Second opinion on a new network setup (Ubiquiti + long range)

Zahzi

Jan 4, 2015
I am looking into replacing my current wireless network with something better. I currently have a ~4 year old AirPort Extreme and Express to cover inside (one on the first floor, and one on the other side of the second floor). I would like to expand my network's range to cover a good bit of outside: throughout our greenhouses (located ~15-125m away), as well as fields (the edge of which is ~175m). Note that I don't need great coverage at the extremes; the most intense thing I would be doing is probably streaming music. I am currently looking at getting Ubiquiti products; specifically:
- EdgeX Router
- UniFi AP Pro (placed around the middle of my house)
- Ubiquiti PicoStation M2-HP (placed on my roof, or in a window on the top floor (these are pretty weather resistant, right?))

Before purchasing, I wanted to get a second opinion, and make sure of some things:
- Can I set the AP Pro and PicoStation to the same SSID, and will they support seamless handoff? If not, how much of an impact will this have, and what would my best alternate option be?
- Can I have a main AND guest network on BOTH APs, or will only one network be supported for both?
- Will this be enough to get the desired coverage? If not, what other suggestions do you have? Placing APs in the greenhouses is possible, but seems much more costly and more inconvenient.

Thanks in advance for the help!
 
Solution
If you place the device outdoors, say on top of the house, you should get pretty good coverage outside. If you were the only person using WiFi it is a pretty good bet it would work. The major issue nowadays is not the signal power as much as all the crap signals you are getting from everyone else around you interfering with your signals. No way to predict this; all you can do is try.

You will not get seamless hand off with any consumer AP system. Only extremely expensive commercial systems can get a truly non-disruptive hand off, and even they lose a packet or two. There are some other systems in between that do attempt this, but you will still get a disruption the end user can detect, i.e. they may see a slight stall or hang. All these systems require some form of controller server that causes all the APs to act as one system.

For home/small business users you have 2 choices. You use different SSIDs and the person decides when to change. You use the same SSID and the end device, which is very stupid, will change when it wants. Generally it will only change when the signal gets totally unusable. Since it is using the radio to talk to the current AP it cannot scan for another.

The concept of main and guest does not work with an AP, only with a router that has internet access. You would need to have VLANs to keep the traffic separate between the AP and your router, and again consumer equipment does not support VLANs. The guest concept is very simplistic: all it is doing is forcing the traffic to go out the WAN port. Since APs do not have direct access to the WAN port they cannot use this simplistic trick.

Zahzi

Jan 4, 2015


So would you say the best solution would be to put the main AP inside and then the PicoStation on the roof with an "outside" network?
 

Harro Penk

Jul 26, 2016
To your first question: no. Zero handoff only works for UniFi devices. Pico is not UniFi, it is airMAX, and uses a different operating system. Furthermore, after having completed the Ubiquiti wireless administration course I have to advise you to stay away from zero handoff. I realize that it's a selling point, but our instructor made an extremely compelling case for not using it. Instead, you should enable and scale the RSSI feature to strip off devices which are barely connecting from one antenna, and then let them rejoin using the next. Example: you connect to antenna A, then walk to the far side of antenna B. You're still connected to A, and now causing network latency to all devices connecting to the network because it has to work that much harder to keep listening to a device which is barely broadcasting enough signal. By limiting RSSI you would shed this device from antenna A, to then let it rejoin to B with a stronger signal. Zero handoff doesn't do this until the signal is disconnected. At this point, v5 of the controller software does not allow RSSI AND zero handoff, so invariably you will do what I did prior to the class and pick zero handoff. After all, it says so on the box, right? Wrong. It causes all network traffic to drop down to slower speeds, even if other devices have a stronger signal. Maybe in v6 or 7? You can set both devices to the same SSID, but use different channels in both the 2.4 and 5 GHz ranges. Enable band steering on the UAP (to prefer 5 GHz). If you have connection issues near the edges, disable 40 MHz bands and switch to 20. You trade speed for distance. Also, less interference with neighboring systems with 20 MHz width than 40 MHz.

2. Yes. You can have both. On the UAP, I recommend disabling access to the network subnets your devices are on using the denial list. If you want someone to access just a printer, add that IP (obviously make it static on the device) on the pre-authorization list. For example: deny 192.168.1.0/24, allow 192.168.1.55/32. This will allow access to guests for one device on that IP, but nothing else. Make sure your DHCP includes DNS servers outside your network (public DNS servers), or else your guests won't be able to find little things like yahoo.com and google.

3. Can't answer that without a site survey (download some software) and the devices. Too many variables, including the direction in which you mount the antennas (yup, it matters for the UAP too; signal is not a bubble), your walls, noise floor, surrounding interference, temperature, quality of cables, etc.
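The deny-list plus pre-authorization rule from point 2 above, worked through as an added example (this is not code from the thread or from Ubiquiti; the rule semantics, the helper names and the sample addresses are assumptions). It evaluates whether a guest may reach a destination and flags DHCP-advertised DNS servers that the policy would block, which is the failure mode the post warns about:

```python
# Added example, not from the thread: a UniFi-style guest policy as described
# in the post (deny 192.168.1.0/24, allow 192.168.1.55/32). Assumed semantics:
# an explicit allow entry wins over a deny entry; anything not denied is
# reachable, so guests get "everything else".
import ipaddress
from typing import Iterable, List


def parse_nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings; strict=False tolerates host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def guest_can_reach(dst: str, deny: Iterable[str], allow: Iterable[str]) -> bool:
    """Return True if a guest client may reach destination IP `dst`."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in parse_nets(allow)):
        return True  # pre-authorized exception (e.g. the shared printer)
    return not any(ip in net for net in parse_nets(deny))


def dns_servers_reachable(dns_servers: Iterable[str],
                          deny: Iterable[str], allow: Iterable[str]) -> List[str]:
    """Return the DHCP-advertised DNS servers that guests could NOT query."""
    return [s for s in dns_servers if not guest_can_reach(s, deny, allow)]


# Constructed policy: the post's example plus the RFC 1918 ranges that a later
# post in the thread says the controller denies by default.
DENY = ["192.168.1.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ALLOW = ["192.168.1.55/32"]  # printer with a static address (constructed)

if __name__ == "__main__":
    for dst in ("192.168.1.55", "192.168.1.10", "8.8.8.8"):
        print(dst, "allowed" if guest_can_reach(dst, DENY, ALLOW) else "blocked")
    # A router handing out its own LAN address as DNS breaks resolution for guests;
    # a public resolver such as 1.1.1.1 does not.
    print("unreachable DNS:",
          dns_servers_reachable(["192.168.1.1", "1.1.1.1"], DENY, ALLOW))
```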

 

Harro Penk

Jul 26, 2016
No offense, Bill, but I don't think you've worked with Ubiquiti before. They are not consumer devices. They separate the antenna from the switch from the router; all sold separately. Just the antenna takes a 2 day class to learn. Software runs on a PC (I recommend a Cloud Key instead, sold by Ubiquiti but hard to find in stock at times). Also, you don't need VLANs to keep riff raff off your network. The UAPs can filter based on destination network, and anyone with half a brain turns off the SSID of their main network these days to keep everyone off. The EdgeRouters are solid devices but terminology is difficult and much harder to set up than home routers. We only use them for internal networks, i.e. to translate between subnets.
 


Reread my post

I consider Ubiquiti almost consumer devices; they have some of the features of commercial systems but they are not even close to the Cisco or Avaya implementations. It is an OK alternative for people who don't have the money to buy an actual system.

The Cisco system can move between floors of buildings where the IP addresses change. It can even move from a WiFi signal to a cell broadband signal and back to a WiFi signal in a building at a remote location. Of course it does lose a packet here and there, but your sessions tend to not drop. But you pay a fortune for the hardware and software license.

I am so glad you are so proud of yourself for going to a 2 day course. You are the one that needs much more time working on other wireless platforms so you know what options are available. You also really need to learn how security in general works in an enterprise install. The use of 802.1X on the AP with a RADIUS server to assign users to VLANs is accepted security practice to prevent attacks even between authorized users. I am pretty sure even the Ubiquiti products support this.

I tend to over generalize on this forum to not confuse the type of people posting. I have CCIE certs in routing and security as well as some certs in things like wireless I do not keep current. I spent more time just taking the tests for the CCIE than you did taking your 2 day course. Do not assume you know more than others on a forum. Even I will never claim to know everything in this ever changing field.

 

Harro_

Jul 27, 2016
Bill, I don't want to get into a shouting match about who is better at this or that, or who is an expert at this or that. I am certainly not a network expert - I'm a generalist who works on everything from wiring to endpoints, and everything in between. That, btw, does include network security, HIPAA compliance at the "actual endpoints" (some call them "humans"), and little stuff like multi-AP wireless networks. And yes, I've been neck deep in Ubiquiti for about 3 years now, not just 2 days.

Btw, Bill, you should know that over the past five years I've thrown out a few boxes worth of Cisco "SMB WiFi" systems, and right next to me on the floor is a Meraki MR26 which they sent me a few months ago for free. You're totally right: if one can afford the higher cost, systems like Meraki are much better. The problem is always the same: COST. $1k per access point and ~$200 per year license fee (and that does include nonprofit discount pricing, btw). That's $1,200 PER ACCESS POINT, according to my fingers (and 1190 additional ones I borrowed from my coworkers just now). Compare that to a basic setup of ~$450, including labor, for the first Ubiquiti AP setup, including two USGs, one PoE switch (not required, but anyway), a Cloud Key, a few wires, and one 2.4 GHz UAP. You might break into $500 territory once you go with a 2.4/5 GHz system.

And that math is just for the FIRST system. As it turns out, systems like Meraki scale really well. For Meraki's accounting team, that is. For two access points, the cost of entry is $2,400. For three, $3,600. At that point, a Ubiquiti system starts to look like a freakin' steal at ... $700 if you go with their most expensive components, less if you realize that your home modem doesn't run at 450 Megabits so spending money on that speed for APs is money spent on nothin'. Just today I certified a two AP (yes, the old 2.4 GHz APs) setup for one of our locations. They only have a couple of PCs, and are located in a plaza which has lots of other traffic already. 5 GHz would be nice, but there's that little problem called "your budget", so we're going to use the cheap $70 APs. Heck, street price is probably closer to $50 by now; we've had these so long already. Anyway. I tuned them down to the lowest power setting, and they still broadcast to the far side of the parking lot. My heat map is all green where it counts (and even some places where it shouldn't). My RSSI values are just low enough to keep the riff-raff from the other end of the plaza off our network.

And yes, I'm using the subnet exclusion rules to keep our "guests" off the segments I don't want them to see. Because a simple network with <5 endpoints shouldn't need VLANs. If you're using VLANs at that level, frankly you're doing it wrong. You're busy securing wired traffic after it passes through the mother of all security holes, aka "WIRELESS TRAFFIC", which anyone with a laptop and 5 minutes worth of Google can eavesdrop on. Heck, a couple of years ago I watched a couple of preteens do exactly that at a nearby Barnes and Noble. The WiFi signals are not tagged, and one shouldn't expect guest traffic to be either. Feel free to tag the bejeezus out of your traffic once it's in the wires (heck, save some money in hardware while doing so), but please don't pretend that VLAN tagging somehow magically safeguards radio signals which travel in every direction. I don't even think Cisco would claim this. One does not find VLAN under their "Security" chapter. It's just a routing protocol, and doesn't encrypt the data any more than putting a physical toggle switch would. At 65536 possible tags, how secure could that actually be?

Ubiquiti is just now, in the coming weeks, going to release their 1st ever "consumer device" advanced AP (in the euro market they had something similar to what most people have seen Netgear and Linksys peddle at Best Buy (aka "Worst Price")). They are packaging three different sets of their routers/switches/APs in a neat little box at $250-400, including 2 repeaters. At that price point it's definitely steeper than buying a simple WiFi router (heck, even a top-tier gaming one), but once you factor in the repeaters it's actually somewhat cheaper.

In any case, I think we can both agree that he's not going to go Meraki. Or anything else even close to that. When someone shops UniFi, the next logical step in the progression of price/performance is not Meraki. Not even close. There are probably lots of "Netgear", "Linksys", and even the occasional desperate "Ciscrap" in between before someone ends up at that level of cashflow. Home users don't give two craps about all the wonderful graphs and figures systems like Meraki provide. "Rogue access points"? Last thing they want is to try to sniff out their neighbor's garage door opener at 3 AM in the morning, don't you think? And yeah, they do show up as rogues. Wireless phones, CB radios, etc.... it's amazing how much extra information a few thousand bucks can buy you.

As far as I know, the network filtering is done at the AP level, i.e. the APs filter out subnet traffic. I know this because I've done setups without USGs, and the filtering does work anyway. Or in other words, the router doesn't filter, the APs do. So in terms of security, subnet filtering prevents guest access to any subnet listed. They can literally ONLY access everything else. By default, the private subnets are already baked in, but they're easy to change in the controller software.

Not so sure if the same would be true for VLAN filtering (sneaking through the network switches/routers), but suffice it to say that in my experience, everything Ubiquiti makes supports VLANs. Except, perhaps, their mounting brackets.

With all due respect Bill, you're offering solutions by introducing more problems. Meraki doesn't sell to home users precisely because there are very few users who shop for WiFi systems at that price point. Maybe the Rockefellers do, but I suspect that the Zahzis don't. Not to mention, the Rockefellers probably think that VLAN tagging has to do with clothes, not networks. They don't know that VLAN filtering is done at routers and switches, i.e. another layer down. My "cheap and easy" method would stop the traffic BEFORE the first wire. Just sayin'.