Background and starting situation
My house is two storey, 180sqm (approx 2000sqft) with concrete floors. It was built around 1980, so no UTP cabling when I bought it early 2000s. Since all walls are brick, it was/is hardly possible to add any new wiring. Some years ago, I moved to a glass fiber (500/500) contract and around that time I decided that having only WiFi was not going to give me the bandwidth I was getting in my contract. I needed wiring. So I pulled some existing cables (mostly POTS) from the tubing and replaced them with Cat6 cabling. This gave me a limited but satisfactory number of drops around the place:
- 1 drop in (what used to be) the children's play room
- 2 drops (1 UTP, 1 POTS) in the living room right behind where the TV is, and
- 2 drops in my study upstairs.
I was still on my former Linksys hardware (Linksys WRT1900AC and a supporting WAP300N for wifi connectivity). The router would sit (as in most cases) in my fuse closet, the WAP at the opposite side of the house in the kids' play room. I never really bothered to look into roaming, and to this day I am not sure what options the Linksys equipment has to make roaming better. I did notice though that most devices would be connected to the WAP most of the time; not to the more powerful router.
In terms of network load, I would say it was average at best. I had a number of devices on wired LAN (desktop, network printer, TV, DVD player, son's PS4, Android set top box, 3 Synology NASes), and everything else was on wifi (bunch of smart phones, two tablets, 4 laptops, including office laptops of me and my wife, e-reader and another set top box in our bedroom where I am unable to run a drop).
Everything was pretty much ok; never had too many issues. Had been looking (as I constantly do) at how I can improve on my network. Not because I have to, but because it's fun. Had already noticed the slick design and integration of Unifi equipment, but wasn't sure if I was going to spend that much money on another set up just for the heck of it. At some point, my wife started to complain about wifi cut-outs when she was working out of home some days a week. While her connectivity in office was fine, her laptop would lose the VPN connection when working out of home, causing her to lose work and whatnot. That really started to irritate her.
Thank God for that. As I wanted to keep the wife happy, I promised to go fix that and quickly decided to go for an all-out attack with Unifi. Time to go out and get my toys!
New set-up
I hooked up the USG to my ISP router (Fritzbox), and only have some port forwarding configured there. Right behind the USG is my "aggregation switch", which only connects to other switches and the CloudKey. Behind that, still in the fuse cabinet, is a "connect switch" to which I have connected my three Synology NASes. Everything neatly put on some shelves I put up there. In each room, there is another connect switch wired to the wall drops, connecting the wired devices in those places. Additionally, there are APs in the living room (AC Pro) and in the play room (AC Lite). I bought another AC Lite some time later, as my son was unhappy with the wifi coverage in his bedroom upstairs. It took me a few weeks of tinkering with the AP signal strengths to get the right balance for roaming. That is all fine now. The Events screen shows how devices jump from one AP to the other when walking through the house.
Network topology
My Unifi core setup, including my three NASes
AC Lite in son's bedroom
AC Lite in play room
The ease with which VLANs can be set up caused me to rethink segregation. I decided to go with a handful of VLANs:
- Private (subnet 10.1.1.1/24)
  This VLAN connects my 'main' devices, wired or wifi. It encompasses my desktop and NASes and all phones and laptops that connect through my main WiFi.
- Service (subnet 10.1.2.1/24)
  This VLAN connects my printer, Pi-Hole adblocker and an old LG NAS as temp storage / file transfer hub (though this doesn't see so much use till this day).
- IoT (subnet 172.16.20.1/24)
  This VLAN is for TV, e-reader, DVD and other stuff I don't want connected to my main LAN. IoT is available in wifi as well.
- Guest (Wifi subnet 172.16.10.1/24, wired subnet 172.16.11.1/24)
  Both wired and wifi guests (with voucher based portal) connect to this guest VLAN.
- VPN (subnet 10.123.0.1/24)
  I use this to connect to my LAN when I am away, and additionally I provide this as a service (although much under used, up till now) to my family and some other relatives so as to have a secure connection available whenever they need to connect to an unsecured wifi anywhere.
In terms of segregation, my Private LAN can reach any other LAN. IoT can only go out to the internet. Guest wifi can only go out to the internet as well. I have one drop made available on my TV stand, for a guest to connect a wired device. This specific Guest LAN can go out to the internet, and can see my Service LAN for printing or file transfer (using the old NAS).
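To check the segregation rules above against concrete flows before (or after) building the firewall rules, here is an added Python example; it is not code from the post or from Ubiquiti. It encodes the VLANs and the stated allow rules; the Service and VPN rows, which the post does not spell out fully, are marked as assumptions, and the host addresses in the tests are constructed.

```python
import ipaddress

# VLAN subnets as listed in the post (written there as gateway x.x.x.1/24).
VLANS = {
    "private":     ipaddress.ip_network("10.1.1.0/24"),
    "service":     ipaddress.ip_network("10.1.2.0/24"),
    "iot":         ipaddress.ip_network("172.16.20.0/24"),
    "guest_wifi":  ipaddress.ip_network("172.16.10.0/24"),
    "guest_wired": ipaddress.ip_network("172.16.11.0/24"),
    "vpn":         ipaddress.ip_network("10.123.0.0/24"),
}

# Destinations each source zone may *initiate* connections to, per the post.
# "internet" is any address outside every VLAN above. Reply traffic is assumed to be
# covered by stateful (established/related) rules on the gateway, so it is not modelled.
POLICY = {
    "private":     {"service", "iot", "guest_wifi", "guest_wired", "vpn", "internet"},
    "service":     {"internet"},             # assumption: the post does not say what Service may reach
    "iot":         {"internet"},
    "guest_wifi":  {"internet"},
    "guest_wired": {"internet", "service"},  # the TV-stand drop may print / use the old NAS
    "vpn":         {"private", "internet"},  # assumption: VPN is used "to connect to my LAN"
}


def zone_of(ip: str) -> str:
    """Map an IP address to its VLAN name, or 'internet' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "internet")


def allowed(src_zone: str, dst_zone: str) -> bool:
    """Zone-level decision: intra-VLAN traffic never crosses the gateway, so it is always allowed."""
    if src_zone == dst_zone:
        return True
    return dst_zone in POLICY.get(src_zone, set())


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """Decide whether src_ip may open a connection to dst_ip under the policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "internet":
        return False  # unsolicited inbound is dropped; port forwards live on the ISP router
    return allowed(src, dst)


def who_can_reach(dst_zone: str) -> list:
    """Source zones able to initiate into dst_zone; handy when reviewing what a VLAN is exposed to."""
    return sorted(s for s in VLANS if allowed(s, dst_zone))
```

Running `who_can_reach("service")` makes the caveat of the wired guest drop explicit: a guest device on it can reach everything in the Service VLAN (Pi-Hole included), not just the printer and the old NAS, unless narrower per-host rules are added.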
Future plans
Currently there are a few further improvements / extensions that I have on my network backlog:
- Introducing a management VLAN, in which only my Unifi devices connect, so other VLAN components cannot access the switches or APs on Layer 3
- Getting QR wifi access sorted out for my guest portal
  Currently, the voucher based access is not really used (especially by my kids) to provide access to guests. Rather, they just use the Apple functionality to pass on password information to my main wifi (I really hate Apple for making this possible; I feel there should be a law against this). Providing Guest portal access through QR code should be much easier. QR works for regular wifi, didn't get this to work for guest portal.
- Introducing Unifi cams / NVR using CK Gen2+
  Just to provide some more security for my residence
Any further suggestions for improvement are welcomed!
For now, the wife is happy because her VPN to office never interrupts anymore. And I am happy, because this problem she had, paved the way for me to get my "toyz for boyz" :-)