Router Installation

Posted on 5 2026

The source material this series draws on covers a pfSense-based router build. This network runs Ubiquiti UniFi hardware at all three sites. The router section covers the UniFi setup rather than pfSense.

The primary router at Burnage Mad House is the UniFi Dream Machine SE (UDM-SE), sometimes still referred to by its original name, the Dream Machine Pro SE. It is a 1U rack-mounted appliance that combines a security gateway, an 8-port PoE switch, a UniFi Network controller, a UniFi Protect NVR, and 128GB of integrated storage into a single device. For a homelab or small office with a rack, it is a clean solution that eliminates a dedicated controller machine.

Vernal and Estival run smaller UniFi gateways. Their configuration follows the same principles covered here, adjusted for the hardware at each site.

Hardware overview

The UDM-SE features dual-WAN connectivity with a 10G SFP+ port and a 2.5GbE RJ45 port, a Gigabit PoE switch, and a network video recorder with 128GB of internal storage.

| Component | Specification |
|---|---|
| Processor | Quad-core ARM Cortex-A57 at 1.7 GHz |
| System memory | 4 GB DDR4 |
| WAN ports | 1x 10G SFP+, 1x 2.5GbE RJ45 |
| LAN ports | 8x Gigabit RJ45 (6x PoE 802.3af, 2x PoE+ 802.3at), 1x 10G SFP+ |
| Storage | 16GB eMMC + 128GB SSD + 1x 3.5" HDD bay |
| IPS throughput | 3.5 Gbps |
| Max power | 50W (excluding PoE output) |
| Form factor | 1U rack mount |

The integrated 128GB SSD runs the UniFi OS and Network controller. The 3.5" HDD bay is for UniFi Protect camera recording storage, which is optional for this setup since Protect is not a primary focus.

Physical installation

Mount the UDM-SE in the homelab rack. It is a standard 1U depth device and ships with rack ears. Connect:

  • WAN: ISP modem or ONT to the 2.5GbE RJ45 WAN port (or the 10G SFP+ if the ISP provides a fibre handoff with SFP+ connectivity)
  • LAN: Upstream switch or directly to devices on the 8x Gigabit LAN ports
  • Power: The included power adapter, or a rack-mounted PDU

Connect the management port (one of the LAN ports) to a laptop or desktop for initial setup. The device is accessible at 192.168.1.1 before configuration.

Initial setup

Option 1: Mobile app

The UDM-SE includes a Bluetooth radio for initial discovery via the UniFi mobile app.

  1. Download the UniFi Network app on your phone (iOS or Android)
  2. Power on the UDM-SE and wait for the LED to pulse white
  3. Open the app and tap Add Device, or let it discover the UDM-SE automatically via Bluetooth
  4. Follow the setup wizard: create or sign in with a Ubiquiti account, name the device, set the admin password
  5. The wizard walks through basic WAN configuration and WiFi setup

Option 2: Browser

If the phone app is not available, connect a laptop directly to any LAN port and navigate to:

https://192.168.1.1

Accept the self-signed certificate warning (you will replace this later with your internal CA certificate). Follow the setup wizard in the browser.

Ubiquiti account

The setup wizard requires a Ubiquiti account. This is used for remote access via UniFi Site Manager, cloud backup of configuration, and firmware update notifications. It is not required for local operation once the device is configured, but setting it up during initial configuration is the path of least resistance.

Post-installation configuration

After the initial wizard, the network is operational with defaults. The following sections configure it for this network design.

Update firmware

Before configuring anything else, update to the latest firmware. Go to UniFi OS > System > Updates. Apply any available updates to UniFi OS and the Network application. Reboot when prompted.

Network application settings

Open the Network application from the UniFi OS portal. Navigate to Settings > System.

Country: Set to United Kingdom. This affects regulatory settings including WiFi channel availability and power limits.

Timezone: Europe/London.

Automatic updates: Enable. UniFi firmware updates are generally well-tested and staying current is important for security.

SSH: Enable under Settings > System > Advanced > SSH. Set a strong password and add your desktop’s public SSH key. Store the SSH password in KeePassXC.

Configuration backup: Enable automatic backups. The backup file goes to the integrated SSD. Set up remote backup to the NAS once it is available.

WAN configuration

Settings > Internet.

Configure the WAN connection type to match the ISP:

  • DHCP: Most home ISPs. Select DHCP and the UDM-SE gets an address automatically.
  • PPPoE: Some DSL and fibre ISPs. Enter the PPPoE credentials from the ISP.
  • Static: If the ISP provides a static IP. Enter the address, gateway, and DNS manually.

For dual WAN using both the SFP+ and 2.5GbE ports (if a second ISP or LTE failover is available), configure the failover or load balancing under Settings > Internet > WAN Networks.

DNS configuration

Settings > Networks > Default Network > Advanced.

Set the DNS server to your internal DNS resolver for devices on the LAN. Once the server and Unbound are running:

  • DNS Server 1: 10.1.0.1 (your internal resolver)
  • DNS Server 2: 10.1.0.2 (backup if running a secondary)

For the WAN DNS (what the UDM-SE itself uses for its own resolution), use a reliable public resolver until the internal DNS is running:

1.1.1.1
9.9.9.9

Update to the internal resolver once the server section is complete.

VLAN configuration

Settings > Networks > Add Network.

Create a network for each VLAN in the network design. For Burnage Mad House (Prevernal), the named VLANs from the network design are:

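| Name | VLAN ID | Subnet |
|---|---|---|
| Core | 14 | 10.1.0.0/24 |
| Fury | 15 | 10.1.10.0/24 |
| Apex | 16 | 10.1.20.0/24 |
| Collision | 17 | 10.1.30.0/24 |
| Skyforth | 18 | 10.1.40.0/24 |
| Twilight | 19 | 10.1.50.0/24 |
| Flow | 20 | 10.1.60.0/24 |
| Earth | 21 | 10.1.70.0/24 |
| Glide | 22 | 10.1.80.0/24 |
| Visitor | 23 | 10.1.90.0/24 |
| Testnet | 25 | 10.1.200.0/24 |
| Divided | 26 | 192.168.1.0/24 |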

For each network:

  • Set the VLAN ID
  • Set the subnet and gateway address (e.g. 10.1.0.1/24 for Core)
  • Enable DHCP for each VLAN with an appropriate range (e.g. 10.1.0.100 to 10.1.0.250)
  • Set DHCP DNS to the internal resolver once available

The Visitor network (VLAN 23) should have Client Device Isolation enabled, preventing devices on this VLAN from communicating with each other or any other internal VLANs. This is the guest network.

Firewall rules

Settings > Firewall & Security.

UniFi applies sensible default rules. The key customisations for this setup:

Block inter-VLAN routing from Visitor to internal VLANs:

Create a rule in LAN In:

  • Action: Drop
  • Source: Network = Visitor (VLAN 23)
  • Destination: Network = Any internal VLAN

This ensures the Visitor VLAN can reach the internet but nothing on the internal network.

Allow inter-site routing via VPN:

Once the WireGuard VPN is configured, ensure traffic between site subnets (10.1.x.x, 10.2.x.x, 10.3.x.x) is permitted.
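An added example, not part of the original post and not UniFi's rule engine: a small Python model of the VLAN table and the two firewall rules above, used to review the address plan and to see which destinations a Visitor client could still reach. The /16 reading of the site ranges, the sample host addresses, the first-match rule order and all function names are assumptions.

```python
import ipaddress as ip

# VLAN plan copied from the table on this page: name -> (VLAN ID, subnet).
VLANS = {
    "Core": (14, "10.1.0.0/24"), "Fury": (15, "10.1.10.0/24"),
    "Apex": (16, "10.1.20.0/24"), "Collision": (17, "10.1.30.0/24"),
    "Skyforth": (18, "10.1.40.0/24"), "Twilight": (19, "10.1.50.0/24"),
    "Flow": (20, "10.1.60.0/24"), "Earth": (21, "10.1.70.0/24"),
    "Glide": (22, "10.1.80.0/24"), "Visitor": (23, "10.1.90.0/24"),
    "Testnet": (25, "10.1.200.0/24"), "Divided": (26, "192.168.1.0/24"),
}
NETS = {name: ip.ip_network(cidr) for name, (_, cidr) in VLANS.items()}
# Assumption: "10.1.x.x, 10.2.x.x, 10.3.x.x" is read as one /16 per site.
SITES = [ip.ip_network(f"10.{n}.0.0/16") for n in (1, 2, 3)]

def plan_problems():
    """Return address-plan findings to review before writing rules."""
    found, names = [], list(NETS)
    ids = [vid for vid, _ in VLANS.values()]
    found += [f"duplicate VLAN ID {v}" for v in sorted(set(ids)) if ids.count(v) > 1]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if NETS[a].overlaps(NETS[b]):
                found.append(f"{a} overlaps {b}")
    found += [f"{n} ({NETS[n]}) is outside every site range"
              for n in names if not any(NETS[n].subnet_of(s) for s in SITES)]
    return found

def verdict(src, dst, drop_dsts):
    """Model: the Visitor drop rule is matched first, then default accept."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in NETS["Visitor"] and any(dst in n for n in drop_dsts):
        return "drop"
    return "accept"

def uncovered(drop_dsts, probes):
    """Probe destinations that a Visitor client is still allowed to reach."""
    visitor_host = "10.1.90.50"  # constructed sample guest address
    return [d for d in probes if verdict(visitor_host, d, drop_dsts) == "accept"]

# Destination group built only from this site's non-Visitor VLANs.
LOCAL_ONLY = [n for name, n in NETS.items() if name != "Visitor"]
# The same group plus the other sites' ranges from the inter-site rule.
WITH_SITES = LOCAL_ONLY + SITES[1:]
PROBES = ["10.1.0.10", "192.168.1.20", "10.2.0.10", "10.3.0.10"]  # constructed

if __name__ == "__main__":
    print(plan_problems())
    print(uncovered(LOCAL_ONLY, PROBES), uncovered(WITH_SITES, PROBES))
```

In this model, a destination group built only from this site's VLANs leaves the constructed 10.2.x.x and 10.3.x.x hosts reachable from Visitor, so the drop rule's destination needs to cover the other sites' ranges as well once inter-site traffic is permitted.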

WireGuard VPN server

Settings > VPN > VPN Server > Create New > WireGuard.

This is covered in the WireGuard desktop client section of this series. On the server side:

  • Set the VPN subnet for clients (e.g. 10.1.254.0/24)
  • Set the DNS server to the internal resolver
  • Enable DDNS if the WAN IP is dynamic
  • Add a client for the desktop and each roaming device

WiFi networks

Settings > WiFi > Add WiFi Network.

Create WiFi networks mapped to the appropriate VLANs:

  • Main network: Maps to Core VLAN. WPA3 or WPA2/WPA3 mixed. Use a strong, unique passphrase.
  • Visitor network: Maps to Visitor VLAN. WPA2. Separate passphrase shared with guests.
  • IoT network: Maps to a dedicated IoT VLAN if separating smart home devices. Useful for isolating devices with questionable security posture.

Threat management

Settings > Firewall & Security > Threat Management.

The UDM-SE is rated for 3.5 Gbps of IPS routing throughput, which is sufficient for typical home internet connections. Enable IPS/IDS with the default ruleset. The performance impact is minimal at typical home broadband speeds.

Enable Honeypot to detect scanning and attack attempts on the internal network. It creates fake services that alert when accessed, flagging devices that may be compromised.

Adopting additional UniFi devices

Any UniFi access points, switches, or cameras on the same network as the UDM-SE are adopted automatically. Navigate to UniFi Devices in the Network application to see discovered devices. Click Adopt to bring them under management.

For devices at other sites (Vernal and Estival), once the inter-site VPN is established, the UDM-SE can adopt those devices remotely if needed. However, each site’s gateway runs its own local controller, so remote adoption is typically not required.

DDNS for remote access

Settings > Internet > Dynamic DNS.

If the WAN IP address changes (as it does on most home internet connections), configure DDNS so the WireGuard VPN endpoint hostname stays current. UniFi supports several DDNS providers natively. DNS-O-Matic is a useful aggregator that can update multiple DNS providers simultaneously.

Alternatively, if your domain is managed via Cloudflare, the ddclient package on the homelab server can update the DNS record automatically. This is covered in the server section.

Configuration backup

Once the network is configured, export a manual backup immediately: Settings > System > Backups > Download Backup. Store the .unf file in the NAS backup directory and in KeePassXC as a file attachment. This file contains the complete network configuration and is the fastest path back to a working state if the device needs to be replaced.

The automated backup process via the anacron script from the desktop Ubiquiti management page handles ongoing backups once the NAS is available.

The UDM-SE integrates router, switch, and controller into one device, which is convenient and reduces rack space. The trade-off is that if the device fails, the network controller fails with it. For a home setup this is acceptable. For anything business-critical, running a separate controller (on the February homelab server) that can manage devices even when the UDM-SE is being replaced is worth the additional setup.