Ubiquiti Site Magic: Practical UniFi SD-WAN for Multi-Site Networks

There is a specific kind of networking value that shows up when a feature solves the boring operational work without pretending network design no longer matters. That is the appeal of Ubiquiti Site Magic.

Traditional site-to-site VPNs work, but they are usually manual: peer IPs, proposals, pre-shared keys, phase 1, phase 2, route tables, firewall rules, NAT edge cases, overlapping subnets, WAN changes, and the classic moment where the tunnel says it is up but traffic still does not pass. Paid SD-WAN platforms solve a lot of that, but they often bring licensing, contracts, cloud security bundles, and pricing that do not make sense for a serious home lab, a small office, or a managed family network.

Site Magic lands in the middle in a very UniFi way. Ubiquiti describes UniFi SD-WAN as a way to simplify site-to-site VPN tunnels between UniFi gateways for resource and application sharing across sites. The workflow lives in UniFi Site Manager, and the technical design is documented in Ubiquiti's UniFi SD-WAN guide.

Scope note: Site Magic is UniFi-to-UniFi SD-WAN. It is not a universal replacement for enterprise SD-WAN, third-party cloud VPN platforms, carrier-integrated WAN, or every remote-access VPN use case. If you need multi-vendor edge devices, advanced carrier SLA steering, deep app-aware routing, complex compliance controls, or cloud-native VPN integration, evaluate those requirements directly.

What Is Ubiquiti Site Magic?

Site Magic is UniFi's managed workflow for building SD-WAN style site-to-site connectivity between UniFi gateways. It is not magic in the sense that you stop thinking about routing, security, or addressing. It is magic in the practical sense: the routine tunnel plumbing gets quieter.

Instead of building every VPN by hand, you pick the topology, select the participating sites, decide which networks and routes should be advertised, and let UniFi create the managed site-to-site fabric. That is the win. VPNs did not become new. Routine multi-site plumbing became repeatable.

• Connect a home lab to a remote office or secondary property.
• Link a small office, shop, warehouse, church, or side business to a main site.
• Give family networks a managed support path without exposing admin tools to the public internet.
• Build simple branch access to shared services such as NAS, DNS, monitoring, cameras, inventory systems, or internal apps.
• Avoid recurring SD-WAN licensing when a UniFi-native solution is enough.

Why It Matters

The value is operational consistency. A one-off IPsec tunnel is fine. Ten tunnels across changing WAN links, renamed networks, branch moves, new subnets, and old documentation are where manual VPN designs start to age badly.

Site Magic gives UniFi users a cleaner path. You still need a good IP plan, firewall policy, and topology choice, but the day-to-day experience is closer to managing a fabric than maintaining a pile of hand-built tunnels. For a TechGeeks-style home lab or small office, that is a meaningful jump.

Before You Click Connect: Pick the Right Topology

The first design decision is not which button to press. It is how traffic should flow. Ubiquiti currently supports two main SD-WAN topology models: Hub-and-Spoke and Mesh.

Topology	Best Fit	Scale / Behavior	Security Notes
Hub-and-Spoke	Headquarters, main home lab, central NAS/server site, shared services, cloud egress whitelisting, many branches.	Centralized design. Ubiquiti lists hub-and-spoke support up to 1,000 tunnels depending on hub model.	Better default when branch-to-branch traffic is not required. Use spoke isolation and least-privilege firewall rules.
Mesh	Small groups of peer sites that need direct site-to-site access.	Decentralized design. Ubiquiti lists Mesh as supporting up to 20 sites.	Every site can become a lateral path. Firewall rules matter at every site. Avoid overlapping subnets.

Practical default: Start with Hub-and-Spoke unless branch-to-branch traffic is real, frequent, and justified. Mesh is useful, but it is not automatically better. It is simply a different topology.

Reference Topologies

Home Lab or Power Home User

Use your main home network as the hub. Remote sites become spokes. This is useful when the main site hosts NAS, Proxmox, monitoring, backups, DNS, media services, or administrative tooling. Keep IoT, guest, and untrusted networks out of the SD-WAN unless there is a specific reason to advertise them.

Small Business

Use the office or server location as the hub, then connect a warehouse, small shop, owner home office, or remote staff site as spokes. This keeps shared resources centralized and makes it easier to control which branch networks can access inventory systems, file shares, cameras, VoIP, or internal web apps.

Managed Family Network

This is one of the more practical home uses. A technically managed home can act as the hub for parents, a vacation home, or a sibling location. The goal is not to merge every device into one big trusted LAN. The goal is controlled access for remote support, backups, and specific shared services.

Retail or Branch Network

Hub-and-Spoke is usually the cleaner fit. Put POS, inventory, admin systems, and monitoring behind the hub path. Isolate branches from each other unless there is a documented business reason for lateral branch traffic.

Requirements That Matter

Ubiquiti's current SD-WAN guide lists specific requirements. Verify the live documentation before deployment, but these are the design-impacting items to plan around:

• Hub-and-Spoke requires a supported hub with a public IP address.
• Hub-and-Spoke spokes can be most Cloud Gateways, excluding Express, or independent gateways managed with a CloudKey or Official UniFi Hosting.
• All hubs and spokes must share the same UI Account Owner or be managed in the same Fabric by Fabric Admins.
• Hub-and-Spoke requires UniFi Network Application 9.0.108 or newer.
• Hub-and-Spoke requires UniFi gateway version 4.1.3 or newer.
• Mesh requires participating gateways under the same owner and at least one gateway with a public IP address.
• Legacy USG models are not supported.
• IPv6 is not yet supported for this SD-WAN feature according to Ubiquiti FAQ guidance.

Setup Guide: Hub-and-Spoke

Use Hub-and-Spoke when one site is the center of gravity. That site might host servers, storage, cameras, identity, DNS, management, monitoring, or cloud egress.

1. Open UniFi Site Manager and go to Settings > SD-WAN.
2. Choose Hub & Spoke and name the SD-WAN group.
3. Choose the hub topology: Single, Failover, or Distributed.
4. Choose the spoke-to-hub VPN architecture: Max Resiliency, Redundant, or Scalable.
5. Add the hub site or sites.
6. Select hub networks or manually defined routes to advertise.
7. Assign the primary VPN WAN and optional WAN failover for each hub.
8. Add spoke sites.
9. Select the spoke networks that should be advertised.
10. Configure spoke WAN and failover WAN settings.
11. Review advertised networks, WAN assignments, route intent, and overlap risk.
12. Apply the configuration and wait for tunnels/routes to establish.

Do the boring work first: Before applying the design, confirm firmware, ownership, remote access, rollback path, WAN health, and the exact networks that should cross the SD-WAN. The fastest way to make a clean feature messy is to advertise every VLAN and hope firewall policy catches up later.

Setup Guide: Mesh

Use Mesh when participating sites are peers and need direct site-to-site communication. Mesh is not the default answer for every small network. It is the answer when direct branch-to-branch paths are actually useful.

1. Open UniFi Site Manager and go to Settings > SD-WAN.
2. Choose Mesh and name the SD-WAN group.
3. Select up to 20 sites for the mesh group.
4. Select the networks from each site that should participate.
5. Confirm there are no overlapping subnets across shared networks.
6. Confirm guest, IoT, camera, POS, and management networks are excluded unless intentionally needed.
7. Apply the configuration and wait for mesh VPN tunnels and routes to come online.

Security Controls You Should Add Immediately

A working tunnel is not a security policy. Treat Site Magic as transport, then decide what is actually allowed to move across it.

• Do not advertise every VLAN by default.
• Keep guest, IoT, camera, kids, POS, and management networks scoped tightly.
• Prefer Hub-and-Spoke with spoke isolation when branch-to-branch access is unnecessary.
• Use Zone-Based Firewalling before relying on spoke isolation behavior.
• Allow only required source networks, destination networks, and ports.
• Avoid broad Any-to-Any rules between sites.
• Protect the UniFi Owner account with MFA and strong recovery controls.
• Use named admin accounts. Avoid shared owner credentials.
• Log SD-WAN changes, firewall changes, denied inter-site traffic, VPN events, and NAT/DNAT hits.
• Review firewall rules after every new site is added.

Be careful with overlapping subnets. Ubiquiti supports Auto-Scale and NAT Spoke VPN behavior for Hub-and-Spoke designs with overlap, but NAT adds troubleshooting and logging complexity. Clean addressing is better when you control the sites.

Validation and Troubleshooting

Test in layers. Routing can be correct while DNS is wrong. Firewalling can be wrong while the tunnel is perfect. Work from the lowest useful layer upward.

Check	What to Validate	Why It Matters
Site status	All selected sites are online in UniFi Site Manager.	A missing or offline site cannot participate reliably.
Tunnel status	SD-WAN group shows healthy tunnels.	Confirms the fabric is established before testing apps.
Gateway ping	Gateway-to-gateway reachability across advertised networks.	Validates routing before testing clients.
Client-to-server	A client at one site reaches a specific service at another site.	Confirms firewall and return path.
DNS	Names resolve across the intended path.	Many VPN complaints are DNS problems, not routing problems.
Denied paths	Guest/IoT/camera networks cannot cross the SD-WAN unless intended.	Confirms segmentation still exists.
Failover	WAN or hub failover works during a maintenance window.	Avoid assuming resiliency you have not tested.
Logs	Firewall denies, NAT hits, and SD-WAN events are visible.	Makes later troubleshooting evidence-based.

Model Selection: Which UniFi Gateway Should You Buy?

Ubiquiti's control-plane guidance recommends Cloud Gateways for most deployments because they combine UniFi Network management with routing and security. Use the UniFi cloud gateway tech specs for current hardware capabilities, and use the SD-WAN guide for Site Magic gateway requirements and hub tunnel capacity. Pick the hub for tunnel count, WAN resilience, inspection load, and growth. Pick the spoke for reliability and supportability.

Affiliate disclosure: As an Amazon Associate, TechGeeks may earn from qualifying purchases. These links are buying references. Always confirm current UniFi compatibility and seller quality before ordering.

Buyer Scenario	Good Fit	Why This Pick	Amazon Affiliate Link
Small remote home	Cloud Gateway Ultra / UCG-Ultra	Good low-cost branch or small remote site. Ubiquiti lists it as an entry-level compact gateway with 1 Gbps routing in its control-plane guidance.	Amazon: UCG Ultra
Power home or small office	Cloud Gateway Max / UCG-Max	Better compact option for heavier home-office use. Ubiquiti lists 2.3 Gbps IDS/IPS throughput and full UniFi app suite support.	Amazon: UCG Max No Storage
Rack homelab	Dream Machine Pro or UDM SE	Rack-mounted, full UniFi app suite, and useful as a small hub. Ubiquiti lists UDM Pro and UDM SE at 100 SD-WAN VPN tunnels in the hub capacity table. The linked Amazon result is a UDM Pro bundle, so verify seller and package contents before buying.	Amazon: UDM Pro bundle
Dual-WAN small business	Cloud Gateway Fiber, UDM SE, or UDM Pro Max	Use UCG Fiber when it fits the edge design; use UDM SE or UDM Pro Max when you want a rack console with the broader UniFi application stack.	Amazon: UCG Fiber
Many branches	UXG Enterprise or Enterprise Fortress Gateway	Prioritize hub tunnel capacity. Ubiquiti lists UXG Enterprise and EFG at 1,000 SD-WAN VPN tunnels. I did not find a reliable exact Amazon product page during this check.	Search Amazon: Enterprise UniFi gateway
Existing independent gateway design	UXG Pro	Useful when you want an independent gateway managed by CloudKey or Official UniFi Hosting. Ubiquiti lists UXG Pro at 100 SD-WAN VPN tunnels.	Amazon: UXG Pro
Accessories	Rack shelf, patch cables, UPS	Do not ignore the physical layer. Stable power and clean cabling matter more than another dashboard.	Search Amazon: UniFi rack shelf UPS patch cables

Hub Tunnel Capacity Reference

For Hub-and-Spoke designs, the hub matters. Ubiquiti currently lists the following SD-WAN VPN tunnel capacities in its SD-WAN guide:

Hub Model	Listed SD-WAN VPN Tunnels
Enterprise Fortress Gateway (EFG)	1,000
Gateway Enterprise (UXG Enterprise)	1,000
Dream Machine Pro Max (UDM Pro Max)	200
Dream Machine Special Edition (UDM SE)	100
Dream Machine Pro (UDM Pro)	100
Cloud Gateway Fiber (UCG Fiber)	100
Cloud Gateway Industrial (UCG Industrial)	100
Dream Wall (UDW)	100
Gateway Pro (UXG Pro)	100

Limitations and Gotchas

• Site Magic is for UniFi gateway-to-UniFi gateway SD-WAN. Use IPsec or OpenVPN for third-party gateways or cloud providers.
• Mesh is limited to 20 sites in Ubiquiti guidance.
• Legacy USG models are not supported.
• IPv6 is not yet supported for this SD-WAN feature according to Ubiquiti FAQ guidance.
• Existing SD-WAN connections should not drop during a cloud issue, but configuration changes require cloud availability.
• Ownership matters. Ubiquiti notes that ownership transfer on a participating console can close connections for that site.
• Overlapping subnets are operational debt. NAT can help, but clean addressing is easier to support.
• Do not call it enterprise SD-WAN if you need full SLA steering, carrier integration, multi-vendor orchestration, or deep app-aware policy.

Official References

• UniFi Gateway - Setting Up SD-WAN with UniFi Site Manager and Fabrics
• UniFi Remote Management via Site Manager
• Choosing the Right UniFi Control Plane
• UniFi Cloud Gateways - Tech Specs

Final Thoughts

Site Magic is not impressive because it replaces every VPN or SD-WAN product on the market. It is impressive because it takes a problem that used to feel unnecessarily heavy and makes it approachable for the networks a lot of us actually run.

For a UniFi-based home lab, small office, managed family setup, or small branch network, that matters. You still get to think like a network engineer: subnets, segmentation, access control, routing intent, and what should or should not be reachable across sites. But you spend less time hand-stitching tunnels together and more time building the services those tunnels were supposed to support.

My practical recommendation is simple: use Hub-and-Spoke for most business and managed-family designs, use Mesh only when direct site-to-site traffic is actually required, advertise only what matters, and validate every path. Done that way, Site Magic becomes one of the cleanest ways to connect small and mid-sized UniFi networks without turning every site into a custom VPN project.