[UniFi] Network Controller ver. 6 | Intermediate Setup

This is an updated version of the UniFi controller intermediate setup guide, using the version 6 UI.

Are you not satisfied with the result of your basic UniFi network setup? Are you curious what happens if you turn on the other settings? Now that you have a solidly functioning setup, you can start playing around at your own risk.

Pre-requisites

List of features covered in this article

This article will be updated as I learn/play with other different configurations.

Before starting, there are two suggestions:

  • Only make one or two changes at a time. Ideally wait a day or even longer to make sure everything is still working as intended.
  • Keep track of what you have changed. You may even consider using a spreadsheet to create a log if you intend to change many things eventually.

System Setup

As of the time of this writing, here is the system I have, which has expanded greatly since my original setup.

  • UniFi Dream Machine Pro (Firmware 1.8.5.2964)
  • UniFi Network Controller Version 6.0.43
  • USW Aggregation (5.43.18.12487)
  • USW-Pro 24 Gen 2 (5.43.18.12487)
  • USW-Flex Mini x 3 (1.7.5.636)
  • Access Points 
    • UAP-IW-HD x 1 (5.43.19.12493)
    • UAP-HD x 1 (4.3.24.11355)
    • UAP-SHD x 2 (4.3.24.11355)
    • UAP-nanoHD x 1 (5.43.19.12493)

New Dashboard

Setting > System Settings > New Settings

Function

Checking this option changes the main dashboard to show real-time data use. I personally like the appearance, so I have it on. However, it has no effect on actual network performance.

Potential Issue

The information displayed in the beta dashboard differs from the classic one. For instance, there is no Anomalies section. If this or other information is important to you, you might want to hold off on using the beta dashboard.

Recommendation: Optionally, turn on New Dashboard based on personal preference.

Custom DNS

Setting > Internet > WAN Networks > Edit  > DNS Server

Function

DNS is the phonebook of the Internet. Choosing the right DNS server can help improve internet connection latency.


DNS can also be used to filter malicious sites or adult content. I would try the 1.1.1.1 DNS.

With it, your web surfing experience may improve thanks to faster-loading web pages.

Potential Issue

Not every site will benefit from a given DNS server. Imagine different phone books: one built for country A, another for country B, and a third covering both A and B. A dedicated single-country book has fewer entries, so a name can be found more quickly than in the combined book. However, if the wrong book is used, it takes longer, because a second book has to be fetched.

Recommendation: Try using 1.1.1.1 DNS

You can try running the ping command against some of the websites you commonly visit, before and after changing DNS, to see whether things improved. In reality, though, user experience is what matters: if you do not notice any improvement, or web pages load more slowly, consider reverting.
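A more direct before/after comparison, as an added example that is not from the article: time the DNS lookup itself against two resolvers (ping reports the ICMP round trip to the resolved address, not the lookup). The resolver address 203.0.113.53 is a constructed placeholder for your current/ISP resolver; the hostnames are examples only.

```python
# Added example (not from the article): time an A-record lookup against two
# resolvers, e.g. the resolver you had and 1.1.1.1, using only the stdlib.
import socket
import struct
import time

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp: bytes, txid: int = 0x1234) -> dict:
    """Return rcode and answer count; reject a reply for another query."""
    if len(resp) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "answers": an}

def time_lookup(resolver: str, name: str, timeout: float = 2.0):
    """Milliseconds for one UDP query/response round trip to `resolver`."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(512)
    return (time.perf_counter() - start) * 1000.0, parse_header(resp)

if __name__ == "__main__":
    # Constructed placeholder: replace 203.0.113.53 with your current resolver.
    for resolver in ("203.0.113.53", "1.1.1.1"):
        for site in ("example.com", "example.net"):
            try:
                ms, hdr = time_lookup(resolver, site)
                print(f"{resolver:>14} {site:<14} {ms:6.1f} ms "
                      f"rcode={hdr['rcode']} answers={hdr['answers']}")
            except (socket.timeout, OSError, ValueError) as exc:
                print(f"{resolver:>14} {site:<14} failed: {exc}")
```

Run it a few times per resolver, since the first query is usually a cache miss and the later ones are served from the resolver's cache.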

Alternative

The DNS server can also be set at the LAN/VLAN level.

Enable Fast Roaming

Setting > Wi-Fi > Edit Wi-Fi Network > Advanced 

Function

Enabling fast roaming allows supported client devices to roam faster (ref). This applies only to clients that support it; in other words, if a client does not support the 802.11r protocol, you gain nothing.

For instance, iOS devices do support 802.11r (ref).

Potential Issue

When the original version of this article was written, enabling fast roaming resulted in asymptomatic “long association time for access point” anomalies.

This still happens with the version 6 controller; however, if you have turned on the new dashboard, anomalies no longer show up on the dashboard, so you may not notice it.

Recommendation: For WPA Personal, keep it off. For WPA Enterprise, turn it on and see if it makes any difference.

In general, you need to meet all 3 criteria below to benefit from Fast Roaming option:

  • Client supporting 802.11r
  • Need seamless roaming e.g. Wi-Fi call
  • WPA Enterprise

In general, this feature is for setting up a seamless roaming experience. One application that needs seamless roaming is Wi-Fi calling, where one moves from one area of the home to another and cannot tolerate a temporary drop of voice (one or two sentences). If you are not in such a situation, there is no reason to turn it on.

If you are using WPA-Personal for security, the practical gain of the 802.11r fast roaming feature is minimal. In fact, I have tested fast roaming “on” and “off” using my iPhone 12 Pro. It is not the most objective measure, but I walked from one area of my home to another with the iPhone 12 Pro running the Wi-Fi Sweetspots app. The tested APs were the SHD and HD. The transition from one AP to the other happened at a relatively similar spot, with more of a dip in speed from the HD to SHD transition than the other way around. This was true whether I had “fast roaming” on or off. So my current personal setup sees no reason to turn it on.

in a network using WPA2 Personal security, shrinking the number of messages from eight to four is naturally helpful for efficient airtime utilization, but is really unimportant to the roaming process from a perceived service-quality perspective.

https://www.networkcomputing.com/wireless-infrastructure/wifi-fast-roaming-simplified

If you are using WPA-Enterprise for security and require as seamless an experience as possible, it may be worth a try.

Optimize for High Performance Devices

Setting > Wi-Fi > Edit Wi-Fi Network > Advanced Settings 

Function

This is band steering. Enabling it preferentially steers capable client devices onto the higher-performance 5 GHz band rather than 2.4 GHz.

Potential Issue

Issue: Selected devices unable to connect to Wi-Fi

Description: In my case, out of 40+ home network devices, the B&W Formation Wi-Fi speakers were not able to connect. The Sonos speaker, on the other hand, connects fine.

Also, I’ve found my Nest CO detectors had issues when I tried to newly connect them or switch them from one SSID to another while band steering was on, but as soon as I turned it off, the setup went smoothly.

Symptom: Severely symptomatic for the affected devices. Since those devices cannot connect to Wi-Fi at all, this can be a major issue. The B&W Formation suite is a fairly new product, released in 2019, so this will be very client dependent.

Recommendation: Keep Optimize for High Performance Devices turned off. Turn it “on” at your own risk.

You may be lucky and all your current Wi-Fi devices may connect fine, but if you buy a new device and suddenly notice an issue with it, you would never know whether it is due to the client device itself or possibly to this setting.

Enable Uplink Connectivity Monitor

Setting > System Settings > Controller Configuration > Uplink Connectivity Monitor 

Function

This feature is required when a mesh unit or wireless uplink exists in your network. By default it is enabled.

Disabling this option can reportedly improve your system speed and UniFi recommends it.


Unless your network needs to use wireless uplink or benefits from the use of this feature, we recommend you disable the Connectivity Uplink Monitor & Wireless Uplink setting. 

[…]

Disabling this setting can offer some improved speed and is often suggested when network speeds with UniFi are less than ideal.

https://help.ui.com/hc/en-us/articles/115002262328-UniFi-Configuring-Wireless-Uplink

Potential Issue

Mesh or wireless uplink systems will not work when this is turned off. This includes the UniFi Smart Power Plug.

Recommendation: Leave it “on”, as disabling it could create issues with mesh products.

Deep Packet Inspection

Setting > Security > Traffic & Device Identification

Function

DPI analyzes traffic and reports the type of usage on your network, e.g. video streaming vs. file transfer. Such information may later be used to create traffic restrictions, to look into what is using the most data, and so on.

DPI Data Example (Sony TV)

Above is an example of the information I get by turning on DPI. It is our main smart TV. On it we can see both Amazon and Netflix traffic, but Amazon far dominates, which indeed matches our current usage pattern. Unfortunately, the most data use comes from the Unknown category, unknown application. My guess is that this is our local Plex server streaming, but it simply shows the limitation of DPI, though it is still a cool feature to have. The same data can be gathered for any device connected to my UniFi network.

Potential Issue

DPI requires processing power and reduces system throughput, though to a far lesser extent than IDS/IPS. Below is a table from the official UniFi document.

As we can see, turning on DPI without IDS/IPS should have no real impact on throughput. It is worth mentioning that this applies only to internet traffic, so I get full local network throughput of 10G (9.4 Gbps) on my devices with DPI and IPS turned on.

For Dream Machine (base) and USG users, DPI alone should still give you essentially full gigabit throughput.

Recommendation: Turn DPI ‘On’.

DPI should cause no real throughput issue. If you notice unsatisfactory throughput degradation, simply turn it off.

Device Fingerprinting

Setting > Security > Traffic & Device Identification

Function

Enabling Device Fingerprinting automatically identifies the type of each connected device and even assigns it an icon in the network controller UI. For instance, with this turned on, my network topology shows iPhones and iPads with the correct icons.

Potential Issues

This works far better than my former setup (Asus). However, there are still many devices that do not get a proper icon assignment, or the corresponding icon is simply missing. UniFi does have far more options to change icons, so although this is entirely visual, I enjoy this functionality. I am just hoping they will add custom images in the future.

Recommendation: Turn device fingerprint “on”

In the worst case, you can change the icon on your own. This setting may save you from doing so manually for a few devices.

Intrusion Detection and Prevention System

Setting > Security > Internet Threat Management

Function

IDS detects and alerts on threats or malicious activity on the network; IPS automatically blocks them. Basically, this is another level of network security beyond the commonly discussed firewall. This can be one of the major reasons someone is interested in purchasing a UniFi system. For example, I used to get 10+ messages on my network storage device about attempted unauthorized logins. Ever since I turned on IPS with UniFi, I get none.

Potential Issue

IDS/IPS requires processing power and reduces system throughput, so you have to take this into consideration when turning it on.

UniFi Dream Machine Pro Data Sheet

This throughput degradation/limit applies only to internet traffic, i.e. local traffic throughput is unaffected. I have level 3 IPS and DPI turned on, yet my iPerf test still gives 9.4 Gbps up and down on 10G-connected devices.

Recommendation: For UDM Pro users, I recommend turning IPS “on”, because even with it and DPI on, you will still get 3.5 Gbps internet throughput.

For UDM users, I still recommend it “on”, as one can still get close to full gigabit throughput.

For the USG, even the Pro, the trade-off seems significant unless your internet speed is slower than the limited throughput.

Wi-Fi AI

Settings > System Settings > UniFi AI > Wi-Fi AI

Function

This is UniFi’s version of radio resource management (RRM), where the system automatically selects the best Wi-Fi channel setting for each AP to minimize co-channel interference.

Potential Issue

The details of the channel selection algorithm are not revealed. In general practice, overlapping channels should be avoided as much as possible. However, UniFi Wi-Fi AI does not seem to take this into consideration. Although overlapping channels can be utilized by a sophisticated algorithm, I doubt UniFi does such advanced channel management.

Overlap channel exclusion

Settings > System Settings > UniFi AI > Wi-Fi AI > Advanced Settings

For 2.4 GHz, I have excluded all channels except the non-overlapping channels 1, 6, and 11.
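Why 1, 6 and 11 are the ones to keep, as an added example that is not from the article or from Ubiquiti: the script below derives the set of mutually non-overlapping 2.4 GHz channels from their centre frequencies and checks an exclusion list for leftover overlaps. It assumes the classic 22 MHz channel mask by default and goes a step beyond the article by also handling 20 MHz OFDM masks and 13-channel regulatory domains.

```python
# Added example (not from the article or Ubiquiti): check a 2.4 GHz channel
# allow-list for overlap, and derive the exclusion list for Wi-Fi AI.
from itertools import combinations

def centre_mhz(channel: int) -> int:
    """Centre frequency of an 802.11 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")

def overlaps(a: int, b: int, width_mhz: int = 22) -> bool:
    """True when two channels of the given width share spectrum.
    22 MHz is the classic 802.11b mask; 20 MHz is the OFDM (g/n/ax) mask."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width_mhz

def overlapping_pairs(allowed, width_mhz: int = 22):
    """All pairs in an allowed-channel list that would interfere."""
    return [(a, b) for a, b in combinations(sorted(allowed), 2)
            if overlaps(a, b, width_mhz)]

def non_overlapping_plan(candidates, width_mhz: int = 22):
    """Greedy lowest-first choice of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(candidates):
        if not any(overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen

def excluded_channels(region_channels, width_mhz: int = 22):
    """Channels to put on the Wi-Fi AI exclusion list for this region."""
    keep = set(non_overlapping_plan(region_channels, width_mhz))
    return [c for c in region_channels if c not in keep]

if __name__ == "__main__":
    us = list(range(1, 12))  # constructed: FCC domain, channels 1-11
    print("keep:", non_overlapping_plan(us))              # [1, 6, 11]
    print("exclude:", excluded_channels(us))               # [2, 3, 4, 5, 7, 8, 9, 10]
    print("bad pairs in 1/6/11:", overlapping_pairs([1, 6, 11]))        # []
    print("bad pairs in 1/5/9/13:", overlapping_pairs([1, 5, 9, 13]))   # [(1, 5), (5, 9), (9, 13)]
```

The 1/5/9/13 plan is only clean with the 20 MHz mask, which is why it is a regional 13-channel option and not a safe default.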

Recommendation: Turn Wi-Fi AI “On” with channel exclusion setup

My personal setup has had Wi-Fi AI running daily at 3 AM ever since I got the UniFi system, i.e. for over 9 months. It may not appear to be the smartest AI, but it works reasonably well, as I can achieve 500-600 Mbps on Wi-Fi Wave 2 access points, which is essentially the theoretical peak for 2×2 MIMO clients. The Wi-Fi environment keeps changing, as your neighbors may change their settings.

Alternative

If you’d rather set channels manually, proper manual channel selection may indeed do a better job than UniFi’s Wi-Fi AI. You also avoid any unpredictable change to your network’s channel settings. Here is a detailed explanation of the concept and technique of manual channel selection. If you have the time and interest, it is worth trying manual settings and comparing them to Wi-Fi AI running for a few days. If you do so, please share with the rest of us how much performance change you see.

Multicast DNS

Settings > System Settings > Advanced Features > Advanced Gateway Settings > Multicast DNS

Function

From the general user’s perspective, turning this “On” allows certain types of devices, like network printers and wireless speakers, on one VLAN to become discoverable from another, so long as a firewall rule is not blocking it.

Network Printer

Without mDNS turned on, my Epson network printer on one VLAN is not discoverable from another VLAN. Turning mDNS on allowed me to see the printer from other VLANs.

Airplay

By default, Airplay across separate VLANs will not work even if inter-VLAN traffic is open. By turning mDNS “on”, I can see Airplay devices across VLANs.

A popular implementation of mDNS is Apple’s Bonjour. The service is primarily intended to more easily connect network printers to a PC or Mac. Because the devices exchange information via their IP addresses, the user must not configure the connection independently. In addition to Apple’s service, you can now also use the open source software Avahi as an mDNS service. This makes it possible to connect different devices without having to perform configurations beforehand. Since Windows 10, mDNS is available as part of the Microsoft operating system.

https://www.ionos.com/digitalguide/server/know-how/multicast-dns/

Potential Issues

  1. Processing power burden.
  2. Security risk.

In many cases, the mDNS is open. This means that it also reacts to external queries (via the Internet). Cyber criminals can find these types of open services and use them for DDoS attacks. The network’s devices are then misused in order to bombard a target server with queries. Furthermore, sensitive data can be discovered via an open multicast DNS. Attackers can, in this way, read the Mac addresses of connected devices, for example, and use this information for further attacks.

https://www.ionos.com/digitalguide/server/know-how/multicast-dns/

Recommendation: If you have a multi-VLAN system and a network printer or Airplay device that you would like to access across multiple VLANs, turn multicast DNS “On”.

Flow Control

Device > Switch > Config > Enable flow control

Function

When there is a significant throughput mismatch between a high-speed and a low-speed interface, speed degradation can occur (ref). This manifests as peculiarly asymmetric throughput. Enabling flow control fixes this issue.

Of note, if you have a UDM Pro and use the WAN 2 SFP+ port, and the link to your modem is >1G, i.e. a 10G link, you may be at risk of the high-to-low interface mismatch issue.

Potential Issue

Flow control has no positive effect when it is not needed. At this point, I am not certain whether there is a negative impact from turning it “on” when one does not really need it.

Recommendation: If you have a >=10 Gbps link in your network, turn on flow control on the switches that are in the path.

2 Comments

  1. Thank you for this. Very detailed. I stumbled in here looking for Unifi info on the XG-16 upgrade. Your posts are very detailed. How do I subscribe to all new Unifi posts in email? Thank you for your thoroughness and all the Unifi posts that I read here.
