homelab-optimized/docs/infrastructure/ubiquiti-enterprise-setup.md
Gitea Mirror Bot 145606fe4a
Sanitized mirror from private repository - 2026-04-08 09:36:44 UTC
2026-04-08 09:36:44 +00:00


# 🏢 Ubiquiti Enterprise Network Setup Guide
**🔴 Advanced Guide**
This guide covers deploying a complete Ubiquiti enterprise networking solution for your homelab, including Dream Machine, managed switches, access points, and advanced network segmentation.
## 🎯 Ubiquiti Enterprise Architecture
### **Complete Ubiquiti Stack**
- **🌐 Dream Machine Pro/SE** - Gateway, controller, and security appliance
- **🔌 UniFi Switch Pro 48** - 48-port managed switch with PoE++
- **📡 UniFi Access Points** - WiFi 6E/7 coverage throughout property
- **📹 UniFi Protect** - Integrated video surveillance
- **📞 UniFi Talk** - VoIP phone system
- **🚪 UniFi Access** - Door access control
### **Network Segmentation Strategy**
```bash
# VLAN Design for Homelab
VLAN 1 - Management (192.168.1.0/24) # UniFi devices, infrastructure
VLAN 10 - Homelab (192.168.10.0/24) # Servers, NAS, compute
VLAN 20 - IoT (192.168.20.0/24) # Smart home devices
VLAN 30 - Guest (192.168.30.0/24) # Guest network, isolated
VLAN 40 - Security (192.168.40.0/24) # Cameras, access control
VLAN 50 - DMZ (192.168.50.0/24) # Public-facing services
VLAN 100 - Trunk (All VLANs) # Inter-VLAN routing
```
---
## 🌐 Dream Machine Pro/SE Setup
### **Initial Configuration**
#### **Physical Setup**
```bash
# 1. Connect modem to WAN port (port 11 on UDM-Pro)
# 2. Connect computer to LAN port (port 1-8)
# 3. Power on and wait for LED to turn white (5-10 minutes)
# 4. Access setup at: https://192.168.1.1
```
#### **UniFi OS Setup**
```bash
# Initial setup wizard:
# 1. Create UniFi account or sign in
# 2. Set device name: "Homelab-UDM-Pro"
# 3. Configure WiFi (temporary - will be replaced by APs)
# 4. Set admin password (save to password manager)
# 5. Enable automatic updates
# 6. Complete setup and access UniFi Network
```
### **Network Configuration**
#### **WAN Configuration**
```bash
# Navigate to: Settings → Internet
# WAN Settings:
Connection Type: DHCP (or Static/PPPoE based on ISP)
VLAN ID: [Leave blank unless ISP requires]
DNS Servers: 1.1.1.1, 8.8.8.8 (or custom)
IPv6: Enable if supported by ISP
# Advanced WAN Settings:
Load Balancing: Disabled (single WAN)
Smart Queues: Enable for QoS
Bandwidth Limits: Set to 90% of actual speeds
```
#### **LAN Configuration**
```bash
# Navigate to: Settings → Networks
# Default LAN Network:
Name: Management
VLAN ID: 1
Gateway/Subnet: 192.168.1.1/24
DHCP Range: 192.168.1.100-192.168.1.200
DHCP Lease Time: 86400 seconds (24 hours)
DNS Servers: 192.168.1.1 (UDM) or Pi-hole IP
Domain Name: vish.local
```
### **VLAN Configuration**
#### **Create VLANs**
```bash
# Navigate to: Settings → Networks → Create New Network
# Homelab VLAN
Name: Homelab
VLAN ID: 10
Gateway/Subnet: 192.168.10.1/24
DHCP Range: 192.168.10.100-192.168.10.200
Purpose: Corporate
IGMP Snooping: Enable
Multicast DNS: Enable
# IoT VLAN
Name: IoT
VLAN ID: 20
Gateway/Subnet: 192.168.20.1/24
DHCP Range: 192.168.20.100-192.168.20.200
Purpose: IoT
Block LAN Access: Enable
Internet Access: Enable
# Guest VLAN
Name: Guest
VLAN ID: 30
Gateway/Subnet: 192.168.30.1/24
DHCP Range: 192.168.30.100-192.168.30.200
Purpose: Guest
Guest Policy: Apply guest policies
Bandwidth Limit: 50 Mbps down, 10 Mbps up
# Security VLAN
Name: Security
VLAN ID: 40
Gateway/Subnet: 192.168.40.1/24
DHCP Range: 192.168.40.100-192.168.40.200
Purpose: Security
IGMP Snooping: Enable
# DMZ VLAN
Name: DMZ
VLAN ID: 50
Gateway/Subnet: 192.168.50.1/24
DHCP Range: 192.168.50.100-192.168.50.200
Purpose: Corporate
```
### **Firewall Rules**
#### **Inter-VLAN Rules**
```bash
# Navigate to: Settings → Security → Traffic & Firewall Rules
# Allow Homelab to Management
Name: Homelab-to-Management
Rule Applied: Before Predefined Rules
Action: Accept
Source: Homelab Network (192.168.10.0/24)
Destination: Management Network (192.168.1.0/24)
Protocol: All
# Block IoT to other VLANs
Name: Block-IoT-to-Internal
Rule Applied: Before Predefined Rules
Action: Drop
Source: IoT Network (192.168.20.0/24)
Destination: Management, Homelab Networks
Protocol: All
Logging: Enable
# Allow specific IoT to Homelab (for Home Assistant)
Name: IoT-to-HomeAssistant
Rule Applied: Before Predefined Rules
Action: Accept
Source: IoT Network (192.168.20.0/24)
Destination: 192.168.10.102 (Home Assistant)
Port: 8123
Protocol: TCP
# Block Guest from all internal networks
Name: Block-Guest-Internal
Rule Applied: Before Predefined Rules
Action: Drop
Source: Guest Network (192.168.30.0/24)
Destination: RFC1918 Networks
Protocol: All
Logging: Enable
```
#### **Port Forwarding**
```bash
# Navigate to: Settings → Security → Internet Security → Port Forwarding
# WireGuard VPN
Name: WireGuard-Atlantis
From: WAN
Port: 51820
Forward IP: 192.168.10.100 (Atlantis)
Forward Port: 51820
Protocol: UDP
Logging: Enable
# HTTPS Services
Name: HTTPS-Proxy
From: WAN
Port: 443
Forward IP: 192.168.10.100 (Atlantis)
Forward Port: 8766
Protocol: TCP
Logging: Enable
# SSH Access (Non-standard port for security)
# A non-default port only reduces scanner noise; pair it with key-only authentication and a source-IP restriction on the rule
Name: SSH-Management
From: WAN
Port: 2222
Forward IP: 192.168.1.100 (Management host)
Forward Port: 22
Protocol: TCP
Logging: Enable
```
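The inter-VLAN rules and port forwards above are entered in the UniFi GUI, so nothing on the page checks them for ordering mistakes or unintended exposure. The following is an added example, not UniFi code: it models the guide's VLAN plan, its four firewall rules and its three port forwards in plain Python and evaluates sample flows with first-match semantics. The first-match evaluation and the permissive fall-through to the predefined rules are assumptions of the model, as is the `udp`/`tcp` naming; the addresses and rule names are the guide's own. Note what the first test shows: with the rules in the order the guide lists them, the broad `Block-IoT-to-Internal` drop sits above the specific `IoT-to-HomeAssistant` allow, so Home Assistant traffic from the IoT VLAN is dropped; the `RULES_REORDERED` list moves the allow above the drop.

```python
"""Offline model of the VLAN plan, inter-VLAN firewall rules and port
forwards from this guide. Added example, not UniFi code. Assumptions:
rules placed "Before Predefined Rules" are evaluated top-down with the
first match winning, and traffic matched by no rule falls through to the
predefined rules, modelled here as accept."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NETWORKS = {  # VLAN plan from the guide
    "Management": ipaddress.ip_network("192.168.1.0/24"),
    "Homelab": ipaddress.ip_network("192.168.10.0/24"),
    "IoT": ipaddress.ip_network("192.168.20.0/24"),
    "Guest": ipaddress.ip_network("192.168.30.0/24"),
    "Security": ipaddress.ip_network("192.168.40.0/24"),
    "DMZ": ipaddress.ip_network("192.168.50.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def nets(*names):
    return [NETWORKS[n] for n in names]


def vlan_of(ip):
    """Name of the VLAN a host address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), "unknown")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    src: list                   # list of ip_network
    dst: list
    proto: str = "all"          # "all", "tcp" or "udp"
    port: Optional[int] = None  # destination port, None = any

    def matches(self, src_ip, dst_ip, proto, port):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and self.proto in ("all", proto)
                and self.port in (None, port))


def evaluate(rules, src_ip, dst_ip, proto="tcp", port=None):
    """First matching rule wins; unmatched traffic falls through to the
    predefined rules, modelled as accept (assumption)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return "accept", "predefined-default"


# Rules exactly in the order the guide lists them.
RULES_AS_LISTED = [
    Rule("Homelab-to-Management", "accept", nets("Homelab"), nets("Management")),
    Rule("Block-IoT-to-Internal", "drop", nets("IoT"), nets("Management", "Homelab")),
    Rule("IoT-to-HomeAssistant", "accept", nets("IoT"),
         [ipaddress.ip_network("192.168.10.102/32")], "tcp", 8123),
    Rule("Block-Guest-Internal", "drop", nets("Guest"), RFC1918),
]

# Same rules with the specific allow moved above the broad drop.
RULES_REORDERED = [RULES_AS_LISTED[0], RULES_AS_LISTED[2], RULES_AS_LISTED[1], RULES_AS_LISTED[3]]

# Port forwards from the guide: (name, proto, WAN port, target IP, target port).
PORT_FORWARDS = [
    ("WireGuard-Atlantis", "udp", 51820, "192.168.10.100", 51820),
    ("HTTPS-Proxy", "tcp", 443, "192.168.10.100", 8766),
    ("SSH-Management", "tcp", 2222, "192.168.1.100", 22),
]


def audit_port_forwards(forwards, allowed_vlans=("DMZ",)):
    """Flag forwards whose target sits outside the VLANs meant to face the
    internet. Returns one finding string per offending forward."""
    findings = []
    for name, proto, wan_port, ip, fwd_port in forwards:
        vlan = vlan_of(ip)
        if vlan not in allowed_vlans:
            findings.append(f"{name}: WAN {proto}/{wan_port} -> {vlan} VLAN ({ip}:{fwd_port})")
    return findings


if __name__ == "__main__":
    ha_flow = ("192.168.20.50", "192.168.10.102", "tcp", 8123)
    print("as listed :", evaluate(RULES_AS_LISTED, *ha_flow))
    print("reordered :", evaluate(RULES_REORDERED, *ha_flow))
    for finding in audit_port_forwards(PORT_FORWARDS):
        print("finding   :", finding)
```

The audit's default of "DMZ only" is deliberately strict because the guide defines the DMZ VLAN for public-facing services yet forwards WAN ports into the Homelab and Management VLANs; passing `("DMZ", "Homelab")` narrows the findings to the SSH forward into the Management VLAN, which is the one a reviewer would most want to discuss.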
---
## 🔌 UniFi Switch Pro 48 Configuration
### **Physical Installation**
```bash
# 1. Mount in rack (1U height)
# 2. Connect power (PoE++ requires both power inputs)
# 3. Connect uplink to UDM-Pro (SFP+ for 10Gbps)
# 4. Wait for adoption in UniFi Network controller
```
### **Switch Configuration**
#### **Port Profiles**
```bash
# Navigate to: UniFi Devices → Switch → Ports
# Management Ports (1-8)
Profile: Management
VLAN: 1 (Management)
PoE: Auto (for UniFi APs)
Storm Control: Enable
Port Isolation: Disable
# Homelab Servers (9-24)
Profile: Homelab
VLAN: 10 (Homelab)
PoE: Auto
Link Aggregation: Available for NAS
Storm Control: Enable
# IoT Devices (25-32)
Profile: IoT
VLAN: 20 (IoT)
PoE: Auto
Storm Control: Enable
Port Isolation: Enable
# Security Cameras (33-40)
Profile: Security
VLAN: 40 (Security)
PoE: 802.3bt (PoE++)
Storm Control: Enable
# DMZ Services (41-44)
Profile: DMZ
VLAN: 50 (DMZ)
PoE: Disabled
Storm Control: Enable
# Uplinks (45-48 + SFP+)
Profile: Trunk
VLANs: All (Tagged)
Link Aggregation: Available
```
#### **Link Aggregation (LACP)**
```bash
# For high-bandwidth devices (NAS, servers)
# Navigate to: UniFi Devices → Switch → Settings → Link Aggregation
# Atlantis NAS (Primary)
Name: Atlantis-LAG
Ports: 9, 10
Mode: LACP (802.3ad)
Profile: Homelab
# Calypso NAS (Media)
Name: Calypso-LAG
Ports: 11, 12
Mode: LACP (802.3ad)
Profile: Homelab
# Uplink to UDM-Pro
Name: Uplink-LAG
Ports: SFP+ 1, SFP+ 2
Mode: LACP (802.3ad)
Profile: Trunk
```
### **Advanced Switch Features**
#### **Storm Control**
```bash
# Navigate to: Settings → System → Advanced Features
# Enable storm control globally
Broadcast Storm Control: 10% of port bandwidth
Multicast Storm Control: 10% of port bandwidth
Unknown Unicast Storm Control: 10% of port bandwidth
```
#### **Spanning Tree Protocol**
```bash
# STP Configuration
STP Mode: RSTP (Rapid Spanning Tree)
Priority: 32768 (default)
Forward Delay: 15 seconds
Max Age: 20 seconds
```
#### **IGMP Snooping**
```bash
# For multicast optimization (Plex, IPTV)
IGMP Snooping: Enable
IGMP Querier: Enable
Fast Leave: Enable
```
---
## 📡 UniFi Access Points Configuration
### **Access Point Deployment**
#### **Recommended APs for Homelab**
```bash
# UniFi Access Point WiFi 7 Pro
- WiFi 7 (802.11be)
- 6 GHz support
- 2.5 Gbps uplink
- PoE+ powered
- Coverage: ~2,500 sq ft
# UniFi Access Point WiFi 6 Long Range
- WiFi 6 (802.11ax)
- Extended range
- 1 Gbps uplink
- PoE powered
- Coverage: ~3,000 sq ft
# UniFi Access Point WiFi 6 In-Wall
- In-wall installation
- Built-in switch ports
- PoE powered
- Coverage: ~1,500 sq ft
```
#### **AP Placement Strategy**
```bash
# Coverage Planning:
# 1. Central locations for maximum coverage
# 2. Avoid interference sources (microwaves, baby monitors)
# 3. Consider building materials (concrete, metal)
# 4. Plan for both 2.4 GHz and 5/6 GHz coverage
# 5. Use UniFi WiFiman app for site survey
# Recommended placement:
Main Floor: 1x WiFi 7 Pro (central)
Upper Floor: 1x WiFi 6 LR (central)
Basement/Lab: 1x WiFi 6 Pro (near servers)
Office: 1x WiFi 6 In-Wall (desk area)
Outdoor: 1x WiFi 6 Mesh (if needed)
```
### **WiFi Network Configuration**
#### **Create WiFi Networks**
```bash
# Navigate to: Settings → WiFi
# Main Network (Management + Homelab)
Name: YourNetwork
Password: [REDACTED_PASSWORD - store in password manager]
Security: WPA3 Only
VLAN: 1 (Management)
Band: 2.4/5/6 GHz
Channel Width: 160 MHz (5 GHz), 320 MHz (6 GHz)
Transmit Power: Auto
Fast Roaming: Enable
BSS Transition: Enable
UAPSD: Enable
# IoT Network
Name: YourNetwork_IoT
Password: [REDACTED_PASSWORD]
Security: WPA2/WPA3
VLAN: 20 (IoT)
Band: 2.4/5 GHz (many IoT devices don't support 6 GHz)
Channel Width: 80 MHz
Client Isolation: Enable
Block LAN Access: Enable
# Guest Network
Name: YourNetwork_Guest
Password: [REDACTED_PASSWORD, or open with captive portal]
Security: WPA2/WPA3
VLAN: 30 (Guest)
Band: 2.4/5 GHz
Bandwidth Limit: 50 Mbps
Time Limit: 8 hours
Guest Policy: Apply restrictions
```
#### **Advanced WiFi Settings**
```bash
# Navigate to: Settings → WiFi → Advanced
# Band Steering
2.4 GHz: Enable
5 GHz: Enable
6 GHz: Enable (WiFi 7 APs)
Prefer 5 GHz: Enable
Prefer 6 GHz: Enable
# Airtime Fairness
Enable: Yes (prevents slow devices from degrading performance)
# Multicast Enhancement
Enable: Yes (improves streaming performance)
# Fast Roaming
802.11r: Enable
802.11k: Enable
802.11v: Enable
# WiFi 6/7 Features
OFDMA: Enable
MU-MIMO: Enable
BSS Coloring: Enable (WiFi 6/7)
Target Wake Time: Enable
```
---
## 📹 UniFi Protect Integration
### **UniFi Protect Setup**
#### **Camera Deployment**
```bash
# Recommended cameras for homelab security:
# UniFi Protect G5 Pro
- 4K resolution
- PoE++ powered
- Night vision
- Smart detection
- Weatherproof
# UniFi Protect G4 Doorbell Pro
- 2K resolution
- Two-way audio
- Package detection
- PoE+ powered
# UniFi Protect G4 Bullet
- 4K resolution
- PoE+ powered
- Infrared night vision
- Vandal resistant
```
#### **Storage Configuration**
```bash
# Navigate to: UniFi Protect → Settings → Storage
# Local Storage (UDM-Pro)
Primary Storage: Internal HDD (3.5" bay)
Capacity: 8TB+ recommended
Retention: 30 days for 4K, 60 days for 1080p
# Network Storage (Optional)
Secondary Storage: NAS (Atlantis/Calypso)
Path: /volume1/surveillance
Retention: 90+ days
Backup: Enable automatic backup
```
#### **Detection Settings**
```bash
# Smart Detection Configuration
Person Detection: Enable
Vehicle Detection: Enable
Package Detection: Enable (doorbell)
Animal Detection: Enable
Motion Zones: Configure per camera
Privacy Zones: Configure as needed
# Notifications
Push Notifications: Enable for critical cameras
Email Alerts: Configure for security events
Webhook Integration: Home Assistant integration
```
---
## 🔒 Advanced Security Configuration
### **Threat Management**
```bash
# Navigate to: Settings → Security → Threat Management
# IDS/IPS
Intrusion Detection: Enable
Intrusion Prevention: Enable
Malware Blocking: Enable
Ad Blocking: Enable (or use Pi-hole)
Country Blocking: Configure as needed
# DPI (Deep Packet Inspection)
Application Identification: Enable
Traffic Analysis: Enable
Bandwidth Monitoring: Enable
```
### **VPN Server**
```bash
# Navigate to: Settings → VPN
# Site-to-Site VPN (for remote locations)
VPN Type: L2TP
Pre-shared Key: [Generate strong key]
User Authentication: Local users
DNS Servers: 192.168.1.1
# Remote Access VPN
VPN Type: L2TP or WireGuard
Network: 192.168.100.0/24 (VPN client pool)
DNS: Push homelab DNS servers
Routes: Push homelab networks
```
### **Network Access Control**
```bash
# Navigate to: Settings → Security → Network Access Control
# Device Authentication
802.1X: Enable for enterprise devices
MAC Authentication: Enable for IoT devices
Guest Portal: Enable for guest network
RADIUS Server: Configure if using external auth
# Device Fingerprinting
Device Classification: Enable
Automatic VLAN Assignment: Configure rules
Quarantine VLAN: 192.168.99.0/24
```
---
## 📊 Monitoring and Management
### **UniFi Network Monitoring**
```bash
# Navigate to: Insights → Overview
# Key Metrics to Monitor:
- Bandwidth utilization per VLAN
- Client count and distribution
- AP performance and coverage
- Switch port utilization
- Security events and threats
- Device health and uptime
# Alerts Configuration:
- High bandwidth usage (>80%)
- Device offline alerts
- Security threat detection
- Failed authentication attempts
- Hardware health issues
```
### **Integration with Homelab Monitoring**
```bash
# SNMP Configuration for Prometheus
# Navigate to: Settings → System → Advanced
SNMP: Enable
Community: homelab-monitoring   # SNMPv2c sends the community in cleartext: only poll from the Management VLAN
Contact: admin@vish.local
Location: Home Lab
# Add to Prometheus configuration (/etc/prometheus/prometheus.yml).
# Prometheus cannot speak SNMP itself: the job scrapes snmp_exporter, which polls
# the device passed in the "target" parameter. The exporter address
# (snmp-exporter:9116) is an assumption; the module name must exist in the
# exporter's snmp.yml.
- job_name: 'unifi'
  metrics_path: /snmp
  params:
    module: [unifi]
  static_configs:
    - targets: ['192.168.1.1', '192.168.1.10']  # UDM-Pro, Switch
  relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [__param_target]
      target_label: instance
    - target_label: __address__
      replacement: snmp-exporter:9116
```
### **Grafana Dashboard**
```bash
# Import UniFi dashboards:
# Dashboard ID: 11314 (UniFi Poller)
# Dashboard ID: 11315 (UniFi Network Sites)
# Custom metrics to track:
- Per-VLAN bandwidth usage
- WiFi client distribution
- Security event frequency
- Device uptime statistics
- PoE power consumption
```
---
## 🔧 Migration from Consumer Router
### **Migration Strategy**
```bash
# Phase 1: Parallel Deployment
# 1. Deploy UDM-Pro alongside existing router
# 2. Configure VLANs and basic networking
# 3. Test connectivity and performance
# 4. Migrate non-critical devices first
# Phase 2: Service Migration
# 1. Update DHCP reservations
# 2. Migrate port forwarding rules
# 3. Update DNS settings
# 4. Test all services and external access
# Phase 3: Complete Cutover
# 1. Move WAN connection to UDM-Pro
# 2. Disable old router
# 3. Update all device configurations
# 4. Verify all services operational
```
### **Configuration Migration**
```bash
# Export current router configuration
# Document all settings:
- Static IP assignments
- Port forwarding rules
- WiFi networks and passwords
- DNS settings
- DDNS configuration
- VPN settings
# Import to UniFi:
# Most settings need manual recreation
# Use network discovery to identify devices
# Update homelab documentation with new IPs
```
---
## 🚀 Advanced Features
### **Software-Defined Perimeter**
```bash
# Zero Trust Network Access
# Navigate to: Settings → Security → Identity Enterprise
# Configure identity-based access:
- User authentication via LDAP/AD
- Device certificates
- Conditional access policies
- Application-level security
```
### **Network Segmentation Automation**
```bash
# Dynamic VLAN Assignment
# Based on device type, user, or certificate
# Rules examples:
Device Type: Security Camera → VLAN 40
Device Type: IoT Sensor → VLAN 20
User Group: Admin → VLAN 1
User Group: Guest → VLAN 30
Certificate: Homelab-Cert → VLAN 10
```
### **API Integration**
```bash
# UniFi Controller API
# For automation and custom integrations
# Generate API key:
# Settings → Admins → Create API Key
# Example API calls. The UDM serves a self-signed certificate by default;
# pass its exported certificate with --cacert (udm-pro.crt is a placeholder
# file name) rather than disabling verification with -k. Check the UniFi API
# documentation for the header your controller version expects.
# Get device status
curl -X GET "https://192.168.1.1:443/proxy/network/api/s/default/stat/device" \
  --cacert udm-pro.crt \
  -H "Authorization: Bearer YOUR_API_KEY"
# Update device configuration
curl -X PUT "https://192.168.1.1:443/proxy/network/api/s/default/rest/device/DEVICE_ID" \
  --cacert udm-pro.crt \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "New Device Name"}'
```
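The curl calls above show the request but not what to do with the response. The following is an added example, not UniFi's code or client library: it fetches the device list with the same endpoint and API key, verifying the controller's TLS certificate instead of disabling verification, and then reviews the devices for the conditions an operator would act on (offline, firmware update pending, infrastructure device outside the Management VLAN). The JSON shape (`meta.rc`, `data[]` with `name`, `ip`, `state`, `version`, `upgradable`) and the meaning of `state` are assumptions to verify against your controller; the sample response is constructed, not captured from a real device.

```python
"""Fetch and review UniFi device status. Added example, not UniFi code.
Field names and state values are assumptions (see comments); the sample
response below is constructed for offline use."""
import ipaddress
import json
import ssl
import urllib.request

MANAGEMENT_VLAN = ipaddress.ip_network("192.168.1.0/24")  # from the guide's VLAN plan
STATE_CONNECTED = 1  # assumption: 1 = connected, 0 = disconnected

# Constructed sample resembling a /stat/device response (not real controller output).
SAMPLE_RESPONSE = json.dumps({
    "meta": {"rc": "ok"},
    "data": [
        {"name": "Homelab-UDM-Pro", "ip": "192.168.1.1", "type": "udm",
         "state": 1, "version": "4.0.6", "upgradable": False},
        {"name": "USW-Pro-48", "ip": "192.168.1.10", "type": "usw",
         "state": 1, "version": "7.0.50", "upgradable": True},
        {"name": "AP-Basement", "ip": "192.168.1.23", "type": "uap",
         "state": 0, "version": "6.6.55", "upgradable": False},
    ],
})


def fetch_devices(controller, api_key, cacert, site="default"):
    """GET the device list over TLS, trusting only the certificate exported
    from the controller (cacert path). Returns the raw JSON text."""
    url = f"https://{controller}/proxy/network/api/s/{site}/stat/device"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    ctx = ssl.create_default_context(cafile=cacert)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def parse_devices(raw):
    """Validate the envelope and return the device records."""
    payload = json.loads(raw)
    if payload.get("meta", {}).get("rc") != "ok":
        raise RuntimeError(f"controller returned {payload.get('meta')}")
    return payload["data"]


def review(devices):
    """Sort devices into the buckets an operator acts on."""
    report = {"offline": [], "upgradable": [], "off_mgmt_vlan": []}
    for dev in devices:
        name = dev.get("name", dev.get("mac", "?"))
        if dev.get("state") != STATE_CONNECTED:
            report["offline"].append(name)
        if dev.get("upgradable"):
            report["upgradable"].append(name)
        # Infrastructure belongs on the Management VLAN per the guide's design.
        if ipaddress.ip_address(dev["ip"]) not in MANAGEMENT_VLAN:
            report["off_mgmt_vlan"].append(name)
    return report


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_devices(...)
    # with your controller address, API key and exported certificate.
    print(json.dumps(review(parse_devices(SAMPLE_RESPONSE)), indent=2))
```

Running this on a schedule and alerting on a non-empty `offline` or `off_mgmt_vlan` list is a cheap complement to the SNMP-based monitoring described earlier, and it never needs the API key to leave the Management VLAN.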
---
## 📋 Deployment Checklist
### **Pre-Deployment**
```bash
☐ Plan VLAN structure and IP addressing
☐ Document current network configuration
☐ Order all Ubiquiti equipment
☐ Plan physical installation locations
☐ Prepare cable runs and power
☐ Create migration timeline
☐ Backup current router configuration
☐ Notify users of planned downtime
```
### **Installation Phase**
```bash
☐ Install UDM-Pro in rack/location
☐ Install and configure switch
☐ Install access points
☐ Configure basic networking
☐ Test internet connectivity
☐ Configure VLANs and firewall rules
☐ Test inter-VLAN communication
☐ Configure WiFi networks
☐ Test wireless connectivity
```
### **Migration Phase**
```bash
☐ Migrate DHCP reservations
☐ Update port forwarding rules
☐ Configure DDNS
☐ Test external access
☐ Migrate devices to new VLANs
☐ Update homelab service configurations
☐ Test all services and applications
☐ Update monitoring configurations
☐ Update documentation
☐ Decommission old equipment
```
---
## 🔗 Related Documentation
- [Network Architecture](networking.md) - Overall network design
- [Tailscale Setup Guide](tailscale-setup-guide.md) - VPN integration with enterprise networking
- [Laptop Travel Setup](laptop-travel-setup.md) - Remote access through enterprise network
- [Kubernetes Cluster Setup](kubernetes-cluster-setup.md) - Container orchestration on enterprise network
- [TP-Link Archer BE800 Setup](tplink-archer-be800-setup.md) - Consumer router alternative
- [Security Model](security.md) - Security architecture
- [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Network recovery procedures
---
**💡 Pro Tip**: Start with a basic UniFi setup and gradually add advanced features. The UniFi ecosystem is powerful but complex - implement VLANs, security policies, and advanced features incrementally to avoid overwhelming complexity during initial deployment.