Is The TP-Link Omada SDN Platform A UniFi Alternative?

Captions
Tom here from Lawrence Systems, and we're going to dive into TP-Link Omada and all the different gear that we have out in front of me. Now, the TP-Link Omada line is kind of interesting, and I will of course be addressing the elephant in the room: does this look a lot like Ubiquiti's gear, and specifically the Ubiquiti UniFi line? Doesn't the controller look a whole lot like the Ubiquiti controller software, and doesn't everything kind of work in a very similar way? Yes, that's absolutely true, and I know that's one of the reasons there's been a lot of people requesting that I review this. TP-Link did reach out to me and offer to send me all this equipment, but that being said, yes, this was sent to me; that does not buy a review from me. I take my time, we evaluate it, we make a determination of what we think on things and offer an opinion. Whether we buy it or a company sends it to us, the opinions are my own and not at all influenced by the particular company that sent me the product, in this case TP-Link. They were nice enough, so thank you to them for sending this out, but I'm still going to remain objective in my thoughts on this product.

Now another thing that I want to get out up front: we've only been testing this for a couple weeks. That means I don't have a ton of long-term "hey, what does this look like deployed, and what does this look like deployed with, let's say, 300 devices?" We have sites with 300-plus devices running UniFi equipment, so my reviews of that have been because we have installed literally thousands of those units, and we manage thousands of them as well, so my reviews of UniFi come from a longer-term experience. This is going to be a shorter-term review, but the next place for all this equipment is actually going to be my house, and I'm going to switch out all the gear I have in my house with this so we can actually use it, because there's people watching TV and Netflix and using phones and using outside access and everything else. So I'll be able to give a follow-up review later, after I've done a little bit more thorough testing.

But let's start with what we have in front of me here, and I guess we can start with the Omada controller. This is the OC200 model. It has an MSRP right now, in April of 2021, of $89 and supports up to 100 devices. This is essentially the brains of the operation. This is very similar (and I'll reference this a couple times for those of you looking at UniFi alternatives) to the way a Cloud Key works with UniFi: the TP-Link cloud controller runs the central SDN, software-defined networking, controller that you load, set up, configure (we'll get into how to configure that) and adopt all these devices into. Now you can run this without this model as well: you can load the software-defined networking controller on your own Linux server, and it even does support Windows. You can load the controller software and adopt and manage all of these. So this is a nice way to run it on a piece of hardware, but if you would like to just run it on your own, in your own stack on your own server, and not be tied to one of their devices, you can do that. Also of note, if you use their cloud controller it does not force you to register with their cloud at all. It does have an option to, but that option can be bypassed, and we'll show that in the controller setup. That does work the same for the self-hosted controller; you can host that yourself. I did take the time to do a little bit of testing, and it does not do any call-outs even to the web. You can actually have a controller with no internet access and just local network access, and it doesn't make any unusual call-outs. I did a little testing on that to make sure it's not reaching out to strange or rogue IPs or sending any type of data.

All right, next we have the firewall. The firewall is a little bit of a confusing one, and let me explain why. Now the firewall has got a couple different model numbers, and I say a couple different because the TL-R605, which is listed right here on their site, the SafeStream Gigabit Multi-WAN VPN Router, designed for remote office, reliable, flexible and all the other marketing terms we have here (and yes, it does support VLANs, we'll get to that later), has more than one number. So this is SafeStream TL-R605, but when we go on to what devices are compatible and we scroll down a little bit, it says the compatible one is the ER605. Now I'm sure it's just a slight variation, but it can be a little bit confusing when you're going "is this really the one that's compatible?" And I found that a little bit strange, because it is marked specifically on this one TL-R605, and this just says ER605 without the TL, so it has an E in front instead of the TL. I know it's tiny, but there's those nuances when you're buying products where you want to know the answer to "how does that work?"

Then we have their outdoor unit right here. The outdoor unit is the EAP225-Outdoor, which sells for $69. And then we have the in-wall unit. Now the in-wall unit is kind of neat, because this is the EAP225-Wall and it's only $49, but it has three ports on there which you can assign VLANs to. Then we have the switch down here. Now the switch is the TL-SG2210MP, sells for $149, and it's a 10-port managed switch with eight-port PoE. All eight ports have PoE and a budget of 150 watts, so not bad. And by the way, this is not powered off a brick; it's got a built-in power supply with your standard connector on the back, so it's pretty straightforward the way that's hooked up: standard power cord, away we go. Metal; it is not passively cooled, it does have a fan, but it's extremely quiet, you just don't hear it, which, hey, that's nice. Each of these devices, including this, all have Kensington locks on the back of them, which I think was kind of cool. There's an additional micro-USB on the back of the TP-Link OC200 controller so you can power it over that if you do not have PoE to power it with; right now it's powered over the PoE from the managed switch.

Last but not least, we have this EAP620, and yes, this thing's bulky. By the way, it's hard to see, but you can kind of see into it: the device is actually not near as big as the plastic. I'm not sure what made them decide they should put this giant plastic piece on there. This device can be powered over PoE or via a little 12-volt, one-amp adapter, and of course there's a little reset button in there, but it's kind of unneededly big. I found that to be kind of odd. It mounts nice, but even when you mount it, think about that hanging from the ceiling: it is big. I don't know, it feels a little awkward. It doesn't weigh that much, it's just a lot of big, empty plastic. It has a little mounting bracket on there, and I might cover these a little bit more in depth later on an individual basis.

And the reason I want to cover these on an individual basis later is an interesting facet of the way all this works. Now we're going to cover the Omada software and how it ties all these together, but I also want to mention that each one of these has its own management interface, so these don't have to work with Omada. That's kind of an interesting idea, because, and this makes them very divergent from the way UniFi does it, when you have the UniFi equipment it only ties to the UniFi controller and doesn't have its own management. This has a complete management system in it, so you can actually take this, not adopt it to the Omada software, and load it up and use it on its own as an independent device, completely without any other special software or anything special you need to load. It has a web interface on it, it gets an IP, and you can program it for use just that way. Same with this device here, and this device, and the firewall, and the switch: each one has its own management interface. Now once you adopt them into Omada that management interface becomes disabled and it just gives you a warning that, hey, this is under management by Omada. But you can unadopt them, and they just go through a factory reset and then you can go back to managing them individually. Now any of the changes you do when you manage individually don't carry over; it erases it when you adopt them back into the Omada controller. But I think that's a first standout feature they have compared to some of the competitors: offering a device where you go "you know, I just want one, and I don't want to buy a whole kit and build out a whole network." You can start with one, but later when you have five of them you're going "how do I change the SSID on five devices without logging into five devices?" That's where the Omada software is nice, because it will glue it all together and allow you to have that level of control, so you have one control plane to control many. But if you only want to start with one, you can start with just one device.

Now let's dive right into the Omada software itself. Before we get into loading the software and the interface, I thought this was kind of a novel thing pointed out by Level1Techs, so thanks, Wendell, for tweeting this. He had tagged me in this post. He said if you go over on places like ThemeForest and look up admin dashboards, and I looked through just a couple of these, you'll find a few that look extremely similar to Ubiquiti's dashboard. I thought that was kind of interesting, and we are completely speculating and hypothesizing, but I think it's worth noting that yes, while the Omada controller software certainly does have a similar look to Ubiquiti, it also has a very similar look to a lot of the other theme templates that are out there. So that's at least one thing I will note; that might be speculative as to where that came from, but hey, I thought it was interesting.

Now on to the controller itself. They have a whole instruction on how to set up the controller. You can, as I said, download it for Linux or Windows, and this is if you don't want to buy one of their cloud controllers. Either way you do it, as I said, you don't have to register things online; you can just set it up all with local admin. Now whether you use local admin or TP-Link cloud, there is no two-factor at this time for the latest 4 series of their software, which is 4.15. I don't know why, but that's the way they did it. Second problem: it is based on MongoDB 3.6, whose end of life is April 2021. So yes, we are reaching the end of life for the database software that they tell you to load to set this up, which is MongoDB, and I don't understand why they're not supporting the newer versions of it, but they want the older version on here. So that's kind of concerning right off the bat. By the way, for those wondering, yes, UniFi also says use the older versions of it; I don't know why, but yes, they chose to still build this controller on older software. Once you've recovered from those kind of unusual issues, the next one you have is, yes, it also needs Java 8, which can be a little bit tricky for doing it on Linux. If there's enough demand I'll do a video on it, but if you look at how to install, you can Google search quickly how to install Java 8 on Linux, and that's another dependency it has. So Java 8, MongoDB 3.6, and then you can go load the controller.

Now let's look at the controller when you set it up. "Let's get started," and this is interesting, and I can't find any documentation, after reading through the documentation, as to what this does. I think it's nice: is it a hotel, is it a restaurant, is it an office? You can check these different boxes. I'm assuming it does some type of tuning based on that template, but I don't know what the differences are between each one. I've actually reloaded it and changed it; you can change these later as well. I'm not exactly sure where the changes are; I didn't see a grid that I could easily find that said if you set this it changes these settings, or if you set it to restaurant or airport it changes these settings. So nice that it does it, nice that it has a custom option that we can call "Tom's." So, easy enough: we can change the time zone to match my time zone, that's important, give it the controller name "Tom's controller," and by the way, I'm setting this up on the self-hosted one; this is not on the OC200, that one's already set up. All right, do we want to adopt any devices? For now we won't, we'll skip. Network SSID? We'll skip that; we don't really want to name a network, we just want to show you how it works. We'll create a user, "tom"; we can skip the email. Yeah, I know it's a weak password, "password123," not the best password. Don't do this, especially because there's no 2FA, but protect your control plane: don't have it publicly internet-facing. And away you go. And if you don't want to have cloud access... Now the cloud access is: you can register over at TP-Link, and it's a bridging system so you can remotely, from outside of your network, get into your network without opening up any ports. But that also means you're tied to the TP-Link cloud system, so it's up to you whether or not you want that. You can just say no and move on to the next. There we go, we have the application name, the username, and cloud access off. We hit finish and then we can log in. And as I said before, I tested this: it doesn't do any call-outs or send any data out when you don't register for the cloud. When you do, obviously, it reaches out to their cloud for the registration. And then we can log in.

Now we're going to move over to the OC200, where I have everything set up, but this is what you first see when you log in, and as I said, you can go into the admin settings, or settings over here, and choose the different hotel, restaurant, and save, and it will change it. Of note, the SSH accounts, when you enable them, are down here. There's the username, and it generates a different password. So I used password123 to set this controller up, but the password is randomly generated but can be set, so your username is actually the same when you enable SSH, but you can actually set a different password. But I want to point out something here: if we put "tom" and not the right password, "incorrect password, try again." But if we put an invalid username, "invalid username." This is another security fail I noticed right away: it should not tell you whether or not you've guessed a username properly and not the password. So when you try to log in it says that one's wrong, oh wait, because we had it as "tom," all right, now we know it's the password that's wrong. So I've been trying to evaluate; I did not do a full pen test on this, I'm not a pen tester. I did notice if you dig around and look for some CVEs, they had some older security vulnerabilities that were updated and patched in these systems, so they do seem to be actively responding to things that are found in these systems. But still, there's a few other ones that aren't necessarily an actual exploit but they're still not good security practice, such as letting me know what usernames are available and which ones are not; that's just generally not good.

Now this is the dashboard on our OC200, and we do have it cloud-enabled and linked, and it's not had any issues. We tried accessing it through their cloud, tried accessing it locally; it's actually been very stable. We've randomly been pulling the plug and powering this off so we can make sure we've done some testing, so every time we pop this on and off it rebooted fine. I never had a recovery problem. I am uncertain of any way to actually get command-line-level access on this, because it doesn't seem to open up SSH for me to log into this device, but nonetheless I haven't had any recovery issues with it; that was part of the testing that we had on there. I will also note, for those of you wondering why there's little yellow post-its on here, that is my staff being funny from all their testing, because I said "which one's the firewall?" a couple too many times, so they put little post-it notes on there for me. Thanks. The device does take a couple minutes to boot up when it first powers on; it does take about three or four minutes. But my controller that I built locally boots up in, I don't know, less than 60 seconds, so obviously they didn't use really powerful hardware in here, but, you know, that keeps the price low.

Now there's not going to be a lot in this dashboard right here, but I at least wanted to cover the dashboard, and this is what it looks like. It offers some customizations to see networks, clients. I even created a dashboard called "test." We can edit that test dashboard, and then from there you can start adding things to it. So I created that one; you can create another one and call it "test two," just to give you guys an idea here, and once you're on there, click the gear, add the widget, add the widget, and build your own dashboard. They seem to do a nice job of customization on here, to allow you to customize a view that you are comfortable with or how you want to see it. I did like the fact that they've done this. Click the little done button up here and there we go, now we have a different dashboard for test two than we showed in test one. But maybe in test one we only want one thing on there, so we'll click the gear again (I keep being tempted to click the little edit over there) and maybe we'll just add this widget right here, hit done. All right, now we have that widget on here for client association activities. Pretty simple, so you can create these. And I'm going to say this is a very responsive interface; even though the hardware on here may not be very high-end, the responsiveness has been absolutely great. We have a stats page; we can get performance stats, switch stats, you can set up speed tests and do a series of speed test stats. There is no dark theme, by the way, for those of you going "where is the dark theme, you're blinding me." I'm sorry, there's not. This is obviously very familiar; I really like the auto-building topology maps, like I've seen in the UniFi system. They did a nice job of this here, and they offer different types of overview maps, such as being able to load in your own templates, and this allows you to drag devices and have them in different locations so you know where the access points are. So nice job on doing that. Of note, what I didn't see in here is the ability to do an outdoor map and load it based on, like, a Google location. This is something that UniFi does have, so for those of you looking for that one-to-one comparison, that is not something I've seen an option for in here, so that's missing.

But on to the devices themselves. Now the device menu is obviously where you get to control everything, and it's neat the fact that these have independent control but also have the control inside of here, but not at the same time. I just bring that up because it's an interesting facet of the way they designed these, how you can buy one device and later adopt them all in. But as far as features go, right away I want to talk about the fact that the WAN is missing the multi-IP option, just like the UniFi system is. So on the UniFi USG it's been a long-requested feature to be able to have a block of IPs assigned to it. Someone may point out it's a beta feature coming; that's fine, but it's really an issue when it's a common feature, and if you're going to copy someone and make a very similar product, you shouldn't copy some of those same flaws like that. But that is definitely an issue with the way this works. Of note, though, how they implemented this is a little bit different. So when we go into the settings for the site, we go to wired networks and we go to internet, which is not called WAN. This firewall has several ports on it; on one end we have a LAN port and on the other end we have a WAN port, and the way that works is kind of interesting: the WAN and LAN ports are either/or, and then you choose them with the software. You go through and click, like, do I want two LAN ports in one LAN, or do I want three LAN ports, or all (well, not all, but all but the last one) or four LAN ports. So even though I can't assign multiple IPs to a single LAN port, I could, for example, put a switch in front of this from the ISP and then add all the additional WAN addresses. I haven't tested that, but it seems like it should work from a design concept. Now when you don't assign these WANs and you have it like this, where one's WAN connected to your ISP and the rest are not checked, they all end up becoming just standard LAN ports unless you assign them otherwise. So it's all just kind of a shared port system; interesting how they did that. It's implemented a little bit differently than the way it was over at the UniFi side, but at least it's programmable and something you can do.

Oh, and by the way, when you don't plug a device in (because I unplugged it to show that), it does say "heartbeat missed." Kind of familiar: if you're in the UniFi world, that's the same exact phrase UniFi uses when it doesn't get the STUN protocol sent back and forth to it. I haven't done a lot of protocol analyzing to see how close the protocols are to the same, or done any security testing to see whether or not they use the same type of encryption when sending all that different data back and forth. And it uses adoption, and it re-adopts that. Now when we get down here to the system, here we have the same nomenclature to easily go through. It's all labeled right here for whether it's PoE, whether it's just adopted as a switch, or powering 100, powering one gig, and they have it all right here. Except the thing that's kind of interesting: let's go ahead and edit one of the ports. If we go here to the config, that's where we go to ports, and let's say we want to edit a port, which I have set up to a test VLAN. When you're doing that, maybe we want to go to a profile override because we want to override the link speed. Hey, awesome, I can link this at 10 gig, but didn't you see this is a one-gig switch? Sure is. Good news is, when I try to do that, I'm not getting the error... now if you try to do some of these it won't let you save it, it's kind of interesting. There we go, so let's set it for 10 gig, apply, and you get this little "invalid link speed and duplex setting." So it's interesting they didn't bother filtering it out; they kind of seem to be applying the same generic template to all of these but then telling the switch, like, when you try to apply it, it goes "no, you can't apply something that doesn't make sense," because it's not a 10-gig switch. So I thought it was interesting they had that in there, but yeah, you can override it, but not override it to an invalid setting. At least it does some checking, because that would probably cause a lot of people problems when they just try to set things to different settings. So that's how you manage the switch and the details of the switch.

It does also offer the ability to set a management VLAN, and that's kind of important, because something else I noticed about the switch is that there's telnet enabled on it. So yes, I just telnetted to 192.168.0.74, which is the IP address of the switch, and yes, it responds. Now what it doesn't respond to is username/password; no matter what I've tried, quite a few combinations, it does not seem to allow me to log in, so I could not telnet in. Now I tried SSHing into the switch, so if we SSH, it only wants SSH keys, so I get "invalid," so I was unable to get to the command line of the switch. You can get into the command line of the individual devices themselves; that I didn't have a problem doing, the username/password does seem to work for those, but it does not work for the switch or the firewall. So if I wanted to do the same thing with the firewall: no key exchange, and I didn't see any way to upload my SSH keys to allow access to the switch or the firewall. So just of note, but having telnet enabled, ah, that seemed to be somewhat bothersome to me. The good news is, even with telnet enabled, if you put it on its own management VLAN that you create for the control plane for all of these... I tried VLAN hopping a little bit, and a few other things I've actually tried with an older TP-Link device (I read a long time ago about one of their main switches, which I was told has been fixed now, but I was able to do it), and on these ones I was not able to VLAN hop or reassign different IPs to try to get back to it. It seems to respect that when you trunk a port, that port is trunked, and will not allow access to the telnet interface. So it might be something from a design standpoint that you think about, because telnet is an old protocol and potentially has issues. So it's of note: even though it's not using telnet to actually manage it, having that exposed is to me a little bit of a security concern.

Now back on to the other devices, like the in-wall one. We'll go to the config, and just like the other Wi-Fi devices you have radio options, but the interesting thing is how they handle, under here if we scroll down, ETH VLAN. I mentioned you could set VLANs on these, and you can, but unlike the normal switch way of doing it, where you create a VLAN in a network and are able to do a pull-down, you enable it and then have to type in the VLAN tag. So to me this feels like a little bit of a put-together interface for this device versus the way, as I mentioned (I will mention UniFi a few times), UniFi does it with just a series of pull-downs and port configs. You have to remember which tag you had on there. I'm happy that you can do it, but it is of note that you just have to go "oh, what was the VLAN tag that I had set to these?" Now throughout all this interface, and this is actually true for all of them, there's an IP settings option where it lets you choose static or DHCP. DHCP is my preferred way to do this, and you can set some static assignments on these, but the static options are also a fallback IP option. That way, if for some reason the firewall isn't handing out DHCP addresses, you could in theory say this is what address it will fall back to if it's not getting DHCP. So I thought that's nice that they included that, and like I said, that is consistent across all these devices. Now we'll scroll all the way down to the bottom, hit manage device. You do have the option to push firmware to it, you have the option to move it between more than one controller (if you notice up here where it says "default site," yes, this is a multi-site controller, so we could add more sites to it), and then we have the option to forget the device.

And one thing I'll point out: let's go ahead and forget one of these devices. Let's go to this one here, go to config, and we'll forget that device right here. Would we like to forget this access point? We sure would. Before we do that, let's note the IP address, so the one we're forgetting is .15 here. So we'll forget this device, because I want to show you what the interface looks like real quick when you forget it, and the adoption process. All right, you can see the device is on the network and now pending adoption. When you release it, it does a factory default reset, and I refresh the page here, and with it being not adopted I can actually go in here, admin/admin, which is the default when you have a brand new one, and it will start the process. So let's go ahead and set a new username and password on this: tom, uh, yeah, yeah, password123. It lets me know that's not a great password. We'll skip setting that up, finish, and now we're into it, so we have local control. Now let's talk about what happens when you try to adopt these devices. Now you don't have to set it up like that; you can actually just leave it at admin/admin and not log into the web panel and just adopt it. Once it's discovered on a network it will find it. But now let's see if we can adopt it after we did this without having to factory reset it again. So let's go here and we'll hit adopt, and it should prompt me for whatever credentials I have already on that system. All right, let's try adopting it now. It says failed, with a prompt, so let's see if that does the adoption properly. We'd adopted them previously without setting each one of them up, so we're doing a test in real time and learning this. And the device is adopted and provisioning right back into the network. So that's how that process goes: easy to forget these, easy to move them, easy to migrate them.

Now let's go down to clients. There's not much on here right now, we just have a few devices, but it does have some statistics and does give you some real-time activity and speed on there. There's not a lot, though, that you get in terms of statistics; there's not a ton of stats, but it's got some of the basic stats on here. Then we have some insights, and it has some information on connections, past connections, past portal authorizations (I have not tried the captive portal yet; I'll do that in a later video), rogue APs if it finds any of them. Then we have the log and notices, and yeah, all the different little things that are going on here, disconnects, and this seems pretty thorough. This is something I really like.

Now on to the settings themselves, talking about the site and the way this works. So we go here; here are all the site options, where we can control the LED services. I kind of like that, because maybe you don't want the lights, but the concern to me is not the light with this; I don't think the light is what's the distraction. People are like, "what is the giant white plate-looking thing that you have over on the wall over there?" But you can't turn off the light on it, so if that's the part that bothers you. It does support meshing; not 100% clear on what models support it, but I do know on some devices that shows up and on some it doesn't, so once again that'll be some cross-compatibility things. We'll get to compatibility towards the end of the video. Periodic speed test that you can enable, where you can tell it to do that and populate that speed test; we currently haven't done that. Alert emails, remote logging options. I like that they have the ability to dump all this to remote logging, because you can't get into the controller to see details, but hey, we can actually push all of them to a syslog server. I've done a video on Graylog; it's a great system for ingesting lots of logs, and I do have our current UniFi system tied to it, so throughout the testing maybe I'll tie some of this to it as well. And then here's that device username, and the username here once again is going to be different than the generated one for the SSH access.

Now back onto the wired networks, as we were showing how this is allowing you to configure things: dynamic IP, or we can set it to static IP, PPPoE, L2TP, PPTP. So if we have a PPPoE connection, username and password with some advanced settings, but those advanced settings do not include... when you set a, we'll actually switch it to static IP: no option for setting a block of IP addresses. So yeah, they copied that flaw right from the competition. On to the LAN side of the world: we have this LAN, we have a test VLAN, we can create another test VLAN, so let's call it "test vlan 2." Call it whatever you want. Is it an interface or VLAN only? So you can, without having the firewall involved, just program all the devices to be aware of a VLAN and a tag, so you can assign it. That is something supported in here, along with IGMP snooping; that is a feature that is supported on this gear that I have. Then we have profiles, where you can create separate profiles for each setting of the network, and then individual switch settings, and you can edit the port profile switching on these. That was kind of neat; they give you a couple different grouping options on here to be able to manage it. Pretty well thought out, I think, in the overall.

On to the creation, though: let's go ahead and create that test2 interface, and we'll go ahead and attach it to LAN, which is interesting that you can attach it to this as well. I'm kind of curious about what other extensibility I have if I do it that way, but it does allow you to build it. Now when you build it like this, when you're attaching it, this is a way to build it without it being a VLAN, but just being a separate LAN on one of the other ports on the firewall, versus if you want to actually create it as a VLAN. It's kind of interesting: so we're giving it a VLAN ID and attaching it to LAN, or without giving it a VLAN ID you can attach it to one of the other ports on the firewall. So like I said, a little bit of flexibility you have in creating it. We're going to attach it to LAN, we want it to be a normal VLAN, we'll give it 555.5.55, we'll make it a /24, or /23 actually, make it a little bit bigger; let's say it's a big guest network, and it'll automatically update the DHCP range. Hit it, it'll provision it out, and now it's an option. So this one we called VLAN 666 and this one we called VLAN 555, and if we go back over here to the devices, choose a port, edit the port: hey, there's our test and test vlan 2.

Now one thing of note when it comes to the firewall rules on this; let's get back over here. I wanted to make that network so I can talk about the default firewall rules, which are backwards to people who are network engineers: when you create a separate network, you would think I would have to implicitly create rules for it to talk. The opposite is true: by default it talks, so that network can see all the other networks until you take them down and lock them down. If there's enough interest maybe I'll do a video on that, and yeah, it's one thing that's kind of interesting: by default, the way the rules work in here is not secure by default. And under network security, ACL, that's where I believe you create all these rules. I haven't created any; I just know for each network I create, the default is everything can talk and everything can get out. So then you go through here to start creating the implicit IP group or IP-port group rules and protocols, and do you want to do a deny or permit? So do we want to, you know, deny traffic from here to there, and then you build out each of the rule sets inside of here. I haven't done much testing with it, so I don't want to get it wrong in this video, but I'll leave it as a note, when you're building these, that that's kind of an interesting thing they have about how they do the firewall rules.

Now before we get ahead of ourselves, let's talk about the wireless networks. A lot of people just want this for Wi-Fi, and for Wi-Fi they have a pretty simple way to create this. So here is the LTS Omada lab one, 2.4 and 5 checked, guest network. Now the nice thing, if you don't want a network to talk, they do have a guest option, so a lockdown will be put on that network. So yes, a Wi-Fi guest network can be created with those basic rules. Then we have the advanced security settings right here, where you have the broadcast; if we wanted to go to a specific VLAN we can do that. WLAN scheduling is on here, so we're able to turn them on and off based on certain times, create a new time range entry. So if you want your Wi-Fi not on all the time, if you're a business and worried about security, you could set this up so it's only operating when people are in your office, and when it's not, someone can't sit in the parking lot and guess. Kind of a neat feature. Rate control options and MAC filtering options in here. Now as far as creating multiple SSIDs, we can go ahead here and just add another one, so we'll create another network, test2, go through WPA-Personal, Enterprise; it still supports WEP, and you have the option to create RADIUS profiles if you're using WPA-Enterprise on here. But pretty much pretty straightforward, and all the settings work, and easy enough to create a second SSID, and it by default already creates these and pushes it out to all the devices adopted in the Wi-Fi for that particular group. And I say group because you can create multiple Wi-Fi groups, and if you're doing a larger deployment, group these things together and have them differentiated that way, so you can have one group with one SSID and another group with another SSID, and each one can have its own VLAN setup if that was necessary. Now let's get down to all this: we've covered ACL, and we have URL filtering. I thought this was clever; they built this in. It seems to be doing DNS sinkholing. I didn't really work hard to bypass it, but the basics of it
work quite well i can't type in websites i create a block for so i put the block in and we'll block something like let's say my website so we'll call this lts source network or ipgroup and you can create a group or an ip any so there's options there but we'll say this the whole network what do we want to block lawrence systems.com i'm actually we'll open that up here so there's my website loading and it's loaded in the background great all right so now that we've blocked and we hit apply we'll say lan it doesn't make you choose what network you want this blocked on all right we've now blocked that particular network and you can go back in and edit this you can add more than one so we'll block like newegg.com we don't want people buying stuff from there all right we've blocked them okay that took a little bit longer to provision and actually i had to skip ahead a minute here it did block my website took a little bit longer than expected but i also want to note when you do block a site it just does this site can't be reached and if we try to get it from the command line and we do something like looking up a dig it's still able to get the dns to the website so it is actively looking and blocking it at a url level but i'm still able to get to my website and look up its ip address via dns so i thought that was interesting it's definitely doing some url type filtering not just dns sync holding it but a neat feature that they've added in there the fact that they have url featuring filtering options in there attack defense is interesting i did not play with this it's got a couple packet anomaly defense basically it's looking for unusual packets and offers the ability to block certain attacks and then really test the validity of how well that works then we have routing and we can create special route rules policy routing rules and i'm unclear on all the features that you can do with this once again i didn't deeply test it but it interesting they put them on there where you 
can say here are certain policy routings of how i want something to go and maybe which when address you want it to apply to so if the current one's down is able to create new route and also the static route options here where you can say next hop or interface at least they do give you some options to control the firewall inside of here so not the most advanced options but a few options in there indeed for things like failover we did not we know it supports multi-wan failover we're not support not sure if it supports how many different wan interfaces for failover but there are things like session limitations in here down below so you can say session limit create new rule and apply the rule to a network for example maximum number of sessions that can be done odd way to put it because a once device can have quite a few sessions but at least you can do some type of restrictions on there i'm not sure what happens if it just doesn't create new connections and they get weird timeouts but unless they have that feature bandwidth control and you can apply bandwidth control we'll put test here what network do i apply this to which when does it go to upstream limits downstream limits and this is you know per this entire network or a per a individual on each network on there so it's not exactly traffic shaping but it's limiting the amount of traffic and volume that an individual can take up on there now vpn this is the one i know a lot of people are hoping it's going to be exciting and it's not at all once again they have very weak vpn policies here they have a nice site-to-site system i only have one system set up right now so i didn't try with two firewalls cf2 merged together with site-to-site it does have an option if you have multi-site to be able to pull them together no way to test that you can do client-to-site and it has in the options here vpn server l2tp pptp ipsec or openvpn and vpn client being openvpn now when you set this up as vpn server openvpn and we can put 
all the presets in here tie it to wan what's the ipool 1 24 create it does create the file but it does not seem to have like a full user management system that i was able to find in this so it's basically once again only for site tonight site not managing like a connection to a bunch of users using like openvpn maybe it has a feature in a month familiar with how to set it up i didn't dive deep into it but it's definitely um not normally you would see all the stuff in here so i'm gonna say i don't think it really does that i don't see an easy like user management tie-in because when you go to the settings i don't see any way to say here's your authentication server and here's where you authenticate all these vpn users against now this was an interesting feature to even notice in here the fact that you can create time ranges to for tasks where you can say this time range apply and then that is that time range that would apply to other sections of it so you could say this is what i want these things to operate and a few different devices a few different options are available where you have those time ranges then we have groups same thing it reminds me a little bit of aliases so you can create an ip group ipv4 group or a mac group so you could take a block of devices to apply rules to and i thought this was kind of cool it's very similar what a lot of firewalls may call an alias system or an object system so you can have objects that you can assign a parameter to and then you can group assign it later so that's option here i don't know how extensive or how well it works but i do see they have the features in here they do offer captive portal authentication 802 11x mac base and radius profiles can be set up onto the services menu they have dynamic dns snmp upnp so good news is by default that's turned off for those you worried about that you can turn it on and then apply it only to certain networks this is very handy because sometimes gaming devices just work best like 
xboxes and playstations with upnp they're the easiest way to configure them but you may not want that on your main network because of a security risk and they do have the option to apply it to an individual network ssh access you can turn it on and change what port it's on and actually nice feature when this feature is enabled the layer 3 accessibility check this is so you can say only allow devices locally on there not remotely to get to it until you enable it and then allows remote devices outside the network to be able to get to it for through routing so actually a little bit of security they put on there a reboot schedule this is weird but hey if you want to schedule a time that your device should reboot you can schedule a reboot schedule for your device and the same thing with a power schedule i guess if you're on a power budget and you say you know what i would like these things not to be on that the access points phones or whatever you have plugged into poe they let you schedule the poe kind of novel then we get to the controller itself and here's the general settings in the controller same system where the controller itself has a dhcp but can fall back to a static ip or can be statically assigned it has an option to import certificate now i didn't mess much with this but i think the idea is if you wanted to have your own certificate and import it in there but without any automation around it importing a certificate like if you wanted to use something like maybe let's encrypt and maybe if there's a way to do that not having it automated means you're going to be doing it all the time so kind of novel they had it but hey cool i guess maintenance wise here's the controller and we have survived an update i bring that up because that was something we were excited to see that there was an update see how the update worked and we pushed an update to it no problem didn't have an issue now the not being able to get into the controller means i can't really get into the 
guts of how it does its updates but when you tell it to check for update which is over here we'll show that in setting um it checks for the update and just pushed and applied it same with the firmware updates that it pushed to the devices that really wasn't a problem and the last couple things are the backup where you can download a backup file for settings only reboot factory default this is that check for the upgrade down here at the bottom and the migration options they both have a site migration and the controller migration so you can migrate a site to another site or you can migrate an entire controller to another device so let's say you started with the oc 200 model what wanted to migrate that to on-prem they have that as an option as well and then the auto backup if you turn this on it will look for the usb device on there so you turn on auto backup right there but it does note that you have to be plugged into a poe device for that to work and of course the cloud if you choose but is optional as i said to to connect this to the cloud there's our oc 200 and the lts lab and when we launch this i have not opened up any ports matter of fact this is triple netted because of the way our network is set up so it reaches through all the gnats and has no problem uh getting to the device because it's reaching out to make that connection so i do like these cloud features when you have that so you can get into something without opening ports the downside is of course now you have to make sure that their cloud doesn't have some type of breach that they forgot to tell you all the details about because that would be really bad and kind of a problem so the final verdict of course is i mentioned unify several times is would you replace unify with all this well on paper this is a very complete system and i say on paper as far as like all the features it supports having not deployed these i don't have the confidence yet that this device setup would you know scale because i just 
don't know i'm hoping some of you will leave some comments down below of large deployments i didn't really find anyone or could not within my friends circle find anyone who says tom i've deployed two or three hundred of these at a site and manage them all with the omada system and it's been working great i just don't have a lot of information that so i will be taking this home to do a little bit longer term review of it and actually put some use to it good news is where i put this because i don't my wife will kill me if this is in the living room um i will have a place to hide this we'll cover me putting in at my house for some of the testing um i have a place that i'll mount all this so it's a little bit more obscure but when i do that longer term testing i'll have some better answers as to is it stable does it crash at least a few weeks it's been here all the devices we connected to it and all the little speed tests we did internally never had a problem yes the router does route at one gig that was never an issue wi-fi speed testing chris did some tests go watch this video on it but one challenge with wi-fi speed testing is it's very very subjective but i will do some wi-fi six videos because i know people are asking me for them and with this at home and i'll load up a wi-fi six set up at my house so i can do some speed tests around the house and see how it compares and maybe also do a test between this and i'll put these in the exact same location as unifi so i have some real world numbers i know exactly how long the unifi has been where it's at on my house so we'll see if i have the same range on these so those comparisons are coming that's not a verdict i can really answer right now for home users i think the price is right i think it's something that is great to play with i just don't have that long-term confidence in this product yet but i've been using tp-link for a while for some of the other things we've had lots of random dump switches we've gotten from 
tp-link for different use cases they always have held up really well but please note the things i mentioned earlier in the security like having telnet and not a way to disable telnet that worries me a little bit because that's a real concern that that's enabled even if it is on the local management plane i did test the firewall by default no ports are open on it but nonetheless you know ssh access to this is not available for me to really dive into the inner workings but maybe i'll poke at it or if i have some my security research friends that can spare a few minutes to poke at this system i will certainly open up access to them uh who are curious about it and see what other interesting things they may find but i'll leave a link to chris's video and i believe mac telecom networks has done a few videos on these as well i'll leave those linked because you know when you're making a decision of what gear to start with or what gear to put in your network um it can be challenging i'll also have some affiliate links down below that do not cost you anything more but do help out the channel if you want to buy them on amazon because all of these were available on amazon as of recording of this video and pretty easily accessible for you wanted to get any of these and as i said if you didn't want to get all complicated and want to try a single device at a time check each one because they do have their own interfaces on at least the devices we have here and last but not least what else by omada support they have a omada compatibility list and i'll leave this linked down below as well and these are the current devices that they have on their support list i mentioned earlier though the little bit of confusion about the firewall but the er 7206 and er 605 er605 er6051 that we have here um even though it says tl on mine so when i look it up on amazon it's tl but it's er here it does appear scene b1 i can't vouch because i haven't tested but i'm assuming maybe there's the same 
nomenclature change or way they labeled it on here either way their jetstream series appears to be all the ones that are fully supported on the model so those are switches that are compatible in controller mode as they like to put it and these are the access points compatible in controller and standalone modes right here so i imagine that's what the list is now maybe when you're watching this in the future that list gets bigger but hey nonetheless i have a lot of hope for this i think tp-link will see how their commitment goes to this product but uh yeah this is not a bad setup so far i think they're really off to a good start off to a good start but i do know they've been out for a little while in a couple different versions and if you look back at version three this is all the version four of the omada it did look a lot different so i would kind of say it's new for version 4 because it's kind of a facelift from the version 3 interface but yeah as i said so far in all my testing everything's worked i didn't find any glaring flaws that i didn't lack a 2fa and the weird desire to run this on 3.6 but if you're using a lockdown controller that's more of a weird you chose old software that's end of life but it's not publicly exposed the internet and doesn't require it to be for you to run it so it's an issue but yeah it's an odd one all right leave links to everything i talked about below in those other videos i mentioned and thank you and thank you for making it to the end of this video if you enjoyed this content please give it a thumbs up if you'd like to see more content from this channel hit the subscribe button and the bell icon to hire a shared project head over to lawrences.com and click on the hire us button right at the top to help this channel out in other ways there is a join button here for youtube and a patreon page where your support is greatly appreciated for deals discounts and offers check out our affiliate links in the descriptions of all of our 
videos including a link to our shirt store where we have a wide variety of shirts and new designs come out well randomly so check back frequently and finally our forums forums.laurensystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel thank you again and we look forward to hearing from you in the meantime check out some of our other videos you
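The URL-filtering observation in the video (the browser shows "this site can't be reached" while `dig` still returns the site's address) is worth turning into a repeatable check, because it tells a defender which layer a block actually lives at: a DNS sinkhole is defeated by any client that uses a different resolver, whereas a URL/HTTP-level filter is not. The script below is an added example, not code from the video or from TP-Link. It takes the resolver and the HTTP fetch as callables so it can run offline against constructed fakes; on a live network you would pass the `real_resolve` and `real_http_get` helpers, which use only the Python standard library. The sinkhole address list and the host names are constructed for the example.

```python
import http.client
import socket
from typing import Callable, Dict, Iterable, Optional

# Outcome labels for one tested host name.
DNS_SINKHOLE = "dns_sinkhole"   # name fails to resolve, or resolves to a bogus address
URL_FILTER = "url_filter"       # name resolves normally, but the HTTP request is refused or reset
NOT_BLOCKED = "not_blocked"     # name resolves and an HTTP response comes back

# Addresses that sinkholing resolvers commonly hand out (constructed list for this example;
# extend it with whatever your own filter is configured to return).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

Resolver = Callable[[str], Optional[str]]
Fetcher = Callable[[str, str], int]


def classify_block(host: str, resolve: Resolver, http_get: Fetcher) -> str:
    """Decide whether `host` is sinkholed at DNS, filtered at the URL/HTTP layer, or open.

    `resolve(host)` returns an IP string (or None / raises OSError when resolution fails).
    `http_get(host, addr)` returns an HTTP status code, or raises OSError when the
    connection is refused, reset or times out (what a URL filter typically looks like
    from the client side).
    """
    try:
        addr = resolve(host)
    except OSError:            # socket.gaierror is a subclass of OSError
        return DNS_SINKHOLE
    if addr is None or addr in SINKHOLE_ADDRS:
        return DNS_SINKHOLE
    try:
        http_get(host, addr)
    except OSError:            # ConnectionRefusedError, ConnectionResetError, socket.timeout
        return URL_FILTER
    # Any HTTP response means the path to the site is open at both layers.
    # A filter that serves its own block page (e.g. a 403) would need a body check here.
    return NOT_BLOCKED


def audit_hosts(hosts: Iterable[str], resolve: Resolver, http_get: Fetcher) -> Dict[str, str]:
    """Classify every host in `hosts`; returns {host: outcome}."""
    return {h: classify_block(h, resolve, http_get) for h in hosts}


# Live-network helpers (standard library only). Point the system resolver at the router,
# as the video does, so the DNS leg goes through the device under test.
def real_resolve(host: str) -> str:
    return socket.gethostbyname(host)


def real_http_get(host: str, addr: str, timeout: float = 5.0) -> int:
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


# Constructed fakes so the logic can be exercised without a network.
def fake_resolver(table: Dict[str, Optional[str]]) -> Resolver:
    def resolve(host: str) -> Optional[str]:
        if host not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[host]
    return resolve


def fake_fetcher(refused: Iterable[str]) -> Fetcher:
    refused = set(refused)
    def http_get(host: str, addr: str) -> int:
        if host in refused:
            raise ConnectionResetError("connection reset by filter")
        return 200
    return http_get


if __name__ == "__main__":
    resolve = fake_resolver({
        "url-filtered.example": "203.0.113.10",   # resolves, then the HTTP leg is reset
        "sinkholed.example": "0.0.0.0",           # resolver answers with a bogus address
        "open.example": "203.0.113.20",           # resolves and answers HTTP
    })
    http_get = fake_fetcher(["url-filtered.example"])
    for host, outcome in audit_hosts(
        ["url-filtered.example", "sinkholed.example", "nxdomain.example", "open.example"],
        resolve, http_get).items():
        print(f"{host:24s} {outcome}")
```

Run against the fakes, `url-filtered.example` reproduces the behaviour described in the video: DNS still answers, only the HTTP request is stopped. On a real network the interesting comparison is to run the same host once with the router as resolver and once with an external resolver; a DNS sinkhole flips its verdict between the two runs, a URL filter does not.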
Info
Channel: Lawrence Systems
Views: 76,281
Keywords: lawrencesystems, tp-link omada, tp link, tp-link oc200 omada cloud controller, omada controller tp-link, omada tp link, tp link omada, tp-link omada cloud controller, tp-link tl-r605 review, tp-link eap225, tp link omada vs ubiquiti
Id: VJkV4qlzPsU
Length: 50min 11sec (3011 seconds)
Published: Thu Apr 08 2021