TL;DR: Home network Wi-Fi upgrade, and some observations about it.

Preface

I have enjoyed some home Wi-Fi kit (e.g. I think Apple’s AirPort series was simply a brilliant piece of hardware AND software), and some I have merely tolerated. Most of the OpenWrt-based ones belong to the latter camp; while they work, setting up multi-node things has usually been clunky, or they somehow fail at awkward times, and that isn’t great.

The old setup (2020-2024)

We bought a Netgear Orbi mesh system (750 series) almost exactly four years ago. It replaced the more vanilla OpenWrt-based Turris Omnia, and brought with it an actually working mesh system. Most of the time.

Early on (2020-2021), when we used it for ‘everything’ (e.g. as the first-hop router doing DHCP, DNS, etc.), it behaved quite badly every now and then (for example, DHCP just stopped working suddenly). After that the Orbis were switched to the stupid (mesh) AP mode, and they worked better, with the Turris used as the DHCP/DNS/... server.

I think its reliability was in the 99+% range in AP-only mode, which is nice, but inexplicably the meshing sometimes didn’t work well, and there was zero visibility in the normal consumer-oriented app, or in the Jurassic-looking web UI, as to why. I did not get around to telnetting to the box to try to figure out what was wrong (of course it does not support ssh, and telnet is behind a hacky knocking system). Due to this one of our security cameras kept losing connectivity every now and then, and there were also occasional user complaints. This continued long enough early this year (a couple of months) that I decided to change to something with better visibility.

The new setup (2024+)

I looked at the various options available on the market, and in general the fully consumer-oriented setups were not tempting. I wanted something with a reasonable degree of visibility into what it does, but I also had a hard requirement that the networking stuff work well.

The Ubiquiti UniFi line seemed to fit the bill; IT organisations at some earlier places of employment had been quite happy with them, and so had some of my more keen friends. What to buy for home use was not quite obvious, and in general it seems that the UniFi line requires a ‘controller’, which is a master node that controls the rest of the devices. The controller can either be hosted on a PC or be co-located on one of the devices. I wanted to go for the on-device solution first as that sounded less fragile.

So I kept looking at the different options available on the market. The UniFi Express (Ubiquiti) seemed like the most promising of the bunch: relatively modern, although with only 1Gbit Ethernet ports and a not-that-strong Wi-Fi 6 radio. I identified it during the summer, and then sort of forgot about the upgrade as the Orbis seemed to be working better (according to my monitoring). But then about a week ago I spotted a (little used) Express and a U6 Mesh (AP) in the local second-hand marketplace, and bought them outright. I did not get around to installing them immediately, though, due to a relatively busy schedule, but during the weekend I spent some time with them.

Initial disappointment (Saturday afternoon)

I did not want to replace my frankenrouter as the first-hop router (see other blog entries for the scary details; it is an Intel N305 + 32GB RAM + 2 TB SSD + four 2,5GBit ports box I set up last year). Due to that, I wanted to

  • use the UniFi Express as controller and AP
  • use the U6 Mesh as a second AP

without any NAT or other weirdness - just the same thing my Orbi setup did after I stopped using it as the first-hop router. This turned out not to be possible, or at least too awkward for me to configure:

  • UniFi has a ‘third-party router’ network concept, but unfortunately if the Express is the controller, its default network could NOT be anything other than an Express-controlled one (which implied NAT, which I did not want)
  • I found various resources on the internet about how to get around this (basically, extra networks with VLAN ID > 1, which can choose ‘third-party router’), but unfortunately I could not get them working in the time I felt like spending on it
    • also, e.g. ‘internet detection’ and most of the statistics functions on the Express would not work anyway if the actual internet traffic did not go through its NAT
  • A lot of the material on the internet was also outdated, being aimed at different UniFi models
    • e.g. wrong ssh parameters, different ways of setting up some hacky way of making the node a ‘big bridge’

During these iterations I factory reset and installed the Express a couple of times, and it was a quite frustrating experience; it took perhaps 10 minutes each time, and additionally I needed to use the iOS app more than I would have liked. Later on I learned I could also have done it on a computer, but that was already too late for this controller experiment.

If it fails, try harder (Sunday morning)

While I am certain I could eventually have gotten the UniFi Express working as controller with the different VLAN ID hacks (I do control the upstream network after all, and while native tag = 2 did not work for some reason, I could have just omitted tag 2 on the upstream port too), I figured having the Express as controller was not worth the trouble. Due to that, I instead added a container to my frankenrouter which runs the UniFi controller (jacobalberty/unifi-docker: Unifi Docker files). This took all of a couple of minutes to set up, including:

  • CNAMEs in the OpenWrt dhcp config file to ensure auto-discovery works (not sure if it uses the search path, so I added both):
# Unifi cnames
config cname
        option cname 'unifi'
        option target 'fw.lan'
config cname
        option cname 'unifi.fingon.iki.fi'
        option target 'fw.lan'
  • a reverse proxy fragment for the Caddyfile (I don’t like ignoring certificates when I log in):
# unifi controller
# From https://blog.lanzani.nl/2022/caddy-v2-and-unifi/
https://fw.fingon.iki.fi:8443 {
	log
	# only clients from private (RFC 1918, loopback, link-local) ranges get through
	@denied not client_ip private_ranges
	abort @denied

	reverse_proxy fw.lan:18443 {
		transport http {
			# the controller serves a self-signed certificate; the hop to fw.lan stays on the local network
			tls_insecure_skip_verify
		}
		header_up - Authorization # strip any Authorization header before the request reaches the controller
	}
}

and after that I tried to adopt the Express. Unfortunately this did not work, for reasons that are somewhat unclear to me. However, once I plugged in the U6 Mesh its adoption worked fine, and after that I could adopt the Express too (presumably via some Wi-Fi magic the U6 Mesh was doing).

After this, the whole mesh just worked, and it worked quite well. After these initial steps I added monitoring of the AP nodes’ availability (using the SSH port) to Gatus.
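The Gatus monitoring mentioned above, as an added example and not the author’s own config: TCP checks against each AP’s SSH port, plus a check of the controller through the Caddy reverse proxy so that the certificate Caddy serves is actually validated rather than ignored. The AP addresses are placeholders; the Gatus service is assumed to run from a private-range address, since Caddy’s @denied rule aborts everything else.

```yaml
# Gatus config.yaml fragment (added example; AP addresses are placeholders)
endpoints:
  # Plain TCP reachability of the APs' SSH port, one endpoint per node
  - name: unifi-express-ssh
    group: wifi-aps
    url: "tcp://192.0.2.11:22"      # placeholder: UniFi Express address
    interval: 60s
    conditions:
      - "[CONNECTED] == true"

  - name: u6-mesh-ssh
    group: wifi-aps
    url: "tcp://192.0.2.12:22"      # placeholder: U6 Mesh address
    interval: 60s
    conditions:
      - "[CONNECTED] == true"

  # The controller behind the Caddy reverse proxy, checked through its public
  # name so the certificate is verified (client.insecure is false by default;
  # spelled out here to make the intent explicit).
  - name: unifi-controller
    group: wifi-aps
    url: "https://fw.fingon.iki.fi:8443/"
    interval: 5m
    client:
      insecure: false
      timeout: 10s
    conditions:
      - "[CONNECTED] == true"
      - "[STATUS] < 400"                     # login page or its redirect
      - "[CERTIFICATE_EXPIRATION] > 168h"    # warn a week before expiry
```

If the controller check fails with a TLS error while the SSH checks pass, the certificate Caddy serves is the first thing to look at, not the UniFi devices.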

Network tuning (Sunday evening)

UniFi has a really cool-looking radio environment visibility tool. It shows all other APs within range and how strong their signals are (this is a reasonably good proxy for how busy the channels are, although a noisy weak signal can be bad too). Our neighbours seem to favour the low 2.4GHz channels (several APs with about -55 dBm signal on channel 6 and some on 1), but on channel 11 I found relative peace. The 5GHz band is not as bad as 2,4GHz.

The 2,4GHz ‘auto’ setting kept hopping between 1 and 6, but for some reason never picked 11 (possibly because I had picked a 40 MHz wide band), so I picked a 20 MHz band on 11, as I mostly want peace and quiet, and bandwidth on 2,4GHz does not matter as much.

Jurassic software as usual

I find it somewhat worrying that the base of UniFi seems to be a 7-year-old LEDE-era OpenWrt (at least for the U6 Mesh); while I am certain it has been upgraded for security stuff, it might still have something that doesn’t have security upgrades. The Express I am not sure about, as ssh login to it has started inexplicably failing, although it worked when I was setting it up. While authentication is fine, when it should open a shell it just closes the connection. Oh well, I will worry about that when I need to (which is hopefully never).

Future thoughts

I would like to see the Internet usage statistics in the UniFi controller, and for that I would have to migrate from having the frankenrouter as first-hop router to the Express being the first-hop router. I might consider doing this one of these days, if I’m happy enough with the system. For now, though, I will let the UniFis be just APs.

I will most likely also buy some Wi-Fi 7 supporting AP once one shows up, and place it so that most of our devices can use it if they support it. At the moment I think we have none, though, so I am not in a hurry.