What the Ubiquiti AmpliFi mesh router is missing

Among the new crop of mesh routers, the Ubiquiti AmpliFi seemed the most promising. So, when a client was having Wi-Fi problems, yet again, I thought that perhaps this might be the time to set them up with a mesh network with a single Wi-Fi password. 

The AmpliFi routers are very new, and normally, I would wait until there is more feedback, but I was willing to make an exception because Ubiquiti is a well-known networking company.

But first, I checked the User Guide looking for the one feature every techie needs when setting up a network for someone else - remote access (a.k.a. Remote Administration). Typical articles on router security say to disable Remote Administration, but that's an overly simplistic view, common among the art history majors that write so many tech articles.

Remote administration exists for a reason: it beats having to travel to a client every time they are having Internet access problems. And good routers can lock it down.

Page 22 of the AmpliFi User Guide clearly states "The Router can only be configured in the local network; there is no cloud or remote access." 

No AmpliFi for me.


My favorite router company, Peplink, offers three types of remote access and, although I am the guy behind RouterSecurity.org, I have no hesitation in using any of them.

To begin with, they offer the normal remote access which requires either a static public IP address or Dynamic DNS (DDNS). Peplink supports four DDNS providers and, theoretically, they can work with other providers too.

Remote access to any router is protected with a password, but Peplink offers much more. You can, for example, change the port number. So rather than listening on the standard ports of 80 or 443, a Peplink router can listen on port 60,123. Peplink also lets you force remote access to use HTTPS and lets you change the router userid; you are not locked into "admin". Finally, remote access can be restricted by source IP subnet, a great feature, even though I once locked myself out using it.
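The four lockdown options above, plus the lock-out risk of the source subnet restriction, can be checked before a change is saved. The following is an added example, not Peplink code: the settings field names, the finding labels and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
import ipaddress

# Hypothetical settings record; field names are assumptions, not any vendor's schema.
DEFAULT_PORTS = {80, 443}

def audit_remote_admin(cfg, admin_ip):
    """Return findings for a remote-administration config, checked from admin_ip."""
    findings = []
    if not cfg.get("enabled", False):
        return findings  # remote access is off, nothing is exposed
    if not cfg.get("https_only", False):
        findings.append("http-allowed")        # credentials could cross the WAN in clear
    if cfg.get("port") in DEFAULT_PORTS:
        findings.append("default-port")        # listening where every scanner looks first
    if cfg.get("username", "admin").lower() == "admin":
        findings.append("default-username")    # half of the login is already known
    nets = [ipaddress.ip_network(n, strict=False)
            for n in cfg.get("allowed_subnets", [])]
    if not nets or any(n.prefixlen == 0 for n in nets):
        findings.append("open-to-any-source")  # no effective source restriction
    elif not any(ipaddress.ip_address(admin_ip) in n for n in nets):
        # The restriction works, but it also excludes the person applying it.
        findings.append("admin-locked-out")
    return findings

# Constructed sample configurations (addresses are RFC 5737 documentation ranges).
WEAK = {"enabled": True, "https_only": False, "port": 80,
        "username": "admin", "allowed_subnets": []}
HARDENED = {"enabled": True, "https_only": True, "port": 60123,
            "username": "netops", "allowed_subnets": ["203.0.113.0/24"]}

if __name__ == "__main__":
    print("weak:", audit_remote_admin(WEAK, "203.0.113.10"))
    print("hardened, admin inside subnet:", audit_remote_admin(HARDENED, "203.0.113.10"))
    print("hardened, admin outside subnet:", audit_remote_admin(HARDENED, "198.51.100.7"))
```

Running the check from the address you will actually administer from is what catches the lock-out case before the restriction is applied.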

The second type of remote access is not for the owner of a Peplink router, but for the company itself. They call it "Remote Assistance" and it's disabled by default. If you open a tech support problem with Peplink, they may need access to your router for debugging purposes and Remote Assistance gives it to them. Does your router company offer this service?

The third way in is with a cloud service, InControl2. It offers both its own reports and remote access to the same web interface you would see locally. One of the InControl2 reports - an audit trail of outages - came in handy recently. When a client had Internet access problems, I was able to check with InControl2 that the router was off-line because of an ISP problem. Saved myself a trip.

InControl2 is optional and disabled by default. It's free for the first year and $25/year thereafter, at least for the low-end Surf SOHO model that I typically use.

Another thing that Ubiquiti is missing is documentation.

When the AmpliFi router/system initially shipped, it could only be configured with a mobile app. The User Guide says (page 22) that while there is no web interface now, "you will be able to monitor and configure your AmpliFi network using a web browser." A very recent review mentioned that the web interface now exists. Will Ubiquiti update the manual? Maybe not.

My previous experience with a Ubiquiti router showed their documentation to be quite lacking. Also, I judge a company's interest in documentation by the first couple of pages of the User Guide.

A professional company puts both a date and a version number in the beginning of the manual, fully expecting it to be updated in the future as the product changes. The AmpliFi User Guide has no date and no version number. A company that doesn't do this is probably not expecting to ever update the manual. Apple doesn't do it either.

Peplink, although their documentation is far from perfect, puts a date and a firmware version number on their manuals, and they update the documentation in sync with the firmware.

Over the last few years, many router flaws have been in the web interface, so a newly developed one scares me a bit. I'd like to be able to lock down access to it, but ... there's that documentation issue again.

As a consumer-oriented router, it is no surprise that the AmpliFi does not support Quality of Service or parental controls. The goal, as with many other routers, is to remove configuration options that scare away non-techies. What surprised me, though, was support for WPA encryption. Any Wi-Fi capable device that does not support WPA2 should not be coddled; it should be retired.

I did not set out to bash Ubiquiti. Everywhere else on the Internet you can find articles extolling the virtues of their AmpliFi router system. Those very articles had convinced me that AmpliFi was the best of the current round of mesh router systems. But, in stripping out remote access, Ubiquiti has gone one step too far. 


Copyright © 2016 IDG Communications, Inc.
