UDM Pro VLAN Configuration & Capabilities
Detailed analysis of VLAN support on the Ubiquiti Dream Machine Pro, including port-based VLAN assignment and VPN integration.
Ubiquiti Dream Machine Pro Analysis
Comprehensive analysis of the Ubiquiti Dream Machine Pro capabilities, focusing on network boot (PXE) support and infrastructure integration.
Overview
The Ubiquiti Dream Machine Pro (UDM Pro) is an all-in-one network gateway, router, and switch designed for enterprise and advanced home lab environments. This analysis focuses on its capabilities relevant to infrastructure automation and network boot scenarios.
Key Specifications
Hardware
- Processor: Quad-core ARM Cortex-A57 @ 1.7 GHz
- RAM: 4GB DDR4
- Storage: 128GB eMMC (for UniFi OS, applications, and logs)
- Network Interfaces:
- 1x WAN port (RJ45, SFP, or SFP+)
- 8x LAN ports (1 Gbps RJ45, configurable)
- 1x SFP+ port (10 Gbps)
- 1x SFP port (1 Gbps)
- Additional Features:
- 3.5" SATA HDD bay (for UniFi Protect surveillance)
- IDS/IPS engine
- Deep packet inspection
- Built-in UniFi Network Controller
Software
- OS: UniFi OS (Linux-based)
- Controller: Built-in UniFi Network Controller
- Services: DHCP, DNS, routing, firewall, VPN (site-to-site and remote access)
Network Boot (PXE) Support
Native DHCP PXE Capabilities
The UDM Pro provides basic PXE boot support through its DHCP server:
Supported:
- DHCP Option 66 (
next-server/ TFTP server address) - DHCP Option 67 (
filename/ boot file name) - Basic single-architecture PXE booting
Configuration via UniFi Controller:
- Navigate to Settings → Networks → Select your network
- Scroll to DHCP section
- Enable DHCP
- Under Advanced DHCP Options:
- TFTP Server: IP address of your TFTP/PXE server (e.g.,
192.168.42.16) - Boot Filename: Name of the bootloader file (e.g.,
pxelinux.0for BIOS orbootx64.efifor UEFI)
- TFTP Server: IP address of your TFTP/PXE server (e.g.,
Limitations:
- No multi-architecture support: Cannot differentiate boot files based on client architecture (BIOS vs. UEFI, x86_64 vs. ARM64)
- No conditional DHCP options: Cannot vary
filenameornext-serverbased on client characteristics - Fixed boot parameters: One boot configuration for all PXE clients
- Single bootloader only: Must choose either BIOS or UEFI bootloader, not both
Use Cases:
- ✅ Homogeneous environments (all BIOS or all UEFI)
- ✅ Single OS deployment scenarios
- ✅ Simple provisioning workflows
- ❌ Mixed BIOS/UEFI environments (requires external DHCP server with conditional logic)
Network Segmentation & VLANs
The UDM Pro excels at network segmentation, critical for infrastructure isolation:
- VLAN Support: Native 802.1Q tagging
- Firewall Rules: Inter-VLAN routing with granular firewall policies
- Network Isolation: Can create fully isolated networks or controlled inter-network traffic
- Use Cases for Infrastructure:
- Management VLAN (for PXE/provisioning)
- Production VLAN (workloads)
- IoT/OT VLAN (isolated devices)
- DMZ (exposed services)
VPN Capabilities
Site-to-Site VPN
- Protocols: IPsec, WireGuard (experimental)
- Use Case: Connect home lab to cloud infrastructure (GCP, AWS, Azure)
- Performance: Hardware-accelerated encryption on UDM Pro
Remote Access VPN
- Protocols: L2TP, OpenVPN
- Use Case: Remote administration of home lab infrastructure
- Integration: Can work with Cloudflare Access for additional security layer
IDS/IPS Engine
- Technology: Suricata-based
- Capabilities:
- Intrusion detection
- Intrusion prevention (can drop malicious traffic)
- Threat signatures updated via UniFi
- Performance Impact: Can affect throughput on high-bandwidth connections
- Recommendation: Enable for security-sensitive infrastructure segments
DNS & DHCP Services
DNS
- Local DNS: Can act as caching DNS resolver
- Custom DNS Records: Limited to UniFi controller hostname
- Recommendation: Use external DNS (Pi-hole, Bind9) for advanced features like split-horizon DNS
DHCP
- Static Leases: Supports MAC-based static IP assignments
- DHCP Options: Can configure common options (NTP, DNS, domain name)
- Reservations: Per-client reservations via GUI
- PXE Options: Basic Option 66/67 support (as noted above)
Integration with Infrastructure-as-Code
UniFi Network API
- REST API: Available for configuration automation
- Python Libraries:
pyunifiand others for programmatic access - Use Cases:
- Terraform provider for network state management
- Ansible modules for configuration automation
- CI/CD integration for network-as-code
Terraform Provider
- Provider:
paultyng/unifi - Capabilities: Manage networks, firewall rules, port forwarding, DHCP settings
- Limitations: Not all UI features exposed via API
Configuration Persistence
- Backup/Restore: JSON-based configuration export
- Version Control: Can track config changes in Git
- Recovery: Auto-backup to cloud (optional)
Performance Characteristics
Throughput
- Routing/NAT: ~3.5 Gbps (without IDS/IPS)
- IDS/IPS Enabled: ~850 Mbps - 1 Gbps
- VPN (IPsec): ~1 Gbps
- Inter-VLAN Routing: Wire speed (8 Gbps backplane)
Scalability
- Concurrent Devices: 500+ clients tested
- VLANs: Up to 32 networks/VLANs
- Firewall Rules: Thousands (performance depends on complexity)
- DHCP Leases: Supports large pools efficiently
Comparison to Alternatives
| Feature | UDM Pro | pfSense | OPNsense | MikroTik |
|---|---|---|---|---|
| Basic PXE | ✅ | ✅ | ✅ | ✅ |
| Conditional DHCP | ❌ | ✅ | ✅ | ✅ |
| All-in-one | ✅ | ❌ | ❌ | Varies |
| GUI Ease-of-use | ✅✅ | ⚠️ | ⚠️ | ❌ |
| API/Automation | ⚠️ | ✅ | ✅ | ✅✅ |
| IDS/IPS Built-in | ✅ | ⚠️ (addon) | ⚠️ (addon) | ❌ |
| Hardware | Fixed | Flexible | Flexible | Flexible |
| Price | $$$ | $ (+ hardware) | $ (+ hardware) | $ - $$$ |
Recommendations for Home Lab Use
Ideal Use Cases
✅ Use the UDM Pro when:
- You want an all-in-one solution with minimal configuration
- You need integrated UniFi controller and network management
- Your home lab has mixed UniFi hardware (switches, APs)
- You want a polished GUI and mobile app management
- Network segmentation and VLANs are critical
Consider Alternatives When
⚠️ Look elsewhere if:
- You need conditional DHCP options or multi-architecture PXE boot
- You require advanced routing protocols (BGP, OSPF beyond basics)
- You need granular firewall control and scripting (pfSense/OPNsense better)
- Budget is tight and you already have x86 hardware (pfSense on old PC)
- You need extremely low latency (sub-1ms) routing
Recommended Configuration for Infrastructure Lab
Network Segmentation:
- VLAN 10: Management (PXE, Ansible, provisioning tools)
- VLAN 20: Kubernetes cluster
- VLAN 30: Storage network (NFS, iSCSI)
- VLAN 40: Public-facing services (behind Cloudflare)
DHCP Strategy:
- Use UDM Pro native DHCP with basic PXE options for single-arch PXE needs
- Static reservations for infrastructure components
- Consider external DHCP server if conditional options are required
Firewall Rules:
- Default deny between VLANs
- Allow management VLAN → all (with source IP restrictions)
- Allow cluster VLAN → storage VLAN (on specific ports)
- NAT only on VLAN 40 (public services)
VPN Configuration:
- Site-to-Site to GCP via WireGuard (lower overhead than IPsec)
- Remote access VPN on separate VLAN with restrictive firewall
Integration:
- Terraform for network state management
- Ansible for DHCP/DNS servers in management VLAN
- Cloudflare Access for secure public service exposure
Conclusion
The UDM Pro is a capable all-in-one network device ideal for home labs that prioritize ease-of-use and integration with the UniFi ecosystem. It provides basic PXE boot support suitable for single-architecture environments, though conditional DHCP options require external DHCP servers for complex scenarios.
For infrastructure automation projects, the UDM Pro serves well as a reliable network foundation that handles VLANs, routing, and basic services, allowing you to focus on higher-level infrastructure concerns like container orchestration and cloud integration.