Unifi Network - Setup VLANs including IoT and access to Pi-hole
Here I describe which networks/VLANs and WiFi networks I have created, how I configured the firewall, and the rule that allows the Pi-hole in the SERVER-VLAN to be used by devices in other VLANs such as the CLIENT-VLAN and IOT-VLAN.
I replaced my old Unifi Security Gateway (USG) with a Unifi Dream Machine Pro (UDM-Pro) and chose to build everything from scratch rather than migrate the settings. So every setting starts at its default and from there I make the necessary adjustments. The setup below is based on the newest user interface (v7).
I have created the following networks:
- LAN (this is the default network and renamed to LAN) - very trusted - this contains all network equipment
- SERVER-VLAN - very trusted - this contains servers and a NAS
- CLIENT-VLAN - trusted - this contains clients like desktops, laptops, tablets and phones
- IOT-VLAN - not trusted - this contains smart(home) devices and media players
- GUEST-VLAN - not trusted - this contains not trusted clients including devices from work
Make sure the device you use to configure your Unifi Network remains in LAN until you finish configuring the firewall (see at the very bottom).
Setup Network
First I determined which VLAN ID each VLAN should have. For example for the IOT-VLAN I use VLAN ID 20.
This number will match the Gateway IP/Subnet - 192.168.20.1/24
Perform the following steps to create the IOT-VLAN:
- Go to Settings and Networks
- Click Create New Network:
  - Network Name: IOT-VLAN
  - Uncheck Auto-Scale Network and change the Host Address to 192.168.20.1
  - Advanced Configuration: click Manual. Everything is set by default except what I describe below
    - VLAN ID: 20
    - Multicast DNS: please read Unifi Network - Setup Chromecast between VLANs for more information
    - DHCP - DHCP Range Start: 192.168.20.150
    - DHCP - DHCP Range Stop: 192.168.20.254
I have chosen a DHCP range between 150 and 254. This leaves all IP addresses below 150 free to use as fixed IP addresses.
- Expand Hide options after DHCP Service Management
  - DHCP DNS Server: in my case I enabled this and added the IP address of my Pi-hole
  - Domain Name: home.arpa
home.arpa is the domain name reserved by RFC 8375 for home networks. Queries for it that leak out of the home network are answered by the AS112 black-hole servers instead of travelling further across the public DNS.
- Click Add Network
Repeat the above steps for any other vlan.
I configured the GUEST-VLAN the same way, so with Network Type Standard and not Guest Network. I wanted to keep this as simple as possible at the moment, but you can also choose to use the guest portal and hotspot system.
Port Management
Now that the networks/VLANs have been created, we can adjust the switch port profiles to the correct network. With this we ensure that wired devices use the correct VLAN and, for example, will receive the correct IP address.
Do not change the port profile of ports which are connected to the gateway, other switches or access points; leave these set to All. These uplinks have to carry the tagged traffic of every VLAN, and the access points in particular need all of them to map the WiFi networks below onto the right VLAN.
For wireless devices, we will create the corresponding WiFi networks in the next part
- Go to Unifi Devices and click the switch (or any other device with ports, such as the UDM)
- Go to the tab Ports and click Port Management
- Now you can select the ports of which you want to change the port profile
In the screenshot I selected port 8 and changed the following:
- Name: P1Reader - this is the name of the IoT device
- Port Profile: IOT-VLAN
- PoE: Personally, I turn off PoE if the device does not need power
Now click Apply Changes.
Repeat this for all ports for which it is necessary to change the port profile.
You can check the device as follows:
- Go to Client Devices
- In my case I see the P1Reader within the IOT-VLAN network and with the correct IP address
Optionally you can click on the device, go to Settings and give it a fixed IP address (which I did in this example).
Setup WiFi
To ensure that wireless devices connect to the correct network, I have created three WiFi networks:
- WiFi-Client
- WiFi-IoT
- WiFi-Guest
- Go to Settings and WiFi
- Click Create New WiFi Network:
  - Name: for example WiFi-IoT
  - Network: for example IOT-VLAN - or link WiFi-Client to CLIENT-VLAN and WiFi-Guest to GUEST-VLAN
  - Advanced Configuration: click Manual. Everything is set by default except what I describe below
    - Bandwidth Profile: Default - for the WiFi-Guest network I have created a guest profile that limits the bandwidth slightly
    - Multicast Management: please read Unifi Network - Setup Chromecast between VLANs for more information
    - Client Device Isolation: I have enabled this only for the WiFi-Guest network
    - Security - Security Protocol: WPA2 is still needed for backwards compatibility, so I used WPA2 for WiFi-IoT and WPA2/WPA3 for WiFi-Guest and WiFi-Client. At some point I will completely switch to WPA3
    - Group Rekey Interval: Enable, 3600 seconds - for increased security
    - Device Filtering - MAC Address Filter: I have enabled the filter for WiFi-Client and WiFi-IoT
Personally, I think it's a good thing to consciously give access to certain devices. That's why I keep a list of MAC addresses that I give access. About the option to hide the WiFi name: opinions differ on whether a hidden WiFi network provides more security, so it remains a personal choice.
Keep in mind that neither measure is an access control: a MAC address can be read from the air and spoofed, and the name of a hidden network still appears in clear text in the probe and association frames of the clients that use it. The WPA2/WPA3 passphrase and the firewall rules are what actually restrict access.
- Finally click Add WiFi Network
Repeat the above steps for any other WiFi network.
Setup Firewall
There are a number of devices I want to deprive of access to the Internet, which I have described further in this note. This mainly concerns IoT devices.
To make the VLANs work properly, the first rule I created allows established/related sessions, so that replies to a connection that was permitted in one direction can return even though the other VLAN is not allowed to open connections itself. Then I make sure that traffic between all the networks is no longer possible. Disabling inter-VLAN routing is also described by Ubiquiti here.
You can also choose to use Traffic Management to configure the firewall. Personally, I have made the choice to create firewall rules myself.
First create the IP Group needed for disabling inter-VLAN routing:
- Go to Settings and Profiles
- Scroll down to Port and IP Groups and click Create New Group:
  - Profile Name: RFC1918
  - Type: IPv4 Address/Subnet
  - Address: add 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
- Click Apply Changes
You can now use this group when creating the firewall rule.
Go to Settings and Firewall & Security and scroll down to Firewall Rules:
Rule allow established/related sessions
- Click Create New Rule:
  - Type: LAN In
  - Description: allow established/related sessions
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Advanced: click Manual
    - States: check Match State Established and Match State Related
- Click Apply Changes
Rule drop traffic between vlans
- Click Create New Rule:
  - Type: LAN In
  - Description: drop traffic between vlans
  - Rule Applied: Before Predefined Rules
  - Action: Drop
  - IPv4 Protocol: All
  - Source - Source Type: Port/IP Group
  - Source - IPv4 Address Group: RFC1918
  - Destination - Destination Type: Port/IP Group
  - Destination - IPv4 Address Group: RFC1918
- Click Apply Changes
Now all VLANs/networks are separated from each other. Note that this only affects traffic the gateway routes between networks; two devices in the same VLAN still talk to each other directly through the switch.
The rules below make it possible that:
- all VLANs have access to the Pi-hole DNS
- LAN has access to all other networks
- CLIENT-VLAN has access to LAN (or make sure that you allow individual devices from the CLIENT-VLAN to manage LAN)
- CLIENT-VLAN has access to SERVER-VLAN
- CLIENT-VLAN has access to IOT-VLAN
- some IOT-VLAN devices have access to SERVER-VLAN
Because of the established/related rule, replies flow back in the opposite direction for each of these while the other side cannot open a connection itself: an IoT device can answer a client, but it cannot reach into the CLIENT-VLAN on its own.
This seems to me personally a good basis to start with. The next step may be to set up access between the VLANs in more detail.
Rule allow dns from vlans
- Click Create New Rule:
  - Type: LAN In
  - Description: allow dns from vlans
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Port/IP Group
  - Source - IPv4 Address Group: RFC1918
  - Destination - Destination Type: Port/IP Group
  - Destination - IPv4 Address Group: create a new IP Group and add the IP address of your Pi-hole(s)
  - Destination - Port Group: create a new Port Group and add port 53
- Click Apply Changes
This rule only helps devices that actually use the Pi-hole as their resolver. A device that ignores the DNS server handed out by DHCP and uses a hard-coded resolver such as 8.8.8.8 bypasses the Pi-hole, because traffic to the internet is not touched by the drop rule. If you want to force such devices through the Pi-hole, add a further LAN In rule, below this one, that drops port 53 traffic from the VLANs to any destination other than the Pi-hole.
Rule allow lan to all vlans
- Click Create New Rule:
  - Type: LAN In
  - Description: allow lan to all vlans
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Network
  - Source - Network: LAN
  - Source - Network Type: IPv4 Subnet
  - Destination - Destination Type: Port/IP Group
  - Destination - IPv4 Address Group: RFC1918
- Click Apply Changes
Rule allow clients to lan
- Click Create New Rule:
  - Type: LAN In
  - Description: allow clients to lan
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Network
  - Source - Network: CLIENT-VLAN
  - Source - Network Type: IPv4 Subnet
  - Destination - Destination Type: Network
  - Destination - Network: LAN
  - Destination - Network Type: IPv4 Subnet
- Click Apply Changes
Rule allow clients to servers
- Click Create New Rule:
  - Type: LAN In
  - Description: allow clients to servers
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Network
  - Source - Network: CLIENT-VLAN
  - Source - Network Type: IPv4 Subnet
  - Destination - Destination Type: Network
  - Destination - Network: SERVER-VLAN
  - Destination - Network Type: IPv4 Subnet
- Click Apply Changes
Rule allow clients to iot
- Click Create New Rule:
  - Type: LAN In
  - Description: allow clients to iot
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Network
  - Source - Network: CLIENT-VLAN
  - Source - Network Type: IPv4 Subnet
  - Destination - Destination Type: Network
  - Destination - Network: IOT-VLAN
  - Destination - Network Type: IPv4 Subnet
- Click Apply Changes
Rule allow some iot to servers
- Click Create New Rule:
  - Type: LAN In
  - Description: allow some iot to servers
  - Rule Applied: Before Predefined Rules
  - Action: Accept
  - IPv4 Protocol: All
  - Source - Source Type: Port/IP Group
  - Source - IPv4 Address Group: create a new IP Group and add the IP address of some IoT device(s)
  - Destination - Destination Type: Port/IP Group
  - Destination - IPv4 Address Group: create a new IP Group and add the IP address of some server(s)
- Click Apply Changes
The firewall rules then look like this. Rules are evaluated from top to bottom and the first match wins, so every accept rule must sit above drop traffic between vlans; if a rule ended up in the wrong place, drag it into position. A number of things are accepted first and otherwise the traffic between the networks will be dropped:
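To make the evaluation order concrete, here is an added example (my own code, not UniFi's and not from the original note) that models the LAN In rule list above as a first-match-wins list and evaluates sample packets against it, including what happens when the drop rule is accidentally placed on top. The subnets for LAN, CLIENT-VLAN, SERVER-VLAN and GUEST-VLAN, and the Pi-hole, P1Reader and server addresses, are assumptions; only the IoT subnet is stated in this note.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Networks from this note. Only the IoT VLAN (ID 20 -> 192.168.20.0/24) is stated on the
# page; the other subnets are assumptions following the same "VLAN ID = third octet" idea.
NETWORKS = {
    "LAN": ip_network("192.168.1.0/24"),
    "CLIENT-VLAN": ip_network("192.168.10.0/24"),
    "IOT-VLAN": ip_network("192.168.20.0/24"),
    "SERVER-VLAN": ip_network("192.168.30.0/24"),
    "GUEST-VLAN": ip_network("192.168.40.0/24"),
}
# Port/IP groups. The Pi-hole, "some IoT device" and "some server" addresses are assumptions.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PIHOLE = [ip_network("192.168.30.53/32")]
SOME_IOT = [ip_network("192.168.20.10/32")]        # e.g. the P1Reader
SOME_SERVERS = [ip_network("192.168.30.20/32")]    # e.g. the server it reports to

@dataclass
class Rule:
    description: str
    action: str                      # "accept" or "drop"
    src: Optional[list] = None       # source networks; None = any
    dst: Optional[list] = None       # destination networks; None = any
    dst_ports: Optional[set] = None  # destination port group; None = any port
    states: Optional[set] = None     # connection states; None = any state

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "new"   # "new", "established" or "related"

def in_group(addr: str, group: Optional[list]) -> bool:
    return group is None or any(ip_address(addr) in net for net in group)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if not (in_group(pkt.src, rule.src) and in_group(pkt.dst, rule.dst)):
        return False
    if rule.dst_ports is not None:
        # A port group only has meaning for TCP/UDP; ICMP never matches a port rule.
        return pkt.proto in ("tcp", "udp") and pkt.dport in rule.dst_ports
    return True

def network_of(addr: str) -> Optional[str]:
    a = ip_address(addr)
    return next((name for name, net in NETWORKS.items() if a in net), None)

def evaluate(rules: list, pkt: Packet) -> str:
    """First matching LAN In rule wins. Hosts in the same VLAN talk through the
    switch and never reach the gateway ("switched"). If nothing matches, UniFi's
    predefined LAN In behaviour allows the traffic, which is why the drop rule exists."""
    src_net = network_of(pkt.src)
    if src_net is not None and src_net == network_of(pkt.dst):
        return "switched"
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"

CLIENT, IOT, SERVER, LAN = (NETWORKS[n] for n in ("CLIENT-VLAN", "IOT-VLAN", "SERVER-VLAN", "LAN"))

# The rule list from this note in the order the screenshot shows: accepts first, drop last.
RULES = [
    Rule("allow established/related sessions", "accept", states={"established", "related"}),
    Rule("allow dns from vlans", "accept", src=RFC1918, dst=PIHOLE, dst_ports={53}),
    Rule("allow lan to all vlans", "accept", src=[LAN], dst=RFC1918),
    Rule("allow clients to lan", "accept", src=[CLIENT], dst=[LAN]),
    Rule("allow clients to servers", "accept", src=[CLIENT], dst=[SERVER]),
    Rule("allow clients to iot", "accept", src=[CLIENT], dst=[IOT]),
    Rule("allow some iot to servers", "accept", src=SOME_IOT, dst=SOME_SERVERS),
    Rule("drop traffic between vlans", "drop", src=RFC1918, dst=RFC1918),
]
# Same rules with the drop rule dragged to the top: every accept rule below it is dead.
MISORDERED = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    checks = {
        "IoT -> Pi-hole DNS": Packet("192.168.20.11", "192.168.30.53", "udp", 53),
        "P1Reader -> its server": Packet("192.168.20.10", "192.168.30.20", "tcp", 514),
        "client -> IoT": Packet("192.168.10.5", "192.168.20.11", "tcp", 80),
        "IoT reply -> client": Packet("192.168.20.11", "192.168.10.5", "tcp", 40000, "established"),
        "IoT -> client (new)": Packet("192.168.20.11", "192.168.10.5", "tcp", 22),
        "guest -> internet": Packet("192.168.40.7", "1.1.1.1", "tcp", 443),
        "client -> client (same VLAN)": Packet("192.168.10.5", "192.168.10.6", "tcp", 445),
    }
    for label, pkt in checks.items():
        print(f"{label:30} {evaluate(RULES, pkt)}")
    print("IoT -> Pi-hole DNS with drop rule on top:", evaluate(MISORDERED, checks["IoT -> Pi-hole DNS"]))
```

Run it to see the verdict per packet. The last line shows that the same rules with the drop rule on top block the DNS traffic that allow dns from vlans was meant to permit, and the same-VLAN case shows that the gateway never sees switched traffic, which is exactly what to keep in mind when reading the rule list in the UI.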
Testing
Test whether it works, for example with your mobile phone by temporarily connecting to the WiFi-IoT network: name resolution via the Pi-hole should still work and you should still reach the internet, but a server or the NAS in the SERVER-VLAN should no longer respond.