It’s been just over a year since I last posted my 2024 Network Upgrade post. In that time, my network has undergone several changes. Here are the major updates:
Upgraded my FTTH link from 2Gb to 5Gb! (Hence the upgrade from the UDM Pro)
Added a UNAS Pro to the network for extra storage. It has 7x8TB drives in RAID 6, providing roughly 40TB of usable space (excluding the usual overhead).
Added Starlink to the mix of internet connections. Total bandwidth into the house is now around 6.5Gb/s, with upload at about 350Mb/s.
In the (hopefully not too distant) future, my cable ISP plans to upgrade from HFC (Hybrid Fiber/Coax) to full FTTH. When this happens, my speed will increase from 1Gb/50Mb to 5Gb/500Mb—and needless to say, I’ll be ordering that as soon as it’s available! This will boost the total download speed to just over 10Gb (about 10.4Gb, since Starlink tops out around 400Mb/s) and upload to 800Mb/s (with Starlink contributing 40-50Mb/s). That’s why I chose the UCG Fiber. It should handle two 5Gb incoming links, one 10Gb LAN connection, plus the Starlink connection (with IDS/IPS off, of course).
If you’re considering using Cloudflare Warp for specific machines on your network, you can easily install the Warp client directly on them. It supports various operating systems, including Windows, Linux, Mac, iOS, and Android. However, if you need to use it on devices that can’t run the client, for example NAS devices or Smart TVs, this tutorial may be helpful.
First, please note that this is not an officially supported option. Cloudflare might change their configuration at some point, which could break this setup. Consider yourself warned.
What you need:
UDM Pro (it should work on any Ubiquiti Unifi gateway, but this is the one I have).
Wireguard Configuration File Generator (WGCF). This tool will generate a Wireguard configuration file based on the Cloudflare settings.
I’ve created a script that executes the following commands. It worked on my MacBook Pro, and it should also work on Windows or Linux.
First, install WGCF. I installed it by running
brew install wgcf
on my MacBook Pro.
Next, run:
wgcf register
This will register a client on your machine. A wgcf-account.toml file will be left in your running folder. Next, run:
wgcf generate
You’ll be left with a wgcf-profile.config file in your running folder. Open this file in a text editor to access the necessary details for your next steps.
Go to your Unifi Network Dashboard, click on “Settings,” and then select “VPN” and “VPN Client.” Click on “Create New” and choose “Wireguard” as the protocol. Then, change the “Setup” to “Manual.”
The configuration file you created earlier should resemble this:
Use the contents of PrivateKey to overwrite the existing Private Key. This will automatically fill in your Public Key. Next, set your Tunnel IP to the value listed for IPv4Address, stripping the trailing slash and prefix length; that prefix length goes in the Netmask field (mine was a /32). Server Address is the value listed as ServerEndpoint. Note the port from that value and enter it as well. The Public Server Key is ServerPublicKey. Finally, add your DNS settings for IPv4 in the configuration and click Apply Changes.
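As an added example (not part of the original post), this Python helper parses a wgcf-style WireGuard profile and pulls out the values that map onto the UniFi VPN Client form fields above. The profile below is a constructed sample with placeholder keys and a placeholder endpoint, and it assumes the standard WireGuard INI key names (Address, Endpoint, PublicKey) rather than the labels used in the post.

```python
import ipaddress

# Constructed sample standing in for wgcf-profile.config; the keys and the
# endpoint are placeholders, not real Cloudflare or account values.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = <private-key-placeholder-from-wgcf>
Address = 172.16.0.2/32
Address = 2001:db8::2/128
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = warp.example.invalid:2408
"""

def parse_wg_profile(text):
    """Parse a WireGuard INI profile into {section: {key: [values...]}}.
    Keys may repeat (Address, AllowedIPs), so every value is kept in a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def unifi_vpn_client_fields(profile_text):
    """Map the profile onto the fields the UniFi WireGuard VPN Client form asks for."""
    cfg = parse_wg_profile(profile_text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    # UniFi wants the IPv4 tunnel address and its prefix length as separate fields.
    v4 = next(ipaddress.ip_interface(a) for a in iface["Address"]
              if ipaddress.ip_interface(a).version == 4)
    host, port = peer["Endpoint"][0].rsplit(":", 1)   # "host:port" -> host, port
    return {
        "private_key": iface["PrivateKey"][0],
        "tunnel_ip": str(v4.ip),
        "netmask": v4.network.prefixlen,
        "server_address": host,
        "server_port": int(port),
        "server_public_key": peer["PublicKey"][0],
        "dns": iface.get("DNS", [None])[0],
    }

if __name__ == "__main__":
    for name, value in unifi_vpn_client_fields(SAMPLE_PROFILE).items():
        print(f"{name:18} {value}")
```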
After a few seconds, the status should change to “Connected”.
Next, you need to configure the Policy-Based Routes. This is located under the routing section, specifically under the heading “Policy-Based Routes.”
Here, you can name the rule and decide whether you want to send all traffic or specific traffic.
For all traffic, you can select a specific device or the entire network. For instance, in this example, all traffic from my Guest network will be routed through Warp:
You can also set it to send traffic to specific destinations:
Fallback allows it to fail back to one of the other connections if the Warp connection fails.
Finally, click Add Entry at the bottom. Now, run some tests from that machine and watch the traffic counters on the VPN client increase.
That’s it. You can select which devices or networks, or even which destinations, you want to send over Cloudflare. Happy hunting.
I’m currently in the midst of a significant network upgrade for the CloudShed. I’ve purchased two Ubiquiti Unifi Hi-Capacity Aggregation Switches, a 24-port Switch Pro POE, a Switch Enterprise 8 PoE, a couple of U7 Pro Access Points, and a U6 In-wall Access Point.
The two Aggregation Switches each have four 25Gb ports and 28 10Gb ports. Two of the 25Gb ports will be connected between the house and the CloudShed. The U6 In-wall will be installed in the office, while the two U7 Pros are already in the house and powered by the Switch Enterprise 8 PoE (which supports 2.5Gb Ethernet). The 24-port PoE Switch will replace my older 16-port switch, which lacks 10Gb Ethernet. More details will follow as I find time to install everything.
Day 58 of #100daysofhomelab and today is mostly a retrospective of what I did over the last few days, with some links thrown in for good measure…
Given I am going to keep GodBoxV3 running Windows Server 2022 for the foreseeable future, I installed Veeam Availability Suite (through their NFR program) and got it to back up my Hyper-V VMs, along with my ESXi VMs, to both local and Backblaze B2 storage. So far, so good.
Also, Ubiquiti released Unifi OS 3.0 for the UDM Pro, which I upgraded this morning. Links for that are below. Some nice bits in here, like:
Added Wireguard VPN Server support.
Added VPN Client Routing.
Added Ad-blocking feature.
Added support for OpenVPN tunnel in Traffic Routes.
Allow adding multiple VPN Clients.
The 2.5 OS release had the VPN Client option, but ALL traffic went over the VPN, whether you wanted it to or not. This release gives you the option to say that traffic from a given host or network, or even traffic to a given IP or range, goes over the VPN link. The Ad Block feature is nice too, but I have not tried it yet (still using PiHole for the moment), and the Wireguard VPN option is going to be VERY handy. More testing coming soon…
Day 18 of #100daysofhomelab and today I moved my Unifi Protect cameras from my UDM Pro to my Cloud Key Gen 2. Why? The UDM Pro is still stuck on Unifi OS 2.4 (hopefully it will get 3 at some stage…). The Cloud Key Gen 2, however, does run 3.0. Some of the new Protect features are limited to Unifi OS 3.0, and I wanted to try them out. Also, my UCK has a 5TB HDD in it, but my UDM only has 3TB, so I get more recording space from the UCK. So far, it seems to be running well. Everything else is still on the UDM Pro. Only Protect has moved. More tomorrow.
A few weeks back, Ubiquiti released a pre-release update for the Unifi Network Controller, version 7.1.61. It got installed on my UDM and I noticed a few interesting bits that you might find handy… First, you will need to be signed up for Unifi Early Access before you can download or even read the release notes, but this is just a quick update based on my findings so far.
The first thing to note: You can see the list of devices connected to switches on the Overview Tab. I can’t remember exactly when that was added, but I think it’s new…
Under the ports tab, you now have a ports insight option:
Clicking this gives you:
You can also select multiple ports and make changes at a bulk level:
You can also see a bit more info about each port:
Teleport VPN is also now added. This makes giving someone access to your network a LOT easier than usual. They will need the WifiMan software on Android, iOS or Mac to join. Not sure what happens on a Windows machine… Maybe it’s coming soon? To use it, just generate a new link and send it to your user. Not sure how to remove them afterwards (if you only want to give them temporary access, for example…).
Final interesting part, and something I have been waiting on for a while: under Traffic Management, you can now create custom traffic rules:
You can set it based on destination Domain Name, IP or even the full internet:
And you can set the Source to be All Devices, group of devices (network) or individual (or multiple targeted) devices.
Finally, you can set the output internet connection.
If you have multiple internet connections and one has better speeds for things like Netflix, or you want to send bulk data over a different link, you can do that with this feature. Very cool stuff.