Deployed Ubiquiti UniFi Network from Firewall to Access Points

ES
100 people affected
3 month project

Project Description

I deployed a secure network environment using Ubiquiti UniFi products, which included a firewall w/DMZ for Guest access, a guest authentication portal, managed switches with VLAN's, 802.11 AC wireless access points configured for mesh and roaming, and bandwidth control to ensure that the primary functions of the network were not overwhelmed by the guest user consumption. One of the requirements we faced was ensuring that users of the guest network could access print resources on the internal network via Airprint, which was an interesting challenge. One of the benefits of using the UniFi products is that the underlying operating system is linux-based, which meant that I could bring my linux experience to bear when figuring out firewall rules and routing when solving the Airprint challenge. I suspect that there's very little we can't do with these products, but time and messing around will tell...

Lessons Learned

I don't think I would have done things much differently. In fact, I pulled out other technologies I deployed in favor of these products. A driving factor behind that decision was the VLAN management; with the UniFi Cloud Key central management, it's easy to configure the infrastructure and consequently deploy the necessary pieces out to the affected components fairly quickly. One of the downsides I experienced was that certain pieces needed to be configured uniquely - case in point: Airprint across firewall boundaries. The worry here is that when the time comes for me to make any adjustments to the network or to deploy software/firmware updates, I will run the risk that my unique changes will be lost, in which case, I'll need to re-author those changes in order for them to continue to be in affect.  I believe this will only be a short-term problem, however, knowing that Ubiquiti is constantly modifying and adding functionality with each update. Airprint is a "fact of life" in today's networks. It's just a matter of time before they will institute the necessary switches that will automate turning this functionality on between firewall boundaries, IMHO...

Products Used

Technical Skills Used

  • iptables
  • Leander (TX-US)30.5788-97.8531