UniFi Network
Home networking runs on Ubiquiti UniFi gear. The Dream Machine is the gateway, firewall, and UniFi Network controller. Everything on the homelab LAN — TrueNAS, Windows PC, Wi‑Fi clients — sits behind it.
Hardware
| Device | Role |
|---|---|
| Dream Machine Special Edition | Router, firewall, UniFi Network controller |
| U7 access points | ×2 — whole-home Wi‑Fi |
LAN
| Setting | Value |
|---|---|
| Subnet | 192.168.2.0/24 |
| Gateway | 192.168.2.1 — Dream Machine |
| TrueNAS | 192.168.2.203 — Ugreen DXP 8800 Plus |
| Windows PC | 192.168.2.200 — client workstation |
Static DHCP reservations
Critical servers get fixed IPs so SMB mappings, Docker, and firewall rules do not break when leases renew.
| Device | IP | MAC / notes |
|---|---|---|
| TrueNAS (Ugreen DXP 8800 Plus) | 192.168.2.203 | Set in UniFi → Clients → device → Use fixed IP — TODO: record MAC here |
| Windows PC | 192.168.2.200 | Same process — TODO: record MAC here |
How to set:
- UniFi Network app or web UI → Clients
- Find the device (by hostname or current lease)
- Enable Fixed IP Address / Use network default or custom IP as above
- Apply — the device may need to renew its DHCP lease (reboot, or `ipconfig /renew` on Windows)
Wi‑Fi (SSIDs)
| SSID | Purpose | Notes |
|---|---|---|
| TODO: primary SSID name | Main household Wi‑Fi | Password in Vaultwarden |
| TODO: IoT / guest SSID if any | Isolated or guest network | TODO: document if VLAN-bound |
TODO: fill in actual SSID names, bands (2.4 / 5 / 6 GHz), and whether WPA3 is enabled.
Access points: 2× U7 — placement and channel width settings live in UniFi → Devices → each AP → Settings.
How to access
- Open the UniFi Network app or `https://<gateway-ip>` on the LAN (typically `https://192.168.2.1`)
- Log in with UniFi admin credentials (stored in Vaultwarden)
What I configure here
- Wi‑Fi SSIDs and passwords
- Fixed IP reservations for NAS and PC
- Firewall rules between VLANs (if any)
- Port profiles and switch settings
- Client device list (handy for finding IPs)
- Geo / threat management at the edge (limited — most geo blocking is on Cloudflare)
Cloudflare and CGNAT
The Dream Machine sits behind ISP CGNAT, so there is no usable inbound port forwarding. That is why homelab services use Cloudflare Tunnels instead of exposing ports on the WAN. See Network and cloudflared.
```
Internet ──► ISP (CGNAT) ──► Dream Machine WAN ──► LAN 192.168.2.0/24
                                     │
                   No inbound ports open — cloudflared outbound only
```
Firewall context
Most homelab security for public URLs is handled in Cloudflare (WAF, the `block no aus` rule, tunnels). The Dream Machine still matters for:
| Layer | What it does |
|---|---|
| LAN → WAN | Normal outbound traffic for updates, torrents, tunnel keepalives |
| WAN → LAN | Default-deny inbound. CGNAT means unsolicited IPv4 from the internet never reaches the WAN port today, but keep the default-deny anyway: it is what protects the LAN if the ISP ever issues a public IPv4 or routes IPv6 to the gateway |
| LAN → LAN | All devices on flat subnet today — TrueNAS SMB, PC, phones |
| VLANs | TODO: document if IoT or guest VLANs exist and what can reach TrueNAS |
Custom firewall rules
TODO: document actual rules once written down. Examples to capture when I configure them:
- Block guest Wi‑Fi from reaching `192.168.2.203` (SMB / TrueNAS admin)
- Allow only specific ports from PC to NAS if ever segmented
- Any mDNS or multicast exceptions for AirPlay / casting
Until documented, assume a flat trusted LAN where anything on Wi‑Fi or Ethernet can reach TrueNAS services.
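To sanity-check the three candidate rules above before typing them into the Dream Machine, here is an added example (my own script, not Ubiquiti code and not the UniFi rule format) that models a first-match firewall and evaluates the flows the rules are meant to govern. It assumes a guest/IoT VLAN at 192.168.3.0/24 and TrueNAS's admin UI on TCP 443; neither is recorded on this page yet. The second run in `__main__` shows the classic mistake: a broad allow placed above the guest block silently defeats it.

```python
"""Added example: first-match firewall policy evaluator for the guest-isolation
rules sketched on this page. Not Ubiquiti or UniFi code; the rule objects are
a model, not the UDM's rule syntax."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

LAN = Net("192.168.2.0/24")
NAS = Net("192.168.2.203/32")
PC = Net("192.168.2.200/32")
GUEST = Net("192.168.3.0/24")   # assumption: guest/IoT VLAN, not documented on the page
MDNS = Net("224.0.0.251/32")    # mDNS multicast group (AirPlay / casting discovery)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "drop"
    src: Net
    dst: Net
    proto: Optional[str] = None          # "tcp", "udp", or None for any protocol
    dports: Optional[frozenset] = None   # destination ports, None for any

    def matches(self, src: IPv4, dst: IPv4, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))


# Candidate rule set from the notes above, evaluated top-down, first match wins.
RULES = [
    Rule("allow mDNS from guest (AirPlay/casting)", "allow", GUEST, MDNS, "udp", frozenset({5353})),
    Rule("block guest -> TrueNAS", "drop", GUEST, NAS),
    Rule("allow PC -> NAS SMB", "allow", PC, NAS, "tcp", frozenset({445})),
]
DEFAULT_ACTION = "allow"   # flat trusted LAN today; flip to "drop" if the LAN is ever segmented


def evaluate(rules, src, dst, proto, dport, default=DEFAULT_ACTION):
    """Return (action, rule_name) for one flow; rule_name is 'default' on fall-through."""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.name
    return default, "default"


# Flows that must hold regardless of rule order. Constructed for this example;
# 443 for the TrueNAS admin UI is an assumption (TrueNAS default), not from the page.
INVARIANTS = [
    ("192.168.3.50", "192.168.2.203", "tcp", 445, "drop"),    # guest -> SMB
    ("192.168.3.50", "192.168.2.203", "tcp", 443, "drop"),    # guest -> TrueNAS admin UI
    ("192.168.3.50", "224.0.0.251", "udp", 5353, "allow"),    # guest mDNS exception
    ("192.168.2.200", "192.168.2.203", "tcp", 445, "allow"),  # PC -> SMB (the A: drive)
]


def violations(rules, default=DEFAULT_ACTION):
    """List every invariant the given rule order breaks; empty means the policy holds."""
    out = []
    for src, dst, proto, dport, want in INVARIANTS:
        got, name = evaluate(rules, src, dst, proto, dport, default)
        if got != want:
            out.append(f"{src}->{dst}/{proto}/{dport}: got {got} via '{name}', want {want}")
    return out


if __name__ == "__main__":
    print("documented order:", violations(RULES))
    # Same rules with a broad allow on top: the guest block never fires.
    misordered = [Rule("allow guest -> LAN", "allow", GUEST, LAN)] + RULES
    print("broad allow first:", violations(misordered))
```

Running it prints an empty list for the documented order and two violations (guest reaching SMB and the admin UI) for the misordered set. The mDNS invariant survives the misordering only because 224.0.0.251 is outside 192.168.2.0/24, which is exactly the kind of accident a model like this makes visible before the rules go live.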
Geo blocking
The `block no aus` rule on Cloudflare restricts most *.saxobroko.com homelab hosts to Australian IPs. That is separate from UniFi geo rules.
UniFi may have its own Traffic Management or Country Restriction on WAN — TODO: note if enabled.
Relationship to key services
| Service | Network dependency |
|---|---|
| TrueNAS @ .203 | Fixed IP; SMB for A: drive — Windows network drive |
| Windows PC @ .200 | Fixed IP; maps shares, runs clients only |
| cloudflared | Outbound HTTPS to Cloudflare; no port forward on Dream Machine |
| status.saxobroko.com | External monitors hit public URLs, not LAN — Monitoring |
Troubleshooting
| Symptom | Check |
|---|---|
| Cannot reach TrueNAS on LAN | Ping 192.168.2.203; client on correct SSID/subnet; fixed IP still assigned |
| Internet up, LAN broken | Dream Machine restart; switch link; AP disconnected |
| Public sites down, LAN fine | Not UniFi — see cloudflared, Common Issues |
| Wi‑Fi slow | AP placement, interference, backhaul — UniFi Insights |
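The "fixed IP still assigned" check above, and the MAC addresses the reservation table is waiting on, can be turned into a script. This is an added example (mine, not TrueNAS or Ubiquiti code) that reads the Linux neighbour table, as printed by `ip neigh show` on a TrueNAS SCALE shell or any Linux box on the LAN, and reports each reserved IP that is missing, not answering ARP, or answering from a MAC other than the recorded one. The MACs in `RESERVATIONS` are placeholders standing in for the page's TODO; the sample table is constructed.

```python
"""Added example: verify that the fixed-IP hosts (.203 and .200) still answer
from their recorded MACs. Not Ubiquiti or TrueNAS code. Parses the output of
`ip neigh show` (iproute2) and flags missing, unresolved or mismatched entries."""
import subprocess

# Recorded reservations. MACs are placeholders (the page still says TODO),
# replace them with the real ones from UniFi -> Clients.
RESERVATIONS = {
    "192.168.2.203": "aa:bb:cc:00:02:03",  # TrueNAS (placeholder MAC)
    "192.168.2.200": "aa:bb:cc:00:02:00",  # Windows PC (placeholder MAC)
}


def parse_neigh(text: str) -> dict:
    """Map IP -> (mac or None, state) from `ip neigh show` output lines.

    Lines look like '192.168.2.203 dev eth0 lladdr aa:bb:cc:00:02:03 REACHABLE';
    entries without an answer have no 'lladdr' token, e.g. '... dev eth0  FAILED'.
    """
    table = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[1] != "dev":
            continue
        mac = t[t.index("lladdr") + 1].lower() if "lladdr" in t else None
        table[t[0]] = (mac, t[-1])
    return table


def check_reservations(neigh: dict, reservations=RESERVATIONS) -> list:
    """One finding per reservation that is absent, unresolved, or answering
    from the wrong MAC (IP conflict, a stale reservation, or ARP spoofing)."""
    findings = []
    for ip, want in reservations.items():
        entry = neigh.get(ip)
        if entry is None:
            findings.append(f"{ip}: not in neighbour table (host down, wrong subnet, or never probed)")
            continue
        mac, state = entry
        if mac is None or state in ("FAILED", "INCOMPLETE"):
            findings.append(f"{ip}: no ARP reply ({state}) - lease lost or host offline")
        elif mac != want.lower():
            findings.append(f"{ip}: answers from {mac}, expected {want} - IP conflict or ARP spoof")
    return findings


def live_neigh(reservations=RESERVATIONS) -> dict:
    """Probe each reserved IP so the kernel populates the table, then read it.
    Linux with iproute2 and ping only; not exercised offline."""
    for ip in reservations:
        subprocess.run(["ping", "-c", "1", "-W", "1", ip], capture_output=True)
    out = subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


# Constructed sample: .203 is healthy, .200 answers from an unexpected MAC,
# .77 is an unrelated host that never replied.
SAMPLE = """\
192.168.2.203 dev eth0 lladdr aa:bb:cc:00:02:03 REACHABLE
192.168.2.200 dev eth0 lladdr de:ad:be:ef:00:01 STALE
192.168.2.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.2.77 dev eth0  FAILED
"""

if __name__ == "__main__":
    for finding in check_reservations(parse_neigh(SAMPLE)):
        print(finding)
```

Against the sample it reports only `.200`, which answers from a MAC that does not match the reservation. On the real LAN, swap `parse_neigh(SAMPLE)` for `live_neigh()`; a mismatch on `.203` is worth treating as an incident rather than a DHCP hiccup, since an SMB client that maps `A:` will happily authenticate to whatever is answering on that address.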
Customisation backlog
Still TODO — fill in when I change something worth remembering:
- Actual SSID names and VLAN IDs
- MAC addresses for the `.203` and `.200` reservations
- Custom firewall rules (guest isolation, NAS protection)
- DNS overrides (Pi-hole, AdGuard, or custom records on UDM)
- VPN (WireGuard / Teleport) if ever enabled on the Dream Machine
Related todo: router customisation was on the backlog — update this page whenever rules change.
Related
- Network — tunnels, public URLs
- cloudflared — why port forwarding is not used
- TrueNAS — `.203`
- Common Issues