Beginners question: Will this setup work?

Hello Forum,

I’m new here searching for a reasonable replacement for a recently bought Unifi Dream Machine (UDM, an all-in-one firewall, access point and managed 4-port gigabit switch device), which sounded good at first but is far from being stable, is only usable with a Ubiquiti account and, as I found out today, likes to phone home even if I opt out in the Unifi controller. So this device needs to go away soon. Added to that, I bought a Unifi managed 24-port switch and two access points that I don’t really want to get rid of. So only a replacement for the UDM is needed. An IPFire with an extra access point seems to be a good alternative for a SOHO environment. I’m not a firewall expert and additionally a native German speaker, so I hope you understand what I want to ask. Apologies if it is not that clear :wink:

I uploaded the desired layout as an attachment. There are more wired and wireless clients, another two VLANs (one with a wired Xbox and one with a wired FireTV stick) and not one but three access points, but the general layout doesn’t change with those additional devices. So I left them out for clarity.

First, there is a Fritzbox serving as the VDSL modem and DECT base for IP telephones (wired and wireless) in the red area. Then comes the IPFire box (at the moment an APU4D4 is planned, if reasonable), because besides the WAN port and the port to connect the switch on admin VLAN 1 I need at least another two gigabit ports to connect my office equipment (laptop and printer/scanner device) directly to that box on VLAN 10, because it is not possible to connect them to the switch. All these devices should be in the green area, if I understand that principle correctly. And not to forget a Raspberry Pi with Pi-hole serving as the primary DNS server, ad blocker and anti-tracking for the whole green area (except the guest VLAN 100).

The managed switch has PoE ports leading to the access points in admin VLAN 1, broadcasting four different SSIDs on VLANs 10, 20, 50 and 100. 100 is the guest VLAN with a different port range.

At the moment, the UDM sits in the place of the (maybe soon to be there) IPFire box, and because everything is Unifi, it is very easy to assign the same VLANs to the switch ports on the UDM and the switch ports on the Unifi switch.

So my questions are now: Is it also possible to assign the same VLANs on the IPFire box ports and on the Unifi switch ports? And if yes, is the APU4D4 sufficient for a 100 Mbit VDSL line, IPS with Suricata and at least 10 devices in the local network (one of them streaming Netflix, one Xbox, one streaming YouTube and one home office device remotely connecting to a company server)? Or should I look for a more powerful device? Two more ports on the IPFire device wouldn’t hurt either. And it needs to be fanless. Any suggestions are appreciated.

So, I hope you understand what I’ve written :slight_smile:

I’m looking forward to your answers. Thank you in advance

Chris

Welcome Chris,

I am personally not a fan of these, but they work - most of the time.

What is the reason for so many different VLANs? I am not sure if this in the end will bring you any advantage. You will have to add many rules on the firewall and then it does not really matter if you are crossing VLAN boundaries.

That box is definitely too slow for an IPS on 100 MBit/s.

Hi,

do you use some kind of installation already? I’m not sure if you mix up LAN and VLAN, especially related to the fact that you’re talking about VLANs in your wifi but actually there are just different SSIDs with subnets for different user groups :thinking:.

However, with all your VLANs, as long as you don’t want to manage them with IPFire you will be fine. There is no web UI implementation for managing VLANs.

Don’t do that: with much traffic it will be a brick and way too slow. I’ve been using an AMD APU for many years now with fewer clients in my network than yours with 150 Mbit/s and it has become too slow. That’s why I just upgraded my fw. Build up something like that to have enough power! Ryzen Refresh 1600 are really cheap :innocent: atm.

Hello Michael, hello Terry,

thanks for your replies. Well, I’m not a network expert, so maybe the words I use (and in English too…) are not always the right ones, but I hope you get the meaning. It is hard for me to describe my needs in English.

The idea of it all is to make the office devices unreachable from the private stuff and vice versa. At the moment it is configured like the network map, except the desired IPFire device is the Unifi Dream Machine serving as security gateway, router, firewall, access point for four SSIDs in four different subnets and a 4-port switch directly connecting two devices in the same subnet. The many different subnets were configured because it is easy to do so in the Unifi controller :wink: There is a deny-all rule between the subnets, except one allow rule for the network printer with only a specific IP address and port to be reached from two other subnets. I thought it was a good idea to divide it like that, because the possible spread of malware caught accidentally by kids, wife or me would be limited to fewer devices.

But maybe I think too complicated?

Michael, you write that you are not a fan of these. What do you mean? Fritzbox? Pi-hole? I didn’t get that.

Greetings
Chris

edit:
Apparently I confused VLANs with subnets. So, I need to assign two NICs on the IPFire box to the same subnet 10, which is also configured (besides other subnets) in the managed switch behind it. And I need to apply a deny-all rule that includes the NICs on the IPFire box and the NICs on the switch behind it. I know it’s hard to read for a network expert, but do you understand me?
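The segmentation policy described in this post (deny everything between subnets, allow only two subnets to reach the printer on one address and one port, intra-subnet traffic untouched) can be written down and checked before it is typed into any firewall. This is an added example, not anything from the thread or from IPFire; the subnet addresses, the printer address and port 9100 are constructed assumptions, since the thread gives only the VLAN IDs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the thread's VLAN IDs (assumed, not from the post).
SEGMENTS = {
    "admin":  ipaddress.ip_network("192.168.1.0/24"),    # VLAN 1
    "office": ipaddress.ip_network("192.168.10.0/24"),   # VLAN 10
    "family": ipaddress.ip_network("192.168.20.0/24"),   # VLAN 20
    "media":  ipaddress.ip_network("192.168.50.0/24"),   # VLAN 50
    "guest":  ipaddress.ip_network("192.168.100.0/24"),  # VLAN 100
}
PRINTER = ipaddress.ip_address("192.168.10.50")  # assumed printer in the office subnet
PRINTER_PORT = 9100                               # assumed raw-print port

@dataclass(frozen=True)
class Rule:
    src: Optional[str]                            # source segment name, None = any
    dst_host: Optional[ipaddress.IPv4Address]     # exact destination host, None = any
    dport: Optional[int]                          # destination port, None = any
    action: str                                   # "allow" or "deny"

# First match wins; the last rule is the deny-all between segments.
RULES = [
    Rule("family", PRINTER, PRINTER_PORT, "allow"),
    Rule("media", PRINTER, PRINTER_PORT, "allow"),
    Rule(None, None, None, "deny"),
]

def segment_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow crossing (or not) the firewall."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg is None or d_seg is None:
        return "deny"          # unknown segment: fail closed
    if s_seg == d_seg:
        return "allow"         # same subnet never traverses the firewall
    for r in RULES:
        if r.src is not None and r.src != s_seg:
            continue
        if r.dst_host is not None and dst != r.dst_host:
            continue
        if r.dport is not None and dport != r.dport:
            continue
        return r.action
    return "deny"

def reachable_from(seg: str, dport: int) -> set:
    """Audit helper: which other segments a compromised host in `seg` could reach on a port."""
    probe = {name: str(net[2]) for name, net in SEGMENTS.items()}
    return {d for d in SEGMENTS if d != seg and decide(probe[seg], probe[d], dport) == "allow"}
```

`reachable_from("family", 445)` returning an empty set is the property the post is after: a malware-infected family device has no lateral path into the office subnet except the single printer port.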

If you possibly mixed up VLANs and IP subnets in your description, it would be easier to understand your config and needs if you specified the IP addresses/subnets of your network segments.

Hello Bernhard,

I’m back at home and have some screenshots from the Unifi controller for you all. I hope this says more than a thousand (wrong) words by me :wink:

(Add a Fritzbox to the left of the left device (Unifi Dream Machine, combined firewall, router, 4-port switch and access point).)

Greetings
Chris.

With IPFire 2 you can’t do exactly the same thing, since you have only 2 user/client nets, GREEN + BLUE. For every VLAN you need (I’m not sure that you really need them) a separate NIC, and you configure them in the “NIC assignment” via the web UI as VLAN. Also your switch needs to be configured for static VLANs. In my opinion this is not useful, since you will need at least 6 NICs for the GREEN (+BLUE) network and wired connections to the switch.

Hello Terry,

thank you for your answer.

That sounds like I’d better stick to the Ubiquiti Unifi stuff. I don’t like their privacy policy at all, and I thought I could replace it easily with something truly open source, but it seems I’m not yet ready for it.

Maybe I’ll be back when I’ve got more knowledge of IT networking, or if Ubiquiti gets even worse so I don’t really have a choice but to switch.

Thank you all for your contributions to this thread :+1:

Chris.

Hello Chris,

I think your VLAN concept won’t fit IPFire at the moment, because of the backward restrictions.
As described in the wiki page, only one VLAN per ethernet interface is available:
https://wiki.ipfire.org/configuration/network/zoneconf

Hopefully IPFire 3 could solve the problem.
Unlike the others, I’m also a big fan of VLANs which are separated by the firewall.

Best regards
Gothic Gorn