This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Ubiquiti Dream Machine Pro Analysis

Comprehensive analysis of the Ubiquiti Dream Machine Pro capabilities, focusing on network boot (PXE) support and infrastructure integration.

Overview

The Ubiquiti Dream Machine Pro (UDM Pro) is an all-in-one network gateway, router, and switch designed for enterprise and advanced home lab environments. This analysis focuses on its capabilities relevant to infrastructure automation and network boot scenarios.

Key Specifications

Hardware

  • Processor: Quad-core ARM Cortex-A57 @ 1.7 GHz
  • RAM: 4GB DDR4
  • Storage: 128GB eMMC (for UniFi OS, applications, and logs)
  • Network Interfaces:
    • 1x WAN port (RJ45, SFP, or SFP+)
    • 8x LAN ports (1 Gbps RJ45, configurable)
    • 1x SFP+ port (10 Gbps)
    • 1x SFP port (1 Gbps)
  • Additional Features:
    • 3.5" SATA HDD bay (for UniFi Protect surveillance)
    • IDS/IPS engine
    • Deep packet inspection
    • Built-in UniFi Network Controller

Software

  • OS: UniFi OS (Linux-based)
  • Controller: Built-in UniFi Network Controller
  • Services: DHCP, DNS, routing, firewall, VPN (site-to-site and remote access)

Network Boot (PXE) Support

Native DHCP PXE Capabilities

The UDM Pro provides basic PXE boot support through its DHCP server:

Supported:

  • DHCP Option 66 (next-server / TFTP server address)
  • DHCP Option 67 (filename / boot file name)
  • Basic single-architecture PXE booting

Configuration via UniFi Controller:

  1. Navigate to SettingsNetworks → Select your network
  2. Scroll to DHCP section
  3. Enable DHCP
  4. Under Advanced DHCP Options:
    • TFTP Server: IP address of your TFTP/PXE server (e.g., 192.168.42.16)
    • Boot Filename: Name of the bootloader file (e.g., pxelinux.0 for BIOS or bootx64.efi for UEFI)

Limitations:

  • No multi-architecture support: Cannot differentiate boot files based on client architecture (BIOS vs. UEFI, x86_64 vs. ARM64)
  • No conditional DHCP options: Cannot vary filename or next-server based on client characteristics
  • Fixed boot parameters: One boot configuration for all PXE clients
  • Single bootloader only: Must choose either BIOS or UEFI bootloader, not both

Use Cases:

  • ✅ Homogeneous environments (all BIOS or all UEFI)
  • ✅ Single OS deployment scenarios
  • ✅ Simple provisioning workflows
  • ❌ Mixed BIOS/UEFI environments (requires external DHCP server with conditional logic)

Network Segmentation & VLANs

The UDM Pro excels at network segmentation, critical for infrastructure isolation:

  • VLAN Support: Native 802.1Q tagging
  • Firewall Rules: Inter-VLAN routing with granular firewall policies
  • Network Isolation: Can create fully isolated networks or controlled inter-network traffic
  • Use Cases for Infrastructure:
    • Management VLAN (for PXE/provisioning)
    • Production VLAN (workloads)
    • IoT/OT VLAN (isolated devices)
    • DMZ (exposed services)

VPN Capabilities

Site-to-Site VPN

  • Protocols: IPsec, WireGuard (experimental)
  • Use Case: Connect home lab to cloud infrastructure (GCP, AWS, Azure)
  • Performance: Hardware-accelerated encryption on UDM Pro

Remote Access VPN

  • Protocols: L2TP, OpenVPN
  • Use Case: Remote administration of home lab infrastructure
  • Integration: Can work with Cloudflare Access for additional security layer

IDS/IPS Engine

  • Technology: Suricata-based
  • Capabilities:
    • Intrusion detection
    • Intrusion prevention (can drop malicious traffic)
    • Threat signatures updated via UniFi
  • Performance Impact: Can affect throughput on high-bandwidth connections
  • Recommendation: Enable for security-sensitive infrastructure segments

DNS & DHCP Services

DNS

  • Local DNS: Can act as caching DNS resolver
  • Custom DNS Records: Limited to UniFi controller hostname
  • Recommendation: Use external DNS (Pi-hole, Bind9) for advanced features like split-horizon DNS

DHCP

  • Static Leases: Supports MAC-based static IP assignments
  • DHCP Options: Can configure common options (NTP, DNS, domain name)
  • Reservations: Per-client reservations via GUI
  • PXE Options: Basic Option 66/67 support (as noted above)

Integration with Infrastructure-as-Code

UniFi Network API

  • REST API: Available for configuration automation
  • Python Libraries: pyunifi and others for programmatic access
  • Use Cases:
    • Terraform provider for network state management
    • Ansible modules for configuration automation
    • CI/CD integration for network-as-code

Terraform Provider

  • Provider: paultyng/unifi
  • Capabilities: Manage networks, firewall rules, port forwarding, DHCP settings
  • Limitations: Not all UI features exposed via API

Configuration Persistence

  • Backup/Restore: JSON-based configuration export
  • Version Control: Can track config changes in Git
  • Recovery: Auto-backup to cloud (optional)

Performance Characteristics

Throughput

  • Routing/NAT: ~3.5 Gbps (without IDS/IPS)
  • IDS/IPS Enabled: ~850 Mbps - 1 Gbps
  • VPN (IPsec): ~1 Gbps
  • Inter-VLAN Routing: Wire speed (8 Gbps backplane)

Scalability

  • Concurrent Devices: 500+ clients tested
  • VLANs: Up to 32 networks/VLANs
  • Firewall Rules: Thousands (performance depends on complexity)
  • DHCP Leases: Supports large pools efficiently

Comparison to Alternatives

FeatureUDM PropfSenseOPNsenseMikroTik
Basic PXE
Conditional DHCP
All-in-oneVaries
GUI Ease-of-use✅✅⚠️⚠️
API/Automation⚠️✅✅
IDS/IPS Built-in⚠️ (addon)⚠️ (addon)
HardwareFixedFlexibleFlexibleFlexible
Price$$$$ (+ hardware)$ (+ hardware)$ - $$$

Recommendations for Home Lab Use

Ideal Use Cases

Use the UDM Pro when:

  • You want an all-in-one solution with minimal configuration
  • You need integrated UniFi controller and network management
  • Your home lab has mixed UniFi hardware (switches, APs)
  • You want a polished GUI and mobile app management
  • Network segmentation and VLANs are critical

Consider Alternatives When

⚠️ Look elsewhere if:

  • You need conditional DHCP options or multi-architecture PXE boot
  • You require advanced routing protocols (BGP, OSPF beyond basics)
  • You need granular firewall control and scripting (pfSense/OPNsense better)
  • Budget is tight and you already have x86 hardware (pfSense on old PC)
  • You need extremely low latency (sub-1ms) routing

  1. Network Segmentation:

    • VLAN 10: Management (PXE, Ansible, provisioning tools)
    • VLAN 20: Kubernetes cluster
    • VLAN 30: Storage network (NFS, iSCSI)
    • VLAN 40: Public-facing services (behind Cloudflare)

  2. DHCP Strategy:

    • Use UDM Pro native DHCP with basic PXE options for single-arch PXE needs
    • Static reservations for infrastructure components
    • Consider external DHCP server if conditional options are required

  3. Firewall Rules:

    • Default deny between VLANs
    • Allow management VLAN → all (with source IP restrictions)
    • Allow cluster VLAN → storage VLAN (on specific ports)
    • NAT only on VLAN 40 (public services)

  4. VPN Configuration:

    • Site-to-Site to GCP via WireGuard (lower overhead than IPsec)
    • Remote access VPN on separate VLAN with restrictive firewall

  5. Integration:

    • Terraform for network state management
    • Ansible for DHCP/DNS servers in management VLAN
    • Cloudflare Access for secure public service exposure

Conclusion

The UDM Pro is a capable all-in-one network device ideal for home labs that prioritize ease-of-use and integration with the UniFi ecosystem. It provides basic PXE boot support suitable for single-architecture environments, though conditional DHCP options require external DHCP servers for complex scenarios.

For infrastructure automation projects, the UDM Pro serves well as a reliable network foundation that handles VLANs, routing, and basic services, allowing you to focus on higher-level infrastructure concerns like container orchestration and cloud integration.

1 - UDM Pro VLAN Configuration & Capabilities

Detailed analysis of VLAN support on the Ubiquiti Dream Machine Pro, including port-based VLAN assignment and VPN integration.

Overview

The Ubiquiti Dream Machine Pro (UDM Pro) provides robust VLAN support through native 802.1Q tagging, enabling network segmentation for security, performance, and organizational purposes. This document covers VLAN configuration capabilities, port assignments, and VPN integration.

VLAN Fundamentals on UDM Pro

Supported Standards

  • 802.1Q VLAN Tagging: Full support for standard VLAN tagging
  • VLAN Range: IDs 1-4094 (standard IEEE 802.1Q range)
  • Maximum VLANs: Up to 32 networks/VLANs per device
  • Native VLAN: Configurable per port (default: VLAN 1)

VLAN Types

Corporate Network

  • Default network type for general-purpose VLANs
  • Provides DHCP, inter-VLAN routing, and firewall capabilities
  • Can enable/disable guest policies, IGMP snooping, and multicast DNS

Guest Network

  • Isolated network with internet-only access
  • Automatic firewall rules preventing access to other VLANs
  • Captive portal support for guest authentication

IoT Network

  • Optimized for IoT devices with device isolation
  • Prevents lateral movement between IoT devices
  • Allows communication with controller/gateway only

Port-Based VLAN Assignment

Per-Port VLAN Configuration

The UDM Pro’s 8x 1 Gbps LAN ports and SFP/SFP+ ports support flexible VLAN assignment:

Configuration Options per Port:

  1. Native VLAN/Untagged VLAN: The default VLAN for untagged traffic on the port
  2. Tagged VLANs: Multiple VLANs that can pass through the port with 802.1Q tags
  3. Port Profile: Pre-configured VLAN assignments that can be applied to ports

Port Profile Types

All: Port accepts all VLANs (trunk mode)

  • Passes all configured VLANs with tags
  • Used for connecting managed switches or access points
  • Native VLAN for untagged traffic

Specific VLANs: Port limited to selected VLANs

  • Choose which VLANs are allowed (tagged)
  • Set native/untagged VLAN
  • Used for controlled trunk links

Single VLAN: Access port mode

  • Port carries only one VLAN (untagged)
  • All traffic on this port belongs to specified VLAN
  • Used for end devices (PCs, servers, printers)

Configuration Steps

Via UniFi Controller GUI:

  1. Create Port Profile:

    • Navigate to SettingsProfilesPort Manager
    • Click Create New Port Profile
    • Select profile type (All, LAN, or Custom)
    • Configure VLAN settings:
      • Native VLAN/Network: Untagged VLAN
      • Tagged VLANs: Select allowed VLANs (for trunk mode)
    • Enable/disable settings: PoE, Storm Control, Port Isolation

  2. Assign Profile to Ports:

    • Navigate to UniFi Devices → Select UDM Pro
    • Go to Ports tab
    • For each LAN port (1-8) or SFP port:
      • Click port to edit
      • Select Port Profile from dropdown
      • Apply changes

  3. Quick Port Assignment (Alternative):

    • SettingsNetworks → Select VLAN
    • Under Port Manager, assign specific ports to this network
    • Ports become access ports for this VLAN

Example Port Layout

UDM Pro Port Assignment Example:

Port 1: Native VLAN 10 (Management) - Access Mode
        └── Use: Ansible control server

Port 2: Native VLAN 20 (Kubernetes) - Access Mode
        └── Use: K8s master node

Port 3: Native VLAN 30 (Storage) - Access Mode
        └── Use: NAS/SAN device

Port 4: Native VLAN 1, Tagged: 10,20,30,40 - Trunk Mode
        └── Use: Managed switch uplink

Port 5-7: Native VLAN 40 (DMZ) - Access Mode
          └── Use: Public-facing servers

Port 8: Native VLAN 1 (Default/Untagged) - Access Mode
        └── Use: Management laptop (temporary)

SFP+: Native VLAN 1, Tagged: All - Trunk Mode
      └── Use: 10G uplink to core switch

VLAN Features and Capabilities

Inter-VLAN Routing

Enabled by Default:

  • Hardware-accelerated routing between VLANs
  • Wire-speed performance (8 Gbps backplane)
  • Routing decisions made at Layer 3

Firewall Control:

  • Default behavior: Allow all inter-VLAN traffic
  • Recommended: Create explicit allow/deny rules per VLAN pair
  • Granular control: Protocol, port, source/destination filtering

Example Firewall Rules:

Rule 1: Allow Management (VLAN 10) → All VLANs
        Source: 192.168.10.0/24
        Destination: Any
        Action: Accept

Rule 2: Allow K8s (VLAN 20) → Storage (VLAN 30) - NFS only
        Source: 192.168.20.0/24
        Destination: 192.168.30.0/24
        Ports: 2049 (NFS), 111 (Portmapper)
        Action: Accept

Rule 3: Block IoT (VLAN 50) → All Private Networks
        Source: 192.168.50.0/24
        Destination: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
        Action: Drop

Rule 4 (Implicit): Default Deny Between VLANs
        Source: Any
        Destination: Any
        Action: Drop

DHCP per VLAN

Each VLAN can have its own DHCP server:

  • Independent IP ranges per VLAN
  • Separate DHCP options (DNS, gateway, NTP, domain)
  • Static DHCP reservations per VLAN
  • PXE boot options (Option 66/67) per network

Configuration:

  • SettingsNetworks → Select VLAN
  • DHCP section:
    • Enable DHCP server
    • Define IP range (e.g., 192.168.10.100-192.168.10.254)
    • Set lease time
    • Configure gateway (usually UDM Pro’s IP on this VLAN)
    • Add custom DHCP options

Example DHCP Configuration:

VLAN 10 (Management):
  Subnet: 192.168.10.0/24
  Gateway: 192.168.10.1 (UDM Pro)
  DHCP Range: 192.168.10.100-192.168.10.200
  DNS: 192.168.10.10 (local DNS server)
  TFTP Server (Option 66): 192.168.10.16
  Boot Filename (Option 67): pxelinux.0

VLAN 20 (Kubernetes):
  Subnet: 192.168.20.0/24
  Gateway: 192.168.20.1 (UDM Pro)
  DHCP Range: 192.168.20.50-192.168.20.99
  DNS: 8.8.8.8, 8.8.4.4
  Domain Name: k8s.lab.local

VLAN Isolation

Guest Portal Isolation:

  • Guest networks auto-configured with isolation rules
  • Prevents access to RFC1918 private networks
  • Internet-only access by default

Manual Isolation (Firewall Rules):

  • Create LAN In rules to block inter-VLAN traffic
  • Use groups for easier management of multiple VLANs
  • Apply port isolation for additional security

Device Isolation (IoT Networks):

  • Prevents devices on same VLAN from communicating
  • Only controller/gateway access allowed
  • Use for untrusted IoT devices (cameras, smart home)

VPN and VLAN Integration

Site-to-Site VPN VLAN Assignment

✅ VLANs CAN be assigned to site-to-site VPN connections:

WireGuard VPN:

  • Configure remote subnet to map to specific local VLAN
  • Example: GCP subnet 10.128.0.0/20 → routed through VLAN 10
  • Routing table automatically updated
  • Firewall rules apply to VPN traffic

IPsec Site-to-Site:

  • Specify local networks (can select specific VLANs)
  • Remote networks configured in tunnel settings
  • Multiple VLANs can traverse single VPN tunnel
  • Perfect Forward Secrecy supported

Configuration Steps:

  1. SettingsVPNSite-to-Site VPN
  2. Create New VPN tunnel (WireGuard or IPsec)
  3. Under Local Networks, select VLANs to include:
    • Option 1: Select “All” networks
    • Option 2: Choose specific VLANs (e.g., VLAN 10, 20 only)
  4. Configure Remote Networks (cloud provider subnets)
  5. Set encryption parameters and pre-shared keys
  6. Create Firewall Rules for VPN traffic:
    • Allow specific VLAN → VPN tunnel
    • Control which VLANs can reach remote networks

Example Site-to-Site Config:

Home Lab → GCP WireGuard VPN

Local Networks:
  - VLAN 10 (Management): 192.168.10.0/24
  - VLAN 20 (Kubernetes): 192.168.20.0/24

Remote Networks:
  - GCP VPC: 10.128.0.0/20

Firewall Rules:
  - Allow VLAN 10 → GCP VPC (all protocols)
  - Allow VLAN 20 → GCP VPC (HTTPS, kubectl API only)
  - Block all other VLANs from VPN tunnel

Remote Access VPN VLAN Assignment

✅ VLANs CAN be assigned to remote access VPN clients:

L2TP/IPsec Remote Access:

  • VPN clients land on a specific VLAN
  • Default: All clients in same VPN subnet
  • Firewall rules control VLAN access from VPN

OpenVPN Remote Access (via UniFi Network Application addon):

  • Not natively built into UDM Pro
  • Requires UniFi Network Application 6.0+
  • Can route VPN clients to specific VLAN

Teleport VPN (UniFi’s solution):

  • Built-in remote access VPN
  • Clients route through UDM Pro
  • Can access specific VLANs based on firewall rules
  • Layer 3 routing to VLANs

Configuration:

  1. SettingsVPNRemote Access
  2. Enable L2TP or configure Teleport
  3. Set VPN Network (e.g., 192.168.100.0/24)
  4. Advanced:
    • Enable access to specific VLANs
    • By default, VPN network is treated as separate VLAN
  5. Firewall Rules to allow VPN → VLANs:
    • Source: VPN network (192.168.100.0/24)
    • Destination: VLAN 10, VLAN 20 (or specific resources)
    • Action: Accept

Example Remote Access Config:

Remote VPN Users → Home Lab Access

VPN Network: 192.168.100.0/24
VPN Gateway: 192.168.100.1 (UDM Pro)

Firewall Rules:
  Rule 1: Allow VPN → Management VLAN (admin users)
          Source: 192.168.100.0/24
          Dest: 192.168.10.0/24
          Ports: SSH (22), HTTPS (443)
  
  Rule 2: Allow VPN → Kubernetes VLAN (developers)
          Source: 192.168.100.0/24
          Dest: 192.168.20.0/24
          Ports: kubectl (6443), app ports (8080-8090)
  
  Rule 3: Block VPN → Storage VLAN (security)
          Source: 192.168.100.0/24
          Dest: 192.168.30.0/24
          Action: Drop

VPN VLAN Routing Limitations

Current Limitations:

  • Cannot assign individual VPN clients to different VLANs dynamically
  • No VLAN assignment based on user identity (all clients in same VPN network)
  • RADIUS integration does not support per-user VLAN assignment for VPN
  • For per-user VLAN control, use firewall rules based on source IP

Workarounds:

  • Use firewall rules with VPN client IP ranges for granular access
  • Deploy separate VPN tunnels for different access levels
  • Use RADIUS for authentication + firewall rules for authorization

VLAN Best Practices for Home Lab

Network Segmentation Strategy

Recommended VLAN Layout:

VLAN 1:   Default/Management (UDM Pro access)
VLAN 10:  Infrastructure Management (Ansible, PXE, monitoring)
VLAN 20:  Kubernetes Cluster (control plane + workers)
VLAN 30:  Storage Network (NFS, iSCSI, object storage)
VLAN 40:  DMZ/Public Services (exposed to internet via Cloudflare)
VLAN 50:  IoT Devices (isolated smart home devices)
VLAN 60:  Guest Network (visitor WiFi, untrusted devices)
VLAN 100: VPN Remote Access (remote admin/dev access)

Firewall Policy Design

Default Deny Approach:

  1. Create explicit allow rules for necessary traffic
  2. Set implicit deny for all inter-VLAN traffic
  3. Log dropped packets for troubleshooting

Rule Order (top to bottom):

  1. Management VLAN → All (with source IP restrictions)
  2. Kubernetes → Storage (specific ports)
  3. DMZ → Internet (outbound only)
  4. VPN → Specific VLANs (based on role)
  5. All → Internet (NAT)
  6. Block RFC1918 from DMZ
  7. Drop all (implicit)

Performance Optimization

VLAN Routing Performance:

  • Inter-VLAN routing is hardware-accelerated
  • No performance penalty for multiple VLANs
  • Use VLAN tagging on trunk ports to reduce switch load

Multicast and Broadcast Control:

  • Enable IGMP snooping per VLAN for multicast efficiency
  • Disable multicast DNS (mDNS) between VLANs if not needed
  • Use multicast routing for cross-VLAN multicast (advanced)

Advanced VLAN Features

VLAN-Specific Services

DNS per VLAN:

  • Configure different DNS servers per VLAN via DHCP
  • Example: Management VLAN uses local DNS, DMZ uses public DNS

NTP per VLAN:

  • DHCP Option 42 for NTP server
  • Different time sources per network segment

Domain Name per VLAN:

  • DHCP Option 15 for domain name
  • Useful for split-horizon DNS setups

VLAN Tagging on WiFi

UniFi WiFi Integration:

  • Each WiFi SSID can map to a specific VLAN
  • Multiple SSIDs on same AP → different VLANs
  • Seamless VLAN tagging for wireless clients

Configuration:

  • Create WiFi network in UniFi Controller
  • Assign VLAN ID to SSID
  • Client traffic automatically tagged

VLAN Monitoring and Troubleshooting

Traffic Statistics:

  • Per-VLAN bandwidth usage visible in UniFi Controller
  • Deep Packet Inspection (DPI) provides application-level stats
  • Export data for analysis in external tools

Debugging Tools:

  • Port mirroring for packet capture
  • Flow logs for traffic analysis
  • Firewall logs show inter-VLAN blocks

Common Issues:

  1. VLAN not working: Check port profile assignment and native VLAN config
  2. No inter-VLAN routing: Verify firewall rules aren’t blocking traffic
  3. DHCP not working on VLAN: Ensure DHCP server enabled on that network
  4. VPN can’t reach VLAN: Check VPN local networks include the VLAN

Summary

VLAN Port Assignment: ✅ YES

The UDM Pro fully supports port-based VLAN assignment:

  • Individual ports can be assigned to specific VLANs (access mode)
  • Ports can carry multiple tagged VLANs (trunk mode)
  • Native/untagged VLAN configurable per port
  • Port profiles simplify configuration across multiple devices

VPN VLAN Assignment: ✅ YES

VLANs can be assigned to VPN connections:

  • Site-to-Site VPN: Select which VLANs traverse the tunnel
  • Remote Access VPN: VPN clients route to specific VLANs via firewall rules
  • Routing Control: Full control over which VLANs are accessible via VPN
  • Limitations: No per-user VLAN assignment; use firewall rules for granular access

Key Capabilities

  • Up to 32 VLANs supported
  • Hardware-accelerated inter-VLAN routing
  • Per-VLAN DHCP, DNS, and firewall policies
  • Full integration with UniFi WiFi for SSID-to-VLAN mapping
  • Flexible port profiles for easy configuration
  • VPN integration for both site-to-site and remote access scenarios