Complicated multi-router setup, specifically a Ubiquiti router. Help?

OilMagnate

Thread starter
Joined
Aug 4, 2020
Messages
520
Location
Oklahoma
I have been trying to set this up for two days now and I'm defeated. What I feel should be a somewhat simple setup for an average user is definitely not. That or I'm completely incompetent. Not sure at this point which.

The details are super long and complicated, but here's the simple short version. I have three routers that need to work together. The ISP modem/router combo I'll call "A" which is fed by fiber, my Asus RT-AC68U will be called "B" and a Ubiquiti AirRouter HP will be called "C" in this scenario.

A has zero issues and is the main unit for the whole network.

B is hardwired via a 100ft Cat5e cable from A on the extreme opposite end of the house. It has been connected for several weeks and has been working perfectly as a secondary router with its own SSID and password (which is what I want). I have disabled the 5GHz radio on this router because it isn't needed in my setup.

C needs to be connected wirelessly to B in an auxiliary building/garage 92 feet away. B and C will have a clear, unobstructed line-of-sight to each other via windows in each building. The auxiliary building is solid cement block all the way around with solid core steel doors...an RF nightmare. The only chance of getting RF through is this third router in a tiny bathroom window above eye level (I'll be anchoring it in to prevent any possibility of it falling into water). This one will also need its own SSID and password (I'm assuming WPA is not an option as a repeater, which is fine).

What I can't figure out is how to set up this particular router (C). My suspicion is that because it's a POE/WISP router, I'm doing something wrong. I can get logged into it, I can change the SSID, etc. But I can't get it to connect to B. Every time I think I get close, it completely locks me out of it and I have to do a hard reset to get access again, even using the "test" function. No matter what I do, it will not connect to the internet. Do I need this in Access Point mode, AP-Repeater mode, or Station mode? I'm assuming AP-Repeater. I'm also going to assume that between Bridge, Router, and SOHO Router modes, I need the standard Router mode due to not being on a WISP. But I'm questioning if Bridge is correct...? When in AP-Repeater mode I do enter B's MAC address as a WDS peer, but it still doesn't connect. I'm beating my head against the wall, but I feel like this is a simple obvious error. I also have a suspicion that I'm not doing something correctly regarding DHCP/Static/PPPoE, because I don't know what those do. I also cannot figure out how the WEP key works. I feel incredibly stupid with this WEP key in particular. Nothing works, everything I try is an invalid key. Ultimately I need all 3 routers to utilize the same bandwidth on a single ISP, but act as three totally independent networks to the average Joe trying to connect to them. They all need their own unique SSID and passwords.

Basically, can anyone knowledgeable with Ubiquiti AirOS, or at least fluent in this PDF manual help me out? PLEASE explain it to me like an old lady who knows nothin' bout them pooters. I won't take offense to talking to me like an idiot, because I wouldn't have typed this if I had the answer/wasn't. Any help is HIGHLY appreciated!

I guess my backup plan is buying a second AC68U to replace the Ubiquiti. At least I know how to set those up...
 

OilMagnate

Thread starter
Joined
Aug 4, 2020
Messages
520
Location
Oklahoma
***EDIT*** (Too late to edit the OP) - There is an unmanaged switch between A and B. This may be important, maybe not. But I wanted to list it since I forgot originally. In case anyone needs some visual clarity, I made this quick chart showing my full setup.

Legend:
A,B,C - Router letters from OP above
S - Unmanaged ethernet switch
W - Represents numerous random wireless devices that will connect to A,B,C independently/exclusively
Z - Represents one specific device that is hardwired
Green Line - indicates a hardwired connection
Yellow Line - indicates a wireless connection

20220224_053934.jpg


Yes, I have gone to great lengths to hardwire all of my devices, I hate wireless connectivity for most things because there is seemingly always something that goes wrong. This B to C link is a perfect example. I would much prefer to hardwire it, but that is just not an option.
 
Joined
Sep 27, 2015
Messages
4,577
Location
USA
First I'm not familiar with the exact features of Asus or Ubiquiti firmware because I run OpenWrt on everything.

A conventional wifi access point to station link can't be used as a bridge. In order to bridge you need a wired connection (such as between A and B), or a WDS mode wifi link, which needs WDS support by the devices on both ends. I'm going to assume the Asus only operates as a conventional AP.

So you should set up the garage router as a router and route everything in the garage over the wifi link to the house, and ultimately to the Internet. Especially if the users in the garage only need the Internet, you should enable the NAT or masquerade mode. Users in the garage will be on the garage LAN, which must have a different IP range than the house LAN. Users in the garage can access a printer etc inside the house but they will need to configure it by entering its IP address-- automatic discovery won't work.

It is possible but more complicated to set up symmetric routing, so that someone in the house could directly reach the garage network, but try NAT first.
 
Joined
Mar 21, 2004
Messages
27,991
Location
Near the beach in Delaware
So why do you have 3 routers rather than 1? B and C should be wireless access points rather than routers. So different SSIDs for each router? Ugly. I have 15 Ubiquiti Unifi access points all with same SSID.

The Ubiquiti products work well but best not to have a mix of products. Which you seem to have.

I would email Ubiquiti support. They will respond.
 

wwillson

Staff member
Joined
Aug 20, 2003
Messages
5,352
Location
Naperville, IL
Always remember when routing, every device needs a next hop and every router needs to know the route to every prefix. The next hop MUST be in the device's own prefix. A router MUST know the route to every possible prefix, either with an explicit route or an aggregate route, the aggregate route is often stated as the default route (0.0.0.0). In your case, each router MUST have a static route pointing to prefixes that are not directly connected, of which you have a couple. I think if you fix the routing, your problems will go away.

For instance, router C can use the default route to get to every other prefix and the internet, because router C is a stub. However, router A must have a static route pointing at the prefix on C with a next hop of B's interface, B will know how to get to the prefix on C, because B is directly connected to C.
 
Joined
Oct 26, 2008
Messages
1,311
Location
Northern, NY
I am in a similar situation with a remote building that needs Wi-Fi. As soon as the ground thaws I am going to bury 100’ of direct burial Cat 5E and setup an access point in the building.
 
Joined
Aug 20, 2003
Messages
18,971
Location
NE,Ohio
buy new hardware = win.
I wrote a book but lost my post somehow.

is the garage on its own power? if on the same drop powerline ethernet adapters might be a good option.

92feet with mismatched old routers through 2 windows is far from optimal if even possible to do reliably.

You could also use a Point to point wireless bridge.. but futzing with a standalone old unifi router.. ewww.

you could also get a pair of these to make your wireless bridge.

unifi products do WAY better if you have all unifi products.. and not a mixed setup.
 

wwillson

Staff member
Joined
Aug 20, 2003
Messages
5,352
Location
Naperville, IL
> I am in a similar situation with a remote building that needs Wi-Fi. As soon as the ground thaws I am going to bury 100’ of direct burial Cat 5E and setup an access point in the building.

Make sure the cable is properly shielded and grounded, else the first lightning storm will fry the devices on both ends. You don't need a lightning strike, you just need static build up from atmospheric potential. Trust me on this, I learned the hard way.
 
Joined
Sep 27, 2015
Messages
4,577
Location
USA
Yeah I didn't realize the Airrouter HP was such a "legacy" product. There isn't anything really equivalent to it in the current product line. You can use any two late model (dual band) Unifi APs and they will "mesh" together(*) quite simply. As Rand said it is intended that you use UBNT products throughout. The Unifis start close to $100 a piece though.

The Nanostation 5 AC loco is great for the price (especially with OpenWrt installed-- with the stock firmware all it can do is link to another Nanostation), but realize the power supply is not included, and it will not accept power from a standard 802.3af / at switch. So you need a UBNT 24 volt PoE injector for each one at about $15.

(*) Actually they WDS with each other using hidden SSIDs, but "mesh" is the industry buzzword so they call it that.
 
Joined
Oct 26, 2008
Messages
1,311
Location
Northern, NY
> Make sure the cable is properly shielded and grounded, else the first lightning storm will fry the devices on both ends. You don't need a lightning strike, you just need static build up from atmospheric potential. Trust me on this, I learned the hard way.

Both buildings are powered from the same service panel and all grounds are bonded. I had not considered shielded cable for an underground ethernet run but I can do that if it is beneficial.
 

wwillson

Staff member
Joined
Aug 20, 2003
Messages
5,352
Location
Naperville, IL
> Both buildings are powered from the same service panel and all grounds are bonded. I had not considered shielded cable for an underground ethernet run but I can do that if it is beneficial.

If you don't, you'll be replacing your ESD-sensitive electronic equipment on each end of the cable.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
53,916
Location
Ontario, Canada
First off, serial NAT is bad. I expect none of these devices are in fact acting as routers but instead as gateways, doing NAT/PAT. So you have three layers of encapsulation taking place from C to get through A to the internet if you could effectively get C to connect wirelessly to B as a repeater.

It sounds like you are trying to have three separate SSID's on separate subnets share an internet connection. Is there a reason for the isolation between the three networks? You'd normally do this with VLAN's and a more capable main device (A would be setup in bridge mode as a modem, not doing any gateway functions) that would handle NAT/PAT, DHCP and block inter-vlan routing. The wireless would be provided by AP's that can do VLAN's. This also brings with it the benefit of being able to provide the same SSID's on multiple AP's, so if you personally needed access at all three locations, you could have that SSID available on all three AP's, while limiting the other SSID appearances to just a single AP if desired. If non-VLAN aware hardware is leveraged, the alternative is to assign VLAN's to different physical ports on the device, make them access only (non-trunk) and then connect the different AP's to these different ports.

For providing the wireless link, you'd normally use a pair of dedicated AP's setup to do wireless bridging. These devices do not serve clients and typically leverage directional antennas. Then you'd have AP's with omni antennas at each location connected to service clients. A wired backhaul, as others noted, reduces the complexity in providing service to the remote building, which could then be handled with a single AP.

As @Rand noted, Ubiquiti wants you to stay within their ecosystem, and this is achievable with their inexpensive hardware.
 

OilMagnate

Thread starter
Joined
Aug 4, 2020
Messages
520
Location
Oklahoma
> A conventional wifi access point to station link can't be used as a bridge. In order to bridge you need a wired connection (such as between A and B), or a WDS mode wifi link, which needs WDS support by the devices on both ends. I'm going to assume the Asus only operates as a conventional AP.
>
> So you should set up the garage router as a router and route everything in the garage over the wifi link to the house, and ultimately to the Internet. Especially if the users in the garage only need the Internet, you should enable the NAT or masquerade mode. Users in the garage will be on the garage LAN, which must have a different IP range than the house LAN. Users in the garage can access a printer etc inside the house but they will need to configure it by entering its IP address-- automatic discovery won't work.
>
> It is possible but more complicated to set up symmetric routing, so that someone in the house could directly reach the garage network, but try NAT first.

I do appreciate the advice and input, however I must admit a lot of this is gibberish to me. Dumb it down a bit?

> So why do you have 3 routers rather than 1? B and C should be wireless access points rather than routers. So different SSIDs for each router? Ugly. I have 15 Ubiquiti Unifi access points all with same SSID.
>
> The Ubiquiti products work well but best not to have a mix of products. Which you seem to have.
>
> I would email Ubiquiti support. They will respond.

I have my main router as A. I've always run into problems when setting up two devices with the same SSID, therefore B is different strictly as an identifier, but I also like being able to tell what I'm connected to. So I guess the answer for B is preference. But C is an absolute requirement to be unique. I will give out information to login to C, and don't want people to be able to login to A or B. Basically I don't want to share my personal network, but I don't want to pay for a second ISP for C. As I said before, the auxiliary building where C will be located gets terrible RF reception, so using one router doesn't work. My fail-safe plan is to buy another AC68U, but I would love not to spend $120 unnecessarily if I have this Ubiquiti just collecting dust.

> Always remember when routing, every device needs a next hop and every router needs to know the route to every prefix. The next hop MUST be in the device's own prefix. A router MUST know the route to every possible prefix, either with an explicit route or an aggregate route, the aggregate route is often stated as the default route (0.0.0.0). In your case, each router MUST have a static route pointing to prefixes that are not directly connected, of which you have a couple. I think if you fix the routing, your problems will go away.
>
> For instance, router C can use the default route to get to every other prefix and the internet, because router C is a stub. However, router A must have a static route pointing at the prefix on C with a next hop of B's interface, B will know how to get to the prefix on C, because B is directly connected to C.

Again, above my paygrade. I don't mean to sound dismissive or unappreciative, I just don't understand the input. For example, here's what I understood of this post: I need to set static IP addresses for B and C, but you also mentioned something about a static "route" on A for C. I have no idea what this means. Nor do I really understand how to set static addresses for B and C other than entering a 'random' static IP address that looks good and matching it on both routers...which is probably not correct. I may have used some correct terminology in my OP, but I really have no idea what I'm talking about. I'm trying...

> buy new hardware = win.
> I wrote a book but lost my post somehow.
>
> is the garage on its own power? if on the same drop powerline ethernet adapters might be a good option.
>
> 92feet with mismatched old routers through 2 windows is far from optimal if even possible to do reliably.
>
> You could also use a Point to point wireless bridge.. but futzing with a standalone old unifi router.. ewww.
>
> you could also get a pair of these to make your wireless bridge.
>
> unifi products do WAY better if you have all unifi products.. and not a mixed setup.

I'm trying to avoid buying any new hardware. I can't change router A, because it's the ISP's modem/router combo. They require it, and gave it for free without any up-front or monthly fees. It's been flawless, so I'm not complaining. My AC68U is a bit dated, but it's a well-loved unit by the masses, and isn't going anywhere. The Ubiquiti router is collecting dust. I wanted to put it to use out there, because nothing is speed sensitive. Just need some kind of connectivity out there to web surf or stream music. If the Ubiquiti router is too much of a pain, then I'll need to buy another router/repeater/extender. Just not looking to invest a ton for a garage.

Not sure exactly how to answer the garage power supply. The entire property is all fed from the same pole and is all on one bill. However, the garage and house are completely independent of each other regarding wiring. Each has its own breaker box, and meets only at the pole/meter.

> First off, serial NAT is bad. I expect none of these devices are in fact acting as routers but instead as gateways, doing NAT/PAT. So you have three layers of encapsulation taking place from C to get through A to the internet if you could effectively get C to connect wirelessly to B as a repeater.
>
> It sounds like you are trying to have three separate SSID's on separate subnets share an internet connection. Is there a reason for the isolation between the three networks? You'd normally do this with VLAN's and a more capable main device (A would be setup in bridge mode as a modem, not doing any gateway functions) that would handle NAT/PAT, DHCP and block inter-vlan routing. The wireless would be provided by AP's that can do VLAN's. This also brings with it the benefit of being able to provide the same SSID's on multiple AP's, so if you personally needed access at all three locations, you could have that SSID available on all three AP's, while limiting the other SSID appearances to just a single AP if desired. If non-VLAN aware hardware is leveraged, the alternative is to assign VLAN's to different physical ports on the device, make them access only (non-trunk) and then connect the different AP's to these different ports.
>
> For providing the wireless link, you'd normally use a pair of dedicated AP's setup to do wireless bridging. These devices do not serve clients and typically leverage directional antennas. Then you'd have AP's with omni antennas at each location connected to service clients. A wired backhaul, as others noted, reduces the complexity in providing service to the remote building, which could then be handled with a single AP.
>
> As @Rand noted, Ubiquiti wants you to stay within their ecosystem, and this is achievable with their inexpensive hardware.

It definitely sounds like you know what I need. That makes one of us! I think all of this sounds correct, but I have no clue what any of it means. To answer your question, as stated above, I want to be able to give the password out to connect to C without allowing access to A or B.
 

wwillson

Staff member
Joined
Aug 20, 2003
Messages
5,352
Location
Naperville, IL
> Again, above my paygrade. I don't mean to sound dismissive or unappreciative, I just don't understand the input. For example, here's what I understood of this post: I need to set static IP addresses for B and C, but you also mentioned something about a static "route" on A for C. I have no idea what this means. Nor do I really understand how to set static addresses for B and C other than entering a 'random' static IP address that looks good and matching it on both routers...which is probably not correct. I may have used some correct terminology in my OP, but I really have no idea what I'm talking about. I'm trying...

You don't need to assign static IP addresses to your devices, you need a static route as described. You also need routable prefixes on each segment you intend to route between. Meaning if you are using /24 prefixes, you can't have overlaps in your address space.

Example: router A is assigned 192.168.0.1/24, router B is assigned 192.168.1.1/24, and router C is assigned 192.168.2.1/24.

Welcome to the complexities of routing.

Home running Ethernet cables and using access points is much simpler.
 
Joined
Sep 27, 2015
Messages
4,577
Location
USA
It's considerably more complicated to mix and match old equipment than to run with an ecosystem like UniFi. Especially when you're insisting on throwing in a 15 year old router that is out of support from the manufacturer.

Generally you should treat an ISP gateway box (A) as only a link to the Internet and do all routing, firewalling, and wifi APs on your own equipment. Turn off the wifi features of box A and make only one wired connection to it.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
53,916
Location
Ontario, Canada
> It's considerably more complicated to mix and match old equipment than to run with an ecosystem like UniFi. Especially when you're insisting on throwing in a 15 year old router that is out of support from the manufacturer.
>
> Generally you should treat an ISP gateway box (A) as only a link to the Internet and do all routing, firewalling, and wifi APs on your own equipment. Turn off the wifi features of box A and make only one wired connection to it.

I'd take that a step further and see if he can get the ISP to put the device in bridge mode so it just acts as a modem, that way he cuts it doing NAT/PAT out of the equation altogether.

Even if he sets it up as Wayne noted, with routes between the different subnets, that would allow a savvy user to access devices on one of the parent subnets being routed through. Ideally, we'd use VLAN's here, but another option is something like an Aruba InstantON that allows for the creation of guest WiFi networks, which has the traffic tunnelled, on its own subnet, to the default gateway and isn't allowed to access the parent subnet. Though I believe Ubiquiti hardware may also have this capability, not sure as to the price differential there.
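
The static-route advice earlier in the thread and the isolation concern in the post above, worked through as an added example that is not part of any post. It assumes plain routing with no NAT on B or C, uses the 192.168.0/1/2.x prefixes given in the thread, and invents the uplink addresses (the .2 hosts and the 203.0.113.x ISP side) and the `deny` filter on C for illustration.

```python
import ipaddress
from itertools import combinations

def overlaps(prefixes):
    """Return name pairs whose prefixes overlap; routing needs this empty."""
    nets = {n: ipaddress.ip_network(p) for n, p in prefixes.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

class Router:
    def __init__(self, name, *interfaces):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = []   # static routes as (network, next-hop address)
        self.deny = []     # destination prefixes this router will not forward to

    def add_route(self, prefix, next_hop):
        hop = ipaddress.ip_address(next_hop)
        # The next hop must sit inside one of the router's own prefixes.
        if not any(hop in i.network for i in self.ifaces):
            raise ValueError(f"{self.name}: next hop {hop} is not directly connected")
        self.routes.append((ipaddress.ip_network(prefix), hop))

    def connected(self, dst):
        return any(dst in i.network for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match over the static routes, or None."""
        hits = [(n, h) for n, h in self.routes if dst in n]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def trace(routers, start, dst, max_hops=8):
    """Follow a packet hop by hop; return (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    here, path = routers[start], [start]
    for _ in range(max_hops):
        if any(dst in ipaddress.ip_network(d) for d in here.deny):
            return path, "dropped"
        if here.connected(dst):
            return path, "delivered"
        hop = here.next_hop(dst)
        if hop is None:
            return path, "no route"
        owner = next((r for r in routers.values()
                      if any(i.ip == hop for i in r.ifaces)), None)
        if owner is None:
            return path, "sent upstream"   # next hop is outside the home (ISP)
        here = owner
        path.append(owner.name)
    return path, "loop"

def build(static_routes=True, isolate_garage=False):
    # LAN prefixes are the thread's example; uplink and ISP addresses are assumed.
    a = Router("A", "192.168.0.1/24", "203.0.113.2/30")
    b = Router("B", "192.168.1.1/24", "192.168.0.2/24")
    c = Router("C", "192.168.2.1/24", "192.168.1.2/24")
    a.add_route("0.0.0.0/0", "203.0.113.1")
    b.add_route("0.0.0.0/0", "192.168.0.1")
    c.add_route("0.0.0.0/0", "192.168.1.1")           # C is a stub: default only
    if static_routes:
        a.add_route("192.168.1.0/24", "192.168.0.2")  # B's LAN via B
        a.add_route("192.168.2.0/24", "192.168.0.2")  # C's LAN via B
        b.add_route("192.168.2.0/24", "192.168.1.2")  # C's LAN via C's uplink
    if isolate_garage:
        # Hypothetical filter on C: garage clients may not reach house prefixes.
        c.deny = ["192.168.0.0/24", "192.168.1.0/24"]
    return {r.name: r for r in (a, b, c)}

if __name__ == "__main__":
    print(trace(build(static_routes=False), "A", "192.168.2.50"))
    print(trace(build(), "A", "192.168.2.50"))
    print(trace(build(), "C", "192.168.0.10"))
    print(trace(build(isolate_garage=True), "C", "192.168.0.10"))
```

Without the static routes, A hands garage-bound replies to the ISP; with them, a garage client can also reach house devices unless C filters those destinations.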
 
Joined
Aug 20, 2003
Messages
18,971
Location
NE,Ohio
The cheapest option would be some sort of mesh devices that come equipped with guest network option.
ideally with unifi you would need UDR and probably 1-2AP. The ap could wirelessly connect to the other ap or UDR.
a better option would be that with a wireless bridge.
The UDR is out of stock.
as is the AP Lite.

I could write a book on how to do it with unifi but it would be hundreds $$$+ and that seems beyond your budget.
 

OilMagnate

Thread starter
Joined
Aug 4, 2020
Messages
520
Location
Oklahoma
> You don't need to assign static IP addresses to your devices, you need a static route as described. You also need routable prefixes on each segment you intend to route between. Meaning if you are using /24 prefixes, you can't have overlaps in your address space.
>
> Example: router A is assigned 192.168.0.1/24, router B is assigned 192.168.1.1/24, and router C is assigned 192.168.2.1/24.
>
> Welcome to the complexities of routing.
>
> Home running Ethernet cables and using access points is much simpler.

This actually sounds fairly easy now that it was spelled out for me. So as long as I set them as described, it should work. Right?
 

OilMagnate

Thread starter
Joined
Aug 4, 2020
Messages
520
Location
Oklahoma
> It's considerably more complicated to mix and match old equipment than to run with an ecosystem like UniFi. Especially when you're insisting on throwing in a 15 year old router that is out of support from the manufacturer.
>
> Generally you should treat an ISP gateway box (A) as only a link to the Internet and do all routing, firewalling, and wifi APs on your own equipment. Turn off the wifi features of box A and make only one wired connection to it.

I guess I don't understand why the hatred for the ISP gateway when it's been doing everything I ask flawlessly. Turning off the WIFI at A is also not an option, as the distance between each of the routers is too large. Too many walls and obstacles. That's why B exists, and why C needs to be installed...poor RF reception.

I'd be happy if I can just get mediocre connectivity in the garage. I'm talking -80db, a ping under 100ms, and 5Mbps up & down. My ISP provides a rock solid 100Mbps up and 100Mbps down, without any dips. Best ISP in the world IMO. I could upgrade to gigabit up and down, but I haven't needed to yet. That said, I feel the AirRouter should easily meet my low expectations.

^Here I go using proper terminology again. I know speeds and reception. That's about where it stops.
 