"The cost to build software is rapidly approaching zero. The infrastructure needed to maintain it hasn't changed: it's only getting more expensive."
I got into tech at 16 because of my dad: he's a systems engineer. Since then I've been a help desk tech, a Tier I technician, a Tier II technician, a sysadmin, a platform engineer, AWS developer, a software engineer, a lead software engineer, a senior software engineer, and now a staff engineer. I say all that not to gloat, but to say: I've touched every layer of the stack, and the one thing that's stayed true through all of it is there is no software without networking.
Outside of work, I do a lot of prototyping on my own and I've been experimenting with running local models. That's what led me here.
Then I started running AI agents locally on a Mac Mini: OpenClaw, local models, the works. And I realized everything was sitting on the same flat WiFi network as my work laptop, my guests' phones, and my smart TV. That's not a lab. That's a security incident waiting to happen.
So I built a proper segmented network in my apartment. Here's exactly how I did it, step by step, so you can too.
The Thesis: Why This Matters Now
Local AI is about to change everything. Models are getting smaller, hardware is getting cheaper, and running inference locally is becoming the default for engineers who care about privacy, latency, and cost. But here's what nobody's talking about: the people who will be employed in five years aren't just the ones who can write code: they're the ones who can set up the infrastructure to run it.
Networking has always mattered. But before, as a software engineer, you could abstract it away. Someone else handled the network. Someone else configured the firewall. You just wrote code and shipped it. That's not the case anymore. Deploying and maintaining AI models, running local inference, managing secure environments: these require you to understand networking intimately. It's not a nice-to-have. It's becoming the same kind of fundamental requirement as understanding request/response, or knowing the difference between authentication and authorization. It's just another layer of the stack you need to own.
If you're a software engineer running local models, building side projects, or working remotely, you need to understand how to segment, secure, and manage a network. This isn't optional anymore. It's table stakes.
What You Need (It's Cheaper Than You Think)
You need three things: a router/gateway, a managed switch, and an access point. That's it.
I use UniFi. You don't have to. TP-Link Omada, Mikrotik: they all work. The concepts are identical. I chose UniFi because the controller software is clean, the ecosystem is cohesive, and it's what MSPs deploy in real offices. The point isn't the brand: it's understanding how the pieces connect.
My Setup (~$1,200)
- Gateway: Cloud Gateway Max (1TB) - $349. Router, firewall, IDS/IPS, built-in controller + storage
- Switch: USW-Enterprise-8-PoE - $479. Managed switch, PoE for APs, Layer 3 routing, 802.1X
- Primary AP: U7 Pro - $189. WiFi 7, scanning radio for RF planning
- Secondary AP: U7 Lite - $99. Extended coverage (added later: not needed day one)
- Cables + Mount: GEARit Cat6 + 3M Command Strips - $80. Color-coded cables, renter-friendly AP mounting
Budget Alternative (~$360)
- Gateway: Cloud Gateway Ultra ~$130
- Switch: USW Lite 8 PoE ~$110
- AP: U7 Lite ~$99
- Cables: Cat6 5-pack from Amazon ~$20
Same VLAN segmentation. Same firewall rules. Same network isolation. You just get fewer ports and one AP instead of two. For a one-bedroom apartment, that's plenty.
The Plan: Three VLANs, Matrix Style
I set up three completely isolated networks. And because life's too short for boring SSID names, I went with a Matrix theme.
- Tank (VLAN 10): Career/Work. Subnet: 10.10.10.0/24. WiFi enabled, SSID broadcast. Use: Work laptop, career stuff.
- Zion (VLAN 20): Personal/Guest. Subnet: 10.10.20.0/24. WiFi enabled, SSID broadcast. Use: Phones, guests, personal devices.
- Sentinel (VLAN 30): AI Lab. Subnet: 10.10.30.0/24. No WiFi, wired only, zero WiFi exposure. Use: Mac Mini running OpenClaw, hardwired only.
Why 10.x.x.x instead of 192.168.x.x? Because 192.168.0.0/24 and 192.168.1.0/24 are the defaults on most consumer routers. Using less common subnets lowers the odds that a VPN's remote subnet collides with your local one (and since corporate VPNs often live in 10.0.0.0/8 themselves, 10.10.x.0/24 is a safer pick than 10.0.0.0/24 or 10.0.1.0/24). It's also what you'll see in enterprise environments. Putting the VLAN ID in the third octet (VLAN 10 = 10.10.10.0/24) means you can look at any IP and instantly know which network it belongs to.
Why no WiFi for Sentinel? Because the Mac Mini doesn't need it. It's plugged directly into the switch via ethernet on a dedicated port whose native (untagged) VLAN is 30. No SSID for that VLAN means no way onto it from radio range; the only ways in are to plug into that specific switch port or, from another VLAN, to get past the firewall rules in Step 6. Two things keep that true: turn the Mac Mini's own Wi-Fi and Bluetooth off in macOS, so the host can't quietly join Tank or Zion and bridge the two, and don't leave spare switch ports assigned to Sentinel. That's how you isolate sensitive workloads.
The Build: Step by Step (UniFi Specific)
Step 1: Cable Everything
Modem into the gateway's WAN port. Gateway LAN port to the switch. Mac Mini into its own dedicated switch port. APs into PoE ports on the switch (the switch powers them through the ethernet cable: no separate power adapter needed). That's the full topology.
Step 2: Adopt Devices
Open unifi.ui.com or the UniFi app. Each device will appear as "pending adoption." Adopt the gateway first, then the switch, then the APs. Let firmware updates finish: the switch took about 15 minutes on first boot. Don't unplug anything while it's updating.
Step 3: Create Your VLANs
In the UniFi controller: Settings > Networks > New Virtual Network
For each VLAN:
Tank (Career/Work): Network Name: Tank, Auto-Scale Network: Unchecked, Host Address: 10.10.10.1, Netmask: /24, VLAN ID: 10, Allow Internet Access: Yes
Zion (Personal/Guest): Network Name: Zion, Host Address: 10.10.20.1, Netmask: /24, VLAN ID: 20, Isolate Network: Yes (auto-creates rules preventing guest devices from reaching other VLANs), Allow Internet Access: Yes
Sentinel (AI Lab): Network Name: Sentinel, Host Address: 10.10.30.1, Netmask: /24, VLAN ID: 30, Isolate Network: No, Allow Internet Access: Yes (Mac Mini needs internet for pulling models and updates)
Step 4: Create WiFi Networks
Settings > WiFi > Create New
Create two SSIDs (not three: Sentinel is wired only):
- SSID "Tank" > Map to network: Tank > Set a strong password
- SSID "Zion" > Map to network: Zion > Set a strong password
Step 5: Assign the Mac Mini's Switch Port
This is the critical step that locks the Mac Mini onto its isolated VLAN.
Go to Devices > USW Enterprise 8 PoE > Port Manager. Find the port your Mac Mini is plugged into. Change the Native VLAN to Sentinel. Set Tagged VLAN Management to Block All. Apply.
The Mac Mini will grab a new IP from the 10.10.30.x range (renew its DHCP lease, or unplug and replug the cable, if it doesn't). It's now logically isolated from Tank and Zion at layer 2. The gateway still routes between the VLANs until the firewall rules in the next step are in place, so don't stop here.
Step 6: Firewall Rules: "You Shall Not Pass"
This is where segmentation becomes real. Without firewall rules, VLANs can still talk to each other through the gateway. You need to explicitly block that.
Go to Settings > Firewall & Security > Firewall Rules and create two rules. That's it. Two.
Rule 1: "Block Inter-VLAN (you shall not pass)". Action: Block, Type: Local, Source: All Devices, Destination: All 4 Networks (Default, Tank, Zion, Sentinel), Schedule: Always.
This is the hammer. It blocks all inter-VLAN traffic. Tank can't talk to Zion. Zion can't talk to Sentinel. Sentinel can't talk to Tank. Done.
Rule 2: "Allow Default to All VLANs (phone home)". Action: Allow, Type: Local, Source: Default (VLAN 0), Destination: 3 Networks (Tank, Zion, Sentinel), Schedule: Always.
This is the exception. The Default network is your management network: it's how your UniFi devices communicate with the controller. Without this rule, management traffic from Default into the three VLANs is blocked along with everything else. So you allow Default to reach all three VLANs, but the three VLANs still can't reach each other. Two caveats. Rules are evaluated top to bottom and the first match wins, so this allow has to sit above the block in the rule list; if you created the block first, drag the allow above it or it never fires. And if traffic that Rule 2 allows turns out one-way (requests go out, replies never come back), the block is catching the return packets: either restrict Rule 1 to new connections in its advanced match-state settings, or add an allow rule for established/related traffic above it.
That's the entire firewall config. Two rules. Clean, simple, and if you're scrolling through your config at 2am, "you shall not pass" is going to make you smile.
Step 7: Kill the Modem WiFi
Log into your modem's admin page (usually 192.168.1.1: check the sticker on the modem). Disable the built-in WiFi radio. If your ISP supports it, enable bridge mode or IP passthrough so the modem just passes the internet connection to your gateway. This ensures the Cloud Gateway Max handles all routing, DHCP, and firewall duties: exactly how an office deployment works.
For AT&T modems, look for "IP Passthrough" in the firewall settings. Set it to passthrough mode with DHCPS-fixed and select your Cloud Gateway Max's MAC address.
Step 8: Verify Your Isolation (The Fun Part)
This is the step most tutorials skip. Don't skip it. Open your terminal and prove your segmentation works. Two things to get right first. The .1 address of each subnet (10.10.10.1, 10.10.20.1, 10.10.30.1) is the gateway itself, not a device on that VLAN, and traffic addressed to the gateway is handled by the LAN Local rule type rather than by the inter-VLAN block in Step 6, so pinging a .1 address tells you whether the gateway answers, not whether that VLAN's hosts are reachable. Ping real targets instead: the Mac Mini's lease on Sentinel and a phone on Zion, both visible in the UniFi client list (the .50 addresses below are placeholders). And before trusting a timeout, confirm the target answers ping from a device on its own VLAN; macOS stealth mode and most phones drop ICMP, and a host that never answers proves nothing about the firewall.
Test 1: Connect your laptop to the Tank WiFi network, then try to ping a device on Zion.
# From your laptop on Tank (10.10.10.x), targeting a phone on Zion:
ping -c 3 10.10.20.50
# Expected output:
# Request timeout for icmp_seq 0
# Request timeout for icmp_seq 1
# Request timeout for icmp_seq 2
# 3 packets transmitted, 0 packets received, 100.0% packet loss
100% packet loss. That's what you want to see. Tank can't reach Zion.
Test 2: From your laptop on Tank, try to ping the Mac Mini on Sentinel.
# From your laptop on Tank (10.10.10.x), targeting the Mac Mini's lease:
ping -c 3 10.10.30.50
# Expected: 100% packet loss
Test 3: From a phone on Zion, try to reach the gateway admin panel. Open a browser on a device connected to the Zion WiFi and navigate to https://10.10.20.1. It should fail to load: your guests can't touch your router config. One thing to know about this test: 10.10.20.1 is the gateway itself, so the traffic is evaluated as LAN Local (client to gateway), not as LAN In (client forwarded to another VLAN) where Rule 1 lives. If the login page does load, that's where to add a block from Zion to the gateway's management ports (leave DHCP and DNS alone, since guests get both from that same address).
Test 4: From the Mac Mini on Sentinel, verify internet works, then confirm it can't reach the work network.
# From the Mac Mini (10.10.30.x):
ping -c 3 8.8.8.8
# Expected: replies from Google DNS: internet works
# Then try your work laptop's address on Tank:
ping -c 3 10.10.10.50
# Expected: 100% packet loss: can't reach the work network
If all four tests pass, congratulations. You have a production-grade segmented network running in your apartment.
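To make Step 8 repeatable (you'll want to rerun it after every firewall change), here is a small POSIX shell script. It is an added example, not part of the original post and not UniFi tooling. It encodes what each test should return from the point of view of the VLAN you run it on, probes with ping (and nc for the gateway's admin port from Zion), and returns the number of failed checks. The client addresses 10.10.10.50, 10.10.20.50 and 10.10.30.50 are placeholders; override TANK_HOST, ZION_HOST and SENTINEL_HOST with real leases from the client list. The subnets and the gateway's Zion address come from the post.

```shell
#!/bin/sh
# verify_isolation.sh: repeatable version of the Step 8 isolation tests.
# Added example, not from the original post. Client addresses below are
# placeholders: set TANK_HOST / ZION_HOST / SENTINEL_HOST to real leases.
# Usage: sh verify_isolation.sh tank|zion|sentinel   (run from that VLAN)

GW_ZION=10.10.20.1                             # gateway's own address on Zion
TANK_HOST=${TANK_HOST:-10.10.10.50}            # placeholder: work laptop on Tank
ZION_HOST=${ZION_HOST:-10.10.20.50}            # placeholder: a phone on Zion
SENTINEL_HOST=${SENTINEL_HOST:-10.10.30.50}    # placeholder: the Mac Mini's lease
INTERNET=8.8.8.8

# probe HOST: 0 if an ICMP echo reply came back, non-zero otherwise.
# macOS ping takes -t (overall timeout in seconds); Linux iputils takes -w.
probe() {
    case "$(uname)" in
        Darwin) ping -c 2 -t 3 "$1" >/dev/null 2>&1 ;;
        *)      ping -c 2 -w 3 "$1" >/dev/null 2>&1 ;;
    esac
}

# tcp_probe HOST PORT: 0 if a TCP handshake completes (needs nc installed).
tcp_probe() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# report EXPECT GOT LABEL: prints PASS/FAIL, returns 0 on PASS and 1 on FAIL.
report() {
    if [ "$2" = "$1" ]; then
        printf 'PASS  %-36s %s\n' "$3" "$2"
        return 0
    fi
    printf 'FAIL  %-36s expected %s, got %s\n' "$3" "$1" "$2"
    return 1
}

# check_icmp open|blocked TARGET LABEL
check_icmp() {
    if probe "$2"; then got=open; else got=blocked; fi
    report "$1" "$got" "$3 ($2)"
}

# check_tcp open|blocked TARGET PORT LABEL
check_tcp() {
    if tcp_probe "$2" "$3"; then got=open; else got=blocked; fi
    report "$1" "$got" "$4 ($2:$3)"
}

# run_suite VLAN: runs the checks that must hold for a host on that VLAN.
# Returns the number of failed checks; 0 means the isolation held.
run_suite() {
    fails=0
    case "$1" in
        tank)
            check_icmp blocked "$ZION_HOST"     "Tank -> Zion host"     || fails=$((fails + 1))
            check_icmp blocked "$SENTINEL_HOST" "Tank -> Mac Mini"      || fails=$((fails + 1))
            check_icmp open    "$INTERNET"      "Tank -> internet"      || fails=$((fails + 1))
            ;;
        zion)
            check_icmp blocked "$TANK_HOST"     "Zion -> Tank host"     || fails=$((fails + 1))
            check_icmp blocked "$SENTINEL_HOST" "Zion -> Mac Mini"      || fails=$((fails + 1))
            check_tcp  blocked "$GW_ZION" 443   "Zion -> gateway admin" || fails=$((fails + 1))
            check_icmp open    "$INTERNET"      "Zion -> internet"      || fails=$((fails + 1))
            ;;
        sentinel)
            check_icmp blocked "$TANK_HOST"     "Sentinel -> Tank host" || fails=$((fails + 1))
            check_icmp blocked "$ZION_HOST"     "Sentinel -> Zion host" || fails=$((fails + 1))
            check_icmp open    "$INTERNET"      "Sentinel -> internet"  || fails=$((fails + 1))
            ;;
        *)
            echo "usage: $0 tank|zion|sentinel" >&2
            return 1
            ;;
    esac
    echo "$fails check(s) failed"
    return "$fails"
}

if [ -n "${1:-}" ]; then
    run_suite "$1"
    exit $?
fi
```

Run it once from each VLAN (laptop on Tank, phone or second laptop on Zion, the Mac Mini on Sentinel). A non-zero exit means at least one path is open that should be closed, or the internet check failed; the same ICMP caveat as above applies, so only use targets you have confirmed answer ping from their own VLAN.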
Why I Hardwired the AI Lab
When you run AI agents locally (OpenClaw, Ollama, local LLMs), those processes are making outbound API calls, downloading model weights, processing data, and listening on open ports. On a flat WiFi network:
- Anyone on the same WiFi can see it. ARP and port scans of a /24 take seconds, and every listening port on the Mac Mini is one hop away.
- Your work traffic shares a broadcast domain with the AI host and your guests' phones. That's a compliance problem.
- A home WiFi network is one shared secret: every device that has ever been handed the password lands on the same L2 segment, and the SSID is reachable by anyone in radio range. Ethernet requires physical access to the port.
By hardwiring the Mac Mini on an isolated VLAN with no SSID, you remove the two cheap ways in: radio range and neighbouring clients on the same network. What remains is what the host does itself: outbound API calls, model downloads, and whatever its listening ports expose to the traffic the firewall still lets through. This is the same principle used in data centers: sensitive workloads go on isolated segments with strict access controls. I'm just applying it to my apartment.
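The isolation is only as good as the host at the far end of the cable. As an added example (not part of the original post), the following POSIX shell script checks the Mac Mini itself for the two things that would undercut a wired-only VLAN: a second network path (its own Wi-Fi radio joined to Tank or Zion, or a VPN tunnel), and services bound to all interfaces rather than to loopback, which is what "listening on open ports" above comes down to. It assumes the macOS tools networksetup, ifconfig and lsof; the two parsing functions are the part that does the work and they run on constructed sample output in demo mode. The Sentinel subnet 10.10.30.0/24 is from the post; the process names and ports in the sample are made up.

```shell
#!/bin/sh
# lab_host_posture.sh: checks that the Mac Mini on Sentinel has only one
# network path and no service listening on every interface.
# Added example, not from the original post. Assumes macOS tools
# (networksetup, ifconfig, lsof). Usage: sh lab_host_posture.sh run|demo

SENTINEL_PREFIX=${SENTINEL_PREFIX:-10.10.30.}   # Sentinel is 10.10.30.0/24

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, used by `demo`.
# ollama bound to loopback is fine; node bound to *:3000 is reachable from
# any network the firewall forwards to the Mac Mini.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ollama    501 mini    3u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:11434 (LISTEN)
node      502 mini   22u  IPv6 0x3c4d      0t0  TCP *:3000 (LISTEN)'

# Reads `ifconfig` output on stdin and prints every interface that holds an
# IPv4 address which is neither loopback nor inside the prefix in $1.
# A Wi-Fi association, a VPN tunnel or a bridge shows up here as a second
# path off the lab VLAN. Interface header lines start in column 0 ("en0: ..."),
# address lines are indented ("inet 10.10.30.23 ...").
foreign_ipv4_interfaces() {
    awk -v p="$1" '
        /^[A-Za-z0-9_.-]+:/ { iface = $1; sub(":$", "", iface) }
        $1 == "inet" && $2 !~ /^127\./ && index($2, p) != 1 { print iface }
    '
}

# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and prints
# "COMMAND ADDRESS" for each socket bound to all interfaces (*:PORT).
# The NAME column is field 9; the header line (NR == 1) is skipped.
wide_open_listeners() {
    awk 'NR > 1 && $9 ~ /^\*:/ { print $1, $9 }'
}

# Prints the Wi-Fi device name (for example en1) or nothing if there is none.
wifi_device() {
    networksetup -listallhardwareports |
        awk '/^Hardware Port: Wi-Fi$/ { getline; print $2; exit }'
}

main() {
    dev=$(wifi_device)
    if [ -n "$dev" ]; then
        # Want "Wi-Fi Power (enX): Off". If it reads On, the Mac Mini can still
        # join Tank or Zion over the air: networksetup -setairportpower "$dev" off
        networksetup -getairportpower "$dev"
    fi
    echo "Interfaces with an IPv4 address outside ${SENTINEL_PREFIX}0/24 (want none):"
    ifconfig | foreign_ipv4_interfaces "$SENTINEL_PREFIX"
    echo "Services listening on all interfaces (review each one):"
    lsof -nP -iTCP -sTCP:LISTEN | wide_open_listeners
}

case "${1:-}" in
    run)  main ;;
    demo) printf '%s\n' "$SAMPLE_LSOF" | wide_open_listeners ;;   # prints: node *:3000
esac
```

Anything the second check prints is a service you have decided to expose to every network the gateway forwards into Sentinel; if a service only needs to be used from the Mac Mini itself, bind it to 127.0.0.1 and the firewall never has to make that decision.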
My Background (Why I Care About This)
My dad deploys these systems professionally: he's the one who told me to go modular instead of buying an all-in-one router. That advice alone made this project ten times more educational.
With AI adoption accelerating and local models becoming the norm, the gap is clear: engineers who can write code are everywhere. Engineers who can write code and set up the infrastructure to run it securely? That's a much smaller group. That's where the value is.
What's Next (Maybe)
The network is live and segmented, but there's more to build:
- WireGuard VPN: secure remote access to my home network from anywhere
- IDS/IPS deep dive: what the Cloud Gateway Max actually catches and how to read the logs
- DNS filtering: content-level security policies per VLAN
If anyone finds this useful, then all of this work was worth it. Thank you for taking the time out of your day to read this, I really appreciate it.
If you've got questions about the setup or want to compare notes on your own lab, drop a comment.