How I Designed My UniFi Network for Performance, Privacy, and Peace of Mind
A behind-the-scenes look at how I designed and segmented my UniFi network—covering VLANs, Wi-Fi strategy, firewall rules, and how each subnet fits into my homelab and home life.
It’s one thing to have Wi-Fi that works. It’s another to know exactly how your network is structured—and to design it in a way that reflects how you actually use your home and homelab.
I’m running a UniFi Dream Machine Special Edition (UDM SE) as the core of my home network, and after multiple iterations, I’ve landed on a design that balances performance, segmentation, and sanity. This post breaks down my VLANs, routing rules, multicast setup, and Wi-Fi layout, with the goal of giving every device what it needs—without opening unnecessary doors.
🧱 VLANs: Segmenting Everything
I use 7 VLANs across my network, each scoped to its own /24 subnet and controlled by custom firewall rules.
Name | VLAN ID | Subnet | Purpose |
---|---|---|---|
Default | 1 | 10.10.10.0/24 | Default fallback, rarely used |
Homelab | 2 | 10.10.11.0/24 | Proxmox nodes, K8s cluster, Overseer |
Cameras | 3 | 10.10.12.0/24 | IP cams and NVR feeds |
Work | 4 | 10.10.13.0/24 | My work laptops/devices (isolated from personal traffic) |
Public | 5 | 10.10.14.0/24 | Guest Wi-Fi |
SecretNet | 6 | 10.10.18.0/24 | Isolated lab for sensitive testing |
JonanLab | 7 | 10.10.19.0/24 | VLAN for my son’s Pi/ESP tinkering |
🔐 Firewall Rules and Traffic Flow
Everything is built on the principle of default deny, explicit allow. Here's how I route:
- Homelab ↔ SecretNet: Mostly blocked, with only specific ports open for testing API integrations.
- Work ↔ Internet only: Keep work at work and home at home.
- Cameras ↔ LAN: Uni-directional flow to Home Assistant and Frigate.
- JonanLab ↔ Internet only: Isolated except for MQTT broker access.
- Public → LAN: Fully blocked (internet access only).
I use mDNS forwarding selectively for the Public VLAN and enable IGMP Snooping on SecretNet and JonanLab to reduce broadcast noise.
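As an added illustration of the "default deny, explicit allow" policy above (my own construction, not anything exported from the UDM SE), here is the inter-VLAN policy modelled in Python with the subnets from the VLAN table. The post does not give service addresses or port numbers, so the Home Assistant, Frigate and MQTT broker addresses, the MQTT port and the Homelab/SecretNet API test port are assumptions, as is Homelab being able to reach every zone other than SecretNet.

```python
from ipaddress import ip_address, ip_network

# Subnets copied from the VLAN table above (the rarely used Default VLAN is omitted).
VLANS = {
    "Homelab": ip_network("10.10.11.0/24"),
    "Cameras": ip_network("10.10.12.0/24"),
    "Work": ip_network("10.10.13.0/24"),
    "Public": ip_network("10.10.14.0/24"),
    "SecretNet": ip_network("10.10.18.0/24"),
    "JonanLab": ip_network("10.10.19.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed values: the post names these services but gives no addresses or ports.
HOME_ASSISTANT = ip_address("10.10.11.20")
FRIGATE = ip_address("10.10.11.21")
MQTT_BROKER = ip_address("10.10.11.22")
MQTT_PORT = 1883
API_TEST_PORTS = {8443}  # the "specific ports" opened between Homelab and SecretNet

def zone_of(ip):
    """Map an address to its VLAN name, 'Internet' for public space, else 'Other'."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "Other" if any(ip in n for n in RFC1918) else "Internet"

# Explicit allow rules per source zone; each predicate sees (dst_ip, dst_zone, dport).
# Homelab reaching every zone except SecretNet is an assumption, not stated in the post.
ALLOW = {
    "Work": [lambda d, z, p: z == "Internet"],
    "Public": [lambda d, z, p: z == "Internet"],
    "JonanLab": [lambda d, z, p: z == "Internet",
                 lambda d, z, p: d == MQTT_BROKER and p == MQTT_PORT],
    "Cameras": [lambda d, z, p: d in (HOME_ASSISTANT, FRIGATE)],
    "Homelab": [lambda d, z, p: z != "SecretNet",
                lambda d, z, p: z == "SecretNet" and p in API_TEST_PORTS],
    "SecretNet": [lambda d, z, p: z == "Homelab" and p in API_TEST_PORTS],
}

def allowed(src, dst, dport):
    """Is a NEW connection src -> dst:dport permitted? Anything unmatched is denied."""
    src, dst = ip_address(src), ip_address(dst)
    if zone_of(src) == zone_of(dst):
        return True  # same-VLAN traffic is switched and never crosses the firewall
    return any(rule(dst, zone_of(dst), dport) for rule in ALLOW.get(zone_of(src), []))

def isolation_holds(src_ip):
    """Audit: an internet-only VLAN host must reach no other VLAN on common ports."""
    src_zone = zone_of(ip_address(src_ip))
    return not any(allowed(src_ip, str(net[10]), port)
                   for name, net in VLANS.items() if name != src_zone
                   for port in (22, 80, 443, 1883, 8443))
```

The model covers connection initiation only; return traffic is left to the gateway's stateful tracking, which is why the Cameras rule is one-directional.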
📶 Wi-Fi SSID Mapping
Each VLAN is assigned to its own SSID for clarity and isolation:
SSID | VLAN | Band | Notes |
---|---|---|---|
STAR Labs | Public (5) | 2.4 GHz | Guest network |
Work WiFi | Work (4) | 5 GHz | Laptops + productivity devices |
DeathWatch | Homelab (2) | 5 GHz | Admin-only infrastructure |
JonansLab | JonanLab (7) | 2.4 GHz | Kid’s ESP and dev projects |
IOT | Homelab (2) | 2.4 GHz | Smart home gear |
All SSIDs are broadcast from all access points, with band steering enabled to prioritize 5 GHz where available. DFS channels are excluded and the channel plan is manually tuned to avoid interference.
⚙️ Global Switch Settings
- Spanning Tree Protocol: RSTP enabled
- Rogue DHCP Detection: Enabled
- Flow Control: Off
- Jumbo Frames: Disabled
🧠 Design Philosophy
- Segment early, troubleshoot less: Putting IoT, guests, and cameras on their own VLANs keeps them from interfering or listening where they shouldn’t.
- Let DNS be your friend: I use internal.petie.local domains for services like Home Assistant, Frigate, and Grafana, resolved by my homelab DNS.
- Empower safe exploration: JonanLab is a safe playground for my son to experiment with ESP32s, microcontrollers, and Pi-based projects—without risking my production services.
📌 What I’d Still Like to Improve
- Add VLAN-aware DNS rules for context-sensitive resolution
- Move mDNS off public VLAN entirely and tunnel through Home Assistant
- Build out full WireGuard + site-to-site VPN for roaming access
✅ Summary
A well-structured network isn’t just functional—it’s intentional. Every device has a defined role, clear boundaries, and just enough access to do its job. UniFi gives you the tools, but the real value comes from how you design and deploy it.
This setup works well for a hybrid of homelab tinkering, remote work, family use, and experimentation—and with solid backups in place, it’s built to last.