Netgear on homelab

UniFi Express VPN & Network Management

Thu, 30 Apr 2026 00:00:00 +0000

UniFi Express VPN & Network Management#

What Was Established#

Methodology for configuring ProtonVPN WireGuard on UniFi Express.
Kill switch implementation to prevent IP/DNS leaks when the VPN drops.
Best practices for managing Netgear managed switches via dedicated subnets and secure ports.

Key Decisions#

WireGuard Protocol: Selected over OpenVPN for superior speed and efficiency on UniFi Express.
Kill Switch Pattern: Default-deny WAN traffic; only allow forwarding through the wg0 interface.
Netgear Management: Restrict switch web GUI access to a dedicated management VLAN/subnet using HTTPS.

Current Configuration#

VPN Client: ProtonVPN (WireGuard)
Endpoint: us-123.protonvpn.net:51820 (example high-speed server)
ProtonVPN DNS: 10.2.0.1
Allowed IPs: 0.0.0.0/0 (full tunnel)
Netgear Switch Management Ports:
- HTTP: 80 (insecure, avoid)
- HTTPS: 443 (secure web GUI)
- SSH: 22 (CLI access)
- SNMP: 161 (monitoring)

Historical Notes#

Conversation dated 2025-04-14.
Gateway device referred to as UniFi Express (infrastructure list notes “UCG Express ‘Olorín’ at 192.168.1.1”).
Netgear MS308E is the managed switch in the homelab.
Kill switch and DNS leak prevention rely on iptables/nftables or UniFi OS firewall rules.

Open Questions#

Does UniFi Express support native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?
Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.
Whether split tunneling is needed for specific homelab services.

Uptime Kuma - Configuration & Integrations

UniFi UX7 & Netgear MS308E VLAN Setup

Thu, 30 Apr 2026 00:00:00 +0000

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
Troubleshooting methodology for multi-switch chains (isolate to inter-switch trunks vs. device-specific vs. firewall).
UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions#

VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

Current Configuration#

UX7 (Olorín): 192.168.1.1
- Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
Netgear MS308E (Switch 1): 192.168.1.239
- Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Ports 2, 3 (to downstream switches): Same as Port 1.
- Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
Netgear MS308E (Switch 2):
- Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
UX7 Firewall Rules (Tharkûn/DMZ):
- Allow DMZ to Internet
- Allow DMZ to Gateway
- Block DMZ to Internal
- Block DMZ to VPN

Historical Notes#

Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused lockout because management traffic (VLAN 1) became untagged and was dropped. Reverted to Native VLAN = 1.
VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.

Open Questions#

How to handle Rivendell (VLAN 4) when deployed?
Will U7 APs require specific VLAN tagging configurations for Tharkûn WiFi?

wiki/networking/vlan_setup.md (Legacy OPNsense context)
wiki/infrastructure/network.md
wiki/networking/opnsense_dmz_iot_firewall.md

Uptime Kuma - Configuration & Integrations

VLAN Configuration: OPNsense & Netgear MS308E

Tue, 25 Mar 2025 00:00:00 +0000

VLAN Configuration: OPNsense & Netgear MS308E#

What Was Established#

Configuration pattern for implementing tagged (trunk) and untagged (access) VLANs using OPNsense as the router and a Netgear MS308E managed switch.

Key Decisions#

VLAN Naming/ID: Example VLAN “Incánus” assigned ID 20.
Trunking Strategy: The port connecting OPNsense to the Netgear switch must be configured as a Tagged port for all active VLANs.
Access Port Strategy: Ports for end-devices must be Untagged for the specific VLAN, with the PVID (Port VLAN ID) set to match that VLAN.

Current Configuration#

OPNsense Setup#

Create VLAN: Interfaces → Other Types → VLAN (Assign Parent Interface and Tag ID).
Assign Interface: Interfaces → Assignments (Add the new VLAN interface).
Configure IP: Set a static IPv4 address (e.g., 192.168.20.1/24 for VLAN 20).
DHCP: Enable DHCPv4 under Services → DHCPv4 → [VLAN Interface].

Netgear MS308E Setup#

VLAN Membership:
- Trunk Port (to OPNsense): Set as Tagged for all VLANs (e.g., VLAN 20, 30).
- Access Port (to Device): Set as Untagged for the target VLAN.
PVID Configuration:
- For Access Ports, the PVID must be updated to match the VLAN ID (e.g., Port 1: PVID 20).

Historical Notes#

Configuration established during the rollout of the “Incánus” network segment.

Netgear on homelab

UniFi Express VPN & Network Management

UniFi Express VPN & Network Management#

What Was Established#

Key Decisions#

Current Configuration#

Historical Notes#

Open Questions#

Related Pages#

UniFi UX7 & Netgear MS308E VLAN Setup

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Key Decisions#

Current Configuration#

Historical Notes#

Open Questions#

Related Pages#

VLAN Configuration: OPNsense & Netgear MS308E

VLAN Configuration: OPNsense & Netgear MS308E#

What Was Established#

Key Decisions#

Current Configuration#

OPNsense Setup#

Netgear MS308E Setup#

Historical Notes#