Router - Initial Configuration
The setup wizard gets the UDM-SE onto the network and establishes a basic working configuration. This page covers the initial hardening and configuration that should happen immediately after: setting a strong admin password, configuring SSH access, setting the hostname, timezone, and NTP, and establishing the shell environment for command line work.
These steps should be completed before moving on to network configuration, firewall rules, or VPN setup. Getting the foundations right first avoids having to revisit them later.
Administration password
The password set during the setup wizard is the admin password for the UniFi Network application and the UniFi OS. If a weak password was used during setup, change it now.
Navigate to UniFi OS > Admins & Users > Admin. Select your admin account and change the password to a strong unique credential generated in KeePassXC.
The admin account also controls access to the local web interface when the device is accessed directly at https://10.1.0.1. It is separate from your Ubiquiti cloud account password, though both should be strong and unique.
Local access vs cloud access
The UDM-SE provides two authentication paths:
- Local access: via https://10.1.0.1 using the local admin account configured above. Works without internet connectivity. The local admin password is the one you generated and stored in KeePassXC.
- Cloud access: via https://unifi.ui.com using your Ubiquiti account. Requires internet connectivity and Ubiquiti’s cloud services to be available.
For a home network, both are useful: local access is more reliable, cloud access is more convenient when away from the network. Ensure both passwords are strong and stored in KeePassXC.
SSH access
SSH is disabled by default on UniFi OS. Enable and configure it before doing anything else that might require SSH for recovery.
Navigate to UniFi OS > System > Advanced > SSH.
Enable SSH. Set a strong SSH password. This is separate from the admin password and is what you use when connecting via ssh root@10.1.0.1. Store it in KeePassXC.
Adding your SSH public key
Add the desktop’s public SSH key to allow key-based authentication. In the SSH settings, paste the public key from your desktop:
cat ~/.ssh/id_ed25519.pub
Copy the output and paste it into the SSH key field. Once added, SSH connections from the desktop authenticate via key rather than password.
Test SSH access
Verify SSH works before relying on it:
ssh root@10.1.0.1
The UniFi OS shell should open. The prompt looks something like:
Welcome to UniFi OS
root@UDMSE:~#
If connecting by hostname rather than IP, use the hostname configured below:
ssh prevernal
This uses the SSH config entry from the desktop SSH configuration page.
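To confirm the alias will really reach the router as root with the ed25519 key, the following added example (not part of the original page or of any Ubiquiti tooling) audits the output of `ssh -G prevernal`. The function names, the constructed sample output, and the extra host key checking test are assumptions introduced here.

```shell
#!/bin/sh
# Added example: audit what OpenSSH resolves for the router alias.
# Input on stdin: output of `ssh -G <alias>` (keys are lowercase).
# Args: expected address, expected user, expected key file name.
# Exit status: number of findings (0 means every check passed).
audit_ssh_alias() (
    want_host=$1 want_user=$2 want_key=$3
    host= user= pubkey= strict= key_seen=0 findings=0

    while read -r key val; do
        case $key in
            hostname)              host=$val ;;
            user)                  user=$val ;;
            pubkeyauthentication)  pubkey=$val ;;
            stricthostkeychecking) strict=$val ;;
            identityfile)          # ssh -G lists every candidate key
                if [ "${val##*/}" = "$want_key" ]; then key_seen=1; fi ;;
        esac
    done

    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    [ "$host" = "$want_host" ] || flag "alias resolves to '$host', expected $want_host"
    [ "$user" = "$want_user" ] || flag "login user is '$user', expected $want_user"
    [ "$key_seen" -eq 1 ]      || flag "$want_key is not offered as an identity"
    case $pubkey in false|no) flag "public key authentication is disabled" ;; esac
    case $strict in false|no|off) flag "host key checking is disabled" ;; esac

    exit "$findings"
)

# Constructed sample of `ssh -G prevernal` output (abridged, not captured
# from a real host); values follow the addresses used on this page.
sample_resolved() {
    cat <<'EOF'
host prevernal
hostname 10.1.0.1
user root
port 22
pubkeyauthentication true
stricthostkeychecking ask
identityfile ~/.ssh/id_ed25519
EOF
}

# Real use on the desktop: ssh -G prevernal | audit_ssh_alias 10.1.0.1 root id_ed25519
sample_resolved | audit_ssh_alias 10.1.0.1 root id_ed25519 && echo "alias OK"
```

`ssh -G` only evaluates the client configuration and makes no connection, so this can be run before the router is reachable.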
System hostname and domain
Navigate to UniFi OS > System > System Configuration.
Set the hostname to match the router name in the network design:
- Site 1: prevernal
- Site 2: vernal
- Site 3: estival
Set the domain to your internal domain:
yourdomain.net
The fully qualified hostname for Prevernal becomes prevernal.yourdomain.net. This is what appears in logs, alerts, and SSH banners, and what DNS should resolve to within the internal network.
Timezone
Navigate to UniFi OS > System > System Configuration.
Set the timezone to Europe/London. This is correct for the UK, including the automatic adjustment between GMT and BST.
Accurate timezone configuration matters for log correlation across devices and for certificate validity checking. Every device in the network should agree on the current time.
NTP configuration
The UDM-SE synchronises its clock via NTP automatically. The default NTP servers are Ubiquiti’s own pool. For a network that aims to be self-sufficient, configuring UK NTP pool servers is worth doing.
Navigate to Settings > System > Time Zone & NTP.
Set the NTP servers to the UK pool:
0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org
Router as NTP server for the local network
The UDM-SE can act as an NTP server for devices on the local network. Once the router has accurate time via the public NTP pool, local devices can sync from it rather than reaching out to the internet.
Navigate to Settings > Networks > Default Network > Advanced > DHCP.
Enable NTP Server and set it to 10.1.0.1 (the Core VLAN gateway address). DHCP will distribute this NTP server address to all devices on the network automatically.
This means local devices can synchronise time even when internet connectivity is unavailable, which is the correct behaviour for a resilient local network.
UniFi OS update
Before any further configuration, ensure UniFi OS and the Network application are on the latest versions.
Navigate to UniFi OS > System > Updates.
Apply all available updates. The device will reboot. After the reboot, verify the versions in UniFi OS > System > About.
Enable automatic updates if not already enabled. UniFi updates are generally well-tested and staying current is important for security.
Command line environment
The UniFi OS shell is a standard Linux environment running on Debian. Unlike OpenWrt’s ash shell, the bash shell is available and behaves consistently with a standard Linux desktop.
Configure a useful shell environment for the root user. Connect via SSH and create or edit ~/.bashrc:
ssh prevernal
cat > ~/.bashrc << 'EOF'
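# UniFi OS root shell configuration
# Prevernal - Burnage Mad House
# Stop here for non-interactive shells (scp, rsync, ssh host command) so
# the login banner below cannot corrupt their output
case $- in *i*) ;; *) return ;; esac
# Prompt with hostname and path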
PS1='\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
# Aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias grep='grep --color=auto'
# Show uptime and system info on login
echo "Host: $(hostname -f)"
echo "Uptime: $(uptime -p)"
echo "Load: $(cut -d' ' -f1-3 /proc/loadavg)"
echo "Memory: $(free -h | awk '/^Mem:/ {print $3 " used of " $2}')"
echo
EOF
source ~/.bashrc
Source it immediately and verify the prompt has changed.
Useful command line tools
The UniFi OS environment includes most standard Linux tools. A few additional ones are worth installing if available:
# Check what is available
apt list --installed 2>/dev/null | head -20
# The package manager is apt (Debian-based)
apt update
apt install htop mtr-tiny dnsutils
Note that package changes on UniFi OS can be overwritten by firmware updates. Avoid installing anything that would be disruptive to lose, and document any custom package installations.
Configuration backup
Once the initial configuration is complete, export a manual backup immediately.
Navigate to Settings > System > Backups > Download Backup.
Store the .unf backup file in:
- KeePassXC as a file attachment under Infrastructure > UniFi > Prevernal
- The NAS backup directory once the NAS is available
- Offline safe storage on the encrypted USB drive
The backup file contains the complete device configuration. Losing it means manual reconstruction of every VLAN, firewall rule, and WireGuard configuration from scratch.
Accessing from the desktop
From this point forward, Prevernal is accessible from the Kubuntu desktop at:
| Method | Address |
|---|---|
| Web interface | https://10.1.0.1 or https://prevernal.yourdomain.net |
| SSH | ssh prevernal |
| UniFi app | Via the network applet or browser |
The SSH config entry from the desktop SSH configuration page handles the hostname to IP resolution and key selection automatically.
UniFi OS is a managed platform. Avoid making manual configuration changes via SSH that duplicate or conflict with the web interface configuration. The controller is the source of truth. Manual SSH changes that touch network configuration may be overwritten on the next controller sync. Use SSH for diagnostics, log reading, and recovery, not for routine configuration.