Second opinion on a new network setup (Ubiquiti + long range)

Toggle sidebar Toggle sidebar
Z

Zahzi

Reputable
Jan 4, 2015
5
0
4,510
I am looking into replacing my current wireless network with something better. I currently have a ~4 year old airport extreme and express to cover inside (one on the first floor, and one on the other side of the second floor). I would like to expand my network's range to cover a good bit of outside; throughout our greenhouses (located ~15-125m away), as well as fields (the edge of which is ~175m). Note that I don't need great coverage at the extremes; the most intense thing I would be doing is probably streaming music. I am currently looking at getting Ubiquiti products; specifically:
- EdgeX Router
- UniFi AP Pro (placed around the middle of my house)
- Ubiquiti PicoStation M2-HP (placed on my roof, or in a window on the top floor (these are pretty weather resistant, right?)

Before purchasing, I wanted to get a second opinion, and make sure of some things:
- Can I set the AP Pro and PicoStation to the same SSID, and will they support seamless handoff? If not, how much of an impact will this have, and what would my best alternate option be?
- Can I have a main AND guest network on BOTH APs, or will only one network bet supported for both?
- Will this be enough to get the desired coverage? If not, what other suggestions do you have? Placing APs in the greenhouses is possible, but seems much more costly and more inconvenient.

Thanks in advance for the help!
 
Solution
B
If you place the device outdoors say on top of the house you should get pretty good coverage outside. If you were the only person using WiFi it is a pretty good bet it would work. The major issue now days is not the signal power as much as all the crap signals you are getting from everyone else around your interfering with your signals. No way to predict this all you can do is try.

You will not get seamless hand off with any consumer AP system. Only extremely expensive commercial systems can get a truly non disruptive hand off and even they lose a packet or two. There are some other systems in between that do attempt this but you will still get a disruption the end user can detect..ie they may see a slight stall or hang. All...
Sort by date Sort by votes
If you place the device outdoors say on top of the house you should get pretty good coverage outside. If you were the only person using WiFi it is a pretty good bet it would work. The major issue now days is not the signal power as much as all the crap signals you are getting from everyone else around your interfering with your signals. No way to predict this all you can do is try.

You will not get seamless hand off with any consumer AP system. Only extremely expensive commercial systems can get a truly non disruptive hand off and even they lose a packet or two. There are some other systems in between that do attempt this but you will still get a disruption the end user can detect..ie they may see a slight stall or hang. All these systems require some form of controller server that causes all the AP to act as a one system.

For home/small business users you have 2 choices. You use different SSID and the person decides when to change. You use the same SSID and the end device which is very stupid will change when it wants. Generally it will only change when the signal get totally unusable. Since it is using the radio to talk to the current AP it can not scan for another.

The concept of main and guest does not work with AP, only with a router that has internet access. You would need to have vlans to keep the traffic separate between the AP and your router and again consumer equipment does not support vlans. The guest concept is very simplistic all it is doing is forcing the traffic to go out the wan port. Since AP do not have direct access to the wan port they can not use this simplistic trick.
 
Upvote 0 Downvote
Solution


So would you say the best solution would be to put the main AP inside and then the PicoStation on the roof with an "outside" network?
 
Upvote 0 Downvote
To your first question: no. Zero handoff only works for unifi devices. Pico is not unifi, it is airmax, and uses a different Operating system. Furthermore, after having completed the ubiquiti wireless administration course I have to advise you to stay away from zero handoff. I realize that it's a selling point, but our instructor made an extremely compelling case for not using it. Instead, you should enable and scale the rssi feature to strip off devices which are barely connecting from one antenna, and then let them rejoin using the next. Example: you connect to antenna a, then walk to the far side of antenna b. You're still connected to a, and now causing network latency to all devices connecting to the network because it has to work that much harder to keep listening to a device which is barely broadcasting enough signal. By limiting rssi you would shed this device from antenna a, to then let it rejoin to b with a stronger signal. Zero handoff doesn't do this until the signal is disconnected. At this point, v5 of the controller software does not allow rssi AND zero handoff, so invariably you will do,what I did prior to the class and pick zero handoff. After all, it says so on the box, right? Wrong. It causes all network traffic to drop down to slower speeds, even if other devices have a stronger signal. Maybe in v6 or 7? You can set both devices to the same ssid, but use different channels in both the 2.4 and 5 ghz ranges. Enable bandwidth steering on the uap (to prefer 5 ghz). If you have connection issues near the edges, disable 40 mhz bands and switch to 20. You trade speed for distance. Also, less interference with neighboring systems with 20 mhz width than 40 mhz.

2. Yes. You can have both. On the uap, I recommend disabling access to the network subnets your devices are on using the denial list. If you want someone to access just a printer, add that ip (obviously make it static on the device) on the previous authentication list. For example: deny 192.168.1.0/24, allow 192.168.1.55/32. This will allow access to guests for one device on that ip, but nothing else. Make sure your dhcp includes dns servers outside your network (public dns servers), or else your guests won't be able to find little things yahoo.com and google.......

3. Can't answer that without a site survey (download some software) and the devices. Too many variables, including the direction in which you mount the antennas (yup, it matters for the uap too, signal is not a bubble), your walls, noise floor, surrounding interference, temperature, quality of cables, etc.

 
Upvote 0 Downvote
No offense, bill, but I don't think you've worked with ubiquiti before. They are not consumer devices. They separate the antenna from the switch from the router; all sold separately. Just the antenna takes a 2 day class to learn. Software runs on a pc (I recommend a cloudkey instead, sold by ubiquiti but hard to find in stock at times). Also, you don't need vlan to keep riff raff off your network. The UAPs can filter based on destination network, and anyone with half a brain turns off the SSID of their main network these days to keep everyone off. The edgerouters are solid devices but terminology is difficult and much harder to set up than home routers. We only use them for internal networks, ie to translate between subnets.
 
Upvote 0 Downvote


Reread my post

I consider ubiquti almost consumer devices, they have some of the features of commercial systems but they are not even close to the cisco or aviya implementations. It is a ok alternative for people who don't have the money to buy a actual system.

The cisco system can move between floors of buildings where the IP addresses change. It can even move from a wifi signal to a cell broadband signal and back to a wifi signal in a build at a remote location. Of course it does lose a packet here and there but your session tend to not drop. But you pay a fortune for the hardware and software license.

I am so glad you are so proud of yourself for going to a 2 day course. You are the one that needs much more time working on other wireless platforms so you know what options are available. You also really need learn how security in general works in a enterprise install. The use of 802.1x on the AP with a radius server to assign users to vlans is accepted security practice to prevent attacks even between authorized users. I am pretty sure even the ubiquiti product support this.

I tend to over generalize on this forum to not confuse the type of people posting. I have CCIE certs in routing and securtity as well as some certs in things like wireless I do not keep current. I spent more time just taking the tests for the CCIE than you did taking your 2 day course. Do not assume you know more than other on a forum. Even I will never claim to know everything in this ever changing field.

 
Upvote 0 Downvote
Bill, I don't want to get into a shouting match about who is better at this or that, or who is an expert at this or that. I am certainly not a network expert - I'm a generalist who works on everything from wiring to endpoints, and everything in between. That, btw, does include network security, HIPAA compliance at the "actual endpoints" (some call them "humans"), and little stuff like multi-AP wireless networks. And yes, I've been neck deep in Ubiquiti for about 3 years now, not just 2 days.

Btw, Bill, you should know that over the past five years I've thrown out a few boxes worth of Cisco "SMB WiFi" systems, and right next to me on the floor is a Meraki MR26 which they sent me a few months ago for free. You're totally right: If one can afford the higher cost, systems like Meraki are much better. The problem is always the same: COST. $1k per access point and ~$200 per year license fee (and that does include nonprofit discount pricing, btw). That's $1,200 PER ACCESS POINT, according to my fingers (and 1190 additional ones I borrowed from my coworkers just now). Compare that to a basic setup of ~$450, including labor, for the first Ubiquiti AP setup, including two USGs, one PoE switch (not required, but anyway), a cloudkey, a few wires, and one 2.4 Ghz UAP. You might break into $500 territory once you go with a 2.4/5Ghz system.

And that math is just for the FIRST system. As it turns out, systems like Meraki scale really well. For Meraki's accounting team, that is. For two access points, the cost of entry is $2,400. For three, $3,600. At that point, a Ubiquiti system starts to look like a freakin' steal at ... $700 if you go with their most expensive components, less if you realize that your home modem doesn't run at 450 Megabits so spending money on that speed for AP's is money spent on nothin'. Just today I certified a two AP (yes, the old 2.4 Ghz APs) setup for one of our locations. They only have a couple of PC's, and are located in a Plaza which has lots of other traffic already. 5Ghz would be nice, but there's that little problem called "your budget", so we're going to use the cheap $70 AP's. Heck, street price is probably closer to $50 by now - we've had these so long already. Anyway. I tuned them down the lowest power setting, and still broadcast to the far side of the parking lot. My heat map is all green where it counts (and even some places where it shouldn't). My RSSI values are just low enough to keep the riff-raff from the other end of the plaza off our network.

And yes, I'm using the subnet exclusion rules to keep our "guests" off the segments I don't want them to see. Because a simple network with <5 endpoints shouldn't need VLAN's. If you're using VLANs at that level, frankly you're doing it wrong. You're busy securing wired traffic after it passes through the mother of all security holes, aka "WIRELESS TRAFFIC", which anyone with a laptop and 5 minutes worth of google can evesdrop on. Heck, a couple of years ago I watched a couple of preteens do exactly that at a nearby Barnes and Noble. The WiFi signals are not tagged, and one shouldn't expect guest traffic to be either. Feel free to tag the bejeezus out of your traffic once it's in the wires - heck, save some money in hardware while doing so - but please don't pretend that VLAN tagging somehow magically safeguards radio signals which travel in every direction. I don't even think Cisco would claim this. One does not find VLAN under their "Security" chapter. It's just a routing protocol, and doesn't encrypt the data anymore than putting a physical toggle switch would. At 65536 possible tags, how secure could that actually be?

Ubiquiti, is just now, in the coming weeks, going to release their 1st ever "consumer device" advanced AP (in the euro market they had something similar to what most people have seen netgear and linksys peddle at Best Buy (aka: "Worst Price"). They are packaging three different sets of their routers/switches/AP's in a neat little box at $250-400, including 2 repeaters. At that pricepoint it's definitely steeper than buying a simple WiFi router (heck, even a top-tier gaming one), but once you factor in the repeaters it's actually somewhat cheaper.

In any case, I think we can both agree that he's not going to go Meraki. Or anything else even close to that. When someone shops Unifi, the next logical step in the progression of price/performance is not Meraki. Not even close. There are probably lots of "Netgear", "Linksys", and even the occasional desperate "Ciscrap" in between before someone ends up at that level of cashflow. Home users don't give two craps about all the wonderful graphs and figures systems like Meraki provide. "Rogue access points"? Last thing they want is to try to sniff out their neighbor's garage door opener at 3 AM in the morning, don't you think? And yeah - they do show up as Rogues. Wireless phones, CB radios, etc.... it's amazing how much extra information a few thousand bucks can buy you.

As far as I know, the network filtering is done at the AP level, i.e. the AP's filter out subnet traffic. I know this because I've done setups without USG's, and the filtering does work anyway. Or in other words, the router doesn't filter, the AP's do. So in terms of security, subnet filtering prevents guest access to any subnet listed. They can literally ONLY access everything else. By default, the private subnets are already baked in, but they're easy to change in the controller software.

Not so sure if the same would be true for VLAN filtering (sneaking through the network switches/routers), but suffice it to say that in my experience, everything Ubiquiti makes supports VLANs. Except, perhaps, their mounting brackets.

With all due respect Bill, you're offering solutions by introducing more problems. Meraki doesn't sell to home users precisely because there are very few users who shop for WiFi systems at that price point. Maybe the Rockefellers do, but I suspect that the Zahzi's don't. Not to mention, the Rockefellers probably think that VLAN tagging has to do with clothes, not networks. They don't know that VLAN filtering is done at routers and switches, i.e. another layer down. My "cheap and easy" method would stop the traffic BEFORE the first wire. Just sayin'.




 
Upvote 0 Downvote
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom