# 🏢 Ubiquiti Enterprise Network Setup Guide

**🔴 Advanced Guide**

This guide covers deploying a complete Ubiquiti enterprise networking solution for your homelab, including Dream Machine, managed switches, access points, and advanced network segmentation.

## 🎯 Ubiquiti Enterprise Architecture

### **Complete Ubiquiti Stack**

- **🌐 Dream Machine Pro/SE** - Gateway, controller, and security appliance
- **🔌 UniFi Switch Pro 48** - 48-port managed switch with PoE++
- **📡 UniFi Access Points** - WiFi 6E/7 coverage throughout property
- **📹 UniFi Protect** - Integrated video surveillance
- **📞 UniFi Talk** - VoIP phone system
- **🚪 UniFi Access** - Door access control

### **Network Segmentation Strategy**

```bash
# VLAN Design for Homelab
VLAN 1   - Management (192.168.1.0/24)   # UniFi devices, infrastructure
VLAN 10  - Homelab    (192.168.10.0/24)  # Servers, NAS, compute
VLAN 20  - IoT        (192.168.20.0/24)  # Smart home devices
VLAN 30  - Guest      (192.168.30.0/24)  # Guest network, isolated
VLAN 40  - Security   (192.168.40.0/24)  # Cameras, access control
VLAN 50  - DMZ        (192.168.50.0/24)  # Public-facing services
VLAN 100 - Trunk      (All VLANs)        # Inter-VLAN routing
```

---

## 🌐 Dream Machine Pro/SE Setup

### **Initial Configuration**

#### **Physical Setup**

```bash
# 1. Connect modem to WAN port (port 11 on UDM-Pro)
# 2. Connect computer to LAN port (port 1-8)
# 3. Power on and wait for LED to turn white (5-10 minutes)
# 4. Access setup at: https://192.168.1.1
```

#### **UniFi OS Setup**

```bash
# Initial setup wizard:
# 1. Create UniFi account or sign in
# 2. Set device name: "Homelab-UDM-Pro"
# 3. Configure WiFi (temporary - will be replaced by APs)
# 4. Set admin password (save to password manager)
# 5. Enable automatic updates
# 6.
#    Complete setup and access UniFi Network
```

### **Network Configuration**

#### **WAN Configuration**

```bash
# Navigate to: Settings → Internet

# WAN Settings:
Connection Type: DHCP (or Static/PPPoE based on ISP)
VLAN ID: [Leave blank unless ISP requires]
DNS Servers: 1.1.1.1, 8.8.8.8 (or custom)
IPv6: Enable if supported by ISP

# Advanced WAN Settings:
Load Balancing: Disabled (single WAN)
Smart Queues: Enable for QoS
Bandwidth Limits: Set to 90% of actual speeds
```

#### **LAN Configuration**

```bash
# Navigate to: Settings → Networks

# Default LAN Network:
Name: Management
VLAN ID: 1
Gateway/Subnet: 192.168.1.1/24
DHCP Range: 192.168.1.100-192.168.1.200
DHCP Lease Time: 86400 seconds (24 hours)
DNS Servers: 192.168.1.1 (UDM) or Pi-hole IP
Domain Name: vish.local
# Note: .local is reserved for mDNS (RFC 6762); with Multicast DNS enabled on the
# VLANs below, a suffix such as home.arpa (RFC 8375) avoids resolver conflicts
```

### **VLAN Configuration**

#### **Create VLANs**

```bash
# Navigate to: Settings → Networks → Create New Network

# Homelab VLAN
Name: Homelab
VLAN ID: 10
Gateway/Subnet: 192.168.10.1/24
DHCP Range: 192.168.10.100-192.168.10.200
Purpose: Corporate
IGMP Snooping: Enable
Multicast DNS: Enable

# IoT VLAN
Name: IoT
VLAN ID: 20
Gateway/Subnet: 192.168.20.1/24
DHCP Range: 192.168.20.100-192.168.20.200
Purpose: IoT
Block LAN Access: Enable
Internet Access: Enable

# Guest VLAN
Name: Guest
VLAN ID: 30
Gateway/Subnet: 192.168.30.1/24
DHCP Range: 192.168.30.100-192.168.30.200
Purpose: Guest
Guest Policy: Apply guest policies
Bandwidth Limit: 50 Mbps down, 10 Mbps up

# Security VLAN
Name: Security
VLAN ID: 40
Gateway/Subnet: 192.168.40.1/24
DHCP Range: 192.168.40.100-192.168.40.200
Purpose: Security
IGMP Snooping: Enable

# DMZ VLAN
Name: DMZ
VLAN ID: 50
Gateway/Subnet: 192.168.50.1/24
DHCP Range: 192.168.50.100-192.168.50.200
Purpose: Corporate
```

### **Firewall Rules**

#### **Inter-VLAN Rules**

```bash
# Navigate to: Settings → Security → Traffic & Firewall Rules
# Custom rules are evaluated top to bottom and the first match wins, so a
# narrow Accept must sit above the broader Drop it carves an exception from

# Allow Homelab to Management
Name: Homelab-to-Management
Rule Applied: Before Predefined Rules
Action: Accept
Source: Homelab Network
  (192.168.10.0/24)
Destination: Management Network (192.168.1.0/24)
Protocol: All

# Block IoT to other VLANs
Name: Block-IoT-to-Internal
Rule Applied: Before Predefined Rules
Action: Drop
Source: IoT Network (192.168.20.0/24)
Destination: Management, Homelab Networks
Protocol: All
Logging: Enable

# Allow specific IoT to Homelab (for Home Assistant)
# Place this rule above Block-IoT-to-Internal; listed below it, the Drop matches first
Name: IoT-to-HomeAssistant
Rule Applied: Before Predefined Rules
Action: Accept
Source: IoT Network (192.168.20.0/24)
Destination: 192.168.10.102 (Home Assistant)
Port: 8123
Protocol: TCP

# Block Guest from all internal networks
Name: Block-Guest-Internal
Rule Applied: Before Predefined Rules
Action: Drop
Source: Guest Network (192.168.30.0/24)
Destination: RFC1918 Networks
Protocol: All
Logging: Enable
```

#### **Port Forwarding**

```bash
# Navigate to: Settings → Security → Internet Security → Port Forwarding

# WireGuard VPN
Name: WireGuard-Atlantis
From: WAN
Port: 51820
Forward IP: 192.168.10.100 (Atlantis)
Forward Port: 51820
Protocol: UDP
Logging: Enable

# HTTPS Services
Name: HTTPS-Proxy
From: WAN
Port: 443
Forward IP: 192.168.10.100 (Atlantis)
Forward Port: 8766
Protocol: TCP
Logging: Enable

# SSH Access (Non-standard port for security)
# A non-default port cuts log noise but is not access control: restrict the
# source to known addresses, or reach SSH over the VPN above instead
Name: SSH-Management
From: WAN
Port: 2222
Forward IP: 192.168.1.100 (Management host)
Forward Port: 22
Protocol: TCP
Logging: Enable
```

---

## 🔌 UniFi Switch Pro 48 Configuration

### **Physical Installation**

```bash
# 1. Mount in rack (1U height)
# 2. Connect power (PoE++ requires both power inputs)
# 3. Connect uplink to UDM-Pro (SFP+ for 10Gbps)
# 4.
#    Wait for adoption in UniFi Network controller
```

### **Switch Configuration**

#### **Port Profiles**

```bash
# Navigate to: UniFi Devices → Switch → Ports

# Management Ports (1-8)
Profile: Management
VLAN: 1 (Management)
PoE: Auto (for UniFi APs)
Storm Control: Enable
Port Isolation: Disable

# Homelab Servers (9-24)
Profile: Homelab
VLAN: 10 (Homelab)
PoE: Auto
Link Aggregation: Available for NAS
Storm Control: Enable

# IoT Devices (25-32)
Profile: IoT
VLAN: 20 (IoT)
PoE: Auto
Storm Control: Enable
Port Isolation: Enable

# Security Cameras (33-40)
Profile: Security
VLAN: 40 (Security)
PoE: 802.3bt (PoE++)
Storm Control: Enable

# DMZ Services (41-44)
Profile: DMZ
VLAN: 50 (DMZ)
PoE: Disabled
Storm Control: Enable

# Uplinks (45-48 + SFP+)
Profile: Trunk
VLANs: All (Tagged)
Link Aggregation: Available
```

#### **Link Aggregation (LACP)**

```bash
# For high-bandwidth devices (NAS, servers)
# Navigate to: UniFi Devices → Switch → Settings → Link Aggregation

# Atlantis NAS (Primary)
Name: Atlantis-LAG
Ports: 9, 10
Mode: LACP (802.3ad)
Profile: Homelab

# Calypso NAS (Media)
Name: Calypso-LAG
Ports: 11, 12
Mode: LACP (802.3ad)
Profile: Homelab

# Uplink to UDM-Pro
Name: Uplink-LAG
Ports: SFP+ 1, SFP+ 2
Mode: LACP (802.3ad)
Profile: Trunk
```

### **Advanced Switch Features**

#### **Storm Control**

```bash
# Navigate to: Settings → System → Advanced Features

# Enable storm control globally
Broadcast Storm Control: 10% of port bandwidth
Multicast Storm Control: 10% of port bandwidth
Unknown Unicast Storm Control: 10% of port bandwidth
```

#### **Spanning Tree Protocol**

```bash
# STP Configuration
STP Mode: RSTP (Rapid Spanning Tree)
Priority: 32768 (default)
Forward Delay: 15 seconds
Max Age: 20 seconds
```

#### **IGMP Snooping**

```bash
# For multicast optimization (Plex, IPTV)
IGMP Snooping: Enable
IGMP Querier: Enable
Fast Leave: Enable
```

---

## 📡 UniFi Access Points Configuration

### **Access Point Deployment**

#### **Recommended APs for Homelab**

```bash
# UniFi
#   Access Point WiFi 7 Pro
- WiFi 7 (802.11be)
- 6 GHz support
- 2.5 Gbps uplink
- PoE+ powered
- Coverage: ~2,500 sq ft

# UniFi Access Point WiFi 6 Long Range
- WiFi 6 (802.11ax)
- Extended range
- 1 Gbps uplink
- PoE powered
- Coverage: ~3,000 sq ft

# UniFi Access Point WiFi 6 In-Wall
- In-wall installation
- Built-in switch ports
- PoE powered
- Coverage: ~1,500 sq ft
```

#### **AP Placement Strategy**

```bash
# Coverage Planning:
# 1. Central locations for maximum coverage
# 2. Avoid interference sources (microwaves, baby monitors)
# 3. Consider building materials (concrete, metal)
# 4. Plan for both 2.4 GHz and 5/6 GHz coverage
# 5. Use UniFi WiFiman app for site survey

# Recommended placement:
Main Floor: 1x WiFi 7 Pro (central)
Upper Floor: 1x WiFi 6 LR (central)
Basement/Lab: 1x WiFi 6 Pro (near servers)
Office: 1x WiFi 6 In-Wall (desk area)
Outdoor: 1x WiFi 6 Mesh (if needed)
```

### **WiFi Network Configuration**

#### **Create WiFi Networks**

```bash
# Navigate to: Settings → WiFi

# Main Network (Management + Homelab)
Name: YourNetwork
Password: [REDACTED_PASSWORD - keep in password manager]
Security: WPA3 Only
VLAN: 1 (Management)
Band: 2.4/5/6 GHz
Channel Width: 160 MHz (5 GHz), 320 MHz (6 GHz)
Transmit Power: Auto
Fast Roaming: Enable
BSS Transition: Enable
UAPSD: Enable

# IoT Network
Name: YourNetwork_IoT
Password: [REDACTED_PASSWORD]
Security: WPA2/WPA3
VLAN: 20 (IoT)
Band: 2.4/5 GHz (many IoT devices don't support 6 GHz)
Channel Width: 80 MHz
Client Isolation: Enable
Block LAN Access: Enable

# Guest Network
Name: YourNetwork_Guest
Password: [REDACTED_PASSWORD, or open with captive portal]
Security: WPA2/WPA3
VLAN: 30 (Guest)
Band: 2.4/5 GHz
Bandwidth Limit: 50 Mbps
Time Limit: 8 hours
Guest Policy: Apply restrictions
```

#### **Advanced WiFi Settings**

```bash
# Navigate to: Settings → WiFi → Advanced

# Band Steering
2.4 GHz: Enable
5 GHz: Enable
6 GHz: Enable (WiFi 7 APs)
Prefer 5 GHz: Enable
Prefer 6 GHz: Enable

# Airtime
#   Fairness
Enable: Yes (prevents slow devices from degrading performance)

# Multicast Enhancement
Enable: Yes (improves streaming performance)

# Fast Roaming
802.11r: Enable
802.11k: Enable
802.11v: Enable

# WiFi 6/7 Features
OFDMA: Enable
MU-MIMO: Enable
BSS Coloring: Enable (WiFi 6/7)
Target Wake Time: Enable
```

---

## 📹 UniFi Protect Integration

### **UniFi Protect Setup**

#### **Camera Deployment**

```bash
# Recommended cameras for homelab security:

# UniFi Protect G5 Pro
- 4K resolution
- PoE++ powered
- Night vision
- Smart detection
- Weatherproof

# UniFi Protect G4 Doorbell Pro
- 2K resolution
- Two-way audio
- Package detection
- PoE+ powered

# UniFi Protect G4 Bullet
- 4K resolution
- PoE+ powered
- Infrared night vision
- Vandal resistant
```

#### **Storage Configuration**

```bash
# Navigate to: UniFi Protect → Settings → Storage

# Local Storage (UDM-Pro)
Primary Storage: Internal HDD (3.5" bay)
Capacity: 8TB+ recommended
Retention: 30 days for 4K, 60 days for 1080p

# Network Storage (Optional)
Secondary Storage: NAS (Atlantis/Calypso)
Path: /volume1/surveillance
Retention: 90+ days
Backup: Enable automatic backup
```

#### **Detection Settings**

```bash
# Smart Detection Configuration
Person Detection: Enable
Vehicle Detection: Enable
Package Detection: Enable (doorbell)
Animal Detection: Enable
Motion Zones: Configure per camera
Privacy Zones: Configure as needed

# Notifications
Push Notifications: Enable for critical cameras
Email Alerts: Configure for security events
Webhook Integration: Home Assistant integration
```

---

## 🔒 Advanced Security Configuration

### **Threat Management**

```bash
# Navigate to: Settings → Security → Threat Management

# IDS/IPS
Intrusion Detection: Enable
Intrusion Prevention: Enable
Malware Blocking: Enable
Ad Blocking: Enable (or use Pi-hole)
Country Blocking: Configure as needed

# DPI (Deep Packet Inspection)
Application Identification: Enable
Traffic Analysis: Enable
Bandwidth Monitoring: Enable
```

### **VPN Server**
```bash
# Navigate to: Settings → VPN

# Site-to-Site VPN (for remote locations)
VPN Type: L2TP
Pre-shared Key: [Generate strong key]
User Authentication: Local users
DNS Servers: 192.168.1.1

# Remote Access VPN
VPN Type: L2TP or WireGuard
Network: 192.168.100.0/24 (VPN client pool)
DNS: Push homelab DNS servers
Routes: Push homelab networks
```

### **Network Access Control**

```bash
# Navigate to: Settings → Security → Network Access Control

# Device Authentication
802.1X: Enable for enterprise devices
MAC Authentication: Enable for IoT devices
# (MAC addresses are easily cloned: treat this as inventory control, not authentication)
Guest Portal: Enable for guest network
RADIUS Server: Configure if using external auth

# Device Fingerprinting
Device Classification: Enable
Automatic VLAN Assignment: Configure rules
Quarantine VLAN: 192.168.99.0/24
```

---

## 📊 Monitoring and Management

### **UniFi Network Monitoring**

```bash
# Navigate to: Insights → Overview

# Key Metrics to Monitor:
- Bandwidth utilization per VLAN
- Client count and distribution
- AP performance and coverage
- Switch port utilization
- Security events and threats
- Device health and uptime

# Alerts Configuration:
- High bandwidth usage (>80%)
- Device offline alerts
- Security threat detection
- Failed authentication attempts
- Hardware health issues
```

### **Integration with Homelab Monitoring**

```bash
# SNMP Configuration for Prometheus
# Navigate to: Settings → System → Advanced
SNMP: Enable
Community: homelab-monitoring   # v2c sends this in clear text; prefer SNMPv3 where offered
Contact: admin@vish.local
Location: Home Lab
```

Prometheus does not speak SNMP itself; it scrapes an snmp_exporter, which polls the devices on UDP 161. The job below assumes the exporter runs at 192.168.1.50:9116 (placeholder address) and that `unifi` is a module defined in its snmp.yml; the community string is configured in the exporter, not in Prometheus:

```yaml
# /etc/prometheus/prometheus.yml
scrape_configs:
  - job_name: 'unifi'
    metrics_path: /snmp
    params:
      module: [unifi]          # module name from the exporter's snmp.yml
    static_configs:
      - targets:
          - 192.168.1.1        # UDM-Pro
          - 192.168.1.10       # Switch
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target      # device the exporter should poll
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 192.168.1.50:9116    # snmp_exporter (placeholder address)
```

### **Grafana Dashboard**

```bash
# Import UniFi dashboards:
# Dashboard ID: 11314 (UniFi Poller)
# Dashboard ID: 11315 (UniFi Network Sites)

# Custom metrics to track:
- Per-VLAN bandwidth usage
- WiFi client distribution
- Security event frequency
- Device uptime statistics
- PoE power
  consumption
```

---

## 🔧 Migration from Consumer Router

### **Migration Strategy**

```bash
# Phase 1: Parallel Deployment
# 1. Deploy UDM-Pro alongside existing router
# 2. Configure VLANs and basic networking
# 3. Test connectivity and performance
# 4. Migrate non-critical devices first

# Phase 2: Service Migration
# 1. Update DHCP reservations
# 2. Migrate port forwarding rules
# 3. Update DNS settings
# 4. Test all services and external access

# Phase 3: Complete Cutover
# 1. Move WAN connection to UDM-Pro
# 2. Disable old router
# 3. Update all device configurations
# 4. Verify all services operational
```

### **Configuration Migration**

```bash
# Export current router configuration
# Document all settings:
- Static IP assignments
- Port forwarding rules
- WiFi networks and passwords
- DNS settings
- DDNS configuration
- VPN settings

# Import to UniFi:
# Most settings need manual recreation
# Use network discovery to identify devices
# Update homelab documentation with new IPs
```

---

## 🚀 Advanced Features

### **Software-Defined Perimeter**

```bash
# Zero Trust Network Access
# Navigate to: Settings → Security → Identity Enterprise

# Configure identity-based access:
- User authentication via LDAP/AD
- Device certificates
- Conditional access policies
- Application-level security
```

### **Network Segmentation Automation**

```bash
# Dynamic VLAN Assignment
# Based on device type, user, or certificate

# Rules examples:
Device Type: Security Camera → VLAN 40
Device Type: IoT Sensor → VLAN 20
User Group: Admin → VLAN 1
User Group: Guest → VLAN 30
Certificate: Homelab-Cert → VLAN 10
```

### **API Integration**

```bash
# UniFi Controller API
# For automation and custom integrations

# Generate API key:
# Settings → Admins → Create API Key
# Keep the key out of scripts and shell history (environment variable or
# secrets manager). The controller's certificate is self-signed by default,
# so pin it with --cacert rather than disabling verification with -k.
# Check which header your controller version expects: the documented
# UniFi Network API sends the key as X-API-KEY on /proxy/network/integration/v1/,
# while the legacy /api/s/<site>/ paths below normally use a login-session cookie.

# Example API calls:

# Get device status
curl "https://192.168.1.1:443/proxy/network/api/s/default/stat/device" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Update device configuration
curl -X PUT \
  "https://192.168.1.1:443/proxy/network/api/s/default/rest/device/DEVICE_ID" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Device Name"}'
```

---

## 📋 Deployment Checklist

### **Pre-Deployment**

```bash
☐ Plan VLAN structure and IP addressing
☐ Document current network configuration
☐ Order all Ubiquiti equipment
☐ Plan physical installation locations
☐ Prepare cable runs and power
☐ Create migration timeline
☐ Backup current router configuration
☐ Notify users of planned downtime
```

### **Installation Phase**

```bash
☐ Install UDM-Pro in rack/location
☐ Install and configure switch
☐ Install access points
☐ Configure basic networking
☐ Test internet connectivity
☐ Configure VLANs and firewall rules
☐ Test inter-VLAN communication
☐ Configure WiFi networks
☐ Test wireless connectivity
```

### **Migration Phase**

```bash
☐ Migrate DHCP reservations
☐ Update port forwarding rules
☐ Configure DDNS
☐ Test external access
☐ Migrate devices to new VLANs
☐ Update homelab service configurations
☐ Test all services and applications
☐ Update monitoring configurations
☐ Update documentation
☐ Decommission old equipment
```

---

## 🔗 Related Documentation

- [Network Architecture](networking.md) - Overall network design
- [Tailscale Setup Guide](tailscale-setup-guide.md) - VPN integration with enterprise networking
- [Laptop Travel Setup](laptop-travel-setup.md) - Remote access through enterprise network
- [Kubernetes Cluster Setup](kubernetes-cluster-setup.md) - Container orchestration on enterprise network
- [TP-Link Archer BE800 Setup](tplink-archer-be800-setup.md) - Consumer router alternative
- [Security Model](security.md) - Security architecture
- [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Network recovery procedures

---

**💡 Pro Tip**: Start with a basic UniFi setup and gradually add advanced features.
The UniFi ecosystem is powerful but complex - implement VLANs, security policies, and advanced features incrementally to avoid overwhelming complexity during initial deployment.
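---

The Inter-VLAN Rules section above lists the Home Assistant exception after the broad IoT drop; UniFi applies custom rules top to bottom with the first match winning, so in that order port 8123 would be silently dropped. The following added example (not UniFi's code and not part of the original guide) models the page's four rules, evaluates candidate flows against them, and flags Accept rules that an earlier Drop shadows; the only assumption is that first-match order.

```python
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT, HOMELAB = ip_network("192.168.1.0/24"), ip_network("192.168.10.0/24")
IOT, GUEST = ip_network("192.168.20.0/24"), ip_network("192.168.30.0/24")

# (name, action, sources, destinations, protocol, destination port),
# listed in the order the guide presents them
PAGE_RULES = [
    ("Homelab-to-Management", "accept", [HOMELAB], [MGMT], "all", None),
    ("Block-IoT-to-Internal", "drop", [IOT], [MGMT, HOMELAB], "all", None),
    ("IoT-to-HomeAssistant", "accept", [IOT], [ip_network("192.168.10.102/32")], "tcp", 8123),
    ("Block-Guest-Internal", "drop", [GUEST], RFC1918, "all", None),
]

# Same rules with the Home Assistant exception moved above the broad IoT drop
FIXED_RULES = [PAGE_RULES[2], PAGE_RULES[0], PAGE_RULES[1], PAGE_RULES[3]]


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Return (action, rule name) for the first matching rule, or
    ("default", None) when no custom rule matches and the gateway's
    predefined rules decide (first match wins, assumed as in UniFi's list)."""
    s, d = ip_address(src), ip_address(dst)
    for name, action, srcs, dsts, rproto, rport in rules:
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if rproto != "all" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action, name
    return "default", None


def shadowed_rules(rules):
    """Accept rules that can never fire because an earlier Drop already covers
    a representative flow (first usable host of the source, target host/port)."""
    shadowed = []
    for i, (name, action, srcs, dsts, proto, dport) in enumerate(rules):
        if action != "accept":
            continue
        src, dst = srcs[0].network_address + 1, dsts[0].network_address
        if dsts[0].prefixlen < 32:
            dst += 1  # avoid the network address for non-host destinations
        hit = evaluate(rules[:i], str(src), str(dst), "tcp" if proto == "all" else proto, dport)
        if hit[0] == "drop":
            shadowed.append(name)
    return shadowed
```

Running `shadowed_rules(PAGE_RULES)` names the misordered Home Assistant rule, and the same check passes once the rule is moved up.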
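---

Both Drop rules in the Inter-VLAN Rules section have Logging enabled, so the gateway writes each blocked packet to syslog in iptables style (rule tag in brackets, then IN/OUT/SRC/DST/PROTO/DPT fields). This added example (not part of the original guide) parses such lines, counts drops per rule and flow, and lists sources that probed several internal services; the sample lines are constructed to match the page's rule names and addresses, not captured from a real UDM-Pro.

```python
import re
from collections import Counter, defaultdict

# iptables-style kernel log as forwarded to syslog; the bracketed tag is the
# rule name plus action suffix (constructed here as "<rule>-D" for Drop)
LOG_RE = re.compile(
    r"\[(?P<rule>[^\]]+)\].*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)(?:.*? DPT=(?P<dport>\d+))?")

# Constructed sample: one IoT device probing management and homelab hosts,
# another hitting the shadowed Home Assistant port, and a guest pinging Atlantis
SAMPLE_LOG = """\
Jan 12 10:01:02 UDM-Pro kernel: [Block-IoT-to-Internal-D]IN=br20 OUT=br1 SRC=192.168.20.105 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51022 DPT=22
Jan 12 10:01:03 UDM-Pro kernel: [Block-IoT-to-Internal-D]IN=br20 OUT=br10 SRC=192.168.20.105 DST=192.168.10.100 LEN=60 PROTO=TCP SPT=51023 DPT=445
Jan 12 10:01:04 UDM-Pro kernel: [Block-IoT-to-Internal-D]IN=br20 OUT=br10 SRC=192.168.20.105 DST=192.168.10.100 LEN=60 PROTO=TCP SPT=51024 DPT=22
Jan 12 10:01:05 UDM-Pro kernel: [Block-IoT-to-Internal-D]IN=br20 OUT=br1 SRC=192.168.20.105 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51025 DPT=22
Jan 12 10:02:10 UDM-Pro kernel: [Block-IoT-to-Internal-D]IN=br20 OUT=br10 SRC=192.168.20.33 DST=192.168.10.102 LEN=60 PROTO=TCP SPT=40001 DPT=8123
Jan 12 10:03:00 UDM-Pro kernel: [Block-Guest-Internal-D]IN=br30 OUT=br10 SRC=192.168.30.7 DST=192.168.10.100 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_drop(line):
    """Extract rule, endpoints and protocol from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"rule": m["rule"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"]) if m["dport"] else None}


def summarize(log_text):
    """Count drops per (rule, src, dst, proto, dport) flow."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_drop(line)
        if e:
            counts[(e["rule"], e["src"], e["dst"], e["proto"], e["dport"])] += 1
    return counts


def scanning_sources(counts, min_targets=3):
    """Sources that touched >= min_targets distinct dst:port pairs. One device
    probing several internal services deserves a look; a single destination
    hit repeatedly is usually a misconfigured client or a shadowed Accept."""
    targets = defaultdict(set)
    for (_, src, dst, _, dport) in counts:
        targets[src].add((dst, dport))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)
```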