To finish out my misadventures in home networking, I wanted to capture the process to add a second site and setup the site-to-site VPN. It was less than obvious.

Preparing Your First Site

The first thing one needs to do is prepare the first site. This involves enabling Multi-Site Management and then configure the USG to expose the needed ports for the controller.

Enabling Multi-Site management can be accomplished using the following steps:

1. Configure your controller to use the New User Interface.
2. Open Settings
3. Open System Settings
4. Expand Controller Configuration
5. Expand Site Configuration (within Controller Configuration)
6. Make sure your first site has a name
7. Check the Multi-Site Management dialogue to enable it
8. Apply these settings

Now, in the upper left under the Ubiquiti logo, you will see a circle with an abbreviation of your site name in it. This is how you switch sites. Click on that and you can add a second site.

Once you have added that, go into the second site, open Settings, and create your Network and WiFi networks. Note: You must configure a different subnet than your current site. (E.g. If your current site is the default 192.168.1.x, you should configure for example 192.168.3.x.).

Upon completion, it is time to configure the USG. See Ubiquiti’s knowledge base article and create port forwarding rules for everything in the “Ingress Ports required for L3 management over the Internet” to point to your controller.

To make things easier, it is probably easiest to setup a DDNS service to make it easy to find the controller from the second site.

At this point, it is time to move onto configuring the second site.

Configuring the Second Site

All Unifi security gateways by default are on the 192.168.1.x subnet. Because this is a second site, it will have to be configured differently. You will need a laptop connected via Ethernet to the LAN port of the gateway to do this. For the sake of this blog, we’ll assume the second site is 192.168.3.x. The steps required are as follows:

1. Connect the laptop into the USG LAN port.
2. Setup a static address on 192.168.1.x network – any address is fine other than the default of 192.168.1.1. Set 192.168.1.1 as the gateway and a public DNS server such as Google’s at 8.8.8.8/8.8.4.4.
3. Open in a browser https://192.168.1.1/.
4. Change the address to the new subnet (192.168.3.1) and apply these changes. Ensure that the WAN connection is active/valid.
5. Change your laptop’s IP to the new subnet.
6. SSH into the USG using the default credentials.
7. Enter set-inform https://yourddns:8080/inform/
8. Wait a few minutes and the device should show up in the Unifi portal at the first site. Adopt the device into the second site and this phase is complete.

Once the USG is adopted, other devices can be setup and adopted accordingly.

Configuring the Site to Site VPN

Once both networks are online, setting up a Site-to-Site VPN is very easy. In the Unifi portal, go to the Networks section in either site. Create a New Network. Pick Site to Site VPN and select the other site – and that’s literally it.

My own experience is that occassionally it will get disconnected and the easiest fix is to simply delete and re-create the VPN network.

******

Hope this has been helpful!

One of the perils of having a large square footage house built in the 1980s is that it is impossible to get WiFi coverage from a single access point. And there is no Ethernet wiring in the walls. This is the tale of how I actually got this problem reliably resolved such that there is decent WiFi coverage in the house and on the two outdoor patios.

Resolving the Cable Backbone (or lack thereof)

Short of pulling CAT6 through the walls, there represents two technologies to create a virtual cable backbone. Powerline Ethernet (which as its name implies uses the electrical wiring) and MoCa (which uses the coaxial cable for TVs). Both offer several hundred megabits of capacity.

MoCa seemed the ideal solution – except that I was unable to get it to work due to IP address conflicts with the neighbors (seriously!). Turns out (from a very helpful upper tier tech at Comcast) that I probably need a MoCa filter as the cable enters the house – and these did not exist in the mid-1980s.

Instead, I used PowerLine networking with hubs/access points in strategic locations going back to my office, where it is patched into a Gigabit Ethernet switch, which in turn is connected to my router. I plan to go back and revisit MoCa once I can source and try a filter.

WiFi Hardware

For the routers themselves, I went with the Asus RT-87 and am using the open source Merlin firmware. The main one is configured as a router, the second and third as access points. IPs are managed by redundant DHCP Servers running on Windows Server 2012 R2. DNS and WINS are both local, though DNS forwarding is going to Comcast’s DNS servers. The reason I went with this approach is, beyond having greater control, DNS is automatically updated so it makes it easy for other devices to find each other on the network. The other custom setting besides WPA2 AES encryption I enabled was dropping signals if less than -70 to force devices to switch access points while traversing the house.

The WiFi Channel Config

Getting the three access points to play nice with other is no mean feat. The reason is that if they are all configured identically, they will be overlapping with each other. So the 2.4 GHz and 5 GHz radios each need to be configured to not broadcast over each other.

The 2.4 GHz Channel Configuration

2.4 GHz channels can be configured to use one of a handful of channels and 20 Hz, 20/40 Hz, or 40 Hz channel widths. 20 Hz channels should be selected unless one only has a single access point, in which case 20/40 Hz should be selected. 40 Hz likely won’t be compatible with many devices. If any 40 Hz channel width is selected, effectively the entire spectrum is then consumed. So, with three access points, the only channels that don’t overlap are:

• Channel 11
• Channel 6
• Channel 1

– making the choice quite simple, with a cap of 3 semi-overlapping access points.

The 5 GHz Channel Configuration (and where it really gets complicated)

5 GHz channels are a bit more complex, as you can configure 20 Hz, 40 Hz, or 80 Hz channel widths along with respective fallback. Using 20 Hz channels makes little sense, as you’d be unable to leverage the higher bandwidth of the newer WiFi standards. The latest AC standard requires 80 Hz channels.

Using a 40 Hz channel width, you can get Channels 36, 44, 149, and 157 on most access points – none of which will overlap. This means you are limited to four access points. If you want to use 80 Hz channels, then you are limited to two access points – on Channels 36 and 149 only.

The other wrinkle is that the 1xx channels are not visible to devices several years old. But since everything here is new enough (2012+ or could use 2.4 GHz), I went with 40 Hz channel width and Channels 149, 157, and 44. At some point, I may explore enabling 80 Hz frames on Channel 149 for the main floor access point (and most used) and then using the other two at 36 and 44.

Parting Thoughts

This was far more complicated to get right than I ever envisaged. at this point, if I need more coverage, I’ll have to get repeaters given channel saturation. And there is not a lot written on how to set this up. Commercial grade WiFi solutions make this easier – such as a Cisco Meraki system – but those cost far more than anyone would reasonably be willing to invest in home WiFi. Eero looks very promising – but is not yet available. So hopefully this helps you if found in a similar situation.

The point of this post is to hopefully save any reader the aggravation I just went through over the last several hours coupled with the years of missed performance.

The Topology:

The main access point is an Apple Airport Extreme 802.11ac access point connected to a Comcast cable modem at 1GB/s. The access point is connected to a 600MB/s PowerLine network via Gigabit ports and a Gigabit switch for local hardwired clients. There are two Apple Airport Express 802.11n access points connected via the PowerLine network for the upper and lower floors of a three floor home, respectively. Everything was auto-configured using Apple defaults.

The Symptom:

I just purchased a Surface Pro 3. And discovered that its WiFi speed was 3MB/s. After resolving several Microsoft-related issues, I boosted performance to a whopping 15-20MB/s. Not settling for this, I spent several hours researching…

The Problems:

I discovered several issues upon troubleshooting everything:

• The out-of-box defaults use a single SSID for both the 2.4 GHz and 5 GHz band. It turns out that a number of Windows systems do not like this configuration and will end up on the 2.4 GHz band. Based on anecdotal testing, I may have had some Apple devices in this category as well. 
• Out-of-box defaults left no control over channels. Clearly I had some channel overlap between the access points going, which explained why performance degraded when devices were active across more than one access point.

The Solution:

• Configure a separate SSID for the 2.4 GHz and 5 GHz ranges. Point any 5 GHz capable device to the 5 GHz SSID. 
• Manually configure the channels for the 2.4 GHz ranges
  • Channels 1, 6, and 11 were used – as they do not overlap. Note: You can really only get 3 2.4 GHz access points in a given location before you start getting channel overlap as the spectrum used per channel overlaps with its neighbors (e.g. – Channel 1 overlaps with 2, 3, 4, and 5).
• Manually configure the channels for the 5 GHz ranges
  • Channels 36, 40, and 44 were used; there are varying reports that these would slightly overlap but no issues were seen in routine testing

Now, 5 GHz devices routinely get 100MB/s+ from the Internet when on the main access point and 50-60 MB/s when on a remote access point going through the PowerLine network. 

Hope this helps!