Home Network Setup

Thanks. I already have a guest network running on a DDWRT router. But I wanted to remove that and replace it with the UAP. On that setup, I am able to throttle down the speeds of my guests. Here on the UAP, there's also an option to throttle them down. But, I am unable to separate the main LAN and the guest LAN.

 

Been reading this thread and Im confused

 

You're not alone

I'm still trying to figure out how to separate my guest network from my home network. This is what I have been doing since 5AM my whole Saturday and now it's 6:55PM, and I have zero success. But, I read you can use VLAN, which I think stands for Virtual LAN, and I have no idea how to go about it. I did it before on a DDWRT(fancy word for flashed router) but if you ask me now, I wouldn't know how I did it. I also have zero knowledge on computer networking. I'm just the average guy tinkering and trying to figure things out through trial and error. I still have jet lag, so sometimes I think I had solved the problem, but it turns out it was just a short dream from my nap.

 

Not sure if this will help, but here goes:

I was running a Netgear R7000 as my router and main wireless station for about a year and a half. I followed these instructions to setup my guest network - http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/ and it worked fine.

However, my 2.4 ghz radio broke on the R7000 recently, which is when I was introduced, incidentally by this thread, to Ubiquiti. Now, I am running the R7000 as my main router, but with all WiFi radios turned off. Two Unifi AP AC LR devices provide WiFi. When I changed out my WiFi APs, the settings in the above link don't work anymore.

On the new setup, I did enable Guest WiFi on the UniFi Controller. To do this, I have two SSIDs: SSID1 is for my home devices, with WPA as authentication. SSID-Guest is for my guest network. SSID-Guest is on open access mode, but with the option to enforce guest policies on that SSID ticked.

Next step was to go to the page in the Controller settings to control guest settings. I enabled my preferred guest authentication method -- captive portal with voucher authentication. At the very bottom of that page, there are a bunch of fields that contained some IP ranges. These fields allow you to either block or allow devices that are connected to SSID-Guest to access the other devices on the network. There are a few pre-filled IP blocks in there already. Since the IP range I defined for my network (on the DHCP server running on the R7000) fit the IP ranges pre-filled in, I didn't need to make changes. These ranges are, I think 192.168..., 172.X...., 10.0... You need to ensure the subnet you are using fits within these ranges (or you can edit or add another range) and devices connected to SSID-Guest will not be able to access your network devices. I did not have to do any VLAN settings on the R7000 for this to work. Note that the IP blocks you add must be in CIDR format.

Of course, the downside of this blocking setup, which is configured in only on the APs, is that devices connected to any other non-UniFi AP on the network or devices that are wired to the switch directly will be able to see the whole network.

 

Ok, I have given up separating the Guest network from my network. The Guests that are logged in cannot access any IP address on my Home devices anyway. Is there a security problem with it?

@zChris How did you make your guest have a different IP subnet? I have blocked my networks subnet but, the guest is still using that IP subnet. But it cannot access the main IP addresses. In other words, the Home and Guests share the same IP pool but the guests can't access any other IPs. Do you have the same results?


I too had a similar setup. I had 2 WRT1900AC and 2 AEBS, AE and 2 Linksys Wireless extenders because my house has many walls blocking the signal. Withe the introduction of Ubiquiti here on this thread too, I was able to remove one WRT1900AC and kept one for routing purposes and turned off the radios on that router. I have 2 AC LR and one AP LR and repositioned the 2 extenders. But, now I am able to walk in my garden and garage because of the Unifi LRs .

I love how you can manage the Unifi and see important details like traffic and the ability to troll...I mean block users from the network. I also like that it's easy to manage the guest network with throttling their upload and download speeds, the option to enter a password, voucher, or pay.

 

@Juice

Sorry, I finally understand your requirement specifically. You want to place Guest devices on a separate subnet. In my case, using the settings from my previous post, the wireless clients connected to the Guest network do not see the devices on the Home network. However, all these devices currently share the same subnet. I confirmed this just now using one of my devices which is now connected to Guest. I don't think this is a security issue, at least for my house. Anyway, I expect that the users that get a voucher are guests to my house, who presumably I know, and presumably would be my friends and not hack my network.

AFAIK, to make a separate subnet for Guest, a few things need to be done:
1. Router - setup separate VLAN for Home and Guest networks
2. Router / Switch - assign these VLANs to a trunk port
3. AP - tag traffic going through Guest to go through the VLAN tag you assigned for your Guest network.
4. Router - Fix DHCP settings
5. There could be more, I'm not sure. Perhaps some firewall settings to make sure the VLAN traffic is isolated?

I'm happy with the current setup of Guest devices not seeing the Home devices so I didn't bother going beyond basic research on VLANs. Having said this, it seems that on the UniFi Controller, setting up a VLAN and VLAN trunking can all be done via the UI. I have a USG arriving in a week so if I have an afternoon to kill, I may consider playing around with this just to get some basic VLAN experience. I know it's a very nerdy thing to say but I actually am in the IT industry, it's just that my job doesn't require me to do hands-on config work.

In any case, a hands-on networking pro like @oj88 would be the best person to solve your problem here.

 

@oj88
@zChris
Ok, I just found out that my Linksys WRT1900AC has VLAN simple setup. But I wouldn't know how to go about it and i'm satisfied with the guest network now seeing other IP addresses in the IP pool. How do you give the guest access to a the network printer? Is it possible? I read you can but I tried it and it can't see it.

I have another question. I noticed the 5GHz radio isn't encrypted. The main SSID and the guest SSID are both encrypted except the 5GHz. Normal? What did I miss?

 

@Juice

I haven't done it myself, but to give access to a specific machine to guests, there is a setting in the controller right above the one where you blocked your IP ranges to allow specific IP ranges after guest authentication.

Your printer would probably need to have a static IP and you enter the IP address of the printer in that field with /32 right after the IP address.

On the 5G issue, I can't seem to find that screen you attached on my IOS app. Do you run a controller or are you running the app in controllerless mode. In any case, my guest network is open on both 2.4 and 5 and I do voucher authentication for guests. So anyone can associate to my guest SSID and see the captive portal but they will not be able to authenticate without a voucher code.

 

Thanks. I did that but there's another problem that came up when I added the printer's IP address. All other IP addresses were now accessible, which shouldn't be, right? To revert back, I have to delete the guest network again, cause simply putting back the same values to the original doesn't work.

 

Strange... I would think it shouldn't be like this. I suggest that you join the Uniquiti forum and ask for advice there. The community is very active and extremely helpful.

As for myself, I went all-in on Ubiquiti now. I have 2 AC AP LRs, a Cloud Key for my controller, and a USG for my router. Setup especially of the router was a bit hair raising but now everything is humming along.

 

Alright, I got it. I can share the printer for the guest network by adding the printer IP at the pre authorization.

Yeah, I've been browsing the forums. I might as well participate. I also bought 2 more AC LRs added to an AP LR(accidentally bought the wrong LR). I'm planning on getting the USG too. Does it have DPI too?

 

Yup, the USG has pretty good DPI, but it's for info only at the moment. I haven't seen functionality to block or filter any DPI categories or sites. I guess blocking specific site IPs is possible with the firewall, but it's a manual affair at the moment.

On a side note, to get what I would term as minimum viable functionality on USG via GUI (specifically static routes and firewall control), you need to be on version 5.1.X of the UniFi Controller. That version is still on beta, but no issues on my end running it either on AWS or on a Cloud Key. You need to sign up to be a beta tester to access this version, but signing up is self service via their forum. Installation of the beta Controller is also manual, possibly via CLI if you use a Linux based server for your controller. However, detailed instructions are available. if you don't n Ed static routes or firewall control on your USG, then the GA release of the controller, which is 5.0.7, is fine.

For reference, my guide for getting USG integrated to my network was a part of this article that specifically referred to the USG: https://www.dashos.net/getting-the-most-out-of-unifi/

 

@zChris

Hi, I have a USG arriving in about a week's time. I read that the IP address and the router address is different. Is this correct? Like this one which I got from the community. The image is from a poster at ubnt community.


So instead of static IP, I should use DHCP. What's the IP address and the router address? Why are they different? Or is it because the IP he chose is static that's why he's using 192.168.0.2? And the router is 192.168.0.1.

I just wanted to be prepared when it arrives, so I can install it quick. Thanks.

 

Thanks. That's what I thought, I just wasn't sure.

 

It arrived! Now testing the USG.




I love the the DPI feature. It's like voyeurism for network admin. There's port forwarding, which I needed. But, there doesn't seem to be a DHCP reservation available on the GUI and only through CLI. I didn't wan to tinker with it cause, i'm not that confident in using that. I'm not sure if it's just my imagination or this thing is snappier than my previous Linksys WRT1900AC that it replaced. All the pages loads like it was cached on the network. Even my Xbox accessing the store feels like it was preloaded. I also was able configured the iOS app, so I have control on on my iOS and Mac. With the cloud access, I can control it even when i'm not at home now.(no need for USG to do that)

 

@Juice

Apologize I missed your previous post as I haven't been checking Philmug the past few days.

In my case, I set my WAN setting to PPPoE and filled in the relevant fields. My modem from the ISP is set to bridge mode so the PPPoE connection to Internet is controlled from the USG, not the modem.

Anyway, good to see you got it all figured out.

 

any leads where I can buy a custom length CAT5E cable (and how much per meter)?

 

Some computer shops will do it for you. PCexpress charges 10pesos per meter for normal Cat6 and 20 pesos per meter for the DLink Cat6. May I ask why Cat5E and not Cat6?