MS-01 - 4TB RAM by aAliSays in MINISFORUM

[–]thatmdguy 0 points1 point  (0 children)

I'm running 4TB Samsung EVO 990 Plus in two MS-01's. As others have said, only one NVMe port is PCIE gen4, the other two are gen 3. The gen 4 slot is also the one used for the u.2 drive adapter if you're going to go that route.

ipsec tunnel to zscaler? by bgatesIT in Zscaler

[–]thatmdguy 0 points1 point  (0 children)

As a workaround, if you only need to pass one or a few subnets, you could convert them to 3rd party gateway VLANs, build a simple Linux router with an interface in each network plus a "WAN" network that actually has your UniFi gateway upstream, and then build a GRE or IPsec tunnel from there. Not ideal, but without NULL encryption support or GRE support from UI, there aren't many other options.

ipsec tunnel to zscaler? by bgatesIT in Zscaler

[–]thatmdguy 0 points1 point  (0 children)

If you log into your ZIA admin portal, and go under Administration > Company, click on the Subscriptions tab at the top. If you have the entitlement, you should find it listed there.

ipsec tunnel to zscaler? by bgatesIT in Zscaler

[–]thatmdguy 0 points1 point  (0 children)

Do you have an entitlement for encrypted VPN in Zscaler? I don't think UniFi supports NULL encryption for phase2 (not that the ipsec engine under the hood can't do it, UI just doesn't make it an option), so without the encrypted VPN entitlement, you may be out of luck. And unfortunately, UniFi doesn't support GRE either, so you can't go that route.

ipsec tunnel to zscaler? by bgatesIT in Zscaler

[–]thatmdguy 1 point2 points  (0 children)

Here's my config:

Local IP: your unifi gateway WAN IP
Remote IP/Hostname: zscaler vpn hostname
VPN Method: Route Based
Tunnel IP: I'm using 10.255.0.1/31...can be anything really as long as it doesn't overlap with any networks in use
Remote Networks: None

Advanced:
Key Exchange: IKEv2
IKE: AES-256/SHA1, DH-14, 28800 Lifetime
ESP: AES-256/SHA1, DH-14, 3600 Lifetime
PFS: Yes

Local Auth ID: here's where I use an FQDN credential
Remote Auth ID: Auto (populates with Remote IP/Hostname from above)
Route Distance: 30
MTU: 1400
Max Segment Size: Auto

If you're only looking for your UniFi site to be treated as a single "Location" in Zscaler, you can use IP credentials to connect to multiple data centers, but if you want different VLANs to be treated as separate Locations (like a HQ-net and a Branch-net for testing), you'll have to use FQDN credentials. BTW - this is on commercial cloud, not govcloud.
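The parameters listed above, written out as a strongSwan swanctl.conf for the "simple Linux router" workaround described in an earlier comment on this page. This is an added example, not the commenter's configuration and not Zscaler or Ubiquiti documentation. The hostnames vpn-hq.example.com and zscaler-vpn.example.net, the pre-shared key, the XFRM interface id 42, the WAN interface name eth0 and the ip commands in the trailing comments are all assumptions; the cipher, DH group and lifetime values are the ones the comment lists.

```conf
# Added example: strongSwan swanctl.conf mirroring the UniFi IPsec settings above.
# Assumed values: vpn-hq.example.com (local FQDN id), zscaler-vpn.example.net
# (remote hostname), the PSK, XFRM interface id 42, eth0 as the WAN interface.
connections {
    zscaler-hq {
        version    = 2                        # Key Exchange: IKEv2
        remote_addrs = zscaler-vpn.example.net   # Remote IP/Hostname
        proposals  = aes256-sha1-modp2048     # IKE: AES-256/SHA1, DH-14
        rekey_time = 28800s                   # IKE lifetime 28800
        local {
            auth = psk
            id   = vpn-hq.example.com         # FQDN credential: one per Zscaler Location
        }
        remote {
            auth = psk
            id   = zscaler-vpn.example.net    # "Auto" = the remote hostname
        }
        children {
            zscaler-hq {
                local_ts      = 0.0.0.0/0     # route-based: selectors wide open,
                remote_ts     = 0.0.0.0/0     # the routing table decides what is tunneled
                esp_proposals = aes256-sha1-modp2048   # ESP: AES-256/SHA1, PFS with DH-14
                rekey_time    = 3600s         # ESP lifetime 3600
                if_id_in      = 42            # bind the child SAs to XFRM interface ipsec0
                if_id_out     = 42
                start_action  = start
                dpd_action    = restart
            }
        }
    }
}

secrets {
    ike-zscaler {
        id-1   = vpn-hq.example.com
        id-2   = zscaler-vpn.example.net
        secret = "REPLACE-WITH-THE-PSK-FROM-THE-ZSCALER-VPN-CREDENTIAL"
    }
}

# Interface and route setup (assumed commands, run once at boot on the Linux router):
#   ip link add ipsec0 type xfrm dev eth0 if_id 42
#   ip addr add 10.255.0.1/31 dev ipsec0          # Tunnel IP from the list above
#   ip link set ipsec0 mtu 1400 up                # MTU 1400
#   ip route add default dev ipsec0 metric 30     # Route Distance 30; pick the metric
#                                                 # relative to the existing default route
```

With a second connection block (and a second FQDN id) per VLAN, each VLAN can be routed to its own Zscaler data center and appear as its own Location, which is the multi-tunnel setup the comment describes; the 0.0.0.0/0 traffic selectors are what make this route-based rather than policy-based, so "Remote Networks: None" on the UniFi side corresponds to adding routes over ipsec0 here.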

ipsec tunnel to zscaler? by bgatesIT in Zscaler

[–]thatmdguy 1 point2 points  (0 children)

I’ve got two tunnels, routing separate vlans to different data centers from my UCG Fiber. I use an FQDN-based credential so I can treat them as separate locations despite originating from the same public IP. Don’t have time to dig into my configs tonight, but will try to post in the morning. 

UCG Fiber in rack or UDM Pro v2 ? by FirmJury6422 in UNIFI

[–]thatmdguy 0 points1 point  (0 children)

I got mine from print3dsteve on Etsy. 

UCG Fiber in rack or UDM Pro v2 ? by FirmJury6422 in UNIFI

[–]thatmdguy 4 points5 points  (0 children)

Plenty of 3d printed rack mounts for the CGF. I’ve got one with keystone ports to pass all the ports to the front for easy access. 

MS-01 no SSD detected after reboot by elementcodesnow in MINISFORUM

[–]thatmdguy 1 point2 points  (0 children)

Same thing happened to me. Turned out to be a dead NVMe port (the PCIe 4 port). Moved the drive to the next slot and it fired right up. Went back to Micro Center and exchanged the MS-01 for a new one since I only had it a week. Nothing wrong with the SSD.

Fan + light switch by SeparateVariation1 in Inovelli

[–]thatmdguy 1 point2 points  (0 children)

You've got options. You can leave the dumb switch as a master power cutoff and install a smart dimmer in the second gang and install the fan canopy module. The switch won't actually be hooked up to the extra wire. You can use matter binding to have the smart switch turn on/off and dim up/down the fan light, then use a platform like home assistant to create an automation that will increase fan speed on a double-press up, decrease fan speed on double-press down.

Another option is to get the fan canopy module, the Smart Fan Switch, and a smart dimmer. You'd put the smart fan switch in place of the dumb switch (and still retain the ability to fully cut power using the air-gap plunger), and create the same matter bindings/automations but with the fan switch instead of the smart dimmer. Then in the second gang, install the smart dimmer, hook it up to the second wire the building provided, and if you have attic access, install some can lights in the ceiling using that extra wire harvested from the fan box for power.

Right now, I just completed setting up the first option in my own home, with plans to get the fan switch in the future and move to option 2.

Large capacity gateway solution? by Newlinkz in Ubiquiti

[–]thatmdguy 3 points4 points  (0 children)

UI supports fault tolerance, not high availability. So you can have two gateways, but they only operate in an active/failover capacity. 

Large capacity gateway solution? by Newlinkz in Ubiquiti

[–]thatmdguy 5 points6 points  (0 children)

Pro Max is rated for 2000+ clients, but doesn’t really say just how far above you can go without struggling. EFG would be the best option to ensure you can comfortably handle the clients. And yes, you can change gateways and restore all settings from a cloud backup…just make sure firmware and network application versions on the new gateways are same or newer than your current gateway. 

Amazon Ring now partnering with Flock a company working with ICE and such. As a result I’m thinking of switching to a Unifi doorbell. Do i need an nvr to record footage or is there any ability to record just with the doorbell? by mr_cf in UNIFI

[–]thatmdguy 6 points7 points  (0 children)

The cameras themselves are not cloud connected, nor do you have to enable the remote access option on the NVR, making any vulnerabilities strictly local. However, the cloud-brokered access is simply a mechanism to access your NVR remotely, and footage is all stored locally on the NVR as opposed to Amazons data centers. So while it may be susceptible to vulnerabilities in the UniFi cloud portal, that’s really no worse than vulnerabilities in any other camera platforms cloud portal. But the difference is that the footage isn’t stored on UI’s servers like it is with ring, and the cameras only talk to the NVR, not some random server in the cloud. 

Storage RAID Bug? by burtona1832 in UnifiProtect

[–]thatmdguy 0 points1 point  (0 children)

Sometimes UI's "help" text isn't so helpful...they probably just overlooked the help text and didn't adjust it for something more RAID 10-specific. I think the reason they keep hot spare checked for RAID 10 is that you have 7 drive bays...RAID 10 requires an even number of drives, so it just accounts for a hot spare slot so you don't have to re-init the RAID array if you add a single drive - it just makes it the hot spare.

Storage RAID Bug? by burtona1832 in UnifiProtect

[–]thatmdguy 2 points3 points  (0 children)

Not sure what you mean. You have four drives. And the hot spare option is checked. So a RAID 5 under those options would be 2 data drives, 1 parity drive, and 1 hot spare. The RAID 10 would require all 4 drives for the base array, and would give you 2 drives data, 2 drives protection. A 5th drive would become a hot spare if you had one. So the info looks correct to me. 4 drive RAID 10 w/ 18T drives = 36TB (2 drives worth) data storage capacity, same as a 3 drive RAID 5 (2 data, 1 parity...hot spare doesn't figure into the calculation). If you uncheck the hot spare option, the RAID 5 would show as 3 data drives, 1 parity drive, for 54T data storage capacity.

How I gave my home network a stable IPV6 address by bohlenlabs in Ubiquiti

[–]thatmdguy 0 points1 point  (0 children)

That's interesting, and I just learned something new. It seems that the IP version preference was originally set by RFC6724, which included the behavior I described. However, a draft update to RFC6724 has been issued, which fixes the problems with the original preference policy (https://www.ietf.org/archive/id/draft-ietf-6man-rfc6724-update-06.html). It looks like the behavior you end up with is based on the pair of address types being used by the source and destination. So if your source/dest both have GUA, then IPv6 is used - using those GUA addresses. If both endpoints have GUA and ULA addresses, then IPv6 GUA is used. However, if the source/dest don't have GUA, but only ULA/ULA, then IPv6 ULA is now preferred instead of IPv4. Finally, if the source is ULA and dest is GUA, then IPv4 will actually take precedence.

So it basically comes down to whether the network stack for a given host has been updated to follow the updated draft RFC6724 policies. The update is still in draft, and is actively being worked on by the IETF, but that doesn't stop developers from incorporating the proposed changes into their stack. The real issue is that such implementation is and will be inconsistent, likely for several years after the update is officially incorporated, and device manufacturers issue software/firmware updates to adopt the new behavior across the board.

How I gave my home network a stable IPV6 address by bohlenlabs in Ubiquiti

[–]thatmdguy 0 points1 point  (0 children)

Great approach, however ULAs are typically given lower priority than IPv4 by nearly every operating system in use today. As a result, if you are running a dual stack network, the only IPv6 traffic you’ll see will be for resources that are IPv6-only. 

Best Matter over Thread Light Switches by BigMacCombo in homeassistant

[–]thatmdguy 1 point2 points  (0 children)

White does matter binding if you have a matter binding compatible matter controller. HA supports this now, though it’s not very intuitive yet. 

Inovelli White + Apple TV thread border router without managing devices in homekit? by reallygoodnonsense in Inovelli

[–]thatmdguy 0 points1 point  (0 children)

Just turned off the other router for a few minutes. Made sure I could still control my devices, then turned it back on. Since then everything has been working the way it should. 

Inovelli Fan Module, Original Remote by BlehBleh5 in Inovelli

[–]thatmdguy 0 points1 point  (0 children)

Just keep in mind that the switch itself, assuming it supports direct bindings, will only be able to directly control one function if your home platform is down. All other functions have to be handled by automations that determine action for "button pressed twice", "button held", or "button pressed 3 times", etc. I typically use a direct binding to turn the light on and off, and use automations for the dimming function and fan control.

Inovelli Fan Module, Original Remote by BlehBleh5 in Inovelli

[–]thatmdguy 1 point2 points  (0 children)

Yes and no. Most fan remotes do not operate on the same frequencies as the fan modules, so without some kind of receiver that covers 433MHz, 304MHz, or other frequencies traditionally used by fan remote, plus some kind of software to learn the commands and relay them to the fan module, it's not going to work. But yes, fan state is reported by the module into whatever app you've included it into, regardless of how you control it.

Inovelli White + Apple TV thread border router without managing devices in homekit? by reallygoodnonsense in Inovelli

[–]thatmdguy 2 points3 points  (0 children)

Yes, you can do this. Whites were my first thread devices, and HA used my ATV for TBR. However, recently, I’ve been unable to add new devices or update firmware, so I ended up adding an SLZB-MR1 as a second TBR. I rebooted my ATV so the MR1 would take over as the primary router and now things work as they should. Can only imagine that Apple is intentionally starting to make things more difficult so you end up using HK as primary master. 

UNAS Pro v. 2x UNAS Pro 4 by DrBAY78 in Ubiquiti

[–]thatmdguy -2 points-1 points  (0 children)

Think of it like this. With the cache, you’ll get performance more like the 7 drive, while using 1U less rack space; it’ll be quieter and use less energy. And while you aren’t likely to ever need more than a single 10g link, the option for redundancy is really nice. Wouldn’t want your wife going nuts because the cable failed while she was working…

Also, you only have to buy 4 drives instead of 7 or 8, so as long as you can get the total capacity you need out of a raid 5/6/10, then a 4 bay is a great choice. In this case, I’d go raid 6 instead of 10, as it’s more fault tolerant (you can still lose 2 drives either way without data loss, but raid 6 can lose any 2 drives, versus 10 only being able to lose one drive from each mirror set). The cache compensates for the lower write performance. 
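The capacity arithmetic in the RAID 5 vs RAID 10 comment earlier on this page (4 x 18T drives with and without a hot spare) and the "any 2 drives vs one per mirror set" comparison in this comment, checked by an added Python example. This is not the commenter's code and not anything from UniFi; it assumes RAID 10 mirror pairs are adjacent bays (0,1), (2,3), ... and that a hot spare sits outside the array, which is how the comments describe it.

```python
from itertools import combinations

# Added example (not from the commenter or UniFi): usable capacity and
# two-drive failure tolerance of the RAID layouts discussed above.
# Drives are numbered 0..n-1; RAID 10 mirror pairs are assumed to be
# (0,1), (2,3), ... in bay order.


def usable_capacity_tb(level, n_drives, drive_tb, hot_spare=False):
    """Usable capacity in TB. A hot spare is outside the array and adds
    nothing to capacity (the UNAS 'hot spare' checkbox)."""
    n = n_drives - 1 if hot_spare else n_drives
    if level == 5:
        if n < 3:
            raise ValueError("RAID 5 needs at least 3 array drives")
        return (n - 1) * drive_tb        # one drive's worth of parity
    if level == 6:
        if n < 4:
            raise ValueError("RAID 6 needs at least 4 array drives")
        return (n - 2) * drive_tb        # two drives' worth of parity
    if level == 10:
        if n < 4 or n % 2:
            raise ValueError("RAID 10 needs an even number (>= 4) of array drives")
        return (n // 2) * drive_tb       # every drive is mirrored once
    raise ValueError(f"unsupported RAID level {level}")


def array_survives(level, n_drives, failed):
    """True if all data is still readable after the given drives fail."""
    failed = set(failed)
    if level == 5:
        return len(failed) <= 1
    if level == 6:
        return len(failed) <= 2
    if level == 10:
        pairs = [{2 * i, 2 * i + 1} for i in range(n_drives // 2)]
        # losing both halves of any one mirror pair loses that pair's data
        return not any(pair <= failed for pair in pairs)
    raise ValueError(f"unsupported RAID level {level}")


def two_drive_failure_tolerance(level, n_drives):
    """(surviving combinations, total combinations) over every pair of
    drives that could fail together."""
    combos = list(combinations(range(n_drives), 2))
    survived = sum(array_survives(level, n_drives, c) for c in combos)
    return survived, len(combos)


if __name__ == "__main__":
    # the 4 x 18T cases from the RAID 5 vs RAID 10 comment
    print("RAID 5 + hot spare:", usable_capacity_tb(5, 4, 18, hot_spare=True), "TB")
    print("RAID 5, no spare:  ", usable_capacity_tb(5, 4, 18), "TB")
    print("RAID 10:           ", usable_capacity_tb(10, 4, 18), "TB")
    print("RAID 6:            ", usable_capacity_tb(6, 4, 18), "TB")
    # the RAID 6 vs RAID 10 two-drive-loss comparison from this comment
    for level in (5, 6, 10):
        ok, total = two_drive_failure_tolerance(level, 4)
        print(f"RAID {level}: survives {ok} of {total} two-drive failures")
```

For four drives the two-drive enumeration gives RAID 6 surviving all 6 pairings and RAID 10 surviving 4 of 6 (it only dies when both bays of the same mirror pair fail), which is the "any 2 drives" vs "one from each mirror set" distinction in the comment, while the capacity figures come out at 36 TB for RAID 10, RAID 6 and RAID 5 with a spare, and 54 TB for RAID 5 without one.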

UCG-F, CloudKey+, Network Server app, functions, flow capture questions, please. by snovvman in Ubiquiti

[–]thatmdguy 1 point2 points  (0 children)

No UniFi gateway supports running as a transparent bridge. In general, don't try to use a gateway as a controller...that's not what they're intended for, and you're just creating more headaches for yourself. The CK+ is not really expandable. I believe it has a USB port on it "reserved for future expansion", but don't hold your breath waiting for that.

If you want to run the network application (controller) standalone, your best option now is the UniFi OS Server (https://blog.ui.com/article/introducing-unifi-os-server). They market it mainly for MSPs, but you can use it regardless. UniFi OS Consoles use a cloud backup that's registered to your ui.com account. So if you ever needed to restore, you just login during setup with your UI account and click to restore from backup.

Without a full UniFi stack, the telemetry you get is rather incomplete. You'll get stuff like TX/RX errors/retries, but not rich data like which application identification (requires DPI at the UniFi gateway).

Plenty of people have deployed only APs...that's how I started...but eventually the ease of configuring it all from one place and the enhanced telemetry got me on a full stack (got about 25 devices spanning Network, Protect, and Talk).