
Unifi Network VLAN setup with IoT and access to Pi-hole

Introduction

This guide covers the setup of VLANs and WiFi networks using the Unifi Network Application. It also provides instructions for configuring the firewall to enable devices on any VLAN to utilize the Pi-hole.

I have created the following networks:

  • LAN (the default network, renamed to LAN) - very trusted - contains all network equipment
  • SERVER-VLAN - very trusted - contains servers and a NAS
  • CLIENT-VLAN - trusted - contains clients like desktops, laptops, tablets and phones
  • IOT-VLAN - not trusted - contains smart (home) devices and media players
  • GUEST-VLAN - not trusted - contains untrusted clients, including devices from work

Setup

Network setup

Determine the VLAN ID each VLAN should have

For example, for the IOT-VLAN I use VLAN ID 20. The VLAN ID matches the third octet of the Gateway IP/Subnet: 192.168.20.0/24.

VLAN ID

Create the IOT-VLAN
  1. Go to Settings and Networks

  2. Click Create New Virtual Network. All settings remain at their default values except for the modifications detailed below.

    Instructions:
    • Required Network Name: IOT-VLAN
    • Required Gateway IP/Subnet: Uncheck Auto-Scale Network and change the Host Address to 192.168.20.1 with Netmask 24

    Advanced: First select Manual.

    • Required VLAN ID: 20
    • Optional Multicast DNS: please read [[Unifi Network - Setup Chromecast between VLANs]] for more information
    DHCP:
    • Required DHCP Range Start: 192.168.20.150
    • Required DHCP Range Stop: 192.168.20.254

    Now expand Show options after DHCP Service Management.

    • Optional DNS Server: In my case I unchecked Auto and added the IP address of my Pi-hole
    • Optional Domain Name: home.arpa
  3. Click Add

Repeat the above steps for any other VLAN.
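When repeating the step above for several VLANs it is easy to end up with a DHCP range outside its subnet, a gateway inside the DHCP range, or two networks that overlap. The following is an added example, not code from the original note and not a Unifi API: a small Python plan checker for the values you type into the Create New Virtual Network dialog. The IOT-VLAN entry uses the values from this page; CLIENT-VLAN and GUEST-VLAN are constructed placeholders, and the VLAN-ID-equals-third-octet check follows the convention the page uses.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vlan:
    """One Virtual Network as entered in the Unifi dialog (constructed data model, not a Unifi API)."""
    name: str
    vlan_id: int
    gateway: str      # Gateway IP/Subnet > Host Address
    netmask: int      # Gateway IP/Subnet > Netmask (prefix length)
    dhcp_start: str   # DHCP Range Start
    dhcp_stop: str    # DHCP Range Stop

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.gateway}/{self.netmask}", strict=False)


def check_plan(vlans):
    """Return a list of problems found in the VLAN plan; an empty list means it is consistent."""
    problems = []
    ids = {}
    for v in vlans:
        net = v.subnet
        gw = ipaddress.ip_address(v.gateway)
        start = ipaddress.ip_address(v.dhcp_start)
        stop = ipaddress.ip_address(v.dhcp_stop)

        # Convention used on the page: the VLAN ID equals the third octet of the subnet.
        if net.network_address.packed[2] != v.vlan_id:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} does not match subnet {net}")
        if v.vlan_id in ids:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} already used by {ids[v.vlan_id]}")
        ids[v.vlan_id] = v.name

        if gw in (net.network_address, net.broadcast_address):
            problems.append(f"{v.name}: gateway {gw} is the network or broadcast address")
        for label, ip in (("DHCP Range Start", start), ("DHCP Range Stop", stop)):
            if ip not in net:
                problems.append(f"{v.name}: {label} {ip} is outside {net}")
        if start > stop:
            problems.append(f"{v.name}: DHCP range {start}-{stop} is reversed")
        elif start <= gw <= stop:
            problems.append(f"{v.name}: gateway {gw} lies inside the DHCP range")

    # Overlapping subnets cannot be routed apart, so they cannot be firewalled apart either.
    for a, b in combinations(vlans, 2):
        if a.subnet.overlaps(b.subnet):
            problems.append(f"{a.name} and {b.name}: subnets {a.subnet} and {b.subnet} overlap")
    return problems


# The IOT-VLAN values are the ones from this page; the other two networks are constructed examples.
PLAN = [
    Vlan("IOT-VLAN", 20, "192.168.20.1", 24, "192.168.20.150", "192.168.20.254"),
    Vlan("CLIENT-VLAN", 30, "192.168.30.1", 24, "192.168.30.150", "192.168.30.254"),
    Vlan("GUEST-VLAN", 40, "192.168.40.1", 24, "192.168.40.150", "192.168.40.254"),
]

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Run it before clicking through the dialogs; every reported line names the network and the field that needs correcting.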

Port management

Now that the networks/VLANs have been created, we can adjust the switch port settings. This ensures that wired devices are placed in the correct VLAN and, for example, receive the correct IP address. For wireless devices, we create the corresponding WiFi networks in the WiFi setup part.

Change the port settings

  1. Go to Ports, or alternatively go to Unifi Devices, click on a switch or the router and click the Port Manager button

  2. Go to the tab Ports, if this is not already selected

  3. Now you can select a port and change the settings

    For example:

    • Optional Name: P1Reader - this is the name of the IoT device
    • Required Native VLAN / Network: IOT-VLAN (20)
    • Required Tagged VLAN Management: Block All
    • Optional PoE: you can turn PoE off if the device does not need Power over Ethernet

    Port Management

  4. And finally click Apply Changes.

Repeat this for all ports for which it is necessary to change the port settings.

Check the results

To check if the port settings are working properly, do the following:

  1. Go to Client Devices

  2. The P1Reader now appears within the IOT-VLAN network with a corresponding IP address:

    Client Device

  3. Give the client device a fixed IP address if needed

    • Optional: click on the device, go to Settings and give it a fixed IP address, as I did for the P1Reader example above

WiFi setup

To ensure that wireless devices connect to the correct network, I have created three WiFi networks:

  • WiFi-Client
  • WiFi-IoT
  • WiFi-Guest

All settings remain at their default values except for the modifications detailed below.

  1. Go to Settings and WiFi

  2. Click Create New:

    Instructions:
    • Required Name: for example WiFi-IoT
    • Required Password: Your password
    • Required Network: for example IOT-VLAN - or link WiFi-Client to CLIENT-VLAN and WiFi-Guest to GUEST-VLAN

    Advanced: First select Manual.

    • Required Client Device Isolation: I have enabled this only for the WiFi-Guest network
    • Optional WiFi Speed Limit: Default - for the WiFi-Guest network I have created a guest profile that limits the bandwidth slightly
    • Optional Multicast Enhancement and Multicast and Broadcast Control: please read this note for more information
    • Optional MAC Address Filter: I have enabled the filter for WiFi-Client and WiFi-IoT
    • Optional Security Protocol: use WPA2 for backwards compatibility; I used WPA2 for WiFi-IoT and WPA2/WPA3 for WiFi-Guest and WiFi-Client. At some point I will switch completely to WPA3
    • Optional Group Rekey Interval: Enable 3600 seconds - for increased security
  3. And finally click Add WiFi Network.

Repeat the above steps for any other WiFi network.

Firewall setup

To make the VLANs work properly, the first rule I created allows established/related sessions from client devices. Then I made sure traffic between the networks is no longer possible. Blocking inter-VLAN routing is also described by Ubiquiti here.

RFC1918 IP group

First create the IP Group needed for blocking inter-VLAN routing:

  1. Go to Settings and Profiles
  2. Go to tab IP Groups
  3. Create a new profile
    Instructions:
    • Required Profile Name: RFC1918
    • Required Type: IPv4 Address/Subnet
    • Required Address: add 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
  4. Click the Add button (all the way at the bottom left)

RFC1918 IP Group

You can now use this IP group when creating the firewall rule.

Select LAN In rules

  1. Go to Settings and Security
  2. Go to tab Traffic & Firewall Rules
  3. Go to LAN rules and select LAN In

All settings remain at their default values except for the modifications detailed below.

Rule allow established/related sessions

  1. Click Create Entry and make sure Rule Type is set to Advanced

    Instructions:
    • Required Type: LAN In
    • Required Name: allow established/related sessions, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected

    Advanced: First select Manual.

    • Required Match State: Only Established and Related are selected
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule drop traffic between vlans

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: drop traffic between vlans, for example
    • Required Action: Drop
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Port/IP Group
    • Required Address Group: RFC1918
    Destination:
    • Required Destination Type: Port/IP Group
    • Required Address Group: RFC1918
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Now all VLANs/networks are separated from each other.

The rules below make the following possible:

  • All VLANs have access to Pi-hole DNS
  • LAN has access to all other networks
  • CLIENT-VLAN has access to LAN (or make sure that you allow individual devices from the CLIENT-VLAN to manage LAN)
  • CLIENT-VLAN has access to SERVER-VLAN
  • CLIENT-VLAN has access to IOT-VLAN
  • Some IOT-VLAN devices have access to SERVER-VLAN

To me this is a good basis to start with. The next step could be to set up access between the VLANs in more detail.

Rule allow dns from vlans

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow dns from vlans, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Port/IP Group
    • Required Address Group: RFC1918
    Destination:
    • Required Destination Type: Port/IP Group
    • Required Address Group: Create a new IP Group and add the IP address(es) of your Pi-hole(s)
    • Required Port Group: Create a new Port Group and add port 53
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule allow lan to all vlans

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow lan to all vlans, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Network
    • Required Network: LAN
    • Required Network Type: IPv4 Subnet
    Destination:
    • Required Destination Type: Port/IP Group
    • Required Address Group: RFC1918
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule allow clients to lan

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow clients to lan, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Network
    • Required Network: CLIENT-VLAN
    • Required Network Type: IPv4 Subnet
    Destination:
    • Required Destination Type: Network
    • Required Network: LAN
    • Required Network Type: IPv4 Subnet
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule allow clients to servers

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow clients to servers, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Network
    • Required Network: CLIENT-VLAN
    • Required Network Type: IPv4 Subnet
    Destination:
    • Required Destination Type: Network
    • Required Network: SERVER-VLAN
    • Required Network Type: IPv4 Subnet
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule allow clients to iot

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow clients to iot, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Network
    • Required Network: CLIENT-VLAN
    • Required Network Type: IPv4 Subnet
    Destination:
    • Required Destination Type: Network
    • Required Network: IOT-VLAN
    • Required Network Type: IPv4 Subnet
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Rule allow some iot to servers

  1. Click Create Entry and make sure Rule Type is set to Advanced
    Instructions:
    • Required Type: LAN In
    • Required Name: allow some iot to servers, for example
    • Required Action: Accept
    • Required Protocol: All and Before Predefined is selected
    Source:
    • Required Source Type: Port/IP Group
    • Required Address Group: Create a new IP Group and add the IP address(es) of the IoT device(s)
    Destination:
    • Required Destination Type: Port/IP Group
    • Required Address Group: Create a new IP Group and add the IP address(es) of the server(s)
  2. Leave the other fields at their default value and click the Add Rule button (all the way at the bottom left)

Check the results

In this way I created a few more rules. The accept rules come first; all other traffic between the VLANs is then dropped. The firewall rules look like this:

Firewall Rules

Test if it works, for example with your mobile phone by temporarily connecting to the IoT WiFi network.
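Because LAN In rules are evaluated top to bottom and the first match wins, the position of the drop rule relative to the accept rules decides whether the goals listed above are actually met. The following is an added example, not code from the original note and not a Unifi API: a Python model of the rule set above that evaluates a handful of flows first-match, the way the gateway does, so the intended access matrix can be checked on paper before a phone is moved onto the IoT WiFi. Only the IOT-VLAN subnet 192.168.20.0/24 is from this page; the other subnets, the Pi-hole address, the permitted IoT device and the server address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    """Build an IP Group (list of networks) from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Address plan. Only the IOT-VLAN subnet is from the page; the other subnets, the Pi-hole,
# the permitted IoT device and the server are constructed placeholders.
NETWORKS = {
    "LAN": nets("192.168.1.0/24"),
    "SERVER-VLAN": nets("192.168.10.0/24"),
    "IOT-VLAN": nets("192.168.20.0/24"),
    "CLIENT-VLAN": nets("192.168.30.0/24"),
    "GUEST-VLAN": nets("192.168.40.0/24"),
}
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the RFC1918 IP Group
PIHOLE = nets("192.168.10.53/32")        # IP Group holding the Pi-hole address
IOT_ALLOWED = nets("192.168.20.151/32")  # IP Group "some IoT devices"
SERVERS = nets("192.168.10.20/32")       # IP Group holding the server(s)


@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    src: list                         # source address group; [] means any source
    dst: list                         # destination address group; [] means any destination
    dst_ports: Optional[set] = None   # destination Port Group; None means any port
    states: Optional[set] = None      # Match State; None means any state

    def matches(self, pkt) -> bool:
        def in_group(ip, group):
            return not group or any(ip in n for n in group)
        return (in_group(pkt["src"], self.src)
                and in_group(pkt["dst"], self.dst)
                and (self.dst_ports is None or pkt["dport"] in self.dst_ports)
                and (self.states is None or pkt["state"] in self.states))


ESTABLISHED = Rule("allow established/related sessions", "accept", [], [],
                   states={"established", "related"})
DROP_INTER_VLAN = Rule("drop traffic between vlans", "drop", RFC1918, RFC1918)
ALLOW_RULES = [
    Rule("allow dns from vlans", "accept", RFC1918, PIHOLE, dst_ports={53}),
    Rule("allow lan to all vlans", "accept", NETWORKS["LAN"], RFC1918),
    Rule("allow clients to lan", "accept", NETWORKS["CLIENT-VLAN"], NETWORKS["LAN"]),
    Rule("allow clients to servers", "accept", NETWORKS["CLIENT-VLAN"], NETWORKS["SERVER-VLAN"]),
    Rule("allow clients to iot", "accept", NETWORKS["CLIENT-VLAN"], NETWORKS["IOT-VLAN"]),
    Rule("allow some iot to servers", "accept", IOT_ALLOWED, SERVERS),
]
# Final order as described under "Check the results": accepts first, the drop rule last.
LAN_IN = [ESTABLISHED, *ALLOW_RULES, DROP_INTER_VLAN]
# The order in which the page creates the rules, kept to show why position matters.
LAN_IN_CREATION_ORDER = [ESTABLISHED, DROP_INTER_VLAN, *ALLOW_RULES]


def packet(src, dst, dport, state="new"):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "state": state}


def evaluate(rules, pkt):
    """First matching LAN In rule wins. With no match the gateway's default applies, which for
    LAN In is accept: that is why inter-VLAN routing works until the drop rule exists.
    Only routed traffic reaches LAN In; hosts in the same VLAN talk through the switch."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "accept", "default"


def policy_check(rules):
    """Evaluate the access goals listed on the page, plus a few flows that must stay blocked."""
    cases = {
        "iot -> pihole dns": packet("192.168.20.150", "192.168.10.53", 53),
        "guest -> pihole dns": packet("192.168.40.10", "192.168.10.53", 53),
        "guest -> pihole web": packet("192.168.40.10", "192.168.10.53", 80),
        "iot -> client": packet("192.168.20.150", "192.168.30.10", 443),
        "client -> iot": packet("192.168.30.10", "192.168.20.150", 8123),
        "iot -> client reply": packet("192.168.20.150", "192.168.30.10", 50000, state="established"),
        "lan -> guest": packet("192.168.1.5", "192.168.40.10", 22),
        "permitted iot -> server": packet("192.168.20.151", "192.168.10.20", 1883),
        "other iot -> server": packet("192.168.20.152", "192.168.10.20", 1883),
        "guest -> internet": packet("192.168.40.10", "203.0.113.7", 443),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in policy_check(LAN_IN).items():
        print(f"{name:25} {action}")
```

Two things the model makes visible: with the drop rule in the position where the page creates it (above the accepts), the IoT to Pi-hole DNS flow is dropped, so the rule must be moved below the accept rules as the screenshot shows; and the drop rule only matches RFC1918 destinations, so a device that uses a public resolver instead of the DHCP-supplied Pi-hole is not forced through the Pi-hole by these rules.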


    Copyright 2021- Fiction Becomes Fact