This took me way longer than it probably should have but I learned more from this than from anything I’d read up to that point.

The basic goal was: stop having everything on one flat network, add some segmentation, and set up a VPN so I can get back in when I’m not at home without relying on some third party service.

The setup

Running a UniFi gateway and a couple of UniFi switches and APs. Started with everything on the default network — every device, same subnet, no separation. Fine for a simple home setup, not great if you’re trying to learn networking.

The plan:

  • Wired VLAN for the desktop and anything that lives on the desk
  • WiFi VLAN for laptops, phones, everything wireless
  • Firewall rules between them
  • WireGuard VPN on the gateway for remote access

VLANs

UniFi makes VLAN setup pretty straightforward once you understand what you’re doing. Create the network, assign it to the relevant ports or SSID, done. The harder part is thinking through the addressing.

I didn’t just default to /24 for both. The wired network doesn’t need 254 hosts — there are maybe 5 devices on it. Used a /26 instead, which gives you 62 usable addresses. More than enough, and it made me actually think about the subnetting rather than just chucking a /24 at everything.

Once both VLANs were up I tested routing between them — pinged the wired desktop from the WiFi laptop. Worked. Inter-VLAN routing handled by the gateway.

WireGuard VPN

Wanted remote access without using Tailscale or any similar service. WireGuard is built into the UniFi gateway so this was the obvious choice.

The setup itself isn’t that complicated. You configure the server on the gateway, generate a client config, import it into the WireGuard app on your laptop. What’s less obvious is the DDNS piece.

Home internet connections have dynamic IPs. Your ISP can change your IP at any point. If you hard-code your home IP into the WireGuard client config and your IP changes, the VPN stops working silently — it just won’t connect and you won’t immediately know why.

The fix is DDNS — a hostname that automatically updates to point at your current IP. I set this up using ddclient running as a service, updating a Cloudflare DNS record whenever the IP changes. Now the client config points to a hostname rather than an IP and the whole thing just works even when the address rotates.

Firewall rules

This is where I spent most of the time. The main things I wanted to lock down:

  • SSH access to the machines on the wired network — allowed from inside the house or over the VPN, never directly from the internet
  • Same for remote desktop
  • Nothing from the outside world should reach internal services without going through the VPN first

Getting firewall rules right requires you to actually think about source, destination, and port for each rule. “Allow SSH” is not a firewall rule. It’s a starting point for a conversation. You need to specify where it’s coming from and where it’s going.
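To make the source/destination/port point concrete (and the /26 arithmetic from the VLAN section), here is a small first-match rule evaluator written as an added example; it is not part of the original post or the UniFi firewall. The subnets, the WireGuard client range and the test addresses are constructed; only the prefix lengths come from the post.

```python
"""Added example, not from the original post: a first-match rule evaluator
that shows why "allow SSH" is not a rule until source, destination and port
are pinned down. Addresses are constructed; only the prefix lengths
(/26 wired, /24 WiFi) come from the post."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

WIRED = ip_network("192.168.10.0/26")   # constructed wired VLAN, /26 as in the post
WIFI = ip_network("192.168.20.0/24")    # constructed WiFi VLAN
VPN = ip_network("10.8.0.0/24")         # constructed WireGuard client range
ANY = ip_network("0.0.0.0/0")
SSH, RDP = 22, 3389

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset = frozenset()   # empty means any destination port

def usable_hosts(net: IPv4Network) -> int:
    """Usable addresses in a subnet: total minus network and broadcast."""
    return net.num_addresses - 2

def evaluate(rules, src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching (src, dst, port).
    Nothing matched means the implicit default: deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r.action
    return "deny"

# "Allow SSH" with no source or destination: the internet reaches the desk.
NAIVE = [Rule("allow", ANY, ANY, frozenset({SSH}))]

# The post's intent: SSH/RDP to the wired VLAN only from inside the house
# or over the VPN; nothing else from anywhere reaches the wired VLAN.
POLICY = [
    Rule("allow", VPN, WIRED, frozenset({SSH, RDP})),
    Rule("allow", WIFI, WIRED, frozenset({SSH, RDP})),
    Rule("deny", ANY, WIRED),
]

if __name__ == "__main__":
    print(usable_hosts(WIRED))                                    # 62
    print(evaluate(NAIVE, "203.0.113.7", "192.168.10.10", SSH))   # allow
    print(evaluate(POLICY, "203.0.113.7", "192.168.10.10", SSH))  # deny
    print(evaluate(POLICY, "10.8.0.5", "192.168.10.10", RDP))     # allow
```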

Also found out the hard way that Windows Firewall is a separate layer from the network firewall and needs its own rules if you’re running services on a Windows machine. Spent a while confused about why things weren’t working before I realised I’d sorted the network rules but Windows was still blocking the traffic at the host level.

What I’d do differently

I’d think through the firewall rules before setting up the VLANs rather than retrofitting them afterwards. It’s easier to build the rules into the design than to add them to something that’s already running.

Also would have set up DDNS from day one rather than realising I needed it when the VPN stopped working after my IP changed.

What’s next

The inter-VLAN rules are still too permissive — anything on WiFi can reach anything on the wired network. That needs tightening up. I also want to add a properly isolated network for IoT stuff at some point; smart plugs and the like probably shouldn’t be on the same network as everything else.