When all of your network devices lose access to the internet all at the same time regularly throughout the day, there is not much to blame other than a bad network cable to your Wireless Access Point (AP), or the Access Point itself. It wasn’t the cable. My old Cisco-Linksys E3000’s days were numbered. Skype calls were dropping, Emby videos streams were getting interrupted, websites weren’t loading. As with most technical things, the burden to set things right fell on my shoulders.
Ubiquiti UniFi
It was past time to upgrade to 802.11ac anyway. I use pfSense for my router so all I want is a Wireless AP, I don’t need a combo, so I started my search. I don’t really like researching APs because consumer devices are pretty awful at security, and enterprise devices involve support contracts and enterprise software and sometimes the security is just as bad. But WiFi router recommendations are one of the most frequently asked questions from friends and family, and I’ve never had a good answer …until now. I came across UniFi made by Ubiquiti. These are the wireless AP’s that Linus Torvalds uses. The products appear to be marketed towards Businesses and Enterprises, but the software to run it is free, and pretty much all I need for my home/soho environment can be configured through the web-interface.
UniFi Access Points (AP)
I purchased the UAP-AC-PRO which is their high end model as well as the budget model, the UAP-AC-LITE.
The UniFi AP (Wireless Access Point) looks more like a smoke detector than a wireless access point. A typical install is mounting them on the ceiling. Here’s mine mounted on a wall (the circular ring LED is normally blue which is too bright at night, but fortunately it can be turned off).
Power over Ethernet (PoE)
The AP is powered by PoE. This means you don’t need an AC-DC adapter, instead it gets it’s power from the Ethernet cable. This works on standard Cat 5e, Cat6, or Cat6a cable. Normally PoE devices require an expensive PoE capable switch, and I was a bit hesitant of getting into the PoE world, but as long as you buy a single unit and not their bulk pack the UniFi APs usually comes bundled with a PoE injector to get you started.
I had no idea what a PoE injector was, but it turns out to be really simple. It’s a little box with a power cable, and two Ethernet ports, LAN and PoE. Just plug the LAN port into your switch and your AP into the PoE port. Couldn’t be any simpler. Now, if you’re running a fleet of WiFi access points it probably makes sense to get a PoE switch. But for one or two in a house the PoE injector is fine.
Switch -> Ethernet -> PoE Injector -> Powered Ethernet -> AP
Two PoE Options: Passive or IEEE 802.3af/at
Now, there are a couple of different kinds of PoE.
Here’s the difference: Passive PoE is as dumb as an electrical outlet. It just sends power through the Ethernet cable whether you need it or not… and this can damage devices not designed for Passive PoE if you accidentally plug a powered Ethernet cable into them. The much better standard is 802.3af and 802.3at PoE. With this power isn’t provided until the device requests it, which means it’s very safe and you can plug non-PoE devices into PoE ports without blowing them up.
The UAP-AC-PRO uses 802.3af.
The UAP-AC-LITE and UAP-AC-LR products require passive PoE. However, I have seen possible signs that Ubiquiti is switching all their products to the IEEE 802.3af/at standards, so it may be worthwhile waiting for the newer models if you don’t want to spend the extra for the Pro model and can afford to wait.
The UniFi Controller
So, these Access Points don’t run a web-server with a management interface. This is a business/enterprise class solution so it’s meant to be centrally controlled from a single controller. You will need to download the UniFi Controller (which is free). Once it’s running you can access it via web browser or the UniFi App for Android or iOS. The controller can be installed on Windows, Linux, or MacOSX. If you don’t care about collecting stats it doesn’t need to be up and running all the time so it can be run on a workstation, but if you have a server I recommend running it there. I created an Ununtu 16.04 VM called “unifi.b3n.org” I gave it 1GB RAM, 30GB HDD, and 1 core which seems to be plenty.
The install process is straight forward…
Create a file, /etc/apt/sources.list.d.100-ubnt-list
deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti
Then add the GPG Keys and install the software.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50 sudo apt updatesudo apt install unifi
Go to https://unifi.example.com:8443 (See the bottom of this post for info on setting up a real certificate).
The first time you access it you get Wizard to set it up, after creating an account and such it will have you adopt the UniFi APs on your network. If they’re plugged in it will find them automatically. It not only manages APs but also manages UniFi branded routers, switches, cameras, VoIP devices, etc.
I can see how it would help manage a fleet of wireless equipment across multiple sites. You can see all the devices connected, the AP they’re connected to, signal strength, connection speed, data they’ve used, how they’re authorized to be on the network, VLANs, etc. I’ve hidden a lot of columns in the screenshot below but it gives you an idea of the data you can get on wireless clients.
Neighboring APs
The UniFi also keeps track of every wireless AP that it has seen. My neighbors seem to have a lot of HP Smart Printers and TVs that need to waste RF spectrum running their own APs for some reason. Cars Have APs? It looks like a lot of cars have their own APs now days? At least I’m guessing these MitsumiE APs are automobiles that have driven by my house.
UniFi Android / iOS App
The Android app is is just as capable (and I presume it is on iPhone as well), I didn’t do a thorough comb through but at a quick glance it appears every screen and configuration setting in the web interface is available in the Android App.
AP Models Comparison
The APs perform well. Since I installed the UniFi we have not had a single wireless connection drop, even if I put the AP power settings at their lowest it has better range than my previous AP. I also setup both APs and my devices had no trouble roaming between the two APs as needed while maintaining connections.
The three main models are:
- UAP-AC-LITE – 2×2 MIMO on both bands (budget)
- UAP-AC-LR – 3×3 MIMO on 2.4, 2×2 MIMO on 5GHz (middle)
- UAP-AC-PRO – 3×3 MIMO on both bands (fastest)
Does 3×3 MIMO make a difference for 2×2 clients? You might get better reception, but probably not a noticeable difference. However, if you do have 3×3 capable clients you should see a benefit going to a 3×3 AP.
UAC-AP-PRO vs UAC-AP-LITE Performance and Coverage with 2×2 Clients
Most wireless clients are only 2×2 MIMO these days, and even though I tend to run the latest hardware I only have 2×2 devices which can connect at a maximum speed of 866.7Mbps. A 3×3 MIMO AP can improve performance of 2×2 MIMO clients because the extra antenna might provide a better signal. That’s the theory anyway.
I can’t really tell a difference between the two routers in my house, in the Android App Wireless Test I get better uploads speeds on the Pro than I do the Lite, which might be due to it’s extra antenna but I don’t see that performance benefit on our laptops when transferring files back and forth between them and my FreeNAS unit.
I do think I get slightly better upload speeds on the Pro model when I’m far away from the AP. This may be due to the extra antenna or it could just be subjective.
As far as real life performance on 5GHz setting the channel width to 80Mhz I get about 50-60Mb/s down and 30-40Mb/s up pretty consistently throughout the house, and that’s with multiple wireless clients connected and a pretty saturated RF spectrum. Here’s an RF Scan at my house… there’s really not a single empty channel even on 5Ghz.
UniFi Managed Switches
Ubiquiti also sells managed switches, ranging from 8 to 48 ports with a variety of PoE options. I’ve been wanting try out managed switches so I picked up their small 8-port. Since I’m running these at home low noise is extremely important. The two switches that fit the bill are the 8-port US-8-60W (with 4 PoE ports) and the 24-port US-24 (without PoE), both of these models are fanless and silent.
The US-24 doesn’t have PoE on it. The US-8-60W has four 802.3af PoE ports. I should note that this switch cannot do passive PoE so it won’t be able to power UniFi’s passive PoE equipment (such as the UAP-AC-LITE).
There are two banks of LEDs, top row is only for the four PoE ports on the right and light up orange if PoE is activated. The bottom row lights up green on gigabit links and orange for 100Mbps links. There’s also a blue/white LED on the far left front of the router that’s off. I do not like blue or white LEDs. Fortunately as soon as I provisioned it the UniFi Controller automatically turned it off based on my site preferences.
VLAN Configuration
After getting a quick primer from a Network Engineer on how VLAN tagging works I decided to start VLAN tagging my network.
Under the UniFi Controller you can setup your VLANs, I programmed all of mine in above. Something that is a bit confusing is there are two Network Purpose types that support VLAN tagging, “Corporate” and “VLAN-Only”. There is no difference between the two, unless you are using the USG (UniFi Security Gateway), which can run a DHCP server for each “Corporate” network type. Since I’m using pfSense instead of the USG I setup mine as vlan-only.
Then it’s fairly trivial to manage the ports, setting up trunking and access ports for certain VLANs. In my case port 2 is my trunk port and goes to my pfSense router. I also ran my Northland Cable connection through the switch so I could get some bandwidth insights.
As always, the UniFi Controller provides some pretty neat insights, it picked up devices not only connected to it but also found devices connected to other switches (notice most of the devices below were found on port 2 which connects up to my VMware vSwitch).
Switch Insights
And UniFi provides great statistics and insights into traffic flow on the switch.
Appendix A: Setting an SSL Certificate on the UniFi Controller.
By default the Unifi controller runs on port 8443 with a self-signed SSL certificate. It is ridiculously difficult to set a custom cert… I know how to work with Java keystores but I just couldn’t get the ace.jar Java cert importer to accept my intranet cert. Then I read the CA cert had to be in DER format which also didn’t work…. arrgh. Suddenly it hit me that setting up certs on nginx is easy, it would be much simpler to set up an SSL certificate on an nginx reverse proxy on port 443. I want the UniFi Controller listening on 443 anyway, and even better, I don’t have to touch any UniFi configuration files or certs.
If you’re running an internal CA like I am you can just generate an internal Cert, or if you need a public cert Let’s Encrypt should work just as well. Here’s an example of generating one from FreeNAS.
Export the certificate and key and save them to /etc/nginx/cert.crt and /etc/nginx/cert.key. The configuration is a pretty standard nginx reverse proxy, the only issue I initially ran into was the UniFi controller reported a “WebSocket connection error” warning, so I enabled nginx’s proxy support for WebSockets (which the configuration below takes care of). Other than that it’s a straight forward reverse proxy.
Edit /etc/nginx/sites-available/default :
server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://unifi.b3n.org; } server { listen 443; server_name unifi.b3n.org; ssl_certificate /etc/nginx/cert.crt; ssl_certificate_key /etc/nginx/cert.key; ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass https://unifi.b3n.org:8443; proxy_read_timeout 90; proxy_redirect https://unifi.b3n.org:8443 https://unifi.b3n.org; proxy_ssl_verify off; } }
And restart nginx and then I was able to browse to https://unifi.b3n.org with a green SSL cert.
service nginx restart
If you can deal with a cloud controller, check out IgniteNet. Very similar to UBNT, but without the known history of GPL violations and super buggy code.
I did see you can download the GPL archives for various products, have those issues been fixed? I wonder if it has to do with the new FCC rules for wireless devices. So far I haven’t encountered a bug, but have seen a couple of updates that I deployed so they must be fixing some. |:-)
Hey Ben, I too have the UAP AP AC Pro (Purchased in Dec ’16) and noticed my connection speed has dropped from 878Mbps to ~300 on average, some research on the UBNT forums led me to this https://community.ubnt.com/t5/UniFi-Wireless/Macbook-Pro-Tx-Rate-with-UAP-AC-Pro/td-p/1579124 not just a MacBook issue though, I have the same problem with my Thinkpad, they’re RMA-ing mine.
Check yours ;)
Thanks for the heads up, I’m connecting at 867mbps, I checked all my laptops and my fastest wireless NIC is a Wireless-AC 7265 and looks like it’s not capable of 1300mbps so I don’t have a way to test for that issue. I’d be curious to hear if your RMA sped it up, I might have to have a friend drop by and test mine out.
Thanks for sharing! Do you have any experience with APs from MikroTik, are they better than UniFi?
Hi, Earthwalker, I have very little experience with MikroTik, MikroTik takes a little more skill to program where the UniFi can all be setup pretty easily by clicking around in the web interface. At the time I checked MicroTik didn’t have the newer 802.11ac technology for wireless and were still on 802.11n. If you’re goal is to get up and running quickly I’d go UniFi, if your goal is to learn (particularly if you’re interested in networking but don’t want to invest in Juniper or Cisco) the MicroTik might be a good way to go… but I’d probably just use their router and get a separate Wireless AP for faster speed.