Overview

After reading this article users should gain the knowledge to be able to configure and maintain the IPS/IDS functionality on their UniFi networks. NOTES & REQUIREMENTS:Applicable to the following:

• UniFi Network version 5.9+
• UniFi Security Gateway platform firmware 4.4.18+
• UniFi Dream Machine platform

Table of Contents

1. Introduction
2. Network Diagram
3. Intrusion Detection and Prevention
   1. Categories
   2. Whitelisting
   3. Signature Suppression 
4. GeoIP Filtering
5. DNS Filters 
   1. Filter Levels
6. Deep Packet Inspection
   1. DPI Restrictions (Layer 7 Filters)
7. Network Scanners
   1. Internal Honeypot
      1. Honeypot Services
8. Testing & Verification
9. Privacy Statement
10. Related Articles

Introduction

An intrusion prevention system (IPS) is an engine that identifies potentially malicious traffic based on signatures. The signatures contain known traffic patterns or instruction sequences used by malware. This type of signature-based engine can only detect anomalies based on known malicious traffic patterns.

Network Diagram

Intrusion Detection and Prevention

To enable intrusion detection or intrusion prevention, navigate to the Settings > Security section of the UniFi Network application. ATTENTION:

• Enabling IDS or IPS will affect the maximum throughput on inter-VLAN and egress traffic.
  • USG: 85 Mbps*
  • USG-Pro: 250 Mbps*
  • USG-XG: 1 Gbps*
• Enabling Smart Queues or DPI on top of IPS/IDS will also incur a further throughput penalty to maximum throughput.
• UniFi Dream Machine throughput: 850 Mbps*
• UniFi Dream Machine Pro: 3.5Gbps*

*Values are rough estimates and can vary depending on configuration.

Threat Management Modes

• Intrusion Detection System: When set will automatically detect, and alert, but will not block potentially malicious traffic. 
• Intrusion Prevention System: When set will automatically detect, alert, and block potentially malicious traffic. 

Firewall Restrictions

These restrictions can be found under New Settings > Internet Security > Advanced.

• Restrict Access to ToR: When enabled will block access to The Onion Router. 
• Restrict Access to Malicious IP Addresses: When enabled will block access to IP addresses or blocks of addresses that have been recognized as passing malicious traffic. 

System Sensitivity Levels

The “system sensitivity levels” are pre-defined levels of security categories that will be loaded into the threat management daemon. Each level increase requires more memory and CPU usage. Additionally the “custom” level is utilized when manually selection categories.

Categories

ATTENTION:

• Due to the amount of available memory on the USG3 and UDM a limited selection of categories can be enabled.
• Click below to see a full list of categories.

Categories and Their Definitions

Click Here to Expand the IPS/IDS Categories Section

NOTE:The following configuration can be found in the Advanced tab of Internet Security.

Whitelisting

The Threat Management Allow List function of the IPS engine allows a UniFi Administrator to create a list of trusted IP’s. The traffic, depending on the direction selected, will not get blocked to or from the identified IPs. 

Create a new allow list within Settings > Security > Internet Threat Management > Advanced.

Signature Suppression

The signature suppression function of the IPS engine allows a UniFi Administrator to mute the alerting on certain signatures. This will also disable blocking on traffic matching the designated suppression rule. 

• Adding a signature suppression rule for all traffic will suppress the signature regardless of host IP. 
• Adding a signature suppression rule with packet tracking based on traffic direction and by single IP, defined UniFi Network, or subnet of choice. 

GeoIP Filtering

NOTE:For GeoIP Filtering to work on the USG, hardware offloading must be enabled. When Threat Management is enabled (under Settings > Internet Security > Threat Management), hardware offloading is disabled. Only one of these two features can be enabled at a time on the USG.

Blocking

Blocking individual countries can be configured on the Threat Management Dashboard section. Blocking is as easy as navigating to the map, clicking on a country, and confirming by clicking “Block”.

Unblocking

Unblocking a country can be by performed on the Threat Management Dashboard by navigating to the left side of the map on the Overview tab. A list of blocked countries will be populated. Simply hover over the county that is to be unblocked and an “unblock” option will appear. Select “unblock” and the country will be taken off of the list. 

Traffic Direction

UniFi Network allows configuring the GeoIP filtering traffic direction. Follow the steps below:

    1. Navigate to the top of the Threat Management Dashboard and select the direction. 

    2. Select the traffic direction.

    3. Click Done.

DNS Filters

ATTENTION:

• DNS Filtering is only available on the UniFi Dream Machine. 
• Clients that use VPN, DNS-over-HTTPS, or DNS-over-TLS will have non-standard DNS requests that will not be seen by the UniFi Dream Machine. 

The DNS Filter feature allows administrators to select levels of filtering per-network. This ensures that any DNS requests that go out from clients on configured LANs adhere to the filtering levels. 

    1. To configure DNS Filters, navigate to New Settings > Internet Security > DNS Filters.

    2. Enable DNS Filtering by clicking the slider button.

    3. Select Add Filter.

    4. Choose the desired level of filtering for the LAN. 

    5. Select which network this filter should apply to and confirm the selection. 

    6. DNS filtering will be enabled at this point. 

Filter Levels

Security

Blocks access to phishing, spam, malware, and malicious domains. The database of malicious domains is updated hourly. Note that it does not block adult content.

Adult

Blocks access to all adult, pornographic and explicit sites. It does not block proxy or VPNs, nor mixed-content sites. Sites like Reddit are allowed. Google and Bing are set to the “Safe Mode”. Malicious and Phishing domains are blocked.

Family

Blocks access to all adult, pornographic and explicit sites. It also blocks proxy and VPN domains that are used to bypass the filters. Mixed content sites (like Reddit) are also blocked. Google, Bing, and Youtube are set to the Safe Mode. Malicious and Phishing domains are blocked.

Deep Packet Inspection

To configure Deep Packet Inspection (DPI) navigate to New Settings > Internet Security > Deep Packet Inspection.

NOTE: Device fingerprinting is not available on the UniFi Security Gateway.

DPI Restrictions

ATTENTION:DPI restrictions are limited to whole-category selections on the UniFi Security Gateway. This restriction is not applicable to the UniFi Dream Machine platform. 

    1. Click Add Restriction under “Restriction definitions”.

    2. In the configuration side-panel select a restriction group to add the rules to.

    3. Select a category to block. 

    4. Select an application from the category or select “All applications” to block the entire category.

    5. Ensure that “Enable This Restriction” is selected.

    6. Add the restriction group to a network in the “Restriction assignments” section. NOTE:A restriction definition can be applied to many networks. A restriction definition for each network is not required.

To manage the restriction definition, hover over the definition and selection either edit or remove.

Configuring Network Scanners

ATTENTION:Network Scanners are only available on the UniFi Dream Machine. 

Internal Honeypot

The “internal honeypot” feature is a passive detection system that listens for LAN clients attempting to gain access to unauthorized services or hosts. Clients that are potentially infected with worm or exfiltration type vulnerabilities are known to scan networks, infect other hosts, and potentially snoop for information on easy-to-access servers. The honeypot will report when hosts attempt to access the honeypot. Reports can be found on the Threat Management Dashboard.

To configure the internal honeypot follow the steps below:

    1. Navigate to Settings > Security > Internet Threat Management > Network Scanners.

    2. Enable the honeypot service by clicking the slider button.

    3. Select “Create Honeypot”.

    4. In  the popup modal select the network and Honeypot IP.

    5. Select “Create”.

Honeypot Services

The honeypot service listens on the following ports:

• FTP – TCP Port 21
• SSH – TCP Port 22
• Telnet – TCP Port 23
• SMTP – TCP Port 25
• DNS – UDP Port 53
• HTTP – TCP Port 80
• POP3 – TCP Port 110
• SMB – TCP Port 445
• MSSQL – TCP Port 1433

Testing & Verification

Intrusion Detection/Prevention

Linux or macOS

Input:

curl -A "BlackSun" www.example.com

Expected alert result:

Threat Management Alert 1: A Network Trojan was Detected. Signature ET USER_AGENTS Suspicious User Agent (BlackSun). From: 192.168.1.172:55693, to:172.217.4.196:80, protocol: TCP

Windows

The DNS category must be enabled

Input:

nslookup blacklistthisdomain.com 8.8.8.8

Expected alert result:

Threat Management Alert 1: A Network Trojan was Detected. Signature ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com. From: 192.168.1.1:53, to: 192.168.1.182:61440, protocol: UDP

Internal Honeypot

A few examples of manually testing the internal honeypot service are below. The following commands may or may not prompt for login credentials. The alerts will appear in the Honeypot section of the Threat Management Dashboard a few minutes after attempting the testing.

Telnet:

telnet <honeypot_ip>

SSH:

ssh <honeypot_ip>

NOTE:Replace <honeypot_ip> with the honeypot IP configured in the UniFi Network application.

Privacy Statement

What information does the IPS/IDS engine send to the cloud?

1. When a UniFi Administrator enables IPS or IDS on the UniFi Network application a token is generated for the gateway. The information listed below is sent over a TLS 1.2 encrypted connection whenever there is an IPS/IDS signature match.

timestamp
interface
source IP
source port
destination IP
destination port
protocol
signature id

2. Every 120-seconds there is a keep-alive to the ips1.unifi-ai.com hostname. This connection is to ensure reliable delivery of the violation message. The keep-alive is a connection to our cloud using port 443 so it is not just an ICMP ping or DNS resolution but a complete 3-way handshake and SSL Key exchange.

What information is kept on our servers regarding IPS/IDS?

The data listed above is only temporarily stored in the IPS Cloud until the  UniFi Network application downloads the information. After the information is downloaded by the application, the data is deleted from our cloud except for the attacker IP. The attacker IP information helps Ubiquiti maintain an up-to-date and effective attacker list which will improve Ubiquiti’s services to Ubiquiti customers around the world.

How is the information from alerts used by Ubiquiti?

Ubiquiti will use the alert information to improve its products and services, including generating lists of IP Reputation, Malicious IP addresses, Threat Intelligence and creating blacklists and new signatures for Ubiquiti devices. A sanitized version of IP addresses  (Ex: 200.200.x.x) can also be displayed on Ubiquiti Public Threat Map to help the public community to see malicious traffic around the world.

Source :
https://help.ui.com/hc/en-us/articles/360006893234-UniFi-USG-UDM-Configuring-Internet-Security-Settings

This article will provide suggestions for troubleshooting and resolving issues with slow Wi-Fi speeds on your UniFi network, as well as better understand what Wi-Fi speeds to expect and how to optimize your Wi-Fi configuration. 

• Introduction
• Measuring Wi-Fi performance
• Prerequisites
• Common Issues/Steps to Fix

Introduction

One of the most common Wi-Fi performance concerns reported is slower than expected Wi-Fi speed. This is due to a number of factors: 

• Speed issues can result from a wide range of network limitations and problems, many of which have nothing to do with wireless.
• Declined speed is easy to notice in typical network usage.
• Internet speed tests are the most widely—and sometimes the only tool used to evaluate/benchmark network performance: and can be inconsistent and inaccurate. 
• ISPs and hardware vendors market products with peak theoretical performance that differ from real-life usage. 

Measuring Wi-Fi Performance 

When looking at Wi-Fi performance it is important to take a step back and consider how Wi-Fi is supposed to work. Wi-Fi offers the benefit of mobility, scalability, and convenience over wired networks at the expense of maximum throughput and stability. With respect to client performance, modern Wi-Fi is designed to allow clients to enjoy the benefits of not being tethered to a wired network while preventing any visible reduction in performance across its area of coverage.  

Much of the concern about wireless throughput comes from a lack of understanding about how much bandwidth clients actually use. The difference between 300 Mbps and 500 Mbps may seem significant but the difference in performance would likely never be noticed through client use.

Here are estimated requirements of what throughput client devices need to use without declined performance (for more info see here): 

Client Application-specific Bandwidth Requirements

UniFi’s products are designed and tested to ensure they can provide for this typical use for many clients simultaneously. Any Access Point (AP) currently being offered in the UniFi product line offers far greater potential throughput than any client application could realistically require.

If a UniFi Access Point fails to provide the speed that it is capable of, this is most often a result of environmental limitations or other bottlenecks in the deployment. UniFi provides many tools that can help users identify these factors and mitigate them with proper configuration. 

Prerequisites 

The rest of this article assumes that the following prerequisites have been met: 

1. Eliminate any bottlenecks

Before working to improve your Wireless performance, it’s important to identify any bottlenecks outside of your Wireless network. A bottleneck is a point in a network infrastructure that limits performance everywhere else. Often poor Wi-Fi speed is incorrectly assumed to be a result of Wi-Fi hardware/config but actually is the result of a bottleneck upstream from the device. Here are some common examples of bottlenecks: 

• ISP Plan limits performance/speeds far beneath what Wi-Fi is capable of providing. For example, a plan might have a 100Mb/25Mb down/up bandwidth limit on service. Every UniFi device, including legacy devices, is capable of far exceeding this limit. See the image below. 
• Far too few APs for the number of clients/coverage requirements.
• Old/faulty ethernet cables.
• Outdated LAN hardware.
• Outdated Wireless hardware.
• Legacy client devices that don’t support 5GHz.
• Too much noise on a single channel.

The following is an example of a common network bottleneck: 

Diagram illustrating how Wi-Fi speed test results can be limited by ISP 

An easy way to at least rule out any bottleneck is to plug a wired device into the secondary port on an AP and perform the same speed test you are using to test Wi-Fi performance and compare the results to each other. It is normal to see some diminished performance on wireless compared to wired speed tests, but make sure you at least know what your wired network is capable of providing to the AP. 

2. Update your UniFi OS Console and UniFi Access Point (AP) Firmware to Current Version

Ubiquiti’s Firmware updates often include performance improvements: make sure that before testing the performance, you update your UniFi OS Console and your UniFi devices to the most current firmware available.

• UniFi – Set up UniFi Network
• UniFi – Upgrade the firmware of a UniFi device

Common Issues/Steps to Fix

This section examines some of the most common issues that cause diminished speeds on UniFi Networks, as well as the steps that will solve them.

Channel Width

Channel width is the most common cause for poor speed test results after setting up UniFi, especially when being compared to a single wireless router the UniFi devices are replacing. Default UniFi config on 5GHz radio is optimized for large environments (40MHz channel width), while most standalone routers are optimized for use as the only AP in a home/office (80MHz).

To properly test the maximum speed of a UniFi AP, switch to 80 MHz. 80 MHz channels are capable of more than double the peak speed of 40 MHz channels.NOTE: These settings only apply to 5GHz. We do not recommend that channel width be increased from 20 MHz on 2.4GHz as this will often cause worse performance. 

To change AP to use 80MHz channel width, go to Devices > Click on AP to open Properties Panel > Radios > RADIO 5G (11N/A/AC), Change Channel Width from VHT40 to VHT80, click Queue Changes, then Apply Changes. 

Summary: If using a small number of APs, switch 5GHz channel width on APs to 80 MHz for greater peak throughput. In larger environments, note that 40 or 20 MHz channel width is recommended for performance but can limit peak throughput.

Interference/Channel Overlap

The single most potentially negative environmental factor for Wi-Fi performance and stability is wireless interference. Interference can come from external sources like other wireless networks, weather radar, etc. while internal interference can come from devices overlapping with each other on the same channel. 

By default, UniFi Devices are set up with auto channel assignments, but this is something you will want to adjust for your deployment if there are concerns about speed/performance. 

It is recommended that a full site survey be performed for high-density/high-priority Wi-Fi deployments. If that has not been done or the site doesn’t warrant it, the Network application can help you find a better channel assignment for your APs by performing an RF scan. 

To do this, go to Devices > Click on AP to open Properties Panel > Tools > RF Environment and click Scan. User Tips:Running an RF Scan will disconnect any wireless clients currently connected to the AP. Do not run during peak hours if this is a concern. Suggested Channel Settings: 2.4GHz:
Channel width: HT20
Chanel: 1/6/11 Choose one of these channels, an RF scan will help you choose the cleanest one.Transmit Power: Medium5GHz:
Channel width: VHT40 
Optional VHT80/VHT160  (It will increase speeds but might cause more interference.)
Chanel: 36/44 | Optional (149/157) 
Choose one of these channels, an RF scan will help you choose the cleanest one. 
Avoid using DFS Channels unless you understand DFS logic.  (DFS Alerts will cause interruptions) 
Transmit Power: Medium (High)You could also modify your DTIM Periods if you have more modern devices on the network.
Settings > Wireless Network > SSID > 802.11 Rate And Beacon Controls
DITM 2G Period: 3
DITM 5G Period: 3

This scan will take 5-10 minutes and will populate the 2.4GHz channels first and then 5 GHz channels will subsequently be updated.

Once your RF scan is finished, select 5G and you’ll see a list of channels arranged by channel width and how much each channel is being utilized. Select a channel that appears to have the least noise on it and assign your AP to this channel.

To do this go to Devices > Click AP to select it and open Properties Panel > Properties > Radios > RADIO 5G (11N/A/AC), and choose the desired channel. 

If using multiple APs, make sure that each AP does not share the same channel as a nearby AP, and avoid having channels that are adjacent to each other as this can also cause interference. 

Summary: Interference/channel overlap can cause performance to decline. To make sure speed test results are not being impacted by interference, make sure APs are assigned to the optimal channel and not sharing or adjacent to the channel of any nearby APs.

Signal Quality

Another factor that can strongly influence Wi-Fi speed is the signal quality between AP and client device. As clients get further away from an access point and the signal gets weaker, to ensure stability/offer the best possible performance, the AP will lower the rate of the data transfer to compensate. 

When testing peak throughput, be sure to be standing close enough to the AP without obstructions and make sure the client signal strength is close to the maximum of 99%. If your client devices consistently have poor signal strength on 5GHz try increasing Transmit Power on 5GHz. 

To increase TX power on 5GHz, go to device configuration > Radios > Radio 5G (11N/A/AC), and only select “High” from the dropbox under Transmit Power. NOTE: Increasing transmit power on devices can have undesired effects, especially in a very high density environment. Consider starting on High or Auto and only reducing to Medium as needed on a per-AP basis.

Summary: When testing throughput make sure to consider the signal strength between the device and AP, you can find this under the Clients tab in the Network application. If the range on 5GHz is very low, consider increasing Transmit Power on the AP’s 5GHz radio. 

Inconsistent/Inaccurate Speedtest Methods

Another cause for poor speed test performance is inconsistent or inaccurate data. When comparing across devices, make sure to use the same speed test method as different speed test apps can vary wildly. 

While UniFi does include a speed test, the results are often far lower than reality, especially since UniFi’s available speed test servers are limited and results are very sensitive to the proximity of the speed test server. Try using a popular speed test app or website to test to check your UniFi results. Be sure to test multiple times and do not rely on assumptions or past data to inform your comparison.

If you wish to most accurately assess Wi-Fi speed alone and rule out other factors, try performing an iPerf test between a wired and wireless client/between two wireless clients. iPerf only measures bandwidth between two devices on your network. Note that iPerf can still be limited by the syntax you can use, the number of streams, packet size, etc. so make sure you understand what you’re doing before using iPerf. 

Summary: Speedtest results are often inaccurate. Make sure to use consistent speed test methods when comparing between devices, wired vs. wireless, etc. Confirm/test using multiple platforms. UniFi speed tests are often less accurate than other more popular speed test apps. 

Client-specific Issues & Limitations

When benchmarking Wi-Fi, it’s important to also compare across devices to ensure that the client itself isn’t limiting performance. Factors like client CPU utilization, network card driver, Wi-Fi specs, software, all can influence speed test results. 

Make sure to test with multiple devices. To truly measure peak throughput you must test a device that matches the capabilities of the UniFi AP. For instance, if you are testing with a device check the manufacturer specifications to see how many streams the 5GHz antenna supports i.e. Apple iPhone 7 is 2×2, UAP-AC-PRO has 3×3 5GHz radio, thus this iPhone will limit peak throughput. 

If a performance issue with Wi-Fi is isolated to one device, or multiple devices running the same software version, this will almost always point to a problem with the device/software. UniFi doesn’t change how it functions for each variety of client device. Try performing a web search to find other users experiencing similar issues with the same device on other vendor products. 

Keep in mind that declined performance on a single device isn’t a sign of a malfunctioning AP. UniFi APs are backwards compatible with older client devices and the fact that devices are able to connect with their older hardware is a sign the AP is working as designed. 

Summary: Test multiple client devices when benchmarking Wi-Fi performance. Client-specific issues are common but are largely unrelated to AP configuration/hardware.

Additional Steps

After reviewing each of the previous steps, if the issue does not appear to be resolved, check out this article for some further suggestions to troubleshoot wireless performance.

If you’d like to get suggestions from other UniFi administrators, feel free to post on our community.

For issues that point to an issue with UniFi devices/software with respect to wireless performance, feel free to reach out to UniFi support. Please note that the UniFi support team is not able to optimize networks for customers and will not be able to assist with performance issues that are cosmetic in nature or do not indicate an actual UniFi performance issue i.e. improving speed test results from 400 Mbps to 600 Mbps.

Source :
https://help.ui.com/hc/en-us/articles/360012947634-UniFi-Troubleshooting-Slow-Wi-Fi-Speeds-

You can wirelessly adopt access points to your UniFi Network. This allows you to extend your coverage without adding cabling in hard-to-reach areas. When within range of your already-adopted access points, simply connect a new access point to power and it will appear as ready for adoption in the Network application.

• General troubleshooting
• Wireless uplink requirements
• Modifying existing wireless uplink connections
• Frequently Asked Questions

General troubleshooting

Wireless UAP does not appear for adoption

1. Verify that the UAP is powering properly and is ready for adoption (steady white LED).

2. Connect it via Ethernet cable to your network and wait for it to appear for adoption. If it still won’t appear while connected, please see our general adoption troubleshooting steps.

3. Update to the current firmware version if an upgrade is available.

4. Once the UAP is adopted and running the newest version available, disconnect it from the wired LAN, and wait a few minutes while it connects wirelessly. After that, you may disconnect it from power to move it to its final position. Once it powers up again, the UniFi Network application will recognize it and start broadcasting the network’s WiFi through your wireless UAP.

The UAP is adopted but it will not work when moved to wireless networks

1. Verify that the UAP is receiving enough power from the PoE injector. The LED must be a steady blue. Take a look at the UAP’s datasheet to verify power requirements.

2. Verify that the Uplink Connectivity Monitor is enabled within Settings > System Settings > Controller Configuration > Uplink Connectivity Monitor.

3. Verify that there is at least one wired UAP to act as an uplink and that Enable Meshing is turned on within the UAP’s properties panel > RF > Enable Meshing. And that the meshing configuration is set to Auto; or if set to Manual, that Downlink is enabled.

Wireless uplink requirements

• At least one wired access point to serve as the uplink UAP
• A power source (i.e PoE injector) for the wireless UAP (downlink UAP)
• (Recommended) Newest firmware and Network application versions.

Note: The wireless adoption process takes longer than the wired one; expect to wait a little longer for access point detection and for the adoption process to complete.

Modifying existing wireless uplink connections

You can design the topology to your liking by configuring how the wirelessly connected UAPs are linked. To change a UAP’s uplink:

1. Select the UAP from the UniFi Devices section to open its properties panel.
2. Go to the RF tab and select Manual under the Enable Meshing toggle. If the Enable Meshing option is not turned on, do so now to expose the wireless uplink settings.
3. Select which UAP your wireless UAP will connect to (uplink).

Additionally, you can stipulate the uplink priority to define to which uplink your UAP will connect to if there is service degradation or if its current uplink goes offline. Use the Priority dropdown menus to select from the available uplinks.

Frequently Asked Questions

Can a wireless UAP be the uplink to another wireless UAP?

Yes. This is known as a multi-hop wireless uplink and is supported by UniFi, as long as there is one wired access point to provide the first “hop”. Keep in mind that each wireless uplink will suffer service degradation, so this should only be done when necessary.

Can I connect older UAPs wirelessly?

Yes, you just need to make sure to configure them correctly. Some older UAPs only broadcast on a single band (2.4GHz) and will not work the same as newer models. The following older generation UAPs do support wireless uplink on the band they operate on and do not support multi-hop: UAP, UAP-LR, UAP-PRO, UAP-Outdoor, UAP-Outdoor+, UAP-Outdoor5, UAP-IW.

UAP-AC and UAP-AC-Outdoor do not support wireless uplink or multi-hop.

If you have a UAP that does support wireless uplinking and it is still not working, make sure to take the following into account:

	Dual band uplink UAP to dual band downlink UAP: will uplink on 5GHz.
	Dual band uplink UAP to single band downlink UAP: will uplink on the supported frequency of the single band model.
	Single band uplink UAP to single band downlink UAP: will uplink, as long as the same band is supported on both sides of the link.
	Single band (2.4GHz only models) uplink UAP to dual band downlink AP will not be able to uplink.

If you have several wired UAPs, these should have assigned channels that are different and do not overlap with other UAP channels to minimize interference.

• If using all dual band UAPs
  • Set the wired UAP (uplink UAP) to static on 5GHz and to a static on 2.4GHz (1, 6 or 11 making sure it’s not a band also set for any of the other UAPs). Leave the wireless UAP (downlink UAP) set to Auto on the 5GHz radio and set a static channel on 2.4GHz not shared by others.
• If using all single band UAPs
  • Set the wired UAP (uplink UAP) to a static channel on 2.4GHz. Leave the wireless UAP (downlink UAP) set to Auto on 2.4GHz. 
• If using a dual band UAP as the uplink and single band UAP as the downlink
  • Set the wired UAP (uplink) to a static channel on 2.4GHz. Leave the wireless UAP (downlink) set to Auto.
    
    Source :
    https://help.ui.com/hc/en-us/articles/115002262328-UniFi-Network-Troubleshooting-Wireless-Uplinks