Limitations of Unifi on 173 Unit Apartment Project

I’m wondering if anyone has deployed the Unifi equipment in a large apartment project - 200+ units. I’ve done about 30 projects with unifi equipment where the building has fewer than 60 apartment units. I use all unifi equipment and pfsense as the firewall. So long as I don’t use the Unifi APs, I have no issues at all.

The new network for my 173 unit community will be simple:

  • pfsense firewall in HA
  • 10G core Unifi switch
  • 48 Port Unifi Switches in all the IDFs connected with fiber to the core switch
  • 8 port Unifi switch in each unit connected to the IDF with (1) cat 6
  • Every unit has a separate vlan off pfsense

Tenants are required to provide their own router in their apartments where they manage their own wifi. This eliminates 95% of all support calls. In my experience this setup for works up to 50 units. But I’ve never done 173 units with this setup.

Any feedback / comments on my proposed setup?

1 Like

Off the top, it seems like 173+ VLANS is needlessly over complex.
Why?
Maybe I’m missing something here, but that setup seems, frankly, painful.

For context I operate a tech service house like Tom and work with hotels, motels and resorts here in FL. Most of these setups are 3 VLANs and sometimes 4. Many of the hotels networks support over 1000+ devices per site.

that good to know. And yes, it is very very painful… especially in HA.

Historically I’ve setup each apt on its own vlan. That way if I chose to provide wifi in the units, I can give each unit their own SSID (with unifi equipment). In addition, by giving each unit a vlan I can bandwidth shape / limit more easily by unit. It’s easier for renters to add their printers / IOT on their own network and avoid conflicts / hacking across all units. This is basically a “poor mans” version of a managed service solution provided by AT&T or others. I’m the real estate developer of the building, so this is a profit center for me when I manage the solution myself.

I would love to have 4 vlans but I’ve researched this question before and there is no way to setup 173 SSIDs on one network. But I’m open to new ideas / suggestions.

The programing of this setup a very hard and takes a long time when you do pfsense in HA.

Without knowing more, this would be my preferred approach on this project

  • K.I.S.S. Keep it stupid simple
  • Guessing that the ISP is providing a large connection (not a typical user connection) see about getting a block of public IPs to cover the 173 units plus the office and any additional IPs needed for management devices or functions like HA router. Most leased lines SPs include this but many seem to hide the fact
  • pfSense has DHCP service and doesn’t care if the IPs are private class A B or C IPs or public IPs so it can serve public IPs just as easily
  • If you want to be “extra nice” to the residents, statics can be offered, again easy to do with pFsense. Some places sell this as markup service
  • If you can’t get a block of IPs to cover the residents, no problem, use a class C with a /23 subnet, that will yield 510 IP addresses, more than enough to cover the 173 residents and devices consisting of infrastructure (switchs, APs, etc)
  • Resident DMARC for connectivity is a wall jack RJ-45, they can plug their own WiFi router in and if functionally no different then how ISPs deliver their services.

VLANs
3 Total

  • One VLAN for the infrastructure (switches, APs, IP security cameras, pfSense firewalls, etc) (example private class A IPs for infrastructure 10.0.0.0/24)
  • One for resident IPs (If public IP block/23 or private class C IPs 192.168.0.0/23)
  • One for the property managers (example private class B IPs for property managers 172.16.0.0/23)
  • Possibly a 4th VLAN for guest wifi network, available in public spaces and recreation areas like gym, pool game room etc.
  • By setting it up this way it makes it easier to identifying the source or destination of traffic
  • Because of the need for HA suggest redundant switches behind the pfSense firewalls. Basically 2 switches operating in layer 3 mode and the layer 2 switches after that. Some Unifi switches do layer 3

Logical Diagram

Internet Modem

pfSense FW routers in HA mode

(Optional) (2) Layer 3 Switches

Layer 2 Switches

(Optional) Guest WiFi network and Resident Router

Resident Devices

Tools
CIDR calculator
https://www.subnet-calculator.com/cidr.php

Public and Private Networks
https://www.meridianoutpost.com/resources/articles/IP-classes.php

2 Likes

If you have to provide WiFi, suggest the Unifi AP in wall. Access Point In-Wall – Ubiquiti Inc.

Understand these devices do not have the ability for NAT (router) so they would need to be behind either the resident’s router or you would have to provide each resident with a router (either physical or virtual).

Understand that even if the AP is behind a resident’s router, the AP can still be managed behind the residents device if the AP is pointed at the controller by either FQDN or IP address. Set the upstream pfSense DNS service to have a static host override so when the AP needs to find the controller if won’t get lost.

To address the potential for hacking, Unifi APs have the guest traffic isolation feature that keeps them from communicating with with other devices on the same local network. This is generally good, but does occasionally break stuff. Hotels and resorts don’t see users bringing in their own TVs or IoT light bulbs and thermostats. With residents bringing their own stuff like smart TVs and smart hubs, client isolation interferes and breaks this stuff. At this point your deep into configuration per resident times 173. Not fun

The simple way is deliver the service to them and let them run their own wifi router.

2 Likes

Interesting approach. I’ve thought of this but could not not find good / easy solutions to:

  1. Bandwidth shaping / limiting. I give everyone a 100Mbps limit to the unit (not per device). They can upgrade for a price

  2. When you enable client isolation, users with little IT experience will have a very hard time connecting a printer, IoT device, smart speaker. I have not played with this a lot, but can imagine the issues.

Thank you very much for taking the time to look at this. I am considering hiring someone to program everything for me when I finalize the design. But the project is in Grand Rapids, MI.

1 Like

pfSense does traffic shaping and limiting
https://docs.netgate.com/pfsense/en/latest/trafficshaper/limiters.html

On the subject of WiFi

1 Like

No problem. Grand Rapids is my home away from home, Mom’s side of the family is from Baroda, South Bend, Niles and Benton Harbor. Grand father was a real estate tycoon, had a construction company and established Holiday Inns all over Michigan. I worked with a logistics company in Grand Rapids up until 2018. One of my favorite places to get breakfast was the 76th Street Diner

small world indeed… Love Grand rapids. My building is at 470 Market. I’m converting an old warehouse into an apartment building. It has a TIF, historic tax credits, Opportunity zone, and more!!

Re traffic shaping on PF, I’m using that now. However, there is no way to share / limit bandwidth to an apartment if it’s not on a vlan per unit. I’ve done both limits and sharing. But the only way I found to do it is by IP range. If everyone is on the same subnet, there is not way to limit to 100 Mbps per unit.

I’ve had issues in the past with one unit running datacenter like operations out of a unit. They consume > 50% of the bandwidth. And I’m constantly chasing MAC addresses or IPs… This is really why I have all the vlans. But would love to remove them.

I’ve looked at 3rd party bandwidth managers. They are expensive.

1 Like

here is my building

Glad I kept the link for this.

For pfSense bandwidth limits I took this years ago and have been using it since with no issues.

2 Likes

That’s amazing. I wish you well with this new endeavor.

This time of year is great, did many 4th of July celebrations with family at Uncle’s farm in Sodus and Stevensville TWP

Planning a trip up there to Novi in the 4th qt to visit friends and may even drop in on Tom lol

1 Like

Seems like a perfect project to learn ansible to program both pfsense and the unifi switches, it’ll mean about 15 lines of code to program everything

1 Like

Going back to the KISS principle, why not just set the port on the switch, in the rack that connects to the Unifi device in each apartment, to 100Mbps? If the customer wants more, say a 1Gbps connection? Increase the bandwidth at the switch, no traffic shaping necessary, it’s a hard limit of 100 Mbps.

Then you could traffic shape to other speeds if you think 1Gbps is too much.

4 Likes

that is good idea… Easy to implement for sure.

Another option would be to use PPPOE with rate limiting in the pppoe stack. Looks like it’s possible in pfSense, but requires some delicate handholding

I have never done it so ymmv.

Is that possible with UniFi? If so that would be one way to do it but then it’s effort duplicated x173

Instead of an 8 port switch in each apartment ($99 * 173 = $17,127), why not run the cable from your IDF straight to a wall jack? The resident will provide their own router and simply get a DHCP public or private IP (based on feedback from this thread) from that, then dish out their own local IPs to connected devices in that unit. Or is there a reason to have multiple ports in the same unit that I’m not seeing?

1 Like

In the past I’ve provided multiple jacks per unit. But in this case I’m only providing 1 per unit, so I’m going to do exactly what you suggest. I’m going to remove that switch and save $$ and mgmt!!

Thx for the feedback!

I’ve been thinking a lot about this and am going with many of the recommendations here. I’m not doing 1 VLAN per unit. Way too Complex. I will deliver 1 ethernet connection to each unit and require the tenant to install a router / AP. All units will be on a vlan and on a /23 subnet.

That way I can do bandwidth sharing per unit @ the firewall level. If someone is abusing BW I can drop them down to a 100 Mbps port on the switch. Each unit will be responsible for their own wifi and firewall. I’m going to remove the 8 port in the media enclosure and simply cross connect from the unit to the IDF in the media enclosure (making sure to limit to < 300’).

Thank you everyone for your experience and feedback!

1 Like