Network Best Practices? Advice, Suggestions, Fun Naming

I had that for quite some time.

I’m on my third generation of Unifi networking equipment, in the second house I’ve set it up in. I like and recommend their products, and I’m looking forward to upgrading to a fourth generation, once Wi-Fi 6e gets finalized and there are mature products with it.

Like others, my advice to the original poster is to not make your network configuration any more complicated than you’re confident in managing. You can create a rock solid Wi-Fi network with Unifi, and with just a couple of settings changes you can create an unholy mess that will have you sleeping on the couch, or a motel. (Or, more likely, the rest of your family will leave you for a hotel where they can actually use the Internet.)

If “guest networks” and “VLANs”, subnets and DNS and DHCP, and so on are unfamiliar terms, you might want to back away from Unifi. As Marco once said on ATP, “Get Unifi if you want to mess around with your network, get Eero if you just want set-and-forget.” (With the caveat that back then Eero was a frequent sponsor of the show.)

So, start simple, with a single, combined network. Make sure it works. For at least a week. Save your configuration. Practice restoring your configuration from backup. (This is how you avoid the couch. Don’t skip it.) Now and only now should you contemplate getting fancy.

The simplest thing to add is a second “guest” network. That’s the kind of thing you’re offered at hotels, cafés, and so on. The idea is, devices on this network have access to the Internet, but nothing on YOUR network. This is great for friends, family, contractors, and so on. It’s also super-simple to set up (as long as you’re not tempted to make it more complicated, with captive portals, vouchers, and other features Unifi includes that are designed for cafés and other small businesses).

Guest networks are not great for smart home (or “IOT”) devices, which often need to talk to each other, or a hub. They need to be on a more feature-complete network. You need to talk to them, and they need to talk to each other. And, especially with cheap devices from overseas, they can be notoriously insecure, or deliberately invasive (TVs that track and report what you watch, etc.).

Setting up a separate network for your IOT devices involves creating the network, a VLAN, and firewall rules at a minimum. (At least in Unifi.) It’s not for the faint of heart. It took me (IIRC) three tries before everything worked. And I have to keep some particularly stupid devices on my primary network, because they can’t handle talking to a controlling device (an app on my phone) across networks. So in some sense you could say I gave up before I finished the job successfully.

You also have to be prepared for your smart devices to balk at your network. Once you have a dedicated IOT network, you’re no longer on the “happy path” for setting up new devices. Each and every one will require you to read their instructions, and then translate that into steps to perform on your network.

Sometimes that’s easy. Much of the time, I simply change wireless networks on my phone to the IOT network, and then follow the standard instructions to connect the device. Many of those generate their own, temporary Wi-Fi network that you connect to, provide credentials for your own Wi-Fi network, and then they reboot and connect to that network. It’s cumbersome, but straightforward.

But sometimes it’s not so simple. I was setting up a couple of Yeelight smart lightbulbs three weekends ago. They can take advantage of a new feature in iOS, where instead of generating its own network that you connect to, an option appears in Settings > Wi-Fi that lets iOS connect directly to the bulb and communicate the details of your network directly. When it works, it’s lovely, and quite a bit simpler than the traditional method. (I’m sure Apple would say “magical”.) But I could not get it to work with the Yeelight bulbs. I eventually found an old phone running an older version of iOS that didn’t have this “smart” feature, and did the traditional dance. That worked.

That’s the thing, though. Different devices, different firmware versions, different app versions, different versions of iOS (or other OS) — they can all change the setup process. There’s some great YouTube videos and other resources for configuring an advanced home network, and with focus and care, you can follow them, even if you’re not quite sure what you’re doing. But once your network is more complicated than just one unified network, you’re going to have to solve problems yourself. It’s not impossible! “If I can do it, you can do it”, as Miles V. used to say. But, go into it with your eyes open.

My Network

To answer a few of OP’s questions:

  • I have two APs at two strategic points in my house.
  • I have three networks: Main, guest, and IOT (named ID107, semi-leetspeak for “idiot”, since most of the devices on it are “smart”, with quotation marks).
  • The main network has no VLAN, the other two use VLANs and separate subnets.
  • For the IOT network, I’ve configured the wireless network to use 2.4 GHz only. Most IOT devices don’t do 5 GHz anyway (the chipsets are more expensive), so this avoids confusing them.
  • For the other two networks, I combine the SSIDs for both frequency ranges.
  • Networks are named for my cats. It’s their house, after all.

More Advice

  • Whatever you do, don’t enable the “AI” network “optimization” feature in UniFi. It’ll make changes without asking you, and they won’t be good ones. No one I know recommends using this feature; many people have horror stories. (Couch time.)
  • Similar to @zkarj, I’ve had at least one device that could not deal with a combined network. It needed to connect to a 2.4 GHz network, and for there to be no other options. It was a PITA to get it set up, and I live in fear that it’ll need to be reset at some point, and I’ll have to try to remember how to get it to work again. It’s the wireless interface for the mini-split air conditioner in my wife’s office, so failure is a “go directly to the couch” situation. (Fortunately, there’s a dumb wireless remote that doesn’t care about Wi-Fi, so I have a Plan B. If I can find it again…)
  • There are folks whose advice I respect who recommend naming your 2.4 and 5 GHz networks differently, just suffixing them with “_24” or “_5g” or whatever. If you can stand seeing the extra networks, it’s good advice. Which I freely admit I didn’t take.
  • If you have security cameras on your network, put the controller/recorder on the same network. With a Unifi network, if you put the cameras on the IOT network and the recorder on the main network, the video data streams need to cross the network boundary, which means they need to go through your router, even if all of the devices are connected to the same switch. You’ll crush your router with the traffic, and everyone will be unhappy with you. This is most likely to happen if you’re using a Unifi Cloud Key G2+ as your recorder, and one of the USGs as your router. (That’s what I have.) If you have a Unifi Dream Machine Pro (combines router, switch, and camera recorder), it’ll be much less of a problem.

Resources

The two best resources I recommend for leveling up your Unifi skills are these two YouTube channels:

Hope this is useful!


Better couch gags than The Simpsons. :laughing:

I just replaced my Eero-based home system with a UniFi. I can vouch for Crosstalk Solutions. I’ve got pretty much everything up and running well now as far as I can tell. Planning the next two enhancements (doorbell plus two exterior cameras).

One issue I do need to dig into is the Guest network and guest isolation. My understanding is that the guests should not be able to see each other but I do have successful pings going through between two guests.


Which cameras are you planning?

I’m thinking of a pair of the G4 Pro cameras on the back corner of my house - one covering the backyard entrance and the other the driveway. The G4 Doorbell will cover the front. I think it’ll be straightforward to run PoE to the two cameras.

As much as I am not a fan of the Ring cameras, most of my reasoning to get the Unifi cameras is to cover the alleys of my house (extremely dark at night), the backyard watching the kids play, and the driveway. It’s just a lot to hunker down; I hope the quality is good.

@Alderete Hey there, a question for you about why you chose your network VLANs that way.

I went a slightly different arrangement.

  • LAN is the backbone on 10.0.0.x and only the switches and APs are on that network.
  • Main is my trusted network and has my servers, NAS drives, DNS, and printer.
  • Home is where kids can have a LAN party - no access to Main other than DNS and printer, but they can see each other.
  • IoT is for my IoT devices. There are a couple that need to communicate with my Home Assistant, so there is a firewall rule for them to get back to Main.
  • Guest is for guests; it isolates them from each other and can’t get to any of the other networks.

I have SSIDs for the latter 4.

It sounds like my LAN and Main VLAN are the same as your main network. If I think about it closely in my situation, they are both trusted so likely there isn’t a need to isolate them from each other so I could probably combine them.

Is that the right way to think about what should be a VLAN or not?
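Added example, not from any poster in this thread and not UniFi’s own software: a small first-match model of the LAN-in firewall policy that both the earlier post (IoT network = VLAN + firewall rules at a minimum) and the zone list just above describe. Only the 10.0.0.x backbone comes from the post; the other subnets, the DNS/printer/Home Assistant addresses, the “trusted sensor” address and the ports (IPP 631, Home Assistant’s default 8123) are assumptions made for the example. It shows why “allow established/related” has to be the first rule: move it below the inter-VLAN drop rules and the reply packets of a Main-to-IoT connection get dropped, which is how a working network turns into couch time.

```python
"""First-match, zone-based LAN firewall model (example only; not UniFi code).
Subnets other than the 10.0.0.x backbone, host addresses and ports are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Assumed VLAN subnets; only the 10.0.0.x backbone is stated in the thread.
ZONES = {
    "LAN":   ip_network("10.0.0.0/24"),   # switches and APs only
    "Main":  ip_network("10.0.10.0/24"),  # trusted: servers, NAS, DNS, printer
    "Home":  ip_network("10.0.20.0/24"),  # kids' LAN-party network
    "IoT":   ip_network("10.0.30.0/24"),
    "Guest": ip_network("10.0.40.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed hosts on Main, and one assumed IoT device allowed to reach Home Assistant.
DNS_SERVER = ip_address("10.0.10.53")
PRINTER = ip_address("10.0.10.60")
HOME_ASSISTANT = ip_address("10.0.10.80")
TRUSTED_SENSOR = ip_address("10.0.30.42")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    established: bool = False   # reply packet of a connection the router already tracks


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "drop"
    match: Callable[[Flow], bool]


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"


def is_private(addr: str) -> bool:
    return any(ip_address(addr) in n for n in RFC1918)


def evaluate(rules, flow: Flow):
    """First matching rule wins. No match falls through to 'allow', which is
    what an unconfigured LAN-in policy does, so every boundary needs an explicit drop."""
    for r in rules:
        if r.match(flow):
            return r.action, r.name
    return "allow", "default"


def build_rules():
    """The policy described in the thread, in the order it must be applied."""
    return [
        Rule("allow established/related", "allow", lambda f: f.established),
        Rule("Home -> Main DNS", "allow",
             lambda f: zone_of(f.src) == "Home" and ip_address(f.dst) == DNS_SERVER
             and f.proto in ("udp", "tcp") and f.dport == 53),
        Rule("Home -> Main printer (IPP)", "allow",
             lambda f: zone_of(f.src) == "Home" and ip_address(f.dst) == PRINTER
             and f.proto == "tcp" and f.dport == 631),
        Rule("sensor -> Home Assistant", "allow",
             lambda f: ip_address(f.src) == TRUSTED_SENSOR and ip_address(f.dst) == HOME_ASSISTANT
             and f.proto == "tcp" and f.dport == 8123),
        Rule("drop Guest -> any private address", "drop",
             lambda f: zone_of(f.src) == "Guest" and is_private(f.dst)),
        Rule("drop Home -> Main", "drop",
             lambda f: zone_of(f.src) == "Home" and zone_of(f.dst) == "Main"),
        Rule("drop IoT -> Main/Home/LAN", "drop",
             lambda f: zone_of(f.src) == "IoT" and zone_of(f.dst) in ("Main", "Home", "LAN")),
    ]


def misordered(rules):
    """The classic mistake: the same rules with the state rule moved to the end."""
    return rules[1:] + rules[:1]


if __name__ == "__main__":
    good, bad = build_rules(), misordered(build_rules())
    reply = Flow("10.0.30.7", "10.0.10.20", "tcp", 51000, established=True)
    print("reply IoT->Main, correct order:", evaluate(good, reply))
    print("reply IoT->Main, state rule last:", evaluate(bad, reply))
```

The model only covers layer-3 policy between VLANs. Guest clients not seeing each other (client isolation) is a per-SSID setting on the AP, not a firewall rule, and the IoT devices that must talk to each other or be discovered by an app need either the same VLAN or an mDNS reflector, which this model does not represent.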

@scotte I’m far from a networking expert! You’ve exceeded my experience and knowledge with your questions, but I would say that if you’re confident at managing your somewhat more complex network, then don’t fix something that’s not broken.

I have the three separate networks (main/default + 2 VLANs) for three separate use cases. I have three “classes” of devices: fully trusted, IoT (untrusted, but need to talk to each other, and be reachable by some trusted devices), and guests (untrusted, no need to talk to other things, just the Internet). It’s pretty much the maximum complexity I want to manage.

But it’s not a stretch to start thinking of more, or fewer. If you want to consolidate a couple of your use cases, with all of the “trusted” zones being unified, that’s not unreasonable. But it’s also reasonable to say “they don’t need to talk to each other, so why combine?”

I mostly went with the design I came up with because it’s reasonably similar to what folks were doing in some of the videos I linked to. I don’t want to have to learn and think about more complex network designs, firewall rules, and so on. Adapting the network designs from The Hook Up and Crosstalk Solutions was pretty easy; coming up with my own design, less so.

Not sure if that helps. I guess my final words would be, there’s no One True Answer or network design for the home. Everything is a trade-off between security, performance, reliability, complexity, and so on. You need to look at your needs, and make decisions based on that.


@scotte Just a quick follow-up to my last post. Rob from The Hookup’s latest video on setting up secure home networks just came out yesterday, and answers your questions far better than I can. Here’s the video: GUIDE: UniFi 6.0 VLANs, Firewall Rules, and WiFi Networks for IoT and Smart Home Devices - YouTube

In particular, he speaks directly to the issue of security-vs-convenience with more examples and clarity than I can write in a post. Even if you’re not planning to invest in a Unifi-based network, the discussion is worth viewing, because it’s applicable to any home network.


Thanks! I’ll definitely take a look at it

@Alderete Watched the video and it was pretty good! Definitely waiting for his Part 3. My network config is probably a bit more secure than what he was describing and follows what he described as more secure. (My main trusted devices are not on the untagged VLAN but on their own VLAN)

He did explain a couple of the settings and why they should be set that way. That was nice. Also about the WLAN groups which is an interesting feature. I don’t think I need that for my particular setup.