Review on ZyXEL Single Band WiFi Access Point NWA1100-NH with PoE and 2 Long Range External Antennas by Troy Jennings

Revain rating: 2 out of 5

Works well, has a few firmware bugs

Background: I bought this about 4 months ago as part of a project to replace my typical integrated router/switch/access point with a more flexible and more powerful solution using standalone components. It is connected to a "plus" (semi-managed) Netgear Gigabit Ethernet switch, a Jetway mini PC running VyOS as a router, and another switch that powers other devices. I'm using a 12V DC power supply as I don't have a PoE switch.

This access point has most of the features you need in a small business environment: multiple SSIDs, VLAN tagging, a RADIUS client for WPA/EAP authentication, and NTP. It can obtain a management IP address either from DHCP or from a static configuration. It also has a feature to automatically email internal log files, but I haven't tested that yet.

The housing is essentially the same size and shape as a traditional smoke alarm and uses a bayonet mounting bracket for ceiling mounting. Cables can be routed either along the side of the surface or through the center of the mount if you cut a hole in the ceiling.

There are 32 SSID profiles in the configuration system, each of which can use one of 8 security profiles and one of 4 RADIUS profiles. Each radio can have up to 8 active SSID profiles at the same time. This allows you to save multiple available configurations and quickly switch between them, as well as share security settings across different SSIDs or ranges without having to re-enter information in different places.

I encountered a few bugs in the original firmware. The first thing I noticed (which was fixed when I upgraded to V2.00) involved setting the subnet mask from DHCP. This could be because my subnet length isn't on an 8-bit boundary, or it could be a more general issue. This made it impossible to access the management interface through the VPN (because it wouldn't understand that the VPN addresses were outside of its subnet and should be routed through the gateway) and also caused problems with NTP.

Another problem I found, when trying to set up a system with multiple SSIDs on two VLANs, is using RADIUS with VLAN tagging enabled. It looks like you can't specify which VLAN is used for RADIUS requests (I think they are always sent as untagged) even if the management VLAN is configured. Also, you cannot assign any of the wireless networks to use untagged frames (they must have a VLAN ID between 0 and 4094). So if the RADIUS server is on the same network segment as one of the wireless networks, it doesn't seem possible to set it up so that both can be accessed properly! It might be possible to get around this by using some sort of bridging or routing on the other device, or moving the management interface to a completely separate network, but I haven't had time to look into that yet.

There's a telnet server on the access point, but you can't really do anything with it: it just launches a special lightweight shell when you log in with an administrator account, which allows you to reboot the device and change some other settings, but nothing really useful. However, I found a way to get a full root shell. All you need is a screwdriver and a 3.3V TTL serial connector. The board has a 4-pin header with UART signals; one pin clearly shows the thermal ground connection, and you can measure the voltage on the others to find the rest of the signals. Connect at 115200 baud and log in with the same administrator rights and password used for the web interface. This actually gives you a root shell, since both admin and root are listed in /etc/passwd with uid 0, but real root has no known password by default. But since you are actually an admin with uid 0, you can just reset the root password and then telnet in. Then the script running for the telnet session will give you a standard shell instead of the simpleCLI menu when you connect as root instead of administrator.

The firmware is based on Linux and you can request source code for most of it from ZyXEL. However, like most companies, it cannot be downloaded directly from their website, so you will need to fill out a form and they will email you a link to the FTP site within a few days. But unlike many other products, the package you get contains the full set of tools, build scripts and all files needed to build the rootfs image, not just the kernel and busybox sources and other stuff which they must release under the GPL license. There are a few binary blobs that are used to implement things like the web interface and device drivers, but most of the control is done through shell scripts, which appear to be easy to modify.

I haven't tried uploading a custom firmware build to the device yet, although it should be possible. The update binaries are actually just a disguised .tar.bz2 file containing the kernel and a JFFS2 image (built for a big-endian MIPS processor, so you'll need to run it through jffs2dump -e to convert the byte order before you can mount it on a little-endian machine). I had no idea this thing was so easy to hack.

Pros
  • Happy so far
Cons
  • I'll get back to you later
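
The review observes that both admin and root are listed in /etc/passwd with uid 0. The following is an added example, not part of the review or of ZyXEL's firmware: a check that flags that condition in a passwd file taken from an unpacked rootfs. The sample entries, the hash string and the finding names are constructed for illustration.

```python
# Audit a passwd file from an unpacked firmware rootfs for risky accounts.
# SAMPLE_PASSWD is constructed; it is not copied from the device.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:$1$constructed$placeholderhash:0:0:admin:/root:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
daemon::2:2:daemon:/:/bin/false
guest::500:500:guest:/tmp:/bin/sh
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def password_state(field):
    """Classify the second passwd field."""
    if field == "":
        return "empty"            # no password required
    if field == "x":
        return "shadowed"         # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"           # cannot authenticate with a password
    return "hash-in-passwd"       # hash readable by every local user


def audit_passwd(text):
    """Return a sorted list of (account, finding) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            findings.append((parts[0], "malformed-entry"))
            continue
        name, pw, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        interactive = shell not in NOLOGIN_SHELLS
        state = password_state(pw)
        if uid == 0 and name != "root":
            findings.append((name, "uid0-alias"))       # second superuser
        if interactive and state == "empty":
            findings.append((name, "empty-password"))
        if state == "hash-in-passwd":
            findings.append((name, "hash-world-readable"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

A "uid0-alias" finding means the account is root in everything but name, so any interface that accepts its credentials hands out full control of the device.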