UniFi UCG Fiber: Home Network Best Practices

This guide assumes the UCG Fiber is both your ONT bridge and your main router/firewall. Focus: clean segmentation, low surprise, and easy recovery.

1) Hardware context you should confirm

  • UCG Fiber model and UniFi OS/Network version
  • Connected switch: UniFi or third party?
  • AP strategy: UniFi WiFi 6/7 vs standalone APs
  • Any existing PoE, UPS, or backup WAN paths
  • Whether you’ll run separate SSIDs per VLAN

Write these down before changing anything. It makes rollback much easier.

2) Initial setup checklist

  • Factory reset if needed
  • Adopt the UCG Fiber into your UniFi site
  • Set static WAN IP or PPPoE as required by your ISP
  • Set LAN subnet and DHCP ranges
  • Set static DNS: local router first, public fallback second
  • Set a static IP for the UCG Fiber on the LAN
  • Enable automatic updates carefully (pause during major changes)

3) Network design

Recommended starting VLANs for a home lab:

  • 10 — Management: UCG, switches, APs, servers
  • 20 — Trusted: personal phones, laptops, workstations
  • 30 — Guest or untrusted Wi-Fi
  • 40 — IoT: cameras, sensors, smart plugs, Home Assistant, media
  • 50 — Servers / homelab services if you want extra isolation
  • 60 — VPN users / remote access segment

Inter-VLAN rules:

  • Management should only be reachable from Trusted
  • IoT should not initiate connections to Trusted
  • Servers should not be reachable from Guest or IoT
  • Use explicit allow rules, not “allow all”

4) Wireless design

  • One SSID per VLAN, with separate passwords
  • Use WPA3-Personal when clients support it
  • Avoid “Flexible SSID” in sensitive environments
  • Keep IoT on 2.4 GHz only if it simplifies compatibility
  • Enable “Auto-optimize network” cautiously
  • Band steering and fast-roaming can destabilise some IoT devices

5) Firewall

Start with a simple deny-all model and approve traffic explicitly.

Key rules to consider

  • Block all inter-VLAN traffic by default
  • Allow DNS from Trusted and IoT only
  • Allow NTP from Trusted and IoT
  • Block IoT from accessing the management IP range
  • Block Guest from everything except internet access
  • Allow Home Assistant and UniFi controller traffic on their actual ports
  • Fail2Ban or rate-limiting should sit on internet-facing ports only

6) VLAN implementation steps on UniFi Network

  1. Create each VLAN in Settings > Networks
  2. Assign SSIDs to VLANs via WiFi > SSIDs
  3. Assign switch ports:
    • Trunk ports carry all VLANs to switches/APs
    • Access ports map one port to one VLAN
  4. Confirm DHCP helper / relay if VLANs need central services
  5. Review firewall rules per VLAN after adoption

7) Monitoring and logging

  • Enable Traffic and Security Analysis if performance allows
  • Enable DPI and Threat Management selectively on the edge
  • Use Events to audit device adoption and configuration changes
  • Enable Syslog export to a server if you have one
  • Monitor WAN health and failover paths
  • Review anomaly reports for new device types or unexpected bandwidth

8) Automation and alerts

  • Alert on internet outage
  • Alert on DHCP pool exhaustion
  • Alert on new device to your management VLAN
  • Alert on WAN IP change
  • Alert on high CPU / memory on UCG

9) Maintenance and safety

  • Back up UniFi settings regularly
  • Export device configs before firmware updates
  • Schedule maintenance windows for updates
  • Keep a rollback plan for VLAN cuts and firewall changes
  • Avoid changing management VLAN while away from site

10) UniFi ecosystem add-ons: UniFi Cloud vs UniFi Secure

UniFi Cloud is the hosted cloud platform behind Site Manager and unifi.ui.com. UniFi Secure is the subscription service that adds remote management, simplified multi-site tooling, and unified services across Protect, Access, and Talk. They are not the same thing.

UniFi Cloud / cloud-hosted controller

  • Lets you reach UniFi Network remotely without opening inbound ports
  • Useful when local control is unavailable
  • Low value if you already have VPN or Tailscale access

UniFi Secure subscription

  • Adds protected management paths across UniFi Protect, Access, and Talk
  • Useful if you want Ubiquiti’s hosted remote-console story instead of DIY tunnels
  • Recurring cost; usually more valuable on multi-site or business installs

My take for this environment

  • For a single home site: local UniFi controller access via VPN or Tailscale is usually enough unless you specifically need Ubiquiti’s hosted remote access.
  • If privacy and zero external dependency is preferred: keep access self-hosted.
  • If remote management convenience is the priority: UniFi Secure can simplify things, but the cost can add up when bundled across UniFi Protect cameras and Access.
  • If you already use Cloudflare Access and Tailscale: the value of UniFi Secure drops because you already have private remote access.

11) UniFi CyberSecure (Enhanced by Proofpoint and Cloudflare)

What it is

UniFi CyberSecure is a premium subscription add-on for UniFi Network that upgrades two built-in protection layers:

  • Enhanced IDS/IPS powered by Proofpoint
  • Enhanced Content Filtering powered by Cloudflare

It turns UniFi’s basic security features into something closer to small-business-grade protection, without leaving the UniFi console.

Activation

  1. Open Site Manager, click the shield icon for your target site.
  2. Buy and activate via your UniFi account.
  3. Allow about 15 minutes for signatures and filtering rules to fully apply.

Requirements

  • UniFi OS 4.1.8+ on Cloud Gateways
  • UniFi Network 9.3+
  • UniFi Network Server (not the legacy Network app)

Enhanced IDS/IPS (Proofpoint)

  • 110,000+ threat signatures on high-end models; 70,000+ on UCG Fiber/UGC-class hardware
  • ~30–50+ new signatures per week
  • 53 threat categories for targeted policy control
  • Lower false-positive tuning than standard UniFi
  • Memory-optimised mode reduces signatures and categories when the gateway is also doing routing-heavy work (BGP, ad blocking, content filtering)

Enhanced Content Filtering (Cloudflare)

  • 100+ granular content categories
  • Apply policies to individual users, devices, or VLANs
  • Useful if you want targeted parental controls or compliance-style filtering without a standalone proxy

What’s included on UCG Fiber

  • Supports the enhanced signature set
  • Can run in Memory Optimised Mode if other resource-heavy features are enabled
  • Covers both the primary gateway and a secondary “Shadow Mode” gateway in HA setups

My opinion: is it worth it?

Yes, if:

  • You want policy-based content filtering per user/device/VLAN without maintaining a separate Pi-hole/AdGuard Home instance
  • You like the idea of Proofpoint-backed IDS/IPS curated into UniFi, rather than generic signatures
  • You prefer a single Ubiquiti-managed security stack and are comfortable with the recurring cost
  • You don’t already have equivalent protections elsewhere

Likely no, if:

  • You already run your own DNS/content filtering layer
  • Your home threat model is more “IoT gone weird” than “targeted intrusion”
  • You want lower ongoing cost and are happy with firewall/VPN isolation

My take

CyberSecure is a solid, practical convenience layer. It closes a real capability gap between basic UniFi security and full enterprise firewalls like SonicWall / Fortinet. For most home labs, its value depends on whether you already run parallel security tooling. In your setup, with Cloudflare Access, Tailscale, and Home Assistant already in play, CyberSecure adds useful but optional protection—good if you want tighter content control and better IDS/IPS visibility, not essential if those are already covered elsewhere.

12) DNS filtering: Pi-hole vs UCG built-in vs UniFi CyberSecure

You already ran Pi-hole on a Raspberry Pi. With the UCG Fiber you now have three main options for network-wide ad and domain filtering, so here is the direct comparison.

Option A: Pi-hole / AdGuard Home (separate host)

What it is A dedicated DNS sinkhole/server on a Raspberry Pi, VM, container, or NAS. Pi-hole is the classic choice; AdGuard Home is functionally similar with a different UI and some extra DNS rewrite and parental-control features.

Pros

  • Very mature community; huge blocklist ecosystem
  • Granular per-client/per-group blocking
  • Full query log with long-term stats
  • Very low ongoing cost after hardware
  • Works with almost any router/gateway
  • Strong local control and privacy

Cons

  • Another device to maintain, update, and back up
  • You must manually integrate it with UniFi for easy per-VLAN or per-SSID policy control
  • Loses some convenience if the Pi is down or moved

Option B: UCG built-in DNS / forwarding

What it is Using the UCG Fiber itself as the LAN DNS server, with upstream DoT/DoH and any local DNS records the UniFi UI allows.

Pros

  • One less device to run
  • DNS is colocated with DHCP and routing, which reduces split-brain configs
  • Simple SOHO setups are easier to reason about

Cons

  • Feature-light compared with Pi-hole / CyberSecure
  • Coarse filtering only
  • No rich query history or blocklist workflow
  • Harder to do per-VLAN or per-user filtering
  • Not ideal if your main goal was ad/tracker/malware blocking

Option C: UniFi CyberSecure enhanced content filtering

What it is Cloudflare-powered filtering inside UniFi Network with 100+ categories and per-user/device/VLAN policies.

Pros

  • Tight integration with UniFi and Site Manager
  • Policy per VLAN, SSID, or user instead of only whole-network
  • Curated Cloudflare categories instead of manually maintained blocklists
  • Covers filtering and IDS/IPS in the same add-on

Cons

  • Subscription cost
  • Less transparency than open blocklists
  • Still a vendor-managed cloud dependency for the actual filtering backend

Feature comparison

FeaturePi-hole / AdGuardUCG built-in DNSCyberSecure
Costhardware + powerincludedsubscription
Filtering depthhighlowhigh
Per-VLAN controlpossible, manuallimitednative
Query historyyesminimalpartial / UniFi-style logs
Maintenanceyoulowlow
Offline operationyesyespartially
Integration with UniFimanualnativenative

My take for your environment

  • If you already like Pi-hole and want maximum control: keep it. Point the UCG Fiber’s DHCP DNS to the Pi-hole IP and let UniFi DHCP remain on the UCG if you want.
  • If you want native UniFi integration and per-VLAN policies: CyberSecure is the more polished path.
  • If you just want basic filtering and want no new boxes: start with built-in DNS and revisit later if you miss visibility or control.

How these options fit with the rest of your setup

  • Home Assistant + Tailscale + Cloudflare Access already give you strong remote and auth control
  • Pi-hole adds privacy-friendly filtering and full local logs
  • CyberSecure adds on-prem threat visibility and unified policy, at recurring cost
  • Built-in DNS is best when simplicity is more important than filtering power

Recommendation

My preference for your home lab is Pi-hole or AdGuard Home restored on the Pi, or CyberSecure if you want UniFi-native per-VLAN filtering and are comfortable paying for the subscription. The middle path—built-in filtering only—works if you mainly want to eliminate the Pi-hole host and are okay with lighter filtering and less visibility.

14) Security-hardened deployment options

You have two practical paths for letting an agent (like me) work with UniFi safely:

  1. Preferred first step: expose UniFi state through Home Assistant
  2. Direct agent access: run unifi-mcp with strict controls

Both assume you already have Cloudflare Access and Tailscale protecting your network. These plans harden the local path so you don’t weaken that outer shell.


What it gives you

  • HA becomes the security boundary instead of exposing UniFi APIs directly
  • Read-heavy operations are safe by default
  • Write operations can be carefully scoped
  • You get monitoring/alerting in the same place you already use

Deployment steps

  1. In Home Assistant, add the UniFi Network integration
  2. Use a dedicated UniFi API user with limited permissions:
    • Read access for networks, devices, clients, health
    • Write access only for specific actions you care about
    • No global admin rights unless required
  3. Restrict HA’s own access:
    • Bind HA to 127.0.0.1 or your internal Tailnet
    • Keep Cloudflare Access enabled for public-facing access
    • Use Tailscale ACLs or HA user permissions to control who can reach UniFi endpoints
  4. Verify the integration:
    • Check that unifi_* entities expose the data you need (switches, APs, sites)
    • Test turning a light/lamp on and off through HA before trusting any agent automation

Agent workflow here

  • I can use the home-assistant-api skill to inspect UniFi state and control devices through HA
  • For sensitive actions like VLAN changes, require explicit user confirmation
  • Use HA history and notification services to log every UniFi-affecting automation

Security boundaries enforced

  • UniFi API credentials stay inside HA
  • HA is the only bridge to UniFi
  • Any agent action is mediated by HA’s permissions
  • All changes appear in HA’s logbook and notification system

Option B — unifi-mcp with strict controls

When to use this

  • You need UniFi automation that HA can’t express cleanly
  • You’re comfortable managing an additional service and want rich UniFi-native control

Hardened deployment steps

  1. Dedicated UniFi API user with only the permissions the MCP toolset will use:
    • Read-only for monitoring tools
    • Write access for specific tools only
    • Separate from your admin account; document the purpose in UniFi user notes
  2. Localhost-only binding:
    • Run the MCP server on 127.0.0.1:port
    • Never expose the server directly to the internet; Cloudflare Access or Tailscale sits in front, not the MCP port itself
  3. Least privilege firewall:
    • Block inbound access on the MCP port at UCG Firewall
    • Allow only HA, the machine running the MCP server, and your own admin jump host
  4. Read-only by default, write on explicit request:
    • Configure the server to default operations to read-only where possible
    • Require explicit confirmation for write operations in the agent prompt/tool policy
  5. Telemetry and logging:
    • Log every MCP tool call locally with timestamp, tool slug, and arguments
    • Do not send logs externally unless you encrypt them

Agent workflow here

  • I can call unifi-mcp tools through the same transport path as other MCP servers
  • Treat every write call as a change request: show the user what will happen before executing
  • Re-run the plan after changes to verify state matches intent

Shared hardening checklist for both options

ControlOption A: HA-mediatedOption B: unifi-mcp
Secrets storageHA secrets/encrypted storageDedicated UniFi API user + local env file
Network exposureSame as HA (Tailscale + CF Access)localhost only, firewalled
Auth boundaryHA user/ACLMCP server policy + firewall
Audit trailHA logbook + automationsMCP call log + git commit history for config changes
RecoveryHA backup + UniFi auto-backupUniFi config export before automation runs

My recommended order

  • Today: Use Option A. Connect UniFi to Home Assistant and let me manage it through HA. It’s simpler and safer because HA already handles auth, logging, and access control.
  • Later: If you hit workflows HA can’t do cleanly, add Option B for those specific cases.

15) Practical next steps

  1. Confirm model, ISP requirements, and current subnet layout
  2. Decide VLAN count and naming scheme
  3. Set aside a maintenance window to apply changes
  4. Review firewall rules against existing device inventory
  5. Export initial UniFi config as a backup before changing anything
  6. Add UniFi integration to Home Assistant and scope the API user permissions
  7. If needed, set up unifi-mcp on a separate machine, localhost-only, with its own dedicated UniFi API user