UniFi
The home site is built on Ubiquiti UniFi gear, configured declaratively from tofu/environment/home via the ubiquiti-community/unifi provider. A FritzBox upstream of the UniFi gateway acts as the WAN router and hosts a separate LAN for energy / smart-meter devices that need to talk directly to the ISP.
The home site is exposed into the NetBird mesh by a single routing peer running on a long-lived box, which advertises the four UniFi subnets.
Gear
| Role | Model | Notes |
|---|---|---|
| Gateway | UniFi gateway (unifi-home) | 192.168.0.1 — terminates VLANs, NAT, firewall |
| Switch | Ubiquiti USW-16-PoE | Trunks all VLANs to APs and to the production rack uplink |
| APs | UniFi APs | Broadcast SSIDs for the four LAN subnets |
| Upstream | FritzBox (ISP-managed) | 192.168.178.1 — WAN router; also hosts the energy LAN |
The USW-16-PoE is also used as the production rack switch for the Proxmox/Talos nodes (its components are listed in hardware/nas). It carries the same VLAN trunk to both sides.
Subnets
| Network | CIDR | Purpose |
|---|---|---|
| management | 192.168.0.0/24 | UniFi gateway, Synology NAS, infra |
| iot | 192.168.2.0/24 | IoT / Home Assistant devices |
| private | 192.168.3.0/24 | Trusted clients |
| guest | 192.168.4.0/24 | Guest network |
Known hosts
| Host | IP | DNS (*.home.sys.kueber.eu) |
|---|---|---|
| unifi-home | 192.168.0.1 | unifi-home.home.sys.kueber.eu |
| synology | 192.168.0.5 | synology.home.sys.kueber.eu |
| home-assistant | 192.168.2.20 | home-assistant.home.sys.kueber.eu |
The Synology DS723+ on 192.168.0.5 is the hot-storage tier and also runs Syncthing in Docker on the Synology.
Upstream — FritzBox + the energy LAN
A FritzBox sits upstream of UniFi as the WAN gateway. It hosts its own LAN — 192.168.178.0/24 (the energy network) — for utility / smart-meter devices that need a direct connection to the ISP-managed router. The UniFi gateway double-NATs out through it.
```
                         Internet
                             │
                      ┌──────▼──────┐
                      │  FritzBox   │ 192.168.178.1
                      │  (WAN GW)   │
                      └─┬─────────┬─┘
                        │         │
   energy LAN           │         │ uplink
   192.168.178.0/24     ┘         └──────┐
   (smart meter,                         │
    energy devices,                      ▼
    routed via                      ┌──────────┐
    NetBird only)                   │  UniFi   │ 192.168.0.1
                                    │ gateway  │
                                    └────┬─────┘
                                         │ trunk
                                    USW-16-PoE
                                     ├─ management
                                     ├─ iot
                                     ├─ private
                                     └─ guest
```
Reachability is asymmetric on purpose: hosts behind UniFi can reach 192.168.178.0/24 through the FritzBox uplink, but smart-meter devices on the FritzBox LAN cannot route back into the UniFi VLANs. The only path that exposes the energy LAN to the rest of the homelab is NetBird — see the production environment's energy resource in the NetBird overlay.
NetBird integration
- Network: `home` — resources for all four UniFi subnets (`management`, `iot`, `private`, `guest`)
- Routing peer: a single reusable setup key `routing-peers-home` joins the routing-peer box to the `home` and `home_peers` groups
- Cross-site access: by default home is reachable from `administrators` only; expand by adding policies in the `netbird` Tofu environment
Operational notes
- VLANs are tagged on the trunk between UniFi and the production switch; the management VLAN is untagged on the production-side `vmbr0` (see Proxmox).
- Adding a new VLAN: declare it in `tofu/environment/home`, then assign clients via the UniFi controller.
- Apply order matters when ports change role (e.g. trunk → access) — UniFi can briefly drop the controller's own connection. Run the apply from a peer that can survive a brief outage.
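What "declare it in tofu/environment/home" looks like in practice, as an added example that is not the repository's own code: one new VLAN on the unifi-home gateway via the ubiquiti-community/unifi provider, plus the isolation rule a new device VLAN should start with. It goes one step beyond the note above by pairing the network with a firewall rule. The `cameras` name, VLAN id 5, the 192.168.5.0/24 range, the DHCP pool, the credential variables and the `rule_index` value are assumptions chosen for illustration; the management network and gateway address come from the tables above.

```hcl
# Added example, not the repository's tofu/environment/home code.
# Assumed: VLAN "cameras" with id 5 on 192.168.5.0/24, credential variables,
# and firewall rule index 2100. Gateway address is unifi-home from the Gear table.

terraform {
  required_providers {
    unifi = {
      source = "ubiquiti-community/unifi"
    }
  }
}

variable "unifi_username" { type = string }
variable "unifi_password" {
  type      = string
  sensitive = true
}

provider "unifi" {
  username       = var.unifi_username
  password       = var.unifi_password
  api_url        = "https://192.168.0.1"   # unifi-home gateway
  allow_insecure = true                    # controller uses a self-signed cert
}

# The new VLAN. "subnet" takes the gateway address with its prefix length;
# that is how the provider expresses a network, not a bare network address.
resource "unifi_network" "cameras" {
  name         = "cameras"
  purpose      = "corporate"
  subnet       = "192.168.5.1/24"   # assumed: next free /24 after guest
  vlan_id      = 5
  dhcp_enabled = true
  dhcp_start   = "192.168.5.100"
  dhcp_stop    = "192.168.5.200"
}

# Existing management network, looked up by name so the rule can reference
# its id without hard-coding a controller-generated value.
data "unifi_network" "management" {
  name = "management"
}

# Defender's default for a device VLAN: it may not open connections into
# management. Sessions started from management still get their replies,
# because UniFi's predefined allow-established/related rule is evaluated
# ahead of user rules in LAN_IN.
resource "unifi_firewall_rule" "cameras_to_management_drop" {
  name       = "cameras -> management: drop"
  action     = "drop"
  ruleset    = "LAN_IN"
  rule_index = 2100            # assumed free index in the LAN_IN user range
  protocol   = "all"
  logging    = true            # so blocked attempts show up in the gateway log

  src_network_id   = unifi_network.cameras.id
  src_network_type = "NETv4"
  dst_network_id   = data.unifi_network.management.id
  dst_network_type = "NETv4"
}
```

After `tofu apply`, the VLAN is carried on the existing trunk to the USW-16-PoE without further port changes, and clients are assigned to it in the controller as the note above describes. The drop rule is the cheap part of the change; the check worth doing before apply is that the chosen `rule_index` does not collide with rules already present in LAN_IN, since the provider will otherwise fail the apply.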