Amplifi HD firewall is pure hogwash

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,743
So it's been 30 mins. I unboxed and installed the Amplifi HD by Ubiquiti...

First thing I did after benchmarking it, and it can easily keep up with my 150mbps comcast connection just fine, was a Gibson Research Port Scan using Shields up.

Here are the results and they are shameful. There is no option to change any security settings on the device. My Cisco 1921 ISR G2 with ZoneFirewall completely passes every security test I can chunk at it. But the routing performance is getting dated and it maxes my ISP around 124mbps top speed.

I am not impressed with the Amplifi, if anything, only because it does not allow a more aggressive firewall approach.

Here is the lowdown. I am going to return this to Amazon in a few days because this thing is essentially not even a firewall. What is the whole point of it then?

edit** depending on the wifi performance at range, I may keep it and just run it in bridge mode (AP only mode) and just get a new router from Cisco or even a Ubiquiti dedicated router with a far superior firewall. I am just displeased with the price and this thing's ridiculous firewall.

And yes I do understand the target market but things like this should not be allowed in a consumer home because of the data at risk, ID theft, data theft, etc...

amplifi.png
 
Holy shit - that thing really responds as "closed" to those ports? This can't be right, lol...surely?
 
Over and over reboot upon reboot same result. It's like the damn thing doesn't even have a FW. It might as well just be a network switch

I have been playing with the wireless coverage and holy shit its good I won't lie. My AP AC LR the big round one has just as good overall range as the mesh points but at range the mesh points are significantly faster.

I was pulling 30mbps 300 foot away down the driveway. I live in the country. At 200 foot about 75 mbps and 100 foot it was full ISP wirespeed at 183/24 Comcast 150. When the signal db approaches -80 the band switches to 2.4ghz and extends range and speed drastically. But when the 2.4ghz signal increases to a certain point I think around -60db everything kicks over to 5ghz seamlessly. Reminds me of seamless roaming on high end Cisco WAPs I have worked with over the years.

For wireless performance its worth the money even compared to standalone APs which add up to about the same. The firewall is an absolute J O K E!!!

Anyways I can get an Edge router for about 100 bucks to replace my Cisco and it should have these ridiculous security holes. That or I'll just set up a pfSense VM using my i3-2100 backup NAS appliance.

sorry for cell typos.
 
Man, that's awesome and sucks at the same time. I would just use them as APs and get your own router then, I guess.

I'm reading here that it apparently has a firewall, but it doesn't say anything about how to configure various settings. Does it have an option about what to do with inbound ICMP and other services? I'd at least try to contact their support about that before you write it off... but meh.
 
Man, that's awesome and sucks at the same time. I would just use them as APs and get your own router then, I guess.

I'm reading here that it apparently has a firewall, but it doesn't say anything about how to configure various settings. Does it have an option about what to do with inbound ICMP and other services? I'd at least try to contact their support about that before you write it off... but meh.


There is nothing. Just port forwarding. I will contact their tech support. You can set a static IP of the router but it only works by changing the DHCP pool range. No direct way.

There is a toggle for uPnP and that's it. And port fwd. No options about ICMP reply or any other advanced function.

Not going to write it off. I'm going to more than likely keep it and set the system to AP (they call it bridge mode) and replace my 6 year old Cisco 1921 branch router with something else.
 
Amplifi HD looks like it is designed to work with another device to handle the routing and firewall.
 
Amplifi HD looks like it is designed to work with another device to handle the routing and firewall.

I am not sure about that. I think that Ubiquiti screwed the pooch on this one and decided that home users do not need stateful inspection engines on the product. However, it is now in bridge mode and working wonderfully and doing ZERO firewalling.

Here, for perspective, is my Cisco 1921 Integrated Services Router Gen2 with fully licensed IOS Zone Firewall. An actual factual hardcore firewall.

I think I am going to build a pfSense VM and place it on the network and try it for a while. I hear they are stellar firewalls these days.
Cisco.png
 
Could you just pick up their stand alone firewall and run it with the Amplifi? I just got the same router and now am concerned I may be at risk. Although I have it in bridge mode with the router the ISP provides, no time to set the damn thing up properly.
 
I am not sure about that. I think that Ubiquiti screwed the pooch on this one and decided that home users do not need stateful inspection engines on the product. However, it is now in bridge mode and working wonderfully and doing ZERO firewalling.

Here, for perspective, is my Cisco 1921 Integrated Services Router Gen2 with fully licensed IOS Zone Firewall. An actual factual hardcore firewall.

I think I am going to build a pfSense VM and place it on the network and try it for a while. I hear they are stellar firewalls these days.
Cisco.png

I get full green with an AC1900 ASUS router as well.

For the Amplifi HD to fail so hard, I can only presume it's not expected to be used standalone for people that care about security. It's a fancy looking mesh network solution, not a security device. Plus you mentioned it didn't even have security settings to adjust...

//Update: Typo
 
I get full green with an AC1900 ASUS router as well.

For the Amplifi HD to fail so hard, I can only presume it's not expected to be used standalone for people that care about security. It's a fancy looking mesh network solution, not a security device. Plus you mentioned it didn't even have security settings to adjust...

I am going to agree with that. I just searched my local Marietta GA Microcenter and they are selling the 5 port Edgerouter X for like $49.00. I understand it can completely keep up with a Gig ISP pipe no problem. I think I will forego making the PfSense box and just go and try that router.

For the price of Amplifi HD and its coverage and speed wirelessly it is going to be damn hard to find better for the price. Even piecing together enterprise grade standalone Ubt products. That is why the more I think about it the less I want to send this Amplifi HD back and just keep it in bridge mode to a real firewall.

Plus I'm a total sucker for that little LCD on the main unit. It's sexy as f**k!
 
Curious.........Did you try turning off UPNP in the Amplifi and try rerunning the Shield's UP scan?

Do you run an SMTP server? I only ask because port 25 shows open when nearly every ISP actively blocks port 25 inbound on residential connections.
 
Comcast doesn't block anything and no I didn't toggle UPNP off. I will try it later.

I have access to host any of the 65K ports there are. I'm a res customer as well.

No I have no use for an email server of my own. Not hosting one.
 
Comcast doesn't block anything and no I didn't toggle UPNP off. I will try it later.

I have access to host any of the 65K ports there are. I'm a res customer as well.

Interesting... South Jersey/Philly Comcast Residential and Dynamic Business connections have port 25 inbound blocked as well as the well known SMB sharing ports.

I'm wondering if something on your network is talking to the Amplifi via UPnP and opening up those specific ports......
 
It was possible. I have all kind of consumer media crap running. The Cisco doesn't support upnp which is a good thing. First upnp edge device I have owned in probably a decade and I will look into it later when I get done mountain biking.
 
I am going to agree with that. I just searched my local Marietta GA Microcenter and they are selling the 5 port Edgerouter X for like $49.00. I understand it can completely keep up with a Gig ISP pipe no problem. I think I will forego making the PfSense box and just go and try that router.

For the price of Amplifi HD and its coverage and speed wirelessly it is going to be damn hard to find better for the price. Even piecing together enterprise grade standalone Ubt products. That is why the more I think about it the less I want to send this Amplifi HD back and just keep it in bridge mode to a real firewall.

Plus I'm a total sucker for that little LCD on the main unit. It's sexy as f**k!


Get the ERL, not the ERX.
 
There isn't a discernible diff for the price between the two to my understanding of it.

I'll try it then since I went and bought it tonight. And if it doesn't pan out I'll get the Lite instead and if that doesn't pan out then I'll build a pfSense VM.
 
There isn't a discernible diff for the price between the two to my understanding of it.

I'll try it then since I went and bought it tonight. And if it doesn't pan out I'll get the Lite instead and if that doesn't pan out then I'll build a pfSense VM.

The ERL is a higher performing router that will handle your gigabit much better.
 
The ERL is a higher performing router that will handle your gigabit much better.

I don't have a gig connection. I only have a 150mbps ... that is why I wasn't worried about it.

For internal lan connections I have an absolutely mindblowing fast Cisco 4948-10GE which has obliteration capable speeds lol. It used to be a $35,000 top of rack switch not too long ago. Now it is retired and still ludicrously overkill.

For internet, you are def right. The edge router via documentation is a little faster, however, since I do not have a gig internet and only 150 it will probably suit my needs just fine for $49.95 at Microcenter for now. I can always return it and order a Edge lite if it doesn't pan out.
 
I don't have a gig connection. I only have a 150mbps ... that is why I wasn't worried about it.

For internal lan connections I have an absolutely mindblowing fast Cisco 4948-10GE which has obliteration capable speeds lol. It used to be a $35,000 top of rack switch not too long ago. Now it is retired and still ludicrously overkill.

For internet, you are def right. The edge router via documentation is a little faster, however, since I do not have a gig internet and only 150 it will probably suit my needs just fine for $49.95 at Microcenter for now. I can always return it and order a Edge lite if it doesn't pan out.

My mistake - I had some details of this post mixed with another thread where another member had gigabit and was having speed issues on an ERX.

Nice switch you have for home :)... what, no Nexus 5K? :)
 
My mistake - I had some details of this post mixed with another thread where another member had gigabit and was having speed issues on an ERX.

Nice switch you have for home :)... what, no Nexus 5K? :)


Well now the dilemma constitutes haha but in a good way.

I have an AP AC LR already mounted down stairs.

After even more research it is dawning on me. I really like the idea of centralized management of all my networking devices besides the Cisco switch mentioned above via Unifi. I think I am going to get the Unified Security Gateway and order two AP AC Mesh points one for floor 1 and floor 2. And since the AP AC LR is down here it means all 3 floors are covered max and there is centralized management.

Although I really like the look and convenience of the Amplifi HD, I can't stand not having more control and granularity over my data. That is just the professional network engineer (no longer practicing) in me.

So all you Ubiquiti experts out there does this pass your validation?

1 AP AC LR (already owned)
1 Unifi controller
2 AP AC Mesh (I don't need pro versions)
Unifi Security Gateway (much faster router than the Edgerouter lite and X) and far superior firewall.

I do not intend to run cat 5 cables to the mesh points other than power. That is the whole point of doing mesh. I have a solid wood cabin house and there is no sheet rock anywhere to hide cabling. I do not want to drill my wood beams etc...

Do I need to have Unifi server running all the time for the mesh points to work? How do they communicate on a backhaul with the AP AC LR if it is not a mesh point? The Amplifi communicates on a backhaul with the main Amplifi router box and with each other.

This is where I am confused. Or do I need an AP AC Pro model to do this as the AP AC LR doesn't have an extra backhaul radio in it.

Anyone with experience directly with Ubiquiti enterprise level mesh points please offer some guidance. I am going to call UBNT tomorrow also and ask some questions. I am sure they can steer me right.

My goal is to have centralized control over everything. I really can't stand merging consumer junk with enterprise quality. It really bothers me to think about all the time.
 
oh yea, i would have figured you would have turned upnp off before testing this...


gotta turn it off for a decent test, it could be your internal devices poking those holes...
 
Wait a minute, what's the issue here again? Are you those guys that think "stealthed" is something you want to be to benefit security?

Maybe someone could spell out the perceived problem with a closed port so I can tell them how they are wrong. There seems to be a giant misunderstanding in this thread.

The leap from "reports ports as closed" to "is no/not a real firewall" is pretty ridiculous in itself.
 
if there is a single forwarded port, like via upnp, theres no real point in stealthing
 
oh yea, i would have figured you would have turned upnp off before testing this...


gotta turn it off for a decent test, it could be your internal devices poking those holes...

Same thing with upnp off. With my Cisco 1921 and even the edge router X when a port is open the rest still stay stealthed. This is good in that a port scan on a stealth port will just mean the scan will fail and move on but a closed port will say hey something is here, lets try harder to break through now.

Wait a minute, what's the issue here again? Are you those guys that think "stealthed" is something you want to be to benefit security?

Maybe someone could spell out the perceived problem with a closed port so I can tell them how they are wrong. There seems to be a giant misunderstanding in this thread.

The leap from "reports ports as closed" to "is no/not a real firewall" is pretty ridiculous in itself.

A closed port is still an advertisement that there is a system present. IF a port is not stealthed and it is probed someone will know there is something there and it may entice them to dig further. Stealthing ports is a requirement by the US Federal government as well.

You will NEVER see consumer equipment firewalls in play at Federal offices, I know I used to be a network engineer for them, and this is due to the fact that almost all consumer gear would fail miserably against our own testing methodology in securing network channels from breach. This ubiquiti wouldn't even come within an inch of being looked at for a second. However, my Cisco 1921 is gainfully employed in countless government offices because they pass security standards with flying colors.

I'm back on my Cisco right now.

I have elected to try the Unifi Security Gateway as it is superior to the Ubiquiti Edgerouter X as well as the Amplifi HD. I am probably going to run the enterprise meshes as well. I do NOT want to drill holes throughout my house to run cabling. I live in a wood cabin style house. No sheetrock anywhere. I want to centralize control to one point. I don't like mixing and matching consumer and enterprise. It is bad juju for me.
 
From a security standpoint a closed port vs. a "dead" port makes no difference. You also don't hide a system this way. If there is a system on an IP address that just doesn't answer to any requests, you still know it's there because the router _before_ it doesn't give you an address unreachable message.

Stealthing is an obscurity thing from the 90s and has nothing to do with security.

The most important security aspect of a port is whether there is any code behind it that's handling requests. Whether the firewall gives you an additional RST packet makes no difference to your security.
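To make the closed-versus-stealthed argument above concrete, here is an added illustration (not code from the thread or from any Ubiquiti product) that models what a SYN probe elicits from a perimeter firewall under a "reject" policy (answer with RST, what Shields UP labels "closed") and a "drop" policy (stay silent, labelled "stealth"). The forwarded-port set and the firewall classes are constructed sample data; the only thing the model shows is that the set of ports with a service actually reachable behind them is the same under either policy.

```python
"""Model of how a firewall's response policy changes what a port scanner
reports, and why it does not change the exposed attack surface.

Added illustration for the closed-vs-stealthed discussion in this thread;
it is not code from the thread or from any vendor. Port lists are constructed.
"""
from dataclasses import dataclass

# The three things a SYN probe can elicit from the scanned address.
SYN_ACK = "SYN/ACK"   # a service accepted the connection attempt
RST = "RST"           # refused: nothing listening, or firewall "reject" policy
NO_RESPONSE = None    # silently dropped: firewall "drop" policy


def classify_probe(response):
    """Map a probe response to the label a scanner such as Shields UP uses."""
    if response == SYN_ACK:
        return "open"
    if response == RST:
        return "closed"
    if response is NO_RESPONSE:
        return "stealth"  # nmap calls the same observation "filtered"
    raise ValueError(f"unknown probe response {response!r}")


@dataclass(frozen=True)
class Firewall:
    """A NAT router with a set of forwarded ports and a policy for the rest.

    unsolicited_policy is either "reject" (send RST) or "drop" (say nothing).
    Both are hypothetical labels chosen for this model.
    """
    forwarded: frozenset
    unsolicited_policy: str

    def respond(self, port):
        if port in self.forwarded:
            # Forwarded traffic reaches the internal service, which answers.
            return SYN_ACK
        if self.unsolicited_policy == "reject":
            return RST
        if self.unsolicited_policy == "drop":
            return NO_RESPONSE
        raise ValueError(f"unknown policy {self.unsolicited_policy!r}")


def scan(fw, ports):
    """Return {port: scanner_label} for a probe of each port."""
    return {p: classify_probe(fw.respond(p)) for p in ports}


def exposed_services(scan_result):
    """Ports where code is actually handling requests: the real attack surface."""
    return frozenset(p for p, state in scan_result.items() if state == "open")


# Constructed example: two forwarded ports, a probe of a handful of others.
# Port 25 appears as "open" in the thread's scan, so it is reused here.
FORWARDED = frozenset({25, 443})
PROBED = [22, 25, 80, 443, 3389]
REJECT_FW = Firewall(FORWARDED, "reject")   # "closed" elsewhere, like the Amplifi
DROP_FW = Firewall(FORWARDED, "drop")       # "stealth" elsewhere, like the 1921


def compare():
    """Show that the exposed service set does not depend on the policy."""
    reject_view = scan(REJECT_FW, PROBED)
    drop_view = scan(DROP_FW, PROBED)
    return {
        "reject": reject_view,
        "drop": drop_view,
        "same_attack_surface": exposed_services(reject_view) == exposed_services(drop_view),
    }


if __name__ == "__main__":
    result = compare()
    for policy in ("reject", "drop"):
        print(policy, result[policy])
    print("same attack surface:", result["same_attack_surface"])
```

The scanner output differs cosmetically ("closed" versus "stealth" on 22, 80 and 3389) while `exposed_services` is {25, 443} in both cases; what matters for risk is what is listening behind the forwarded ports, and whether UPnP can add to that set without the owner noticing, not whether the unforwarded ports answer with an RST.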
 
From a security standpoint a closed port vs. a "dead" port makes no difference. You also don't hide a system this way. If there is a system on an IP address that just doesn't answer to any requests, you still know it's there because the router _before_ it doesn't give you an address unreachable message.

Stealthing is an obscurity thing from the 90s and has nothing to do with security.

The most important security aspect of a port is whether there is any code behind it that's handling requests. Whether the firewall gives you an additional RST packet makes no difference to your security.

Great points. However, I am just used to being subject to all the federal requirements over the years.

I still don't like the idea of mixing consumer and enterprise in the same bag. It may function just fine for most but for me its a mental thing. I don't like having so many moving parts that are managed from different locations.

This thread has been very interesting and I am hopeful it will add to the pool of information to anyone doing a search about UBNT products and firewalls etc...
 
However, my Cisco 1921 is gainfully employed in countless government offices because they pass security standards with flying colors.
There are no secure devices without secure configurations. That 1921 would fail miserably if not configured to pass the test. I have seen a lot of badly configured Cisco gear and any other brand you care to name for that matter. Even seasoned professionals fall into that trap, it's secure because I am using X. Then they get scanned for compliance and 2 dozen things show up and they fail miserably.
 
One that is run into all the time is the ISP modem is full of holes and makes the entire network vulnerable to a man in the middle attack.
 
There are no secure devices without secure configurations. That 1921 would fail miserably if not configured to pass the test. I have seen a lot of badly configured Cisco gear and any other brand you care to name for that matter. Even seasoned professionals fall into that trap, it's secure because I am using X. Then they get scanned for compliance and 2 dozen things show up and they fail miserably.

I configure my routers for full compliance and then they get tested. I have failed many a time, but we just find the problem, and get it to pass. There are lots of problems with IPS on Cisco and it's easy to allow many holes through it. But with practice you get better.

I love how my thread has suddenly become a pissing match. Typical on these forums. Anyways I am going to give this UBNT USG a try and see if I like it. I doubt it. I don't like too many of Ubiquiti's layer 3+ crap. Just feels like it's trying to be something that it's not because it's missing out on something or another. I will give it a try. If I don't like it who knows where I'll go next.
 
no difference in the mind of a hacker between closed/filtered (what you call stealth) the router has your mac address, and arp pinging the subnet you are on will discover all devices even ones that block icmp.
 
Also I too wanna know USG vs Edgerouter if anyone has an opinion. The setup OP mentions he will get is pretty good, I was thinking of doing the same, USG - 24port POE switch - AP AC LR - etc etc. The thing I can't figure out is if the unifi products are required for them to work with the controller, as in, will edgerouter show up in the unifi controller, or will you in effect have 2 controllers??
 
no difference in the mind of a hacker between closed/filtered (what you call stealth) the router has your mac address, and arp pinging the subnet you are on will discover all devices even ones that block icmp.

Yeah but the pros that can do that do not care about my/our data. It's the amateurs that you want to keep away. They are going to try stuff...... meh ... nevermind. I didn't want to argue. I simply wanted to report for anyone who gives 2 shits that the Amplifi HD has a lackluster, featureless, almost neutered and useless firewall contraption.
 
will edgerouter showup in the unifi controller, or will you in effect have 2 controllers??
Unifi does not integrate the Edge series, so Unifi Controller's gateway section will be empty with an Edgerouter. Or any other non-Unifi router, obviously.

Edgerouters offer their own web portal & the CLI.
 
I have learned that nothing in the UBNT product line will work if it isn't stamped Unifi.

I got the USG running last night. It's actually a decent firewall. As far as I can tell the same as the ERX but with more potential as an actual security device.

Lots more to figure out but having Unifi manage everything is really nice and having all the metrics listed in Unifi is super nice too. Now I just need to return my Amplifi and order 2 more APs. Another for the inside of my house making 2 total and 1 So for outside since I have a few acres and like streaming music for parties and doing work outside.
 
I have learned that nothing in the UBNT product line will work if it isn't stamped Unifi.

I got the USG running last night. It's actually a decent firewall. As far as I can tell the same as the ERX but with more potential as an actual security device.

Lots more to figure out but having Unifi manage everything is really nice and having all the metrics listed in Unifi is super nice too. Now I just need to return my Amplifi and order 2 more APs. Another for the inside of my house making 2 total and 1 So for outside since I have a few acres and like streaming music for parties and doing work outside.


Can it act as an L2TP/IPsec client?
Unifi does not integrate the Edge series, so Unifi Controller's gateway section will be empty with an Edgerouter. Or any other non-Unifi router, obviously.

Edgerouters offer their own web portal & the CLI.

It seems obvious, but their documentation is pretty shitty, and they have no good examples of the web interface pages, so tbh without someone like you having told me this, I would still be scratching my head.
 
I prefer the edgerouter, as I don't need/want the SDN features of unifi on my router... unifi is great for access points, and it's also not bad for access switches, most everything else I want the edgemax line....
 