DIY Linux Router Part 7: Wifi

The following is the seventh part of a multipart series describing how I built (software, not hardware) my own Linux router from scratch, based on Debian 11.

Since my router itself does not have any Wifi hardware and I didn't want to add a small Wifi card with bad signal strength, I bought myself a UniFi AP AC LITE. Any other Wifi AP that supports VLANs should work as well.

Router Configuration

We already configured everything needed in Part 2, but let's recall the important bits. We created a VLAN for our guest network:

[NetDev]
Name=vlan222
Kind=vlan

[VLAN]
Id=222
/etc/systemd/network/10-vlan222.netdev

And we configured our OPT1 interface with VLAN tagging and connected the untagged VLAN to the br0 bridge.

[Match]
Name=opt1

[Network]
Bridge=br0
LinkLocalAddressing=no
VLAN=vlan222
/etc/systemd/network/10-opt1.network

And finally we created our guest network:

[Match]
Name=vlan222

[Network]
Address=192.168.222.1/24
DHCPServer=yes

[DHCPServer]
PoolOffset=20
PoolSize=150
DNS=192.168.222.1
/etc/systemd/network/10-vlan222.network

UniFi Network Application

The UniFi APs don't have a web interface to configure them. Instead, we need to install the UniFi Network Application to control our APs. We can download it to our PC, or we can install it as a service on a Linux server. I opted to install it on my already existing home server.

To do this we add the UniFi repo key to our system:

sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg 

And then add the source list to our system:

echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list

After that we can install the UniFi Network Application and Java 8, which is a required dependency for it:

sudo apt install unifi openjdk-8-jre-headless
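
A key placed in /etc/apt/trusted.gpg.d is trusted by apt for every configured repository, not only the UniFi one. The following added example (not part of the original post) flags source lines without a signed-by= option and pins them to a single keyring; the function names and the keyring path /etc/apt/keyrings/unifi-repo.gpg are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): scope an APT repo to one keyring.

# List active deb/deb-src lines in FILE that lack a signed-by= option, i.e.
# lines whose packages may be signed by ANY key apt trusts globally.
unscoped_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" \
        | grep -Ev '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=' || true
}

# Rewrite FILE so every unscoped line is pinned to KEYRING. An existing option
# block such as [arch=amd64] is kept and signed-by= is added inside it.
# Commented-out lines and lines that already carry signed-by= are left alone.
pin_sources() {
    local file=$1 keyring=$2 tmp
    tmp=$(mktemp)
    sed -E \
        -e "/signed-by=/!s|^([[:space:]]*deb(-src)?[[:space:]]+)\[|\1[signed-by=${keyring} |" \
        -e "/signed-by=/!s|^([[:space:]]*deb(-src)?[[:space:]]+)|\1[signed-by=${keyring}] |" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample: the source line from the post, a variant with an option
# block, and a disabled line.
demo_dir=$(mktemp -d)
demo_list="$demo_dir/100-ubnt-unifi.list"
cat > "$demo_list" <<'EOF'
deb https://www.ui.com/downloads/unifi/debian stable ubiquiti
deb [arch=amd64] https://www.ui.com/downloads/unifi/debian stable ubiquiti
# deb https://example.invalid/disabled stable main
EOF

echo "Unscoped before:"
unscoped_sources "$demo_list"
# Assumed keyring path: store the downloaded key here, not in trusted.gpg.d.
pin_sources "$demo_list" /etc/apt/keyrings/unifi-repo.gpg
echo "After pinning:"
cat "$demo_list"
rm -rf "$demo_dir"
```

On the real system, download the key to the keyring path instead of /etc/apt/trusted.gpg.d and run pin_sources as root on /etc/apt/sources.list.d/100-ubnt-unifi.list.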

Now we can open the web interface through the server's IP address and port 8443. For me this was https://192.168.144.10:8443/ but I later put it behind an NGINX reverse proxy.

To log in you need to create a Ubiquiti account. Before connecting your UniFi AP via Ethernet, make sure to open port 3478 UDP and port 8080 TCP on the device which is running the UniFi Network Application, or your AP won't find it.

Now we boot up the AP and after a few minutes it shows up on the UNIFI DEVICES tab. We click on it to open the AP panel on the right side and then click ADOPT to add it.

Image from: https://help.ui.com/hc/en-us/articles/360012622613-UniFi-Network-Add-new-devices

The UniFi software will then update the AP to the newest firmware and once this has finished it should look something like this:

WiFi Configuration

We now add our two networks to the UniFi software and it will automatically distribute them to all connected APs.

First we go to Settings > Networks and click Add New Network. Choose a name for our private network, and under advanced set the following options:

  • VLAN ID: empty (untagged)
  • DHCP mode: None
  • Gateway IP/Subnet: The IP of your router (192.168.144.1/24 for me)

The rest we leave at the default settings.

Now we add another network that will be used as a guest network and use the following options:

  • VLAN ID: 222
  • Device Isolation: ON
  • DHCP Mode: None
  • Gateway IP/Subnet: The IP of your router (192.168.222.1/24 for me)

Next we go to Settings > WiFi and click Add New WiFi network. Here we use the same names as before for the private and guest networks. Then choose a password. I use 16 numbers since these are easier to communicate and type on a mobile device. A numbers-only password is secure as long as it is longer than the 8 characters that WiFi passwords often have.

I use the following settings for both networks:

  • Network: Choose the corresponding network we created before
  • WiFi Band: Both
  • Security Protocol: WPA-3/WPA-2 (I wanted to use WPA-3 only for my private network, but I have some devices which were not compatible)
  • PMF: Optional

Everything else stays on default.

The last thing I changed was to enable automatic AP updates: Settings > System > Maintenance > Automate UniFi Device Updates.

Under the UNIFI DEVICES tab you should see your AP applying the configuration and when this is done you can connect to your WiFi.

Under the CLIENT DEVICES tab we can then see all connected devices.

Next up: NetFlow / IPFIX