New UniFi Gear. Recs?

[Ecmaster76]

Uhh… update your gear, everybody.

Yeah better get on that.

Oops, no patches for Amplifi in... 2 years!?!

In case anyone pops in here wanting to join the party, Micro Center is having UniFi bundle deals.

Just over $400 for the UDR7 + U7 PRO makes a suitable mesh for my modest home.

Not sure I'm going to go nuts trying to do a lot of VLANs and segmentation like you guys though. Not my hobby.



I've got such a small number of clients though that the turnkey setup is plenty

 

[Exordium01]

I don’t know how many of you have a UTR, but I’ve somewhat fallen out of love with mine. On most hotel networks it works and is fine, but it frequently disconnects from other networks and requires you to go into the UniFi app to reconnect it. This behavior has nothing to do with reported signal strength on the UTR and my individual devices don’t exhibit the same behavior when directly connecting to the same hotel networks and that includes things that are pretty sensitive to disruption like VPN connections on my work laptop. I’ve been averaging 4-5 hotel stays a month and maybe one a month won’t work well with the UTR and another will have issues with teleport but be able to maintain a stable connection to the router.

 

[GaitherBill]

I havent used mine in months. I know there’s been at least one software update for it though that I should apply.

 

[Exordium01]

Mine appears to be up to date. I guess I’ll try a hard reset and configure it as a new device to see if it improves this behavior.

 

[BlueSandbar]

I can run Ethernet (Cat6a) in my new house that I will be moving into next year and have decided to take the opportunity to jump into the world of Ubiquiti. My current network is just a generic cheap router/AP combo and nothing else, so I will be starting from scratch. Been doing a bunch of research and here is what I've come up with so far:

Cloud Fiber Gateway for the router (10gbps ISP)
Flex 2.5.G PoE for the "main" switch. The cables being run in the house will go in this or the gateway
Flex mini (regular or 2.5g version) for rooms where I want to plug more stuff in
U7 Pro Wall AP, one on each floor

Am I missing anything or does this look like a good start? I am thinking that later this year I will start buying some of the equipment (or at least just the gateway and an AP) so I can play with the system and not have the stress of doing my first Ubiquiti network setup on the same day as moving into the house.

 

[meisanerd]

Are you doing a completely basic network setup, or are you wanting a bit more advanced security features? The Flex stuff does basic vlans, but you can't do things like MAC filtering on them, they are pretty basic (as far as smart goes) switches.

 

[BlueSandbar]

Are you doing a completely basic network setup, or are you wanting a bit more advanced security features? The Flex stuff does basic vlans, but you can't do things like MAC filtering on them, they are pretty basic (as far as smart goes) switches.

To be honest this is something I have not even considered so thanks for pointing it out. I was not really imagining a scenario where I would use MAC filtering but I will have to take another look at the available security features and see if anything looks good.

 

[GaitherBill]

MAC filtering is a function of the controller on Unifi gear.

And all of their switches support VLANS. The controller would tell them what to do.

 

[JasterMereel]

I'm starting to look at cameras to replace the Nest cameras that I have. I plan on using G5 Turret Ultra for less critical areas and G6 Turrets for more critical areas. I have thought about getting an AI Turret or G6 Pro Turret for the front of my house, sidewalk, and driveway. Does anyone have any experience with these cameras?

 

[meisanerd]

To be honest this is something I have not even considered so thanks for pointing it out. I was not really imagining a scenario where I would use MAC filtering but I will have to take another look at the available security features and see if anything looks good.

I mean, my intent is probably very much a corner case for home networking. And I would love to discover that I am wrong about what is supported, but I have an individual under our care living with us who we have on a separate vlan. We have a switch at our entertainment center for plugging in laptops to be able to to use those on the TV. I am wanting it so if she plugs her computer (or a guest does) to the switch, it dumps them on her vlan, and if we do one of ours, it goes to the main vlan. This should be doable via a RADIUS server, but from my reading, the Flex switches don't support that.

Latest I had seen when I previously looked into it was
View: https://www.reddit.com/r/Ubiquiti/comments/tnlo7r/uswflex_doesnt_do_mac_id_allow_lists/
, not sure if anything has changed in 4 years or not.

 

[Paladin]

I mean, my intent is probably very much a corner case for home networking. And I would love to discover that I am wrong about what is supported, but I have an individual under our care living with us who we have on a separate vlan. We have a switch at our entertainment center for plugging in laptops to be able to to use those on the TV. I am wanting it so if she plugs her computer (or a guest does) to the switch, it dumps them on her vlan, and if we do one of ours, it goes to the main vlan. This should be doable via a RADIUS server, but from my reading, the Flex switches don't support that.

Latest I had seen when I previously looked into it was
View: https://www.reddit.com/r/Ubiquiti/comments/tnlo7r/uswflex_doesnt_do_mac_id_allow_lists/
, not sure if anything has changed in 4 years or not.

Yeah what you are talking about is NAC (network access control) and possibly beyond that level even, depending on what you want to do. The best option would probably be to do wifi only for that kind of 'guest' device because with decent wifi access points you can do multiple wifi SSID (network names) and each is a separate VLAN and IP network with its own policies enforced at the gateway/firewall.

Doing that on a wired network is much more complex and expensive. Guest networks for wifi are common place even in home wifi routers these days. NAC on wired networks is still an enterprise level feature.

 

[meisanerd]

Yeah what you are talking about is NAC (network access control) and possibly beyond that level even, depending on what you want to do. The best option would probably be to do wifi only for that kind of 'guest' device because with decent wifi access points you can do multiple wifi SSID (network names) and each is a separate VLAN and IP network with its own policies enforced at the gateway/firewall.

Doing that on a wired network is much more complex and expensive. Guest networks for wifi are common place even in home wifi routers these days. NAC on wired networks is still an enterprise level feature.

Oh, Ive figured out what I need to be able to pull it off, I just can't do it on the Flex gear, I have to buy the higher-end Unifi stuff. I just wanted to let the poster know that some of the Unifi stuff does have limitations, so before you buy and then have to upgrade in the future, make sure it supports what you want it to do.

 

[w00key]

MAC filtering is a bit security by obscurity anyway, if you get on to any unprotected port you have a bunch of "good" MACs from broadcasts in no time.

Proper way is port security but that is full enterprise grade network access control, not something for at home.


What is the reason you want to whitelist MACs anyway?

 

[JasterMereel]

I have a VLAN for cameras and my main network can talk to it, but the Camera VLAN cannot initiate any traffic out. Right now, it is only wifi Nest cameras, but I will transfer it over to PoE and wifi UniFi cameras. I have thought about someone ripping down a camera and plugging into my home network. I figured the Camera VLAN is a decent solution since once everything is set up, they will only be able to get to other cameras and that's it.

I have done some configuring of the VLANs and zone based firewalls and port manager. For all the switches in my house, if a port is not is use, I set it up to only use the Default network. I have the ZBF set up so that with the Default network, the device can get an IP address but that's it. All other access is blocked. It is isolated as possible. This works great from a security perspective, but is a PITA when I have to plug something into a blank port on a switch, I forget to update the settings, and then I get frustrated trying to figure out why it isn't working for about 10 minutes.

 

[KD5MDK]

What is the reason you want to whitelist MACs anyway?

The use case was a person who lives in the home but for whatever reason needs to be kept to an isolated network from the rest of the house. That’s easy to do with WiFi, but since physical security at the house layer is out, you either need to lock away each wired device or control which VLAN a clients can connect to when plugged in.

One imperfect option would be to lock each port down to a specific MAC, if the user in question isn’t sophisticated enough to clone a MAC address printed on the device they unplugged. Broadcast traffic wouldn’t do them any good unless they also plug in the source device to another one they control and read the packets off that.


My assumption is the threat model is “grandpa with mild dementia who refuses to stop downloading viruses”.

You can’t lock him in his room, you can’t supervise him strictly enough to ensure he never unplugs the Streaming Box from the entertainment center so he can plug his laptop in, and you don’t want that cesspool of exploits having access anything else in your house.

 

[Arbelac]

You need 802.1x access control if you want to lock down devices to specific VLANs, regardless of port they are plugged into.

 

[gregatron5]

I have thought about someone ripping down a camera and plugging into my home network. I figured the Camera VLAN is a decent solution since once everything is set up, they will only be able to get to other cameras and that's it.

What is your threat status that you think someone might actually do this?

 

[JasterMereel]

I put my camera system upgrade wishlist together. Worst case scenario, it is 12 cameras with an NVR, hard drives, and another POE switch comes out to around $3100. Yes, I need/want that many cameras because I live in a downtown environment where a lot of stuff can happen. And I've used footage from my current cameras and sent to the police several times in the past. I can piecemeal it together over time and I have broken it out into different parts. The biggest expense is the basic NVR and (2) 8TB hard drives at around $800.

 

[BlueSandbar]

I don't know where you guys live or how big your houses are but 12 cameras seems like an insane setup. I honestly never even considered getting a camera for my house until I looked into the Ubiquiti lineup and saw that the cameras looked pretty good. Now I am looking into seeing if I can get a cable run to the front door so I can put a camera there but it would be a pretty low priority future expansion sort of setup after everything else is taken care of.

 

[almostinsane]

Maybe JasterMereel is an aspiring Onlyfans model who also dabbles in enterprise networking? Is that so hard to believe? 12 cameras may just be the start for 24 hour full house streaming.

 

[GaitherBill]

I put my camera system upgrade wishlist together. Worst case scenario, it is 12 cameras with an NVR, hard drives, and another POE switch comes out to around $3100. Yes, I need/want that many cameras because I live in a downtown environment where a lot of stuff can happen. And I've used footage from my current cameras and sent to the police several times in the past. I can piecemeal it together over time and I have broken it out into different parts. The biggest expense is the basic NVR and (2) 8TB hard drives at around $800.

Don’t’ forget to use the Unifi system sizer.

 

[KD5MDK]

I don't know where you guys live or how big your houses are but 12 cameras seems like an insane setup. I honestly never even considered getting a camera for my house until I looked into the Ubiquiti lineup and saw that the cameras looked pretty good. Now I am looking into seeing if I can get a cable run to the front door so I can put a camera there but it would be a pretty low priority future expansion sort of setup after everything else is taken care of.

We bought a new house but have had some delays in moving in. Sometime after we closed, a squatter broke in and lived there for a few days. (Never saw them in person). We moved their things outside and locked up again. The next day they'd broken back in to at least get some things we'd missed. So we moved all their things to the driveway and barred the door. The stuff disappeared that night.
We put up a few cameras but failed to format the SD cards for them to record.
So far we have: Driveway/Sidewalk, Front Door/Carport, Backyard gate, and one indoors pointing at the back door. That leaves plenty of blind spots not covered.
Yesterday I stopped by and someone had torqued the front door handle enough it was bent. Deadbolt was ok. So now we get to review the footage and see who did that.

 

[Zich]

Yikes, that's scary

 

[w00key]

Yesterday I stopped by and someone had torqued the front door handle enough it was bent. Deadbolt was ok. So now we get to review the footage and see who did that.

Yikes. I would add a DIY alarm system to the list if you don't want to pay Verisure / ADT for it.

Motion/shock sensors on all doors and windows, bright as fuck motion lights, and big + outside if it triggers. Motion light is first layer of scare them away, and if someone yanks on the door and/or hits or breaks a window, it goes off.

Most DIY systems also take a SIM so you get a call or sms.


Just observing is too passive. You need agressive posturing so they find an easier target. Fake cameras with blinkenlight also work.

 

[GaitherBill]

I’d park my ass in a lawn chair with a shotgun loaded with beanbag rounds.

But that’s just me.

 

[gregatron5]

I'd vote for a guaranteed minimum income (UBI) initiative so people have less of a need to resort to that sort of behavior.

But this is 'Murica! Cameras! Guns!

 

[JasterMereel]

I'm looking for a G4 Instant camera to start the camera upgrade process. I thought I would go on eBay and potentially find one for below MSRP. Nope, I am seeing new ones being offered for around $150 when you can buy them from UI.com for $99. Yeah, I know there is tax and tariffs and shipping involved too, but it is just crazy to see these listed on eBay for over retail price.

 

[gregatron5]

I'm looking for a G4 Instant camera to start the camera upgrade process. I thought I would go on eBay and potentially find one for below MSRP. Nope, I am seeing new ones being offered for around $150 when you can buy them from UI.com for $99. Yeah, I know there is tax and tariffs and shipping involved too, but it is just crazy to see these listed on eBay for over retail price.

If there's one issue I've found with UniFi gear so far, it's that it's incredibly difficult to find good deals. TP-Link shit goes on sale like every other month. UniFi? Not so much. Even used gear at a decent price is difficult to find.

 

[JasterMereel]

That would explain why my used gear sold in less than a day when I listed both things for about 30% under retail.

 

[Zich]

Oh yeah used unifi gear sells at 90+% retail on a bad day

 

[GaitherBill]

If you have a MicroCenter near you see if they have them in stock.

I have several of the G4 instants. They work well.

 

[Kyuu]

Even discontinued stuff hardly sells below retail, as I found out when I had a sudden need for a Unifi controller and the lowest-end one that supported what I needed was the Cloudkey Gen2 Plus. Only way I got an okay deal was getting one without an HDD and luckily being able to scavenge a 2.5" HDD from something I had lying around.

 

[JasterMereel]

Oh yeah used unifi gear sells at 90+% retail on a bad day

I could have gotten more then, but I'm happy with what I got. It help to partially fund my recent upgrades.

 

[Hap]

I don't know where you guys live or how big your houses are but 12 cameras seems like an insane setup. I honestly never even considered getting a camera for my house until I looked into the Ubiquiti lineup and saw that the cameras looked pretty good. Now I am looking into seeing if I can get a cable run to the front door so I can put a camera there but it would be a pretty low priority future expansion sort of setup after everything else is taken care of.

I have 25 external cameras on a UNVR Pro and 10 internal on a UNVR (they're in the workshop/woodshop/garage - I will not permit any cameras IN the house).

 

[Hap]

I'm starting to look at cameras to replace the Nest cameras that I have. I plan on using G5 Turret Ultra for less critical areas and G6 Turrets for more critical areas. I have thought about getting an AI Turret or G6 Pro Turret for the front of my house, sidewalk, and driveway. Does anyone have any experience with these cameras?

Yes, several. You can get standalone AI add-ons (AI Ports) for cameras too.

The AI processing has gotten better at recognizing stuff with some updates and the ones in my driveway do LPR. My back yard PTZs are effective at tracking my Beagle around the yard and using PTZ to do so. The new UNVR G2 has on-board AI processing.

AI Cameras

• G5 PTZ (AI port)
• AI Turret
• AI Pro
• G6 PTZ x 3

EDIT for a garbled mess.

 

[JasterMereel]

Only camera that’s allowed in the house is one that is plugged in when I leave for a trip.

 

[Scotttheking]

If there's one issue I've found with UniFi gear so far, it's that it's incredibly difficult to find good deals.

Is that another way of saying it's worth what they price it at and they sell all they can at that price?