Video Production Suite

I’m going to veer off from my usual diet of wireless posts to bring you a howto post on the new video production desk that I built for the Family Life Center at our church.

Over the past year, we’ve been putting together a major upgrade to the video equipment in the FLC, because this is what we had…

Tech Booth with 1980s vintage video equipment

If you’re young, you may not recognize some of this. That switcher is a Panasonic AG-MX50, coupled with a 3-camera PTZ system of the same era. The AG-MX50 was introduced sometime around 1990, and quickly gained popularity not just for live production, but for anyone doing tape to tape edits – I first used this same system when working in the A/V department in college, and it was a pretty slick piece of kit then. Our FLC was built in 2002, and eventually inherited this video system from the sanctuary when it was upgraded several years back. To say that this system is past its prime would be a gross understatement.

The projectors in the room were also getting on in years, and in dire need of replacement. So we looked at what we needed to bring the video in our most attended venue into the 21st Century, and continue a video ministry that has been in operation since the mid-1970s.

Background: We are a United Methodist church in a county seat town in central Kansas – about 250 a week in worship between two venues – while that’s big by United Methodist standards, we’re not one of these big high-tech churches – we do a lot with a little. (Long-time readers of the blog will remember that I worked at one of those big high-tech churches about a decade ago… It’s remarkable how much of those ideas can be scaled down to a “normal” sized church.) The overall project budget for this video upgrade was under $40,000, and we included in that about 20-25% wiggle room for random cables, connectivity, and, apparently, building furniture. That little stuff adds up after a while.

The first piece was to add a couple of 75″ TVs (Samsung 7 series) in the front of the room on either side of the stage. This allowed people sitting in front to see what was on the screens, which were roughly even with the first row of seating. Our existing projectors were running 4:3 off a VGA signal that was being split and amplified and sent over some heavy duty cables to the projectors. The TVs didn’t support any kind of analog input, so I ran some Belden 9116 RG6 cable and put a Decimator MD-HX on the computer end, and a couple of BlackMagic HDMI converters at the TVs, and a WiiStar VGA converter on the projectors, as well as an SDI to analog converter for the switcher running the stream. Later, when we added the new projectors (Panasonic PT-VMZ60), I put a Decimator MD-LX to get the signal to HDMI. The projectors and TVs were daisy-chained on the SDI link.

The next piece of the puzzle was to upgrade our switcher – We started with a BlackMagic ATEM TV Studio, and added a couple of WiiStar analog to SDI converters, but the ATEM TVS is rather finicky about input formats, which only one of the converters managed to output correctly. So we ran the SDI from the Decimator into the TVS, and then used an analog to SDI converter to get the output of the analog switcher into the TVS as well, and switched using both. This is also when we added an Aja Helo encoder to the mix, as my Teradek VidiU (a demo from the vendor) had decided to call it quits.

After several months of this, the funds were finally available to purchase the Ross Carbonite Solo switcher we had decided upon (cheaper than the ATEM 1ME unit, with more features, but most importantly, it had 6 built-in scan converters, meaning I wouldn’t have to get a small platoon of Decimator MD-HX units just to make the ATEM happy). We opted for the 9-input unit rather than the 13, as this was plenty for our needs. We also purchased the AW-RP150 camera controller so we’d be ready when the funds came in for the new cameras – We had to replace a lot of infrastructure in order to be ready for the cameras.

Naturally, this meant we were going to have to make a major update to our workspace – as you can see above, it was kind of cluttered and not very functional. So I set about making a custom desk that would accommodate all the gear, keeping cable messes out of sight, and making the overall system much more user-friendly.

I then considered the overall layout and found that a 50″ TV as a central multiviewer with two 24″ monitors stacked on either side would give us an array of displays that would give us a good overview of the production. I had initially planned on mounting it about 8″ above the surface of the desk, but that ended up being a lot less ergonomic than we had figured, so I ended up moving them down almost flush with the flat surface of the desk, meaning I had to mount the sound bar above (suboptimal, but functional).

A rough early layout.

I had about 8 feet of space to work with, and could go about 3 feet deep. After tinkering around in Visio, I was able to come up with a design that could be cut from two sheets of cabinet grade plywood, provide a sloped front, in which the switcher and camera controller could be flush mounted, while also providing four bays with 4U of rack space each, where I could mount things like power strips, network switch, a patch panel, and various other bits.

Cut sheet for the first sheet

Note: the vertical dotted lines on the ribs are NOT CUTS! The lumber yard missed that memo, and I had to work around that.

Cuts for the second sheet of plywood

An artifact of this being a two-sheet design means that there’s a bar at the top of the sloped face that is fixed in place – That does somewhat impede the access to the top rack space (more on that in a second) – you could use a third sheet and make the movable panels go the whole height.

This is also where I discovered that the “imported birch faced cabinet plywood” that my local lumber yard sells is basically 3/4″ worth of layers of cheap luaun with a birch veneer and a whole lot of glue. I would not recommend this material or use it again. It’s a pain in the ass to saw and sand, and it splinters like crazy. It got the job done, but it’s got some challenges (running a hole saw on this stuff sucks). Well worth spending an extra few bucks on actual hardwood cabinet plywood.

Once I got the big cuts done by the lumber yard, I had another member of the tech team handle the angle cuts with his table saw (where he also noticed that the wood quality was poor), since I lacked that particular bit of equipment.

Pile of boards ready for assembly
Ready to start putting together…

Getting down into the details of the assembly required some planning ahead. I had initially planned for 6″ space inside, until I realized that our current presentation computer is 6.2″ high. Then I remembered that 4U of rack space is 7″, so I altered the design (before cutting!) to create four bays of 4U each, and ordered four sets of rack mounting rails to go in the space.

Working design for the assembly – there are three bays: two with a pair of 19″ rack bays, and one on the end that is a few inches short – Things like power supplies and a Mac Mini live in here. Because of the updated monitor placement, the Qu-PAC ended up inside.

You’ll notice here that I have a bunch of passthru holes and outlet packs on the back deck – those have mostly gone away owing to the TVs and screens taking up the back 5″ or so of the deck. I may still add a few on the back deck between the rack bays. Once I get the hinged lids going, they will contain a wireless charging pad for mobile devices.

The side view – Holes between the ribs allow for airflow and cable passthrough.
Assembling the unit – using a piece of rack equipment to get the spacing right. Holes in the back are for cable and ventilation. They were carefully placed so as not to encounter a stud when installed.
Making some headway.

When it came time to haul it over to the church, I removed the top panels just to make it easier to maneuver and carry into the booth.

Installation time: A couple of scraps from cutting the ventilation holes were squared off on the radial arm saw and I used them as cleats to support the desk (using a laser to align it with the top of the legs)

We got it within about 1/64″ of level… I’ll take it.
Got it at least somewhat functional for Sunday… We thought we had a few weeks to do this before we re-opened in-person worship, but then our council accelerated the timeline.

I left the front lip open to provide for airflow.

First Sunday with the new desk. Lid is off as we figure out best arrangement and connections of the equipment. Once we get that all figured out, we’ll clean it up real nice.

I was able to find a set of matching Asus monitors that were inexpensive and used a VESA mount, and while those were on their way, I painted the wall behind them in flat stage black (makes the displays blend in better, and the wall was in dire need of a coat of paint anyway, so I used some of the paint left over from painting the stage)

Aligning the monitors required a lot of careful planning and the laser level. Here you can see the cable passthroughs and the fan packs.
Final layout without the lids – Still not 100% sure they’ll ever make it on… We shall see. Sound bar had to go up high (suboptimal) to keep the displays lower. It works OK for what we need it to though.

Materials List:

  • 2 or 3 sheets of 3/4″ cabinet grade hardwood plywood
  • 2″ finish screws (recommend Torx or Robertson head)
  • 4 sets of 4U rack brackets
  • 2 36″ piano hinges
  • 1 24″ piano hinge (you’ll need to cut this one to length)
  • Any trim or edge veneer you wish – We’re putting a lip on the bottom edge of the lid.
  • 2 AC Infinity AirPlate fan packs – Based on the way I built our desk, I had to flip the fans around to change the flow direction. You can either vent below the cabinet into the existing space, or vent to the rear (in our facility, the wall leads to a big empty ceiling space above the kitchen). These have a manual speed control, but a thermostat control version is also available.

Optional Components:

Tools:

  • Hole saws for the large holes
  • Forstner bits for smaller holes
  • Drill (and small bits for pilot holes)
  • Kreg Jig for pocket screws
  • Belt Sander with coarse belt (for evening things out)
  • Laser level (for installation)
  • Orbital sander with 120/180/220 grit pads (for smoothing things out)
  • Power driver (impact or drill – cordless helps a LOT here)
  • T square/Try square
  • Clamps
  • Table Saw
  • Radial Arm or sliding miter saw
  • Jig saw or reciprocating saw

Tech Equipment:

And that’s the story so far… I’ll update the post as changes warrant.

Tag, You’re It!

Cover Image: Unmasked (detail), (Brian Wall, 2014)

Just this past week, Ekahau released the latest iteration of their excellent wireless network planning software, and with this version, they’ve added a few features that many of us have been wanting for quite some time. Of course, we always want more, and there’s only so much the elves at Ekahau can do! So this leaves us with building our own tools to extract the data we need out of the project file. (Hey, Ekahau, you know what would be really awesome? an SDK for doing this!)

Fortunately, Ekahau has been really good about building a standards-based project file format (and not encrypting it or doing things that make it a pain to use your own data). Since the Ekahau software is built in Java (cross platform on Windows/Mac!), it’s logical for the data file to be in something like XML or JSON, and they have chosen the latter, and have effectively built a relational database in JSON, and bundled the whole thing up into a convenient zip file. It’s almost like they understand that their core market is made up almost entirely of customers who like to tinker with things.

Disclaimers:

Naturally, manipulating this file is something to be done entirely at your own risk, and if you break it, don’t go crying to Ekahau, because they don’t support mucking with their data file outside of their application (nor should they be expected to!) Make sure you have backups, etc, etc.

Also, this post is in no way based on any inside information from Ekahau, nor is it anything official from them – this is simply an analysis of the contents of the project file that anyone could do, whose nature as a zipped file full of JSON has been known for quite some time.

“I’m gonna get some tags… This is f’ing awesome”

Probably the coolest new feature in v 10.2 is the ability to add key:value tags to stuff. You can apply these tags to APs, either just the tag by itself, or a tag with a value associated with it. The Quick Select also lets you select any APs that have a particular tag key (although somehow they missed the ability to refine based on tag value, which I hope will be corrected in the near future).

Why is this useful? This allows you to add free-form information to access points, whether simulated or measured, that allows Ekahau to be more than just an RF simulation tool, and extends it into a full blown planning and deployment tool. Tagged information can be any kind of metadata you wish. Things like:

  • Mounting hardware
  • Wired MAC address
  • AP Group
  • Serial Number
  • Zone
  • Switch
  • Port
  • Cable
  • IDF
  • … and the list is nearly endless.

This is in addition to the already rich metadata associated with the AP that is directly relevant to the RF modeling, such as mounting height, mounting surface, antenna angles, power, channel, antenna types, and so forth.

So how does it work? Pretty simple: on an AP, simply open the sushi menu at the top right, select “Tag AP”. You can also do this from the Edit AP or bulk edit screen when doing multiple APs. This will give you a list of existing tag keys already associated with the project (as well as tags you’ve used before on other projects), along with a free form box to enter your own, or add a value.

As of right now, there’s not a whole lot you can do within the Ekahau software once you have those tags (I would LOVE a table view of my APs and all the metadata, as well as ability to import/export to CSV or Excel), nor is template-based reporting on those tags documented at this point (although I expect they’re working diligently to document this). One key weakness of the template reporting system is that it all has to go through Microsoft Word (with a whole bunch of limitations imposed by that format), and that gets really hairy once you start creating data tables, especially if you want them in Excel or something else.

Side note: Using Excel as a database is really a terrible use of a spreadsheet, but it happens all. the. time.

Which brings me to manipulating/extracting your data by building your own tools. Several people have been doing this unofficially for years, but Ekahau doesn’t offer anything for this… yet.

I mentioned earlier that Ekahau’s data is stored mostly in JSON, which makes it really easy to work with using Python (or, for that matter, Java or perl if you’re into self-flagellation). Every object in the data file has an ID that ties it back to other objects. And that’s the key thing (literally). There are about 2 dozen separate files that track various data, and that’s how they all tie together. Notes and tag keys are each kept in their own file, while the AP data file has a data object that contains a list of the note IDs, and another that keeps a list of tag IDs and the value associated with that tag:

accessPoints.json:

{
   "accessPoints": [
     {
       "location": {
         "floorPlanId": "b799747a-e2ed-49ad-8c5e-c9ea8c36fa61",
         "coord": {
           "x": 2475.397796817626,
           "y": 1537.8008975928194
         }
       },
       "name": "Simulated AP-1",
       "mine": true,
       "userDefinedPosition": false,
       "noteIds": [
         "37faa8ef-c5c8-4d9d-a882-916db175b935",
         "663419b4-ddb4-4ddb-b3f2-d50233743c5c"
       ],
       "vendor": "Aruba",
       "model": "AP-515",
       "tags": [
         {
           "tagKeyId": "59650f76-3e4b-4c40-b78b-2d0088f5b227",
           "value": "123456789"
         },
         {
           "tagKeyId": "5c9cb127-8ba2-4a60-84e5-75f47ce87f99",
           "value": "C-Suite"
         },
         {
           "tagKeyId": "991b12b7-dbb0-47de-9cd2-260ee064b3e3",
           "value": "aa:bb:cc:dd:ee:ff"
         }
       ],
       "id": "a0b90f2a-8b1b-4339-8362-dc51122931ed",
       "status": "CREATED"
     }
   ]
 }

tagKeys.json:

{
  "tagKeys": [
    {
      "key": "Serial",
      "id": "59650f76-3e4b-4c40-b78b-2d0088f5b227",
      "status": "CREATED"
    },
    {
      "key": "AP Group",
      "id": "5c9cb127-8ba2-4a60-84e5-75f47ce87f99",
      "status": "CREATED"
    },
    {
      "key": "MAC",
      "id": "991b12b7-dbb0-47de-9cd2-260ee064b3e3",
      "status": "CREATED"
    }
  ]
}

notes.json:

{
  "notes": [
    {
      "text": "This is another test note",
      "history": {
        "createdAt": "2020-06-08T16:25:11.868Z",
        "createdBy": "Ian Beyer"
      },
      "imageIds": [],
      "id": "663419b4-ddb4-4ddb-b3f2-d50233743c5c",
      "status": "CREATED"
    },
    {
      "text": "This is a test note",
      "history": {
        "createdAt": "2020-06-08T16:25:04.883Z",
        "createdBy": "Ian Beyer"
      },
      "imageIds": [],
      "id": "37faa8ef-c5c8-4d9d-a882-916db175b935",
      "status": "CREATED"
    }
  ]
}

simulatedRadios.json:

{
  "simulatedRadios": [
    {
      "accessPointId": "a0b90f2a-8b1b-4339-8362-dc51122931ed",
      "accessPointIndex": 2,
      "transmitPower": 0.0,
      "antennaTypeId": "bdf0702a-42be-456a-8891-4cf54940a5c2",
      "antennaDirection": 0.0,
      "antennaTilt": 0.0,
      "antennaHeight": 2.4,
      "antennaMounting": "CEILING",
      "radioTechnology": "BLUETOOTH",
      "spatialStreamCount": 1,
      "shortGuardInterval": false,
      "defaultAntennas": [
        {
          "radioTechnology": "BLUETOOTH",
          "frequencyBand": "TWO",
          "antennaTypeId": "bdf0702a-42be-456a-8891-4cf54940a5c2"
        }
      ],
      "enabled": true,
      "id": "c4f3c521-873c-40de-8076-b1f02b655993",
      "status": "CREATED"
    },
    {
      "accessPointId": "a0b90f2a-8b1b-4339-8362-dc51122931ed",
      "accessPointIndex": 0,
      "transmitPower": 8.000293592441343,
      "channel": [
        1
      ],
      "antennaTypeId": "785280d6-168c-4eab-9819-88e6010e2bef",
      "antennaDirection": 0.0,
      "antennaTilt": 0.0,
      "antennaHeight": 2.4,
      "antennaMounting": "CEILING",
      "technology": "AX",
      "radioTechnology": "IEEE802_11",
      "spatialStreamCount": 2,
      "shortGuardInterval": true,
      "greenfield": false,
      "defaultAntennas": [
        {
          "radioTechnology": "IEEE802_11",
          "frequencyBand": "TWO",
          "antennaTypeId": "785280d6-168c-4eab-9819-88e6010e2bef"
        },
        {
          "radioTechnology": "IEEE802_11",
          "frequencyBand": "FIVE",
          "antennaTypeId": "4ef1637e-06e5-415a-96fd-a97a82273242"
        }
      ],
      "enabled": true,
      "id": "bb7304d1-d564-4018-aa92-e6ca52cba37b",
      "status": "CREATED"
    },
    {
      "accessPointId": "a0b90f2a-8b1b-4339-8362-dc51122931ed",
      "accessPointIndex": 1,
      "transmitPower": 13.979400086720377,
      "channel": [
        36
      ],
      "antennaTypeId": "4ef1637e-06e5-415a-96fd-a97a82273242",
      "antennaDirection": 0.0,
      "antennaTilt": 0.0,
      "antennaHeight": 2.4,
      "antennaMounting": "CEILING",
      "technology": "AX",
      "radioTechnology": "IEEE802_11",
      "spatialStreamCount": 4,
      "shortGuardInterval": true,
      "greenfield": false,
      "defaultAntennas": [
        {
          "radioTechnology": "IEEE802_11",
          "frequencyBand": "TWO",
          "antennaTypeId": "785280d6-168c-4eab-9819-88e6010e2bef"
        },
        {
          "radioTechnology": "IEEE802_11",
          "frequencyBand": "FIVE",
          "antennaTypeId": "4ef1637e-06e5-415a-96fd-a97a82273242"
        }
      ],
      "enabled": true,
      "id": "4ab4a7e1-708d-4f18-b33e-d8891a808e9f",
      "status": "CREATED"
    }
  ]
}

One thing you can do with simulatedRadios.json is go through and adjust your antenna orientations to the nearest 5 or 15 degree increments – having decimal granularity in the antenna orientation isn’t really useful unless you’re doing some very long point to point shots, and it will make the maps look cleaner when your antenna is at 90° instead of 88.6367879° because you manually rotated it by dragging it with the mouse.
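One way to do that rounding, as an added example that is not code from the original post or from Ekahau: it writes a new copy of the project archive and leaves the original untouched. It assumes the JSON members sit at the root of the zip, that `antennaDirection` is in degrees, and that the application accepts re-serialized JSON; the function names and the sample archive are constructed for illustration.

```python
import io
import json
import zipfile

def snap_angle(degrees, step=5.0):
    """Round to the nearest multiple of `step` and wrap into [0, 360)."""
    return (round(degrees / step) * step) % 360.0

def snap_antenna_directions(src, dst, step=5.0):
    """Copy the project archive src to dst with antennaDirection snapped.

    Returns (radio id, old, new) for each radio changed. src is never modified.
    """
    changes = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == "simulatedRadios.json":
                doc = json.loads(data)
                for radio in doc.get("simulatedRadios", []):
                    old = radio.get("antennaDirection")
                    if not isinstance(old, (int, float)):
                        continue  # leave anything unexpected untouched
                    new = snap_angle(old, step)
                    if new != old:
                        radio["antennaDirection"] = new
                        changes.append((radio.get("id"), old, new))
                data = json.dumps(doc, indent=2).encode("utf-8")
            zout.writestr(info, data)  # every other member is copied unchanged
    return changes

def sample_archive():
    """Constructed three-radio project archive (ids are placeholders)."""
    radios = {"simulatedRadios": [
        {"id": "radio-a", "antennaDirection": 88.6367879, "antennaTilt": 0.0},
        {"id": "radio-b", "antennaDirection": 358.2, "antennaTilt": 0.0},
        {"id": "radio-c", "antennaDirection": 45.0, "antennaTilt": 0.0},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("simulatedRadios.json", json.dumps(radios))
        zf.writestr("notes.json", json.dumps({"notes": []}))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    out = io.BytesIO()
    for radio_id, old, new in snap_antenna_directions(sample_archive(), out):
        print(f"{radio_id}: {old} -> {new}")
```

Pass file paths instead of the in-memory buffers to work on a real project, and open the copy in the application before discarding the original.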

I’m also going to omit the antennaTypes.json here, but it’s worth noting that if you have any custom APs/Antennas in your Ekahau setup, that data is included in your project file for portability, and you don’t need that custom config replicated on the next machine that opens up this file, and aren’t limited to the APs and antennas that Ekahau offers by default (although it would be really nice if they made it easy to add custom APs/antennas that survived a code update)

So here’s the basic process to report on your tags and notes:

  1. Bring in the list of access points from accessPoints.json. This will get you a list of notes, as well as the tag key IDs, along with that tag’s values.
  2. You’ll need to then cross-reference the tag key IDs from tagKeys.json to get the key values. (This approach seems a little convoluted at first, but it ensures that a key can be matched consistently from one file to the next by its ID, not merely by the text of the key, which will come into play when merging multiple data files into one. Ekahau was very smart about designing it this way.)
  3. Extract any notes from notes.json.
  4. Cross-reference any additional radio-specific data you need (including orientation) by looking for the access point ID in simulatedRadios.json.
  5. Cross-reference any antenna pattern data by looking for the access point ID in antennaTypes.json.
  6. Information such as floor number lurks in buildingFloors.json and buildings.json.
  7. And so forth.
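Steps 1 through 4 as an added Python example (not code from the original post or from Ekahau): it joins each AP to its tag key names, note text and simulated radios, then flattens the result to CSV. It assumes the JSON members sit at the root of the zip and carry the fields shown in the samples above; the function names are hypothetical, and the sample archive is a constructed, condensed copy of those samples. Because tag and note text is free-form, cells that a spreadsheet would read as a formula are prefixed with an apostrophe before export.

```python
import csv
import io
import json
import zipfile

def load_list(zf, member, key):
    """Return the list under `key` in a JSON member, or [] if the member is absent."""
    try:
        return json.loads(zf.read(member)).get(key, [])
    except KeyError:
        return []

def safe_cell(value):
    """Stop a spreadsheet from treating free-form tag or note text as a formula."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def ap_report(project):
    """Join every AP with its tag key names, note text and simulated radios."""
    # Members are read in memory; nothing from the archive is extracted to disk.
    with zipfile.ZipFile(project) as zf:
        aps = load_list(zf, "accessPoints.json", "accessPoints")
        tag_keys = {k["id"]: k["key"] for k in load_list(zf, "tagKeys.json", "tagKeys")}
        notes = {n["id"]: n["text"] for n in load_list(zf, "notes.json", "notes")}
        radios = load_list(zf, "simulatedRadios.json", "simulatedRadios")
    radios_by_ap = {}
    for radio in sorted(radios, key=lambda r: r.get("accessPointIndex", 0)):
        radios_by_ap.setdefault(radio["accessPointId"], []).append({
            "technology": radio.get("radioTechnology"),
            "channel": radio.get("channel", []),
            "direction": radio.get("antennaDirection"),
        })
    rows = []
    for ap in aps:
        tags = {}
        for tag in ap.get("tags", []):
            # A tag may have no value, and its key may be missing from tagKeys.json.
            name = tag_keys.get(tag["tagKeyId"], "unknown:" + tag["tagKeyId"])
            tags[name] = tag.get("value", "")
        rows.append({
            "name": ap.get("name", ""),
            "vendor": ap.get("vendor", ""),
            "model": ap.get("model", ""),
            "tags": tags,
            "notes": [notes[i] for i in ap.get("noteIds", []) if i in notes],
            "radios": radios_by_ap.get(ap["id"], []),
        })
    return rows

def to_csv(rows):
    """Flatten the report to CSV text with one column per tag key."""
    tag_names = sorted({name for row in rows for name in row["tags"]})
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Name", "Vendor", "Model"] + tag_names + ["Notes"])
    for row in rows:
        cells = [row["name"], row["vendor"], row["model"]]
        cells += [row["tags"].get(name, "") for name in tag_names]
        cells.append(" | ".join(row["notes"]))
        writer.writerow([safe_cell(c) for c in cells])
    return out.getvalue()

def sample_project():
    """Constructed in-memory archive: a condensed copy of the page's sample objects."""
    ap_id = "a0b90f2a-8b1b-4339-8362-dc51122931ed"
    files = {
        "accessPoints.json": {"accessPoints": [{
            "name": "Simulated AP-1", "vendor": "Aruba", "model": "AP-515", "id": ap_id,
            "noteIds": ["37faa8ef-c5c8-4d9d-a882-916db175b935",
                        "663419b4-ddb4-4ddb-b3f2-d50233743c5c"],
            "tags": [
                {"tagKeyId": "59650f76-3e4b-4c40-b78b-2d0088f5b227", "value": "123456789"},
                {"tagKeyId": "5c9cb127-8ba2-4a60-84e5-75f47ce87f99", "value": "C-Suite"},
                {"tagKeyId": "991b12b7-dbb0-47de-9cd2-260ee064b3e3",
                 "value": "aa:bb:cc:dd:ee:ff"}]}]},
        "tagKeys.json": {"tagKeys": [
            {"key": "Serial", "id": "59650f76-3e4b-4c40-b78b-2d0088f5b227"},
            {"key": "AP Group", "id": "5c9cb127-8ba2-4a60-84e5-75f47ce87f99"},
            {"key": "MAC", "id": "991b12b7-dbb0-47de-9cd2-260ee064b3e3"}]},
        "notes.json": {"notes": [
            {"text": "This is another test note",
             "id": "663419b4-ddb4-4ddb-b3f2-d50233743c5c"},
            {"text": "This is a test note", "id": "37faa8ef-c5c8-4d9d-a882-916db175b935"}]},
        "simulatedRadios.json": {"simulatedRadios": [
            {"accessPointId": ap_id, "accessPointIndex": 1, "channel": [36],
             "radioTechnology": "IEEE802_11", "antennaDirection": 0.0},
            {"accessPointId": ap_id, "accessPointIndex": 0, "channel": [1],
             "radioTechnology": "IEEE802_11", "antennaDirection": 0.0}]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, doc in files.items():
            zf.writestr(name, json.dumps(doc))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(to_csv(ap_report(sample_project())))
```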

Hopefully you’re starting to get the general idea of how this data is put together. It should be a fairly straightforward matter of running a little code against the data file and being able to generate not only a drop list for your installation contractor, but also a big chunk of your configuration script for deploying against your wireless controller. If you’re feeling especially adventurous and saucy, you can even use your wireless system’s API for this and be able to orchestrate a large chunk of your configuration from within Ekahau.

Once I build some actual code, I’ll be sure to share it here.

Here is the big gnarly mind map of the Ekahau data file. It’s probably still very much incomplete and I don’t promise 100% accuracy of data types, but it gives a good visual reference of how the whole thing goes together:

Resolution got smashed by WordPress, so you can check out the full resolution version, or a PDF version.

Working From Home: Home Network

Continuing the series about working from home, today I’m going to talk about the network inside your home, after it gets to your side of the router.

I posted some time ago about solving home wifi woes, so you can read that piece if you’re just trying to fix Wi-Fi weirdness.

In the previous post about internet access, I talked about the router being the gateway between your home network and the rest of the internet. For many home users, your modem, your router, ethernet switch, and your Wi-Fi access point are all stuffed into the same box, which can lead to some confusion when troubleshooting. It also means that if one of those components fails, you likely need to replace the whole thing, which can be a pain. So I’m going to talk about the various components, but just remember that they can sometimes be separate, or sometimes all in that one box we call “router”.

Network Switches

The network switch is the first stop after the router. The switch is what allows you to connect multiple Ethernet devices together. This forms the basis for your entire home network, known as a Local Area Network, or LAN. If you need more ports (not uncommon, since most all-in-one router devices usually only have 4 ports), you can attach a network switch to another. I won’t get into the gory technical details, but this is what allows you to split your network connection among multiple devices. For some homes, 4 ports is enough. For others (such as my own, where I have seven switches comprising nearly a hundred ports), you need to add switches to connect everything.

As a general rule, if a networked device in your house doesn’t move (or is bolted to the structure of the house), you should connect it via a wire, even if it’s capable of wireless. This includes things like TVs, printers, desktop computers, gaming consoles, and so on. A wired network connection will always be more secure and perform better than wireless. If you are a gamer, the reduced latency (“ping”) of a wired connection is something you desperately seek.

Many switches (mostly enterprise grade, but there are growing numbers of small business and home office switches) can also provide DC power over the Ethernet connection – this is known as PoE (and it is spelled out, not pronounced as in “Edgar Allan”), and allows you to power a variety of network devices such as access points and IP phones from a single physical connection. If you have your PoE power source equipment (switch) on a UPS, it can keep all the devices on the network running during a power outage. PoE comes in 3 basic flavors: 15 Watts (802.3af/PoE), 30 Watts (802.3at/PoE+), and most recently, 60 Watts (802.3bt/UPoE). Most devices you’ll encounter at home are perfectly happy to use the 15W variety.

A quick note about network patch cables: Don’t buy into the “Cat 7” marketing hype. This standard doesn’t even exist in the IT world because it doesn’t add any benefit to Ethernet connections. Unless you’re a huge nerd like me, the most you’re ever going to use on your home network is going to be 1 gigabit, which only requires Cat 5e cabling. Buying a more expensive Cat 6, 6a, or 7 cable isn’t going to make your network run any faster (and be very wary of all advice from anyone who tells you otherwise, because they’re about to sell you a whole bunch of crap you don’t need). Cat6 is the norm these days, so it’s probably the cheapest and most common. It will also run 10 gigabit connections within the distances presented in most residential environments. In any case, you’re never going to need 10 gig at home. Not even if you’re a big nerd. See my post about cabling categories for more details.

Wireless

Your Wi-Fi is simply an extension of your home network (LAN) without wires. The device that provides the Wi-Fi signal is called an Access Point, or AP. (Some people still call it a “WAP” for Wireless AP, but that’s not really helpful, because the W could also mean “Wired”). Even inside your residential gateway/router, the access point is a separate piece of hardware that connects internally to the built-in network switch.

The major downside to having an all-in-one gateway device is that what is optimal placement for the gateway (usually where the ISP installer could get a wire through the wall with a minimum amount of effort and damage) is rarely the best place to put an access point. Access points should be centrally located, and the ISP/Cable tech usually likes to be on an outside wall. When you put your wireless there, you’re sending half your signal outside and into your neighbor’s house, especially if you have it turned up to full power to hit the other end of the house.

A recent development in residential Wi-Fi is the rise of “Mesh” devices. This is basically a system of multiple access points which are centrally managed as one system, which allows you to extend wireless throughout your house. “Mesh” refers to those access points themselves connecting to the network wirelessly, rather than using an ethernet connection. Remember what I said earlier about wiring in devices that don’t move? This applies to access points as well. If an access point has to connect wirelessly to your network, it’s going to suffer from all the same wireless problems as any other device. Wire it in unless you have no other option. It’s going to perform a LOT better that way. And, as I mentioned earlier, you may be able to centrally power the access point with PoE.

IoT

As we get more connected, we have more and more smart devices at home. These are collectively referred to as the “Internet of Things”, or IoT. It’s a broad category that includes everything from connected thermostats to smart appliances, wearables such as smart watches, and so on. This is more of a side note to the Work From Home discussion, as IoT is one of those things that potentially impacts a network, but is largely tangential. There’s a saying that “The S in IoT stands for Security”. You’re already saying to yourself, “but there’s no S in IoT!” That’s precisely the point. IoT devices can pose a major security threat on your home network because most of them were not designed with network security in mind. Bottom Line: Isolate them from everything else as much as you can.

Summary/tl;dr

This was just a quick review of your home network components and how they interact, even if they’re all inside the same box. As usual, comments and questions below!

Winnie the Pooh in a honey pot

Working From Home: Firewalls and Honeypots

Yesterday, I saw a social media post from my friend Thorsten, who is an engineer for a large network security company, in which he shared some nifty dashboard graphics from his installation of a nifty little Linux distribution known as T-Pot (I’m a total sucker for great dashboards!).

T-Pot is a collection of various network honeypots with a very nice reporting backend. The project is maintained by Deutsche Telekom, who use it extensively within their own networks. (disclosure: If you run it, it will send back anonymized collected information about the threats seen to their data lake)

So I’m going to veer off a little bit from my regularly scheduled Working From Home series and talk about the importance of securing your networks. T-Pot won’t actually secure your network, it will merely report on the threat actors (most of them automated) that are attacking your network every second of the day. And to a small extent, time they spend “attacking” your honeypot is time they’re not spending attacking real targets (like Pooh up there at the top).

T-Pot takes about 30 minutes to install on a virtual machine (put it in a VLAN that is isolated from everything else!) and then all you do is add a firewall rule to port forward all TCP/UDP (I also did ICMP) to that machine (after any rules to forward to actual stuff), and let it do its thing.

Results will start coming in almost instantly. In a matter of minutes, I’d collected literally hundreds of attacks. After a couple of hours, the numbers were a little disturbing. About 90 minutes after going live, I saw a sharp uptick in one type of attack, as it seems the attackers had found a new target and relayed that information to other attackers.

2.5 hours worth of data.
China, Russia, and.. Canada?
The T-Pot dashboard will show you what usernames and passwords are being used against your honeypot, as well as which known vulnerabilities were being exploited.

If you’re a business hastily trying to get people to work from home, did you just open up a port forward on your Layer 3 firewall to allow Remote Desktop? That probably wasn’t a great idea. As you can see, threat actors are constantly scanning each and every IP address on the internet, probing for vulnerabilities. All it takes is one successful entry into your network, and you’re toast. That can come through your homebound workers as well, if their networks aren’t secure.

Do you still think you don’t need a Layer 7 firewall?
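Two points from this post, the catch-all honeypot forward that has to sit after the rules for real services and the Remote Desktop forward opened to the whole internet, can be checked mechanically. This is an added example, not code from the original post or from any firewall vendor; the rule format, host addresses and rule names are hypothetical, and it assumes the firewall applies the first matching forward.

```python
from ipaddress import ip_address, ip_network

HONEYPOT = "10.66.0.10"                   # hypothetical T-Pot VM in its isolated VLAN
ANY = ip_network("0.0.0.0/0")
WATCHED_PORTS = {3389: "Remote Desktop"}  # extend with other services to watch


def rule(name, proto, ports, source, target):
    """One port-forward entry; ports is an inclusive (low, high) range."""
    return {"name": name, "proto": proto, "ports": ports,
            "source": ip_network(source), "target": target}


# Constructed rule tables: the same three rules in two different orders.
SPECIFIC = [
    rule("web", "tcp", (443, 443), "0.0.0.0/0", "192.168.1.20"),
    rule("rdp", "tcp", (3389, 3389), "0.0.0.0/0", "192.168.1.30"),
]
CATCH_ALL = rule("honeypot", "any", (1, 65535), "0.0.0.0/0", HONEYPOT)
GOOD_ORDER = SPECIFIC + [CATCH_ALL]
BAD_ORDER = [CATCH_ALL] + SPECIFIC


def resolve(rules, proto, port, src):
    """Return the forward target of the first matching rule, or None."""
    for r in rules:
        if (r["proto"] in ("any", proto)
                and r["ports"][0] <= port <= r["ports"][1]
                and ip_address(src) in r["source"]):
            return r["target"]
    return None


def covers(earlier, later):
    """True when every packet `later` would match is already taken by `earlier`."""
    return (earlier["proto"] in ("any", later["proto"])
            and earlier["ports"][0] <= later["ports"][0]
            and later["ports"][1] <= earlier["ports"][1]
            and later["source"].subnet_of(earlier["source"]))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later["name"] for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def open_exposures(rules, honeypot=HONEYPOT):
    """Watched services forwarded from any source to a host other than the honeypot."""
    found = []
    for r in rules:
        if r["target"] == honeypot or r["source"] != ANY:
            continue
        for port, label in WATCHED_PORTS.items():
            if r["proto"] in ("any", "tcp") and r["ports"][0] <= port <= r["ports"][1]:
                found.append((r["name"], label))
    return found


if __name__ == "__main__":
    print("shadowed in bad order:", shadowed_rules(BAD_ORDER))
    print("open to the internet:", open_exposures(GOOD_ORDER))
```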

Working From Home: Internet Access

In my previous post, I went over the basics of working from home. It’s worth noting here that many of these concepts can also be applied to your kids who might be taking school online – they’re teleworking just like you are, and face many of the same challenges. In this and future posts, I’ll be dealing with the tech basics required for a successful and productive home office.

I was originally going to do a single post on all things tech, but it started getting lengthy, so I decided to break it down into a couple of parts. This post will deal specifically with external network connectivity.

The Internet

No surprises here – a decent internet connection is pretty much a given for remote work. One thing that is becoming apparent during this quarantine period is that a whole lot of people have abysmally bad internet connections at home. I’m hearing horror stories from the trenches, from my colleagues and friends who work front-line IT support.

The word “Broadband” is thrown around a lot by ISPs intent on selling you a service package, but what does it really mean? In the United States, the Federal Communications Commission updated their definition of “broadband” most recently in 2015, to mean a connection speed of at least 25Mbps downstream (from ISP to your house), and 3Mbps upstream (from your house to your ISP). But what do those speeds really mean? The FCC also has a handy guide listing what activities require what level of speed.

So your Cable ISP touts their “SuperGigaFast” service with “gigabit” service. Sounds great, right? Not so fast. Cable-based ISPs that come into your house via a coaxial cable use a technology called DOCSIS, which has great downstream speeds, and (usually) abysmally bad upstream speeds. The cable companies originally designed this technology back in the late 1990s when internet usage consisted largely of downloading web pages and sending small bits of control data. This meant that an asymmetrical connection would work great for most users, and they would be able to leverage their existing wiring infrastructure.

Fast forward 25 years to 2020, and cloud-based data storage and teleconferencing and the like mean that you need a lot more upstream speed than you used to. But that hasn’t stopped cable companies from selling “gigabit” packages with a paltry 10Mbps upstream connection. When getting an internet service package for teleworking, your upstream speed should be at least 10% of your downstream speed – because if you saturate your upstream link, it’s going to negatively impact your downstream traffic and limit it. This lets the cable company sell you “gigabit”, knowing full well that they’ll never have to deliver on that promise. They also usually provide really cheap equipment which means your Wi-Fi speeds are going to be limited even more, and they still don’t have to deliver on those gigabit speeds they’re charging you for. If you have the option of a symmetrical connection (usually delivered over fiber optic cable), it will be a lot more functional.

Much of what applies to DOCSIS cable connections also applies to DSL connections from the local telephone company. Make sure you have enough upstream bandwidth to do what you need to do. Also beware of any service that has a data cap – working from home can blow through a data cap in a real hurry.

It’s usually worth investing in your own router – the equipment provided by the ISP is, in most cases, absolute junk. AT&T is notoriously bad about this on both their U-Verse DSL and fiber-based services, and they have it configured such that it’s very difficult to use a “real” router with their service.

And in some places, cable, fiber, or DSL aren’t an option, and you’re stuck with either a wireless ISP or cellular.

Hardware

The typical internet connection requires a couple of devices. ISPs and telcos generally refer to this as “Customer Premises Equipment”, or “CPE”.

1950s-era dial telephone using an acoustic coupler modem

The Modem

This is the device that interfaces your ISP’s connection with your home network, usually via an Ethernet connection. The term comes from “modulation/demodulation”, which is the process of converting a data stream into a series of electrical signals. This operates between what us network nerds call “Layer 1” (electrical signals) and “Layer 2” (data link). I posted on network layers in this post from 2018, if you want to get into some of the details of those. The modem’s primary function is extending your ISP’s physical network to your house. Before the days of direct internet connections, the data link was established over a telephone line by modulating the data signals into electrical signals in the narrow audio range supported by the telephone system.

Modems can take many forms, and in many cases, your ISP’s modem is integrated into a single device with a router. In the case of cable, you can usually supply your own. In the case of DSL or fiber service (where it’s usually called an Optical Network Terminal instead of a modem) it’s usually provided by the ISP and you won’t get much choice in the matter, although sometimes it’s possible to request a specific type or model.

Your smartphone also contains a modem that interfaces to the cellular networks – it likely uses LTE (4G), but older ones (3G) would use CDMA or GSM, and newer ones (5G) use a few different things, mostly based on LTE. If you need to interface a cellular network to your home network, either as a primary or backup link, there are dedicated cellular modem devices for that (more on that in a moment).

GIF from "The IT Crowd" where Moss shows Jen a small black box, and tells her, "This, Jen, is the Internet"

The Router

This is the device that connects your network to your ISP’s network. It operates at “Layer 3”, which for the vast majority of people means “the internet”. The internet is nothing more than a whole bunch of interconnected networks. A protocol (known as the “Internet Protocol”, or “IP”) has been in place for decades, specifying how all these networks can talk to each other. Each network is connected to other networks by way of a router (also known as a “gateway”). Its job is to look at traffic that comes in, and decide where it needs to go next. If it’s for another device on a network it’s directly connected to, it sends it directly. For something elsewhere on the internet, it sends it to the next router down the line (usually your ISP) to deal with and eventually get it to where it needs to go. This process usually happens in a matter of milliseconds (you can use the “ping” command to see how long this takes, or “tracert” (Windows)/“traceroute” (everything else) to see the path it takes). The whole idea is that you don’t see what’s happening under the hood.

The term “Router” is often misconstrued to mean “WiFi”. This is often because the equipment provided by an ISP or purchased consists of a router, a network switch, and a Wi-Fi access point (and sometimes a modem) all in one box referred to as “the router”.

Owing to a general shortage of IP addresses, your ISP will assign a single IP address (which is unique on the entire internet!) to your router’s Internet-facing connection (the Wide Area Network/WAN interface), and your own network devices (on the Local Area Network/LAN interface) will occupy address space that is defined by RFC1918 as “private” address space (which cannot be used directly on the internet, but can be re-used by anyone – in most cases, your network will be 192.168.something, the specifics vary from one device to another). The router will then perform Network Address Translation (NAT) to move data between the two networks. Most of the time, you don’t need to worry about the details of how it’s set up, although when it comes to troubleshooting, having at least a general awareness of how it’s set up can be useful.

3D Illustrated representation of a firewall.

The Firewall

This is a key piece of the network, as it is what decides which traffic is and isn’t allowed. This is critical to providing network security. It is usually integrated into the router. It examines each packet and checks a list of rules (which can be updated multiple times a day to react to ongoing threats) to determine if the packet should be sent along its merry way, or dropped into a deep, dark hole.

LAN Party

The Local Area Network

The router is the transition point from your network to the rest of the internet. I’m not going to get into the details of the LAN for the moment (that’s for another post), but this is where you will connect all your equipment, either wirelessly via Wi-Fi, or via a wire to an Ethernet switch.

Single car in a tunnel

Virtual Private Networking (VPNs)

This isn’t really a hardware component, but is usually a key piece of any home office (it sometimes uses dedicated hardware, though). The function of a VPN is to connect you to another private LAN located elsewhere (either physically or just another part of the network). When working from home, installing a dedicated private network connection between the main office and a home office is cost-prohibitive (although there are some interesting new technologies with 5G that will allow you to connect mobile devices directly to the corporate network, essentially making the corporate network its own cellular carrier).

Enter the VPN – It uses the public internet to establish a connection to the corporate network, and it builds an encrypted tunnel that allows corporate traffic to pass through securely. Sometimes, this is an application that runs directly on a computer, establishing the tunnel directly to that computer, and sometimes, the tunnel is established by the network equipment you have at home, and it just presents another LAN for you to connect anything to. In most cases, in order to use bandwidth more efficiently, any traffic destined for the internet will go out directly from your router, rather than traveling through the tunnel and out from the corporate network. This is known as a “split tunnel”. Some companies, however, will choose to pass all traffic through the tunnel in order to benefit from high-power corporate firewalls to better secure traffic against malware, data leakage, or to just filter content.

As cloud-based services such as Office 365 become more prevalent, VPN connections back to the office are becoming less important.

It’s worth noting that this is very different from public “VPN” services that claim to offer privacy when accessing the internet. While the underlying technology is similar, all these are doing is relocating where you hop on to the internet, sending it through the VPN service’s network where they can inspect all your traffic.

Home Network Equipment

Equipment

A quick rundown of connectivity equipment:

Cellular Modems

If you need to connect to a cellular network, you can use the following:

  • Your smartphone hotspot (easiest in a pinch, can also usually connect to your laptop via a USB cable if you don’t want to or can’t use Wi-Fi)
  • A portable hotspot, sometimes called a “Mi-Fi” or a “Jetpack”, both are brand names for common devices in this category. Many of these also can connect via USB.
  • A USB cellular modem (check your cellular carrier for options)
  • An Ethernet cellular modem or router such as a CradlePoint IBR series device

Some home routers and most enterprise routers will support a USB cellular modem as a WAN connection, either primary or as a backup.

Home Routers

There is a wide variety of these out there, and most of what you can get commercially will do the job better than what the ISP provides. NetGear and Asus both make devices that perform well, but these devices have limited security capabilities. TP-Link and Linksys are cheap, but tend to underperform. Plan on about $200-300 for these types of devices. I’ll get into this a little more when I talk about the LAN side of things.

Many people recommend Ubiquiti equipment, but that’s a lot more complex than I feel is appropriate for non-technical users. If it’s what a managed service provider supplies, then it’s quite adequate, but make sure they’re the ones that have to deal with the technical side of it. If you’re a network nerd, then you already know this stuff.

Enterprise Firewalls

This is where your corporate IT department or managed service provider usually comes into play, and provides you with a firewall/router device that is pre-configured for corporate networking and security standards (and will often set up a dedicated VPN connection as well). These devices come from a vendor like Fortinet, Aruba (in the form of a Remote Access Point), Palo Alto, Cisco/Meraki, and other enterprise networking vendors. These are helpful in a home office because they are generally managed by your MSP or IT department and are essentially plug and play, giving you a secure network connection that is functionally equivalent to being on the network at the office.

You can also purchase your own standalone firewall from these vendors, all of which have a home office model or two in their lineup. They usually come with an annual subscription cost which gives you frequent updates to the security profiles and rules, to adapt to the changing network threat landscape. These will typically provide much better security than a residential gateway device, but are more complex and expensive to operate.

Summary/tl;dr

This got long (which is why I’m breaking tech up into multiple posts), but the bottom line is that your internet connection is a vital piece of the home office puzzle, and it’s one where you’re going to want to spend some time and money getting it right. If you have to go cheap somewhere, this is not the place to do it, but you also don’t need to go overboard.

My colleague Scott Lester also posted on his blog about temporary internet access.

Please share your internet access related tips and experiences in the comments.

Home Office

Working From Home: The Basics

Since working from home is a hot topic right now with everyone practicing social distancing, I thought I’d present a couple of posts about what works for me. I’ve been working from home in some form or another since 2011, and I think I’m starting to get the hang of it. We’ll start with some of the basics of remote work in this post, and in later posts, I’ll dig into the details of home office technology and creating a functional work space.

Cat on Keyboard working from home

Help : About

Working from home has this almost mystical quality about it – that office lizards crave, and teleworkers almost take for granted. You can’t beat the commute. For me, it’s down a flight of stairs to the basement. The only time I have to contend with “traffic” is when the cats are sitting on the stairs demanding to be fed.

One common misconception about “working from home” is that it’s something you can do as an alternative to paying absurd sums of money for childcare when you have small children around. Don’t fall into this trap! It’s literally impossible to focus on both work and kids at the same time. When I started working from home, my kids were 8 and 6. They’re now teenagers. They need supervision (and later, surveillance), and that’s simply not something you can do while working, and still provide the attention either one needs. If you’re splitting your time between kids and work, you’re doing both part-time. Your employer probably won’t be OK with this. If you’re self-employed, your income may also suffer.

The Bobs from the movie Office Space

Office Space

Make sure you dedicate space for “work” that is distinct and separate from “home”. If you work from the living room couch all day, your family won’t know when you’re “at work” and when you’re “at home”. This can also lead to spending too much time on one, and not enough on the other. Your family probably won’t be OK with this. And whatever you do, don’t ever work from your bedroom. It will be almost impossible to shut off work if you do that. If you’re married, your spouse will definitely not be OK with this. Bedrooms are for resting, not working.

Ideally, your space should have a door that you can close to separate yourself from the rest of the house. If you have the misfortune of living in a big city where living accommodations are reminiscent of concentrated animal facilities, then you may not have the luxury of a separate room. If you need to operate in the corner of the living room, get a divider like a shōji that can delineate that space (or if for some reason you’re feeling particularly nostalgic for cubicle life, you can buy actual cubicle furniture!). Being able to close yourself off is important when you’re on a video call, and it also keeps your living space out of the background.

Ideally, your space should also be able to be acoustically separate from the rest of the house. If you do have the kids at home, you don’t want their noise intruding on your conference calls. They also don’t really want to hear your call either.

Remember that the biggest enemies of productivity at home are:

  • The Television
  • The Couch (or even the bed!)
  • The Fridge

Make sure you don’t have any of those in your work space.

I not only don’t have a fridge in my home office, I don’t have a coffee machine or any other beverage dispensing device. Because when I need to get a beverage, it forces me to get up, go upstairs, and move around. Nobody works in the break room. Likewise for bathroom breaks. Moving around periodically is vital. If you have a smart watch that reminds you to do so, take advantage of that feature.

Cartoon of man at laptop wearing jacket and tie with no trousers.

Etiquette

A few points of etiquette:

  • If you’re on a call and not speaking, MUTE YOUR MICROPHONE. Always.
  • If you’re on a call with video, WEAR CLOTHES, preferably business-appropriate attire. Don’t forget that if you stand up, everyone on the call can see that you’re wearing Hello Kitty pajama bottoms… Or no bottoms at all!
  • Also on video calls: Be aware of what’s in the background. Both in your work environment and on your computer desktop. Audio calls, be aware of background noise. See also: Point #1
  • Conference Call Bingo: It’s a thing. Don’t be that co-worker that wins it for someone else.
  • If you’re the one scheduling the calls, allow time between calls for people to take care of basic physical needs like standing, going to the bathroom, or getting coffee. Nobody wants to be on back to back to back calls all day long. The converse is that you need to allow that same time between meetings when accepting them. Don’t overschedule yourself.
  • When you “go to work”, do so just like you would if you were to commute… Get up, exercise if that’s your thing, shower and make yourself presentable, and put on actual clothes. It’s easier to get into a work mindset if you do this.
  • Likewise, take a 15-minute break, and an actual lunch break. When you’re not self-quarantining, leave the house and get lunch somewhere local. Your brain will appreciate the break. Take a walk outside.

What are your favorite WFH tips? Leave them in the comments below.

Up next: Teleworker Tech. Stay Tuned!

Another cool use of the WLANpi

Recently, the nice people that employ me to be a wireless network engineer for them were kind enough to add a WLANpi to my toolkit (as well as that of several of my co-workers), and it is indeed a very handy gizmo for network engineering work.

The other day, I found yet another useful trick I could do with it: Software repository. Sounds basic, because it is. But useful nonetheless. Necessity is the mother of invention, after all.

The WLANpi, with a little customization

The situation was that I needed to update AirWave on a customer server, and the WLAN management network at this site is isolated from the rest of the world (and even if it wasn’t, a satellite connection is not a fun thing to download a couple of gigabytes over!) Fortunately I came prepared for this and while I was at home on my gigabit fiber connection, I downloaded a whole host of software images I might need and stored them on my laptop.

AirWave’s heavily locked down CLI does give you the option of uploading a file, but it does it in a strange way that is in fact initiating an SCP download from somewhere. There’s not really any way to push a file to the box. No worries, Macs are Unix-ish, and this should be trivial, right? Nope, in Mojave there appears to be a strange quirk where ssh won’t respond on anything but localhost. So, my plan to scp from my Mac was shot to bits. I needed a Linux box, and didn’t want to download an install ISO over the satellite any more than I wanted to download AirWave (after all, AirWave is itself Linux-based). Then I remembered I had my WLANpi.

Like an increasing number of gadgets these days, the WLANpi’s USB port (used for power) also happens to be an OTG port, and presents itself to the host system as an “RNDIS Ethernet Gadget”, and sets up an Ethernet link over the USB. This allows gadgets like the WLANpi and the Ekahau Sidekick to easily communicate with the host without going through the brain damage of custom device drivers (incidentally, Aruba is taking a similar approach to IoT support on its APs). RNDIS handles the messy layer 1 and layer 2 stuff, sets up layer 3 (the WLANpi defaults to 192.168.42.1) and then the application only has to implement standard upper-layer network communications.

So all I had to do was open an ssh session to my WLANpi (I use Emtec’s ZOC, which I have been using since the days of OS/2!) to see if I had enough storage space on the device to hold the 2.5GB AirWave update (Narrator: it did). Then I fired up Transmit, my go-to file transfer application on macOS (whatever your platform, anything that supports scp will fit the bill), and sent the AirWave update over to a newly created files directory in the WLANpi user’s home directory.

Once the file was on the WLANpi, I plugged the WLANpi’s Ethernet port into a VLAN that was accessible to the WLAN management devices (I used the AP management VLAN since it already had a DHCP server), and then opened an ssh session to the AirWave server from my existing session on the WLANpi, essentially using it as a jump box. This served to verify port 22 connectivity, and also meant I didn’t have to put my laptop on that VLAN either.

Once I was able to copy the file from the AirWave server, the process was a snap to get the thing upgraded.

I think I’m going to get a bigger SD card for my WLANpi and store a full set of code and images that I may need, and also set up a tftp server on there, and maybe a file manager for the WLANpi’s web interface.

What’s In That Survey Kit? (Fall 2019 Edition)

The life and contents of a survey kit are dynamic. Here’s what’s in my kit these days. The Pelican 1510 is airline carry-on size, because there’s no way they’ll let you check that stuff with the batteries (which are all just under the airline limit of 100Wh), and the contents are valuable enough that you probably don’t want it out of sight, or trust it to the airline baggage handlers. If you’re carrying this stuff, it’s because you need it at your destination. Downside is that the 1510 doesn’t allow the overhead bin to be closed on Embraer 135/145 regional jets.

Links go mostly to Amazon where I get all this stuff

All this fits inside the case…
See? Whole thing weighs a little over 20 lbs, and there’s room to spare. Bright yellow inside makes it harder to lose stuff in there. Tripod is held in place with some velcro straps screwed to the lid.

  • Floater items that go between kits:
    • BatPower PDE2 96Wh USB Battery Pack (Amazon has removed this item. The upcoming Accelerator 2.0 battery pack from AccelTex will have full power type C PD ports on it)
    • EU/US power plug adapter
    • Swift Body Platform Harness (for carrying survey laptop and avoiding Survey Elbow, the nerd version of tennis elbow)

Also, if you’ve started adding this up in your head, you can see why I carry this on instead of leaving it to the baggage system. Make sure your business has insurance, especially if you’re self employed. If you’re traveling overseas, you’ll need special insurance coverage. I used to carry audiovisual insurance (the kind news crews carry) when doing streaming, and those policies will even cover against force majeure and acts of God. I don’t know if there’s an IT equivalent.

How It Works: HTTP Live Streaming

For those of us that work on wireless systems with a strong guest access component, the fine folks at Wowza Media Systems posted earlier this month about the inner workings of HTTP Live Streaming (Apple’s proprietary streaming protocol, or HLS) which accounts for about 45% of all streaming traffic – which tracks pretty closely to Apple’s market share of mobile devices.

Prior to getting hot and heavy with wireless networks, I did a lot of streaming infrastructure implementation for Wowza’s customers (as many of this blog’s readers are well aware – just go look into the archives!). HLS, which was released with the iPhone 3GS, is designed from the ground up to handle the highly variable bandwidth and delay conditions inherent to mobile connections on Wi-Fi and cellular, while delivering a good streaming experience to the end user. It also allows streaming providers to leverage existing HTTP-based content delivery infrastructure.

Older streaming protocols like RTMP and RTSP are particularly unfriendly to wireless networks as they require a constant data stream at the stream bandwidth. For a video stream, much like a VOIP call, this requires consistent and timely medium access, which is definitely not a sure thing on Wi-Fi the way it is on Ethernet. The tradeoff is that the delay from live on HLS (a minute or two) is much higher than it is on RTSP (a few frames/milliseconds) or RTMP (a few seconds).

When working down at Layer 2, it’s usually helpful to understand what’s going on up the stack, especially with regards to what kind of unholy things are being done inside HTTP (which we may or may not have visibility into because of encrypted packet and segment payloads). In terms of the ISO model, HLS is probably best described as Layer 5 (the HTTP segmentation) and Layer 6 (the video data).

My good friend Jim Palmer (Not the baseball player) spoke at the Wireless LAN Pros Conference last year about the effects of user bandwidth throttling in a guest wireless environment with heavy streaming usage (predominantly Netflix). Understanding how HLS works in this context is key to understanding why the network behaves the way it does when you do that throttling. His talk is well worth ten minutes of your time. He’s also had some informative appearances on the Clear To Send Podcast (Episode #136, on antennas and filters), the Wireless LAN Pros podcast (Episode 116 on Captive Portals), and WiFi Ninjas Podcast (Episodes 19 and 20 on Airport Wireless Design).

So, here’s the link to Wowza’s post on the subject. I hope they post one about MPEG-DASH soon (from an HTTP standpoint, DASH works in a similar fashion).

https://www.wowza.com/blog/hls-streaming-protocol

Hiding In Plain Sight

One of my favorite things to do when I’m at a Disney park is to play the wireless nerd’s version of Hidden Mickeys: Trying to spot the myriad creative ways in which Disney’s Imagineers have blended their excellent wireless network into the carefully contrived scenery. It truly is magical how they can make wireless everywhere while keeping it nearly invisible.

So naturally, when I’m wearing the wireless engineer hat and have a challenge where I get to flex some of that creativity, I’m all over it.

A few years back, I helped a church in Wichita overhaul their aging and underpowered WiFi by designing and installing a new Ruckus system. Last year, they embarked on a new project to add a chapel to their campus. Naturally they wanted to extend the wireless LAN to this new building.

But… It’s a chapel aimed at doing weddings and other sorts of events, so it was paramount that the wireless equipment not be visible, to maintain clean architectural lines with a minimum amount of obvious tech equipment. Some concessions had to be made for audiovisual, but visible access points were a (network) bridge too far.

After pondering the problem as well as observing drawings and renderings, I happened upon the architectural lighting elements in the plan that were mounted on each of the columns. I dug into the design of these and discovered that they were a pair of LED fixtures concealed inside some finish carpentry with a textured plastic surface. And most importantly, there was an empty space in the middle between the two light fixtures that measured about 20cm square by 40cm high, and centered approximately 8 feet off the floor. Not only was that low enough to keep the APs close to the clients, there was plenty of room to put in one of the Ruckus H510 Wall APs designed for the hospitality market (which I also currently have in my house running Unleashed, although they will soon make way for some of the Aruba AP303H units or their new Instant On AP11D counterpart). I’m a big fan of these in-wall units for many reasons.

I asked the electricians to give me a box and conduit to four of these columns, as well as a pair of data cables. I only planned to use two access points initially, but since running cable would be prohibitively difficult after the buildout, I wanted to keep my options open should capacity needs increase in the future.

After many months of construction (Summer of 2019 was an utterly awful weather summer if you were in the construction business), I finally got the green light to install these. I took a bit of personal time on my way down to another job in Oklahoma for my employer, and executed the plan. I’m pretty happy with the results.

The lighting fixture: two pieces of dark wood on either side floating 1″ off the wall with a textured face and tunable color temp LED fixtures facing up and down
The lighting fixture with the plastic face slid up (there’s a stop at the bottom). An electrical box was placed behind it and a 2″ hole drilled for cable access. The overall construction of this fixture is beautifully simple: a few pieces of solid oak and some stain. The overall look in this space is one of stone, wood, and glass, with 90° and 45° angles being dominant.
The Ruckus H510 bracket screwed directly to the finish carpentry. The mount could also have screwed to the electrical box but that was an unnecessary level of effort.
The Ruckus H510 access point mounted on the bracket.
The fixture with the AP mounted inside. The wood and textured face provide minimal attenuation, and in this environment, I’m using the attenuation constructively. The recess in white is where a large TV (in lieu of projection) will be mounted on a swing arm and can fold into the wall when not in use.
Side view – the gap was just enough to get a screwdriver in to secure the AP to the bracket using the provided T10 screws. I was concerned that this wouldn’t be possible.
Lighting fixture side view. Is this with or without the AP installed? If you can’t tell, that means I was successful.
The AP was mounted on the second column from the back of the room, near the sound booth. The corresponding column on the other side is wired for an AP if capacity requires one.
The AP was mounted on the third column from the front of the room, near the front of the stage. The corresponding column on the other side is also wired for an AP if additional client capacity requirements dictate it.