We move our office network up to a more enterprise-level feature set and level of network security. Should you?
For longtime readers, it should come as no surprise that the robustness of the internal network at the PC Perspective offices isn't necessarily our primary focus. We spend a lot of time here dealing with misbehaving hardware and software, so when something works, we tend to stick with it, especially when our day-to-day workflow depends on it.
However, I have recently taken it upon myself to make some changes. The main impetus for this project was our desire to move to a mostly 10 Gigabit-enabled network. With the release of lower-cost NICs such as the ASUS XG-C100C, it finally started to seem like the right time to upgrade our network.
Previously—and try not to laugh too hard—the backbone of our production network was the Zyxel Gateway included with our Gigabit fiber service from our ISP. Honestly, this piece of hardware worked surprisingly well. We were able to get full Gigabit download speeds (our upload speed is restricted at the ISP level to about 300Mbps), and it worked without much of a fuss. The router interface was fairly awful, and confusing at times, but it worked. Additionally, we were using an ASUS RT-AC66U as an access point, not the built-in wireless from the Zyxel.
In the past few months, we started to see some odd performance issues with our network and streaming video. While standard file transfers and HTTP traffic could use the full 300Mbps upload speed, video streaming from applications like Plex seemed to top out at about 4 or 5 Mbps. After ruling out our internal network, we started to place the blame on the ISP-provided Zyxel gateway.
After talking to a few friends who are involved in the homelab community and doing some additional research, I decided that while roll-your-own solutions like pfSense are compelling and have come a long way, they weren't quite right for us. We were looking for more of a turnkey solution that remained flexible but required less initial setup.
In the end, we decided to go with the UniFi family of networking gear from Ubiquiti as the backbone of our new network. Ubiquiti was kind enough to send over the UniFi Security Gateway Pro 4 (USG Pro 4) and the UniFi AP AC Pro to give us a great start. We chose not to integrate a UniFi switch into our network, as we already had a Netgear XS716E 10 Gigabit switch available and Ubiquiti doesn't seem to offer an equivalent 10 Gigabit option currently. However, users who only need 1 Gigabit connections should add a UniFi switch, as it provides additional integration with the rest of the equipment.
For those of you not familiar with Ubiquiti or their UniFi product line, they are a company that prides itself on the idea of "Software Defined Networking." Essentially, this means that if your entire network stack consists of UniFi gear, you gain more advanced, centralized control over the network. Originally geared more towards the enterprise market, UniFi gear has started to be adopted by enthusiasts for their home networks because of the impressive amount of customization it offers while remaining in a similar price range to the highest-end home networking gear.
The USG Pro 4 is the device that serves as the backbone of our internal network. Connected directly to the ONT (Optical Network Terminal) for our fiber connection, the USG acts as both a router and a firewall. Physically, setting up this device is effortless: plug your internet connection into one of the WAN ports on the USG Pro and your switch into the first LAN port, and you are done, hardware-wise.
The software side of the UniFi networking products is where Ubiquiti excels but is also where I had to adjust my preconceptions the most coming from consumer-level networking gear.
Instead of being controlled individually, all UniFi products report to one central web interface. However, rather than each piece of gear running its own web server, you run the UniFi Controller application yourself on any device on your network. The controller is lightweight enough to run on a device like a Raspberry Pi, but keep in mind that it should be running at all times.
We had a bit of an issue setting this up on our network, and I would recommend that anyone who is seriously deploying a UniFi network pick up a Cloud Key, essentially a preconfigured single-board computer that Ubiquiti sells to run the controller application. It's an $80 device, but it is dead simple and Power over Ethernet-enabled, so you can plug it into your network and not worry about it.
Once you have the UniFi Controller application running on your network, you can configure the network using the UniFi web interface. While I haven't had any experience with similar enterprise-grade networking solutions, I can say that the UniFi interface is miles above anything I've ever experienced with consumer equipment.
The UniFi interface is responsive and is organized in a way that allows you to view the data you are most often looking for without having to dig into menus upon menus. Additionally, if configured, you can gain remote access to your network console from anywhere via Ubiquiti's website, as well as apps for iOS and Android.
For the most part, I haven't delved too deep into many of the advanced features of the USG Pro. However, I am in love with a particular feature called Deep Packet Inspection (DPI). DPI gives you a real-time breakdown of traffic categorized into common applications, along with which clients are responsible for it.
For example, here you can see that someone on our network has been doing a lot of uploading to Backblaze lately. While this might not be a problem, it's great to be able to see what traffic is slowing down your network when you are running into an issue. From this same menu, you can drill down another level and see which clients are responsible for the traffic of any given application. DPI does require additional processing power from the USG, and some users have reported slowdowns on their connections in some scenarios, but the USG Pro 4 handles DPI on our 1Gbps/300Mbps connection with no issues.
One complaint I do have is that there's no way to view historical DPI data. The counters continue counting up from when they were last manually reset. I'd love to see a feature where I can display DPI data over specific time frames such as the previous 24 hours, week, month, etc.
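The time-windowed view described above can be built outside the controller by polling the cumulative counters on a schedule and turning them into per-interval deltas. The script below is an added example, not Ubiquiti's code or any UniFi API; it assumes a periodic poll that yields per-client, per-application cumulative byte counters (the SNAPSHOTS list is constructed sample data, not captured from a real controller), and it handles the case the article mentions, a manual counter reset, by treating a reading that goes down as "bytes since the reset" rather than producing a negative delta.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not captured from a real controller).
# Each snapshot is what a periodic poll of the DPI counters might return:
# (timestamp, client, application, cumulative rx bytes, cumulative tx bytes).
# Counters only count up from the last manual reset; the 2017-11-02 00:00 row
# for "workstation-2" shows such a reset (both values drop).
SNAPSHOTS = [
    (datetime(2017, 11, 1, 0, 0),  "workstation-1", "Backblaze",  1_000_000,  50_000_000),
    (datetime(2017, 11, 1, 0, 0),  "workstation-2", "Plex",      20_000_000,   5_000_000),
    (datetime(2017, 11, 1, 12, 0), "workstation-1", "Backblaze",  1_500_000, 150_000_000),
    (datetime(2017, 11, 1, 12, 0), "workstation-2", "Plex",      60_000_000,   6_000_000),
    (datetime(2017, 11, 2, 0, 0),  "workstation-1", "Backblaze",  2_000_000, 400_000_000),
    (datetime(2017, 11, 2, 0, 0),  "workstation-2", "Plex",       1_000_000,     200_000),  # reset
    (datetime(2017, 11, 2, 12, 0), "workstation-1", "Backblaze",  2_100_000, 420_000_000),
    (datetime(2017, 11, 2, 12, 0), "workstation-2", "Plex",      30_000_000,   3_000_000),
]

# The "current time" used for the windows below (hypothetical, matches the sample).
NOW = datetime(2017, 11, 2, 12, 0)


def counter_deltas(snapshots):
    """Turn cumulative (client, app) counters into per-interval byte deltas.

    A reading lower than the previous one means the counter was reset between
    polls; the new reading is then the best estimate of bytes since the reset,
    which is how monotonic counters are normally handled in monitoring tools.
    """
    last = {}
    deltas = []
    for ts, client, app, rx, tx in sorted(snapshots, key=lambda s: s[0]):
        key = (client, app)
        if key in last:
            prev_rx, prev_tx = last[key]
            d_rx = rx - prev_rx if rx >= prev_rx else rx
            d_tx = tx - prev_tx if tx >= prev_tx else tx
            deltas.append((ts, client, app, d_rx, d_tx))
        last[key] = (rx, tx)
    return deltas


def usage_in_window(deltas, end, hours):
    """Sum traffic per application and per (client, app) for the window (end - hours, end].

    Returns two dicts: {app: (rx, tx)} and {(client, app): (rx, tx)}.
    """
    start = end - timedelta(hours=hours)
    by_app = defaultdict(lambda: [0, 0])
    by_client = defaultdict(lambda: [0, 0])
    for ts, client, app, d_rx, d_tx in deltas:
        if start < ts <= end:
            by_app[app][0] += d_rx
            by_app[app][1] += d_tx
            by_client[(client, app)][0] += d_rx
            by_client[(client, app)][1] += d_tx
    return ({k: tuple(v) for k, v in by_app.items()},
            {k: tuple(v) for k, v in by_client.items()})


def top_uploaders(deltas, end, hours, app):
    """Clients ranked by upload (tx) bytes for one application in the window."""
    _, by_client = usage_in_window(deltas, end, hours)
    rows = [(client, tx) for (client, a), (_rx, tx) in by_client.items() if a == app]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Pre-computed deltas for the sample, so callers can query windows directly.
DELTAS = counter_deltas(SNAPSHOTS)


if __name__ == "__main__":
    for hours in (12, 24):
        by_app, _ = usage_in_window(DELTAS, NOW, hours)
        print(f"Last {hours}h:")
        for app, (rx, tx) in sorted(by_app.items(), key=lambda kv: kv[1][1], reverse=True):
            print(f"  {app:<10} down {rx / 1e6:8.1f} MB   up {tx / 1e6:8.1f} MB")
    print("Backblaze uploaders, last 24h:", top_uploaders(DELTAS, NOW, 24, "Backblaze"))
```

Polling every few minutes instead of every twelve hours would make the windows much finer, and storing the deltas (rather than the raw counters) is what makes a "previous 24 hours / week / month" view cheap to answer later.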
The UniFi wireless products are one of the areas on which Ubiquiti has built its fantastic reputation. UniFi Access Points are meant to support large numbers of clients at high levels of performance through technologies like band steering, airtime fairness, and seamless handoff between access points. Our UniFi AP AC Pro is a $130 access point with dual-band, 3×3 MIMO 802.11ac radios.
Personally, I view our move to this gear from Ubiquiti as a much-needed upgrade to our infrastructure. While we aren't using a lot of the more enterprise-level features of the UniFi product line at this point, we now have a lot more flexibility going forward. If we want to add a couple more wireless APs to the office, we can do that with a simple click in the UniFi interface. If we decide to start segmenting our network with VLANs, we can go down that deep and dark path. And no longer will I worry about our network being artificially traffic-shaped (at least internally; there's still the ISP level, which we can never quite count out).
The dual WAN ports of the USG Pro 4 are also appealing to us. While we currently have only one connection from our ISP, we have the flexibility to add a connection from the cable company as a fallback, running simultaneously with our fiber connection. This may seem unnecessary, but our ISP's connection going down for 5 hours while I was writing this article has made it more and more appealing.
The UniFi Access Points, in particular, provide an exciting opportunity for some home users. My current router at home is an aging ASUS RT-N66U that is perfectly adequate for my connection speed and the wired portion of my network, but its wireless performance leaves something to be desired with more modern devices.
For $80, I can disable the wireless portion of my router, hook up a UniFi AP AC Lite, and improve my wireless performance without buying a $350 high-end consumer router. And if I later want to upgrade the wireless portion of my network, I only need to replace the AP, or add more of them around the house.
Keep in mind that you are also getting a higher level of support with networking hardware like this. For example, Ubiquiti published firmware updates for the access points addressing the WPA2 KRACK vulnerability the same day the details were released to the public. That said, KRACK is primarily a flaw on the client side of the handshake, so an AP update (which covers the 802.11r fast-roaming side on the AP) doesn't remove the need to patch the laptops, phones, and IoT devices on your network.
While I'll admit this isn't the right solution for all users, I think it is appropriate for users who are interested in networking and want to dip their toes in the water.
Stay tuned for more networking articles soon from PC Perspective as we continue to upgrade our network to 10 Gigabit and beyond!