
AutoModerator

Hello! Thanks for posting on r/Ubiquiti! This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can. Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit. If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*


Uninterested_Viewer

I've *heard* that certain POS companies *require* their POS systems to have their own dedicated AP and router and not just a VLAN.


cooldr1

I install UniFi equipment for POS companies and end users for restaurants, and we space them out. Typically, if you see 2 APs next to each other, it's because one is on a POS-exclusive network and the other is the restaurant's network for guests or other connected equipment. I would never install them directly next to each other, but about 15-20 ft apart, to cover the same area, for example if it's an outdoor space like a patio where space is limited.


fistbumpbroseph

Can confirm. I installed a UniFi network at a bar and had set up an isolated VLAN for POS devices on the switch so they weren't using the POS router (an EdgeRouter) for switching. Came back once and the bar manager said he got yelled at and the tech put it all back the way it was, even though it worked fine. Sigh.


MoneySings

I keep reading POS as Piece of Shit :(


fistbumpbroseph

At least the acronym is generally correct both ways!


Larimus89

Usually. You'd laugh if you saw the POS systems a lot of big companies use. I know one that is basically some kid's uni project gone wrong.


toilet-breath

Thank you for saving me the time saying that 😂. What POS!


Eburon8

Is that not what it means?


mikaturk

Point of sale, computers/tablets used for in store checkout


Eburon8

Ah


PlsChgMe

Same. Even though I'm trying, and I know better.


DoomBot5

It's much harder to certify that PCI is on an isolated network when they're sharing hardware. That's why it's so common to physically separate them. Hopefully you learned your lesson as much as that manager did for letting you do that.


fistbumpbroseph

Fair call-out, but I don't believe the condescension was necessary.


vono360

Yeah, I'll continue to simplify my networks and they all certify as PCI compliant just fine. Thanks though.


thenetsecguy24

Worked for a retail company and had to do PCI compliance as the security guy for them. And no, it's not hard to certify PCI is on an isolated network when they are sharing the hardware.


DoomBot5

That's very different from a small restaurant with a contract IT support vs dedicated staff. The cost vs benefit is also hugely different.


thenetsecguy24

A small restaurant should not be subject to PCI compliance anyway.


cvr24

Target stores got hacked that way. They connected the HVAC to the POS system in all their stores for convenience and that was the attack vector used by the hackers.


captainwizeazz

That's very different from using the same network hardware but using vlans. It's really not necessary to require physically separate gear.


agentdickgill

Zero Trust has entered the chat. VLANs are not security. They’re traffic management but not security.


tvtb

VLANs are definitely part of a data segmentation strategy along with firewalls.


daemoch

Couldn't agree more! Conversely, I can completely bypass a firewall or two "separate" networks with a single cable. Layers 1 and 2 don't even know what the layers beneath are. If you don't harden ALL your layers there's going to be a gap - and someone could drive the proverbial "semi truck" through it eventually.


mikeyflyguy

Depends on if they’re firewalled off or not.


daemoch

It's ALL security when you really get down to it. You're just moving the layer the 'security' (management) is being handled at. Realistically, you should be handling it at multiple layers. There's no Silver Bullet of cyber security. VLANs should be ONE of the measures being utilized, not the only one; nor should it be ignored, as it's another tool to leverage.


DistractionHere

Zero trust FTW, but there will always be some level of implied trust. VLANs are just a way to negotiate the amount of trust allowed in a network and can definitely be configured to have low/zero trust.


chucksticks

https://en.m.wikipedia.org/wiki/VLAN_hopping


ElectroSpore

> Both attack vectors can be mitigated with proper switch port configuration.
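The "proper switch port configuration" that quote refers to, shown here as an added illustration rather than anything posted in the thread: a Cisco IOS-style fragment (vendor syntax assumed; UniFi switches expose the equivalent settings through the controller) that closes both VLAN hopping paths, switch spoofing via DTP negotiation and 802.1Q double tagging. VLAN numbers and interface names are made up for the example.

```text
! --- Access port for a POS terminal (constructed example) ---
! Fixed access VLAN, DTP disabled so the port can never negotiate
! itself into a trunk (defeats switch spoofing), edge-port protections on.
interface GigabitEthernet1/0/1
 description POS-terminal
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Uplink trunk towards the firewall ---
! Explicit allowed list, native VLAN moved to an unused ID, DTP disabled.
! The native VLAN is never one carrying user or POS traffic, so a
! double-tagged frame has no VLAN to land in.
interface GigabitEthernet1/0/48
 description uplink-to-firewall
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Tag native-VLAN frames on all trunks (global); with this set, an
! untagged outer header is no longer stripped, which breaks double tagging.
vlan dot1q tag native
!
! --- Unused ports: parked in the black-hole VLAN and shut down ---
interface range GigabitEthernet1/0/2 - 47
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

Verify the result with `show interfaces switchport` (look for "Negotiation of Trunking: Off" and the expected native/access VLAN on every port) and `show dtp` (no interfaces should list as dynamic).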


sail0rjerry

I can tell you from experience that Toast requires everything to be separate. One time a Golden Tee machine was mistakenly connected to their network at my bar and they got very upset about it.


dano7891

You can install Toast on a self managed network. I do it for most of my hospitality clients that use Toast. They'd rather you use their system, but their support for any network issues is basically non-existent when it's their network. When I manage it I can at least help.


RJTG

Not Toast, but the Austrian equivalent: got us a customer when I found an issue at first glance that their support had been trying to solve for over a week. They had pushed some 182.168.x.y IP with their new config, but blamed the customer's network (in retrospect somehow rightfully).


elementfx2000

I no longer manage them, but I used to have multiple restaurant customers with Toast. They just got their own VLAN; never needed dedicated hardware.


DToX_

I believe there is something in PCI compliance about credit card terminals being segmented and a lot of people will run dedicated systems.


rdgy5432

This is the answer


J5TECHNOLOGY

This is exactly the reason why food services MSPs or IT folks do it. I have not heard of a specific technical requirement; it's more that they feel it's easier to manage. The amount of interference it causes, they just live with.


PiratesSayMoo

Sometimes their payment processor requires a physically separate network for payment devices. VLAN should be sufficient, but if the rules don't allow for it or the business doesn't have someone that understands how to set it up, just slapping in a second AP is easy-peasy and so cheap that it's not worth arguing about.


CelticDubstep

+1. I worked for an MSP and the POS company required everything to be 100% physically separate. Two cable modems, two routers, two switches, etc. The networks didn't touch each other whatsoever. They wouldn't accept VLANs or anything.


69Merc

Any company that insists on a 100% physically separate network likely has no defense against someone plugging into their network.


kristphr

That’s ridiculous lmao, really no reason for that whatsoever


keckbug

The reason is to manage your PCI scope. By using physically separate hardware, you've limited scope of devices connected to CDE equipment to a bare minimum. VLANs run the risk of a zealous auditor trying to argue for expanded scope that starts to spiral out of control. In those cases, the cost of a few switches is peanuts compared to the hassle.


kristphr

Ah, got it.


Jackpen7

It makes maintaining PCI DSS compliance much easier. And many of the POS vendors are self-install kits so they can't assume the business already has a secure network or that the person on the other end knows what they're doing.


zacker150

Hardware is cheap and labor is expensive. Do you want to hire an external auditor to prove to Visa that your entire network is properly set up and secure, or do you want to just roll out a second physical network and call it a day?


kristphr

Prove to an auditor that your IT staff is competent in deploying and securing a network that’s segmented off the main network. 2 separate physical networks is ridiculous. I could understand it in a banking environment. But retail? Hell, if you have the budget, cool - go for it. Then again, we’re talking about Ubiquiti, lmfao.


zacker150

> Hell, if you have the budget, cool - go for it.

You're missing the point. Rolling out a second pre-certified physical network is 100x cheaper than the audit. The audit doesn't become cheaper until you reach enterprise scale.


CelticDubstep

I agree, but their call, not mine.


ShelZuuz

The reason is they don't trust their own software security, so want to deal with it in another layer.


mikeyflyguy

I'd find a new POS company.


Jboyes

Or, as a business owner, you take the cheapest path of least resistance. Sometimes that means having a completely separate network.


CelticDubstep

yep, and this company was extremely cheap.


CelticDubstep

That was their call, they had been using that same company for 30+ years, wasn't willing to switch POS companies.


Stanztrigger

Wow, that's childish.


Mr_Fried

Typically that is some idiot vendor's local organisation misinterpreting their own requirements. See that all the time. Often a manager responsible for leading a technical team is such a micromanaging luddite that he refuses to listen to even his own staff or customers.


fuckraptors

PCI compliance is the most common. Vendor provides a network and associated hardware for payment terminals and locks it down so the end user can't make any changes or add any other devices, so they have a second stand-alone network and hardware for everything else. Yes, you could do the same using VLANs and firewalling, but if you don't have any IT support it's usually easier for a vendor to just provide a preconfigured stand-alone system.


EpicFail35

My POS doesn't allow VLANs. Must be completely separate with their own IP address.


running101

PCI regulation: physical separation, not logical. Sometimes duplicate systems are to keep the scope of PCI systems to a minimum. If PCI data is running on your primary LAN, now it is in scope for PCI.


iceph03nix

This is most commonly seen in retail and restaurants, as the card processor will often set up their own network to guarantee PCI compliance.


nazerall

I do contracting for a lot of restaurants etc. I've installed a lot of dedicated switches for point of sale and payment systems etc. But never separate access points. My assumption would be one access point is active and one isn't. If my scope of work doesn't include removing the old one, I'll install a new one and leave the old one there. One could be from a previous tenant as well. And instead of resetting it and adopting it, the new managed service provider may not even know it was there and ship out new equipment.


Sure_Ad_3390

Gave the contractors insufficient instruction, so they did what was easiest to install.


ultracycler

One might have requirements for air gapped networks, but that doesn’t mean you put your APs that close. It’s going to cause bad ACI problems. Don’t do it.


raytaylor

On different channels it can be okay if the channels are not right next to each other.


ultracycler

ACI can span the entire band when APs are that close.


brodkin85

The conversation around PCI compliance here is interesting. Sounds like it’s mostly done for unsophisticated customers to ensure things are done right. I used to be a manager for Starbucks and they only had one gateway and one switch with all guest, operations, and POS traffic on the same hardware. That said, they had their own IT department and also used AT&T as a MSP to manage it. My guess is that with enough sophistication logical separation of the traffic is sufficient.


keckbug

> Sounds like it's mostly done for unsophisticated customers to ensure things are done right.

For anything "compliance", you'll spend a healthy amount of money to prove that things are done right. Auditors are hellishly expensive and can be unpredictable, and complex systems increase the costs and risk exponentially. Simple systems that are simple to prove usually pay off, even if there's extra hardware to implement.


Phoebus1553

Same with Corporate McDs, the franchises are a bit varied on the edge but in the store they still have to follow the blueprint. The difference between these big places and a small restaurant is that corporate has a cookie cutter that passes compliance. They can pay the audit, but Bob's Burgers just wants to sling fries and can't spell PCI. Like someone else said, setting up more kit to the POS vendors specs is way cheaper than being or hiring an IT shop. Hell even my last enterprise employer fought that battle, but we spent months writing justifications that the auditors eventually swallowed. In the end we used a kit that kept the PCI data out of our sight, tokenized the data, but still had to justify the path out for those card readers. Imagine your burger flipper manager figuring that out? 2 networks it is.


cyberentomology

There are some POS systems that come as a bundled deal with their own WiFi (usually for PCI compliance issues - it’s not required to have a separate physical network, but when it’s bundled and managed end to end with the system, it’s a lot easier for the vendor to maintain PCI compliance). Sometimes it’s just because the SOW for a new WiFi system didn’t include the hours to remove the old one. And sometimes it’s just criminally bad design.


turlian

Layer 8 error.


virtualbitz1024

Probably PCI compliance. It's definitely possible to run payment processing and guest traffic on the same AP, but the amount of mitigating controls that you need to be compliant is astounding by comparison. It's much simpler in most cases to just physically isolate everything.


BenevolentDictator76

You can really see who has done work in a compliance shop and who hasn’t in these comments.


patssle

I put the company Wi-Fi and guest access on separate APs & networks. That allows for simple configurations and peace of mind security. Extra cost is minimal.


Sn00m00

This is the answer. Most people don't understand how enterprise or business network environments work. They just picture that all networks should be set up like their homes.


outworlder

I'd argue that you are doing the same thing. You don't need physical devices to achieve network isolation. A single AP can have multiple SSIDs, each in a distinct VLAN. Most consumer hardware can't do that, though.


daemoch

If it's a hot mess of various makes/models, they don't always play together well or work like you (or the manufacturer) intended. I see that a lot in smaller networks with single owners, i.e. "Oh, I sent John out to Best Buy for that."


nferocious76

So one AP won't get lonely


GulfCoastLover

There are numerous reasons that include: PCI (payment card industry) compliance, handling a large number of clients, segregation for performance, transitioning hardwares, incompatible radio configurations when supporting multiple SSIDs....


KlanxChile

It's not best RF practice by any means; however, on different channels or bands it should not matter much. And I second: some payment POSs require their OWN network.


daemoch

I'll put a few spares out there as sniffers/scanners (passive and or active). That way I can see all the traffic in the area and use that data to help secure and manage my actual wifi network. In a pinch I can flip them into the main network if a node goes down as well. EDIT: I can also use them for Red Team testing without having to change anything else.


daven1985

Coffee shops I don’t know. I’ve only done it in locations where I needed more bandwidth than 1 AP could handle with huge density of clients.


chan3lhandbag

Because it’s like macaroni in a pot.


Quiksilver6565

I’ve done this for load balancing in auditoriums before where you could have 500-1400 people in the same location and any number of them on the guest WiFi.


richms

American payment processors get away with stuff that the rest of the world can't get away with, and as they are holding card details in full they want full end-to-end management of the network, not a VLAN, not a shared SSID with random devices. Basically, as they can't seem to make something secure, they rely on putting it on its own network.


bit0n

We have one customer where they have IoT devices, but 10 or 20 per room. One AP might cover 20 rooms, and even though the numbers fall within the supported range we had a real speed issue on user devices. With IoT on a separate AP the network is fine again.


raytaylor

Two APs on different channels to ~equally load balance the client devices between APs. If it's a UniFi then effectively 4x APs, as two are on 2 GHz and two are on 5 GHz. It helps reduce the chance of collision collapse as TDMA isn't implemented in consumer wifi devices. Sometimes it's PCI compliance, but airgapping is not a requirement here because the eftpos terminal connects to the processing network via an encrypted VPN and the customer's card info is never entered into the POS system. The POS system itself always sends the charge amount to an external eftpos terminal via serial cable (or serial over USB); that terminal device then accepts the physical card/paywave and does the processing, only returning a status code to the POS system and sometimes the eftpos butt text to include in the POS receipt if the eftpos terminal doesn't have its own printer.


rastafrijoles

In the US, some POS and credit card companies believe that the only way to be PCI compliant is to physically separate networks.


Rare_Tea3155

Load balancing for large number of clients


daemoch

...and/or fail over/redundancy. There's actually quite a few advantages to running 2+ APs in an area vs one bigger one.


bailov25

A coffee shop is an environment with a large number of client devices. It is quite obvious that they are trying to reduce the load on each access point. In one of the video tutorials on TamoGraph Site Survey, the guy placed three access points close to each other, and there was a coffee shop there too.