Today on the hookup is part 1 of my updated ultimate, secure, smart home network guide. In this two part series I’m going to walk through the entire process of setting up a fast, secure, and reliable home network using UniFi products and cybersecurity best practices. Today in part one I’m going to take you through product selection, wireless technologies and optimal device placement, and in part two I’ll cover setup in the new UniFi 6.0 controller including virtual LANs (VLANs), firewall rules, port security and intrusion detection and prevention.
In 2019 I put out a 3 part series on setting up a UniFi home network and a lot has changed since then: UniFi released some new software and devices, WiFi 6 is out, and I got certified to teach Networking and Cybersecurity, so it’s time for an update. Even though I’ve personally decided to use UniFi products in my house this video isn’t sponsored by UniFi and I’m going to tell it like it is, including some honest opinions of the major shortcomings in UniFi systems.
First things first, let’s talk about Ubiquiti UniFi. UniFi is what is often called prosumer equipment, which basically means it is suitable, and probably designed, for a small to medium sized business network, but it has also been adopted by general consumers for home use.
Traditionally the gap in pricing between home network and business network solutions has been substantial, but UniFi split that difference making it an unbeatable value for small businesses and a compelling option for home users who want more control over their networks. Based on some of their recent changes to the UniFi dashboard I suspect that home users are becoming an increasingly large percentage of their user base, but UniFi certainly isn’t for everyone, and just like their pricing they definitely have a sweet spot.
UniFi is great, but it isn’t the most powerful and customizable home network possible. If you are a network professional, or a home lab tinkerer with a lot of networking knowledge and experience, you might find UniFi’s customization and event logging to be lacking and you might be better off piecing together your own solution using pfSense, which can get you an overall better performing network for less money. Conversely, if you don’t want to mess with any settings and you just want your router to work right out of the box then you should probably just opt for one of the many mesh WiFi solutions on the market. Linksys Velop is the one that my network contractor friends recommend most these days, but I’ve also had good luck with the Nest and eero solutions that I’ve deployed for friends and family.
However, if you’re in that sweet spot where you want more granular control over your networks and devices, you’re able to follow tutorials, and you want to have confidence in the security and reliability of your network, then the UniFi line is probably for you. If that sounds like your niche, stay tuned, and let’s talk about hardware selection.
For equipment, every network is going to consist of a few important parts including the router and firewall, switches, and wireless access points. A traditional router like you get from your internet service provider, or one of those spaceship looking devices from Asus actually combine all those parts into one device.
In the UniFi lineup each part was a separate piece of equipment as of my 2019 videos, and it even required an additional component called the controller that is used to manage and send configurations to each UniFi device, which is called provisioning. But in 2020 UniFi released the Dream Machine and Dream Machine Pro, which combine the router and firewall with an 8 port switch, a controller, and in the case of the non-pro model a wireless access point. While it’s nice that these Dream Machine packages come at a slightly lower price than getting each piece of equipment separately, the real reason to choose a Dream Machine or Dream Machine Pro is the fact that they are equipped with much faster processors than the old UniFi Security Gateway, which enables them to run security related software like Deep Packet Inspection and Intrusion Prevention Systems that we’ll talk about in part 2 without crippling your network’s throughput speed. In fact, the Dream Machine Pro did away with all the fancy hardware offloading that their old USG routers used to do and tackles all your routing using a quad core ARM processor running at 1.7 gigahertz. This processor is the reason the UDM Pro can examine all of your network traffic and check for malicious activity while maintaining 3.5 gigabits per second of throughput, compared to the USG, whose dual core 500 megahertz processor can only muster 85 megabits of throughput with Intrusion Prevention enabled.
If you saw my last video on the dream machine you know that my first experience was not great, and after 2 weeks of intermittent issues I reinstalled my old network equipment. After a few messages with UniFi support we determined that I had a defective unit and received an RMA for a new one.
Things got busy, so the new replacement unit sat in a closet for the last 3 months, but I’m happy to report that this time the install went perfectly without any issues and I was able to migrate all my settings to the UDM Pro in less than an hour. This could have been due to firmware updates, non-defective equipment or just good luck, but it was much more the experience I was hoping for when I installed the first UDM Pro, and what you should expect from an almost $400 device.
All that was a long winded way of saying that if you want to use UniFi, the UDM Pro is currently the best option for your router, firewall, switch, and controller. If you already have a UniFi system in place you’ll need to decide if the additional security features are worth the upgrade, but if you’re building a new system from scratch you should choose the UDM Pro over the UniFi Security Gateway in almost all cases.
A major complaint at the time of launch was that the UDM Pro required a Ubiquiti cloud account to be able to log in and manage your system, but I’m happy to report that you can now add local administrators and completely disable the cloud account. Unfortunately, you will still need a UniFi account for the initial onboarding process, but at least it can be disabled after that.
Next let’s talk access points, wireless technology and the hype around WiFi 6.
WiFi has gone through lots of different standards over the years. 802.11b, g, and n all operate within the 2.4 gigahertz band but each offered improvements in security, speed and data rate by implementing new technology and protocols. 802.11ac is a set of standards operating strictly in the 5 gigahertz frequency band, but all wireless access points that are labeled as 802.11ac also include an 802.11n radio for compatibility with 2.4 gigahertz devices.
As far as the connection goes, the 5 gigahertz frequency band is superior in almost every way. It has more non-overlapping channels allowing for communication with less interference, it has the ability to serve multiple clients simultaneously if they support the MU-MIMO technology and the single connection radio rate is 4 times faster than the 2.4 gigahertz band.
So why do 2.4 gigahertz devices still exist? First, physics dictates that as a wave’s frequency increases, the amount of energy transferred from the wave to objects it passes through will increase. This is called attenuation, and the more a signal is attenuated the less distance it will travel and the less useful and understandable the signal will be when it reaches its destination. So if speed isn’t the name of the game, the 2.4 gigahertz band has a much better range and penetration.
Second, older 802.11n chipsets are much cheaper, so if you want IoT devices under $20 they are going to be using old tech, which unfortunately means they won’t benefit from the fancy new wifi standards.
802.11ax, or what’s being called WiFi 6, has some revolutionary changes that will increase the speed, signal, and density of our WiFi networks. WiFi 6 is also the first standard that covers multiple frequency ranges from 1 to 6 gigahertz. But as great as WiFi 6 sounds, it actually isn’t as big of a deal as most people are suggesting, because just like all the other new standards before it, even though it is backwards compatible with older devices, only new devices will support the new WiFi 6 improvements.
UniFi recently released their first WiFi 6 enabled access point, the UniFi AP-6-Lite. The AP-6-Lite has 2x 2.4 gigahertz antennas and 2x 5 gigahertz antennas for non-WiFi 6 traffic, which means that compared with the UniFi NanoHD, which has 4x 5 gigahertz antennas, it has slightly lower total throughput speeds on the 5 gigahertz band for non-WiFi 6 devices. But if your home has a lot of IoT devices, which almost exclusively use the 802.11n standard and the 2.4 gigahertz band, then the AP-6-Lite will perform exactly the same as other access points like the NanoHD and FlexHD, with the added benefit of WiFi 6 for your compatible devices, and does it for about half the cost.
If you already have UniFi access points then upgrading your home network to WiFi 6 will probably have very little effect, since it will likely be 5-10 years before WiFi 6 chipsets start appearing in low cost IoT devices. But if you are deploying a network with a lot of high performance devices, like a business where customers and employees are using their cell phones and laptops, then WiFi 6 should make a significant difference.
If you’re building a new system, there’s virtually no reason to buy the NanoHD or FlexHD over the cheaper and more future proof UniFi 6 Lite. The soon to be released UniFi 6 Long Range has the potential to increase throughput for all of your devices with its 4x4 MIMO on both the 2.4 gigahertz band and the 5 gigahertz band, but it’s still in early access and I haven’t tested it.
The last piece of hardware that you may need to add to your network are additional switches. Though it is a massive oversimplification, you can generally think of a switch like a power strip for your network. If you want to plug in a bunch of devices and you only have one outlet, plugging in a power strip will give you a bunch of outlets. Similarly, installing a switch where you have a single ethernet port will give you a bunch of ethernet ports at that location. The reason I say it’s an oversimplification is that a switch learns which device’s hardware (MAC) address is behind each of its ports, so it doesn’t just send every message it receives to every connected device; a device that does that is called a hub. Switches come in two main varieties: managed and unmanaged. A managed switch will allow you to update its configuration to restrict ports to specific devices or virtual networks, while an unmanaged switch is just plug and play without any additional configuration options, and while you can put an entire unmanaged switch onto one VLAN you can’t configure it per port.
The second big difference in switches is whether they have power over ethernet (PoE), which means they can provide both power and data over a single ethernet line to your compatible devices. My biggest complaint about the Dream Machine Pro is that despite the inclusion of an 8 port managed switch there are zero power over ethernet ports, which are required if you want to connect your UniFi access points without a separate PoE injector.
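To make the switch-versus-hub and managed-versus-unmanaged distinctions concrete, here is a small simulation I added for this guide (it is not UniFi code and does not model any particular UniFi switch). It implements a learning switch with per-port VLAN assignment: the switch remembers which MAC address was seen on which port, forwards known unicast frames to that one port, floods unknown destinations only within the frame’s own VLAN, and never crosses VLANs. A hub, by contrast, repeats every frame out of every other port. The port numbers, VLAN ids and MAC addresses are constructed sample values.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub has no address table: every frame is repeated out of every
    other port, so every device sees every other device's traffic."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class ManagedSwitch:
    """A learning switch whose ports can each be assigned to a VLAN.
    An unmanaged switch behaves the same way with every port in one VLAN."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)  # port number -> VLAN id
        self.mac_table = {}                 # (vlan, mac) -> port number

    def forward(self, in_port, src_mac, dst_mac):
        vlan = self.port_vlans[in_port]
        # Learning: the source address of this frame lives behind in_port.
        self.mac_table[(vlan, src_mac)] = in_port
        # Flooding candidates are only the other ports in the SAME VLAN.
        same_vlan = [p for p, v in self.port_vlans.items()
                     if v == vlan and p != in_port]
        if dst_mac == BROADCAST or (vlan, dst_mac) not in self.mac_table:
            return same_vlan
        out_port = self.mac_table[(vlan, dst_mac)]
        return [] if out_port == in_port else [out_port]


def demo():
    """Constructed scenario: ports 1-2 are a trusted VLAN 10, ports 3-4 an
    IoT VLAN 20. Returns the forwarding decision for each sample frame."""
    pc, nas = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    cam, plug = "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"
    hub = Hub([1, 2, 3, 4])
    sw = ManagedSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    results = {
        # Hub: the PC's frame to the NAS also reaches the camera and plug.
        "hub_pc_to_nas": hub.forward(1, pc, nas),
        # Switch, NAS not yet learned: flooded, but only inside VLAN 10.
        "switch_unknown_dst": sw.forward(1, pc, nas),
        # NAS replies: PC was learned on port 1, so only port 1 gets it.
        "switch_learned_reply": sw.forward(2, nas, pc),
        # PC to NAS again: NAS is now known on port 2.
        "switch_known_unicast": sw.forward(1, pc, nas),
        # Camera addresses the PC: PC is in another VLAN, so the frame is
        # flooded within VLAN 20 only and never reaches ports 1 or 2.
        "switch_cross_vlan": sw.forward(3, cam, pc),
    }
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:24s} -> ports {ports}")
```

The last case is the security-relevant one: with per-port VLANs a compromised IoT device on port 3 cannot even reach the trusted ports at layer 2, which is the separation part 2 of this guide builds on. An unmanaged switch can only be placed on one VLAN as a whole, so it cannot give you that per-port split.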
In a similar failure, UniFi’s new 16 port PoE switches reduced the number of PoE ports from 16 to 8 without adding additional functionality or lowering the price. They did add a small LCD panel to the front, but I definitely prefer having 8 additional PoE ports to a small clunky touch panel. Thankfully you can still buy the USW-16-150W, which provides the exact same switching capability with 16 PoE ports to power all of your security cameras, access points, and other PoE devices.
Adding it all up, for a typical UniFi deployment in a medium to large sized house you are looking at just under $1000 for the Dream Machine Pro, 16 port PoE switch and 3 WiFi 6 access points. As I said before, this is significantly more expensive than a mesh solution from Linksys, Google, or TP-Link, but much less expensive than a commercial solution from companies like Aruba and Cisco, and the UniFi system is going to perform much more similarly to the commercial solutions than the mesh systems.
Placement of your networking gear is something that is often overlooked, but it can have a large impact on your satisfaction and the longevity of your equipment. The placement of dream machine pro and switch may depend on where your house terminates its ethernet drops, but here are a few quick tips on placement:
The UDM Pro and 16 port switch both have active cooling fans that ramp up as internal temperature increases. If you put your equipment rack in a space that you need to be silent, you’re going to be irritated listening to the fans ramp up and down as your network traffic changes. For me, the UDM and 16 port switch are not nearly as loud as my desktop computer, so mounting them in the same rack barely changes the overall sound output.
Putting your gear in a closet might seem like an obvious choice, but be aware that most closets don’t have proper ventilation and air conditioning, so you may run into heat issues with your UniFi equipment which can lower its lifespan significantly. The maximum ambient operating temperature for the dream machine pro and 16 port switch is only 104 degrees F, which can easily be exceeded in an unventilated space, which is not to say your entire closet would reach 104 F, but the area directly surrounding your network equipment could. This temperature limitation also largely excludes uninsulated spaces like attics and garages, which again is not to say you can’t have a successful deployment in one of these spaces, but you should be aware of the limitations and issues that can result from it.
Next is placement of your access points. Ubiquiti has provided specific instructions for the two mounting configurations of their disk shaped access points. The strength of the signal is highest radiating out of the front of the device, so Ubiquiti suggests mounting them on the ceiling pointed down for high density wireless environments, but they recommend mounting them on the wall facing out for the longest range. Your specific setup may prevent you from being able to accomplish these configurations, but as a rule of thumb if you need to mount your access point in a central location it should be flat, and if you can mount it near the edge of your coverage area you should put it vertically on the wall pointing in.
Wireless signal is affected by lots of different factors, but the most important for your network are going to be your building materials and interference caused by other wireless devices.
Concrete and metal walls are going to cause wireless signal degradation on all frequencies, but as I talked about before, significantly more on the 5 gigahertz band. Avoid placing your access points in a room surrounded by concrete, and don’t attempt to provide long range coverage through a concrete wall.
The last thing to remember is that WiFi is a 2-way communication protocol. Even if you get an access point with a powerful transmitter, the devices it needs to communicate with will still need to be able to talk back to that access point. It’s for this reason that a few lower power access points will provide much better coverage than a single high power access point, and in my next video I’ll show you how to get your access points set up with non-overlapping channels and tweak the transmitting power to ensure they don’t interfere with one another.
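The three range arguments made above (5 gigahertz attenuates more than 2.4 gigahertz, concrete walls hurt 5 gigahertz most, and the link is only as good as the weaker direction because clients transmit at lower power than the access point) can be put into numbers with a simple link budget. The script below is an added example written for this guide, not Ubiquiti’s tooling. It uses the standard free-space path loss formula (20·log10(d_km) + 20·log10(f_MHz) + 32.44 dB), which is a known result; the per-wall attenuation figures, transmit powers and the −65 dBm usable-signal threshold are assumed illustrative values, not measurements from any UniFi device.

```python
import math

# Centre frequencies used for the comparison: 2.4 GHz channel 6 and
# 5 GHz channel 36, in MHz.
FREQ_24 = 2437
FREQ_5 = 5180

# ASSUMED per-wall attenuation in dB, chosen for illustration only.
# Concrete is modelled as hurting 5 GHz far more than 2.4 GHz.
WALL_LOSS_DB = {
    "drywall":  {FREQ_24: 3.0,  FREQ_5: 4.0},
    "concrete": {FREQ_24: 12.0, FREQ_5: 20.0},
}


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB for a distance in metres and a frequency in MHz."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, distance_m, freq_mhz, walls=()):
    """Signal level at the receiver: transmit power minus path loss and wall losses."""
    loss = fspl_db(distance_m, freq_mhz)
    loss += sum(WALL_LOSS_DB[w][freq_mhz] for w in walls)
    return tx_dbm - loss


def max_range_m(tx_dbm, freq_mhz, threshold_dbm, walls=(), step_m=0.5, limit_m=100.0):
    """Largest distance (in step_m increments, capped at limit_m) at which the
    received level is still at or above threshold_dbm."""
    best, d = 0.0, step_m
    while d <= limit_m and received_dbm(tx_dbm, d, freq_mhz, walls) >= threshold_dbm:
        best = d
        d += step_m
    return best


def usable_link_m(ap_tx_dbm, client_tx_dbm, freq_mhz, threshold_dbm, walls=()):
    """WiFi is two-way: the usable range is the SHORTER of the AP->client and
    client->AP directions. With a low-power client the uplink is the limit,
    so a stronger AP transmitter alone does not extend coverage."""
    downlink = max_range_m(ap_tx_dbm, freq_mhz, threshold_dbm, walls)
    uplink = max_range_m(client_tx_dbm, freq_mhz, threshold_dbm, walls)
    return min(downlink, uplink)


if __name__ == "__main__":
    AP_TX, CLIENT_TX, THRESHOLD = 20, 10, -65   # assumed dBm values
    for label, f in (("2.4 GHz", FREQ_24), ("5 GHz", FREQ_5)):
        open_air = usable_link_m(AP_TX, CLIENT_TX, f, THRESHOLD)
        concrete = usable_link_m(AP_TX, CLIENT_TX, f, THRESHOLD, walls=("concrete",))
        print(f"{label}: ~{open_air} m open air, ~{concrete} m through one concrete wall")
```

Because path loss grows with 20·log10(f), moving from 2437 MHz to 5180 MHz costs about 6.5 dB at any distance, which is why 5 gigahertz range comes out at a little under half of 2.4 gigahertz range in open air, and adding a concrete wall shrinks the 5 gigahertz figure to a few metres. Swap in your own wall and power assumptions; the structure of the calculation is what matters when you decide where a second, lower-power access point should go.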
If you still have questions relating to equipment selection, wireless protocols, or placement, leave a comment or come join me on the hookup home automation facebook group and I’ll try to answer your question as well as I can. Thank you so much to my awesome patrons over at patreon for your continued support of my channel, and if you’re interested in supporting my channel please check out the links in the description. If you enjoyed this video please consider subscribing, and as always thanks for watching the hookup.