Winbox Brute Force

You really should not have your Winbox port open to anything but a management network, but if you must, here is a script to help against brute-force attempts on the MikroTik.
/ip firewall filter
# Drop anything from a source that is already blacklisted
add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 \
protocol=tcp src-address-list=winbox_blacklist
# A new connection from a stage3 source puts it on the blacklist for 1w3d
add action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage3
# A new connection from a stage2 source promotes it to stage3 for 1m
add action=add-src-to-address-list address-list=winbox_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage2
# A new connection from a stage1 source promotes it to stage2 for 1m
add action=add-src-to-address-list address-list=winbox_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage1
# Every new connection to the Winbox port puts its source in stage1 for 1m
add action=add-src-to-address-list address-list=winbox_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp
# Also drop blacklisted sources trying to reach Winbox on devices behind this router
add action=drop chain=forward comment="drop WINBOX brute downstream" dst-port=8291 \
protocol=tcp src-address-list=winbox_blacklist

Of course, changing your Winbox port number and disallowing access from anything but trusted IP addresses is one of the best ways.
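To see when the rules above actually blacklist a source, here is a small Python model of the five input-chain rules, replayed over a constructed list of connection attempts. It is an added example, not part of the original post; the source addresses and timestamps are made up, and the model assumes a repeat match restarts an address-list entry's timeout.

```python
"""Model of the staged Winbox address-list rules above (added example)."""

STAGE_TIMEOUT = 60                     # address-list-timeout=1m
BLACKLIST_TIMEOUT = (7 + 3) * 86400    # address-list-timeout=1w3d
STAGES = ("winbox_stage1", "winbox_stage2", "winbox_stage3")
BLACKLIST = "winbox_blacklist"


class WinboxRules:
    """The input-chain rules as seen by new TCP connections to port 8291."""

    def __init__(self):
        # list name -> {source address: expiry time in seconds}
        self.lists = {name: {} for name in STAGES + (BLACKLIST,)}

    def member(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and now < expiry

    def _add(self, name, src, now, timeout):
        # Assumption: a repeat match restarts the entry's timeout. The sample
        # results below come out the same if it does not.
        self.lists[name][src] = now + timeout

    def new_connection(self, src, now):
        """Walk the rules top to bottom for one connection-state=new packet."""
        # Rule 1: blacklisted sources are dropped. On the router this rule has
        # no connection-state matcher, so it hits every packet to the port.
        if self.member(BLACKLIST, src, now):
            return "drop"
        # Rule 2: a source already in stage3 goes on the blacklist.
        if self.member("winbox_stage3", src, now):
            self._add(BLACKLIST, src, now, BLACKLIST_TIMEOUT)
        # Rules 3 and 4: each rule tests a list that only a later rule
        # writes, so one packet climbs exactly one stage.
        if self.member("winbox_stage2", src, now):
            self._add("winbox_stage3", src, now, STAGE_TIMEOUT)
        if self.member("winbox_stage1", src, now):
            self._add("winbox_stage2", src, now, STAGE_TIMEOUT)
        # Rule 5: every new connection lands in stage1.
        self._add("winbox_stage1", src, now, STAGE_TIMEOUT)
        return "pass"  # not dropped here; the rest of the input chain decides


def replay(events):
    """Return ([(time, src, verdict)], {src: time it was blacklisted})."""
    rules = WinboxRules()
    verdicts, blacklisted_at = [], {}
    for now, src in sorted(events):
        verdict = rules.new_connection(src, now)
        verdicts.append((now, src, verdict))
        if src not in blacklisted_at and rules.member(BLACKLIST, src, now):
            blacklisted_at[src] = now
    return verdicts, blacklisted_at


# Constructed sample: (seconds, source address) of new connections to 8291.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7") for t in (0, 5, 10, 15, 20, 25)]   # rapid guessing
    + [(t, "192.0.2.50") for t in (0, 50, 100, 150, 160)]   # retry every 50 s
    + [(t, "203.0.113.9") for t in (0, 90, 180, 270)]       # one try per 90 s
)

if __name__ == "__main__":
    verdicts, blacklisted_at = replay(SAMPLE_EVENTS)
    for now, src, verdict in verdicts:
        print(f"t={now:>3}s  {src:<13} {verdict}")
    print("blacklisted at:", blacklisted_at)
```

In this model the fourth new connection in a chain of attempts less than a minute apart triggers the blacklist, whether it comes from a brute forcer or from an administrator reconnecting, while a source that waits more than a minute between attempts never leaves stage1.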

What is a BGP Confederation?

In network routing, BGP confederation is a method to use Border Gateway Protocol (BGP) to subdivide a single autonomous system (AS) into multiple internal sub-AS’s, yet still advertise as a single AS to external peers. This is done to reduce the number of entries in the iBGP routing table.  If you are familiar with breaking OSPF domains up into areas, BGP confederations are not that much different, at least from a conceptual view.

And, much like OSPF areas, confederations were born when routers had less CPU and less RAM than they do in today’s modern networks. MPLS has superseded the need for confederations in many cases. I have seen organizations that have different policies and different admins break up their larger networks into confederations. This allows each group to go its own direction with routing policies and such.

If you want to read the RFC: https://tools.ietf.org/html/rfc5065
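How a confederation stays hidden from external peers comes down to AS_PATH handling at each kind of boundary. The Python sketch below follows the RFC 5065 rules for AS_CONFED_SEQUENCE; it is an added example, not from the original post, the AS numbers are constructed (confederation ID 64500, sub-ASes 65001 and 65002, outside neighbour 64496), and AS_CONFED_SET is not modelled.

```python
"""AS_PATH handling at confederation boundaries per RFC 5065 (added example)."""

CONFED_ID = 64500                  # constructed: the AS external peers see
CONFED_SEQ = "AS_CONFED_SEQUENCE"
AS_SEQ = "AS_SEQUENCE"


def advertise(as_path, local_member_as, session):
    """Return the AS_PATH sent over one kind of session.

    as_path is a list of (segment_type, [asns]). session is one of:
      "ibgp"   - peer in the same member sub-AS
      "confed" - peer in another sub-AS of the same confederation
      "ebgp"   - peer outside the confederation
    """
    path = [(kind, list(asns)) for kind, asns in as_path]  # work on a copy
    if session == "ibgp":
        return path                # unchanged inside a sub-AS
    if session == "confed":
        # Prepend our sub-AS number to the confederation segment.
        if path and path[0][0] == CONFED_SEQ:
            path[0][1].insert(0, local_member_as)
        else:
            path.insert(0, (CONFED_SEQ, [local_member_as]))
        return path
    if session == "ebgp":
        # Strip leading confederation segments, then prepend the
        # confederation ID so the outside sees a single AS.
        while path and path[0][0] == CONFED_SEQ:
            path.pop(0)
        if path and path[0][0] == AS_SEQ:
            path[0][1].insert(0, CONFED_ID)
        else:
            path.insert(0, (AS_SEQ, [CONFED_ID]))
        return path
    raise ValueError(f"unknown session type: {session}")


def path_length(as_path):
    """AS_PATH length for best-path selection: confed segments do not count."""
    return sum(len(asns) for kind, asns in as_path if kind == AS_SEQ)


def loops_back(as_path, local_member_as):
    """True if the receiver must discard the route as a loop."""
    for kind, asns in as_path:
        if kind == CONFED_SEQ and local_member_as in asns:
            return True
        if kind == AS_SEQ and CONFED_ID in asns:
            return True
    return False


def trace_inbound_route():
    """A route from outside AS 64496 crosses sub-AS 65001, then 65002, then
    leaves the confederation towards another external peer."""
    received = [(AS_SEQ, [64496])]
    inside_65001 = advertise(received, 65001, "ibgp")
    to_65002 = advertise(inside_65001, 65001, "confed")
    to_outside = advertise(to_65002, 65002, "ebgp")
    return to_65002, to_outside


if __name__ == "__main__":
    to_65002, to_outside = trace_inbound_route()
    print("seen by sub-AS 65002:", to_65002, "length", path_length(to_65002))
    print("seen by outside peer:", to_outside, "length", path_length(to_outside))
```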

Mikrotik Releases 6.42

From Mikrotik

We have released new RouterOS versions in current channel.

To upgrade, click “Check for updates” at “System/Package” in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

What’s new in 6.42 (2018-Apr-13 11:03):

!) tile – improved system performance and stability (“/system routerboard upgrade” required);
!) w60g – increased distance for wAP 60G to 200+ meters;
*) bridge – added host aging timer for CRS3xx and Atheros hw-bridges;
*) bridge – added per-port forwarding options for broadcasts, unknown-multicasts and unknown-unicasts;
*) bridge – added per-port learning options;
*) bridge – added support for static hosts;
*) bridge – fixed “master-port” configuration conversion from pre-v6.41 RouterOS versions;
*) bridge – fixed bridge port interface parameter under “/interface bridge host print detail”;
*) bridge – fixed false MAC address learning on hAP ac^2 and cAP ac devices;
*) bridge – fixed incorrect “fast-forward” enabling when ports were switched;
*) bridge – fixed MAC learning for VRRP interfaces on bridge;
*) bridge – fixed reliability on software bridges when used on devices without switch chip;
*) bridge – hide options for disabled bridge features in CLI;
*) bridge – show “hw” flags only on Ethernet interfaces and interface lists;
*) capsman – added “allow-signal-out-of-range” option for Access List entries;
*) capsman – added support for “interface-list” in Access List and Datapath entries;
*) capsman – improved CAPsMAN responsiveness with large amount of CAP interfaces;
*) capsman – log “signal-strength” when successfully connected to AP;
*) certificate – added PKCS#10 version check;
*) certificate – dropped DES support and added AES instead for SCEP;
*) certificate – dropped MD5 support and require SHA1 as minimum for SCEP;
*) certificate – fixed incorrect SCEP URL after an upgrade;
*) chr – added “open-vm-tools” on VMware installations;
*) chr – added “qemu-guest-agent” and “virtio-scsi” driver on KVM installations;
*) chr – added “xe-daemon” on Xen installations;
*) chr – added support for Amazon Elastic Network Adapter (ENA) driver;
*) chr – added support for booting from NVMe disks;
*) chr – added support for Hyper-V ballooning, guest quiescing, host-guest file transfer, integration services and static IP injection;
*) chr – added support for NIC hot-plug on VMware and Xen installations;
*) chr – fixed additional disk detaching on Xen installations;
*) chr – fixed interface matching by name on VMware installations;
*) chr – fixed interface naming order when adding more than 4 interfaces on VMware installations;
*) chr – fixed suspend on Xen installations;
*) chr – make additional disks visible under “/disk” on Xen installations;
*) chr – make Virtio disks visible under “/disk” on KVM installations;
*) chr – run startup scripts on the first boot on AWS and Google Cloud installations;
*) console – fixed “idpr-cmtp” protocol by changing its value from 39 to 38;
*) console – improved console stability after it has not been used for a long time;
*) crs1xx/2xx – added BPDU value for “ingress-vlan-translation” menu “protocol” option;
*) crs212 – fixed Ethernet boot when connected to boot server through CRS326 device;
*) crs326 – fixed known multicast flooding to the CPU;
*) crs3xx – added switch port “storm-rate” limiting options;
*) crs3xx – added “hw-offload” support for 802.3ad and “balance-xor” bonding;
*) detnet – fixed “detect-internet” feature unavailability if router had too long identity (introduced in v6.41);
*) dhcp – improved DHCP service reliability when it is configured on bridge interface;
*) dhcp – reduced resource usage of DHCP services;
*) dhcpv4-server – added “dns-none” option to “/ip dhcp-server network dns”;
*) dhcpv6 – make sure that time is set before restoring bindings;
*) dhcpv6-client – added info exchange support;
*) dhcpv6-client – added possibility to specify options;
*) dhcpv6-client – added support for options 15 and 16;
*) dhcpv6-client – implement confirm after reboot;
*) dhcpv6-server – added DHCPv4 style user options;
*) dns – do not generate “Undo” messages on changes to dynamic servers;
*) email – set maximum number of sessions to 100;
*) fetch – added “http-content-type” option to allow setting MIME type of the data in free text form;
*) fetch – added “output” option for all modes in order to return result to file, variable or ignore it;
*) fetch – increased maximum number of sessions to 100;
*) filesystem – implemented additional system storage maintenance checks on ARM CPU based devices;
*) flashfig – properly apply configuration provided by Flashfig;
*) gps – improved NMEA sentence handling;
*) health – added log warning when switching between redundant power supplies;
*) health – fixed empty measurements on CRS328-24P-4S+RM;
*) hotspot – improved HTTPS matching in Walled Garden rules;
*) ike1 – display error message when peer requests “mode-config” when it is not configured;
*) ike1 – do not accept “mode-config” reply more than once;
*) ike1 – fixed wildcard policy lookup on responder;
*) ike2 – fixed framed IP address received from RADIUS server;
*) interface – improved interface configuration responsiveness;
*) ippool – added ability to specify comment;
*) ippool6 – added pool name to “no more addresses left” error message;
*) ipsec – fixed AES-CTR and AES-GCM support on RB1200;
*) ipsec – improved single tunnel hardware acceleration performance on MMIPS devices;
*) ipsec – properly detect interface for “mode-config” client IP address assignment;
*) ipv6 – fixed IPv6 behaviour when bridge port leaves bridge;
*) ipv6 – update IPv6 DNS from RA only when it is changed;
*) kidcontrol – initial work on “/ip kid-control” feature;
*) led – added “Dark Mode” support for wAP 60G;
*) led – added w60g alignment trigger;
*) led – fixed unused “link-act-led” LED trigger on RBLHG 2nD, RBLHG 2nD-XL and RBSXTsq 2nD;
*) led – removed unused “link-act-led” trigger for devices which does not use it;
*) lte – added initial support for Quectel LTE EP06-E;
*) lte – added initial support for SIM7600 LTE modem interface;
*) lte – added support for the user and password authentication for wAP-LTE-kit-US (R11e-LTE-US);
*) lte – do not add DHCP client on LTE modems that doesn’t use DHCP;
*) lte – fixed DHCP client adding for MF823 modem;
*) lte – fixed LTE band setting for SXT LTE;
*) mac-ping – fixed duplicate responses;
*) modem – added initial support for AC340U;
*) netinstall – fixed MMIPS RouterOS package description;
*) netinstall – sign Netinstall executable with an Extended Validation Code Signing Certificate;
*) netwatch – limit to read, write, test and reboot policies for Netwatch script execution;
*) poe – do not show “poe-out-current” on devices which can not determine it;
*) poe – hide PoE related properties on interfaces that does not provide power output;
*) ppp – added initial support for NETGEAR AC340U and ZyXEL WAH1604;
*) ppp – allow to override remote user PPP profile via “Mikrotik-Group”;
*) quickset – fixed NAT if PPPoE client is used for Internet access;
*) quickset – properly detect IP address when one of the bridge modes is used;
*) quickset – properly detect LTE interface on startup;
*) quickset – show “G” flag for guest users;
*) quickset – use “/24” subnet for local network by default;
*) r11e-lte – improved LTE connection initialization process;
*) rb1100ahx4 – improved reliability on hardware encryption;
*) routerboard – added RouterBOOT “auto-upgrade” after RouterOS upgrade (extra reboot required);
*) routerboard – properly detect hAP ac^2 RAM size;
*) sniffer – fixed “/tool sniffer packet” results listed in incorrect order;
*) snmp – added “/caps-man interface print oid”;
*) snmp – added “/interface w60g print oid”;
*) snmp – added “board-name” OID;
*) snmp – improved request processing performance for wireless and CAP interfaces;
*) ssh – fixed SSH service becoming unavailable;
*) ssh – generate SSH keys only on the first connect attempt instead of the first boot;
*) ssh – improved key import error messages;
*) ssh – remove imported public SSH keys when their owner user is removed;
*) switch – hide “ingress-rate” and “egress-rate” for non-CRS3xx switches;
*) tile – added “aes-ctr” hardware acceleration support;
*) tr069-client – added “DownloadDiagnostics” and “UploadDiagnostics”;
*) tr069-client – correctly return “TransferComplete” after vendor configuration file transfer;
*) tr069-client – fixed “/tool fetch” commands executed with “.alter” script;
*) tr069-client – fixed HTTPS authentication process;
*) traffic-flow – fixed IPv6 destination address value when IPFIX protocol is used;
*) upgrade – improved RouterOS upgrade process and restrict upgrade from RouterOS older than v5.16;
*) ups – improved communication between router and UPS;
*) ups – improved disconnect message handling between RouterOS and UPS;
*) userman – added support for ARM and MMIPS platform;
*) w60g – added “tx-power” setting (CLI only);
*) w60g – added RSSI information (CLI only);
*) w60g – added TX sector alignment information (CLI only);
*) watchdog – retry to send “autosupout.rif” file to an e-mail if initial delivery failed up to 3 times within 20 second interval;
*) winbox – added “antenna” setting under GPS settings for MIPS platform devices;
*) winbox – added “crl-store” setting to certificate settings;
*) winbox – added “insert-queue-before” to DHCP server;
*) winbox – added “use-dn” setting in OSPF instance General menu;
*) winbox – added 160 MHz “channel-width” to wireless settings;
*) winbox – added DHCPv6 client info request type and updated statuses;
*) winbox – added missing protocol numbers to IPv4 and IPv6 firewall;
*) winbox – added possibility to delete SMS from inbox;
*) winbox – allow to comment new object without committing it;
*) winbox – allow to open bridge host entry;
*) winbox – fixed name for “out-bridge-list” parameter under bridge firewall rules;
*) winbox – fixed typo from “UPtime” to “Uptime”;
*) winbox – fixed Winbox closing when viewing graph which does not contain any data;
*) winbox – improved stability when using trackpad scrolling in large lists;
*) winbox – made UDP local and remote TX size parameters optional in Bandwidth Test tool;
*) winbox – moved “ageing-time” setting from STP to General tab;
*) winbox – moved OSPF instance “routing-table” setting in OSPF instance General menu;
*) winbox – removed “VLAN” section from “Switch” menu for CRS3xx devices;
*) winbox – show Bridge Port PVID column by default;
*) winbox – show CQI in LTE info;
*) winbox – show dual SIM options only for RouterBOARDS which does have two SIM slots;
*) winbox – show only master CAP interfaces under CAPsMAN wireless scan tool;
*) winbox – use proper graph name for HDD graphs;
*) wireless – added “realm-raw” setting for “/interface wireless interworking-profiles” (CLI only);
*) wireless – added initial support for “nstreme-plus”;
*) wireless – added support for “band=5ghz-n/ac”;
*) wireless – added support for “interface-list” for Access List entries;
*) wireless – added support for legacy AR9485 chipset;
*) wireless – enable all chains by default on devices without external antennas after configuration reset;
*) wireless – fixed “wds-slave” channel selection when single frequency is specified;
*) wireless – fixed incompatibility with macOS clients;
*) wireless – fixed long “scan-list” entries not working for ARM based wireless interfaces;
*) wireless – fixed nv2 protocol on ARM platform SXTsq devices;
*) wireless – fixed RB911-5HnD low transmit power issue;
*) wireless – fixed RTS/CTS option for the ARM based wireless devices;
*) wireless – fixed wsAP wrong 5 GHz interface MAC address;
*) wireless – improved compatibility with specific wireless AC standard clients;
*) wireless – improved Nv2 PtMP performance;
*) wireless – improved packet processing on ARM platform devices;
*) wireless – improved wireless performance on hAP ac^2 devices while USB is being used;
*) wireless – improved wireless scan functionality;

Helpful Tool: WiFi Texas WS-PoE-Tester

The WS-PoE-Tester reports voltage and current for PoE systems. It works with 802.3af and passive PoE, and also 802.3at.

Dual displays show the voltage and current on each set of power pairs (Mode A and Mode B) used in PoE. In 802.3at – both power pairs should be active – and both will be displayed.

The tester is protected from reversed power, with a warning LED in case reversed power is applied. Dual inputs allow use with straight or crossover Ethernet connections (568A or 568B).

In addition, a power supply brick can be tested using the 2.1mm DC power connectors. This allows DC power supplies for laptops, printers or any other application to be tested.

Available at:
https://www.ispsupplies.com/Voltage-and-Current-tester-for-PoE

Aligning an 80GHZ link at a mile and other licensed backhauls

Recently we had a teaching moment for a couple of folks who had not had much experience with aligning higher frequency antennas with very tight beamwidths.  This particular day we were aligning 2 foot Siklu 80GHZ antennas.

One of the questions we often get asked is how do you align these? These questions are usually asked by someone who is familiar with aligning 5ghz antennas with a 10 or 20 degree beam, which you can eyeball, and who has tried a microwave shot. They find out it is much harder.  The higher you go in frequency, the tighter and smaller the beam is.  Distance also affects how far off you can be.  Think of it as a laser pointer.  If you have ever taken a laser pointer out at night and shone it a long distance, you will notice even the slightest movement will cause it to jump inches, even feet.  Keep the laser pointer analogy in mind for this next section.

In order to understand alignment, we need to understand lobes on an antenna. An antenna is just a device that focuses radiation in a direction.  In a licensed microwave setup, these antennas focus the radiation in a tighter “beam”.  Let’s go back to our laser pointer analogy.  Some laser pointers project a smaller dot at 10 feet than others.  Same for antennas.   The diagram below shows what is called the main lobe and the side lobe.

The way to get the best signal is to get both dishes locked on to the main lobe. Sounds easy right? With higher frequencies, you are talking about millimeter waves. This means the main lobe may only be 3mm wide, about the size of this text on a laptop screen.  Now imagine trying to keep that 3mm beam in the center of a paper plate at a mile.  On top of that, the difference between the main lobe and locking onto a side lobe could be the difference of 1-2mm. A slight wind can move a dish 2mm.

To give you a real-world example, take a 2ft 23 GHz antenna with a 3 dB beamwidth of 1.6 degrees. Allowing for a path length of about 2.5 miles (this is licensed 23GHZ), the actual beamwidth at the receiving antenna is around 370 ft and is, therefore, likely to be greater than the height of the tower. If the antenna is out of horizontal by even a couple of degrees to start, the antennas will miss by around 460 ft and not be able to “see” each other. This can be amplified as frequency and distance increase.

This is all fine and dandy, but what about the practical world? How do I align the thing?
It all starts with the FCC path coordination paperwork you will receive on your licensed link. There is a wealth of information in here.  It tells you all of the following:
-Your mounting height (this is typically already known)
-Your heading (more on this in a bit)
-The antenna angle downtilt or uptilt (very important)
-The expected signal target

Armed with this information you will have all of the information you need to align the link.  From this point, the philosophical side of things kicks in.  Some tower climbers are good with using a compass to get their exact bearings.  Others have high dollar tools to do it all via GPS such as microwave path alignment from Sunsight.

What everyone doing alignment should have in their toolkit are the following:
-A small magnetic bubble Level. We want to make sure we start with a level mount.  We would be fighting an uphill battle if the pipe or standoff we are mounting to is not level.

-An angle Finder is very helpful for determining the antenna down or uptilt per the path calculation.

Obviously, the above tools are just one of many examples.  There are more expensive ones and bare bones ones.  Tools are only as good as the person using them.

-Ratcheting wrenches for the left and right and up and down adjustments.
Having ratcheting wrenches makes fine-tuning a very easy process.  You will see why later.

-A good hands-free communication method.  Depending on the tower FM communications may or may not work.  Cell phones may or may not work. Being able to talk to the crew on the other end is crucial.  And yes, to make this smooth you want a crew on the other end.

Aligning backhauls, especially microwave, is a skilled trade.  With any skilled trade, you will get all kinds of tips and tricks of the trade.  Some you may use, others you may not.  Ask any Carpenter, Drywaller, or Mason and they will tell you little tips and tricks. They probably all are great and will work, but you may only use some of them.  I am going to tell you mine. You may find others you like better.

We always start with a Google Earth plot of the path. I call this Phase 1.  The goal of phase 1 is to get the radios talking.  We make sure the line is exactly on the two points, not just approximate.  If the backhaul is on the left side of the tower, we draw the line to/from the left side of the tower.  We then pick 2-3 landmarks along the path if we can.  We start with something close to the tower the climber should be able to see.

In our photo above we have picked out two reference points close to the tower the climber can see.  The first is the clump of trees on the climber’s left.  The path passes “just to the right” of the edge of the end of the trees.  The second reference is the intersection of the county roads about 2-3 miles out.  Our path should be just to the right of those.  That point of reference is more of a sanity check than anything. The climber at the other end has a similar printout.   I have found communication during this process works best if both climbers and someone on the ground with a laptop, logged in to at least one radio, are on a conference bridge.  Many radios have lights, tones, or multimeter outputs to indicate signal.  Some modern radios only have web-interfaces and apps.  Holding a phone while trying to align can be cumbersome.  This is where the guy on the ground can take some load off what the climbers are doing.

Regardless of the mechanics of the radio, the goal of Phase 1 is to establish a radio link, no matter how bad it is. Now, here is where the real meat and potatoes of backhaul alignment come into play.  This is a very deliberate and calculated process.  Your goal at the end of the entire alignment process is to end up with the following diagram

What many folks don’t realize is it is possible to establish a signal on a side lobe. So how do you know if you are on a side lobe? Here is how we start phase 2. This is what I call fine-tuning. Real original huh? Depending on how good, or lucky, you were during phase 1, you may have a long way to go or a short way to go to meet target.  Remember that from the paperwork we talked about earlier?  One side and one side only starts moving their fine adjustment on their antenna to the left and right and up and down.  This is typically called sweeping.  The key thing to note here is you need to find the very edges of the radio signal, not just the lobe you happen to be on.

Let’s take a real-world example to explain how sweeping affects main and side lobes.  At the start of this article, we mentioned an 80ghz link.  With our phase 1 rough alignment, we were able to get linked at a -86.  The target was a -32.   The first side to start alignment started sweeping to the right, signal started going from a -86 down to a -72 rather quickly. This was using very small turns of the adjustment.  The ratcheting wrench was only clicking 1-2 times for each 2-3 db of signal change. Once it reached a -72 it started climbing back up.   The climber then kept going to the right to find the edge of the signal, not just the lobe we were on.  The signal started getting worse until we were back into the upper 80’s.

Now, the climber brings the alignment back to the left, and stops at the -72 and makes a mental note of where that is in relationship to the overall placement of the dish, etc.  Some mounts have distinct notches, some guys use markers, others just remember.  Now the climber continues on to the left and the -72 gets worse and goes back down to the -86 and continues to get worse.  So the climber, at least for now, has found the sweet spot for the left and right alignment.  The climber also knows this will probably change, but has found it for now.   The climber repeats the same procedure for the up and down. Due to the angle finder the climbers have with them, they feel pretty confident they are fairly close with the up and down, so they do not adjust the up and down travel as much as the procedure goes on.

Next, the other side does the same procedure the first side did. They do the left to right and get the signal down to a -62. Essentially, what the climbers are trying to do is find the center, which will contain the strongest signal, by sweeping past the other signals.  Keep in mind there may be only millimeters separating these other lobes.  Due to physics, and the shape of the signal, the first lobe is actually stronger than the edges of the main beam.

Say what? The first lobe is stronger than the edges of the main beam? Yes, but not stronger than the main beam.  Let’s go back to our installers. They have each had a go around at alignment and are only at a -62.  On a 5ghz backhaul that would be respectable, depending on your noise floor. But we are 30db away from our target of -32. Some climbers, incorrectly I might add, try to do a shortcut by scanning in an x pattern instead of x and y-axis separately. This makes it easier to lock onto a side lobe.

80ghz backhaul

So now our first climber goes back to making the left and right adjustments.   At this point, the installer finds something odd.  He has gotten the signal down to a -55, but that’s the best he can do. Even a small turn jumps the signal up.  Then our installer remembers the above statement.  The first lobe is always stronger than the edges of the main beam.  He gets the signal back down to a -55 and turns the alignment over to the other side.

Here is a very important thing to note.  Both of our installers have now “gotten a feel” for the few turns needed to adjust the signal on these dishes.  To them, compared to 5ghz dishes, these are very tiny and almost insignificant movements. But they sure make a difference in signal.  Now our installer at tower B has his second alignment session.  As he is making adjustments the signal is not changing.  He is moving his wrench for what seems like forever and the signal is barely moving. Any other time their signal would have been a -90 or dropped.  What has happened here? The main lobe of one side has locked onto the first lobe because it is always stronger.  Since the main lobe is bigger it seems like it takes forever to make any change.  If we had a guy on the laptop he was probably also seeing very mismatched data rates.  One side was probably much higher than the other by a large margin.

Then boom, all of a sudden the signal goes from a -55 to a -42.  A 17 db jump!   We can now tell we are on the main lobe.  If the laptop person looks at the data rates now they should be more balanced.

Data Rates on a Mimosa B11 Rates properly aligned but not fine-tuned

At this point, it is just a simple matter of each side making finer and finer adjustments back and forth to get the signal down.  If you think of the above circle/crosshair you are making smaller and smaller adjustments to nudge toward the center of the circle. This is where the ratcheting wrenches help by giving a very measured amount of travel.  This helps with the whole feel of alignment.  Much of it is feel to see how much you can move the adjustment mechanisms to make the numbers move.  Sometimes it may be a single click of the wrench.  Sometimes it may be one or two.  It just depends.  As you get closer and closer to target you are moving the adjustment less and less.

As you get closer and closer to target you need to be thinking about how tightening down the adjustment bolts will affect the alignment.  Even tightening them down snug can affect the signal.  That extra amount of movement to tighten them down can move them slightly past their alignment center.  On smaller dishes you may need to take into account the amount of travel it takes to tighten down the adjustment bolt.  If it takes a half turn of the bolt to get it tight you may need to stop a half turn short and tighten “into” target.  As you tighten it down fully, that is where you end up in alignment.  If you wait until you are in alignment and then snug it completely down, the force of snugging it down may pull it past and you will end up with a worse signal.

This article sprinkled in some examples from a real-world install, with some theory, with some practical knowledge. Your mileage and experience will vary.  Your experience with 6ghz vs 80ghz will vary as well. Each frequency will have its own quirks and tricks.

AirCube Part 2

Part 1 of our AirCube article can be found here

One of the best features of the new AirCube is the interface.  On Facebook and other places the AirCube has been criticized for its lack of features. I believe this is where the simple interface really makes the unit shine.   One thing many people don’t realize is your typical home router really doesn’t have a true firewall. Most routers have features that are firewall-like. Most “firewalls” are security by obscurity.  The ability to close off ports is a by-product of a NAT router.

Setup was very easy.  I downloaded the app, scanned the QR code, and then went into the phone’s Wi-Fi and connected to the AirCube Wi-Fi. Once I plugged it into my home router I was online.

One of the first things I always do when testing a new device is upgrade the firmware, unless I have a specific firmware version for whatever reason.  Upgrading the firmware on the unit was very easy.  I like the fact you can see the changelog notes with a single click.

Once upgraded the simplicity of the setup really shines through.  By default, the AirCube is in an access point mode. This is probably the default mode which will be the most beneficial for the ISPs out there.  I will explain why in a little bit.

The interface speaks for itself, I could go through screen by screen and spoon feed you the very simple setup screens, but you would get bored very quickly.  It is truly a very minimalist product and interface.

One of the coolest features I like about this product is the scan feature.  For some reason the way it is presented on screen resonates with me.  It makes seeing the frequencies in use handy.  While not a chart or graph, it still accomplishes the same function.

I know this little product has received some ripping from operators on various groups and forums.  However, I think it fills a very basic need.  That need is an easy to configure device which allows devices to access the Internet.  NAT firewalls can be done by the provider, and the user never has to touch them.  This is a trend many operators are headed toward anyway.  Let the provider manage the endpoint for the customer. The customer ends up calling the ISP to do port forwarding or if they have a virus anyway.  If the customer wants to add things in the house, it should be simple, and not add extra layers of NAT and firewall rules.  This is a perfect fit for the Cube.  So don’t dismiss it because it doesn’t have all the fancy features some routers have.  Save that for other product lines that you, as the ISP, can manage.