Running HS on a VLAN with Ubiquiti

    #16
    Originally posted by NetworkGuy:
    Thank you, RoChess. Can you tell me what "SPF+" means? I missed asking about it earlier.
    Simplest explanation is that they are universal ports that you slide an adapter in to either connect 10Gbps fiber optic cables to, or copper based ones. This gives full flexibility to what you want to expand with in the future without having to replace primary unit.

    For more details, Google



      #17
      Originally posted by Kerat:
      I love my Unifi products. I have been running a US-24-250w as my PoE switch and a UAP-AC-LITE for the last 3 years. I now run my Unifi controller on an Ubuntu VM on my ESXi host. Originally I had it loaded on an old RPi I had laying around.

      For a firewall I run PFsense. For hardware I have a dual gigabit NIC mini PC based on an Intel i5-5200u (2 core 4 thread 2.2Ghz/2.7Ghz), 8GB of RAM and a 74GB SSD HDD. It is a powerful tool and allows me to run
      DHCP
      DDNS
      local DNS server
      (all public requests are secured through DoT (DNS over TLS) with Cloudflare; DNS requests to other sources are redirected back to my local DNS server and routed over DoT)
      DNS filtering (PFBlockerNG)
      Public IP filtering (PFBLOCKERNG)
      VLANs
      IDS
      CODELQ queuing
      Reverse proxy to handle requests from inside and outside my network.
      VPN support for access to my local network when I am on the public Internet
      VPN private browsing of the public Internet

      At home I have some 44 devices counting:
      Firewall
      ESXi host
      VMServers
      VM NAS
      Old Netgear READYNAS
      IoT HA devices
      Media streamers
      Security cameras
      Smart TVs
      HTPCs
      Network TV Tuners
      PCs
      Laptops
      Tablets
      iPods
      Smartphones
      Console Systems
      on the network, spanning some 7 VLANs. I do this to segregate
      1. untrusted devices that don’t need Internet,
      2. untrusted devices that need Internet access,
      3. devices that need access to a network managed private VPN for browsing,
      4. personal devices,
      5. network management VLAN,
      6. server VLAN.
      7. Storage VLAN.

      While I like the Unifi interface, its primary problem as a monitoring tool is that it is not platform agnostic. I use it for configuration and patch management, but use a different central network monitoring tool to keep track of all my network, server, and storage equipment, which I have tied to my Pushover account for notifications.

      I actually am planning on upgrading my network backbone to 10Gbps from my inside LAN interface on my firewall through my switch and to my ESXi host and primary NAS. I am currently waiting on a US-48-500w, and a pair of HD wireless APs.

      Once I have those I have a few options. I could virtualize my PFsense firewall or I could build a new firewall. My hope is to virtualize my firewall on my ESXi host. My big reason for this is to cut down on total wattage. Currently, I sit at .145 Kilowatts/hour on my network rack. This costs me an additional $13.6 per month to run. While this is easily 6 times more than the average home with a modem and prosumer wireless router, it has no dedicated PoE switch and redundant NAS environments.

      My next purchase will be a Chelsio T520-SO-CR 10Gbps SFP+ NIC. I will install it on my ESXi home server and virtualize my PFsense firewall on it and adjust my network topology to make it the core firewall. Since my WAN will still be limited to 1 Gbps I will use the onboard Intel i210 NIC for my WAN port.


      Sent from my iPhone using Tapatalk
      I'm just curious? How come you use pfSense vs unifi's firewall capabilities?



        #18
        Originally posted by Tomgru:

        I'm just curious? How come you use pfSense vs unifi's firewall capabilities?
        A lot of this is preference. You can do almost anything you want in PFsense, and the USG. In PFsense the configuration is completely up to you. I have used and learned Cisco ASA, USG, and PFsense/netgate, and Sonicwall firewalls in both homelab and while consulting/working. So, I was pretty comfortable with their terminal interfaces as well as their GUIs.

        Here, at the time I was in the market to replace my old home router (prosumer router with a custom firmware), I was in love with my new Unifi AP. I considered the Unifi USG product but determined I could build a PFsense system from a mini PC for less (I paid $260 for the hardware on my PFsense build and could support close to gigabit throughput with all the features I wanted turned on).

        Aside from network features I wanted simplified device management, patching, configuration backups, and network monitoring (throughput (WAN, internal VLANs), network equipment monitoring (up/down/uptime), security related reports (top talkers, firewall inbound/outbound blocked events, out-of-normal traffic (TOD, total throughput, etc.), IDS events, DNSBL/blocked public IP hits/additions, remote access request source IP)). The Unifi controller does a great job of handling device management and patching. I use a different system for monitoring because I want some reporting that I wasn't able to find in the Unifi controller GUI.

        The next firewall I want to learn is Fortinet.


        Sent from my iPhone using Tapatalk



          #19
          Originally posted by srodgers:
          Yes, I have a Ubiquiti ER-POE5 router and an Edge Switch 24 POE 250W.

          I have several VLANs configured and found this excellent guide that I followed and tailored to my setup.

          I have a VLAN for IP security cameras and Blue Iris VMS. VLAN keeps camera isolated but accessible by Blue Iris and HS.

          https://www.handymanhowto.com/ubiqui...etwork-design/
          How are you keeping the cameras isolated if you're allowing HS access? I'm in the process of trying to do the same thing, but if I have to allow packets from the cameras to the HS server, how is that protecting my server from something rogue on the camera VLAN?



            #20
            Originally posted by weslsew:

            How are you keeping the cameras isolated if you're allowing HS access? I'm in the process of trying to do the same thing, but if I have to allow packets from the cameras to the HS server, how is that protecting my server from something rogue on the camera VLAN?
            I've configured mine so only established and related traffic is allowed from camera vlan to the vlan where HS resides. New traffic is dropped. That way HS has to initiate the connection.
            -Wade



              #21
              Originally posted by cc4005:

              I've configured mine so only established and related traffic is allowed from camera vlan to the vlan where HS resides. New traffic is dropped. That way HS has to initiate the connection.
              That makes sense. How do you do that?



                #22
                Originally posted by weslsew:

                That makes sense. How do you do that?
                Are you asking specifically about doing it in UniFi Controller? In general terms, it's 2 LAN IN rules:
                1. Allow all established and related traffic from camera vlan to secure vlan;
                2. Drop all traffic from camera vlan to secure vlan.

                Since rules are applied in order, this effectively means allow established/related and block everything else.
                -Wade



                  #23
                  Originally posted by cc4005:

                  Are you asking specifically about doing it in UniFi Controller? In general terms, it's 2 LAN IN rules:
                  1. Allow all established and related traffic from camera vlan to secure vlan;
                  2. Drop all traffic from camera vlan to secure vlan.

                  Since rules are applied in order, this effectively means allow established/related and block everything else.
                  I'm using HPE equipment but I just learned that there is an established rule:

                  permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established

                  seems to be working, thanks!

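Wade's two-rule pattern from #22, and the "HS has to initiate" behaviour from #20, as an added simulation (not code from the thread or from UniFi/EdgeOS): a tiny connection tracker plus an ordered LAN IN rule set, with constructed subnets standing in for the camera and secure VLANs. It models only established (tracked) flows, not the separate "related" state, and does not model the HPE ACL from #23.

```python
from ipaddress import ip_address, ip_network

# Constructed example subnets; the thread does not give real addresses.
CAMERA_VLAN = ip_network("10.0.20.0/24")   # cameras
SECURE_VLAN = ip_network("10.0.10.0/24")   # HomeSeer (HS) lives here


class StatefulFirewall:
    """Hypothetical helper: a minimal connection tracker plus ordered LAN IN rules."""

    def __init__(self):
        # 4-tuples (src_ip, sport, dst_ip, dport) of flows that were accepted when new
        self.flows = set()

    def conn_state(self, src, sport, dst, dport):
        """'established' if this packet belongs to a tracked flow in either direction."""
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        return "established" if forward in self.flows or reverse in self.flows else "new"

    def lan_in(self, src, sport, dst, dport):
        """Evaluate one packet entering the router from a LAN; rules apply in order."""
        state = self.conn_state(src, sport, dst, dport)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip in CAMERA_VLAN and dst_ip in SECURE_VLAN:
            # Rule 1: allow established/related from camera VLAN to secure VLAN.
            if state == "established":
                return "accept"
            # Rule 2: drop everything else from camera VLAN to secure VLAN.
            return "drop"
        # Default LAN IN policy for all other traffic: accept, and start tracking
        # the flow so its replies match rule 1 on the way back.
        if state == "new":
            self.flows.add((src, sport, dst, dport))
        return "accept"


def demo():
    """HS pulls RTSP from a camera; the camera tries to reach HS on its own."""
    fw = StatefulFirewall()
    return [
        fw.lan_in("10.0.20.5", 40000, "10.0.10.2", 80),    # camera -> HS, new: drop
        fw.lan_in("10.0.10.2", 51000, "10.0.20.5", 554),   # HS -> camera, new: accept
        fw.lan_in("10.0.20.5", 554, "10.0.10.2", 51000),   # camera reply: established
        fw.lan_in("10.0.20.5", 40001, "10.0.10.2", 22),    # camera -> HS, new: drop
    ]


if __name__ == "__main__":
    print(demo())  # ['drop', 'accept', 'accept', 'drop']
```

Note that the HPE `established` keyword in #23 is a stateless match on TCP flags (ACK or RST set), so it covers only TCP and does not give the same protection for UDP streams that a tracked-connection rule does.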


                    #24
                    Originally posted by RoChess:

                    Simplest explanation is that they are universal ports that you slide an adapter in to either connect 10Gbps fiber optic cables to, or copper based ones. This gives full flexibility to what you want to expand with in the future without having to replace primary unit.

                    For more details, Google
                    Thanks, that explanation helps a lot. I am a bit familiar with connectors to add compatible hardware/technologies. I just don't recall hearing the ports called SPF or SPF+.

                    New question. Found a Ubiquiti wireless device. Wondering if it makes sense to pick one up now or wait if a newer version is coming out. There are two models available (same?):

                    UAP-AC-PRO-US
                    --or--
                    UAP-AC-PRO

                    Price is $120

                    Can you tell me if this access point is being updated and is this a good price?



                      #25
                      The UAP-AC-PRO-US is locked to only support channels 1-11 per FCC bands available for official 2.4GHz usage in the USA. The other model has the same range, but also allows European bands 12-14 if memory serves me. I've used channel 14 once when the street was just crowded with WiFi routers and devices kept channel hopping, but it is in violation of FCC rules, so that is your call.

                      Those are still the latest versions and no Early Access replacements announced, so you would be good to go on those.

                      Ubiquiti will update firmwares as needed, but eventually that will end obviously, but then you also reach a point that if it ain't broke, don't fix it.



                        #26
                        Originally posted by RoChess:
                        The UAP-AC-PRO-US is locked to only support channels 1-11 per FCC bands available for official 2.4GHz usage in the USA. The other model has the same range, but also allows European bands 12-14 if memory serves me. I've used channel 14 once when the street was just crowded with WiFi routers and devices kept channel hopping, but it is in violation of FCC rules, so that is your call.

                        Those are still the latest versions and no Early Access replacements announced, so you would be good to go on those.

                        Ubiquiti will update firmwares as needed, but eventually that will end obviously, but then you also reach a point that if it ain't broke, don't fix it.
                        Cool, thank you! Appreciate all the information!
