Router Security TP-Link Omada Access Point Website by     
Michael Horowitz 

TP-Link Omada Access Point

These are my initial observations about a TP-Link Omada EAP670 access point. The Omada line is the TP-Link professional mesh line (as opposed to Deco mesh which is for consumers). The EAP670 is a standard frisbee-shaped white plastic access point (AP), but a bit on the large side. I paid about $135 US for it in June 2025.

The EAP670 does Wi-Fi 6 (aka 802.11ax). At the time that I bought it, there were many Omada Wi-Fi 7 devices. However, there are few Wi-Fi 7 devices and the Wi-Fi 7 APs cost much more. Also, the added speed that Wi-Fi 7 brings is not something I would ever need. Finally, Wi-Fi 7 was fairly new and it is best to stick with mature software.

Omada access points can either be configured individually by talking directly to them (TP-Link calls this standalone mode) or via a controller. Omada controllers can either be a hardware device, software you download or live in the cloud. For more, see the About TP-Link Omada section below. The out-of-box experience described below is, however, based on standalone mode; I was just getting my feet wet, so to speak.

This is not a review and is not limited to security issues. There is nothing below about Wi-Fi performance. Maybe later.

TLDR: While my experience with TP-Link is minimal, the company seems to be a notch below Peplink, even using one of their professional devices.

OUT OF THE BOX

The default userid/password for the AP itself is admin/admin. Not good, even though you do have to change it at your first logon.

The default SSIDs created by the EAP670 are on a label on the bottom. There is no Wi-Fi password. A Windows PC took a long time to connect to each and it never really worked. While Windows said it was connected, the computer never got assigned an IP address by the AP. The documentation from TP-Link said this should work. Bad first impression. Instead, I looked at my router, saw the IP address it gave to the EAP670 and got in that way. In effect, I got in via the WAN port of the AP.

The only light on the EAP670 is a small blue rectangle. If it's solid, it means there is power. It might be orange or maybe not, the Quick Install Guide is generic, not specific to the EAP670. Some TP-Link APs can show orange, some can only do blue. Power is not much help, it would be better if there was also an indicator about whether the thing was on-line or not. The blue light can also flash, but there are four possible meanings for the flashing light depending on how quickly it's flashing. Good luck with that.

The default device name is EAP670-XX-XX-XX-XX-XX-XX where the Xs are the MAC address. Fine.

At the first logon, you have to change both the default AP userid and password. It does not tell you the rules for user names, most importantly, whether they are case sensitive or not. Likewise, it tells you nothing about the rules for passwords. This is amateur stuff, not professional.

There is an option to allow data collection. Peplink never collects data. The default is NO.

You set the SSID and password for each radio frequency band individually. Can they be the same? Should they? RTFM.

Out of the box, the EAP670 was running firmware version 1.0.4. But, that's not enough, the firmware also has a Build number (20240314) which looks like a date and a "Rel". What is a Rel? Dunno. In my case it was: 53356(5553).

The time was an hour off, even though the time zone was correct. I manually adjusted it. The option for Daylight Savings Time was disabled by default, I turned it on.

The web interface shows both CPU and memory utilization which is great. While CPU usage was, as expected, very low, it showed that 48 percent of the memory was being used with just one user doing nothing but configuring the thing. Yes, this seems like a lot, but memory utilization by any operating system is a complicated topic, so maybe it's fine.

TP-Link could use some more native English speakers. When a Wi-Fi frequency band is disabled, it says "Disable" which looks like a command to disable something that is enabled. This same mistake is repeated elsewhere (such as Band Steering). And, when something is Enabled, the status is "Enable" rather than "Enabled".

The list of client devices did not show me, but I was clearly connected to the thing.

As mentioned above, I said NO to the "Allow data collection" option during initial setup. I repeat this here, because data collection is on nonetheless. At the top of the screen is a letter "i" inside a circle, the universal symbol for More Information. When I clicked on the "i", it showed that Data Collection was ON. Not good, and not the way to create trust.

The web interface is fast. When I change a setting, it takes effect in just seconds. The Session Timeout defaults to 15 minutes which is good for security. You can schedule the Wi-Fi to turn on and off.

To get to the web interface it uses the standard TCP/IP ports (80 for HTTP and 443 for HTTPS). Like Peplink, you can change the default ports for both HTTP and HTTPS. However, you can not turn off HTTP (Peplink can) and you can not automatically re-direct insecure HTTP to HTTPS (Peplink can).

You can back up the current settings to a file. The file name is config.bin, which again, is amateurish. There is no date in the file name and no model number. Peplink file names have both, and a serial number. Also, it is not a bin file as that normally refers to an executable file (.exe in Windows). The extension should be CFG or something like that.

Both SSH access and SNMP are off by default. This is good.

I changed the admin password that I had chosen initially. It did not log me out, it should have.

There is a single admin userid/password. Peplink also supports a second read-only userid.

The Peplink web interface lets you make a change, Save it, make another change, Save that, make a third change and save it, and then, finally, apply all the changes at once. The TP-Link web interface does not work that way, each change is put into effect immediately. The upside to the way Peplink works is that you can throw away saved changes that have not yet been applied. Also, if you are making Wi-Fi changes that require a Wi-Fi outage while they are implemented, you can minimize the outage with Peplink. Not a big deal.

The EAP670 does VLANs but it seems like it only allows for one, which means none. There is no button to add a new VLAN, all you can do is modify/activate the default VLAN. Maybe this is not supported in standalone mode? Maybe it does not show up until there is more than one SSID defined? I'll have to check later. There is a management VLAN that you can configure but for whatever reason, it is in a different section of the user interface than the other VLAN. Again, seems amateurish.

There is virtually no documentation in the user interface. Peplink does not have much, but they have more.

There is a System Log. Both TP-Link and Peplink can send their logs to a Log Server, a separate computer on the LAN, which is something only a large company would need. TP-Link can automatically email the system log which Peplink does not. From the little I saw of the log, I was not impressed. It failed to log my logging in to the AP. The log message that says it started up does not say what version of the firmware is running.

FIRMWARE UPDATING

The EAP670 can not do this on its own, the process is all manual and all my problem. It can not even check for updates on its own, let alone install the update. I have to go to the TP-Link website, find the latest firmware and download it. The router does not even say where on the TP-Link website to look. I found it, the download is a zip file, in my case the file name was
EAP670 2.0_1.1.1 Build 20250326.zip
I think the 2.0 is the hardware version of the EAP670, but the label on the bottom says it is version 2.6, so ... dunno. Sloppy. The 1.1.1 is the firmware version and, again, the Build looks like a date, so this is probably from March 26, 2025.

The zip file I downloaded had three files in it. The actual firmware is a .bin file called
EAP670v2_1.1.1_[20250326-rel59884]_up_signed.bin

Another file was a PDF called: "How to upgrade the firmware on my EAP.pdf". It starts with this: "Visit your product's support page, select the correct hardware version and firmware for your device and check the Release note for the latest improvements added to your EAP. " Thanks for nothing. The upgrade instructions have no date and say nothing about what devices or what firmware versions it applies to. Half-assed again.

As to the correct hardware version, I have now seen mine referred to as 2.6 (on the device), 2.0 (the downloaded zip file name) and v2 (firmware file name). Sloppy amateurs.

As to finding the latest firmware, the TP-Link website is www.tp-link.com. I tried www.tplink.com in three browsers. It failed in one, generated a "www.tplink.com doesn’t support a secure connection" error in another and a "Secure Site Not Available" error in the last one. Sloppy again.

Before upgrading the firmware, the system did not warn me to make a backup of the current configuration settings. Peplink has been doing this for at least 14 years.

The EAP670 has only a single copy of its firmware. Peplink devices have two copies of their firmware. If you update a Peplink device to firmware version 3 and there is a problem, it is simple and easy to re-boot it back into firmware version 2. That is a true professional setup. Some devices will not let you fall back, period. That is, even if you had firmware version 2 available, the device itself would prevent it being installed if it was currently running version 3. TP-Link Omada devices can be downgraded judging by this July 2024 document of theirs: How to downgrade firmware of EAP if it is abnormal after the update.

The thing gets warm. Maybe too warm? This is worrisome.

FIRMWARE VERSION 1.1.1

Specifically, my newly installed firmware was version 1.1.1 Build 20250326 Rel. 59884(5553). Got that?

There is now an online check for the latest firmware and it confirms that 1.1.1 is the latest.

There is a new option to automatically check for new firmware. It says nothing about installing the firmware. Does this both check and install? If not, then what happens when a check finds new firmware? Dunno. So much of what TP-Link does seems half-assed.

There is no more "i" inside a circle at the top of the page, so I can no longer see if the access point is spying on me. Not good.

The firmware update wiped out the log file. Not good. The Peplink log files persist across firmware updates. And yes, plural. Peplink maintains multiple log files.

There is a new option HTTP Server that can be ON or OFF. Maybe this means that HTTP is no longer allowed and all communication from a browser must be HTTPS? Maybe? It's not clear. Not hard to test this, but I have not.
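One way to run that test from a computer on the LAN, as an added example that is not from the original page or from TP-Link: it sends a single cleartext GET to the admin interface and reports whether HTTP is off, redirects to HTTPS, or still serves pages in the clear. The script name in the usage comment and the result labels are assumptions made for this example.

```python
import http.client
import sys
from urllib.parse import urlsplit


def classify(status, location):
    """Label the answer to a plain-HTTP GET; status None means no listener."""
    if status is None:
        return "http-off"
    if 300 <= status < 400 and location:
        # A relative Location keeps the browser on http://, so only an
        # absolute https:// target counts as a redirect to HTTPS.
        if urlsplit(location).scheme.lower() == "https":
            return "redirects-to-https"
        return "redirects-in-cleartext"
    return "served-in-cleartext"


def probe(host, port=80, timeout=5.0):
    """Send one GET / over cleartext HTTP and classify what comes back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    except http.client.HTTPException:
        return "open-but-not-http"   # port accepted the connection, no valid reply
    except OSError:
        return classify(None, None)  # refused, unreachable or timed out
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python probe_http.py <AP address> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe(sys.argv[1], port))
```

Run it once with the HTTP Server option ON and once with it OFF, using the custom port if the default was changed.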

You can change the channel width (Eero this is not) but there is no warning that doing so would disable the Wi-Fi for a bit.

All the DFS channels on the 5GHz band were enabled by default. I think this is bad, at least in the US, but not sure.

The new firmware offers a "Custom Channel Range" but, again, it is half-assed. This refers to the device being able to pick the Wi-Fi channel on its own, but with you restricting the choice it has. This is important in the 2.4GHz band as all devices should only use channels 1, 6 and 11. The TP-Link custom channel range is not available for the 2.4GHz band (it is with Peplink). On the 5GHz band, you do not get to choose each channel individually (you do with Peplink). Instead there are five different groups of 5GHz channels and you enable/disable each group.

You control the Transmit Power (Tx Power in the UI) by entering a number from 7 to 28. The default is, no surprise, the highest, 28. Lowering the power comes into play when you want to limit how strong your signal is to your neighbors. It would be nice if there was some guidance as to what a low and medium strength signal is.

The list of attached clients shows the signal strength RSSI (dBm) for each connected Wi-Fi device. This is great. Peplink does this too and it can be very handy.

The EAP670 does not have a real time bandwidth display. Peplink routers have this as well as assorted bandwidth history reports.

This TP-Link document from November 2024: Instructions for SSID security settings on Omada Controller describes a security option called PPSK. When using PPSK each user gets a unique pre-shared Wi-Fi password. So, it is a step up from the normal mode of a single Wi-Fi password, but a step down from the Enterprise versions of WPA. But, it is not available in standalone mode, at least with this firmware version. When I get up to using a controller, I'll try it out.

The next day, I was able to connect an Android 14 device to the SSID created by the EAP670. But, the security mode was WPA/WPA2 co-existence. I verified this both on the Android device and using a Wi-Fi scanner on a Windows machine. In the middle of 2025, no device should default to enabling WPA, that is poor security. The only options should be WPA2 or WPA3. The available options in the EAP670 were WPA2 only or WPA2/WPA3 co-existence. There was no option for just WPA3. Bad again. The device can create multiple SSIDs, there is no reason that one SSID can not be restricted to just WPA3. I set it to WPA2/WPA3 and verified that the Android 14 device connected using WPA3.
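What a Wi-Fi scanner reads to report the modes described above, as an added example that is not from the original page: it walks the information elements of a beacon and maps the advertised key-management (AKM) suites to WPA, WPA2 or WPA3. The element bytes are constructed samples, not captured from an EAP670, and only the Personal (PSK/SAE) suites are mapped.

```python
import struct

WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"
AKM_TO_MODE = {WPA_OUI + b"\x02": "WPA",                             # legacy WPA-PSK
               RSN_OUI + b"\x02": "WPA2", RSN_OUI + b"\x06": "WPA2",  # PSK, PSK-SHA256
               RSN_OUI + b"\x08": "WPA3"}                            # SAE

def iter_ies(buf):
    """Yield (element id, body) for each id/length/body element in a beacon."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            return                      # truncated capture: stop, do not guess
        yield eid, body
        pos += 2 + length

def akm_suites(fields):
    """fields = version(2) | group cipher(4) | pairwise list | AKM list ..."""
    (n_pair,) = struct.unpack_from("<H", fields, 6)
    pos = 8 + 4 * n_pair
    (n_akm,) = struct.unpack_from("<H", fields, pos)
    pos += 2
    if pos + 4 * n_akm > len(fields):
        raise ValueError("AKM list runs past the end of the element")
    return [fields[pos + 4 * i:pos + 4 * i + 4] for i in range(n_akm)]

def security_mode(ies):
    modes = set()
    for eid, body in iter_ies(ies):
        if eid == 221 and body[:4] == WPA_OUI + b"\x01":
            body = body[4:]              # WPA vendor element: skip OUI + type
        elif eid != 48:                  # 48 = RSN element (WPA2/WPA3)
            continue
        try:
            modes.update(AKM_TO_MODE.get(s, "other") for s in akm_suites(body))
        except (struct.error, ValueError):
            modes.add("malformed")
    order = ["WPA", "WPA2", "WPA3", "other", "malformed"]
    return "/".join(m for m in order if m in modes) or "open"

# Constructed beacon elements (not captured from an EAP670)
MIXED = bytes.fromhex(
    "0004 74657374"                                                      # SSID "test"
    "dd1a 0050f201 0100 0050f202 0200 0050f202 0050f204 0100 0050f202"  # WPA
    "3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")     # RSN
TRANSITION = bytes.fromhex(
    "3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")     # RSN: PSK + SAE
```

`security_mode(MIXED)` gives the co-existence mode that should not be a default, and `security_mode(TRANSITION)` gives the WPA2/WPA3 setting.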

Then, it appeared that there was a bug in the web interface. In the list of SSIDs, my lone SSID was shown with a Security Mode of "WPA-Personal". It was not a bug, just a bad user interface. This is not referring to WPA vs WPA2 vs WPA3, it is referring to WPA Personal mode vs. WPA Enterprise mode. I don't even think there is a WPA Enterprise. The Enterprise mode of Wi-Fi can be WPA2 Enterprise or WPA3 Enterprise. Just use a Peplink device to see that.

ABOUT TP-LINK OMADA

Why TP-Link Omada? I had heard good things about the line from two sources that I trusted. Still, it was not a viable option for anyone that I work with until September 2024. Omada APs require a controller. Initially there were two options: you could buy controller hardware or you could download the controller software and run it on a computer of yours. Then, in the middle of 2022, TP-Link introduced their cloud-based controller system (aka CBC). Finally, in September 2024, they introduced a free version of the cloud controller.

Even then, there are two downsides to many professional mesh systems.

The first is Power Over Ethernet. The APs are designed to be powered by the Ethernet cable. This allows easy installation in places where there is no power outlet. The downside for me is that you need special hardware to provide power over the Ethernet cable. Some of the Omada APs, such as the EAP670, come with power cords.

Another downside is that professional class Access Points are not designed to sit on a desk/table. The exact opposite of Eero. Professionals install frisbee-shaped APs on ceilings where they look just like smoke detectors and get better Wi-Fi performance. Some APs are waterproof and designed to be attached to a pole. Others are meant to be mounted on a wall. In researching Omada APs at the retailers I usually deal with, these seemed to be the only available form factors. But, at the TP-Link website I discovered the EAP650 which is designed to sit on a table. As of July 2025 it was about $130 US.

For a somewhat dated overview of Omada and where it fits in, see TP-Link Omada In-Depth Overview by Evan McCann. Last Edited: April 2022. McCann is a computer networking professional. Omada competes most directly with Aruba InstantOn and Ubiquiti UniFi. It seems that HP, which owns Aruba, is now referring to Aruba InstantOn as the HPE InstantOn line (for HP Enterprise). Some quotes from the article:

I found a TP-Link Omada Access Point User Guide from 2024. What firmware versions does it apply to? None of your business. Which specific APs does it apply to? Again, none of your business. Amateurs.

NEXT UP

Eventually, I hope to add another Omada AP and set everything up using the free TP-Link cloud controller. So, to be continued ...

Page Created: July 12, 2025      
Last Updated: July 14, 2025 7PM CT