UniFi'd my Home

by 01-11-2018 01:32 PM - edited 01-11-2018 01:43 PM

Recently my Apple Airport Extreme died, so I decided to go ahead and do something I have been thinking about for a while now, and redid my home network with UniFi gear.

I live in a 3 year old house, which had a single Cat6 outlet in each of the 5 bedrooms and 2 living spaces, wired back to a small in-wall cabinet in the garage. Running additional Cat6 to ceiling mounted APs was not really an option, so I decided to use 3 of the AC In-Wall APs, which gives me good 5GHz coverage throughout the house and small section. I have the 2.4GHz power set to minimum, which gives me plenty of coverage for non 5GHz devices.

Screen Shot 2018-01-12 at 8.54.05 AM.png

Screen Shot 2018-01-12 at 8.53.10 AM.png

I got a USG, Switch 8-50W, and CloudKey, mounted in the cabinet, along with the Mac Mini which is running ESXi 6.5. This hosts a couple of VMs including an Untangle NGF which I use for content filtering. The cabling has changed slightly since I took this photo. The USG LAN port now connects to the Thunderbolt ethernet adapter on the Mac Mini, which is the external interface for the Untangle VM.

I was able to do away with the ISP provided router. The USG connects directly to the Fibre ONT. 

IMG_333139.jpg

Untangle web filtering gives me much more comprehensive information and control over what is happening on the network than what can be achieved with UniFi alone. I wish Ubiquity would build something like this into the USG, but the Untangle Home subscription is only US$50 a year.

Screen Shot 2018-01-12 at 9.01.02 AM.png

Untangle runs in transparent bridge mode between the USG and Garage Switch. Let's just say that Untangle has shown that my children (13, and 17) aren't as sweet and innocent as I would have liked to believe (but never really did.)

Screen Shot 2018-01-12 at 8.56.18 AM.png

A couple of issues that I have encountered with my setup:

  1. The WiFi adapter on my ducted heat pump system requires WPS to connect. I have seen reports of people using a WPS enabled AP to program the WiFi adapter, and then turning it off and it connecting to a UniFi network with the same SSID and password, but I have been unable to get this to work. As a workaround I enabled WiFi on my old Apple Time Capsule, and connected the heat pump to that. (I intended to keep the Time Capsule on the network as a backup target for my daughter's MacBook, but with WiFi disabled.)
  2. If I set the Guest network purpose to Guest (as opposed to Corporate) clients cannot connect to the internet, and get "too many redirects" errors. If I remove Untangle, or set up the network as Corporate, the problem doesn't occur, so it is something about how those 2 interact. Disabling ICMP redirects on Untangle has no effect. I haven't worked it out yet, so have the network set as Corporate for now.

I still have some work to do to lock down IOT devices etc, but it is all running smoothly, and I am much happier with the security of the network now.

My next project is improving my video surveillance, which, after my good experience with the WiFi, UniFi is on the short list for. I'm very interested in the UVC-G3-Micro when stock becomes available in NZ. Most of the consumer grade products seem to be created for the purpose of selling overpriced cloud storage subscriptions to users!

UniFi USG3, S8-60W, S8, 3x AP AC-IW, CK
Comments
by
on 01-12-2018 09:14 AM

What software did you use for you two mapping pictures? It looks like it's calculating signal levels based on windows and doors, is that right?

by
on 01-12-2018 10:36 AM

@Obideuce in the UniFi controller there is a map view, which you can import the floor plan into, then overlay it with walls etc specifying different construction materials, and input measurements so it can calculate the scale. You then place the APs etc on the map, and it generates that approximate coverage from that. I believe there is a beta version of the software that will allow you to place APs that aren't currently on the controller, so that you can plan a deployment before you buy any APs, but in the current version it is only the APs adopted by the controller.

by
on 01-12-2018 10:41 AM

Hmm... Last time I used the ubnt mapping stuff in the controller it didn't look anything like what you've done. It just drew a color gradient approximation of coverage, so I just ignored it at that point, was worthless.

I'll have to import my floorplan and give it a try on the current RC. If it looks like what you've attached now it might be worthwhile.

by
01-12-2018 10:46 AM - edited 01-12-2018 10:48 AM

@Obideuce That's part of the UniFi Controller now - in, I think, 5.6. You can see it in action here: https://youtu.be/_ytJb_SMlr0?t=2m55s

Edit: Oops, too slow again! But yeah, what @scotttnz said! It's quite powerful now.

by
on 01-12-2018 10:50 AM

I don't know how I missed that, I've been using the betas for a while and yet somehow just overlooked it.

Thanks guys.

by
on 01-12-2018 11:49 AM

Any comments on the wall APs? I am thinking about getting them.

by
on 01-12-2018 02:43 PM

@marcelokurtz They are good. They cover much more than 1 room. 3 of them cover my 210m house (sorry I don’t know what that is in feet) and small garden with 5GHz no problem, in fact I could probably get away with 2 of them, but they are inexpensive, and having 3 gives me more flexibility with placement. The coverage is actually better than the maps show, because the map for each level does not take into account the coverage from APs on other levels. The garage is covered by the AP directly above in bedroom 4 for example.

by
on 01-12-2018 03:38 PM

Cool! Awesome post!

How did you get untangle to work? Care to share some instructions or how to?

I always want to do this for my kids. How much did it cost you? Per device? Per month? For the Untangle.

by
01-12-2018 06:24 PM - edited 01-12-2018 06:33 PM

@cardins2u Untangle have a home use license for US$50 per year, which I think is quite reasonable for the functionality it provides.

https://www.untangle.com/untangle-ng-firewall/untangle-at-home/

There is also a free version with restricted apps which may do everything you need, so have a look into that. The main reason I paid for the Home Pro license was to get the ability for multiple user profiles, so that I can have different web filter rules for different users.

You can deploy Untangle on your own pc, buy an appliance from them, or as a virtual appliance on VMware, which is what I did. Deploying on VMware is pretty straight forward, as you can download it as an OVA and import that into VMware, but there are a couple of gotchas.

  1. Obviously you need 2 NICs, 1 configured on each of 2 vSwitches, one as the external network, and the other internal.
  2. Both vSwitches must be configured to Allow promiscuous mode.
  3. If you are using multiple VLANs then the port groups for the internal and external networks need to be configured as VLAN 4095 to allow all VLANs.

This is how my networks are configured:


Screen Shot 2018-01-13 at 3.15.48 PM.jpg

So the network is connected: ISP Fibre ONT > USG WAN > USG LAN > ESXi Host Ext > vSwitch1 > Untangle Ext > Untangle Int > vSwitch0 > ESXi Host Int > UniFi Switch

I followed this guide to configure the VLANs, as I have Untangle in transparent bridge mode (You can set it up as router.)

https://wiki.untangle.com/index.php/Network_Configuration#Configuring_VLAN_on_Untangle_in_Bridge_Mod...

Hope that helps.
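The three ESXi gotchas in the comment above, as an added example script that is not from the post, from Untangle or from VMware: it applies the promiscuous-mode security policy to both standard vSwitches and sets the bridge port groups to VLAN 4095 using esxcli on the ESXi host shell. The vSwitch and port group names are assumptions, and the script additionally allows forged transmits, which a transparent bridge needs because it forwards frames carrying other hosts' source MACs; the Management Network port group is left on its default, non-promiscuous policy.

```shell
#!/bin/sh
# Added example (not from the post): prepare two ESXi standard vSwitches for an
# Untangle transparent-bridge VM. Names below are assumptions for this example.
# Usage on the ESXi host:  sh bridge_vswitch.sh apply   (or: dry-run)
set -eu

EXT_VSWITCH="${EXT_VSWITCH:-vSwitch1}"      # faces the USG LAN (Thunderbolt NIC)
INT_VSWITCH="${INT_VSWITCH:-vSwitch0}"      # faces the UniFi switch
EXT_PG="${EXT_PG:-Untangle External}"       # port group for the bridge's ext vNIC
INT_PG="${INT_PG:-Untangle Internal}"       # port group for the bridge's int vNIC
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the esxcli commands only

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Configure one side of the bridge: $1 = vSwitch name, $2 = port group name.
bridge_side() {
  # Gotcha 2: the bridge must receive frames addressed to other MACs, so the
  # vSwitch security policy needs promiscuous mode. Forged transmits are also
  # required because the bridge re-sends frames with the original source MAC.
  run esxcli network vswitch standard policy security set -v "$1" \
    --allow-promiscuous=true --allow-forged-transmits=true
  # Gotcha 1: a dedicated port group for the bridge vNIC on this vSwitch, so the
  # relaxed policy is only used by the Untangle VM, not by management traffic.
  run esxcli network vswitch standard portgroup add -p "$2" -v "$1"
  # Gotcha 3: VLAN ID 4095 is virtual guest tagging; every VLAN tag passes through.
  run esxcli network vswitch standard portgroup set -p "$2" --vlan-id 4095
}

configure_bridge() {
  bridge_side "$EXT_VSWITCH" "$EXT_PG"
  bridge_side "$INT_VSWITCH" "$INT_PG"
}

# Print the resulting policies and port groups so the change can be checked.
show_config() {
  run esxcli network vswitch standard policy security get -v "$EXT_VSWITCH"
  run esxcli network vswitch standard policy security get -v "$INT_VSWITCH"
  run esxcli network vswitch standard portgroup list
}

case "${1:-}" in
  apply)   configure_bridge; show_config ;;
  dry-run) DRY_RUN=1; configure_bridge ;;
esac
```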

by
on 01-12-2018 08:16 PM

thank you. I'm trying that right now. Spinning up my VM.

by
on 01-13-2018 05:34 PM

Great setup!

Two things:

a) It's Ubiquiti not Ubiquity

b) I'm not sure if you did your terminations or you had someone else do them, but the outer jacket should be pushed up past the load bar of the connector, if not completely flush as far as it goes in. While it may seem nit-picky, it is really important.

by
on 01-13-2018 05:47 PM

@gclockwood I agree. I assume the terminations were done (poorly) by the electrician or another contractor when the house was built. I am undecided if I am going to go and buy a crimping tool and redo them, or get a patch panel and terminate them on that.

by
on 01-13-2018 07:44 PM

@scotttnz I don’t see a real function for a patch panel for this application. The only reason for one in this application is either if you really prefer one for looks or whatever or if your drops are a heavier gauge solid core cable, in that case the transition from solid to stranded would be worth it. Otherwise, I would just buy a crimping tool and use the saved money on higher end connectors.

I use Sentinel Connector Systems Cat6 with load bar and strain relief boot, but if I don't have any handy I will go with Platinum Tools EZ-RJ45 with strain relief boots.

Also if you use strain relief boots don’t go for the cheap slip over rubber ones, go for the nicer ones that insert into the connector and crimp in place.

by
on 01-16-2018 07:15 AM

Never thought you could cram that much into that small of a panel, but wow! Nice cable management!.... Except those cables going into the US-8-60W.... the insulation needs to be in the connector!

by
on 01-16-2018 10:43 AM

@MFilmWorks17 Thanks!

Re-doing those connectors has been on my list of things to do since the day I moved in......but I haven't decided if I want to shorten the cables, terminate them on a patch panel, or extend them to a cupboard in a cooler part of the house.

by
02-10-2018 08:31 AM - edited 02-10-2018 08:34 AM

@scotttnz Nice use of a residential structured cabling cubby. It's clean, with good spacing and cable management. You've definitely taken time to keep everything orderly. Patch panels are nice, but this simplicity has its beauty as well. As for moving to a cooler area, you may get enough flow by putting a low rpm fan either in the panel door or utilise whatever space is behind the panel for a fan exhaust. I've been creative in doing such for built in media cabinets and it's really amazing how much cooler things are by just sucking air through the non sealed door/panel perimeter.

Reterminating the Cat6 ends with crimped insulators is really just for looks in this installation, since you have them well zip-tied in there... the purpose of crimping on the insulation is to prevent pull strain from losing conduction inside the connector and to ensure the sheathed twist is maintained through at least 13mm to the end to get the rated best performance of the standard. This doesn't look like a 10GbE solution yet, so you're fine unless you are looking for perfection. In the States, crimpers are pretty cheap for non-everyday use on Amazon, but in your paradise I'm sure there's a definite shipping markup. I'd prolly do it, but I'm a picky bloke.

I really like your summary review on the Untangle Home firewall. If you've posted anywhere else on it, and perhaps how you chose the product, I'd be interested. And if you resolve the guest network configuration challenge with it. Thanks for sharing!

by
on 09-24-2018 02:48 AM

Able to share a bit more detail on the Untangle transparent bridge mode? I'm trying to do something very similar with Sophos XG, having it between the USG LAN and UniFi switch.