Need ideas for wifi setup

quinnlaup

Hi Guys,
I have a client who has a dental practice that requires reliable patient wifi access as well as access for one of the milling machines that they use. I would like to allow for possibly 60 connections at any one time. The building was an old town house (100 years old, possibly more) which has been converted for business use. It is split over 3 floors with patient waiting areas on each floor. I've read a lot of good things about Unifi APs on the forum and was wondering if they would be a good fit? I was thinking 1 AP per floor but would appreciate any suggestions that you may have. Is there any other hardware that would be required/advised? Their current router is the standard one provided by their ISP.

kind regards,

Paul
 
I set up a dental client with a UniFi AC LR AP. Just needed one as it's small, one floor, 4 operatories. Works great. Has built-in Guest function with full Guest isolation. You might be able to get by with just one on the second floor in your case. My customer has the "business office" on the second floor but still gets great reception.
 
Thanks for your suggestions guys

@Markverhyden I actually bought one of these units for my own home. I haven't even taken it out of the box, so I think I'll take it with me next week and do a bit of testing. I just spoke with the owner and he wants good coverage on the top two floors as opposed to the bottom floor, so one AP may well cover that. Do you know if the Unifi controller's required as well?
 

The Unifi controller is used to set up the AP initially and do updates; however, you can set up the device with a smartphone. The controller is pretty minimal on resource usage, so you could set it up on any of the machines that stay in the office. Otherwise a lot of us have a controller we host or have hosted in the cloud to manage all of our customer deployments. Ours runs out of our office, but there are many options like Rackspace, AWS, etc.
 
We've been huge into Ubiquiti...I strongly recommend it.
I'd look at what they have in place currently....for a firewall and a switch. Might be an opportunity to upgrade current network equipment with a Ubiquiti USG at the edge, and a Unifi POE switch, as well as a Unifi AP or two or three. Hard to say what will work for wireless coverage without looking at the building and layout and construction. But up to 60x client connections...and factoring in a dentist office with lots of "noise" to impact wireless, I'd probably guestimate 3x APs would suffice.

You have those nice "wall plate" access points also, this way you don't have to run more ethernet wiring. They're just rolling out the new AC ones, announcement came out this week. Prior ones are 2.4 only.

The AC APs are nice.
And pick up a "Cloud Key" and plug it into their network...so you can easily manage the APs..as well as the USG and Unifi switches, all remotely.
The Pro models are good because you can also avoid additional wiring..since they have a second ethernet port that can be "bridged". So you can take a long existing network cable...cut it..terminate it, and stick the AC Pro in the middle of it. The added cost of the "Pro" model AP is offset by not having to run an additional ethernet cable for an AP. (depending on existing runs around the office of course).

The Unifi access points will work by themselves...without other Ubiquiti hardware. As mentioned above they have a "guest mode" which works to isolate people in that SSID. And they can attach to VLANs, so if you have a good edge router and managed switch, you can get even fancier with separating guest SSIDs onto different subnets. But adding a "cloudkey" and a Unifi USG and Unifi switch can make things better since it's all 1x vendor's technology stack. At least adding the cloud key (which is cheap) will pay for itself in short time due to ease of remote management and lower bills from you down the line when called to change or troubleshoot something.
 
Stonecat, thanks for your detailed response. I've looked at the wall plate models; they would definitely make installation a breeze. I'm not sure how much money the customer wants to throw at this issue, but I will look at the security gateway and pitch it to him and see what he says. The Ubiquiti equipment seems to give good bang for the buck.
 
I spent some time last night looking into this more. I found a guy on YouTube called Crosstalk Solutions who has a load of videos on these products. What I would like to do is set up guest wifi complete with a sign-in portal and have this on a different VLAN so that this traffic is completely isolated from the production network. This should be possible using either the Edge Router or the USG, but is the managed switch also required?
 
Look on YouTube for videos about Ubiquiti products from Streakwave, who is one of their larger resellers. They've made a lot of videos on UBNT stuff; many are on old disco'd models, but they have quite a bit of new ones also. One of their main instructors, Josh Kwok, made a lot. I've met him; he was the instructor at a recent airMAX certification class I took in NYC for their outdoor products.
 
Thanks Stonecat, I'll look for Streakwave on YouTube. I was wondering if it would be possible to run multiple SSIDs from this type of setup. I'm thinking one for the Guests and another for Staff which would allow them access to files on their server?
 
Not around mine at the moment but seem to remember you can have up to 5 SSIDs. If you specify one as guest, which can have a portal/password, I think each IP that is handed out is in isolation.
 
Check out Willie Howe on Youtube as well. His videos are usually a little more technical. He and Chris Sherwood (Crosstalk Solutions) have done a live video at one time, I think they are going to do another one in the near future.
 
Unifi systems support up to 4x SSIDs
You can enable "Guest mode" independently on any SSID
Guest Mode does not put them on a different subnet, however it will ...basically put each wifi client in their own VLAN, it isolates traffic between each client, and it prevents client traffic from "touching/seeing" the main network. It only allows DHCP and DNS to pass through.

So "Yes", you can have a production SSID for work related computers..that can interact with the primary LAN, and you can have a Guest SSID...and when you enable guest mode, they are blocked from each other and from LAN resources (except DHCP and DNS, in case you have a Windows Server on the LAN that does this). And...2x more SSIDs if you want...either production or guest. Whatever your choice, each SSID has a checkbox.

You have additional flexibility..where you can allow or deny access to additional LAN resources or subnets. Like..say you wanted to allow an IP printer to people on the guest network.
 
I was looking at the Ubiquiti Security Gateway datasheets, am I correct that it doesn't have any kind of UTM capabilities? For that matter, what's the difference between the USG and the EdgeRouter or is it "one's white, one's black, and the Edgerouters generally have more ports"?
 
That is correct, there are no UTM features. The hardware is very similar. The big difference is the USG and USG Pro are managed via the cloud controller or cloud key, whereas the EdgeRouter is managed locally.
 
On the USG Pro, IDS/IPS is on the roadmap. I don't think it will be available on the USG...not enough horsepower, it's the same guts inside as the EdgeRouter "Lite".

EdgeRouters run EdgeOS, which is based on Vyatta router OS. Lots more features available to you within the web admin panel.

The Unifi product line is meant for ease of management. It has most if not all of the features that most SMB clients will need managed on their network. The USG can do port forwarding and even have external ACLs setup on inbound rules (which a lot of SMB firewalls don't have). You can go to Putty and terminal into the USG to tickle some advanced features not present in the GUI of the Controller.

So Unifi product line...ease of management via the Unifi.UBNT portal, which proxies you to your client sites attached to your account. unifi.ubnt.com is not a controller, just a proxy portal to show your connected clients and redirect your browser to those on-prem controllers. On-prem controllers at each client can be the Cloud Key (CK), or installed controllers on Windows or Linux boxes, or your own home-made controller like on a Raspberry Pi or whatever. The newer versions of controller software allow you to bind them to your Unifi.UBNT cloud account.

The EdgeRouter and the EdgeSwitch product line are managed locally on each device, similar to traditional business grade routers and switches. Each device will have its own IP address and you log into each device individually. The web management is much richer in advanced features and settings you can work with, like higher end switches and routers. As well as drop to CLI of course. EdgeSwitches and Unifi switches are the same hardware.

As much as I love Ubiquiti...I was disappointed a few years ago upon seeing the details of the "USG" after it was announced. With what that name implies...USG...Unifi SECURITY Gateway implies "UTM" features. Of which, it doesn't have. It's just a NAT router. With cool features...but, still..just NAT. But it has become our "go to" router for clients that won't pony up for a UTM.
 
So I took my AP in today and tested the range; it looks like two APs will cover the entire building. However, as the client specified that he wanted the top two floors covered, I will probably only use one. I am looking to install either the EdgeRouter Lite or the USG, but I have a couple of questions. Can the VoIP port on the USG be reconfigured as a second LAN port? Is there a content filtering service available on either of the devices? Finally, can the controller be set up on Azure? Thanks in advance.


 
Call me paranoid but I used the "Guest isolation" in combination with a vlan for the guest network on a separate subnet, with deny rules on the firewall. It just irks me when you can fire up Fing on your smartphone and scan IP's and see them populate. I use ZyXEL AP's and USG routers with the built-in wifi controllers. Similar to UBNT, but not nearly as pretty an interface :) They also have "big daddy" AP's that'll function as the wifi controller.
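
The guest policy discussed in this thread (guest clients reach only DHCP and DNS on the LAN, an optional exception such as an IP printer, and everything else on private ranges is denied) can be written down as a first-match rule list and checked against expected flows before it goes on a router. This is an added example, not code from any poster or from Ubiquiti or ZyXEL; all subnets, addresses and ports are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread): staff LAN,
# guest VLAN subnet, a DHCP/DNS server on the LAN, and a shared IP printer.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.20.0/24")
DNS_DHCP = ipaddress.ip_address("192.168.1.10")
PRINTER = ipaddress.ip_address("192.168.1.50")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First-match rules for guest-sourced traffic: (action, dst test, proto, port).
# None means "any". Guest-to-guest traffic on the same subnet is blocked by the
# AP's client isolation in practice; it is modelled here as part of one policy.
RULES = [
    ("allow", lambda d: d == DNS_DHCP, "udp", 53),    # DNS to LAN server
    ("allow", lambda d: d == DNS_DHCP, "tcp", 53),
    ("allow", lambda d: d == DNS_DHCP, "udp", 67),    # DHCP renewals
    ("allow", lambda d: d == PRINTER, "tcp", 9100),   # optional printer exception
    ("deny", lambda d: any(d in n for n in PRIVATE), None, None),
    ("allow", lambda d: True, None, None),            # internet
]

def decide(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow sourced from the guest VLAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST:
        raise ValueError("rules only cover guest-sourced traffic")
    for action, dst_ok, r_proto, r_port in RULES:
        if dst_ok(dst) and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"  # default deny if nothing matched

def audit(flows):
    """Compare expected and actual decisions; return the mismatches."""
    return [(f, want, decide(*f)) for f, want in flows if decide(*f) != want]

# Constructed flows a guest device might generate, with the expected verdict.
FLOWS = [
    (("192.168.20.33", "192.168.1.10", "udp", 53), "allow"),
    (("192.168.20.33", "192.168.1.5", "tcp", 445), "deny"),    # file server
    (("192.168.20.33", "192.168.20.40", "tcp", 80), "deny"),   # another guest
    (("192.168.20.33", "192.168.1.50", "tcp", 9100), "allow"),
    (("192.168.20.33", "93.184.216.34", "tcp", 443), "allow"),
]

if __name__ == "__main__":
    print(audit(FLOWS) or "policy matches expectations")
```

Moving the private-range deny below the final allow makes `audit` report the file-server and guest-to-guest flows, which is the ordering mistake this kind of check is meant to catch.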
 

The second LAN port on the USG was originally designed for a separate network for VoIP.....as originally Ubiquiti was converging Unifi and their IP phones. But they're deprecating the VoIP functionality within the Unifi controller, instead going back towards keeping them separate.

Sooo....as it stands, last I knew the 2nd LAN port is just defaulting to a separate 192.168.2.0/24 network. You can do what you want with that, it's just a standard separate network.

You can "bridge" the two LAN ports via Putty/CLI, the ability to bridge them is not in the Unifi controller GUI yet. (I believe it is on the roadmap since they're ditching the converged VoIP controller in it).

Neither device is a UTM, although some form of IDS/IPS is on the roadmap for the Unifi Pro model. Thus no content filtering.

As for a controller, yes you can spin up a controller on Azure, or Amazon, or Rackspace (I did mine at RS) or in your own data center anywhere. But...why take on the maintenance and cost.....when Ubiquiti offers their cloud portal for free? Allowing you to manage all of your Ubiquiti Unifi clients from your free account on their cloud portal. Just add the cost of a Cloud Key to your BOM for the client...or install a local controller instance on their network and bind it to your unifi.ubnt.com cloud portal. Or build a tiny little appliance for the Unifi controller and stick it on their network (roll your own cloud key, which is basically a slim little raspberry pi)

I built our own Unifi controller up at RackSpace on an Ubuntu server quite a few years ago when their controller added the multi-tenant feature, and we have near or over 60 client networks on it now. However, every new Unifi rollout we do now, we're doing the CloudKey. And I'm moving clients off of our RackSpace controller, over to the CloudKey setup. I just don't want the time spent on maintenance of my own cloud controller.
 