Thanks to a lucky sequence of events elsewhere, I inherited a Ubiquiti Cloud Gateway Ultra router.
My Netgate 1100 running pfSense was not underperforming and didn’t need to be replaced, but I took the opportunity to replace the only major piece of network gear left in the house that wasn’t Ubiquiti.
I have a moderately sophisticated home LAN, beyond what most of the people I know need, but not as over the top as some others. I currently have one internet service provider, Starlink, though for a while I had an LTE provider as well. There is a fiber provider building out in our area and we have signed up. They have installed our ONT to a fiber stub that runs to the curb, and all over our neighborhood there are runs along the street between stubs. Still waiting for the rest of it to be completed somewhere. Whenever that does happen, we will have fiber and Starlink for long enough for me to trust the fiber.
I have the router, a switch and two WiFi access points in the house, a switch and a WiFi access point in the workshop and a wireless bridge connecting them. The main complications to this otherwise fairly straightforward deployment are: 1) My ISP is currently Starlink and, to avoid all the trees around the house, the Starlink dish is physically installed at the workshop, requiring the use of an isolated VLAN to backhaul Starlink across a wireless bridge to the house where the router and all the other central gear is, and 2) I have a moderate number of IoT devices, particularly inexpensive home automation devices, that should be somewhat isolated from the rest of the network.
I had set up a UniFi Network Controller running as a Docker container on my Synology NAS to administer the Ubiquiti switches and APs. Given how little CPU this task takes, it has hardly been a load on the NAS at all. However, the Cloud Gateway Ultra can take over this task as well.
I read that there are ways to back up the running configurations for all of my devices and restore them to the new controller. It’s not particularly complicated, but I elected to take the opportunity to start my configurations from a clean slate, reset each of these devices and configure them anew. This may have cost me more time than was necessary, but it definitely made me understand and address specific elements of the configurations.
I started by locating an ‘as built’ drawing that I made after adding the Ubiquiti switches and APs.
I used this drawing and consulted the existing configurations to verify the port numbers and VLANs, particularly dealing with the Starlink backhaul.
The flow of the VLANs is better illustrated here.
The thing to realize is that VLAN 50 carries Starlink traffic directly between port 7 of the Flying Dog switch and port 15 of the Hippy Hollow switch without being available on any other port of either switch. The router then treats that as its WAN connection and distributes it out its LAN port, which is connected to port 16 of the Hippy Hollow switch. All other ports on both switches carry every VLAN except VLAN 50, so nothing can connect directly to Starlink and bypass the router.
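To make that isolation property something you can check rather than eyeball on the drawing, here is a small model of the two switches. It is an added example written for this post, not a UniFi export and not anything from the original write-up. Port numbers 7, 8, 15 and 16 and VLAN 50 come from the description above; the other VLAN numbers, the house switch's bridge port (port 1) and the AP ports are assumptions. It floods a frame from the Starlink port through every port that carries its VLAN, across the bridge if both ends carry it, and reports every end-device port that would see it.

```python
from collections import deque
from dataclasses import dataclass

# VLAN plan. Only VLAN 50 (the Starlink backhaul) comes from the post; the
# other VLAN numbers are assumptions made for this example.
DEFAULT, IOT, CAMERAS, BACKHAUL = 1, 20, 30, 50
LAN_VLANS = frozenset({IOT, CAMERAS})   # tagged on ordinary ports; DEFAULT rides untagged

FD, HH = "Flying Dog", "Hippy Hollow"   # workshop switch, house switch


@dataclass(frozen=True)
class Port:
    switch: str
    number: int
    native: int                         # untagged (PVID) VLAN
    tagged: frozenset = frozenset()     # 802.1Q-tagged VLANs
    trunk: bool = False                 # True only on the switch-to-switch (bridge) ports

    def carries(self, vlan: int) -> bool:
        return vlan == self.native or vlan in self.tagged


def build_topology(extra_ports=()):
    """Ports and links of the two switches. Ports 7, 8, 15 and 16 are from the
    post; Hippy Hollow port 1 as the bridge uplink and the two AP ports are
    assumed. extra_ports lets a caller add a deliberately misconfigured port."""
    ports = [
        Port(FD, 7, BACKHAUL),                                     # Starlink dish (access port)
        Port(FD, 8, DEFAULT, LAN_VLANS | {BACKHAUL}, trunk=True),  # wireless bridge to the house
        Port(FD, 2, DEFAULT, LAN_VLANS),                           # workshop AP (assumed port)
        Port(HH, 1, DEFAULT, LAN_VLANS | {BACKHAUL}, trunk=True),  # bridge from the workshop (assumed port)
        Port(HH, 15, BACKHAUL),                                    # router WAN (access port)
        Port(HH, 16, DEFAULT, LAN_VLANS),                          # router LAN
        Port(HH, 3, DEFAULT, LAN_VLANS),                           # house AP (assumed port)
        *extra_ports,
    ]
    links = [((FD, 8), (HH, 1))]
    return ports, links


def reachable_edge_ports(ports, links, start):
    """Edge (non-trunk) ports that can receive a frame entering untagged at `start`.

    The frame joins start's native VLAN. Inside a switch it floods to every
    port carrying that VLAN; it crosses to the other switch only if both ends
    of the link carry the VLAN. Returns a set of (switch, port number)."""
    vlan = start.native
    by_key = {(p.switch, p.number): p for p in ports}
    peer = {}
    for a, b in links:
        peer[a], peer[b] = b, a
    reached, visited, queue = set(), set(), deque([start.switch])
    while queue:
        sw = queue.popleft()
        if sw in visited:
            continue
        visited.add(sw)
        for p in ports:
            if p.switch != sw or not p.carries(vlan):
                continue
            if p.trunk:
                other = peer.get((p.switch, p.number))
                if other and by_key[other].carries(vlan):
                    queue.append(other[0])
            else:
                reached.add((p.switch, p.number))
    reached.discard((start.switch, start.number))
    return reached


def check_backhaul(ports, links):
    """The two properties the post relies on: Starlink frames reach the router's
    WAN port, and no other edge port can see them (nothing bypasses the router)."""
    starlink = next(p for p in ports if (p.switch, p.number) == (FD, 7))
    seen = reachable_edge_ports(ports, links, starlink)
    return {"reaches_router_wan": (HH, 15) in seen, "leaks": seen - {(HH, 15)}}


if __name__ == "__main__":
    ports, links = build_topology()
    print(check_backhaul(ports, links))
    # A single ordinary port with VLAN 50 added to its profile shows up in "leaks":
    bad = Port(HH, 5, DEFAULT, LAN_VLANS | {BACKHAUL})
    print(check_backhaul(*build_topology([bad])))
```

The interesting failure modes are the two the model distinguishes: dropping VLAN 50 from either end of the bridge trunk leaves the router with no WAN (reaches_router_wan becomes False), while adding VLAN 50 to any ordinary port profile turns up in leaks, which is exactly the "bypass the router" hole the design is meant to rule out.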
In any case, because I was going to deploy these devices with factory resets, establishing this VLAN backhaul added a twist. I had already brought the Gateway up in the house and changed its network IP from the default 192.168.1.0/24 to my existing 172.29.0.0/24. I then took the Gateway over to the workshop and connected it directly to Starlink and a random switchport and, importantly, I plugged the workshop AP into one of the Gateway’s switchports. This let it come up with the Gateway easily reachable from my phone. When things settled down, I reset the switch, adopted it, configured the VLAN on port 7 and the trunk on port 8 (which has the bridge between the workshop and house), then I moved the Gateway back into the house to reconfigure that switch.
In the house, I had the advantage of a laptop in the network cabinet, so I didn’t have to necessarily worry about the AP immediately.
I was able to quickly get the VLAN backhaul for Starlink up and going. Then came everything else.
I understand there is some method of resetting APs over the Ethernet cable, but I needed a ladder to reach only two of the four and adoption to the new controller went smoothly.
There were two mildly troublesome parts to all the wireless stuff. First, it took so long for me to get all the APs reset that all the open DHCP scopes assigned IPs that were previously fixed and I couldn’t conveniently reassign them to the addresses they once had. There was kind of a plan there at one time. I just sighed and left the things that needed to be fixed where they landed, mostly cameras and printers. Second, the whole idea of having a separate IoT subnet is that devices on that network can reach the internet, but not your other local networks. A simple checkbox enables this isolation, but if something *does* need access, if, for example, your Home Assistant server is on the main network and a bunch of your wireless home automation devices are on the IoT network, then this simple network isolation checkbox is not the solution; you need a couple of appropriate firewall rules instead. That is why all of my WiFi Home Assistant devices were grayed out. 🙂
To get all these devices up and running, I elected to remove the network isolation checkbox and work on setting proper firewall rules later.
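As an added illustration, and not anything from the post or from UniFi itself, here is a toy rule evaluator that shows why the checkbox and a short rule set behave differently for Home Assistant. The main network 172.29.0.0/24 is from the post; the IoT subnet, the Home Assistant address, the device ports and the idea that the isolation checkbox is one stateless "drop IoT to any private address" rule are all assumptions for the example (that is the simplest rule that reproduces the grayed-out-devices symptom). The explicit rules let replies flow back, open only the Home Assistant ports an IoT device needs to initiate to, and then block everything else local.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing. 172.29.0.0/24 is the main network from the post; the IoT subnet
# and the Home Assistant address are assumptions made for this example.
MAIN = ip_network("172.29.0.0/24")
IOT = ip_network("192.168.20.0/24")
HA_SERVER = ip_network("172.29.0.10/32")
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    state: str = "new"          # conntrack state: "new", "established" or "related"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    src: tuple = ()             # source networks; empty = any
    dst: tuple = ()             # destination networks; empty = any
    dports: frozenset = frozenset()   # empty = any port
    states: frozenset = frozenset()   # empty = any state (i.e. a stateless rule)

    def matches(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return ((not self.src or any(s in n for n in self.src))
                and (not self.dst or any(d in n for n in self.dst))
                and (not self.dports or pkt.dport in self.dports)
                and (not self.states or pkt.state in self.states))


def evaluate(rules, pkt: Packet, default="accept"):
    """First matching rule wins; unmatched traffic gets the chain default,
    which for traffic between local networks is accept."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return default, "default"


# Model of the isolation checkbox: one stateless drop from IoT to any private
# address. This is an assumption about how the checkbox behaves; it is the
# simplest rule that produces the symptom described in the post.
ISOLATION_CHECKBOX = [
    Rule("isolate IoT", "drop", src=(IOT,), dst=RFC1918),
]

# The explicit replacement: let replies flow back to the main network, let IoT
# devices reach the Home Assistant host on the ports it serves (1883 MQTT and
# 8123 HA web/API, both assumed here), then block everything else local.
EXPLICIT_RULES = [
    Rule("IoT replies to main", "accept", src=(IOT,), dst=(MAIN,),
         states=frozenset({"established", "related"})),
    Rule("IoT devices to Home Assistant", "accept", src=(IOT,), dst=(HA_SERVER,),
         dports=frozenset({1883, 8123}), states=frozenset({"new"})),
    Rule("block IoT to local", "drop", src=(IOT,), dst=RFC1918),
]

# Constructed sample traffic (addresses and ports are made up for the example).
SAMPLE = {
    "ha_polls_device":        Packet("172.29.0.10", "192.168.20.5", 6053),
    "device_reply_to_ha":     Packet("192.168.20.5", "172.29.0.10", 41000, "established"),
    "device_publishes_mqtt":  Packet("192.168.20.5", "172.29.0.10", 1883),
    "device_probes_nas":      Packet("192.168.20.5", "172.29.0.20", 445),
    "device_dns_to_internet": Packet("192.168.20.5", "8.8.8.8", 53),
}


def verdicts(rules):
    """Verdict for each sample flow under the given rule list."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("isolation checkbox", ISOLATION_CHECKBOX), ("explicit rules", EXPLICIT_RULES)):
        print(label)
        for flow, verdict in verdicts(rules).items():
            print(f"  {flow:24s} {verdict}")
```

The point to take from the output is the order of the explicit rules: the established/related accept has to sit above the drop, or the reply half of every Home Assistant poll still dies, and the per-host accept for MQTT stays narrow so an IoT device still cannot reach the NAS or anything else on the main network.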
As is often the case, a couple of months have passed between the previous paragraph and this one. In the interim, Ubiquiti has released Zone Firewall for my router, so I need to figure that out. It’s not expected to be difficult, but I haven’t even looked at it yet 🙂
I have four APs, three in the house and one in the workshop. Two U6 Lite APs were purchased together, one in the house and one in the workshop. I needed to add one in the house later and managed to secure a used AC Pro for free, which is a significantly older unit. By itself, that didn’t matter much, but it would probably be better if both of the units in the house were at least similar in features, such as WiFi 6, so I swapped the older one to the workshop. I also have an AC Mesh AP for some outdoor connectivity.
Also, that AC Pro had complained about the wiring ever since it was installed, claiming that it was Fast Ethernet instead of Gigabit. Not surprisingly, the U6 Lite didn’t like the wiring either. I shuffled the attic wiring around so that my USW Flex in the attic now powers one of the AC Mesh and one of the U6 Lites instead of the AC Mesh and a camera. The wiring that was on the troubled AP is now going to that camera, which is only Fast Ethernet anyway. I started by just running all three on the USW Flex, but it ran too close to the max PoE power budget for the switch and kept dropping the newly added AP.
There is one more VLAN thing I’d like to solve. I’d like for all the cameras to be in either the IoT VLAN or maybe their own VLAN. It is pretty trivial to move the WiFi cameras, but for some reason, I can’t seem to get the wired camera to be happy in anything except the default VLAN. I can definitely make the switch port appear to be in the expected VLAN, but then the camera just stops communicating. It seems to refuse to get a new IP from the DHCP in the new network. Maybe the zone firewall rules will make that easier to understand and manage. 🙂