Now that we have an idea on how the Ubiquiti UniFi Network Controller operates. It’s time to configure it and optimize our WiFi network. As I’ve stated on our tour in the last guide, in order to get full functionality you will need to get a UniFi Security Gateway. In the end it is optional and won’t hinder your experience using the WiFi portion.
What can we do with the Ubiquiti UniFi Network Controller?
There’s a reason why more and more businesses by the day are going with Ubiquiti. Hotels, retail and many establishments, big and small, are slowly adapting to the Ubiquiti ecosystem. Small gatherings and festivals can configure “Guest portals” to allow users to simply fill in their contact details or a ticket number to authenticate to their WiFi network. Hotels, for example, can segregate guest traffic from their own internal business network with just a few configuration options on their end. Data consumption can be defined and controlled, allowing only a certain connection speed for each user.
Configuring Site Settings
Head over to your Ubiquiti UniFi Network Controller in the web browser and on the left hand side go to “Settings” at the bottom.
Under settings if you’re not there already go ahead and click “Site”. A site allows you to define a location for a group of UniFi access points such as in the break room or in the building which makes it easier to manage when deployed in multiple places. We will now be configuring the following settings under “Site”:
- Site Name – This will be the name of your first site. Name is however you see fit, I will be going with “Building”.
- Country or Territory – The country in which you reside, this is important as the access point will adjust your WiFi frequencies slightly based on local government regulations.
- Timezone – The timezone where your controller resides.
- LED / Screen – Whether to enable or disable the light ring on your access point. If enabled adjust “Screen Brightness” if your controller is running on a server with an LCM screen.
- Rack Multi-Screen Synchronization – Allows for synchronization of the controller to servers with an LCM screen. Screen Timeout is the time it takes to shut off the screen due to inactivity.
- Advanced Features – Only enable this if you know what you’re doing. Allows for additional configuration of the access point’s WiFi antennas.
- Automatic Upgrades – Automatically updates UniFi access points with new firmware, when available from your Ubiquiti UniFi Network Controller.
- Alerts – If you’ve set up an ubnt account with an email address, you will receive alerts from your controller through your email.
- Speed Test – If you have an USG, it will perform a speed test every certain amount of minutes.
- Uplink Connectivity Monitor – This allows the access points to ping your router and check for internet connectivity. It is recommended that you disable this due to causing random disconnects for wireless clients.
- Remote Logging – Allows you to specify a remote server to save all your log files to from the Ubiquiti UniFi Network Controller. For the most part this is unnecessary unless you have a central server dedicated to storing logs, in a business environment.
- Provider Capabilities – You will want to set download and upload to your maximum internet connection speed. To find out your internet speed, go to Speed Test and run it, then multiply by 0.95 and configure accordingly.
- Auto-Optimize Network – Improves performance and stability through optimization techniques. Turn it on and see if you experience any issues. For the most part you should see an improvement depending on your connection.
Under “Wireless Networks”, the name(s) and password(s) of your access point(s) are displayed/configure here. Please note that all of the UniFi access points connected to this controller all share the same set of wireless networks. You can also segregate multiple groups of wireless networks through the “WLAN Group” drop down menu. You may also create additional network names. The configuration is as follows:
- Name/SSID – The name of your new wireless network.
- Enabled – Checkbox that determines whether you want this network activated. Unchecking turns it off.
- Security – This is how devices will be authenticating to your network, the most commonly used option is “WPA Personal”. You will be asked to put in a password.
- Guest Policy – Turns this particular network in a guest portal with authentication. This can be configured later under “Guest Control”.
- Multicast and Broadcast Filtering – If there is more than 1 access point on your LAN, and they need to communicate leave this off. Otherwise, turn this on to avoid any complications.
- VLAN – Defines a Virtual LAN. Only use this if you know how to set up VLANs.
- Fast Roaming – Allows devices that support 802.11r to roam freely quick between access points. It is recommended to leave this off.
- Hide SSID – Hides this wireless network from being seen by wireless devices. This requires you to manually enter the name and password into each device.
- WPA2 Encryption – Encryption strength of the wireless connection. Leave it at “AES/CCMP Only”.
The “User Group” option lets you set a default group for the network. This will be explained later under the “User Groups” setting.
Networks are defined by the IP address used by your primary router. By default, one has been already created for you. You should only configure this setting if you plan on adding additional networks/subnets.
Routing & Firewall
For the most part, these settings are only available when an USG is provisioned with the controller and serves as your primary router.
Threat Management is Ubiquiti’s experimental anti-virus, protecting your network from potential threats and programs from send malicious internet traffic. You will need a USG for it to work. Under “Protection Mode” there is “IDS” and “IPS”, IDS(Intrusion Detection System) prevents malicious data from reaching the target computer. An IPS(Intrusion Prevention System) scans for data packets between the WAN and LAN network and determines if each packet presents a threat and drops it.
DPI stands for Deep Packet Inspection. This sort of technology is used throughout the internet to determine what kind of traffic is passing through a router and where it originated from. Ubiquiti may have the best implementation of DPI for consumers around. Again you will require an USG for it to function.
This is where you will configure how your guests will be accessing your WiFi access point(s). Ubiquiti has made it incredibly easy to set one up, which has led to many hotels adopting their products.
- Guest Portal – Enable it, additional configuration options will appear.
- Authentication – This is how your guests will be authenticating to your WiFi network. A simple password will need to be entered before handing it to guests. With a “Hotspot”, users will need to first connect to your WiFi and make sure the guest network has no WiFi password configured. Your guests can also authenticate with their Facebook account, but you will need to register your gateway with them first before use. See “Gateway Configuration” down below with “Facebook WiFi” selected.
- Default Expiration – Depending on what you’ve configured as your authentication method, you will be able to set an expiry date for guest connections.
- Landing Page – This is where your guest users will end up once they’ve connected to the WiFi network, here they will enter their credentials in order to connect to the internet. We will be leaving it at “Redirect to the original URL”, “Promotional URL” is entirely optional and allows you to make your own web page.
- Redirection – Unless you have a widely-accepted certificate such as Let’s Encrypt, then none should be checked.
- Portal Customization – This is where you can make changes to the design of your landing page. Feel free to change it as you like, the options are pretty straightforward.
- Hotspot – By default, “API” and “Vouchers” is enabled which means you will need to generate a ticket to give to your guests. The easier way would be to enable the other ones. You can also customize your voucher page if desired.
- Access Control – This is the single most important step, because your network will need to be separated from your internal network so that guests do not have access to your primary LAN. You will need to configure your router(s) adjacent to what’s being configured here. Pre-Authorization Access will allow guests to access a certain network before they’re authenticated through the captive portal. Post-Authorization Restrictions prevents guests from connecting to certain devices on a different subnet(such as 192.168.1.0/24) once authorized to surf the internet.
Profiles allow you to configure additional servers for RADIUS and ports for switch ports. Unless you’re planning a deployment with many users that need some form of authentication, you do not need to configure this. Switch ports allow you to make changes to the ports on your Ubiquiti device, its best to leave these settings as is.
For the most part with the exception of SNMP, NTP, and “Scheduled Upgrades”, you will need a USG for everything else. SNMP allows external network software to monitor the status of your UniFi gear. NTP synchronizes the controller’s system time to a particular server. Scheduled upgrades allows you to define how often each access point should check for updates and install them.
This setting is pretty straightforward. It allows you to add multiple users that can access the controller. One has already been made for your during setup. For best results, add an email address and verify your account.
User groups lets us define a connection speed limit for our clients. When someone connects to your WiFi network, they will be assigned an user group will grants them a certain speed limit. If a custom one isn’t defined, they will default to the WLAN user group with no limits placed. Creating a new user group is as simple as naming it and defining an upload and download limit, or either, or both.
Part 2 can be found here.