Unifi on homelab

UniFi Express VPN & Network Management

Thu, 30 Apr 2026 00:00:00 +0000

UniFi Express VPN & Network Management#

What Was Established#

Methodology for configuring ProtonVPN WireGuard on UniFi Express.
Kill switch implementation to prevent IP/DNS leaks when the VPN drops.
Best practices for managing Netgear managed switches via dedicated subnets and secure ports.

Key Decisions#

WireGuard Protocol: Selected over OpenVPN for superior speed and efficiency on UniFi Express.
Kill Switch Pattern: Default-deny WAN traffic; only allow forwarding through the wg0 interface.
Netgear Management: Restrict switch web GUI access to a dedicated management VLAN/subnet using HTTPS.

Current Configuration#

VPN Client: ProtonVPN (WireGuard)
Endpoint: us-123.protonvpn.net:51820 (example high-speed server)
ProtonVPN DNS: 10.2.0.1
Allowed IPs: 0.0.0.0/0 (full tunnel)
Netgear Switch Management Ports:
- HTTP: 80 (insecure, avoid)
- HTTPS: 443 (secure web GUI)
- SSH: 22 (CLI access)
- SNMP: 161 (monitoring)

Historical Notes#

Conversation dated 2025-04-14.
Gateway device referred to as UniFi Express (infrastructure list notes “UCG Express ‘Olorín’ at 192.168.1.1”).
Netgear MS308E is the managed switch in the homelab.
Kill switch and DNS leak prevention rely on iptables/nftables or UniFi OS firewall rules.

Open Questions#

Does UniFi Express support native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?
Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.
Whether split tunneling is needed for specific homelab services.

Uptime Kuma - Configuration & Integrations

UniFi UX7 & Netgear MS308E VLAN Setup

Thu, 30 Apr 2026 00:00:00 +0000

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
Troubleshooting methodology for multi-switch chains (isolate to inter-switch trunks vs. device-specific vs. firewall).
UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions#

VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

Current Configuration#

UX7 (Olorín): 192.168.1.1
- Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
Netgear MS308E (Switch 1): 192.168.1.239
- Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Ports 2, 3 (to downstream switches): Same as Port 1.
- Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
Netgear MS308E (Switch 2):
- Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
UX7 Firewall Rules (Tharkûn/DMZ):
- Allow DMZ to Internet
- Allow DMZ to Gateway
- Block DMZ to Internal
- Block DMZ to VPN

Historical Notes#

Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused lockout because management traffic (VLAN 1) became untagged and was dropped. Reverted to Native VLAN = 1.
VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.

Open Questions#

How to handle Rivendell (VLAN 4) when deployed?
Will U7 APs require specific VLAN tagging configurations for Tharkûn WiFi?

wiki/networking/vlan_setup.md (Legacy OPNsense context)
wiki/infrastructure/network.md
wiki/networking/opnsense_dmz_iot_firewall.md

Uptime Kuma - Configuration & Integrations

AI-Driven Monitoring Pipeline

Tue, 21 Apr 2026 00:00:00 +0000

AI-Driven Monitoring Pipeline#

What Was Established#

The monitoring pipeline is fully operational and running hourly. It collects rich structured data from four sources (Prometheus — 7 metrics, Uptime Kuma, UniFi, Synology), runs 4 parallel Ollama summarization calls, synthesises a final status report, and writes everything to Postgres. Hourly snapshots of raw UniFi and Prometheus data are stored in dedicated tables for delta computation. End-to-end runtime is ~13 minutes using gemma4:e4b CPU-only on the Pavilion — accepted as-is pending Mac Studio.

Network Infrastructure & VLANs

Tue, 14 Apr 2026 00:00:00 +0000

Network Infrastructure & VLANs#

What Was Established#

The network uses a UniFi UCG Express with a multi-VLAN setup. A recent incident involving a VPN expiry caused a routing failure on specific VLANs due to policy-based routing (PBR) without a fallback mechanism.

Key Decisions#

VLAN Segmentation:
- Gandalf: Server network (Always-on, stable, no VPN).
- Mithrandir (VLAN 2): Client/AI network. Traffic is routed through ProtonVPN via WireGuard.
- Harken (VLAN 3): General usage.
- Tharkûn (DMZ): Restricted zone (DMZ $\rightarrow$ Internal is Blocked).
- Rivendell (VLAN 4): Unused.
VPN Configuration: ProtonVPN WireGuard Client 1 is used for Mithrand/VLAN 2. Critical: Ensure “Block traffic if WireGuard is down” is enabled to prevent IP leaks.
IP Management: Use DHCP Reservations (Fixed IPs) in the UniFi Controller rather than configuring static IPs on individual hosts to prevent port-forward breakage during DHCP lease renewals.

Current Configuration#

Known Fixed IPs (DHCP Reservations):

Unifi on homelab

UniFi Express VPN & Network Management

UniFi Express VPN & Network Management#

What Was Established#

Key Decisions#

Current Configuration#

Historical Notes#

Open Questions#

Related Pages#

UniFi UX7 & Netgear MS308E VLAN Setup

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Key Decisions#

Current Configuration#

Historical Notes#

Open Questions#

Related Pages#

AI-Driven Monitoring Pipeline

AI-Driven Monitoring Pipeline#

What Was Established#

Network Infrastructure & VLANs

Network Infrastructure & VLANs#

What Was Established#

Key Decisions#

Current Configuration#