How To: Home Network 4.0 with Ubiquiti Unifi Dream Machine Pro, Switch Pro, Flex Mini, Smart Power Plug & UPS Review & Calibration Updated

Overview

My friends laugh (and my wife sighs) at how often I upgrade our home networking gear. Our biggest equipment swap occurred two years ago, when we consolidated our entire home network on Ubiquiti Unifi gear. Last year, I upgraded our firewall, network controller, and WiFi access points. I also added a PoE-powered switch to our data closet. Separately, we replaced one of our home security camera systems with the Ubiquiti Unifi Protect system.

Now it’s time for more upgrades:

  1. consolidating our USG Pro 4 firewall and Cloud Key 2 Plus controller with a single device, the UniFi Dream Machine Pro;
  2. consolidating our aggregator switch (a layer 2 switch that lacks integrated PoE) and our secondary PoE switch with a single layer 3 and PoE-enabled aggregator switch, the UniFi Switch PRO 48 POE;
  3. connecting all of our TVs and Apple TV 4K settop boxes with USW-Flex-Mini switches;
  4. adding two UniFi Smart Power Plugs for WAN outage recovery;
  5. swapping out our old server rack with a new cabinet; and
  6. upgrading our UPS battery backups.

By upgrading to the UDM Pro and UniFi Switch PRO 48 POE, we regained 2U of space in our server rack. We also reduced the number of devices drawing power (and UPS backup) by two.

In this article, I will also cover new features included in the Unifi controller 5.13.x release such as WiFi AI (an automated WiFi configuration utility), improvements to the intrusion detection system, WPA3 wireless encryption, and layer 3 switching.

Unifi Dream Machine Pro

Overview

The UniFi Dream Machine Pro is an “all-in-one” device that includes a network firewall and IDS/IPS, the Unifi Network controller, and (optionally) the Unifi Protect video camera controller+video storage functionality. Additionally, it is possible to run the Unifi Talk and Unifi Access controllers on the UDM Pro.

Some professionals dislike “all-in-one” devices on principle. Some dislike the idea of rotating hard disk drives, which are prone to mechanical failure.1 Some object because they want network firewall functionality and network controller functionality isolated in discrete physical devices. And, some commentators rightly point out that the new UDM Pro, running the new UbiOS firmware, does not match the USG 4 legacy feature set and stability at this time.

Here’s my take: for prosumers, the UniFi Dream Machine Pro has a sufficient feature set for home office use. My belief is that the UDM Pro will match the USG 4’s feature set at some point in the future (with respect to firewall and threat management, it is already far ahead). To be candid, UbiOS remains a work in progress: more stable as of v1.7.2 but nowhere near as reliable as our old USG. Critically, it lacks STP/RSTP, which impacts enterprises and prosumers with large Sonos systems.

If you do not want a built-in hard drive, you need not populate the HDD slot.2 Alternatively, if you have higher storage requirements for Unifi Protect than the UDM Pro supports, then you can purchase the UNVR-4 NVR.3

4th Generation: Managed Home Network (Ubiquiti)

Comparison with the UniFi Dream Machine

Several months prior to the introduction of the UniFi Dream Machine Pro, Ubiquiti introduced the UniFi Dream Machine. The UniFi Dream Machine is intended for advanced consumers while the UDM Pro is intended for small and medium sized businesses. Both are all-in-one devices including network firewall, IDS/IPS, and the Unifi Network controller. Both the UniFi Dream Machine and the UDM Pro include 1.7 GHz quad-core CPUs. As of v1.7.2, both run the same UbiOS firmware.4

The two devices differ in several respects:

  • The UniFi Dream Machine includes a 4-port managed gigabit switch whereas the UDM Pro has an 8-port gigabit switch.
  • Additionally, the UDM Pro has two 10G SFP+ ports for interconnecting with second generation Unifi switches.
  • The UniFi Dream Machine has a free standing form factor while the UDM Pro has a rack-mounted design.
  • The UniFi Dream Machine includes a dual band 802.11ac 4×4 Wave 2 WiFi access point.
  • The UniFi Dream Machine includes a single WAN port while the UDM Pro includes two WAN ports5 for redundancy and load balancing.
  • The UDM Pro does not have an embedded WiFi AP but does include support for an optional hard drive for Unifi Protect.

Optional Hard Disk Drive

Although any 3.5″ hard drive should work with the UDM Pro,6 I recommend using an HDD on Ubiquiti’s confirmed compatible drive list here. The UDM Pro is rated for 32 cameras with a 5400 RPM hard drive.7 Reportedly, a 7200 RPM drive enables even more cameras, though I haven’t seen a confirmed higher number of cameras.

For our home, I installed a Western Digital 8TB Purple (“Surveillance”) 7200 RPM hard drive with a 256MB SSD cache. This particular model is designed for 24/7 surveillance including up to 64 (not necessarily Ubiquiti) HD video cameras. It features a 3-year manufacturer’s warranty. One gotcha: the UDM Pro did not recognize the hard drive when I inserted it into the UDM Pro chassis (“hotplugging”). Instead, I had to reboot the UDM Pro. After that, the hard drive was recognized and I could then install the UniFi Protect controller.

Western Digital Purple Hard Drive in UDM Pro

 

Internet Security

Beyond consolidating multiple network appliances into a single device, the primary reason that you should consider upgrading to the UDM Pro is for the massive improvements to both firewall and IPS/IDS functionality. Following are my observations about the UDM Pro’s new capabilities and recommended settings.

IPS / IDS Throughput Improvements

We have a symmetrical gigabit Internet connection in our home. Notwithstanding, with the USG 4 Pro when IPS/IDS was enabled, we could only achieve a fraction of our available WAN speed (400 to 600 Mbps under the best circumstances). With the UDM Pro, we now consistently see symmetrical gigabit throughput even when IPS/IDS is enabled with significantly more enabled IPS services, such as GeoIP blocking. Ubiquiti’s internal iPerf3 benchmarks for UDM Pro throughput (with DPI and IPS/IDS enabled) show an astounding 14x improvement over the USG Pro 4.

Threat Management

Like the USG Pro 4, it is possible to block a variety of potential threats to your network including:

  • virus & malware
  • P2P
  • hacking
  • internet traffic
  • bad reputation
  • network protocol, and
  • advanced protocol

For our home network, I took a cautious approach that blocks almost all of these potential threats.

GeoIP Filtering

With the USG Pro 4, it was possible to block traffic to/from up to 15 countries. Or you could enable the IDS/IPS. But not both.

With the UDM Pro, it is possible to enable both GeoIP filtering and IDS/IPS. Further, it is possible to block up to 150 countries. (I currently block 150 countries including as many sources of spam and malware bots as possible).

Content Filtering

This new feature enables you to block specific categories of sites based on their profile. For example, you can block malicious sites, phishing sites, and adult sites. These filters can also be applied by VLAN. So, you can have a more restricted policy for your guest, IoT, or security camera networks, for example.

Settings include:

  • Security: malicious domains are blocked (e.g. phishing and malware).
  • Adult: in addition to Security settings, adult domains are also blocked and search engines default to safe mode.
  • Family: in addition to Adult settings, proxies, VPNs & mixed adult content are also blocked and YouTube is set to safe mode.

 

Additionally, you can block a site, allow a site, and block a top level domain.

Deep Packet Inspection

I recommend enabling both deep packet inspection and device fingerprinting. Deep packet inspection classifies the traffic crossing the gateway by application rather than by port number alone, which is what the per-client and per-application traffic statistics are built on; it cannot see inside encrypted payloads, so for TLS traffic the classification rests on what is visible in the clear (addresses, the server name in the TLS handshake, and similar). Device fingerprinting identifies the make and type of the edge devices on your network from how they behave on the wire, so that alerts and traffic can be attributed to a particular TV or camera rather than to an anonymous MAC address.

Network Scanners

Endpoint Scanner

I recommend enabling the endpoint scanner, which scans your edge devices for potential security threats and vulnerabilities.

Internal Honeypot

In computer security, a honeypot is a decoy: a host or service that has no legitimate users, exists only to be probed, and reports whoever probes it. It looks like a real network service but is isolated from anything of value, so a connection to it is a signal rather than a risk.

The UDM Pro includes such a service. You give it an unused IP address on a network, and it reports when internal devices on your LAN attempt to connect to any of the following ports on that address:

  • 21 (FTP)
  • 22 (SSH)
  • 23 (telnet)
  • 25 (SMTP)
  • 80 (HTTP)
  • 110 (POP3)
  • 445 (SMB)

Because nothing on your LAN has any reason to talk to the honeypot address, let alone to these services on it, a device that hits the honeypot is worth investigating: the usual cause is malware or a worm sweeping the subnet for SSH, SMB, or telnet, though a vulnerability scanner or a curious user running nmap will trigger it too, so identify the source before you pull its cable. For our LAN with three VLANs, I configured a separate honeypot per VLAN. The advantage of using both multiple honeypots and VLANs is that you can more quickly identify and isolate threats within your network.
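The triage behind a per-VLAN honeypot, as an added example that is not the UDM Pro's own code: it reads constructed flow records, attributes each hit to the VLAN whose decoy was touched, collapses repeated probes from one host into a single alert, flags hosts that reached a decoy in a different VLAN (meaning the firewall let that inter-VLAN traffic through), and allow-lists a host you know runs scans. The VLAN names, subnets, decoy addresses, and the flow log are all constructed for this example.

```python
"""Honeypot hit triage over flow records: added example, not the UDM Pro's code.

Reproduces the reasoning behind a per-VLAN honeypot: any internal host that
touches a decoy address is reported, repeated probes from one host collapse
into one alert, hosts reaching a decoy in another VLAN are flagged, and your
own scanner is allow-listed. Addresses, VLAN names and the flow log are all
constructed for this example.
"""
import ipaddress
from collections import defaultdict

VLAN_SUBNETS = {
    "LAN": ipaddress.ip_network("10.0.10.0/24"),
    "IoT": ipaddress.ip_network("10.0.20.0/24"),
    "Cameras": ipaddress.ip_network("10.0.30.0/24"),
}
HONEYPOTS = {                      # decoy IP -> VLAN it was placed in
    "10.0.10.250": "LAN",
    "10.0.20.250": "IoT",
    "10.0.30.250": "Cameras",
}
DECOY_PORTS = {21, 22, 23, 25, 80, 110, 445}
SCANNER_ALLOWLIST = {"10.0.10.5"}  # e.g. the host that runs your own vulnerability scans

# Constructed flow log, one flow per line: src dst dport proto
SAMPLE_FLOWS = """\
10.0.20.17 10.0.20.250 445 tcp
10.0.20.17 10.0.20.250 22 tcp
10.0.20.17 10.0.20.250 23 tcp
10.0.10.42 93.184.216.34 443 tcp
10.0.10.5 10.0.10.250 22 tcp
10.0.30.9 10.0.10.250 80 tcp
10.0.30.9 10.0.10.250 80 tcp
"""


def vlan_of(ip):
    """Map an address to the VLAN whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, proto = line.split()
            yield src, dst, int(dport), proto


def triage(flows):
    """Return one alert per (source host, honeypot VLAN), most suspicious first."""
    hits = defaultdict(lambda: {"ports": set(), "count": 0})
    for src, dst, dport, proto in flows:
        hp_vlan = HONEYPOTS.get(dst)
        if hp_vlan is None or proto != "tcp" or dport not in DECOY_PORTS:
            continue                      # not a decoy, or not a decoy service
        if src in SCANNER_ALLOWLIST:
            continue                      # known, authorised scanner
        entry = hits[(src, hp_vlan)]
        entry["ports"].add(dport)
        entry["count"] += 1
    alerts = []
    for (src, hp_vlan), entry in hits.items():
        src_vlan = vlan_of(src)
        alerts.append({
            "src": src,
            "src_vlan": src_vlan,
            "honeypot_vlan": hp_vlan,
            "ports": sorted(entry["ports"]),
            "count": entry["count"],
            "crossed_vlan": src_vlan != hp_vlan,   # decoy reached across a VLAN boundary
        })
    # A host sweeping several decoy services is a stronger worm/scanner signal than one touch.
    alerts.sort(key=lambda a: (-len(a["ports"]), -a["count"], a["src"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run as-is it prints two alerts: the IoT host that swept SMB, SSH and telnet on its own VLAN's decoy, and the camera-subnet host that reached the LAN decoy, which is the one to look at first in a firewall review.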

Advanced Threat Management

I recommend restricting access to both malicious IP addresses and to Tor.

Unifi Switch Pro

I selected the UniFi Switch PRO 48 POE (Gen 2) to replace and consolidate our previous aggregator switch and secondary PoE switch. The USW-Pro-48-POE is a configurable gigabit layer 2 and layer 3 switch with auto-sensing 802.3at PoE+ and 802.3bt PoE++. It has forty PoE+ and eight PoE++ RJ45 Ethernet ports, with a total 600W PoE budget. It also has four SFP+ ports, with 10Gbps uplink options. Ubiquiti’s second generation switches offer near-silent cooling, in contrast with the previous version.

Like the UDM Pro, the second generation UniFi switches include a 1.3″ touchscreen display for quick status information. With the latest firmware, these displays can be used in tandem to display more information simultaneously.

Layer 3 Switching

Previous UniFi switches were layer 2 switches: they forward each frame to a specific switch port based on its destination MAC address, looked up in a table the switch builds by noting the source MAC of frames arriving on each port. (ARP is what hosts use to map an IP address to a MAC address; the switch itself does not resolve anything.) Devices on the same segment reach each other directly, with no routing involved. All ports in the same VLAN form one broadcast domain, so a broadcast frame, or one whose destination MAC the switch has not yet learned, is flooded out every other port. That flooding is harmless on its own; it becomes a broadcast storm when there is a redundant path between switches and nothing blocks it, because each copy of the frame re-enters the loop and is flooded again. Spanning tree exists to block such paths, which is why its absence matters (see Issues below).

Second generation UniFi switches will soon be upgraded to support layer 3 routing, that is, routing between VLANs in the switch itself rather than sending every inter-VLAN packet up to the gateway.

For VLANs, layer 3 benefits include:

  • reducing broadcast traffic,
  • simplifying network security, and
  • better isolating network faults.
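To make the broadcast-storm mechanism concrete, here is a toy layer 2 switch simulation. It is an added example and not Ubiquiti code: two switches with a host each, one trunk between them, and optionally a second redundant trunk. One broadcast on the looped topology with no spanning tree never stops being re-flooded (the count hits the cap), while putting a single port into blocking state, which is what STP does, ends it after three transmissions. Switch names, port numbers, and MAC addresses are constructed.

```python
"""Toy layer-2 switch simulation: added example, not Ubiquiti code.

Two switches, a host on each, and optionally a second (redundant) trunk
between them. Shows why one broadcast on a looped layer 2 network without
spanning tree becomes an endless storm, and how a single port in STP
blocking state stops it. Names, ports and MACs are constructed.
"""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, name):
        self.name = name
        self.links = {}       # port -> (peer switch, peer port), or None for a host port
        self.mac_table = {}   # learned source MAC -> port it was last seen on
        self.blocked = set()  # ports STP has put in blocking state

    def add_host_port(self, port):
        self.links[port] = None

    def receive(self, frame, in_port, queue):
        """Learn the source MAC, then forward by destination MAC or flood.

        Returns how many ports the frame went out of; copies sent over a
        trunk are queued for the neighbouring switch.
        """
        if in_port in self.blocked:        # a blocking port neither learns nor forwards
            return 0
        src, dst = frame
        self.mac_table[src] = in_port      # with a loop this entry flaps between trunks
        if dst != BROADCAST and dst in self.mac_table:
            out_ports = [self.mac_table[dst]]
        else:                              # broadcast or unknown unicast: flood
            out_ports = [p for p in self.links if p != in_port]
        sent = 0
        for port in out_ports:
            if port in self.blocked:
                continue
            sent += 1
            peer = self.links[port]
            if peer is not None:           # trunk: hand the frame to the other switch
                queue.append((peer[0], frame, peer[1]))
        return sent


def connect(a, port_a, b, port_b):
    a.links[port_a] = (b, port_b)
    b.links[port_b] = (a, port_a)


def simulate(redundant_link, stp_blocks_port, budget=1000):
    """Count frame transmissions caused by one broadcast, capped at budget."""
    a, b = Switch("A"), Switch("B")
    a.add_host_port(1)                     # e.g. a Sonos speaker on A port 1
    b.add_host_port(1)
    connect(a, 10, b, 10)
    if redundant_link:
        connect(a, 11, b, 11)              # second cable between the switches: a loop
        if stp_blocks_port:
            b.blocked.add(11)              # what STP would do to break the loop
    queue = deque([(a, ("aa:aa:aa:aa:aa:01", BROADCAST), 1)])
    transmissions = 0
    while queue and transmissions < budget:
        switch, frame, port = queue.popleft()
        transmissions += switch.receive(frame, port, queue)
    return transmissions


if __name__ == "__main__":
    print("single trunk:", simulate(False, False))       # 2
    print("loop, no STP:", simulate(True, False))         # hits the budget
    print("loop, STP blocking:", simulate(True, True))    # 3
```

The model leaves out frame TTLs on purpose: Ethernet frames have none, which is exactly why nothing but a blocked port or a pulled cable ends the loop. Sonos devices that bridge between their own mesh and Ethernet create this second path on their own, which is the situation the Issues section describes.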

SFP+ Cable Interconnection

The USG Pro 4 has two SFP ports, which are limited to 1 Gbps and only usable for WAN connections. In contrast, the UDM Pro includes two 10Gbps SFP+ ports, one of which can be used for a LAN interconnection. For our 4th generation home network, I purchased a Cable Matters SFP+ 10GBASE-CU passive direct attach copper Twinax cable. This interconnects the UDM Pro and the UniFi Switch PRO 48 POE with a 10Gbps uplink.

USW Flex Mini

In an ideal world, all of your stationary devices (TVs, STBs, Blu-ray players) would be wired rather than connected by WiFi. Realistically, there are only so many Ethernet runs at a given location (drop) in your home. This is particularly true for retrofit installations like our 40+ year old house.

For this reason, you will likely need a switch at the drop to multiply the number of available Ethernet ports. Of course, you could buy a cheap unmanaged switch, but that defeats the purpose of creating a fully managed network where each edge device is enumerated and each port is individually controlled. The USW Flex Mini is a low cost managed gigabit switch with an innovative power design: it can use either a USB Type-C power adapter or an 802.3af PoE Ethernet connection. For our home network, we power the USW Flex Mini via PoE from either the primary UniFi Switch PRO 48 POE or a secondary UniFi Switch 8 POE-60W.

Unifi Smart Power Plug

We already have a comprehensive smart switch solution for our home using Lutron Caseta. The Lutron switches have been far more reliable than our previous Belkin Wemo solution. So, I was wary when I learned about Ubiquiti’s new Smart Power Plug: I didn’t think that I needed another smart outlet, even one made by Ubiquiti.

However, Ubiquiti’s smart power plug differs from competing smart outlets because it serves a unique purpose: power-cycling your cable modem or fiber optic ONT/gateway when your Internet connection has not been detected for an extended period of time. In our house, I attached one UniFi Smart Power Plug to our Fios ONT and one to our Fios Quantum Gateway. Note: you must manually enable the modem reboot option as a configuration setting.
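The decisions such a plug has to get right, modelled in code as an added example (this is not Ubiquiti's firmware and does not claim to reproduce its algorithm): act only once the link has been down for a sustained window rather than on a single failed probe, hold off while the modem boots, and back off between cycles so an upstream outage that a reboot cannot fix does not turn into hours of power cycling. Probe results are injected so it runs offline; every timing below is a constructed default.

```python
"""WAN-outage power-cycle watchdog: added example, not Ubiquiti's firmware.

Models what a modem-rebooting plug must get right: act only after the link
has been down for a sustained window, hold off while the modem boots, and
back off between cycles so an outage the reboot cannot fix does not become
endless power cycling. Probe results are injected; timings are constructed
and in seconds.
"""
from typing import List, Optional


class WanWatchdog:
    def __init__(self, down_threshold=300, boot_grace=180,
                 min_interval=900, max_interval=4 * 3600):
        self.down_threshold = down_threshold  # continuous failure before first reboot
        self.boot_grace = boot_grace          # modem boot time; probes fail during it anyway
        self.min_interval = min_interval      # initial spacing between reboots
        self.max_interval = max_interval      # cap for the exponential backoff
        self.interval = min_interval
        self.failing_since: Optional[int] = None
        self.next_allowed = 0
        self.reboots: List[int] = []

    def tick(self, now: int, internet_ok: bool) -> bool:
        """Record one probe result; return True if the plug should cycle power now."""
        if internet_ok:
            self.failing_since = None
            self.interval = self.min_interval     # recovery resets the backoff
            return False
        if self.failing_since is None:
            self.failing_since = now
        sustained = now - self.failing_since >= self.down_threshold
        if not sustained or now < self.next_allowed:
            return False                          # short blip, or modem still rebooting
        self.reboots.append(now)
        self.next_allowed = now + self.boot_grace + self.interval
        self.interval = min(self.interval * 2, self.max_interval)
        return True


def run(outage_seconds: int, total: int = 7200, step: int = 60) -> List[int]:
    """Probe every `step` s for `total` s with the WAN down for the first outage_seconds."""
    wd = WanWatchdog()
    for t in range(0, total, step):
        wd.tick(t, internet_ok=t >= outage_seconds)
    return wd.reboots


if __name__ == "__main__":
    print("4-minute blip:", run(240))       # []
    print("10-minute outage:", run(600))    # [300]
    print("2-hour outage:", run(7200))      # [300, 1380, 3360, 7140]
```

The two-hour scenario shows the point of the backoff: four reboots rather than one every five minutes, which matters when the ONT is fine and the outage is the provider's.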

Tripp Lite 12U Rack Enclosure Server Cabinet

A key issue: I didn’t pay enough attention to dimensions when ordering the UniFi Switch PRO 48 POE. It is much deeper than our old UniFi switches. Our old UniFi switches could fit in a wall mount with a depth of 12 inches. The new UniFi Switch PRO 48 POE is 16 inches deep. Factoring in the power cord in the rear, it requires a rack that is 20 inches deep.

Therefore, I swapped out our previous Monoprice wall-mounted rack with a new Tripp Lite 12U wall-mounted rack enclosure server cabinet. The cabinet is well ventilated and it includes a lock to discourage tampering or theft.


New CyberPower UPS

For our upgraded data closet, I also decided it was time to upgrade our 8 year old UPS units. I selected the CyberPower CP1500PFCLCD PFC Sinewave UPS System for our new UPS units.

I debated whether to purchase rack-mounted UPS units because I had spare capacity in my rack. I ultimately purchased stand-alone units because they were much cheaper and because it meant less heat concentrated within my rack.

Advanced Configuration

New URL Shortcuts & Local User Configuration

To access your UDM Pro (Unifi OS), you can now visit: https://unifi.ui.com

Alternatively, you can directly access the Network and Protect controllers by IP address with a local account. To create a local account, select the profile icon just above the local profile, as depicted below. Then create a user with superadmin privileges for all desired services. Give that account a strong, unique password: it has full control of the gateway and is reachable from the LAN without going through your ui.com account.

WiFi

WPA3

WPA3 is an enhancement to WiFi security that uses current cryptographic methods (for personal networks, SAE replaces the WPA2 pre-shared-key handshake), prohibits outdated legacy protocols, and requires the use of Protected Management Frames (PMF). While WiFi 6 is just emerging, WPA3 can be retrofitted on select Ubiquiti WiFi 5 access points.8,9 WPA3 is an extra option for WPA-PSK and WPA-EAP networks.10 For now, if you have a compatible AP, I recommend that you enable transition mode so that WPA2 and WPA3 clients can coexist. Additionally, I suggest that you enable OWE (Opportunistic Wireless Encryption, the WPA3-era replacement for open networks that encrypts each client’s traffic without a passphrase).
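What SAE actually buys you is easiest to see from the WPA2 side. The following is an added example, not Ubiquiti code: WPA2-PSK maps passphrase and SSID to the pairwise master key (PMK) with PBKDF2, and the access point's first 4-way-handshake frame may carry a PMKID, an HMAC over that PMK and the two MAC addresses. One captured frame is therefore enough to test passphrase guesses offline, which is what `crack_pmkid` does against a constructed capture. WPA3-SAE derives the PMK from an interactive password-authenticated exchange instead, so no captured value lets a guess be checked offline. In transition mode, WPA2 clients still use the passphrase path, so the passphrase still has to survive this. The SSID, MAC addresses, wordlist and "captured" PMKID below are constructed; the first assertion in the usage note is the IEEE 802.11 published test vector.

```python
"""Offline guessing against WPA2-PSK, in code: added example, not Ubiquiti code.

WPA2-PSK maps passphrase and SSID to the PMK with PBKDF2, and the AP's first
4-way-handshake frame may carry PMKID = HMAC-SHA1-128(PMK, "PMK Name" ||
AP MAC || client MAC). One captured frame lets passphrase guesses be tested
offline. WPA3-SAE negotiates the PMK interactively, so it has no such
shortcut. SSID, MACs, wordlist and the "captured" PMKID are constructed.
"""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, wordlist):
    """Return the passphrase in wordlist that reproduces the captured PMKID, else None.

    Each candidate costs one PBKDF2 run, so a long random passphrase is out of
    reach but a short or dictionary passphrase is not. Nothing here needs the
    AP to be in range once the frame has been captured.
    """
    for guess in wordlist:
        candidate = pmkid(wpa2_pmk(guess, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(candidate, captured):
            return guess
    return None


# Constructed scenario: a home SSID, two locally administered MACs, a small wordlist.
SSID = "HomeNet-5G"
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
WORDLIST = ["letmein", "password", "sunshine1", "correct horse battery staple"]


def demo():
    """Simulate a capture from a network whose real passphrase is "sunshine1"."""
    captured = pmkid(wpa2_pmk("sunshine1", SSID), AP_MAC, STA_MAC)
    return crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST)


if __name__ == "__main__":
    # Published 802.11 test vector: passphrase "password", SSID "IEEE".
    assert wpa2_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    print("recovered passphrase:", demo())   # sunshine1
```

The practical reading for a transition-mode network: choose the passphrase as if WPA2 were the only thing protecting it, because for any client that joins with WPA2 it is.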

WiFi AI

In the past, I advocated manually configuring both the WiFi channel configuration and the individual access point’s power level to achieve the optimal wireless network design. This manual method works well for experienced users with either very few adjacent wireless APs (under 4) or those operating in ultra high density environments such as college campuses or sports stadiums.

Now, Ubiquiti includes a new feature, WiFi AI, that automatically configures and continually optimizes your wireless network (including both the channel and the transmit power of each AP). WiFi AI is a genetic algorithm that uses daily statistics to average traffic peaks. In contrast with Auto-Channels, WiFi AI runs every day. It uses collected data–the mean WiFi Experience score11–to propose a better wireless network configuration. Additionally, WiFi AI calculates the best backup channel if the selected primary channel is in DFS range. WiFi AI is an ideal solution for our home where we have six WiFi access points.

Migration

In theory, migration from our old Cloud Key 2+ to the UDM Pro should have been as simple as exporting the Unifi Network controller and Protect controller backup files from the Cloud Key 2+ and then importing them into the UDM Pro. In practice, as an early adopter, it was a completely manual process that required me to copy each setting from the Cloud Key 2+ to the UDM Pro.

The reasons for this were two-fold:

  1. I was running a beta Network controller a point version ahead that could not be downgraded and which was not available on the UDM Pro.
  2. Although functionally equivalent, the UDM Pro (UbiOS) version of the Protect controller has a different, higher version number than the Protect controller on the Cloud Key 2+. Although the Protect controller should be capable of importing earlier versioned backups, I continually received error messages that prevented me from restoring from backup files.

This migration process has been improved since I purchased my UDM Pro, but I still read reports from a number of users with migration issues.

In the Future

WiFi 6

I look forward to a WiFi 6 version of the Ubiquiti nanoHD access point. This model hasn’t been announced yet but it is a logical upgrade to Ubiquiti’s WiFi access point models.

Rack-mounted Synology NAS Devices

In an earlier article, I presented an overview of the two Synology DS1819+ NAS devices that we run in our data closet. We have used Synology DS series NAS since 2012. Before that, we used Netgear’s ReadyNAS devices.

When I rebuilt our data closet, I researched whether Synology offered a rack-mounted NAS that was the functional equivalent to our 9-month old DS1819+. As of this writing, the DS1819+ remains the best option in terms of price/performance. I will update this article when Synology offers a similarly priced and capable NAS in a 2U rack-mounted form factor. For now, I covered the four empty 1U slots with an AC Infinity Rack Panel Accessory Blank 1U Space for 19″ Rackmount.

Issues

  • All Unifi switches (other than the Flex Mini) as well as the USG/USG Pro support STP.  The UDM Pro does not support STP or RSTP even though these features were included in early marketing literature. We have a large number of Sonos speakers in our home that require STP to be enabled on all Unifi routers and switches. The lack of support for STP in the UDM Pro is the cause of constant routing loops, kicking Unifi switches and APs offline as well as clients. I have pulled the Ethernet from a number of our Sonos speakers (crippling the ability of Sonos to stream to multiple rooms). However, routing loops persist. I asked Unifi engineers to prioritize adding these capabilities to the UDM Pro.
  • Similarly, the USW Flex Mini does not support STP configuration. (I found this out after buying six of them).12


Updated on July 5th, 2021


  1. By default, the UniFi Dream Machine Pro doesn’t include a hard drive. Administrators must elect to add a hard drive after provisioning the UDM Pro.

  2. Indeed, Unifi Protect is not installed by default and cannot be installed without first installing a HDD.

  3. The UNVR-4 NVR supports up to four 8 TB HDDs in a RAID 5 configuration. It can provide up to 30 days storage for up to 15 4K (UHD) video cameras or up to 50 1080p (full HD) video cameras.

  4. However, migration for the UDM remains in beta. I recommend backing up your UDM, factory resetting it, upgrading it, then restoring your settings. Even this may fail for certain users.

  5. One 10G SFP+ port and one gigabit RJ45 Ethernet port.

  6. Unifi has tested various HDDs up to 14TB in their lab.

  7. By contrast, the Cloud Key Pro currently tops out at 20 cameras.

  8. As of this writing, these models include Qualcomm chipset based devices such as: UAP-HD/SHD/XG/UWB-XG, UAP-AC-Pro/Lite/LR/M/M-Pro/IW/IW-Pro, UAP/UAP-LR/Outdoor/Outdoor5, UAP-v2/UAP-LR-v2, UAP-Pro, UAP-Outdoor, and UAP-IW.

  9. Unfortunately, Mediatek based APs including my NanoHD do not currently support WPA3 but are expected to do so in the future.

  10. WPA3 Enterprise is not supported on gen1 or gen2 Unifi APs.

  11. The WiFi Experience score is a complex formula that factors both throughput and latency.

  12. Later datasheets included the following guidance: “USW-Flex-Mini uses port-based VLANs only and does not support SSH, STP (forwarding only), 802.1X, DNS suffix, or experience in the controller”