The video provides a pragmatic roadmap for transitioning from chaotic "plug-and-play" setups to disciplined, scalable network architecture. It correctly identifies that true technical proficiency lies in anticipating future failures through proactive configuration rather than reactive troubleshooting.
Deep Dive
7 Common UniFi Mistakes That Cause Bigger Problems Later
Setting up a UniFi network is pretty straightforward, but it's also easy to set one up wrong without realizing it.
And the worst part is that a lot of these issues don't show up right away.
They turn into random issues later: devices that can't connect properly, weak security, or settings that seem harmless but cause issues. In this video, I'll walk through seven of the most common ones, why they matter, and exactly how to fix them. If your network has been running for a while, there's a pretty good chance at least one of these is affecting you right now.

Before we get to that, I want to thank Micro Center for sponsoring this video. If you're building, upgrading, or experimenting with anything AI related right now, Micro Center is one of the best places to start. They have a full list of AI workstations for both beginners and professionals. So whether you're just getting into local AI tools or you need something more serious for creative work, development, or heavier workloads, it's worth checking out. Also, if you're in Austin, Texas, Micro Center's 31st store is opening there later this year, and you can sign up and get a free 128 gig flash drive when the store opens. If you're near Columbus, that Micro Center is getting a remodel with a grand reopening coming soon. You can sign up there as well for a free 128 gig flash drive at the grand reopening. Whether you're looking for AI workstations, PC parts, or just want to keep up with what's happening in tech, check out Micro Center News and the links in the description. Thanks again to Micro Center for sponsoring this video. Now, let's get back to it.

So, the first configuration issue that we're going to talk about is individual Wi-Fi SSIDs. Now, most of the issues that we're going to be talking about today, I've experienced with a lot of different clients over the years, and I've talked through a lot of these issues on individual consulting calls.
So, why an individual Wi-Fi SSID is a problem is because for the most part, you're going to be coming to a UniFi network either from a different router and firewall or you're going to be coming into the UniFi ecosystem, and you're not totally clear on exactly how Wi-Fi SSIDs plus VLANs work. So, in the network section here, you'll see I have a bunch of VLANs. But in the Wi-Fi section, I have one Wi-Fi SSID. And that SSID is tied to the native network. So in that SSID configuration, you can select a different VLAN. And when you do that, the Wi-Fi devices that connect to this VLAN will then be assigned to that VLAN. But what happens is people have an individual Wi-Fi SSID and they have like 70 devices on it. And the reason is because they either switched to this device and just set up the old Wi-Fi SSID that they were using or they just set up an individual SSID and connected all of their devices to it. Now, that is the problem in a nutshell. So, every phone you have, tablet, laptops, light bulbs, smart plugs, whatever it is, everything is tied to this one Wi-Fi SSID. So when you go and want to segment your network with firewall rules, you really can't because all of those devices are connected to this one Wi-Fi SSID. So there's a few ways that you can get around this. The first is that from day one, you want to create different Wi-Fi SSIDs. So, if you have different Wi-Fi SSIDs, even if they're tied to the same VLAN, what you can do is ensure that the devices that you are connecting to this network are connected to the correct Wi-Fi SSID for a later date when you intend on implementing VLANs. Then, at a later time when you configure those VLANs, you can easily come in here and change the network to use that specific VLAN. And then at that point, all of those devices will be on the correct VLAN. With that said, if you did not set it up this way from the start and all of your devices are on one VLAN, you kind of just have to go through and move them all. 
But there is one thing that you can do. What you can do is try and figure out exactly how many devices are connected to this network and where the majority of those devices should be on from a VLAN perspective. So, what I mean by that is let's say this top network had 50 devices and 40 of them were IoT.
Well, what you do is set this to be your IoT network. It doesn't have to say IoT.
Just make sure then that you go in and set up a trusted Wi-Fi SSID and a guest Wi-Fi SSID. And then at that point, you're only moving a few devices. You don't have to do all of them. But regardless, you're going to have to figure out a way to move all of those devices.

The next is around hard-coding IP addresses in firewall rules. So, what ends up happening over time is that you are going to end up punching holes in your firewall. And what I mean by that is setting firewall rules up to allow a specific device to access another device, preferably on an individual port like you'll see here. So, these rules are set up this way for a reason. So what you'll see is that in the source here I'm using a network list, but in the destination I'm using an IP address. So what ends up happening a lot of the times is that all of these IP addresses are hardcoded, and then when that device changes, what ends up happening is that you have to go back and update a ton of different firewall rules. And more importantly, you have to go back to all of your zones and check to see exactly where those rules were being referenced, what IP addresses have to be updated, etc. But you can get around it in one of two ways. So, the first way is to use network lists. So, what you'll see here is I have this video editing PC, but it's actually a network list.
And that network list just contains one IP address because it's one device. But if that video editing PC was to ever change or that IP address was to ever change, the only thing I have to do is come into the overview section, scroll down to my network lists, select that specific network list, and then change this IP address. So I could remove it, and then add the correct one. Then at that point, this specific network list, when it's referenced in other firewall rules, will automatically be updated, and I won't have to go through and try and find out all of them and update all of them at the same time. So you can do that very easily in the firewall rule itself. And rather than having an IP, you would come here, select list, give it a name, add the IP address, create it, and then when you apply those changes, you'll see that the firewall rule gets updated. And then after that, the only thing that you have to do is scroll down, select the list, apply the changes, and then at that point, the destination would be updated. And now you'll no longer be referencing specific IP addresses. The other thing to keep in mind is that if you are not using the firewall and you're using object-oriented networking, it kind of works the same way, but you're going to want to create a group. That group would then allow you to group all of those devices, and if any of them were to ever change, you would remove the individual device, then go in and add the new one, and then all of those object-oriented networking rules would automatically update based on that group.

The next is enabling intrusion detection and prevention without checking insights when something is broken. So I have a very clear way of talking through this because it happened to me literally yesterday. So in the CyberSecure section here you're going to see intrusion prevention, and you can turn it on or off, and you really have pretty basic settings here. So you have your selected network.
So these are your VLANs and you can add VLANs to this list. And then at the bottom here is the detection mode. So you have notify and you have notify and block. If you turn on notify and block, you're going to have the perception like this is only a benefit. So what I mean by that is you're going to look at it like if something bad was to happen, it would automatically get blocked. But the reality is that there are going to be times that you're trying to do stuff, most of the time inter-VLAN, where you're trying to do something and something weird could be happening. So the example I have is this rule right here. So my video editing PC was trying to access my database on this port and it just wasn't working and I couldn't make sense of why. After about an hour or so, I realized what it could be. And I'm saying hour or so specifically because even though you know this, sometimes you forget about it. I forgot about it yesterday and I went a pretty long time before connecting the dots. So in this insight section here, you're going to see blocked and threats. And this yesterday is exactly what was happening to me. So my video editing PC was trying to access that database, but it was being blocked for this specific reason.
And when you click this, you can actually see exactly why it was being blocked. So there's two things here. The first thing is if something weird is happening on your network, especially if it's from one VLAN to another, and you have intrusion prevention on, specifically because if this was just detection, it would only notify me. It wouldn't actually have blocked it. This is the first place you should start. And if you do find something like I found, you have a few options here. You can either exclude the source IP address entirely, and because this is one of my trusted devices, that's what I did. But you can also suppress the signature for the IP address. I wouldn't necessarily suppress it entirely, but you can do it for either the destination or the source IP address, and that will allow that traffic to go through. So, this is the very first place you need to check if something weird is happening, basically because intrusion prevention could be blocking it and it's probably going to be one of the last things that you think about.

While we're here, the next one is actually around ad blocking and the exact same thing happening. So inside of the CyberSecure section in the content filter, you can configure this ad block setting right here. And then you could pick a specific VLAN or multiple VLANs. And then what it's doing is it's doing DNS filtering.
So what that means is it's going to look for anything that is ad related and it's going to block that. So if you go to a website while this is on and there's an ad that's normally there, this should block it. It's not 100%, but it does a very good job. And if you're not using it, it's a pretty cool way that you can very easily set up Pi-hole-like functionality without any of the actual setup. But what ends up happening is that ad blocking, especially at the DNS level, is not perfect. So what happens is you're on a website and something's not working the way that you'd expect it to. So the site could partially load, or you could be having a hard time logging into it, or you could be trying to access or use an application and it's not working properly. The very first thing that you should check if those are your symptoms and you have ad blocking turned on is the insights again. So inside of the insights tab, if you scroll down to the policy type and then ad blocking, you're going to see exactly what was blocked. And then it gets a little harder because you need to try to figure out exactly what is being blocked that's not supposed to be blocked. But regardless, you can come in here, select it, see exactly why it was being blocked, and then you can allow the destination domain. Now, you might have to do that for multiple different domains depending on exactly what's not working. But that's something that is very, very common if you're using ad blocking. So, if something is broken and it's not working the way that you'd expect it to and you're using ad blocking, come here and check to see if anything is being blocked. You can also temporarily disable the content filter as well to validate that.

Next is over- or under-isolating networks. Now I've seen both scenarios, and they are opposite sides of the spectrum here. So inside of the VLAN section here you have this isolate checkbox, and this is a hard isolation.
So when you isolate a network, if you come into the firewall here, you're going to see this isolated networks firewall rule that gets created and it in essence just takes that specific VLAN and it creates an isolate rule in all of the zones. Now because it does that, that VLAN is isolated.
Nothing can access it and it cannot access anything else. If that's what you want, that's a very good way to do it because you don't have to worry about firewall rules. It's a checkbox. The VLAN gets isolated. You don't have to worry about it. But what ends up happening a lot of the times is that you want to access devices. So for example, someone will isolate an IoT network and then wonder why they can't access any of the devices on that network. Well, you isolated it. That's why. So if you've over-isolated things, either you did it with that checkbox or you configured specific zones and just basically blocked everything from accessing one another. If you're not looking to do that, you should try and configure the firewall properly. I have a video that I just released that goes over an entire firewall setup. I'll leave a popup for that. Now, that video will explain how you can kind of scale back your firewall to exactly what you need rather than just isolating everything. But the opposite side of that spectrum is under-isolating everything. So what ends up happening is people will come in and they will set up specific VLANs, but they won't actually add any firewall rules. So let's say you didn't isolate the network and you just had everything set up like this. When you come into the zone-based firewall, which I would suggest you use, inside of this internal zone here, you'll see all of your VLANs, but that traffic is not actually isolated. So the VLANs are technically segmented, but they're not actually blocked from accessing one another. So that falls into the under-isolating category, where you have not created any firewall rules and everything can still technically access one another. And the worst part is that you think they're isolated, but they're not actually isolated. So those are the problems. You really have one solution to this, and it's configuring the firewall properly.
That video will go over it. But regardless, if you're over-isolating your network, you're not going to be able to access what you need. If you've under-isolated your network, everything can access one another. And all roads lead back to the same place. You should just try and configure the firewall properly.

The next, and this has happened to a lot of the clients I've worked with, is not configuring dynamic DNS for your VPN. So, in this VPN section here, you're going to see that you can create a VPN server. And WireGuard is a very popular option that a lot of the clients I've worked with have used. But what you'll see here is this checkbox. And for every client that I've met with that has had this problem, this checkbox is not used. So what ends up happening is you come in here and you configure a WireGuard VPN server. I have a video if you're interested in doing this that walks through the whole process. I will leave a popup for that now. But inside of this IP address, you're going to see your external IP address. Now, why this is a problem is because you most likely, and I say most likely because it's not everybody, but you most likely have a dynamic external IP address. What that means is that periodically that IP address will change. And there are plenty of people out there right now that are saying that they've had the same IP address for 3 years. Sure, you probably have, but if you've had a power outage or if you've rebooted your modem, there's a pretty good chance it's going to pick up a new IP address. And if it does, that's when this problem will arise. So, when you create that WireGuard VPN server and you come into this client section here and you add a client, if we were to download this configuration file, your setup will look like this. And you'll see in the endpoint section here, the IP address is hardcoded. So when that IP address changes, you can no longer connect to it because it's no longer the location that you were connecting to. It's a different IP address. What you want is for it to look like this. And by using that checkbox and configuring your DDNS domain, what happens is that that DDNS host name will be updated with your new IP address. And when it is, you'll always be connecting to it. So if it ever changes, you don't really have to worry about it because then at that point you're ensuring that you are always connecting to it. Now the way that you can configure this is in the internet section here. If you select your WAN connection, you can come in here, select manual, and then create dynamic DNS. I have an article if you're interested. I'll leave a link for that in the description if you're interested in setting this up. But if you haven't configured it this way, you're going to have to go back and ensure that your WireGuard client on your phone or laptop or whatever it is starts to use that DDNS host name.
You can't just configure it here and then set up WireGuard to use it moving forward. You're going to have to go back to those client devices and update them so that it uses that DDNS host name. So the last is around Wi-Fi.
And for the most part, there are going to be major differences from person to person. It generally will depend on the access points that you have and how many access points you have, but there's a very helpful option here that allows you to apply all of the same settings to all of your access points. And for the channel width, I actually very much like this because I don't change the channel width from access point to access point.
But where it can become a problem is if you use that same approach inside of the actual power settings for your access points. So I have a video as well that goes over a default Wi-Fi configuration and how you should configure your access points. And it's done with an older version of UniFi Network, but the principles are the same. But the real point here is that depending on how many access points you have, your transmit power probably has to be lower than you think it is. And if you have multiple access points, 2.4 should probably always be low. Five can be somewhere between low and medium. And then six, I've had good experiences with high, but it really does depend. You could also potentially set 5 gigahertz to be high, but again, it depends on your access points. The point here is not to say what settings you should use. That other video goes over that. The point is more to say that depending on the access points that you have, where they're located, how they're configured, that should drive the access point settings.
If you don't have this all configured properly, you're going to have a ton of interference. You're going to have poor roaming performance, which means just walking around your house and the device that you're on moving from access point to access point, because, to be clear, the access point does not determine what device is connected to it. The device determines what access point it's connected to. So, you need to make sure that this is all dialed in properly or you're going to have very, very poor Wi-Fi performance. I don't want to go over it now because this is already a very long video, but that video will walk you through just about everything that you need to know. Now, I acknowledge that this was a lot and there are probably a lot of other issues that people have experienced as well, but the point here is really to highlight some of the more common ones that I've come across in consulting sessions. I have a bunch of videos or tutorials that I will leave a link for in the description, ones that I've referenced before. I also have a different UniFi mistakes video that's similar but a little different that I'll link below as well because that goes over some other common beginner mistakes. But this one was more geared around issues that I have experienced with clients based on how much they have occurred. So, I hope you got some value out of this video if you made it this far. Thank you very much for watching.
And I'll see you guys next
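As an added example that is not from the video or from UniFi, the dynamic DNS point above can be turned into a quick audit of already-distributed WireGuard client configs: a `[Peer] Endpoint` whose host is a literal IP will break the next time the WAN address changes, while a DDNS hostname survives it. The config text, the 203.0.113.10 address, the key placeholders and the `vpn.example-ddns.invalid` hostname are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample WireGuard client config (not the video's): the
# Endpoint carries a hard-coded public IP, which stops working once the
# WAN address changes. Keys are dummy placeholders, not real keys.
HARDCODED_CONF = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.3.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Matches the Endpoint line; group 1 is the key/spacing, group 2 the value.
ENDPOINT_RE = re.compile(r"^(\s*Endpoint\s*=\s*)(\S+)\s*$", re.MULTILINE)


def split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6-literal]:port' into (host, port)."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed Endpoint: {endpoint!r}")
    return host, int(port)


def endpoint_is_ip_literal(conf_text: str) -> bool:
    """True when the [Peer] Endpoint host is a literal IPv4/IPv6 address,
    i.e. the fragile setup the video describes. A DDNS hostname returns False."""
    m = ENDPOINT_RE.search(conf_text)
    if m is None:
        raise ValueError("no Endpoint line in config")
    host, _port = split_endpoint(m.group(2))
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rewrite_endpoint(conf_text: str, ddns_host: str) -> str:
    """Return the config with the Endpoint host swapped for ddns_host,
    keeping the original port: the per-client edit that still has to be
    made after DDNS is enabled on the controller."""
    m = ENDPOINT_RE.search(conf_text)
    if m is None:
        raise ValueError("no Endpoint line in config")
    _host, port = split_endpoint(m.group(2))
    return ENDPOINT_RE.sub(lambda mm: f"{mm.group(1)}{ddns_host}:{port}",
                           conf_text, count=1)


if __name__ == "__main__":
    fixed = rewrite_endpoint(HARDCODED_CONF, "vpn.example-ddns.invalid")
    print("hard-coded endpoint:", endpoint_is_ip_literal(HARDCODED_CONF))  # True
    print("after rewrite:", endpoint_is_ip_literal(fixed))               # False
    print(fixed)
```

Run it over each exported client `.conf`; any config where `endpoint_is_ip_literal` returns True is one that will stop connecting after the next WAN address change.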