
Network Segmentation with Unifi

How I designed my home network around security boundaries and controlled ingress using Unifi networking gear.

Tags: Networking, Unifi, Security, Homelab

When you start self-hosting services, your home network becomes more than just a way to get to the internet. It becomes infrastructure. And infrastructure needs to be designed with security in mind.

The Problem with Flat Networks

Most home networks are flat—every device on the same network can talk to every other device. Your smart TV, your laptop, your server, your IoT thermostat: all neighbors.

This is convenient but risky:

  • A compromised IoT device can scan and attack your other machines
  • Guest devices have the same access as your personal devices
  • There's no isolation between "trusted" and "untrusted" devices

When I started running real services, I knew I needed to think differently about network design.

The Unifi Ecosystem

I run Unifi networking gear: router, switches, and access points. The Unifi controller provides a unified management interface for the entire network, and more importantly, it makes VLAN-based segmentation accessible.

Why Unifi

  • Centralized management: One interface for routing, switching, and wireless
  • VLAN support: Easy network segmentation without enterprise complexity
  • Firewall rules: Control traffic between networks
  • Visibility: Traffic analytics and device tracking

My Network Design

Segmentation Philosophy

I think about my network in terms of trust levels:

  • Trusted: My workstations, phones, devices I control and update
  • Server: Infrastructure that provides services
  • IoT: Smart devices that might be compromised but need network access
  • Guest: Temporary access for visitors

Each trust level maps to its own VLAN with its own subnet, and firewall rules between the VLANs enforce the access appropriate to that level.

Traffic Rules

The firewall rules follow a principle of least privilege:

  • Default deny between segments unless explicitly allowed
  • Servers can't initiate connections to trusted devices (return traffic for sessions I open toward a server is still allowed by the stateful firewall; the rule governs who opens the connection)
  • IoT is isolated from everything except what it needs
  • Guest has internet only, no access to internal resources

Management Access

The router and switch management interfaces are only accessible from specific trusted networks. Even if someone compromises a guest device, they can't reconfigure my network.

Controlled Ingress

For services that need to be accessible from the internet, I apply strict ingress control:

Minimal Exposure

Only the ports that absolutely need to be open are open. Most services are internal-only, accessed via Tailscale when I'm remote.

Origin Allowlisting

For services proxied through a VPS, the WAN rule that exposes the service only accepts connections whose source is the VPS's IP address. This means the public service is visible to the internet, but my home infrastructure isn't: anyone scanning my home address sees the port as closed. The caveat is that the VPS becomes the trust boundary, so whoever compromises it inherits that allowlisted path, and the rule must be updated if the VPS's address ever changes.

As an added example (not code from this post or from Unifi), here is a small Python model of the policy described under Traffic Rules, Management Access and Origin Allowlisting: trust levels mapped to VLAN subnets, a first-match rule list with default deny, management reachable only from the trusted segment, and the exposed service reachable from the WAN only from the VPS address. The subnets, management addresses, VPS address and service ports are assumed values chosen for illustration; `policy_violations()` probes the policy against the properties stated above and returns any that fail.

```python
"""Model of a segmented home network and its inter-VLAN policy.

Added example for this post, not UniFi's rule format or the author's actual
configuration. Subnets, management addresses, the VPS address and the service
ports are assumed values chosen to illustrate the policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# One VLAN subnet per trust level (assumed addresses).
SEGMENTS = {
    "trusted": ip_network("10.0.10.0/24"),
    "server":  ip_network("10.0.20.0/24"),
    "iot":     ip_network("10.0.30.0/24"),
    "guest":   ip_network("10.0.40.0/24"),
}
# Router and switch management interfaces (assumed addresses).
MANAGEMENT = {ip_address("10.0.1.1"), ip_address("10.0.1.2")}
# Public address of the VPS that fronts the exposed service (assumed).
VPS_IP = ip_address("203.0.113.10")
MQTT, HTTPS, SSH = 1883, 443, 22


def segment_of(ip):
    """Trust level of an address: a VLAN name, 'mgmt', or 'internet'."""
    if ip in MANAGEMENT:
        return "mgmt"
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str                              # segment name or "any"
    dst: str                              # segment name or "any"
    action: str                           # "allow" or "deny"
    ports: Optional[frozenset] = None     # None = any destination port
    src_ips: Optional[frozenset] = None   # None = any source address

    def matches(self, src_ip, dst_ip, dst_port):
        return ((self.src == "any" or segment_of(src_ip) == self.src)
                and (self.dst == "any" or segment_of(dst_ip) == self.dst)
                and (self.ports is None or dst_port in self.ports)
                and (self.src_ips is None or src_ip in self.src_ips))


# Evaluated top-down, first match wins; anything unmatched is denied. Only
# connection *initiation* is modelled: return traffic of an allowed session is
# handled by the stateful firewall, so trusted -> server sessions still work
# even though server -> trusted initiation is denied.
POLICY = [
    Rule("trusted", "mgmt", "allow"),          # management only from trusted
    Rule("any", "mgmt", "deny"),
    Rule("trusted", "any", "allow"),           # trusted reaches everything else
    Rule("server", "trusted", "deny"),         # servers never call back to me
    Rule("server", "server", "allow"),
    Rule("server", "internet", "allow"),
    Rule("iot", "server", "allow", ports=frozenset({MQTT})),  # only what it needs
    Rule("iot", "internet", "allow"),
    Rule("guest", "internet", "allow"),        # guest: internet only
    # Origin allowlisting: the exposed service is reachable from the WAN only
    # from the VPS that proxies it, never directly from arbitrary addresses.
    Rule("internet", "server", "allow", ports=frozenset({HTTPS}),
         src_ips=frozenset({VPS_IP})),
]


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a new connection may be initiated (default deny)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in POLICY:
        if rule.matches(src, dst, dst_port):
            return rule.action == "allow"
    return False


def policy_violations():
    """Probe the policy against the properties the post states; returns the
    descriptions of probes whose outcome contradicts them (empty if all hold)."""
    expectations = [
        # (description, src, dst, port, should be allowed?)
        ("trusted -> server ssh",        "10.0.10.5",    "10.0.20.5", SSH,   True),
        ("server -> trusted ssh",        "10.0.20.5",    "10.0.10.5", SSH,   False),
        ("iot -> server mqtt",           "10.0.30.7",    "10.0.20.5", MQTT,  True),
        ("iot -> server ssh",            "10.0.30.7",    "10.0.20.5", SSH,   False),
        ("iot -> trusted https",         "10.0.30.7",    "10.0.10.5", HTTPS, False),
        ("guest -> internet https",      "10.0.40.9",    "1.1.1.1",   HTTPS, True),
        ("guest -> server https",        "10.0.40.9",    "10.0.20.5", HTTPS, False),
        ("guest -> router mgmt https",   "10.0.40.9",    "10.0.1.1",  HTTPS, False),
        ("trusted -> router mgmt https", "10.0.10.5",    "10.0.1.1",  HTTPS, True),
        ("vps -> server https",          "203.0.113.10", "10.0.20.5", HTTPS, True),
        ("stranger -> server https",     "198.51.100.4", "10.0.20.5", HTTPS, False),
    ]
    return [desc for desc, s, d, p, want in expectations
            if is_allowed(s, d, p) != want]


if __name__ == "__main__":
    print("violations:", policy_violations())
```

Running it prints an empty violation list for the rules above; reorder the rules (for example, move the `trusted -> any` allow above the management deny, or drop the `src_ips` restriction on the WAN rule) and the probes name exactly which stated property broke. That is the check worth keeping next to a real rule set: the principles in prose are only as good as the rule order that implements them.
<test>
assert policy_violations() == []
assert is_allowed("10.0.10.5", "10.0.20.5", 22)
assert not is_allowed("10.0.20.5", "10.0.10.5", 22)
assert is_allowed("203.0.113.10", "10.0.20.5", 443)
assert not is_allowed("198.51.100.4", "10.0.20.5", 443)
assert not is_allowed("10.0.40.9", "10.0.1.1", 443)
assert not is_allowed("10.0.30.7", "10.0.30.8", 80)
</test>

Logging and Monitoring

Firewall logs feed into my monitoring stack. I can see what's being blocked, identify scanning attempts, and detect anomalies.
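As an added example (not the author's monitoring stack), the following Python reads iptables-style drop lines in the shape UniFi gateways write to syslog, summarises which rule is doing the blocking, and flags scanning sources with a per-source sliding window over distinct destination ports. The log lines are constructed for this example; the bracketed rule tag and the SRC/DST/PROTO/DPT fields are assumed to appear in that form, and the window size and port threshold are assumed starting values.

```python
"""Drop summary and port-scan detection over firewall logs.

Added example for this post, not the author's monitoring stack. The log lines
are constructed in the iptables-style format UniFi gateways write to syslog;
the bracketed rule tag and the SRC/DST/PROTO/DPT fields are assumed to appear
in this shape.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one WAN scanner, one client retrying 443, and an IoT
# device probing other VLANs (dropped by the inter-VLAN rule).
LOG = """\
Mar 03 02:14:01 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41000 DPT=21 SYN
Mar 03 02:14:02 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41001 DPT=22 SYN
Mar 03 02:14:02 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41002 DPT=23 SYN
Mar 03 02:14:03 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41003 DPT=25 SYN
Mar 03 02:14:04 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=203.0.113.77 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=51234 DPT=443 SYN
Mar 03 02:14:05 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41004 DPT=80 SYN
Mar 03 02:14:05 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41005 DPT=110 SYN
Mar 03 02:14:06 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=203.0.113.77 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=51235 DPT=443 SYN
Mar 03 02:14:06 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41006 DPT=143 SYN
Mar 03 02:14:08 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41007 DPT=443 SYN
Mar 03 02:14:09 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41008 DPT=3389 SYN
Mar 03 02:14:10 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=203.0.113.77 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=51236 DPT=443 SYN
Mar 03 02:14:11 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=41009 DPT=8080 SYN
Mar 03 02:14:30 udm kernel: [WAN_LOCAL-D-2000]IN=eth4 OUT= SRC=203.0.113.77 DST=203.0.113.50 LEN=44 PROTO=TCP SPT=51237 DPT=443 SYN
Mar 03 02:15:00 udm kernel: [LAN_IN-D-4000]IN=br30 OUT=br20 SRC=10.0.30.7 DST=10.0.20.5 LEN=44 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 03 02:15:03 udm kernel: [LAN_IN-D-4000]IN=br30 OUT=br10 SRC=10.0.30.7 DST=10.0.10.5 LEN=44 PROTO=TCP SPT=40002 DPT=445 SYN
"""

LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
                  r"\[(?P<rule>[^\]]+)\]\s*(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Parse one drop line into a dict, or None if it is not a firewall line."""
    m = LINE.match(line)
    if not m:
        return None
    f = dict(KV.findall(m.group("rest")))
    return {
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for the relative comparisons below
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "rule": m.group("rule"), "src": f.get("SRC"), "dst": f.get("DST"),
        "proto": f.get("PROTO"), "dpt": int(f["DPT"]) if "DPT" in f else None,
    }


EVENTS = [e for e in map(parse, LOG.splitlines()) if e]


def blocked_by_rule(events):
    """How many drops each firewall rule produced ('what is being blocked')."""
    return Counter(e["rule"] for e in events)


def find_scanners(events, window=timedelta(seconds=60), min_ports=8):
    """Sources that hit at least min_ports distinct destination ports within
    any window-long span. A sliding window per source catches a burst that
    straddles a minute boundary, while a client retrying one port is ignored.
    Returns {src: max distinct ports seen in one window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:            # ICMP etc. carry no port
            by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window, left = Counter(), 0
        for e in evs:
            in_window[e["dpt"]] += 1
            while e["ts"] - evs[left]["ts"] > window:   # slide the left edge
                in_window[evs[left]["dpt"]] -= 1
                if in_window[evs[left]["dpt"]] == 0:
                    del in_window[evs[left]["dpt"]]
                left += 1
            if len(in_window) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(in_window))
    return scanners


if __name__ == "__main__":
    print("drops by rule:", dict(blocked_by_rule(EVENTS)))
    print("scanners:", find_scanners(EVENTS))
```

On the sample, the WAN rule accounts for fourteen drops and the inter-VLAN rule for two, and only 198.51.100.23 is reported as a scanner (ten distinct ports inside the window); the client retrying 443 and the IoT device touching two ports stay below the threshold. The IoT lines are the more interesting ones in practice: a drop on the LAN_IN rule is a device doing something its segment was never meant to allow, which is exactly the kind of anomaly segmentation makes visible.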

Practical Benefits

This design has paid off multiple times:

Isolation Contains Blast Radius

When I was experimenting with a new service and it misbehaved, it could only affect its own segment. My workstations and other services were unaffected.

Clear Security Posture

I can answer "what's exposed?" quickly. The attack surface is documented and intentional, not accidental.

Safe Experimentation

New devices go on restricted networks first. I can observe their behavior before deciding if they deserve more access.

Lessons Learned

Implementing network segmentation taught me:

  1. Flat networks are a liability - The convenience isn't worth the risk when you're running real services
  2. VLANs aren't just for enterprises - Modern prosumer gear makes segmentation accessible
  3. Default deny is the right starting point - Allow what's needed, not what's convenient
  4. Documentation matters - Future me needs to understand why rules exist

The Ongoing Work

Network design is never done:

  • Regular review of firewall rules to remove stale entries
  • Monitoring for new devices that might appear unexpectedly
  • Updating access as services and requirements change
  • Documenting the topology for disaster recovery

If you're running a homelab, consider your network architecture. The time invested in proper segmentation pays dividends in security, troubleshooting, and peace of mind.