I had that for quite some time.
I'm on my third generation of Unifi networking equipment, in the second house I've set it up in. I like and recommend their products, and I'm looking forward to upgrading to a fourth generation, once Wi-Fi 6e gets finalized and there are mature products with it.
Like others, my advice to the original poster is to not make your network configuration any more complicated than you're confident in managing. You can create a rock solid Wi-Fi network with Unifi, and with just a couple of settings changes you can create an unholy mess that will have you sleeping on the couch, or a motel. (Or, more likely, the rest of your family will leave you for a hotel where they can actually use the Internet.)
If "guest networks" and "VLANs", subnets and DNS and DHCP, and so on are unfamiliar terms, you might want to back away from Unifi. As Marco once said on ATP, "Get Unifi if you want to mess around with your network, get Eero if you just want set-and-forget." (With the caveat that back then Eero was a frequent sponsor of the show.)
So, start simple, with a single, combined network. Make sure it works. For at least a week. Save your configuration. Practice restoring your configuration from backup. (This is how you avoid the couch. Don't skip it.) Now and only now should you contemplate getting fancy.
The simplest thing to add is a second "guest" network. That's the kind of thing you're offered at hotels, cafés, and so on. The idea is, devices on this network have access to the Internet, but nothing on YOUR network. This is great for friends, family, contractors, and so on. It's also super-simple to set up (as long as you're not tempted to make it more complicated, with capture portals, vouchers, and other features Unifi includes that are designed for cafés and other small businesses).
Guest networks are not great for smart home (or "IOT") devices, which often need to talk to each other, or a hub. They need to be on a more feature-complete network. You need to talk to them, and they need to talk to each other. And, especially with cheap devices from overseas, they can be notoriously insecure, or deliberately invasive (TVs that track and report what you watch, etc.).
Setting up a separate network for your IOT devices involves creating the network, a VLAN, and firewall rules at a minimum. (At least in Unifi.) It's not for the faint of heart. It took me (IIRC) three tries before everything worked. And I have to keep some particularly stupid devices on my primary network, because they can't handle talking to a controlling device (an app on my phone) across networks. So in some sense you could say I gave up before I finished the job successfully.
You also have to be prepared for your smart devices to balk at your network. Once you have a dedicated IOT network, you're no longer on the "happy path" for setting up new devices. Each and every one will require you to read their instructions, and then translate that into steps to perform on your network.
Sometimes that's easy. Much of the time, I simply change wireless networks on my phone to the IOT network, and then follow the standard instructions to connect the device. Many of those generate their own, temporary Wi-Fi network that you connect to, provide credentials for your own Wi-Fi network, and then they reboot and connect to that network. It's cumbersome, but straightforward.
But sometimes it's not so simple. I was setting up a couple of Yeelight smart lightbulbs three weekends ago. They can take advantage of a new feature in iOS, where instead of generating its own network that you connect to, an option appears in Settings > Wi-Fi that lets iOS connect directly to the bulb and communicate the details of your network directly. When it works, it's lovely, and quite a bit simpler than the traditional method. (I'm sure Apple would say "magical".) But I could not get it to work with the Yeelight bulbs. I eventually found an old phone running an older version of iOS that didn't have this "smart" feature, and did the traditional dance. That worked.
That's the thing, though. Different devices, different firmware versions, different app versions, different versions of iOS (or other OS) – they can all change the setup process. There's some great YouTube videos and other resources for configuring an advanced home network, and with focus and care, you can follow them, even if you're not quite sure what you're doing. But once your network is more complicated than just one unified network, you're going to have to solve problems yourself. It's not impossible! "If I can do it, you can do it", as Miles V. used to say. But, go into it with your eyes open.
My Network
To answer a few of OP's questions:
- I have two APs at two strategic points in my house.
- I have three networks: Main, guest, and IOT (named ID107, semi-leetspeak for "idiot", since most of the devices on it are "smart", with quotation marks).
- The main network has no VLAN, the other two use VLANs and separate subnets.
- For the IOT network, I've configured the wireless network to use 2.4 GHz only. Most IOT devices don't do 5 GHz anyway (the chipsets are more expensive), so this avoids confusing them.
- For the other two networks, I combine the SSIDs for both frequency ranges.
- Networks are named for my cats. It's their house, after all.
More Advice
- Whatever you do, don't enable the "AI" network "optimization" feature in UniFi. It'll make changes without asking you, and they won't be good ones. No one I know recommends using this feature; many people have horror stories. (Couch time.)
- Similar to @zkarj, I've had at least one device that could not deal with a combined network. It needed to connect to a 2.4 GHz network, and for there to be no other options. It was a PITA to get it set up, and I live in fear that it'll need to be reset at some point, and I'll have to try to remember how to get it to work again. It's the wireless interface for the mini-split air conditioner in my wife's office, so failure is a "go directly to the couch" situation. (Fortunately, there's a dumb wireless remote that doesn't care about Wi-Fi, so I have a Plan B. If I can find it again…)
- There are folks whose advice I respect who recommend naming your 2.4 and 5 GHz networks different, just suffixing them with "_24" or "_5g" or whatever. If you can stand seeing the extra networks, it's good advice. Which I freely admit I didn't take.
- If you have security cameras on your network, put the controller/recorder on the same network. With a Unifi network, if you put the cameras on the IOT network and the recorder on the main network, the video data streams need to cross the network boundary, which means it needs to go through your router, even if all of the devices are connected to the same switch. You'll crush your router with the traffic, and everyone will be unhappy with you. This is most likely to happen if you're using a Unifi Cloud Key G2+ as your recorder, and one of the USGs as your router. (That's what I have.) If you have a Unifi Dream Machine Pro (combines router, switch, and camera recorder), it'll be much less of a problem.
Resources
The two best resources I recommend for leveling up your Unifi skills are these two YouTube channels:
- Crosstalk Solutions: Chris Sherwood installs Unifi (and other IT systems) for a living, and he's a great communicator. He's been doing UniFi videos for years, and you can get lost in his channel, in a great way. You'll have to watch more than a couple videos to get everything you need, but here are a couple of good starting points:
- The Hook Up: Rob Tait is a science teacher, and while he's not a professional network installer, he's an outstanding instructor. His videos are scripted, tightly written and delivered, and very dense. You'll watch the good ones more than once, to make sure you're getting it all. And you're in luck, he's just this month releasing updated videos about setting up UniFi home networks.
- Ultimate Home Network 2021: WiFi 6 and UniFi Dream Machine Pro
- How To: UniFi Setup From Scratch - Ultimate (Smart) Home Network Part 2 (2019)
- Setup IoT VLANs and Firewall Rules with UniFi. ULTIMATE (Smart) Home Network Part Three (2019)
- Z-Wave vs. Zigbee vs. Wi-Fi! Smart Home Basics: How To Pick The Right Protocol
Hope this is useful!
Better couch gags than The Simpsons.
I just replaced my Eero-based home system with a UniFi. I can vouch for Crosstalk Solutions. I've got pretty much everything up and running well now as far as I can tell. Planning the next two enhancements (doorbell plus two exterior cameras)
One issue I do need to dig into is the Guest network and guest isolation. My understanding is that the guests should not be able to see each other but I do have successful pings going through between two guests.
Which cameras are you planning?
I'm thinking of a pair of the G4 Pro cameras on the back corner of my house - one covering the backyard entrance and the other the driveway. The G4 Doorbell will cover the front. I think it'll be straightforward to run PoE to the two cameras
As much as I am not a fan of the Ring Cameras. Most of my reasoning to get the Unifi Cameras, are to cover the alleys of my house (extremely dark at night). Backyard watching the kids play and the driveway. It's just a lot to hunker down, I hope the quality is good.
@Alderete Hey there, a question for you about why you chose your network VLANs that way.
I went a slightly different arrangement.
LAN is the backbone on 10.0.0.x and only the switches and APs are on that network
Main is my trusted network and has my servers, NAS drives, DNS, and printer
Home is where kids can have a LAN party - no access to Main other than DNS and printer, but they can see each other
IoT for my IoT devices. There are a couple that need to communicate to my home assistant so there is a firewall rule for them to get back to Main
Guest is for guests and isolates from each other and can't get to any of the other networks.
I have SSIDs for the latter 4.
It sounds like my LAN and Main VLAN are the same as your main network. If I think about it closely in my situation, they are both trusted so likely there isn't a need to isolate them from each other so I could probably combine them.
Is that the right way to think about what should be a VLAN or not?
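The zone layout from the post above, modelled as an added Python example that is not part of the thread: it classifies a new connection as switched inside one subnet (never seen by the gateway firewall, which is why client isolation has to be enforced on the access points or switches) or routed between zones and matched against first-match rules. Only 10.0.0.x comes from the post; the other subnets, the host addresses, the rule order and the default-deny fallback are assumptions.

```python
import ipaddress

ip = ipaddress.ip_address
# Constructed addressing: only 10.0.0.x for LAN is from the post. The other
# subnets, the host addresses and the rule order are assumptions.
ZONES = {
    "LAN":   ipaddress.ip_network("10.0.0.0/24"),
    "Main":  ipaddress.ip_network("10.0.10.0/24"),
    "Home":  ipaddress.ip_network("10.0.20.0/24"),
    "IoT":   ipaddress.ip_network("10.0.30.0/24"),
    "Guest": ipaddress.ip_network("10.0.40.0/24"),
}
DNS, PRINTER, HOME_ASSISTANT = ip("10.0.10.53"), ip("10.0.10.60"), ip("10.0.10.20")
IOT_HA_CLIENTS = {ip("10.0.30.11"), ip("10.0.30.12")}  # the "couple" of IoT devices

# First match wins: (src zone, src hosts or None=any, dst zone, dst hosts or None=any, action)
RULES = [
    ("Home", None, "Main", {DNS, PRINTER}, "allow"),
    ("IoT", IOT_HA_CLIENTS, "Main", {HOME_ASSISTANT}, "allow"),
]

def zone_of(addr):
    """Name of the local zone containing addr, or 'Internet'."""
    return next((name for name, net in ZONES.items() if addr in net), "Internet")

def verdict(src, dst):
    """Classify a new connection: 'switched', 'allow' or 'drop'."""
    src, dst = ip(src), ip(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "Internet":
        # Same subnet: frames are switched and never reach the gateway,
        # so no rule in RULES can filter them.
        return "switched"
    if src_zone != "Internet" and dst_zone == "Internet":
        return "allow"  # assumption: every zone gets Internet access
    for r_src_zone, r_src, r_dst_zone, r_dst, action in RULES:
        if (r_src_zone == src_zone and r_dst_zone == dst_zone
                and (r_src is None or src in r_src)
                and (r_dst is None or dst in r_dst)):
            return action
    return "drop"  # default deny between zones and for unsolicited inbound

if __name__ == "__main__":
    for s, d in [("10.0.20.5", "10.0.10.53"), ("10.0.20.5", "10.0.10.100"),
                 ("10.0.30.99", "10.0.10.20"), ("10.0.40.7", "10.0.40.8")]:
        print(f"{s:>11} -> {d:<11} {verdict(s, d)}")
```

The model covers new connections only; reply traffic on a stateful firewall follows the connection that was already allowed.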
@scotte I'm far from a networking expert! You've exceeded my experience and knowledge with your questions, but I would say that if you're confident at managing your somewhat more complex network, then don't fix something that's not broken.
I have the three separate networks (main/default + 2 VLANs) for three separate use cases. I have three "classes" of devices: fully trusted, IoT (untrusted, but need to talk to each other, and be reachable by some trusted devices), and guests (untrusted, no need to talk to other things, just the Internet). It's pretty much the maximum complexity I want to manage.
But it's not a stretch to start thinking of more, or fewer. If you want to consolidate a couple of your use cases, with all of the "trusted" zones being unified, that's not unreasonable. But it's also reasonable to say "they don't need to talk to each other, so why combine?"
I mostly went with the design I came up with because it's reasonably similar to what folks were doing in some of the videos I linked to. I don't want to have to learn and think about more complex network designs, firewall rules, and so on. Adapting the network designs from The Hook Up and Crosstalk Solutions was pretty easy; coming up with my own design, less so.
Not sure if that helps. I guess my final words would be, there's no One True Answer or network design for the home. Everything is a trade-off between security, performance, reliability, complexity, and so on. You need to look at your needs, and make decisions based on that.
@scotte Just a quick follow-up to my last post. Rob from The Hookup's latest video on setting up secure home networks just came out yesterday, and answers your questions far better than I can. Here's the video: GUIDE: UniFi 6.0 VLANs, Firewall Rules, and WiFi Networks for IoT and Smart Home Devices - YouTube
In particular, he speaks directly to the issue of security-vs-convenience with more examples and clarity than I can write in a post. Even if you're not planning to invest in a Unifi-based network, the discussion is worth viewing, because it's applicable to any home network.
Thanks! I'll definitely take a look at it
@Alderete Watched the video and it was pretty good! Definitely waiting for his Part 3. My network config is probably a bit more secure than what he was describing and follows what he described as more secure. (My main trusted devices are not on the untagged VLAN but on their own VLAN)
He did explain a couple of the settings and why they should be set that way. That was nice. Also about the WLAN groups which is an interesting feature. I don't think I need that for my particular setup.
We're approaching the fifth anniversary of installing several Eeros throughout the house. It works great, but their recent sale got me thinking: should they be replaced even if we've had no problems?
I'd hate having to change them if something goes wrong unexpectedly.
We also use wi-fi calling at home since we're in a dead spot, so we'd lose our phone calling service too.
It might be worth keeping a spare, or understanding how to rearrange what you have to provide temporarily reduced coverage due to a failure. That second option only works if you're using full units everywhere instead of satellites.
Thank you for your thoughts!
I went to check the price on Amazon. It's lower than it's generally been since June if Camel is correct. I wonder if they're coming out with a new version soon. Hmm…