UniFi AP Bridged Me Onto a Neighbor’s Private Subnet
Posted by pyth0000n@reddit | sysadmin | 24 comments
Ran into a really strange UniFi situation today.
I was setting up a new shop and only had 3 devices connected to my switch:
- Laptop
- U6 Plus
- Cloud Key Gen2+
No router connected. No internet uplink. No DHCP server on my side.
But somehow both my laptop and Cloud Key pulled IP addresses and had internet access.
I checked the gateway address I received from DHCP and it was a UniFi UDM Pro labeled with a neighboring business’s name. I looked it up and the business is right next to the building I was working in.
At that point I suspected the U6 Plus had wirelessly uplinked/meshed to their UniFi network somehow.
What confirmed it for me was this:
The second I unplugged the U6 Plus, all connectivity to that subnet and the internet disappeared. When I connected the AP again, I never meshed again and was unable to replicate the scenario.
Their SSIDs were secured, so I’m confused how this could happen. Does UniFi wireless uplink allow APs to connect to other UniFi deployments under certain conditions? Or does this sound like some kind of misconfiguration on their side?
Curious if anyone else has seen this happen.
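The telling sign in the post above was a laptop on a supposedly isolated bench receiving a DHCP lease and a default gateway. Here is an added example (not from the original post) of a small bench-isolation check: it parses `ip -4 route` output and flags any default route or non-link-local address that falls outside the prefixes the bench is allowed to use. The sample route text, the `192.0.2.0/24` lease and the `192.168.1.0/24` bench prefix are constructed.

```python
import ipaddress
import subprocess

# Constructed sample of `ip -4 route` from a bench laptop that should have no
# gateway at all; the dhcp-sourced default route and lease are the anomaly.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0 proto dhcp src 192.0.2.57 metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.57 metric 100
169.254.0.0/16 dev eth0 scope link metric 1000
"""

# Prefixes a staging bench is allowed to use (assumed value for this example).
BENCH_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]


def parse_routes(text):
    """Return (destination, gateway, source) tuples from `ip -4 route` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        src = parts[parts.index("src") + 1] if "src" in parts else None
        routes.append((parts[0], gw, src))
    return routes


def bench_anomalies(route_text, allowed_prefixes, expect_uplink=False):
    """Flag signs that an isolated bench has joined a foreign network."""
    findings = []
    seen_src = set()
    for dest, gw, src in parse_routes(route_text):
        if dest == "default" and not expect_uplink:
            findings.append(f"unexpected default route via {gw}")
        if src and src not in seen_src:
            seen_src.add(src)
            addr = ipaddress.ip_address(src)
            # APIPA (169.254/16) is what a bench with no DHCP server should show.
            if not addr.is_link_local and not any(addr in p for p in allowed_prefixes):
                findings.append(f"address {src} is outside the bench prefixes")
    return findings


if __name__ == "__main__":
    live = subprocess.run(["ip", "-4", "route"], capture_output=True, text=True).stdout
    for finding in bench_anomalies(live, BENCH_PREFIXES) or ["bench looks isolated"]:
        print(finding)
```

Run it before adopting new gear; a non-empty result means something (a wireless uplink, a stray wall jack, a foreign DHCP server) has connected the bench to a network you did not intend.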
lemachet@reddit
Automesh and uplink allows devices to just show up
Did the neighbour adopt your AP by chance? Or was it already adopted?
If it's already adopted it shouldn't automesh
Internet-of-cruft@reddit
This is a huge pro and con of auto-meshing.
On the one hand, you did nothing and it just worked.
On the other hand, you did nothing and you (unintentionally) accessed a business network without authorization.
Proper configuration should restrict the auto-meshing feature, ideally disabling it where it's not required (i.e., every AP is LAN uplinked).
This is totally normal behavior. Just a risky default configuration that your neighbor should have disabled.
Funny_Wing3136@reddit
Please, can you guide me? Can I get a fully accurate, highly secure, and up-to-date WBA OpenRoaming profile? Do you think this file will allow my phone or computer to automatically connect to any network in my country and around the world? If you think it’s reliable, could you provide me with links to access the complete file, and explain the best practical methods for implementing it? If you have other suggestions that allow my phone to automatically and securely connect to all networks, I’d appreciate your help. I look forward to your response, Thank you
auriem@reddit
I’m amazed this is normal behaviour.
It’s a giant security hole if an attacker can just automesh into your LAN from off property.
music2myear@reddit
It's a setting. You can turn it on when you need to bulk enroll a lot of APs, and you can disable it when it's no longer needed. Good systems will give you tools. Some of those tools may be "security holes" technically, but you are the intelligent actor who chooses how to use the tool.
Gnump@reddit
Yeah, it is not.
pyth0000n@reddit (OP)
I agree. Meshing is pretty much the first thing I disable in a UniFi network.
Do you think this is out-of-box behavior, or the neighbor made configuration changes that led to this?
Internet-of-cruft@reddit
I'm not 100% confident because it's been a literal decade since I set up a UniFi controller from scratch.
When I upgraded my old controller to one where mesh was supported, I had to explicitly disable it.
They probably had it implemented and it was never turned off.
Ubiquiti makes it mostly config free (as in, making custom config changes after setup), so I would not be surprised it was out-of-box defaults.
pyth0000n@reddit (OP)
My AP was factory at the time. I adopted them afterwards, implying that someone else didn’t beat me to it.
Particular-Way8801@reddit
Ah, UniFi,
where the "Cloud Key" is on-prem and your neighbour owns your AP and you their data.
Perfect situation.
Pay peanuts, get monkeys.
yeah, I do not like them.
I am wondering how many businesses have that setting on, and how many could get hacked. That is a really disturbing hole.
NNTPgrip@reddit
We use them at work.
I have a U6-Pro and U6-Enterprise as the house. U6-Enterprise is a steaming pile of crap. I have to keep it on a year and a half old firmware just to keep devices connected to it, and they all still favor the U6-Pro, which is further away.
Needless to say, yeah I heard their 7 shit is better, but fool me once right?
I wish Ruckus was still doing their Xclaim line, that was the most rock solid performing AP I ever had at the house.
RykerFuchs@reddit
Isn’t a U6 Pro a WiFi 6 and the U6 Enterprise a WiFi 6E? You shouldn’t be mixing WiFi generations in the same physical environment/roaming area, full stop.
U6 Pro and U6 Enterprise should never be in the same roaming domain for the end user devices. Even mixing different AP types inside of the same generation in the same roaming area will cause full reassociation and clients to hold onto sessions longer than they should.
Very much a “just because you can, doesn’t mean you should” situation.
(Has a full Cisco WiFi environment at home (9 APs) and managed enterprise WiFi for a decade)
NNTPgrip@reddit
I disagree
6E is ONLY the 6 GHz band expansion of WiFi 6, no changes to 5 or 2.4.
I always split SSIDs for the different bands.
Shutting off the U6-Pro and noticing terrible dropouts with just the Enterprise is what led me to peel back the firmwares until it started to behave.
The U6 enterprise, is, a piece of shit.
flunky_the_majestic@reddit
Do you recall what firmware you landed on to resolve the issue?
NNTPgrip@reddit
6.6.65
flunky_the_majestic@reddit
2.4 GHz and 5 GHz have been normal for a long time. 2.4 GHz is often shut off now, mostly because of density concerns. So, what's the problem with starting up 5 GHz and 6 GHz simultaneously?
RykerFuchs@reddit
Instead of fast roaming, clients have to fully de-associate and re-associate when transitioning between APs. This breaks in-process streaming, and because RF is always a messy environment it does affect devices that don’t move. In a home environment things like WiFi calling or security cameras and smart doorbells become “unreliable” or “problematic” when the WiFi is “good”.
flunky_the_majestic@reddit
I'm a generalist who occasionally works with wireless, not a domain expert. However, I'm not able to find anything that indicates clients would need to fully de-auth and re-auth simply because of mixed bands. If WPA2 and WPA3 are mixed, then of course that would do it. Can you point to a mechanism or some documentation which describes what the mechanism of this problem would be?
appmapper@reddit
Connected wired or wirelessly?
If wired, I'd guess the building is wired for multiple ISPs and the other tenant has a LAN interface connected to the wall jack meant for one of the ISPs. The other tenant’s DHCP server replied before the ISP’s, bingo-bango, you’re on the other tenant’s LAN.
What IPs did your gear get? That would be the telling piece.
Jazzedd17@reddit
Sorry, what? This should not be acceptable behavior.
RykerFuchs@reddit
This is why it's /sysadmin and not /networking. :D
newtmewt@reddit
Wild, there is some auto uplink sort but I thought they had to be devices on the same management plane 😂
SamakFi88@reddit
It definitely sounds like the neighbor has AutoLink enabled. It "streamlines" the adoption process for new APs if they detect adopted/managed APs. OP's AP definitely popped up in the neighbor's Dream Machine for a few minutes, but it sounds like the neighbor didn't actually adopt the AP.
Brilliant-Advisor958@reddit
Maybe the neighbour has it set up wrong and is somehow broadcasting it into the public space.