Unifi Network - Setup IoT VLAN With Access to Home Assistant and Pi-hole


This note explains how I created an Internet of Things (IoT) VLAN with a corresponding wireless network in the Unifi Network Application (formerly called Unifi Controller), version 6.x. Several rules have been added to the firewall, including rules that allow devices in the IoT VLAN to reach the Pi-hole and Home Assistant instances while the rest of the private network stays blocked.

Setup Network

  1. Go to Settings and Networks and click Add New Network:
    • Name: for example IoT
  2. Expand Advanced:
    • VLAN ID: 20

    This number matches the third octet of the Gateway IP/Subnet, 192.168.20.1/24

    • Make sure Device Isolation and Auto Scale Network are turned off
    • Turn on IGMP Snooping

      Chromecast: After performing various tests, it turned out that it was not necessary to create firewall rules for the Chromecast or to enable mDNS/Multicast DNS (which you should not do on a USG anyway, because the WAN interface is included). I also left IGMP Snooping enabled for both the LAN network and the IoT network; this is preferable so that multicast streams are not sent to all ports. In the end I was able to cast from my phone (LAN network) to the Chromecast (IoT network) without any problems. Unfortunately this doesn’t work for everyone out of the box, maybe because of caching, so testing is necessary!

    • Gateway IP/Subnet: 192.168.20.1/24
    • DHCP Range Start: 192.168.20.150
    • DHCP Range Stop: 192.168.20.254

    I have chosen a DHCP range between 150 and 254. This gives me the possibility to use all IP addresses below 150 as fixed IP addresses.

    • (optional) DHCP Name Server: if needed, manually designate the DNS servers that are assigned to DHCP clients, for example the Cloudflare DNS server or a Pi-hole instance
  3. Finally click Add Network

Setup WiFi

  1. Go to Settings and WiFi and click Add New WiFi Network:
    • Name: for example WiFi-IoT
    • Password: your password
    • Network: IoT
  2. Expand Advanced:
    • WiFi Band: Select which radio band is needed, most IoT devices use 2.4GHz
    • Optimize IoT WiFi Connectivity: turn ON
    • (optional) AP Groups: Select the Access Points that will broadcast the IoT WiFi network
    • Make sure UAPSD, Multicast Enhancement, High Performance Devices, BSS Transition, Proxy ARP, L2 Isolation, Legacy Support and Enable Fast Roaming are turned off (or do some research and turn them on if desired)
  3. Expand Security
    • Security Protocol: WPA-2
    • Hide WiFi Name: turn ON

    My IoT WiFi network does not have to be visible by default (unless devices need to be able to select the network themselves). Opinions differ on whether a hidden WiFi network provides more security, so it remains a personal choice.

    • PMF: Leave this Disabled
  4. Expand MAC Authorization
    • MAC Address Filter: turn ON if you want to allow or deny specific MAC addresses

    Personally, I think it’s a good thing to consciously give access to certain devices. That’s why I keep a list of the MAC addresses to which I give access.

  5. Finally click Add WiFi Network

Setup Firewall

Go to Settings and Traffic & Security and Global Threat Management and expand Firewall.

Rule Allow Established/related Sessions
  1. Click LAN and click Create New Rule:
    • Type: LAN In
    • Description: allow established/related sessions
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
  2. Expand Advanced:
    • Turn ON Match State Established and Match State Related
  3. Click Apply Changes

(optional) Rule Allow IoT to Pi-hole
  1. Click LAN and click Create New Rule:
    • Type: LAN In
    • Description: allow IoT to Pihole
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: TCP and UDP
  2. Expand Source:
    • Source Type: Network
    • Network: IoT
  3. Expand Destination:
    • Destination Type: Address/Port Group
    • IPv4 Address Group:
      • Create a new group:
        • Name: DNS Servers
        • Add Address: Add your DNS server IP address(es)
    • Click Create New Group
    • Port Group:
      • Create a new group:
        • Name: DNS Port
        • Add Port: 53
    • Click Create New Group
  4. Click Apply Changes

(optional) Rule Allow IoT to Home Assistant
  1. Click LAN and click Create New Rule:
    • Type: LAN In
    • Description: allow IoT to Home Assistant
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
  2. Expand Source:
    • Source Type: Network
    • Network: IoT
  3. Expand Destination:
    • Destination Type: Address/Port Group
    • IPv4 Address Group:
      • Create a new group:
        • Name: Home Assistant Server
        • Add Address: Add your Home Assistant server IP address
    • Click Create New Group
    • Port Group:
      • Create a new group:
        • Name: Home Assistant Port
        • Add Port: 8123
    • Click Create New Group
  4. Click Apply Changes

Rule Block IoT to Private Network
  1. Click LAN and click Create New Rule:
    • Type: LAN In
    • Description: drop IoT to private network
    • Rule Applied: After Predefined Rules
    • Action: Drop
    • IPv4 Protocol: All
  2. Expand Source:
    • Source Type: Network
    • Network: IoT
  3. Expand Destination:
    • Destination Type: Network
    • Network: LAN
  4. Expand Advanced
    • Turn ON Match State New and Match State Invalid
  5. Click Apply Changes

Now the private (LAN) network and the IoT network are separated from each other: new connections from IoT to LAN are dropped, but devices on the IoT network can still resolve DNS via the Pi-hole, reach the Internet, and connect to the Home Assistant server on port 8123. Because the established/related rule comes first, replies to connections initiated from the LAN side still flow back.

If necessary, it is also very easy to block Internet access for specific devices.
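To check that the four rules above express the intended policy before relying on them, here is a small offline model of the LAN In rule order. This is an added example, not Unifi code; the LAN subnet, Pi-hole and Home Assistant addresses are assumed, and the predefined rules are assumed not to match the traffic modelled here.

```python
"""Offline model of the LAN In rule set from this note (added example, not Unifi code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

IOT_NET = ipaddress.ip_network("192.168.20.0/24")           # from the note
LAN_NET = ipaddress.ip_network("192.168.1.0/24")            # assumed LAN subnet
DNS_SERVERS = {ipaddress.ip_address("192.168.1.2")}         # assumed Pi-hole address
HA_SERVER = {ipaddress.ip_address("192.168.1.3")}           # assumed Home Assistant address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports
    state: str            # "new", "established", "related" or "invalid"


def in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


# (description, predicate, action), evaluated top to bottom, first match wins.
# The three "Before Predefined" rules come first; the drop rule is "After
# Predefined" and only sees traffic nothing above it accepted.
RULES: list[tuple[str, Callable[[Packet], bool], str]] = [
    ("allow established/related",
     lambda p: p.state in ("established", "related"), "accept"),
    ("allow IoT to Pihole",
     lambda p: in_net(p.src, IOT_NET) and ipaddress.ip_address(p.dst) in DNS_SERVERS
     and p.proto in ("tcp", "udp") and p.dport == 53, "accept"),
    ("allow IoT to Home Assistant",
     lambda p: in_net(p.src, IOT_NET) and ipaddress.ip_address(p.dst) in HA_SERVER
     and p.dport == 8123, "accept"),
    ("drop IoT to private network",
     lambda p: in_net(p.src, IOT_NET) and in_net(p.dst, LAN_NET)
     and p.state in ("new", "invalid"), "drop"),
]


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (matching rule, action); anything unmatched falls to the default accept."""
    for desc, match, action in RULES:
        if match(pkt):
            return desc, action
    return "default", "accept"
```

Run a few constructed packets through `evaluate` (IoT to Pi-hole on 53, IoT to Home Assistant on 8123, IoT to another LAN host, LAN to IoT) to confirm only the intended paths are accepted.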


Testing

Test if it works, for example with your mobile phone by temporarily connecting to the IoT WiFi network.

