After spending over a grand on Alta Labs equipment, I believe I have the right to say all of this.
When did it become acceptable to sell equipment that either wasn’t finished or complete?
I like the idea of Alta Labs, I even like the nice user interface. But, in my limited experience of setup and configuration of said equipment I have found the following issues.
It seams you are tied to Alta Labs servers or in the least their DDNS servers.
Tried as I may, I couldn’t get all of the equipment setup without an Internet connection and that is troublesome for several reasons.
The feature set, while nice is far from complete or even fully stable.
Alta Pass is an awesome feature, but even that is incomplete in some ways.
I could go on and list more, but that is for a later time.
If I wanted to be a beta tester, send me the hardware and I would be more than willing to go through the hardware and software and provide lists of issues. I also don’t like being tied to a company that is collecting or connecting to my equipment without my express ok. That is just a class action lawsuit waiting to happen.
In the grand scheme of things, I have the hardware and will revisit a setup at a later time. I don’t think that releasing more hardware until the software is complete is a good idea. I hope that Alta Labs will step up and complete the software and remove the dependency on their servers or a connection to their systems. Hopefully unlike another large company that started out the same way, it won’t take 20 years to get there. Also, if your users are going to be tied to your servers or services then there needs to be a disclaimer.
As an fyi, I have been in IT for over 25 years and have seen companies like this come and go because of simple poor decisions.
I bought Alta labs gear right after it first released and in May 2024 I deployed a new home network using 2x AP6 Pros and 2x S8s. Route 10 wasn’t out at the time so routing remains on my UDM (for now).
My partner and I work from home 5 days a week and I have never once had any stability issues with any of the Alta labs gear. In fact, on my old setup using the U name APs, I was constantly fighting 2.4GHz devices from dropping off the network. Those issues disappeared instantly after switching.
No vendor, not even the big boys (Cisco, Arista, Juniper, etc) are going to have every feature available day 1, and no vendor will come close to having a bug free product.
I see this is your first time posting. Did you provide your feedback to the Alta team and give them a chance to fix any issues? They are very receptive to feedback and improvements.
For updates yeah, but if you have the local controller deployed (with custom reverse proxy) no. It’s the exact same as UniFi.
Interested to hear more about this, what kit are you using that won’t connect to the internet at least once?
Whats not stable? I have not had a single drop out.
Again, how is it incomplete? I have seen numerous deployments of the AltaPass working flawlessly (on here, youtube and on reddit)
I really don’t think thats fair at all. Nothing is being collected? Heck when an issue comes up you need to physically invite one of the Alta team to your site as they can’t access your site without you allowing it. Once in then they can see your device logs (via remote terminal the same way you can). The hardware is so well thought out and priced its giving UniFi a damn good run for its money. Granted there have been some RMAs but nowhere near the amount to suggest “beta”.
Why would I or should I need to mess with any sort of custom reverse proxy?
Lets see, what kits have I setup that didn’t require an internet connection? pfsense, OPNsense, Palo Alto, Sophos, OpenWRT, MikroTik… I guess I could go on, but why.
The first several times I worked through the setup stability was a major issue. I will not go into great detail here, but I will say this. If you pay attention you will see what I mean.
Alta Pass is great and I said that, but where is WPA3? Oh, that’s right. It’s not there or at least you can’t use it yet with Alta Pass.
You might not think what I had to say is fair, but it is a matter of fact. If you unplug your WAN connection from the Route10 you will see exactly what I mean (if you are using Alta’s Control locally). Alta Labs Control unit does not hold all of the software it needs to complete its tasks. I don’t doubt that the hardware is solid, it’s more the software is what is lacking.
And it is very relevant.
I hope that Alta Labs succeeds and this platform becomes second to none, but in its current configuration it is seriously lacking. Will I still use it and experiment with it? Of course, why not.
The initial device setup has internet dependencies for a couple reasons. One, because the devices each get a Let’s Encrypt certificate of their own. Two, if the time isn’t synced via NTP, certificates cannot be validated and the devices validate their controller. Some competitive products don’t use a highly secure means of communicating with their controller, so it doesn’t matter if their time is off, and they don’t have device certificates. Did you notice any issues past the initial setup without internet? I unplugged the WANs from one of my Route10s and the Control behind it is still working normally.
The dependency on our DDNS service is because we use legit trusted certificates from Let’s Encrypt, so you have real security rather than the completely useless self-signed certs you find on most all competitive products.
We definitely want to support WPA3 with AltaPass. The problem there is the WPA3 spec itself is not compatible with the use of multiple PSKs. No one supports multiple PSKs on WPA3 because it’s impossible. Changing that will be an industry-wide effort, and we’re far from the only ones who want it. We’re doing our part to collaborate and help make that happen.
I understand the use of Let’s Encrypt and NTP for the use of certification. However, the use of self-signed certificates can be just as if not more secure is certain situations. But, this brings up the entire debate about how few people understand certificate chains and chains of trust.
One of the issues that I ran into was, once the WAN connection was unplugged or disabled. The icons for your items disappeared. Then slowly the UI became unstable.
The dependency on DDNS is a mystery to me. I have used Let’s Encrypt as well as other major certificate authorities for multiple reasons and situations and never been forced down the rabbit hole of DDNS. I can understand if your ISP only provides dynamically allocated IP’s, but for those of us that have static or multiple static IP’s it becomes a pain. I quite literally had to call my ISP and get another static IP for the Alta Labs equipment because I could not tie it into any of my existing enterprise grade networks.
I my honest and humble opinion, I think being tied to DDNS creates another attack vector. I can understand the use of DDNS especially if you have a dynamically assigned IP and want to use a VPN, but like I said, if you have a static IP it becomes a pain to deal with.
Is there a way to modify the Alta Pass code to make it compatible with WPA3? Just curious as I don’t have a lot of knowledge about the Alta Pass, but I do think it is a better approach to WPA setups.
To my knowledge this is a technical limitation with the way PPSK currently on hostapd, you’ll notice that most if not all other vendors are limited in that manner currently. Please note that AltaPass itself is more than just PPSK; however, PPSK remains an essential function at its core. There are recent developments and investments with a few prominent industry names, and they apparently have grant money to investigate making multi-password technology WPA3 compatible.
I’ve read about some users being able to assign one MAC to an SAE passphrase at a time, but that would be painful at best, and there may be 1-2 that offer dynamic passphrase via via RADIUS, but some of these systems outright have you join using WPA2 first, then transition allow roaming to say WPA3-SAE on 6GHz. But none of these are truly like the implementation available today on WPA2-only environments.
All that said, adding WPA3 support for AltaPass definitely is of interest to us.
There are a few topics to discuss here, so let’s start from the top. You’ll have to excuse any redundant information as I was awaiting a rock solid, 100% confirmation about any upcoming features/adjustments/improvements that I state in this reply.
First, I’d like to thank you for your candid feedback. We truly welcome any constructive criticism, feedback, suggestions, etc. from anyone using or is looking to use our products. Your feedback and concerns are not falling on deaf ears, I assure you. We are committed to constant improvement and there will be some more details later in my response to demonstrate this.
Some of this will be rehashed from previous replies, but I trust the words carry a bit more weight coming from an official employee.
To clarify, you don’t have to spend a single penny on Alta products for us to listen to your feedback. In fact, you don’t have to spend a single penny on Alta products to get a taste of what Alta has to offer. Anyone can create a free account at manage.alta.inc and get a feel for the workspace they’d be operating in. Yes, it will be slightly limited without hardware, but it’s an option nonetheless.
An argument could be made that, in the tech space at least, no product is ever “complete” or “finished”. Consider your cell phone, you receive regular updates that address new security concerns and/or vulnerabilities, but that update will also come with some new features, user experience improvements, performance enhancements, etc.
You buy a computer, Windows/MacOS is releasing updates all the time. I have a fairly large setup of batteries for home power backup, they have WiFi and they get updates.
This is a fundamental core of internet connected devices; the ability to improve and stay secure over time.
Another important aspect to consider is the shifting definitions of what a specific product is. Take a router for example, the purpose is right there in the name, it routes between networks. But that definition is antiquated. Now you can do many different VPNs, DNS forwarding, IDS/IPS, PoE out, content filtering, parental controls, multiple WANs the list goes on and on. The bulk of these things didn’t even exist when you started in the IT industry. Same with cell phones, really. It’s a phone but how often does one use their cell phone as a phone?
Is this an excuse for bugs? Absolutely not, I want to make that clear. But the concept of firmware updates exists for bug fixes as well.
We would love to hear about any issues you’ve encountered. When you have a list, please feel free to share it here or in another thread, whichever you’re more comfortable with; feel free to share a link to the other thread here if you choose to go that route. Addressing your points individually:
This is accurate for the time being and has been raised by others. We opted to provide the most seamless user experience, which is why we’ve focused on our own DDNS first. We will be adding more DDNS providers by way of controller and firmware updates
There’s no question that there needs to be some improvement to the user experience when setting up a local controller. For now, the recommendation is to set it up using the internet, then feel free to block its access to the internet
The controller was built for the most common use-cases in order to streamline user experience, which includes using our own cloud for initial setup. Some great examples of why our cloud is required are DDNS as you pointed out, offline device alerts, access requests as it pertains to scheduling, and many more.
All of these are contingent on 3rd party services, however. With the cloud, it’s a known quantity because we set it up and we know how it works, all the configuration parameters, etc. When we need to implement 3rd party SMTP support for the purposes of offline device alerts and access requests, we have to plan and test for literally millions of different providers’ parameters. DDNS is similar, but not quite the same scale as all know.
At present, the UX for the local controller is to be as automated as possible, but greater granularity will come. It’s also worth noting that this won’t be a deluge of changes, but rather incremental changes. I.e. you may see 10 DDNS providers added over 4 or 5 different releases. It’s way easier to debug any issues that may arise if the changes are small.
I suppose this is best served in your followup post, but again, we want to hear where you feel we can improve.
I’m a bit surprised to hear this as it is our flagship software feature. There have been some suggestions/pointers here and there but most everyone is happy with it that I’ve seen. Again, looking forward to hearing your thoughts on what additional features you’re looking for.
And as a general note, one person’s network and experience will be different from yours almost 100% of the time. We want to hear the good, the bad, and the ugly. Always.
This one is a hard showstopper and is quite misleading. Every software has a terms of use, privacy policy, etc. often required by law. We are no exception. I encourage you (and everyone for that matter) to review our privacy policy and our Trust site. These sites outline our policies in great detail. If you have questions or concerns, we have plenty of ways for you to reach out and we’ll be happy to address them. We do not connect to any devices without express and recorded consent. And even when that consent is provided, the user can easily remove us after that permission is granted.
I don’t think it’s a secret which company you’re referring to and it’s worth noting that the vast majority of Alta employees once worked at the presumed company. We collectively learned vast amounts of information during our tenures there and do our absolute best to learn and improve upon said experiences.
With all of that said (sorry, I do tend to get long winded) the bottom line is that we are committed to positive evolution in hardware, in software, in policy, as a company and as people. We want to hear every reasonable critique anyone has to offer so I sincerely look forward to reading your followup notes.