cannot go through WPA3 certification and prefers to launch a new device. Maybe some Mikrotik engineer can answer us.

I will now perform iperf3 speed testing but I believe that everything which was written about the supposed "slowness" of this device is crap. It is indeed a very good device, still up-to-date.
Capture d’écran du 2022-08-16 16-05-20.png
Capture d’écran du 2022-08-16 16-05-20.png
You do not have the required permissions to view the files attached to this post.
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Tue Aug 16, 2022 5:59 pm

I can confirm that the hAP ac is a very fast wireless device.

With two radios (it has three), the speed is around 360 Mbits/sec, which is close to the maximum theoretical speed:
iperf3 -P4 -c 192.168.10.12
Connecting to host 192.168.10.12, port 5201
[ 5] local 192.168.10.102 port 56250 connected to 192.168.10.12 port 5201
[ 7] local 192.168.10.102 port 56266 connected to 192.168.10.12 port 5201
[ 9] local 192.168.10.102 port 56276 connected to 192.168.10.12 port 5201
[ 11] local 192.168.10.102 port 56290 connected to 192.168.10.12 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 19.6 MBytes 165 Mbits/sec 0 837 KBytes
[ 7] 0.00-1.00 sec 15.5 MBytes 130 Mbits/sec 0 700 KBytes
[ 9] 0.00-1.00 sec 8.13 MBytes 68.2 Mbits/sec 0 421 KBytes
[ 11] 0.00-1.00 sec 13.6 MBytes 114 Mbits/sec 0 690 KBytes
[SUM] 0.00-1.00 sec 56.9 MBytes 477 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 1.00-2.00 sec 11.2 MBytes 94.4 Mbits/sec 0 837 KBytes
[ 7] 1.00-2.00 sec 10.0 MBytes 83.9 Mbits/sec 0 700 KBytes
[ 9] 1.00-2.00 sec 11.1 MBytes 93.3 Mbits/sec 0 634 KBytes
[ 11] 1.00-2.00 sec 11.2 MBytes 94.4 Mbits/sec 0 701 KBytes
[SUM] 1.00-2.00 sec 43.6 MBytes 366 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 2.00-3.00 sec 11.2 MBytes 94.4 Mbits/sec 0 837 KBytes
[ 7] 2.00-3.00 sec 10.0 MBytes 83.9 Mbits/sec 0 700 KBytes
[ 9] 2.00-3.00 sec 9.88 MBytes 82.8 Mbits/sec 0 706 KBytes
[ 11] 2.00-3.00 sec 10.0 MBytes 83.9 Mbits/sec 0 701 KBytes
[SUM] 2.00-3.00 sec 41.1 MBytes 345 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 3.00-4.00 sec 10.0 MBytes 83.9 Mbits/sec 0 837 KBytes
[ 7] 3.00-4.00 sec 11.2 MBytes 94.4 Mbits/sec 0 737 KBytes
[ 9] 3.00-4.00 sec 10.0 MBytes 83.9 Mbits/sec 0 740 KBytes
[ 11] 3.00-4.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[SUM] 3.00-4.00 sec 41.2 MBytes 346 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 4.00-5.00 sec 11.2 MBytes 94.4 Mbits/sec 0 837 KBytes
[ 7] 4.00-5.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[ 9] 4.00-5.00 sec 10.0 MBytes 83.9 Mbits/sec 0 740 KBytes
[ 11] 4.00-5.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[SUM] 4.00-5.00 sec 41.2 MBytes 346 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 5.00-6.00 sec 11.2 MBytes 94.4 Mbits/sec 0 837 KBytes
[ 7] 5.00-6.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[ 9] 5.00-6.00 sec 11.2 MBytes 94.4 Mbits/sec 0 740 KBytes
[ 11] 5.00-6.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[SUM] 5.00-6.00 sec 42.5 MBytes 357 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 6.00-7.00 sec 10.0 MBytes 83.9 Mbits/sec 0 837 KBytes
[ 7] 6.00-7.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[ 9] 6.00-7.00 sec 8.75 MBytes 73.4 Mbits/sec 0 740 KBytes
[ 11] 6.00-7.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[SUM] 6.00-7.00 sec 38.8 MBytes 325 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 7.00-8.00 sec 10.0 MBytes 83.9 Mbits/sec 0 837 KBytes
[ 7] 7.00-8.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[ 9] 7.00-8.00 sec 10.0 MBytes 83.9 Mbits/sec 0 740 KBytes
[ 11] 7.00-8.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[SUM] 7.00-8.00 sec 40.0 MBytes 336 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 8.00-9.00 sec 10.0 MBytes 83.9 Mbits/sec 0 837 KBytes
[ 7] 8.00-9.00 sec 10.0 MBytes 83.9 Mbits/sec 0 737 KBytes
[ 9] 8.00-9.00 sec 11.2 MBytes 94.4 Mbits/sec 0 783 KBytes
[ 11] 8.00-9.00 sec 10.0 MBytes 83.9 Mbits/sec 0 781 KBytes
[SUM] 8.00-9.00 sec 41.2 MBytes 346 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 9.00-10.00 sec 11.2 MBytes 94.4 Mbits/sec 0 837 KBytes
[ 7] 9.00-10.00 sec 10.0 MBytes 83.9 Mbits/sec 0 775 KBytes
[ 9] 9.00-10.00 sec 10.0 MBytes 83.9 Mbits/sec 0 783 KBytes
[ 11] 9.00-10.00 sec 11.2 MBytes 94.4 Mbits/sec 0 816 KBytes
[SUM] 9.00-10.00 sec 42.5 MBytes 357 Mbits/sec 0
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 116 MBytes 97.2 Mbits/sec 0 sender
[ 5] 0.00-10.02 sec 112 MBytes 94.1 Mbits/sec receiver
[ 7] 0.00-10.00 sec 107 MBytes 89.5 Mbits/sec 0 sender
[ 7] 0.00-10.02 sec 104 MBytes 87.1 Mbits/sec receiver
[ 9] 0.00-10.00 sec 100 MBytes 84.2 Mbits/sec 0 sender
[ 9] 0.00-10.02 sec 97.2 MBytes 81.3 Mbits/sec receiver
[ 11] 0.00-10.00 sec 106 MBytes 89.0 Mbits/sec 0 sender
[ 11] 0.00-10.02 sec 103 MBytes 85.9 Mbits/sec receiver
[SUM] 0.00-10.00 sec 429 MBytes 360 Mbits/sec 0 sender
[SUM] 0.00-10.02 sec 416 MBytes 348 Mbits/sec receiver

iperf Done.
Also, CPU usage is close to 1% as shown on this screenshot. So everything which was written on the Internet about hAP ac being slow and consuming CPU resources, was pure nonsense and is a lie.

With three radios and a SFP port, the hAP ac is still one of the best AP on the market.
Capture d’écran du 2022-08-16 16-47-15.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Tue Aug 16, 2022 6:12 pm

The hAP ac does not have 3 radios, it has 2 radios of 3 chains each radio.

Maybe to work only as ap, that CPU is enough.

But with some heavy features enabled will not.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Tue Aug 16, 2022 8:04 pm

Also, CPU usage is close to 1% as shown on this screenshot.

No, screenshot shows that hAP is hitting the CPU ceiling (0% idle) and 85% of CPU cycles are used to service interrupts (ksoftirqd/0 pseudo process; quite possibly triggered by wireless chips). 1% of CPU is used on userland applications, e.g. to execute top command.
I've no idea which of (pseudo)processes would show CPU consumption if (kernel!) firewall would have to spend time on packets though. (Note that different FW configuration possibilities, e.g. iptables or nftables or even firewalld, are merely management tools, it's the same in-kernel firewall engine executing the rules)
 
ffries
Member Candidate
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Wed Aug 17, 2022 9:01 am

I did a similar iperf3 testing using another OpenWRT AP with a quad-core modern ARMv8 CPU and SIRQ shows 20% usage. So I believe that Wireless is a single core process, which needs massive IRQs and eats-up CPU time pretty fast.

The only drawback of the hAP ac is to be single core and adding more CPU cores would probably not help wireless performance itself.

Because modern Linux is nearly real-time by default, I suspect that a high level of SIRQ does not mean that interruption time is used for processing, only that wireless under Linux is running nearly real-time in a single process. Therefore it is normal to have high SIRQ. On the converse, wireless is a cpu-time consuming process.

So IMHO the hAP ac seems to be a nice platform and is not CPU limited when only wireless is concerned. This is why I also like to use APs exclusively for wireless and I prefer to use a separate gateway.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB962UiGS-5HacT2HnT (hAP ac) WPA3

Wed Aug 17, 2022 4:01 pm

Because modern Linux is nearly real-time by default, I suspect that a high level of SIRQ does not mean that interruption time is used for processing

No, by default linux kernel is not real-time at all, it's still event driven (it is highly optimized and with decently sized hardware one can get impression of real-time operation, but that's not it) - there's linuxRT which contains RT patches. The main reason to have ksoftirq (pseudo) process(es) is exactly because of this: kernel isn't guaranteed to process everything necessary real-time, so processing is offloaded to non-realtime (pseudo)process which is using real CPU resources to do all the processing.

I guess the only way of increasing wireless throughput without using massively faster CPU is to increase AMPDU and AMSDU ... because every packet received over the air triggers interrupt (I don't know if packets to be sent need to go via interrupts or not) and executing interrupts has some (fixed) overhead. By reducing number of packets (while retaining amount of payload) also overhead is reduced. But that has limit as well. The other possibility is to offload certain functions to dedicated hardware.
All of it was already seen and tried in world of wired high speed communications, such as FDDI some 25 years ago (which was the first mass technology to use MTU larger than still standard 1500 bytes).

Who is online

Users browsing this forum: Scoox, Vojta and 29 guests