Contents

UniFi for the Home Lab: Where It Shines and Where It Doesn't

A slick ecosystem that's brilliant until you want to leave it

Contents

UniFi is the gateway drug of home networking. You buy one access point because your ISP router’s Wi-Fi is a disgrace, you marvel at the clean app and the pretty graphs, and eighteen months later you own a gateway, a couple of switches, a rack-mount UPS you didn’t strictly need, and you refer to your hallway cupboard as “the rack.” Ubiquiti has built something genuinely good here — prosumer gear with an enterprise feel at a price that doesn’t require a purchase order. But it is not the right answer for everyone, and the places it falls down are worth knowing before you spend the money.

I’ve run UniFi in my own house for years, through several controller upgrades, one firmware regression that ate an evening, and the slow creep of buying more of it than I strictly needed. This is the honest version, written by someone who genuinely likes the gear but has no interest in selling it to you — the good parts are good enough that they don’t need overselling, and the rough edges are worth knowing before your money’s already spent.

Where it genuinely shines

Advertisement

The single-pane-of-glass management is the real product. One controller — running on a Cloud Key, a Dream Machine, or self-hosted in Docker — manages every access point, switch and gateway you own. Adopt a device and it inherits your config. The dashboard is legitimately good: per-client traffic, deep packet inspection, a topology map, and roaming that actually works as you walk through the house.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
services:
  unifi:
    image: lscr.io/linuxserver/unifi-network-application:latest
    environment:
      - MONGO_HOST=unifi-db
      - MONGO_DBNAME=unifi
    ports:
      - "8443:8443"   # web UI
      - "3478:3478/udp"  # STUN
      - "8080:8080"   # device comms
    volumes:
      - ./config:/config

Self-hosting the controller like that means no recurring fees — once you own the hardware, the software is free, which puts it in a different category from anything with a subscription. The Wi-Fi roaming and the mesh handling are excellent, the PoE switches are tidy, and VLANs, firewall rules and multiple SSIDs are all a few clicks in a coherent UI rather than a CLI safari. For a household that wants strong, reliable, good-looking networking without becoming a part-time network engineer, it’s hard to beat.

The VLAN handling in particular deserves credit, because it’s where a lot of home networks fall over. Creating a separate network for your IoT junk, tagging it, binding an SSID to it, and writing a rule that says “these devices may reach the internet but not my NAS” is genuinely a few clicks in UniFi, where on other gear it’s a config-file exercise that half of people give up on. I’ve argued before that segmenting your smart toaster away from your NAS is one of the highest-value things you can do at home, and UniFi makes the mechanics of it approachable enough that people actually follow through — which matters more than any feature list, because security you don’t implement protects nobody.

There’s also a real running-cost story that’s easy to overlook. The PoE switches mean one cable to each access point instead of a cable plus a wall wart, and the whole stack idles at modest wattage. If you’ve ever put your home lab on a power monitor and been horrified, UniFi networking gear is rarely the villain — it’s efficient, quiet, and the kind of thing you install and forget rather than something that spins your electricity meter.

Where it falls down

Now the cracks, because there are several.

The walled garden is real. UniFi is happiest managing UniFi. Mix in a third-party switch or AP and you lose the single-pane magic — that device becomes an unmanaged black box on your topology map. The lovely experience is contingent on buying the whole ecosystem, and that’s a deliberate design choice, not an accident.

The controller is a dependency you didn’t ask for. Provisioning new config and seeing graphs requires the controller to be up. The network keeps forwarding packets if it goes down, but you’re flying blind until it’s back, and the controller is a Java-and-MongoDB application that occasionally needs babysitting through upgrades.

Advanced routing hits a ceiling fast. This is the big one for homelabbers. If you want BGP, policy-based routing, fine-grained control over NAT, or anything resembling what you’d do on OPNsense or VyOS, UniFi will frustrate you. The firewall is capable but opinionated, the rule ordering can be unintuitive, and there’s no full shell to drop into when the UI won’t do what you need. It abstracts away exactly the knobs an advanced user reaches for.

You’re trusting Ubiquiti’s cloud and update cadence. Remote access leans on their cloud, firmware updates have shipped regressions more than once, and the product line churns — the model you bought may be quietly deprecated sooner than enterprise gear would be.

The gateway is where the ecosystem tempts you into overspending. This is less a technical flaw than a wallet one. The clean app and the pretty topology map make it very easy to justify the next box — a bigger gateway “for headroom,” a 10-gig switch you don’t have 10-gig anything to plug into, a second AP for a house that had perfectly good coverage with one. This is exactly the home lab upgrade trap in vendor form: the ecosystem is designed to make more of itself feel necessary, and UniFi is better at that than almost anyone. The gear is good; the urge to keep buying it is a separate problem you have to manage yourself.

Where it fits next to the rest of the lab

Advertisement

A useful way to think about UniFi is by analogy to the Proxmox-versus-Kubernetes decision: both are about matching the tool’s complexity ceiling to your actual ambitions. UniFi is the Proxmox of networking — a polished, batteries-included platform that does 90% of what a home lab needs beautifully, right up until you hit a wall that the abstraction was never built to climb. The mistake in both cases is the same: buying the friendly all-in-one, then resenting it for not being the power tool you eventually wanted. Know which side of that line you’re on before you spend, and you’ll be happy; discover it afterwards and you’ll feel trapped.

The compromise that often wins

The setup I see work best for homelabbers who’ve outgrown the gateway is to keep the bits UniFi is great at and replace the bit it isn’t. Run a proper router — OPNsense or pfSense on a small box — as the brain doing the routing, firewalling and VLAN policy, and use UniFi purely for switching and Wi-Fi underneath it. You keep the gorgeous AP management and lose the routing ceiling. It costs you the all-in-one neatness, but it’s the pragmatic middle ground.

The practical arrangement looks like this: the OPNsense box sits at the edge holding your WAN connection and doing all the routing and firewalling; behind it, a UniFi switch carries your tagged VLANs; and UniFi APs broadcast the SSIDs, each bound to its VLAN. The catch to watch is that VLANs now have to be defined in two places — the tags exist in OPNsense for routing and in the UniFi controller for the switch ports and SSIDs — and if they disagree, traffic silently goes nowhere. Get the tag numbers matching on both sides, sanity-check that a client on the IoT VLAN actually gets an IoT-range address, and it’s rock solid. It’s more moving parts than the all-in-one, but each part is now best-in-class at its own job, and nothing is capped by a UI that won’t let you at the knobs.

Worth saying plainly: most people never need this. If your routing needs are “get to the internet, keep the toaster off the NAS,” the UniFi gateway does that with room to spare, and bolting on a separate router is complexity you’re buying for no return. The split is for the person who has felt the ceiling — and if you haven’t, don’t go looking for it.

Troubleshooting: the failures every UniFi owner eventually meets

A device is stuck “Adopting” or won’t adopt at all. This is the classic. Adoption needs the device to reach the controller on the “inform” port (device comms, 8080 in the compose above), and the device has to have the controller’s address baked in via the inform URL. If it’s stuck, the usual causes are a firewall between the device and controller blocking that port, a controller that moved IP so the inform URL is stale, or a device still holding a previous owner’s config. SSH into the device and set the inform URL manually, or factory-reset it and re-adopt. Nine times out of ten it’s the inform port.

Everything “disconnects” the moment the controller restarts. It doesn’t, actually — the network keeps forwarding. What disconnects is the controller’s view of the network. If clients genuinely drop when the controller bounces, you’ve likely got the controller doing something it shouldn’t, like being the DHCP server or DNS for the whole LAN. Keep the controller as management-only where you can, so a controller outage is a monitoring outage, not a network outage.

Self-hosted controller breaks after an upgrade. The controller is Java on MongoDB, and MongoDB version mismatches are the usual killer — the linuxserver image pins a compatible Mongo, but roll your own and you can end up with a controller that won’t start against a too-new database. Before every controller upgrade, back up from within the UI (Settings → Backups), and keep the ./config volume snapshotted. Restoring a backup into a fresh container is far faster than debugging a half-migrated database.

Wi-Fi mysteriously drops for some clients after a firmware update. Given the update-regression history, when Wi-Fi gets flaky right after a firmware bump, suspect the firmware first. Roll back the AP firmware to the previous known-good version and see if the problem vanishes before you go blaming your walls or your neighbours’ networks.

The verdict

If you want a reliable, attractive, low-faff network and you’re happy to buy into one vendor’s ecosystem, UniFi is an easy recommendation — the Wi-Fi is excellent, the switches are solid, and self-hosting the controller means no subscription nibbling at you forever. For most home labs, the gateway plus a switch plus a couple of APs is genuinely all you need, and it’ll be the nicest network most of your friends have seen.

But go in with eyes open. The moment your ambitions include serious routing, vendor-mixing, or operating without a controller hovering in the background, you’ll feel the walls of the garden. Buy it for the Wi-Fi and the switching, where it’s brilliant. Just don’t expect it to be a full router for the kind of person who reads articles like this one — and if that’s you, let it do what it’s good at and put a real router in front of it.

Advertisement
Advertisement
Smarc
Written by Smarc

Founder and editor of vo.rs. A lifelong tinkerer who self-hosts far more than is sensible, hardens Linux boxes for fun, and prods the latest AI tools to see what they can really do. The how-to guides here are the notes Smarc wishes had existed the first time round.