Router Security Mesh Routers Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
Also see my Defensive Computing Checklist website
 
Table of Contents
Mesh Overview Non Security Issues 
Netgear Orbi Pro Asus
AmpliFi TP-LINK Deco M5
Linksys Velop Synology Mesh
Plume Tenda Nova
Nokia Beacon Eero

MESH OVERVIEW

A mesh router differs from older routers in that the mesh is a system of multiple devices that work together. Older routers are single devices. The mesh router system can consist of two, three or more devices. They are normally sold together as a set of two or three devices.

With some mesh systems, such as the Linksys Velop, all the devices are exactly the same, but that is the exception not the rule. The device that plugs into the modem via Ethernet may be called the router or the base station. There really is no official term, as far as I know. Often this main device is physically bigger than the other devices.

The other devices have been called Mesh Points (AmpliFi), WiFi Points (Google), Beacons (Eero) and Satellites (Netgear Orbi). More generically, they may be referred to as Access Points or APs. There may well be other terms too.

From the beginning routers have been complex devices with more configuration options than anyone could possibly understand, myself included. On the whole, however, I view the complexity as a good thing, as it offers many options for better security. But, these dozens of options are too much for consumers and non-techies to deal with.

So, when the time came in early 2016 for new mesh routers to appear on the market, hardware vendors took it as an opportunity to make routers more user-friendly by removing 90% of the features. By then, everyone had a smartphone so management of the router was moved from a web interface to a mobile app. But phones have small screens and thus little room for the many features that legacy routers offered. See the Google Wifi page for some critiques of its mobile app.

Most mesh router systems are managed solely with a mobile app are Eero, Google Wifi, Luma, Plume and Ubiquiti AmpliFi. The one exception had been Netgear, their Orbi routers still (as of April 2017) offer a full web interface with the classically large number of features. When the Linksys Velop system was introduced in January 2017 management of the system required a mobile app. In June 2017 they added a web interface, one that is similar to the interface on their WRT and Max-Stream routers. As far as I know, Velop, Orbi and the D-Link Covr are the only mesh router systems with a web interface (technically Cover is not a mesh system).

But, every coin has two sides. The flip side of easy-to-use is inflexible. Consumer focused mesh routers can hardly be tweaked at all. For example, they all have a single guest network. My favorite router, the Pepwave Surf SOHO can create eight networks as do some Asus routers.

Still, this latest generation of mesh routers is generally better than legacy models in a number of ways.

Mobile security, however, seems to be a downside. Configuring a legacy router always required you to enter a password. No more. There doesn't seem to be anything securing access to the mobile apps that control these newer routers. And, hardware vendors still drop the ball on UPnP, enabling it by default, no doubt, to minimize tech support calls.

Another trend with mesh router systems is the constant involvement of the hardware vendor in your network. With most of these systems you must establish an account with the hardware vendor and the mesh router phones home with data about your network. There are multiple downsides to this approach:

Some mesh routers that require you to establish an account with the vendor are Eero, Google Wifi, Plume, Luma, Amped ALLY and TP-Link Deco. Systems that do not require an account are the Ubiquiti AmpliFi, D-Link Covr, Netgear Orbi and the Linksys Velop. AmpliFi only requires an account for remote admin access to the network. AmpliFi does not have its own accounts, it uses either a Google or Facebook account.

On another note, I have yet to find a mesh router system that supports WPA2 Enterprise. While it is common to think that WPA2 is the best Wi-Fi security available (at least before WPA3 is released) the reality is that WPA2 Enterprise is more secure than WPA2. Its also more complicated and since these are consumer devices, the lack of support makes sense. One big advantage of WPA2 Enterprise is that instead of a single password, each Wi-Fi user gets their own userid and password. The mesh routers that definitely do not support WPA2 Enterprise are Eero, Netgear Orbi, Google Wifi, TP-LINK Deco M5, AmpliFi and Linksys Velop. Needless to say, the Pepwave Surf SOHO does support WPA2 Enterprise.

For an overview of mesh routers see Wireless mesh networks: Everything you need to know by Glenn Fleishman (May 2020).

NON SECURITY ISSUES  Top Of Page

Diverging from security, after testing the Wi-Fi performance of a few mesh router systems, Tim Higgins of SmallNetBuilder.com observed: ... no matter which mesh wireless system you choose, be prepared to experiment with node locations. Unfortunately, only Amplifi provides signal strength information to guide mesh node placement and also provides a clear indication of how nodes are connected. With the others, you're on your own to devise your own methods to determine best node placement. Let's hope vendors improve the situation, because it's clear mesh node placement matters...a lot!

Some mesh systems can be connected via Ethernet, some can not. The official term for the connection between satellite mesh devices and the main device (the one directly connected to an ISP) is "backhaul." In August 2017, Tim Higgins wrote that eero, TP-Link Deco and Google Wifi support Ethernet backhaul, while the Netgear Orbi does not. Netgear has promised support for a while now.

In the same article, Higgins notes that the systems differ in radio design. Both generations of Orbi and eero Generation 2 have three radios; one for 2.4 GHz and two for 5 GHz. Google Wifi and TP-Link Deco have only two radios. Orbi and eero dedicate one radio to the 5 GHz low band (channels 36 - 48) and the other to the high (channels 149 - 165). Orbi always uses the 5 GHz high band radio for backhaul, and nothing but backhaul. In contrast, with eero Gen 2, Wi-Fi devices can connect to any of its three radios. He implies, but does not explicitly say that Google Wifi and TP-Link Deco can use either frequency band for backhaul. With Google Wifi you have no control over this, I don't know about Deco. The article did not include AmpliFi, so I will add that AmpliFi lets you easily chose the wireless frequency band used for backhaul. This is a great feature - when a satellite device is close to the main device, then 5GHz provides better speed but when they are far apart, 2.4GHz provides a stronger connection.

In the same article, Higgins notes that eero Gen 2, TP-Link Deco and Google Wifi can continue to operate if their cloud services are off-line. Eero originally could not do this, but this has changed. Still, for these devices, the cloud service is an essential part of the product, which is not true for Orbi and AmpliFi.

The final useful nugget from the same Aug. 2017 article concerns channel width on the 2.4GHz frequency band. The vast majority of routers use narrow (20 MHz wide) channels on this band to avoid interference. A few routers use wider 40 MHz channels so they can appear faster. The downside is that, in an area with many wireless networks, the wider channels might result in worse performance for both you and your neighbors. Higgins found that Eero, the TP-LINK Deco M5, and the Netgear Orbi all use wide channels. They are supposed to downshift to normal narrow channels, but this behavior is iffy. I blogged about finding an Eero using wide channels in a very crowded Wi-Fi neighborhood: Two things about Eero routers having nothing to do with Amazon (Feb. 18, 2019).

A good article by Dave Hamilton for the Mac Observer: How to Choose the Best Mesh Wireless System For Your Home. Hamilton has done extensive testing with Amped ALLY, Eero, Google Wifi, Linksys Velop, Luma, Netgear Orbi, TP-Link Deco and the Ubiquiti AmpliFi HD. That the article does not focus on speed is a breath of fresh air. Also, it talks about problems with a Netgear Orbi firmware update. Originally written Aug. 2017, last updated March 30, 2018.

EERO       Top Of Page

This was moved on February 23, 2019 to a new Eero page.

NETGEAR ORBI PRO       Top Of Page

The Netgear Orbi Pro is not nearly as well known as its consumer sibling, the plain Orbi.

The first generation Orbi Pros were released in August 2017. They did Wi-Fi 5 (aka 802.11ac) and the model number was SRK60. The primary difference vs. the consumer models was that it supported three different SSIDs - one for administration, one for employees, and another for guests. The LAN ports are part of the administration network. Each network is isolated from each other, with the guest network offering restricted time allotments and a captive portal for allowing access. The main network supports WPA2 Enterprise. As of October 2020, Netgear sold a pair (base station and one satellite) for $400, Amazon wanted $350. Initially, VLANs were not supported, but they are now. Initially the Guest Wi-Fi did not support WPA2, not it does. By default there is no password on the Guest Wi-Fi. Other later additions were a syslog server and an IoT network where devices can not see other IoT devices. The IoT network is, by default, blocked from the main network but you can change this. See the User Guide (pdf).

The second generation Orib Pro was released in September 2020 and supports Wi-Fi 6 (aka 802.11ax). The base station router is the SXR80, the satellite is the SXS80 and the pair is sold as the SXK80. The pair was $770 in October 2020, an additional satellite was $420. It is hard to get. According to Anandtech, it " ...borrows the internal hardware components of the consumer Orbi ... and reorients the internal antennae for better stability (rather than the peak performance aspect that is important for the consumer model)." How interesting.

The same article says: "The firmware is also tweaked for features required by SOHOs and SMBs. Management is done via the Insight app, rather than the Orbi app used by the consumer version. The product includes a free 1-year subscription to the Insight Cloud Management service ... Insight app-based management is not a must for the device. It can be configured using a web UI on the local network also." And: "Firmware features that are specific to the Orbi Pro (and not directly supported in the consumer Orbi) include better network separation and client isolation."

It can create four SSIDs (administration, employees, guests and IoT devices) each with a dedicated VLAN. Client isolation prevents devices in an SSID from seeing other devices using the same SSID. It does WPA3 and WPA3 Enterprise is coming soon (as of Sept. 2020).

According to Dong Ngo you get what you pay for. For example, there is a 2.5Gbps Ethernet port. Cloud management is optional (as with Peplink) and there is a small cost after the first year (also like Peplink). It supports wired backhaul (the connection between the main router and a satellite) and you can even use the 2.5 GB ports on each device for the backhaul connection.

Compared to the consumer Orbi line: consumer Orbi offers parental controls through the Circle App by Disney. The Pro line has no parental controls. The Pro line does not do Alexa or Google Assistant, the consumer line does. The Pro line supports up to 40 users, the consumer line only 20. The Pro line lets you manage the download bandwidth per SSID by assigning a percentage of the total bandwidth to each SSID. Businesses can use the Pro line to offer customers free WiFi access if they check in to an existing Facebook business page.

Personally, I find it hard to trust Netgear as their tech support is poor. How long they provide bug fixes for their routers is also questionable. Reader comments at the Sept. 2020 Anandtech article point out that Asus still patches the 7-8 year old AC68U router and is still updating other routers released in 2012. Read the comments on the first generation Orbi Pro models at Amazon before buying.

ASUS  Top Of Page

June 25, 2021: The below was written about the Asus Lyra mesh system, their first generation. They currently have three generations of mesh. For more on Asus mesh see:

- - - - - - - - - - - - - - - - - - - - -

I have no hands on experience with the Asus Lyra mesh system.

On the plus side for privacy, no account is needed to setup and configure the system. On the minus side, it includes the same Trend Micro malware protection system, AiProtection, that Asus uses on their single box routers. For more on the privacy issues with this see the bugs page under May 2017, the topic is "Privacy issues with Trend Micro software in Asus routers".

As noted on the WPS page, Lyra supports WPS. Or does it? According to Tim Higgins (Aug. 2017) it does not.

It does not seem to self-update. We can't know for sure as there is no User Guide to look it up in. There is a function in the mobile app to update the firmware: Settings => System => Firmware update. Asus says to use this to manually check for any new firmware versions.

It does not supported wired Ethernet connections for backhaul. There are no USB ports.

According to this FAQ item, remote access to the system just works. I take this to mean that the router maintains a constant connection to Asus which must be functioning as a middleman when an Android/iOS device wants to administer the system from afar.

From ASUS Lyra Home Wi-Fi System Reviewed by Tim Higgins (Aug. 2017) it does not rely on a companion cloud service. Quoting "it has both app and web interfaces, which provide a disjointed administration experience. Not all features are available in both interfaces and the web interface does not contain all the features you find in the app." The one Guest W-Fi network can be enabled for 3,6,12,24 or unlimited hours. You can not disable UPnP. Wowzy, that's bad.

AMPLIFI by UBIQUITI  Top Of Page

July 2020: FYI. This is a long thread, going back months, on the AmplFi forum with gripes about it working as a mesh. To be clear, if you have just an AmpliFi router, you are fine. If you a system with just two AmpliFi devices, again, you are fine. But, in a system with three AmpliFi devices, it often fails to daisy chain correctly. That is, when the obvious configuration is MeshPoint -> MeshPoint -> router, it often has each MeshPoint talking to the router. And, there is no manual over-ride.

October 22, 2019: I had a poor experience with AmpliFi tech support. See the Secure Routers page for details.

The AmpliFi mesh router system does not self-update, but it does check for updates on its own. There is a problem with this approach.

I administer two AmpliFi setups, both remote from me. To fix the KRACK flaw, in October 2017, AmpliFi released new firmware, as did many router vendors. So, I went to update each AmpliFi system. The first one reported that it was running firmware version 2.4.2 and that 2.4.3 was available to be installed. Fine.

The second system was also running firmware 2.4.2 but it was ignorant of the newly released firmware. The mobile app has no manual check for update feature, so all I could do was wait until it detected the new firmware on its own. Only then, could I manually update it.

When the AmpliFi app says there is an available update it reports both the currently installed version and the available updated version. However, it only gives you numbers, there is no way to see the Release Notes for the new firmware.

On a completely different note, my experience has been that it is best to avoid the AmpliFi Mesh Points. AmpliFi uses the term Mesh Point to describe candlestick shaped antennas designed to plug directly into an electric outlet. Their standard configuration is a single router and two Mesh Points, but you can also make a network with just routers, a setup that has worked well for me. You can also use a Mesh Point as a Wi-Fi extender to extend any Wi-Fi network, even one created by a non-Ubiquiti router. I have had bad experiences with this however. See my February 2018 blog, Ubiquiti AmpliFi Mesh Point Problems.

In August 2019, I updated the AmpliFi app to version 1.9.2 on an Android device. The new version of the app does not find the remote AmpliFi systems that I have been administering for about 2 years or so. My guess is that it must talk to a new version of the router firmware, but there was no warning. This is the final straw - I do not recommend AmpliFi. This is sad, as they made so many good decisions out of the gate. The blog below about the VPN server feature that was added in Aug. 2019 is also quite poorly done. And, it is not clear what parts of the Privacy Policy apply to the router vs. their mobile apps. All mobile apps spy on us, but I don't want my router spying on me. I just don't trust them.

See their Privacy Policy (last updated April 2019) and their Terms of Service (Last updated July 2017).

VPN SERVER

In August 2019 a new VPN feature was introduced for AmpliFi routers (mesh or not). See Secure networking is now available to all AmpliFi users anywhere in the world with the AmpliFi Teleport App for some details. This writeup from the company leaves much out. It's really a press release.

There is a new free AmpliFi Teleport app for iOS and Android. It is a VPN client app. The owner of the AmpliFi system creates codes that are given to anyone running the Teleport app. Somehow the code lets people VPN into your AmpliFi router. There does not seem to be any other security. The AmpliFi owner can turn the codes on and off. They can also see the devices currently using the VPN and kick them off.

Some questions not answered are:

  1. What release of the router firmware and AmpliFi mobile app are required to enable this new feature?
    Update: AmpliFi app version 1.9.2 released Aug 14, 2019. Firmware v 3.1.0 released Aug. 2019
  2. What type of VPN is it?
  3. The article says: AmpliFi Teleport is based on 1:1 connectivity. What the heck does that mean?
  4. How many concurrent VPN clients are allowed?
  5. How does the remote client connect into the AmpliFi router?
  6. How many codes can be generated? How many can be active at once?
  7. Are the codes subject to brute force guessing? Are they globally unique or unique just to one router?
  8. Can anyone with a code use it, or is the some additional security?
  9. What is the duration limit?
  10. Are there bandwidth reports? Bandwidth limits?
  11. Can you have a code time out after 2 days?

I spent a few minutes with the upgraded AmpliFi app remotely controlling an upgraded AmpliFi router. I did not try the Teleport app. It seems like a beta product:

When you first run the Android app (v1.9.2) it warns you to read the Privacy policy and Terms of Service. It says nothing about the new VPN feature. The app has a permanent link to the Terms of Service in the normally hidden sidebar, but no link to the Privacy Policy. I looked all over the AmpliFi app and found nothing about a VPN or Teleport. Turns out, the function is hidden in the sidebar and it is called "Generate Code". Clear as mud. The generated code is valid only for a few hours. You can increase this up to a max of 24 hours. To me, this greatly limits the usefulness of this feature. You can set the maximum number of devices that can use the code. Devices are called "slots" to make things as confusing as possible. Codes are also called "tokens" in case you weren't already confused. The codes seem to all be 5 characters long, two letters followed by three numbers. It seems like only one code can be active at a time, but, of course, there is no documentation about this, so I am not sure.

TP-LINK DECO M5  Top Of Page

The TP-Link Deco M5 does not self update. According to the User Guide the mobile app tells you when there is an available update and then you have to manually install it by clicking a button. It doesn't say if there is any passive notification for people to never go into the app. In fact, it doesn't say much at all. The User Guide is lame as heck. That its only 18 pages tells you all you need to know; but, 6 of the pages are legal stuff. That leaves 12. Take away the cover page and table of contents and we are down a 10 page pamphlet.

The mobile app requires a TP-Link ID to even get started. It has the mandatory one and only one guest network. It includes Trend Micro antivirus software that we have seen, when used with Asus routers, can spy on you. For more on that see here and here.

The Deco M5 can not disable UPnP.

LINKSYS VELOP  Top Of Page

From Linksys Velop Dual-Band Intelligent Mesh WiFi System Reviewed by Tim Higgins May 29, 2018. This was a review of the second generation Linksys Velop mesh router system. It is cheaper but with less horsepower than the first generation. Downsides: the Velop still supports the ancient WEP protocol for over-the-air encryption. It also supports WPS. As for wireless issues, you can not control the frequency band it uses for backhaul and you can not set a fixed Wi-Fi channel. On the plus side, there is no mandatory cloud service for administering the thing, it uses a standard web interface. The review did not say if the router can self-update.

A July 2018 review at TidBits paints a slightly different picture. It says that a Linksys account is required for setup. And, while there is mobile app, it says there is also a browser-based interface, but it is not easy to find, and Linksys does not want people using it. As for self-updating, this review says it is available as an option. Velop has the seemingly mandatory single Guest Wi-Fi network. The reviewer had two different problems with the initial setup.

SYNOLOGY MESH  Top Of Page

In February 2019, David Gewirtz write about living with both Google Wifi and Synology mesh routers: Why I replaced Google Wifi with Synology's mesh networking gear (and why you might, too).

The information below comes from the Dong Ngo review Synology MR2200ac review: A fantastic mesh Wi-Fi router on Oct 31, 2018.

The picture of the back of the router tells us two things about security. One is that it supports WPS, which is not good. The other is that the router ships with a default Wi-Fi password of "Synology" which is a bad practice. On the other hand, you do not need to establish an account with Synology to administer the router.

As for non-security issues, the MR2200ac has a single LAN port and neither of its two Ethernet ports have LEDs. The on/off button on the back scares me. For one thing, it serves no purpose. By the time you reach behind and down to press the button, you might as well unplug the power. Worse, is that the button might break. I have seen this type of button fail on a router, the result being that every time it was pushed in, it popped out again. The router was thus useless.

On the upside, the USB port on the MR2200ac can connect to a cellular antenna to provide a backup Internet connection. The Pepwave Surf SOHO does this too. As for mesh, you can buy a single MR2200ac and if it provides the Wi-Fi range you need, fine. If not, you can add up to seven MR2200ac devices to form a mesh.

In September 2019, I added my take on Synology routers to this site.

PLUME   Top Of Page

On Episode 745 of the Mac Geek Gab Podcast, which aired on Jan. 21st, 2019, John Braun and Dave Hamilton spoke highly of the Plume SuperPods, which are second generation devices.

TENDA NOVA  TopOfPage

From Tenda MW6 Nova Whole Home Mesh WiFi System Reviewed by Tim Higgins of Small Net Builder. February 8, 2018.

During initial setup you have to give Tenda either an email address or a mobile phone number to establish an account.

Quoting: "Nova is a self-contained system that doesn't rely on a cloud service for system operation. It does, however, rely on a Tenda-hosted relay service to authenticate Nova logins ... I had intermittent problems reliably connecting to Nova. Some days the app would connect just fine. On others, I couldn't get past the screen below, no matter what I did, including multiple reboots, app reinstalls and memory clears and even after resetting Nova to factory default. Even when I could connect, the "Failed to connect to the router" message would often come up and I'd get sent back to the No Connection screen. Very annoying ... I later learned the trick to local management is to disconnect your modem or ISP router from Nova. Once the WAN port was disconnected, I was able to get past the connect screen to the other administration pages. Tenda has some work to do here. The good news is the network appears to keep running if internet goes down, so at least local traffic will be ok."

For over-the-air encryption, the Nova only supports mixed WPA/WPA2. It does not have a WPA2 only mode of operation.

NOKIA BEACON  TopOfPage

Who knew? Nokia makes mesh routers. The first generation was the Beacon 3 and it sold for $200 as of July 2019. It has 3 LAN ports. The second generation, released around July 2019, is the Beacon 1 which sold for $130 as of July 2019. It has one LAN port. They can also be purchased as a set of two or three devices. The Ethernet ports are plastic with no LEDs.

The routers self-update their firmware. By default at 3AM, but you can change the time. The support WPS. You need to create an account with Nokia. They only support one Guest network but it can be set to turn itself off after a period of time. The mobile app, when you get the details on one Nokia router, shows all the client devices connected to that device.


Best Home Mesh Brands in Brief: AiMesh, eero, Orbi, Google, Velop, and More by Dong Ngo June 15, 2021. Ngo sees and tests many more routers that I do. In this article he compares home mesh Wi-Fi systems of different vendors (eero, Netgear Orbi, TP-Link Deco, Linksys Velop, Google Wifi, AiMesh, Synology).

Top 
Page Created: April 26, 2017      
Last Updated: September 20, 2021 7PM CT
Viewed 69,283 times
(25/day over 2,765 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2024