Hi all…
I’m looking at “improving” my network a bit, in anticipation of Fiber being commissioned in the next 30-45 days.
Attached is the Current, Future 1 (which is itself 2 options) and then Future 2.
Some comments please.
Oh this change is 2 fold, HW refresh and also a network relayout, the black IP’s is current, the red is the planned future.
some comments please, some suggestions please.
G
Anyone ?
G
Cleanest and easiest to manage is your option 2 as you would use Unifi Network Controller so its one place for complete management. Also, pfsense is way better then USG (I have it - its not very good as pfsense, but then pfsense you can’t manage from Unifi, so its up to your preference).
Stacking firewalls in option 1 is, I believe unnecessary and not recommended.
If you want complete management in one spot, then go unify all the way - usg, switch with poe, ap’s.
I have it like that with 100mbps link and it works fine. If you want more speed, you would need unify usg pro.
running to work, but ask if you have questions 
I like the idea of everything under one cover… of a Unifi end to end, but then I’m already running a mix stack, so it’s not the end of the world.
Think the pfSense as a edge device is amazing. Happy to manage the switch and AP’s via the controller and manage the pfSense separately.
Was thinking,
#1 I can vLan tag the networks and run them over a single link between the pfSense and the switch OR #2 3 links between the pfSense (LAN2/3 and 4) mapped to 3 ports on the Unifi switch and then split the Unifi switch - map physical ports to vLan’s.
(comment)
G
… oh btw My Internet will be 200/200Mbps day 1, and ye I doubt I will stay with that for long, sort of what started this itch… / refresh.
What pushed my firstly to the pfSense is its incoming and outgoing VPN capability with OpenVPN and NordVPN.
G
One link will be fine and make ports to be trunks (so all vLans go through)
That is easy to setup and you want have mess with cables, also you will save network ports.
Pfsense can do you inter vLan routing as well, so you all good there
With a 200/200 link, don’t use the USG…pfsense is the right way
This is what opened this pandora’s box… realised the USG won’t cut it… leading to a pfSense leading to a managed 24 PoE switch now also… 
Question 1, I noticed I can only have 4 x SSID’s… anyway to be able to do more, just simpler to have the current set and the to be set and then one for one move devices over.
Question 2, why the hellllll does the wifi reset when you make changes, it disconnects everyone, can’t believe that a sudo enterprise product does that ?
G
Me: Hey honey, make me a sandwich?
Her: Go make your own sandwich!
Me: Honey, sudo make me a sandwich?
Her: OK my love!
… what made you think you had sudo rights granted.
G
@Bobby …
so have a IONN on the way to host the pfSense (sadly their shipper will take a week, apparently it’s a day/overnight to get to PE and then 5-6 days for the last 60km…
and
a Unifi 24 Port PoE Management Gen 2 switch.
While I wait… I’ve created my new networks, and moving them from SSID A on old network to SSIDB on the new network.
Once all been moved will then move the services like MQTT and then go back top all the IoT device to update them with the new MQTT IP… and then there is the Paradox IP150 and all those bits.
going to be interesting.
See if I can get this re-IP assign/layout done before the devices get here.
G
Can I please check this quickly for myself: I’ve got a 200/100 Fibre link and want to upgrade to Ubiquiti. Was thinking a USG should be fine, never crossed my mind that anything in the Ubiquiti ecosystem will be less than 1Gbps. Does the USG only cater for a 100Mbps link? That would be very outdated…
Surely you thought of expanding your subnet?
Also, you can create SSIDB to be the same as SSIDA, at least temporarily so that the “move” is seamless
USG can do 1Gbps switching, but not routing. And the moment IPS and IDS is on, it drops to 85Mbps, which is sadly not enough these days. USG Pro has capability for the link you have but it has bigger footprint (I think 1U) and its more expensive
Wow, they should make it abundantly clear in their product documentation. I’m now quite wary as I’ve had a system specced and ready to pull the trigger.
Are the UDM or UDM-Pro viable alternatives? It also seems that with them you don’t need a separate Cloud-Key device?
I’m sure you meant USG …UDM (Unify Dream Machine) is all in one device (switch, ap, fw).
USG and USG Pro do the same. Difference is in “horse” power…USG Pro has up to 250Mbps throughput with both IDS and IPS turned on. Other then that, no other major differences.
Unifi Network Controller software is needed. It can be in the Unifi cloud (Ubiquiti Account), Cloud key device (little dongle thingie) or virtual appliance.
I run my “cloud key” in docker on synology, but it can also be ran Home Assistant.
Found a nice pic showing some throughput stats…the top is UDM Pro, the latest and greatest from Unifi…
No I did mean the UDM and UDM-Pro as I’ve read that those integrates the Cloud-Key software as well but with more modern routing capabilities.
The soon-to-be-released UXG-Pro seems like the more “drop-in” replacements for the USG-Pro as it doesn’t host the software as well but should do routing as well as the UDM-Pro.
Regardless, it seems at the moment that Uniquiti doesn’t have a viable router really for me. I’d prefer to keep the software on a separate device so the UDM line isn’t entirely what I want. I’d just have to wait?
dammm… broke my network… bit stuck.
original
LAN_192.168.0.0 - ye, flat as the kalahari, there was no planning when I rolled this out/5-6 yrs ago. 192.168.0.1 sits on the LAN side of the USG (10.0.0.2 sits on the WAN, 10.0.0.1 sits on the LAN side of my ISP Router)
I’ve configured static routes
192.168.0.0 via 10.0.0.2
172.16.10.0 via 10.0.0.2
172.16.20.0 via 10.0.0.2
172.16.100.0 via 10.0.0.2
original
lan_192.168.0.0
I’ve added Additional networks
services_172.16.10.0 GW 172.16.10.1
mobile_172.16.20.0 GW 172.16.20.1
iot_172.16.100.0 GW 172.16.100.1
original SSID:original to hand out ip’s on lan_192.168.0.0
Added
SSID:services to hand out ip’s on services_172.16.10.0
SSID:mobile to hand out ip’s on mobile_172.16.20.0
SSID:iot to hand out ip’s on iot_172.16.100.0
ye needless to say internet access is not to healthy for services and mobile, IoT does not need so haven’t even checked.
(strange I’ve placed a Rpi3b on 172.16.10.0 network and it can happily see clients on 192168.0.0
trying to make it better, prepare for new equipment seems to have broken it badly now, hehehe.
G
… undoing some of the configs, get network working again. might have to park some of this until the switch and pfSense is here.
G
he he he… hmmmm…
what you mean by below…
