My home network is built primarily on Ubiquiti UniFi equipment and is designed with a strong focus on security, segmentation, and resilience.
The network uses an ISP-provided FTTH ONT as the primary WAN connection, with a MikroTik LHG LTE6 on the EE network configured as a failover WAN. Routing, firewalling, and VPN services are handled by a UniFi Dream Machine Pro. Wireless coverage is provided by two UniFi U6-LR access points and one U6-Lite, while switching is handled by a US-16-150W, US-24-500W, two USW-Flex, and a USW-Flex-Mini, all connected using CAT6 Ethernet.
The network is segmented using multiple VLANs to reduce attack surface and limit lateral movement:
VLAN 0 (Trusted) – desktops, laptops, and servers
VLAN 20 (Untrusted / IoT) – smart TVs and IoT devices
VLAN 40 (CCTV / UniFi Protect) – UNVR, G4 Pro, G3 Flex, G5 Flex, G5 Bullet, and G4 Doorbell
VLAN 60 (Guest) – isolated guest devices
Firewall rules ensure that devices on VLANs 20, 40, and 60 cannot initiate communication with other VLANs; the only cross-VLAN traffic they may send is the established and related return traffic of sessions initiated from VLAN 0. Guest devices on VLAN 60 are further isolated from each other, bandwidth limited, and routed through a VPN endpoint in Scotland to mask the public IP address.
This design significantly reduces the potential impact of compromised or low-security IoT devices, while still allowing controlled cross-VLAN functionality such as Chromecast and Google Home integrations.
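The rule ordering that makes the policy above work (accept return traffic before the cross-VLAN drop is consulted) is easy to get wrong and easy to check. The following is an added example, not configuration from this network or from UniFi: a small Python model of the inter-VLAN policy as an ordered, first-match rule list, with a function that exhaustively verifies the key invariant. The VLAN IDs are the ones from the post; the rule order, the `wan` destination marker, the sample flows, and modelling guest client isolation as a rule (on real gear it is an access-point setting) are assumptions made for illustration.

```python
"""Constructed model of the inter-VLAN firewall policy described in the post.

Rules are evaluated top to bottom, first match wins, the way a LAN-In rule
list is processed. VLAN IDs come from the post; the rule ordering, the "wan"
destination marker and the test flows are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

TRUSTED, IOT, CCTV, GUEST = 0, 20, 40, 60
ALL_VLANS = (TRUSTED, IOT, CCTV, GUEST)
RESTRICTED = {IOT, CCTV, GUEST}   # VLANs that must not start cross-VLAN sessions
WAN = "wan"                       # marker for an Internet-bound destination

Dest = Union[int, str]


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: Dest
    state: str = "new"   # conntrack state: new, established, related, invalid


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    match: Callable[[Flow], bool]


def is_cross_vlan(f: Flow) -> bool:
    """True when the destination is another internal VLAN (not WAN, not same VLAN)."""
    return isinstance(f.dst_vlan, int) and f.dst_vlan != f.src_vlan


# Ordered policy. Rule 2 is what makes "established and related sessions
# originating from VLAN 0" work: the reply half of a Trusted->IoT session is
# accepted here before the cross-VLAN drop in rule 5 is ever consulted.
POLICY: List[Rule] = [
    Rule("drop-invalid", "drop", lambda f: f.state == "invalid"),
    Rule("allow-return-traffic", "accept",
         lambda f: f.state in ("established", "related")),
    Rule("allow-trusted-initiates", "accept", lambda f: f.src_vlan == TRUSTED),
    Rule("guest-client-isolation", "drop",            # assumption: modelled as a rule
         lambda f: f.src_vlan == GUEST and f.dst_vlan == GUEST),
    Rule("block-restricted-to-other-vlans", "drop",
         lambda f: f.src_vlan in RESTRICTED and is_cross_vlan(f)),
    Rule("default-allow", "accept", lambda f: True),   # same-VLAN and WAN-bound
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, name of the matching rule) for a flow."""
    for rule in policy:
        if rule.match(flow):
            return rule.action, rule.name
    raise RuntimeError("policy has no terminal rule")


def restricted_cannot_initiate(policy: List[Rule] = POLICY) -> bool:
    """Exhaustively check the post's key invariant: no restricted VLAN can open
    a new session to any other VLAN. Returns False on the first violation."""
    for src in RESTRICTED:
        for dst in ALL_VLANS:
            if dst != src and evaluate(Flow(src, dst, "new"), policy)[0] != "drop":
                return False
    return True


# Constructed sample flows exercising each branch of the policy.
SAMPLE_FLOWS = [
    Flow(TRUSTED, IOT, "new"),          # desktop opening a session to a Chromecast
    Flow(IOT, TRUSTED, "established"),  # the Chromecast's reply traffic
    Flow(IOT, TRUSTED, "new"),          # IoT device trying to reach the trusted VLAN
    Flow(CCTV, IOT, "new"),             # camera trying to reach the IoT VLAN
    Flow(GUEST, WAN, "new"),            # guest browsing the Internet
    Flow(GUEST, GUEST, "new"),          # guest-to-guest, blocked by client isolation
    Flow(IOT, IOT, "new"),              # two IoT devices on the same VLAN
    Flow(IOT, TRUSTED, "invalid"),      # malformed / out-of-window packet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(f)
        print(f"{f.src_vlan:>3} -> {str(f.dst_vlan):<4} {f.state:<12} {action:<7} ({rule})")
    print("restricted VLANs cannot initiate cross-VLAN:", restricted_cannot_initiate())
```

Reordering the list (for example moving `allow-return-traffic` below the cross-VLAN drop) makes `restricted_cannot_initiate()` still pass while silently breaking every Trusted-to-IoT session, which is why checking both the invariant and the sample flows matters when a rule set is edited.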
Secure remote access to the network is provided via a WireGuard VPN terminating on the UniFi Dream Machine Pro. All core networking equipment is protected by a dedicated CyberPower VP1600 UPS, ensuring network availability during power outages or short power interruptions.