After a couple months of testing Siklu’s Terragraph hardware (see related article), we were approached by Cambium asking to run a side by side test using their solution. We have had a long working relationship with Cambium on their ePMP product line so despite running into some “testing fatigue”, we agreed to try out the V5000 distribution node and the V3000 client nodes on a site in our downtown area.

The chosen test site is:

• V5000 connected via 10 Gbps fiber to a core switch and powered by 48 VDC. Site is connected to 10 Gbps fiber

• Five V3000 client nodes all within 300 meters servicing a large apartment building full of college students, a food hall with free WiFi, a couple condo buildings and the city Visitors Center.

All sites are fairly heavy users, especially the apartment building with the college students. These sites were currently being connected via 4 different 60 GHz APs all at the same location as the proposed V5000 install. We had a mix of Mikrotik and Kwikbit 802.11ad products. Much like our other test site with Siklu, we were seeing our own self interference at this location due to the amount of 802.11ad radios (three others are also on this same roof but not part of this test).

The Cambium Terragraph solution requires an E2E controller that handles the back end work of connecting the links, sending configurations, upgrading firmware, etc. This is tied into Cambium’s cnMaestro solution. There are two options for this controller:

1. Run it on the V5000 distribution node

2. Run it as a container on an on-premise box

If you use the onboard E2E controller on a radio, you can use the web interface of that radio to control everything. Or, in either case, you can attach this to your cnMaestro instance and manage it though that site. We run cnMaestro as an on-premise server on our Proxmox box. You can also run the cloud hosted version of cnMaestro.

We initially spun up the E2E container on a Ubuntu instance on our Proxmox. This was then connected to the cnMeastro on-premise server. Once we started working with Cambium tech support on the initial configuration, they suggested we use the onboard controller on the V5000 radio. This was partially related to the fact that the radios must see this E2E controller to get programming. We were programming these radios off-line in the shop and they did not have layer 2 connectivity back to the E2E controller we set-up.

Cambium has provided a list of videos that help with the deployment of your first link. We had a call with Cambium engineers to help get our link operational - but it is not difficult to follow the video instructions. Once your first link is up, the rest become trivial.

We deployed our links with Cambiums cnWave software version 1.2-beta3. This was at the request of Cambium engineers. We normally do not run beta code on the network but as part of our testing agreement, we would run their latest code for this project. So you don’t have to skip to the end, this code branch appears to be very stable. We have not had any software issues.

Step 1 is to configure your V5000 distribution node to run as your E2E controller and make it your “POP Node”. This is important in Terragraph world and helps set the network topology.

We then set the channels we were going to use on the two radio sectors as well as the IPv4 information for management. Yes, there is a bunch of IPv6 going on but Cambium has made this automatic. We did not touch any IPv6 settings - we let the E2E controller handle all of that for us. You can get in there and build your own IPv6 networking for this. You can use BGP on your IPv6 network. We opted to keep it simple for this test and since we are running this as a “star” configuration, we did not feel the need to customize this portion of it. We did turn on “Layer 2 bridge” mode which is important for us. This basically creates a layer 2 bridge across the IPv6 network so as far as your devices are concerned, they are on a layer 2 bridge.

Once the V5000 is configured and the E2E controller is running, now you add your client sites. This is where things got pretty cool.

From cnMeastro, you need to do a couple things to get your first link working:

1. Add a “site” to your configuration. Think of this as your building where the client radio will go.

2. Add a “node” to that site you just created. A node is your physical radio.

All you need for the site is a location on a map. All you need for the node is the MAC address of the radio you are going to deploy there.

Now, the final step is to build a “link” from your DN (the V5000) to your node (V3000 in our case). This link is what tells the controller this radio is authorized to connect. When you build a link, this is done in cnMaestro and you only need to tell it the A and Z end of the link. On the A end, you tell it which of the two sectors you are going to connect to on the V5000 and on the Z end, there is only one radio.

Once the link is built in cnMaestro, all you need to do is deploy the radio. You don’t need to touch it or log into it in advance. You can take a brand new radio out of the box and put it on a roof. As long as that radio MAC address is attached to the “node” in cnMaestro and the link is built, it will work. When the radio starts to beacon, it will see the V5000 and the E2E controller will authorize the radio to connect. Once it is connected, the controller will automatically send the configuration to the new node (IP address, VLANs, etc) and can push new firmware.

We found this process takes about 60 seconds from the time the new radio connects to the V5000 to the time is a fully programmed and able to pass traffic.

This is the part I really liked with Cambium. I never had to log into the client radio and do anything to it. In Siklu’s configuration, you need to log in and at a minimum, give the client radio a unique 8 character name. That name is what authorizes it to the distribution node. Cambium uses the MAC address for authentication and everything is pushed from the E2E controller to the new client. It allows us to program everything in the office and just hand a new radio to an installer to hang.

The Hardware

A main difference between Siklu and Cambium with the DN is the coverage. Siklu is 360 degrees of coverage with 4 90-degree sector antennas. Cambium is 280 degrees of coverage with 2 140-degree antenna sectors. That leaves ~80 degrees of no coverage on the back side of the DN.

The DN has 2 copper Ethernet ports and a SFP+ port. One of the copper ports is POE in, one has POE out and the SFP+ cage will handle up to 10 Gbps fiber modules. We are powering ours with 48 VDC into a terminal to Ethernet adapter (not POE but just power).

The DN is all metal and appears well built. It is about the size of a shoe box with the ports on the bottom and the mounting hardware on the back.

We are using the V3000 exclusively for our client ends. They make a V1000 client radio as well that is much smaller. Our clients were all 200+ meters from the DN so we opted to test the high gain antenna (44.5 dBi). Using Cambium LinkPlanner, we could easily hit five 9’s of reliability in our rain zone with this antenna.

A smaller antenna is available for the V3000 as well (40.5 dBi). It is the same exact radio, you just change the antenna that is bolted onto it.

The precision mounting bracket for the V3000 is decent. It is a little difficult to install on the back of the V3000. The 4 bolts that hold it on are not all accessible with a wrench and you need to use a metric Allen wrench to tighten the bolts. Another tool to carry.

For fine adjustment aiming, it actually works pretty well and does not have much play in it as you tighten it down (a good thing).

You will want to invest in an aiming scope if you are doing any aiming past a couple hundred meters.

Cambium sells a plastic aiming tube (pictured on the right) that slides into a bracket. It works ok for short links. There is a mount on the left top side of the radio that will accept aiming scope. This scope was dead on in our experience (looking your direction IgniteNet) and made aiming super simple.

Performance

Well, how well does it work? One of the issues we have heard about (and experienced) with Terragraph radios is a loss of overall throughput on a sector when a second client radio is added. This is an area we really wanted to test with Cambium.

Our test set up was a OSX laptop with the speedtest.net client testing back to our own in house speedtest.net server running on a Proxmox box in the same rack as our fiber terminates from the V5000. We tested by plugging the laptop directly into the V3000 client radio’s AUX Ethernet port.

With a single client radio on the V5000 sector, we were easily able to saturate the laptops Ethernet port speed. I don’t have a test configuration that lets me test faster than a gigabit Ethernet port. Sorry. But, since we are handing off with 1 Gbps connections in most cases, this was fine for us.

We then added additional client radios to the V5000 and tested at each install. Once the V5000 sector got its second client attached, we did see a drop in overall throughput - mostly on the download side of things. We were no longer able to saturate the Ethernet port on the laptop.

We repeated these tests over and over again. We consistently see between 850 Mbps and 900 Mbps on the download and over 900 Mbps on the upload side.

We are NOT channel bonding on the V5000. This is with a single channel per sector.

We have been very pleased with this performance. We have taken down four 802.11ad radios, eliminated our self interference and are offering faster speeds to our customers with the Cambium hardware.

Latency has also decreased. Here is a client (the large apartment building) ping test before (using Kwikbit PtMP radios) and after on the Cambium Terragraph. This is a test from PRTG pinging a CCR1009 in the apartment building every 30 seconds. You are looking at a 2-day average result graph:

Would we spend our own money on this hardware moving forward? Without hesitation. It is a solid addition to a growing product line in the 802.11ay space and one we have had very good experience with.

January, 2022 update

As of the first of this year, we have installed a V3000 point to point link at 1,030 meters to test that part of the product portfolio. We are able to push ~ 950 Mbps through this link in our tests. I think we are inhibited by port speed currently. It is not connected to fiber but only the copper port negotiated a 1 Gbps.

In addition, we added a second V5000 and 7 clients to the network. These were a mix of V3000 and V1000 clients.

We have had one significant snow event. We got about 5” of very light cold snow one night. It did impact a couple of our V3000’s. The point to point never went down but RSSI degraded and power increased to full on both ends. We had two client nodes bounce a couple times and one go down for an hour until wind blew the snow off. Upon inspection, most of our V3000 radios were totally covered in snow on the reflector dish. These have been jokingly called a “snow shovel” and they did in fact act like that for this storm. I am afraid of what will happen in one of our wet spring storms when the snow really sticks to things and has a much higher water content.

We also have had a V5000 fail on us and it is still in the support group at Cambium to figure out why. When we ran the software upgrade from 1.2-beta4 to 1.2, the V5000 came back up after the reboot and the sector 1 radio was not working and the V5000 would reboot about every 10 minutes. We tried for about 90 minutes to get it working including software upgrades and downgrades. We finally had to swap out the node with a spare. I will post the findings with Cambium but we have requested an RMA on that unit. It had previously been upgraded a couple times with various firmware without issue.

May, 2022 update

We have been working with Cambium testing some snow covers for these radios. After a couple big snow events, I can tell you the covers work well. We did not lose any links that had snow covers on them in our last two storms. These covers are still being tested and are not the final color or design but I can tell you Cambium is listening and working on a snow solution.

As for the V5000 that failed, Cambium reported there was a firmware issue with that one that caused a very rare event to take place. They say that has been fixed in the current 1.2.1 firmware.

If you are in the wireless Internet service provider (WISP) business, you should know about The Brothers WISP. This is a weekly podcast with industry leaders that discuss the WISP business, hardware, software, trends, etc.

This week, I was asked to participate in the panel with Simon Westlake, the CEO of Sonar Software, one of the leading software platforms for ISPs (and the software Au Wireless uses).

We operate in an apartment building with over 50 units we provide service to. Initially, we thought the best plan of action was to put an Ethernet network jack in every unit, cable that back to the switch on each floor and let the resident choose their own router. We set up DHCP Option 82 to manage IPs and billing. On our end, this was dead simple. On the resident end, it was less than desirable.

What we ended up with was an unusually large support call volume for “slow Internet”. When a network jack was tested via Ethernet, speeds were over 900 Mbps upload and download. But, on WiFi, most residents were seeing under 10 Mbps. The problem? massive WiFi interference from all those customer routers.

It was impossible to even read individual SSIDs in our WiFi scan. But, look at all that dead 5 GHz space in the DFS channels! An opportunity to fix this problem was waiting…

We decided the solution was to go with managed WiFi so we could control the airwaves and mitigate this problem. Now, we had to decide which way to go. We looked at a handful of options:

• Mikrotik hAP AC in every unit with a separate SSID for each unit. We control the channels and power.

• UniFi solution with an AP in each unit and same SSID for the building. No way for a resident to plug in any devices like an X Box and single password for everyone (ie: flat network).

• Same as above but with dedicated SSID to each unit on separate VLAN.

• Real managed solution with Cisco or Ruckus using a single SSID but dPSK security (more on that below).

As we put costs / benefits on paper, Ruckus began to emerge as the leading solution. The reason is two fold.

1. Virtual Zone Controller can be run on existing Proxmox hardware for less cost

2. 10,000’s of grey market APs available for dollars an AP

The sheer volume of Ruckus grey market equipment made them a popular choice. We could buy the 60 APs we needed for $20 each and get a modern 802.11 AC AP with 4 LAN ports allowing the resident to still plug in their own devices if they wanted (using the H500).

We took the plunge into managed WiFi and set up the building like this:

• Mikrotik CCR 1009 router serving over 50 VLANs (one for each unit). Each VLAN has a /24 of private IP space (from the 172.16.x.x/16 block). Each VLAN was SRC-NATd to a separate public IP. This allows us to track take down notices and do our shaping with our Preseem boxes.

• Mikrotik 24 port POE switch on each floor. Each port powers an AP and sends all VLANs tagged to that AP as well an untagged management VLAN.

• The untagged management VLAN is using DHCP Option 43 to insert the address of the Ruckus virtual smart zone so a new AP knows how to get to the controller which is off site (see below for example).

• Controller has a single SSID for the building and then over 50 dPSK passwords. Each unit has a dedicated secure password that when used, puts devices on that unit’s VLAN / subnet. This allows a device to roam to any AP in the entire building and still be on their own private LAN.

• Each AP has 4 LAN ports and they are all set to be access ports for the VLAN for that unit. This way, you can plug in an X Box and be on the same subnet as your WiFi devices.

• Sticker on each AP gives the resident the building SSID, their unique password and our support number.

• APs set up to only use 20 MHz channels in the DFS range. 2.4 GHz radios are shut off in many of the units to cut down on noise but still allow coverage.

Now, we can take a factory reset (or brand new) AP out of the box, plug it into the Ethernet jack in each unit and that AP will power up, get the controller information from Option 43, get correct firmware from the controller and receive the configuration for that building all automatically, We only need to log into the controller and set the LAN port access VLANs to untag the correct unit’s VLAN. But that is a one time setting.

This now allows us full control of the RF environment and we can see into the network to troubleshoot resident connections. The residents have over 50 APs their devices can connect to all with the same password dedicated to them. VLANs can not see other VLANs for security. Each VLAN has its own public IP address and we can traffic shape each public IP separately using our Preseem boxes.

For setting up a Mikrotik with DHSP Option 43:

• Go to this site to get hex value of controller IP: https://shimi.net/services/opt43/

• E.g. 10.254.254.101 option 43 hex 060e31302e3235342e3235342e313031

• On Mikrotik go to DHCP Server – Options – add

• Need to add 0x in front of hex value to let Mikrotik know it is hex

• Name ‘Ruckus-controller’, code 43, value 0x060e31302e3235342e3235342e313031

• Go to DHCP Server Network and assign the option just created

For setting up Ruckus virtual Smart Zone (vSZ) on Proxmox:

There are a couple things to note on this. For those familiar with Proxmox, you probably have this workflow down. We were not there yet and ended up re-doing it a couple times.

One big catch… If you are using end of life APs, like we are (the H500’s), you need to figure out what the latest version works for them (in our case, 3.6.2) and build the vSZ with that version first. You can upgrade but you can not downgrade vSZ versions.

Once we build the vSZ with 3.6.2, you can then have up to three consecutive versions of the software on the vSZ. For us, those three versions would be (in order):

• 3.6.2

• 5.0.0

• 5.1

No one wants to run a 5.0.0 of anything so we skipped 5.0.0 and have 3.6.2 and 5.1 running on the vSZ. This means, when we create a “zone” on there for APs (ie: a building), we can decide which version the zone gets. If we plan on using old EOL hardware, we choose 3.6.2. If it is new hardware that is still active, we choose 5.1. We can’t go any further with versions on this hardware if we want to continue to support the H500s we have deployed.

Here is a step by step document for getting the vSZ up and running on Proxmox.

Thanks to CBS 4 in Denver for alerting their viewers to alternative Internet providers!

Our newest on-net building is operational at 615 Water St. This is the newly renovated The Gold Apartments. Renovations are complete, the building looks fantastic and we are providing services from 25 Mbps up to gigabit speeds in all units via a dedicated Ethernet connection.

If you are looking for an affordable place to live in Golden, check these guys out: https://www.castellpropertyservices.com/vacancies/

As of June 1, we are suspending the creation of additional tower sites in the city limits of Golden - with very few exceptions. This is being done for two reasons:

1. The City is currently exploring municipal broadband (ie fiber). It is difficult for us to invest $10,000's into new tower sites when they have a potentially short lifespan.

2. We are hitting technological limitations on the frequencies our radios use to service single family homes. We use the same WiFi channels that you use inside your house for us to service you. This is currently the only available frequency space available in the US to use at these distances. It is getting very crowded and full of noise due to the sheer number of devices that are competing for airtime both in your homes and outside. You are likely noticing this with your current Internet provider when you use WiFi and we are experiencing it trying to service you.

That being said, for the past year, we have been using brand new technology (5G technology) in the downtown area to service condo, apartment and businesses along Washington Ave and surrounding streets. This is working very well and we are able to provide near gigabit speeds to those properties. Our growth in the foreseeable future will be using this new technology. The downside of this new tech is we can only go about 500 meters from the tower before the signal fades. Our normal towers are typically much further than that (up to 3 miles) from your house so we can't simply start upgrading our current towers and service you.

We do add new customers as we loose existing customers off tower sites. However, our "churn" rate is lower than 1%. That means people tend to only leave us when they move away. We are extremely proud of this. That is an unprecedentedly low churn rate for our industry and we take great pride in our network and customer service. However, it is not great news for those that are trying to get service from us.

I wish this was a problem we could solve with money or people but the two reasons listed above are not able to be overcome easily. Even if the city decided not to do municipal broadband (which it may not), we would still not be building new towers due to the second reason. Radio vendors are working on new technologies to service single family homes reliably using frequencies outside of the WiFi band but we are not there yet and probably won't be for at least a year.

This spring, we have added three new buildings to our "on-net" portfolio. These are buildings that are supplied by at least 500 Mbps dedicated bandwidth and in most cases, 1 Gbps links.

1211 Avery St is a multi-unit commercial building that also services our Avery tower site. Units in this building have access to our dedicated 500 Mbps microwave link.

The condo building located at the corner of 19th St and Ford is now on-network. This building is being upgraded to a gigabit dedicated wireless link by Q1 2019. 

The two 6 unit condo buildings on 8th St between Washington and Cheyenne are serviced with a dedicated 1 Gbps link.

For service in any of these buildings, visit our sign-up form!

Yes, it's been a while. We have made some major upgrades to our network and added a bunch of new buildings. I know I need to update this with those details and will in early March - after a badly needed vacation!