This is Part 2 of my Ubiquiti Unifi Home Networking How To. If you haven’t already, be sure to read Part 1

Update: since I first wrote this article, we have upgraded our Ubiquiti Cloud Key to the Cloud Key Gen 2 and our USG to the USG Pro 4. Additionally, we supplemented the aggregator switch in the networking rack with a PoE US‑16‑150W switch for POE devices like the Cloud Key Gen 2 and Unifi AP’s. Finally, I sunset the Sonos Boosts in favor of a Sonos networking architecture that leverages multiple Ethernet-connected Sonos Beams.

 

Overview

Following are my recommended configuration changes for an optimized Ubiquiti UniFi home network. I use them in our home with a gigabit-speed Internet connection. If you don’t use Unifi Protect, Sonos, IoT, or femtocell devices, some of these settings below may not be necessary for you.

Your network design is the greatest factor for poor wireless roaming. To get the best results, you will need to tune your wireless home network. This includes accounting for neighboring networks, interference, the density of your APs, the number of your wireless clients and their idiosyncrasies in terms of wireless standards support. Don’t expect to deploy a multi-AP network in your home, leave everything at the default settings, and have it work flawlessly. The location, power settings, and additional configuration parameters of your AP’s are critical.

Your wireless clients control roaming handoff between AP’s. Because the 802.11 standard leaves the roaming decisions to the client device, all that your wireless infrastructure can do is to leverage standards-based or proprietary mechanisms to influence client roaming behavior.1 Most client devices factor received signal strength, data rates (PHY rates), frame retry rates, and other metrics to determine when to roam between AP’s. Since many wireless clients use cases include video streaming and video conferencing, I recommend keeping roaming times between AP’s below 150ms.

The UniFi AP’s are extremely strong. But high AP transmit levels are only one part of the equation. You may receive a high AP signal on your mobile device. But your mobile phone needs to transmit a strong enough signal to cover the distance back to that AP.

• I found that I needed to turn down the UniFi AP’s signal, especially on the 2.4Ghz band, in order to better roam across AP’s in our home. I also needed to tweak the minimum RSSI and band steering settings to drive wireless clients to the 5Ghz radios.2
• Similarly, my mobile devices had a hard time transmitting back to my AP through my garage’s firewall. I solved the problem by installing a UniFi mesh AP at the edge of the garage to better blanket the driveway with WiFi.

Spectrum Planning

2.4Ghz Channel Selection

Ideally, every network client would use the 5GHz band rather than the 2.4GHz band because there are fewer devices, less interference, and more throughput in that band. Microwave ovens, cordless phones, analog cameras and other 2.4Ghz devices compete with WiFi for available bandwidth. Because the 2.4GHz has longer range, it will be used by wireless clients when the 5GHz band is not available. In the US, there are only three non-overlapping channels in the 2.4Ghz band: 1, 6, and 11.

I manually assign each AP to a particular channel in the 2.4Ghz band to avoid channel overlap. Depending on how many AP’s are in use, you can select 20MHz or 40MHz. I use 20MHz because I use all three channels (reserving one channel for Sonos, as described below).

5Ghz Channel Selection

Wireless-AC only applies to the 5Ghz band. Where the 2.4GHz spectrum offers only 3 non-overlapping 20Mhz channels, the 5Ghz band offers theoretically as many as 25 non-overlapping 20Mhz channels, all free from interference from those microwave ovens, baby monitors and old cordless phones. These can be combined for 40, 80 or even 160MHz wide channels. The chart below shows available spectrum by channel width.

Don’t focus on 160Mhz throughput for two reasons:

1. there aren’t any client devices currently available supporting that channel width and
2. using 160Mhz necessarily means using lower power output (and therefore usable range) from your access point (250mW v 1W) while also avoiding weather and airport radar

That leaves 80Mhz as your best choice. It is widely supported in client devices. What the chart doesn’t make clear is the maximum permitted power output: only UNII-1 (channel 36+upper) and UNII-3 (channel 149+upper) domains are permitted as 80Mhz channels at 1 watt.3 In the UNII-2 domain, your AP will operate at a quarter of the transmit power (250mW at best) and only if there’s no weather or airport radar detected in your area.

Provisioning

To distill the Ubiquiti UniFi device user guides:

1. Since we are using the UniFi Cloud Key, launch Google Chrome and go to https://unifi.ubnt.com.
2. Install the Ubiquiti device discovery tool.
3. Adopt and configure the discovered UniFi CloudKey controller
   • As part of the configuration wizard, you should specify the name of your WiFi network and whether you want guest access.
   • Note that the administrator name and password is for your CloudKey and not your master administrator Ubiquiti account.
4. Within the UniFi controller, adopt the USG gateway and all of your switches and access points
   • You will likely need to upgrade the firmware for each device too

Recommendations

UniFi Account

• Two Factor Authentication: be sure to enable this feature here to add an additional layer of security to your administrative login via Google Authenticator or similar password manager.
• Cloud access: if you don’t need regular remote administrative access, then I recommend disabling this feature.

UniFi Controller

Following are my recommendations as of Controller v5.10.

In the Controller, go to Settings:

Site

• Advanced Features: you should enable this in order to then be able to individually enable airtime fairness, bandsteering, minimum RSSI, and load balancing
• Enable status LED: on
• Enable alert emails: on
• Periodic speed tests: enable this if you wish to see your WAN speed history over time. This will add load to your security gateway and may not be accurate if you have the USG and a gigabit Internet connection. I disable this feature
• Uplink connectivity monitor: enable. This will disable the SSID broadcast when an AP does not have connectivity to the gateway
• Provider capabilities: either prepopulate or run a speed test and enter the results here. This will ensure accurate calculations of your Internet capacity on your dashboard
• Auto-optimize network: on. This blocks high performance clients from connecting to the 2.4Ghz band. Less relevant for home users, it blocks multicast and broadcast traffic when there are more than 100 clients per WiFi network

Wireless Networks

First, I recommend scanning your wireless environment. Ubiquiti has a free Android app to do this, here.

Then, I suggest creating three wireless networks:

1. your primary wireless home network
2. a guest network for visitors to your house
3. a network for your IoT devices, as described below

For each wireless network, I recommend the following settings:

• Always use the highest possible encryption. For home networks, this is WPA Personal (WPA2 AES/COMP Only encryption)
• Disable fast roaming between your access points. This feature is primarily intended for WPA Enterprise clients and is buggy
• Enable GTK rekeying every 1800 seconds. This shortens the time that a particular wireless encryption key is used to 30 minutes
• Test whether UAPSD (Unscheduled Automatic Power Save Delivery) works well in your environment. UAPSD is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients but some clients have experienced dropouts.
• Enable multicast enhancement (IGMPv3). This will limit the multicast traffic that is sent to client devices that aren’t participating in a particular multicast group

If you need an advanced guest network configuration, I recommend reading this article by Ubiquiti.

Networks

I recommend creating at least two separate networks (and VLANs):

1. your primary home network
2. a network for your IoT devices on a different subnet and VLAN, and
3. if applicable, a network for your Unifi Protect cameras on a different subnet and VLAN

Within each of the networks that you create, you should:

• enable IGMP snooping to reduce multicast traffic
• enable the DHCP server for each subnet

If you also use a femtocell, you may wish to create a fourth network (and VLAN) for that device. This is particularly true if your femtocell carries third party calls and data. You should plug your femotcell into your aggregator switch. Then, reassign the Ethernet port on the aggregator switch where the femtocell connects to your femtocell network (VLAN) to isolate its traffic.

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

UniFi 5.7.x and later includes a new intrusion detection system and intrusion prevention system.As their names suggest, IDS will detect and alert you to threats. IPS will do that plus block the detected threat. Both the IDS and IPS are based on the open source Suricata engine. I cover both the functionality and configuration of Unifi’s IPS in greater detail here.

Deep Packet Inspection

Enable the deep packet inspection feature. This populates the UniFi controller dashboards with historic traffic data. It will, however, add load to your security gateway.

Guest Control

While you can configure a comprehensive guest portal with Unifi, this is primarily of value for SMB deployments that need a landing page, terms of service and similar features. Most residential deployments are better off with the guest network described above.

Services

• DHCP:
  • enable register client hostname
  • enable dnsmasq. It is more memory and CPU-efficient than the default ISC-dhcp-server.
• MDNS: enable multicast DNS
• UPNP: disable UPNP due to security concerns
• NTP: select your preferred time server

 Controller

• Make controller discoverable on L2 network
• Google Maps API Key: it is easy enough to obtain and add your key. However, I think that this feature is primarily valuable to multi-site deployments
• Mail server: add your SSL-enabled mail server credentials so that you can get emailed notifications of events

User Interface

• Statistics time zone: gor a home network (a single site), you should change the time zone that all the data is presented from UTC to your local time zone

Cloud Access

Unless you need remote access to your dashboard, I recommend disabling this feature. Even if you need cloud access, I wouldn’t enable it without also enabling two-factor authentication.

Auto Backup

Enable this, with daily backups.

Devices

Go to the Devices dashboard. For each of your UniFi access points, change the following in Config:

• Radios: I recommend manually specifying the channel width, channel, and transmit power used by each AP.4 Your settings will depend on your country, other networks operating in a particular band and channel, interference, and wireless clients served. The RF Environment scanner is a great tool to plan for your site.
  • Radio 2G: I use HT20 and manually select one of two channels. I use medium or even low transmit power.5
  • Radio 5G: I use VHT80 and then use the channels, as described above on, medium or high power.
  • I recommend enforcing a minimum RSSI of -80dBm as a starting point. Every AP has a different optimum minimum RSSI level, so you should tune accordingly
• Band steering: enable band steering to the 5Ghz band to conserve available capacity in the 2.4Ghz band
• Airtime Fairness: enable this function
• Wireless Uplinks: ensure that “Allow meshing to another access point” is not checked. If checked, then your APs will not honor the 5Ghz channels that you manually set

IoT Configuration

We maintain a separate network and wireless network just for our IoT devices for three reasons:

1. If an IoT device doesn’t need use the home network to talk to a mobile controller (like Google Cast and Sonos devices do)6, then it is a good security practice to wall that IoT device off in a separate network.This is particularly true because some IoT vendors don’t actively update their firmware, posing a potential security threat to other devices within your home network
2. My Belkin Wemo smart plug devices and switches are incompatible with the UniFi default wireless network settings. Enabling legacy compatibility mode in my main wireless network to support the Belkin devices would slow down the rest of my wireless network7
3. As IoT devices proliferate, it is possible that you will run short of IP addresses in your primary subnet

First, you need to create a new network, on a separate subnet and VLAN from your default LAN network.

• In Settings > Networks, create a new corporate (not guest) network
• Give it a new VLAN number
• Give it a new gateway/subnet and DHCP range
• Enable IGMP snooping

Second, you need to create a new wireless network:

• Use WPA Personal security
• Specify the same VLAN tag that you used above
• Disable fast roaming
• Under the 2G Data Rate Control, enable minimum data rate control. Use 1Mbps for full device compatibility and range

Belkin Wemos will not work properly if you enable either of the following:

• guest, rather than corporate, network
• block LAN to WLAN multicast and broadcast data

Sonos Configuration

We use three Sonos BOOST devices to serve as a wireless offload network specifically for our Sonos speakers, as described here. First, you need to reserve one 2.4Ghz channel just for Sonos to avoid interference with your SonosNet network.

You shouldn’t try to run an extensive Sonos system using your UniFi WiFi access points because Sonos speakers can’t see across UniFi APs and because Sonos audio streams will be unicast, not multicast. Of course, your Sonos desktop and mobile controllers will be on your UniFi network. And your USG will use DHCP to issue IP addresses to your Sonos speakers on SonosNet.

Second, Sonos requires changes to your UniFi switches’ STP and multicast settings as described for Cisco switches here. Go to each of the switches in your network, under Config > Services. Under Spanning Tree, select STP8. Priority: 4096 (for your aggregator UniFi switch), 8192 (for secondary UniFi switches), or 12288 (for tertiary UniFi switches).

If it isn’t already enabled then, under Settings > Networks, you should enable IGMP snooping. This should reduce multicast traffic that interferes with Sonos multicast traffic.

Synology NAS and Link Aggregation

If you have Ubiquiti Unifi managed network switch and wish to use link aggregation mode with your Synology DS1817+, you should configure it as follows:

1. On the Synology, in Control Panel > Network > Create Bond, select IEEE 802.3ad Dynamic Link Aggregation: This mode optimizes the network traffic received and sent by your Synology NAS, and requires IEEE 802.3ad (Dynamic) Link Aggregation (LACP, 802.1AX) to be enabled on the switch(es).”
2. In Unifi, select two or more adjacent Ethernet ports, then under Profile Overrides select Operation > Aggregate and Link Negotiation = Auto.

Parental Controls

In short, there aren’t any in UniFi. However, you can use Cisco’s OpenDNS for DNS resolution. They have a free service, Family Shield. This blocks adult content by default. You can add other categories of web sites to block as well such as hate/discrimination, weapons, and adware. You can also enable basic malware/botnet protection and phishing protection. Finally, you can filter suspicious responses by blocking internal IP addresses.

Resources

• UniFi Security Gateway Quick Start Guide
• UniFi Controller v5 User Guide
• UniFi Cloud Key Quick Start Guide
• UniFi – Managing Broadcast Traffic
• UniFi – New Feature Showcase: Debugging Metrics
• UniFi – Debugging Intermittent Connectivity Issues on your UAP
• UniFi – WLAN Roaming FAQ
• UniFi – How to Manually Change the Cloud Key’s Controller Version via SSH
• Ubiquiti UniFi support forum
• Ubiquiti UniFi introductory videos

Updated on February 23rd, 2019