Emerging Member

Best practice for Streaming devices - Wifi

Now that I have a working Guest VLAN coupled with SSID (except 1 feature yet to be resolved, but it's in a separate thread) I wanted to know the best practices for all these streaming devices that homes have these days. I have quite a few of these which as a family we use to watch/stream stuff.

 

Before I had 1 SSID = General which connected these streaming devices along with any smart phones, etc. LAN = CORPORATE and had a VLAN. By doing this I had automatic access to services like AirPlay and few other proprietary sharing screen software. 

 

Was wondering if this is okay, or whether from a best-practice perspective it's better to segregate the two, considering smart phones these days tend to have a lot of personal stuff.

Also - if there are any other suggestions - highly appreciated.

 

To be noted:

 

  1. I do have IoT devices like Smart Things, Amazon Echo, ecobee, etc. but they utilize a different network - VLAN and SSID.
  2. I have inter-LAN blocking in place in firewall - LAN_IN.
  3. None of the streaming devices support Radius authentication.
  4. I do not wish to have too many (more than 4) SSID networks since it'll affect my overall performance, considering I have a small home and have 1 AP per floor - basement (LR), 1st (PRO) and 2nd (LR). Currently, I have 1: GENERAL (this), 1 for guest and 1 for IoT devices.
Senior Member

Re: Best practice for Streaming devices - Wifi


Hello @BengalTiger,

 

I would recommend creating 4 VLANs.

 

VLAN 1 | CORE NETWORK

VLAN 2 | WIRELESS/WIRED NETWORK

VLAN 3 | IOT VLAN (guest policies enabled or interVLAN routing blocked)

VLAN 4 | GUEST NETWORK (Guest Policies enabled)

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UAS-XG • UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member

Re: Best practice for Streaming devices - Wifi

CORE NETWORK - you mean the default management network?
Guest network - yes, created.
IOT network - yes, created.
WIRELESS/WIRED NETWORK - WORK n/w, where my NAS, PRINTER, Work PCs, etc. are present.

Question is - should I put my streaming devices - like TV, etc. in the IOT or WORK n/w?
IF I PUT THEM INTO WORK n/w: The smart phones we have need to be able to connect to these wireless streaming devices. So, the easier solution will be to put smart phones and the streaming devices in WORK network so that they can talk to each other, and sometimes from my smart phone (iPhone) I need access to NAS/PRINTER/iTunes in my PC.
Caveat: Security. I see a possibility of exposing my work n/w via my smart phones and/or streaming devices.

IF I PUT THEM IN IOT: Then there might be special configurations, setups required to enable AirPlay, etc. from my smart phones to streaming devices which, after reading thru forum threads, is not very straightforward. Of course - I can put all my smart phones into IoT n/w too but in that case they will lose access to PC based iTunes, NAS, etc.

Personally, I feel putting everything in IoT makes sense as it's less difficult to establish connectivity from IoT to NAS/PRINTER/PC than trying to configure and make it work - AirPlay and some other screen mirroring solutions depending on streaming device manufacturer.

Emerging Member

Re: Best practice for Streaming devices - Wifi

Also - I feel that I can use Radius based MAC authentication across all my streaming, smart phone and other IoT devices with dynamic VLAN. This way each and every device even though connected to the same SSID in WLAN will be isolated from each other.

[I do know MAC based authentication via Radius is not very good as it's easy to spoof the MAC but not sure if that's more dangerous than an intruder entering my n/w remotely and traversing thru my network because it's exposed. All I feel even if someone spoofs the MAC is to be able to connect to my SSID but after which still remain isolated due to the dynamic VLAN in use]

 

I just wanted to run it by you good folks before attempting to configure likewise.

Emerging Member

Re: Best practice for Streaming devices - Wifi

After spending quite a large chunk of time with UniFi support, they were not able to provide a solution whereby I can define Radius users with VLANs and then the system automatically accepts them, providing them their own subnet using the VLAN tag. After trying various options like disabling VLAN in AP, ensuring the Radius profile has the 2 check-boxes enabled, nothing worked.
Senior Member

Re: Best practice for Streaming devices - Wifi

Hello @BengalTiger,

 

You can use Radius MAC Authentication if you have a USG.

Take a look at this article.

 

 

Regards,

Glenn R.

Established Member

Re: Best practice for Streaming devices - Wifi

To answer one of your questions:

 

My streaming devices are on my local LAN, because I have various sharing services on my network, such as Plex, and right now I don't feel like stripping them out to another VLAN for now.

 

If you don't have any need for those streaming devices to see your regular LAN, send them over to IoT. There's no reason not to that I can think of.

Emerging Member

Re: Best practice for Streaming devices - Wifi

Hello @AmazedMender16

 

I did see the article. I can do as per the article, i.e. all my devices authenticated using MAC thru the in-built Radius server and attach themselves to the SSID with a VLAN defined in the configuration parameter of that SSID.

 

However, the only change I want is to be able that VLAN # when creating the Radius server, which is nothing but the device MAC. 

This would allow me to place each device in its own VLAN with all my devices going from 20 to 29 VLAN numbers. All of them continue to be linked to the same SSID.

 

This is not working! Until and unless I hard-code the VLAN #, dynamic VLAN pickup from Radius user - is not working.
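
Per-user VLAN assignment of the kind described in the post above depends on the RADIUS server returning three tunnel attributes in its Access-Accept (RFC 3580): Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID carrying the VLAN number. The following is an added example, not part of the original posts and not UniFi code: it parses a raw Access-Accept (for instance the UDP payload taken from a packet capture) and reports which of the three is missing or wrong. The function names and the sample packets are constructed for illustration.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580 (VLAN assignment).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
WANTED = {TUNNEL_TYPE: ("Tunnel-Type", 13),                # 13 = VLAN
          TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}   # 6 = IEEE-802

def parse_attributes(packet: bytes):
    """Return (code, {type: first value}) for a raw RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20            # attributes follow the 20-byte header
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + a_len])
        pos += a_len
    return packet[0], attrs

def vlan_from_accept(packet: bytes):
    """Return (vlan_id or None, problems) for one Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != 2:                  # 2 = Access-Accept
        return None, [f"not an Access-Accept (code {code})"]
    problems = []
    for a_type, (name, want) in WANTED.items():
        value = attrs.get(a_type)  # 1 tag byte + 3 value bytes
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            problems.append(f"{name} is not {want}")
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if raw is None:
        return None, problems + ["Tunnel-Private-Group-ID missing"]
    if raw and raw[0] <= 0x1F:     # leading tag byte, not part of the VLAN string
        raw = raw[1:]
    text = raw.decode("ascii", "replace")
    if not (text.isdigit() and 1 <= int(text) <= 4094):
        problems.append(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID")
    return (None if problems else int(text)), problems

def build(code, attrs):            # constructed sample packets, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

TUNNEL = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06")]
GOOD = build(2, TUNNEL + [(81, b"20")])   # constructed: assigns VLAN 20
```

An Access-Accept that lacks these attributes leaves the access point nothing to act on, so the client lands on whatever VLAN is configured on the SSID.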

Emerging Member

Re: Best practice for Streaming devices - Wifi

@RobbieH

 

Thank you. At this point in time - I am keeping all my streaming devices and my publishers - i.e. the tablets/smart phones in the same IoT network.
