Feature requests for Omada Controller
Dear @forrest,
I have some feature request for Omada Controller collected over time from our Omada customers and from Omada users here in the forum. I would appreciate very much if you could consider those features in a future version of Omada controller.
1. Statistics page
It would be helpful if the statistics page would allow to select a pie chart for showing numbers of users/guests per EAP, not only per SSID. Often, sites have only one SSID at all and the current pie chart always shows 100% users for this SSID. I know, it's already in Omada App, but sysadmins would like to see this in Omada software controller and OC200, too.
2. Client hostnames
If WiFi hostnames are empty (device shows up as »Unknown«), Omada Controller should query the DNS server for the hostname. DNS servers in small SOHO networks keep track of the hostname sent by DHCP automatically. Business users often use a full-fledged DNS server. Additionally, the client's hostname should be allowed to be set manually – you have accepted the latter suggestion of a manual settings for home users already as far as I know. But DNS names should be queried for power (business) users, too, and it would be beneficial even for SOHO users.
3. Proxying capabilities
It would be helpful to allow use of web proxys such as the nginx or apache web server, which can forward requests to Omada controller. This would just require the ability to bind Omada controller to specific IP addresses set in the properties, thus preventing the controller to listen to all IP addresses of the server. Business class servers often have web front-ends and load-balancing while the software runs on a back-end server. Those load balancing functions of a proxy could be used easily for Omada controller with only small changes in the Java code which allow binding to certain IP adresses.
4. mongod database
Sysadmins should be able to use a system-provided mongodb instance alternatively to the built-in one. Currently Omada controller always starts an own mongod instance. If it would be possible to prevent this start, Omada controller could use an existing (already installed) mongod by just changing the port in the properties. So please make start of the built-in mongod optional for those users who run an own mongod already. No need to run DB servers twice on the same system.
5. Make Java code platform-independent again
In version 2.x Omada controller's Java code was platform-independent. Java classes for Windows could be used on Linux and FreeBSD UNIX without any change. Starting with version 3 Omada controller introduced platform dependency, which isn't really needed (Java has been designed to be platform-independent). Only change required in V3 Omada controller would be to not query for the platform the controller is running on, but instead querying for the existance of platform-dependend helper commands such as ps (then it's running on Linux or FreeBSD) or tasklist (then it is running on Windows).
By querying for the existance of helper commands instead of querying the platform you would have to support only one version of Omada controller's Java code for every platform. No more differences in Java code for Windows, Linux and FreeBSD – just one Java code base like it was in versions 2.4 to 2.7. You only would need to package different software packages versions for distribution of built-in binaries such as mongod, but the Omada community version, which avoids any built-in binary, could run on any platform, whether it's 32 bit, 64 bit or x86, mips or arm architecture.
If R&D doesn't want to unite the Java code base, then please remove at least the platform checks in Java method »com.tp_link.eap.start.EapLinuxMain« and consider removal of the platform checks in the Linux version of Omada controller. For example, if you remove those platform checks, the Linux version could be made easily to run also on FreeBSD, which is often used as an Internet server. And I'm sure, no-one would download the Linux version anyway if he runs Windows.
6. SSL certificates
While it is possible to change SSL certificates in the Linux version easily, it isn't possible at all on OC200. Please consider an upload mechanism for OC200 either through the web UI or maybe through the optional USB stick, which can be added to OC200. There is a lot of space on USB sticks used for auto-backups. Why not use it for other things, too?
7. Client isolation
Please consider to add a setting for »Client Isolation« again. It would be not necessary to change the current existing setting »Guest Network«, which still could co-exist and which could enable client isolation, too. But it would be beneficial to only enable client isolation without the invisible ACLs being set when using »Guest Network« setting. This would also simplify access from guest users to the OC200 portal when OC200 is the only device in the (wired) LAN.
These are the feature requests I'm often asked for by our customers and by users here in the forum. It would definitely improve Omada Controller.
Thanks very much for your consideration.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I have the controller running behind a reverse proxy just fine. You just have to re-write the headers to translate between 443/8043 both directions, and 80/8088 if you want the initial re-direct to https to work. I have mine behind the HAProxy package on my pfsense firewall at home. I would be happy to share the settings to make this work if anyone is interested.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hello!)
Congratulations to everyone on the last holidays!
I wish you all the very best!
I have been using TP-Link equipment for deploying wifi networks for a year now. In total, I have about 130 EAP245 access points at several sites (premises). I have a couple of very complex configurations in terms of design and RF environment.
During this year, I understood exactly what functions I was missing. I would like to suggest (ask) to consider these functions for further implementation.
0. Wireless Snooper(Wi-fi scanner):
In the latest version of EAP 245, if I understand correctly, spectral scanning is implemented. You can use it to determine the quality of the channel. That's great, thank you! But for better setup / optimization of the Wi-Fi network, a "Wireless Snooper" is needed. "Wireless Snooper" will be able to show us which networks with which parameters(SSID,BSSID,channel, signal, band, channel width) this access point catches.
1. Client isolation:
This has already been discussed a lot and has long been discussed.
2. Client signal levels when roaming:
It would be very cool if in the logging of client events, it was recorded at what signal level he left the access point, and with what level he connected to another access point.
3. Сontroller redundancy:
On this point, I think everything is clear
I would like to hear the opinion of other users.
@R1D2 , what do you think about this?
@Fae , I am very glad to welcome you!)
Please look at my list, can you comment on it?
P.S. English is not my native language, if something is not clear, please ask a question.
Thanks for attention! Good luck to all!)))
- Copy Link
- Report Inappropriate Content
For your requests, does Rogue AP not give you enough for your point 0.
2. - You can add signal level to the client view, it doesn't record their levels so you can't see what they had or why they moved, but is this something many people would need or use? I understand it may help tweaking power settings, but once set, would it be used, often?
3. I also get why this was noted, but the APs will continue without a controller, the only downside is, you would not be able to make changes to the setup or add new SSIDs/profiles during a controller outage, however if you link the controller to the cloud, you can easily have this as your redundancy. I do accept not everyone want's to use this.
- Copy Link
- Report Inappropriate Content
Hello!
Regarding Rogue AP, it's not very convenient when you have to control a network of 50+ access points. It is more convenient to see spectral scanning information, and Wireless Snooper detailed (SSID, BSSID, channel, signal, band, channel width) information on one page for a specific access point.
In this implementation, you have to constantly switch between windows, which creates inconvenience.
The Client signal levels when roaming function in the event log is only needed:
1. When you make the setting
2. Optimization
3. When customers have problems, using this event log with signal levels, you can find the problem more accurately and in a shorter period of time.
Сontroller redundancy, I just want to sleep well!))) This feature will also help the TP-link to make more sales of controllers
- Copy Link
- Report Inappropriate Content
@matt25 I would also like to see how you have done this. Trying to achieve the same via nginx
- Copy Link
- Report Inappropriate Content
As I mentioned, you have to set the header to the port the controller software is expecting on requests, and then back to the front-end port on the replies. I'll include some screenshots from the pfsense GUI to HAProxy, and the resulting HAProxy config file too. The http/port 80 items are only needed if you want the re-direct from http to https to work for you. I you don't mind just always typing https you can leave that whole part out.
HTTPS/443 front-end:
HTTP/port 80 front-end:
HAProxy config:
frontend EAP-Controller-https-443
bind 10.0.0.50:443 name 10.0.0.50:443 ssl crt-list /var/etc/haproxy/EAP-Controller-https-443.crt_list
mode http
log global
option http-keep-alive
timeout client 30000
acl eap-short var(txn.txnhost) -m str -i eap
acl eap-fqdn var(txn.txnhost) -m str -i eap.localdomain
acl aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap(:([0-9]){1,5})?$
acl aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap\.localdomain(:([0-9]){1,5})?$
http-request set-var(txn.txnhost) hdr(host)
http-request set-header host eap:8043 if eap-short aclcrt_EAP-Controller-https-443
http-request set-header host eap.localdomain:8043 if eap-fqdn aclcrt_EAP-Controller-https-443
http-response replace-value location 8043 %[hdr(location),regsub(8043,443)] if aclcrt_EAP-Controller-https-443
use_backend server-8043_ipvANY if aclcrt_EAP-Controller-https-443
frontend EAP-Controller-http
bind 10.0.0.50:80 name 10.0.0.50:80
mode http
log global
option http-keep-alive
timeout client 30000
acl eap-short var(txn.txnhost) -m str -i eap
acl eap-fqdn var(txn.txnhost) -m str -i eap.localdomain
http-request set-var(txn.txnhost) hdr(host)
http-request set-header host eap:8088 if eap-short
http-request set-header host eap.localdomain:8088 if eap-fqdn
http-response replace-value location 8088 %[hdr(location),regsub(8088,80)]
http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
default_backend server-http_ipvANY
backend server-8043_ipvANY
mode http
id 100
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server server 10.0.0.151:8043 id 101 ssl check-ssl check inter 10000 verify none
backend server-http_ipvANY
mode http
id 102
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server server 10.0.0.151:8088 id 101 check inter 10000
- Copy Link
- Report Inappropriate Content
@R1D2 I'd vote, as many times as you will let me, for making the installation of security certs easier. I managed to disable ALL logins of any kind to my OC200 just two days ago; the controller said the installation was successful, but "successful" must mean something different to it than to me, as I am now getting SSL_ERROR_NO_CYPHER_OVERLAP errors when I attempt to login using my web browser (FireFox or Chrome, it makes no difference).
Obviously, I made the .jks incorrectly, possibly because the recipe I found was for the Mac and I was running keytool on Ubuntu. Epic fail, as a matter of fact. While everything is still working, I must do a factory reset and a restore from a (reasonably current) backup in order to regain access. Otherwise, I can forget ever adding clients again.
- Copy Link
- Report Inappropriate Content
Dear @ivanlan9,
I'd vote, as many times as you will let me, for making the installation of security certs easier. I managed to disable ALL logins of any kind to my OC200 just two days ago; the controller said the installation was successful, but "successful" must mean something different to it than to me, as I am now getting SSL_ERROR_NO_CYPHER_OVERLAP errors when I attempt to login using my web browser (FireFox or Chrome, it makes no difference).
Obviously, I made the .jks incorrectly, possibly because the recipe I found was for the Mac and I was running keytool on Ubuntu. Epic fail, as a matter of fact. While everything is still working, I must do a factory reset and a restore from a (reasonably current) backup in order to regain access. Otherwise, I can forget ever adding clients again.
This thread is a little old and I'll close it as R1D2 requested to avoid bothering other users who join this post before.
Sorry for any inconvenience caused. Please feel free to start a new thread on the community for further assistance.
Thank you for your great cooperation and patience. Have a nice day!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 8
Views: 13213
Replies: 39