The Update Homelabbers Have Been Waiting For

UniFi OS 5.1.11 dropped on May 14th, and if you run a UniFi stack at home, stop what you're doing and update. This isn't a routine maintenance release — Ubiquiti has shipped three features homelabbers have been building around for years: network-level ad blocking, IPv6-capable WireGuard, and automatic Let's Encrypt cert management. All in a single drop, across Dream Routers, Cloud Gateways, Cloud Keys, and Dream Wall. The firmware gods are smiling.

Ad Blocking With Policy-Based Routing: Pi-hole Has a Real Competitor Now

The headline feature is Ad Blocking and Content Filtering with Policy-Based Routing. In practical terms: your UDM can now act as a network-wide DNS sinkhole, blocking ad and tracking domains for every device on your network without touching individual clients. This is exactly what Pi-hole does — except it's now wired directly into the UniFi OS interface with no separate hardware, no Docker container to babysit, and no additional maintenance surface.

The "policy-based routing" qualifier is significant. This isn't just DNS interception at the resolver level. Routing ad traffic through policy rules means devices that hardcode their DNS to 8.8.8.8 or 1.1.1.1 to bypass your resolver can still get caught. That's a meaningful capability advantage over a default Pi-hole deployment, which requires additional iptables redirect rules to intercept rogue DNS traffic. Whether Ubiquiti's blocklist quality matches Pi-hole's years of community-curated lists is still an open question — but for anyone who has been putting off setting up Pi-hole because the friction was too high, this removes the excuses.
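To see which clients actually bypass the local resolver, the case the interception described above is meant to catch, a defender can scan gateway flow records for DNS sent anywhere else. This is an added example, not Ubiquiti's or Pi-hole's code; the record format, the LAN range and the resolver address 192.168.1.1 are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "<src> <dst> <proto> <dport>" (assumed export format).
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 8.8.8.8 udp 53
192.168.1.45 1.1.1.1 tcp 853
192.168.1.52 1.1.1.1 tcp 443
192.168.1.20 93.184.216.34 tcp 443
192.168.1.1 9.9.9.9 udp 53
malformed line
"""

DNS_PORTS = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 853): "dot"}
# Public resolvers named in the article; TCP 443 to these is probably DNS-over-HTTPS.
KNOWN_RESOLVERS = {"8.8.8.8", "1.1.1.1"}

def find_dns_bypass(text, sanctioned, lan="192.168.1.0/24"):
    """Return {client: {(resolver, kind): count}} for DNS that skips `sanctioned`."""
    lan_net = ipaddress.ip_network(lan)
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip records that do not match the assumed format
        src, dst, proto, dport = parts[0], parts[1], parts[2].lower(), int(parts[3])
        try:
            if ipaddress.ip_address(src) not in lan_net:
                continue  # only LAN clients are of interest
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        if src in sanctioned or dst in sanctioned:
            continue  # normal client queries and the resolver's own upstream lookups
        kind = DNS_PORTS.get((proto, dport))
        if kind is None and (proto, dport) == ("tcp", 443) and dst in KNOWN_RESOLVERS:
            kind = "doh?"  # heuristic only: port 443 alone does not prove DoH
        if kind:
            hits[src][(dst, kind)] += 1
    return {client: dict(seen) for client, seen in hits.items()}

if __name__ == "__main__":
    for client, seen in sorted(find_dns_bypass(SAMPLE_FLOWS, {"192.168.1.1"}).items()):
        print(client, seen)
```

Clients that show up only with `dot` or `doh?` entries are the ones a port-53 redirect alone would not catch.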

IPv6 WireGuard Client: Modern VPN for Modern Networks

UniFi has supported WireGuard server and peer configs for some time, but the IPv6 transport gap was a real problem. With ISPs increasingly delivering dual-stack or IPv6-only connections, a WireGuard implementation that only tunneled over IPv4 was a blocker for an expanding number of deployments. Version 5.1.11 closes that gap with native IPv6 WireGuard client support.

This matters whether you're connecting back to a remote site that's gone IPv6-native or routing through a commercial provider with IPv6-only exit nodes. WireGuard's throughput advantage over OpenVPN on UDM hardware is stark — the kernel-space implementation achieves around 1.7-1.8 Gbps on UDM Pro hardware, versus OpenVPN's 250-300 Mbps ceiling imposed by its user-space architecture and TLS overhead. IPv6 support doesn't change those numbers, but it removes a deployment blocker that's become increasingly relevant as the world slowly runs out of IPv4 addresses.

[Chart: VPN Protocol Throughput — UDM Pro (approximate, Mbps)]

The release notes also mention fixes for WireGuard fallback activation issues and OpenVPN DNS query storms when multiple tunnels are active. If you've had OpenVPN setups that hammer your resolver when multiple tunnels come up simultaneously, that bug fix alone is worth reading the changelog for.
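The IPv6 gap discussed in this section concerns the outer transport (the peer `Endpoint`), which is independent of the address families carried inside the tunnel. The audit below separates the two for a wg-quick style client config and reports any family that is addressed in the tunnel but not covered by `AllowedIPs`. It is an added example, not UniFi's code; the config is constructed, it assumes a single peer, and how UniFi OS maps these fields internally is not stated on this page.

```python
import ipaddress

# Constructed wg-quick style client config; keys are placeholders, addresses are documentation ranges.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.8.0.2/32, fd00:8::2/128

[Peer]
PublicKey = <placeholder>
Endpoint = [2001:db8::10]:51820
AllowedIPs = 0.0.0.0/0
"""

def _families(value):
    """Address families (4 and/or 6) present in a comma-separated list of CIDRs."""
    return {ipaddress.ip_interface(v.strip()).version for v in value.split(",") if v.strip()}

def endpoint_family(endpoint):
    """Outer transport: 6 for a bracketed IPv6 literal, 4 for IPv4, None for a hostname."""
    host = endpoint.rsplit(":", 1)[0]  # drop the trailing :port
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None  # hostname or empty: family is decided at resolution time

def audit(conf):
    """Summarise transport family, tunnel families and unrouted families (single peer)."""
    fields = {}
    for line in conf.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            fields[key.strip()] = value.strip()
    inner = _families(fields.get("Address", ""))
    routed = _families(fields.get("AllowedIPs", ""))
    return {
        "transport": endpoint_family(fields.get("Endpoint", "")),
        "tunnel_families": sorted(inner),
        "routed_families": sorted(routed),
        # Families with a tunnel address that AllowedIPs does not route into the tunnel.
        "unrouted": sorted(inner - routed),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

For the sample, the transport is IPv6 but only IPv4 is routed through the tunnel, so IPv6 traffic from the client would leave over the native connection instead of the VPN.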

Automatic Let's Encrypt: No More 3 AM Certificate Expiry Pages

Automatic Let's Encrypt certificate generation is one of those features that reads as a convenience improvement until you've been woken up by a monitoring alert because your admin UI's self-signed cert expired and half your tooling stopped trusting it. UniFi OS 5.1.11 handles ACME challenges and certificate rotation automatically, keeping your management interface behind a valid TLS cert without cronjobs, Certbot wrappers, or manual renewal workflows.

The implementation details matter here. HTTP-01 ACME challenges require your UDM to be reachable from the internet, which is a non-starter for air-gapped or RFC1918-only management networks. If Ubiquiti has implemented DNS-01 challenge support, you can get valid certs for internal hostnames without exposing anything to the internet. That detail hasn't been explicitly confirmed in the release notes yet — worth checking before you rely on this for a hardened network.

AP 8.6.10: DNS Assistance and the 10G Reboot Bug Is Dead

The simultaneously released UniFi AP firmware 8.6.10 brings a DNS Assistance feature for improved connectivity — likely captive portal detection improvements — and fixes a genuinely annoying bug where 10 Gbps port traffic would stop forwarding after a reboot or link event. If you're running U7 Pro Max APs or any 10G-capable UniFi hardware, that fix is non-negotiable. Discovering your 10G uplink silently dropped to 100 Mbps after a power blip is the kind of thing that makes you question your life choices.

[Chart: Network-Level Ad Blocking — Setup Time (minutes)]

The release also resolves DHCP failures affecting EAP and PPSK clients on default networks, mDNS/multicast discovery breaking after config changes, and IPv6 connectivity on PPSK SSIDs with multicast filtering enabled. Solid cleanup of the edge cases that trip up complex multi-VLAN homelab setups.

The Trajectory Is Clear

Ubiquiti has been accelerating UniFi OS feature development noticeably through 2025 and into 2026. The 5.x branch has delivered more infrastructure-relevant capabilities than any previous cycle, and 5.1.11 makes that trend explicit. Ad blocking, WireGuard IPv6, and automated certificate management aren't features that enterprise buyers care about — they're features that homelabbers and prosumers have been running third-party workarounds to achieve. Ubiquiti is listening to that segment.

If it's not on your own hardware, it's not really yours. UniFi OS 5.1.11 makes running it all on your own hardware a lot less painful.