How to Setup and Secure UniFi VLAN

When you have an UniFi Security Gateway or UniFi Dream Machine (UDM, UDM Pro) you can create different VLANs on your network. Virtual LANs (VLANs), allow you to divide your physical network into virtual networks, offering isolation, security, and scalability.

Now you might think, do I really need VLANs? But when guests are connecting to your home network, you probably don’t want them to have access to all your network devices. And if you have a smart home, then creating a separate VLAN might be a good idea. Because the security of IoT devices is not always as it should be.

So in this article, I will explain how to set up and secure VLANs in the UniFi Network Console.

Setup UniFi VLANs

Creating VLANs in UniFi exists out of a couple of steps because we not only have to create the different networks, but we also need to secure the VLANs. The “problem” with UniFi is that inter-VLAN traffic is allowed by default. So without any firewall rules, traffic from for example the guest VLAN can just access the main VLAN.

In this example, we will be creating 3 VLAN networks for:

  • Guests – VLAN 20
  • Cameras – VLAN 30
  • IoT devices – VLAN 40

The guest VLAN is a bit different from the other VLANs because UniFi will automatically create the necessary firewall rules for the guest network. All you have to do is mark the network as a guest network type.

So in the steps below, we will create the guest network, with the correct settings, but further on I will use the IoT VLAN as an example.

Step 1 – Create the UniFi VLAN Networks

The first step is to create the different networks for the VLANs. I have used custom VLAN IDs in the steps below, but you can also leave Auto Scale Network on. This way UniFi will automatically create the IP Range and VLAN ID.

Open your UniFi network console and navigate to:

  1. Settings >Networks
  2. Click on Create New Network
Cerate unifi vlan

We are first going to create the guest network:

  1. Enter Guests at the network name
  2. Deselect Auto Scale Network
  3. Set the host address to 192.168.20.1
  4. Change Advanced Configuration to Manual
  5. Change the VLAN ID to 20 so it matches the IP range
  6. Set the network type to Guest Network
  7. Change the content filtering to Family (optional)
  8. Click Apply Changes
unifi vlan
UniFi Guest Network

Next, we need to create the network for the Cameras and IoT devices. Click again on Create a new network, repeat the steps below for both Cameras and IoT, using VLAN 30 for cameras en 40 for IoT:

  1. Network Name: IoT
  2. Disable Auto Scale Network
  3. Host Address: 192.168.40.1
  4. Advanced Configuration: Manual
  5. VLAN ID: 40
  6. Network Type: Standard
  7. Click Apply Changes (and repeat for cameras)
Create VLAN networks unifi

Step 2 – Block traffic between VLANs

With the networks and VLANs created we need to block the traffic between them. By default, devices in, for example the IoT VLAN, can access the device in your main VLAN. Guests however are already isolated by the automatically generated firewall rules by the Guest Network type.

Before we can block the inter-VLAN traffic, we first need to create 3 other rules:

  • Allow established and related connections
  • Drop invalid state connections
  • Allow the main VLAN to access all VLANs

Firewall rules are located in the settings under Firewall & Security:

  1. Click on Create New Rule
Create firewall rules
Create New Firewall Rule

We are first going to create the rule that allows all established and related sessions.

  • Type: LAN in
  • Description: Allow established and related sessions
  • Action: Accept
  • Source Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Under Advanced: select Match State Established and Match State Related
  • Apply Changes

The second rule that we are going to create is to drop all invalid states:

  • Type: LAN in
  • Description: Drop invalid state
  • Action: Drop
  • Source Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Under Advanced: select Match State Invalid
  • Apply Changes

And the third rule that we need to add is to allow traffic from our main VLAN to the other VLAN. This way we will be able to manage all the devices even if they are in IoT VLAN for example.

To create this rule we will first need to define an IP Group. Port/Ip Groups allow you to easily apply a rule to multiple port numbers or IP ranges. In this case, we want to match the IP ranges of all VLANs.

  1. In the settings menu, click on Profiles
  2. Scroll down and click Create New Group under Port and IP Groups
  3. Profile name: All Private IPs
  4. Type: IPv4 Address/Subnet
  5. Address: 192.168.0.0/16 (this will match all addresses that start with 192.168.x.x)
  6. Click Apply Changes
private IP group
Create a Private IP Group

With the IP group created, go back to Firewall & Security and create the following rule:

  • Type: LAN in
  • Description: Allow main VLAN access to all VLAN
  • Action: Accept
  • Source Type: Network
  • Network: Default
  • Network Type: IPv4 Subnet
  • Destination Type: Port/IP Group
  • IPv4 Address Group: All Private IPs (the IP Group that we just created
  • Port Group: Any

We can now create the rule that will block traffic between the VLANs. The rules that we just created will ensure that we can still access the devices in the other VLANs from the main VLAN. For this rule, we are also going to use the IP Group that we created earlier.

Click on Create New Rule in Firewall & Security and add the following rule:

  • Type: LAN in
  • Description: Block VLAN to VLAN
  • Action: Drop
  • Source Type: Port/IP Group
  • IPv4 Address Group: All Private IPs
  • Destination Type: Port/IP Group
  • IPv4 Address Group: All Private IPs
  • Port Group: Any

We now have separated the VLANs in our UniFi network, preventing unwanted inter-VLAN traffic.

Step 3 – Block Access to Unifi Network Console from VLANs

Devices in your VLAN will need to have access to your network console (UDM Pro for example). But what we don’t want is that users (guests or IoT devices) are able to access the interface of our UniFi network console.

What we also want to prevent is that devices from IoT can access the gateway of the main VLAN.

First, we need to create a couple of Port and IP Groups. Open the Profiles in the settings menu and click on Create New Group under Port and IP Groups. Create the following IP Groups:

Profile NameTypeAddress / Port
Block IoT to GatewaysIPv4 Address/Subnet192.168.1.1
192.168.20.1
192.168.30.1
Block IoT Gateway InterfaceIPv4 Address/Subnet192.168.40.1
Block Cameras to GatewaysIPv4 Address/Subnet192.168.1.1
192.168.20.1
192.168.40.1
Block Cameras Gateway interfaceIPv4 Address/Subnet192.168.30.1

The last Port Group that we need to create is to block only HTTP, HTTPS, and SSH access to the UniFi Network Console. The device will need to be able to access the gateway, but as mentioned, we don’t want to expose the console self.

  • Profile Name: http,https,ssh
  • Type: Port Group
  • Port: 80, 443, 22

Next, we are going to add the firewall rules. This time we will be using the type LAN Local

  • Type: LAN local
  • Description: Block IoT to Gateways
  • Action: Drop
  • Source Type: Network
  • Network: IoT
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Block IoT to Gateways
  • Port Group: Any

And the rule to block access to the UDM Console. Note that we will be using the Port Group http,https,ssh here that we created earlier!

  • Type: LAN local
  • Description: Block IoT to UDM Interface
  • Action: Drop
  • Source Type: Network
  • Network: IoT
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Block IoT Gateway Interface
  • Port Group: http,https,ssh

Repeat the steps above but this time for the Cameras VLAN.

Assign devices to VLANs in UniFi Network

We have created all necessary rules to block inter-VLAN traffic, so all we need to do now is assign our devices to the correct VLAN in UniFi network. For wired devices, we can assign a network to the port on the switch. And for the wireless devices, we will need to create a separate SSID.

Assign Port Profiles to Switch Ports

The first step is to assign the correct Port Profiles to our switch ports. By default, the ports are assigned to the Port Profile All. This means that devices connected to this port can access all VLANs. This is only needed for the uplink port and connected access points.

In the UniFi Network console, open your Devices and select your switch. We are going to use the new Ports Insights feature because this will give us a good overview of the connected devices:

  1. Select the tab Ports
  2. Open Ports Insights
open Port Insights

In this example, I have a camera connected to port 6 on the switch. We are going to change the profile of this port to Cameras.

Tip

By default, you can select and change multiple ports by just selecting them one after another. Mind this when you want to change another port.
  1. Select the port with your camera
  2. Change the Port Profile to Cameras
  3. Reboot your Camera by Power Cycle the port
  4. Click Apply Changes
Assign vlan to port
Assign VLAN to Port

Change the other ports as well, assign them to the main VLAN by selecting the Port Profile LAN or another appropriate Port Profile.

Make sure that you leave the Uplink port (recognized by the up arrow ^ ) and the access points port on the All profile.

Assign VLAN to Wireless Devices

If you have an UniFi doorbell, for example, you might also want to assign this device to the camera’s VLAN. The problem is that we can’t set a VLAN on the doorbell itself. The same problem occurs with a lot of IoT devices, on most you can’t configure a VLAN Id.

So the only option is to create a separate SSID (wireless network) for each VLAN and assign the wireless network to the correct VLAN.

  1. Open Settings and select WiFi
  2. Click on Create New WiFi network
  3. Enter a name and password for the wireless network
  4. Change network to the correct VLAN (cameras for example)
  5. Click Add WiFi network
Assign VLAN to Wifi network
Assign VLAN to Wireless network

You can change the WiFi connection of your UniFi Doorbell in the Protect Console > Devices > Settings > WiFi Connection.

Creating Firewall Exceptions

Sometimes you need to allow access between specific devices in different VLANs. In these cases, we need to create an allow rule and place the rule above the Block VLAN to VLAN rule. Let’s take the following example, allowing IoT devices to access a Raspberry PI in the main VLAN.

When you create an allow rule, try to be as specific as possible. If it’s only between two devices, then use the IP Address of both devices. If you know the protocol, then specify the port number as well.

Create a new firewall rule:

  • Type: LAN In
  • Description: IoT to Raspberry Pi
  • Action: Allow
  • Source Type: Network
  • Network: IoT
  • Destination Type: IP Address
  • IPv4 Address: 192.168.1.x

Next, we will need to move the rule above the Block VLAN to VLAN rule that we have created in the beginning. If you hover over an rule with your mouse, you can drag and drop rules using the 6 dots at the beginning of the rule:

  1. In the Firewall Rules select LAN
  2. Drag the new rule above the Block VLAN to VLAN (Rule index 2003)
drag rules
Drag rules

Wrapping Up

VLANs allow you to secure your local network by making sure that devices from one VLAN can’t access the other. Because inter-VLAN access is by default allowed in UniFi, we will need to create quite an amount of rules before we can safely use it.

I hope this article helped you to set up UniFi Vlans. If you have any questions, just drop a comment below.

Get more stuff like this

IT, Office365, Smart Home, PowerShell and Blogging Tips

I hate spam to, so you can unsubscribe at any time.

79 thoughts on “How to Setup and Secure UniFi VLAN”

  1. I think I got the tutorial right, but from the beginning my vlan doesn’t seem to assign an ip. I have just one pc plugged into a port on the switch that is set to use this vlan (called “gaming” in my case) but it gets no ip when then pc is plugged in.

  2. Hi all,
    thanks for useful post and comments!
    I have from Ubiquiti only a USW PRO 48 POE switch and the CloudKeyGen2Console.
    I have set the vlans (100,200,300) across the router and switch (only 1 router only 1 switch), but trying to get the printer on vlan 100 to be accessible from 200 and 300. how do I do that? tried different option but not successful so far and see in this post some functionalities are not available to me… thanks for any suggestion/feedback!

  3. Thanks for the guide, I’ve gotten to blocking the UDM interface and I don’t have the option in the red box. Am I missing something or did they update the interface?

  4. Ok, I followed this to the letter and verified 3 times that I made no mistakes but I can’t get any trafic between VLAN’s.
    I have a camera server on 192.168.1.1 (Default network) that can’t a ping a Camera that had it’s ip set via DHCP on VLAN id 30 192.168.30.217.
    I brought back this cam on Default LAN and I had no issue to ping it.
    Is there an easy way to see what firewall rules block this traffic ? (running 2.4.27)

    thanks

  5. Drat, new UDM Pro, updated to version 2.4.27, a lot of this stuff looks different. I am at the step: “Next, we are going to add the firewall rules. This time we will be using the type LAN Local”, however, LAN Local is no longer an option.

    The Firewall & Security Type pulldown has: Internet In, Internet Out, Internet Local, and LAN in.

    Any idea which of those updated pulldown choices are equivalent to “LAN Local”?

  6. Ok im back and have sorted out my cable issue. I thought this was resolved because I could print from my phone. I was thinking ok things are talking. I have now realized that my phone was the only device that could print. I have the firewall rule established and related but that doesnt seem to work. I also can not ping the printer. I have it wired to a static IP.

  7. Hello Rudy,
    Thanks for the step by step tutorial on setting up the UDM PRO it is invaluable in understanding VLANs. It was hard finding information on how to setup VLANs on the UDM PRO until I came accross your article. However I have a consistent problem between three of these Dream Machines (UDM PRO). I followed your tutorial almost to a T on a out of the box new UDM PRO. When done with the configurations, I am not able to set the LAN ports on the UDM PRO to a specific defined network. The only option is “ALL” or “Disable” with “Default” and “Networks” grayed out under a port profile. There must be something basic in the setup that I am missing. Can you help?

    • Just to be sure, you can normally scroll down. Default and Networks are “headers” in the dropdown list (and indeed greyed out). So under Default, you will see All and Disable. And under Networks, you will find the network profiles that you have created (after you scrolled down).

    • Hello Rudy,

      I spent hours trying to setup VLANs with multiple Dream machines, unlike other pull downs in the dream machine settings the one for configuring switch ports on a specific VLAN this pull down has a hard to see side scroll. Not too straight forward in my opinion. Thanks for your help

  8. Good morning Ruud,
    Do I really need a UniFi Security Gateway or UniFi Dream Machine (UDM, UDM Pro) for creating different VLANs on my network?
    I hava a nighthawk R7000 router to which I attached a 16PoE lite and I have a 8 PoE lite connected to the 16 PoE switch.
    To the 16 Poe I connected 2 Unifi AP’s, Hue bridge and solar pannels.
    Doorbell, chromecast and google home mini are connected via wifi.
    To the 8PoE switch I connected 1 unifi AP and a desktop.
    Kind regards

    • Well, it makes it a lot easier. You can also create the VLANs on your router, and then create the appropriate wireless networks in the UniFi Controller. That should also work.

  9. hello rudy
    thanks so much for this tutorial, finally beginning to understand things a little bit.
    followed everything step by step including firewall rules and so on
    everything works perfectly as far as i can see from within the wired network.
    the main vlan has access to all other vlans and all other vlans cannot reach the main lan and each other. so far so good.
    however only from the wifi assigned to the main lan i cannot access the other vlans , which should be possible ( allow main network to all vlans — source main network destination all local ip adresses )
    deleted the wifi networks reinstalled them , checked the groups on faults etc etc .
    this drives me a little bit crazy it is probably something small but i have no idea whatsoever
    may be you or somebody out there can give me a hint in the correct direction
    thanks
    dank je wel
    paul

  10. Do you have any write ups on creating a mgmt VLAN for access points? I don’t want my APs to use the default VLAN since we already have an AP mgmt VLAN in place. Applies to the unifi controller software on a server.

    Thank you

  11. Hi, thanks for this great tutorial !

    Just one thing .. when creating the networks, I have the option to select the “Network Group” … (assigned to a specific port on f.i. my USG) .. I select LAN2 Here ? (This is the 3rd port besides WAN and LAN1)

    Thank You !!!!

  12. Hi,
    Excellent write up. Thanks.
    I’ve got just one question. In my main vlan (default) i have a machine which runs an application (on for example port 4333). How can i configure devices from the IoT vlan to connect the machine in the main vlan (default) by only this port?

    I red you’re exceptions and tried a port group with port 4333 to the particular machine’s IP). But wasn’t succesful.

    Any help?

    • Exceptions can sometimes be a bit of a trial and error. Make sure that you order the rules correctly. And you can try to allow access first based on IP and if that works narrow it down to specific port only.

  13. i have an UDM and have aproblem with wifi and wlan. i created a network (IOT-Devices) and enabled DHCP servicer in this network. as well i assigned a new SSID in wifi and added this to the network. I can connect with a client to this network but i won’t get an DHCP Ip address to my device.
    is there an additional setting to get DHCP to work

      • I also have this problem. No matter if I create a Guest network or a IoT network i cant get a ip from the dhcp in that network. Have anyone found a solution for this?

          • Just did a quick test here, and seems to work fine. But I see that I haven’t mentioned the DHCP server settings in the article. Can you please check the following:

            – Open Settings > Networks
            – Select the IoT network
            – Scroll down to Advanced Configuration
            – Check if DHCP mode is set to DHCP Server
            – And the DHCP Rnage is in the same subnet as the IoT network is 192.168.40.x – 192.168.40.200 for example.

          • Confirmed that DHCP Server is there along with the subnet range it needs to be in.

            To me it almost seems like firewall is blocking it. Do we need to let the DHCP server traffic through on UDP ports 67, 68? I would think that each network would handle its own DHCP but that doesn’t seem to be the case.

            Getting no router IP and 169 address when connecting (hangs trying to connect on devices essentially)

          • So it’s a UDM connected to a switch and then I have a few devices connected to that including a couple UI wifi 6 aps.

            I think my issue might be the switch actually and it not handling vlan traffic. It’s a Ruckus switch and therefore I don’t think it understands the vlan traffic tagged.

  14. Hello, great tutorial however, when I enable Block Vlan to Vlan it cuts off all network traffic. I can’t find what I’m doing wrong? All network traffic being my AP and direct wire.

  15. I have 5 VLANS,

    (Default), Main, IOT, NOT, HA.
    In the Default/untagged, i have the UDR, USW, and want to set the G4 Doorbell in. (so only unifi devices)
    Is it a good idea to put the Doorbell into the Default LAN? And block the access of the camera to the other VLANS?

      • I have Ring.com cameras that are blocked from accessing the internet if I use those rules. I’m not an expert but I believe it needs guest type access without the login screen

  16. Duidelijk! nee, dat heeft de fritz.box niet. Wel een handig gast-netwerk. Dat werkt goed. Maar ik wil ook een game-pc op een aparte VLAN zetten. Dus moet ik wat gaan aanpassen.

  17. Andere vraag: ik heb een fritz!box met 4 LAN-poorten. 1 LAN-poort is verbonden aan de Unifi Switch. Kan ik alleen VLAN’s inregelen voor apparaten achter de switch of ook voor de switch?
    Ik wil voor het hele huis een aantal VLAN’s inregelen. Maar ik denk dat ik dan de Switch direct achter de fritz!box moeten plaatsen en vandaar uit VLAN’s creëren?

  18. hoi, ik loop vast in dit scherm met IP Group aanmaken.
    Als ik in type bij adress: IPv4 Adresses/Subnet krijg ik een foutmelding. Vraagt om een geldig IP of Subnet adress.
    Wat doe ik verkeerd?

  19. Excellent tutorial Ruud. I’ve followed the steps and everything is working great. I need to create a new firewall and I could use your help. I use a Synology NAS with two NIC’s. Each Synology LAN has a static ip address with one on the main LAN and the other on the IoT LAN. Unfortunately 3 VLAN’s don’t go into the two Synology LAN’s so my camera network can’t access Surveillance Station on the NAS.

    Can you tell me how to create a new firewall rule in UniFi that will allow the camera VLAN 30 to access the Synology NAS using the IoT VLAN of 40? The NAS ip address on the IoT VLAN is 192.168.40.127.

  20. How does this still stands when enabling IPv6, and all devices get a public and local IPv6?

    Also using Port 433 in firewall rules is no more allowed as of the latest beta Netwerk Application version.

  21. Thanks Rudi for this useful guide. My current setup is ERX with Unifi AP’s – partially setup with help from your previous articles. I am using VLANS for guests, iot and ’trusted devices’ similar to your descriptions here.

    I now plan to change my ERX to the Unify Dream Machine and one Unify switch.
    Before I do that, I just wanted to double check if can assign the Port Profiles on ports on the Dream Machine as well? Or can this only be done with ports on the switch?

    I am asking because the Dream Machine is a router rather than a switch. Or is it both?

  22. Hello

    First I want to thank you for the excellent explanation!

    But I still have a question. I don’t understand why it’s necessary to do “Step 3 – Block Access to Unifi Network Console from VLANs” when we already have blocked the access from VLAN to VLAN with a firewall rule.
    Can you explain it a bit more to me please?

    And what is the order in which the firewall rules must be put?
    Is it like this:
    1 Allow established/related sessions
    2 Allow main VLAN access to all VLAN
    3 Drop invalid state (what does it do?)
    4 Block VLAN to VLAN
    5 Block IoT to Gateways (why are you not making such a profile for the Guest VLAN?)
    6 Block IoT Gateway Interface (why are you not making such a profile for the Guest VLAN?)
    7 Block Cameras to Gateways
    8 Block Cameras Gateway Interface

    Last question, why do you use drop and not reject?

    Thanks a lot!
    Tom

    • I agree. An excellent explanation. Good for people new to Ubiquiti and firewall rules. And I have the same question: if we have already blocked VLAN to VLAN access, why do we block access to the Unifi console from VLANs? And also, if we have already blocked VLAN to VLAN access, why block access to other VLAN gateways?

      Thanks.

      • Cancel my second question as I see that we are blocking those ports for the VLAN’s own gateway. But I still have the same question as Tom regarding blocking access to other gateways when we have already blocked VLAN to VLAN access.

        Thanks.

  23. amazing step-by-step tutorial. thank you for taking the time to document and share it.
    I can’t wait to use it to setup my new unifi network

  24. Nice article, thanks. I ran into an issue where my G3 Flex camera was shown as offline as soon as I set the relevant port on my switch to the newly created Cameras profile. This reverted after setting it to ‘All’ again. Any thoughts on this? This switch is connected to another switch first before being connected to a router, could that influence things?

  25. Hello,

    I just updated my network to Unifi. I followed all of your instructions on this post. I can no longer control my IoT devices using the Google home app. Are these firewall rules restricting that?

  26. Im trying to set up a HP printer on my IoT network. None of my devices seem to be able to see it. Is there something special you would recommend for set up. my rules pretty much mirror yours in this article.

    • First, check if the printer is genuinely in the IoT network. You can do this by checking the IP Address of the printer (most printers can print out the configuration by using the buttons if you don’t have a display on the printer)

      Then can you ping or access the printer from a device in the IoT network?

      • Yes it’s on my IOT network I verified thru UniFi interface an on printer. I can ping from my main network. I’ve read HP is tricky when put on a different VLan

    • Use the method from Step 3 but instead Type LAN local use internet out. That should block all the traffic from the selected port group to the internet. (Haven’t tested it)

  27. Hello,
    I used the following rule to block vlan to other lan’s:

    Drop All IoT from Local
    > After and Drop
    > Network > IoT

    > Port group > All Local IP (here all my local IP addresses including all VLANS and the Untagged LAN.

    Is this also correct?

    Than I changed your rule “Block IoT to Gateways” to at once block all VLAN Gateways (i have 5) to http(s) and ssh:

    Block All VLANs to Base Console
    > After – Drop
    > Group > All VLANs

    > Group > Gateways
    > Ports > http(s), ssh.

    To be able to connect to the main gateway i used the following:

    Allow Trusted VLANs to Base Console
    > Accept – Before
    > All Trusted VLANs (main and untagged)

    > Group > Gateway console (192.168.1.1)
    > Ports > http(s), ssh.

    Does this the same but in 2 rules for all vlans instead of 1 for every vlan?

    Regards,
    Rick

  28. If I want to use a separate management VLAN (will be the default VLAN 1) then, when creating the firewall rules, do I have to use the managment VLAN to allow traffic to other VLAN’s?
    All other devices will be other VLAN’s.

  29. Yip, thanks did indeed forget to change the new rule into “LAN in”.

    Is it not sufficient to only block the Gateway ports of the subnet because there is already a rule “Block VLAN to VLAN” in place to prevents access to other VLAN’s (including their Gateway I hope)?

    • The block inter-VLAN rules are also to prevent broadcast requests between the VLANs for example. These can also happen on the switch level, without routing to the gateway first.

  30. I just have my UDM and to be honest I am just a NOOB/Novice. So your article is very helpful. I noticed that some of the Firewall rules are now already predefined (version Network 7.1.66). Is there still a reason to add them anyway (like because predefined firewalls are not brows able so you can not see the exact settings?)

    • If the exact rule already exists then there is no need to add them again. But make sure that you check if they are also located under LAN In, for example.

Leave a Comment

0 Shares
Tweet
Pin
Share
Share