Enhancing your Network

Starting with UniFi can be overwhelming, and while I won’t cover all the advanced settings, I will cover the ones that I have found helpful for maintaining a robust, stable network.

Networks

  • If you are changing the IP range of the Default network there is no need to change the name. If you are creating a new network you need to give it one.
  • The default Router should be sufficient. This gives you access to firewall policies in the Zone Based Firewall instead of switch ACLs.
  • The Zone should be internal for the Default network but you can create Zones or select one of the defaults for other networks.
  • Uncheck Auto-Scale Network; I personally have never seen a need for it.
    • I personally don’t like things automatically doing anything by itself unless I can define the guardrails.
  • The Default network is really VLAN 1. I would suggest you change the IP range from 192.168.1.0/24 to something else. I personally use the 10.0.0.0/8 range and pick a /24 from it that will never collide with a range used by a VPN connection at an external site or by my internet router.
    • You can change this by editing the Gateway IP/Subnet and updating the Host Address and Netmask to your requirements. I personally would do a /24 for each network. This will give you around 249 potentially usable IP addresses.
  • Click Manual. Auto applies some of the normal best practices, but I like my networks to be under my control so that I can decide about VLAN, Spanning Tree, Multicast, etc. I do this even if I am editing the Default network.
  • Options for a standard routed network as I typically configure them unless there is a reason to change it for a specific use case.
    • VLAN ID: Select an available VLAN ID 2-4096
    • Isolate Network: unchecked
    • Allow Internet Access: checked
      • Unless this is a network that needs no internet, such as a storage network
    • IGMP Snooping: checked
    • Multicast DNS: checked
      • I will uncheck this for IoT networks with a lot of foreign hardware.
    • DHCP Mode: DHCP Server
      • If the network has another DHCP server you can also use None or DHCP Relay if you know what you’re doing.
    • DHCP Range: Put a starting and ending range that will never have static IPs assigned in the range.
      • I usually do .100 – .199 unless it’s a wireless-only network.
    • DHCP Guardian: Add a Trusted DHCP Server here
      • This keeps DHCP from being handed out by a device that you have no control over. Users have a tendency to do silly things like plug in an old router to get WiFi when it’s not available. This makes your equipment the only thing that can respond. The trusted server will typically be the router address on the VLAN that you are creating, or .1 on the Default network.
    • Default Gateway: Auto
      • There is no reason to change this unless you have another router providing network paths.
    • DNS Server: If you choose Auto, your clients will get the UDM listed as the DNS server.
      • I typically will set up the UDM as primary and then add a couple of extra DNS servers, such as Google or OpenDNS. This means that even if the DNS service is down I can still get out as long as routes are available.
    • Lease Time: This is for DHCP and is in seconds. Too high and leases take a long time to expire; too short and clients are re-requesting leases all the time. 86400 is 1 day.
    • Domain Name: I set this to something that I can identify the network with.
    • Ping Conflict Detection: checked. When a lease is requested, the server pings the IP to see if it is in use. Duplicates typically happen when somebody sets a static IP, but an IP used more than once can create havoc on your network and can kick in Spanning Tree, which turns off ports.
    • Network Boot: unchecked
      • You can check this if you have a device that a machine can network boot from, this is typically disabled.
    • NTP Server: Enter the IP of a public NTP server here; this will keep your device times in sync.
    • Option 43: checked, and enter the IP of your UDM on the Default Network.
      • You don’t need this, but it makes UniFi devices connect faster if it’s part of the DHCP scope.
    • TFTP Server: unchecked
      • This is only checked if you need to use TFTP for a device, you would then just add the IP of the device to this option.
    • Time Offset: unchecked
      • No need to offset if you are using public NTP servers.
    • WPAD URL: unchecked
      • Who uses WPAD anymore?
    • WINS Server: unchecked
      • WINS is fairly old and not really used much either.
    • Custom DHCP Options: empty
      • You can add your own DHCP options if you have a need for that.
      • These are typically only added if a device is looking for a specific option code for configuration.
      • This is not a typical configuration.
    • Click Add
      • This will add the Network/VLAN but you won’t be able to use it until you configure a Port Profile.
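A small planning helper for the network settings above, added here as an illustration and not part of the original post or of UniFi itself: it picks a /24 out of 10.0.0.0/8 that stays clear of ranges you reserve (the constructed RESERVED list stands in for VPN sites and the ISP router), lays out the .100–.199 DHCP pool with a check that no static host lands inside it, and encodes the UDM address as DHCP option 43 in the sub-option 1 form UniFi devices read.

```python
import ipaddress

# Constructed planning data: ranges to stay clear of (remote VPN sites, the ISP router's LAN).
RESERVED = ["10.0.0.0/24", "10.8.0.0/16", "192.168.1.0/24"]
POOL = "10.0.0.0/8"


def pick_free_24(pool=POOL, reserved=RESERVED, in_use=()):
    """Return the first /24 inside pool that overlaps no reserved or already-used range."""
    avoid = [ipaddress.ip_network(n) for n in list(reserved) + list(in_use)]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=24):
        if not any(cand.overlaps(r) for r in avoid):
            return str(cand)
    raise ValueError("no free /24 left in pool")


def plan_network(subnet, static_hosts=(), pool_start=100, pool_end=199):
    """Lay out one /24: gateway at .1 and the DHCP pool at .100-.199 by default.

    Any static host that falls inside the pool is reported in 'clashes' so the
    pool can be moved before a duplicate-IP conflict shows up on the network."""
    net = ipaddress.ip_network(subnet)
    base = net.network_address
    start, end = base + pool_start, base + pool_end
    clashes = [h for h in static_hosts if start <= ipaddress.ip_address(h) <= end]
    return {
        "gateway": str(base + 1),
        "dhcp_start": str(start),
        "dhcp_end": str(end),
        "clashes": clashes,
    }


def option43_ubnt(inform_ip):
    """Hex bytes for DHCP option 43 as UniFi devices read it: sub-option 1,
    length 4, then the controller's IPv4 address. Hand this string to whatever
    DHCP server you use if it is not the UDM itself."""
    packed = ipaddress.ip_address(inform_ip).packed
    return "01:04:" + ":".join(f"{b:02x}" for b in packed)


if __name__ == "__main__":
    subnet = pick_free_24()
    print(subnet, plan_network(subnet, static_hosts=["10.0.1.10", "10.0.1.150"]))
    print(option43_ubnt("10.0.1.1"))
```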

Creating Port Profiles

I love Port Profiles, they make configuring multiple ports much easier and allow you to keep consistency across switches.

  • Open the Unifi Admin Console
  • Click the Gear near the bottom of the page.
  • Click Profiles
  • Click Ethernet Ports
  • Click Create New
  • Give it a name
    • I typically will use this naming convention based on the port type.
      • Uplink Port: Uplink Port – DeviceType
        • Uplink Port – AP for example
        • Uplink ports are used to allow access to VLANs from another device. They allow all traffic. APs with multiple SSIDs, for example, will probably have multiple VLANs and will need to be on an Uplink Port. The switches that the AP is plugged into will also need Uplink Ports so that the traffic can go from the AP to the switch and then to the router.
      • Access Port: Access Port – VLANID (Purpose)
        • Access Port – VLAN2 (IOT) for example
        • Access Ports are assigned to a single VLAN and are considered a tagged port, only allowing access to one VLAN.
      • Disabled: Disabled
        • This type of Profile disables a port completely. Use it if you have many ports configured and plugged in but you don’t want users to plug into a port without letting you know. It also comes in handy for devices that are only used as backups to Uplinks, so you can turn them off to avoid loops.
  • Configure an Uplink profile
    • Port: Active
    • Native VLAN: The VLAN of the network you created.
    • Tagged VLAN Management: Allow All
      • If you want to restrict it down further you can click Custom and select only the VLANs that the port should support.
      • I typically just leave it as Allow All so that as I add additional VLANs I don’t have to update the Port Profile.
    • POE: checked if you need it, unchecked if you don’t. APs, for example, will need POE most of the time, whereas switches will not.
    • Multicast Router Port: unchecked
      • You can consider checking this if you have a need, but you will need to have the Multicast Port created and then select the Ports needed. This is used primarily to allow Multicast to bleed over to other networks. Things such as AirPlay and streaming across VLANs work better, but if your network is flat it doesn’t offer much.
    • Click Manual
      • Link Speed: Automatically Negotiate
        • If you have a device that has a hard time connecting you can also hard set this so that it doesn’t have to negotiate; typically that is not an issue.
      • 802.1X Control: Auto
        • If you have a need for this you have various options based on your needs.
      • Port Isolation: unchecked
        • This stops traffic between ports that are isolated. In most cases it is not needed, especially on a trunk port, but if you have devices that shouldn’t talk to each other on the same network you can enable this. I typically don’t.
      • Storm Control: unchecked
        • This is an Uplink Profile and multicast is happening on all the networks all the time. Storm control here can cause weird network issues.
      • Loop Protection: unchecked
        • Checking this can cause issues on an Uplink port and cause it to disable itself. Since Uplink Ports are used by network devices and it can affect anything downstream, I don’t enable it.
      • Spanning Tree Protocol: checked
        • Spanning Tree helps keep loops from taking down an entire network. Ironically it can also take down a network if it’s misconfigured.
      • Egress Rate Limit: unchecked
      • LLDP-MED: checked
        • This allows the UDM to discover the type of devices on the network.
      • Voice VLAN: unchecked
      • QoS: unchecked
        • QoS is a double-edged sword; in the past it was needed, less so now with high speed internet.
  • Configure an Access Profile
    • Port: Active
    • Native VLAN: The VLAN of the network you created.
    • Tagged VLAN Management: Block All
    • POE: checked if you need it, unchecked if you don’t.
    • Multicast Router Port: unchecked
      • You can consider checking this if you have a need, but you will need to have the Multicast Port created and then select the Port for your VLAN as needed.
    • Click Manual
      • Link Speed: Automatically Negotiate
        • If you have a device that has a hard time connecting you can also hard set this so that it doesn’t have to negotiate; typically that is not an issue.
      • 802.1X Control: Auto
        • If you have a need for this you have various options based on your needs.
      • Port Isolation: unchecked
        • This stops traffic between ports that are isolated. In most cases it is not needed, but if you have devices that shouldn’t talk to each other on the same network you can enable this. I typically don’t.
      • Storm Control: unchecked
        • As with the Uplink Profile, multicast is happening on all the networks all the time, and storm control can cause weird network issues.
      • Loop Protection: checked
        • This keeps devices from creating a loop that engages Spanning Tree, which can cause network connectivity issues.
      • Spanning Tree Protocol: checked
        • Spanning Tree helps keep loops from taking down an entire network. Ironically it can also take down a network if it’s misconfigured.
      • Egress Rate Limit: unchecked
      • LLDP-MED: checked
        • This allows the UDM to discover the type of devices on the network.
      • Voice VLAN: unchecked
      • QoS: unchecked
  • Configuring a Disabled Profile
    • Port: Disabled
    • That’s it.

Assigning Port Profiles

  • Now that we have the various Port Profiles configured we want to use them.
  • Click on the AP looking icon on the left inside the console.
  • You can filter by clicking Switches.
  • Click the switch and then click Port Manager.
  • Check Available if you wish to change ports that don’t have anything plugged in yet.
  • Click the ports you wish to assign to the same profile. You can do multiple.
  • A menu will appear on the right; go to that screen.
  • Ethernet Port Profile: check
  • Select the Profile from the drop down
  • Click Apply Changes
  • It will assign the profile to the ports and apply the settings you defined in the Port Profile you created.
  • If you wish to change something, edit the Port Profile and it will apply to all the ports the Profile has been assigned to.
  • I use these for making sure that all ports are consistent.

Global Network Settings

  • Open the Unifi Console
  • Click the Gear on the left
  • Click Networks
    • mDNS: checked
      • I use this on all networks, you can select the network you wish to use by editing and adding or removing the networks that should support it.
    • mDNS Proxy: All
      • Forwards mDNS across all VLANs
    • IGMP Snooping: checked
      • Use this on all networks that have queriers you wish multicast traffic to go across. It reduces multicast traffic, giving better performance for that traffic type.
    • Forward Unknown Multicast Traffic: Multicast Router Ports
    • Fast Leave: checked
      • Allows a port to leave the Multicast group as soon as IGMP Snooping discovers it’s not needed.
      • You will need to select the networks that are allowed to do this.
    • Querier Switch: checked
      • This will require an IP on the VLAN you wish to use it on.
      • This IP cannot be used for anything else.
    • Multicast Router Port
      • This is a special port that is used for multicast traffic. I set this up on the main switch uplink port to the UDM.
    • L3 Network Isolation (ACL): unchecked
      • Don’t over complicate it if you don’t have to.
      • This setting allows you to create ACLs on L3 switches which has its use cases.
      • The only one I can think of is an isolated network that you wish to do port level blocking on. Typically a firewall policy is a better choice.
    • Device Isolation (ACL): unchecked
      • Same issue, this will keep devices on the same network from talking. Typically you don’t need to do this.
    • Spanning Tree Protocol: RSTP
      • You can use STP or disable it but Rapid Spanning Tree Protocol is the best practice unless your devices don’t support it.
    • Rogue DHCP Server Detection: checked
      • Alerts you if it discovers a device that is actively responding to DHCP requests. This is in addition to locking it down on the network VLAN.
    • 802.1X Control: unchecked
      • This is only if you are doing NAC and want it to be done on physical network ports.
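As an added illustration of what Rogue DHCP Server Detection and DHCP Guardian are guarding against (this is my example, not UniFi’s own detection code), here is a log check that flags DHCP offers from anything other than the trusted server on each VLAN; the log format and the TRUSTED map are constructed for the example.

```python
import re
from collections import defaultdict

# Trusted DHCP server per VLAN, mirroring the DHCP Guardian setting: the UDM's address on each network.
TRUSTED = {1: "10.0.1.1", 2: "10.0.2.1"}

# Constructed sample of a DHCP offer log as a switch or sensor might emit it (not real UniFi output).
SAMPLE_LOG = """\
2024-05-01T08:00:01 vlan=1 DHCPOFFER server=10.0.1.1 client=aa:bb:cc:00:00:01 yiaddr=10.0.1.120
2024-05-01T08:00:02 vlan=2 DHCPOFFER server=10.0.2.1 client=aa:bb:cc:00:00:02 yiaddr=10.0.2.101
2024-05-01T08:00:03 vlan=2 DHCPOFFER server=192.168.1.1 client=aa:bb:cc:00:00:03 yiaddr=192.168.1.50
2024-05-01T08:00:04 vlan=3 DHCPOFFER server=10.0.3.1 client=aa:bb:cc:00:00:04 yiaddr=10.0.3.100
"""

LINE_RE = re.compile(r"vlan=(\d+) DHCPOFFER server=(\S+) client=(\S+) yiaddr=(\S+)")


def find_rogue_offers(log_text, trusted=TRUSTED):
    """Return offers whose server is not the trusted server for that VLAN.

    A VLAN with no trusted entry is reported too: nothing should be handing out
    leases there, so every offer on it is unexpected."""
    rogue = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        vlan, server, client, yiaddr = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if trusted.get(vlan) == server:
            continue
        reason = "no trusted server for VLAN" if vlan not in trusted else "offer from untrusted server"
        rogue.append({"vlan": vlan, "server": server, "client": client,
                      "yiaddr": yiaddr, "reason": reason})
    return rogue


def summarize(rogue):
    """Count rogue offers per (vlan, server) so one noisy device shows up as one finding."""
    counts = defaultdict(int)
    for r in rogue:
        counts[(r["vlan"], r["server"])] += 1
    return dict(counts)


if __name__ == "__main__":
    findings = find_rogue_offers(SAMPLE_LOG)
    for f in findings:
        print(f"VLAN {f['vlan']}: {f['server']} offered {f['yiaddr']} to {f['client']} ({f['reason']})")
    print(summarize(findings))
```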

Changing the Internet Port

  • You can change the default Internet Ports.
    • The reason you may want to do this is for performance from your ISP.
    • If you are in an area that supports faster than 1Gig you will want to use a different SFP (Fiber or Copper) to uplink to the internet at 10GB.
    • You may want to also use the 10GB ports for client traffic.
  • Open the Unifi Console
  • Click the Gear Icon on the Left
  • Click Internet
  • Click the WAN port you wish to change.
    • The UDM supports multiple WAN Ports, and they can be set up as failover or as load balancing. The UDM will only have 2 10GB Ports, so you will have to decide what makes sense for your configuration.
  • Click on Port and change it to the one you wish to use.
  • Click Apply Changes. After it syncs, the port you selected becomes active, so make sure you have it cabled or your Internet will not work.
