Installing Unifi In-Wall Access points

The Retired Moocher decided to make the move to all Ubiquiti UniFi home networking equipment. The Moocher’s home network is typical of that found in a residence or small business. We have a wired Ethernet network that serves all of the high bandwidth stuff plus a WiFi network that serves the Moocher’s iThings, guests, and Internet of Things. A Netgear Orbi had been carrying this traffic with the occasional mysterious fade. Desiring more visibility into the network’s behavior, the Moocher decided to retire the Orbis and install UniFi In-Wall HD and AC access points. The Moocher describes his deployment.

References

  1. Ubiquiti UniFi Controller User Guide V5.
  2. https://community.ubnt.com/t5/UniFi-Routing-Switching/Disable-SIP-ALG-on-USG/td-p/1671570
  3. Image courtesy of Ubiquiti https://images.app.goo.gl/CcTbqC3Xft6oPWEo6

Thanks to Ubiquiti for providing the stock image at the top of the article. This is an image of the notional upcoming patterned access point covers. Actual covers may differ from those shown.

Ubiquiti has a good UniFi controller user guide that will guide you through the setup workflow. The guide is pretty good but it is “switchology” focused. I found I could read the guide, note the tricky bits, and then set up my environment without further reference to the guide.

Ubiquiti does not currently offer a deployment guide that gives an overview and takes you through the deployment planning process. One is not needed until you touch one of the feature switches or check boxes that does not correspond to RFC or IEEE standards for basic routing and switching. As long as you’re using the router in an edge access role, this is not a problem. The tricky stuff is on the carrier’s edge ingress router.

This works rather well actually because Ubiquiti UniFi is “software defined networking”. You describe the topology and intended network use to the UniFi controller and it makes all of the device configuration happen behind the curtain for you.

I managed to go a little wrong by enabling the auto-optimization and mesh back haul features. Ubiquiti Support quickly helped me find the error of my ways.

One example of where a deployment guide would be helpful is the connectivity monitor. UniFi Controller offers a connectivity monitor for the WAN uplink and will bring up an alternate link if the primary link fades. We have not used this at home but it is something my church may consider as the elevator phone is on a VoIP analog telephone adapter. So far, our local provider has been sufficiently robust that we’ve not entered this cave.

Physical Installation

We’ll begin this adventure by reviewing the things I did to prepare Dismal Manor for moving to UniFi WiFi. Over time as excuses arose, I purchased UniFi network components and used them to replace older unmanaged consumer grade kit. The thing that prompted this was that I was seeing the occasional WiFi fade in the lounge. WiFi plays an important part in controlling Roon, the music distribution system I use to play my CD resolution music collection.

Preparation

In preparation for installation, the Moocher completed the remainder of his UniFi installation. A couple of years ago he installed a Switch-8-150 to power 3 UniFi G3 video cameras and UniFi Video DVR. Later, he added a CloudKey G2+ to take over DVR chores. Happy with the DVR, he added a USG and 2 Switch-8-60W rack top switches. When the access points were ordered, the following gear was in and happy.

  • UniFi USG router
  • NetGear Orbi in access point mode
  • UniFi Switch-8-150 core switch
  • UniFi Switch-8-60 rack top switches at each equipment cluster
  • UniFi CloudKey G2+ and 3 G3 cameras

The Moocher used a telco toner to trace the AP cables back to the network closet. Once located, he ensured the proper ends were on the two cables and checked each cable using his basic network tester. We found one cable was made up A to B rather than A to A or B to B. This fixed, we found one bad pin and moved that drop to the telephone cable (also Cat 5 here at Dismal Manor). Once we knew the cable was good out to the wall plate, we patched up the closet end.

Most Ethernet service circuits connect from a patch panel to the core switch using RJ-48 straight cables. The 8 port patch panel was full so I borrowed some unused Cat 5 telephone circuits to pick up the master bedroom access point. This cable needed a keystone. It and the 3 camera cables have floating keystone ends.

Adoption

UniFi kit requires adoption and configuration to make it usable in the target network. Once adopted and configured, access point installation is almost trivial. The Moocher did adoption, updating, and configuration at the study rack top switch using known good patch cables. Once this preparatory work was complete, the AP could be installed at its final location without the hassle of trying to adopt it and configure it over a bad bit of back haul. I only had to sort out the bad bit of back haul that was limiting the bedroom AP’s performance.

Finishing up at the wall

With the access points configured and working, the Moocher next moved them to their room locations. Each location previously had a phone, Ethernet, and coax face plate cut in as low voltage old work. The Moocher removed the old face plate, connected the new access point using a 1 foot or 1/2 meter ribbon Cat 5/6 cable and allowed the AP to start, provision and settle. The access point is then mounted to the cover plate retaining device using the mounting plates in the access point kit.

Network stuff

The Moocher formerly had one network on site, Greydogs. To become somewhat more secure, the Moocher wanted to install a guest network for visiting trades and friends, a network for the internet of things stuff here at Dismal Manor, and a new main network for the Moocher’s iThings. This gives us a total of 8 channels active: 2.4 GHz and 5 GHz for each of the four WiFi segments.

  • DismalManor — the Moocher’s network
  • DismalGuests — the trades and visitors
  • DismalThings — the new IoT bits (just a Nest Thermostat for now)
  • Greydogs — the Nest Protect constellation and Ring doorbell until migrated

General Workflow

The network workflow is pretty easy. Select the controller’s settings page from the left sidebar. Work the individual pages from top to bottom starting with the Site tab.

Site

Key things here for a small home network.

  • Turn off the “advanced features” checkbox.
  • Turn off or confirm off the “auto optimize” switch
  • Set your country correctly so the correct RF frequency and transmit power provisioning data are used.
  • Set up your time zone or stay on UTC as you prefer.
  • Enable MDNS forwarding

These things turned out to be important to the happiness of the Nest Protects per communications with Ubiquiti Support and Nest Support.

Wireless Networks

Set up each wireless segment that you plan to have. For each, you will need a VLAN tag number and an RFC1918 network segment. I picked 3 adjacent VLAN tags and left my wired net untagged. This is an advantage of UniFi over NetGear home stuff. You can have multiple VLAN networks rather than primary and guest nets.

I set the trades net as having a Guest portal and used the minimal acceptable use policy statement built into the UniFi controller (be good). The controller presents this page first on mobile device check-in.

It is also here that you set QoS limits for each net. This is specified in the user groups so come back to this item after your user groups are established.

Networks

Here you set up each logical network giving it a network name, address range, DHCP setup, VLAN tag and DNS and routing stuff. If you don’t recognize a checkbox label, leave the feature off. If you’ve done this before with Linksys or NetGear routers, you should be OK here. The only new thing is that there can be up to 4 networks per network group.

The only tricky bit is to keep your VLAN tags straight between wired and wireless. UniFi controller assigns a port to a VLAN as part of its port configuration on the switch. For our deployment, we had no VLANs on the wired side. But this must be right for UniFi controller to correctly set up trunking for back haul.

Don’t forget to set up your preferred DNS servers. Also, be careful that DHCP address ranges are correctly entered for each network. I used a unique RFC 1918 Class C slice for each net, 1, 2, 3, 4.
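The VLAN tag and address plan from the Wireless Networks and Networks pages is easy to mistype into the controller, so here is an added pre-flight check (example code, not from the original post or from Ubiquiti) that flags duplicate tags, non-RFC 1918 or overlapping subnets, and DHCP pools that fall outside their subnet. The network names follow the post; the tag numbers, subnets and DHCP ranges are constructed assumptions, with Greydogs assumed to share the untagged wired net.

```python
# Added example: consistency check for a UniFi VLAN/subnet plan.
# Tag numbers, subnets and DHCP ranges are constructed assumptions.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (name, VLAN tag or None for untagged, subnet, DHCP start, DHCP stop)
PLAN = [
    ("Wired/Greydogs", None, "192.168.1.0/24", "192.168.1.100", "192.168.1.199"),
    ("DismalManor",    10,   "192.168.2.0/24", "192.168.2.100", "192.168.2.199"),
    ("DismalGuests",   11,   "192.168.3.0/24", "192.168.3.100", "192.168.3.199"),
    ("DismalThings",   12,   "192.168.4.0/24", "192.168.4.100", "192.168.4.199"),
]

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    tags, nets = {}, {}
    for name, tag, cidr, start, stop in plan:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits set means a typo
        except ValueError as err:
            problems.append(f"{name}: bad subnet {cidr} ({err})")
            continue
        # VLAN tags must be in range and unique across wired and wireless nets
        if tag is not None:
            if not 1 <= tag <= 4094:
                problems.append(f"{name}: VLAN tag {tag} out of range")
            elif tag in tags:
                problems.append(f"{name}: VLAN tag {tag} already used by {tags[tag]}")
            tags[tag] = name
        # Each segment must be a private (RFC 1918) range
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {cidr} is not an RFC 1918 range")
        # Subnets must not overlap one another
        for other, onet in nets.items():
            if net.overlaps(onet):
                problems.append(f"{name}: {cidr} overlaps {other} ({onet})")
        nets[name] = net
        # The DHCP pool must sit inside its subnet with start <= stop
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{name}: DHCP range {start}-{stop} not inside {cidr}")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```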

IPS

Set up intrusion prevention and reporting here. I enabled intrusion prevention but otherwise took the recommended settings.

DPI

The DPI page sets up deep packet inspection. Unless strapped for capacity in your USG, enable DPI. You’ll be able to see which host is doing what in the traffic statistics. These are pretty detailed and will identify traffic from iTunes, BackBlaze, iCloud, Google Drive, One Drive, etc.

Guest Control

Here’s where you set up the guest portal, guest hours, guest registration time to live, etc. You can also configure most of the appearance of the page shown to guests on login. You can also set up WAN link rationing here in bits per second limits for each user group.

Services

There are two stops on the Services page. The first is Services -> MDNS, which enables MDNS forwarding between subnets. This allows Bonjour/Zeroconf to work across my 4 subnets.

MDNS Forwarding

This is one place where the Ubiquiti UniFi software defined networking model shines. One frustration of the Netgear Orbi was that I had to put my iPad, iPhone, printer, etc on the same network as my file servers and audio endpoints.

Everything was using MDNS to configure itself using the MDNS multicast service advertisement protocols. If I put the iThings on the guest WiFi network, the iThings couldn’t find their AirPlay endpoints over on the wired network.

The normal fix with most SOHO gear is to add a fixed route for the proper multicast groups between the two nets. With UniFi SDN, you set a slide switch and UniFi controller determines and creates the routes needed.

I was lazy so I never set up a NetGear guest network.

SIP Settings

If you use a VoIP service at home like a mobile VoIP over WiFi app, subscribe to OOMA, or enable mobile phone WiFi assisted calling, you may need to disable “SIP ALG”. Ubiquiti gives the procedure in reference 2. Your carrier can advise. This must be done from the command line for the moment. I’ve encountered no issues so it may finally be working.

Reference 2 gives the command line procedure used to turn off this feature. This information is also available from most VoIP carriers such as OnSIP.

The Services -> SIP tab configures the paging system supported by “educational access points”. These APs have a built in page speaker, amplifier, and voice hardware to allow paging in schools (intended market) but these can be used in retail and offices needing paging.

DHCP

I also had to visit the Services -> DHCP page to complete the DHCP setup. On the DHCP Server sub-page, I accepted the suggested settings (always wise). On the DHCP relay page, I configured one DHCP server for my 1, 2, 3, and 4 subnets. Note that the DHCP and static ranges are configured on the network page by editing the network’s settings.

Admins

Change the administrator name and password here. Add additional admins as needed. Helpers can have rights limits applied.

User Groups

Here’s where you provision guest share of the WAN connection. Dismal Manor has 3 groups. Set these up, then go back to the Networks page and assign each net to a group policy.

  • Denizens (the Moocher) which is generously provisioned
  • Guests provisioned sufficiently to watch a Netflix stream or 3.
  • Things provisioned at T1 speed, sufficient for VoIP and checking in with the thing’s mother ship.