NEW to UNIFI VLANs?? START HERE!!!

Introduction

This tutorial will guide you through the process of setting up VLANs (Virtual Local Area Networks) and firewall rules on a Ubiquiti Dream Machine Pro (UDM Pro). This configuration is essential for enhancing the security of your home network, especially as IoT devices become more prevalent. By the end of this guide, you will have a basic VLAN configuration that separates your main network traffic, IoT devices, and guest access.

Chapter 1: Understanding VLANs

• VLANs are used to segment networks logically without needing separate physical hardware.
• This segmentation enhances security, as devices on different VLANs cannot communicate unless explicitly allowed.
• Common use cases for VLANs include isolating IoT devices, guest networks, and sensitive data networks.

Key Considerations

• Start with a simple configuration. You do not need multiple VLANs initially; a basic setup might include:
  • Default Network (VLAN 1)
  • IoT Network (VLAN 2)
  • Guest Network (VLAN 99)
• Ensure your UDM Pro is updated to the latest firmware version for the best functionality.

Chapter 2: Pre-VLAN Setup

• Ensure your UDM Pro is set up with default configurations. There should be no pre-existing networks or VLANs.
• Familiarize yourself with the network diagram:
  • Default Network: 192.168.1.0/24
  • IoT Network: 192.168.2.0/24
  • Guest Network: 192.168.99.0/24

Chapter 3: Creating VLANs

Step 1: Access Network Settings

1. Log into your UDM Pro interface.
2. Navigate to Settings > Networks.

Step 2: Create IoT Network

1. Click on Create New Network.
2. Name it "IoT".
3. Disable the autoscaler.
4. Set VLAN ID to 2.
5. Select Manual for IP assignment, and add the subnet 192.168.2.1.
6. Click Add to save.

Step 3: Create Guest Network

1. Click on Create New Network.
2. Name it "Guest".
3. Disable the autoscaler.
4. Set VLAN ID to 99.
5. Enable the option to create a guest network, allowing for a public hotspot.
6. Click Add.

Chapter 4: Creating Wi-Fi Network with Pre-Shared Keys

Step 1: Create Wi-Fi Network

1. Navigate to Wi-Fi settings.
2. Create a new SSID called "My New Wi-Fi".
3. Under Pre-Shared Keys, add:
   • Default Network Password: 1throughn
   • IoT Password: IoT12345
   • Guest Password: Gguest1123
4. Adjust settings such as turning off band steering, and enable fast roaming.
5. Click Add to save the Wi-Fi settings.

Chapter 5: Configuring Firewall Rules

Step 1: Access Firewall Settings

1. Navigate to Settings > Firewall & Security.

Step 2: Create Firewall Rules

• Allow Established and Related Traffic

  • Create a rule allowing established and related traffic for all VLANs.

• Drop Invalid Traffic

  • Create a rule to drop any invalid traffic.

• Allow Default Network to Private IPs

  • Create a rule allowing the Default Network to communicate with all private IPs.

• Block IoT Communication

  • Create a rule to drop traffic from the IoT Network to the Default Network.

Step 3: Create IP Groups

1. Create an IP group for all private IPs, including:
   • 192.168.0.0/16
   • 172.16.0.0/12
   • 10.0.0.0/8
2. Ensure rules are prioritized correctly to enforce security.

Chapter 6: Testing the Configuration

• Test communication between devices on different VLANs:
  • You should be able to ping devices within the same VLAN but not across VLANs unless rules allow it.
• Verify that the Guest Network is isolated and only has internet access.

Conclusion

You have successfully set up a basic VLAN configuration on your UDM Pro, enhancing your network security by isolating IoT devices and providing a secure guest access point. As you grow your network, consider adding additional VLANs and refining firewall rules based on specific needs. Always ensure your firmware is up to date for optimal functionality and security. Happy networking!