For a while, I've been eyeing an upgrade of my home network. It's basically been running on ISP-provided equipment, and consumer ISP equipment is usually quite bad.
Back in the good old days, my ISP gave us a cable modem, and then we were responsible for the rest. Nowadays, ISPs ship devices which act as a modem, router, switch, and Wi-Fi access point. They're not particularly good at most of those jobs, and it very much becomes a case of "jack of all trades, master of none."
I very much like the UNIX philosophy of "do one thing and do it well," and the Netgear (and formerly Cisco) cable devices that my ISP supplies are the complete opposite of that.
So, when looking for home networking equipment, I wanted a few things:
- It must be composable or modular to scale up if I needed to, or down.
- It must be small, so no rack-mounting.
- It cannot be overly complicated or expensive.
- It must be well-maintained and supported. My existing modem never gets firmware updates, and I want something that at minimum gets security fixes rapidly (e.g. "Broadpwn").
- It cannot require a huge amount of power or generate a huge amount of noise.
- It must have a large Wi-Fi range, or have a working mesh networking solution. I already have a top-of-the-line consumer range extender, but it actually just doesn't work.
- It must not look like a mutant robot spider flipped on its back, like so many consumer Wi-Fi routers these days. I don't know what's gotten into the industrial designers responsible, but I don't like it.
Ubiquiti came across my radar a year ago when Andrew Buntine used Ubiquiti syslog events to play personalized theme music when people enter the office.
Since then, I've also followed Troy Hunt who has done a series of blog posts about Ubiquiti's consumer/prosumer/enterprise products, as well as Scott Hanselman who did a post on Amplifi, their newer more-consumer-friendly option.
After doing further research, it seemed that Ubiquiti ticks all the boxes for me. It's expensive but not outrageously so, has different products for distinct roles that all work together, and the company regularly ships firmware updates for its products.
In the end it came down to the prosumer/enterprise "UBNT"/UniFi gear, or the consumer offering, AmpliFi. I went with the UBNT gear instead because I wanted some of the more powerful features that AmpliFi does not appear to offer, plus I had started using a wired network too (not just Wi-Fi) and wanted some control over the wired parts.
I eventually settled on the following combination of gear:
- ISP-provided cable modem in bridge mode. Only LAN port 1 is active, and it gets a public IP Address. All NAT, routing and wireless is disabled.
- 1x Security Gateway - this acts as the router/firewall, and sits immediately behind the modem.
- 1x AP-AC-Pro Wi-Fi access point, selected for high 5GHz throughput without going completely overboard. If I need more Wi-Fi range, I can get a UniFi Mesh Point afterwards.
- 2x 8-port 60W Power-over-Ethernet switches. One sits with the modem and gateway, the other one on my desk. I could have gone with 1x PoE and 1x non-PoE, but the new Raspberry Pis support PoE and I have some fun ideas for that.
- 1x Cloud Key - this is a little dedicated device that runs the network controller software. I could have run this on another device - my NUC, or NAS, or even in the cloud by paying Ubiquiti a bit more - but that would break the do-one-thing rule.
Setting it up
I was quite surprised by how straightforward the process was. For each device I basically just had to:
- Take it out of the box.
- Plug in the power (for the gateway + switches).
- Plug it into the network.
In order to configure the network I plugged my computer into the ethernet, and to my surprise the network was already operational with perfectly fine defaults. I had to download a Chrome application in order to find the Cloud Key and run through the setup wizard, but the out-of-box experience was painless.
The most difficult part of the entire procedure was removing the rear mounting bracket from the AP-AC-Pro - it took me a while to find a paperclip, as the instructions call for one, but the device does not ship with one.
The UniFi-powered network is so much faster and more reliable than the old crappy-ISP-gear-powered one.
Firmware updates were already available out of the box. These are the first home networking devices I've ever had where firmware updates are more frequent than the manufacturing-to-unboxing time.
The Wi-Fi is incredibly fast, and has a massive range. Areas of the house that used to sometimes get a signal if you held your phone at a precise angle now get a solid 30Mbps internet connection. I don't even need a mesh point.
The management software gives me a huge amount of control and visibility into what the network is doing, including the physical topology. I can even see which port of which switch is connected to which device.
The inbuilt L2TP VPN server is the first one that has ever worked on my home network. I am now slightly suspicious that other ones did not work purely because the ISP modem was not in bridge mode, and may have had its own ISP-configured IPsec server.
I can change an enormous array of settings without having to restart any network devices. By contrast, the ISP modem would need to do a full reboot if I so much as sneezed, which would stop internet access to all devices.
I was expecting to set QoS rules, as my existing ISP modem would allow a single upload to completely choke the network. It turns out that I don't have to, the USG does a much better job out-of-the-box of prioritising network traffic. I can now upload a photo and play Overwatch at the same time.
The AP-AC-Pro doesn't ship with a way to get the mounting bracket off, and assumes you have a conveniently-sized paperclip just lying about.
The Dynamic DNS client appears to be broken, and doesn't support Cloudflare, the DNS provider for the domain I wanted to use. In the bigger picture this is fairly inconsequential as my Synology NAS already has working Dynamic DNS through Synology, so I just made the record a CNAME to Synology, and it resolves to the same public IP anyhow.
Whenever I change a Wi-Fi setting, even for a secondary SSID, the primary Wi-Fi network is interrupted for a brief moment. Based on the logs, I think it's re-evaluating which channel/frequency is the best to run on during this time.
The switches run quite warm. The management software suggests that they're constantly running at about 50% CPU and memory, even when the network is largely idle. I don't know why, but I'm not overly worried as they're not warm enough to burn somebody or start a fire.
The Cloud Key includes a very short ethernet cable, but it doesn't twist, so my Cloud Key is now folded over the switch upside-down, rather than right-way-up.
The management software has shown me that I have way more things on the network than I would have expected - from PCs and phones to VMs, my 3DS, and an Apple device that we can't seem to physically identify or locate. This isn't an issue with UniFi, but just one that UniFi highlighted. You can even see my home Kubernetes cluster!
Nothing. I have no major complaints, nothing that's made me reconsider the whole thing, nothing that's frustrated me or left me scratching my head wondering what the heck to do.
DPI and Statistics
The default configuration of the UniFi gear is to have Deep Packet Inspection enabled. This has me concerned somewhat - not that Ubiquiti is watching what I'm doing, but simply the amount of information that's available by passively observing network traffic, i.e. without doing TLS interception or other crazy things.
Almost all of the statistics and information that Ubiquiti gathers is also observable by my ISP, and potentially already part of the Government-mandated metadata collections.
There are some basic stats. For example, by looking at the traffic flow, one can easily see what time the first person in the house gets up, what time the last person goes to bed, and the times that the household is idle, which is likely when nobody is home. For example, guess when I woke up this morning:
Furthermore, for the week or so since I've installed the gear, here's the current traffic breakdown:
Each of these categories can be further subdivided, like so:
From this it's easy to see that, for example, the single largest use of my internet traffic for the last week has been Netflix.
Because I'm on the household's side of the modem, I can subdivide it further by device. For example, my iPad is the biggest consumer of Internet traffic purely because I've been binge-watching Tintin on Netflix for the past week:
My ISP can't see that level of detail, but there's still a lot of information that you can garner from this at a per-subscriber level. I would not be surprised if at least one ISP was selling this information or doing other shady things with it.
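To make the point above concrete, here is an added example (not from the original post, and not Ubiquiti's software) showing how much of the household picture described in this section falls out of plain flow metadata alone: timestamps, source device, destination category and byte counts, with no TLS interception at all. The flow records are constructed sample data, and `SAMPLE_FLOWS`, the function names and the six-hour idle threshold are assumptions of this example rather than UniFi's DPI output format. It derives the "first up / last to bed" window per day, the long idle stretches, the traffic breakdown by category and by device, and which device drives a given category.

```python
"""Added example, not part of the original post or Ubiquiti's software:
how much household activity can be read from passive flow metadata alone
(timestamp, device, destination category, bytes), with no TLS interception.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real UniFi DPI output):
# (timestamp, device, traffic category, bytes transferred).
SAMPLE_FLOWS = [
    ("2018-07-01 06:42", "phone-a", "news",        1_200_000),
    ("2018-07-01 06:50", "phone-a", "email",         300_000),
    ("2018-07-01 19:10", "ipad",    "netflix", 1_800_000_000),
    ("2018-07-01 23:15", "laptop",  "web",         2_000_000),
    ("2018-07-02 07:05", "phone-b", "social",        900_000),
    ("2018-07-02 20:00", "ipad",    "netflix", 2_100_000_000),
    ("2018-07-02 20:30", "nuc",     "backup",    700_000_000),
    ("2018-07-02 22:40", "phone-a", "web",           100_000),
]

TS_FORMAT = "%Y-%m-%d %H:%M"


def _parse(ts):
    return datetime.strptime(ts, TS_FORMAT)


def daily_activity_window(flows):
    """First and last flow time per day: the 'first up' / 'last to bed' signal.

    Returns {"YYYY-MM-DD": ("HH:MM", "HH:MM")}, days in order.
    """
    first, last = {}, {}
    for ts, *_ in flows:
        t = _parse(ts)
        day = t.strftime("%Y-%m-%d")
        first[day] = min(first.get(day, t), t)
        last[day] = max(last.get(day, t), t)
    return {day: (first[day].strftime("%H:%M"), last[day].strftime("%H:%M"))
            for day in sorted(first)}


def idle_gaps(flows, min_hours=6):
    """Gaps between consecutive flows of at least min_hours (an assumed
    threshold): stretches when the household is asleep or away.

    Returns a list of (start, end, hours) tuples in time order.
    """
    times = sorted(_parse(ts) for ts, *_ in flows)
    gaps = []
    for a, b in zip(times, times[1:]):
        hours = (b - a).total_seconds() / 3600
        if hours >= min_hours:
            gaps.append((a.strftime(TS_FORMAT), b.strftime(TS_FORMAT), round(hours, 2)))
    return gaps


def bytes_by(flows, key):
    """Total bytes grouped by "device" or "category", largest first."""
    idx = {"device": 1, "category": 2}[key]
    totals = defaultdict(int)
    for rec in flows:
        totals[rec[idx]] += rec[3]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def share_by(flows, key):
    """Same grouping, as a percentage of all bytes (one decimal place)."""
    totals = bytes_by(flows, key)
    grand = sum(totals.values())
    return {k: round(100.0 * v / grand, 1) for k, v in totals.items()}


def top_device_for_category(flows, category):
    """Which device drives a given category, e.g. who is binge-watching."""
    per_device = bytes_by([f for f in flows if f[2] == category], "device")
    return next(iter(per_device), None)


if __name__ == "__main__":
    print("activity window per day:", daily_activity_window(SAMPLE_FLOWS))
    print("idle gaps:", idle_gaps(SAMPLE_FLOWS))
    print("share by category:", share_by(SAMPLE_FLOWS, "category"))
    print("share by device:", share_by(SAMPLE_FLOWS, "device"))
    print("top netflix device:", top_device_for_category(SAMPLE_FLOWS, "netflix"))
```

The practical takeaway for anyone keeping DPI enabled is that the controller (here, the Cloud Key) is now holding exactly this kind of record for every device in the house, so who can log in to it and how long it retains flow history matter about as much as the controller's own firmware updates.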
I could quite realistically just copy Troy Hunt's summary here word for word because I've had basically the exact same experience, just with a smaller house and no jetski.
I've been running this configuration for about a week and had zero major issues. My cable modem now does only what it does best, and its other roles have been taken over by dedicated hardware units that do them a heck of a lot better.
The Wi-Fi coverage and speed are both surprisingly great even with a single access point, and the wired network is running at full speed. I am now able to hog my full 100Mbps internet connection from nearly anywhere in the house. 😁
The hardware is great, the software is amazing, and if I had to do this all again, I probably wouldn't do it any differently.