
#32: Rock solid WiFi for home automation, part 1

WiFi is a critical part of most home automation systems, but many people simply install the WiFi router that came with their Internet plan and forget about it. However, setting up a good home WiFi network that will handle dozens of IoT devices and still keep your home secure takes a bit more work.

Resources

Planning your network

The typical home network uses an all-in-one router to provide many different network services, including:

  • Router
  • Firewall
  • WiFi access point
  • Ethernet switch
  • Media streaming
  • VPN server
  • DNS resolution
  • DHCP server
  • Printer sharing
  • File serving
  • … and more

This usually results in a network topology that looks like this:

All-in-one WiFi routers try to do too much, so they end up being terrible at everything.

Well structured networks generally separate critical services into different devices that are optimised to do that job, and do it well. Access points don’t try to be file servers, and DHCP servers aren’t Ethernet switches.

Learning from the way that small corporate networks are structured is a great way to improve your home network and improve its reliability, performance, and security.

A better way to structure a home network is like this:

To convert the typical network into the improved network, we’re going to make changes in a series of steps.

For this tutorial I’m using parts from the UniFi range from Ubiquiti Networks, which is a range of networking products designed to be installed across small to medium corporate networks. It uses a management system that provides a single interface to control all your devices, even if they’re installed in physically separate locations.

Shopping list

The specific devices that I installed included:

  • 1 x UniFi Security Gateway
  • 2 x UniFi UAP-AC-Pro access points (probably should have got Nano HD though)
  • 1 x Raspberry Pi 3 B+ (or you can use a UniFi Cloud Key)
  • 1 x UniFi US-8-60W 8-port managed Ethernet switch (not shown in this episode: will feature in Part 2)
  • 2 x UniFi US-24 24-port managed Ethernet switches (not shown in this episode: will feature in Part 2)

Step 1: Set up management system

Ubiquiti Networks provides management software called UniFi Network Controller. It has a web interface, so you run the UniFi Network Controller software on a computer somewhere on your network (or even outside your network) and then access it using a web browser.

The UniFi Network Controller can be run in three different ways:

  1. On your local computer. You can download the software and run it on your Mac, Windows, or Linux computer. This is a great way to test it out and see how it works, but if your computer is turned off the management software will also stop running. If you have a computer that you leave on all the time, such as a home media server, you can run the UniFi Network Controller on it. Download it for your computer from Ubiquiti Networks.
  2. On a UniFi Cloud Key. This is a tiny embedded computer a bit like a Raspberry Pi, which comes with the UniFi Network Controller software preinstalled. You just plug it into your network, open a web browser on your own computer, and log into it. The Cloud Key is a low-power device so you can leave it running continuously.
  3. On a Raspberry Pi or other low power computer. This is what I’m doing. A board such as a Raspberry Pi 3 B+ has plenty of power to run the UniFi Network Controller and still do other things as well, such as run PiHole or other services. Effectively this is just like a DIY version of the Cloud Key, but it’s cheaper and you can do other things with it.

Step 1a: Install Raspbian on a Raspberry Pi

Start with a standard installation of Raspbian, and update all the packages in the usual way. I won’t go into detail of this because it’s very well documented elsewhere. You can either follow the official guide to installing OS images, or use NOOBS to install Raspbian.

Step 1b: Change network settings and password

After installation, make sure your Raspberry Pi is connected to wired Ethernet (not just to WiFi) and log in to the Raspberry Pi as the default “pi” user. The default password is “raspberry”.

Set a static IP address so that the Raspberry Pi will always boot up with the same address, to make it easier for you to log into it in future. Do this by editing the file /etc/dhcpcd.conf:

sudo nano /etc/dhcpcd.conf

Go to the bottom of the file, and add lines similar to this:

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

Those particular settings suit my network, which has the gateway running at 192.168.1.1 and also providing DNS resolution. You may need to change the values to suit your network. Pick an address that is outside the range your gateway hands out via DHCP, otherwise the gateway may later lease the same address to another device and the two will fight over it. Double-check the router address too: the Pi is headless, and a typo here means plugging in a monitor and keyboard to recover it.

Press Control-X to exit, then save the file.

Now run the “raspi-config” utility:

sudo raspi-config

Use the menu system to select “Change User Password”, and set a strong password.

Then go into the “Hostname” section, and change the hostname from “raspberrypi” to something more specific. I changed mine to “controller”.

Exit from raspi-config, and allow it to reboot.

A minute or so later your Raspberry Pi should come back up on the network. Now it will be at the IP address you specified above, it will have the hostname you set, and the password will have changed.
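As an added example (mine, not from the original post or from Ubiquiti), here is the same static address configuration wrapped in a small POSIX shell script that checks the values before they go into /etc/dhcpcd.conf. The function names and the check rules are my own; the addresses are the post’s example values. It rejects a router that is outside the Pi’s subnet, an address that is the network or broadcast address, and an address that equals the router, since any of those leaves a headless Pi unreachable after the reboot. A DNS server outside the subnet is allowed, because it is reached through the router.

```shell
#!/bin/sh
# Added example, not from the original post or from Ubiquiti.
# Builds the Step 1b dhcpcd.conf stanza, refusing value combinations that
# would leave a headless Pi unreachable after the reboot: a router outside
# the Pi's subnet, an address that is the network or broadcast address, or
# an address equal to the router.  Function names and rules are my own;
# the addresses in the comments are the post's example values.

# ip4_to_int 192.168.1.2 -> 3232235778; exit 1 for anything not a dotted quad
ip4_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # digits only, no leading zeros (the arithmetic below would read 010 as octal)
        case $octet in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# parse_cidr 192.168.1.2/24 -> sets ADDR_INT and MASK_INT; prefix must be
# 1..30 so the network still has usable host addresses
parse_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || return 1                 # no "/" present
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || return 1
    ADDR_INT=$(ip4_to_int "$addr") || return 1
    MASK_INT=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
}

# in_subnet CIDR ADDRESS -> true if ADDRESS lies inside CIDR's network
in_subnet() {
    parse_cidr "$1" || return 1
    other=$(ip4_to_int "$2") || return 1
    [ $(( ADDR_INT & MASK_INT )) -eq $(( other & MASK_INT )) ]
}

# dhcpcd_static_stanza IFACE CIDR ROUTER DNS -> prints the four config lines,
# or prints the reason on stderr and returns 1 without printing anything
dhcpcd_static_stanza() {
    iface=$1 cidr=$2 router=$3 dns=$4
    parse_cidr "$cidr" || { echo "bad address/prefix: $cidr" >&2; return 1; }
    host_bits=$(( ~MASK_INT & 0xFFFFFFFF ))
    host_part=$(( ADDR_INT & host_bits ))
    if [ "$host_part" -eq 0 ] || [ "$host_part" -eq "$host_bits" ]; then
        echo "$cidr is the network or broadcast address" >&2; return 1
    fi
    in_subnet "$cidr" "$router" || { echo "router $router is not inside $cidr" >&2; return 1; }
    [ "${cidr%/*}" != "$router" ] || { echo "address and router are the same" >&2; return 1; }
    # DNS may be anywhere (for example a public resolver): it is reached via the router
    ip4_to_int "$dns" >/dev/null || { echo "bad DNS server address: $dns" >&2; return 1; }
    printf 'interface %s\nstatic ip_address=%s\nstatic routers=%s\nstatic domain_name_servers=%s\n' \
        "$iface" "$cidr" "$router" "$dns"
}
```

Source the file and run `dhcpcd_static_stanza eth0 192.168.1.2/24 192.168.1.1 192.168.1.1 | sudo tee -a /etc/dhcpcd.conf` to append a validated stanza; if any check fails, nothing is written and the reason is printed on stderr.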

Step 1c: Install UniFi Network Controller software

Install the haveged daemon to provide a good source of entropy. This isn’t essential, but the Controller generates cryptographic keys (including its TLS certificate) on first start, and Java’s secure random number generator blocks until the kernel has gathered enough entropy. A headless Raspberry Pi has no keyboard, mouse or disk activity to feed it, so without haveged the Controller’s first boot can stall for a long time:

sudo apt install haveged -y

Install a version of Java that works nicely with the Controller:

sudo apt install openjdk-8-jre-headless -y

Add the Ubiquiti Networks software repository and the GPG key that apt will use to verify the packages it downloads from it. Two things worth knowing: a key dropped into /etc/apt/trusted.gpg.d/ is trusted for every repository configured on the Pi, not only Ubiquiti’s, so if you run other third-party repositories consider binding it to this one with a signed-by option instead; and the key is fetched over HTTPS but otherwise unverified, so compare its fingerprint against a second source if you can before the first apt update trusts it. The repository itself is plain http, which is fine for integrity because apt checks every package against the signed Release file:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget https://dl.ubnt.com/unifi/unifi-repo.gpg -O /etc/apt/trusted.gpg.d/unifi-repo.gpg

Those lines above may have wrapped in the browser. It should be 2 lines, with the second line starting with “sudo”.

Now update the list of available packages, and install the UniFi Network Controller package:

sudo apt update
sudo apt install unifi -y

In future you can update the Controller package just like you would with any other Raspbian package. If you regularly update your Raspberry Pi using the following commands, it will stay up to date along with all the other packages:

sudo apt update
sudo apt dist-upgrade
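Here is an added example (mine, not the post’s or Ubiquiti’s commands) of the same repository setup done with a narrower trust scope. The keyring path /usr/share/keyrings/unifi-repo.gpg is an assumption on my part, as are the function names; the repository and key URLs are the ones from the post. It keeps the key out of /etc/apt/trusted.gpg.d/ and binds it to the UniFi repository with signed-by, checks that the downloaded file really is an OpenPGP keyring (not an error page or an empty file) before installing it, and prints the key’s fingerprint so you can compare it against a second source before the first apt update trusts it.

```shell
#!/bin/sh
# Added example, not from the original post or from Ubiquiti.  Step 1c puts
# Ubiquiti's key in /etc/apt/trusted.gpg.d/, where apt trusts it for *every*
# repository.  This variant stores the key under /usr/share/keyrings/ (an
# assumed path) and binds it to the UniFi repository alone with
# [signed-by=...], after checking that what wget fetched is an OpenPGP key.

KEYRING=/usr/share/keyrings/unifi-repo.gpg          # assumption: any root-owned dir outside apt's trusted.gpg.d
LIST=/etc/apt/sources.list.d/100-ubnt-unifi.list   # same file name as the post
KEY_URL=https://dl.ubnt.com/unifi/unifi-repo.gpg   # same key URL as the post

# sources.list line: the post's repository URL, scoped to one keyring
unifi_sources_line() {
    printf 'deb [signed-by=%s] http://www.ubnt.com/downloads/unifi/debian stable ubiquiti\n' "$1"
}

# A binary OpenPGP keyring begins with a public-key packet header (byte 0x99);
# an ASCII-armoured export begins with the BEGIN line.  An HTML error page,
# a captive-portal redirect or an empty file matches neither and must not
# become a trust anchor.
looks_like_openpgp_key() {
    [ -s "$1" ] || return 1
    first=$(od -An -N1 -tx1 "$1" | tr -d ' \n')
    [ "$first" = "99" ] && return 0
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Fetch, check, show the fingerprint, install.  Needs root and network, so
# nothing here runs when the file is merely sourced.
install_unifi_repo() {
    tmp=$(mktemp) || return 1
    wget -q "$KEY_URL" -O "$tmp" || { rm -f "$tmp"; return 1; }
    if ! looks_like_openpgp_key "$tmp"; then
        echo "downloaded file is not an OpenPGP key, refusing to trust it" >&2
        rm -f "$tmp"; return 1
    fi
    # Compare this fingerprint with one obtained independently before going on
    # (--show-keys is newer gpg; the fallback works with older releases).
    gpg --show-keys --with-fingerprint "$tmp" 2>/dev/null || gpg --with-fingerprint "$tmp"
    install -D -o root -g root -m 0644 "$tmp" "$KEYRING" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    unifi_sources_line "$KEYRING" > "$LIST"
    apt update && apt install -y unifi
}
```

Run install_unifi_repo as root. From then on apt verifies unifi packages against that one key only, so a compromised key from some unrelated repository cannot be used to feed the Pi a fake Controller package, and Ubiquiti’s key cannot sign anything else.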

Step 1d: Log in to Controller software

After the installation finishes and the Controller software has finished booting, you can log in using a web browser. Use your browser to open the IP address you configured for your Controller, but make sure you prefix it with “https” and use port 8443. With the example configuration I gave above, the URL is:

https://192.168.1.2:8443

Your browser will complain because it doesn’t trust the TLS certificate the Controller is using: the Controller generates a self-signed certificate on first start, and no browser has any reason to trust it. On a fresh install on your own LAN that warning is expected, so you can proceed past it. Before you do, view the certificate details and note the fingerprint; if the warning ever changes later (a different issuer or fingerprint), something between your browser and the Controller has changed and you should find out what. If you want rid of the warning permanently, the Controller can later be given a certificate issued by a CA that your devices trust.

Step through the setup wizard and answer each question. There aren’t many questions and they’re fairly simple to work out. You can skip the WiFi configuration and do it later, as I show in the video.

Click around and explore the Controller interface if you like. There won’t be anything much happening in it because there aren’t any devices configured.

Step 1e: Plan your access point placement

The UniFi Network Controller has an interesting feature that lets you create a plan of the physical layout of your house, and place network devices on the plan. It can then use obstructions such as walls to do estimates of the signal strength in different parts of your house.

Go to the “MAP” menu item on the left, and you’ll see an example map. Edit the example or create a new map and upload a plan of your house, then use the Map Designer tool to draw lines where all your walls are located. Place access points, turn on coverage display in the “Layers” menu, and experiment with different locations for your APs.

Step 2: Replace all-in-one router with dedicated router

If your Internet connection uses a technology such as ADSL, or Cable, or optical fibre, you need to have it terminated in a way that gives you a simple Ethernet connection. A device that does this is called a Network Termination Unit, or NTU. The NTU is specific to the type of connection that your ISP provides.

In some cases, your ISP will have provided an NTU so that you can simply plug your new router straight into it. If that’s the case, you can skip ahead to installing your dedicated router. I’m going to use a UniFi Security Gateway (USG) as my new dedicated router for the rest of this example.

I have a Cable internet connection that comes in on coaxial cable, so it needs a device to convert the coaxial connection into an Ethernet connection. Instead of using an NTU, I used the original Telstra Gateway Max that was provided by my provider, and changed its configuration to put it into “bridge” mode.

Bridge mode is a simplified mode that turns off almost all the features of your existing router and turns it into a dumb adapter that just passes data through without trying to manage it. Effectively this is like taking a router and giving it a lobotomy to turn it into an NTU. This will also disable any WiFi functionality, so it won’t be useful as an access point anymore.

The specifics of how to do this depend entirely on your ISP setup and your existing router, so I can’t provide instructions here.

Once you have converted your ISP’s router into a bridge or replaced it with an NTU, it won’t provide any of the normal services that you need such as routing and DHCP. That will now be done by your dedicated router.

Disconnect everything from your existing router except the ISP connection.

Use an Ethernet cable to connect the “WAN” port of your new router to one of the “LAN” ports of the old router. The connection will then go:

Your ISP -> Your NTU / bridge -> New router

Connect from the “LAN” port of your new router to an Ethernet switch, so that you have somewhere to connect wired devices to your network. This will include the Raspberry Pi that is now running the UniFi Network Controller software!


Turn on the new router, wait for it to start up, and then go back into the management interface on the Controller. If you’re using a UniFi compatible router such as the UniFi Security Gateway (USG) that I show in the video, the Controller should now see that you have a new device on the network. You can “adopt” the new device, which sets up a secure communication link between the Controller and the USG.

The rest of the setup of the gateway is done through the Controller interface. There’s no need to log in directly to the USG itself, because it receives its configuration from the Controller. Don’t leave a new UniFi device sitting unadopted for long, though: until the Controller adopts it, the device is reachable on your LAN with its factory-default login, and adoption is what replaces those credentials with ones the Controller manages.

Step 3: Install dedicated access points

Ubiquiti specialise in WiFi, so they have a huge range of access points available. In my case I stuck to the UniFi range because I wanted APs that could be managed using the UniFi Network Controller. I chose UAP-AC-Pro models because they seemed the best for my needs, but I’ve been told that I probably should have got the nanoHD model instead.

The particular APs that I got use PoE (Power-over-Ethernet) instead of plugging in a power supply directly. This means you can run a single Ethernet cable from your Ethernet switch to your AP, and the AP will take its power from the cable.

If you have a PoE Ethernet switch, there’s nothing else you need to do. Just plug in the cable, and the AP will receive power.

If you have a non-PoE switch, you can use a PoE injector mounted near the Ethernet switch as an intermediary, to provide the power source. My APs came with PoE injectors included in the box, but some models of UniFi AP can be bought both with and without the injector in case you already have a PoE switch.

If you want a bit more background on Power-over-Ethernet, I did an introduction to it way back in episode #3! Check it out here:

SuperHouse Episode #3: Power-over-Ethernet for Arduino home automation

I also wrote a tutorial about it on the Freetronics site:

Power-over-Ethernet for Arduino

Once your APs are plugged in and powered up, go back into the UniFi Network Controller interface to find them listed as new devices. You can then adopt them, just like you did with the Security Gateway.

However, don’t configure them directly unless you want to achieve something specific. The simplest thing is to leave them on default settings, which allows them to inherit the settings that you can apply to the entire site. In this context, “site” means your physical premises. The UniFi Network Controller is designed to scale up to installations with many devices across many physical sites, such as a group of remote branch offices, all managed through one central interface. For domestic use, you’ll probably only have one site.

To create a WiFi network that will be advertised through your fancy new access points, go to the “SETTINGS” menu item in the very bottom left of the Controller screen, then select “Wireless Networks“.

Click “CREATE NEW WIRELESS NETWORK“, and enter the details:

  1. Set “Name/SSID” for the WiFi name that you want.
  2. Leave the “Enabled” box ticked. Obviously!
  3. Change the “Security” setting to “WPA Personal“. This is the authentication type that most domestic WiFi networks use: a single shared passphrase for all devices. Make sure it is running as WPA2 with AES (CCMP) rather than the older WPA/TKIP, which has known weaknesses.
  4. Type the WiFi passphrase that you want to use in the “Security Key” box. Because every device shares it, and because anyone who captures a device joining the network can attack the passphrase offline at leisure, make it long and random (20 or more characters from a password manager) rather than a word or phrase. You type it into each device once, so length costs you nothing.
  5. Leave “Guest Policy” un-ticked, unless you’re specifically creating a guest network. Your first WiFi network will almost certainly be a normal network, not a guest network.

You don’t need to worry about the ADVANCED OPTIONS section for now. We’ll be coming back here in Part 2, when we look at more advanced things that you can do to improve the security of your network and provide compartmentalisation for troublesome devices.

Click the green SAVE button, and your new WiFi network will be created. This will also be automatically applied to all the access points that you have linked to your Controller, so it will become visible and you’ll be able to connect devices to the new network.

That’s all for now, but come back for Part 2 where I’ll show you how to apply more advanced concepts to really make your home network the best it can be.

27 thoughts on “#32: Rock solid WiFi for home automation, part 1”

  1. Hi Jon,

    There is another good option for those who run Home Assistant – a Cloud/Network controller perfectly integrated with this home automation system as an add-on. I am running Home Assistant on a Raspberry Pi and it works very well with UniFi software.

    I think the Home Assistant founder is working on UniFi, so it kind of natively supports all its products – controller, cameras, etc.

    1. That’s really interesting. I had no idea about that. Thanks for the tip!

    2. “Was” working for Ubiquiti – until a couple of weeks ago :). But the add-on itself is one of the many community-developed add-ons for Home Assistant.

      Hey Jonathan – I think you mentioned posting a link to the hardware for your current firewall too?

      1. Sorry, I forgot about that! They’re available from many sellers, but I got my boards from here:

        https://www.aliexpress.com/item/2017-4-LAN-J1900-Mini-ITX-Motherboard-fanless-Pfsense-itx-board-Q1900G2-M/32796658872.html

        You can also get them in a nice aluminium case. They normally come with no RAM or disk, so you need to source those separately. I’m still considering doing an episode about building the ultimate home router using dual redundant J1900 boards running OPNsense. It’s getting a bit off-topic for home automation but it may be interesting.

    3. Home-assistant.io are awesome.

  2. Why NanoHD over Pro? What is your reasoning? I am upgrading from a disappointing mesh.

    1. The NanoHD is a newer design that is more optimised for 5GHz signals. The Pro has higher throughput at 2.4GHz (450Mbps vs 300Mbps) but the NanoHD has higher throughput at 5GHz (1733Mbps vs 1300Mbps) and is better at handling multiple 5GHz clients simultaneously. They’re both excellent devices, just with different strengths.

  3. You gave me the next kick to change my existing network. But damn, I will need HW for 500€. 🙂

  4. What about wireless radiation? I find it easy to work with ESP modules but I now have like 5-10 of them on the wifi all the time.

    Was planning on building new devices using NRF24L01+ (most likely using mysensors.org as a platform). Do you think that it will help me reduce wireless footprint?

  5. You mention you should have bought the nano hd access points. Why so?

  6. Hi Jonathan,
    I recently moved to NBN and a couple of weeks ago picked up a USG to replace the rubbish ISP-supplied router the move forced me into using. Funnily enough, over the last few days I had been looking into using a spare Pi to run the UniFi controller centrally instead of having it sitting on my laptop. Great timing, thank you.
    I also would have to say that your ‘How to’ is the most straight forward that I have seen.

    FYI – I found moving the USG to another controller to be quite problematic and may need to reset the device to get the adoption process to work on the new controller.

    1. Thanks Sean! Yes, I had to do a factory reset on my USG when I’d finished playing with the Controller software on my laptop and wanted to set it up more permanently. I don’t think that’s a huge problem though, because the USG gets its config from the Controller, and the Controller config can be backed up before the migration.

      It’s definitely something that can catch you out though. I didn’t mention anything about changing controllers in the video. I probably should have done that.

  7. Your friend’s RPi power supply hat? Where is that available?

    Thx.

    1. I haven’t released that because it’s only rated to 600mA, which isn’t enough if the Pi is working hard or driving peripherals. I’ve since designed a different hat with a higher rated regulator and headers that allow it to be used for DIY PoE with the Pi 3 B+, but I haven’t sent the new PCB off for fab yet. It’ll feature in an upcoming video about custom rack mounting things like Pis and Arduinos.

      1. Perfect! Thanks for the swift reply.

        Also just discovered your channel and am highly impressed with the quality and depth of the content. Seriously.

        Can’t wait for the next Unifi episode.

        Cheers
        Gary

  8. Hi Jonathan
    Great video, looking forward to the next instalment.
    I’ve been a VoIP user for many, many years (firstly with work and over 8 years domestically (initially over ADSL2+ and over the last 18 months with TPG’s FTTB bundle)). TPG terminate their service with a Huawei Home Gateway HG659 (do-it-all box). Off that, I have gigabit switches, APs, NASs, a myriad of computers etc. and a multi-handset (portable) DECT phone system (POTS) plugged into the back of the HG659. The HG659 handles all the POTS to VoIP conversion etc.

    I’d be keen to better protect the network as well as achieving a more scalable network and seamless handoffs when using wireless. Discussions so far tend to suggest as soon as you bridge to the Ubiquiti Secure Gateway you lose the current POTS/VoIP support from the HG659. Do you think that you can cover the solution to that issue within the UniFi framework (or still being able to use the HG659 for this specific purpose)?

  9. Hi Jonathan
    Great video, looking forward to the next instalment.

  10. Hi Jonathan
    I wanted to take this opportunity to thank you for all the wonderful knowledge sharing videos you put out. They are extremely detailed yet fairly straightforward to understand. You have an excellent knack of explaining complex things in a simple way.

    About this video – I have been a Ubiquiti user with EdgeRouterX, UAC AP Pro and AP Lite ( one on each floor of my 3 floor home in USA). I have a bunch of ESP8266 devices(Wemos D1 mini based) for door sensors and Garage Door openers which are communicating to a node.js based server (homebridge) running on my Raspberry Pi. My node controller runs on my Synology NAS in a Docker Instance.

    I want to isolate them into a separate VLAN, but I am not sure how to segregate them to make sure I don’t lose connectivity to the Raspberry Pi (since that’s wired to a non-smart Ethernet switch which connects to one of the ports on the EdgeRouterX).

    I am really looking forward to your video to see how you have segregated your devices.

    Thank you once again.

    Ram

  11. Hi Jonathan,

    Thank you so much for sharing your ideas and workarounds with the community. I’ve been looking around on many tutorials with sonoff basic switches, most of them pick up ideas of other people. Going through your tuts I find many hints that are valuable and unique which certainly helped me pushing up my learning curve. Please keep on going, that’s great.

    On what concerns Wi-Fi and IOT, have you ever thought about a separation by VLAN? Separate VLAN for IOT is a topic since it came out that the TVs of a big manufacturer spies out what’s going on on the LAN they’re connected to and report back the track. Maybe paranoiac, but why not consider that this can be done and try to prevent?

    What I’m doing @ my home is 3 VLANs via Wi-Fi
    VLAN1: for personal devices like computers, smartphones etc. of the family members
    VLAN2: for guests with limited speed, captive portal and expiry after 4 hours
    VLAN3: for all IOT devices.

    The benefit of this is that I can set up distinct access between the 3 LANs by configuring the bridge on my router. The RasPi can be accessed from the main VLAN1 where I operate, all the IOT devices are only accessible within their own subnet (and vice versa). Guests can access the internet but don’t see any of my devices, neither the personal ones nor the ones for IOT. This helps separating things at a very low and important level.

    Wow, your hardware setup is impressive, maybe too big a shot for average smart home enthusiasts? I’m certainly not blaming, but you might not find many followers. I believe my hardware setup is less expensive than what you’re proposing, certainly it’s not so comfortable as yours.

    I use a router which is capable of running alternative firmware like freshtomato.org or DD-WRT (cost +- 90 $). This device does routing, NAT + port forwarding, and gives me freedom to configure the 3 VLANs and the bridging between the VLANs. I’m only doing guest Wi-Fi with this main router.

    Wi-Fi for VLAN1 is done by 4 access points which are meshed covering 100 % of house and garden with decent signal strength. My IOT devices are concentrated in 2 areas, so I simply use 2 cheap access points to provide them with signal. Basically speaking, I have full freedom to setup the Wi-Fis for my VLANs. On the other hand, what’s good for me probably is not enough or too much for others.

    1. Thanks for the encouragement, Andi 🙂

      What you describe with VLANs is exactly what I’m covering in Part 2, which should be out soon. I’m also doing some more advanced authentication, with individual passwords managed using RADIUS. In a follow-up episode I’m also going to show how to build your own WiFi access point with PPSK (Private Pre-Shared Key) authentication, for IoT devices that can’t handle WPA2-Enterprise.

  12. Was looking at buying UniFi security cameras so I needed an NVR or storage to keep all my video recordings. Just discovered that the new Cloud Key (UniFi Cloud Key Gen2) comes with a 1TB disk, so I can have a native cloud key and also enough space to keep the videos from my security cameras. And it is cheaper than buying an NVR.
    Will be migrating my cloud key settings from my raspberry to the new cloud key device this week.

  13. Hello Jonathan Oxer,

    I’d like to know how to delete backup files, so it looks like this:

    pi@controller:~ $ df -k
    Filesystem 1K-blocks Used Available Use% Mounted on
    /dev/root 7335632 6724568 242264 97% /
    devtmpfs 470116 0 470116 0% /dev
    tmpfs 474724 0 474724 0% /dev/shm
    tmpfs 474724 12300 462424 3% /run
    tmpfs 5120 4 5116 1% /run/lock
    tmpfs 474724 0 474724 0% /sys/fs/cgroup
    /dev/mmcblk0p1 43234 22036 21198 51% /boot
    tmpfs 94944 0 94944 0% /run/user/1000

    1. The UniFi Controller data partition is nearly full. Only 455 MB of 7 GB free

  14. Hi Jonathan,

    thanks for an awesome video. I’m glad I checked it before I ordered a “regular” mesh wifi router kit.

    since I will be using a RPi for HomeBridge in my setup, I was wondering if the Pi (RPi 3+) will handle the Unifi management software along Homebridge. in other words, how computing intensive is the software? should I better get another Pi just for the Unifi software?

    thanks!

    1. Unifi plugin worked fine on my Home Assistant RPi 3+, I didn’t notice any load increase after I installed that. p.s. Raspberry just released RPi 4 with more RAM and CPU.

  15. Hi Jonathan
    Thanks for your work. I have tried to follow your write-up, and do believe that I have followed all the steps – even with success ;-).
    Now, when I try to access the controller (first time) – 192.168.2.2:8443, I get the message “Bad Request This combination of host and port requires TLS.” at the client browser. Tried both from linux and windows clients.

    Have not had success with google. Have you seen this before ?
    Any hint?

    /Joern

    1. Use HTTPS and port 8443 – fixed it 😉
      /Joern
