HOME NETWORK SOLUTIONS BERKSHIRE

How to create secure VLANs on a Unifi Dream Machine Pro (UDM-Pro)

2/1/2023

In this guide I show you how to create secure VLANs on a Ubiquiti Unifi Dream Machine Pro. Virtual Local Area Networks (VLANs) allow you to 'virtually' break down your network into different areas. They can be used for many reasons and have lots of benefits, but VLANs are mostly used to keep networks secure by separating trusted and untrusted network traffic, clients and users.

Unifi VLANs are not automatically secure: once they are created, firewall rules must be applied to secure them.

In this example we will be creating two VLANs, one to be used as a Guest network and one to be used as an IoT network. As well as separating the guests from the main native LAN (Local Area Network) for security reasons, we are also going to stop them accessing the router interface. Although the scenario in this example is simple, it can easily be scaled to create a more complex multi-VLAN network.

It should be noted that if you are looking for just a simple Guest VLAN you do not need to follow this guide: you can simply select 'Guest Network' during the Network set-up and the Firewall rules will be created automatically.

VLANs are a great way to secure a network; however, it is worth bearing in mind that secure VLANs are restrictive. Careful thought should be put into how they will operate before implementation. Certain devices may need specific rules created to allow them to function correctly if you intend to use them across VLANs (for example a network printer).

1. Create your Networks

Open the UDM Pro interface and select the Network Application.

Then select Settings->Networks->Create New Network

Name: IoT

Add Network

The rest can be left as default, but it is worth noting the IP range of each network for the Firewall rules.

For guest networks with predefined rules, select Manual->Guest Network. There is also an option to add content filtering to the Guest Network should you wish. 

2. Allow established and related

Select Settings->Security->Internet Threat Management->Firewall->Create New Rule. This is where we will set up our Firewall rules. Fill in the options as below:

Type: LAN In
Description: Allow established/related
Action: Accept
Protocol: All
Source and Destination: Left as is
Advanced: Select Match State Related and Match State Established

Apply Changes

3. Drop Invalid State

Create new rule

Type: LAN In
Description: Drop new/invalid
Action: Drop
Protocol: All 
Source and destination: Left as is
Advanced: Select Match State New and Match State Invalid

Apply changes

4. Create an RFC1918 group

For this next part we need to create a group that lets us apply our next Firewall rule to the right areas. To create a new group, scroll down to the Groups section of the Firewall tab and select 'Create New Group'.

The first group to create is RFC1918. 

Name: RFC1918
Type: IPv4 Address/Subnet
Address: 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 (press the +Add button for each new line)

Apply Change

5. Allow LAN to all VLANs

Create a new Firewall rule

Type: LAN In
Description: Allow default to all VLANs
Action: Accept
Protocol: All

Source
Source Type: Network
Network: LAN
Network Type: IPv4 Subnet

Destination 
Destination Type: Port/IP Group
IPv4 Address Group: RFC1918
Port Group: Any

Apply Change

6. Block Inter-VLAN Routing

Create a new Firewall rule

Type: LAN In
Description: Block Inter-VLAN routing
Action: Drop

Source
Source Type: Port/IP Group
IPv4 Address Group: RFC1918

Destination
Destination Type: Port/IP Group
IPv4 Address Group: RFC1918

Apply changes

7. Block VLAN to Gateways

There are two stages to this part, and both will need to be repeated for each VLAN added.

a. Create a Block VLAN to Gateways group

Create New Port/IP Group

Profile name: Block IoT to Gateways
Type: IPv4 Address/Subnet
Address: 192.168.1.1 and 192.168.2.1 (the IP addresses of the Gateways on each subnet, not including IoT)

Apply changes

b. Use the new group to block VLAN to Gateway

Create New Firewall Rule

Type: LAN Local
Description: Block IoT to gateways (or whichever VLAN it is)
Action: Drop

Source
Source Type: Network 
Network: IoT

Destination
Destination Type : Port/IP Group
IPv4 Group: Block IoT to Gateways

Apply changes

8. Block VLAN to Gateway Interface

a. Create Port/IP Group for Gateway

Create Port/IP Group

Profile Name: IoT Gateway (or whichever Gateway it is)
Type: IPv4 Address/Subnet
Address: 192.168.3.1 (or whatever the gateway IP is)

Apply changes

b. Create an http, https and SSH Port/IP group

Create Port/IP group

Profile Name: http, https and SSH
Type: Port Group
Ports: 80, 443 and 22

Apply changes

c. Create Block VLAN to Gateway Interface rule

Create new Firewall rule

Type: LAN Local
Description: Block IoT to Gateway Interface
Action: Block

Source
Source Type: Network
Network: IoT

Destination
Destination Type: Port/IP Group
IPv4 Address Group: IoT Gateway
Port Group: http, https and SSH

Apply changes
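As an added example that is not part of the original post, the Python below models the rules from steps 5 to 8 as a first-match check for new connections, so the intended policy can be reasoned about before it is committed on the UDM-Pro. It assumes the post's three subnets as /24s (LAN 192.168.1.0/24, Guest 192.168.2.0/24, IoT 192.168.3.0/24) with the gateway at .1 of each, and does not model the connection-state rules of steps 2 and 3.

```python
from ipaddress import ip_address, ip_network

# Constructed to match the post: three subnets, each gateway at .1 (assumed /24s).
NETWORKS = {
    "LAN": ip_network("192.168.1.0/24"),
    "Guest": ip_network("192.168.2.0/24"),
    "IoT": ip_network("192.168.3.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAYS = {name: net.network_address + 1 for name, net in NETWORKS.items()}
MGMT_PORTS = {22, 80, 443}  # the "http, https and SSH" port group

def in_any(addr, nets):
    return any(addr in n for n in nets)

def lan_in(src, dst):
    """LAN In: traffic routed between networks (steps 5 and 6), first match wins.
    Unifi's implicit LAN In default is Accept when no rule matches."""
    if src in NETWORKS["LAN"] and in_any(dst, RFC1918):
        return "Accept"  # step 5: Allow default to all VLANs
    if in_any(src, RFC1918) and in_any(dst, RFC1918):
        return "Drop"  # step 6: Block Inter-VLAN routing
    return "Accept"  # e.g. VLAN -> internet

def lan_local(src, dst, port):
    """LAN Local: traffic addressed to the gateway itself (steps 7 and 8),
    which the post says must be repeated for each VLAN."""
    for vlan in ("Guest", "IoT"):
        if src in NETWORKS[vlan]:
            other_gws = [gw for name, gw in GATEWAYS.items() if name != vlan]
            if dst in other_gws:
                return "Drop"  # step 7: Block <VLAN> to Gateways
            if dst == GATEWAYS[vlan] and port in MGMT_PORTS:
                return "Drop"  # step 8: Block <VLAN> to Gateway Interface
    return "Accept"  # DHCP/DNS to the VLAN's own gateway still works

def decide(src, dst, port):
    """Pick the chain the way the gateway does: its own addresses hit LAN Local,
    everything else is routed and hits LAN In."""
    src, dst = ip_address(src), ip_address(dst)
    return lan_local(src, dst, port) if dst in GATEWAYS.values() else lan_in(src, dst)

if __name__ == "__main__":
    for flow in [("192.168.1.20", "192.168.3.50", 80), ("192.168.3.50", "192.168.1.20", 445),
                 ("192.168.3.50", "192.168.3.1", 443), ("192.168.3.50", "192.168.3.1", 53)]:
        print(*flow, "->", decide(*flow))
```

Adding a fourth VLAN means adding it to NETWORKS and to the loop in lan_local, which mirrors the post's instruction to repeat steps 7 and 8 per VLAN.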

Conclusion

So in those few simple steps you have now created and secured your VLANs. For more complex scenarios, just repeat the steps to add more VLANs with the same rules.

I hope this quick guide has been useful. Please feel free to ask any questions in the comments below. 

If you are based in the UK and are looking for Network Services, please Contact Us to find out more.

    Huw Jones

    Owner of Home Network Solutions Berkshire
