Question: Ubiquiti network expansion. Adding 2 NanoBeam AC gen2 and want to set up 2 individual LANs.

DaaQ

Golden Member
Dec 8, 2018
1,278
923
136
Making a new thread due to the question I asked here. Post 38 . Thank you to @ch33zw1z for what was provided so far.

Here is the gist of the original question.
So I have Edgerouter x sfp and AC pro LR IIRC. This is currently running fine in my home.

Issue is that the plan from the beginning was to add the parents in law home to the mix. I have 2 NanoBeam AC gen2. They are now mounted, wires run but no rj45 fittings put on yet. Have not mounted the second AC pro LR to their ceiling, although I have the wire sticking through, which I am sure drives them nuts LoL.

So I have figured out I need to factory default my AP due to running in stand alone mode. I want to run 2 VLANs to keep our data separate (not sure how to configure this yet) and bandwidth limit them to 100M which is what they currently pay for and use without issue.

Do I need to run the controller software on a machine that never sleeps? or is the USG or the cloudkey device described above a better solution?

I have time because I am waiting for a 10G SFP to RJ45 adapter incoming which will offer me an extra port this way. I do have 1G service provisioned to my home, modem is in bridge mode, or baselined as we call it around here.

I have received the 10G SFP+ to RJ45 adapter UF-RJ45-10G

The following is the gear I have already purchased.
Advanced Gigabit Router with PoE and SFP
nanobeam-ac-gen2 I have 2 of these.
802.11ac Long Range Access Point I have 2 of these.

What I did fail to account for is that on the other end of the air bridge, I have the PoE injectors for each device, the NanoBeam and the WAP. I have now realized that I will need a switch to plug each PoE injector's LAN side port into in order to bridge the NanoBeam and the WAP together.

@ch33zw1z is this correct? And can a simple switch fulfill that function? The inlaws have a Linksys E3100 or something along those lines, but I have several Netgear gig unmanaged switches.
I ask because no management will be occurring at the inlaws' home, it will all be from my end where the Edgerouter is.

Side note, I don't know why I was thinking I could just plug PoE side of the antenna to the NanoBeam, and the LAN side to the WAP. Obviously the WAP needs its PoE injector as well.

EDIT: Could I not just patch cable the 2 LAN sides of the 2 POE injectors to one another so that all traffic goes from the WAP to the Nanobeam to the RX nanobeam to the edge router? @ch33zw1z ??

Also, with this configuration, wouldn't the edgerouter be taking care of all the management? IE no need for controller? ( I could add dream machine regular later down the road)
 

ch33zw1z

Lifer
Nov 4, 2004
37,733
18,003
146
Management first:

- ER-X is managed via router GUI or UNMS, imxp the router GUI is better to do the config with. UNMS is fun to mess with, but I still had to use the router GUI to make changes work.

- Nano's are managed via UNMS, UI recommends the mobile app to config, but you can get on it with the default IP's if you really wanna. The mobile app will likely require you to be on the same subnet to manage them.

- Unifi AP's require a controller to manage, but it's not necessary to run it full time from what I can tell with regard to your config specifically.

Next, switches:

Correct, you will need some ports on each end for the nano's and the AP's. An unmanaged "dumb" switch can work, but I think you'll find it will be problematic to work with. Here's why: You want to isolate VLAN's, but unmanaged switches won't pass VLAN (VID) traffic. So while you can set it up to make it work, you'll end up managing the remote AP on the VLAN you run to it. Since you can only pick one, you'll be stuck with mixing management networks which gets really confusing and can become a real pain in the butt.

IMO, a better solution is to setup everything on the default IP scheme (192.168.1.x), that's always your PVID, and then run a VID for the isolated VLAN. This way, you manage everything from a single management VLAN (still the PVID), and can be flexible with VLAN's throughout the network.

*Something like a UI Flex mini is probably a good solution at the in-laws side.

Unfortunately, this just doesn't make the unmanaged switches a workable option 100%, BUT there's still use for them at your side. You'll need one port off the ER-X to go to the nano's and one port for your AP.

Now you have 3 ports left off the ER-X (since one will be for the modem). You can run the 192 PVID off of those ports, and if you plug in a switch it WILL pass PVID traffic because it's untagged.

Edit:
I suppose you may be able to go from the nano station directly to the AP, but you gotta check the airOS guide for configuration like that. I would just keep in mind that a switch is likely going to be required.
 

DaaQ


OK, I'm not sure if I am describing this correctly. (few drinks involved)
Modem, edgerouter and 1 WAP at my home. I got the SFP adapter, so that will give me 5 open ports. All are PoE capable except eth5 which is the SFP. I need PoE for my WAP in my home, plus the NanoBeam mounted to my home. I have a PC and a MoCA device to bridge my TiVo cable box onto the same network.

At the inlaws, they have 1 Nanobeam, with an injector plus 1 WAP with an injector. All of their devices are wifi.

Could I not just bridge the LAN to LAN port on the 2 injectors, so that all data flows back to my end where the Edge router handles traffic?

I realize I will have to factory default my WAP in my home to re set all this up. I can use the mobile app to align the 2 bridges, this is not an issue afaik.
 

DaaQ

Reason, I'm questioning the need for a switch, is because the edgerouter will be the switch. UNLESS I have to put a switch between the 1 nanobeam and the 1 wap at location 2
 

ch33zw1z

> OK, I'm not sure if I am describing this correctly. (few drinks involved)
> Modem, edgerouter and 1 WAP at my home. I got the SFP adapter, so that will give me 5 open ports. All are PoE capable except eth5 which is the SFP. I need PoE for my WAP in my home, plus the NanoBeam mounted to my home. I have a PC and a MoCA device to bridge my TiVo cable box onto the same network.

Right, so a PoE to your WAP, PoE to the nano, and one to the modem, so 3 ports leftover.

> At the inlaws, they have 1 Nanobeam, with an injector plus 1 WAP with an injector. All of their devices are wifi.
>
> Could I not just bridge the LAN to LAN port on the 2 injectors, so that all data flows back to my end where the Edge router handles traffic?

I understand, I'm just saying that I dunno if that will work. I would check out the OS config guide. But if you end up needing a switch, a small managed one is probably a better plan.

> Reason, I'm questioning the need for a switch, is because the edgerouter will be the switch. UNLESS I have to put a switch between the 1 nanobeam and the 1 wap at location 2

Yep, I was just going thru where I recommend using the unmanaged switches. You could use them locally to expand the main VLAN rather easily, but at the in laws it would be better to use a managed switch, if the switch is needed.

I probably wouldn't have even come up with direct connecting the nano and AP, but as long as you plug in the injector connections correctly, it may work. Now you got me curious lol
 

DaaQ


Some reading on the Ubiquiti forums, came across a couple posts saying this did in fact work.

I will report back if so. I really hope to work on it tomorrow. Although some other IRL stuff may get in the way.
 

DaaQ

> @DaaQ any progress on that particular config? I am genuinely curious. As I've pondered it, there's no reason it shouldn't work lan to lan.

Yes I was told by my Air bridge guy that has several bridges in my area for non serviceable people. He said yes it will work, as long as there is no need for any hardwired devices, which my In Laws do not need, they are strictly wifi.

So while we are on this subject. I have one more ethernet connector to install on my Nanobeam mount. Which I will probably do tonight. And my plan is to try and set it all up tomorrow. Weather and energy depending.

I do have to get this going though, because I got an early promotion into Maintenance dept, so I will have to return all my company issued tools back to tech ops, which is my line toners and crimp tool. My line toner is a Klein set that does coax, RJ11 and RJ45, will test if any pairs are crossed as well.

I have until Feb 11th before tool turn in happens.
 

DaaQ

> @DaaQ any progress on that particular config? I am genuinely curious. As I've pondered it, there's no reason it shouldn't work lan to lan.

Question, does the Dream Machine Pro replace the EdgeRouter X SFP? If I was to get one of those?

Reason I am asking is my Edgerouter has 5 PoE ports on it.

So I either have a bad 10G SFP adapter, or the SFP port on my router doesn't work, or I just don't know. Going to return the 10G SFP since it was 65 bucks, and opt for a 1G adapter, if that doesn't work. I will have to opt for the DM. Which I also understand I will need a PoE switch?
 

DaaQ

OK, spent A LOT of the weekend trying to get this working.
Well, Unifi controller needs work.
WAP AC-LR that was originally set in stand alone mode would not adopt.
Got frustrated, etc. etc. etc.

The UF-RJ45-10G did NOT work. No matter if running off 1G port, 2.5G port, Cat6, Cat5e, nothing. Thing got hot as hell. I recorded 95F at one point with an IR temp probe.

Long story short. I will RMA the 65 dollar 77+ with ground shipping. Willing to try the SFP 1G to RJ45 to see.

But with tax time coming and such, are there any other suggestions on gear? I do still need the Air Bridge setup so that is a factor.

It has to be reasonable price wise. I'm not rich.

TYIA
 

ch33zw1z

You don't really need the SFP to complete the install, you need 3 ports to get everything working, and you have two ports left on the ER-X for your network, which you can hang unmanaged switches for your main PVID network traffic.

Focus on getting the AP's adopted, and the wifi stuff configured, and the ER-X running a PVID for your network, which is also the management VLAN.
 

DaaQ

My one AP that was adopted long ago in stand alone mode would not adopt into the controller.

I got frustrated today, had a friend come to help set up the LANs, VLAN, and that ONE WAP would just not adopt. Wound up setting up in stand alone mode, like before, but it is not visible in the controller.

Then wife got on my nerves because kids were coming to visit, so I didn't get the bridges aimed. Which by the way is all for her parents. But whatever. FML

Any suggestions besides Ubiquiti, that is not in the thousands range?
 

ch33zw1z


You'll be hard pressed to find anything to fit your needs that you don't already have. Sounds like just one AP is being a PITB, and that can happen. Did you set the other AP up already? Is there a chance there's an IP conflict between the AP's?

You're running the default 192.168.1.x for main network? And what VLAN is it?
 

DaaQ

192.168.1.x for my lan, the other will be 192.168.2.x
 

ch33zw1z


Ok, that's cool. VLAN ID 1 and 2 will match great then.

Is there anything specific you need help with? Factory resetting the AP can be a pain. I had success by "unadopting" it from the controller software before I adopted it to the UDM, the AP took 5-10 minutes to adopt, I thought it was gonna fail lol.
 

DaaQ

Not sure I need 2 VLANs, really just need the 1 for the inlaws. But we played hell for hours trying to get my WAP to adopt, it never did, we CLI reset it, SSH into it and reset it, just kept failing but then would attempt again etc.
I finally got aggravated and just used the mobile app and standalone set it up again. At least I got to change SSID this time.
 

ch33zw1z


You'll need a VLAN for each network.

Dunno what to do about the WAP other than keep trying. I use the windows software controller as opposed to the phone app. Have you tried the hard reset button?
 

DaaQ

Yes, about a half dozen tries. I may have a go again and just give it about a half hour or more to adopt, later in the week. Maybe it wouldn't adopt due to the one VLAN. I really only need the 1 VLAN for the PoE port to the nanobeam to the inlaws, which will rx their nanobeam + WAP AC LR
 

ch33zw1z

It may work with a single VLAN, but my understanding is that once you enable the VLAN aware part of the switching, everything will default to one VLAN unless you separate it out. Either way, setting up 2 is really not more complex than setting up one. And when you create the firewall rules later to isolate them, then you apply it to the in-laws VLAN interface.

The biggest problem I see with only trying to use one is keeping the network gear on the admin network.


It's pretty basic, all ports are PVID 1, and just the port going to the nano beams / remote AP will have VID 2. Then in the unifi config, add a VLAN only network with the same VID of 2; then when you create your in-laws Wireless network, tell it VLAN 2. The traffic isolation happens back at the firewall. Before you isolate the traffic, you should be able to ping / send traffic between the VLAN's.


In step 10, instead of applying it to a hardware port, apply it to the VLAN interface.

This is how I created an IoT isolated network and a guest isolated network.

Generating the same config on the UDM-pro is very similar. The only issue I ran into was assigning physical ports to VLANs; turns out you can't assign physical ports to VLAN only networks, so I had to create LAN networks with the VLAN's and then could assign physical ports to those.

In the end, the Ubiquiti gear may be smart enough to just work with only a VID field populated, but if not...you may just have to call the default VID "1"
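
The port and firewall layout described in this post, written out as EdgeOS CLI (an added example, not part of the original post or anyone's actual config). The port assignments, the ruleset names INLAWS_IN / INLAWS_LOCAL, the router address 192.168.2.1 and the DHCP range are assumptions; the VLAN IDs and subnets are the ones discussed in the thread.

```edgeos
configure

# Assumed ports (not stated in the thread): eth0 = WAN/modem, eth1 = home AP,
# eth2-eth3 = wired devices, eth4 = NanoBeam link toward the in-laws.
# eth1-eth4 are assumed to already be members of switch0.

# VLAN-aware switching: every LAN port is untagged on PVID 1 (home + management).
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 1

# Only the NanoBeam port additionally carries tagged VID 2 for the in-laws SSID.
set interfaces switch switch0 switch-port interface eth4 vlan vid 2

# Routed interface for the in-laws network. The existing 192.168.1.x address
# for the home LAN is left as already configured.
set interfaces switch switch0 vif 2 description "in-laws"
set interfaces switch switch0 vif 2 address 192.168.2.1/24

# DHCP and DNS for VLAN 2 (the address range is an assumed value).
set service dhcp-server shared-network-name INLAWS subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name INLAWS subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name INLAWS subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.200
set service dns forwarding listen-on switch0.2

# Traffic routed from VLAN 2: allow replies to sessions opened from the home
# side, drop anything new toward the home/management LAN, pass the rest.
set firewall name INLAWS_IN default-action accept
set firewall name INLAWS_IN rule 10 description "established/related"
set firewall name INLAWS_IN rule 10 action accept
set firewall name INLAWS_IN rule 10 state established enable
set firewall name INLAWS_IN rule 10 state related enable
set firewall name INLAWS_IN rule 20 description "no access to home/management LAN"
set firewall name INLAWS_IN rule 20 action drop
set firewall name INLAWS_IN rule 20 destination address 192.168.1.0/24

# Traffic from VLAN 2 to the router itself: only DNS and DHCP, so the router
# GUI and SSH are not reachable from the in-laws side.
set firewall name INLAWS_LOCAL default-action drop
set firewall name INLAWS_LOCAL rule 10 description "DNS"
set firewall name INLAWS_LOCAL rule 10 action accept
set firewall name INLAWS_LOCAL rule 10 protocol tcp_udp
set firewall name INLAWS_LOCAL rule 10 destination port 53
set firewall name INLAWS_LOCAL rule 20 description "DHCP"
set firewall name INLAWS_LOCAL rule 20 action accept
set firewall name INLAWS_LOCAL rule 20 protocol udp
set firewall name INLAWS_LOCAL rule 20 destination port 67

# Apply the rulesets to the VLAN interface, not to a hardware port.
set interfaces switch switch0 vif 2 firewall in name INLAWS_IN
set interfaces switch switch0 vif 2 firewall local name INLAWS_LOCAL

commit
save
```

With the firewall lines left out, a client on the VLAN 2 SSID should be able to ping 192.168.1.x; once they are committed that ping should fail while internet access keeps working.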
 

DaaQ


Yes I had a friend come over to give me a hand setting it up. My setup is basically the reverse of his. except I'm using newer gear beside the Edgerouter X which he has. But he set his up over a year ago and was a little rusty.
We really ran into the problem of my one WAP which I had setup in stand alone mode 2 years ago. It was just a PITA so I am kinda up and running. The inlaws are not setup yet. But they are still paying for their own connection atm so it is not a has to be done tonight kinda thing.

I could not get the 10G SFP adapter to work at all on eth5. My modem has 3 1G ports and one 2.5G port.
He suspected it may be because the adapter will only work in 10G or 1G modes?? Either way I've submitted it for RMA and will get a 1G SFP adapter instead.

FYI my modem is a Sagemcom model# F@ST3896 UM. It is a gateway but is in bridge mode. Although all 4 ports will provide internet connectivity, I have never tried if I plug more than one into it if it will route. I doubt it. But in order to get into the modem GUI I would have to disconnect from the coax and factory default it to be able to access its internal GUI. Once it receives provisioning info, or once it registers on the CMTS it will lock you out of that. I've tested this with other modem brands. Ubee, Technicolor 4131 etc.

So my main problem atm, is I cannot get my WAP AC LR to adopt on the controller. Had to standalone set it up off the app just to get my wifi back up again.

I am debating on whether the DM or DM pro would be worthwhile. Main issue I see is there is no PoE on either of those. Unless I can just use my EdgerouterX as a managed switch for the PoE.

EDIT: I am considering possible WAP upgrade to the Unifi 6 LR AP since it has 4x4 MIMO in it. (All depends on if wife talks me into a new phone, which I have so far resisted. HER phone)
 

ch33zw1z

Ok, so the single WAP is really the problem at this point. You may be able to get just one WAP for you and the in laws can run the AC-LR.

The UDM or pro model won't fix the WAP thing, still uses the same software controller under the covers.

Are you using the latest controller software?
 

DaaQ

Yes on latest controller.

I am wondering if I just did not let it have enough time to adopt. Although I had someone here helping, so we both were kind of rushing to get the basics back up.
 

DaaQ

OK, I ALMOST had the damn thing working. then catastrophe strikes. (grand daughters got here and it became chaos because no internet. FML) I had to do a factory on the router. 1 of the nanobeams, I'll probably have to go up the hill to reset that one, because I don't remember which I defaulted first.

NEEDLESS to say, the DMPro, are there any discount codes available anyone knows of?

I had the Bridge link up and running, at about -50dbmv with it saying throughput was around 305 Meg. I could see the in laws WAP even. Wouldn't adopt tho. I think the subnets or whatever the old co worker setup was off a bit. They would only link and see when using a PoE injector on my end connected to the non PoE enabled port of the ER.

I'm seriously thinking of biting the bullet on the DMP. Would be great if I could catch a sale.

EDIT: I can admit I am a networking NOOB when it comes to this level of administrating this level of a network. It has all been consumer gear to this point. So please be easy on me.

Edit edit: Should proxy ARP be enabled?
 

ch33zw1z

Ok, slow down a little bit. Factory resetting things isn't necessarily going to help. You should be able to run the ER-X and an AP at your house without impacting the nanobeam + inlaws AP. So, get things configured on your side, then proceed to the nano beam + in-laws. It's really just building the network one step at a time. I'll put together a diagram if you think it will help and you can refer to the links above for the VLAN config, then the firewall rules, and build it one piece at a time.

You really gotta get the AP's adopted, and if you can SSH to the AP you can manually update the firmware if it's needed, there might be some fixes.

Proxy arp isn't checked off IIRC

You can adopt the in-law AP locally, then relocate it to the in-laws house. If the nanobeams are setup correctly, the AP shouldn't care at all.

The adopting issues seem to be your hurdle. I don't think the UDM-Pro will necessarily fix that, and the only time I've seen it on sale is for about an hour 11/30/2020.

I ran an ER-X and a AC-LR with no issues, windows 10 unifi controller.
 