I run a small dev office with a few remote employees. We use pfsense + unifi.
I’d like to set up a site-to-site VPN for remote employees, and include a UniFi switch and AP at their location. I’m curious as to best practices here. It would be nice for those remote APs to have the same SSID/password as our main office.
- Should I set up each remote employee as its own site in our UniFi controller?
- How do I have them all use the same SSID and password? I only have a handful of remote sites, so if it has to be a manual process that’s not the end of the world.
What kind of site-to-site are you talking about? From what I am aware, the UniFi switches don’t have the capabilities of site-to-site. Now UniFi recently launched a product that will solve your problem with having multiple devices.
Now this little box has everything in 1 package and you can set up your site-to-site with it, and it has Wi-Fi built in. I don’t know how many network ports they will need, but it’s got 1 LAN port.
I would set this up and have a site built in the controller for each dev. You’ll still need to configure the SSIDs manually on each, but I would think it would be better management if they were each a site.
If you wanted to keep each site separate but with an SSID that’s identical, how about using a RADIUS server for authenticating clients? That way you wouldn’t have to propagate credential changes over every single site.
Thanks for the info. I saw those UniFi Express boxes; they look like a great option.
I’m using pfSense and WireGuard site-to-site. I have that working very well, I’m happy with it. I’ve just ordered another AP and I want to get that set up now.
It sounds like I should go down the path of separate sites. Thanks.
Thanks, I’ll have to look into the RADIUS server option. I’ve never used one.
Why not just use one site? All the APs can have the same config; this is just L2 stuff.
If user management is needed then RADIUS works great, but if this setup only requires KISS then I wouldn’t bother.
I wouldn’t think that would work, but this is why I’m asking around. My current wireless networks (corporate and guest) are assigned to VLANs 25 and 35 with subnets 10.25.0.0 and 10.35.0.0. Since those networks won’t exist in the remote site, I wouldn’t think it would work. I’m not sure what would happen if I configured an AP at our office and then shipped it to a remote site and plugged it in.
We are a small shop and I am the part time IT guy so I truly appreciate the KISS approach.
If you want to KISS, then I would just match up the VLAN IDs at each remote site. That way the APs can all be the same. Then just point the APs back to the controller through the tunnel. Simple.
I’d have the subnets be unique though, I could see some routing problems if they were all identical (depending on how much east/west traffic you expect).
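The advice above (same VLAN IDs at every site, unique subnets per site, APs reaching the controller through the tunnel) can be checked before anything is shipped. The script below is an added example, not code from the thread or from UniFi/pfSense. It assumes a hub-and-spoke WireGuard layout with the main office as hub, assumes /24 masks (the thread gives no mask for 10.25.0.0 and 10.35.0.0), and uses a constructed addressing scheme of 10.<vlan>.<site-number>.0/24 for the remote sites. It flags VLAN-ID mismatches and overlapping subnets, derives the per-peer AllowedIPs lists, and shows why a remote site that clones the office subnets never sends controller traffic into the tunnel.

```python
import ipaddress

# Constructed site plan (example data, not from the thread). VLAN 25 is the
# corporate SSID and 35 the guest SSID, as in the question; the remote-site
# networks and the 10.<vlan>.<site>.0/24 scheme are assumptions for this example.
SITES = {
    "main-office":  {25: "10.25.0.0/24", 35: "10.35.0.0/24"},
    "remote-site1": {25: "10.25.1.0/24", 35: "10.35.1.0/24"},
    "remote-site2": {25: "10.25.2.0/24", 35: "10.35.2.0/24"},
}

# The same plan with the mistake the post warns about: remote-site1 copied the
# office subnets verbatim instead of getting its own.
SITES_CLONED = {
    "main-office":  {25: "10.25.0.0/24", 35: "10.35.0.0/24"},
    "remote-site1": {25: "10.25.0.0/24", 35: "10.35.0.0/24"},
}


def check_plan(sites):
    """Return a list of problems; an empty list means the plan is consistent.

    Check 1: every site carries the same VLAN IDs, so one AP/SSID config
    works everywhere. Check 2: no two sites have overlapping subnets, so the
    site-to-site tunnel can route each prefix to exactly one place.
    """
    problems = []
    vlan_sets = {name: frozenset(v) for name, v in sites.items()}
    reference = next(iter(vlan_sets.values()))
    for name, vlans in vlan_sets.items():
        if vlans != reference:
            problems.append(f"{name}: VLAN IDs {sorted(vlans)} differ from {sorted(reference)}")
    nets = [(name, vlan, ipaddress.ip_network(cidr))
            for name, v in sites.items() for vlan, cidr in v.items()]
    for i, (n1, v1, net1) in enumerate(nets):
        for n2, v2, net2 in nets[i + 1:]:
            if n1 != n2 and net1.overlaps(net2):
                problems.append(f"{n1} VLAN {v1} {net1} overlaps {n2} VLAN {v2} {net2}")
    return problems


def wireguard_allowed_ips(sites, hub="main-office"):
    """Per-peer AllowedIPs for a hub-and-spoke WireGuard layout (assumed).

    On the hub, each spoke's peer entry lists that spoke's subnets. On each
    spoke, the hub's peer entry lists the hub's subnets, which is what lets a
    remote AP reach the controller at the office over the tunnel.
    """
    hub_nets = sorted(sites[hub].values())
    plan = {}
    for name, vlans in sites.items():
        if name == hub:
            continue
        plan[name] = {
            "hub_peer_entry_for_this_spoke": sorted(vlans.values()),
            "spoke_peer_entry_for_hub": hub_nets,
        }
    return plan


def next_hop(sites, spoke, dst_ip, hub="main-office"):
    """Where a host at `spoke` sends a packet for dst_ip.

    Returns 'local' if the destination is in one of the spoke's own subnets,
    'tunnel' if it matches the hub's AllowedIPs, else 'default'. Longest prefix
    wins; on a tie the directly connected (local) route wins, which is exactly
    the routing problem identical subnets at two sites create.
    """
    addr = ipaddress.ip_address(dst_ip)
    candidates = (
        ("local", [ipaddress.ip_network(c) for c in sites[spoke].values()]),
        ("tunnel", [ipaddress.ip_network(c) for c in sites[hub].values()]),
    )
    best = None
    for kind, nets in candidates:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (kind, net.prefixlen)
    return best[0] if best else "default"


if __name__ == "__main__":
    controller = "10.25.0.10"  # assumed controller address on the office corporate VLAN
    print("plan problems:", check_plan(SITES) or "none")
    print("cloned-plan problems:", check_plan(SITES_CLONED))
    print("AllowedIPs:", wireguard_allowed_ips(SITES))
    print("AP at remote-site1 -> controller:", next_hop(SITES, "remote-site1", controller))
    print("same with cloned subnets:", next_hop(SITES_CLONED, "remote-site1", controller))
```

With unique subnets the AP's packet to the controller goes out the tunnel; with the cloned plan the same destination looks like a local neighbour, so the AP ARPs for it on its own LAN and never reaches the office. Matching VLAN IDs is what keeps the AP/SSID config identical; the subnets are what have to differ.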
I’m a big fan of Tailscale (overlay networks in general). You could install the Tailscale pfSense add-on (Tom’s got a good video on how to do it), then have the Tailscale client installed on the remote workers’ machines, which they use to access resources at the remote site. VERY KISS.
Yep, there are different types of simple. There is a payment for that level of easy with trust and dollars.