Managing a home Wi-Fi network so that you have good coverage everywhere can be challenging.
Let's quickly review the basic components of a network.
Most consumer Wi-Fi products act as a 4-in-1 device combining a Security Gateway, Router, Wi-Fi Access Point, and Switch, with varying success given how complex each element is (let alone stitching them all together).
There are different approaches you can take depending on your willingness to take on more technically intensive solutions.
Hardware offloading (see the EdgeRouter Hardware Offloading help article: https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading) improves throughput by moving NAT and IPsec processing off the router's underpowered CPU. From the CLI:

```
configure
set system offload hwnat enable
set system offload ipsec enable
commit ; save
```
Download updated firmware and install in the System tab at the bottom of the dashboard screen.
If using Synology or another NAS to host your Unifi Controller dashboard, you'll need to open TCP ports `8080,8443,8843,8880,6789` and UDP ports `3478,10001` in the firewall under Security > Firewall > Edit Rules.
You'll also need to set environment variables for the container. When the `RUNAS_UID0` environment variable is set to off, the dashboard defaults to running more securely as a non-root custom user/group of 999/999. You'll need to create a user in Synology with minimal permissions (except for the Docker folder where UNMS runs) and then edit that user's uid/gid to be 999 in `/etc/passwd` with the command `sudo vim /etc/passwd`.

Set up the Unifi Network Management System (UNMS) using this great Docker image and its instructions: nico640/docker-unms.
Sometimes, an Access Point will fail to adopt in the Controller and cycle between adopting and disconnecting. This can happen because the adoption process requires the AP to ping the controller, and if DNS is not configured so that the hostname `unifi` resolves to your controller IP address, the AP will fail to connect.

To resolve this, find the IP address of the AP, log in over SSH and run the `set-inform` command twice, where `A.B.C.D` is your controller's IP address and `W.X.Y.Z` is the IP address of your AP:

```
$ ssh ubnt@W.X.Y.Z
Password: ubnt

UBNT-BZ.v4.3.21# set-inform http://A.B.C.D:8080/inform

Adoption request sent to 'http://A.B.C.D:8080/inform'. Use the controller to complete the adopt process.

UBNT-BZ.v4.3.21# set-inform http://A.B.C.D:8080/inform

Adoption request sent to 'http://A.B.C.D:8080/inform'. Use the controller to complete the adopt process.
```
Alternatively, certain discovery ports for the controller may not be open, or there may be a myriad of other issues, but for my setup the missing DNS record for the controller and the AP's failure to `set-inform` was the problem. Many thanks to this community help article that spelled it all out.
As a long-term solution to the above adoption problem, in EdgeRouter you can go to Services > DHCP Server > LAN > Actions > View Leases and then Map Static IP for the device that the Unifi Controller is running on. Once it is assigned a static IP, you can set that IP in the DHCP server's Details > Unifi Controller box to prevent future adoption problems.
Using this tutorial and the following summarized steps, I set up separated networks using VLANs for guests and for work devices.
The example below assumes a basic setup where all Unifi Access Points connect directly to EdgeRouter ports and not through a secondary switch. If another switch is involved, the setup will be a bit more complicated and will use specific `ethX` interfaces instead of the entire `switch0`, which applies this setup across all ports.
Create the VLAN
Dashboard > Add Interface > Add VLAN:

```
VLAN ID: 10
Interface: switch0
Description: VLAN10_GUEST
Address: 192.168.10.1/24
```
Add a DHCP Server
Services > DHCP Server > Add DHCP Server:

```
DHCP Name: VLAN10_GUEST
Subnet: 192.168.10.1/24
Range Start: 192.168.10.2
Range Stop: 192.168.10.254
Router: 192.168.10.1
DNS 1: 192.168.10.1
DNS 2:
Unifi Controller:
```
Add a DNS listener to the new VLAN
Services > DNS > DNS Forwarding > Add Listen Interface: choose `switch0.10` and save, so DNS requests on the new VLAN can resolve to the router.
Optionally, support port forwarding over the new VLAN interface. I've done this only on the work device network, not on the guest network, to lock down internal services.
Add firewall rules to restrict the VLAN from talking to other devices on your primary LAN
Firewall/NAT > Firewall Policies

IN rule to drop all requests to primary LAN IP addresses:

```
Name: VLAN10_GUEST_IN
Description: VLAN10_GUEST_IN
Default action: Accept
```

Add New Rule to block all traffic to the primary LAN:

```
Basic
Description: DROP access to 192.168.1.0
Action: Drop
Protocol: All Protocols

Destination
Address: 192.168.1.0/24
```

Configure the applicable interface:

```
Interface: switch0.10
Direction: in
```

LOCAL rule to drop all requests to the router except for DNS requests:

```
Name: VLAN10_GUEST_LOCAL
Description: VLAN10_GUEST_LOCAL
Default action: Accept
```

Add New Rule to allow DNS requests only:

```
Basic
Description: Allow VLAN10 DNS
Action: Accept
Protocol: TCP & UDP

Destination
Port: 53
```

Add New Rule to block all traffic to the router:

```
Basic
Description: DROP access to 192.168.10.1
Action: Drop
Protocol: All Protocols

Destination
Address: 192.168.10.1
```

Configure the applicable interface:

```
Interface: switch0.10
Direction: in
```
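The GUI steps above, from creating the VLAN through attaching both firewall policies, expressed as EdgeOS CLI commands. This is an added example, not from the original article. It reuses the article's names and addresses, writes the DHCP subnet as the network address 192.168.10.0/24 (the form the CLI expects), fills the DHCP server's Unifi Controller option with the `A.B.C.D` placeholder used earlier for the controller's static IP, and attaches VLAN10_GUEST_LOCAL with direction `local`, which is the direction that applies a ruleset to traffic addressed to the router itself.

```vyatta
configure

# VLAN 10 on switch0, so it covers every switch port, as in the GUI step
set interfaces switch switch0 vif 10 description VLAN10_GUEST
set interfaces switch switch0 vif 10 address 192.168.10.1/24

# DHCP for the VLAN; A.B.C.D is the placeholder for the controller's static IP
set service dhcp-server shared-network-name VLAN10_GUEST subnet 192.168.10.0/24 start 192.168.10.2 stop 192.168.10.254
set service dhcp-server shared-network-name VLAN10_GUEST subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name VLAN10_GUEST subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name VLAN10_GUEST subnet 192.168.10.0/24 unifi-controller A.B.C.D

# Let the router's DNS forwarder answer on the VLAN
set service dns forwarding listen-on switch0.10

# IN ruleset: traffic from the VLAN that the router would forward elsewhere
set firewall name VLAN10_GUEST_IN description VLAN10_GUEST_IN
set firewall name VLAN10_GUEST_IN default-action accept
set firewall name VLAN10_GUEST_IN rule 10 description 'DROP access to 192.168.1.0'
set firewall name VLAN10_GUEST_IN rule 10 action drop
set firewall name VLAN10_GUEST_IN rule 10 protocol all
set firewall name VLAN10_GUEST_IN rule 10 destination address 192.168.1.0/24

# LOCAL ruleset: traffic from the VLAN addressed to the router itself
set firewall name VLAN10_GUEST_LOCAL description VLAN10_GUEST_LOCAL
set firewall name VLAN10_GUEST_LOCAL default-action accept
set firewall name VLAN10_GUEST_LOCAL rule 10 description 'Allow VLAN10 DNS'
set firewall name VLAN10_GUEST_LOCAL rule 10 action accept
set firewall name VLAN10_GUEST_LOCAL rule 10 protocol tcp_udp
set firewall name VLAN10_GUEST_LOCAL rule 10 destination port 53
set firewall name VLAN10_GUEST_LOCAL rule 20 description 'DROP access to 192.168.10.1'
set firewall name VLAN10_GUEST_LOCAL rule 20 action drop
set firewall name VLAN10_GUEST_LOCAL rule 20 protocol all
set firewall name VLAN10_GUEST_LOCAL rule 20 destination address 192.168.10.1

# Rules are evaluated in number order, first match wins, then the default action applies
set interfaces switch switch0 vif 10 firewall in name VLAN10_GUEST_IN
set interfaces switch switch0 vif 10 firewall local name VLAN10_GUEST_LOCAL

commit ; save
```

Because both rulesets default to Accept, only the destinations named in the drop rules are blocked: guest clients can still reach the internet and any other VLAN you add later, and the local ruleset names only 192.168.10.1. If the router should not be reachable from the guest VLAN on its other addresses either, the tighter variant is `default-action drop` on VLAN10_GUEST_LOCAL with just the DNS accept rule kept.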
In the controller you can now build on the new VLAN to create your new networks and wifi networks.
Create a new network for the VLAN in Settings > Networks:

```
Name: Guest

Advanced
VLAN ID: 10
Device Isolation: True
Auto Scale Network: False
Gateway IP/Subnet: 192.168.10.1/24
DHCP Range: 192.168.10.2 - 192.168.10.254
DHCP Guarding: 192.168.10.1
```

Create a new Wi-Fi network for the VLAN in Settings > WiFi:

```
Name: Wafflehouse-Guest
Password: abc123
Network: Guest

Advanced
Client Group: Guest
```

Optionally create a new Client Group to set rate limits in Settings > Advanced Features, and then update your Wi-Fi network to use the custom Client Group:

```
Add a Client Group
Name: Guest
Limit download bandwidth: 10 mbps
Limit upload bandwidth: 2 mbps
```
EdgeRouter can have custom DNS records. Log in using the CLI and run the following (help article):

```
$ configure
$ set system static-host-mapping host-name host1 inet 18.104.22.168
$ commit
$ save
```

You can also add CNAME records, which point to another name rather than an IP address, as follows:

```
$ configure
$ set service dns forwarding options cname=storage.localdomain,backup01.localdomain
$ commit
$ save
```
A local DNS server can be very useful for ad-blocking a la Pi-Hole or for having custom DNS records for local devices.
Under Firewall/NAT > Port Forwarding you can add configuration so that requests to certain ports on your external IP address are forwarded to a specific device that can handle them. For example, I've set up all requests on ports `80` (HTTP) and `443` (HTTPS) to forward to my home Synology server, where the different dashboards and other services run in Docker.

Note that you'll need to set the WAN interface to `eth0` and the LAN interface to `switch0` for port forwarding to take effect (thanks to this help article).
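The same port-forwarding setup as EdgeOS CLI commands, added here as an example that is not part of the original article. The WAN/LAN interfaces and the two ports are the article's; `192.168.1.50` is a placeholder for the Synology's LAN address, which the article does not give.

```vyatta
configure

# Port forwarding only takes effect once the WAN and LAN interfaces are named
set port-forward wan-interface eth0
set port-forward lan-interface switch0

# auto-firewall creates the matching WAN_IN accept rules for the forwarded ports only,
# so nothing beyond 80 and 443 is opened from the outside
set port-forward auto-firewall enable
# hairpin-nat lets LAN clients reach the same services through the public address
set port-forward hairpin-nat enable

# 192.168.1.50 is a placeholder for the Synology server (not given in the article)
set port-forward rule 1 description 'HTTP to Synology reverse proxy'
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 80
set port-forward rule 1 forward-to address 192.168.1.50
set port-forward rule 1 forward-to port 80

set port-forward rule 2 description 'HTTPS to Synology reverse proxy'
set port-forward rule 2 protocol tcp
set port-forward rule 2 original-port 443
set port-forward rule 2 forward-to address 192.168.1.50
set port-forward rule 2 forward-to port 443

commit ; save
exit

# From operational mode, confirm the generated NAT rules
show nat rules
```

Keeping the forward list to exactly these two rules is what makes the reverse proxy on the Synology the single entry point: every other Docker service stays reachable only by hostname through the proxy, never directly on its own port from the internet.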
All requests on `443` arriving at our external IP address are terminated at the Synology server, but how does it know which requests are for which Docker service?
A reverse proxy allows you to define rules (generally based on the domain name of the request) to handle routing from the generic public ports `80,443` to the specific local Docker ports that your services are running on.

The following help article explains it thoroughly, though the process is straightforward from the Control Panel > Application Portal > Reverse Proxy settings page.

There are great instructions here on how to add a virtual host with a basic `.htaccess` file that forces all clients requesting over HTTP to re-request using HTTPS.