You don’t need it, but you might want it anyway: Ubiquiti UniFi

TL;DR

The Ubiquiti Networks UniFi products are absolutely worth considering if you’re looking to upgrade your home or small office network to a reasonably affordable, manageable, configurable, and expandable setup.

A complete setup probably costs more than you’re comfortable spending on network infrastructure, but you’re worth it.

Details

There’s a lot of information about this company and their products available on the Internet. I won’t attempt a 15-25 page Ars Technica-style exposé of the details. Instead, I’ll focus on the features I’ve been using and some highs and lows of the product experience.

Lesson 1

Cloud key

I made the mistake of installing the controller software on a laptop first. I hadn’t understood that for maximal data logging and the best management experience, it’s best if it’s installed on a server or workstation that is available 24×7. I decided the Ubiquiti Cloud Key was the most effective choice: low power, no moving parts, plug and play. The controller software depends on a bunch of software like Java that you may not want to install on your server or shared workstation, so take my advice and include one in your budget for a robust Ubiquiti setup. There are instructions available for installation on a Raspberry Pi if you’re so inclined to go it on your own tiny hardware.

I will say that I’ve needed to reboot the device/software a few times over the past few months, but it’s been generally very stable. I’m not sure what caused the issue. So, make sure you don’t tuck it away so far that you can’t unplug and restart it if necessary.

Devices

I live in a larger house, and when we built it I had 4 Ethernet jacks installed in nearly every room. Rather than try to determine which jacks had equipment connected, I’ve always had every jack wired to a series of network switches. So, for the Ubiquiti equipment, I bought 3 Ubiquiti US-24 managed switches. These switches don’t support Power over Ethernet, so if you need PoE you’ll have to step up to the more expensive US-24-250W. Not wanting to connect the switches with a boring Ethernet cable, I opted for several pairs of the Ubiquiti Networks UF-MM-1G multi-mode fiber SFP modules. Compared to the overall setup price, these and the corresponding fiber cables are inexpensive. By using the fiber SFP ports for the uplinks, none of the copper Ethernet ports were used as interconnects.

Patch Cables

SlimRun

I took it as an opportunity to recable the patch panel terminations as well, with what is now my favorite network cable, the Monoprice SlimRun Cat6A patch cable. As my new setup was about double the length from where I’d mounted two network switches in the past, new cables were necessary. I bought a few different colors to indicate types of connections, and the result was so pleasing: just a nice, manageable bundle of cables. It felt almost organized vs. a cabling nightmare. These cables are more expensive, and the boot is 50-100% longer than on typical patch cables, so be sure you have room to accommodate them, especially if you’re using a patch panel. My patch panel with these cables isn’t a perfect fit, but I made it work.

I picked colors based on cable prices. There’s a variety of colors, and if you buy them on Amazon they seem to vary quite a lot in price depending on the color and length combination. Blue and gray were the least expensive when I purchased. I bought some orange to indicate interconnects (between managed switches) and red to indicate a Power over Ethernet connection or other critical infrastructure.

Software Defined Networking

I’ve explored quite a few network switches, routers, firewalls, SOHO devices, and custom firmware, including consumer, prosumer, and professional models, over the years. There have been a lot of highs and lows. I used various open source routers for many years with a Tomato-based firmware replacement (on various pieces of hardware). While it was generally very stable and had a number of useful features, it wasn’t fun anymore (and new features useful to me weren’t being added). I wanted to try something new.

My first attempt was Google’s OnHub, and later I added a more complete Google Wifi setup. Admittedly, I bought in too early. The Google Wifi was missing a lot of features from the Tomato firmware (and other competitive products). But, over a period of 18 months, it reached reasonable feature parity (and exceeded it in several cases). Most of the functionality was easy to use. I liked the setup well enough that I bought one for my father’s house so I can help him when he’s having trouble. It’s been rock solid for 9+ months for him with no unplanned reboots needed. If you read reviews of Google Wifi, make sure the reviews are recent, as there were a lot of people who bought it too early and then complained LOUDLY when they realized that it didn’t have the features they wanted (even though Google hadn’t mentioned them in marketing literature; there was just an expectation that it would have an identical or better feature set).

My biggest issue was that I have a number of Internet of Things devices that just wouldn’t work with the Google Wifi. Several of the devices in my house still require 2.4 GHz connections and couldn’t successfully negotiate with Google Wifi. So, I had to strategically place a few older 2.4 GHz routers around my house to provide service to the older devices. Honestly, it was workable, but it sucked from a configuration and reliability perspective. I’m sure I didn’t have the channels adequately arranged, and there were likely constant conflicts.

Ultimately, I decided that I wanted a setup that would allow me more control over my network without needing multiple Wi-Fi access points around to service both new and old devices. I also really wanted a web-based portal for configuration. Google Wifi is only configurable through an Android or iPhone app (there isn’t even an app that takes advantage of an iPad’s larger screen; it’s simply a scaled iPhone app).

In the prosumer price range, Ubiquiti hardware seems to lead the pack. They have consumer lines as well, but I wanted the middle-ground option.

Their Software

Given that their solution is built to provide a software defined networking stack, I’ll walk you through a bit of the experience from my perspective.

Firstly, I mentioned I had some experience with a number of hardware and firmware options. The easiest to use overall was Google Wifi. The hardest is a race to the bottom; many of the options blur together in my memory into one perfectly awful experience. Ubiquiti can never be as simple to use as Google Wifi; they just aren’t in the same market, nor are the features comparable. That being said, I’m remarkably competent using the UniFi Controller software. Thankfully Ubiquiti has seriously good documentation for many real-world scenarios that you might want to set up. Some of the documentation is a bit out of date, but the core is generally still accurate and gets the job done.

For example, it took about 10 minutes to set up an L2TP/IPsec VPN service so that I could connect from my devices back to my home network. It’s great, as it’s supported on iOS and Windows 10 out of the box. One caveat: L2TP/IPsec authenticates the tunnel with a pre-shared key that every client carries in addition to the per-user password, so generate a long random key for it rather than reusing a password you already use elsewhere.

I’d never had a virtual LAN set up in a useful way in our house before. I’d tried, but it was always very limited and only functioned with a select group of Wi-Fi connected devices. Now I can configure VLANs both for physical connections and for Wi-Fi connections. For example, in the photo above, there’s a red cable on the right side that connects to a PoE (externally powered) security camera (I use red to indicate it’s a special connection). I’d read enough scary things about cheaper IP-based security cameras that I decided to sandbox it entirely. My security camera software can access it directly, but the camera can’t access other devices on the network.

Distrusted IOT VLAN

There are actually two reasonable ways of putting a device in a VLAN: per device, or per switch port. As shown above, I’ve chosen to associate the device with the Distrusted IOT VLAN explicitly. Otherwise, I could have selected a port and assigned it the desired port profile (again, the Distrusted IOT profile, as shown below).

Ports

Port Profile

Configuration of a Virtual LAN

As with many things in the UniFi Controller software, it’s only a few straightforward steps. Below, I’ve added a Network called Distrusted IOT and assigned it the VLAN ID 100.

On the settings page for the new network, I’ve specified the VLAN ID (100), given it its own gateway/subnet (for example, 192.168.100.1/24), a custom domain name, a DHCP server and a DHCP range. To prevent rogue DHCP servers, I’ve also enabled DHCP guarding. As I wanted to lock this one down, I’ve disabled UPnP LAN support, so nothing on this network can ask the gateway to open inbound ports for it. I’ve found that some devices need IGMP snooping to work correctly, so I did enable it. It’s up to you.


Configuration of VLAN

Finally, I added a firewall rule on the WAN OUT chain (Settings > Routing & Firewall > Firewall > WAN OUT). Click [+ CREATE NEW RULE].

Firewall WLAN

Then:

  • name it (like Block All IOT WAN TRAFFIC)
  • enable it
  • select that it runs Before predefined rules
  • Action: Drop
  • IPv4 Protocol: All
  • Advanced
    • Enable Logging (optional)
    • IPSec: Don’t match
  • Source:
    • Source Type: Network
    • Pick the VLAN you created earlier (like Distrusted IOT)
  • Destination
    • Address Port/Group
      • Group: Any
      • Port: Any

One caveat worth knowing: a WAN OUT rule only governs traffic leaving through the WAN interface. On its own it stops the camera from reaching the Internet, but not from reaching hosts on your other local networks, because the gateway routes between VLANs by default. To sandbox the VLAN from the rest of the house as well, add two rules under LAN IN: first an Accept that matches only the Established and Related states (so replies to sessions your camera software opens still get back to it), then a Drop with the IoT network as the source and your other local networks as the destination.
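To make the difference between a WAN OUT rule and a LAN IN rule concrete, here is a small model of how the gateway walks its firewall chains. It is an added illustration, not Ubiquiti’s code or anything from the original post: the chain names follow the controller’s Routing & Firewall UI, while the addresses (192.168.1.0/24 for the default LAN, 192.168.100.0/24 for VLAN 100, a camera at .50, the camera software at 192.168.1.10, and 203.0.113.7 standing in for an Internet host), the packets and both rule sets are constructed for the demonstration. It evaluates the single WAN OUT drop from the steps above against three flows, then the same rule with an established/related Accept and an IoT-to-local-networks Drop added under LAN IN.

```python
"""Toy model of how the UniFi Security Gateway (USG) evaluates firewall
chains.  Added illustration, not Ubiquiti code: it models only enough to
show why a WAN OUT drop alone does not isolate a VLAN from the other local
networks, and what an extra LAN IN rule pair changes.  Chain names follow
the controller UI; addresses, packets and rule sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: the default LAN (where the camera software runs) and
# the "Distrusted IOT" network on VLAN 100.
LAN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.100.0/24")
LOCAL_NETS = (LAN, IOT)

CAMERA, NVR, INTERNET = "192.168.100.50", "192.168.1.10", "203.0.113.7"


@dataclass(frozen=True)
class Rule:
    chain: str          # "LAN_IN", "LAN_OUT" or "WAN_OUT"
    action: str         # "accept" or "drop"
    src: tuple = ()     # networks the source must fall in; () = any
    dst: tuple = ()     # networks the destination must fall in; () = any
    states: tuple = ()  # connection states to match; () = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str = "new"  # "new", "established" or "related"


def _in(addr, nets):
    """True when nets is the wildcard () or addr falls in one of them."""
    return not nets or any(ip_address(addr) in n for n in nets)


def matches(rule, pkt):
    return (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and (not rule.states or pkt.state in rule.states))


def chains_for(pkt):
    """A packet entering the gateway from a LAN interface is checked in
    LAN IN first, then in the egress chain of the interface it leaves by:
    WAN OUT toward the Internet, LAN OUT toward another local network."""
    egress = "LAN_OUT" if _in(pkt.dst, LOCAL_NETS) else "WAN_OUT"
    return ("LAN_IN", egress)


def verdict(rules, pkt):
    """First matching rule in each chain wins; with no match the chain's
    default policy (accept, on the USG) applies and evaluation moves on."""
    for chain in chains_for(pkt):
        for rule in (r for r in rules if r.chain == chain):
            if matches(rule, pkt):
                if rule.action == "drop":
                    return "drop"
                break               # accepted in this chain; next chain
    return "accept"


# Exactly what the steps above configure: one WAN OUT drop for the IoT net.
WAN_OUT_ONLY = (
    Rule("WAN_OUT", "drop", src=(IOT,)),
)

# The same rule plus a LAN IN pair.  The accept must come first so replies
# to sessions the NVR opened still reach it; the drop then stops the camera
# from opening anything toward the other local networks.  (Hosts on the
# same VLAN talk without crossing the gateway, so listing IOT itself in
# dst is harmless.)
ISOLATED = (
    Rule("WAN_OUT", "drop", src=(IOT,)),
    Rule("LAN_IN", "accept", states=("established", "related")),
    Rule("LAN_IN", "drop", src=(IOT,), dst=LOCAL_NETS),
)


def isolation_report(rules):
    """Verdicts for the three flows that decide whether the VLAN is sandboxed."""
    return {
        "camera->internet": verdict(rules, Packet(CAMERA, INTERNET)),
        "camera->nvr (new)": verdict(rules, Packet(CAMERA, NVR)),
        "camera->nvr (reply)": verdict(rules, Packet(CAMERA, NVR, "established")),
    }


if __name__ == "__main__":
    for name, rules in (("WAN OUT only", WAN_OUT_ONLY), ("with LAN IN", ISOLATED)):
        print(name, isolation_report(rules))
```

With only the WAN OUT rule, the camera is cut off from the Internet but can still open new connections to the NVR’s network; with the LAN IN pair, new connections from the camera toward any local network are dropped while replies to the NVR’s own sessions, and the NVR’s connections to the camera, are still accepted.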

Now, the security camera is isolated on its own distrusted network, but my security camera software can still access it by IP address. Beautiful. I have the POWER! (Use your imagination to picture He-Man right now!)

Insights

As a resident of rural Wisconsin, I find the insight functionality of “neighboring access points” far more fascinating than I probably should. Seriously. The nearest neighbor is 300 feet (100 m) away and the nearest secondary road is about 1200 feet (365 m). I presume some of these are phones and cars, but the fact that Ubiquiti catches these and logs them is tremendously interesting.

Neighboring Access Points

Static IP

It’s thankfully easy to configure fixed IP addresses. Select Clients, click on the device you want to configure, select the Configuration tab, click “Use fixed IP address” and then type in the IP Address.

Static-ip

Upgrading

Upgrading a Ubiquiti device is stupidly simple.

When logging in, you’ll see a notice that one or more devices have firmware updates available. After navigating to the Devices tab, you’ll see the word UPGRADE next to any device that has an upgrade available. Click upgrade, a confirmation shows (by default), and a second click later the process begins. Minor updates take a few minutes at most.

Of course, there’s a little downtime while the device reboots, so plan accordingly. I applaud the developers for making this so painless. I don’t need to find a SUPPORT link and a DOWNLOAD link on their web site, carefully match hardware revisions, find the correct update for the device’s current patch level, download a gzipped binary and use a crappy uploader to install the firmware. It’s one or two clicks.

Dashboard

The dashboard looks great. I don’t find it very useful, though. It’s not “real time” enough to satisfy my needs. In particular, I’d like real-time download and upload throughput. There are a LOT of folks that bought the hardware expecting that functionality. I, however, had done sufficient research to know it didn’t exist, so my expectations were set properly. Their forums mention it a lot, but it hasn’t gotten traction. Don’t hold your breath waiting for it to show up.

dashboard

Missing Features

Here are some things I’d like to see added:

  • A better live view of which devices are using an unfair share of the Internet connection. I mentioned this already, but there’s no way to see at a glance all known clients and their current usage. In fact, there’s no way to reliably do it at all. The EdgeRouter series apparently has it, but it won’t integrate with the controller, so you may not want that combination.
  • A way to shape traffic live, and demote or promote specific devices for a length of time (or maybe indefinitely).
  • A method to limit a class/network of devices to a maximum total amount of bandwidth (for example, all IoT devices limited to 0.25 Mbit/s of upload traffic in aggregate). You can limit a class of devices so that each has a specific bandwidth cap, but it’s applied individually rather than as a group.
  • A few wizards for common workflows.
  • The setup and configuration for the UniFi Security Gateway feels out of place — while it’s part of the overall system, it requires love and attention on its own, which is confusing at first, and later, and later….

Final Thoughts

Even though the product has a few warts and missing features, I’m generally very happy with the hardware and software. Like many things reviewed, not everyone’s experience has been like mine, but of course, many people with successful installations don’t bother talking about it. It’s the people with problems that are often loud. So, make sure you temper what you may read in forums with a healthy dose of reality. The product does work and can work very successfully if you properly manage expectations and use it in the manner in which it was designed.

As of the end of July 2018, I’d recommend their products.

If you’ve found this helpful and are ready to make a purchase, you may of course buy the hardware from various parties on Amazon. As few (if any) are authorized resellers, you may want to opt for one of the few authorized resellers: B&H Photo and Video. As the links are affiliate links and don’t add anything to the cost/price of the purchase, I’d certainly appreciate it if you used them.

Thanks for reading! I hope this was helpful. If you have any questions, ask away! :)

Ubiquiti UniFi WiFi and Haiku Big A** Fans Wall Controllers

If you’ve purchased either a UniFi access point or a Haiku/Big A** Fan recently, you may encounter a problem with wall controllers failing to control the associated fan. While the setup nearly works, the final verification step for the wall controller always fails from the app. Further, and confusingly, if you look at the clients list in the Ubiquiti controller, it’s very likely that you’ll see the wall controller listed with a valid IP address. However, that’s not enough to make everything work as expected.

There are two settings that seem to enable the wall controller to work properly. I discovered these after reading an article about setting up a Google Home/Chromecast. You don’t necessarily need to set up a new SSID and VLAN for your wall controller; that’s up to you. However, you will need to enable IGMP snooping and multicast DNS for the Wi-Fi network that the wall controller and the fan use.

IGMP snooping / multicast enhancement is found here: Settings > Wireless Networks > WIRELESS NETWORK [EDIT] > Advanced Options, and at the end, Enable multicast enhancement (IGMPv3). Despite the IGMP label, this is the access point’s multicast-to-unicast conversion for wireless clients, a separate setting from the IGMP snooping option on the network itself.

Edit Wifi Settings to Enable IGMP

Next, enable multicast DNS: Settings > Services > MDNS > [ON]. This turns on the gateway’s mDNS reflector, so service discovery traffic (which normally stays within one broadcast domain) is forwarded between your networks.

Enable Multicast DNS

As soon as I enabled these, the two wall controllers we have for two Haiku fans began to operate almost immediately.