UnIFi & pfsense Deployment, Setup and Planning with WiFi, VLAN & Guest Network

Captions
What I have here is a ready-to-ship network deployment. Well, it's not going to ship too far: Corey is actually going to be installing this. This is one of our clients, one of our installs, so top to bottom something we own for one of our managed clients, and this is for one of their locations. What I have here is a UniFi 16-port PoE switch, one, two, three, four, five UniFi AC HDs, and one Netgate firewall to be the head end of this. The network structure is simple; it's actually going into an arena. What I have here is the whole deployment ready to go, because we test everything in the office: test it, set it up, configure it, upgrade it, see if there are any issues, randomly power cycle it. We go through all the steps to make sure there are no problems, and technically it's kind of a burn-in period. When we get to the install date we just leave it set up and running. That way we know, because generally hardware, and it's not always the case, I know, and there's no exact science to this, but it does seem to fail most frequently in its very earliest stages of deployment if you're going to have a problem. Now, knock on wood, with UniFi we have had absolutely an excellent track record, and we've never had one of these devices fail out on us, and that's pretty amazing. But you know, the one reason I like their products so much is because the reliability has been excellent. We have some of these that have been installed for, you know, years, and obviously they're not something you turn off; you leave your Wi-Fi on all the time, even up in ceilings, running in offices that we've been deploying for a long time without any issues. But I still like to test it. I like to test it beforehand, and we have no idea why, but one unit didn't adopt the first time we hit adopt; we had to hit the reset button and it adopted. That was weird. I can't repeat the problem, I don't know what the error was, I don't know if the new guy, because we had him and were walking him through all this, was at fault at all. For one reason or another one didn't adopt after an upgrade, which, like I said, is the first time that's ever happened, and it was obviously just click the reset. That's way easier to do before these, which are going to be mounted almost, oh, 25 feet up in the air, are deployed. It's always better to have them all up and adopted. I mean, they could do it in post, but that's probably not the most ideal way to do this, because to get to some of these a manlift has to be rented and then used to put them up.

If you're wondering what the blue stickers are, this is part of the deployment process. The installer and the person doing the install may not be exactly the same person, so our wiring team is going to go out and be doing the install. We don't know exactly where each one of these will go, so instead we just put numbers on them, 1, 2, 3, 4, and we put it on with this blue tape because it's easy to peel the blue tape off. As the installer, which is going to be Corey's place, puts up each one, he'll name the location. He'll be like, unit 3, and this has the 3 on it, was installed in, you know, the east hallway, and we have a map of all this. Then he'll put that unit exactly where it is, he'll send us a picture of it for documentation, and in the system, because we're remotely managing this, he will name it the name of where it was deployed. That way, in the setup process, and I was having the new guy do all this, when he runs through he just has to put some stickers on them; as he adopts them he names them in the system the same as their name right here. So it just becomes a very easy way to deploy them and not have to coordinate the two of them to go, oh no, that one went over here, I meant west side. We wait till the install day to actually name them as we mount them into the hallways and areas that these are going into.

Now I have up here, and I've got it turned around so you can see the network cables, the Netgate SG-3100, and I'm showing you how it's plugged in. At present this client probably won't be doing redundancy in terms of internet connection. It's a maybe; they talked about it, they're deciding if they need it or not, because this is a sports venue, kind of a stadium area. That's also why there's not a bigger switch, and that's also why we use high-density Wi-Fi, because a lot of this is dedicated towards their guest network. They only need a few things in the office, and the Netgate SG-3100 is capable of failover with two internet connections and certainly capable of gigabit routing, despite what people keep telling me it's not. I tested it, I have it deployed, it works perfectly fine. So we're just using the LAN port. OPT1 is the optional port that can be used for a couple of different things; we're going to be using it maybe for redundancy, but for now the client is only getting one internet provider, so this is going to be perfectly fine, because like I said a lot of this is dedicated to a guest network. Then we have one cable, and I want to show you just one cable going out of the LAN side with VLANs on it. So on the SG-3100 you don't necessarily need to do anything. These have four ports on here that act as standard switch ports, so this is set technically like one logical port here, then the LAN is a logical port, and then OPT1 is a logical port. That way I can use each of these and program them, but then I just set the VLAN to come out here, and then it goes right into the UniFi. We're going to go over the software setup here in a second. From there, one is the main LAN, which is for the office people and administration, of which there's only a handful. There are going to be, I think they said, seven people in the building that need computer access, so pretty minimal there. Then the other side, the VLAN, is for the guests; that is the larger side of the network. Of course, with the guest network there are a couple of rules that we'll talk about. We have AP isolation, because we don't want the guests to be able to see each other, so we have that deployed in here. We're not worried about a guest portal; they do want a password on there, and what they do with their guest access is they have the password for it up on the wall. I know what someone's going to say, it's not the most secure. Yeah, it's not really supposed to be; it's a guest network and that's kind of the idea. So each guest is isolated, but occasionally they change the password to be something promotional, so that's something to consider. They didn't want to go with the captive portal; they said that they don't want to make it a challenge, just give a password and all the guests that are fans of theirs can just come in there. That's what they plan now, but we can always change it. I know captive portals are fully supported in UniFi, or we could even put a captive portal onto the Netgate device, and you can set all that up too. It's in the works and configuration; these are sometimes things that get changed in post by the client. This is what they told us now, but the venue doesn't open for a little while, so we're getting in on the ground floor and putting all this physical layer stuff in, and maybe later it'll change. That's the beauty of the way this stuff works: it's just a few commands to send back out and modify these to do it however they want to change it. But it's a pretty simple setup, and this is a very common setup.

Now I'm going to jump over to the network side of this, log into the Netgate, log into the UniFi, and actually show you the settings that we put in there, and kind of walk you through the why of how we set this up in this pretty simple network. Okay, so we'll start at the pfSense and talk about the network settings. I know, because this is in our internal network, for those of you wondering, this is not a public IP address, of course, 192.168.3.220. It's plugged into the general network that we have here at the office. Here is the LAN that is going into that; it says 1000baseT full duplex. This is the four ports that you have right here for the LAN, so LAN 1, LAN 2, LAN 3. This is the logical network for it; these are the different physical ports that are on there. So when we look at the LAN we have it set to 192.168.10.1, and whenever you're setting up any type of business network just don't make it 1.1 or 0.1 or the 10.1.1.x series, pretty much 10.1.1.1 or 192.168.1.1. That's the default for, well, a lot of consumer routers, and 192.168.0.1 is a default for a lot of the D-Link routers I've seen. I know there are probably a few others that use this, and the problem you run into is if you have to do a VPN later and you end up with another network. You want to start out with the business network being something a little bit different, because a lot of the home users connecting when you set up the VPN, or if you have an existing network that was kind of amateur set up, you frequently see 1.1. Well, then you have to decide how you want the routing to go whenever you want to VPN these networks together. That may never happen at this client, but it's still kind of a practice I follow to set this up. Now, /24, like I said, maybe ten devices at most, probably; I think there are seven people in the office. There aren't going to be a ton of users or devices on the business network. There's not a lot of staff there; it's pretty basic and straightforward, so I don't really have to worry about allocation on that one. I set up the DHCP server.

Now we're going to go over here to assignments, and we're going to take a look at the VLAN. We built this VLAN 20 and we descriptively called it Guest Network, VLAN tag of 20. Interface assignments: it's called Guest Network, VLAN 20 on LAN, so mvneta1 is that LAN port, and this is VLAN 20. So all of that is being trunked right through, so all the VLAN data goes through to the UniFi because it's sharing just that one cable you've seen at the beginning. So let me look over here, and we go to the guest network interface, as we named it, and we see that this is 172.16.0.1 and we did a /22. The reason we did a /22, and we'll go over here to the DHCP server, is a /22 will give us the range of 172.16.0.1 through 172.16.3.254, because you want a fairly large range, because there's a bunch of random people, and the majority of these are going to be phones that are connecting to this. So not a ton of bandwidth, but a lot of devices on there. Once again, we're going to cover in a second how we did the AP isolation, but you want to have a wide range for people. Now this is also going to drive over to why I'm using these high-density UniFi AC HDs: because they support up to 500 clients on one, and because of the way this is laid out. First people may be in the arena area, because it's a sporting arena, then they may move over to a large bar area where one of these will be, so we have a high density of people kind of clustered together, so there may be a lot of them per device. Now one of the things that people ask about capacity planning is, one, make sure you always go a little bigger if you can, and in this case these are very reasonably priced and have the support for 500 client connections on there. They're very fast; we've deployed these a few times and I found them very reliable, especially with these high-density groups of people on there, and still able to maintain a good system. But when you kind of ask the question of capacity, you also can do things like find out what the fire marshal said is allowed in the building. Oh, there's only a maximum capacity of 1,100 people in the building. Well, I know then you just can't push more than 1,100 people into the range of one of these in that dense of an area. So we know each area's capacity as listed by the fire marshal, so we know there will at most be that many people in there, so you can kind of plan accordingly. We know that we'll never over-saturate these, but we know potentially, spread out through the building, because there's more than one arena area and a very large bar area, there's going to be a high density of users. That's where we chose these, because they're able to really have no problems with Wi-Fi and interference. But whenever you're setting up, just a general rule for subnetting is never put more than a thousand devices per subnet, because it can get noisy and a lot of traffic on there. So if you are getting bigger, that would go beyond the scale of what I'm deploying right here, but for what we're doing here it's not likely that every one of these, all five of them, will get 500 users. It's that density of users moving around that is why we chose these units. We probably still could have gotten away with smaller ones, but honestly, for the price difference and everything, we went ahead and went with these HDs because they're very reasonably priced. They're not substantially more: MSRP of 349, and you can frequently find these for, I think we paid under 300 for them when we got them on sale. Or if you buy them in bulk, you buy five at a time or four at a time in a bulk pack, you know, you get them cheaper as well. So that's the ones we went with here, these UAP-AC-HDs.

So now I'm going to go back over to the settings, and we just used pretty much the whole network. We started at 172.16.0.10 to 172.16.3.250, so there are quite a few IPs that can be assigned there for different devices that jump on and off the network. Now, in the way it works here in pfSense, we have the LAN network and then the guest network, or separate. I like to put one, when I'm doing a separate guest network, in a completely different range; I chose the 172 range. It just makes it really easy if you're ever doing any troubleshooting: you know if it begins with 172 it belongs to the guest network. There's no hard and fast rule about this; this is kind of a convenience thing. When I've set up a lot of networks, I know right away if I see some problem, when I'm just generally looking through logs, 172 is stuff coming from the guests, 192 is coming from the office. If I ever had to build out another separate network for the office, let's say for like a credit card network or a point-of-sale system network, we could build a LAN 2, another office network, and still keep it in the 192 range and just not use that 10, use something else, create another VLAN, and the same thing. It keeps kind of a consolidated way that I view things. I do want to make sure I mention, on the guest network we do allow access, and we have this rule which means they can't access the LAN net. So here's your guest network versus LAN, and we want to give them internet access but not access to the local networks. Now normally I would have done this in an alias, and you alias in all the different LAN networks, but there's only one, so we simply, you know, edit the rule real quick here to show you: we allow the source to be any, and invert match on "LAN net" means they cannot get to the LAN network. Now this is also further protected by the routing within the UniFi devices, which also, when you apply guest network policies, stop them from seeing both each other and other local devices through exclusions set in the guest policies. Now that's pretty much it for the firewall setup. There's not a lot to it; it's, like I said, straightforward. There's not a lot on here. I will probably load pfBlocker on here; that's about all they really need to make this system work, and likely potentially failover if they add it later.

Now let's jump into the UniFi side of the configuration. So in the 16-port PoE we have the one uplink port, which is this one here. This is actually where I plugged it in for the uplink, and this is where all the data is coming in from the pfSense box. So just to follow me on the VLAN setup here: we have the four switch ports on the pfSense, we have one cable coming out of that and going into this port, which becomes the uplink port. There are no special settings on this switch profile; it's All, so we do see the LAN and guest. You actually want the full All profile because we're not, at this time, splitting out any of the PoE ports, or ports in general on the 16-port PoE switch, to be their own VLAN. If you wanted to, you could plug in the Wi-Fi and, to use an example of this port here, let me close that and we can look at this port and we can edit this port, and we could say, hey, port 3 has one of the Wi-Fi devices plugged in, we could say make that only the guest network. But ideally the reason we don't do that is because you want them to be able to get all the profiles, because you want to do the actual VLAN setup inside of the devices themselves. So let me show you how we do that. So first we come over here to Settings, go to Networks. Here are our networks: we have our Guest Network, VLAN only, and we have our LAN. How did we create this? It was pretty easy; you can literally hit Create Network, hit VLAN Only, and put the VLAN ID in there. Pretty straightforward. So I'll actually edit this one real quick to show you. We named it Guest Network because that's what it is; this is just our own naming convention. VLAN 20, which matches VLAN 20 right here, so you know we have to keep all that matching. So Guest Network, VLAN only, VLAN 20, pretty straightforward. Here's the corporate network, LAN, and we just left this at 192.168.10.1/24 so it knows what the network settings are. So we have the LAN corporate here, so that's set and configured and that's going to get everything.

Now here's where we build the wireless networks. I have one called Guest Network and one called Office Network. Those aren't the names they'll get in the actual deployment, but for the nature of this video and for helping him in there. So Guest Network, WPA Personal, and we do have a password. The other thing we checked here is Apply Guest Policies (captive portal, guest authentication). You set the guest control policies; we have that set just for really the isolation, and that's an important piece, so that's in the guest settings. I'll get to that one in a second. This is the part that is important: Use VLAN, and then what the VLAN number is. So we use VLAN 20; that slices off all the data coming to there. So all the data goes from the pfSense out of the port into the 16-port PoE with all the VLAN data, the whole thing as trunk data, so everything comes through. Then it goes through all the way to the Wi-Fi devices, so the access points get all the data and then they can slice out the VLAN, which is VLAN 20. They slice it out and put it on its own SSID, so when we create this Guest Network SSID, VLAN 20 is sliced out of there and that becomes that 172 network. I'll go back over here to Wireless Networks, and with the Office Network what we're doing here is not using a VLAN, because we do the office on the LAN. Now if we were to set up another office network, or you wanted to create further isolation, the office network is the trusted network per se; you could create a separate VLAN just for the office network. That way you have a management network and an office network, if you really wanted to break things down really tight like that, but it doesn't really need to be in this use case. There are a few computers on there for updating scores and things like that that the office people would be using, but all that data is coming through that wireless network, and so we don't need to break this one out. It's going to pull the 192 network. So back a little bit to how VLANs work: all the data comes down the pipe and we're using the access point to slice out that VLAN and remove that tag data, so it is carrying over one single cable. If we ever needed to have more bandwidth, these do have the dual cable support, so you can bond them together if there was a speed issue. But you've got to remember too that on the physical side of it, one cable is carrying both networks; it's just segmented out inside the VLAN.

Now the last thing I want to cover here is the user group: it's Guest Network, not Default. This is because we're using the access points themselves as a layer of protection for not giving them full bandwidth, and they generally don't need it. You've got a bunch of people there, because this is going to be a lot of kids playing sports and a lot of parents who are going to be taking pictures and sending them and uploading; that's why they need the guest network on there, and that's what this user group is for. We have a user group called Guest Network. Default is unlimited bandwidth; limit download bandwidth to 2 Megs, limit upload bandwidth to 2 Megs. What this is doing is slowing down their network, so the service they're getting is a 500 Meg circuit going in here, and you don't necessarily want all the users to have full bandwidth all the time. Now they don't, all the time; phones are somewhat efficient, unless you're watching YouTube or Netflix. They're somewhat efficient about their data usage because, you know, they kind of expected it over 3G, but you don't want to give them just a full pipe on there. So each one of these: limit download bandwidth to 2, limit upload bandwidth to 2, and away we go and we're good. Later we may do, if needed, and this is actually the second deployment, this is another location for this particular client, if needed we can also have pfSense do some traffic shaping. But at the other location we haven't had an issue, and they have quite a few guests on the network, and it hasn't really caused any problems. But an option we can do is traffic shaping, where you prioritize one network over another, and it's reasonably easy to do inside of pfSense. You can also just put restrictions on that network, like hard limits, and say this network can never exceed this much bandwidth, and then everyone, the phones, can all fight it out for the available bandwidth down there. But all you have to do, because we're going to start at the UniFi level limiting, is that no one phone can have more bandwidth than 2 Megs. It's not super fast, but it's fast enough for them to, you know, update Facebook and tweet out pictures and Instagram things, so it's good enough for that. It'll get the job done, and that's one of the nice things about things like Instagram: it does cut the resolution down, making that a little bit less of a challenge getting the data out.

So that's pretty much it for the setup here. It's pretty straightforward, and like I said, you can see how we did the naming scheme, naming them, putting the blue stickers on them. So now once they get installed we just go through each one and are going to rename them as they get installed, but it's pretty easy to do. This will be called, you know, hallway, or wherever it goes in each location, then we overlay the map on there, and then the system is deployed and we manage it. It's a pretty straightforward setup, but that's it for the video. Hopefully this was enlightening. This is literally a job that's going to be installed; I believe the job is scheduled for Thursday right now. If I have a chance I'll film some on site there getting this built out, which would be pretty cool, but I don't always have time to do that, so I at least want to show you the prep work that goes into a deployment like this prior to the deployment. So these are all the things we have to get ready in the office for this, and we do this sometimes for other technicians. In this case this is a job from top to bottom that's ours, and it's another location for an existing client doing the same thing, you know, having a stadium venue where they do sports training, and there are a lot of parents bringing their kids to the sporting event. This is, like I said, a repeat of something we've already done before, so we know this whole setup works perfectly fine. But we do this as well for other technicians that just want to do the physical layer and have us help with the setup work, because managing this is not too hard to do; a lot of it does come down to getting it set up. That is the important part, and kind of thinking through, all right, this is how I want to do it, this is the layout I want to do. So hopefully this was enlightening, or maybe you have comments, concerns, or things you think I could be doing better. I'm always, you know, listening to feedback, because how we do things is always shaping and changing over time, and we're always trying to, you know, improve processes and become more efficient when we do this. But this is going to sit on a desk running for, like I said, a couple of days until it gets to the deployment time, and from there it gets sent out and works.

So that's it. Thanks for watching. If you liked this video go ahead and click the thumbs up, leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing feedback, or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and subscribe and hit the bell icon; that lets YouTube know that you're interested in notifications, hopefully they send them, as we've learned with YouTube. Anyway, if you want to contract us for consulting services, go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you with. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon, we have affiliate links, you'll find them in the description, and you'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching and I'll see you in the next video.
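The guest-network policy the video walks through has two layers: the UniFi guest policy (AP client isolation) keeps guests from reaching each other on the 172.16.0.0/22 VLAN, and the pfSense rule on the guest interface passes traffic to any destination except "LAN net" (invert match). The video also notes that with more than one office network the rule would normally use an alias of all local networks. The Python below is an added example, not code from the video or from Lawrence Systems; it models that policy with the addresses the video gives (LAN 192.168.10.0/24, guest VLAN 20 172.16.0.0/22, DHCP pool 172.16.0.10 to 172.16.3.250) and evaluates a few constructed flows, including the case where a second office VLAN (a hypothetical 192.168.20.0/24) is added but not yet in the alias.

```python
"""Model of the two-layer guest policy from the video (added example).

Networks are the ones the video describes; the sample flows and the
hypothetical second office VLAN (192.168.20.0/24) are constructed here.
"""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.10.0/24")       # office LAN on mvneta1 (untagged)
GUEST_NET = ip_network("172.16.0.0/22")       # guest network, VLAN 20
GUEST_DHCP_RANGE = (ip_address("172.16.0.10"), ip_address("172.16.3.250"))

# pfSense "invert match" destination. The video uses the single LAN net; an
# alias holding every local network is what you would use once more exist.
LOCAL_NETS_ALIAS = [LAN_NET]


def dhcp_pool_size(first, last):
    """Number of leases between first and last, inclusive."""
    return int(last) - int(first) + 1


def pfsense_guest_rule(src, dst, local_nets=LOCAL_NETS_ALIAS):
    """Pass rule on the guest interface: source any, destination NOT in
    the local-networks alias. Returns the firewall verdict for one flow."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in GUEST_NET:
        return "no-match"            # rule lives on the guest interface only
    if any(dst in net for net in local_nets):
        return "block"               # invert match excludes the local nets
    return "pass"                    # everything else (internet) is allowed


def guest_flow_verdict(src, dst, ap_isolation=True, local_nets=LOCAL_NETS_ALIAS):
    """Evaluate a guest flow across both layers. Guest-to-guest traffic on the
    same VLAN never reaches pfSense, so only the AP guest policy can stop it."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip in GUEST_NET and dst_ip in GUEST_NET:
        return "blocked-by-ap-isolation" if ap_isolation else "switched-locally"
    return pfsense_guest_rule(src, dst, local_nets)


def evaluate_sample_flows():
    """Constructed flows a guest phone might generate, with verdicts."""
    flows = {
        "guest -> internet":      ("172.16.1.25", "93.184.216.34"),
        "guest -> office LAN":    ("172.16.1.25", "192.168.10.5"),
        "guest -> other guest":   ("172.16.1.25", "172.16.2.9"),
        "guest -> 2nd office VLAN": ("172.16.1.25", "192.168.20.5"),
    }
    return {name: guest_flow_verdict(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("guest DHCP leases:", dhcp_pool_size(*GUEST_DHCP_RANGE))
    for name, verdict in evaluate_sample_flows().items():
        print(f"{name:28s} {verdict}")
    # Adding the hypothetical second office VLAN to the alias closes the gap.
    extended = LOCAL_NETS_ALIAS + [ip_network("192.168.20.0/24")]
    print("with alias extended:",
          guest_flow_verdict("172.16.1.25", "192.168.20.5", local_nets=extended))
```

Running it shows why the video mentions the alias: with only "LAN net" in the invert match, a guest flow to the hypothetical second office VLAN passes, and it is blocked only once that network is added to the alias. It also shows that guest-to-guest traffic is decided entirely by the UniFi guest policy, since the firewall never sees same-subnet traffic.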
Info
Channel: Lawrence Systems
Views: 143,512
Keywords: access point, ubiquiti networks unifi, unifi setup, ubiquiti unifi, virtual networks, ubiquiti networks, unifi switch, pfsense, router, firewall, pfsense (software), tutorial, pfsense router, pfsense firewall, guide, pfsense tutorial, pfsense setup, build, open source, networking, rules, pfsense vlan, vlan
Id: LNAAfja_ZOY
Length: 24min 44sec (1484 seconds)
Published: Tue Sep 18 2018