The following is the seventh part of a multipart series describing how I build my own Linux router from scratch (the software, not the hardware), based on Debian 11.
- Part 1: Hardware
- Part 2: Interfaces, DHCP and VLAN
- Part 3: PPPOE and Routing
- Part 4: Firewall and Port Forwards
- Part 5: DNS with Unbound
- Part 6: WireGuard VPN
- Part 8: NetFlow / IPFIX
Since my router itself does not have any WiFi hardware and I didn't want to add a small WiFi card with bad signal strength, I bought myself a UniFi AP AC LITE. But any other VLAN-capable WiFi AP should work.
We already configured everything needed in Part 2, but let's recall the important bits. We created a VLAN for our guest network:
And we configured our OPT1 interface with VLAN tagging and connected the untagged VLAN to the
And finally we created our guest network:
UniFi Network Application
The UniFi APs don't have a web interface to configure them; instead, we need to install the UniFi Network Application to control our APs. We can download it to our PC or we can install it as a service on a Linux server. I opted to install it on my already existing home server.
To do this we add the UniFi repo key to our system:
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
And then add the source list to our system:
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
After that we can install the UniFi Network Application and Java 8, which is a required dependency for it:
sudo apt install unifi openjdk-8-jre-headless
Now we can open the web interface through the server's IP address and port 8443. For me this was https://192.168.144.10:8443/, but I later put it behind an NGINX reverse proxy.
To log in you need to create an Ubiquiti account. Before connecting your UniFi AP via Ethernet, make sure to open port 3478/UDP and port 8080/TCP on the device which is running the UniFi Network Application, or your AP won't find it.
Now we boot up the AP and after a few minutes it shows up on the UNIFI DEVICES tab. We click on it to open the AP panel on the right side and then click ADOPT to add it.
The UniFi software will then update the AP to the newest firmware and once this has finished it should look something like this:
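The controller-host steps above (repository key, source list, package install, firewall openings) collected into one script. This is an added example, not the post's own commands, and it makes two changes a security engineer would want: the repository key is stored under /usr/share/keyrings and scoped to the Ubiquiti repo with apt's signed-by option instead of being dropped into /etc/apt/trusted.gpg.d/ (where it would be trusted for every repository on the host), and its fingerprint is checked before apt ever sees it. It assumes the host is Debian 11 using nftables with an "inet filter" table whose input chain is named "input"; EXPECTED_FPR is a placeholder and has to be replaced with the fingerprint Ubiquiti publishes, which this page does not contain.

```shell
#!/bin/sh
# Added example (not from the original post): hardened controller-host setup.
# Assumptions: Debian 11, nftables with table "inet filter" and chain "input",
# and EXPECTED_FPR replaced with the fingerprint from Ubiquiti's documentation
# (the value below is a placeholder, not a real fingerprint).

UNIFI_KEY_URL="https://dl.ui.com/unifi/unifi-repo.gpg"
UNIFI_REPO="https://www.ui.com/downloads/unifi/debian stable ubiquiti"
KEYRING="/usr/share/keyrings/unifi-repo.gpg"
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_UBIQUITI_DOCS"   # placeholder

# sources.list entry; the signed-by option limits the key to this one repo.
sources_entry() {
    printf 'deb [signed-by=%s] %s\n' "$1" "$UNIFI_REPO"
}

# Primary fingerprint of the first key in a binary keyring file.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only when the keyring's fingerprint matches the expected one;
# an empty expectation never matches, so a forgotten placeholder fails closed.
verify_key() {
    [ -n "$2" ] && [ "$(key_fingerprint "$1")" = "$2" ]
}

# Ports the AP and the admin need to reach on the controller (from the post):
# 8080/tcp for inform/adoption, 3478/udp for STUN, 8443/tcp for the web UI.
open_controller_ports() {
    nft add rule inet filter input tcp dport '{ 8080, 8443 }' accept
    nft add rule inet filter input udp dport 3478 accept
}

install_controller() {
    tmp="$(mktemp)"
    wget -q -O "$tmp" "$UNIFI_KEY_URL"
    if ! verify_key "$tmp" "$EXPECTED_FPR"; then
        echo "UniFi repo key fingerprint mismatch, aborting" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"
    sources_entry "$KEYRING" > /etc/apt/sources.list.d/100-ubnt-unifi.list
    apt-get update
    apt-get install -y unifi openjdk-8-jre-headless
    open_controller_ports
}

# Only install when explicitly asked (sh unifi-setup.sh install), so the file
# can also be sourced just for the helper functions.
if [ "${1:-}" = "install" ]; then
    install_controller
fi
```

Run it as root with the single argument install once EXPECTED_FPR has been filled in; with the placeholder still in place it refuses to add the repository, which is the intended failure mode.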
We now add our two networks to the UniFi software and it will automatically distribute them to all connected APs.
First we go to Settings > Networks and click Add New Network. Choose a name for our private network, and under Advanced set the following options:
- VLAN ID: empty (untagged)
- DHCP mode: None
- Gateway IP/Subnet: The IP of your router (192.168.144.1/24 for me)
The rest we leave at the default settings.
Now we add another network that will be used as a guest network and use the following options:
- VLAN ID: 222
- Device Isolation: ON
- DHCP Mode: None
- Gateway IP/Subnet: The IP of your router (192.168.222.1/24 for me)
Next we go to Settings > WiFi and click Add New WiFi Network. Here we use the same names as before for the private and guest network. Then choose a password. I use 16 digits since these are easier to communicate and type on a mobile device. A digits-only key is still secure if it is longer than the 8-character passwords that are so common.
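To put a number on the digits-versus-length trade-off described above, here is an added example (not part of the original post) that generates a digits-only pre-shared key from /dev/urandom, checks it against the WPA-Personal passphrase rules (8 to 63 printable ASCII characters), and computes the entropy of a key as length times log2 of the alphabet size, which is the work a brute-force guess has to cover. The helper names are my own; the only assumption is that /dev/urandom exists, as it does on Debian.

```shell
#!/bin/sh
# Added example (not from the original post): digits-only WPA key generation
# plus the entropy arithmetic behind "16 digits beat 8 mixed characters".
LC_ALL=C
export LC_ALL

# Print N random decimal digits; for WPA-Personal N must be between 8 and 63.
gen_digit_psk() {
    tr -dc '0-9' < /dev/urandom | head -c "$1"
    echo
}

# Whole bits of entropy for LENGTH symbols drawn uniformly from an alphabet
# of SIZE symbols: floor(LENGTH * log2(SIZE)). awk's log() is natural log,
# hence the division by log(2).
psk_entropy_bits() {
    awk -v size="$1" -v len="$2" 'BEGIN { printf "%d\n", int(len * log(size) / log(2)) }'
}

# WPA-Personal passphrases must be 8 to 63 printable ASCII characters.
wpa_psk_valid() {
    case "$1" in
        *[![:print:]]*) return 1 ;;   # any character outside printable ASCII
    esac
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 63 ]
}

# Compare the post's 16-digit scheme with typical short "complex" passwords.
# 16 digits: 53 bits; 8 alphanumerics (62 symbols): 47 bits;
# 8 printable ASCII (94 symbols): 52 bits.
compare_schemes() {
    printf '16 digits:            %s bits\n' "$(psk_entropy_bits 10 16)"
    printf '8 alphanumeric chars: %s bits\n' "$(psk_entropy_bits 62 8)"
    printf '8 printable chars:    %s bits\n' "$(psk_entropy_bits 94 8)"
}

key="$(gen_digit_psk 16)"
if wpa_psk_valid "$key"; then
    echo "generated key: $key"
fi
compare_schemes
```

The comparison shows why the length argument holds: 16 digits give about 53 bits, which is more than an 8-character key from the full printable set, and each additional digit adds another 3.3 bits, while a WPA2-PSK is ultimately stretched by PBKDF2 and attacked offline from a captured handshake, so entropy is what counts, not character variety.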
I use the same following settings for both networks:
- Network: Choose the corresponding network we created before
- WiFi Band: Both
- Security Protocol: WPA-3/WPA-2 (I wanted to use WPA-3 only for my private network, but I have some devices which were not compatible)
- PMF: Optional
Everything else stays on default.
The last thing I changed was to enable automatic AP updates: Settings > System > Maintenance > Automate UniFi Device Updates.
Under the UNIFI DEVICES tab you should see your AP applying the configuration and when this is done you can connect to your WiFi.
Under the CLIENT DEVICES tab we can then see all connected devices.
Next up: NetFlow / IPFIX