
Building our home and office network

posted on July 7, 2018, 6:08 p.m. in soho

When moving into our new home nearly two years ago I was committed to building a network that does not suck. During this journey I posted some photos of new gear when it was delivered - and was asked a few times to do a small write-up of what the final network looks like and how the different components are performing. While home networking might sound pretty uninteresting (which it actually is if you only use some cheap Netgear or Asus gear or some other vendor shipping a plastic box without features and wonder why you can only copy data at 5MB/s to your network toaster ^W NAS), there is some nice additional functionality you can get out of proper equipment.

When looking at our options the requirements were pretty easy to define, especially because we were in the fortunate position to choose our new home to fully match our needs and likings. I wanted full wifi coverage of the house, including the garden and driveway for as few clients as possible, which means everything that has a port for an Ethernet cable will have wired network. Since we are renting the house I only wanted to drill a few holes into walls, floors and ceilings, so directly connecting everything to the backbone was not an option. My wife and I are both working from home and we are both creating some decent traffic, be it remote VMs running on the server, moving VM images, assets for her digital and print projects or simply backups of six systems.

There were actually not many challenges to get it all set up once we could move in. We have two offices on the second floor, our living room on the first floor and enough space in the basement for a server rack. (Floors named according to the US standard, for the rest of the world just deduct one. :) ) All cables are Siemens CAT7, suitable for two 10GBit Ethernet ports - basically 16 copper wires in one cable, properly shielded.

A few holes later we had two cables in the living room - one for WiFi and a spare Ethernet port close to the dining table, and one connecting an 8 port switch with the backbone for entertainment (AV receiver, Steam Link, Nintendo Switch, Apple TV). The second cable goes into my office to an 8 port switch connecting a second access point and our computers. Since our offices are right next to each other it was pretty easy to pull another cable from my office to my wife's - this time without a patch panel but with Ethernet sockets on each end. The only thing I am currently considering changing is another cable to my office for a direct connection of the access point to the backbone, but so far I do not really see a need for that; it would just be for the feel-good effect of having done it right(tm).

Shopping time

After evaluating most gear on the market I went for UniFi. Besides lots of recommendations, the price of a little below 1000€ for everything was within the budget I allocated based on a rough feeling of what it should cost, and there were a few things I really liked:

The final setup consists of

I did not go for PoE equipment since I am not room constrained in any way where the gear is mounted and either had power outlets close by or a direct wire from the basement where I can just place the Ethernet - PoE adapter in the server rack. The gateway is the larger one to support an LTE box as backup in case our main Internet connection goes down. The switch is nearly maxed out with a NAS, two servers and three RaspberryPIs, so I couldn't go for a lower port count.

Unboxing and setup

My first impression when unboxing the gear was very good, except for the CloudKey. The gateway and switches look and feel very robust in their metal cases. The access points, while plastic that bends a bit under pressure, still make a good impression and the wall mounts fit perfectly. The wall plugs are clearly not meant for concrete, but this is okay; adding wall plugs for every potential mounting location seems like a waste. Actually, adding wall plugs at all seems like a waste. The CloudKey in its shiny white plastic looks good, but getting the SD card in (I still do not know why it needs an 8GB SD card...) is a bit of work with large hands, and the Ethernet cable is ridiculous. It is super short and does not bend; it is not really clear to me what you are supposed to do with it.

The web interface is shockingly good and gets better with every update, and the same goes for the iOS applications. The initial setup, including link aggregation for the switches, for the server's four port NIC and for the NAS's two ports, was a matter of ten minutes. The only thing to look out for is that you always have to configure the switches in the correct order - so first the edge, then the backbone while connected to the backbone. Otherwise you are in for a bad time when you enable LAG on the backbone but your edge does not know about it. Thanks to the central configuration both access points are configured identically with a few clicks and without annoying copy & paste, with separate 2.4g and 5g networks, and roaming worked immediately without problems. I had to separate the networks because a few clients preferred 2.4g over 5g, but even with a worse signal strength 5g performs better in all locations. Two features I find more convenient than I initially thought are the ability to name ports and the analytics for clients and the network itself the software provides. Well, analytics are a bit of a double-edged sword; after looking at the traffic stats for June I wonder if anyone in our house is really working...

June traffic graph

Something that is very nice is that the controller software does not have to run for the devices to function. Initially I ran the controller on a RaspberryPI, which showed some reliability issues before I got the CloudKey, but besides configuration and analytics not being available there were zero problems with the controller being down. Something I feel is worth mentioning is the fact that the UniFi cloud service is optional; you can simply create a local account and you are good to go. Firmware updates are announced via the device list and are installed with one click, so keeping your gear up to date and on the latest feature set is a matter of checking the software, clicking the update button and waiting five minutes for the device to restart.

Features that just work

So far this is not very impressive and could have been done with slightly cheaper hardware and a bit more work configuring everything. So, let us get to the fun stuff.

Configuring VPN access for clients and site to site takes a bit of reading; compared to the rest of the web interface it is not as intuitive as you would imagine, but it is manageable. I cannot remember the exact issue I had, but for some reason I ended up on DuckDuckGo. Documentation around UniFi is luckily great - you find tutorials, howtos and answers to even the most obscure questions on the help and community pages, and I have yet to find something that is not solvable through those two resources. Once configured, both client and S2S VPN worked flawlessly. I remember sitting in San Francisco during a business trip being pinged by a friend who was also on a business trip, to China, and noticed some sites not working. Since I was already connected to my network, adding a user and sending him the credentials was a matter of a minute - and all Internet problems were solved. S2S also opened the option of spreading backups easily over two locations, one NAS running in our basement, one at my parents'.

Setting up VLANs is stupidly simple and should be hard to mess up. Our gaming systems are in a network separated from the rest. If you followed all the ridiculous stuff EA / Origin did the last few years this decision might immediately make sense to you, otherwise I would not recommend searching for it if you do not want your blood pressure to go up. Another VLAN is used to separate my infosec box and all the VMs running on it to safely experiment with things you usually do not want in your network.

DNS does not sound spectacular in itself and is, even with the cheapest consumer hardware, solved in a decent way. For smaller setups it might not even be that relevant. A nice feature I really enjoy, and which is one of the reasons I basically use an always-on VPN profile on my iOS devices, is DNS blacklisting of ad and malware domains. If you are annoyed by ads I can highly recommend this solution, and with something like Pi-hole it is simple and cheap to set up for every home network. But we got a security gateway with sufficient resources to handle this. Did I mention the awesome UniFi community? They have a solution ready to go. Login credentials for SSH are the same as for the web interface.
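The DNS blacklisting described above, as an added example that is not the UniFi community script the post points to: it assumes the gateway resolves through dnsmasq (which the USG does), turns a hosts-format blocklist into dnsmasq `address=` lines, and mirrors which lookups end up sinkholed, including subdomains of a listed domain.

```python
"""Build a dnsmasq domain blocklist from a hosts-format list and check
lookups against it.  Assumption: the resolver is dnsmasq, whose
`address=/example.com/0.0.0.0` line also answers every subdomain."""
import re

# Constructed sample in the common hosts-file blocklist format (not a real list).
SAMPLE_HOSTS_LIST = """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # trailing comment
0.0.0.0 ADS.EXAMPLE.COM
0.0.0.0 bad_host!.example   # invalid label, skipped
0.0.0.0 malware.example.org
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

def valid_domain(name: str) -> bool:
    """Accept only syntactically valid hostnames; drop localhost-style names
    so a sloppy list cannot sinkhole the resolver's own names."""
    if name in LOCAL_NAMES or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the set of lowercase domains named in a hosts-format list."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments
        parts = line.split()
        if len(parts) < 2:                      # need "<ip> <name...>"
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if valid_domain(name):
                domains.add(name)
    return domains

def to_dnsmasq_config(domains: set[str], sinkhole: str = "0.0.0.0") -> str:
    """One address= line per domain; dnsmasq answers these (and their
    subdomains) with the sinkhole address instead of forwarding upstream."""
    return "\n".join(f"address=/{d}/{sinkhole}" for d in sorted(domains)) + "\n"

def is_blocked(query: str, domains: set[str]) -> bool:
    """Mirror dnsmasq matching: blocked if equal to, or a subdomain of, a listed name."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)
```

Write the output of `to_dnsmasq_config` to a dnsmasq include file on the gateway and restart the resolver; anything the gateway itself needs to reach must not appear in the list.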

Would buy again!

I have been running this setup and gear for nearly two years now and have not used all the features the hardware and software provide - I likely never will. There are just too many, and with software updates new ones are being added on a fairly regular basis. Most recently they even added IPS and IDS features, but it would limit the throughput too much to actually give it a serious try. The build quality is solid, the performance is great, WiFi range is more than sufficient even for 5g to cover all areas of our 1900 square feet home, and the documentation and community are very helpful. All features actually work as advertised. 10/10 would recommend and buy again.