
UniFi Is All You Need


UniFi Is All You Need: A Home Network Journey with SoftBank Hikari in Japan

I've been living in Japan for over 20 years, and like many home lab enthusiasts here, I've spent countless hours optimizing my home network. In this post, I’ll share the story of how I upgraded my home setup while dealing with the unique challenges of SoftBank Hikari—a 1 Gbps fiber-optic internet service widely used in Japan.

Starting from a simple TP-Link router, I explored open-source firewall solutions like pfSense and ultimately landed on Ubiquiti UniFi gear, which has since become my go-to solution. This article documents what I tried, why I switched, what I learned, and how things are working today.

If you're living in Japan and struggling with home networking—especially on SoftBank's network—this might save you some trial and error.


My first setup used the TP-Link AX6000, a high-end gaming router, directly connected to the NTT optical network unit (ONU). I configured the PPPoE settings for SoftBank Hikari based on their documentation.

SoftBank offers an optional rental router—the Hikari BB Unit—which enables their IPv6 "high-speed mode." I initially skipped this to keep things simple and used only IPv4 via PPPoE. However, this caused serious slowdowns during peak hours. Eventually, I subscribed to the Family Giga Speed plan and paid the additional 500 JPY per month to rent the BB Unit and enable IPv6. It also provides a fixed IP phone line if you need one.

Full plan info: SoftBank Hikari plans

The TP-Link router worked fine for basic use, but I ran into limitations—especially for content filtering (for kids) and network segmentation (for work, guests, and IoT). I tried Cloudflare DNS for Families, but it was easy to bypass and lacked fine-grained control. During the COVID-19 lockdowns, I wanted to block YouTube for kids while keeping it available for myself. So I started looking for a router-based solution with more advanced filtering and VLAN support.


Step 2: DIY Firewall with pfSense

This led me to pfSense. I bought a fanless mini PC with multiple NICs (example here) and got pfSense running quickly.

pfSense offers powerful security features like Snort for intrusion detection and Suricata for prevention. However, with all features enabled, it became slow and unstable. Eventually, I narrowed my usage to OpenVPN and pfBlockerNG for content filtering.

pfBlockerNG has many blocklist options, but it's hard to tell which ones are well-maintained. I used a basic setup with Steven’s List and a self-maintained YouTube blocklist. My goal was to keep YouTube off the kids' devices.

I also created VLANs for family, work, IoT devices, and guests. I used the UniFi U6 LR as my Wi-Fi AP, which supports multiple VLANs with different firewall rules. I learned a lot from Laurent Labs’ YouTube videos. (Note: The videos are in English, but you can summarize them in Japanese with tools like ChatGPT.)

While the pfSense setup was powerful, pfBlockerNG felt bloated and buggy. Firewall rule conflicts would randomly let YouTube through or block access unintentionally. Also, after Apple introduced MAC address randomization on iOS, device-specific filtering became unreliable.
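Why MAC-keyed rules drift once phones randomize their addresses, as an added example (not code from pfSense or pfBlockerNG): randomized Wi-Fi addresses set the locally-administered bit, so a rule table can be audited against the current DHCP leases. The rule labels, hostnames and MAC addresses are constructed sample data.

```python
import re

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_randomized(mac):
    """True for a unicast MAC with the locally-administered bit (0x02) set.
    Randomized Wi-Fi addresses set that bit; vendor-assigned ones leave it clear."""
    first = mac[0]
    return bool(first & 0x02) and not (first & 0x01)

def audit(rules, leases):
    """Compare MAC-keyed filter rules with the clients currently on the network."""
    keyed = {parse_mac(m): label for m, label in rules.items()}
    seen = {parse_mac(m): host for m, host in leases}
    return {
        # Rule is pinned to an address the device may replace.
        "fragile": sorted(l for m, l in keyed.items() if is_randomized(m)),
        # Rule matches no client that is on the network right now.
        "stale": sorted(l for m, l in keyed.items() if m not in seen),
        # Client with a randomized address that no rule covers.
        "unfiltered": sorted(h for m, h in seen.items()
                             if m not in keyed and is_randomized(m)),
    }

# Constructed sample data: two per-device rules and three current leases.
RULES = {
    "3C-22-FB-12-34-56": "kids-laptop",
    "da:a1:19:00:11:22": "kids-iphone",
}
LEASES = [
    ("3c:22:fb:12:34:56", "kids-laptop"),
    ("f2:5e:0c:9a:bc:de", "iPhone"),
    ("0011.32aa.bbcc", "nas"),
]

if __name__ == "__main__":
    for finding, names in audit(RULES, LEASES).items():
        print(f"{finding}: {names}")
```

A rule that shows up as both fragile and stale, next to an unfiltered client, is the pattern to look for: the device is probably still on the network under a new address.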

As an engineer, I wasn't thrilled that pfSense is built on PHP—a language often cited in CS classes as a case study in insecure design. By 2025, this felt outdated.

I considered OPNsense, a pfSense fork that’s supposedly being rewritten in C++. But as of May 2025, much of it still runs on PHP, and plugin support is limited. Zenarmor looks promising for schools and enterprises, but it’s commercial.

OpenWrt is another great open-source option, especially if you have older router hardware.

Some people use Pi-hole on a Raspberry Pi for DNS-based blocking. I never got around to trying it.


Step 3: Switching to UniFi — Simplicity Over Customization

Since I was already using a UniFi access point, I decided to unify my entire setup with UniFi hardware.

I picked up the Cloud Gateway Ultra—a compact yet powerful router that checks all the boxes. I bought two units for my main house and my summer retreat.

Both homes use SoftBank Hikari, and the summer house is in the mountains where SoftBank is the only available provider. Even though the 10 Gbps plan isn't offered in my area, I typically get 400–700 Mbps up/down on a 1 Gbps plan, which is solid.

The problem: SoftBank’s IPv6 setup is... strange. If you connect a TP-Link, pfSense, or UniFi router directly to the ONU, you won’t get IPv6. That’s because SoftBank uses a custom IPIP tunneling approach. To make IPv6 work, you need to use their Hikari BB Unit.

Without IPv6, network speeds drop significantly during peak hours.

The workaround: place your UniFi router behind the BB Unit and configure DMZ mode to expose the UniFi’s IP to the internet. This setup lets you use VPN and Dynamic DNS.

For Dynamic DNS, I built my own Inadyn-compatible AWS Route 53 updater. Unfortunately, UniFi doesn’t support Route 53 natively, so I had to SSH into the router to run the updater script. pfSense supported this out of the box via plugin, which was more convenient.

Also, UniFi ships with “free” DDNS services that turn out to be paid when you try to use them seriously. Not great.
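A sketch of the decision logic a Route 53 dynamic DNS updater needs in this topology, added here as an example and not the author's updater. It assumes the UniFi WAN1 address behind the BB Unit is a private LAN address, so the address to publish must be looked up externally and checked before any record is written; the hostname and addresses are constructed, and the external lookup itself is left to the caller.

```python
import ipaddress

# Ranges that must never end up in a public A record.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local
)]

def publishable_ipv4(candidate):
    """Return the normalized address, or raise if it is not a public IPv4."""
    ip = ipaddress.ip_address(candidate.strip())
    if ip.version != 4 or ip.is_multicast or any(ip in n for n in NON_PUBLIC):
        raise ValueError(f"refusing to publish {ip}")
    return str(ip)

def plan_update(fqdn, current_record, detected_ip, ttl=300):
    """Return a Route 53 ChangeBatch, or None when the record is already right."""
    ip = publishable_ipv4(detected_ip)
    if current_record == ip:
        return None  # no API call, no needless change history
    return {
        "Comment": "home DDNS update",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn, "Type": "A", "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }

def apply_update(zone_id, batch):
    """Send the batch with boto3 (imported lazily so planning runs offline)."""
    import boto3
    return boto3.client("route53").change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=batch)

if __name__ == "__main__":
    # Constructed values: 192.168.3.2 stands for a private WAN1 address,
    # 203.0.113.45 (documentation range) for the externally observed address.
    for seen in ("192.168.3.2", "203.0.113.45"):
        try:
            print(seen, "->", plan_update("home.example.com.", "203.0.113.7", seen))
        except ValueError as err:
            print(seen, "->", err)
```

The credential stored on the router only needs `route53:ChangeResourceRecordSets` on the one hosted zone, which limits the damage if the router is compromised.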

Support in Japan is minimal, and SoftBank doesn’t care if you're using non-Japanese gear—so you're on your own.


How to Enable IPv6 on UniFi with SoftBank

The final challenge was getting IPv6 to work properly on UniFi.

Once your UniFi router is behind the SoftBank BB Unit (in DMZ mode), open the WAN1 settings and set:

  • IPv6 Connection Type: SLAAC
  • Prefix Delegation: Single Network

You should now see an IPv6 address on your WAN1 interface. All devices on your home network will be assigned IPv6 addresses and can access IPv6 sites like YouTube and GitHub—often much faster than IPv4 during peak times.

Important note: the SoftBank router blocks all inbound IPv6 traffic by default. Outbound connections from your network are allowed, but you must add explicit rules if you want to accept inbound IPv6.

There’s no NAT with IPv6, so each device has a globally routable address. It’s a good chance to deepen your understanding of how IPv6 works.
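To see which addresses a LAN host actually received after this change, here is an added example (not from the original post) that reads `ip -6 -o addr show` output from a Linux client and separates globally routable addresses from link-local and unique-local ones. The sample lines are constructed, with the documentation prefix 2001:db8::/32 standing in for the prefix the ISP delegates.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def classify(addr):
    """Name the scope of an IPv6 address given as a string."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"

def global_addresses(lines):
    """Return [(iface, address, is_temporary)] for each globally routable address."""
    found = []
    for line in lines:
        fields = line.split()
        if "inet6" not in fields:
            continue
        iface = fields[1]
        addr = str(ipaddress.IPv6Interface(fields[fields.index("inet6") + 1]).ip)
        if classify(addr) == "global":
            found.append((iface, addr, "temporary" in fields))
    return found

def inbound_rule_targets(lines):
    """Stable global addresses: temporary (privacy) addresses rotate, so an
    explicit inbound allow rule should never point at one."""
    return [addr for _, addr, temporary in global_addresses(lines) if not temporary]

# Constructed sample of `ip -6 -o addr show` output.
SAMPLE = r"""
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:10:20:7d3a:91ff:4c2e:15b0/64 scope global temporary dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:10:20:a2ce:c8ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::a2ce:c8ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
""".strip().splitlines()

if __name__ == "__main__":
    for iface, addr, temporary in global_addresses(SAMPLE):
        print(iface, addr, "temporary" if temporary else "stable")
```

Every address it lists is reachable end to end as soon as an inbound rule allows it, so the default-deny policy on the gateway is the only thing standing in for what NAT used to hide.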

Also, disable Wi-Fi on the SoftBank router if you're using a separate access point like UniFi.


Wrap-Up

This was my journey upgrading my home network in Japan—from consumer routers to open-source firewalls to finally settling on UniFi.

If you're facing similar challenges, I hope this helps. And if I missed any key configurations or you'd like me to expand on a specific part, feel free to leave a comment!
