
*** Official Ubiquiti Discussion Thread ***

Discussion in 'Networks & Internet Connectivity' started by RoyMi6, Apr 10, 2016.

  1. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    A couple of points about the USG;

    1. The LAN ports are routed, not switched so you basically always need a switch unless you specifically want completely segregated networks on different IP subnets.

    2. If you have a 330Mbps FTTP line then you'll need a USG 4P (Pro) to run IPS/IDS which is the main extra feature you get with the Unifi part over the EdgeMax part. If you don't want IPS/IDS then the standard USG 3P would be fine and for most users the EdgeRouter won't deliver anything extra.

    I think Unifi is the way to go if you are planning for the future as the feature set gets better all the time. The EdgeRouters are good if you want to do more advanced stuff from a GUI but ultimately you have to go to the CLI with both if you want to do the really advanced stuff.
     
  2. SupraWez

    Wise Guy

    Joined: Nov 17, 2007

    Posts: 2,036

    ^^ good advice :)
     
  3. HEADRAT

    Capodecina

    Joined: Oct 18, 2002

    Posts: 17,898

    Location: Cambridge, UK

    Got my first hit on IPS today!
     
  4. SupraWez

    Wise Guy

    Joined: Nov 17, 2007

    Posts: 2,036

    Not much happening eh, I had to do an intended IPS test just to be sure it was working :D
     
  5. nick

    Gangster

    Joined: Oct 18, 2002

    Posts: 395

    Location: Chester, Manchester

    So I got my USG and nanoHD - amazing! Tried the nanoHD at the position where the blue dot is, really decent signal throughout the house pointing up and down (although down is better, get 1gb down in the basement). Think I can run a flat network cable discreetly from the red dot along the old picture rail to the blue dot, so once installed it should all be pretty neat.

    Now I'm thinking about switches and VLANs etc. Completely new to VLANs so hope this is correct...

    My plan is to have 2 VLANs. VLAN1 would be for laptops, tablets, phones, NAS, Sky. VLAN2 would be for everything else (Apple TV, Nest, Alexa, Hue, Sonos, etc). Both VLANs need wired and wireless access. Would the following work?
    • USG LAN1 connected directly to AP.
    • Two wireless networks created on the AP, one for VLAN1, another for VLAN2.
    • USG LAN2 connected to an 8-port switch - I already have a Netgear managed which does VLAN tagging, although I may get a Unifi one!
    • 2 ports on the switch are tagged as VLAN1 (for the NAS, Sky).
    • Other ports on the switch tagged as VLAN2 (for all the other stuff).
    So my question is - in this configuration, would I leave LAN1 and LAN2 on the USG untagged, and just do the VLAN tagging on the 8-port switch?

    Not sure if using a Unifi 8-port non-POE switch would offer me any benefit over the Netgear one?
     
    Last edited: Feb 12, 2019
  6. sparkymark75

    Wise Guy

    Joined: Jan 8, 2003

    Posts: 2,399

    Location: Scotland

    I have BT FTTP too and had the USG3 for a few months. I've since upgraded it to an EdgeRouter 4 as it allows me to turn on Smart Queues (QoS) for upload only and not lose any performance. With the USG, Smart Queues is enabled for both directions and would throttle my speeds. I have a Unifi switch and 2 x Lite APs so still use the Unifi software to manage those (via a Cloud Key) and just manage the Edge Router via its GUI. If they release a new USG which is essentially an EdgeRouter 4 but for the Unifi family, I'd get that instead to go back to a single management environment.

    Saying all of that, I can't fault the ER4, it's rock solid.
     
  7. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,748

    Why? It's unnecessarily overcomplicating your setup for no benefit.
     
  8. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,748

    On another note, is either the USG or the Pro-4 due a refresh or upgrade soon? I want to upgrade my USG but may wait if there's something around the corner?
     
  9. nick

    Gangster

    Joined: Oct 18, 2002

    Posts: 395

    Location: Chester, Manchester

    Yeah I was thinking about that after the post. I suppose originally was thinking from a security point of view - if there was a vulnerability on any of the IoT-type devices, the rest of the network wouldn't be accessible. But all the stuff I'm using is from reputable vendors, so maybe this is a non-issue. Plus the firewalling rules could be complex (e.g. Sonos still being workable when using VLAN1).
     
  10. ChrisD.

    Capodecina

    Joined: Sep 20, 2006

    Posts: 22,748

    All other devices should be running a software firewall and be up to date anyway, so the risk is negligible. I know a few people who do it, but like I said it's a bit of work.
     
  11. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    You can do one-way smart queues on the USG 3P if you make the changes at the CLI and if you save the script into the JSON file it is sticky after a reboot.

    Now, I would argue that you shouldn’t have to mess about with the JSON file route but the bottom line is that there is nothing you can do with the EdgeRouter line that you can’t do with the USG, it’s just that the EdgeRouter has more options in the GUI at this time. The underlying OS is the same (a branch of Vyatta) and, given equivalent hardware specs, the Unifi line-up will do exactly the same things an ER will do, but you might need to get your hands dirty with the CLI to do it. That said, the Unifi GUI gets better with every update and SDN really is the future of networking in my opinion.
     
  12. sparkymark75

    Wise Guy

    Joined: Jan 8, 2003

    Posts: 2,399

    Location: Scotland

    The USG hardware is old though and can't handle fast internet connections when you start enabling services such as Smart Queues and IDS/IPS.
     
  13. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    Well, yes. And no. A lot of people on the UBNT forums talk about the USG equivalent of the EdgeRouter 4 (the much trailed USG HD) but the EdgeRouter 4 costs double what a USG 3P costs, so they’re not really comparing oranges with oranges. And if you look at the rated speeds of the ER-4 if you did take that hardware and “Unifi” it you’d only see 500Mbps with IPS/IDS switched on so it’s still not fast enough for US users who now routinely seem to be getting 1Gbps symmetrical connections.

    The EdgeRouter 4 doesn’t do IDS/IPS anyway and it’s only another £60 from the ER-4 to the USG-4P and that will do IDS/IPS and Smart queues at BT FTTP or Virgin cable speeds (350/50). If you want faster than that then it’s the US-XG-8, which will run 2Gbps line speed with EVERYTHING turned on.
     
  14. OllyM

    Soldato

    Joined: Aug 16, 2004

    Posts: 6,148

    Location: New Jersey, USA

    It is slightly frustrating though, I have a USG4 with a symmetric Gigabit fiber connection and can't use IPS/IDS, but a $2500 router is definitely overkill for a home network. I do wish they'd come up with something in the middle that can at least do IDS/IPS at 1Gbps.
     
  15. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    It’s not really an issue - just rip out the USG and replace it with a Netgate SG-3100. Problem solved.

    UBNT are obviously REALLY struggling with the USG. In October 2016 they hired one Chris Buechler (half of the original team behind pfSense) to sort out the USG and after an initial bout of enthusiasm, we see or hear very little from the USG team now.

    If you were being VERY kind you might say the USG-XG-8 launch was less than perfect and some folks might describe it as a total shambles. You have a MOUNTAIN of power and it’s crippled by the same Unifi controller as the USG-3P and USG-4P. In testing, the USG-HD wouldn’t have massively outperformed a USG-4P for IPS/IDS so that was shelved. Whatever comes out next needs to run IPS/IDS at Gigabit line speeds or it just won’t cut the mustard.

    So all you can do is wait, and if you can’t wait, then Netgate and Untangle have reasonable products that do what the USG should do, and if they do launch a new USG, you should be able to sell an SG-3100 or Untangle box and get most of your money back.
     
  16. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    Possibly a daft question but have you upgraded the RAM on the USG and tried IPS/IDS recently? They have made pretty big optimisations on that in the last couple of firmware releases and just the RAM upgrade helps in many cases as it’s not paging the lists at all with 8Gb RAM whereas with 2Gb RAM it has to load and unload the lists sometimes.
     
  17. Mark M

    Mobster

    Joined: Jan 6, 2006

    Posts: 2,965

    Location: Newcastle upon Tyne

    Just about to purchase the UAP-AC-LR but just wanted to check if it comes with a POE injector or whether it’s just a plug to power it to the mains (which is no use in this install). Thanks.
     
  18. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    It will come with a PoE injector.
     
  19. WJA96

    Capodecina

    Joined: Jul 13, 2005

    Posts: 13,812

    Location: Norfolk, South Scotland

    No, there is nothing in the Beta or Early Access programmes so anything new is at least 3-6 months away. Although they did launch the US-XG-6 PoE very, very quickly it's still not actually available to buy and the new AP-IW-HD and UCK Gen2's were launched and brought to the market quite quickly as well.

    Realistically - you're still looking at 3-6 months.
     
  20. memyselfandi

    Sgarrista

    Joined: Oct 10, 2005

    Posts: 8,406

    Location: Nottingham

    Personally I have split my IoT devices onto a separate VLAN from anything important and it is not a lot of work to do so.

    Given I had quite a few things like wifi enabled bulbs I created a new SSID for non-IoT devices and then assigned the old one to a separate VLAN via the Ubiquiti controller (seemed the easiest way to do that as it meant that the IoT devices did not need to be reconfigured as they were just using the same SSID as before as far as they were concerned and it's a lot easier to reconfigure normal devices). Add any wired IoT devices to the new VLAN at the switch port level (e.g. Hive Hub).

    Create firewall groups for the address ranges of each VLAN and then create a firewall rule on the Controller which blocks devices on the IoT VLAN from instigating connections to the "main" network. This means that devices on the "main" network can access the IoT network for management and then devices can then respond but IoT devices cannot communicate on their own to the "main" network.

    Took maybe 30 minutes including Googling to find out how to do it.
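The rule set described in the post above, modelled in Python as an added example (not controller output or code from the thread): one address group per VLAN, an allow-established/related rule and a drop for IoT-to-main traffic, evaluated first-match-wins over a few constructed flows. The subnets, group names and flows are assumptions; the example also goes one step beyond the post by showing why the allow rule has to sit above a drop rule that carries no state filter.

```python
# Added example modelling the IoT-VLAN rule set described above: not controller
# output; subnets, group names and flows are constructed assumptions.  Rules are
# checked top to bottom, first match wins, as on an EdgeOS/USG chain.
import ipaddress
from dataclasses import dataclass

# One address group per VLAN (assumed subnets).
GROUPS = {
    "MAIN_NET": ipaddress.ip_network("192.168.1.0/24"),
    "IOT_NET": ipaddress.ip_network("192.168.20.0/24"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    state: str  # "new", "established" or "related", as conntrack labels it

def in_group(addr: str, group: str) -> bool:
    return ipaddress.ip_address(addr) in GROUPS[group]

def make_ruleset(established_first: bool = True):
    """Build the rule list of (name, match predicate, action)."""
    allow_est = ("allow established/related", lambda f: f.state != "new", "accept")
    # No state filter on the drop, as a hastily written rule often has, so it
    # also matches replies if it is evaluated before allow_est.
    drop_iot = ("drop IoT -> main",
                lambda f: in_group(f.src, "IOT_NET") and in_group(f.dst, "MAIN_NET"),
                "drop")
    return [allow_est, drop_iot] if established_first else [drop_iot, allow_est]

def evaluate(flow: Flow, rules, default: str = "accept") -> str:
    """First matching rule decides; the default lets IoT reach the internet."""
    for _name, matches, action in rules:
        if matches(flow):
            return action
    return default

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("192.168.20.5", "192.168.1.10", "new"),          # IoT bulb probing a laptop
    Flow("192.168.1.10", "192.168.20.5", "new"),          # laptop managing the bulb
    Flow("192.168.20.5", "192.168.1.10", "established"),  # bulb's reply in that session
    Flow("192.168.20.5", "203.0.113.9", "new"),           # IoT device out to the internet
]

def verdicts(established_first: bool):
    """Action for each sample flow under the chosen rule ordering."""
    rules = make_ruleset(established_first)
    return [evaluate(f, rules) for f in SAMPLE_FLOWS]
```

Calling `verdicts(True)` gives the intended behaviour (only the IoT-initiated probe is dropped), while `verdicts(False)` also drops the bulb's reply to a session the laptop opened.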