Future Architecture: VLAN Trunking​

The goal is to move to an 802.1Q trunked VLAN on the Raspberry Pi, allowing a single ethernet cable to carry multiple isolated networks. The Pi would then act as a central DHCP and VPN gateway for each, providing a clean and scalable home networking backbone.

NetworkManager on Debian Trixie​

I thought it was Debian Bookworm, but Trixie finally forced me into a shotgun wedding with NetworkManager (NM). While I initially resisted, the unified CLI (nmcli) for managing Wi-Fi, ethernet, and VPN interfaces is actually quite powerful once you get past the initial learning curve.

Static IP Configuration with nmcli​

To set up a reliable static IP for a local gateway:

$ nmcli con add con-name my-con-em1 ifname em1 type ethernet \
  ip4 192.168.100.100/24 gw4 192.168.100.1
$ nmcli con mod my-con-em1 ipv4.dns "1.1.1.1 8.8.8.8"
$ nmcli con up my-con-em1

DHCP and Network Forwarding​

A nice feature of the Ubiquiti ecosystem is that it can act as a meshed AP, allowing a Raspberry Pi to serve as the DHCP server and gateway for a specific VLAN. This requires enabling IPv4 forwarding:

sysctl -w net.ipv4.ip_forward=1

The Other Problem(s)​

Stale WireGuard Connections​

When a remote endpoint changes its public IP, the WireGuard tunnel can become stale. While I've been manual about restarts so far, a Systemd Timer combined with a simple health check script (pinging the remote gateway) could easily automate this recovery workflow.

WireGuard Configuration: The Gateway Entrance​

[Interface]
Address = 10.253.120.7/32
ListenPort = 21001
PrivateKey = <local-private-key>

[Peer]
Endpoint = <gateway-domain>:21001
PublicKey = <remote-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

I've spent some time firming up the Overlord Home Network Kill Switch project due to some breaking changes in Pi-hole v6 and Ubiquiti Control 9.4.19. It’s a home project that uses iOS HomeKit buttons, backed by a Ubiquiti and Pi-hole setup, to simplify parental controls. I suspect others might appreciate a one-tap solution for managing network access, especially one that's easy enough for less technical family members to use.

Why I Built This​

The UniFi app is powerful, but I found it took too many clicks to quickly block the internet or specific services like YouTube. This project creates simple "on/off" switches in Apple HomeKit, saving me from needing to open the app or connect to a VPN for simple tasks. For those using Home Assistant, integration should also be straightforward.

What It Does​

I built a small FastAPI application that works with HomeKit (via MQTT and Node-RED) to:

• Enable or disable predefined firewall rules on your Ubiquiti network.
• Block or unblock specific devices by their MAC address.
• Allow non-technical users to create schedules and automations for these actions directly in the Home app.

Where to Get It​

You can find all the specifics on the GitHub repo: https://github.com/5L-Labs/overlord-network-kill-switch

To get started quickly with Podman:

podman run -d --replace --name=overlord-dns -p 19000:19000 --env-file=./etc/envfile ghcr.io/5l-labs/overlord-network-kill-switch:2.5

What was hard about this?​

Testing, testing, testing. Time management was also a challenge—this took far longer than planned for the limited time I had.

• Not DOSing the Ubiquiti Controller while trying to validate code paths.
• Ensuring Pi-hole v6 API calls were working as expected.
• Adding in edge-case/race-condition checks.
• Making it proper, releasable code that someone else might actually use.

Did AI Help?​

No, not really. It did some scaffolding and documentation, but the core logic was still human-led. I am currently using Jules to keep ripping out dead code paths and maintain the FastAPI backend, which has significantly lowered the "toil" of this side project.

Recent Changes​

• Pi-hole v6 API Integration: The project now uses the new pihole6api library to interact with the Pi-hole v6 API. This allows for more reliable and efficient management of blocklists.
• Ubiquiti Control 9.4.19 Support: The project has been updated to support the latest version of Ubiquiti Control.

How It Works (The "Background")​

I use the firewall rules on my Ubiquiti gear to enforce blocks on devices (like school-issued laptops) that are configured to bypass my local Pi-hole DNS. This setup allows for creating network-level blocks for common services, providing a more robust solution for locked-down devices. It was a fun project, and it gives my family an easier way to manage internet access as my kids get older.

• In addition, your data goes to the Wyze Cloud Infrastructure on AWS, where security incidents have happened—most notably the Feb 2024 event where users could inadvertently see into others' homes. I'm not judging, but if you value your privacy, it's time to take control of your hardware.
• I'm not opposed to paying for good software, but I'm already paying Apple and Google for their ecosystems. Do I really need to pay Wyze just to see my own front porch?
• Scrypted and Frigate are excellent open-source options for private camera management, streaming over the local LAN via ONVIF.
• These tools work with the Wyze API, but Wyze's recent firmware changes have made local-only access increasingly difficult, forcing my hand to replace the firmware entirely.

NAT at the Router, Fool (didn't work... why?)​

Initially, I tried to block Wyze's cloud heartbeats at the firewall level. This failed because the stock Wyze firmware is designed to "fail closed" or enter a reboot loop if it cannot reach its AWS-based authentication servers. The only way to truly own the hardware is a complete firmware replacement.

The Thingino Adventure​

Flashing the Thingino firmware onto a Wyze Cam v3 is not for the faint of heart. The device uses an Ingenic T31 processor, and the "almost bricking" experience happened while using the Ingenic USB Cloner tool.

If you don't get the driver and the "vibe" of the bootloader sequence just right, the device remains in a dead state. It took three attempts and a dedicated Windows VM to finally get the firmware to take. But once it did? Total local control, no cloud heartbeats, and a beautiful RTSP stream directly into Scrypted.

Conversion Strategy​

• Battery Cam Protocol: Moving to cameras that support local RTSP/ONVIF streams instead of proprietary battery-saving protocols that require cloud-based "wake-ups" to function.

• Legacy Support: Repurposing older hardware with Thingino or Scrypted to bypass the manufacturer's cloud limits and proprietary app requirements.

The Role of the Scrypted Hub​

The "Hub" in the diagram represents Scrypted, which acts as a bridge between my local IP cameras and HomeKit. It handles the local heavy lifting of motion detection and recording (HKSV), ensuring zero-latency access within the Apple ecosystem without any data ever leaving the house. This setup allows me to use any high-quality IP camera as if it were a native, high-privacy HomeKit device.

Hardware and Privacy Strategy​

All routers are currently Ubiquity. While they offer a great balance of performance and ease of use, I maintain a strict egress-filtering policy to block any "phone-home" telemetry to Ubiquity's servers. Should any issues with unsolicited data sharing be discovered, these will be replaced with more privacy-focused alternatives like OPNsense or pfSense.

Key Components​

• Local Mesh: A cluster of Raspberry Pi devices running Home Assistant and Homebridge to bridge Zigbee and Tasmota devices into HomeKit.
• Traffic Routing: Custom firewall rules ensure that IoT devices (VLAN 40) are completely isolated from the main network and have zero internet access unless explicitly whitelisted for firmware updates.
• Verification: Periodic Wireshark captures verify that no unauthorized traffic is leaking from the "Private Home" to external cloud providers.

The Problem: School Devices with Their Own Rules​

Many schools now provide Chromebooks for students to use both in class and at home. While these devices offer valuable educational benefits, they come with an unexpected challenge for parents trying to maintain healthy digital boundaries at home.

School-issued Chromebooks are typically configured with enterprise management tools that enforce the school's policies—including their internet filtering system. Products like Lightspeed filter proxy initial connection requests through school servers, effectively bypassing any local DNS or content filtering you might have configured on your home network.

To complicate matters further, tech-savvy students quickly discover proxy websites and workarounds that circumvent even the school's filtering systems. In our household, this meant homework time was regularly derailed by YouTube videos, despite our network-level content restrictions that worked perfectly on other devices.

Regaining Control: Falling Back on TLS 1.2​

One of the most effective, if blunt, ways to regain control is by "falling back on TLS 1.2" at the firewall level. By disabling TLS 1.3 for specific school-managed MAC addresses, we can force the device's traffic through a local inspection point (like a MITM proxy with a root CA) that the school's enterprise policy might otherwise bypass.

The key takeaway is that you cannot rely on DNS alone for managed devices. You must use a combination of MAC-based IP static assignments and Layer 7 firewall rules to identify and shunt this traffic into a restricted VLAN. This enforces your home rules over the school's proxy, ensuring that homework time remains productive and focused.