Going Unifi to keep the wife happy

by 2 weeks ago - last edited Monday

Background and starting situation

My house is two storey, 180sqm (approx 2000sqft) with concrete floors. It was built around 1980, so there was no UTP cabling when I bought it in the early 2000s. Since all walls are brick, it was/is hardly possible to add any new wiring. Some years ago, I moved to a glass fiber (500/500) contract and around that time I decided that having only WiFi was not going to give me the bandwidth I was getting in my contract. I needed wiring. So I pulled some existing cables (mostly POTS) out of the tubing and replaced them with Cat6 cabling. This gave me a limited but satisfactory number of drops around the place:

  • 1 drop in (what used to be) the children's play room
  • 2 drops (1 UTP, 1 POTS) in the living room right behind where the TV is, and
  • 2 drops in my study upstairs.

I was still on my former Linksys hardware (Linksys WRT1900AC and a supporting WAP300N for wifi connectivity). The router would sit (as in most cases) in my fuse box cabinet, the WAP at the opposite side of the house in the kids' play room. I never really bothered to look into roaming, and to this day I am not sure what options the Linksys equipment has to make roaming better. I did notice though that most devices would be connected to the WAP most of the time; not to the more powerful router.

In terms of network load, I would say it was average at best. I had a number of devices on wired LAN (desktop, network printer, TV, DVD player, son's PS4, Android set top box, 3 Synology NASes), and everything else was on wifi (bunch of smart phones, two tablets, 4 laptops, including office laptops of me and my wife, e-reader and another set top box in our bedroom where I am unable to run a drop).

Everything was pretty much ok; never had too many issues. Had been looking (as I constantly do) into how I can improve on my network. Not because I have to, but because it's fun. Had already noticed the slick design and integration of Unifi equipment, but wasn't sure if I was going to spend that much money on another set-up just for the heck of it. At some point, my wife started to complain about wifi cut-outs when she was working from home some days a week. While her connectivity in the office was fine, her laptop would lose the VPN connection when working from home, causing her to lose work and whatnot. That really started to irritate her.

Thank God for that. As I wanted to keep the wife happy, I promised to go fix that and quickly decided to go for an all-out attack with Unifi. Time to go out and get my toys!

New set-up

I hooked up the USG to my ISP router (Fritzbox), and only have some port forwarding configured there. Right behind the USG is my "aggregation switch", which only connects to other switches and the CloudKey. Behind that, still in the fuse box cabinet, is a "connect switch" to which I have connected my three Synology NASes. Everything is neatly put on some shelves I put up there. In each room, there is another connect switch wired to the wall drops, connecting the wired devices in those places. Additionally, there are APs in the living room (AC Pro) and in the play room (AC Lite). I bought another AC Lite some time later, as my son was unhappy with the wifi coverage in his bedroom upstairs. It took me a few weeks of tinkering with the AP signal strengths to get the right balance for roaming. That is all fine now. The Events screen shows how devices jump from one AP to the other when walking through the house.

Network topology

2010207 LAN map.png

My Unifi core setup, including my three NASes

IMG_3055.JPG

AC Lite in son's bedroom

IMG_1174.JPG

AC Lite in play room

IMG_1175.JPG

The ease with which VLANs can be set up caused me to rethink segregation. I decided to go with a handful of VLANs:

  • Private (subnet 10.1.1.1/24)
    This VLAN connects my 'main' devices, wired or wifi. It encompasses my desktop and NASes and all phones and laptops that connect through my main WiFi.
  • Service (subnet 10.1.2.1/24)
    This VLAN connects my printer, Pi-Hole adblocker and an old LG NAS as temporary storage / file transfer hub (though this doesn't see much use to this day).
  • IoT (subnet 172.16.20.1/24)
    This VLAN is for the TV, e-reader, DVD player and other stuff I don't want connected to my main LAN. IoT is available on wifi as well.
  • Guest (wifi subnet 172.16.10.1/24, wired subnet 172.16.11.1/24)
    Both wired and wifi guests (the latter through a voucher-based portal) connect to this VLAN.
  • VPN (subnet 10.123.0.1/24)
    I use this to connect to my LAN when I am away, and additionally I provide this as a service (although much underused up till now) to my family and some other relatives, so they have a secure connection available whenever they need to connect to an unsecured wifi anywhere.

In terms of segregation, my Private LAN can reach any other LAN. IoT can only go out to the internet. Guest wifi can only go out to the internet as well. I have one drop made available on my TV stand, for a guest to connect a wired device. This wired Guest LAN can go out to the internet, and can also see my Service LAN for printing or file transfer (using the old NAS).

Future plans

Currently there are a few further improvements / extensions that I have on my network backlog:

  • Introducing a management VLAN, to which only my Unifi devices connect, so that components on other VLANs cannot reach the switches or APs at layer 3
  • Getting QR wifi access sorted out for my guest portal
    Currently, the voucher-based access is not really used to provide access to guests. Rather, they (mostly my kids) just use the Apple functionality to pass on the password of my main wifi (I really hate Apple for making this possible; I feel there should be a law against this). Providing guest portal access through a QR code should be much easier. QR works for regular wifi, but I didn't get this to work for the guest portal.
  • Introducing Unifi cams / NVR using the CK Gen2+
    Just to provide some more security for my residence

Any further suggestions for improvement are welcomed!

For now, the wife is happy because her VPN to the office never gets interrupted anymore. And I am happy, because this problem she had paved the way for me to get my "toyz for boyz" :-)

Location: Heeze, Nederland. Products used: 1x UniFi Security Gateway, 5x UniFi Switch 8-60W, 1x UniFi AP AC Pro, 2x UniFi AC Lite, 1x UniFi Cloud Key.

Comments
by
a week ago

Looks good!

by
a week ago

I demand a host named "Hankel"! Robot LOL

by
a week ago

Are the SSIDs that you use on every AP different, even the key? If this is not so, you must connect all the portable devices to every AP.

anootje

by
a week ago - last edited a week ago

Same ssid and pw for all AP

This facilitates smooth roaming

by
a week ago

What did you use to map your architecture?

by
a week ago

The topology map is standard functionality in the Unifi web controller

by
Sunday

Neat.. I just don't understand the switch 8/60

rene

by
Sunday

Which switch? All 5 of them are the same

by
Sunday

Oops, I read it wrong...

Though you would have been better off making the bottom 8/60 an 8/150 and the rest a Switch 8

rene

by
Sunday

"In terms of segregation, my Private LAN can reach any other LAN."   How do I set up my private LAN to talk to any other LAN?

by
Sunday

I believe the default policy is to accept inter-VLAN traffic. So you will only have to drop packets when you want to segregate. Here's a snapshot of some of my rules as displayed in the iPhone app

4E7BE410-E735-4E27-89C6-52A24549FA9F.png
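The segregation described in the post (Private reaches everything, IoT and Guest wifi only reach the internet, wired Guest also reaches Service) and the "default accept, so only write drop rules" answer above are easy to get subtly wrong, because the gateway evaluates its LAN-in rules top to bottom and stops at the first match. The Python model below is an added illustration, not code from the post or from Ubiquiti: it encodes that policy as an ordered first-match rule list over the post's subnets, adds the planned management VLAN as an extension, and lets you ask "may host A open a connection to host B?" before touching the controller. The management subnet 10.1.3.0/24, the probe host addresses and the 203.0.113.10 stand-in for "the internet" are assumptions; the post gives no values for them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# VLAN subnets from the post, written as networks (the post lists the gateway address, e.g. 10.1.1.1/24).
VLANS = {
    "Private":     ipaddress.ip_network("10.1.1.0/24"),
    "Service":     ipaddress.ip_network("10.1.2.0/24"),
    "IoT":         ipaddress.ip_network("172.16.20.0/24"),
    "Guest-WiFi":  ipaddress.ip_network("172.16.10.0/24"),
    "Guest-Wired": ipaddress.ip_network("172.16.11.0/24"),
    "VPN":         ipaddress.ip_network("10.123.0.0/24"),
    # Planned management VLAN; the post gives no subnet for it, so this address is an assumption.
    "Management":  ipaddress.ip_network("10.1.3.0/24"),
}

# "Local" from the gateway's point of view: matching the RFC 1918 ranges catches every
# current and future VLAN, so a newly added VLAN is not accidentally reachable from IoT or Guest.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "accept" or "drop"
    src: Tuple[ipaddress.IPv4Network, ...]
    dst: Tuple[ipaddress.IPv4Network, ...]

    def matches(self, src_ip, dst_ip) -> bool:
        return any(src_ip in n for n in self.src) and any(dst_ip in n for n in self.dst)


def nets(*names):
    return tuple(VLANS[n] for n in names)


# Ordered LAN-in style rules: first match wins, and the gateway's default is accept,
# so only the exceptions have to be written down. The one "accept" exception sits
# above the drops because a later accept would never be reached.
RULES = [
    Rule("guest-wired to service", "accept", nets("Guest-Wired"), nets("Service")),
    Rule("iot to local nets",       "drop",   nets("IoT"), RFC1918),
    Rule("guest to local nets",     "drop",   nets("Guest-WiFi", "Guest-Wired"), RFC1918),
    Rule("default",                 "accept", (ANY,), (ANY,)),
]


def with_management_vlan(rules):
    """Planned extension: only the Private VLAN may reach switches/APs on the management VLAN."""
    return [
        Rule("private to management", "accept", nets("Private"), nets("Management")),
        Rule("others to management",  "drop",   (ANY,), nets("Management")),
    ] + list(rules)


def vlan_of(ip):
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, rules=RULES, established: bool = False):
    """Return (action, rule_name) for a connection from src to dst.

    established=True models the 'allow established/related' rule a stateful gateway
    evaluates first; without it, replies to Private -> IoT flows would be dropped by
    'iot to local nets' even though the Private side opened the connection.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if established:
        return "accept", "established/related"
    # Traffic within one VLAN is switched and never reaches the gateway's rules.
    if vlan_of(src_ip) is not None and vlan_of(src_ip) == vlan_of(dst_ip):
        return "accept", "same VLAN (switched, not routed)"
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return "drop", "no rule matched"


def policy_matrix(rules=RULES):
    """Action for one probe host per VLAN talking to every other VLAN and to the internet."""
    probe = {name: net[10] for name, net in VLANS.items()}          # e.g. 10.1.1.10, an assumed host
    probe["Internet"] = ipaddress.ip_address("203.0.113.10")        # documentation range, stands in for the internet
    return {(s, d): evaluate(str(probe[s]), str(probe[d]), rules)[0]
            for s in probe for d in probe if s != d and s != "Internet"}


if __name__ == "__main__":
    for (s, d), action in sorted(policy_matrix(with_management_vlan(RULES)).items()):
        print(f"{s:12} -> {d:12} {action}")
```

Running the block prints the full source/destination matrix, which is the quickest way to spot a hole such as Guest-Wired reaching Private or a new VLAN that IoT can suddenly see; the rule order in `RULES` mirrors the order you would enter them in the controller, and the `established` flag is a reminder that the model only covers new connections.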