If you want enterprise-grade network infrastructure without an enterprise price tag, Ubiquiti UniFi is the answer most homelab engineers land on eventually. The UniFi ecosystem covers managed switches, wireless access points, gateways, cameras, and access control — all managed from a single, polished web interface called the UniFi Network Application.
I have deployed UniFi gear across my homelab and multiple small business environments. The consistency of the management experience, the quality of the hardware at the price point, and the scalability from a single AP to a multi-site deployment make it a platform worth learning deeply.
The UniFi Ecosystem
UniFi hardware falls into several product lines:
- Gateways — UniFi Dream Machine (UDM), Dream Machine Pro (UDM-Pro), Dream Machine Special Edition (UDM-SE). These are all-in-one devices combining the network controller, gateway/router, and optionally a PoE switch and UniFi Protect NVR.
- Switches — UniFi Lite, Pro, Enterprise, and Aggregation switches. Ranging from 8-port desktop switches to 48-port aggregation units with 10G/25G SFP+ ports.
- Access Points — U6 series (WiFi 6), U7 series (WiFi 7), and the older AC series. Indoor, outdoor, in-wall, and ceiling models available.
- Network Video Recorder — UNVR, integrated into UDM-Pro and UDM-SE for camera recording.
Running the UniFi Network Application
The UniFi Network Application (formerly UniFi Controller) is the software that manages all UniFi network gear. You have three deployment options:
- On a UniFi Gateway (UDM/UDM-Pro) — the application runs built-in. Simplest option, no separate server needed.
- Self-hosted on a VM or container — I run UniFi Network Application on an LXC container on Proxmox. Full control, no subscription, persistent configuration.
- UniFi Cloud Console — Ubiquiti hosts the controller in the cloud. Requires a UI account and ongoing connectivity to their servers.
For a self-hosted deployment on Debian/Ubuntu:
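```bash
# Install UniFi Network Application on Ubuntu 22.04

# Fetch the repository signing key and store it in a dedicated keyring
curl -fsSL https://dl.ui.com/unifi/unifi-repo.gpg | sudo gpg --dearmor -o /usr/share/keyrings/unifi.gpg

# Add the UniFi apt repository, trusted only via that keyring (signed-by)
echo "deb [signed-by=/usr/share/keyrings/unifi.gpg] https://www.ui.com/downloads/unifi/debian stable ubiquiti" | sudo tee /etc/apt/sources.list.d/unifi.list

# Install the package, then start the service now and on every boot
sudo apt update && sudo apt install unifi -y
sudo systemctl enable --now unifi
```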
Access the controller at https://<server-ip>:8443 after installation.
Network Design with VLANs
UniFi makes VLAN segmentation accessible through the UI. Under Settings > Networks, create a new network for each VLAN. Define the VLAN ID, subnet, DHCP range, and any DHCP options (DNS servers, gateway). UniFi automatically handles inter-VLAN routing at the gateway.
My UniFi network layout:
| Network Name | VLAN | Subnet | Purpose |
|---|---|---|---|
| Default | 1 | 192.168.1.0/24 | Management |
| Servers | 10 | 10.10.0.0/24 | VMs, NAS |
| Workstations | 20 | 10.20.0.0/24 | PCs, laptops |
| IoT | 30 | 10.30.0.0/24 | Smart home devices |
| Guest | 50 | 10.50.0.0/24 | Visitor WiFi |
Switch Port Profiles
UniFi switch ports are configured using Port Profiles — predefined sets of VLAN assignments that you apply to one or multiple ports. A profile can be:
- Access — assigns a single VLAN to the port (for end devices)
- Trunk — allows multiple VLANs (for uplinks to other switches or firewalls)
- Custom — mix of native VLAN and tagged VLANs for specific use cases
Creating profiles lets you apply the same consistent configuration to multiple ports across multiple switches with a single click — a major time saver when you are deploying 10+ switches across a building.
WiFi Networks and SSIDs
Under Settings > WiFi, each SSID maps to a network (VLAN). This is where UniFi shines — you can have multiple SSIDs broadcasting from every access point, each isolated to its own VLAN:
- Home — maps to Workstations VLAN 20, WPA3/WPA2 mixed mode
- IoT — maps to IoT VLAN 30, WPA2 only (many IoT devices do not support WPA3)
- Guest — maps to Guest VLAN 50, Guest Portal enabled, bandwidth limited to 25 Mbps down/10 Mbps up
Access points automatically handle 802.11r fast roaming, band steering (pushing capable clients to 5 GHz or 6 GHz), and minimum RSSI thresholds to prevent sticky clients from clinging to a distant AP.
Traffic Management and Firewall Rules
UniFi includes a built-in firewall under Settings > Security > Traffic and Firewall Rules. For VLAN isolation:
- Block IoT VLAN from reaching Workstations and Servers VLANs
- Block Guest VLAN from all internal networks (allow internet only)
- Allow specific cross-VLAN services (e.g., allow Workstations to reach a Plex server on the Servers VLAN)
For advanced firewall work, I pair the UniFi ecosystem with a Sophos or Palo Alto gateway — UniFi handles the switching and WiFi, while the dedicated NGFW handles inspection and inter-VLAN routing at the perimeter.
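To check what the three isolation rules above actually leave open, this added example (not from the original article, and not UniFi's own rule engine) models them as an ordered first-match list over the VLAN table and reports every VLAN pair that is still reachable. It goes beyond the listed rules by testing all pairs. Assumptions: traffic between VLANs is allowed unless a rule blocks it, and the Plex host `10.10.0.20` is a constructed address.

```python
import ipaddress
from itertools import permutations

# VLAN table from the article.
VLANS = {
    "Default": "192.168.1.0/24",
    "Servers": "10.10.0.0/24",
    "Workstations": "10.20.0.0/24",
    "IoT": "10.30.0.0/24",
    "Guest": "10.50.0.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in VLANS.items()}
PLEX = ("10.10.0.20", 32400)  # constructed host; 32400 is Plex's default port

# Ordered rules: (action, source VLAN, destination CIDR, port or None for any).
RULES = [
    ("allow", "Workstations", PLEX[0] + "/32", PLEX[1]),
    ("block", "IoT", VLANS["Workstations"], None),
    ("block", "IoT", VLANS["Servers"], None),
] + [("block", "Guest", cidr, None) for name, cidr in VLANS.items() if name != "Guest"]

DEFAULT_ACTION = "allow"  # assumption: inter-VLAN routing is open unless blocked

def decide(src_vlan, dst_ip, dst_port):
    """Return the action of the first rule that matches, else the default."""
    dst = ipaddress.ip_address(dst_ip)
    for action, rule_src, rule_dst, rule_port in RULES:
        if rule_src != src_vlan:
            continue
        if dst not in ipaddress.ip_network(rule_dst):
            continue
        if rule_port is not None and rule_port != dst_port:
            continue
        return action
    return DEFAULT_ACTION

def open_pairs(port=443):
    """List (src, dst) VLAN pairs where a probe to dst's first host is allowed."""
    pairs = []
    for src, dst in permutations(VLANS, 2):
        probe = str(NETS[dst].network_address + 1)
        if decide(src, probe, port) == "allow":
            pairs.append((src, dst))
    return pairs

if __name__ == "__main__":
    for src, dst in open_pairs():
        print(f"{src} -> {dst} still allowed")
```

Under these assumptions the output includes `IoT -> Default`: the listed rules never mention the management network as a destination for IoT, so it needs its own block rule if IoT devices should not reach it.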
Monitoring and Insights
The UniFi dashboard provides real-time visibility into your network — connected clients, per-client bandwidth, AP radio stats, switch port utilization, and historical traffic graphs. The Client Details view shows every device that has ever connected, with MAC address, hostname, IP history, and total data transferred.
For deeper monitoring, enable DPI (Deep Packet Inspection) under Settings. This gives you per-application bandwidth breakdowns — exactly which applications (Netflix, YouTube, gaming) are consuming your bandwidth, broken down by client. All processing happens locally on the gateway; no data is sent to Ubiquiti.
Tips from Production Deployments
- Use a dedicated management VLAN and set your UniFi devices to only respond on that VLAN. This prevents management traffic from mixing with user traffic.
- Enable auto-updates on a schedule — UniFi firmware updates are frequent and generally high quality. Set auto-update to a maintenance window so devices do not reboot during business hours.
- Set minimum RSSI on APs in dense deployments to prevent client stickiness — I use -75 dBm as my threshold.
- Back up your controller configuration regularly. UniFi Network Application has a built-in auto-backup; make sure it is pointing to a network share, not just the local disk.