I’m getting ready to deploy a Unifi network at a 52 unit apartment building. I have 1G asymmetric fiber coming into the building. I will have a pfsense firewall and all Unifi switches and wifi.
Ideally I would like to install APs in all the units and throughout the building. I would establish a building wide Public Wifi with the goal of allowing tenants to roam through out the building on the same Class B network. Within each unit, I would have a separate vlan on a dedicate LAN network for each unit with a separate wifi for that unit.
For Example - Unit 201
Public Wifi (LAN) = 192.168.0.0/16
UNIT-201 Wifi = 10.1.1.0/24
UNIT-201 LAN = 10.1.1.0/24
Here is my plan to do this.
Create a WLAN Group for each unit. In this unit I would create WLAN Group UNIT-201
Setup 2 Wireless Networks for each WLAN Group specific to each unit (Public Wifi & Unit Wifi). Under the wifi network setting for the Unit I would enable VLAN and assign the vlan number 201.
I would setup a switch port profile. Native Network is LAN and Tagged Network is the UNIT-201. I would assign this to the port the Wifi device is connected to in the unit. The uplink in Unit 201 would be on Native Network of LAN and all other ports in the unit would have a Native Network of UNIT-201
In the WAP for the unit, I would change the default WLAN group to UNIT-201
My question is, will this setup allow users to roam throughout the building on the public wifi? I’m wondering if this will cause users to somehow drop their connection as they roam from WAP to WAP rather than seamlessly exchange access.
Note: if I could establish 53 SSIDs in one WLAN group, this would be simple. I would have 1 WLAN Group, setup Public and 52 unit SSIDs. But because of the 4 SSID limit, this is the only solution I could come up with.
You would need to lab it I think to be sure but I would guess that SSID’s across groups are not going to roam.
You can disable the 4 SSID limit but it might then only allow 8 I don’t recall for sure. Even if that did allow you to have 53 you would need to only allow the 2 that are are required on each AP on an AP by AP basis manually else your APs will spend all their time sending beacons and no time doing data transfer.
I do wonder however how many people are going to roam. I guess if there are public areas then you may want a generic SSID in those areas but it would probably make more sense to have separate AP’s in those areas as it will significantly reduce complexity.
I have never tested roaming against SSID’s in groups or created that many groups in UniFi. Sounds like it would work, but I would test it before deployment.
Wanted to close the loop on this. I submitted the same question to Support at https://www.ui.com/.
Here is their answer below for anyone else trying to do this.
“If the 2 wifi networks are part of 2 different wlan groups, then even if the wifi networks have the same name and password, the clients wont be able to roam between the 2 wifi networks.”
And this is why Unifi’s network setup has always bugged me. I shouldn’t have to make the same SSID 10 times if I have 10 WLAN groups. Every other wireless controller I’ve used has a single list of SSIDs, and the WLAN groups just define which of the SSIDs from that list are included. But Unifi’s way makes a separate SSID list for each WLAN group.
@dfriestedt unfortunatly that’s what I thought. It might not be “proper” roaming but might still work for what you need though, like I said, how many public areas are there and how big are they. You might just be better with some additional AP’s on a separate group for public.
@brwainer I had never really thought about that before. I did the ubiquity training and exam a few years ago but I don’t think groups was ever really covered (although my memory is terrible so it may have been). It would make much more sense to define the SSID then assign that SSID to a group particularly on a site where you need a setup like Drew does (or for a school campus)
I would love to see it tried… I think it does work possibly. I say this based on my experience with a group I created. It let me copy my ssid from one group to the other. That would imply it is all the same.
In the end it may be coming down to the definition of “roam”. In my mind if you have the same ssid and same password the device connecting will tend to go to. The better connection. Do we really need the unifi controller to force this behavior? I had dumb access points in the past and this type of behavior worked.
It works but the devices tend to hold onto the AP they are connected to until the signal gets to a specific point then start looking for a stronger signal rather than jumping to the current strongest.
This generally means they connect at a lower speed as the signal degrades and slows the whole system down rather than switching to the stronger signal.
Just so it’s noted here as well, someone send me a DM to ask how to lift the 4 SSID limit;
If you goto settings, wireless networks you will see that it says;
A maximum of 4 wireless networks are allowed per WLAN group when connectivity monitor is enabled
go to site, enable advanced options if it is not currently enabled then look for uplink connectivity monitor, untick it, apply setting, head back to wireless networks.
I do have Guest Wifi APs in the elevator lobby on each floor and community spaces, but not down the hallway.
The more I think about this the more I’m rethinking my goals. In all honesty, what I’m trying to do is establish a building wide wifi network that is unique to each user (which is different than my original question / post). I envision the tenant walking into the building and having wifi in all areas of the building. From the main lobby to the halls to the unit. The tenant in Unit 201 would be on vlan 201 everywhere. When the tenant goes into the unit they can connect their wired devices to any one of the 4 LAN points in each unit (which would be on vlan 201) and they can connect their wireless devices to the WAP in their unit on vlan 201. The wireless connections within the unit (from a printer or TV) should not use a captive portal. They need a SSID and PW.
Herein lies the rub. I think I can assign vlan 201 via captive portal when the tenant walks into the building. They can roam everywhere as expected on vlan 201. However, when they get into their unit, how do they connect a wireless printer or TV over the captive portal? They would need a std SSID / PW on vlan 201. That then requires 52 SSID on all WAP, which is why I was thinking WLAN Groups instead…
Maybe this problem is beyond the capabilities of Unifi and I need to change my requirements Public Wifi in common areas only and wifi in the units that cannot roam.
I know AT&T and others have some managed building wifi system that allow this. I wonder how they do it.
The fact that you had to “copy” the SSID means it is not the same. But this is easy to prove - change a setting that wouldn’t be noticeable to users, like enabling/disabling 802.11d, and then look to see if the “same” SSID in another group has changed also. In any other controller they would have, but in Unifi it will not.
This is where RADIUS and Dynamic VLAN come into play. The wireless printers and TVs which can’t do a portal get registered into RADIUS by their MAC address. But this can’t be done just with Unifi - you need a lot of server side programming to make the portal register users and devices into the RADIUS server with the correct config. I’m not aware of any premade system for this - the companies that do this for large numbers of apartment complexes and/or hotels have all made their own bespoke systems (I used to work for one).
Interesting. That is sort of what I figured. As a real estate developer, I know just enough to be dangerous… And now I’m into DANGEROUS territory.
@brwainer How do the apartment communities handle users that are adding / subtracting printer and TVs? I can see how this would work for a hotel where TV / Printers are static (not changing frequently). And anything that does change can be managed one by one by an admin. But for an apartment community, this would be hard to administer because things would be changing constantly at the whim of the tenant.
The old way is that people need to call the customer support to add a new device. Inactive devices get purged annually (especially for apartment complexes that target college students). The new way is that each tenant has a user account on the website, and there can add and remove their own devices.
I’d recommend talking to managed service providers that specialize in this, since the portal and customer service aren’t feasible at the single-complex level. There are two that are capable of something like you’re asking for:
Single Digits
Guest-Tek
For others you can use search terms like “Managed wifi MDU”
Edit: Note that almost any MSP that has built out their portal to do what you are wanting, is more or less beyond using Unifi, Grandstream, etc for networking - they are using Aruba, Ruckus, etc. But at the scale of these companies, pricing can be very good.
I’ve actually got an installation that does exactly what you are wanting to do, but it works slightly different than your approach with the unifi AP’s. I’m using Aerohive AP650’s (they’re now Extreme Networks). They have a feature that lets you have unique private keys, which in turn place you on the appropriate network. I basically have three networks, Guest, Staff and Project. The Guest network is a standard capture portal, and the staff network is a single network that’s spread across all of my AP’s.
The project network is where it’s a little different. The project SSID is configured as a special private key authentication, and each of about 12 projects I’ve got in our facility have their own private key. There are multiple ways to implement this, but we just assigned a unique SSID password to each project. When you join the SSID, the private key assigns the user/device to a specific vlan that is routed and controlled with pfsense. Since I’m using a common backbone to connect all AP’s, roaming is fluid across all of the campus.
You can also use RADIUS to do the assignments, but that was more complex than we needed for that installation. A single AP650 could probably serve several apartments. If you’re wanting to try their solution and have a device in each unit, I’d go with a smaller and cheaper unit.
So far, they are the only ones I’m aware of that can do that type of setup. Cisco comes close, but I got tired of fighting with their AP’s doing non-advertised things, and their support was not good.
That Aerohive feature sounds really neat and useful. Just be careful when picking APs from Extreme - they have purchased many different companies over the years, and they have at least two different sets of wireless devices. You do NOT want the “WiNG” series, that is from their acquisition of Zebra (spin off from Motorola). It would not have this feature you are looking for. I’m looking at Extreme’s website, and they don’t make it obvious which models are which. The only way I can even tell for some of them, is to look at the release notes for the WiNG Controller. So these models are WiNG and you should avoid:
AP310/360
AP410/460
AP505/510/560
anything with a 4-digit model number
My only experience with Extreme has been with the WiNG series, and overall I was not impressed. Neither was the large hotel chain which Extreme had convinced to let them show how good they were. It was right after that when they announced the Aerohive acquisition.
I can’t really say I’m an advocate for Extreme, either. Their support is better than unifi, but it comes at a premium. Their products are not near as user friendly from an administrative standpoint as the unifi, either, but you do get more powerful features. I’m not really a MSP, but I’ve got 10 sites that use unifi and two that use Aerohive. I’ve never had issues with the unifi installations from a WAP standpoint, where I have had some weird DHCP issues with the aerohive WAP’s. Support for aerohive was much better before they were bought out by Extreme.
The main reason I’m mentioning the feature at all is that it is a perfect solution for what the OP was requesting. I’d LOVE for unifi to introduce a PSK feature to their controller so that we could implement these on their WAPS.
Ok, so I did a bit more testing to prove to myself that what others have said is correct (forgive me, I know you guys are all professionals but I’ve been stung by “no that just works” before) and as expected, creating a new group, copying the ssid’s then changing the ssid on one group does not replicate to the others. (tested a change to vlan and to encryption type).
It looks like they run some sort of voting system but you have to be logged on to the forums to view and vote. If we could get @LTS_Tom to mention this on Thursday (and tweet, etc) and get a few people to up vote then maybe, just maybe, Ubiquiti might look at it…
Shame it’s behind a login page but I guess that helps Ubiquiti keep it from getting trolled.
