How to Setup and Secure UniFi VLAN

118 thoughts on “How to Setup and Secure UniFi VLAN”

1. I cant get Printer access to work. I have my Printer on VLAN 20 my IOT VLAN I set my IP to 10.0.20.80. Im not able to ping this IP from default. I used your rule IOT to Raspberry changing it to default to 10.0.20.80. I still can not ping my HP Printer. Any help is greatly appreciated. Ive noticed a lot of people have issue with printers.

2. Hi, as far as I know I followed the tutorial to the letter. I have an issue with DHCP. For example my IOT network is defined to be in the range 192.168.40.6 – 254 by the DHCP settings for that network. However, when I connecf a client (like a windows pc f.i.) it does NOT get an IP address assigned. My DHCP settings are :

   DHCP mode: DHCP Server
   DHCP Range: 192.168.40.6 – 192.168.40.254
   DHCP default gateway : tries both 192.168.40.1 as well as Auto

   What could possibly be wrong and what should I verify ?

   Big thanks !!!!

3. Hi this realy helped me. Thank you for your hard work.

4. Great guide, thank you !

   Question … When a IOT device sits in a specific Wifi network, assigned a VLAN ID … I see it connects to the network without issues, however the IP address of that device does not show in the Unifi Client list interface ?

5. Great guide , much appreciated .

   Can you pls expand your guide with the steps required to route VLAN traffic through the new UniFi magic VPN. I’ve 2 sites connected via Magic VPN with Cameras on each site but one NVR in a single site only. I want to use one VLAN for all the cameras and their NVR so would this be possible with the new UniFi magic VPN as it’s very easy to setup?

   I would imagine that would be policy routing approach and work around for traffic in 2 layers 2 and 3 (based on my limited understanding) , will this be possible? What are the steps to implement it?

   Thank you

6. Hi,

   thanks for this nice guide. Finally a guide which describes all settings on the new unifi ui.

   Why is it necessary to add the Rule “Block IoT to Gateways”? Why should the IOT devices be blocked from reaching its DHCP or DNS Server?

   When I add the rule I’m not able to add new tuya devices.

   • It should be able to access the DNS and DHCP at it’s own gateway address 192.168.40.1. We only block http, https and ssh there.

7. Ruud, thank you, this is an excellent article!

   I don’t quiet understand two things, only concerning the “Block traffic between VLANS”:
   – Allow established and related connections
   – Drop invalid state connections
   – Allow the main VLAN to access all VLANs
   – Block VLAN to VLAN

   1. For the first two rules you use as source “Any” and destination “Any”. For the fourth rule you use as source “All Private IPs” and destination “All Private IPs”. I get the logic for the fourth rule but don’t understand why the first two rules are “Any”. Wouldn’t it be enough to just use “All Private IPs” as well?

   2. I do technically understand what the second rule does “Drop invalid state connections” but I don’t understand why it’s used here? Is that just a best practice thing to do?

   The first question is for understanding but the second one is if particular interest to me as I see some traffic being dropped and not sure this is right, e.g. I have Apple devices in my network and they seem to want to contact Couldflare (1.1.1.1 and 1.0.0.1) and those connections are being dropped now as invalid.

   Appreciate any comments. Cheers!

   • 1. These rules also apply to connection to the internet
     2. The firewall not only blocks strange or messed-up packets but also rejects any packets that don’t belong to an ongoing conversation. Think of it like this: if you were getting a file, and the transfer finished, the connection would close. So, if the server sends more data after that, the firewall sees it as odd because there’s no active talk going on. To be safe, it’s smart to have these rules to stop any weird attempts from a compromised device.

8. Perfect and simple example of vlan’s setting up. I doubt about iot and video restriction access to router, this case you can’t control smart homing and NVR remotely, but it can be tuned individually.
   What you can advice for such trlcky task: secondary wan link (ethernet) present near usw24 (not L2) switch, connection to UDM Pro via optic. There are free ethernet ports at usw24 and at udm-pro. Is it possible to build isolated trunk between ethernet ports to path trough this wan link to udm?

9. hello,
   what about trunking? what would be the configuration for having all created vlans including the management vlan trunked out of the UDM on a single port, down range to other switches trunk ports to expand my network?

   Thanks.

   • You can use the port profile all for that.

10. After setting up VLANs and triple checking firewall rules, I have a couple of devices in my IoT network that can only be accessed remotely or from the IoT local wifi network. Shouldn’t I be able to access them from the default local wifi network, too? Feels like I missed something.

    Thanks for a great article…very helpful.

11. First, thank you so much for the guide.

    I was wondering if you could explain a bit more on why you have LAN In for some, and LAN Local for others?

    • LAN In rules applies to traffic the enters the LAN from the internet. LAN Local applies to traffic that comes from within your local network.

      • `LAN In` is from internet? Wouldn’t that be `WAN In`? Cause all the rules in this article are `LAN …` for blocking inter VLAN traffic — nothing about internet. I’m a bit confused?

        • The labels are indeed confusing:
          LAN-IN = traffic entering the LAN interface (usually sourced from clients on the LAN, but VPN traffic is also filtered here). Also traffic from the WAN interface to the LAN interface can be filtered here.
          LAN-OUT = traffic leaving the LAN interface (destined for the LAN clients)
          WAN-IN= traffic entering the WAN interface (usually sourced from anything on the internet)
          WAN-OUT= traffic leaving the WAN interface

          • I researched some more and I think I figured it out.

            Conceptually, `LAN Local` is the same as `LAN In` where `destination` is the UDM itself.

            But, if traffic comes in where `destination` is the UDM itself, the UDM does not trigger `LAN In` rules. Hence why those rules need `LAN Local`.

            Now I get it. Thank you!

12. First, thanks for the article, it’s been very helpful!

    Correct me if I’m wrong, but I believe the “Block VLAN to VLAN” rule you created at or near the beginning makes blocking access to the group of gateway IP’s that are in your other VLAN’s unnecessary, as they should already be blocked, right? Thus, I think the only rule needed would be the one to block http,https,ssh to the gateway interface for said VLAN.

    • That is what I thought too but Unifi does not trigger the `LAN In` rules for traffic destined to the router itself. Thats why you need the other `LAN Local` rules.

13. Hello, I wanted to ask. If port 443 and HTTP, and HTTPS are blocked, how do you connect to the unify web interface control window? Do I need to connect directly through the computer after downloading the unifi program?

    • Have you installed the controller on a Windows computer? Port forwarding or a firewall execption is the best option

      • Hi,

        I am a mac os user. I haven’t installed anything on my computer yet. That’s all it takes to install the controller on the computer and I’ll be able to connect? maybe you have written somewhere in your blog about creating firewall execption rules to connect to UDM?

    • 443 is only blocked from IoT. So devices on your main/default can still access the Unifi web interface control from your LAN.

14. Hi,

    I am thinking of upgrading the home network to something more serious. I am choosing between meraki and unifi. Do you think unifi has a good enough firewall like cisco? and I wonder if cloud key2 can be connected to cisco meraki router.? if I would like to add wifi cameras.

    Thank you for you opinion

    • I prefer UniFi. It’s easier to set up and you don’t need monthly licenses to run and configure your hardware. The firewall of UniFi is good enough for a home or small business network. You can place the cloud key behind the Meraki router.

      • Hi, Rudy

        Thank you for your reply. I’m thinking about UDM/SE, although at the moment the internet provider only offers 1GB internet speed. Maybe in a few years there will be a higher speed. Investment in the future. I’m also thinking about acces point pro, it should probably be enough for an 88 sq m apartment.

15. Hey Ruud,
    I wanted first to say that your article was very helpful and thank you! With that, I’ve found two oddities that perhaps you could provide insight into. First, when I run an external scan of my domain (strictly housed behind the UDMP running Network 7.4.150), I find that I have a ton of ports open. I’ve confirmed that I have UPnP off, so no ports are being opened for arbitrary services. I can’t figure out why they are open.

    The second is regarding securing IPv6. I’d like the same VLan structure in place, along with the firewall rules to match that coincide with the IPv4 rules and VLan’s. I currently have about 40-50 devices of various types and am trying to slowly transition to IPv6. Do you have any ideas on how to approach this, or any good references that could point me in the right direction?

    • And you have threat management running?
      I don’t have any experience with IPv6 and vLANs yet.

16. Oh wow, perfect article to guide a beginner like me. Many, many thanks. After setting up the groups to block port 22,80,443, I can no longer SSH to a machine on the blocked network. For now, I have excluded port 22 but would rather add a rule to allow SSH from the blocked VLAN to a specific machine on my main network. Any examples?

17. Thank you for year great tutorial!
    I have tried to implement a similar setup using USG-PRO4 and UniFi Console 7.4.150, but did find that Switch port profile configuration under which you referred to as “new Ports Insights feature” was not available.
    There are some other differences as well.
    Do you know if I should be able to set up a similar solution without a UDM?
    If not would you be able able to point out what I need to configure different?
    Thank you in advance

18. Great article Rudy – thankyou. I guess like many who found this article I was perplexed by the “problem” that inter-VLAN traffic is allowed by default, having set up VLANs which did “nothing”. This article has saved me hours. The rules Unifi creates with the same description are indeed “Internet In”, “Internet Local”, or “…v6…” rules and cannot be edited and the detail cannot be viewed, but I could take a reasonable guess at what they do. I read a post from Unifi that suggests they cannot be edited/viewed to “…enable the best user experience” – saving us from ourselves perhaps.
    UDM 7.3.83, U6-LR, u6-Lite, USW-Lite-8-poe.

19. I followed this tutorial and everything seems to have worked – perhaps too well. I cannot access my HDHomerun Flex 4K tuners from a different VLAN. Everything I’ve read online seems to suggest a tricky situation working with HDHR devices and VLANs. Wondering if there’s a simple way for a non-IT weekend warrior like myself.

    What I hope to accomplish is to regain access from my Pixel 6 (VLAN 20) to several HDHR devices (VLAN 1). Is there a firewall rule to use? I’ve tinkered without success so far. Alternately, should I consider moving the HDHR devices to a separate VLAN? Might that clear things up? I have an unused MEDIA VLAN in my network list; no devices are assigned to it yet.

    Ideally, I’d like all mobile devices on VLAN 20 to have access, so if this involves a new profile/group then I’d like help with that as well.

    Thanks,
    Robert

20. Would any of these rules stop internet in traffic? I set up the vlan for having a game server separated from the rest of my network but the port forwarding is still blocked after creating a rule. I can get OUT from the vlan but I can’t get in.

    • When configured wrong it can stop internet traffic indeed.

21. Rudy,

    First off, I love this site as well as the simplicity of the information you presented on this topic. I was able to follow along on this tutorial and get firewall rules set up properly. Now my IOT network is isolated from all others on my UniFi Dream Machine Pro. Thank you! This tutorial was much easier to follow than the dozens of YouTube videos out there claiming to “make it easy”. I’m not an IT professional so all of this is sort of “weekend warrior IT” for me.

    A question I have on the HTTP, HTTPS and SSH group profile. I use ports 80 and 443 to renew SSL certificates every 90 days. I have port forwarding for 80 & 443 disabled until I need to use them. Should I expect that group profile to interfere with those certificate renewals? Is disabling the profile sufficient while renewing, or can I remove ports 80 and 443 from the profile?

    Thanks again!
    Robert

    • Disabling the profile (or switching the port to another profile) might be the easiest option.

22. I think I got the tutorial right, but from the beginning my vlan doesn’t seem to assign an ip. I have just one pc plugged into a port on the switch that is set to use this vlan (called “gaming” in my case) but it gets no ip when then pc is plugged in.

    • Is DHCP enabled in the vlan? If you go to network > select your gaming network, scroll down to advanced > DHCP

      • Thanks, got it figured out, it was my own stupidity 🙂

23. Hi all,
    thanks for useful post and comments!
    I have from Ubiquiti only a USW PRO 48 POE switch and the CloudKeyGen2Console.
    I have set the vlans (100,200,300) across the router and switch (only 1 router only 1 switch), but trying to get the printer on vlan 100 to be accessible from 200 and 300. how do I do that? tried different option but not successful so far and see in this post some functionalities are not available to me… thanks for any suggestion/feedback!

    • The cloudkey alone isn’t sufficient for this. You will need a router or this as well.

    • Can you set the printer so it’s not on a vlan and allow traffic from all three vlans to access the port the printer is on?

24. Thanks for the guide, I’ve gotten to blocking the UDM interface and I don’t have the option in the red box. Am I missing something or did they update the interface?

    • Are you sure that you have selected Destination Type : Port/Ip Group?

25. Ok, I followed this to the letter and verified 3 times that I made no mistakes but I can’t get any trafic between VLAN’s.
    I have a camera server on 192.168.1.1 (Default network) that can’t a ping a Camera that had it’s ip set via DHCP on VLAN id 30 192.168.30.217.
    I brought back this cam on Default LAN and I had no issue to ping it.
    Is there an easy way to see what firewall rules block this traffic ? (running 2.4.27)

    thanks

    • No, unfortunately, we can’t see the firewall logs easily.

26. Drat, new UDM Pro, updated to version 2.4.27, a lot of this stuff looks different. I am at the step: “Next, we are going to add the firewall rules. This time we will be using the type LAN Local”, however, LAN Local is no longer an option.

    The Firewall & Security Type pulldown has: Internet In, Internet Out, Internet Local, and LAN in.

    Any idea which of those updated pulldown choices are equivalent to “LAN Local”?

    • You can scroll through the dropdown (it isn’t very clear sometimes that you can scroll)

27. Ok im back and have sorted out my cable issue. I thought this was resolved because I could print from my phone. I was thinking ok things are talking. I have now realized that my phone was the only device that could print. I have the firewall rule established and related but that doesnt seem to work. I also can not ping the printer. I have it wired to a static IP.

28. Hello Rudy,
    Thanks for the step by step tutorial on setting up the UDM PRO it is invaluable in understanding VLANs. It was hard finding information on how to setup VLANs on the UDM PRO until I came accross your article. However I have a consistent problem between three of these Dream Machines (UDM PRO). I followed your tutorial almost to a T on a out of the box new UDM PRO. When done with the configurations, I am not able to set the LAN ports on the UDM PRO to a specific defined network. The only option is “ALL” or “Disable” with “Default” and “Networks” grayed out under a port profile. There must be something basic in the setup that I am missing. Can you help?

    • Just to be sure, you can normally scroll down. Default and Networks are “headers” in the dropdown list (and indeed greyed out). So under Default, you will see All and Disable. And under Networks, you will find the network profiles that you have created (after you scrolled down).

    • Hello Rudy,

      I spent hours trying to setup VLANs with multiple Dream machines, unlike other pull downs in the dream machine settings the one for configuring switch ports on a specific VLAN this pull down has a hard to see side scroll. Not too straight forward in my opinion. Thanks for your help

29. Would it be possible to achieve the same setup using the Traffic Management option (local network category)?

30. Good morning Ruud,
    Do I really need a UniFi Security Gateway or UniFi Dream Machine (UDM, UDM Pro) for creating different VLANs on my network?
    I hava a nighthawk R7000 router to which I attached a 16PoE lite and I have a 8 PoE lite connected to the 16 PoE switch.
    To the 16 Poe I connected 2 Unifi AP’s, Hue bridge and solar pannels.
    Doorbell, chromecast and google home mini are connected via wifi.
    To the 8PoE switch I connected 1 unifi AP and a desktop.
    Kind regards

    • Well, it makes it a lot easier. You can also create the VLANs on your router, and then create the appropriate wireless networks in the UniFi Controller. That should also work.

31. hello rudy
    thanks so much for this tutorial, finally beginning to understand things a little bit.
    followed everything step by step including firewall rules and so on
    everything works perfectly as far as i can see from within the wired network.
    the main vlan has access to all other vlans and all other vlans cannot reach the main lan and each other. so far so good.
    however only from the wifi assigned to the main lan i cannot access the other vlans , which should be possible ( allow main network to all vlans — source main network destination all local ip adresses )
    deleted the wifi networks reinstalled them , checked the groups on faults etc etc .
    this drives me a little bit crazy it is probably something small but i have no idea whatsoever
    may be you or somebody out there can give me a hint in the correct direction
    thanks
    dank je wel
    paul

32. Do you have any write ups on creating a mgmt VLAN for access points? I don’t want my APs to use the default VLAN since we already have an AP mgmt VLAN in place. Applies to the unifi controller software on a server.

    Thank you

33. Hi, thanks for this great tutorial !

    Just one thing .. when creating the networks, I have the option to select the “Network Group” … (assigned to a specific port on f.i. my USG) .. I select LAN2 Here ? (This is the 3rd port besides WAN and LAN1)

    Thank You !!!!

    • Yes that should work

34. Hi,
    Excellent write up. Thanks.
    I’ve got just one question. In my main vlan (default) i have a machine which runs an application (on for example port 4333). How can i configure devices from the IoT vlan to connect the machine in the main vlan (default) by only this port?

    I red you’re exceptions and tried a port group with port 4333 to the particular machine’s IP). But wasn’t succesful.

    Any help?

    • Exceptions can sometimes be a bit of a trial and error. Make sure that you order the rules correctly. And you can try to allow access first based on IP and if that works narrow it down to specific port only.

35. i have an UDM and have aproblem with wifi and wlan. i created a network (IOT-Devices) and enabled DHCP servicer in this network. as well i assigned a new SSID in wifi and added this to the network. I can connect with a client to this network but i won’t get an DHCP Ip address to my device.
    is there an additional setting to get DHCP to work

    • this is exactly my problem

      • I also have this problem. No matter if I create a Guest network or a IoT network i cant get a ip from the dhcp in that network. Have anyone found a solution for this?

        • Same here…. looking in other forums to see if I can find the issue.

          • Same here. Any solutions anywhere?

          • Seeing this also. Any luck? Rudy?

          • Just did a quick test here, and seems to work fine. But I see that I haven’t mentioned the DHCP server settings in the article. Can you please check the following:

            – Open Settings > Networks
            – Select the IoT network
            – Scroll down to Advanced Configuration
            – Check if DHCP mode is set to DHCP Server
            – And the DHCP Rnage is in the same subnet as the IoT network is 192.168.40.x – 192.168.40.200 for example.

          • Confirmed that DHCP Server is there along with the subnet range it needs to be in.

            To me it almost seems like firewall is blocking it. Do we need to let the DHCP server traffic through on UDP ports 67, 68? I would think that each network would handle its own DHCP but that doesn’t seem to be the case.

            Getting no router IP and 169 address when connecting (hangs trying to connect on devices essentially)

          • No that should not be necessary. How is the client connected? Directly to the UDM Pro?

          • So it’s a UDM connected to a switch and then I have a few devices connected to that including a couple UI wifi 6 aps.

            I think my issue might be the switch actually and it not handling vlan traffic. It’s a Ruckus switch and therefore I don’t think it understands the vlan traffic tagged.

          • That could indeed be a problem. Also, make sure that you have set the port profile to all for the connection from the UDM to the switch.

    • Hi Rudy,

      Just a heads up that swapping out the ruckus switch for a UniFi switch did the trick.

36. Hello, great tutorial however, when I enable Block Vlan to Vlan it cuts off all network traffic. I can’t find what I’m doing wrong? All network traffic being my AP and direct wire.

37. I have 5 VLANS,

    (Default), Main, IOT, NOT, HA.
    In the Default/untagged, i have the UDR, USW, and want to set the G4 Doorbell in. (so only unifi devices)
    Is it a good idea to put the Doorbell into the Default LAN? And block the access of the camera to the other VLANS?

38. How do I allow my cameras access to the internet for remote viewing?

    • Do you want to allow the RTSP stream? Because you should be able to watch the camera’s through the Unifi Protect app.

      • I have Ring.com cameras that are blocked from accessing the internet if I use those rules. I’m not an expert but I believe it needs guest type access without the login screen

39. Duidelijk! nee, dat heeft de fritz.box niet. Wel een handig gast-netwerk. Dat werkt goed. Maar ik wil ook een game-pc op een aparte VLAN zetten. Dus moet ik wat gaan aanpassen.

40. Andere vraag: ik heb een fritz!box met 4 LAN-poorten. 1 LAN-poort is verbonden aan de Unifi Switch. Kan ik alleen VLAN’s inregelen voor apparaten achter de switch of ook voor de switch?
    Ik wil voor het hele huis een aantal VLAN’s inregelen. Maar ik denk dat ik dan de Switch direct achter de fritz!box moeten plaatsen en vandaar uit VLAN’s creëren?

    • Klopt, of je moet ook VLAN’s kunnen instellen op de Fritzbox, maar dat betwijfel ik.

41. hoi, ik loop vast in dit scherm met IP Group aanmaken.
    Als ik in type bij adress: IPv4 Adresses/Subnet krijg ik een foutmelding. Vraagt om een geldig IP of Subnet adress.
    Wat doe ik verkeerd?

    • Welke ip range heb je daar ingevuld? Meestal moet dat zijn 192.168.0.0/16

      • geen idee, maar nu lukte de ip range wel! Dank!

42. Quick question. Would i follow the same setup thru the network console if i am using the Edgerouter X SFP?

    • No, you will need to set up the VLANs in the EdgeRouter as well.

      • Thanks for the answer. Do you plan on doing a tutorial for setting up Vlan in Edgerouter X SFP?

        • I don’t have an edge router anymore at the moment, so probably not for now.

43. Excellent tutorial Ruud. I’ve followed the steps and everything is working great. I need to create a new firewall and I could use your help. I use a Synology NAS with two NIC’s. Each Synology LAN has a static ip address with one on the main LAN and the other on the IoT LAN. Unfortunately 3 VLAN’s don’t go into the two Synology LAN’s so my camera network can’t access Surveillance Station on the NAS.

    Can you tell me how to create a new firewall rule in UniFi that will allow the camera VLAN 30 to access the Synology NAS using the IoT VLAN of 40? The NAS ip address on the IoT VLAN is 192.168.40.127.

    • Create a new firewall rule like described in Step 3, only allow instead of block.And set the appropriate network type etc

44. How does this still stands when enabling IPv6, and all devices get a public and local IPv6?

    Also using Port 433 in firewall rules is no more allowed as of the latest beta Netwerk Application version.

45. Thanks Rudi for this useful guide. My current setup is ERX with Unifi AP’s – partially setup with help from your previous articles. I am using VLANS for guests, iot and ’trusted devices’ similar to your descriptions here.

    I now plan to change my ERX to the Unify Dream Machine and one Unify switch.
    Before I do that, I just wanted to double check if can assign the Port Profiles on ports on the Dream Machine as well? Or can this only be done with ports on the switch?

    I am asking because the Dream Machine is a router rather than a switch. Or is it both?

    • It’s both, and yes you can assign port profiles on the switch.

46. Hello

    First I want to thank you for the excellent explanation!

    But I still have a question. I don’t understand why it’s necessary to do “Step 3 – Block Access to Unifi Network Console from VLANs” when we already have blocked the access from VLAN to VLAN with a firewall rule.
    Can you explain it a bit more to me please?

    And what is the order in which the firewall rules must be put?
    Is it like this:
    1 Allow established/related sessions
    2 Allow main VLAN access to all VLAN
    3 Drop invalid state (what does it do?)
    4 Block VLAN to VLAN
    5 Block IoT to Gateways (why are you not making such a profile for the Guest VLAN?)
    6 Block IoT Gateway Interface (why are you not making such a profile for the Guest VLAN?)
    7 Block Cameras to Gateways
    8 Block Cameras Gateway Interface

    Last question, why do you use drop and not reject?

    Thanks a lot!
    Tom

    • I agree. An excellent explanation. Good for people new to Ubiquiti and firewall rules. And I have the same question: if we have already blocked VLAN to VLAN access, why do we block access to the Unifi console from VLANs? And also, if we have already blocked VLAN to VLAN access, why block access to other VLAN gateways?

      Thanks.

      • Cancel my second question as I see that we are blocking those ports for the VLAN’s own gateway. But I still have the same question as Tom regarding blocking access to other gateways when we have already blocked VLAN to VLAN access.

        Thanks.

47. amazing step-by-step tutorial. thank you for taking the time to document and share it.
    I can’t wait to use it to setup my new unifi network

48. Nice article, thanks. I ran into an issue where my G3 Flex camera was shown as offline as soon as I set the relevant port on my switch to the newly created Cameras profile. This reverted after setting it to ‘All’ again. Any thoughts on this? This switch is connected to another switch first before being connected to a router, could that influence things?

    • Have you restarted the camera (Power cycle the port). My G3 Flex took almost 15 minutes to come back online in the right VLAN, so you might need to give it some time.

      • Yes I tried this, waited for 30 minutes but to no avail. I am using a CloudKey Gen2 by the way, and not the UDM (Pro). Could it possiblity be related to that?

        • Ah yes, you will need a USG, Dream Machine, or Dream Router.

49. Hello,

    I just updated my network to Unifi. I followed all of your instructions on this post. I can no longer control my IoT devices using the Google home app. Are these firewall rules restricting that?

    • They should be able to access the internet. Double check step 3

50. Excellent write up! Kindly thank you for your time to put this article together!

    Regards,

    Tom

51. Sorry I used wrong cable. It pings on both.

52. I just noticed that when I ply into my main VLan I’m not longer able to ping the printer on IOT.

53. Im trying to set up a HP printer on my IoT network. None of my devices seem to be able to see it. Is there something special you would recommend for set up. my rules pretty much mirror yours in this article.

    • First, check if the printer is genuinely in the IoT network. You can do this by checking the IP Address of the printer (most printers can print out the configuration by using the buttons if you don’t have a display on the printer)

      Then can you ping or access the printer from a device in the IoT network?

      • Yes it’s on my IOT network I verified thru UniFi interface an on printer. I can ping from my main network. I’ve read HP is tricky when put on a different VLan

54. Hi Rudy
    How to block single VLAN from Internet access, lets say NoT (IoT vlan for smart plugs/switches)?

    • Use the method from Step 3 but instead Type LAN local use internet out. That should block all the traffic from the selected port group to the internet. (Haven’t tested it)

55. Hello,
    I used the following rule to block vlan to other lan’s:

    Drop All IoT from Local
    > After and Drop
    > Network > IoT

    > Port group > All Local IP (here all my local IP addresses including all VLANS and the Untagged LAN.

    Is this also correct?

    Than I changed your rule “Block IoT to Gateways” to at once block all VLAN Gateways (i have 5) to http(s) and ssh:

    Block All VLANs to Base Console
    > After – Drop
    > Group > All VLANs

    > Group > Gateways
    > Ports > http(s), ssh.

    To be able to connect to the main gateway i used the following:

    Allow Trusted VLANs to Base Console
    > Accept – Before
    > All Trusted VLANs (main and untagged)

    > Group > Gateway console (192.168.1.1)
    > Ports > http(s), ssh.

    Does this the same but in 2 rules for all vlans instead of 1 for every vlan?

    Regards,
    Rick

56. If I want to use a separate management VLAN (will be the default VLAN 1) then, when creating the firewall rules, do I have to use the managment VLAN to allow traffic to other VLAN’s?
    All other devices will be other VLAN’s.

57. Yip, thanks did indeed forget to change the new rule into “LAN in”.

    Is it not sufficient to only block the Gateway ports of the subnet because there is already a rule “Block VLAN to VLAN” in place to prevents access to other VLAN’s (including their Gateway I hope)?

    • The block inter-VLAN rules are also to prevent broadcast requests between the VLANs for example. These can also happen on the switch level, without routing to the gateway first.

58. I just have my UDM and to be honest I am just a NOOB/Novice. So your article is very helpful. I noticed that some of the Firewall rules are now already predefined (version Network 7.1.66). Is there still a reason to add them anyway (like because predefined firewalls are not brows able so you can not see the exact settings?)

    • If the exact rule already exists then there is no need to add them again. But make sure that you check if they are also located under LAN In, for example.