Skip to main content
Home Network

How to Setup and Secure UniFi VLAN

By March 21, 2023June 27th, 2023No Comments

When you have an UniFi Security Gateway or UniFi Dream Machine (UDM, UDM Pro) you can create different VLANs on your network. Virtual LANs (VLANs), allow you to divide your physical network into virtual networks, offering isolation, security, and scalability.

Now you might think, do I really need VLANs? But when guests are connecting to your home network, you probably don’t want them to have access to all your network devices. And if you have a smart home, then creating a separate VLAN might be a good idea. Because the security of IoT devices is not always as it should be.

In this article

  • Setup UniFi VLANs
    • Step 1 – Create the UniFi VLAN Networks
    • Step 2 – Block traffic between VLANs
    • Step 3 – Block Access to Unifi Network Console from VLANs
  • Assign devices to VLANs in UniFi Network
    • Assign Port Profiles to Switch Ports
    • Assign VLAN to Wireless Devices
  • Creating Firewall Exceptions
  • Wrapping Up

So in this article, I will explain how to set up and secure VLANs in the UniFi Network Console.

Setup UniFi VLANs

Creating VLANs in UniFi exists out of a couple of steps because we not only have to create the different networks, but we also need to secure the VLANs. The “problem” with UniFi is that inter-VLAN traffic is allowed by default. So without any firewall rules, traffic from for example the guest VLAN can just access the main VLAN.

In this example, we will be creating 3 VLAN networks for:

  • Guests – VLAN 20
  • Cameras – VLAN 30
  • IoT devices – VLAN 40

The guest VLAN is a bit different from the other VLANs because UniFi will automatically create the necessary firewall rules for the guest network. All you have to do is mark the network as a guest network type.

So in the steps below, we will create the guest network, with the correct settings, but further on I will use the IoT VLAN as an example.

Step 1 – Create the UniFi VLAN Networks

The first step is to create the different networks for the VLANs. I have used custom VLAN IDs in the steps below, but you can also leave Auto Scale Network on. This way UniFi will automatically create the IP Range and VLAN ID.

Open your UniFi network console and navigate to:

  1. Settings >Networks
  2. Click on Create New Network

We are first going to create the guest network:

  1. Enter Guests at the network name
  2. Deselect Auto Scale Network
  3. Set the host address to 192.168.20.1
  4. Change Advanced Configuration to Manual
  5. Change the VLAN ID to 20 so it matches the IP range
  6. Set the network type to Guest Network
  7. Change the content filtering to Family (optional)
  8. Click Apply Changes

Next, we need to create the network for the Cameras and IoT devices. Click again on Create a new network, repeat the steps below for both Cameras and IoT, using VLAN 30 for cameras en 40 for IoT:

  1. Network Name: IoT
  2. Disable Auto Scale Network
  3. Host Address: 192.168.40.1
  4. Advanced Configuration: Manual
  5. VLAN ID: 40
  6. Network Type: Standard
  7. Click Apply Changes (and repeat for cameras)

Step 2 – Block traffic between VLANs

With the networks and VLANs created we need to block the traffic between them. By default, devices in, for example the IoT VLAN, can access the device in your main VLAN. Guests however are already isolated by the automatically generated firewall rules by the Guest Network type.

Before we can block the inter-VLAN traffic, we first need to create 3 other rules:

  • Allow established and related connections
  • Drop invalid state connections
  • Allow the main VLAN to access all VLANs

Firewall rules are located in the settings under Firewall & Security:

  1. Click on Create New Rule

We are first going to create the rule that allows all established and related sessions.

  1. Type: LAN in
  2. Description: Allow established and related sessions
  3. Action: Accept
  4. Source Type: Port/IP Group
  5. IPv4 Address Group: Any
  6. Port Group: Any
  7. Destination Type: Port/IP Group
  8. IPv4 Address Group: Any
  9. Port Group: Any
  10. Under Advanced: select Match State Established and Match State Related
  11. Apply Changes

The second rule that we are going to create is to drop all invalid states:

  • Type: LAN in
  • Description: Drop invalid state
  • Action: Drop
  • Source Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Under Advanced: select Match State Invalid
  • Apply Changes

And the third rule that we need to add is to allow traffic from our main VLAN to the other VLAN. This way we will be able to manage all the devices even if they are in IoT VLAN for example.

To create this rule we will first need to define an IP Group. Port/Ip Groups allow you to easily apply a rule to multiple port numbers or IP ranges. In this case, we want to match the IP ranges of all VLANs.

  1. In the settings menu, click on Profiles
  2. Scroll down and click Create New Group under Port and IP Groups
  3. Profile name: All Private IPs
  4. Type: IPv4 Address/Subnet
  5. Address: 192.168.0.0/16 (this will match all addresses that start with 192.168.x.x)
  6. Click Apply Changes

With the IP group created, go back to Firewall & Security and create the following rule:

  • Type: LAN in
  • Description: Allow main VLAN access to all VLAN
  • Action: Accept
  • Source Type: Network
  • Network: Default
  • Network Type: IPv4 Subnet
  • Destination Type: Port/IP Group
  • IPv4 Address Group: All Private IPs (the IP Group that we just created
  • Port Group: Any

We can now create the rule that will block traffic between the VLANs. The rules that we just created will ensure that we can still access the devices in the other VLANs from the main VLAN. For this rule, we are also going to use the IP Group that we created earlier.

Click on Create New Rule in Firewall & Security and add the following rule:

  • Type: LAN in
  • Description: Block VLAN to VLAN
  • Action: Drop
  • Source Type: Port/IP Group
  • IPv4 Address Group: All Private IPs
  • Destination Type: Port/IP Group
  • IPv4 Address Group: All Private IPs
  • Port Group: Any

We now have separated the VLANs in our UniFi network, preventing unwanted inter-VLAN traffic.

Step 3 – Block Access to Unifi Network Console from VLANs

Devices in your VLAN will need to have access to your network console (UDM Pro for example). But what we don’t want is that users (guests or IoT devices) are able to access the interface of our UniFi network console.

What we also want to prevent is that devices from IoT can access the gateway of the main VLAN.

First, we need to create a couple of Port and IP Groups. Open the Profiles in the settings menu and click on Create New Group under Port and IP Groups. Create the following IP Groups:

Profile NameTypeAddress / Port
Block IoT to GatewaysIPv4 Address/Subnet192.168.1.1
192.168.20.1
192.168.30.1
Block IoT Gateway InterfaceIPv4 Address/Subnet192.168.40.1
Block Cameras to GatewaysIPv4 Address/Subnet192.168.1.1
192.168.20.1
192.168.40.1
Block Cameras Gateway interfaceIPv4 Address/Subnet192.168.30.1

The last Port Group that we need to create is to block only HTTP, HTTPS, and SSH access to the UniFi Network Console. The device will need to be able to access the gateway, but as mentioned, we don’t want to expose the console self.

  • Profile Name: http,https,ssh
  • Type: Port Group
  • Port: 80, 443, 22

Next, we are going to add the firewall rules. This time we will be using the type LAN Local

  • Type: LAN local
  • Description: Block IoT to Gateways
  • Action: Drop
  • Source Type: Network
  • Network: IoT
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Block IoT to Gateways
  • Port Group: Any

And the rule to block access to the UDM Console. Note that we will be using the Port Group http,https,ssh here that we created earlier!

  • Type: LAN local
  • Description: Block IoT to UDM Interface
  • Action: Drop
  • Source Type: Network
  • Network: IoT
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Block IoT Gateway Interface
  • Port Group: http,https,ssh

Repeat the steps above but this time for the Cameras VLAN.

Assign devices to VLANs in UniFi Network

We have created all necessary rules to block inter-VLAN traffic, so all we need to do now is assign our devices to the correct VLAN in UniFi network. For wired devices, we can assign a network to the port on the switch. And for the wireless devices, we will need to create a separate SSID.

Assign Port Profiles to Switch Ports

The first step is to assign the correct Port Profiles to our switch ports. By default, the ports are assigned to the Port Profile All. This means that devices connected to this port can access all VLANs. This is only needed for the uplink port and connected access points.

In the UniFi Network console, open your Devices and select your switch. We are going to use the new Ports Insights feature because this will give us a good overview of the connected devices:

  1. Select the tab Ports
  2. Open Ports Insights

In this example, I have a camera connected to port 6 on the switch. We are going to change the profile of this port to Cameras.

Tip: By default, you can select and change multiple ports by just selecting them one after another. Mind this when you want to change another port.

  1. Select the port with your camera
  2. Change the Port Profile to Cameras
  3. Reboot your Camera by Power Cycle the port
  4. Click Apply Changes

Change the other ports as well, assign them to the main VLAN by selecting the Port Profile LAN or another appropriate Port Profile.

Make sure that you leave the Uplink port (recognized by the up arrow ^ ) and the access points port on the All profile.

Assign VLAN to Wireless Devices

If you have an UniFi doorbell, for example, you might also want to assign this device to the camera’s VLAN. The problem is that we can’t set a VLAN on the doorbell itself. The same problem occurs with a lot of IoT devices, on most you can’t configure a VLAN Id.

So the only option is to create a separate SSID (wireless network) for each VLAN and assign the wireless network to the correct VLAN.

  1. Open Settings and select WiFi
  2. Click on Create New WiFi network
  3. Enter a name and password for the wireless network
  4. Change network to the correct VLAN (cameras for example)
  5. Click Add WiFi network

You can change the WiFi connection of your UniFi Doorbell in the Protect Console > Devices > Settings > WiFi Connection.

Creating Firewall Exceptions

Sometimes you need to allow access between specific devices in different VLANs. In these cases, we need to create an allow rule and place the rule above the Block VLAN to VLAN rule. Let’s take the following example, allowing IoT devices to access a Raspberry PI in the main VLAN.

When you create an allow rule, try to be as specific as possible. If it’s only between two devices, then use the IP Address of both devices. If you know the protocol, then specify the port number as well.

Create a new firewall rule:

  • Type: LAN In
  • Description: IoT to Raspberry Pi
  • Action: Allow
  • Source Type: Network
  • Network: IoT
  • Destination Type: IP Address
  • IPv4 Address: 192.168.1.x

Next, we will need to move the rule above the Block VLAN to VLAN rule that we have created in the beginning. If you hover over an rule with your mouse, you can drag and drop rules using the 6 dots at the beginning of the rule:

  1. In the Firewall Rules select LAN
  2. Drag the new rule above the Block VLAN to VLAN (Rule index 2003)

Wrapping Up

VLANs allow you to secure your local network by making sure that devices from one VLAN can’t access the other. Because inter-VLAN access is by default allowed in UniFi, we will need to create quite an amount of rules before we can safely use it.

I hope this article helped you to set up UniFi Vlans. If you have any questions, just drop a comment below.

Close Menu