<div dir="ltr">Just to clear it up a hair. Cambium screwed that up. They literally broke the law by providing instructions to bypass encryption (The provided it to me, their claims to the contrary are lies.), which is a DMCA violation and isn't covered in fair use because cambium didn't own the devices. They also used a contract encumbered beta firmware they weren't allowed to touch per various trade secret laws and that was provided by a wisp that was also sued for confidentiality breach. Ubiquiti basically had no choice but to sue them. Plenty of rules on the book about having to defend your copyrights, trademarks, and contracts else they are void. Cambium was who screwed up here, big time. They could have and should have made the elevated firmware OR offered it as an openwrt module and published supported chipsets. The community would have figured the rest out from tftp recovery installs or their own beta firmwares which they had fair use on and Ubiquiti would have no obligation to defend anything and no standing. <br><br>I don't like how Ubiquiti handled it, but legally speaking they had little choice but to do something. Cambium on the other hand royally screwed up. As evidenced by Ubiquiti losing nothing, changing nothing except tightening up even more and even disengaging in the community and Cambium lost a product line entirely with immediate halt of sales and barred from distribution or even support and even stroked UI a check... That's an exceptionally one sided settlement.<br><br>open source licenses of course stomped on pretty hard by both parties.<br><br>IMO, there is no practical way to target the CPE with updated firmwares to provide AQM there. Too many vendors, no compliance on GPL for firmware though they are all using openwrt underneath except Mikrotik and cambiums 450 line. Operators have fair use on our products so as long as LibreQOS never provides instructions to bypass or break encryption then that's not an issue, just the practicalities of actually doing this.<br><br>The type of wISP that is really interested in AQM in any way is also likely the ones quickly leaving the old hardware behind. I have a dominantly ubiquiti network and <5% of them are old enough that they came with an unencrypted bootloader or anyone at openwrt has figured out how to work around, and even if I did I wouldnt get airmax anymore, I'd have to go to straight 802.11ac which is substantially inferior. <br><br>In other words, a LOT of work for little to no gain practically speaking. <br><br>Slight divergence here... If you search the mikrotik forums, I've asked for an outdoor device with an ARM CPU that has 12-60V PoE IN and matching PoE out to function as a bump in the wire. Could be used as a bridge device injecting option 82 and doing a bridge shaper, or could act as a router, or even just to capture packets etc. You could use a device like this to sit between an access point and it's POP switch or router, or whatever novel network design you can think of... Then push customer upload shaping off to that device as well. Go bump that if you like the idea. They have the wAP AC that is very close, but it doesn't pass through PoE.<br><br>So I think that the only practical option is to either target just the edge, or edge + tower sites, or find a device that can act as the dmarc for customers like mikrotik's GPEN21 which runs their SWOS and I don't know if you could get openwrt on there. <br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 9, 2022 at 10:50 AM Dave Taht via LibreQoS <<a href="mailto:libreqos@lists.bufferbloat.net">libreqos@lists.bufferbloat.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">the outcome of the "elevate" tiff between cambium and ubnt was<br>
*extremely* unacceptable to the FOSS community. Both sides stopped<br>
publishing source code entirely, and I was long ago in touch with the<br>
software conservancy about this. I will ping them again on this front.<br>
(for those of you that are not aware,<br>
cambium produced software that ran on some ubnt radios and then...<br>
<br>
Some backing details:<br>
<br>
<a href="http://www.mtin.net/blog/ubnt-vs-cambium/" rel="noreferrer" target="_blank">http://www.mtin.net/blog/ubnt-vs-cambium/</a><br>
<br>
<a href="https://www.channelfutures.com/regulation-compliance/cambium-networks-settles-federal-lawsuit-by-rival-ubiquiti" rel="noreferrer" target="_blank">https://www.channelfutures.com/regulation-compliance/cambium-networks-settles-federal-lawsuit-by-rival-ubiquiti</a><br>
<br>
<a href="https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-gpl-violations/" rel="noreferrer" target="_blank">https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-gpl-violations/</a><br>
<br>
The elevate was a great product (it leveraged all <a href="http://bufferbloat.net" rel="noreferrer" target="_blank">bufferbloat.net</a>'s<br>
work on BQL, fq_codel, etc, etc) and I was *enraged* to see it die,<br>
particularly on the arguments that were used in court, and then<br>
settled and sealed. Microsoft has no say over installing linux on<br>
their hardware, and it is/was insane for anyone to prevent installing<br>
better software on your router - I don't get it, you lose some new<br>
sales, perhaps, but if you built good hardware, it's very green to<br>
keep it running until you need to replace it... and I'm convinced that<br>
mikrotik and ubnt at least actually have a large userbase that ignores<br>
the default (crappy) software and just installs openwrt on top of it,<br>
and that's where at least some of their R&D come from. They still get<br>
the hardware sale and then they have no support costs...<br>
<br>
Anyway, moving forward with <a href="http://libreqos.io" rel="noreferrer" target="_blank">libreqos.io</a> v.1.5 - so long as there is no<br>
"sale" involved, us (IMHO) doing something elevate-like for free on<br>
*old* ubnt or cambium hardware leveraging the openwrt builds, is<br>
untouchable, legally, and of huge benefit (and savings on capex) to<br>
ISPs given how much better modern software works on this old hardware,<br>
in particular. fq_codel "just works" on the wifi and ethernet<br>
interfaces, there's BQL, and IPv6, supported. The ubnt M5s were my<br>
first target for the fq_codel work, the first to get fq_codel for<br>
wifi, and the backbone of my network at lupin. Vastly better than the<br>
original firmware. There is limited flash so the m5s were obsoleted by<br>
openwrt 22.03, but there is another build for them within those memory<br>
requirements elsewhere, and 19.x was more than good enough. So for the<br>
old hardware, openwrt is not presently affected by their<br>
noncompliance.<br>
<br>
But IMHO moving forward! on newer gear they are producing, their lack<br>
of gpl compliance is becoming a real problem, and lag on things like<br>
ipv6, etc, also.<br>
<br>
Ideally we find ways of integrating with their current products (or<br>
they end up using our stuff!) and otherwise, we should steer clear of<br>
the lawyers in our pursuit of a better internet for everyone, running<br>
on everything.<br>
<br>
We're all in this bloat together.<br>
<br>
PS Also to this day, I love the ubnt Picostations. Incredible range<br>
compared to what you can get today, and they last forever....<br>
<br>
On Wed, Nov 9, 2022 at 8:39 AM Dave Taht <<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>> wrote:<br>
><br>
> On Wed, Nov 9, 2022 at 8:27 AM Herbert Wolverson via LibreQoS<br>
> <<a href="mailto:libreqos@lists.bufferbloat.net" target="_blank">libreqos@lists.bufferbloat.net</a>> wrote:<br>
> ><br>
> > I've no idea. We only have a few M2/M5 CPEs left, and all of the access points are running AirMax AC. Since that's neither an open nor standard protocol, I don't think OpenWRT would work for us.<br>
><br>
> You just update both sides.<br>
><br>
> ><br>
> > I have no doubt that it outperforms the Mx code, though. Elevate (Cambium's "turn CPEs into Cambium SMs" program that turned into lawsuit city) makes them perform really, really well.<br>
><br>
> I know. They were running "my stuff", inside, on all interfaces.<br>
><br>
> ><br>
> > On Wed, Nov 9, 2022 at 10:23 AM Dave Taht <<a href="mailto:dave.taht@gmail.com" target="_blank">dave.taht@gmail.com</a>> wrote:<br>
> >><br>
> >> does dhcp option 82 work on openwrt?<br>
> >><br>
> >> I long ago reflashed all my m2 and m5s to openwrt. outperforms ubnts<br>
> >> default build across the board if you tune down the txop size to<br>
> >> 2.5ms.<br>
> >><br>
> >> On Wed, Nov 9, 2022 at 8:20 AM Herbert Wolverson via LibreQoS<br>
> >> <<a href="mailto:libreqos@lists.bufferbloat.net" target="_blank">libreqos@lists.bufferbloat.net</a>> wrote:<br>
> >> ><br>
> >> > We have a bespoke solution to do similar (I keep meaning to make it more generic and open source it). The basic operation is (using our Mimosa devices as an example; it's actually a lot more complicated than that since we have everything from apartment complexes with Ethernet jacks to regular Ubiquiti devices in bridge mode):<br>
> >> ><br>
> >> > A server contains an instance of FreeRADIUS.<br>
> >> > Periodically, a script runs and queries UISP. It finds client sites with a device matching the type "Mimosa C5x" and an "other device" entitled "Service IP".<br>
> >> ><br>
> >> > A radius record is then added for the CPE (using the MAC and IP from the Mimosa device), placing the Mimosa CPE on the IP address in the "mimosa" record.<br>
> >> > A second radius record is added that matches Option 82 headers to see that a request passed through the Mimosa. This will always hand out the IP address from the "Service IP" record.<br>
> >> > The radius database is refreshed with this information.<br>
> >> ><br>
> >> > When a CPE comes online, the DHCP server sends a RADIUS request. If the MAC address matches a RADIUS record, the device is assigned to the CPE address from the RADIUS records.<br>
> >> > When a customer's device sends a DHCP request, it passes through the CPE. The CPE's "option 82" support decorates the DHCP request with the CPE's MAC address in a header. This then matches the second rule in Radius, ensuring that no matter what device the customer plugged in - it gets the Service IP.<br>
> >> ><br>
> >> > This then dovetails into the QoS - because we can be 100% sure that the customer's router has the IP address of the Service IP record in their client site.<br>
> >> ><br>
> >> > It took about an afternoon to setup, and is really nice. We have additional rules like "place unknown CPEs into a block that is redirected to a page reminding the installer to call in the account for setup", special handling of suspended accounts and similar.<br>
> >> ><br>
> >> > People have been begging Ubiquiti to a) support option 82 properly on the M5/M2 line (I have a 10 year old request still unanswered!), and b) provide some sort of RADIUS setup baked into UISP. The latter won't happen, because it reduces vendor lock-in. But it's really easy to setup, and use UISP as a "source of truth". (Obviously, when your clients are bridged you need to take precautions - client isolation, switch port isolation and DHCP snooping)<br>
> >> ><br>
> >> ><br>
> >> > On Wed, Nov 9, 2022 at 10:07 AM dan <<a href="mailto:dandenson@gmail.com" target="_blank">dandenson@gmail.com</a>> wrote:<br>
> >> >><br>
> >> >> How are you linking UISP to RADIUS?<br>
> >> >><br>
> >> >> On Sat, Nov 5, 2022 at 10:29 AM Robert Chacón via LibreQoS <<a href="mailto:libreqos@lists.bufferbloat.net" target="_blank">libreqos@lists.bufferbloat.net</a>> wrote:<br>
> >> >>><br>
> >> >>> In our particular case we use RADIUS tied to UISP so we don't have the immediate need, but I think it's an important feature to add.<br>
> >> >>><br>
> >> >>> Perhaps cpumap-pping can have a feature to define "shaped subnets" during the filter setup, and then we could query cpumap-pping for a JSON output of IPs detected in traffic that are in the "shaped subnets" groups, but not defined in the hash map.<br>
> >> >>><br>
> >> >>> Curious to hear what others think here. Would others need this in order to adopt LibreQoS?<br>
> >> >>><br>
> >> >>><br>
> >> >>> On Sat, Nov 5, 2022 at 7:33 AM Herbert Wolverson via LibreQoS <<a href="mailto:libreqos@lists.bufferbloat.net" target="_blank">libreqos@lists.bufferbloat.net</a>> wrote:<br>
> >> >>>><br>
> >> >>>> As we approach the v1.3 pre-release feature freeze, I've been thinking a little bit about nice things to have. One thing I found useful in both BracketQoS and Preseem was the ability to grab a list of IP addresses that had been through the shaper, but weren't mapped to a queue (obviously, only from within the "allowed IP" range - we're not trying to map the Internet!).<br>
> >> >>>><br>
> >> >>>> In Preseem, there's a link to download a CSV file containing all the unmapped IP addresses and how much traffic they have consumed. BracketQoS (pre cpumap-pping) has a report showing the IPs (no traffic).<br>
> >> >>>><br>
> >> >>>> *Why is this useful?*<br>
> >> >>>><br>
> >> >>>> Knowing which local IP addresses were processed but not mapped lets you find:<br>
> >> >>>><br>
> >> >>>> * the times that a device was installed, but the on-boarding process wasn't completed. Yes, that shouldn't happen. And - unfortunately - it occasionally does. If you're using RADIUS-based authentication, it's really difficult for this to happen - but not everyone is.<br>
> >> >>>> * If there's a bug in your shaper integration, it's helpful to see "oops, I put X on the default"<br>
> >> >>>> * Just occasionally, you get a customer who needs a special setup; it's helpful to see that it worked.<br>
> >> >>>><br>
> >> >>>> *Current Status*<br>
> >> >>>><br>
> >> >>>> Before cpumap-pping, Bracket was grabbing them by reading the pping output and listing addresses that didn't match a shaping rule. That doesn't work now:<br>
> >> >>>><br>
> >> >>>> * xdp_pping is spitting out TC handles, rather than IP addresses.<br>
> >> >>>> * With a default rule in place, and handling for IPv6 and IPv4 subnets, an IP address might not exactly match an entry (requires an LPM trie lookup) - and IPs matching a default rule (::/0 or <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a>) will always come back with the "default" handle.<br>
> >> >>>><br>
> >> >>>> It's currently pretty tricky to do.<br>
> >> >>>><br>
> >> >>>> So I'm curious; would others like to see this? I have a few ideas for how to make it work, but don't want to start serious planning/design if I'm the only one who wants the feature.<br>
> >> >>>> _______________________________________________<br>
> >> >>>> LibreQoS mailing list<br>
> >> >>>> <a href="mailto:LibreQoS@lists.bufferbloat.net" target="_blank">LibreQoS@lists.bufferbloat.net</a><br>
> >> >>>> <a href="https://lists.bufferbloat.net/listinfo/libreqos" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/libreqos</a><br>
> >> >>><br>
> >> >>><br>
> >> >>><br>
> >> >>> --<br>
> >> >>> Robert Chacón<br>
> >> >>> CEO | JackRabbit Wireless LLC<br>
> >> >>> Dev | LibreQoS.io<br>
> >> >>><br>
> >> >>> _______________________________________________<br>
> >> >>> LibreQoS mailing list<br>
> >> >>> <a href="mailto:LibreQoS@lists.bufferbloat.net" target="_blank">LibreQoS@lists.bufferbloat.net</a><br>
> >> >>> <a href="https://lists.bufferbloat.net/listinfo/libreqos" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/libreqos</a><br>
> >> ><br>
> >> > _______________________________________________<br>
> >> > LibreQoS mailing list<br>
> >> > <a href="mailto:LibreQoS@lists.bufferbloat.net" target="_blank">LibreQoS@lists.bufferbloat.net</a><br>
> >> > <a href="https://lists.bufferbloat.net/listinfo/libreqos" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/libreqos</a><br>
> >><br>
> >><br>
> >><br>
> >> --<br>
> >> This song goes out to all the folk that thought Stadia would work:<br>
> >> <a href="https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz" rel="noreferrer" target="_blank">https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz</a><br>
> >> Dave Täht CEO, TekLibre, LLC<br>
> ><br>
> > _______________________________________________<br>
> > LibreQoS mailing list<br>
> > <a href="mailto:LibreQoS@lists.bufferbloat.net" target="_blank">LibreQoS@lists.bufferbloat.net</a><br>
> > <a href="https://lists.bufferbloat.net/listinfo/libreqos" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/libreqos</a><br>
><br>
><br>
><br>
> --<br>
> This song goes out to all the folk that thought Stadia would work:<br>
> <a href="https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz" rel="noreferrer" target="_blank">https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz</a><br>
> Dave Täht CEO, TekLibre, LLC<br>
<br>
<br>
<br>
-- <br>
This song goes out to all the folk that thought Stadia would work:<br>
<a href="https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz" rel="noreferrer" target="_blank">https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz</a><br>
Dave Täht CEO, TekLibre, LLC<br>
_______________________________________________<br>
LibreQoS mailing list<br>
<a href="mailto:LibreQoS@lists.bufferbloat.net" target="_blank">LibreQoS@lists.bufferbloat.net</a><br>
<a href="https://lists.bufferbloat.net/listinfo/libreqos" rel="noreferrer" target="_blank">https://lists.bufferbloat.net/listinfo/libreqos</a><br>
</blockquote></div>