Upgrading my home network with UniFi gear

Pieter Gheysens
Published in Into ALM, May 17, 2020

This task has been on my to-do list for a while now and I’m glad I finally took the plunge and made it happen. It was something I really wanted to spend time on: learning how a network and its different devices really work, so I could fine-tune things to the needs of our family. And how do you learn something and improve things? By reading a lot of stuff on the internet, doing it yourself and getting it right at the end of the journey! There are still a lot of things that can be improved but I’m already happy with what I discovered and how the home network is set up now. To be clear: I’m definitely not a network expert, but as a geek I had a lot of fun exploring the different possibilities to roll out a (more) secure and reliable network.

Main reasons to upgrade: Security & Reliability

One of the reasons to upgrade my home network was to finally get more control over all the (IoT) devices that already run inside my network and to give these devices only what they need (Internet connectivity) without them having full access to the private network. No need to tell you anymore how important it is to secure your network as much as possible to avoid any potential intrusion from outside. I see this as a big challenge for all personal/home networks as the number of (IoT) devices is growing exponentially. Many consumers are totally unaware of the risks involved. Another reason was to make sure that my home network is always reliable and fast for everyone in our family, using any device from anywhere. Before COVID-19 I had already been working from home for about 30% of my time and it’s important to be able to use my home network as a professional network with maximum performance and reliability. My wife is also often working from home and my 2 daughters need the network for school and have become heavy users who require some decent bandwidth. They are actually the first to complain when the Internet drops or when something doesn’t work as expected.

Speedtest at home via fast.com from a wired device in the house.

Before

We have lived in our house for about 8 years and in the past I have used several different wireless routers and managed to get something in the air that worked pretty stably. Latest configuration: a Zyxel switch, a Netgear R8500 Nighthawk X8 router and an old D-Link router, configured as an extra access point with dd-wrt. The internet cable from my Internet Service Provider (Telenet) comes into the garage but I didn’t want to put my router in the garage. I wanted to position my powerful wireless router in the most central location of my house, which is on the first floor. Luckily, the house we bought already had UTP cables (CAT 5E) patched in every single room (from the garage), so it was quite easy to get the LAN cable from my router (DHCP) back to the switch in my garage and patch all other connections to the different rooms from there. With that easy setup, most of the rooms in the house were covered with WiFi (separate SSID for 2 GHz and 5 GHz). To fix a blind spot, I added the old D-Link router as an extra access point. The only weak area left was the 2nd floor where we have the children’s bedrooms.

UniFi

For quite some years I had been looking at Ubiquiti/UniFi and their products to set up my future home network. They have a strong reputation for providing high-end, innovative devices for wireless (enterprise) networks. These products are geared towards commercial/business users and require some basic network knowledge to install/use correctly.

My Unifi Topology

I bought the following devices to get started:

  • UniFi Dream Machine Pro: the core component in my network, which serves as the security gateway, including the UniFi controller and an 8-port Gigabit switch with support for UniFi Protect, all nicely mounted in a 19" server rack (1U). Other (cheaper) options were definitely possible but I decided to go for the all-in-one enterprise product.
  • UniFi Switch 24 PoE Gen 2: powerful 24-port switch with 16 Power over Ethernet (PoE) ports to power UniFi Access Points or other PoE devices. Perfect switch to add to the 19" rack (1U) in my garage together with the Dream Machine Pro.
  • UniFi AC Pro Access Point: high speed dual-band access point, up to 1750 Mbps, powered with PoE. Only a UTP cable is required for activation. Installed in a central location (first floor).
  • UniFi nanoHD Access Point: compact high speed dual-band access point, up to 1733 Mbps, powered with PoE. Only a UTP cable is required for activation. Installed in a central location (ground floor).
  • UniFi AC In-Wall Access Point: dual-band WiFi access point that converts an existing Ethernet wall jack into an access point with two Gigabit Ethernet ports. Installed in a bedroom (second floor).

Getting Started

The unboxing of all products was already a joyful experience. Everything was very nicely boxed and the devices felt premium at first touch. I had done the necessary preparations over a weekend to have my new patch cabinet (21U) ready for adding/cabling the Dream Machine and the Switch.

Dry Run for the Dream Machine Pro

Configuration UniFi Network Controller

Once booted, the Dream Machine Pro can be configured via a mobile device (Bluetooth) but I decided to connect my laptop to one of the LAN ports to follow the setup using the UniFi Network Controller management interface. Don’t forget to add 2FA when you sign up for a new UniFi account. Adding extra UniFi devices is as simple as clicking the adoption links in the devices overview screen. Very straightforward to add and manage these from the controller.

UniFi Devices overview from the browser (dark theme)

There’s also no extra action required anymore (with the Dream Machine Pro) to enable remote access. Log in from anywhere via https://unifi.ui.com/ and you are good to go. The apps for mobile devices (phone/tablet) are also pretty sleek and extensive for administration activities. I tend to log in mostly via these mobile apps instead of the browser. There aren’t a lot of things which cannot be done from the mobile apps.

Detailed port overview of the UniFi switch (Mobile App)

I like the intuitive display of the different ports to quickly identify what devices are connected and to look into all the details. The + icon in the ports indicates the Power over Ethernet (PoE) capability, which is extremely handy for the configured Access Points.

Different Local Networks

On to the real work now and getting some value for my money. Using the controller I ended up creating 3 different local networks (LAN).

Local Networks to isolate my private LAN

The LAN is my private/default corporate network, and I also wanted a dedicated corporate IoT network for all IoT devices and of course a separate Guest network, which has full isolation by default (no extra configuration required). Note the virtual LAN (VLAN) which is enabled for the other networks in order to separate network traffic on the same physical network. The only thing needed to block (new) traffic from the IoT network into my private network is a firewall rule that drops all new packets (LAN out, source = IoT network, destination = LAN network); because the rule matches only new connections, replies to connections initiated from the LAN side still flow back.

You can test this result by pinging devices across the different networks: you see a ping success when going from LAN >> IoT and a ping failure when going from IoT >> LAN. Once you have different local networks you can also update the port configuration in the switch to explicitly assign a wired device to one of these local networks. My solar panels, for example, have a wired connection to my switch on port #24 and that port is assigned to the IoT network. Very powerful and exactly what I need!
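The two pings described above, replayed against a small Python model of a stateful inter-VLAN filter (an added example, not code from the post or from Ubiquiti). It shows why the rule must match only new connections and, going beyond the post, what happens with a "drop everything" variant; the address plan, the rule names and the flow-identifier scheme are assumptions.

```python
import itertools
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the post's private LAN and IoT network (addresses are assumptions).
NETWORKS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "IoT": ipaddress.ip_network("192.168.20.0/24"),
}
def network_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), "WAN")

@dataclass(frozen=True)
class Rule:
    src: str           # source network name
    dst: str           # destination network name
    states: frozenset  # connection states the rule matches: "new" and/or "established"
    action: str        # "drop" or "accept"

# The post's rule: LAN out, source = IoT, destination = LAN, drop NEW packets only.
IOT_TO_LAN_DROP_NEW = Rule("IoT", "LAN", frozenset({"new"}), "drop")
# A tempting but wrong variant: dropping every packet also kills replies to LAN-initiated flows.
IOT_TO_LAN_DROP_ALL = Rule("IoT", "LAN", frozenset({"new", "established"}), "drop")

class StatefulFilter:
    """Tiny model of a stateful inter-VLAN firewall: connection tracking plus ordered rules."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # flows already accepted, keyed by endpoints and flow id
    def handle(self, src_ip, dst_ip, flow_id):
        """Return 'accept' or 'drop' for one packet; a reply reuses the request's flow_id."""
        key = (frozenset({src_ip, dst_ip}), flow_id)
        state = "established" if key in self.conntrack else "new"
        verdict = "accept"  # default policy between local networks: allow
        for rule in self.rules:
            if (rule.src, rule.dst) == (network_of(src_ip), network_of(dst_ip)) and state in rule.states:
                verdict = rule.action
                break
        if verdict == "accept":
            self.conntrack.add(key)
        return verdict

_flow_ids = itertools.count(1)  # stands in for the ICMP echo identifier of each ping
def ping(fw, src_ip, dst_ip):
    """Echo request plus echo reply: the ping succeeds only if both directions are accepted."""
    flow_id = next(_flow_ids)
    if fw.handle(src_ip, dst_ip, flow_id) != "accept":
        return False
    return fw.handle(dst_ip, src_ip, flow_id) == "accept"
```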

Separating wired devices on local network

Different Wireless Networks

Matching my local networks, I have created 3 dedicated wireless networks to also separate traffic wirelessly with multiple SSIDs.

Matching Wireless Networks

There are a ton of configuration options available for the wireless networks, but the options I was looking forward to were combining the 2 GHz and 5 GHz WiFi network names into one SSID and enabling fast roaming to make switching between access points as seamless as possible. Make sure you also enable the VLAN to map the IoT/Guest wireless network to the local IoT/Guest network. Nothing more, nothing less. Most of my requirements are already met with a clear separation of the local and wireless networks.

What’s also interesting with the UniFi gear is that you can still control which SSIDs need to be active on every single access point. For example, I only wanted the 5 GHz radio signal available for the Sparkles SSID on the AC In-Wall access point and only the 2 GHz radio signal for the IoT SSID. No problem!

Configure/Customize WLANs on AC-InWall access point

Guest Network

Having a wireless guest network at your home should be an absolute must. When you have someone over (family/friends/colleagues), always redirect them to use the isolated Guest network. It’s not that I personally don’t trust family/friends/colleagues to use my local network, it’s about avoiding any risk they bring by connecting their (personal) devices to my private network. What if their device was somehow already infected, or what if they happen to browse to malicious websites via my private network? If people need internet access at your home, just provide it via the guest network and that network will simply do what it was intended for: provide internet access for guests without allowing them access to your private network.

The UniFi Controller has many different options to set up a Guest network. Guests will typically use WiFi for internet access and that’s why I don’t foresee a scenario for wired guest access, which could be done by assigning the guest network at the port level of the switch.

I started by setting a basic password (WPA Personal) for the Guest SSID. Once connected, guests are redirected to the guest portal where they need to provide a voucher code, which can easily be generated on the fly from the UniFi controller app.

Generating a voucher and using the voucher in the Guest Portal

The voucher add-on is in fact nice to have, but in the end it might be sufficient to just secure the Guest SSID with a password that you change from time to time (no extra authentication needed once connected to the WiFi). It really depends on the specific scenario and how much control you want to have.

A feature which I have found useful in the controller is scheduling the Guest network so the Guest SSID is only broadcast during specific hours (for example from 9AM to 9PM). Another configuration I activated was limiting the download/upload bandwidth via a custom Client Group. Or simply turn off the Guest wireless network when you are away.

There are also many new options available with Hotspot 2.0.

The main thing to remember about a Guest network is to always enable it for your guests and don’t be lazy and allow them on your private network!

One extra configuration was added in the controller to allow guests access to my (Xerox) network printer (fixed IP address), which is running on my private network. This can be done by setting pre-authorization access to the fixed IP address of my printer.

Allow guests to access my network printer (corporate local network)

Link Aggregation for my Synology NAS

For many years now I have been running a Synology NAS (DS412+) as a local backup for my documents, pictures, videos, … With the arrival of my new patch cabinet I also moved the Synology box closer to the UniFi switch and made use of link aggregation (LAG) to combine 2 physical ports into a single high-bandwidth data path, increasing throughput to/from my NAS (a 2-gigabit connection using two separate 1-gigabit ports). It also offers redundancy in case one of the links should fail. Doubling throughput can definitely help to move some big files over the local network!

Using ports 11 and 12 for Link Aggregation

Using Pi-hole as a DNS resolver to block ads

In the Local Network settings I also pointed the DHCP Name Server to Pi-hole which is running in a Docker container on my Synology NAS. You can do this for the various local networks you have.

Speed

Doing some speedtests around the house now gives me great satisfaction. Wired devices have never caused an issue and are still my preferred choice where possible (printer, Sonos, desktop/laptop). Wireless devices need to get their data from the different access points in the house and the coverage/speed is now definitely better than before. Also, no blind spots anymore! Full power for everyone on every floor. Only one improvement for the future: providing outdoor WiFi in the full backyard. When I later decide to upgrade my internet package (speedboost) and get a download speed of 1 Gb/s, my current access points will follow flawlessly and automatically benefit from the higher download rate.

Speedtest from my iPad, connected to one of the UniFi access points.

UniFi Protect

Finally I should tell you that I also bought the (outdoor) UniFi G3-Flex Camera, which allowed me to explore the UniFi Protect surveillance system.

Full HD 1080p resolution powered by PoE from the switch

Buying the Dream Machine Pro had the advantage of offering built-in support for the UniFi Protect video surveillance Network Video Recorder (NVR). For storing the video recordings, I added an old 3.5" Hard Disk Drive to the Dream Machine Pro. My house was already equipped with UTP outdoor endpoints at the different corners of the building and sending PoE from the switch was a short patch cable away. So, why not take full advantage of that and add a security camera to the network? Again, adopting the camera was extremely simple and it offers a number of options to specify what to record and what not to record (motion zones).

I was a bit surprised to find that the motion zones are configured in the opposite sense. Instead of configuring a motion zone where the activity needs to be monitored, I had to configure the motion zone where I didn’t want to track activity (the road). Still a bit puzzled why, but it’s working for me now with this opposite configuration.

The UniFi Protect app also helps to manage all configurations and shows a nice timelapse of the events. I think I might extend the number of cameras in the future.

Conclusion

Well, this has been a longer post than I expected, but it has been an interesting and fun ride to upgrade my home network to a (more) secure, fast and reliable network. I did learn a lot over the last couple of weeks but there’s still some homework left for me and there are definitely some topics I want to dive into a little deeper. The next to-do on the list, for example, is to configure a VPN Server so I can also remotely log in to my private network via VPN.

Final result of the new patch cabinet with the UniFi Dream Machine Pro and the 24-port switch

Visual Studio ALM MVP — Managing Director Xpirit Belgium (2018) — Founder of Techorama (2014) — www.techorama.be — www.xpirit.com