*** Official Ubiquiti Discussion Thread ***

Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
A couple of points about the USG;

1. The LAN ports are routed, not switched so you basically always need a switch unless you specifically want completely segregated networks on different IP subnets.

2. If you have a 330Mbps FTTP line then you'll need a USG 4P (Pro) to run IPS/IDS, which is the main extra feature you get with the Unifi part over the EdgeMax part. If you don't want IPS/IDS then the standard USG 3P would be fine and for most users the EdgeRouter won't deliver anything extra.

I think Unifi is the way to go if you are planning for the future as the feature set gets better all the time. The EdgeRouters are good if you want to do more advanced stuff from a GUI but ultimately you have to go to the CLI with both if you want to do the really advanced stuff.
 
Associate
Joined
18 Oct 2002
Posts
395
Location
Chester, Manchester
I'm considering getting a Unifi setup in my house and could do with some help from you knowledgeable people :)

Current setup is Sky Fibre, 3x Q boxes, 3x Orbi in AP mode, with the Q boxes using the ethernet on the Orbi to communicate with each other (rather than Sky's mesh). Sky Fibre proving very unreliable (need to restart daily), Orbi boxes need often restarts too and are generally unreliable. Planning on switching to BT Business Fibre (also because I need a static IP), put the Sky boxes back on their own mesh, and get Unifi sorted for everything else.

My plan is:
BT Business Smart Hub (in bridge mode) OR Draytek Vigor 130 for the modem
USG for the router
1 or more Unifi APs - this is the bit I'm unsure about

Here is a plan of my house, except the living/dining are now knocked through into one room. Old Victorian terrace with thick walls. Internet enters the house in the bottom-left corner of the living room (behind TV) - red dot.

https://www.dropbox.com/s/c5qjqou36z0sl9g/TAP0974001.jpg?dl=0

Here's the issue - I can't easily run ethernet cables to APs inside the house and ceiling mounting would be very difficult. Do you reckon if I put an AC PRO in the living room, this could cover the whole house? I could run a cable over to the blue dot quite easily, so it would be fairly central. The only thing, it would be on top of a shelving unit, so would be "upside down" (i.e. pointing upwards), which I guess isn't ideal?

Or maybe if I got somebody round to run a network cable, from the living room, outside up the side of the house, and into the loft - then have an AP (which one?) pointing downwards in the centre of the house? This could be either in the loft or on the upstairs landing ceiling (can route cable through loft hatch).

My office is in the basement, so I need good coverage there. Running a network cable from the living room, outside and down into the basement, would be relatively easy. Not sure if that helps?

Any advice really appreciated!

So I got my USG and nanoHD - amazing! Tried the nanoHD at the position where the blue dot is, really decent signal throughout the house pointing up and down (although down is better, get 1Gb down in the basement). Think I can run a flat network cable discreetly from the red dot along the old picture rail to the blue dot, so once installed it should all be pretty neat.

Now I'm thinking about switches and VLANs etc. Completely new to VLANs so hope this is correct...

My plan is to have 2 VLANs. VLAN1 would be for laptops, tablets, phones, NAS, Sky. VLAN2 would be for everything else (Apple TV, Nest, Alexa, Hue, Sonos, etc). Both VLANs need wired and wireless access. Would the following work?
  • USG LAN1 connected directly to AP.
  • Two wireless networks created on the AP, one for VLAN1, another for VLAN2.
  • USG LAN2 connected to an 8-port switch - I already have a Netgear managed switch which does VLAN tagging, although I may get a Unifi one!
  • 2 ports on the switch are tagged as VLAN1 (for the NAS, Sky).
  • Other ports on the switch tagged as VLAN2 (for all the other stuff).
So my question is - in this configuration, would I leave LAN1 and LAN2 on the USG untagged, and just do the VLAN tagging on the 8-port switch?

Not sure if using a Unifi 8-port non-POE switch would offer me any benefit over the Netgear one?
 
Soldato
Joined
8 Jan 2003
Posts
3,692
Location
Scotland
A couple of points about the USG;

1. The LAN ports are routed, not switched so you basically always need a switch unless you specifically want completely segregated networks on different IP subnets.

2. If you have a 330Mbps FTTP line then you'll need a USG 4P (Pro) to run IPS/IDS, which is the main extra feature you get with the Unifi part over the EdgeMax part. If you don't want IPS/IDS then the standard USG 3P would be fine and for most users the EdgeRouter won't deliver anything extra.

I think Unifi is the way to go if you are planning for the future as the feature set gets better all the time. The EdgeRouters are good if you want to do more advanced stuff from a GUI but ultimately you have to go to the CLI with both if you want to do the really advanced stuff.

I have BT FTTP too and had the USG3 for a few months. I've since upgraded it to an EdgeRouter 4 as it allows me to turn on Smart Queues (QoS) for upload only and not lose any performance. With the USG, Smart Queues is enabled for both directions and would throttle my speeds. I have a Unifi switch and 2 x Lite APs so still use the Unifi software to manage those (via a Cloud Key) and just manage the EdgeRouter via its GUI. If they release a new USG which is essentially an EdgeRouter 4 but for the Unifi family, I'd get that instead to go back to a single management environment.

Saying all of that, I can't fault the ER4, it's rock solid.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,883
My plan is to have 2 VLANs. VLAN1 would be for laptops, tablets, phones, NAS, Sky. VLAN2 would be for everything else (Apple TV, Nest, Alexa, Hue, Sonos, etc). Both VLANs need wired and wireless access.
Why? It's unnecessarily overcomplicating your setup for no benefit.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,883
On another note, is either the USG or the Pro-4 due a refresh or upgrade soon? I want to upgrade my USG but may wait if there's something around the corner?
 
Associate
Joined
18 Oct 2002
Posts
395
Location
Chester, Manchester
Why? It's unnecessarily overcomplicating your setup for no benefit.

Yeah I was thinking about that after the post. I suppose originally was thinking from a security point of view - if there was a vulnerability on any of the IoT-type devices, the rest of the network wouldn't be accessible. But all the stuff I'm using is from reputable vendors, so maybe this is a non-issue. Plus the firewalling rules could be complex (e.g. Sonos still being workable when using VLAN1).
 
Man of Honour
Joined
20 Sep 2006
Posts
33,883
Yeah I was thinking about that after the post. I suppose originally was thinking from a security point of view - if there was a vulnerability on any of the IoT-type devices, the rest of the network wouldn't be accessible. But all the stuff I'm using is from reputable vendors, so maybe this is a non-issue. Plus the firewalling rules could be complex (e.g. Sonos still being workable when using VLAN1).

All other devices should be running a software firewall and be up to date anyway, so the risk is negligible. I know a few people who do it, but like I said it's a bit of work.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
I have BT FTTP too and had the USG3 for a few months. I've since upgraded it to an EdgeRouter 4 as it allows me to turn on Smart Queues (QoS) for upload only and not lose any performance. With the USG, Smart Queues is enabled for both directions and would throttle my speeds. I have a Unifi switch and 2 x Lite APs so still use the Unifi software to manage those (via a Cloud Key) and just manage the EdgeRouter via its GUI. If they release a new USG which is essentially an EdgeRouter 4 but for the Unifi family, I'd get that instead to go back to a single management environment.

Saying all of that, I can't fault the ER4, it's rock solid.

You can do one-way smart queues on the USG 3P if you make the changes at the CLI and if you save the script into the JSON file it is sticky after a reboot.

Now, I would argue that you shouldn’t have to mess about with the JSON file route but the bottom line is that there is nothing you can do with the EdgeRouter line that you can’t do with the USG, it’s just that the EdgeRouter has more options in the GUI at this time. The underlying OS is the same (a branch of Vyatta) and, given equivalent hardware specs, the Unifi line-up will do exactly the same things an ER will do, but you might need to get your hands dirty with the CLI to do it. That said, the Unifi GUI gets better with every update and SDN really is the future of networking in my opinion.
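What the upload-only smart queue described above looks like when saved into config.gateway.json, the file the post refers to. This is an added example, not the poster's file or anything shipped by Ubiquiti, and two things in it are assumptions: eth0 is the WAN port on a USG-3P (on a USG-Pro-4 WAN1 is eth2, so change it there), and 45mbit is roughly 90% of a 50 Mbps upstream, which is where an fq_codel shaper has to sit so that the queue builds on the USG rather than in the modem.

```json
{
  "traffic-control": {
    "smart-queue": {
      "WAN_SQ": {
        "wan-interface": "eth0",
        "upload": {
          "rate": "45mbit"
        }
      }
    }
  }
}
```

The file lives under the Controller's data directory at data/sites/<site>/config.gateway.json and is merged into whatever the Controller provisions, so leave Smart Queues switched off in the Controller GUI; if it is on, the Controller adds a download section alongside this and you are back to shaping both directions. Run the file through `python -m json.tool` before provisioning, because a malformed file puts the USG into a provisioning loop. Then force a provision from the device page and confirm the tree on the USG itself with `mca-ctrl -t dump-cfg`.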
 
Soldato
Joined
8 Jan 2003
Posts
3,692
Location
Scotland
You can do one-way smart queues on the USG 3P if you make the changes at the CLI and if you save the script into the JSON file it is sticky after a reboot.

Now, I would argue that you shouldn’t have to mess about with the JSON file route but the bottom line is that there is nothing you can do with the EdgeRouter line that you can’t do with the USG, it’s just that the EdgeRouter has more options in the GUI at this time. The underlying OS is the same (a branch of Vyatta) and, given equivalent hardware specs, the Unifi line-up will do exactly the same things an ER will do, but you might need to get your hands dirty with the CLI to do it. That said, the Unifi GUI gets better with every update and SDN really is the future of networking in my opinion.

The USG hardware is old though and can't handle fast internet connections when you start enabling services such as Smart Queues and IDS/IPS.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
The USG hardware is old though and can't handle fast internet connections when you start enabling services such as Smart Queues and IDS/IPS.

Well, yes. And no. A lot of people on the UBNT forums talk about the USG equivalent of the EdgeRouter 4 (the much-trailed USG HD) but the EdgeRouter 4 costs double what a USG 3P costs, so they’re not really comparing oranges with oranges. And if you look at the rated speeds of the ER-4, if you did take that hardware and “Unifi” it you’d only see 500Mbps with IPS/IDS switched on, so it’s still not fast enough for US users who now routinely seem to be getting 1Gbps symmetrical connections.

The EdgeRouter 4 doesn’t do IDS/IPS anyway and it’s only another £60 from the ER-4 to the USG-4P, and that will do IDS/IPS and Smart Queues at BT FTTP or Virgin cable speeds (350/50). If you want faster than that then it’s the USG-XG-8, which will run 2Gbps line speed with EVERYTHING turned on.
 
Soldato
Joined
16 Aug 2004
Posts
6,324
Location
New Jersey, USA
Well, yes. And no. A lot of people on the UBNT forums talk about the USG equivalent of the EdgeRouter 4 (the much-trailed USG HD) but the EdgeRouter 4 costs double what a USG 3P costs, so they’re not really comparing oranges with oranges. And if you look at the rated speeds of the ER-4, if you did take that hardware and “Unifi” it you’d only see 500Mbps with IPS/IDS switched on, so it’s still not fast enough for US users who now routinely seem to be getting 1Gbps symmetrical connections.

The EdgeRouter 4 doesn’t do IDS/IPS anyway and it’s only another £60 from the ER-4 to the USG-4P, and that will do IDS/IPS and Smart Queues at BT FTTP or Virgin cable speeds (350/50). If you want faster than that then it’s the USG-XG-8, which will run 2Gbps line speed with EVERYTHING turned on.

It is slightly frustrating though, I have a USG4 with a symmetric Gigabit fiber connection and can't use IPS/IDS, but a $2500 router is definitely overkill for a home network. I do wish they'd come up with something in the middle that can at least do IDS/IPS at 1Gbps.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
It is slightly frustrating though, I have a USG4 with a symmetric Gigabit fiber connection and can't use IPS/IDS, but a $2500 router is definitely overkill for a home network. I do wish they'd come up with something in the middle that can at least do IDS/IPS at 1Gbps.

It’s not really an issue - just rip out the USG and replace it with a Netgate SG-3100. Problem solved.

UBNT are obviously REALLY struggling with the USG. In October 2016 they hired one Chris Buechler (half of the original team behind pfSense) to sort out the USG and after an initial bout of enthusiasm, we see or hear very little from the USG team now.

If you were being VERY kind you might say the USG-XG-8 launch was less than perfect and some folks might describe it as a total shambles. You have a MOUNTAIN of power and it’s crippled by the same Unifi controller as the USG-3P and USG-4P. In testing, the USG-HD wouldn’t have massively outperformed a USG-4P for IPS/IDS so that was shelved. Whatever comes out next needs to run IPS/IDS at Gigabit line speeds or it just won’t cut the mustard.

So all you can do is wait, and if you can’t wait, then Netgate and Untangle have reasonable products that do what the USG should do, and if they do launch a new USG, you should be able to sell an SG-3100 or Untangle box and get most of your money back.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
It is slightly frustrating though, I have a USG4 with a symmetric Gigabit fiber connection and can't use IPS/IDS, but a $2500 router is definitely overkill for a home network. I do wish they'd come up with something in the middle that can at least do IDS/IPS at 1Gbps.

Possibly a daft question but have you upgraded the RAM on the USG and tried IPS/IDS recently? They have made pretty big optimisations on that in the last couple of firmware releases and just the RAM upgrade helps in many cases, as it’s not paging the lists at all with 8GB RAM whereas with 2GB RAM it has to load and unload the lists sometimes.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
On another note, is either the USG or the Pro-4 due a refresh or upgrade soon? I want to upgrade my USG but may wait if there's something around the corner?

No, there is nothing in the Beta or Early Access programmes so anything new is at least 3-6 months away. Although they did launch the US-XG-6 PoE very, very quickly, it's still not actually available to buy, and the new AP-IW-HD and UCK Gen2s were launched and brought to the market quite quickly as well.

Realistically - you're still looking at 3-6 months.
 
Soldato
Joined
10 Oct 2005
Posts
8,706
Location
Nottingham
Yeah I was thinking about that after the post. I suppose originally was thinking from a security point of view - if there was a vulnerability on any of the IoT-type devices, the rest of the network wouldn't be accessible. But all the stuff I'm using is from reputable vendors, so maybe this is a non-issue. Plus the firewalling rules could be complex (e.g. Sonos still being workable when using VLAN1).

Personally I have split my IoT devices onto a separate VLAN from anything important and it is not a lot of work to do so.

Given I had quite a few things like wifi-enabled bulbs, I created a new SSID for non-IoT devices and then assigned the old one to a separate VLAN via the Ubiquiti controller (this seemed the easiest way to do it, as it meant that the IoT devices did not need to be reconfigured: they were just using the same SSID as before as far as they were concerned, and it's a lot easier to reconfigure normal devices). Add any wired IoT devices to the new VLAN at the switch port level (e.g. Hive Hub).

Create firewall groups for the address ranges of each VLAN and then create a firewall rule on the Controller which blocks devices on the IoT VLAN from instigating connections to the "main" network. This means that devices on the "main" network can access the IoT network for management, and those devices can then respond, but IoT devices cannot communicate on their own to the "main" network.

Took maybe 30 minutes including Googling to find out how to do it.
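The segmentation that the two-VLAN plan earlier in the thread and the IoT isolation above both describe, written out as an added example in config.gateway.json form, i.e. the Vyatta config tree the USG and the EdgeRouters share. It is not either poster's configuration and not Ubiquiti's. Assumptions: a single USG LAN port (eth1 on a USG-3P) is the trunk to the switch and the AP; the trusted network is the untagged native VLAN on 192.168.1.0/24; the IoT network is VLAN 20 on 192.168.20.0/24; and rule numbers 3001 and 3002 are free in LAN_IN, which you should confirm against the live tree (`mca-ctrl -t dump-cfg` on the USG) because the Controller owns that ruleset. On a USG the normal route is to build exactly this in the Controller, as the post above does (two Networks, two firewall groups, one LAN IN rule), and the interfaces section here is shown for orientation, as the shape the Controller provisions for a VLAN network; the firewall section is the part that carries the policy.

```json
{
  "interfaces": {
    "ethernet": {
      "eth1": {
        "description": "LAN trunk to switch and AP (assumed port)",
        "address": "192.168.1.1/24",
        "vif": {
          "20": {
            "description": "IoT VLAN (assumed ID and subnet)",
            "address": "192.168.20.1/24"
          }
        }
      }
    }
  },
  "firewall": {
    "group": {
      "network-group": {
        "LAN_NETS": {
          "description": "Trusted LAN (laptops, phones, NAS)",
          "network": ["192.168.1.0/24"]
        },
        "IOT_NETS": {
          "description": "IoT VLAN (Hue, Sonos, Nest, Alexa)",
          "network": ["192.168.20.0/24"]
        }
      }
    },
    "name": {
      "LAN_IN": {
        "rule": {
          "3001": {
            "action": "accept",
            "description": "Replies to connections the trusted LAN opened",
            "state": {
              "established": "enable",
              "related": "enable"
            }
          },
          "3002": {
            "action": "drop",
            "description": "IoT may not initiate connections into the trusted LAN",
            "source": {
              "group": {
                "network-group": "IOT_NETS"
              }
            },
            "destination": {
              "group": {
                "network-group": "LAN_NETS"
              }
            }
          }
        }
      }
    }
  }
}
```

Three things to check once this is in place. First, order: LAN_IN's default action is accept, so the drop is what creates the isolation, and the established/related accept has to be numbered before it, otherwise replies to connections the trusted side opened (the Sonos-from-a-phone case raised earlier) are dropped and the isolation looks broken rather than working. Second, scope: LAN_IN only sees traffic forwarded through the USG; anything the IoT devices send to the USG's own addresses (its DNS, DHCP or web port) is judged by LAN_LOCAL, so add a rule there if you want them cut off from the gateway too. Third, the switch and AP side: the uplinks carry VLAN 20 tagged with the trusted network untagged, the NAS and Sky ports are plain access ports on the trusted VLAN, and the IoT ports are access ports on VLAN 20; an end device never tags its own frames, so "tagging a port as VLAN1 for the NAS" in the earlier plan means untagged membership, not an 802.1Q tag. Multicast discovery (mDNS/SSDP) does not cross the router, so a controller app on the trusted VLAN will only find the speakers or Apple TV if you enable the Controller's mDNS reflector or keep the controlling device on the IoT VLAN.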
 