UniFi Network

Home networking runs on Ubiquiti UniFi gear. The Dream Machine is the gateway, firewall, and UniFi Network controller. Everything on the homelab LAN — TrueNAS, Windows PC, Wi‑Fi clients — sits behind it.

Hardware

| Device | Role |
| --- | --- |
| Dream Machine Special Edition | Router, firewall, UniFi Network controller |
| U7 access points ×2 | Whole-home Wi‑Fi |

LAN

| Setting | Value |
| --- | --- |
| Subnet | 192.168.2.0/24 |
| Gateway (typical) | 192.168.2.1 — Dream Machine |
| TrueNAS | 192.168.2.203 — TrueNAS |
| Windows PC | 192.168.2.200 — client workstation |

Static DHCP reservations

Critical servers get fixed IPs so SMB mappings, Docker, and firewall rules do not break when leases renew.

| Device | IP | MAC / notes |
| --- | --- | --- |
| TrueNAS (Ugreen DXP 8800 Plus) | 192.168.2.203 | Set in UniFi → Clients → device → Use fixed IP. TODO: record MAC here |
| Windows PC | 192.168.2.200 | Same process. TODO: record MAC here |

How to set:

  1. UniFi Network app or web UI → Clients
  2. Find the device (by hostname or current lease)
  3. Enable Fixed IP Address, then choose Use network default or enter the custom IP from the table above
  4. Apply; the device may need to renew its DHCP lease before the new address takes effect (reboot, or ipconfig /renew on Windows)
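Added example (not part of the original page): a small Python check that validates an inventory of reservations like the table above before they are typed into UniFi. It confirms every address is inside 192.168.2.0/24, does not collide with the gateway, network or broadcast address, is not reserved twice, and that a real MAC has been recorded. The inventory is constructed here and carries the page's own TODO for the missing MACs, so the check flags both devices until the MACs are filled in; the MAC format and the function name are my assumptions, not UniFi's.

```python
"""Validate a static DHCP reservation inventory against the LAN plan."""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.2.0/24")
GATEWAY = ipaddress.ip_address("192.168.2.1")
# Colon-separated lowercase MAC; dashes are normalised to colons before matching.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory mirroring the reservation table; MACs are still TODO on the page.
RESERVATIONS = [
    {"name": "TrueNAS (Ugreen DXP 8800 Plus)", "ip": "192.168.2.203", "mac": "TODO"},
    {"name": "Windows PC", "ip": "192.168.2.200", "mac": "TODO"},
]


def check_reservations(reservations, lan=LAN, gateway=GATEWAY):
    """Return (device, problem) pairs; an empty list means the inventory is consistent."""
    problems = []
    seen_ips, seen_macs = {}, {}
    for r in reservations:
        name = r["name"]
        try:
            ip = ipaddress.ip_address(r["ip"])
        except ValueError:
            problems.append((name, f"unparseable IP {r['ip']!r}"))
            continue
        # Address must be a usable host address on the documented subnet.
        if ip not in lan:
            problems.append((name, f"{ip} is outside {lan}"))
        elif ip == gateway:
            problems.append((name, f"{ip} collides with the gateway"))
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append((name, f"{ip} is the network or broadcast address"))
        # Two reservations for one IP would make UniFi hand out a conflicting lease.
        if ip in seen_ips:
            problems.append((name, f"{ip} already reserved for {seen_ips[ip]}"))
        seen_ips.setdefault(ip, name)
        # A reservation without the client's MAC cannot be applied at all.
        mac = r.get("mac", "").strip().lower().replace("-", ":")
        if not MAC_RE.match(mac):
            problems.append((name, f"MAC not recorded or malformed: {r.get('mac')!r}"))
        elif mac in seen_macs:
            problems.append((name, f"MAC {mac} already used by {seen_macs[mac]}"))
        else:
            seen_macs[mac] = name
    return problems


if __name__ == "__main__":
    for device, problem in check_reservations(RESERVATIONS):
        print(f"{device}: {problem}")
```

Run it after editing the inventory; once both MACs are recorded and no other problem is reported, the reservations match the LAN table and can be entered in UniFi.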

Wi‑Fi (SSIDs)

| SSID | Purpose | Notes |
| --- | --- | --- |
| TODO: primary SSID name | Main household Wi‑Fi | Password in Vaultwarden |
| TODO: IoT / guest SSID if any | Isolated or guest network | TODO: document if VLAN-bound |

TODO: fill in actual SSID names, bands (2.4 / 5 / 6 GHz), and whether WPA3 is enabled.

Access points: 2× U7 — placement and channel width settings live in UniFi → Devices → each AP → Settings.

How to access

  1. Open the UniFi Network app or https://<gateway-ip> on the LAN (typically https://192.168.2.1)
  2. Log in with UniFi admin credentials (stored in Vaultwarden)

What I configure here

  • Wi‑Fi SSIDs and passwords
  • Fixed IP reservations for NAS and PC
  • Firewall rules between VLANs (if any)
  • Port profiles and switch settings
  • Client device list (handy for finding IPs)
  • Geo / threat management at the edge (limited — most geo blocking is on Cloudflare)

Cloudflare and CGNAT

The Dream Machine sits behind ISP CGNAT, so there is no usable inbound port forwarding. That is why homelab services use Cloudflare Tunnels instead of exposing ports on the WAN. See Network and cloudflared.

Internet ──► ISP (CGNAT) ──► Dream Machine WAN ──► LAN 192.168.2.0/24
                    No inbound ports open — cloudflared outbound only
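Added example (not the page's own tooling): a Python helper that classifies the address the Dream Machine holds on its WAN port, which is the quick way to confirm the CGNAT situation described above. An address in 100.64.0.0/10 (RFC 6598 shared address space) means the ISP is doing carrier-grade NAT, an RFC 1918 address means a second NAT device upstream, and a public address that differs from what an outside service reports still means something upstream is translating. Only the last case, a public address that matches the outside view, would make inbound port forwarding viable. The sample addresses are constructed.

```python
"""Classify the WAN address to explain whether inbound port forwarding can work."""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_public_ip=None):
    """Return 'cgnat', 'private', 'reserved', 'upstream-nat' or 'public'.

    wan_ip is the address on the gateway's WAN interface; observed_public_ip is
    optional and is what an external service reports as the source address.
    """
    ip = ipaddress.ip_address(wan_ip)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"              # ISP carrier-grade NAT: no inbound reachability
    if any(ip in n for n in RFC1918):
        return "private"            # double NAT behind an ISP modem/router
    if not ip.is_global:
        return "reserved"           # loopback, link-local, documentation ranges, etc.
    if observed_public_ip is not None and ipaddress.ip_address(observed_public_ip) != ip:
        return "upstream-nat"       # public on the port, but translated before the internet
    return "public"


def inbound_forwarding_possible(wan_ip, observed_public_ip=None):
    """True only when the WAN address is public and matches the outside view."""
    return classify_wan(wan_ip, observed_public_ip) == "public"


if __name__ == "__main__":
    for sample in ("100.72.5.9", "192.168.1.2", "1.2.3.4"):   # constructed samples
        print(sample, classify_wan(sample), inbound_forwarding_possible(sample))
```

The "cgnat" result is exactly the case this page describes, which is why the services run over an outbound cloudflared tunnel rather than any WAN port forward.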

Firewall context

Most homelab security for public URLs is handled in Cloudflare (WAF, block no aus, tunnels). The Dream Machine still matters for:

| Layer | What it does |
| --- | --- |
| LAN → WAN | Normal outbound traffic for updates, torrents, tunnel keepalives |
| WAN → LAN | Should be default-deny inbound; CGNAT makes unsolicited inbound rare anyway |
| LAN → LAN | All devices on flat subnet today — TrueNAS SMB, PC, phones |
| VLANs | TODO: document if IoT or guest VLANs exist and what can reach TrueNAS |

Custom firewall rules

TODO: document actual rules once written down. Examples to capture when I configure them:

  • Block guest Wi‑Fi from reaching 192.168.2.203 (SMB / TrueNAS admin)
  • Allow only specific ports from PC to NAS if ever segmented
  • Any mDNS or multicast exceptions for AirPlay / casting

Until documented, assume a flat trusted LAN where anything on Wi‑Fi or Ethernet can reach TrueNAS services.
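Added example (not rules exported from the Dream Machine): a Python model of the policy the two sections above describe, so the intent can be written down and regression-checked before the real rules exist. It encodes the WAN → LAN default deny, the flat trusted LAN, a guest-to-TrueNAS block and an mDNS exception for casting, then evaluates constructed flows with first-match-wins semantics. The guest subnet 192.168.10.0/24 is an assumption, since the page does not yet document VLAN IDs; the multicast address and port are the standard mDNS ones.

```python
"""Evaluate the intended Dream Machine firewall policy against sample flows."""
import ipaddress
from dataclasses import dataclass

LAN = "192.168.2.0/24"
GUEST = "192.168.10.0/24"      # ASSUMPTION: guest VLAN subnet is not documented on the page yet
TRUENAS = "192.168.2.203/32"
MDNS = "224.0.0.251/32"        # standard mDNS multicast group, UDP 5353


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # () means any destination port
    action: str     # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (src in ipaddress.ip_network(self.src)
                and dst in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# Ordered list; the first matching rule decides, as in an ordered firewall ruleset.
POLICY = [
    Rule("mDNS exception for AirPlay / casting", GUEST, MDNS, "udp", (5353,), "allow"),
    Rule("Block guest Wi-Fi from TrueNAS (SMB / admin)", GUEST, TRUENAS, "any", (), "deny"),
]


def zone_of(ip):
    """Map a source address to the zone it belongs to."""
    if ip in ipaddress.ip_network(LAN):
        return "lan"
    if ip in ipaddress.ip_network(GUEST):
        return "guest"
    return "wan"


def evaluate(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Return (action, reason) for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    # No explicit rule: unsolicited inbound from WAN is dropped; everything
    # internal is allowed, which is the flat trusted LAN the page describes today.
    if zone_of(src) == "wan":
        return "deny", "default deny WAN -> LAN"
    return "allow", "default allow (flat trusted LAN)"


# Constructed flows and the outcome the documented policy is meant to give.
EXPECTATIONS = [
    ("192.168.10.20", "192.168.2.203", "tcp", 445, "deny"),    # guest -> NAS SMB
    ("192.168.10.20", "192.168.2.203", "tcp", 443, "deny"),    # guest -> NAS admin UI
    ("192.168.10.20", "224.0.0.251", "udp", 5353, "allow"),    # guest mDNS discovery
    ("192.168.10.20", "1.2.3.4", "tcp", 443, "allow"),         # guest -> internet
    ("192.168.2.200", "192.168.2.203", "tcp", 445, "allow"),   # PC -> NAS on flat LAN
    ("198.51.100.7", "192.168.2.203", "tcp", 445, "deny"),     # unsolicited inbound from WAN
]


def check_policy(policy=POLICY):
    """Return flows whose result differs from expectation; empty means the policy holds."""
    mismatches = []
    for src, dst, proto, dport, expected in EXPECTATIONS:
        action, reason = evaluate(src, dst, proto, dport, policy)
        if action != expected:
            mismatches.append(((src, dst, proto, dport), action, reason))
    return mismatches


if __name__ == "__main__":
    for src, dst, proto, dport, _ in EXPECTATIONS:
        print(f"{src} -> {dst} {proto}/{dport}: {evaluate(src, dst, proto, dport)}")
    print("mismatches:", check_policy())
```

Running `check_policy()` with an empty policy shows why the explicit guest rule matters: without it the flat-LAN default lets guest clients reach SMB on .203. When the real rules are written down, mirror them here so the expectations double as a checklist for what each rule is supposed to achieve.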

Geo blocking

block no aus on Cloudflare restricts most *.saxobroko.com homelab hosts to Australian IPs. That is separate from UniFi geo rules.

UniFi may have its own Traffic Management or Country Restriction on WAN — TODO: note if enabled.

Relationship to key services

| Service | Network dependency |
| --- | --- |
| TrueNAS @ .203 | Fixed IP; SMB for A: drive — Windows network drive |
| Windows PC @ .200 | Fixed IP; maps shares, runs clients only |
| cloudflared | Outbound HTTPS to Cloudflare; no port forward on Dream Machine |
| status.saxobroko.com | External monitors hit public URLs, not LAN — Monitoring |

Troubleshooting

| Symptom | Check |
| --- | --- |
| Cannot reach TrueNAS on LAN | Ping 192.168.2.203; client on correct SSID/subnet; fixed IP still assigned |
| Internet up, LAN broken | Dream Machine restart; switch link; AP disconnected |
| Public sites down, LAN fine | Not UniFi — see cloudflared, Common Issues |
| Wi‑Fi slow | AP placement, interference, backhaul — UniFi Insights |

Customisation backlog

Still TODO — fill in when I change something worth remembering:

  • Actual SSID names and VLAN IDs
  • MAC addresses for .203 and .200 reservations
  • Custom firewall rules (guest isolation, NAS protection)
  • DNS overrides (Pi-hole, AdGuard, or custom records on UDM)
  • VPN (WireGuard / Teleport) if ever enabled on the Dream Machine

Related todo: router customisation was on the backlog — update this page whenever rules change.