Jump to content
BAlGaInTl

Ubiquiti UniFi Thoughts and Questions

Recommended Posts

BAlGaInTl

Okay... so several threads got me thinking about upgrading my network infrastructure again. I see lots of members talking about and/or recommending Ubiquiti gear.  I've thought multiple times about moving from consumer to professional gear, but I'm admittedly cheap, even though I don't have to be.  :D

 

So... I have thoughts and questions.

 

In case you haven't read it elsewhere... my current setup is 4x Google OnHub set up in a mesh. It covers about 5k sq ft across 3 separate floors.  Overall, the Google OnHub mesh provides a very stable and easy to manage system.  I don't have any hard wired AP, they all use wireless for the back-haul.

 

My server, TV, Nvidia Shield, and other media devices, are all hard wired off the main router AP.  I have my personal computer on the second floor hard wired down to the basement using a MoCa adapter and satellite coax cables that were already in place. The rest of the devices (23 at last count) connect to the wireless mesh. 

 

Problems I've run in to:

 

  • Routing options are limited.  Simplicity comes with sacrifice in this case.  It's great for 99+% of users out there, and even 95+% of my needs.
  • You can not use the Google mesh without also using the routing feature.  Putting the network behind another router kills the mesh, and everything just becomes a normal AP.  I don't want to go back to that.
  • I lost the ability to have a simple VPN to access my home network though the router.  This has been overcome using a rPi or by using Wireguard through my Unraid server.  I really don't like having it go through my Unraid server. I'd rather have something more simple/reliable just in case.
  • Losing internet kills all network administration. Because the Google mesh admin is cloud based, no internet = no admin.  This hasn't happened often, but if/when my ISP goes down, I lose all administration of the local network.

 

I'm perfectly happy to stick with the Google mesh for the moment, but I'm starting to consider my options.

 

So some questions:

 

  • I looked at basic Ubiquity routers (EdgeRouter) in the past.  Why should someone go with the UniFi Security Gateway (USG) over say the EdgeRouter 4 or X?
  • My entire wireless setup would have to be replaced.  What APs would work best in this situation?  I see that Ubiquiti offers a lot of choices.  Not sure I really want to ceiling/wall mount everything.
  • What about WiFi 6?  I know I don't really need it yet... but is it on the near horizon for Ubiquiti gear?  Should I hold out until that comes along?
  • What the heck is a cloud key, and what does it do?  Do I even need it?
  • I don't have a PoE switch. Are there other options for powering the AP?  Do they come with the AP, or do you have to use something like an injector at an additional puchase?
  • Is there a better or more cost effective solution?  I've also looked in to pfSense in the past, but it seems that USG would be on par with that?

 

I know that's a lot of thoughts and questions.  I'll probably have more as this conversation goes on.

 

Convince me make the switch.  :)

 

 

 

Share this post


Link to post
Share on other sites
Sammy
Posted (edited)

Crosstalk Solutions has some great videos on Ubiquiti and UniFi. I'd start here.

 

https://www.youtube.com/watch?v=XvWOx3PvYFM

 

Don't worry about WiFi 6 as not many devices support it and you probably don't even need it.

 

The CloudKey is a little device that runs the controller software. It is only needed to set things up or to do a custom Guest Network. I use a 5 year old NUC I had not being used and the Controller App instead. You can probably just run this on your Emby Server PC but I chose a separate PC to keep my network set up separate from my PC with it's multitude of open ports.You can also do this on a rPi too. The CloudKey is not necessarily necessary!

 

The individual UAP ACPros come with a power injector but make sure the one you buy has it as some are out of a five-pack that don't include the power injectors.

 

I needed a switch anyhow so got the Switch 8. The USG has only one or two LAN ports so when replacing my router I needed a switch but you can do with an unmanaged, unpowered switch too. One of my AP's is behind something like 5 Gig Switches due to my wired infrastructure being created with Cat5E that was in the walls but daisy chained like phone (It was phone jacks actually..)

 

Check out the other Crosstalk Solution Videos while you are there..

Edited by Sammy

Share this post


Link to post
Share on other sites
BAlGaInTl

Crosstalk Solutions has some great videos on Ubiquiti and UniFi. I'd start here.

 

https://www.youtube.com/watch?v=XvWOx3PvYFM

 

Don't worry about WiFi 6 as not many devices support it and you probably don't even need it.

 

The CloudKey is a little device that runs the controller software. It is only needed to set things up or to do a custom Guest Network. I use a 5 year old NUC I had not being used and the Controller App instead. You can also do this on a rPi too. The CloudKey is not necessarily necessary!

 

The individual UAP ACPros come with a power injector but make sure the one you buy has it as some are out of a five-pack that don't include the power injectors.

 

I needed a switch anyhow so got the Switch 8. The USG has only one or two LAN ports so when replacing my router I needed a switch but you can do with an unmanaged, unpowered switch too. One of my AP's is behind something like 5 Gig Switches due to my wired infrastructure being created with Cat5E that was in the walls but daisy chained like phone (It was phone jacks actually..)

 

Check out the other Crosstalk Solution Videos while you are there..

 

Thanks. I'll check out Crosstalk Solution.

 

So there is no native guest network feature when using USG and Ubiquiti AP?  I do actually use a guest network for... well... guests.  LOL.

 

I already have a TP-link smart managed switch (that I'm using unmanaged) so I really don't need a new switch.  Plus, I only have wiring to the main AP right now, so a PoE switch doesn't do me much good unless I want to run a lot more cable.

Share this post


Link to post
Share on other sites
Jdiesel

My setup looks like this

 

             ISP Modem

                     |

          pfSense Router

                     |

TL-SG108 8 Port Managed Switch

  |  |  |  |  |  |                       |

Wired Clients            UAP-AC_LR

                                     :           :

                               Private   Guest

 

I used the mobile Ubiquity app to setup my UAP-AC-LR and don't leave any controller running. It supports guest networks and vlans just fine without it.

Share this post


Link to post
Share on other sites
rbjtech

My recommendation is to not go anywhere near their routers or firewalls - they make great switches and a good uniformed interfaces but as for functionality vs pfSense or Sophos XG for example then they are in the dark ages. 

 

I sent back my 'USG Dream Machine Pro' two days after receiving it - as frankly it was an embarrassing mess vs my current firewall with even basic firewall functionality missing (real time logging etc).

Share this post


Link to post
Share on other sites
BAlGaInTl

My setup looks like this

 

             ISP Modem

                     |

          pfSense Router

                     |

TL-SG108 8 Port Managed Switch

  |  |  |  |  |  |                       |

Wired Clients            UAP-AC_LR

                                     :           :

                               Private   Guest

 

I used the mobile Ubiquity app to setup my UAP-AC-LR and don't leave any controller running. It supports guest networks and vlans just fine without it.

 

Do you have just one AP?  What kind of coverage do you get with that?  Is it omni-directional?  Or do they really need to be mounted on the ceiling of each floor to be effective?

 

@@rbjtech and @@Jdiesel - so you both recommend a pfSense along with Ubiquity AP gear over using the USG?

 

@@rbjtech - I haven't even considered Sophos.  What's the advantage of that over pfSense?

Share this post


Link to post
Share on other sites
Jdiesel
Posted (edited)

I use a single AP in a 2500 sq ft home over three levels. The AP is mounted on the ceiling of the top floor near the center of the home. I have zero single issues and have about 30 devices in total throughout the house. I am considering upgrading to the UAP-AC-PRO.

 

I have never used USG before so I can't comment on it. 

 

I even recommend the UAP's for people with basic needs and just want to improve their wifi coverage. I set my brother up with a UAP-AC-Lite connected directly to his ISP provided wireless router/modem. The setup is essentially plug and play.

Edited by Jdiesel

Share this post


Link to post
Share on other sites
BAlGaInTl

I use a single AP in a 2500 sq ft home over three levels. The AP is mounted on the ceiling of the top floor near the center of the home. I have zero single issues and have about 30 devices in total throughout the house. I am considering upgrading to the UAP-AC-PRO.

 

I have never used USG before so I can't comment on it. 

 

Yeah... I was thinking I could probably get away with fewer AP using pro grade gear.  Maybe one each on the main two floors.

Share this post


Link to post
Share on other sites
rbjtech
Posted (edited)

Do you have just one AP?  What kind of coverage do you get with that?  Is it omni-directional?  Or do they really need to be mounted on the ceiling of each floor to be effective?

 

@@rbjtech and @@Jdiesel - so you both recommend a pfSense along with Ubiquity AP gear over using the USG?

 

@@rbjtech - I haven't even considered Sophos.  What's the advantage of that over pfSense?

 

I don't have a great deal of experience of pfSense but Sophos XG is more user friendly 'out the box' and has a nice uniformed GUI interface.  It's a 'free' (for home users) full commercial product, the only limitation is 2Gb mem and 4 threads (which is no limitation at all for a home/soho user).    To note, the entry level USG cannot handle high internet throughput with packet inspection (IPS), even the USG 8 cannot handle full gigabit with IPS.   Sophos XG can run it no issues at all - but it's dependent on the hardware you install it on obviously .. 

 

I started with Ubiquiti AP's, then moved onto their switches (mainly for PoE) and wanted to replace the Sophos XG for the 'full suite' but just couldn't do it as the USG firewall functionality was extremely limited vs pf and XG - yes it looked pretty, but under the hood it was a very immature platform.

Edited by rbjtech

Share this post


Link to post
Share on other sites
Sammy

Can you guys please explain the differences in firewall capabilities between the three (USG/Edge, pFsense and Sophos XG)?

 

A table of a link to one would be nice.

 

That asked, I'm pretty satisfied with my USG choice but what am I missing on the firewall?

Share this post


Link to post
Share on other sites
Jdiesel

Can you guys please explain the differences in firewall capabilities between the three (USG/Edge, pFsense and Sophos XG)?

 

A table of a link to one would be nice.

 

That asked, I'm pretty satisfied with my USG choice but what am I missing on the firewall?

 

https://www.youtube.com/watch?v=bK2_ROQrMcM

 

I really like the Lawrence Systems Youtube videos

  • Like 1

Share this post


Link to post
Share on other sites
BAlGaInTl
Posted (edited)

Can you guys please explain the differences in firewall capabilities between the three (USG/Edge, pFsense and Sophos XG)?

 

A table of a link to one would be nice.

 

That asked, I'm pretty satisfied with my USG choice but what am I missing on the firewall?

 

I'm kind of wondering the same thing.

 

I want a better network... but not sure I want to spend lots of time learning a complex system.  Even rolling my own pfSense would be more expensive than the USG, and a lot more than an ER X.

 

It does come with the nerd cred though.

 

ETA: I do see that Netgate offers an entry level pfSense appliance at a cost that is slightly more than the USG:

 

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

Not sure how they compare on features.

Edited by BAlGaInTl

Share this post


Link to post
Share on other sites
rbjtech

 

That asked, I'm pretty satisfied with my USG choice but what am I missing on the firewall?

 

If you're not missing it - then you likely don't need it ;)

 

As an example, I wanted to investigate packet drops on the UDM Pro and to my disbelief, the dropped packets were not available to be viewed in the Ubiquiti interface !  The view was they should be passed to an external syslog server - which is perfectly acceptable in a commercial environment, but for a soho, the ability to fault find is extremely limited if you can't easily see what is being accepted and what is being dropped.  

Share this post


Link to post
Share on other sites
Jdiesel

I'm kind of wondering the same thing.

 

I want a better network... but not sure I want to spend lots of time learning a complex system.  Even rolling my own pfSense would be more expensive than the USG, and a lot more than an ER X.

 

It does come with the nerd cred though.

 

ETA: I do see that Netgate offers an entry level pfSense appliance at a cost that is slightly more than the USG:

 

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

Not sure how they compare on features.

 

You could always run a pfSense VM on your unRAID server. All you would need in an extra NIC. Lots of people do it with the only major cavet being that if your unRAID server goes down you will lose your network.

Share this post


Link to post
Share on other sites
BAlGaInTl

You could always run a pfSense VM on your unRAID server. All you would need in an extra NIC. Lots of people do it with the only major cavet being that if your unRAID server goes down you will lose your network.

 

I've thought of this... my server mb has dual NICs, so it could do it.

 

But part of all this is to try and get all the extra stuff off my media server. :)

Share this post


Link to post
Share on other sites
Sammy

If you're not missing it - then you likely don't need it ;)

 

As an example, I wanted to investigate packet drops on the UDM Pro and to my disbelief, the dropped packets were not available to be viewed in the Ubiquiti interface !  The view was they should be passed to an external syslog server - which is perfectly acceptable in a commercial environment, but for a soho, the ability to fault find is extremely limited if you can't easily see what is being accepted and what is being dropped.  

 

Packet Loss stats are in the USG Controller Interface. Not sure if there's anything to do but look at the stats though as I'm relativity new to USG.

 

post-110-0-90472800-1587571826_thumb.png

Share this post


Link to post
Share on other sites
BAlGaInTl

If you're not missing it - then you likely don't need it ;)

 

As an example, I wanted to investigate packet drops on the UDM Pro and to my disbelief, the dropped packets were not available to be viewed in the Ubiquiti interface !  The view was they should be passed to an external syslog server - which is perfectly acceptable in a commercial environment, but for a soho, the ability to fault find is extremely limited if you can't easily see what is being accepted and what is being dropped.  

 

That sounds like it's WAY more than I need.  :)

 

I basically miss my router level VPN, and would like to possibly segment my network with a VLAN or two.  The ER X would probably meet my needs just fine... but I also like the shiny. 

Share this post


Link to post
Share on other sites
BAlGaInTl

LOL...

 

I'm in a complete network rabbit hole now...

Share this post


Link to post
Share on other sites
Spaceboy

Pfsense router, 24 port Poe edgemax switch, UniFi controller on an nuc and three UniFi aps (one indoor, one outdoor and one for an iot vlan) here. I knew nothing about networking a year ago, probably don’t know much more now [emoji23] but I’ve enjoyed learning new things and implementing some useful functionality

Share this post


Link to post
Share on other sites
Jdiesel

The two things that made me switch from an Asus router to pfsense a few years back were:

 

-The CPU in the Asus router was not powerful enough handle the VPN encryption which resulted in me not utilizing my full internet connection

-I wanted to do network wide ad blocking

-I had a Zotac CI series NUC that wasn't being used and I felt I should do something with it.

 

My needs are modest but I like to tinker with things and pfsense was something new to try.

Share this post


Link to post
Share on other sites
rbjtech
Posted (edited)

Packet Loss stats are in the USG Controller Interface. Not sure if there's anything to do but look at the stats though as I'm relativity new to USG.

 

attachicon.gifStatistics.PNG

 

I think you mean packet drops (by the firewall), packet loss would be a serious network problem  ;)  

 

I want to see exactly what packets are being dropped/allowed by the firewall - historically as well as real time and use search criteria to search the db/logs based on source, destination, IP, port etc.

 

A good firewall will drop everything by default on all interfaces, incoming and outgoing, so when adding rules to allow traffic for online games for example, it's essential you see the real-time drops - or packet traces - in order to figure out if your rules are correct.  UDM Pro (successor to the USG) had none of this in the GUI, which was a non-starter for me. 

Edited by rbjtech

Share this post


Link to post
Share on other sites
BAlGaInTl

Okay... so after crawling out of my rabbit hole last night, I think I really like the idea of pfSense.

 

Does anyone have any opinion about the Netgate SG-1100 which can be had for just a little more than the USG?

 

I realize I can build my own for a bit more cost, but keep in mind I'll be using it initially as just a router and occasional VPN. I can always build/buy something new if I outgrow it.

 

https://store.netgate.com/pfSense/SG-1100.aspx

Share this post


Link to post
Share on other sites
BAlGaInTl

Okay... so after crawling out of my rabbit hole last night, I think I really like the idea of pfSense.

 

Does anyone have any opinion about the Netgate SG-1100 which can be had for just a little more than the USG?

 

I realize I can build my own for a bit more cost, but keep in mind I'll be using it initially as just a router and occasional VPN. I can always build/buy something new if I outgrow it.

 

https://store.netgate.com/pfSense/SG-1100.aspx

 

I think this question may have gotten lost in all the discussion.

 

Any input @@Jdiesel, @@rbjtech

 

I'm still looking, and have started to prepare for the wife-agro.  Although really she told me to do whatever I want.  

 

:)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...