Ubiquiti – Replacing my home-network and making fibre work with UniFi

I previously blogged about my issues with the Calix 813-G FTTH router being complete rubbish. Despite having moved from a 20Mbps VDSL connection to a 50Mbps fibre connection, my throughput and latency with the Calix were actually worse and I even contemplated going back to VDSL. Since my home network was already very fragmented (Calix router, Netgear-, Linksys and Cisco switches), I decided as a last-ditch effort to standardise on the Ubiquiti UniFi range:

The order came to about R 8,000.00 which is quite reasonable, considering that it comprises two 8-port Gigabit PoE switches with 2 SFP ports, one Gigabit Security Gateway and the Cloudkey (which is used as the management interface). In a separate order I am expecting the UniFi PoE access points (thanks Aramex Global for dropping the ball) to replace my existing WiFi access points.

Ubiquiti UniFi Security Appliance (USG)

The UniFi Security Gateway (USG) is the router and firewall; it sits at the edge of my network and its WAN port is connected to the Calix 813G.

The USG has 1 WAN port, 1 LAN port and 1 VOIP port (which can be reconfigured as a 2nd LAN port). The USG acts as the VLAN and subnet router: as you create networks they are provisioned onto the gateway and then made available to the switches for VLAN tagging. The gateway has a sophisticated firewall, but it must be said that the web GUI is a work in progress and some more sophisticated features are only available via the command line.

Ubiquiti 8-Port UniFi Switch, Managed PoE+ Gigabit Switch with SFP, 150W (US8)

The UniFi Switch 8 is a fanless (and quiet) managed switch with 10 independent switching ports: 8 Gigabit ports offering 802.3af/at PoE+ or 24V passive PoE and two SFP ports for optical connectivity. Compared to my previous “dumb” unmanaged switches, the UniFi managed switches provide intelligent routing, show who and what is connected to each port and are capable of controlling it.

The PoE feature is really handy because it means that devices such as the UniFi CloudKey and the UniFi WiFi access-points can be connected without requiring extra power supplies as the devices are simply powered over the LAN cable instead. I am really impressed with the performance and management of the switches – the switches provision directly from the USG and all VLAN updates are pushed down once a change is made. You can see which ports deliver power and what speed a port is running at.

Ubiquiti UniFi Cloud Key (UCK)

The UniFi Cloud Key is where the UniFi Controller Software will run on your network, the software that will provide your web admin interface and manage all of the devices on your network. The UCK is not really necessary as the UniFi Controller Software can pretty much run anywhere (on a Raspberry Pi, a NAS, a Linux box, a Mac etc) – I just felt that getting the UCK and plugging it into a PoE port on the US8 was the cleanest solution and required the least effort.

The Cloud Key comes with an 8GB micro-SD card for storage and can either be powered via micro-USB or through a PoE LAN cable (I used the latter). The UCK essentially provides the web GUI and management interface for all UniFi devices in your network. Additionally you can sign up for UniFi Cloud Access which allows you to manage and monitor your network via the Internet.

The Setup and the Challenges

If you expect the UniFi range to be plug-and-play, you are expecting too much – in most cases it will work, but you do require at least a basic understanding of networking, subnets / IP-ranges and should feel comfortable with SSH / Telnet and the CLI. If the last sentence sounds foreign, it is better to look at more trivial consumer grade hardware (don’t get me wrong, once everything is set up and configured, management is bliss).

Challenge 1: My subnet and DHCP-server in my home-network

Prior to the arrival of the Ubiquiti gear my home network was running on 172.16.0.1/24 and there was never really a particular reason for it. Running a Synology DS1010+ as a file-, DHCP- and DNS-server complicated the setup a little bit more. I learned that the UniFi gear really likes the 192.168.1.1/24 range and especially the central piece of network kit, the USG, was quite insistent on reserving 192.168.1.1.

Although it would have been possible to change IP addresses for the UniFi gear, I decided that it would be better to just completely rework my whole home-network (including IP ranges, DHCP server and even cabling).

Initially I hoped that I could provision the USG as 192.168.1.1 and the Calix fibre-router as 192.168.1.2 (or vice-versa), but the Calix was as uncooperative as ever. I then decided to create two subnets:

  • 10.0.0.1/24 for the WAN portion where the Calix FTTH uses 10.0.0.1 and the USG WAN port uses 10.0.0.2
  • 192.168.1.1/24 for the LAN portion where the USG LAN port uses 192.168.1.1. All other devices would use IPs served via my DHCP server on the Synology

Challenge 2: The horrible Calix 813-G fibre router

I still cannot understand how a fibre router which is widely used in fibre installations can be such a piece of junk and miss the most basic functionality. In a typical setup you would switch the Calix into bridged mode to interconnect with the USG, but the Calix does not support bridged mode. It also does not support PPPoE connections or even the most basic routing.

In order to make the Calix work, I turned off every single feature (firewall, NAT, UPNP, DHCP, WiFi) and turned the Calix 813G into a true dumb device by assigning it a static IP:

To ensure that the Calix does not interfere with any traffic I also placed the USG’s WAN IP (10.0.0.2) into the DMZ of the Calix in the hope that no QoS or other shaping/filtering would happen. This means the Calix forwards all unsolicited inbound traffic to the USG, so the USG’s own firewall is the only thing standing between the Internet and the LAN.

None of the above would have been necessary if the Calix supported bridged mode or PPPoE. It was also not possible to configure the Calix to use an IP in the 192.168.1.1/24 range as somehow the device interfered with the rest of the network.

Challenge 3: Reworking internal DHCP

Since all my devices used 172.16.0.1/24, I needed to reconfigure DHCP and DNS on the Synology. This was a bit of a chicken-and-egg issue, as I needed to get the USG up on 192.168.1.1 first and then needed to reconfigure the Synology to use a static IP 192.168.1.97 (in the old range it used 172.16.0.97):

Once the Synology was reconfigured, it was smooth sailing from there – the Cloud Key was plugged into the office US-8 and the US-8 was connected to the LAN port of the USG. The USG’s WAN port connected to one of the 4 LAN ports on the Calix. I then reset the UniFi devices and waited for them to boot up.

The initial setup and configuration occurs when connecting to the Cloud Key (in my case 192.168.1.2). All UniFi devices on the network are automatically discovered and need to be “adopted” into the network:
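The three challenges above boil down to one address plan: a WAN subnet between the Calix and the USG, a LAN subnet behind the USG, static addresses for the infrastructure and a DHCP pool on the Synology for everything else. The script below is an added example (not code from the post or from Ubiquiti) that sanity-checks such a plan before you start re-addressing devices: it flags overlapping subnets on both sides of the router (the single-subnet layout that the Calix refused to cooperate with), hosts outside their subnet, duplicate addresses, and static hosts that sit inside the DHCP pool. The addresses come from the post (Calix 10.0.0.1, USG WAN 10.0.0.2, USG LAN 192.168.1.1, Cloud Key 192.168.1.2, Synology 192.168.1.97); the DHCP pool .100–.199 is an assumption, since the post does not state which pool the Synology hands out.

```python
"""Sanity-check a home-network address plan (added example, not from the post).

Addresses are taken from the post; the DHCP pool is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    """One broadcast domain: its subnet, static hosts and an optional DHCP pool."""
    name: str
    network: str                                  # "192.168.1.1/24" as written in the post is accepted
    hosts: Dict[str, str]                         # device name -> static address
    dhcp_pool: Optional[Tuple[str, str]] = None   # (first, last) address handed out by DHCP

    def __post_init__(self):
        # The post writes subnets as "10.0.0.1/24"; strict=False masks off the host bits.
        self.net = ipaddress.ip_network(self.network, strict=False)
        self.addrs = {dev: ipaddress.ip_address(a) for dev, a in self.hosts.items()}
        self.pool = None
        if self.dhcp_pool:
            self.pool = tuple(ipaddress.ip_address(a) for a in self.dhcp_pool)


def check_plan(segments: List[Segment]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # 1. A router cannot have the same subnet on both of its interfaces:
    #    the WAN and LAN segments must not overlap.
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.net.overlaps(b.net):
                findings.append(f"{a.name} {a.net} overlaps {b.name} {b.net}")

    seen: Dict[ipaddress.IPv4Address, str] = {}
    for seg in segments:
        for dev, ip in seg.addrs.items():
            # 2. Every static host must lie inside its own subnet and must not
            #    use the network or broadcast address.
            if ip not in seg.net:
                findings.append(f"{dev} {ip} is outside {seg.name} {seg.net}")
            elif ip in (seg.net.network_address, seg.net.broadcast_address):
                findings.append(f"{dev} {ip} is the network/broadcast address of {seg.net}")
            # 3. No address may be assigned twice, in any segment.
            if ip in seen:
                findings.append(f"{dev} and {seen[ip]} both use {ip}")
            seen[ip] = dev

        # 4. The DHCP pool must lie inside the subnet and must not contain a
        #    static host, otherwise the server will eventually hand out a duplicate.
        if seg.pool:
            first, last = seg.pool
            if first not in seg.net or last not in seg.net or first > last:
                findings.append(f"{seg.name} DHCP pool {first}-{last} is not inside {seg.net}")
            else:
                for dev, ip in seg.addrs.items():
                    if first <= ip <= last:
                        findings.append(f"static {dev} {ip} lies inside the {seg.name} DHCP pool")
    return findings


def home_plan() -> List[Segment]:
    """The two-subnet layout the post settled on (pool range is assumed)."""
    return [
        Segment("WAN", "10.0.0.1/24", {"calix": "10.0.0.1", "usg-wan": "10.0.0.2"}),
        Segment("LAN", "192.168.1.1/24",
                {"usg-lan": "192.168.1.1", "cloudkey": "192.168.1.2", "synology": "192.168.1.97"},
                dhcp_pool=("192.168.1.100", "192.168.1.199")),
    ]


if __name__ == "__main__":
    for line in check_plan(home_plan()) or ["plan OK"]:
        print(line)
```

Run it once with the plan you intend to roll out; every finding it prints is a change you would otherwise discover as a device that cannot be reached, or as two devices fighting over one address, after the cabling has already been redone.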

The web UI allows remote configuration (upgrading firmware, restarting devices) and detailed configuration of the devices. In my setup I have the USG (called “Gatekeeper”) and one US-8 (“OfficeSwitch”) situated in the office, which also hosts the Synology, the UPS and the Calix ONT. The UniFi web-interface displays detailed information about switch-configuration, up-time, temperature and port configuration:

The setup of the UniFi network happens mostly over the web UI (the only command line configuration I needed to make is to enable UPNP) and all changes are pushed via the Controller to all devices. The configuration is very detailed and includes all options necessary:

Dashboards, reporting and state of the UniFi software

I was surprised by the number of changes being pushed out by the Ubiquiti team. Let’s be honest – the hardware is top-notch and the software needs to catch up. Some more sophisticated features are only available via the command line and some functions (such as the DPI – deep packet inspection) are just horribly broken.

The reporting / dashboards provide insight on performance over the last 24 hours and on which devices and clients are connected, and they even run a periodic Speed Test (the Speed Test is done against Ubiquiti servers in California and there is no option to select another server).

Traffic Statistics (via DPI – Deep Packet Inspection) should give an insight into traffic usage and ultimately allow you to tune your network. DPI and its classification are really broken – in the “Gaming”-section below you will see mention of “XBOX” and “Call of Duty” – problem is that we do not have an XBOX and no-one plays Call of Duty:

The DPI issue has been acknowledged and is mentioned on the UBNT forums and I am quite comfortable that Ubiquiti will dramatically improve firmware and web-UI over 2017.

Annoyances – no Let’s Encrypt / SSL support

Notice how my Cloud Key uses SSL, but has no valid certificate:

Most devices supporting SSL either support Let’s Encrypt or have documentation on how to install a proper 3rd party SSL certificate. Since I could only find various hacks on the web (some involving a separate server or AWS installation), I fired off a support request to Ubiquiti and was surprised to get this:

The above guide does not work as it relies on an AWS installation and since the UCK is not accessible / open, Let’s Encrypt will not be able to auto-renew. Installing an SSL certificate is really as simple as (1) generating a CSR and (2) installing the issued cert. Even my 8-year-old (!) Synology allows the installation of a purchased SSL certificate via the web-UI and later Synology firmwares even support Let’s Encrypt.
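Step (1) of that two-step process, as an added example that is not code from the post or from Ubiquiti: generate the private key and a certificate signing request for the controller’s hostname, and parse the CSR back to confirm what the CA will see before submitting it. The point worth noting from a security angle is that the private key is created where the certificate will be used and never needs to be sent anywhere; only the CSR goes to the CA. The example uses the `cryptography` package (assumed installed); the hostname `cloudkey.home.example` and the organisation name are constructed placeholders.

```python
"""Generate a private key and CSR for a device such as the Cloud Key.

Added example, not from the post or Ubiquiti. Requires the `cryptography`
package (assumed installed). Hostname and organisation are placeholders.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_key_and_csr(hostname: str, org: str = "Home Network"):
    """Return (private_key_pem, csr_pem).

    The private key is generated here and stays on the device; only the CSR
    is handed to the CA (RapidSSL, Let's Encrypt, ...) for signing.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, hostname),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        ]))
        # Browsers validate the hostname against the SAN extension, not the CN,
        # so a CSR without a SAN yields a certificate that still warns.
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),   # protect the file with filesystem permissions instead
    )
    return key_pem, csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(csr_pem: bytes) -> dict:
    """Parse a CSR and report what the CA will see; run this before submitting."""
    csr = x509.load_pem_x509_csr(csr_pem)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "signature_valid": csr.is_signature_valid,   # proves the CSR matches the key
        "key_bits": csr.public_key().key_size,
    }


if __name__ == "__main__":
    key_pem, csr_pem = make_key_and_csr("cloudkey.home.example")
    with open("cloudkey.key", "wb") as f:   # keep this file private
        f.write(key_pem)
    print(csr_pem.decode())                  # paste this into the CA's order form
    print(inspect_csr(csr_pem))
```

Step (2), installing the issued certificate together with the key that produced this CSR, is the part that each device does differently; on the Cloud Key it is what the follow-up posts linked below cover.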

I am reluctant to hack around on my Cloud Key as it requires overwriting keystores (which would get wiped after each firmware upgrade) and for the time being accept the security warning. I have written a follow-up post on how to install a RapidSSL certificate onto the Cloud Key. I have also written a guide on how to use Let’s Encrypt on the UniFi Cloud Key.

Conclusion – should you buy it?

If your home networking requires no wired devices and you do not run a home NAS, then rather go with a standard router and a number of WiFi extenders – this will suffice for your basic browsing experience and streaming. WiFi will always give you higher latency than wired and there will always be interference.

Any setup where you require low latency, Gigabit throughput from your media- / file-server and need wired devices (it is a given that competitive/online gaming via WiFi will introduce higher latencies and slower throughput compared to wired) should consist of a wired setup with switches. It is then really a budget question whether you go with low-cost unmanaged switches which lack basic management and insight or whether you go slightly overboard and future-proof your setup.

In my mind, if you have a high-speed connection (read: >50Mbps+) into your home, you should go with a setup such as Ubiquiti as it will future-proof your network and provides you with the security and management interfaces. For me it will be very easy to eventually replace the Calix fibre router with another device or ISP without ever having to touch my home-network.

Be prepared to face a “steep” learning curve. Despite having a strong technical background, I did struggle with some of the configuration aspects and I do not think a regular home-user will manage to set up the devices properly. I have been running the UniFi gear for about 10 days and would not replace it with anything else.

Reading through the UBNT forums, Ubiquiti is making significant investments into the software stack of the UniFi range and several beta programmes with new features are running at the moment. Judging from the firmware history, the company is committed to continue pushing out enhancements and improvements – something you will certainly not get with cheaper consumer grade hardware. If you have the cash and the technical skill, I would strongly recommend buying Ubiquiti network infrastructure for your home setup.