This two-part article is about how I installed and configured a Unifi Security Gateway Pro in my home network to make everything more secure and replace the ISP supplied hardware. It covers some inconveniences I encountered and some tips to mitigate them. The first part is a bit of a background story and also covers the installation of the hardware. The second part is about the actual configuration of multiple networks and firewall rules to isolate devices into separate networks.
If you’re considering updating your network in general, it may be good to read both parts. If you’ve already settled and only care about network and firewall configuration, I suggest you move on to part 2 directly.
A bit of background
After having lived with frustrations over bad (or non-existent) network wiring and bad (or non-existent) WiFi reception in previous houses I had lived in, I really wanted to do things right from the start when our new house was built. I wired up the entire house with CAT6A cables and made sure that each and every room was equipped with at least two network sockets. In addition, I had empty pipes come out of the ceiling at central points on each floor so I could place PoE powered access points there. I also wanted to add smart features to the house, but only if it actually made our lives easier, not just because it was possible.
Of course, I initially had plans to make everything perfect from the start, but having to manage all projects and involved parties during the construction of a house means that your personal projects tend to get a bit less attention, especially since some things like replacing hardware or configuring networks can easily be done afterwards. So, I took some shortcuts here and there, carefully balancing between making sure the core infrastructure was future-proof and allowing for hardware replacements and configuration later. The initial setup looked like this:
- a 4U 19" rack
- a 24 port CAT6A 19" patch panel
- a 24 port 19" unmanaged switch
- an ISP supplied FritzBox router
- 3 Unifi AP-AC-PRO access points, one on each floor
- 1 Unifi AP-AC-LITE access point in the back of the garden
- 1 Unifi Cloud Key
- 2 Philips Hue bridges
- 1 Tado bridge
Because I only had the ISP supplied router, there was one large network to which everything was connected. While everything worked perfectly and performed flawlessly, it was obviously not the most brilliant setup from a security perspective. If, for instance, a Hue bridge or my washing machine was compromised, the intruder could have easily reached everything else in my network.
This has been troubling me ever since, and I finally found time to give the network some well-deserved love and improve this.
A better approach
I invested in a Unifi Security Gateway Pro 4 to replace my ISP supplied router and a Unifi Switch 8 to act as the core managed switch, so that I can physically separate networks from each other and create rules to secure the traffic between them. The idea was to isolate my IoT devices and my DMZ devices from my local LAN, so that those devices can never reach my LAN devices, which limits the damage if one of those exposed devices is compromised.
Replacing the fans
The original fans of the USG Pro are quite noisy and since my meter cupboard is in the hallway that we pass through quite frequently, I replaced them with two Noctua NF-A4X20 fans. They are cheap and it is literally a matter of unscrewing and unplugging the old ones and installing these. It will make the whole experience a lot better, so I definitely recommend doing so.
Adopting the USG to an existing network
The USG has a fixed default LAN IP address of 192.168.1.1, so if you currently have a different subnet (like I did with my default FritzBox subnet of 192.168.178.0/24), your controller won’t find it by default: controller discovery relies on layer-2 broadcast traffic, which is not forwarded between subnets.
A choice to make here is whether you want the different subnets to coexist, or whether you want to migrate everything over to the subnet prescribed by the USG.
If you want them to coexist, there are suggestions online from several experienced Unifi field technicians on how to do this best. One suggestion is to add a DNS entry “unifi” that points to your cloud key, so that the set-inform works regardless of the subnet (as long as the subnets can talk to each other). Another suggestion involves hooking up the existing network to the WAN port of the USG, so the USG has both its 192.168.1.1 IP address and one from the existing subnet. Something I figured out myself later, when fixing a misconfiguration of one of my access points, was that you could most likely also SSH into the device itself and manually call set-inform with the right controller IP address.
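The manual set-inform route, as an added example that is not part of the original article: a small POSIX shell helper that validates the controller address, builds the inform URL and prints (or, on request, runs) the SSH command on the device. It assumes the device still accepts the default “ubnt” SSH account of an un-adopted Unifi device and that the controller listens on the standard inform port 8080; the device and controller addresses below are placeholders, not values from the page.

```sh
#!/bin/sh
# Added example, not code from the original article.
# Assumptions (not stated on the page): the Unifi device accepts SSH as the
# default "ubnt" user of an un-adopted device, and the controller serves the
# inform endpoint on its default port 8080. Addresses below are placeholders.
set -eu

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo cannot
# quietly point the device at a host that does not exist.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The URL the device must be told about. A factory-fresh device tries
# http://unifi:8080/inform on its own, which is why a DNS name "unifi"
# also works; with an explicit IP we bypass DNS entirely.
build_inform_url() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf 'http://%s:8080/inform\n' "$1"
}

# Print the SSH command that runs set-inform on the device; pass "run" as the
# third argument to actually execute it. Dry-run is the default so you can
# check the addresses before touching a device in a different subnet.
set_inform() {
    device=$1
    controller=$2
    mode=${3:-dry-run}
    url=$(build_inform_url "$controller") || return 1
    echo "ssh ubnt@$device set-inform $url"
    if [ "$mode" = "run" ]; then
        ssh "ubnt@$device" "set-inform $url"
    fi
}

# Example invocation (placeholder addresses): device on the USG's default
# subnet, controller (cloud key) still on the old FritzBox subnet.
set_inform 192.168.1.20 192.168.178.30
```

After the command has run, the device shows up as pending adoption in the controller; if it stays in “Adopting” for a long time, running set-inform a second time with the same URL is the usual fix.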
However, I never really liked the .178 subnet anyway, so I decided to migrate everything to the new subnet instead.
First, since I did not have any static IP addresses set in my network yet, I simply changed the subnet on my FritzBox to 192.168.1.0/24 and set the IP address of the FritzBox to 192.168.1.2, so that it would not collide with the USG as a gateway later. I restarted the access points and cloud key and once they came back up, they had an IP address in the new subnet in which the USG would be found.
Then, I disconnected the LAN cable from my FritzBox and plugged in the USG and opened the cloud key web interface on the new IP address on my laptop, where the USG was found and could be adopted. I could not upgrade its firmware yet, because the USG did not have an internet connection yet, but that would come later.
Installing the core switch
The other device that I hooked up is the new Unifi Switch 8, which would become my new “core” switch, meaning it uplinks to the USG and all distribution happens from this switch.
It was simply a matter of connecting it to the network and adopting it, after which I fixed its IP address to 192.168.1.2 (the FritzBox, which had used that address, was no longer on the LAN at this point). Then, I connected the LAN1 port of the USG to port 8 of the switch to create an uplink (you can pick any port, btw) and connected the original unmanaged switch to port 1 of the new switch to connect it to the local network. This will allow me to configure the ports and physically separate networks in a later stage.
Getting connected
Next up was the final cable in the FritzBox before I could get rid of it: the fiber optic cable. It is possible to connect a fiber optic cable to the USG directly, through its SFP ports. I needed to buy an SFP transceiver, and transceivers differ in fiber type, wavelength and connector type, so make sure to find the right configuration if you need one. My ISP Xs4all supplied these settings on their website, but you may need to figure them out for yourself.
Once the SFP was inserted and the fiber optic cable was plugged in, all that was left to do was configure PPPoE for the WAN adapter.
The username and password, in my case, did not matter; the only requirement was that they had a value and were not empty. Other ISPs do require real PPPoE credentials, so check what yours expects.
Once this was done, the connection was established.
Let’s move on to the configuration!