Enterprise Home Lab — Ubiquiti UniFi Network Architecture
This project documents the design, deployment, and ongoing administration of an enterprise-grade network infrastructure running within a residential environment in Sydney. Using Ubiquiti's UniFi ecosystem as the hardware backbone, the lab implements the same network segmentation, security posture, and RF engineering principles found in commercial deployments — at a scale that allows for genuine experimentation and learning.
This is not a consumer setup with default configurations. Every design decision has been made deliberately, tested against real-world failure modes, and documented as part of a broader effort to develop practical network engineering skills alongside formal study.
Hardware Stack
Routing & Switching
- UCG Fiber: Ubiquiti's UniFi Cloud Gateway Fiber handles all routing, DNS, DHCP and firewall processing and runs the UniFi Network application that manages the rest of the stack. It is the network's policy-enforcement point: every packet that crosses a VLAN boundary is routed, and therefore filtered, here.
- US-48-500W PoE Switch: 48-port managed switch providing 500W total Power-over-Ethernet budget, supplying power to all access points and networked devices without separate power adapters.
Wireless Infrastructure
- U6 Pro Access Points: Multiple Ubiquiti U6 Pro APs positioned throughout the building, operating across both 2.4 GHz and 5 GHz bands. The U6 Pro's high-density design and wide coverage characteristics are well-suited to the physical challenges of the environment (see RF Engineering section below).
Storage & Compute
- TrueNAS Bare-Metal Server: Dedicated storage server running TrueNAS, providing centralised network-attached storage for media, backups, and service data.
- Docker Containerisation: Application services running on the TrueNAS server are containerised using Docker, isolating individual services and simplifying dependency management and updates.
Network Segmentation — 802.1Q VLAN Architecture
The network is divided into isolated Layer 2 segments using 802.1Q VLAN tagging. Each segment has a defined security profile and access policy.
VLAN Structure (illustrative):
- Management — Network infrastructure devices. Strict isolation; no cross-segment access.
- Trusted LAN — Primary computers and servers. Full inter-VLAN routing where required.
- IoT — Smart home devices and sensors. Isolated; no LAN access.
- Guest — Visitor Wi-Fi. Internet-only; no LAN access.
- Servers — TrueNAS, Docker services. Restricted inbound; controlled outbound.
VLANs only separate Layer 2; the isolation is only as strong as the firewall policy applied where the segments are routed together on the gateway. With that policy in place, a compromised IoT device has no path to the trusted LAN other than the specific flows the firewall permits, which is considerably more than the single guest network most consumer routers offer.
Firewall Architecture — Stateful Traffic Rules
The UCG Fiber's firewall is configured with explicit, stateful rules evaluated top-down, first match wins, in three LAN chains: LAN In (traffic arriving from a LAN segment, which is where inter-VLAN policy lives), LAN Out (traffic leaving towards a LAN segment) and LAN Local (traffic addressed to the gateway itself).
Design principles:
- Default deny: All cross-segment traffic is dropped unless explicitly permitted. UniFi's built-in LAN rules allow traffic by default, so the deny is an explicit drop-all rule placed last in the chain, with every permit ordered above it
- Discovery isolation: mDNS (Apple's Bonjour is its implementation) and SSDP are link-local multicast and do not cross a routed VLAN boundary on their own. The mDNS reflector is enabled only for the segments that need it, and firewall rules drop reflected discovery traffic elsewhere, so IoT devices are not advertised on the trusted LAN
- Service-specific permits: Required cross-segment flows (e.g., the HomeKit controller reaching IoT devices) are permitted per service and per port, written in the initiating direction only; because the firewall is stateful, reply traffic is matched by connection state rather than by a second rule
- Local chain hardening: The gateway's own services (management UI, SSH) are blocked from the IoT and guest segments, which still reach it for the DNS and DHCP it serves them
This approach means every permitted traffic flow is a conscious decision, not a default allowance that was never reviewed.
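As an added example, not an export from the gateway or the author's configuration, the following Python models that policy for the segments listed above: first-match evaluation in the LAN In and LAN Local chains, stateful acceptance of reply traffic, and a check that default deny really is enforced by a final drop rule rather than assumed. The subnets, gateway addresses, rule names and service ports (9999 for TP-Link Kasa devices, 51826 for Homebridge, 443/445 for TrueNAS, 22/443 for management) are assumptions chosen for illustration.

```python
"""First-match model of the inter-VLAN policy described above, with a check that
default deny actually holds. Added example, not a UCG Fiber export: the subnets,
rule names and service ports are assumptions chosen to illustrate the design."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the segments in the VLAN Structure section.
SEGMENTS = {
    "management": ip_network("10.0.10.0/24"),
    "trusted": ip_network("10.0.20.0/24"),
    "iot": ip_network("10.0.30.0/24"),
    "guest": ip_network("10.0.40.0/24"),
    "servers": ip_network("10.0.50.0/24"),
}
# The gateway holds the first address of every segment (assumption).
GATEWAY_IPS = {str(next(net.hosts())) for net in SEGMENTS.values()}


@dataclass(frozen=True)
class Rule:
    name: str
    chain: str                          # "lan_in": routed between segments; "local": to the gateway
    action: str                         # "accept" or "drop"
    src: Optional[str] = None           # source segment, None = any
    dst: Optional[str] = None           # destination segment, None = any (unused in "local")
    proto: Optional[str] = None         # "tcp" / "udp", None = any
    dports: frozenset = frozenset()     # destination ports, empty = any
    established: Optional[bool] = None  # True = reply traffic only, None = any state


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    established: bool = False           # True for packets of an existing connection


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")


def chain_for(flow: Flow) -> str:
    return "local" if flow.dst_ip in GATEWAY_IPS else "lan_in"


def matches(rule: Rule, flow: Flow) -> bool:
    return not (
        (rule.src and rule.src != segment_of(flow.src_ip))
        or (rule.chain == "lan_in" and rule.dst and rule.dst != segment_of(flow.dst_ip))
        or (rule.proto and rule.proto != flow.proto)
        or (rule.dports and flow.dport not in rule.dports)
        or (rule.established is not None and rule.established != flow.established)
    )


def evaluate(rules, flow: Flow):
    """Return (verdict, matching rule name). First match wins, as on the gateway."""
    chain = chain_for(flow)
    if chain == "lan_in" and segment_of(flow.src_ip) == segment_of(flow.dst_ip):
        return "switched", "same VLAN, never reaches the firewall"
    for rule in rules:
        if rule.chain == chain and matches(rule, flow):
            return rule.action, rule.name
    # UniFi's built-in LAN In / LAN Local rules allow traffic when nothing else matches,
    # so "default deny" has to be an explicit final drop rule, not an assumption.
    return "accept", "built-in default (allow)"


def P(*ports):
    return frozenset(ports)


POLICY = [
    Rule("Allow reply traffic", "lan_in", "accept", established=True),
    Rule("Allow reply traffic to gateway", "local", "accept", established=True),
    # Service-specific permits; the ports are illustrative assumptions.
    Rule("Homebridge on Servers to TP-Link devices on IoT", "lan_in", "accept",
         src="servers", dst="iot", proto="tcp", dports=P(9999)),
    Rule("Trusted LAN to TrueNAS and Homebridge", "lan_in", "accept",
         src="trusted", dst="servers", proto="tcp", dports=P(443, 445, 51826)),
    Rule("Trusted LAN admin to Management", "lan_in", "accept",
         src="trusted", dst="management", proto="tcp", dports=P(22, 443)),
    Rule("Drop all other inter-VLAN traffic", "lan_in", "drop"),
    # Local chain: every segment needs DNS from the gateway; only Trusted reaches the admin UI.
    Rule("Any segment: DNS to gateway", "local", "accept", proto="udp", dports=P(53)),
    Rule("Trusted LAN to gateway admin UI", "local", "accept", src="trusted", proto="tcp", dports=P(443)),
    Rule("Drop everything else aimed at the gateway", "local", "drop"),
]


def verify_default_deny(rules) -> dict:
    """True for a chain only if its last rule is an unconditional drop."""
    result = {}
    for chain in ("lan_in", "local"):
        last = [r for r in rules if r.chain == chain][-1:]
        result[chain] = bool(last) and last[0].action == "drop" and not any(
            [last[0].src, last[0].dst, last[0].proto, last[0].dports]) and last[0].established is None
    return result


if __name__ == "__main__":
    for f in [Flow("10.0.30.10", "10.0.20.10", "tcp", 445),      # IoT probing the trusted LAN
              Flow("10.0.50.10", "10.0.30.10", "tcp", 9999),     # Homebridge to a Kasa plug
              Flow("10.0.30.10", "10.0.30.1", "tcp", 443)]:      # IoT device poking the gateway UI
        print(f, "->", evaluate(POLICY, f))
    print(verify_default_deny(POLICY))
```

The value of the model is the `verify_default_deny` check: delete the final drop from the LAN In list and the IoT-to-trusted probe silently flips to the gateway's built-in allow, which is exactly the unreviewed default allowance the design is meant to rule out.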
RF Engineering — Dense Construction Challenges
The physical environment presents real RF engineering challenges: Australian double-brick construction attenuates signal heavily, particularly on the 5 GHz band, and the density of neighbouring networks creates severe Co-Channel Interference (CCI) on 2.4 GHz.
2.4 GHz Optimisation
- Channel width: Enforced HT20 (20 MHz) channel widths across all 2.4 GHz radios. The band has only three non-overlapping 20 MHz channels, and a 40 MHz channel occupies two of them: wider channels increase throughput in ideal conditions but dramatically worsen CCI in dense environments, so the trade-off is not worth it here.
- Channel assignment: Manual non-overlapping channel assignment (1, 6, 11) across APs, so the lab's own radios never share a channel with an adjacent AP. Neighbouring networks still share those channels; this removes self-inflicted interference, not the neighbours'.
- Tx power balancing: Manual transmit power tuning in dBm rather than relying on automatic power control. Over-powered APs create asymmetric coverage cells: a client at the edge still hears the AP, but its own lower-power radio cannot be heard back, and it then makes poor roaming decisions.
5 GHz Optimisation
- Legacy rate disabling: The minimum data rate on 5 GHz is raised so that beacons and management frames are no longer sent at the slowest 802.11a OFDM rates. Legacy clients that depend on those rates are excluded, and the airtime the slow frames consumed is freed for modern clients.
- Roaming enforcement: Minimum RSSI thresholds configured so an AP drops a client whose signal has fallen below the threshold, rather than letting it "stick" to a distant AP when a closer one is available. The threshold is chosen from measured overlap between cells; set too aggressively, it disconnects clients in spots where no other AP is stronger.
- dBm balancing: Cell size tuned to match the physical coverage requirement without creating excessive overlap, which would otherwise put adjacent APs in each other's way.
The result is reliable wireless connectivity throughout the building, with clients roaming seamlessly between APs as they move through different rooms.
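The interaction between Tx power, wall loss and the minimum-RSSI threshold can be estimated before touching the radios. The following Python is an added example, not measurements or configuration from this site: it uses a log-distance path-loss model with assumed per-wall attenuation figures, an assumed path-loss exponent and assumed AP transmit powers to compute cell radius per band, the uplink asymmetry that over-powered APs create, and whether two APs leave a gap between them where both fall below the threshold.

```python
"""Cell-size and roaming-threshold estimate for the Tx power / minimum-RSSI tuning
described above. Added example, not measurements from this site: the wall-loss
figures, path-loss exponent and AP placements are all assumptions."""
import math

# Assumed per-wall attenuation in dB by band (planning figures, not measured values).
WALL_LOSS_DB = {
    "plasterboard": {2.4: 3.0, 5.0: 4.0},
    "double_brick": {2.4: 10.0, 5.0: 15.0},
}
PATH_LOSS_EXPONENT = 3.0  # assumed indoor value; free space would be 2.0


def path_loss_db(distance_m: float, band_ghz: float, walls=()) -> float:
    """Log-distance path loss: free-space loss at 1 m, plus 10*n*log10(d), plus walls."""
    fspl_1m = 20 * math.log10(band_ghz * 1000) - 27.55   # FSPL in dB at 1 m, frequency in MHz
    wall_loss = sum(WALL_LOSS_DB[w][band_ghz] for w in walls)
    return fspl_1m + 10 * PATH_LOSS_EXPONENT * math.log10(max(distance_m, 1.0)) + wall_loss


def rssi_dbm(tx_dbm: float, distance_m: float, band_ghz: float, walls=()) -> float:
    # Antenna gains at both ends are assumed to net out to 0 dB.
    return tx_dbm - path_loss_db(distance_m, band_ghz, walls)


def cell_radius_m(tx_dbm: float, band_ghz: float, min_rssi_dbm: float, walls=()) -> float:
    """Distance at which RSSI falls to the minimum-RSSI threshold, i.e. where the AP drops the client."""
    budget = tx_dbm - min_rssi_dbm - path_loss_db(1.0, band_ghz, walls)
    return 10 ** (budget / (10 * PATH_LOSS_EXPONENT))


def uplink_rssi_at_edge(ap_tx_dbm: float, client_tx_dbm: float, min_rssi_dbm: float) -> float:
    """Signal the AP hears from a client standing at the downlink cell edge. Path loss is
    symmetric, so a 23 dBm AP serving a 15 dBm phone hears the phone 8 dB weaker than
    the phone hears the AP: the asymmetric cell the Tx power bullet describes."""
    return min_rssi_dbm - (ap_tx_dbm - client_tx_dbm)


def roaming_coverage(tx_a, tx_b, separation_m, walls_between, band_ghz, min_rssi_dbm, step=0.1):
    """Walk a client along the line from AP A (x=0) to AP B (x=separation) and report the
    weakest point of the best available AP. walls_between is a list of (position_m, wall_type).
    Returns (position, rssi, ok): ok is False if some spot is below threshold on both APs."""
    worst_x, worst_rssi = 0.0, math.inf
    for i in range(int(separation_m / step) + 1):
        x = i * step
        walls_a = [w for pos, w in walls_between if pos < x]   # walls between client and A
        walls_b = [w for pos, w in walls_between if pos > x]   # walls between client and B
        best = max(rssi_dbm(tx_a, x, band_ghz, walls_a),
                   rssi_dbm(tx_b, separation_m - x, band_ghz, walls_b))
        if best < worst_rssi:
            worst_x, worst_rssi = x, best
    return worst_x, round(worst_rssi, 1), worst_rssi >= min_rssi_dbm


if __name__ == "__main__":
    # Two 5 GHz radios at 17 dBm (assumed), one double-brick wall midway, minimum RSSI -75 dBm.
    print("5 GHz radius, open air:", round(cell_radius_m(17, 5.0, -75), 1), "m")
    print("5 GHz radius through one double-brick wall:", round(cell_radius_m(17, 5.0, -75, ("double_brick",)), 1), "m")
    print("2.4 GHz radius through one double-brick wall:", round(cell_radius_m(17, 2.4, -75, ("double_brick",)), 1), "m")
    print("Uplink at cell edge, 23 dBm AP vs 15 dBm phone:", uplink_rssi_at_edge(23, 15, -75), "dBm")
    print("APs 12 m apart:", roaming_coverage(17, 17, 12, [(6, "double_brick")], 5.0, -75))
    print("APs 80 m apart:", roaming_coverage(17, 17, 80, [(40, "double_brick")], 5.0, -75))
```

Run it with your own wall-loss figures: the 5 GHz radius shrinks by roughly two thirds behind a single double-brick wall under these assumptions, which is why the minimum-RSSI threshold has to be set from the measured overlap of the actual cells rather than from the open-air number.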
Docker Service Architecture
Running containerised services on the TrueNAS server provides several advantages:
- Service isolation: Each application (media server, network monitoring, home automation, etc.) runs in its own container with defined resource limits
- Reproducibility: Container definitions mean services can be rebuilt from scratch rapidly after hardware failures
- Network control: Bridge networking keeps a service behind the TrueNAS host's address and exposes only the ports it publishes, while macvlan on a VLAN-tagged parent interface gives a container its own address on a chosen segment, so the gateway's firewall rules apply to it like any other host on that VLAN
- Update management: Containers can be updated individually without risking other service stability
Smart Home Integration Challenges
One of the more technically interesting challenges has been maintaining local smart home control across VLAN boundaries. See the related case study on Homebridge VLAN integration for the full technical detail.
In summary: the discovery mechanisms involved (mDNS/Bonjour, and the UDP broadcast discovery that TP-Link's Kasa and Tapo devices use before switching to their encrypted KLAP transport) are link-local, and therefore subnet-scoped. Making them work across VLANs requires a combination of mDNS reflection, explicit JSON payload configuration in Homebridge, and direct IP binding, bypassing the automatic discovery mechanisms entirely.
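To show what direct IP binding replaces, the following Python is an added example, not code from the Homebridge case study or from any plugin: it builds a constructed DNS-SD announcement for a HomeKit accessory, parses it the way a reflector or controller would, and resolves PTR -> SRV -> A into a static host/port entry that can be configured by hand. The accessory name, its IoT-VLAN address and its port are assumptions, and the parser caps compression-pointer hops so a malformed packet cannot make it loop.

```python
"""Parse a DNS-SD (mDNS) service announcement and turn it into a static host/port
binding. Added example, not code from the Homebridge case study: the packet below
is constructed, and the accessory name, IP and port are assumptions."""
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_rr(name: str, rtype: int, rdata: bytes, ttl: int = 120) -> bytes:
    # mDNS authoritative answers set the cache-flush bit (0x8000) on the class field.
    return encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def build_announcement(instance, service, host, ip, port, txt):
    """Constructed unsolicited response: PTR -> SRV/TXT -> A, as an accessory would send."""
    fqdn_instance = f"{instance}.{service}"
    answers = [
        build_rr(service, TYPE_PTR, encode_name(fqdn_instance)),
        build_rr(fqdn_instance, TYPE_SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host)),
        build_rr(fqdn_instance, TYPE_TXT, b"".join(bytes([len(kv)]) + kv.encode() for kv in txt)),
        build_rr(host, TYPE_A, bytes(int(o) for o in ip.split("."))),
    ]
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(answers), 0, 0)  # QR=1, AA=1, no questions
    return header + b"".join(answers)


def read_name(buf: bytes, off: int, _hops: int = 0):
    """Decode a possibly compressed name; returns (name, offset just past it in the record)."""
    labels, end = [], None
    while True:
        if _hops > 16:
            raise ValueError("compression pointer loop")   # hostile or corrupt packet
        ln = buf[off]
        if ln & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            _hops += 1
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("utf-8"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def txt_pairs(rdata: bytes) -> dict:
    out, i = {}, 0
    while i < len(rdata):
        ln = rdata[i]
        item = rdata[i + 1:i + 1 + ln].decode("utf-8")
        i += 1 + ln
        k, _, v = item.partition("=")
        out[k] = v
    return out


def parse_answers(buf: bytes):
    """Return [(name, type, value)] for every resource record in the packet."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):                      # skip the question section if present
        _, off = read_name(buf, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        if rtype == TYPE_PTR:
            value = read_name(buf, off)[0]
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack_from("!HHH", rdata)
            value = (port, read_name(buf, off + 6)[0])
        elif rtype == TYPE_TXT:
            value = txt_pairs(rdata)
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        records.append((name.lower(), rtype, value))
        off += rdlen
    return records


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_answers(buf)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def static_bindings(records) -> dict:
    """Resolve PTR -> SRV -> A so a controller can be pointed at the device by IP and port."""
    srv = {n: v for n, t, v in records if t == TYPE_SRV}
    a = {n: v for n, t, v in records if t == TYPE_A}
    txt = {n: v for n, t, v in records if t == TYPE_TXT}
    out = {}
    for _n, t, v in records:
        if t != TYPE_PTR or v.lower() not in srv:
            continue
        port, target = srv[v.lower()]
        out[v] = {"host": a.get(target.lower()), "port": port, "txt": txt.get(v.lower(), {})}
    return out


# Constructed announcement for a hypothetical HAP accessory on the IoT VLAN (all values assumed).
SAMPLE = build_announcement(
    instance="Lounge Lamp", service="_hap._tcp.local", host="lounge-lamp.local",
    ip="10.0.30.21", port=51826, txt=["id=AA:BB:CC:DD:EE:FF", "md=LoungeLamp", "c#=3"],
)
# One record whose name is a compression pointer to itself: must be rejected, not spun on.
LOOP_SAMPLE = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0) + b"\xc0\x0c"

if __name__ == "__main__":
    print(static_bindings(parse_answers(SAMPLE)))
    print("loop packet well formed:", is_well_formed(LOOP_SAMPLE))
```

The `host`/`port` pair that comes out is the only thing discovery was ever going to give the controller; recording it once and binding to it directly is what removes the dependency on the reflector, at the cost of a config update whenever the device's DHCP reservation changes.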
Skills Developed
This project has provided hands-on experience with:
- Enterprise networking concepts: VLAN design, inter-VLAN routing, stateful firewall design
- RF engineering: Practical application of interference mitigation, channel planning, and coverage optimisation in challenging physical environments
- Linux systems administration: TrueNAS management, Docker operations, service configuration
- Security architecture: Threat modelling for home IoT environments, network segmentation as a security control
- Documentation: Maintaining accurate network diagrams and configuration records
Why This Matters
Building and operating this infrastructure alongside formal Computer Science study has fundamentally changed how I approach networking and security problems. The gap between understanding a concept in a lecture and actually debugging why a firewall rule isn't working as expected is enormous — and bridging that gap requires exactly this kind of hands-on work.
The lab continues to evolve. New services get added, security configurations get hardened, and every change is an opportunity to learn something the textbook doesn't cover.