UniFi Express VPN & Network Management

What Was Established

  • Methodology for configuring ProtonVPN WireGuard on UniFi Express.
  • Kill switch implementation to prevent IP/DNS leaks when the VPN drops.
  • Best practices for managing Netgear managed switches via dedicated subnets and secure ports.

Key Decisions

  • WireGuard Protocol: Selected over OpenVPN for superior speed and efficiency on UniFi Express.
  • Kill Switch Pattern: Default-deny WAN traffic; only allow forwarding through the wg0 interface.
  • Netgear Management: Restrict switch web GUI access to a dedicated management VLAN/subnet using HTTPS.

Current Configuration

  • VPN Client: ProtonVPN (WireGuard)
  • Endpoint: us-123.protonvpn.net:51820 (example high-speed server)
  • ProtonVPN DNS: 10.2.0.1
  • Allowed IPs: 0.0.0.0/0 (full tunnel)
  • Netgear Switch Management Ports:
    • HTTP: 80 (insecure, avoid)
    • HTTPS: 443 (secure web GUI)
    • SSH: 22 (CLI access)
    • SNMP: 161 (monitoring)

Historical Notes

  • Conversation dated 2025-04-14.
  • Gateway device referred to as UniFi Express (infrastructure list notes “UCG Express ‘Olorín’ at 192.168.1.1”).
  • Netgear MS308E is the managed switch in the homelab.
  • Kill switch and DNS leak prevention rely on iptables/nftables or UniFi OS firewall rules.

Open Questions

  • Does UniFi Express support native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?
  • Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.
  • Whether split tunneling is needed for specific homelab services.

UniFi UX7 & Netgear MS308E VLAN Setup

What Was Established

  • Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
  • Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
  • Troubleshooting methodology for multi-switch chains: isolate the fault to the inter-switch trunks, to a specific device, or to the firewall.
  • UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions

  • VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
  • VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
  • VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
  • Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
  • UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

Current Configuration

  • UX7 (Olorín): 192.168.1.1
    • Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
  • Netgear MS308E (Switch 1): 192.168.1.239
    • Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Ports 2, 3 (to downstream switches): Same as Port 1.
    • Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
  • Netgear MS308E (Switch 2):
    • Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
  • UX7 Firewall Rules (Tharkûn/DMZ):
    • Allow DMZ to Internet
    • Allow DMZ to Gateway
    • Block DMZ to Internal
    • Block DMZ to VPN

Historical Notes

  • Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused a lockout: the untagged management traffic (VLAN 1) no longer matched any VLAN on the trunk and was dropped. Reverted to Native VLAN = 1.
  • VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
  • VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.

Open Questions

  • How to handle Rivendell (VLAN 4) when deployed?
  • Will U7 APs require specific VLAN tagging configurations for Tharkûn WiFi?

Related

  • wiki/networking/vlan_setup.md (Legacy OPNsense context)
  • wiki/infrastructure/network.md
  • wiki/networking/opnsense_dmz_iot_firewall.md

VLAN Configuration: OPNsense & Netgear MS308E

What Was Established

Configuration pattern for implementing tagged (trunk) and untagged (access) VLANs using OPNsense as the router and a Netgear MS308E managed switch.

Key Decisions

  • VLAN Naming/ID: Example VLAN “Incánus” assigned ID 20.
  • Trunking Strategy: The port connecting OPNsense to the Netgear switch must be configured as a Tagged port for all active VLANs.
  • Access Port Strategy: Ports for end-devices must be Untagged for the specific VLAN, with the PVID (Port VLAN ID) set to match that VLAN.

Current Configuration

OPNsense Setup

  1. Create VLAN: Interfaces → Other Types → VLAN (Assign Parent Interface and Tag ID).
  2. Assign Interface: Interfaces → Assignments (Add the new VLAN interface).
  3. Configure IP: Set a static IPv4 address (e.g., 192.168.20.1/24 for VLAN 20).
  4. DHCP: Enable DHCPv4 under Services → DHCPv4 → [VLAN Interface].

Netgear MS308E Setup

  1. VLAN Membership:
    • Trunk Port (to OPNsense): Set as Tagged for all VLANs (e.g., VLAN 20, 30).
    • Access Port (to Device): Set as Untagged for the target VLAN.
  2. PVID Configuration:
    • For Access Ports, the PVID must be updated to match the VLAN ID (e.g., Port 1: PVID 20).
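A consistency check for the trunk/access pattern used in both the UX7/MS308E section and this OPNsense section, written as an added example (not part of this wiki and not a UniFi, Netgear or OPNsense tool). The Port class, the sample ports and the failing cases are constructed here to mirror the Current Configuration lists and the recorded failures; the rules it enforces are the ones the notes state: VLAN 1 stays untagged on every trunk, both ends of an inter-switch link carry the same VLANs, and an access port's PVID matches its untagged VLAN.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MGMT_VLAN = 1  # VLAN 1 (Gandalf): switch management rides untagged on every trunk

@dataclass(frozen=True)
class Port:  # one switch/gateway port: tagged VLAN set, optional untagged VLAN, PVID
    name: str
    tagged: FrozenSet[int] = frozenset()
    untagged: Optional[int] = None
    pvid: int = 1

    def carries(self) -> FrozenSet[int]:
        return self.tagged | ({self.untagged} if self.untagged is not None else set())

def check_port(p: Port) -> List[str]:
    """Checks that apply to any port: PVID must match the untagged VLAN."""
    issues = []
    if p.untagged is not None and p.untagged in p.tagged:
        issues.append(f"{p.name}: VLAN {p.untagged} is both tagged and untagged")
    if p.untagged is not None and p.pvid != p.untagged:
        issues.append(f"{p.name}: PVID {p.pvid} does not match untagged VLAN {p.untagged}")
    return issues

def check_trunk(a: Port, b: Port) -> List[str]:
    """Inter-switch link: management stays untagged, both ends carry the same VLANs."""
    issues = check_port(a) + check_port(b)
    if a.untagged != MGMT_VLAN or b.untagged != MGMT_VLAN:
        issues.append(f"{a.name}<->{b.name}: VLAN {MGMT_VLAN} must be untagged on both ends (lockout risk)")
    for vlan in sorted(a.carries() ^ b.carries()):  # VLANs present on only one side
        issues.append(f"{a.name}<->{b.name}: VLAN {vlan} is carried on only one end of the trunk")
    return issues

def check_access(p: Port) -> List[str]:
    """End-device port: exactly one untagged VLAN, nothing tagged."""
    issues = check_port(p)
    if p.untagged is None or p.tagged:
        issues.append(f"{p.name}: access port must be untagged for one VLAN only")
    return issues

# Constructed sample ports mirroring the wiki's Current Configuration lists.
UX7_P1 = Port("UX7 p1", frozenset({2, 3}), untagged=1, pvid=1)
SW1_P1 = Port("SW1 p1", frozenset({2, 3}), untagged=1, pvid=1)
SW1_P2 = Port("SW1 p2", frozenset({2, 3}), untagged=1, pvid=1)
SW2_TRUNK_BAD = Port("SW2 trunk", frozenset({2}), untagged=1, pvid=1)  # VLAN 3 left off downstream
SW1_P1_NO_NATIVE = Port("SW1 p1", frozenset({1, 2, 3}), untagged=None, pvid=1)  # the lockout attempt
OPN_ACCESS_BAD = Port("MS308E p1", untagged=20, pvid=1)  # VLAN 20 untagged but PVID never updated

if __name__ == "__main__":
    print(*check_trunk(UX7_P1, SW1_P1_NO_NATIVE), *check_trunk(SW1_P2, SW2_TRUNK_BAD), *check_access(OPN_ACCESS_BAD), sep="\n")
```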

Historical Notes

Configuration established during the rollout of the “Incánus” network segment.