Unifi Network - Setup VLANs including IoT and access to Pi-hole


Here I describe which networks/VLANs and WiFi networks I have created, how I configured the firewall, and the rule that allows the Pi-hole in the SERVER-VLAN to be used by devices in other VLANs such as the CLIENT-VLAN and IOT-VLAN.

I replaced my old Unifi Security Gateway (USG) with a Unifi Dream Machine Pro (UDM-Pro) and chose to build everything from scratch rather than migrate the settings. So all settings start at their defaults and from there I make the necessary adjustments. The setup below is based on the newest user interface (v7).

I have created the following networks:

  • LAN (this is the default network and renamed to LAN) - very trusted - this contains all network equipment
  • SERVER-VLAN - very trusted - this contains servers and a NAS
  • CLIENT-VLAN - trusted - this contains clients like desktops, laptops, tablets and phones
  • IOT-VLAN - not trusted - this contains smart(home) devices and media players
  • GUEST-VLAN - not trusted - this contains not trusted clients including devices from work

Make sure the device you use to configure your Unifi Network remains in LAN until you finish configuring the firewall (see at the very bottom).

Setup Network

First I determined which VLAN ID each VLAN should have. For example, for the IOT-VLAN I use VLAN ID 20.

This number matches the third octet of the Gateway IP/Subnet: 192.168.20.1/24

Perform the following steps to create the IOT-VLAN:

  1. Go to Settings and Networks
  2. Click Create New Network:
    • Network Name: IOT-VLAN
    • Uncheck Auto-Scale Network and change the Host Address to 192.168.20.1
      Advanced Configuration
    • Click Manual - everything is set by default except what I described below
    • VLAN ID: 20
    • Multicast DNS: please read Unifi Network - Setup Chromecast between VLANs for more information
      DHCP
    • DHCP Range Start: 192.168.20.150
    • DHCP Range Stop: 192.168.20.254

    I have chosen a DHCP range between 150 and 254. This leaves all IP addresses below 150 free to use as fixed IP addresses.

    • Expand Hide options after DHCP Service Management
      • In my case I enabled the DHCP DNS Server and added the IP address of my Pi-hole
    • Domain Name: home.arpa

      home.arpa was created specifically for “home” or “small business” name queries: queries that do leak out are sent to “black holes” early in the chain instead of travelling to the public DNS.

  3. Click Add Network

Repeat the above steps for any other VLAN.

I configured the GUEST-VLAN the same way, i.e. with Network Type Standard and not Guest Network. I wanted to keep this as simple as possible for the moment, but you can also choose to use the guest portal and hotspot system.

Port Management

Now that the networks/VLANs have been created, we can adjust the switch port profiles to the correct network. With this we ensure that wired devices use the correct VLAN and, for example, will receive the correct IP address.

Do not change the port profile of ports which are connected to the gateway, other switches or access points; leave those set to All.

For wireless devices, we will create the corresponding WiFi networks in the next part.

  1. Go to Unifi Devices and click the switch (or any other device with ports such as the UDM)
  2. Go to tab Ports and click Port Management
  3. Now you can select the ports of which you want to change the port profile:

In the screenshot I selected port 8 and changed the following:

  • Name: P1Reader - this is the name of the IoT device
  • Port Profile: IOT-VLAN
  • PoE: Personally, I turn off PoE if the device does not need power

Now click Apply Changes

Repeat this for all ports for which it is necessary to change the port profile.
You can check the device as follows:

  1. Go to Client Devices
  2. In my case I see the P1Reader within the IOT-VLAN network and with the correct IP address:

Optionally you can click on the device and go to Settings and give it a fixed IP address (which I did in this example).

Setup WiFi

To ensure that wireless devices connect to the correct network, I have created three WiFi networks:

  • WiFi-Client
  • WiFi-IoT
  • WiFi-Guest

  1. Go to Settings and WiFi
  2. Click Create New WiFi Network:
    • Name: for example WiFi-IoT
    • Network: for example IOT-VLAN - or link WiFi-Client to CLIENT-VLAN and WiFi-Guest to GUEST-VLAN
      Advanced Configuration
      • Click Manual - everything is set by default except what I described below
      • Bandwidth Profile: Default - for the WiFi-Guest network I have created a guest profile that limits the bandwidth slightly
      • Multicast Management: please read Unifi Network - Setup Chromecast between VLANs for more information
      • Client Device Isolation: I have enabled this only for the WiFi-Guest network
        Security
      • Security Protocol: WPA2 is needed for backwards compatibility, so I used WPA2 for WiFi-IoT and WPA2/WPA3 for WiFi-Guest and WiFi-Client. At some point I will completely switch to WPA3
      • Group Rekey Interval: Enable 3600 seconds - for increased security
        Device Filtering
      • MAC Address Filter: I have enabled the filter for WiFi-Client and WiFi-IoT

        Personally, I think it’s a good thing to consciously give access to certain devices. That’s why I keep a list of the MAC addresses to which I give access. About the option to hide the WiFi name: opinions differ on whether a hidden WiFi network provides more security, so it remains a personal choice

  3. Finally click Add WiFi Network

Repeat the above steps for any other WiFi network.

Setup Firewall

There are a number of devices I want to deprive of access to the Internet, which I have described further in this note. This mainly concerns IoT devices.

To make the VLANs work properly, the first rule I created allows established/related sessions from client devices. After that I make sure that traffic between all the networks is no longer possible. Disabling inter-VLAN routing is also described by Ubiquiti here.

You can also choose to use Traffic Management to configure the firewall. Personally, I have made the choice to create firewall rules myself.

First create the IP Group needed for disabling inter-VLAN routing:

  1. Go to Settings and Profiles
  2. Scroll down to Port and IP Groups and click Create New Group:
    • Profile Name: RFC1918
    • Type: IPv4 Address/Subnet
    • Address: add 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
  3. Click Apply Changes

You can now use this group when creating the firewall rule.

Go to Settings and Firewall & Security and scroll down to Firewall Rules:

Rule allow established/related sessions

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow established/related sessions
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Advanced
      • Click Manual
      • States: check Match State Established and Match State Related
  2. Click Apply Changes

Rule drop traffic between vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: drop traffic between vlans
    • Rule Applied: Before Predefined Rules
    • Action: Drop
    • IPv4 Protocol: All
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
  2. Click Apply Changes

Now all VLANs/networks are separated from each other.

The rules below will make the following possible:

  • All VLANs have access to the Pi-hole DNS
  • LAN has access to all other networks
  • CLIENT-VLAN has access to LAN (or make sure that you allow individual devices from the CLIENT-VLAN to manage LAN)
  • CLIENT-VLAN has access to SERVER-VLAN
  • CLIENT-VLAN has access to IOT-VLAN
  • Some IOT-VLAN devices have access to SERVER-VLAN

Personally, this seems to me a good basis to start with. The next step may be to set up access between the VLANs in more detail.

Rule allow dns from vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow dns from vlans
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of your Pi-hole(s)
      • Port Group: create a new Port Group and add port 53
  2. Click Apply Changes

Rule allow lan to all vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow lan to all vlans
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: LAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
  2. Click Apply Changes

Rule allow clients to lan

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to lan
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: LAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow clients to servers

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to servers
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: SERVER-VLAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow clients to iot

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to iot
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: IOT-VLAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow some iot to servers

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow some iot to servers
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of some IoT device(s)
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of some server(s)
  2. Click Apply Changes

The firewall rules then look like this. The accept rules come first; any other traffic between the VLANs is dropped by the last rule:
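Because the gateway evaluates the LAN In chain top to bottom with first match wins, the order shown in the screenshot matters: the drop rule must sit below the accept rules, even though this note creates it first. The model below is an added example (not the note's or Ubiquiti's code) that replays the eight rules against sample flows; only the IOT-VLAN subnet comes from the note, the other subnets, the Pi-hole address and the "some IoT/some servers" addresses are assumptions.

```python
from ipaddress import ip_address, ip_network
# Subnets follow the note's convention (VLAN ID = third octet); only IOT-VLAN (20)
# is on the page, the rest plus the Pi-hole and exception addresses are assumed.
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "SERVER-VLAN": ip_network("192.168.10.0/24"),
    "IOT-VLAN": ip_network("192.168.20.0/24"),
    "CLIENT-VLAN": ip_network("192.168.30.0/24"),
    "GUEST-VLAN": ip_network("192.168.40.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PIHOLE = {ip_address("192.168.10.53")}        # IP Group: Pi-hole(s)
SOME_IOT = {ip_address("192.168.20.10")}      # IP Group: some IoT device(s)
SOME_SERVERS = {ip_address("192.168.10.20")}  # IP Group: some server(s)

def in_any(addr, nets):
    return any(addr in net for net in nets)

# The LAN In chain as (description, action, match). First match wins, like the
# "Before Predefined Rules" section on the gateway, so the drop rule goes last.
RULES = [
    ("allow established/related sessions", "accept",
     lambda f: f["state"] in ("established", "related")),
    ("allow dns from vlans", "accept",
     lambda f: in_any(f["src"], RFC1918) and f["dst"] in PIHOLE and f["dport"] == 53),
    ("allow lan to all vlans", "accept",
     lambda f: f["src"] in NETS["LAN"] and in_any(f["dst"], RFC1918)),
    ("allow clients to lan", "accept",
     lambda f: f["src"] in NETS["CLIENT-VLAN"] and f["dst"] in NETS["LAN"]),
    ("allow clients to servers", "accept",
     lambda f: f["src"] in NETS["CLIENT-VLAN"] and f["dst"] in NETS["SERVER-VLAN"]),
    ("allow clients to iot", "accept",
     lambda f: f["src"] in NETS["CLIENT-VLAN"] and f["dst"] in NETS["IOT-VLAN"]),
    ("allow some iot to servers", "accept",
     lambda f: f["src"] in SOME_IOT and f["dst"] in SOME_SERVERS),
    ("drop traffic between vlans", "drop",
     lambda f: in_any(f["src"], RFC1918) and in_any(f["dst"], RFC1918)),
]
# The same rules in the order this note creates them (drop before the accepts).
MISORDERED = [RULES[0], RULES[-1]] + RULES[1:-1]

def evaluate(rules, src, dst, dport=None, state="new"):
    """(action, description) of the first matching rule, or ("predefined", None)
    when the flow falls through to the predefined rules (e.g. internet-bound)."""
    flow = {"src": ip_address(src), "dst": ip_address(dst), "dport": dport, "state": state}
    for description, action, match in rules:
        if match(flow):
            return action, description
    return "predefined", None
```

With MISORDERED, an IoT device's DNS query to the Pi-hole is dropped before the "allow dns from vlans" rule is ever reached, which is exactly the symptom to look for if name resolution breaks after adding the drop rule.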


Testing

Test if it works, for example with your mobile phone by temporarily connecting to the IoT WiFi network.

