The shoemaker’s children always go barefoot – own infrastructure at home

Home infrastructure is a typical example of two distinct views of the same artifact: some say it must be as easy as possible, while others make it more complicated than the IT infrastructure of a mid-sized company. I used to be in the first group; I was happy with my TP-Link router/AP combo device. That changed once many ISPs started basically polluting the 2.4 GHz band with their wifi networks – which are free for their subscribers all around the city – and the result is the familiar picture of an unreliable wifi network of your own, even though my rented flat is not in a building with 440 condos. There is simply not a single channel without at least 3 SSIDs on it already. I work from home quite often, and this made me use the wired network instead, since VPN and VDI connections are happier when their sessions are not disrupted by random disconnects. I did some searching in which direction to go and some colleagues hinted at the name Ubiquiti. It wasn’t new to me, but I knew little beyond that it is a company with wifi related products, not enterprise-grade like Aruba or Cisco, not even Fortinet – but their devices usually take the top spot in the price/value metric. This is what a techie wants to hear….

I decided that the AP/switch/router trio must be separated. The first step was to check the options available in Ubiquiti’s portfolio. There are two classes of devices in the Routing & Switching section:

  • EdgeMax
  • Universal Security Gateway

The first one has a longer track record since it has been on the market a little longer, but the second runs the same EdgeOS system – as the EdgeMax – amended with the UniFi management layer. EdgeMax can be managed centrally too by using UNMS, but that is still in beta; some settings can be done through it, but the firewall rule section is completely missing currently. USG is the other side of the story: it “must” be managed using UniFi, so it needs a Controller. This makes the central management end-to-end, so the router, the switch, the access points etc. can be provisioned and orchestrated from there. This UniFi Controller can be materialized in the form of a “pendrive” sized appliance, or it can run on Windows/Ubuntu etc. and even on a Raspberry Pi – my choice. But hey, I am a techie as I said, I need EdgeMax, hardcore is the way to go.

Size and functions of these devices vary, but I don’t expect a high port count from a switch, nor high throughput, as my internet bandwidth is touching 120 Mbit/s – from below. I oriented towards the top left part of the picture when I made my choice and went for the EdgeRouter X. Not saying I regret this decision, but it was a difficult exercise to make it work.

In these days, at the edge of the home automation era, it is not uncommon to have a system like that. I have one too and I might be paranoid for sure, but I don’t trust them. Same with the IP cam I have. I also wanted to set up a guest wireless network for visitors at home. Separating these requires a solution that can split the networks into multiple VLANs and steer the communication with firewall rules, so I can tell who can communicate, to which destination, on which protocol and port.

When configuring the ER-X I set up all four VLANs:

  • wired network – a.k.a. internal network, VLAN1: hosts can communicate with any other VLAN.
  • internal wifi, VLAN10: hosts can communicate with any other VLAN.
  • IoT network, VLAN20: hosts are not allowed to communicate with any other VLAN, nor with the internet.
  • guest wifi, VLAN30: hosts are not allowed to communicate with any other VLAN. They can use only OpenDNS as resolvers – any other UDP/TCP 53 outbound is denied – and only TCP 443/80 is allowed outbound. A captive portal is the point of authentication, based on pre-generated vouchers.

Aaaaaand I found myself in a two-day troubleshooting weekend. Despite the allow-any/any firewall rules between the VLANs above, hosts in one VLAN could ping the ER-X interface of the same VLAN, and also the interfaces of all other VLANs, but not any host in any of those VLANs. A short sweep of the Ubiquiti forum finally solved it: VLAN1 had to be created. I am not really a network guy, but I know for sure that VLAN1 is the default VLAN and it is usually blackholed or even disabled, but not here. I had to define it and set it untagged.
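The VLAN policy from the list above and the untagged-VLAN1 fix, written out as EdgeOS set commands for the ER-X. This is an added example and not the author’s own configuration: the interface names, the 192.168.x.0/24 ranges, the rule-set names GUEST_IN and IOT_IN and the assumption that eth1 is the trunk port towards the AP are mine; the two OpenDNS resolver addresses are OpenDNS’s published ones. Lines starting with # are annotations, not CLI input.

```text
# Groups referenced by the rules below
set firewall group address-group RFC1918 address 10.0.0.0/8
set firewall group address-group RFC1918 address 172.16.0.0/12
set firewall group address-group RFC1918 address 192.168.0.0/16
set firewall group address-group OPENDNS address 208.67.222.222
set firewall group address-group OPENDNS address 208.67.220.220
set firewall group port-group WEB port 80
set firewall group port-group WEB port 443

# Guest VLAN 30: rules are evaluated in number order, first match wins.
# Replies to existing sessions, DNS only to OpenDNS, nothing to private
# ranges (that is, no other VLAN), then web only.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action accept
set firewall name GUEST_IN rule 20 protocol tcp_udp
set firewall name GUEST_IN rule 20 destination group address-group OPENDNS
set firewall name GUEST_IN rule 20 destination port 53
set firewall name GUEST_IN rule 30 action drop
set firewall name GUEST_IN rule 30 destination group address-group RFC1918
set firewall name GUEST_IN rule 40 action accept
set firewall name GUEST_IN rule 40 protocol tcp
set firewall name GUEST_IN rule 40 destination group port-group WEB

# IoT VLAN 20: no other VLAN, no internet. Only replies to sessions opened
# from the internal VLANs pass (assumption: the cam is viewed from inside).
set firewall name IOT_IN default-action drop
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable

# VLAN interfaces on the ER-X switch; "in" filters traffic entering the
# router from that VLAN, which covers both inter-VLAN and internet traffic
set interfaces switch switch0 address 192.168.1.1/24
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set interfaces switch switch0 vif 20 firewall in name IOT_IN
set interfaces switch switch0 vif 30 address 192.168.30.1/24
set interfaces switch switch0 vif 30 firewall in name GUEST_IN

# The part that cost the weekend: VLAN-aware switch with VLAN1 untagged
# (pvid) on the AP trunk port and the wifi VLANs tagged on it
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
set interfaces switch switch0 switch-port interface eth1 vlan vid 30
```

Check the result with `show firewall name GUEST_IN statistics` after a guest client has tried a non-OpenDNS resolver: the counter on the default drop action should increase, not the one on rule 20.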

One AP might be enough for me as the flat is small; the downselect of APs was instant: AP AC Lite.

The AP setup process requires no Controller, it can be performed using the mobile app, but since I have some Pi-hole rPi boxes running, I installed the Controller on one of them. Setup was easy, a one-bit user can do it without headache. I created the SSIDs and assigned them to the VLANs created before in the EdgeRouter X. At this point I experienced the lack of integration between the Edge and UniFi lines, since if a USG is used instead of the EdgeRouter all this could have been done simply in the Controller.

The system was ready for production – and believe me, my wife spots the loss of one single ICMP packet. Nothing is more mission critical than the home network.

But then I received a message from a former colleague from NL. Erwin van Rens was a role model of mine while I was at EDS/HP/HPE, and if he says something you’d better take it as written in stone…. and he said he has a USG Pro 4 and would ship it if I want. No brainer; with a thick discount the package was on its way to me.

It is in the middle and I hear you saying, this is the optimal choice of course. 2 x 1 Gbit WAN ports with IDS/IPS is something that is a must for every household. You CANNOT live without this.

And I had a design review already on day 3 of production, and finally my infra looks like this now:

It can be simplified, I know, but how cool is it to have a portal for my guest users, restricting those sessions down to certain bandwidth limits and time periods. Also important to mention that wifi has never been this stable. Furthermore there are statistics and reports with data, data that was hidden before.

Neighboring SSIDs that were near my AP:

The utilization of channels, interference and usage counters:

Ok, I admit I spent too much time at home building this, but during the Christmas holiday I had – maybe – too much free time. The result is stable wifi and certainly, if marginally, a higher security level.