Hardware

60 GHz

60 GHz is an unlicensed band that now has some cheap gigabit point to point (p2p) antennas that we are using.

60 GHz is extremely susceptible to "rain-fade", which is why it is not used in licensed spectrum.

Often these radios come with a 5GHz backup, which isn't really useful for bandwidth but it will keep your link online during rain.

Ubiquiti

There's a very confusing range of Ubiquiti 60GHz radios. Basically there are dishes and enclosed, headlight-looking ones.

Ubiquiti Gigabeam

Ubiquiti Gigabeam Plus GBE-Plus

This is a well-designed router that is small and reliable. We have a couple of these at our Rivington hub.

Ubiquiti Gigabeam GBE-LR

Ubiquiti airFiber 60 Long Range

Ubiquiti airFiber 60 LR (dish)

We are currently running two links with these: Grand to Navy Yard, and PH to 5283.

The Navy Yard link:

The 5283 link:

MikroTik LHG 60G

We originally installed these for 800m links but they will go down every time in heavy rain. 200m seems a good distance for them. It's a cheap way to connect neighboring buildings. We use these between the Grand St towers.

IgniteNet Metrolinq One 60-19

We use these between Henry and Grand. It never got over 300 Mbps.

Configs

List of devices we use and links to standard configs and firmware

This doc is in progress. Please add links below to the specific config instructions

Important: Note that we use a Network Number (or NN) from now on to configure devices. The Network Number is not the Install Number (or request number) you received when registering. You can find out your NN using your Install Number (request number) received by email when you registered. To find out what your NN is, please see Network Number.

LiteBeam / LiteBeam-LR

All supernode and hub clients use DHCP for the IP address and use the WPA password: nycmeshnet

OmniTik

SXTsq

LiteAC / LBE120 Sector

EdgePoint

NanoStation NSM5


LiteBeam client for Supernodes and hubs with sectors

First, download the WA firmware in case your LiteBeam is running an outdated version. We currently recommend 8.7.11 for new installs in our network. Do not use 8.7.4 or 8.7.5 as there are bugs that break connectivity after several days.

Second, download the config file for either a standard LiteBeam or LiteBeam LR. You will need your network number, which is obtained by entering your Install Number below (you should have received this in your email after completing the join form). If "error: no address for ****" is displayed, please reach out to us on Slack at #install or via email to register your installation. If "Sorry, unable to open the file at this time" is displayed, try using Incognito Mode or Private Browsing.

Plug the LiteBeam into PoE and connect via the management wifi, SSID "LBE-5AC-Gen2:...." or "NBE..." (booting turns on wifi for 15 minutes).

Go to https://192.168.172.1 in your browser if your device does not automatically redirect you. You may be met with a warning due to a self-signed security certificate, which you can bypass.

At the "Please Set Up Your Device" prompt, select United States under Country and English under Language. Select the Terms of Use checkbox and click Upload Backup Configuration. Choose the .cfg file you downloaded from Configgen.

You will see a prompt on the top-right corner of the screen saying Configuration backup file uploaded. Select Apply and wait a minute for the page to reload. Sometimes you will have to refresh the page to get back into the interface.

The username/password will be changed. Please mention your network number and that you’re looking for the new credentials on Slack in #diy-install-support, and they will be sent to you. Please do not share them publicly!

To pair with the supernode or hub, go to Settings > Wireless and click the SSID "SELECT..." button. This will do a scan. Click the button next to the best AirMac AC signal (-80 is bad, -50 is good, -62 is typical). Click "SELECT" and then "SAVE CHANGES" (twice if necessary).

Troubleshooting: If you are unable to log into the LiteBeam, reset it to factory defaults: press and hold the Reset button for more than 10 seconds while the LiteBeam is already powered on.

What the config file does: The config file sets DHCP for the IP address, WPA password: nycmeshnet, adds the building number to the device name, adds the UNMS key for monitoring and sets the SNMP location and contact to "nycmesh".


Standard Omnitik mesh config

1. Download Stable Firmware and Generate Configuration

Don't use version 7 of firmware. It won't work! Use 6.47.x

You will need your Network Number (NN). You can find out your NN using your Install Number (request number) received by email when you registered. To find out what your NN is, please see Network Number.

  1. Download the latest stable v6 firmware - see Mikrotik Firmware.
  2. Generate a configuration file for your Network Number by going to the NYC Mesh configuration generator, Configgen. Type in the network number and click “Download Config”. For the SXTsq config file see below.

2. Connect to the Router

  1. To connect to the Omnitik wirelessly, find the router’s SSID and connect to it. (For SXTsq connect via cable)
  2. To connect with a cable, plug one end of a patch cable into the Omnitik’s Port 2 and the other end into your computer’s LAN port. Set your computer to DHCP (automatic) and it will get an address like 192.168.88.xxx.
  3. Navigate to the default Mikrotik IP 192.168.88.1 in your web browser. This will open the Mikrotik GUI. The default username is admin and there is no password.

3. Upload Firmware

  1. Open the Mikrotik GUI in your browser.
  2. Click “Webfig” in the top right corner.
  3. Click “Files” in the left side menu.
  4. Click “Choose File” at the top.
  5. Navigate to where you saved the firmware, select the file and click “Open”. You will see the file appear in the interface.
  6. Wait for the firmware to fully upload (you will see the upload progress in the bottom left corner). This firmware will automatically be installed when you reboot with the new configuration (see next section).

4. Upload Configuration

  1. If you are using a Mac or Linux operating system, go into Terminal, navigate to the folder where you’ve saved the config and enter the following command:

     scp -o StrictHostKeyChecking=no rooftop-ospf.rsc admin@192.168.88.1:flash/

  2. If you are using a Windows operating system, go into Command Prompt, navigate to the folder where you’ve saved the config and enter the following command. You must download pscp.exe from PuTTY (64-bit or 32-bit) to the same folder then run:

     pscp -scp rooftop-ospf.rsc admin@192.168.88.1:flash/

  3. If asked “Dangerous Reset anyway?” type in Y and return/enter.
  4. Reopen the Mikrotik GUI in your web browser and navigate back to “Files” as described in section 3 above. You should see the config file you just uploaded.
  5. Click “System” in the left side menu.
  6. Click “Reset Configuration” in the left side menu dropdown. Select:
  7. Click "Reset Configuration"
  8. The Omnitik will now reboot (and install new firmware if you uploaded it). If it plays some beeps, ending with a short tune Kernkraft 400, the configuration was a success!

The Omnitik IP address has changed to a 10.69.x.x address. This is generated from the network number, e.g. for network number 1234 the IP address will be 10.69.12.34

5. Change the Password

  1. Click “System” in the left side menu.
  2. Click “Password” in the left side menu dropdown.
  3. Type in the standard NYC Mesh password.

6. Force on POE for a LiteBeam

A typical install also has a LiteBeam on port 5 that is powered from the OmniTik. To do this you must:

  1. Go to Webfig>interfaces>ether5
  2. Change "POE Out" to "forced on"

Other devices can be powered from other ports if you change this setting.


OmniTik mesh config with WinBox

You can configure OmniTik routers and all MikroTik equipment with their WinBox software and associated app.

1. Download WinBox and other files

First you will need to download a WinBox-compatible client to configure the OmniTik.

Windows

On the MikroTik website, you can navigate to the WinBox button to download the version of WinBox that suits your computer.

macOS

Joshaven Potter has compiled a version of WinBox with Wine which you can download from their website and run without any additional configuration.

Android

The MikroTik Pro app uses the same WinBox protocol to upload files and configure your router without a computer. You can download it from the Play Store.

iOS

The MikroTik app uses the same WinBox protocol to upload files and configure your router without a computer. You can download it from the App Store.

Next you need to download new firmware from the [MikroTik website](https://mikrotik.com/download). In the RouterOS table, find the `MIPSBE` section and click on the floppy icon that corresponds with the "Main package" and "Stable" categories. You should see the downloaded file named `routeros-mipsbe-***.npk`.

Lastly you will need to download the network configuration specific to your location. After completing the join form you should have received an email containing your Install Number. Enter this number below. If "error: no address for ****" is displayed, please reach out to us on Slack at #install or via email to register your installation. If "Sorry, unable to open the file at this time" is displayed, try using Incognito Mode or Private Browsing.

Once you have your Network Number, go to the [Configgen utility](https://configgen.nycmesh.net/?device=Omnitik5AC&template=rooftop-ospf.rsc.tmpl) and enter the number into the "network_number" field and click "Download Config". You should see the downloaded file named `rooftop-ospf.rsc`. If the file has a `.csv` extension, rename the file to remove the extension so that it ends in `.rsc`.

2. Connect to the router

You can connect to the router using an Ethernet cable or through Wi-Fi. There are caveats to both, but configuring wirelessly is the easiest to do when doing the install outside.

Wired

Assuming your Ethernet adapter is set up to get an IP from the router using DHCP (probably default), all you have to do is plug an Ethernet cable from your computer to one of Ports 2-4 on the router.

Do NOT plug the computer into the PoE injector (Port 1) as the default configuration blocks all inbound connections to this port, including WinBox.

Do NOT plug the computer into Port 5, as we may be configuring this later to do PoE-Out which will damage any devices plugged in here that are not expecting power.

Wireless

Assuming your Wi-Fi adapter is set up to get an IP from the router using DHCP (probably default), all you have to do is look for a network in your Wi-Fi settings named MikroTik-xxxxx. This network will only appear after the router has fully powered on (two short beeps).

If you are on a phone, sometimes you will have to turn off your Mobile data/turn on airplane mode in order to reach the router that technically does not have any internet yet.

Make sure any VPN software you have is disabled at this point, as it will likely block any connections to the router.

From your WinBox software, find the "Neighbors" tab on the lower-half of the screen. On the MikroTik app, click on the "Discover" tab. You should see an entry on the list with Identity MikroTik. If you do not see anything, click "Refresh" or swipe down to rescan for devices. Double-check your connections and confirm you are getting an IP from the router (will be in the 192.168.88.*** range).

Double-click or tap on the entry to load the IP into the software. On the App, you will be prompted to select either MAC or IP; select IP. Now, the default login admin/[no password] will be displayed and you can hit "Connect".

You will get a prompt saying "RouterOS Default Configuration". Hit OK to get out of here (do NOT remove configuration or use quick setup). Now for the fun part.

3. Upload the configuration

On the sidebar (hamburger menu on mobile), click Files. Here is where we will upload those files from earlier.

From your WinBox software, drag and drop the routeros-mipsbe-***.npk file into the blank space in the window. You should see the file transfer take a few seconds before it finishes. Next, drag and drop the rooftop-ospf.rsc file onto the flash folder. You should see the uploaded file labeled flash/rooftop-ospf.rsc.

From your phone, hit the upload arrow button on the bottom-left of the screen and select the routeros-mipsbe-***.npk file. You can save as the original name and hit OK. You should see the file transfer take a few seconds before it finishes. Next, do the same with the rooftop-ospf.rsc file, but this time make sure you prepend the file name with flash/ and hit OK. You should see the uploaded file labeled flash/rooftop-ospf.rsc.

4. Flash the config and party

On the sidebar (back button on mobile), click "System". Find the "Reset Configuration" option. Select the "No Default Configuration" checkbox, and under "Run After Reset", use the arrows to drop down the menu to reveal the files. Select flash/rooftop-ospf.rsc, and finally hit "Reset Configuration". The software will now disconnect and nothing will happen for a while; the router is upgrading the firmware. After you hear the two beeps and some music the configuration is complete.

5. Confirm settings and configuration

WinBox will inform you that the router has been disconnected. Hit Cancel. If you are connecting wirelessly, look in your Wi-Fi settings for nycmesh-****-omni. Connect to that wireless network with the password nycmeshnet. If you are connecting via Ethernet, you can test this on another device to make sure the Wi-Fi is working correctly. If you are not planning on adding devices or changing the configuration further, you are done! 🎉

If you are planning on connecting a LiteBeam to your router or just want to learn about the configuration, go back to "Neighbors" or "Discover" depending on your platform; you should see an entry on the list with Identity "nycmesh-****-omni". Login to it like before.

On the sidebar (hamburger on mobile), click "Interfaces" (then "Ethernet" on mobile). Double-click or tap on ether5. Click on the PoE tab, and change the "PoE Out" drop-down from auto on to forced on. Hit OK or the checkmark button on mobile. This improves reliability for connected PoE devices.


LiteAP 120 sector

Connect to the LiteAP GUI. Upgrade the firmware.

In Wireless set:

In Network set:

In Services:

In System set:


Ethernet

You must use black outdoor cable outside. Indoor cable will last about 6 months outside due to UV damage. We mostly use Ubiquiti ToughCable Pro CAT5.

There is one commonly used standard for crimping ethernet: T-568B. (oO-gB-bG-brBR)


A straight cable will work as long as both ends are the same configuration, but to stop confusion we only use the standard T-568B, which is the most common one in this country.

In 100Base-T (100Mbps, most old ethernet), orange is data transmit (pins 1 & 2) and green is receive (pins 3 & 6). Pins 4, 5, 7 and 8 are not used for data.

In 1000Base-T (gigabit ethernet) all pins are used for data. If pins 4,5,7 & 8 are not connected the speed falls back to 100Mbps.

For Ubiquiti and Mikrotik 4,5,7,8 are used for 24 volt passive power over ethernet (POE). Pins 4 & 5 are positive and 7 & 8 are negative. Passive POE doesn't negotiate with the other device so it will always send power even if a wrong device is plugged in. If you plug a live POE cable into an adapter or some device that does not expect POE it can break. This is often how ethernet adapters and cable testers break! A cheap USB 100Base-T ethernet adapter will survive as it doesn't use the POE pins.

There isn't a standard for passive POE so you need to check compatibility (which pins are used) if using a different manufacturer.

For active POE there are standards PoE 802.3af, PoE+ 802.3at and PoE++ IEEE 802.3bt. Again you need to check which one to use. Active POE negotiates with the device so it shouldn't fry your cable tester.

Ubiquiti POE is 24V DC, half the voltage of standard (802.3af/at) 48V DC POE. If you use standard POE you need to use a Ubiquiti 8023af-adapter.

Ethernet cables need to be shorter than 100m (300'). Longer than that you will have data loss and the POE voltage will drop too low.

MikroTik NetPower 15FR

The NetPower 15FR is an outdoor 16-port ethernet switch with PoE output on one port. Since the device has a waterproof outdoor case, you can mount it on a tower, or in other outdoor locations.

It supports passive PoE input on 15 ports and passive PoE output on one. We have successfully used this POE output to power an OmniTik POE 5 AC which in turn powered an SXTsq G-5acD.

Recently, we have been phasing out and avoiding installing 15FRs for new installs. The ethernet ports on this device are 100Mbps max, not gigabit ethernet. As speeds increase across the network and we are installing more high speed 60GHz links, the 100Mbps ports have become the limiting factor for many members. For this reason we have been removing them and replacing them with NetPower 7Rs where practical.

MikroTik PowerBox Pro

Device specs are available at mikrotik.com.

MikroTik OmniTik 5 POE AC

The Omnitik 5ac is an outdoor switch/router with a built-in 5GHz 802.11ac access point, omnidirectional antenna, and 5 gigabit ethernet ports. Be sure to get the POE version. Here are the config instructions.

The OmniTik serves as a central rooftop hub with several purposes:

Please be sure to see MikroTik Specifics for extra info about Mikrotik devices, how to connect, etc.

MikroTik OmniTik PoE 5ac Front View

The PoE version accepts 12-57V passive PoE on port 1 and can be configured to provide PoE out to ports 2-5.

MikroTik OmniTik PoE 5ac Ports

The small round plastic tabs, shown in the picture above, should be removed for those cable ports you will use - push them firmly inwards to remove. Leave the tabs in unused ports to prevent water entry.

Device specs are available at Mikrotik.com

Uses

How to reset

  1. Press reset
  2. Apply power
  3. Watch the power led, once it blinks, STOP pressing the reset button
  4. It will beep one time
  5. Once you hear two beeps, you should be able to access it.

How to upgrade the firmware

  1. Upload the routeros-mipsbe-x.x.x.npk file in http://192.168.88.1/webfig/#Files
  2. Select System Reboot

How to downgrade firmware

  1. Upload the routeros-mipsbe-x.x.x.npk file in http://192.168.88.1/webfig/#Files
  2. Go to Terminal and type /system package downgrade;

Configurations

Omnitik config

Here are the current config instructions. As discussed in the MikroTik Specifics page, these devices need a script to be generated and loaded onto the device rather than a saved config file.
We now have a script generator you can find here https://configgen.nycmesh.net/
Here is a slideshow of configuring an OmniTik

Wireless interface explanation

`OLD nycmesh-omnitik-v3.2.rsc` example

This is our obsolete 3.2 template script, which needs some variables filled in.
This script only works on the OmniTik 5ac PoE model.

Version 3.2 Changelog:

:global nodenumber 1111
:global bgpasn 61111
:global ipprefix "10.70.111"
:global iptenantsrange 10.70.111.5-10.70.111.119
:global iptenantsgw 10.70.111.1
:global ippublicrange 10.70.111.130-10.70.111.180
:global ippublicgw 10.70.111.129
:global dns 10.10.10.10,1.1.1.1

/delay 15

:for j from=1 to=4 step=1 do={
  :for i from=2000 to=50 step=-400 do={
    :beep frequency=$i length=11ms;
    :delay 11ms;
  }
  :for i from=800 to=2000 step=400 do={
    :beep frequency=$i length=11ms;
    :delay 11ms;
  }
}

:foreach x in=[/interface wireless find] do={ /interface wireless reset-configuration $x }

:for t from=1200 to=350 step=-50 do={
  :beep frequency=$t length=33ms;
  :delay 33ms;
}

:beep frequency=500 length=100ms

/ip address add address=192.168.88.1/24 interface=ether3 network=192.168.88.0

:beep frequency=600 length=100ms

/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on

:beep frequency=700 length=100ms

/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=nycmeshnet supplicant-identity=nycmesh \
    wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet

:beep frequency=800 length=100ms

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=nycmeshnet ssid=("nycmesh-" . $nodenumber . "-omni")  wireless-protocol=802.11 wps-mode=disabled
add disabled=no master-interface=wlan1 name=wlan2 ssid="-NYC Mesh Community WiFi-" wps-mode=disabled

:beep frequency=900 length=100ms

/interface bridge
add auto-mac=yes name=publicaccess
add auto-mac=yes name=tenants

:beep frequency=1000 length=100ms

/ip address
add address=($ipprefix . ".1/25") interface=tenants network=($ipprefix . ".0")
add address=($ipprefix . ".129/26") interface=publicaccess network=($ipprefix . ".128")

:beep frequency=1100 length=100ms

/interface bridge port
add bridge=tenants interface=ether1
add bridge=tenants interface=ether2
add bridge=tenants interface=ether3
add bridge=tenants interface=ether4
add bridge=tenants interface=wlan1
add bridge=publicaccess interface=wlan2

:beep frequency=1200 length=100ms

/ip pool
add name=tenants ranges=$iptenantsrange
add name=publicaccess ranges=$ippublicrange

:beep frequency=1300 length=100ms

/ip dhcp-server
add address-pool=tenants disabled=no interface=tenants name=tenantsdhcp
add address-pool=publicaccess disabled=no interface=publicaccess name=publicaccessdhcp

:beep frequency=1400 length=100ms

/routing bgp instance
set default as=$bgpasn disabled=no

:beep frequency=1500 length=100ms

/routing bgp network
add network=($ipprefix . ".0/24") synchronize=no

:beep frequency=1600 length=100ms

/ip dhcp-server network
add address=($ipprefix . ".0/25") dns-server=10.10.10.10 gateway=($ipprefix . ".1") netmask=25
add address=($ipprefix . ".128/26") dns-server=10.10.10.10 gateway=($ipprefix . ".129") netmask=25

:beep frequency=1700 length=100ms

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=forward in-interface=publicaccess out-interface=tenants
add action=drop chain=input in-interface=publicaccess
add action=accept chain=forward
add action=accept chain=input

:beep frequency=1800 length=100ms

/system clock set time-zone-name=America/New_York
/system identity set name=("nycmesh-" . $nodenumber . "-omni")

:beep frequency=500 length=200ms;
:delay 500ms;
:beep frequency=500 length=200ms;
:delay 200ms;
:beep frequency=800 length=500ms;
:delay 50ms;
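
How the `/ip firewall filter` rules in the script above separate the guest Wi-Fi bridge (`publicaccess`) from the `tenants` bridge, shown as an added example that is not part of the original script or of NYC Mesh tooling: a small Python evaluator that applies RouterOS's first-match rule order to constructed test packets. The packet cases and the helper names (`parse_adds`, `verdict`, `isolation_report`) are assumptions made for illustration.

```python
import re
import shlex

# Copied from the v3.2 script above: the security profile (kept to exercise
# line-continuation handling) and the complete /ip firewall filter section.
SCRIPT = r"""
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=nycmeshnet supplicant-identity=nycmesh \
    wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet

:beep frequency=1700 length=100ms

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=drop chain=forward in-interface=publicaccess out-interface=tenants
add action=drop chain=input in-interface=publicaccess
add action=accept chain=forward
add action=accept chain=input

/system clock set time-zone-name=America/New_York
"""

# Matchers this sketch understands; any other matcher raises instead of being ignored.
MATCHERS = ("protocol", "in-interface", "out-interface")

# Constructed test packets: name -> (chain, fields). "tcp" stands in for any non-ICMP traffic.
CASES = {
    "guest Wi-Fi -> tenant LAN": ("forward", {"in-interface": "publicaccess",
                                              "out-interface": "tenants", "protocol": "tcp"}),
    "tenant LAN -> guest Wi-Fi": ("forward", {"in-interface": "tenants",
                                              "out-interface": "publicaccess", "protocol": "tcp"}),
    "guest -> router (tcp)": ("input", {"in-interface": "publicaccess", "protocol": "tcp"}),
    "guest -> router (ping)": ("input", {"in-interface": "publicaccess", "protocol": "icmp"}),
    "tenant -> router (tcp)": ("input", {"in-interface": "tenants", "protocol": "tcp"}),
}


def parse_adds(script, menu):
    """Return the key=value pairs of every 'add' line under `menu`, in order."""
    text = re.sub(r"\\\n\s*", "", script)  # join RouterOS line continuations
    rules, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line  # a menu path such as "/ip firewall filter"
        elif current == menu and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules


def verdict(rules, chain, packet):
    """Return (action, rule number) of the first rule in `chain` that matches."""
    for number, rule in enumerate(rules, 1):
        unknown = set(rule) - {"action", "chain", *MATCHERS}
        if unknown:
            raise ValueError(f"rule {number}: unsupported matcher(s) {sorted(unknown)}")
        if rule["chain"] == chain and all(
            packet.get(m) == rule[m] for m in MATCHERS if m in rule
        ):
            return rule["action"], number
    return "accept", None  # RouterOS accepts a packet that no rule matches


def isolation_report(rules):
    """Evaluate every constructed case against the rule list."""
    return {name: verdict(rules, chain, pkt) for name, (chain, pkt) in CASES.items()}


if __name__ == "__main__":
    filter_rules = parse_adds(SCRIPT, "/ip firewall filter")
    for name, (action, number) in isolation_report(filter_rules).items():
        print(f"{name:28} {action:6} (rule {number})")
```

None of the rules matches on connection state, so a guest's reply to a connection opened from the tenant side is dropped by rule 2 as well. The two drop rules only work because they sit above the catch-all accepts.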

How to apply config:

  1. Acquire config parameters ( BGP ASN, IP range, node number, etc. )
  2. Fill in config file parameters at the top of the script.
    Save as nycmesh-omni-####.rsc where #### is your node number.
    The file must be named with .rsc at the end.
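
A check to run on the filled-in parameters before saving the script, given as an added example that is not part of the original template or of NYC Mesh tooling. It compares the `:global` values with the subnets the script body hard-codes (`.0/25` with router `.1` for `tenants`, `.128/26` with router `.129` for `publicaccess`). The script body never references `iptenantsgw` or `ippublicgw`, so a value that disagrees with the hard-coded address changes nothing on the device. The function names are assumptions made for illustration.

```python
import ipaddress

# Parameter block as it appears at the top of the v3.2 script on this page.
PARAMS = """\
:global nodenumber 1111
:global bgpasn 61111
:global ipprefix "10.70.111"
:global iptenantsrange 10.70.111.5-10.70.111.119
:global iptenantsgw 10.70.111.1
:global ippublicrange 10.70.111.130-10.70.111.180
:global ippublicgw 10.70.111.129
:global dns 10.10.10.10,1.1.1.1
"""


def parse_globals(text):
    """Read ':global name value' lines into a dict, dropping surrounding quotes."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == ":global":
            values[parts[1]] = parts[2].strip().strip('"')
    return values


def check_plan(p):
    """Return a list of problems; an empty list means the values are consistent."""
    prefix = p["ipprefix"]
    # bridge, subnet and router address hard-coded in the script body,
    # then the names of the pool and gateway variables that must agree with them
    layout = [
        ("tenants", f"{prefix}.0/25", f"{prefix}.1", "iptenantsrange", "iptenantsgw"),
        ("publicaccess", f"{prefix}.128/26", f"{prefix}.129", "ippublicrange", "ippublicgw"),
    ]
    problems = []
    for bridge, cidr, router, pool_var, gw_var in layout:
        net = ipaddress.ip_network(cidr)
        router_ip = ipaddress.ip_address(router)
        if p[gw_var] != router:
            problems.append(f"{gw_var}={p[gw_var]} but the script assigns {router} to {bridge}")
        lo, hi = (ipaddress.ip_address(a) for a in p[pool_var].split("-"))
        if lo > hi:
            problems.append(f"{pool_var} is reversed")
        for addr in (lo, hi):
            if addr not in net:
                problems.append(f"{pool_var}: {addr} is outside {net}")
        if lo <= router_ip <= hi:
            problems.append(f"{pool_var} contains the router address {router}")
        if lo <= net.broadcast_address <= hi:
            problems.append(f"{pool_var} contains the broadcast address {net.broadcast_address}")
    return problems


if __name__ == "__main__":
    found = check_plan(parse_globals(PARAMS))
    print("\n".join(found) if found else "address plan is consistent")
```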

MikroTik PowerBox Pro

The PowerBox Pro is an outdoor five gigabit ethernet port router with PoE output on four ports. Since the device has a waterproof outdoor case, you can mount it on a tower, or in other outdoor locations.

It also supports passive PoE input and passive or 802.3af/at PoE output. Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to the unit. Fewer power adapters and cables to worry about! It can power 802.3at and af mode B compatible devices, if 48-57 input voltage is used.

MikroTik PowerBox Pro

Device specs are available at mikrotik.com.

MikroTik Specifics

Mikrotik routers have a few interesting things to note in order to understand and use them well. This page documents those interesting pieces and might help clarify some things. This page will be referenced by other pages and should stay general to Mikrotik devices.

Device variants

License

Mikrotik software usually requires a license, though all Mikrotik devices come with an internal license, which varies with the model. This router comes with a Level 4 license which is sufficient for its use.

US vs International version

The US versions of the OmniTik and SXTsq don't support the DFS range of 5GHz WiFi. We use the US version of the OmniTik. The US version of the SXTsq is not compatible with a LinkNYC kiosk. All LinkNYC kiosks are on DFS channels.

PoE vs non-PoE

There are models with PoE and models without. Be sure to buy a PoE model.

Platform how-tos

Reset

To factory reset a Mikrotik router, hold down the reset button (located near the PoE-in port), then plug in the power, until the main power (or USR LED) light starts flashing, then release the button to reset RouterOS configuration (total 5 seconds).

Connecting

The initial IP address out of the box is 192.168.88.1, so set your computer’s local IP to something similar (192.168.88.5). The username is admin and there is no password.
Note: Many models have ether1 / Port 1 as WAN by default, you may need to connect your computer to a port besides Port 1 for initial configuration

Configurations

Mikrotik devices don't directly work well with the old "restore a file" method of configuration. Instead, you need to generate a script that, when run, alters the config from the default. Technically, yes, it's possible to restore a file; however, the format and ability to restore might change with each version, for each device, and depending on what hardware is connected.

Each device should have a config template which needs some blanks filled in. The result is a script that can be run to setup the device after a factory default.

Mikrotik SXTsq 5 ac

The SXTsq 5 ac is a small client access antenna that is 802.11 standards compliant (and also supports MikroTik Nstreme, if available).
The device was released in early 2018 and is capable of gigabit-level speeds with 80MHz wide 802.11ac wifi connections.

Please be sure to see MikroTik Specifics for extra info about Mikrotik devices, how to connect, etc.

MikroTik SXTsq 5 ac

Device specs are available at mikrotik.com.

Uses

Device idiosyncrasies

License

Mikrotik software usually requires a license, though all Mikrotik devices come with an internal license, which varies with the model. This antenna comes with a "Level 3" license which technically only allows it to function as a CPE, not an AP. Therefore this device can not be used as a base station.

US vs International version

On the positive side, it is a great CPE and can connect to DFS channels (international version) and has other interesting features such as EAP TTLS authentication.

Be aware during purchase -- this antenna has a US version and an International version. The US version is locked to "united states3" channels which are the non-DFS range. The international version also has US settings, but it has two additional "united states" channel selections all for valid legal US channels. You cannot connect to a LinkNYC kiosk with the US version.

To function on LinkNYC and other DFS networks, the international version is required, but be sure to put it in "united states2" mode before using it.


Configurations

Wirelessly connect SXTsq to OmniTik

1. Download configuration file

First, download the configuration file for your network number. If you only have an install number, enter this number below. If "error: no address for ****" is displayed, please reach out to us on Slack at #install or via email to register your installation. If "Sorry, unable to open the file at this time" is displayed, try using Incognito Mode or Private Browsing.

Once you have your Network Number, go to the Configgen utility to download the correct configuration for your use case.

Plug SXTsq into port 5 of an OmniTik

Plug SXTsq directly into indoor home router

Enter your network number into the "network_number" field and click "Download Config". Make note of the filename for later.

2. Connect to device and upload file

Next, plug in the device to power by connecting an Ethernet patch cable from the device to the POE injector. Plug the other end of the POE injector to your computer's Ethernet port or USB-to-Ethernet adapter.

What if I cannot use Ethernet with my computer?

If your computer does not have Ethernet and you do not have an adapter, plug in the device to a LAN port on your home router.

If you are using the WinBox method, no changes to the procedure are needed.

If you are using the Terminal method, find the IP address of the device in your router's settings, and use that instead of 192.168.88.1. No need to change your computer's IP settings.

There are two methods you can use to upload the file to the device.

WinBox (Windows and Mac)

Download the WinBox utility from the MikroTik website for Windows, or from Joshaven Potter's website for Mac.

Open the utility and click the "Neighbors" tab on the lower-half of the screen, and click "Refresh".

Double-click on the MAC Address (important!) that appears in the list. When the MAC Address populates into the "Connect To" box, hit "Connect".

You will get a prompt saying "RouterOS Default Configuration". Hit OK to dismiss.

On the left sidebar, click "Files". Open a File Explorer or Finder window alongside WinBox and drag and drop the configuration file you downloaded earlier into the "flash" folder. You should see the uploaded file have flash/ before the filename (important! if it doesn't have flash before it, make sure you drop the file onto the flash folder and try again).

On the left sidebar, click "System", then "Reset Configuration". Check the "No Default Configuration" box, and click the down arrow next to "Run After Reset" to select the file you uploaded. Finally, hit "Reset Configuration" and you will be disconnected. After a couple of minutes, the LED next to the person icon on the device will turn on, indicating that the configuration has been applied.

Terminal

First, disable any other interfaces such as WiFi you may have on your system other than the Ethernet interface connected to the device. Then, you will have to change your IP address to 192.168.88.5 (this process will vary depending on your operating system).

Open your terminal or command prompt and navigate to the directory where your configuration file is saved. Enter the following command into the terminal, replacing [CONFIG FILE] with the name of the downloaded file from earlier:

scp -o StrictHostKeyChecking=no [CONFIG FILE] admin@192.168.88.1:flash/

After the file transfers, then enter the following command into the terminal to reset the device with the new configuration, replacing [CONFIG FILE] with the name of the downloaded file from earlier:

ssh -o StrictHostKeyChecking=no admin@192.168.88.1 /system reset-configuration no-defaults=yes run-after-reset=flash/[CONFIG FILE]

The device will reboot in the background. After a couple of minutes, the LED next to the person icon on the device will turn on, indicating that the configuration has been applied.

3. Configure the link

Depending on your use case, you will connect to the antenna differently based on the configuration you selected above.

Plug SXTsq into port 5 of an OmniTik

Disconnect the device from the POE injector and plug the device into Port 5 of the OmniTik on the roof. Then, connect your computer to the OmniTik's WiFi or use Ethernet (if you modified your Ethernet adapter to use a static IP, change it to DHCP). Find the Gateway IP from the interface (this process will vary depending on your operating system) and enter it into your browser.

Log into the OmniTik. On the left sidebar, click "Bridge". Click on the "Filters" tab, and disable the first item on the list, so you will be able to access the device locally (important: when you are done, come back here to reenable the filter!). On the left sidebar, click "IP", then "DHCP Server". Click on the "Leases" tab, where you will see a device with the hostname containing "sxt". Type this IP address into a new tab on your browser.

Plug SXTsq directly into indoor home router

Ensure your computer is plugged directly into the SXT's POE injector via Ethernet (if you modified your Ethernet adapter to use a static IP, change it to DHCP). At this point, you will need your device to be outdoors to perform the alignment, so a battery pack is recommended to power the device outside.

Find the Gateway IP from the interface (this process will vary depending on your operating system) and enter it into your browser.

Log into the SXT. On the left sidebar, click "Wireless". Click the item named wlan1.

If you already know what node to connect to

If you already know what node you are connecting to (if you only have the install number, see above to convert the install number to its network number), scroll down to "SSID" and replace the xxxx with the network number of the node you are connecting to. Scroll down to Description and do the same, then scroll to the top and click "Apply".

Roughly align the device towards the desired node. If the alignment is sufficient, the status will change from searching for network to connected to ess, indicating that the connection has been established with the other OmniTik. If the status does not change, verify that the device is aimed towards the other node and that the other node is powered on.

If you do not already know what node to connect to

Look at the map to determine what might be around. If you see a nearby node, click the node and see above to convert the displayed install number to its network number.

Roughly align the device towards the desired node. To verify that the connection will work, click "Scan..." on the top of the screen. Click "Start", and click "Radio Name" twice to bring all of the NYC Mesh nodes to the top. If your desired node does not appear on the list, verify that the device is aimed towards the other node and that the other node is powered on.

Click "Cancel". Scroll down to "SSID" and replace the xxxx with the network number of the node you are connecting to. Scroll down to Description and do the same, then scroll to the top and click "Apply".

4. Align the antenna

Scroll down to "Tx/Rx Signal Strength" and look at the numbers. Align the device to get the values closest to 0. -30s are excellent, -40s are great, -50s are good, -60s are fair, and -70s will be unusable.

Once the device is aligned for best signal, tighten the clamp and secure all cables. Congratulations, the SXT install is complete!


Legacy OSPF configurations

Wirelessly connect SXTsq to OmniTik via WDS

The SXTsq also supports WDS, which allows the device to automatically connect to nearby NYC Mesh OmniTiks. However, if there are multiple OmniTiks in range that have equal-length paths to a supernode, there may be routing issues and performance degradation.

Plug SXTsq into port 5 of an OmniTik

Plug SXTsq directly into indoor home router

Wirelessly connect SXTsq to OmniTik

The SXTsq also has a variation of the first configuration that uses OSPF to communicate with the OmniTik, instead of DHCP. This is only needed if the SXTsq needs to be a router instead of a simple bridge.

Plug SXTsq into port 5 of an OmniTik


LinkNYC Kiosk connection (encrypted)

LinkNYC kiosks have both an unencrypted and encrypted network available. They function similarly and have the same Internet available.

The encrypted version uses a feature marketed as "passpoint" which allows you to roam across an area with a user name and password using EAP TTLS. The encrypted network is more secure because no traffic can be sniffed between the kiosk and your CPE. Another benefit is it skips the captive portal (a webpage that pops up when you connect).

When you log in to the LinkNYC unencrypted network, a captive portal prompts you to click a button and, if your device is supported, download a profile and reconnect to the encrypted network. Currently only iPhones are supported with the auto-config feature. However, it's technically possible to connect with any capable device once you have a connection profile. By taking the profile from an iPhone, we can extract the pieces needed to connect a standard antenna such as the SXTsq.

After powering on an SXTsq you should configure it as a CPE with routing, NAT, and DHCP on the internal port.

Then, to configure the radio, apply the following lines on the command line interface (CLI): (This can be performed using the graphical user interface, but it may be faster to paste these lines.)

/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap eap-methods=eap-ttls-mschapv2 group-ciphers=tkip,aes-ccm mode=dynamic-keys mschapv2-password=5fsOpxER mschapv2-username=anonymous@citybridge.com name=linknyc supplicant-identity=anonymous@citybridge.com tls-mode=dont-verify-certificate unicast-ciphers=tkip,aes-ccm

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united states2" default-authentication=no disabled=no frequency=auto security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11

/interface wireless connect-list
add interface=wlan1 security-profile=linknyc ssid="LinkNYC Private" wireless-protocol=802.11

Be sure to shut down the antenna properly the first time to ensure the config is saved. This is not required, but MikroTik antennas are especially sensitive to being powered off without a proper shutdown.


Create a Point-to-Point link

The following works with two new SXTsq or a reset SXTsq. To reset an SXTsq, hold the reset button for about 5 seconds while the unit is booting and release it as soon as the green LED starts flashing (this resets the RouterOS configuration to defaults). It is recommended to update the firmware of your SXTsq to the latest version. The configuration below has been tested with firmware v6.43.12.

One of the SXT will act as an "AP" but can be associated to only one "client". The second SXT will be the "client".

After the configuration there will be no DHCP server or client, so you will need to configure your laptop's IP manually in the same network range, for example 192.168.88.11.

The SXT-AP and SXT-Client port addresses will be changed so that they do not interfere with another SXT's default IP.

Connect to the SXTsq via ethernet and DHCP. You will get a 192.168.88.xxx address

In the terminal

ssh -o StrictHostKeyChecking=no admin@192.168.88.1

Say 'yes' to the warning and paste this for the SXT-AP-

# Feb 25th 2019 for RouterOS 6.43.12
# model = RBSXTsqG-5acD

# SXT PtP / This is the AP

# Set the SXT Identity
/system identity
set name="sxt ptp ap"

#add security profile (to secure wifi connection login) and SSID
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
dynamic-keys name=sxt-ap supplicant-identity="SXT PtP AP" \
wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet

#set the wireless (wlan1) to USA 2 and the proper band
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country="united states2" disabled=no mode=bridge \
security-profile=sxt-ap ssid=nycmesh-nn-sxtptp

# disable the NAT and disable all the firewall filters
/ip firewall nat
set numbers=0 disabled=yes

/ip firewall filter
set numbers=1 disabled=yes
set numbers=2 disabled=yes
set numbers=3 disabled=yes
set numbers=4 disabled=yes
set numbers=5 disabled=yes
set numbers=6 disabled=yes
set numbers=7 disabled=yes
set numbers=8 disabled=yes
set numbers=9 disabled=yes
set numbers=10 disabled=yes

# disable the dhcp-client and server
/ip dhcp-client
set [find interface=wlan1 ] disabled=yes
/ip dhcp-server
set [find interface=ether1] disabled=yes

#add a bridge and add port ether1 and wlan1 (switch)
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1

#change IP address of the "sxt ptp ap" to not mix with potential other SXT default IP address
/ip address
add address=192.168.88.3/24 interface=bridge1 network=192.168.88.0
set [ find interface=ether1] address=192.168.88.2/24

Say 'yes' to the warning and paste this for the SXT-Client-

# Feb 25th 2019 for RouterOS 6.43.12
# model = RBSXTsqG-5acD

# SXT PtP / This is the Client

# Set the SXT Identity
/system identity
set name="sxt ptp client"

#add security profile (to secure wifi connection login)
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=nycmeshnet \
wpa2-pre-shared-key=nycmeshnet
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
management-protection=allowed mode=dynamic-keys name=sxt-ap \
supplicant-identity="sxt ptp client" unicast-ciphers=tkip,aes-ccm \
wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet


#set the wireless (wlan1) to USA 2 and the proper band.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-Ceee country="united states2" disabled=no frequency=auto \
mode=station-bridge security-profile=sxt-ap ssid=nycmesh-nn-sxtptp

/interface wireless connect-list
add interface=wlan1 security-profile=sxt-ap ssid=nycmesh-nn-sxtptp

# disable the NAT and disable all the firewall filters
/ip firewall nat
set numbers=0 disabled=yes

/ip firewall filter
set numbers=1 disabled=yes
set numbers=2 disabled=yes
set numbers=3 disabled=yes
set numbers=4 disabled=yes
set numbers=5 disabled=yes
set numbers=6 disabled=yes
set numbers=7 disabled=yes
set numbers=8 disabled=yes
set numbers=9 disabled=yes
set numbers=10 disabled=yes

# disable the dhcp-client and server
/ip dhcp-client
set [find interface=wlan1 ] disabled=yes
/ip dhcp-server
set [find interface=ether1] disabled=yes

#add a bridge and add port ether1 and wlan1 (switch)
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1

#change IP address of the "sxt ptp client" to not mix with potential other SXT default IP address
/ip address
add address=192.168.88.5/24 interface=bridge1 network=192.168.88.0
set [ find interface=ether1] address=192.168.88.4/24

Legacy Client Node

Set your computer to connect using DHCP ("automatic" on PC)
Connect via ethernet and you will get an address like 192.168.88.xxx

Reset
Press the reset button WHILE powering on the unit by plugging in the POE cable.
Once one of the LEDs begins to flash white/blue (about 5 seconds), release the reset button while it's flashing. After one minute the device will be ready.

Connect to GUI
open your browser and connect to http://192.168.88.1/
default username: admin
default password: (leave empty)
Click the button that says "Webfig" in the top right

Name the device
system > identity
"n--". So if your network id is 1000, your device name could be: n1000-sxt-0

Set a password
System > password
IMPORTANT: You must use a unique and strong (at least 8 characters, the longer the better) password to ensure the security of your device!

IP > Services

Other security precautions to consider https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

IP > firewall
Find and disable this input rule:
4
;;; defconf: drop all not coming from LAN

Bridge

IP > DHCP Server
disable by clicking the small [D] button

IP > DHCP Client

Wireless > security profiles (tab)
add new
name: nycmeshnet
uncheck wpa psk
leave wpa2 psk checked
write in wpa2 Pre-Shared-Key field: nycmeshnet
apply and ok

Wireless > wlan1
Set mode to station-bridge
Set SSID of the hub you want to connect to e.g. nycmesh-xxx
Set channel width to 20/40/80MHz XXXX
Set frequency to auto
Set security profile to nycmeshnet
(below only if you have SXT international version)
Click Advanced Mode button at top
Scroll down and set country drop down to united states

When all settings are correct and the station connects the status should change from "searching for network" to "connected to ess".

Bridge > Ports
Add new, set interface to ether1, set bridge to bridge1
Add new, set interface to wlan1, set bridge to bridge1

IP > Addresses

Change your computer network settings back to automatic or DHCP
(Note you must be connected to the access point to proceed beyond this point)

Access GUI via routable IP address
Use the name you used for your device, plus the name of the access point to generate the correct URL. For example if your network id is 1000 and the hub id is 500, the URL would be:
http://n1000-sxt-0.n500.mesh/

Update (2 step process)

  1. system > packages
  2. system > routerboard > update
    Reboot

Ubiquiti NanoStation Nsm5-Flash Notes

We have been moving towards MikroTik OmniTik as our mesh device. Before using a NanoStation, you should check with us that you are in range of another NanoStation. Some use the NanoStation when they are out of range of the mesh network using the built-in tinc vpn connection.

Don't forget to read our FAQ on the main site.
Also, please fill out the Join form.

When finished, read how to install a NanoStation outdoors

Order a router

For Supernode connections you need a different router (usually LiteBeamAC)

Buy on Amazon:
Ubiquiti NanoStation NSM5

Buy at B&H: (free delivery)
Ubiquiti NanoStation NSM5

Download the firmware and flash your router

NanoStation NSM5 instructions
(for old NSM5s or if you are upgrading see below)

FOLLOW ALL THE STEPS OR YOU MAY PERMANENTLY BRICK THE ROUTER!

Wait ten minutes or so. It now has a SSID name like "nycmesh 1a2b" and a random IP of the form 10.x.x.x

You must also install a watchdog script to keep the network stable. Here are the instructions. Email us if you are not comfortable doing this. This script will be included in the next version of our firmware.

You're done! Now your router is flashed, read how to install a NanoStation

Upgrades
Upgrades are for when your router is already running nycmesh/qMp or another version of OpenWrt.

WR842N upgrade download
WDR3600 upgrade download
NSM5-XW upgrade download

Older (2014 or earlier) XM NSM5s
NSM5-XM download
NSM5-XM upgrade download

Firmware
Our firmware is based on qMp, which is an OpenWrt package using BMX6 meshing protocol. Thanks to Roger at qMp for all of his help.

Am I on the mesh?

After you successfully flash your router and you have emailed us, and we have added your tinc tunneling key, you should be on the mesh. If you re-flash your router (not usually necessary) you will have to email us again so we can add your new tinc tunneling key. Emailing us also lets us know whose router was just flashed.

A quick test to see if you are on the mesh is to go here- http://10.100.4.10/

This URL should resolve after an hour or so of being online-
http://wiki.mesh/

Here are our old TP-Link instructions in case you find an old TL-WR842N on ebay-

Wait ten minutes or so and connect to the router via Wi-Fi. It now has a SSID name like "nycmesh 1a2b" and a random IP of the form 10.x.x.x

TP-Link Indoor Router

Some Archer A6/7 models have a function that disables the WiFi if the WPS button on the back of the router is held down. If you encounter a router that doesn't appear to have WiFi working, try holding the button to re-enable it. Also make sure the button isn't stuck or otherwise damaged.

An indoor router, connected by ethernet cable to the outdoor router, is required for an NYC Mesh member to connect their personal devices to the Internet. For volunteer-led installations, the install team will supply the new member with a TP-Link Archer A6 or a TP-Link Archer A7.

Pre-Configuration Best Practices

For volunteer installers

Before configuring, ask the user member to tell you:

For volunteer installers and DIY installers

  1. Plug the ethernet cable from the outdoor antenna/router into the TP-Link’s blue WAN port.

  2. Plug the power adapter into the wall and the cable into the power socket of the router. The router will turn on automatically.

  3. Connect the installation laptop to the router by plugging an Ethernet patch cable into the yellow LAN port or via Wifi (see the underside of the router for SSID and pwd)

  4. Navigate to the router dashboard in an Internet browser. The Default IP address is 192.168.0.1

    • Username: admin (or whatever it says on the underside of the router)
    • Password: admin (or whatever it says on the underside of the router)
  5. Set up the guest WiFi to “-NYC Mesh guest-” (including the dashes). Navigate to “Guest Network” to set it up.

  6. Set up the home WiFi. Navigate to Wireless > Basic Settings to set the home WiFi network SSID you wish to use and navigate to Wireless > Wireless Security to set the password.

  7. Replace the router’s admin/admin login with a more secure username and password. Navigate to System Tools > Password and input a new username and password.

  8. Please read Obligations

For volunteer installers

If you have time you should pre-configure the router as much as possible, including upgrading the firmware to the latest version. To do that the router does not need to be connected to a network. It can be pre-configured following the above steps excluding point 1.

  1. Download the latest firmware file here for the A6 or here for the A7.
  2. Connect to 192.168.0.1 and log in with the username and password you set for the router.
  3. Go to System Tools > Firmware Upgrade.
  4. Click Choose File to locate the downloaded firmware file, and click Upgrade.
  5. Setting the time is not a necessity but nice to do. Go to System Tools > Time Settings. You can use apple NTP, pool.org and/or Google.

Support

For volunteer installers and DIY installers

A Quick Installation Guide and User Guide can be downloaded here for the Archer A6 and here for the Archer A7.

Ubiquiti EdgePoint R6

The EP-R6 is an outdoor rooftop switch/router with 6 ports (5 GigE, 1 SFP). It supports PoE, but only Ubiquiti's 24v Passive PoE style, not any of the fancier types.

It can be configured in switch mode (just a switch, with a management console) or routing mode (hub node setup, BGP, etc).

Ubiquity EdgePoint R6 Front View

Ubiquity EdgePoint R6 Ports

Device specs are available at store.ubnt.com.

Reset

To factory reset an EP-R6, press and hold the reset button, by the ethernet plugs, for about 10 seconds until the eth4 LED begins to flash, then release the button. The device will reboot and reset.

Or, reset it via the CLI by running the following commands:

sudo cp /opt/vyatta/etc/config.boot.default /config/config.boot
reboot 

Connecting

The EP-R6 has a Web GUI and CLI.
The initial IP address out of the box is 192.168.1.1, and the Web GUI is at https://192.168.1.1. Set your computer's local IP to something similar (192.168.1.5), and connect to the switch on port eth0.

Although there is a Web GUI, using SSH can allow for a much more rapid workflow. If possible, use that.
Here is an example of SSHing to the EdgePoint when it is in factory default mode:

laptop$ ssh -o StrictHostKeyChecking=no ubnt@192.168.1.1
Welcome to EdgeOS
...

ubnt@192.168.1.1's password: ubnt
Linux ubnt 3.10.14-UBNT #1 SMP Wed Nov 11 14:42:04 PST 2015 mips
Welcome to EdgeOS
ubnt@ubnt:~$

From here you can apply commands such as the ones below.

Device idiosyncrasies

Hardware NAT

If using the device as a router in NAT mode (not as a router on the mesh), the default settings will yield a very slow connection.
Hardware NAT should be enabled, which became possible as of firmware version v1.9.7.
This page at Ubnt discusses more: https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained

To enable hardware offload on this model, perform the following commands on the CLI:

configure
set system offload hwnat enable
commit
save
exit

Safely Upgrading Old Devices

As some of these devices can be nearly a decade old (datasheet released in October 2015), you may come across devices with varying versions of firmware. A problem can present itself when you upgrade these older devices to the v2 line of firmware from the v1 firmware without taking the steps to upgrade the bootloader first, which is a manual process that can result in a bricked device (not unrecoverable, but requires disassembly and a TTL serial adapter - best to avoid!).

If you come across such a device, the first thing to do is to upgrade the device to a safe firmware that is new enough to contain the new boot-image but old enough to support devices running the old firmware. v1.10.7 seems to work for this purpose, and its changelog references significant bootloader-related fixes that result in an easier experience.

Once you have downloaded the .tar file, you can use the GUI to upgrade the firmware by uploading the image as described in the documentation. However, to avoid frustration, check for free space on the device before uploading the file: the upload fails uncleanly when there is no space, and you may not realize what is going on.

  1. ssh into the device (ubnt@192.168.1.1, for example)
  2. df -h
  3. check the output and confirm that the root / mount point has enough free space to accept the 70-80MB image you will upload
ubnt@ubnt:~$ df -h
Filesystem                Size      Used Available Use% Mounted on
ubi0_0                  214.9M    141.1M     69.1M  67% /root.dev
overlay                 214.9M    141.1M     69.1M  67% /
...

Uh-oh, looks like we have less than 70M free on the root partition, so uploading the file via the GUI will fail and cause problems. We can solve this by removing the backup firmware first.

  1. show system image, and confirm that there are two images uploaded to the device
  2. delete system image, and confirm that you want to remove the backup image
  3. df -h, to confirm that the space has been freed
ubnt@ubnt:~$ show system image
The system currently has the following image(s) installed:

v2.0.9-hotfix.7.5622731.230615.0857 (running image) (default boot)
v1.10.7.5127989.181001.1227

ubnt@ubnt:~$ delete system image
The system currently has the following image(s) installed:

v2.0.9-hotfix.7.5622731.230615.0857 (running image) (default boot)
v1.10.7.5127989.181001.1227

You are about to delete image [v1.10.7.5127989.181001.1227]
Are you sure you want to delete ? (Yes/No) [Yes]: yes
Removing old image... Done
ubnt@ubnt:~$ df -h
Filesystem                Size      Used Available Use% Mounted on
ubi0_0                  214.9M     66.7M    143.5M  32% /root.dev
overlay                 214.9M     66.7M    143.5M  32% /
...

Now you can proceed to upload the firmware via the GUI. Once the device has rebooted, upgrade the bootloader by SSHing into the device again; it may prompt you to do this on login:

Linux ubnt 4.14.54-UBNT #1 SMP Thu Jun 15 09:00:10 UTC 2023 mips
Boot image can be upgraded to version [ e52_002_4c817 ].
Run "add system boot-image" to upgrade boot image.
Last login: Wed Dec 31 22:33:11 2014 from 192.168.1.100
ubnt@ubnt:~$

You can do as instructed; it is recommended to reboot the device before moving on to the next firmware:

ubnt@ubnt:~$ add system boot-image
Uboot version [e52_001_1e49c] is about to be replaced
Warning: Don't turn off the power or reboot during the upgrade!
Are you sure you want to replace old version? (Yes/No) [Yes]: yes
Preparing to upgrade...Done
Copying upgrade boot image...Done
Checking boot version: Current is e52_001_1e49c; new is e52_002_4c817 ...Done
Checking upgrade image...Done
Writing image...Boot image has been upgraded.
Reboot is needed in order to apply changes!
Done
Upgrade boot completed
ubnt@ubnt:~$ reboot now

Broadcast message from ubnt@ubnt (pts/0) (Wed Dec 31 22:41:05 2014):

The system is going down for reboot NOW!

Connection to 192.168.1.1 closed by remote host.

Once it comes back, you can now upgrade to a v2 firmware using the GUI without any risk of bricking. Be sure to check for free space and remove the old backup firmware again before uploading the new .tar file by following the above instructions again.

Common Configs

Switched Mode (Extend an OmniTik)

To convert the EP-R6 to switched mode, there's now a simple wizard in the GUI to help.

A common use case for the EP-R6 as a switch is to add more PoE-capable ports to an OmniTik router on the roof. In order to preserve isolation between these ports and on the OmniTik, we need to make the switch VLAN-Aware. The following instructions assume the OmniTik has been configured with the standard configuration and IP allocations.

1. Start the Wizard

In the web interface, navigate to the "Wizards" tab on the top right of the screen. On the left sidebar, click "Switch". Choose Static IP. You are probably connected directly to the switch right now, so you don't want to lose access to it while there's no DHCP server!

Log into the OmniTik you are planning on connecting the switch to; we are going to find an unused IP in its /26 subnet. On the left sidebar under IP->DHCP Server, click the "Leases" tab, and hit "Add New". Type in the address you are allocating, uncheck "Enabled", and type nycmesh-xxxx-epr6 in the "Comment" (where xxxx is the network number to which this will be attached).

Type this address into the switch with a /26 subnet with the OmniTik's /26 IP Address as the gateway. Use 10.10.10.10 as the DNS server.

2. Set the VLANs on the EP-R6

Under "VLAN Aware", check "Enabled". Depending on which port will be connected to the OmniTik (the "trunk" port), you will set the VLANs using a combination of the OmniTik's and the EP-R6's port numbers.

Example: EP-R6 is plugged into Port 3 on the OmniTik, and we want to isolate Ports 1-5 on the EP-R6.

eth0: vid 301,302,303,304,305
eth1: pvid 301
eth2: pvid 302
eth3: pvid 303
eth4: pvid 304
eth5: pvid 305

In layman's terms, the PVID tags the port and the VID tells where to send the tagged traffic out. The first digit will be the port number of the OmniTik, and the last digit will be the port number of the EP-R6. After setting up your credentials you can hit apply and reboot the router.

3. Add the VLANs to the OmniTik

Because eth0 did not have a PVID set, you should be able to access the switch using its new IP address without additional hardware. However, we need to configure the OmniTik to receive the tagged traffic and add them to the mesh bridge.

On the OmniTik, navigate to Interfaces on the left sidebar. Click Add New->VLAN for each port on the EP-R6 we are configuring. Let's use the EP-R6 eth1 from above as our example:

Name: ether1.301
VLAN ID: 301
Interface: ether3

Hit OK to save. Once you do this for each port on the EP-R6, you can navigate to the left sidebar and go to Bridge. Under the "Ports" tab, click "Add New" for each VLAN you are configuring. Select the Interface you just created (ether1.301) and the Bridge mesh. Hit OK, and do this for each VLAN interface.

4. Test it!

The easiest way to test your configuration is by connecting a DHCP client (like a router) to the port and testing traffic flow. Plug it into any of the configured ports of the EP-R6, where you will see the port turn purple, orange, or green on the top of the EP-R6's GUI (purple:10Mbps, orange:100Mbps, green:1G).

In the left sidebar of the OmniTik, under IP->DHCP Server, click on the "Leases" tab and check that it got an IP. Lastly, under Interfaces, check if traffic is visible on that particular VLAN. If you can see activity on that interface, you did it! 🎉
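
The numbering rule from step 2 and the matching OmniTik VLAN interfaces from step 3, as an added example that is not part of the original page. The function names and the plan checker are this example's own; it assumes the trunk is eth0 on the EP-R6 and reads the rule as VLAN ID = OmniTik port x 100 + EP-R6 port.

```shell
#!/bin/sh
# Added example: VLAN numbering for an EP-R6 trunked to an OmniTik port.
# VLAN ID = (OmniTik port * 100) + EP-R6 port, e.g. port 3 / eth1 -> 301.
# Assumption: the trunk is eth0 on the EP-R6, as in the page's example.

# vlan_plan OMNITIK_PORT EPR6_PORT... -> the EP-R6 "VLAN Aware" table
vlan_plan() (
    omni=$1; shift
    trunk=
    for p in "$@"; do
        trunk=${trunk:+$trunk,}$(( omni * 100 + p ))
    done
    echo "eth0: vid $trunk"
    for p in "$@"; do
        echo "eth$p: pvid $(( omni * 100 + p ))"
    done
)

# omnitik_vlans OMNITIK_PORT EPR6_PORT... -> one VLAN interface per EP-R6 port,
# using the Name / VLAN ID / Interface fields from step 3.
omnitik_vlans() (
    omni=$1; shift
    for p in "$@"; do
        id=$(( omni * 100 + p ))
        echo "Name=ether$p.$id VLAN-ID=$id Interface=ether$omni"
    done
)

# check_plan < PLAN -> exit 0 only if every access port has its own VLAN and
# the trunk carries exactly those VLANs. Two ports sharing a PVID can reach
# each other directly, which defeats the isolation this setup is for.
check_plan() {
    awk '
        { port = $1; sub(/:$/, "", port) }
        $2 == "vid" {
            n = split($3, ids, ",")
            for (i = 1; i <= n; i++) trunk[ids[i]] = port
            next
        }
        $2 == "pvid" {
            if ($3 in access) {
                printf "%s and %s share VLAN %s: not isolated\n", access[$3], port, $3
                bad = 1
            }
            access[$3] = port
        }
        END {
            for (id in access) if (!(id in trunk)) {
                printf "VLAN %s (%s) is not allowed on the trunk\n", id, access[id]
                bad = 1
            }
            for (id in trunk) if (!(id in access)) {
                printf "VLAN %s is on the trunk but has no access port\n", id
                bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Demo: EP-R6 on OmniTik port 3, isolating EP-R6 ports 1-5.
vlan_plan 3 1 2 3 4 5
omnitik_vlans 3 1 2 3 4 5
vlan_plan 3 1 2 3 4 5 | check_plan && echo "plan OK"
```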

Routed Mode ( NYCMesh Hub Node - BGP )

You will need to know the following to be able to continue:

  • BGP ASN - Autonomous System Number within the network
  • Gateway Node Y/N - Are we going to be a gateway exit node
  • Peers ASN and IP - What are our Peer ASN and IP that we will connect with
  • Local Subnet - What local network will we have? One? Many?

Configuration: The following sections below may be used in-part or in-whole depending on the need:

Example Parameters:

  • ASN: 65012
  • Gateway: N
  • Peer ASN: 65010
  • Peer IP: 10.180.14.1
  • Local Subnet: 10.70.50.0/24

configure

## Filters ##
set policy prefix-list nycmeshprefixes rule 10 prefix 10.0.0.0/8
set policy prefix-list nycmeshprefixes rule 10 ge 22
set policy prefix-list nycmeshprefixes rule 10 le 32
set policy prefix-list nycmeshprefixes rule 10 action permit

set policy prefix-list nycmeshprefixes rule 20 prefix 172.16.0.0/12
set policy prefix-list nycmeshprefixes rule 20 ge 24
set policy prefix-list nycmeshprefixes rule 20 le 32
set policy prefix-list nycmeshprefixes rule 20 action permit

set policy prefix-list defaultroute rule 10 prefix 0.0.0.0/0
set policy prefix-list defaultroute rule 10 action permit

set policy route-map nycmeshroutes rule 10 action permit
set policy route-map nycmeshroutes rule 10 match ip address prefix-list nycmeshprefixes

# BGP Config
set protocols bgp 65012
set protocols bgp 65012 neighbor 10.180.14.1 remote-as 65010
set protocols bgp 65012 neighbor 10.180.14.1 soft-reconfiguration inbound
set protocols bgp 65012 neighbor 10.180.14.1 nexthop-self
set protocols bgp 65012 neighbor 10.180.14.1 route-map import nycmeshroutes
set protocols bgp 65012 neighbor 10.180.14.1 route-map export nycmeshroutes

# BGP Network Config
set protocols bgp 65012 network 10.70.50.0/24
set protocols static route 10.70.50.0/24 blackhole

# Save, leave configuration mode and reset BGP
commit
save
exit
clear ip bgp all
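
To see what the nycmeshprefixes filter above accepts from or announces to a peer, the following added example (not EdgeOS code and not from the original page) evaluates its two rules against constructed sample routes. It assumes the usual prefix-list semantics: the first matching rule wins, ge/le bound the mask length, and anything unmatched is denied.

```shell
#!/bin/sh
# Added example: which routes the nycmeshprefixes prefix-list lets through.
# Rule table copied from the config above: seq, prefix, ge, le, action.
NYCMESH_PREFIXES='10 10.0.0.0/8 22 32 permit
20 172.16.0.0/12 24 32 permit'

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# rule_matches ROUTE PREFIX GE LE -> exit 0 if ROUTE lies inside PREFIX and
# its mask length is between GE and LE inclusive.
rule_matches() (
    route=$1; rule=$2; ge=$3; le=$4
    r_net=${route%/*}; r_len=${route#*/}
    p_net=${rule%/*};  p_len=${rule#*/}
    { [ "$r_len" -ge "$ge" ] && [ "$r_len" -le "$le" ]; } || exit 1
    mask=$(( (4294967295 << (32 - p_len)) & 4294967295 ))
    [ $(( $(ip2int "$r_net") & mask )) -eq $(( $(ip2int "$p_net") & mask )) ]
)

# filter_decision ROUTE -> prints the action of the first matching rule, or
# "deny" when nothing matches (a prefix-list ends with an implicit deny).
filter_decision() (
    route=$1
    while read -r seq prefix ge le action; do
        if rule_matches "$route" "$prefix" "$ge" "$le"; then
            echo "$action"
            exit 0
        fi
    done <<EOF
$NYCMESH_PREFIXES
EOF
    echo deny
)

# Constructed sample announcements: the page's local subnet and peer address,
# plus routes that are too short, outside the ranges, or a default route.
for r in 10.70.50.0/24 10.180.14.1/32 172.16.5.0/24 \
         10.0.0.0/8 10.69.0.0/16 0.0.0.0/0 172.32.0.0/24 192.168.1.0/24; do
    printf '%-18s %s\n' "$r" "$(filter_decision "$r")"
done
```

Because the route-map is applied on both import and export, a default route or an aggregate such as 10.0.0.0/8 is dropped in either direction by this filter.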

Ubiquiti LiteAP Sector

The confusingly named LiteAP (LAP-120) is a very good, cheap 120° sector antenna. 120° means you need three to get a full 360°. It used to be called a LiteBeam 5AC AP LBE-5AC-16-120, and is still named that on parts of their website.

We use it as a sector antenna for most hub and supernode installs. As with all Ubiquiti gear you need to flash it with the latest firmware first.

The AC in the name is not 802.11ac, it is Ubiquiti's own protocol. These devices can only connect to other Ubiquiti "AC" devices like the LiteBeam we mount on everyone's roof.

Ubiquity LiteAP

Device specs are available at ubnt.com.

The default IP is https://192.168.1.20/ with name:ubnt pwd:ubnt

Ubiquiti LiteBeam AC

The LiteBeamAC is a very good, cheap directional router. We use it for most rooftop installs. As with all Ubiquiti gear you need to flash it with the latest firmware first. Often they ship with old beta firmware, and the latest firmware usually gets you faster speeds. Our config instructions are here.

The AC in the name is not 802.11ac, it is Ubiquiti's own protocol. These devices can only connect to other Ubiquiti "AC" devices.

Ubiquity LiteBeam 5AC Gen2

Device specs are available at store.ubnt.com.

There are two versions- gen1 and gen2. By default they are on two different sets of channels which causes much confusion. The gen1 cannot use the DFS channels unless you unlock it with a code on the System tab. Once you unlock a gen1 it has the same channels as the gen2. We have the unlock code for "NYCMesh". Ask us if you need to connect a gen1 to one of our hubs or supernodes.

Gen2 comes with a more sturdy mount (though less range) and also a management 2.4GHz radio. The new mount has no movement clockwise so the only way to get the level bubble in the middle is with a straight mount! The management radio is very handy as you don't need to know the IP of the device. The management radio is on a timer so it will go off after about 5 minutes.

LiteBeams are very directional so use the built-in alignment tool to get the strongest signal. We like to get better than -65db. Very close to the supernodes you can get -45db.

The default IP over ethernet is https://192.168.1.20/
If you connect to the management radio the IP is https://192.168.172.1/

Default login:

Standard config instructions are here.

How to save a LiteBeam via SSH

These instructions were adapted from a Ubiquiti Community post.

Sometimes due to a bad configuration change or issue with the connected sector, the LiteBeam signal will be too low to log into the web interface. This can be a big issue especially if the users at the node are unable to locally revert the change. Luckily, SSH can be used to reconfigure the LiteBeam to change any settings to restore proper connectivity to the node, even over a poor connection.

1. Connect and log into the LiteBeam

Using your favorite SSH software, log into the LiteBeam using the configured credentials, which will be the same as those used for the web interface. You will then be presented with a standard Linux shell.

2. Prepare for the change

Since this shell does not have any nice text editors like nano, we will use the sed command to replace text in the config file. In this example, we will be changing the SSID nycmesh-sn1-ev to nycmesh-sn1-northeast and saving the changes. Make sure that the LiteBeam will be able to connect to the new radio! (We will cover this part in the following section.)

This command confirms that the current SSID is what we expect (current SSID goes after the grep):

# cat /tmp/system.cfg | grep nycmesh-sn1-ev
wireless.1.ssid=nycmesh-sn1-ev

If the command does not return anything, the current SSID does not match what you provided after grep. Run the command again without the pipe | and everything after it to review the whole config file before proceeding.

3. Edit and save the file

Now we will edit the file by finding and replacing the old SSID with this command (old and new SSIDs go before and after the middle slash / respectively):

sed -i 's/nycmesh-sn1-ev/nycmesh-sn1-northeast/' /tmp/system.cfg

Confirm that you made the change by running this command (new SSID goes after the grep):

# cat /tmp/system.cfg | grep nycmesh-sn1-northeast
wireless.1.ssid=nycmesh-sn1-northeast

Finally, run these two commands to commit the change and reboot the device:

save
reboot

Wait 2-3 minutes for the device to reboot and rescan for the new radio and you should be good to go.
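The three steps above can be wrapped in one guarded function. This is an added example, not part of the original instructions or of Ubiquiti's tooling: change_ssid and demo are hypothetical helpers and the sample config is constructed. It matches the whole wireless.1.ssid line instead of a bare substring, keeps a backup, and verifies the result before you run save and reboot.

```shell
#!/bin/sh
# Added example: guarded SSID change. change_ssid and demo are hypothetical
# helpers written for this page, not Ubiquiti commands.
change_ssid() {
    cfg=$1; old=$2; new=$3
    key='wireless.1.ssid'               # key shown in the grep output above
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 3; }

    # Accept only letters, digits, dot, underscore and dash, so neither
    # SSID can carry characters that sed would interpret.
    for s in "$old" "$new"; do
        case $s in
            ''|*[!A-Za-z0-9._-]*) echo "refusing SSID: $s" >&2; return 2 ;;
        esac
    done

    # Match the whole line: nycmesh-sn1-ev must not also hit
    # nycmesh-sn1-ev2 or any other value containing the same string.
    count=$(grep -c -x -F -e "$key=$old" "$cfg" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one '$key=$old' line, found $count" >&2
        return 1
    fi

    cp "$cfg" "$cfg.bak" || return 3    # rollback copy

    # Escape dots so they match literally, then rewrite that line only,
    # reading from the backup and writing the live file.
    old_re=$(printf '%s' "$key=$old" | sed 's/\./\\./g')
    sed "s/^$old_re\$/$key=$new/" "$cfg.bak" > "$cfg"

    # Verify before the caller runs save and reboot; roll back on failure.
    grep -q -x -F -e "$key=$new" "$cfg" || { cp "$cfg.bak" "$cfg"; return 4; }
}

# Constructed sample config; only wireless.1.ssid comes from the page,
# the other key is made up to show a near-miss match.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'wireless.1.ssid=nycmesh-sn1-ev' \
                  'example.note=nycmesh-sn1-ev2' > "$d/system.cfg"
    change_ssid "$d/system.cfg" nycmesh-sn1-ev nycmesh-sn1-northeast &&
        cat "$d/system.cfg"
    rm -rf "$d"
}
demo
```

On the device the call would be change_ssid /tmp/system.cfg with the old and new SSIDs, followed by save and reboot only if it returns 0.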

How to scan for radios

If you are positive that the LiteBeam can connect to another radio's SSID, you do not need to perform a scan (known in the web interface as a Site Survey). However, it is a good idea to confirm that the signal of the other radio is strong enough to connect to before potentially losing the device.

To perform the scan, follow Step 1 from the previous section to connect to the LiteBeam. Then, run the following command to start the scan:

# iwlist ath0 scan
ath0      Scan in progress :
          Cell 01 - Address: 04:18:D6:4C:BB:07
                    ESSID:"ubnt-3P7-N"
                    Mode:Master
                    Frequency:5.165 GHz (Channel 33)
                    Quality=26/94  Signal level=-70 dBm  Noise level=-90 dBm
                    Encryption key:off
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    Extra:wme_ie=dd180050f2020101810003a4000027a4000042435e0062322f00
                    Extra:ath_ie=dd0900037f01010000ff7f
                    Extra:ieee_mode=802.11n
                    Extra:center1=5165 Mhz
                    Extra:chanbw=20 Mhz
          Cell 02 - Address: E0:63:DA:D4:41:6B
                    ESSID:"nycmesh-sn1-northeast"
                    Mode:Master
                    Frequency:5.205 GHz (Channel 41)
                    Quality=41/94  Signal level=-55 dBm  Noise level=-90 dBm
                    Encryption key:on
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    Extra:hostname="nycmesh-sn1-northeast"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    Extra:wme_ie=dd180050f2020101000003a4000027a4000042435e0062322f00
                    Extra:ath_ie=dd0900037f01010000ff7f
                    Extra:airmax_ie=enabled
                    Extra:airmax_mode=ptmp
                    Extra:ieee_mode=802.11ac
                    Extra:center1=5215 Mhz
                    Extra:chanbw=40 Mhz

...

This scan takes about a minute to complete. You may notice the terminal freeze during this time; the LiteBeam switches to another wireless mode while scanning which can sometimes disrupt the connection. As you can see in this example, our target radio with SSID nycmesh-sn1-northeast has a signal level of -55dB which should be more than adequate for us to connect.
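To check a scan without reading it by eye, the following added example (not from the original page) parses iwlist output for one SSID and tests it against the -65 signal target mentioned earlier. scan_lookup, ssid_ready and sample_scan are hypothetical names; requiring Encryption key:on is an assumption based on the hubs using WPA, and the sample is a trimmed copy of the output above.

```shell
#!/bin/sh
# Added example: read `iwlist ath0 scan` output on stdin and report on one
# SSID. Function names are hypothetical, not part of airOS.

# Prints "BSSID SIGNAL_DBM ENCRYPTION" for every cell whose ESSID is $1.
scan_lookup() {
    awk -v want="$1" '
        function emit() { if (ssid == want) print bssid, sig, enc }
        { sub(/\r$/, "") }                      # tolerate CRLF captures
        /Cell [0-9]+ - Address:/ { emit(); bssid = $NF; ssid = sig = enc = "" }
        /ESSID:"/         { ssid = $0; sub(/^.*ESSID:"/, "", ssid); sub(/"$/, "", ssid) }
        /Signal level=/   { sig = $0; sub(/^.*Signal level=/, "", sig); sub(/ .*$/, "", sig) }
        /Encryption key:/ { enc = $0; sub(/^.*Encryption key:/, "", enc) }
        END { emit() }'
}

# Succeeds only if a matching cell is stronger than MIN_DBM (default -65)
# and advertises encryption. Usage: ssid_ready SSID [MIN_DBM] < scan-output
ssid_ready() {
    scan_lookup "$1" | awk -v min="${2:--65}" '
        $2 + 0 > min + 0 && $3 == "on" { ok = 1 }
        END { exit !ok }'
}

# Trimmed copy of the scan output shown above.
sample_scan() {
cat <<'EOF'
ath0      Scan in progress :
          Cell 01 - Address: 04:18:D6:4C:BB:07
                    ESSID:"ubnt-3P7-N"
                    Quality=26/94  Signal level=-70 dBm  Noise level=-90 dBm
                    Encryption key:off
          Cell 02 - Address: E0:63:DA:D4:41:6B
                    ESSID:"nycmesh-sn1-northeast"
                    Quality=41/94  Signal level=-55 dBm  Noise level=-90 dBm
                    Encryption key:on
EOF
}

sample_scan | scan_lookup nycmesh-sn1-northeast
```

Run it wherever awk is available, for example against scan output saved from the SSH session.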

Ubiquiti LTU Sector

Ubiquiti has a new "technology" called LTU, which is the successor to AirMax. (more about AirMax)

LTU and AirMax are not compatible. You need a different device/antenna to connect to the LTU sector.

We have one LTU sector mounted on the west side of 1340-Saratoga. Try it.

Here is the approximate coverage.


The sector is an LTU-Rocket radio and an AM-5ac21-60 antenna. It is positioned at about 260° azimuth, and it has a 60° angle.

We have one node using that new LTU sector right now: 944-Flo. It uses an LTU LR antenna and so far it is better, with more stable bandwidth than the LiteBeam Gen2 to a LiteAP it was using before.

See the LTU devices available

Ubiquiti Nanostation M5

The NanoStation M5 is a workhorse of mesh networks. There are two versions: XM (pre 2016) and XW. It is 802.11n and 10/100 ethernet, so not the fastest on the block, but it has good support from OpenWRT. It also has two ethernet ports, usually set up as WAN and LAN. Recent versions require downgrading AirOS before you flash.

For new installs we use the OmniTik router for meshing. The following page is mainly for our legacy installs.

Ubiquiti NanoStation M5

Device details are available at ubnt.com.

NanoStation NSM5 installs

Hardware

The simplest install is to use an existing vertical pipe and the two plastic ties that are included with the router. Also a thick PVC pipe can be attached to a railing using clamps.

roof install

If you need to aim the router up or down you can use a nanobracket.

nanobracket

The Ubiquiti window/wall mount is a versatile mount that comes with a suction cup for windows or a screw mount for walls. The parts are reversible so the NSM5 can face either way and it also has vertical and horizontal adjustment to point in almost any direction.

window/wall install

The Ubiquiti universal antenna mount can be used on rooftops or walls, where a very strong mount is needed.

universal antenna mount

Window

Outside:
On the outside of the window it is best to use a Ubiquiti wall/window mount. The suction cup is not recommended for long-term installs.

window outside

Inside:
It is often more convenient to install inside the window. You will lose about 2db of signal but that is usually ok.

Velcro is the easiest way to install a NanoStation if it will be facing the same direction as the window. Use more velcro than in the picture (this install slipped down the window after six months!)

window velcro

A Ubiquiti suction cup mount can be used if you need to point the router at an angle. The suction cup will fail eventually (usually on very hot or very cold days), so do not use this for long-term installs.

window/wall install

Rooftop

Often rooftops have an existing unused pipe or abandoned antenna pole that can be used.

pipe

A Ubiquiti bracket is good if you have a drillable surface such as brick or cement.

bracket

Wall

A simple wall mount can be made using a small, thin piece of wood and the two plastic ties that come with the router. This will not give you much choice in direction.

window/wall install source

window/wall install

The Ubiquiti window/wall mount comes with both a suction cup for windows and a screw mount for walls. Use this screw mount on a wall so you can point the router in the best direction.

window/wall install

Tree

Sometimes a tree is the best place for your NanoStation.

tree

Ethernet

Outdoor routers use "power over ethernet" (POE). A small adapter is used to add power to the ethernet. This means you only need to run one ethernet cable to the device.

The most important thing about the cable is that it is "outdoor" cable. Otherwise the plastic will decay in the weather. We use Cat 5e. A cable run must be less than 100m (300 feet), or the signal and voltage drop will be too much.

There are two ethernet ports on the NanoStation and these are a source of confusion. Like most outdoor routers they get their power over the ethernet cable. They come with an adapter that adds 24V of power to the cable. Be careful plugging live cables into ports that are not expecting a voltage.

Here are two ways to wire your NSM5:

Setup 1 (client)

You are connecting to a remote gateway that is providing your internet. You plug the ethernet cable into the "main" (LAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the WAN of an indoor router.

(Sometimes people are close enough to the NSM5 that they don't bother with the indoor router.)

Setup 2 (gateway)

You are sharing your existing internet with your neighbors. You plug the ethernet into the "secondary" (WAN) port of the NSM5. The cable goes to the power adapter POE. "LAN" on the POE adapter goes to the LAN of your existing indoor router.

Powering two from one adapter

If you need to install two NanoStations you can simply run a cable from the spare ethernet port to the other NSM5. If the POE is plugged into the secondary port (gateway setup) then the "main" will act as passthrough to the second NSM5.

To turn on passthrough from main to secondary you need to do this (source):

# older nanostation XM (pre-2015)
echo 8 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio8/direction
echo 1 > /sys/class/gpio/gpio8/value
# disable with echo 0 > /sys/class/gpio/gpio8/value
# nanostation XW (2015-)
echo 2 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio2/direction
echo 1 > /sys/class/gpio/gpio2/value
# disable with echo 0 > /sys/class/gpio/gpio2/value

I've found this setting doesn't stick after reboot, so you need to add it to /etc/rc.local (local startup):
http://admin.qmp/cgi-bin/luci/admin/system/startup

LAN vs WAN confusion

On the NSM5 the "main" port is LAN and the secondary is "WAN". This is the most confusing thing about the router and mixing this up is the cause of most problems. Always connect WAN on one router to LAN on another!

If you connect LAN to LAN it will be unstable as each LAN port usually has a DHCP server and both ports will be trying to assign an IP address to the other. Also don't connect WAN to WAN as this makes no sense. This is by far the biggest problem with people setting up routers and it is so simple to avoid.

Configuration Videos

Ubiquiti Unifi-Ap

We are using more UNIFI access points on installs these days. These devices are very frustrating to set up, so this document is designed to help.

As of 2021 the latest firmware 4.3.28 has very short uptime (<30 days), so we are using a stable older version 4.3.20 (copy this link)

Never use 4.3.28 or later, as the device will go down and require a site visit to reboot!

The devices are coming with very old firmware that isn't even compatible with the controller, so step one is to SSH into the AP and upgrade it to 4.3.20.

Adopting wirelessly doesn't work, so we adopt the AP to the controller wired before installing!

After moving on site, you may need to SSH in and run set-inform to tell it the address of the controller.

SSH firmware instructions

Here are Ubiquiti's instructions

We usually download the 4.3.20 update and choose the "Updating without internet..." option using scp.

Meshing

We mostly install these devices with one wired connection for every two or three unwired ("meshed"). It's best to avoid more than one wireless hop.

Wireless meshing basically doesn't work after version 4.3.20. Apart from later versions being unstable, when one goes down it can take down all the other meshed devices! We're in a very long conversation with Ubiquiti about this.

UAP-AC-M (rabbit ears)

We've installed these at Clemente and they have proved to be reliable when running 4.3.20

UAP-AC-M-PRO

We've installed these at Grand St and Vernon

They are designed to mount on a wall. We've been mounting them on light poles which means creating your own mount (a lot of work!)

They seem ok and we haven't had any completely fail yet. The case is just snapped together. I had one randomly come apart before installing.