Last active February 21, 2024 02:52
Help me spec out a replacement home network using Ubiquiti bits
That's it - I've finally lost it with Linksys and both my WRT 1900ACs that are only a year old are getting chucked. Don't get me started on all the reasons why, but it's primarily down to continued degradation of wifi signal and the constant need for reboots. Going by the responses to this tweet, that's just what they do:
I’m going all out with Ubiquiti instead. No, I'm not interested in [insert the other thing you think rocks here], there's a really vocal majority in favour of Ubiquiti so that's that. Now I need help speccing out what I need for my house as it’s not quite as straightforward as just chucking in a couple of (dodgy) routers.
Here’s what I’m working with:
- Large multi-level house about 500m2 (needs at least 2 APs, probably more)
- Wired ethernet to every room (I believe Cat 5e, was here when I got here)
- Patch board in the garage and a 100Mbps hub (running patch cables out to a Linksys 8 port gigabit switch instead)
- 4 wired connections used in the lounge (presently has 1 Linksys WRT 1900AC + ISP cable modem which needs to be there because that’s where the cable enters)
- 6 wired connections used in office (presently has 1 Linksys WRT 1900AC + a Linksys 8 port gigabit switch)
- Internet connectivity: Cable modem -> Linksys WRT 1900AC (lounge) -> patch board -> Linksys WRT 1900AC (office)
Here’s the Ubiquiti bits I think I need:
- UniFi Security Gateway (sits between switch and cable modem)
- 3 x UniFi US‑8‑150W 8 port UniFi switches, 1 for the lounge, 1 for patch board and 1 for office, both with PoE
- 2 x UAP-AC-PRO access points for lounge and office (or go all out and get a 5 pack of them)
- UniFi Cloud Key to manage it all
Network topology wise, it then does this:
Cable modem in bridge mode (lounge)
 |
UniFi Security Gateway (lounge)
 |
US‑8‑150W switch (lounge)
 |-- Wired lounge devices
 |-- UAP-AC-PRO for lounge wifi
 `-- US‑8‑150W switch (garage)
      |-- UAP-AC-PRO (somewhere else)
      |-- (somewhere else)
      `-- US‑8‑150W switch (office)
           |-- Wired office devices
           `-- UAP-AC-PRO for office wifi
- What would you do differently / better?
Thank you!

Hi Troy,

I just woke up (07:00 on this end of the planet).

I have a few questions:

- can you switch your cable modem to bridge mode?
- do you have two wired ethernet between the lounge and the garage?

If you answer yes to both questions, you'll be able to put the Edge Router at your central point (garage). One wire bringing the internet to the Edge Router, then the other bringing the LAN to the lounge.

I'm not sold on the UniFi Cloud Key. I have one sitting on my desk for two months. In two instances, I used a plain Debian to run the official UniFi Controller. It's straightforward to add the official repository and install the unifi5 package. A Raspberry Pi 3 will do the trick.

I would keep what works (Linksys switches). The only reason to replace them is to use VLANs to keep "weird" devices in their own area.


Fabrice Roux (Marseille, France)


troyhunt commented Sep 26, 2016

Yes, should be able to bridge the cable modem and also yes, lounge to garage is wired.

I could put the router in the garage and patch the cable modem in the lounge through to it, but then I also have to patch it back to another switch in the lounge given there are multiple wired devices running there. Perhaps that's the best thing to do anyway: router sits at the central point and then just happens to run a connection back to the lounge to a switch as well.

Actually, that's a bit of a problem in that unless I go to a rack mount (which I really don't want to do), I'll run short of ports if the router is next to the patch board. If I put a switch in there I've got a few more, plus I'm not sure it really matters...


I just realized that the first post is a moving target (we are on GitHub after all).

If you go the UniFi Security Gateway road, you can get rid of the Edge Router. And you definitely want to put it in the garage since it has a couple of 40mm fans in the back. The kind that has a low Woman Acceptance Factor.

One thing: you might be able to use the UAP-AC-PRO secondary port to bridge your 8 port switches in the lounge and the office. TBH I never tried it. This would allow you to use a single PoE switch in the garage to power up to 7 UAPs. Given the power output, these babies probably come with their own fans. :)

FYI each of my UAP-AC-PROs (at room temperature) drains between 4W and 5W. At least this is what the PoE switch reports.


One can make a parallel between Ubiquiti and photography. You can take pictures with a smartphone, a point and shoot, a DSLR,...

Smartphone = ISP triple/quadruple play box. It can do the job but it's a lottery... from really bad (checking features on a spreadsheet) to decent (ie the Freebox in France).
Point and shoot = dedicated blue box wifi router. Probably works most of the time... but with little to no support.
DSLR with a 28-200 zoom lens = brand name wifi router with OpenWRT/Tomato/DD-WRT. The usual option for people that aim above the masses.
DSLR with a 50mm fixed lens = Ubiquiti. Gives you the best an enthusiast can expect... for an acceptable premium. The key is dedicated devices.

To give you a metric of the Edge Router performance: when I saturate the pipe (1Gbps fiber €40/month), my Edge Router CPU load hovers between 6 and 10%... and one chunk of this includes the webserver that runs the router interface.


NickCraver commented Sep 26, 2016

I concur with tweaking the setup a little bit, mostly eliminating the EdgeRouter for a few reasons:

- You won't be able to manage it the same way (you can't manage them from the UniFi controller)
- I'm not sure it has enough ports. You said you're using 4 ports - with 1 to USG, 1 to AP, 1 to the switch, are the 2 remaining enough? I'm not sure what the 4 ports you listed currently include.
- Do you need a router here at all? I'd imagine you only want a switch anyway, possibly desiring VLAN/isolation support.

I think you're better off with a third 8-port here if management via a single interface is a big draw. It'll make VLAN isolation management and such easier to deal with. There are no fans in the ES‑8‑150W, they're silent. Non-rack form factor and silence were a bonus for me.

Cloud Key: I'm using one. I've had it lose configuration once when re-plugging switch power several times in a short period. Otherwise it's been solid, always keep a backup of the controller after changes no matter what you decide to run it on. I also know several people running it on a Pi 3 with no issues, it's just not as clean on the wiring (if that matters).

APs: while you can bridge through the APs (for example in the office), just keep in mind that settings changes (triggering a re-provision) will interrupt that connection. So they're good for chaining 1 thing (e.g. a bedroom TV or something) but not chunks of the network. There's also the shared bandwidth issue in doing that.

Switches: Just to note, if cost is an issue at all, keep in mind that the US‑8‑150W is mostly about management and a clean wiring setup. They're not essential since each AP has a PoE injector in the box, but they are damn nice :)

I'm very happy with the Ubiquiti setup here with 2 UAP-AC-PROs, 1x US‑8‑150W, 1x USG, and 1x CloudKey and I'll add another 1-2 APs when we finish the basement and likely stack another ES‑8‑150W over the 2x SFP over the next few months. Let me know if you have more questions or want a dashboard tour to poke at - happy to do a hangout or something. Good luck!


Is there a reason for both the USG and the edge router? Other than also allowing you to manage your APs (which you could do with a cloud key or even if you wanted to set up a cloud controller on AWS) they both fill a similar role in the network. If you need extra ports the edge router will probably be a better option. I would suggest a cloud key and edge router instead of the USG and Edge router. You can place the key at any point in the network where there is a free POE port.

The rest of your layout is pretty spot on. With only the 5 ports in the lounge, you may end up wanting another switch for expansion in the lounge but you can add that when needed. Having just set up an edge router lite recently, the included wizards in their latest firmware make initial configuration very simple. Just remember any config you do before running the wizard will be wiped out once you run it! Unbox -> update firmware -> run wizard -> modify as needed.


notr1ch commented Oct 5, 2016

Do you really need 24 ports of POE? You're spending $600 for 24 gigabit ports otherwise, which is really costly. You can get 8 port VLAN capable switches for ~$35 and then a couple of POE injectors for your APs.


If you think you may need additional ports in any location, I'd get a bigger switch now, vs adding another later.
Unifi works great for simple networks, and my experience with USG is a little dated, but there were two things that made my life difficult at one point:

  1. IPSec L2L VPN to another entity was only achievable via hacking a JSON POST manually, and it would be overwritten if you saved the config in the GUI that called that same place again.

  2. Switches were unable to configure only specific VLANs on VLAN Trunks. All Trunks got all VLANs.

Either/Both of these may be fixed by now, or may not be an issue for you at all.

I'm also not much of a fan of the CloudKey. It doesn't take many resources for the controller. I normally use Debian stable as a base install, and host one publicly for F&F sites that I manage. Add the Unifi repository, and away you go. 2GB of RAM though, Java is a pig!


Hi Troy,

I would recommend getting a 24 port edge switch as that would provide POE and have enough ports to bring all the cables back to one point. I would also encourage you to run Cat 6 for more headroom. Check out the Belden Reconnect for the AP. I found out some of my crimp jobs were only getting 10Mbit despite looking perfect. These connectors would solve that problem. I would also ditch the gateway for the $500 PFsense box and it has 3 ports allowing for IOT isolation. I have some of the PFsense hardware at work and it has fantastic throughput and is easy to configure. With plugins you can also block ads, filter sites and protect the kids.

One last thing. Don't skimp on the wall jacks and the patch cords. I did some home testing and found a noticeable improvement by using high quality cables ($7) over the generic $1 cable.

My config is as follows:

PF sense home built PC
8 cat 6 runs and cat 6 jacks
12pt patch panel
meraki 10 port switch (POE) .. it was free
same AP as you have listed
raspberry pi 2 running ubnt controller
DSL modem


Hi Troy

For the last 6 months or so, I've been running a USG, 8 port POE Switch with 2 UAP-AC-Lites - 1 in bridge mode - and a Cloudkey.

It's been super reliable and even the bridged AP has been almost flawless (I think I had to reboot it once). I love being able to manage everything from a single interface and that the Cloudkey is just another appliance, not another "computer" to manage.

In a few weeks, we'll be moving to a house similar to yours - 2 stories and +- 550m2. The USG, switches (I'll add another 8 port) and cloudkey will all be in the garage with cat6 cables to each room/tv (multiple to some locations like office) etc. I'll also be adding a 3rd AP but this time they'll all be wired. I'll report back on coverage once I'm up and running in the new house.


nrandell commented Oct 9, 2016

What are people's thoughts on fewer UAP-AC-PRO vs more UAP-AC-LITE? My thoughts behind this are to provide more 5Ghz APs so you get better performance in more rooms.


notr1ch commented Oct 10, 2016

More APs running at lower power is generally better than one or two high power APs. Less power required on both ends, leading to longer battery life in mobile devices and decreased RF pollution. The main issue with that kind of setup is that a lot of devices have very poor roaming and will hold onto a low quality signal for way too long before switching to another AP. There are workarounds such as forced deauth if a client signal gets too low, but when you "kick" a client as opposed to letting the radio roam by itself you will interrupt active connections.


Just wanted to add some thoughts:

I'm running the controller on a Pi2 with no issues. While I admit the PoE is nice I don't really think it's needed unless you have LOTs of network devices using the power and/or they're in places where getting power is hard. For just two (or even five) APs I don't think it's worth it. Just use the power injectors that come with them.


I suggest you analyse the UBNT firmware before deciding to go all UBNT. You can get their firmware online from the support / firmware updates page and just take a look at how they do stuff. At least years back when I had to deal with support for a bunch of UBNT hardware, the general rule of thumb was that their hardware is great, but products get released before the software is even 50% ready for release - especially regarding locking down the system and doing basic attack surface reduction. Might be better now.
Suggestion: get one device, have some fun breaking it, and then decide for or against it 😄
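One way to do the firmware look-over suggested in this comment, as an added example that is not the commenter's code and not a Ubiquiti tool: a script that audits an already-unpacked root filesystem for the lock-down basics the comment mentions (setuid/setgid executables, world-writable files, accounts with no password set). The extraction step itself (pulling the squashfs out of the vendor image) is assumed to have been done already; the script builds a constructed sample tree in a temporary directory so it runs offline, and every finding in that tree is planted on purpose.

```python
"""Quick attack-surface audit of an unpacked firmware root filesystem.

Added example, not from the gist. It reports setuid/setgid executables,
world-writable regular files, and accounts in etc/shadow whose password
field is empty. The sample root filesystem is constructed in a temp dir.
"""
import os
import stat
import tempfile


def _regular_files(root):
    """Yield (relative path, lstat result) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(path, root), st


def find_setuid(root):
    """Relative paths of regular files with the setuid or setgid bit set."""
    return sorted(rel for rel, st in _regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_world_writable(root):
    """Regular files any local user could modify (o+w bit set)."""
    return sorted(rel for rel, st in _regular_files(root)
                  if st.st_mode & stat.S_IWOTH)


def empty_password_accounts(root):
    """Usernames in etc/shadow whose password field is empty.

    Locked accounts ("*", "!", "!!") are not reported; they cannot log in.
    """
    shadow = os.path.join(root, "etc", "shadow")
    if not os.path.exists(shadow):
        return []
    users = []
    with open(shadow, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 2 and fields[1] == "":
                users.append(fields[0])
    return sorted(users)


def audit(root):
    """Run all checks and return a dict of findings."""
    return {
        "setuid": find_setuid(root),
        "world_writable": find_world_writable(root),
        "empty_passwords": empty_password_accounts(root),
    }


def build_sample_rootfs():
    """Create a constructed mini root filesystem with deliberate findings."""
    root = tempfile.mkdtemp(prefix="fw-rootfs-")
    for sub in ("bin", "etc", "tmp", "usr/sbin"):
        os.makedirs(os.path.join(root, sub))

    def write(rel, content, mode):
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)

    write("bin/busybox", "#!/bin/sh\n", 0o4755)       # setuid: worth reviewing
    write("usr/sbin/httpd", "#!/bin/sh\n", 0o755)     # ordinary executable
    write("tmp/startup.sh", "#!/bin/sh\n", 0o777)     # world-writable script
    write("etc/shadow",
          "root::18000:0:99999:7:::\n"                  # empty password field
          "admin:$1$examplesalt$examplehash:18000:0:99999:7:::\n"
          "daemon:*:18000:0:99999:7:::\n",              # locked, not reported
          0o600)
    return root


if __name__ == "__main__":
    for check, hits in audit(build_sample_rootfs()).items():
        print(f"{check}: {hits or 'none'}")
```

Point it at the real extracted tree instead of `build_sample_rootfs()` and the three lists tell you how much of the lock-down work was left undone.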


Regarding the wifi side: the rule of thumb is to favor 5GHz over 2.4 GHz if all devices support it. Much more stable data transfer. Also, make sure to lower the transmission power setting to only cover the area that you need. More transmission power on just one side will only raise the noise level, but not improve connectivity, because your laptop/smartphone/tablet will only send with the usual low dBm values and is optimized for low power consumption.
Do not use more than 3 SSIDs on one 40MHz wide channel and do not place nearby wifi APs on the same or overlapping channels.
Also yes, always use proper CAT 6 or CAT 7 cable or you will have to redo some cabling in a few years. Don't be too greedy on the network cable. Replacing anything else is done quickly and easily, but redoing network cable which might even be hidden inside some walls is lots of work.
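A small checker for the two channel-planning rules in this comment (nearby APs must not share or overlap channels; no more than three SSIDs on one radio), as an added example that is not part of the gist or its comments. The AP names, channels and SSID counts are a constructed sample plan; the centre-frequency formulas are the standard 802.11 ones (2.4 GHz channel n at 2407 + 5n MHz, channel 14 at 2484 MHz; 5 GHz channel n at 5000 + 5n MHz), and a 40 MHz channel is modelled as the primary 20 MHz block plus the adjacent block above or below it.

```python
"""Wi-Fi channel plan sanity check (added example, not from the gist)."""
from itertools import combinations


def centre_mhz(band, channel):
    """Centre frequency in MHz for a channel number on the given band."""
    if band == "2.4":
        if channel == 14:
            return 2484
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5":
        if 36 <= channel <= 177:
            return 5000 + 5 * channel
    raise ValueError(f"invalid channel {channel} on {band} GHz")


def channel_span(band, channel, width=20, secondary=None):
    """(low, high) MHz occupied by a 20 or 40 MHz channel.

    For 40 MHz, `secondary` says whether the bonded block lies "above" or
    "below" the primary channel.
    """
    c = centre_mhz(band, channel)
    if width == 20:
        return (c - 10, c + 10)
    if width == 40:
        if secondary == "above":
            return (c - 10, c + 30)
        if secondary == "below":
            return (c - 30, c + 10)
        raise ValueError("40 MHz channel needs secondary='above' or 'below'")
    raise ValueError(f"unsupported width {width}")


def overlaps(a, b):
    """True when two (low, high) spans share spectrum (merely touching is fine)."""
    return a[0] < b[1] and b[0] < a[1]


def find_conflicts(aps):
    """Sorted list of AP name pairs whose channels overlap on the same band."""
    conflicts = set()
    for x, y in combinations(aps, 2):
        if x["band"] != y["band"]:
            continue
        sx = channel_span(x["band"], x["channel"], x.get("width", 20), x.get("secondary"))
        sy = channel_span(y["band"], y["channel"], y.get("width", 20), y.get("secondary"))
        if overlaps(sx, sy):
            conflicts.add(tuple(sorted((x["name"], y["name"]))))
    return sorted(conflicts)


def overloaded_radios(aps, limit=3):
    """Names of APs broadcasting more SSIDs than `limit` on one radio."""
    return sorted(ap["name"] for ap in aps if ap.get("ssids", 1) > limit)


# Constructed sample plan: three 2.4 GHz radios and three 5 GHz radios.
# The garage radios are deliberately placed on channels that collide.
SAMPLE_APS = [
    {"name": "lounge", "band": "2.4", "channel": 1, "ssids": 4},
    {"name": "office", "band": "2.4", "channel": 6, "ssids": 2},
    {"name": "garage", "band": "2.4", "channel": 3, "ssids": 2},
    {"name": "lounge-5g", "band": "5", "channel": 36, "width": 40, "secondary": "above"},
    {"name": "office-5g", "band": "5", "channel": 44, "width": 40, "secondary": "above"},
    {"name": "garage-5g", "band": "5", "channel": 40},
]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE_APS):
        print(f"overlap: {a} <-> {b}")
    for name in overloaded_radios(SAMPLE_APS):
        print(f"too many SSIDs: {name}")
```

Channels 1 and 6 pass because their 20 MHz spans do not intersect, while channel 3 collides with both; on 5 GHz the bonded 36+40 and 44+48 pairs sit side by side without overlap, but a third radio on channel 40 lands inside the first pair.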


vincentparrett commented Oct 11, 2016

I have 2 x UAP-AC-PRO covering my house using POE from an edge switch, works really well love that I can use schedules to turn off the kids ssid to make sure they are not staying online all night! Only issue I have had is the 24 port edge switch runs pretty hot. Mine is in a wall mounted mini rack cabinet (in my attached garage) along with my adsl router, qnap nas , 2x hd homerun tv tuners and a cloudkey and I had to put a fan in the cabinet to stop the switch overheating (everything else runs cool enough, even in a 42 deg C Canberra summer).

The cloudkey lost its settings last time I did a firmware upgrade but has been rock solid since then, I have not touched it in 6 months. Roaming didn't work too well so I ended up turning it off, the APs are on different channels and do overlap slightly, in practice the range is good on both APs over most of the house.

The APs are fussy about the cabling, one AP (furthest from switch) will only connect at 10Mb even with Cat6, have recrimped the connectors on both ends twice, and it checks out just fine with cable testers or even my MacBook... so not sure what's up there, if I take the AP and plug it into a short cable into the switch it connects at 100Mb.. haven't had time to look into it further and with my 5Mbit ADSL1 connection it's not really an issue!


I've been looking at Ubiquiti too for a similar reason but I keep encountering posts about quality like this

So they use USB sticks for storage, power it off by pulling power and you're likely to corrupt things.


basisbit commented Oct 11, 2016

one AP (furthest from switch) will only connect at 10Mb even with Cat6, have recrimped the connectors on both ends twice, and it checks out just fine with cable testers or even my MacBook...

@vincentparrett not unusual for Ubiquiti to have some deaf units. Check if you get 100Mb/s on a very short cable and reset the device. If you don't get it to connect at 100Mb/s, send it back to your seller and request a replacement.


@basisbit - I decided to update the firmware tonight (1st time in 6 months) and now both APs are connecting at 1Gbps. Go figure!
