VLANs are a powerful tool that allows us to segment our network into smaller, more manageable parts, and reduce the risk of unauthorized access and data breaches. We’ll review the network VLAN isolation and the configuration I’ve used in Unifi, and provide you with some best practices to ensure that your network is secure and easy to manage.
VLANs allow us to create separate broadcast domains within a single physical network, which means that communication between devices on different VLANs is governed by firewall rules. For home networks they can be configured to make the network more secure and private.
What to expect below
- Understanding VLAN Isolation, general examples, and my setup
- Configuration in Unifi
- Setup Examples
Understanding Network VLAN Isolation
Security Philosophy of Isolated VLANs
VLANs can be set up in many different ways, but I like to balance security with complexity. If five VLANs can be reduced to three with little loss of security, that’s the direction I’d choose. It is usually best to limit the number and keep the configuration as simple as possible. Some good examples of potential VLANs for your network include a guest VLAN (usually a default option on routers), an IoT VLAN, a core network with secure devices, a security camera VLAN, a no-local VLAN, a no-internet VLAN, etc.
By isolating devices and users into separate VLANs, we can prevent unauthorized access to sensitive data and resources. We segregate devices into VLANs based on characteristics such as usage, purpose, or how much of a risk they are.
To decide how you want to segment your network you need to have a good idea what different types of devices you have and what you’re trying to achieve.
Categories of VLAN Devices I’ve Used
We need to split up all the network devices in ways that make sense to improve security and protect our important systems.
IoT devices: make sense as a class of devices because there are so many in the modern home; they generally have low security standards, they are updated remotely when companies change their terms of service, they may have low quality code and practices, and generally they have low value (e.g. if my wireless air filter stops working or gets hacked I don’t really care as long as it is isolated from important items). In my house these devices include: Nest smoke alarms, Ecobee thermostat, air filter, MyQ garage controller, smart lights, smart plugs, Sense power monitor. Even if these companies are well managed, secure, and have good terms of service now, those things could change at any time. IoT devices are some of the easiest for hackers to make use of.
Wireless devices: anything that needs wireless access. Usually smartphones, iPads, laptops, Quest VR headsets, Alexa units, etc., but also nearly all IoT devices and, depending on the type, security cameras could be included.
Security cameras: security cameras of all types are big risks. They are huge privacy concerns due to their very nature. Cheap cloud security cameras have unknown security risks managed by large companies. They have all the security problems of IoT devices, with the added fact that they are constantly recording and sending information out to the internet. Local or wired security cameras are also one of the most concerning classes of network devices. They are, ironically, one of the most insecure devices and must be strictly managed.
Untrusted Devices: devices that need no outbound communication and should only speak when spoken to.
Local Only: devices that should only be available locally on the network. Examples include Blue Iris, Plex server, NAS, local DNS and Pi-hole, which may need to pull updates from the internet, and devices such as local security cameras, which do not need to be updated and should not be allowed to access the internet.
Cloud Only: devices that need to be cloud enabled for their functionality but do not need to communicate with any local devices, e.g. Ecobee, MyQ, Sense energy monitor, Kasa smart plugs. These are devices that are potentially easily compromised but have no functional reason to communicate with the rest of your network.
Mixed Devices: many devices will fall into several of the categories above. Examples include Nest smoke detectors or Rokus. They need to be cloud enabled but also need local connections (to other Nest smoke detectors or the Plex server).
Trusted Devices: High quality devices that we trust or want to protect from improper access. E.g. my main computer, ESX/Proxmox host, docker host, NAS.
VPN network: A network for connections that VPN into your network remotely.
The more you split up your network into separate VLANs, the more added complexity there will be in understanding and managing the firewall rules that govern these VLANs. There is a tradeoff between complexity and security. The value of isolating some devices is much higher than others, so you can decide how much of a tradeoff you’re willing to make between simplicity and ease of setup on one side and security on the other.
My VLAN Configuration
I started by looking at isolating the riskiest classes of devices into the smallest number of VLANs that makes sense.
First VLAN: the default, trusted VLAN. This includes servers I want to protect and believe are secure: my main computer, ESX/Proxmox host, docker host, and Home Assistant. This is the default physical network.
Second VLAN: a combined group of IoT and all wireless devices. While I trust IoT devices much less than Android or Apple smartphones, I didn’t think the distinction was worth making a second wireless VLAN to separate them. Some of these devices may require elevated access to primary VLAN resources (Blue Iris, Plex, etc.), but by default anything wireless on my network is untrusted. These devices can reach the internet and talk to each other but cannot access the trusted network above by default. Rules and groups may be used to grant specific devices access to specific resources on the primary VLAN.
Third VLAN: for wired security cameras. These devices should only speak when spoken to and they should never be talking out to the internet. Outside of firmware updates and initial configuration (rare events), my Blue Iris server is the only device communicating with them. Only a special group has access to reach these devices.
Fourth VLAN: set up specifically for WireGuard VPN connections. When you VPN into my network with WireGuard this is the IP you’ll get. The rules are set up such that these devices get internet access, so I can browse safely from public Wi-Fi, and can connect to local network resources that may be needed remotely (e.g. Plex, security systems, or Blue Iris) that would not be available to the wireless-only group. This is how smartphones connect to Blue Iris to view security camera feeds remotely, for example.
Exceptions: some devices are physical but fall into the cloud devices category and shouldn’t be trusted. An example would be my Abode wireless security system. For these I simply have Unifi force that physical port on the switch/router onto the second VLAN with the other untrusted IoT devices. My Synology NAS I don’t really trust, but I don’t want the shared storage on the untrusted network, so it gets put on the first VLAN. My ESX/Proxmox host has VMs which vary in how much they are trusted; the IP addresses handed out to them are for VLAN1/2 on an individual basis. The Blue Iris server has restrictions on who can talk to it (WireGuard plus VLAN1) and is the only server outside of VLAN3 for the security cameras that can initiate communication with them.
Setting Up Network VLAN Isolation in Unifi
Configuring the VLAN
To configure a VLAN, log into the Unifi Controller and navigate to Settings > Networks. Click on the “Create New Network” button and provide the following details:
- Name: Give the network a name (i.e. “cameras”, “IoT – Untrusted” etc)
- Router: select your Unifi Router
- IPv4/v6: select IPv4
- Gateway/Subnet: select the gateway IP and netmask.
  - The default is 192.168.1.1.
  - You can use 192.168.2.1 for the second VLAN, 192.168.3.1 for the third, etc.
  - The netmask determines the number of usable addresses. A /24 will allow 249, which should be enough for most home networks.
- DHCP: Enable DHCP unless you have a dedicated DHCP host
Here is an example of my camera network, making use of VLAN ID 30 and a host address of 192.168.30.1/24.
Setup WiFi network
If you wish to set up a wireless network for one of your VLANs, navigate to Settings > WiFi > Create New.
Enter a name for the WiFi SSID and a strong password. Select the network (VLAN) you want to use. Usually you want the network to be broadcast on all the APs you have available. Otherwise all defaults should be taken unless you know what you’re doing.
Here is an example of my WiFi setup:
Note that it is connecting to VLAN ID 20 for “IoT – Untrusted”
Implementing the Isolation
Once the VLANs are configured, you can implement network VLAN isolation. To do this, follow these steps:
- Log into the Unifi Controller and navigate to Settings > Application Firewall.
- Here there are lots of security settings to configure. Be sure to investigate the settings.
- Select “Firewall Rules” near the top right
There are several items we need to define here. This should be showing you your firewall rules, similar to this:
This lists all the rules. We can filter by type. Internet includes firewall rules governing communication from/to the internet from your network. LAN is to and from your local VLANs. Guest is the default guest network (which I don’t enable). The ‘v6’ versions are the same but for IPv6.
The first column ‘Action’ is the action the firewall rule executes.
- drop: this traffic is silently discarded. There is no response and no evidence that a target device exists.
- accept: this traffic is accepted and the packets are allowed to pass through the firewall to their destination.
- reject: the traffic is discarded like a drop, but a rejection response is sent back to the sender.
The second column, protocol, is the type of communication the rule matches. TCP is a more structured protocol (connection-oriented, with delivery guarantees) but slower; UDP can lose packets but is faster.
The third column, “type”, is where we want the rule to be enforced. Keep in mind the router is making these decisions.
- ‘Local’ applies to traffic that is destined for the router itself.
- ‘In’ applies to traffic that is entering the interface, destined for other networks.
- ‘Out’ applies to traffic that is exiting the interface, destined for this network.
- WAN “wide area network” is usually where your internet connection exists
- LAN is “local area network” which includes your VLANs “virtual local area networks”
Typically you’ll want to make rules that are enforced on ‘In’ so you stop packets before they’re routed through the firewall. The path is IN -> Routing (router) -> OUT.
Examples (routing here is the router itself):
- A connection from the internet goes WAN IN -> Router -> LAN OUT.
- Rules under “LAN In” apply to traffic from a LAN (your VLANs) destined for other networks (e.g. other VLANs or the internet).
- A Wi-Fi device to the internet would be LAN IN -> Routing -> WAN OUT.
Firewall rules are evaluated sequentially by the router. The router assesses each rule against incoming traffic and applies the first rule that matches the traffic characteristics. The sensitivity to order underscores the importance of listing rules for accepting traffic ahead of rules for dropping traffic. Failure to prioritize accepting rules first may lead to the router not evaluating acceptance messages since it would have already matched on the drop rules.
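To make the ordering rule concrete, here is an added Python model (not code from this post or from Ubiquiti) of LAN In rules for the VLAN layout described under “My VLAN Configuration”. It evaluates rules first-match the way the router does and flags accept rules that an earlier, broader drop fully shadows; the IoT subnet and the Blue Iris, Plex and Roku addresses are assumed placeholders.

```python
"""Toy first-match evaluator for UniFi-style LAN In rules (added example, not
from the post). Layout follows the post: VLAN 1 trusted, VLAN 20 IoT/wireless,
VLAN 30 cameras; the IoT subnet and all host addresses below are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

TRUSTED = ip_network("192.168.1.0/24")     # VLAN 1, default network (from post)
IOT = ip_network("192.168.20.0/24")        # VLAN 20 "IoT - Untrusted" (assumed)
CAMERAS = ip_network("192.168.30.0/24")    # VLAN 30 cameras (from post)
BLUE_IRIS = ip_network("192.168.1.50/32")  # assumed Blue Iris host on VLAN 1
PLEX = ip_network("192.168.1.60/32")       # assumed Plex server on VLAN 1
ROKU = ip_network("192.168.20.77/32")      # assumed Roku on the IoT VLAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "accept", "drop" or "reject", as in the UniFi rule list
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def evaluate(rules: list[Rule], src: str, dst: str) -> str:
    """Action of the first matching rule, as the router applies it. Only who
    may *initiate* a connection is modelled; reply traffic is out of scope."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "accept"  # no rule matched: routed traffic passes by default


def shadowed(rules: list[Rule]) -> list[str]:
    """Accept rules fully covered by an earlier drop/reject rule: they can
    never fire, which is the ordering mistake described above."""
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "accept":
            continue
        for earlier in rules[:i]:
            if (earlier.action != "accept" and rule.src.subnet_of(earlier.src)
                    and rule.dst.subnet_of(earlier.dst)):
                hits.append(rule.name)
                break
    return hits


# The order the post recommends: specific accepts above the broad drops.
GOOD_ORDER = [
    Rule("Blue Iris polls cameras", "accept", BLUE_IRIS, CAMERAS),
    Rule("Roku reaches Plex", "accept", ROKU, PLEX),
    Rule("nothing else reaches cameras", "drop", ANY, CAMERAS),
    Rule("cameras never initiate", "drop", CAMERAS, ANY),
    Rule("IoT/wireless blocked from trusted", "drop", IOT, TRUSTED),
]
# Same rules with the drops listed first: both accepts become unreachable.
BAD_ORDER = GOOD_ORDER[2:] + GOOD_ORDER[:2]
```

With GOOD_ORDER, Blue Iris reaches the cameras and the Roku reaches Plex while every other cross-VLAN path into the cameras or the trusted VLAN is dropped; with BAD_ORDER both accept rules are reported as shadowed and the same flows are dropped.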
Common Challenges and Solutions
As I have worked with Unifi VLANs, I have encountered some common challenges that can cause connectivity issues and security concerns. In this section, I will discuss these challenges and provide solutions to address them.
Troubleshooting Connectivity Issues
One of the most common challenges with Unifi VLANs is connectivity issues. If you find that a device or client cannot connect or communicate in your VLAN(s), it may be the result of an incorrect network configuration. Here are some common reasons for connectivity issues and their solutions:
- Incorrect VLAN configuration: Ensure that the VLAN is properly configured on the switch and the UniFi controller. Double-check the VLAN ID, subnet, gateway, and DNS settings.
- Firewall blocking traffic: Check your firewall settings to ensure that traffic is allowed between VLANs. If necessary, create firewall rules to allow the required traffic.
- Misconfigured DHCP server: Verify that the DHCP server is properly configured for the VLAN. Check the IP range, subnet, gateway, and DNS settings.
- Incorrect VLAN tagging: Ensure that all devices are properly tagged with the VLAN ID. If necessary, configure the switch to tag all traffic on the port with the VLAN ID.
Addressing Security Concerns
Another challenge with Unifi VLANs is addressing security concerns. One of the main benefits of VLANs is the ability to isolate traffic between different networks. However, if not configured correctly, VLANs can still be vulnerable to security threats. Here are some common security concerns and their solutions:
- Unauthorized access: Ensure that only authorized users have access to the VLAN. Use strong passwords and implement two-factor authentication where possible.
- VLAN hopping: Configure the switch to prevent VLAN hopping, which is a technique used by attackers to gain access to other VLANs. Use VLAN access control lists (ACLs) to restrict traffic between VLANs.
- Denial of service attacks: Implement traffic shaping and rate limiting to prevent denial of service attacks. Use firewall rules to block traffic from known malicious IP addresses.
- Data leakage: Implement encryption and access controls to prevent data leakage between VLANs. Use VLAN ACLs to restrict traffic between VLANs.
By addressing these common challenges and implementing the solutions provided, you can ensure that your Unifi VLANs are properly configured and secure.
Best Practices for Network VLAN Isolation in Unifi
When it comes to network VLAN isolation in Unifi, there are a few best practices to keep in mind to ensure that your network is secure and running smoothly. As someone who has worked with Unifi for a while, I have found the following practices to be helpful:
1. Plan Your VLANs Carefully
Before you start creating VLANs, it is important to plan out your network carefully. Consider the devices that will be connected to each VLAN and the level of access each device needs. This will help you determine the appropriate VLAN tags to use and how to configure access rules.
2. Use Firewall Rules to Control Traffic Between VLANs
One of the main benefits of VLAN isolation is that it allows you to control traffic between different parts of your network. To do this effectively, it is important to use firewall rules to restrict access between VLANs. For example, you may want to allow traffic from your guest network to the internet but block access to your internal network.
3. Use VLAN Tags to Segment Your Network
VLAN tags are a way of segmenting your network into different parts. When creating VLANs in Unifi, be sure to assign unique VLAN tags to each network. This will help you keep track of which devices are connected to which VLAN and make it easier to troubleshoot any issues that arise.
4. Monitor Your Network Regularly
Finally, it is important to monitor your network regularly to ensure that everything is running smoothly. Keep an eye on your VLANs to make sure that traffic is flowing as expected and that there are no security issues. Unifi makes it easy to monitor your network using the built-in dashboard and network analytics tools.
By following these best practices, you can create a secure and efficient network VLAN isolation in Unifi. With careful planning and monitoring, you can ensure that your network is running smoothly and that your devices are protected from security threats.
Conclusion
In conclusion, VLAN isolation is an essential feature for network administrators who want to secure their networks and prevent unauthorized access. With Unifi, creating and managing VLANs is an easy task that can be done through the Unifi Controller.
By using VLANs, you can create separate broadcast domains that can be isolated from each other, thus preventing unwanted traffic from entering your network. This can be especially useful in environments where multiple users and devices are connected to the same network, such as in an office or a school.
Additionally, VLANs can be used to prioritize traffic and optimize network performance. By assigning different VLANs to different types of traffic, such as voice or video, you can ensure that each type of traffic gets the necessary bandwidth and is not affected by other types of traffic on the network.
Overall, VLAN isolation is a powerful tool that can help you create a more secure and efficient network. With Unifi, you can easily create and manage VLANs, and take advantage of the many benefits that VLAN isolation has to offer.
Frequently Asked Questions
How can I configure VLAN isolation in UniFi?
To configure VLAN isolation in UniFi, you need to create separate VLANs for each network segment. You can do this by going to Settings > Networks and clicking on Create New Network. From there, you can specify the VLAN ID, subnet, and gateway for each new network. Once you have created your VLANs, you can assign them to specific ports on your UniFi switch to keep traffic separated.
What are the best practices for VLANs in UniFi?
When using VLANs in UniFi, it is important to follow best practices to ensure that your network is secure and functioning properly. Some best practices include using separate VLANs for different departments or functions, using firewall rules to control traffic between VLANs, and limiting access to VLANs based on user roles.
What firewall rules should I use for VLAN isolation in UniFi?
To implement VLAN isolation in UniFi, you should use firewall rules to control traffic between VLANs. You can do this by going to Settings > Routing & Firewall > Firewall Policies and creating a new policy for each VLAN. In each policy, you can specify the source and destination VLANs and the action to take (allow, deny, or limit).
How do I set up a VLAN-only network in UniFi?
To set up a VLAN-only network in UniFi, you need to create a new VLAN network and assign it to a specific port on your UniFi switch. You can do this by going to Settings > Networks and clicking on Create New Network. From there, you can specify the VLAN ID, subnet, and gateway for your new network. Once you have created your VLAN network, you can assign it to a specific port on your UniFi switch to create a VLAN-only network.
What is L2 isolation and how does it work in UniFi?
L2 isolation is a feature in UniFi that allows you to isolate devices on the same VLAN from each other. This can be useful for security purposes or to prevent devices from interfering with each other. To enable L2 isolation, you need to go to Settings > Switch Ports and enable the Isolation option for each port.
Can I create an isolated LAN in UniFi and how do I do it?
Yes, you can create an isolated LAN in UniFi by using VLANs and firewall rules to control traffic between different network segments. To do this, you need to create separate VLANs for each network segment and use firewall rules to control traffic between them. You can also use L2 isolation to further isolate devices on the same VLAN from each other.