It’s been a while since I’ve updated my blog with something useful. I’ve recently been working diligently on home networking connectivity following a house move, so it seemed like a good time to write up new developments.
Moving out to rural Wales brought with it some Internet connectivity challenges, but fortunately, as I wrote about in my previous blog post, having 4G LTE capability on a router paid dividends. The first challenge was encountering, to my surprise, a remarkably low guaranteed speed with no green-cabinet capacity, resulting in a line speed of around 0.4Mbps (down from 70Mbps). This made 4G LTE indispensable, and to cut a long story short, it worked extremely well while I turned my attention to Plusnet and BT Openreach in an attempt to resurrect at least some level of usable connectivity.
Fortunately, it has proven possible to improve the line speed, although the guaranteed speed remains incredibly low. I am unsure how Openreach and Plusnet can have such different pictures of the same VDSL line, but erring on the side of caution, I have kept my DrayTek 4G LTE router for emergencies.
As I wrote about in a previous blog post, the Unifi AP Lite is an excellent unit and in my new abode, despite 100-year-old stone walls, in some cases a foot thick, it does a sterling job of creating both 2.4GHz and 5GHz 802.11 bubbles that extend to all parts of the house.
However, the Unifi AP is only partially functional when managed from the phone App. The area of particular concern is that, using the App, it’s only possible to configure the AP in WPA/WPA2 mode. Many of the desirable features are not reachable from the App at all; they become available only when you install a Unifi Controller on the network.
In the rather confusing sprawl of Unifi product names, to get access to the Controller functionality you either buy and install the Unifi Cloud Key, which is a small hardware appliance that runs the Unifi Controller software, or you download the Controller and configure it yourself, either on a dedicated system or as a VM.
I opted for a VM and installed the Controller on a vanilla Ubuntu VM. Unifi do not make the process of rolling your own controller particularly easy: it is not a turn-key install, and it requires some manual work to reconfigure and bring up the controller daemon, which listens on a predefined web port and serves the Unifi Controller web application. Expect to spend a couple of hours researching forums for configuration settings. Once all of the configuration work is complete, it is fortunately easy to use.
I also added a new Unifi Security Gateway (USG) to the mix, which I’ll return to in a moment.
Some of the features the controller offers include:
On the security front, the controller adds many more features, including:
Wireless networks can be fully configured using the controller. It’s also possible to create segmented guest SSIDs and to isolate the users on them, with a variety of guest portal options. The controller also allows the following features of 802.11 to be configured:
The USG is capable of talking PPPoE out of the WAN port, which allows a conventional VDSL modem to be used. I previously bought a DrayTek Vigor VDSL modem and had it integrated with a Cisco firewall, which handled the PPPoE session. As I talked about in my previous blog posts, I boxed this up when I switched over to the DrayTek 2862 with 4G capability.
So I decided to relegate the DrayTek LTE router to a separate hotspot, and instead brought the Vigor modem back into the mix by connecting it directly to the WAN port of the USG. After adding the Plusnet account details, it was quickly connected. Latency across the whole stack of kit also seemed to improve with the modem, edging below 9ms.
I then connected the Unifi AP Lite to the WAN2 port of the USG (reconfigured as a second LAN port), and connected the fixed, wired network to the LAN port.
The controller was then able to adopt both the AP and the USG. Some of the interesting features I enabled after integrating the USG included:
The USG in particular offers a number of useful capabilities:
The unified DHCP management offered through the controller is useful in achieving a number of goals, including:
Firmware updates are also integrated into the controller: they can be scheduled, and you can configure separate schedules for specific devices, so the impact of upgrades can be minimised.
Perhaps the most useful element of the USG is that it is effectively a choke point for all Internet-bound traffic. This allows the firewall engine to be used to implement a default-deny policy with explicit exceptions on outbound traffic, and potentially to enforce proxy access by permitting direct web egress only from the proxy host. While this creates some management overhead, it is helpful for SMEs who need more tightly controlled Internet connectivity patterns, e.g. in support of certification routes such as Cyber Essentials.
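The difference between blocking what you can enumerate and denying everything you have not excepted is easy to state and easy to get wrong in a rule set. The following is an added example, not code from the post or from Ubiquiti: a small first-match policy evaluator that runs a block-list policy (default accept, deny direct web) and a default-deny policy with exceptions for the proxy host and the gateway's DNS forwarder against the same constructed flows, so the rule ordering can be checked offline before it goes onto a real gateway. The addresses, the proxy port and the flows are all assumptions made up for the example.

```python
"""Added example (not from the post): checking an outbound firewall
policy offline.  Two policies are evaluated over the same flows:
a block-list (default accept, drop direct web from LAN clients) and
a default-deny policy whose only exceptions are the proxy host and
the gateway's own DNS forwarder.  All addressing is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumptions, not the author's network).
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.10")    # only host permitted direct web egress
GATEWAY = ip_address("192.168.1.1")   # USG; runs the LAN's DNS forwarder


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    description: str
    proto: Optional[str] = None        # None matches any protocol
    src: Optional[IPv4Network] = None  # None matches any source
    dst: Optional[IPv4Network] = None  # None matches any destination
    dports: frozenset = frozenset()    # empty set matches any port

    def matches(self, f: Flow) -> bool:
        return ((self.proto is None or self.proto == f.proto)
                and (self.src is None or f.src in self.src)
                and (self.dst is None or f.dst in self.dst)
                and (not self.dports or f.dport in self.dports))


@dataclass(frozen=True)
class Policy:
    name: str
    default: str                # action taken when no rule matches
    rules: Tuple[Rule, ...]

    def evaluate(self, f: Flow) -> str:
        """First matching rule wins; otherwise the default applies."""
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


def host(a: IPv4Address) -> IPv4Network:
    return ip_network(f"{a}/32")


# Weak policy: let everything out and try to enumerate what to block.
BLOCKLIST = Policy("blocklist", default="accept", rules=(
    Rule("accept", "proxy -> Internet web", "tcp", host(PROXY), None, frozenset({80, 443})),
    Rule("drop", "LAN clients may not browse directly", "tcp", LAN, None, frozenset({80, 443})),
))

# Hardened policy: drop everything outbound unless explicitly excepted.
# Clients reach the proxy and the forwarder on the LAN itself, so those
# flows never cross the gateway and need no rule here.
DEFAULT_DENY = Policy("default-deny", default="drop", rules=(
    Rule("accept", "proxy -> Internet web", "tcp", host(PROXY), None, frozenset({80, 443})),
    Rule("accept", "gateway forwarder -> upstream DNS", "udp", host(GATEWAY), None, frozenset({53})),
))

# Constructed flows; 198.51.100.0/24 and 203.0.113.0/24 stand in for the Internet.
SAMPLE_FLOWS = {
    "client direct https":   Flow(ip_address("192.168.1.50"), ip_address("203.0.113.10"), "tcp", 443),
    "client https alt port": Flow(ip_address("192.168.1.50"), ip_address("203.0.113.10"), "tcp", 8443),
    "client DNS-over-TLS":   Flow(ip_address("192.168.1.50"), ip_address("198.51.100.1"), "tcp", 853),
    "client external DNS":   Flow(ip_address("192.168.1.50"), ip_address("198.51.100.1"), "udp", 53),
    "proxy https":           Flow(PROXY, ip_address("203.0.113.10"), "tcp", 443),
    "gateway upstream DNS":  Flow(GATEWAY, ip_address("198.51.100.1"), "udp", 53),
}


def compare(flows=SAMPLE_FLOWS, policies=(BLOCKLIST, DEFAULT_DENY)) -> dict:
    """Verdict of each policy for each flow: {flow name: {policy name: action}}."""
    return {name: {p.name: p.evaluate(f) for p in policies} for name, f in flows.items()}


def leaks(flows=SAMPLE_FLOWS) -> List[str]:
    """Flows the block-list lets out that the default-deny policy stops."""
    return [n for n, v in compare(flows).items()
            if v["blocklist"] == "accept" and v["default-deny"] == "drop"]


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24s} {verdicts}")
    print("block-list leaks:", leaks())
```

Run as-is, the block-list lets the alternate-port HTTPS, DNS-over-TLS and external-DNS flows straight out, while the default-deny policy drops all three and still permits the proxy and the gateway's forwarder. Any new outbound need then shows up as a rule you have to write and justify, which is the property an assessor wants to see.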
So what have I been able to implement using all of this?
One of the most useful things I've been able to do is segment my work-from-home (WFH) traffic by moving it back from Ethernet onto a dedicated 802.11 SSID. I've also been able to rate limit this SSID alongside rate limits on the rest of the network, to achieve a simple form of QoS.
The multi-SSID capability of the AP Lite under the Unifi Controller (UC) has also allowed me to create a guest WiFi. Interestingly, the UC is also able to take payments for guest WiFi, so if you were in an area with demand for WiFi connectivity you might be able to start up a small business providing Internet connectivity.
The most significant benefit has been stability. The network is a lot more stable than the previous setup, and easier to manage.
June 21, 2021