thoughts on the AmpliFi Alien (AFi-ALN-R) gateway/router
☆: Thursday, November 28, 2019. ∆: Wednesday, December 4, 2019. Belief: likely.

How does the AmpliFi Alien work on 1 Gbps (symmetric gigabit) Internet? Pretty well. I haven’t seen many reviews of this residential gateway, so I figured now was a good time to get my thoughts out. If you have gigabit Internet, reading this is probably worth your time.

The Alien is top notch. Purely from a speed perspective, the Alien is easily the fastest wireless gateway I’ve tested.

background

Internet routers for residential customers are a bit of a mixed bag business. I say routers, but they’re really a sort of all-in-one device. Most places call them Internet gateways, because they contain a variety of different devices. These are:

  • Routers. Routers route packets at the IP layer with a minimum level of intelligence. These are bastions that usually cross network boundaries. For home users, this is something that “bridges” your local network to the Internet.
  • Wireless access points. You can have a network without wireless, but most people want wireless these days. That’s what this thing is.
  • Switches. Switches are like routers, for shuttling packets[1] around, except they only care about getting packets from A to B. They don’t want to know what’s inside them. This is done by hardware addressing. A switch is “dumber” because it operates at a lower level and provides no firewall, attack detection, IP features, or anything else[2].

The AmpliFi Alien is a gateway, so it combines all of these functions in one box.

This distinction is important, because AmpliFi is owned by Ubiquiti, a company that sells two additional product lines, EdgeMax (but branded as Edge-[device]) and UniFi. AmpliFi is the more “consumer focused” line, whereas UniFi and EdgeMax are typically preferred for small ISPs or for prosumers[3].

In this article, I’ll talk more about the functions of the Alien as if they were separate products, even though they’re one product. This is because you can assemble your own network with Ubiquiti gear and have a similar setup, albeit with some interesting trade offs. Depending on who you are, you may or may not have the need for a more complex setup.

My ISP is AT&T Fiber, which provides me with a symmetric 1 Gbps connection. This means that both upload and download speeds are theoretically 1000 Mbps in both directions. In practice, the “real world” speed is roughly 980 Mbps up and down with no barriers or obstacles, over Ethernet.

I also have an iPhone 11 Pro, one of the first devices that supports the Wi-Fi 6 (802.11ax) standard.

speed

At the core of the AmpliFi Alien is a packet switching router[4].

One of the software features that AmpliFi provides is a really neat system for testing your “ISP speed.” I use the quotes of doom here, because there’s nothing that really says that this speed is what your ISP offers. Depending on any number of factors, the speed that the test reports could be wildly different.

This test serves an important purpose: it should help you set expectations for what types of speeds you should and shouldn’t be able to get across your network. Other UniFi devices have offered in-router speed tests, but these have always been inaccurate. Ubiquiti says that the source for the inaccuracy is that many of their routers lack sufficient CPU power to generate enough bandwidth for the test.

This is not a problem on the AmpliFi Alien: against the theoretical maximum of 1 Gbps up and down, the speed tests I ran consistently showed a peak of 984 Mbps up and down, multiple times.

configuration

For the purposes of transparency, these are the settings I have configured during these tests, as well as software versions. It’s important to remember that the test results may change as the software is updated.

  • AFi-ALN-R:
    • Versions:
      • Hardware ID: 41.
      • Firmware version: 3.2.3.
      • Firmware revision: 25-0-gfe0a3be77b.
      • Application (AmpliFi app) version: 1.12.3 (3).
    • Configuration:
      • DHCP: On.
        • Subnet: 10.0.x.x subnet.
        • No static leases assigned to test devices.
      • DNS: 1.1.1.1 & 1.0.0.1
      • UPNP: On.
      • Clone MAC address: Off.
      • VLAN ID: Off
      • IPv6: On (DHCPv6).
      • Common SSID Name: On.
      • Wireless security: WPA2 with PSK.
      • Additional 5 GHz radio: On (same SSID as parent network).
      • Router additional SSID: All disabled.
      • Guest network: Disabled.
      • Country: US.
      • Band steering: On.
      • Router steering: Off (no mesh).
      • Advanced:
        • 2.4 GHz:
          • Automatic: On.
          • Channel: 11.
          • Bandwidth: 20 MHz.
        • 5 GHz:
          • Automatic: On.
          • Channel: 36.
          • Bandwidth: 80 MHz.
    • Settings from amplifi.lan:
      • IPv6: On (DHCPv6) (reflected in the app).
      • Advanced settings:
        • Bypass DNS cache: Off.
        • Allow incoming IPv6 connections: Off.
        • 802.11k - Neighbor report: Off.
        • 802.11v - BSS Transition Management: Off.
        • Ad blocker: Off.
        • QoS Settings:
          • Enable Latency Optimization: Off.
          • Speeds (unchanged from default):
            • Download: 100000 Kbps.
            • Upload: 50000 Kbps.
          • I think this doesn’t matter if QoS latency optimization is off.
        • Receive beta firmware updates: On.
  • iPhone 11 Pro Max:
    • Versions:
      • iOS 13.3 (17C5046a).
        • Tests conducted via Safari on this iOS version.
  • Mac Pro (mid 2012):
    • Versions:
      • macOS High Sierra (10.13.6).
      • Mozilla Firefox 70.0.1 (64-bit).

tests from the Alien to the ISP on Ethernet

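| Test | Avg down | Peak down | Avg up | Peak up | Ping |
|------|----------|-----------|--------|---------|------|
| 5 | 880.3 Mbps | 984 Mbps | 858.6 Mbps | 984 Mbps | 3 ms |
| 4 | 835.3 Mbps | 984 Mbps | 884.2 Mbps | 984 Mbps | 3 ms |
| 3 | 854.7 Mbps | 984 Mbps | 884.7 Mbps | 984 Mbps | 3 ms |
| 2 | 861.1 Mbps | 984 Mbps | 889.1 Mbps | 984 Mbps | 3 ms |
| 1 | 879.9 Mbps | 984 Mbps | 892.1 Mbps | 984 Mbps | 3 ms |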

These tests were initiated from the router itself, on the touch screen. These tests serve as an important baseline. They validate that the Alien is capable of operating close to the theoretical maximum speeds that I’ve been promised. I assume that the reported speeds include the “ramp up” from the start of the test to the end. In addition, this round of testing validates that the in-box Ethernet cable, when connected to my ISP, is capable of the highest speeds too. We can trust that part of the link.

Router age and trust are key. I’ve personally diagnosed many friends & family Internet problems as attributable to a dying gateway. These all-in-one devices age very quickly when used a lot. They generate a lot of heat and are typically left to rot in one part of the house. I’ve even seen them covered up with insulation and other materials, which harm heat dissipation.

Being able to measure the speed on the router itself can help diagnose problems down the line, which is pretty valuable.

tests on Ethernet

My Ethernet tests are run from a Mac Pro from 2012. The Mac Pro is wired via gigabit Ethernet to an EdgeRouter X running as a layer 2 switch. The EdgeRouter X is then wired via gigabit Ethernet to a Cat 5e drop, which connects to a UniFi Switch 8 60W switch. That switch is connected via an Ethernet drop to the Alien, also via gigabit Ethernet. The Alien has two devices connected to its switch directly: the UniFi Switch that runs to all of the Ethernet drops, and an Apple TV.

This setup has a lot of networking technology in the stack. I’m not able to easily change my setup to test directly, and I don’t think it’s really worth it.

When I was connected to the ISP provided gateway, everything was the same, save for the last connection to the gateway. The ISP gateway was in place of the Alien. During this time, I routinely ran speed tests on the network from the Mac Pro, and got downstream speeds from fast.com of no less than 800 Mbps. These tests are to fast.com[5] too.

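| Test | Avg down | Obsv[6] down | Avg up | Obsv[6] up | U[7] Ping | L[8] Ping | Servers |
|------|----------|--------------|--------|------------|-----------|-----------|---------|
| 1 | 790 Mbps | 800 Mbps | 520 Mbps | 560 Mbps | 3 ms | 37 ms | Los Angeles, US & San Jose, US |
| 2 | 820 Mbps | 1.3 Gbps | 440 Mbps | 440 Mbps | 3 ms | 32 ms | Los Angeles, US & San Jose, US |
| 3 | 800 Mbps | 1.5 Gbps | 440 Mbps | 490 Mbps | 3 ms | 34 ms | Los Angeles, US & San Jose, US |
| 4 | 910 Mbps | 940 Mbps | 470 Mbps | 490 Mbps | 0 ms | 53 ms | Los Angeles, US & San Jose, US |
| 5 | 1.0 Gbps | 1.1 Gbps | 460 Mbps | 490 Mbps | 3 ms | 42 ms | Los Angeles, US & San Jose, US |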

Overall, I’m extremely satisfied with these tests. I have zero complaints with the numbers I saw. It is relatively impossible to get a download test that looks “perfect” but these came pretty close.

tests on an iPhone 11 Pro (Wi-Fi 6)

Wi-Fi speed was not the primary reason why I got the AmpliFi Alien, surprisingly enough. However, it’s important to test because this was a major selling point of the product. The Alien promises “The Fastest Whole-Home Wi-Fi,” after all.

My apartment is relatively small (< 1000 sqft), but it has an interesting wireless environment.

On a given day, there are a minimum of 20 different neighboring access points, and often many more depending on how long I listen for broadcasts. At least four of these are screaming out at high power. In my apartment complex’s infinite wisdom, they made sure that the Ethernet drops that AT&T picks are directly on top of each other stacked in the building. They also equipped every apartment with a Wi-Fi enabled thermostat, which screams out its SSID in infrastructure mode (2.4 GHz, thankfully).

The AmpliFi is stationed in the living room (right along with every other AT&T router below it).

The “line of sight tests” use Fast.com over Wi-Fi on an iPhone 11 Pro. Presumably, this means that they’re over Wi-Fi 6. I don’t know, because Apple doesn’t tell you what type of technology it’s using. I can see in the AmpliFi app that it’s 5 GHz, but that’s it.

As these are line of sight tests, I’m under 5 feet away, and can see the router during this time.

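| Test | Avg down | Obsv[6] down | Avg up | Obsv[6] up | U[7] Ping | L[8] Ping | Servers |
|------|----------|--------------|--------|------------|-----------|-----------|---------|
| 1 | 590 Mbps | 600 Mbps | 630 Mbps | 630 Mbps | 5 ms | 12 ms | Los Angeles, US & San Jose, US |
| 2 | 510 Mbps | 510 Mbps | 410 Mbps | 420 Mbps | 5 ms | 19 ms | Los Angeles, US & San Jose, US |
| 3 | 500 Mbps | 500 Mbps | 530 Mbps | 540 Mbps | 4 ms | 21 ms | Los Angeles, US & San Jose, US |
| 4 | 530 Mbps | 540 Mbps | 600 Mbps | 610 Mbps | 4 ms | 15 ms | Los Angeles, US & San Jose, US |
| 5 | 400 Mbps | 400 Mbps | 590 Mbps | 590 Mbps | 4 ms | 19 ms | Los Angeles, US & San Jose, US |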

As a reminder, wireless tests are heavily dependent on environment noise and congestion. I have plenty of that. Wi-Fi 6, or 802.11ax, has a theoretical maximum speed of about 4x higher than 802.11ac Wave 2 with MU-MIMO. From personal experience, tests on my ISP gateway never went above 470 Mbps down, and that gateway had 4x4 802.11ac MU-MIMO. The theoretical maximum speed of 802.11ac is “at least” 500 Mbps of single-station throughput. In practice, access points that implement 802.11ac do so very differently. A cheaper gateway or access point from Wave 1 will be much slower than Wave 2, and this is a subtle enough difference that many companies get away with “802.11ac” branding and mention neither Wave 1 nor Wave 2.

Next up are tests from the master bathroom. There are a minimum of four walls between the gateway and the bathroom. In practice, the bathroom door is usually closed when users expect to be able to use Wi-Fi in the bathroom, thus the door is closed during bathroom speed tests.

On the ISP gateway, speeds reaching 50-60 Mbps were not uncommon in the bathroom. The bathroom is also stationed next to a machine room for an elevator, and at least one of the walls contains electrical conduits for a breaker box, and the network closet where one of the wired switches lives.

During these tests, the AmpliFi app showed the device connected via 5 GHz Wi-Fi.

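| Test | Avg down | Obsv[6] down | Avg up | Obsv[6] up | U[7] Ping | L[8] Ping | Servers |
|------|----------|--------------|--------|------------|-----------|-----------|---------|
| 1 | 590 Mbps | 620 Mbps | 450 Mbps | 470 Mbps | 5 ms | 22 ms | Los Angeles, US & San Jose, US |
| 2 | 500 Mbps | 500 Mbps | 350 Mbps | 380 Mbps | 4 ms | 15 ms | Los Angeles, US & San Jose, US |
| 3 | 470 Mbps | 470 Mbps | 410 Mbps | 460 Mbps | 5 ms | 15 ms | Los Angeles, US & San Jose, US |
| 4 | 360 Mbps | 410 Mbps | 390 Mbps | 400 Mbps | 4 ms | 22 ms | Los Angeles, US & San Jose, US |
| 5 | 320 Mbps | 320 Mbps | 400 Mbps | 420 Mbps | 4 ms | 37 ms | Los Angeles, US & San Jose, US |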

I’m pretty happy with these results too. I’m definitely getting much better speeds than I did with the ISP gateway.

bad iPhone?

It could be the case that my iPhone, which is reportedly a Wi-Fi 6 device, is not operating at Wi-Fi 6 speeds. Timothy Farley’s suggestion on the AmpliFi forums suggested a possible 1.2 Gbps data rate via an Intel 802.11ax card. Unfortunately, I’m in no position to test said card, having no Windows devices to use. I intend to continue sporadically testing my iPhone and software updates to it, and will update the above tables if the results change.

Update 1: On a hunch, I tested with the ‘additional 5 GHz radio’ setting disabled. No changes from the tables.

paper comparison to other Ubiquiti products

As I’ve touched on before, Ubiquiti is a huge company that offers many different products, for many different use cases. It’s important to remember that they’re not selling most of their Edge or UniFi products with the intent of a consumer picking them up for their house. Many of them serve really specific, well-defined needs. It’s easy to pick the wrong tool for the job if you don’t know what you’re doing.

routers

The Ubiquiti router product line is pretty diverse right now.

  • The AmpliFi Alien ($379) offers a 2.2 GHz 64-bit quad core processor.
  • The AmpliFi HD ($149.99) makes no mention of its processor, but Ars Technica lists it as a Qualcomm Atheros QCA956X.
  • The UniFi Security Gateway ($129) offers a 500 MHz dual core MIPS64 processor with 512 MB of DDR2 RAM.
  • The UniFi Security Gateway Pro with 4-port switch ($344) has a dual core 1 GHz MIPS64 processor with 2 GB of DDR3 RAM.
  • The UniFi Dream Machine ($299) has a 1.7 GHz quad core ARM Cortex-A57 processor.
  • The EdgeRouter-X ($59) has a dual core 880 MHz MIPS1004Kc processor with 256 MB of DDR3 RAM.

Does the CPU matter? Does the RAM matter? Yes. These are both required for doing any kind of traffic analysis, like packet correlation, as well as IDS/IPS activities. Core routing functionality is almost always hardware accelerated, which makes the processor less important for those tasks.

Looking at the summary, the recently released UniFi Dream Machine gets closest to the Alien in terms of raw processing power and performance. The Dream Machine is less expensive than the Alien, but comes close in terms of what its backbone is. Not a terrible machine.

The oddball is the UniFi Security Gateway, a terrible router with a 500 MHz processor and DDR2 RAM. DDR2 RAM! I have personal experience with not one, but two of these devices, and it cannot route gigabit Ethernet without some serious configuration effort. Most of the time, it performed worse to me than my ISP provided gateway. Heck, even the EdgeRouter-X, which isn’t even advertised as a gigabit router, has a better processor than the USG! For $59!

It seems to me that if you want to get into the UniFi ecosystem as a consumer, you absolutely need to buy the Dream Machine, but that still doesn’t match the Alien in processor speed.

Just stop buying the base model UniFi Security Gateway, people!

switches

UniFi and EdgeMax switches are expensive. Switches are the cheapest things to make, so they’re not a cost center for Ubiquiti. They work in the ecosystem quite well, but you’re paying an arm and a leg.

access points

The UniFi & AmpliFi product line is extremely fun for mixing and matching wireless standards.

  • The UniFi product line does not offer 802.11ax / Wi-Fi 6 right now.
  • UniFi’s HD-AP-AC access point supports 4x4 802.11ac with MU-MIMO at $349.
  • UniFi’s nanoHD access point supports 4x4 802.11ac with MU-MIMO at $179 (with less range).
  • UniFi’s AP-AC-LITE, AC-LR, AC-PRO, and AC-EDU devices are 802.11ac Wave 1 3x3 devices.
  • The UniFi Dream Machine also includes 4x4 802.11ac MU-MIMO (remember, that’s a $299 device).
  • The other AmpliFi products do not offer 802.11ax either.
    • The AmpliFi HD router is an 802.11ac Wave 1 (!) device.
      • It has mesh points. They are a joke.
      • The mesh points have supported data rates of 1750 Mbps but the maximum user speed is 1300 Mbps over Wave 1[9].
    • The AmpliFi HD “gamer’s edition” is just the HD in black and green. Nothing is different, except for the fact that it has “GeForce NOW QoS Mode” which claims to lower latency.
  • The AmpliFi Instant is also not a Wave 2 device, but nobody cares.
  • The AmpliFi Alien supports 802.11ax (Wi-Fi 6) with a devoted 802.11ac Wave 2 (Wi-Fi 5) 5 GHz chip and “16 spatial streams” by way of an “8x8 super antenna system” and OFDMA + MU-MIMO.

The cheapest possible combo of router and access point with 802.11ac Wave 2 support is the UniFi Dream Machine at $299, followed by a UniFi nanoHD access point combined with a USG, but this will not include everything you need to run the network, and may not route at gigabit speeds.

As of the time this was written, the best possible[10] access point that Ubiquiti sells is the AmpliFi Alien. All other products in their line do not have Wi-Fi 6. Few devices support gigabit speeds when routing, and even 802.11ac Wave 2 is hard to come by.

Building your own UniFi or EdgeMax network is a fool’s errand if your goal is speed and you’re a home user.

why Ubiquiti?

At this point, you might be wondering why I’m only considering Ubiquiti products.

Here’s the answer: it all comes down to security. I know that a lot of other manufacturers offer gateways and routers and access points. All of Ubiquiti’s major product lines, while complex and hard to justify spending money on, are well supported after release. Firmware updates are common, and especially in the case of security patches, a necessity. It is irresponsible to run a home network without regular updates.

You can get cheaper 802.11ac Wave 2 access points from other places. Wi-Fi 6 is still pretty expensive, but that’s just because it’s new. There will be cheaper devices, but I don’t consider them viable contenders because of this one key element.

I also kind of trust them, just a tiny bit?

should you mesh?

Mesh networking is one of those hot new things that’s just taken the world by storm. For most people, mesh networking is at best a waste of money, and at worst will severely destroy your network performance. Unless you live in a small stadium, have a very spread out house with concrete and metal lined walls, or have multiple stories to cover, meshing is almost always the wrong answer. Meshing causes devices to have to pick which access point is “closest” to talk to. If your phone picks the wrong one, or you walk in the wrong direction, it now has to change base stations. This has a real speed cost.

Ars Technica tested the Plume SuperPods, and judging by the fact that ISPs are buying Plumes in droves, I’d say they may have the best meshing technology. Maybe the Alien is great when meshing too, but I haven’t seen a test of this (and I don’t want to test it!)

backhauls

It all depends on which backhaul you have. If you use Ethernet as a backhaul, where the mesh points talk to each other over wires, you have a good mesh network almost by default, as long as the access points are far enough away from each other. This is because the mesh points now get to use their radios exclusively for client traffic.

On wireless backhauls, things are more interesting. Again, Plume seems to have “intelligent” routing down, and I’m not sure if other companies come close to that. The Alien has a dedicated radio for talking to its mesh friends too, which is nice. Obviously, though, you have to have the mesh points within range of each other to talk, which paradoxically, is not what you want if you want to have clients connecting to the right mesh point at all times. This decision making has a cost and often leads to reduced speeds, even with dedicated wireless backhaul radios. That’s not even saying anything about the RF interference.

ISPs are buying Plume devices in droves, and while that has to do with what Ars Technica notes – that remote management is a win – it’s not just that. ISPs do not want customers to have shitty devices. If they fail or start to be unresponsive, wireless access points cause customers to get frustrated, waste time talking to support, or bash them on social media. They’re incentivized to go with reliable systems, which is why looking at Plume is a very serious idea if you need a tried and tested mesh system.

the AmpliFi app

AmpliFi Alien’s app is pretty spare compared to UniFi’s controller and management software. If you didn’t already know that, you do now.

It supports many features that you care about out of the box.

  • Bridge mode is supported.
  • WPS can be optionally enabled, from inside the app.
  • Remote management is possible.
  • Port forwarding over IPv4 is possible.
  • DHCP static lease assignment (essentially, a static IP by way of only ever assigning the same DHCP address) is possible.
  • Internet can be “paused” (lol) for all or some devices, on-demand or via rules. You can assign devices to “profiles” which are really just supposed to be people, and pause the Internet individually on them. You can even pause Ethernet devices.
  • Accounting of current speed is available for all Wi-Fi devices.
  • QoS rules for “gaming” and “streaming” can be set up, as well as latency based QoS in the amplifi.lan control panel.
  • A guest wireless network with an optional time and user limit can be set up, for your “friends.”
  • You can see the historical speed tests from the ISP speed tests you’ve run, as well as estimated current throughput. You can also see the data usage from the router, and reset the data usage counter.

Here’s what I’ve found most blatantly missing:

  • You can’t port forward IPv6. Even though you can’t do this, you can allow all external IPv6 traffic via amplifi.lan. This means that you essentially have no hardware firewall protecting any IPv6 device, which is a bad life plan.
  • The app doesn’t show the speed of active Ethernet devices (at least, behind other switches).
  • No IDS/IPS/DPI features, including traffic analysis or usage. These are common in the UniFi world, but do not exist in the AmpliFi world.
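
To make the all-or-nothing IPv6 setting concrete, here is an added example (not part of the original review or of AmpliFi's software) that audits a Linux LAN host for listeners that would become Internet-reachable once the gateway stops filtering inbound IPv6. It assumes `ss -H -tln` style output and that the gateway passes all unsolicited inbound IPv6 when the setting is on; the sample output, the addresses (2001:db8::/32 is the documentation prefix) and the function names are constructed for illustration.

```python
import ipaddress

# Global unicast space. ULA (fc00::/7), link-local (fe80::/10) and ::1 are outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample in the shape of `ss -H -tln` output on a Linux LAN host.
# 2001:db8::/32 is the documentation prefix, standing in for an ISP-delegated one.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22                          0.0.0.0:*
LISTEN 0 128  [::]:22                             [::]:*
LISTEN 0 511  127.0.0.1:9090                      0.0.0.0:*
LISTEN 0 128  [::1]:631                           [::]:*
LISTEN 0 4096 [fe80::1c2d:3eff:fe4f:5a6b]%eth0:5355 [::]:*
LISTEN 0 4096 [2001:db8:10:5::4]:9090             [::]:*
LISTEN 0 128  *:8080                              *:*
"""

# Constructed sample: the addresses configured on that host (as `ip -6 addr` would list).
SAMPLE_HOST_ADDRS = [
    "fe80::1c2d:3eff:fe4f:5a6b",  # link-local
    "fd12:3456:789a:5::4",        # unique local (ULA)
    "2001:db8:10:5::4",           # global unicast
]


def parse_listeners(ss_output):
    """Return (bind_host, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%", 1)[0].strip("[]")  # drop zone id and brackets
        listeners.append((host, int(port)))
    return listeners


def is_internet_routable_v6(addr):
    """True only for IPv6 global unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "*" and other non-address bind strings
        return False
    return ip.version == 6 and ip in GLOBAL_UNICAST


def exposed_listeners(listeners, host_addrs):
    """(address, port) pairs an outside IPv6 peer could connect to directly."""
    routable = [str(ipaddress.ip_address(a)) for a in host_addrs
                if is_internet_routable_v6(a)]
    exposed = set()
    for host, port in listeners:
        if host in ("*", "::"):
            # Wildcard bind: the service answers on every address the host owns.
            exposed.update((addr, port) for addr in routable)
        elif is_internet_routable_v6(host):
            exposed.add((str(ipaddress.ip_address(host)), port))
    return sorted(exposed)


def audit(ss_output, host_addrs, allow_incoming_ipv6):
    """Exposure under the gateway setting (assumed: Off drops unsolicited inbound)."""
    if not allow_incoming_ipv6:
        return []
    return exposed_listeners(parse_listeners(ss_output), host_addrs)


if __name__ == "__main__":
    for setting in (False, True):
        state = "On" if setting else "Off"
        print(f"Allow incoming IPv6 connections: {state}")
        for addr, port in audit(SAMPLE_SS, SAMPLE_HOST_ADDRS, setting):
            print(f"  reachable from the Internet: [{addr}]:{port}")
```

Services bound only to IPv4, loopback, link-local or ULA addresses stay off the list, which is why binding a service to a ULA address or running a host firewall is the fallback when the gateway offers no per-port IPv6 rules.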

the LAN web control panel

The AmpliFi Alien comes with the amplifi.lan control panel, which lets you control some really eccentric settings on the Alien via the LAN. I’ve listed off many of these features already, but here they are in entirety:

  • Connection type: Lets you configure DHCP / Static / PPPoE / bridge mode for the WAN. Also lets you set a DHCP client ID.
  • Bypass DNS cache: Uses upstream DNS for all DNS requests from DHCP clients.
  • Allow incoming IPv6 connections: Turns your network into swiss cheese.
  • 802.11k - Neighbor report: Listed as “Improve AP scan speed” which isn’t a very helpful description.
  • 802.11v - BSS Transition Management: Helps clients transition between access points in a mesh.
  • Ad blocker: Provides a DNS based ad-blocker (like a Pi-hole).
  • QoS Settings related to latency. There is a field that allows you to specify upload & download speeds, but the control panel does not say what they do. You can turn on “latency optimization” from here.
  • Beta firmware updates: Lets you update your firmware to experimental versions. Currently, no beta firmware is available.

The presence of this control panel is expected in a gateway, but kind of surprising given what the app does. At first glance, you might not know it exists, and then miss out on some features that you might need if you just use the app alone.

the beta web controller

AmpliFi offers a beta version of a web controller. You can use this if you enable remote management in the app, which I did. Because I already have UniFi products, and thus already have a Ubiquiti account, I signed in using my Ubiquiti SSO account.

Unfortunately, you cannot sign into the beta controller with a Ubiquiti SSO account. So I can’t sign in. The only way to change which account the gateway is tied to is by doing a factory reset right now, which is hilarious, and I refuse to do it.

the screen & LED ring

The AmpliFi Alien ships with a screen, like the AmpliFi HD. The screen is kind of neat looking. By default, it shows a planet (green) with a ring (like Saturn), as well as two orbs that contain the number of connected wireless and Ethernet clients, respectively. It also shows the date, time, and current estimated active throughput in terms of up and down speed.

If the WAN goes down, such as due to a cable disconnection or ISP problem, the planet turns red, and the screen turns red too. It will also advise you if the cable is connected, but the gateway has no IP address, if configured to use DHCP for the WAN. This can be useful to visually debug problems without opening the app.

You can swipe through different pages. If you swipe right, you get the ability to launch a speed test. This also graphs what the speed looks like, and shows you the results on the screen as they come in. It’s pretty neat.

Swipe right again and you get the current WAN IPv4 address, the current router LAN address, and whether or not IPv6 is enabled (yes or no). You can’t change any of these settings from this screen.

Go right again and you get the current port status, which shows the total throughput on the 4 internal LAN ports, as well as the WAN port, separately. Grey ports are disconnected, and green ports are connected at gigabit speeds. Presumably, it changes color if there are devices connected at non-gigabit speeds, but I don’t know because I don’t care that much.

The next screen shows data usage. Right now, mine shows data from the last two days, but presumably it lets you track your total data for accounting purposes over a month. I believe you can reset this counter in the management app too.

The screen also has haptic feedback (neat) and while not directly a part of the screen, it also has a speaker. If you make any changes to the gateway, the speaker makes a chime and the screen shows a check mark.

There is an LED ring at the bottom of the device. It is green. It is not RGB. It’s just green. It has no features.

Both the screen and the LED ring can be turned off by way of reducing the brightness to zero in the app. It ships with a night mode that, by default, turns the LED ring and screen off at night so as to not be distracting, and to save the life of the screen.

remote management

The remote access function in the app allows you to remotely manage your gateway. This means that you can change most, if not all settings without being on the LAN. This function worked on the Android version of the AmpliFi app, currently 1.12.3. It worked after reinstalling 1.12.3 on iOS from the original device that set the Alien up, as well as other test devices. It took a lot of time to get remote management working.

Special thanks to my good friend Abraham Tunison, who helped verify that the Android app worked out of the box.

thoughts on AmpliFi Teleport

My friend Abraham was able to get Teleport working on his Android device with a Teleport code. This permitted him to piggyback off of my local Internet connection and access common Internet resources. Similarly, when “local network” was enabled in the AmpliFi app, he was able to access resources on the local network at their local IP addresses. In other words, a service at 10.0.5.4:9090 was accessible on his smart phone at 10.0.5.4:9090, and did not require any additional work or hoops to jump through (like a separate IP address that proxied back or a separate subnet).

This was tested and working on the Android version of Teleport (1.0.5), but not working on the counterpart iOS version of Teleport (1.0.3) on the device that set the network up. On other iOS devices, Teleport was able to successfully connect, but never on the first device I used. I presume this is a transient bug.

According to Ubiquiti, the AmpliFi Alien does not support the Teleport hardware device, which creates a wireless network that “extends” your home network to some other location. Ubiquiti isn’t selling this anymore, though, so maybe it’s okay for this to not work. They don’t even advertise it as working with the Alien, so they get a free pass here.

The worst part about Teleport is that it has a time limit associated with each code. This means that it’s infeasible to use it as a permanent mobile VPN. You need to continually re-generate Teleport codes, which is a manual process.

conclusion

Earlier in this review, I alluded to the fact that I had other things than speed in mind when considering a new wireless gateway. I believe there to be more factors than speed that should go into any networking purchase. Those factors are:

  1. Speed. I just said it wasn’t the most important, but it’s definitely important. Below gigabit speeds, you should be getting what your ISP promised you, if not more, all the time, as judged by reliable third party speed test sites.
  2. Baseline security. Unless you want to be running a botnet, you need a gateway with updates and a firewall. Ideally, you want WPA3, but only a Netgear device supports this so far[11]. So you can just expect that you’re vulnerable to KRACK (probably) with WPA2 unless you’re reading this in the Wi-Fi 6 and 5G-prolific future.
  3. Initial connection latency and TTFB. Most devices go into a power saving mode when on Wi-Fi, so as to save battery. When the connection “warms up” again, it takes time for the networking stack to work. This is how a “fast” Internet connection can be slow. If it takes 2-3 seconds before you can connect to anything every time you unlock your phone, you’re going to feel that even if the connection’s theoretical speed is great.
  4. Latency. Once the connection is ongoing, how fast do packets go back and forth across the airwaves? If there’s a lot of latency, you’re in for a really bad time.
  5. Traffic congestion & interference. Using the same network frequency as everyone else is a great way to get slower speeds due to RF interference. This can be overcome by using different radio spectrum, different transmission power, and different collision avoidance and detection algorithms. People who hate themselves will fiddle with these settings and regret it later when everything stops being fast.
  6. Specification support. Features like MU-MIMO (multiple users / multiple inputs + multiple outputs) and OFDMA (orthogonal frequency-division multiple access) improve almost every part of the wireless experience.
  7. Features. Some people really like router features. Some of these are IPS/IDS (intrusion prevention and detection systems), which are common in enterprise routers, but others are parental controls. Custom DNS, port forwarding, DMZs, and all of the other fun knobs you can play with go here.

My primary interest was in improving the initial connection latency, the ability to change my DNS (something my ISP gateway does not allow, lol), and to do so without sacrificing speed and security.

It turns out that I don’t have a table to measure the subjective feeling of the network, but the AmpliFi Alien without a doubt fixes the initial connection latency I felt on my ISP provided gateway. The raw speed over wireless is also much improved, and I can finally change my DNS servers. So it’s a win for me, and I’m keeping it for sure.

Objectively speaking, as of the time this was published, this is the fastest possible access point that Ubiquiti sells, and they should be applauded for producing such a great product. The AmpliFi HD line was quite disappointing to me, but the Alien is a cut above the rest. It really does deserve the title of “best gigabit router” – at least for now.

appendix: major changes to this article

  • On November 30, 2019, I removed a section called “broken things” and retitled it “remote management and access.” I also updated this article with more information about the remote management features. This article previously stated that the remote management function was not working. Based on a forum thread on the AmpliFi community, I tested remote access with the help of a friend on an Android device. It worked flawlessly. Thus, I believe the issue to be with the iOS app and stack, not the AmpliFi Alien hardware or firmware. Likewise, I added additional information about AmpliFi Teleport, which also worked on Android, but not iOS.
  • On November 30, 2019, I continued to test multiple different combinations of devices with remote management and Teleport. I was able to get Teleport working on iOS devices that weren’t used to set up the initial network. I was also able to get remote management working after reinstalling the AmpliFi app on my original test device. I no longer have a concrete conclusion as to whether the issue I faced was transient or not. As such, I amended the remote management and Teleport sections for a second time, clarifying my mixed success with both.
  • On December 2, 2019, I removed a section called “Stadia on the Alien” as the problems with Stadia were found not to be attributed to the Alien.
  • On December 4, 2019, I documented workarounds for AT&T Fiber’s DMZ+ mode.

appendix: why you should trust me

I like to think I’ve tested a lot of the important features about the AmpliFi Alien. I’ve also run a UniFi network myself, thoroughly tested the WAN on that network, and ultimately rejected it. I’ve maintained gateways from Linksys, D-Link, TP-Link, Belkin, Apple, and Tenda. I’ve also been using Wi-Fi products heavily, from the 802.11b days, all the way to now.

I also have an okay understanding of RF interference, selecting broadcast channels, and spectrum pollution. I know the basics of Ethernet, as well as things like CSMA/CD and CSMA/CA, as well as OFDMA.

I am not a networking expert or certified professional, but I know more than your average journalist. I am a hacker after all.

appendix: why you should not trust me

These are all things you might consider to be anti-features of this review:

  1. I didn’t do repeated testing across multiple days and multiple hours of each day with multiple test sites. I intentionally tested on a holiday, when I assumed lots of people would be home using the Internet, during the day time, not the night time.
  2. I didn’t do any statistical analysis of my results. I didn’t even sum them or average them.
  3. I didn’t bother with factory resetting the network or doing crazy things to try to get remote access, a feature I don’t need or care about, working.
  4. I spent a lot of money on a wireless gateway that I really wanted to solve my problems. Maybe this is all just me falling to hype over a new purchase? Who knows. Maybe you think this is true.
  5. I don’t live in a big house, so I can’t test the Alien’s range. It was also raining a lot, so I wasn’t really inclined to go outside and test the range outside of my apartment (where I don’t care about performance anyway). Maybe your house won’t work with it.
  6. I don’t use mesh networking, so I didn’t test the mesh features. For god’s sake, don’t make a judgement call about mesh networking from this review, which did not test mesh networking!
  7. I don’t have craploads of money. Therefore, I don’t have enough money to buy every Wi-Fi 6 router, nor do I care enough about this problem to go buy more routers when the one I have works fine.
  8. I don’t have craploads of Wi-Fi 6 clients right now. As a result, I don’t have the capacity to verify that my iPhone 11 Pro is capable of operating at Wi-Fi 6 speeds. In the past, I’ve had success with using iOS devices to test reference speeds, but this may not be the case with this standard yet.

appendix: no iperf3 tests?

I just don’t find it worthwhile to test using iperf3, when I have WAN tests and gigabit Internet. What realistically matters is that the WAN works as expected in my case. If the WAN is able to deliver good speeds, then the LAN should follow. I don’t have any other gigabit systems than my Mac Pro to test with that can verify that the Ethernet speed on the LAN is okay, either. iperf3 expects you to be able to have a client and a server to generate traffic to test with, as far as I can tell.

On the LAN, most of my devices are behind UniFi switches that I’ve already done extensive WAN based speed tests on. Layer 2 switches are really good at switching packets, so I have confidence the LAN is okay and operating at gigabit speeds as expected.

appendix: other speed test sites

In this article, I exclusively relied on Netflix’s fast.com because it provided the highest speed results. These were not to OpenConnect appliances. I also tested and rejected the following speed test sites:

  • Ubiquiti’s own speed.ui.com. Never above 700 Mbps down.
  • Speedtest.net by Ookla. Kept matching me to stupid servers hosted by moronic ISPs like Frontier, and never faster than Netflix’s test.
  • SpeedOf.me. A joke. Maybe 100 Mbps down.
  • Google Fiber Speedtest. Surprisingly slow. Less than 600 Mbps down.
  • Google’s speed test via M-Lab. You get this if you Google “speed test” and try to use Google’s. Actually the most pathetic results I’ve seen. 50 Mbps down.

The sole exception was the speed test run by the AmpliFi Alien itself, which was controlled by Ubiquiti, and was the best.

appendix: AT&T Fiber review

I have AT&T Fiber at their highest speed tier (1000 Mbps up/down)5. This comes with the side benefit of not having a data cap.

For raw speed, nothing beats fiber. Literally. Any other provider, by definition, will not be able to beat fiber optic with anything other than fiber optic. That’s how light works. AT&T Fiber is fast, but that’s about the only positive thing I have to say.

AT&T Fiber is not reliable. I consistently have packet loss to hosts over their network, and it’s a problem that exists with their equipment, not mine.

AT&T firmly believes that the edge of their network is the router/gateway12 they give you. It is not your gateway, if you have one. This means that with Fiber, you get an ONT (optical network terminator) that’s effectively a stationary object for your house or apartment. If you’re the first customer at the address, you get the first ONT. Then when you leave, you leave your ONT there. The router they assign you does 802.1x authentication with their ONT, which is how you get on their network. This means that you’re forced to use their gateway, and you cannot work around this without a convoluted bypass.

The way you connect a third party gateway to their network is by using “DMZ Plus” mode on the router control panel. If this gateway gets fried, your downstream performance will be affected.

The router itself, if you choose to use it, is a 4x4 802.11ac Wave 2 device that makes actual acoustic noise when operating at max speeds. Neat! More importantly, the control panel is terrible, and you can’t even change your preferred DNS servers. Because AT&T hijacks NXDOMAIN DNS responses, you’re treated to ads any time you hit a non-existent domain. Of course, this makes programmatic DNS lookups also unreliable, because you will always get an answer, even if the domain doesn’t exist.
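A resolver that rewrites NXDOMAIN can be caught by asking it for names that should not exist, and a program can then discount answers that point only at the landing servers. The sketch below is an added example, not part of the original review; the function names and the choice of random .com/.net labels as probes are assumptions.

```python
import secrets
import socket


def system_resolver(name):
    """Addresses the OS resolver returns for name; empty set on any lookup failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()  # NXDOMAIN, but also timeouts or no network at all


def probe_names(count=4, suffixes=("com", "net")):
    """Random 96-bit labels: assumed unregistered, so an honest resolver says NXDOMAIN."""
    return [f"{secrets.token_hex(12)}.{suffixes[i % len(suffixes)]}" for i in range(count)]


def check_nxdomain_hijack(resolver=system_resolver, names=None):
    """Resolve names that should not exist and report any answers that come back."""
    names = list(names) if names else probe_names()
    answered = {}
    for name in names:
        addrs = set(resolver(name))
        if addrs:
            answered[name] = addrs
    # Every address returned for a nonexistent name is treated as a landing
    # server (a union, because a hijacking resolver may rotate between several).
    landing = set().union(*answered.values())
    return {
        "hijacked": bool(answered),
        "probes": len(names),
        "answered": len(answered),
        "landing_addresses": sorted(landing),
    }


def name_exists(name, resolver, landing_addresses):
    """Existence check that discounts answers pointing only at landing servers."""
    addrs = set(resolver(name))
    return bool(addrs) and not addrs <= set(landing_addresses)


if __name__ == "__main__":
    print(check_nxdomain_hijack())  # uses the system resolver; needs network access
```

An empty result from `system_resolver` also covers a dead network, so a "not hijacked" report only means something when ordinary lookups are working.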

bypassing their garbage

You can follow a guide on how to bypass the AT&T router using a UniFi security gateway. You can follow a similar process on an EdgeRouter. This all relies on having multiple WAN ports on a router, having arbitrary code execution, being able to change the interfaces at will, and finally proxying the 802.1x authentication packets between the AT&T router and the ONT. Once completed, you’ll be able to sit on the AT&T network at the very edge.

And it’s terrible. By doing this process, I instantly lost half of my performance. Maybe it was just because I was using a USG at the time, but it was not worth the trouble. Worse still, the process requires a script to run when the USG or EdgeRouter boots up to start the proxying and authenticate to the network. If power is lost to your router and you don’t have the script starting at boot (which is extremely easy to screw up), you will have no Internet access until you run the script again. Any time you install an update, you may also lose your script if Ubiquiti changes the firmware.

You could conceivably build your own device that proxies the 802.1x packets, or hack another router to do it. But I think this is a dumb thing to have to do in the first place. If I were able to choose a better fiber provider, I would, but I’m stuck with AT&T. I also refuse to do the bypass anymore.

To be abundantly clear, this review was done on AT&T Fiber in DMZ Plus mode. I didn’t see any overhead issues as a result of this configuration.

the downfalls of DMZ+ mode

The entire review was written using AT&T Fiber’s DMZ+ mode. I discovered that Stadia and git had problems when running over it. In particular, I would routinely get these error messages when trying to clone or fetch repositories with git using ssh as the transport:

fatal: early EOF
fatal: index-pack failed

# and:

client_loop: send disconnect: Broken pipe
fatal: the remote end hung up upon initial contact

This led me down a rabbit hole. A thread on /r/HomeNetworking showed another customer having the exact same problem as me, and the very last comment had a link to a solution from AT&T. The solution is reproduced here, in the event that the link breaks.

  1. Go to your gateway settings and choose Settings.
  2. Scroll to Software Version. If you have version 11.1.0.xxxx or above, continue with these steps. If you have earlier versions, you don’t need to do anything else.
  3. Select LAN and then LAN IP Address Allocation.
  4. Scroll to Devices. Check Device Status for one identified as DMZ device.
  5. In Address Assignment, choose Private from Pool or Specific Private IP.
  6. Select the Firewall tab and scroll to Edit firewall settings for this computer.
  7. Choose Add a new user-defined application. You’ll see the Firewall Application Profile Definition window.
  8. In Application Profile Name, enter All UDP and do the following:
    1. In Protocol, select UDP.
    2. In Port, enter 1 in From and 50999 in To.
    3. Select Add to List and then Back.
  9. In Application Profile Name, enter All TCP and do the following:
    1. In Protocol, select TCP.
    2. In Port, enter 1 in From and 50999 in To.
    3. Select Add to List and then Back.
  10. In Select a computer, choose the device you want to forward all traffic to. Or, enter the IP address of the device.
  11. In Hosted Applications, select All UDP and All TCP, then Add them.
  12. Select Save.

Essentially, this makes your “WAN IP” a local IP to the Alien while bulk port forwarding all TCP and UDP traffic to the Alien on the AT&T LAN. This is an obtuse solution, but it does work. If you experience issues with Stadia or git when using the AmpliFi Alien, or any other gateway, this workaround will fix edge case problems associated with DMZ+ mode.


  1. A packet is a small chunk of data. Depending on the technical layer, the most technical term is either packet, datagram, or frame.
  2. Strictly speaking, this is a bit of an exaggeration. This overview is supposed to help you if you don’t know what these things are. If you do, more power to you!
  3. A prosumer is a pro consumer. In practice, these are power users who have specific needs, or are really nerdy and just want a cool network with advanced features.
  4. Not to be confused with a switch, which is also a packet switching device.
  5. I push and pull several gigabytes of docker containers each day as part of my job. As a result, having really good upload and download speed saves me a lot of hassle each day.
  6. Observed peak speed. This is the speed observed on the fast.com UI when testing. It seems to be based on some pretty liberal math since it very regularly goes above the theoretical max speed for my connection.
  7. Unloaded latency. From Netflix: “Unloaded latency measures the round-trip time of a request when there is no other traffic present on a user’s network.”
  8. Loaded latency. From Netflix: “Loaded latency measures the round-trip time when data-heavy applications are being used on the network.”
  9. From the AmpliFi HD datasheet.
  10. “But I’m trying to run Wi-Fi in a stadium full of angry Overwatch League fans” you protest. For consumers! It’s the best for consumers! It doesn’t have crazy high range like some of the more expensive and tailor made UniFi products have.
  11. Originally, I said that no routers on the market support WPA3. This appears not to be the case, as per a suggestion from Timothy Farley. Thanks, Timothy Farley! Also, awesome avatar on the AmpliFi forums! 💚
  12. The router they provided me was an AT&T branded Arris 5268AC “Pace” router/gateway.