Rich Freeman via plug on 13 Jun 2020 15:44:30 -0700 |
Re: [PLUG] Ubiquiti home setups |
On Sat, Jun 13, 2020 at 6:10 PM Chad Waters via plug <plug@lists.phillylinux.org> wrote:
>
> Can someone share with me their Ubiquiti network layout (off list if preferred)? I am looking for a 2-3 AP layout, but I'm not sure what other hardware of theirs I would need. Any build-out on the web seems to be everything.
>
> I have a PoE switch. Does their switch offer any added functionality?
> I have a firewall (it can do layer 3 filtering, but I let UTM licensing lapse). If their firewall does more application layer filtering (thinking parental controls as my kids get older) without expensive licensing, that is a maybe.
>

So, as far as I'm aware the UniFi gear doesn't really do anything particularly exotic for its class - its main advantage is the central management and coordination. You only get that if you use all UniFi gear, though I guess you could toss in other stuff and manually configure it to match.

Note that Ubiquiti has at least three lines of equipment that I'm aware of, and while they all have options for central management, for the most part these don't interoperate. So if you're running UniFi+AmpliFi+EdgeOS you are going to have a ton of manual config headaches to deal with.

> If the controller is onsite, are the APs doing something like CAPWAP to it? Is it really feasible to have this on a Pi like blogs that I see? Is there VLAN tagging? Can I have a guest network SSID that is dumped into its own VLAN?

So, UniFi certainly does provision all its gear centrally, but I have no idea if the protocol is interoperable with anything or if it follows any standard. I'd guess no, but maybe it does.

It supports VLANs and it is trivial to associate an SSID with a VLAN.

Here is my setup, which has slowly evolved:

UniFi Security Gateway
UniFi switch attached to the gateway
More UniFi switches at various points in the house which run to the central switch.
An indoor UniFi AP and an outdoor UniFi AP on two of those switches.

I have VLANs for the regular LAN, an isolated IoT LAN, and three networks for AREDN (WAN, LAN, D2D). The IoT, LAN, and AREDN-WAN VLANs all go to the gateway and are routed to the internet. Most of those VLANs are associated with SSIDs on the 2 APs. I also have a couple of SSIDs for the LAN - one is 2GHz, one is 5GHz, and one covers both - this way I can force devices onto a particular band if needed (especially some 2GHz-only gear).

The beauty of UniFi though is that you define your networks and their VLAN IDs and routing/etc, and then you define your SSIDs and associate each with a VLAN, and then all the switches and APs just get provisioned automatically. If I add a new VLAN+SSID+routing everything gets reconfigured in one click. The switch port profiles are templated but often need a bit more tweaking since you don't want VLAN traffic going to non-VLAN-aware hosts - for the most part I'm either passing all tags or just dropping tags for a specified network on each port.

The config is not 100% flexible. In particular you can't remap VLANs, so if data comes in on a port from foreign hardware tagged with VLAN 1 you can't tell the switch to remap that to VLAN 5 or whatever if that conflicts. Also, even if you don't want to serve DHCP or route you still have to assign an IP range to every network - one of my VLANs carries a conflicting address space, so I gave it a dummy IP range in the network config and just block it from getting to the router - there is no routing or DHCP provided by UniFi, so the IP doesn't have to match between the config and the devices.

I'm running my controller in a container on an amd64 box. It seems like it is relatively lightweight, though it can use a bit of RAM at times. It uses Java and Mongo among other things. I'm guessing it would run on a Pi.

Just about everything runs Linux and can be accessed by ssh. Not everything has a web interface for manual config - it is really intended to be adopted by a controller. I think the APs can be web configured - not much else can, except maybe to set a static IP just to nudge it onto the network if necessary to get provisioned (I only really had to mess with this with the security gateway, which is set to be a DHCP server by default and not a client on the LAN side, so adopting it into an existing network is a bit painful).

In general UniFi has a ton of features and they're pretty easy to manage centrally. The big caveat is that if you want to do something it doesn't support you can end up having to go into config files - something I've avoided because the whole point of this is to avoid having to treat it like OpenWRT and so on. Mixing GUI and file-based configs can get messy fast.

You can buy a wall wart controller for the whole thing if you don't want to provide your own. The software is packaged for Ubuntu.

As you've probably noticed, their stuff is generally priced at a premium, which can add up. Also, their "cheapest" security gateway ends up being not much more useful than a router if you have more than maybe 20Mbps internet, because many of the IDS features do not work with hardware routing. It can do gigabit (in theory) if you stick to the hardware routing, but if you want some of the fancier traffic analysis you're now using the CPU, and that can't even keep up with my 50Mbps FiOS. The more expensive security gateway products are apparently much more capable in this regard. Their higher-end stuff also supports 10Gb ethernet.

Overall I recommend it, but you really only get the max benefit if you go all in. I'd stick with UniFi. The AmpliFi stuff is basically their equivalent of Google WiFi - automagic everything with mesh. The EdgeOS stuff is fine, but mostly oriented around wired networking, and the controller isn't super-compatible with the UniFi stuff.

Oh, I saw they also have IP cameras, and as far as I can tell, while they use the UniFi brand there really isn't any synergy with the networking gear, so there is no real benefit to sticking with the brand for that.

If you have any questions I can try to answer them. Note that I do NOT consider myself a networking expert compared to professionals in that field, but I know enough to be dangerous and might be able to help you a bit. I have quite a bit of respect for those who have a lot of experience in that field - it really is its own domain.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
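The provisioning model Rich describes (networks with VLAN IDs and a mandatory address range, SSIDs bound to a network, switch port profiles that either trunk everything or hand one network untagged to a non-VLAN-aware host) can be checked mechanically. The script below is an added example written for this page; it is not Ubiquiti code, does not use any UniFi API, and every class, function and sample value in it (Network, SSID, Port, build, the sw1/sw2 ports, the 192.168.x and 10.99.99.0/24 ranges) is a constructed assumption. It derives the 802.1Q untagged/tagged set for each port and flags the three things the post warns about: an AP uplink that does not carry a VLAN one of its SSIDs uses, a trunk profile on a port feeding a host that cannot handle tags, and two networks whose address ranges overlap (the case the post works around with a dummy range).

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Network:
    name: str
    vlan: int
    subnet: str        # controller requires a range even when it neither routes nor serves DHCP
    routed: bool = True


@dataclass(frozen=True)
class SSID:
    name: str
    network: str       # network (VLAN) the SSID's clients are dumped into


@dataclass(frozen=True)
class Port:
    switch: str
    port: int
    profile: str       # "all" = trunk (native untagged, everything else tagged); else a network name, untagged only
    attached: str      # "ap", "switch" or "host"; constructed label used only by the checks below
    ssids: tuple = ()  # SSIDs served by the AP on this port, when attached == "ap"


def build(networks, ssids, ports, native="LAN"):
    """Derive per-port 802.1Q config ({switch:port -> {untagged, tagged}}) plus a list of problems."""
    by_name = {n.name: n for n in networks}
    ssid_net = {s.name: s.network for s in ssids}
    problems = []

    for s in ssids:  # every SSID must map to a defined network
        if s.network not in by_name:
            problems.append(f"SSID {s.name!r} references undefined network {s.network!r}")

    vlan_owner = {}  # VLAN IDs cannot be remapped, so they must be unique
    for n in networks:
        if n.vlan in vlan_owner:
            problems.append(f"VLAN {n.vlan} assigned to both {vlan_owner[n.vlan]!r} and {n.name!r}")
        vlan_owner[n.vlan] = n.name

    nets = [(n.name, ip_network(n.subnet)) for n in networks]
    for i, (a, sa) in enumerate(nets):  # overlapping address ranges
        for b, sb in nets[i + 1:]:
            if sa.overlaps(sb):
                problems.append(f"address ranges of {a!r} ({sa}) and {b!r} ({sb}) overlap")

    config = {}
    for p in ports:
        key = f"{p.switch}:{p.port}"
        if p.profile == "all":
            cfg = {"untagged": by_name[native].vlan,
                   "tagged": sorted(n.vlan for n in networks if n.name != native)}
            if p.attached == "host":
                problems.append(f"{key}: trunk profile on a port for a non-VLAN-aware host")
        else:
            if p.profile not in by_name:
                problems.append(f"{key}: profile names undefined network {p.profile!r}")
                continue
            cfg = {"untagged": by_name[p.profile].vlan, "tagged": []}
        if p.attached == "ap":  # the AP uplink must carry every VLAN its SSIDs use
            needed = {by_name[ssid_net[s]].vlan for s in p.ssids if ssid_net.get(s) in by_name}
            missing = sorted(v for v in needed if v != cfg["untagged"] and v not in cfg["tagged"])
            if missing:
                problems.append(f"{key}: AP serves SSIDs on VLAN(s) {missing} that the uplink does not carry")
        config[key] = cfg
    return config, problems


# Constructed sample layout; names, VLAN IDs and ranges are assumptions, not the poster's values.
NETWORKS = [
    Network("LAN", 1, "192.168.1.0/24"),
    Network("IoT", 20, "192.168.20.0/24"),
    Network("Guest", 30, "192.168.30.0/24"),
    Network("AREDN-LAN", 40, "10.99.99.0/24", routed=False),  # dummy range, not routed
]
SSIDS = [SSID("home", "LAN"), SSID("things", "IoT"), SSID("guest", "Guest")]
PORTS = [
    Port("sw1", 1, "all", "switch"),
    Port("sw1", 2, "all", "ap", ("home", "things", "guest")),
    Port("sw1", 3, "LAN", "host"),
    Port("sw2", 1, "LAN", "ap", ("home", "guest")),  # mistake: untagged-only uplink to an AP
    Port("sw2", 2, "IoT", "host"),
]


def example():
    return build(NETWORKS, SSIDS, PORTS)


def conflicting_example():
    """Same layout, but the unrouted VLAN keeps its real, conflicting address range."""
    nets = NETWORKS[:-1] + [Network("AREDN-LAN", 40, "192.168.1.0/24", routed=False)]
    return build(nets, SSIDS, PORTS)


if __name__ == "__main__":
    for name, fn in (("dummy range", example), ("real range", conflicting_example)):
        cfg, probs = fn()
        print(name, cfg, *probs, sep="\n  ")
```

With the dummy range the only finding is sw2:1, where the guest SSID's VLAN 30 is not carried to the AP, so guest clients would land untagged on the LAN or get no address at all; with the real range a second finding reports the 192.168.1.0/24 overlap, which is exactly why the post substitutes a dummy range for an unrouted network.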