After many (many!) years I finally got around to my childhood dreams of building a home network rack, centered around the Unifi stack. I've got the new 10 gig switch, the dream machine SE, a bunch of cameras, and I've been very impressed with their stuff. The experience "just works" and feels like they take inspiration from Apple. The whole camera setup can be "closed" by shutting off outside access, this self-hosting option takes it all a step further for those who care deeply about privacy!

There's one big gotcha with Unifi cameras, where you have to cloud-connect your Unifi system if you want "AI" detections[1] (anything other than simple motion detection). I'm hoping they fix it some day[2], but for now I just have motion detection on my Unifi hardware. If this is a problem for you, make sure you understand the tradeoffs here before you commit to a Unifi system.

[1] https://old.reddit.com/r/Ubiquiti/comments/1cifnut/unifi_pro...

[2] https://old.reddit.com/r/Ubiquiti/comments/1dbyvan/home_assi...

Still don't understand why this is such a big issue, and I have been reading threads about it for a year now.

Just turn on cloud access, accept the t&cs and then turn it off again. If you are really scared then you can isolate that device in a vlan or DMZ temporarily.

I run many commercial and residential networks, and this is definitely a non-issue for me.

I stopped buying Ubiquiti when I reset my UDM Pro and took it to another house without internet access, and it refused to "activate" without an Internet Connection or a phone app connection. Seems they are more interested in selling a lifestyle rather than actual production network equipment.

I stopped buying them when I saw users posting on reddit that they were logging in to their systems and seeing other people's camera feeds and networks.

https://www.bleepingcomputer.com/news/security/ubiquiti-user...

I'm not excusing Ubiquiti here; I agree that's pretty annoying.

However a UDM pro is a router (as well as other things). The expectation is that it is connected to WAN.

Unifi switches and access points etc do not have the same online requirement.

You can't actually configure the WAN connection fully without internet connectivity (at least last I checked).

This meant, for instance, that if your WAN required a VLAN, like in New Zealand, you couldn't actually set it up without another router. Their fix is to add 1 more option to the WAN configuration options rather than the full suite of WAN configuration options you get once it's talked home.

The partial fix does make it clear that the philosophy of "you must talk to the mothership" is a guiding one that Ubiquiti sticks to.

> a UDM pro is a router (as well as other things). The expectation is that it is connected to WAN.

That's a bad expectation.

When I moved houses, I was without home broadband for almost 2 months. I bought a Cloud Fibre Gateway as everybody recommended Unifi. I intended to set my local network up, have Home Assistant running, as well as my NAS and other self-hosted apps.

Couldn't do any of that until I figured out a way to tether my phone to my OpenWRT router that the Unifi was supposed to replace, and wire them together over ethernet.

Not the final straw that made me give up on it, but a truly atrocious first experience.

What are you using instead?

If I ditched my modest Ubiquiti gear I’d probably try out https://www.alta.inc/ because https://chrisbuechler.com/

I swapped my edgerouter lite (ERLite-3) to an Alta Labs Route10 recently after moving to an ISP that uses PPPoE. Unfortunately the Cavium silicon inside the ERL cannot do hardware offloading for ipv6+vlan+pppoe concurrently, so I had to find a new router. The Route10 is a nice piece of kit, but the software is still very immature, and absolutely requires a controller to manage. I really wish that I could run VyOS on it, but for now it does the job and will probably be absolutely fine for 99% of people.

This looks super interesting, thank you

New MikroTik gear is also a great option.

OPNsense.

I’m also curious what other prosumer network hardware companies have good products?

I use TP-Link Omada gear and it's been a very good replacement for UniFi. I use it both personally & to manage a side gig venue’s network. I have lots of VLANs & even run Dante & NDI with no issues. Replaced a UniFi system; it was so buggy. DHCP reserved IPs failed, spotty issues with artists' phones & the mixer board to mix their in-ears, etc. I’ve even set up an IPsec tunnel to an AWS VPC pretty easily.

Using a Pi 4 for the last 4 years on PoE running their management Docker container. So solid! I’d recommend the Pi over buying their hardware device manager; it's way slower.

I like Mikrotik routers, and their other products look good too. They are often discussed on HN if you want to search for a range of opinions. I do find that their software can be confusing, but that may also be to do with the number of options.

Having seen a few slippery slope situations like this over the years with IoT and other services, I'm simply not willing to make any concessions in that direction. I use a UDM Pro, and turning on cloud access requires associating that hardware with a UniFi cloud account. That's already undesirable if you want to safeguard privacy.

Fair enough, the Unifi brand is a consumer/prosumer brand after all.

I guess if you have strict privacy requirements then you would be looking more at enterprise gear anyway.

Why do strict privacy requirements imply enterprise gear?

Because the elites have decided that privacy is only applicable to businesses.

Ah yes. The “elites”. The invisible yet omnipresent, subtle yet ubiquitous, global cabal that no matter how fragmented and divided society gets, always speaks with one voice[0] and acts in seamless unison.

[0] It’s an endless source of fascination to me that it always seems to be non-elites that have the inside scoop on what the elites are thinking and deciding. I’d love to know where they get that insight if not from their own hyper-pattern-matching imagination.

This is absurd. When people refer to "the elites" as I did, they often mean a large group of people. They do NOT speak with one voice[0], nor do they act in seamless unison. It is a bit noteworthy then that governments worldwide seem intent on destroying the privacy of communications on the internet.

[0] People who are used to getting fucked by people higher up in the economic food chain are pretty used to seeing, with their own eyes, the actions "the elites" take. See, we get to live in the world they create. Whereas they get to live in a much, much nicer world, without rules or restrictions. To call the average person's lived experience "hyper-pattern-matching imagination" is just plainly being shitty.

No. I don’t believe most people can see “with their own eyes” anything of the sort. They definitely feel the pain. But the ability of most people to correctly ascribe their pain to a semi-reasonable, possibly-likely source is utter rubbish. Most folks do the exact opposite. They are SO incapable of seeing with clear eyes that they will happily let their abusers scapegoat utterly irrelevant groups and distract with pointless crusades. Most people let their pain get hijacked just so they can easily point the finger at anyone and feel justified that yes, someone did indeed do them over. And as a result, they will consistently vote against their own interests and join in on the gang bashing of minority groups, all the while being screwed over even more.

Perhaps next time it would be more useful to point out exactly who you’re referring to in a given discussion rather than lazily refer to “the elites”.

I’ll also add that in my view, most of what seems like the concerted actions of a global conspiracy is merely the result of very simple human heuristics. Mostly functions of greed (for money, power, or both). Just like the amazing structure in fractals arises from very simple math, so too the workings of our politics and economies through simple human heuristics played out at scale.

[deleted]

This is an absurd comment.

Do you really think there is some magical network gear out there which provides easy full security, but is only available to buy for a specific group of people?

Because it generally has much stricter firewalls, more granular policies, better/more comprehensive logging, no device phone-home, and no requirement to sign up for online accounts. All of which make it much more secure by default due to standard enterprise company requirements, and easier to customise to the user's specific security needs.

Enterprises often have to pass audits and have regulatory compliance requirements. So no surveillance capitalism for them. Where enterprise tech vendors get you is licensing cost.

> Enterprises often have to pass audits and have regulatory compliance requirements.

So do many smaller organisations. The market for prosumer/SOHO/SME tech is in a sorry state lately with many being pushed towards what is essentially consumer level junk with a slightly different finish on the case and a different badge.

There is an irony here in the UK that we're finally seeing widespread availability of FTTP broadband with gigabit+ speeds and the latest WiFi standards, but trying to find decent routers, switches, and access points that support 10G internal networking and the full rates of the available broadband and WiFi standards is a nightmare. It's like the only conceivable options are extremely expensive "enterprise" products and consumer junk that you control with a mobile app (until it becomes unsupported at some indeterminate future date, presumably) that phones home to the manufacturer's servers (until they get shut off at some indeterminate future date, presumably) and only works with an account on the manufacturer's system (until it deliberately or accidentally gets disabled for any reason, presumably) and possibly a subscription payment (that can increase arbitrarily in future years, presumably). It seems like literally no manufacturer that has previously provided reputable mid-level equipment is still trying to compete in this segment of the market any more, and that is both sad and potentially dangerous.

They pay enough to not become the product.

Because enterprises pay a lot of money for strict privacy, whereas consumers pay less if anything.

In my experience generally consumers pay zero for privacy but expect it anyway.

In addition to the other comments, enterprise infra (almost) never has internet access.

Will it still get automatic updates in case of security issues?

[deleted]

https://store.ui.com/us/en/products/ai-key

Even this only reviews "Smart Detections" and I have smart detections turned off on my Unifi cameras, because it enables cloud AI. Having the ability to have an AI key to process detections locally would be great.

Also, having to buy extra hardware kinda stinks. Would love to be able to have a self hosted Unifi OS server that can do AI key abilities if the hardware supports it.

If only the system would cope with power outages, I would agree. My viewports refuse to reconnect to the cameras and need multiple forgets/adoptions to come back to life. The (wired) cameras themselves take hours before they show up again, except for the (WiFi) doorbell. During this period I can see them all online via the managed Ubiquiti switches.

I've been using UniFi Protect/Capture (I self-hosted Capture for a long time) for years and have never had a forgotten adoption, and they almost never go down. I do have everything on UPS now, but I never saw the issue before that either.

That said I've only used the wired bullet cams so maybe other models are not so nice.

Really the only downside I've seen is about 5ish years ago, all the bullet cams I bought would die after about 0.75 to 3 years. All died with the same issue and I had a 100% failure rate with any bought during that time frame. Ubiquiti replaced the ones that died during the warranty period, but most died just after that expired.

The ones bought before or after that have been great, so the issue was solved, but I have a nice stack of dead ones that would work great as fake cameras, especially as their IR LEDs still light up.

Surely the expected solution for that is a UPS on the PoE switch?

A UPS is not a solution for all power outages, just ones short enough to last the UPS uptime. The brains of the system is supposed to be the Cloud Key anyway which has its own built in “UPS” and seems to shut down gracefully if you kill power.

The cameras and viewports should not be writing data at all after an initial configuration if designed properly and killing power should present no problems to any system with a read-only filesystem. As someone who designs systems like these it absolutely baffles me.

Version 1 Cloud Keys would brick upon power loss.

Just one of the many side effects of building on top of mongodb. :)

Ummm..... So the solution to cameras taking several hours to come back to life is to.... just make sure they will never go offline?

The UPS remark is such a non sequitur. Sure, it's prudent to have one, but this doesn't make the bug go away.

I agree, not sure why you are being downvoted.

It's not a solution, it's kicking the can down the road. What happens when the UPS battery dies and the power comes back on? The cameras are still down for an unacceptable amount of time because of poor software.

The cameras should reassociate almost immediately after regaining a connection. It shouldn't take hours for them to try and connect again. I won't fault the camera for going down when the power dies, I will fault it for not coming back immediately after the power comes back though!

Yea, Ubiquiti is brutal after a power outage. I got a battery backup for my rack just to avoid post-power-outage downtime.

My general impression is that it “Just Works” if you don’t do anything remotely interesting with it.

Want to create a VLAN with no Internet connectivity? Better test that it actually has no Internet connectivity because the setting doesn’t actually work.

Want to use the firewall? Better test all the rules — it’s amazingly buggy.

Want to change a WiFi setting without WiFi going down for a minute or two? Good luck — UniFi doesn’t seem to care about making it work.

Want to find information (MAC, switch port, DHCP reservation, etc) about a device that uses the same MAC address on multiple VLANs? Good luck — it looks like UniFi utterly flubbed either their database schema or whatever interface their front end uses to talk to their backend about it, and it’s very, very broken.

Want to find basically any setting based on online docs? Too bad — they keep moving the settings and not updating the docs.

Just to reiterate for those that missed it:

If you change the schedule of a WiFi network your entire network (wired and everything) goes down for two minutes.

Just a simple admin policy change… full network outage.

Clown. College.

Constantly tweaking settings is not a use-case they have optimized for. Most of their customers are small IT shops that support small/medium sized businesses. They set up a network for a few doctors offices, law firms, etc. by clicking a few buttons in the controller's GUI once, and then remotely keep an eye on the networks with the controller software's remote management features.

If you set the thing to automatically optimize WiFi (the default!) it goes completely down for several minutes every day.

I would not want to have to carefully optimize settings to get that third nine of uptime for a small business.

Eh, in my experience, if you disable the uplink monitor features aggressively enough (which is in a different place in different firmwares and currently seems to also require disabling all wireless uplink/“mesh” capability), then sometimes more of the network will stay up. Maybe even the gateway will keep working too if you don’t touch any gateway settings. Of course, if the gateway does decide to reboot, you’re down for many minutes.

It’s real classy.

The thing that made me move off of it was issues connecting to devices on mesh'd APs if the ARP entry for that device timed out on the main AP.

Literally couldn't connect to my mobile phone, and after a lot of troubleshooting (which Unifi does pretty much nothing to help you with) I found that when the phone had roamed to the mesh'd AP, ARPs for it wouldn't get answered. If I forced it back to a wired AP or manually added it to the table... all worked fine. Went unfixed for years, heck, I still don't know if it is...

And all the "alerts" about malicious traffic that a bunch of prosumers seem to love? It's not very actionable for figuring out if it's really a problem nor digging deeper...

Oh, and when they had a firmware update that changed the SSID maximum length from 32 (the spec) to 31. My SSID is 32 characters and after that I could no longer edit the network without a UI error. That sucked.

I'm now on OPNsense and Ruckus APs and while it's not as integrated, I couldn't be happier.

If you can spring for Ruckus (I just buy used off eBay), it's worth it. The controller is integrated into the AP; for me that was worth it over UniFi alone.

This. They make excellent access points, and their LiteBeam/airFiber products are great.

But UniFi has serious limitations when it comes to anything beyond the basics. An off-the-shelf Asus all-in-one home router actually has more features and capabilities.

> An off-the-shelf Asus all-in-one home router actually has more features and capabilities.

This is just not true at all. I agree UniFi can be buggy at times, and their super clean interface means they need to hide stuff all over the place, but I haven't found any network configuration I couldn't do on UniFi yet.

Care to elaborate on exactly which functions standard Asus routers have over Ubiquiti gear?

VLAN with an id of 0 isn't possible on the new interface last I checked. Which, granted is a weird thing to do, but...

That's not a valid VLAN ID for most vendors (reserved) and can also be a security vulnerability, as it can allow traffic to elevate its Class of Service and hop VLANs via this method.

There are off-the-shelf all-in-one Asus home routers that do VLANs?

Many Asus home routers advertise compatibility with and/or run OpenWRT internally, so yes to a certain reading.

Here's a random example I found:

https://www.asus.com/networking-iot-servers/modem-routers/al... | https://web.archive.org/web/20250704161852/https://www.asus....

Installing a custom firmware on a router does not count as 'off-the-shelf' imo.

I’m not speaking hypothetically, as I have used VLANs on native stock Asus firmware.

https://www.asus.com/us/support/faq/1049415/

[deleted]

Yes, this is quite a rare thing. Could you describe the reason behind it?

Idk about you, but I’m rocking a site-to-site link to my parents' house. I have VLANs for each segment in my home network (IoT, priv, etc.) with full IPv6 routing and custom filtered DNS over HTTPS, with full network name resolution for all DHCP clients by their hostname on my local subnet domain…

I have complete control over my kids network access, can block specific types of traffic by app type or time based rules. I have high visibility into my WiFi setup and everything is on prem and self hosted and integrated with home assistant…

I took a hybrid approach -- Unifi for everything except the firewall, and a Firewalla for that. I'm overall quite happy with it, although you won't get a single pane of glass for management.

This. I don't use their gateways/security devices anymore. I run OPNsense at every edge, which allows me to do some really nice things with respect to remote access for non-home sites.

Most people don't want to do anything 'interesting'. If you stray too far from the beaten path, I'd argue that you no longer need or want something that "Just Works". You need something very configurable, which, by definition, will let you shoot yourself in the foot.

My current setup is MikroTik for wired and Ubiquiti APs for WiFi. Their WiFi devices have great specs and are difficult to beat. MikroTik has decent WiFi devices, but they are a footgun minefield; not exactly their fault, since WiFi is difficult to get right, so the more settings you expose, the worse it gets. MikroTik also lags behind in features (they are still at WiFi 6). It's an odd combination of philosophies but seems to work: all the VLAN logic is offloaded to MikroTik, and so are firewalls, etc. Then the voodoo WiFi stuff gets handled by Ubiquiti.

> Want to change a WiFi setting without WiFi going down for a minute or two? Good luck — UniFi doesn’t seem to care about making it work.

I am with you on that. It's things like that that prevent adoption by larger businesses and contribute to the perception that they aren't a serious contender. I previously had an Aruba InstantOn setup (which is focused on SMB), and got really accustomed to being able to tweak (most) settings without any interruptions at all. I could even do things like change channel widths (in one direction) without losing connectivity. What was really surprising on UniFi is that I lost connection for like a minute when I changed settings for a _different_ SSID. That isn't really acceptable.

They still do a lot of things right though, and it shouldn't be too difficult to get their act together. The devices are pretty decent and at a surprisingly low price point.

But UniFi is trying to position itself at the prosumer segment.

And we have things like, indeed, no WiFi (all networks down) if you dare to change WiFi settings, or mDNS having a hard limit of five networks because the underlying Perl script is 10 or 15 years old.

This was absolutely my experience. I ended up tearing it all out and selling it on eBay.

I run OPNsense now with a Ruckus standalone AP, and it has been bulletproof.

Funny, I did the same... Never looked back at Unifi. That was a constant fight with problems.

OPNsense, a cheap fanless Brocade switch, and two Ruckus enterprise-grade APs from eBay and boom. Stuff Just Works, and when I want to do anything fancy (I did a /lot/ of weird network setup to troubleshoot users' WFH scenarios during COVID times) I just could.

I did this in 2023 and my experience has been the same. Had 0 problems other than Sonos being, well, Sonos.

Recently set up CCTV at my parents’ with a Cloud Gateway Max, set up a site to site VPN in 3 clicks and now I can support remotely and their Sony smart TV can see my Jellyfin server.

IIRC some Sonos issues are related to STP. AFAIK it's, like you said, Sonos being Sonos. Lol.

Yeah, that was exactly it. Unifi have a special page in their docs for dealing with Sonos.

https://help.ui.com/hc/en-us/articles/18930473041047-Best-Pr...

I ended up connecting everything with a wired connection and disabling WiFi. Thankfully I have cat6 to every room so it wasn't an inconvenience.

It's worked perfectly since.

How could a Sonos device possibly interact with spanning tree? Are there Sonos devices that act as bridges?

Most of their devices act as bridges; some of the newer ones don't. Some have multiple ethernet ports, and anything that has both an ethernet port and is part of their "sonosnet" mutant-wifi will bridge between sonosnet and their ethernet port(s) with spanning tree using classic (pre-RSTP) link costs.

If you're not careful you can end up with the "best" path between two switches going over the sonos-to-sonos wifi.

That’s nutty!

I am more interested in your childhood than your network at this point.

That's because Robert Pera, CEO/founder used to work for Apple for a few years when he was very young.

Has he said that?

I did a lot of jobs when I was very young. I wouldn't want someone to draw conclusions about me today based on my failed stint at Burger King, for example.

> I finally got around to my childhood dreams of building a home network rack

My childhood dream was to build crazy buildings, before that it was a space explorer. Not sure a home network rack ever made the list!

I really love my Dream Machine. Super reliable. What I don't like that much is their UI. It is super weirdly done. It is not natural to use, at least if like me, you use it once every 6 months or more.

I like the way they do VLANs. It's easy enough that it can be managed by people that don't understand all the low level terminology.

> feels like they take inspiration from Apple

The founders are ex-Apple.