Over the holidays I decided to treat myself to an upgraded home network.
Up until recently it was completely flat, with no VLAN functionality at all.
However, I have added so many smart home devices that I figured it was time to segment them off into their own VLAN for security (and for fun … yes I’m a weirdo).
Of course, the upgrade and segmentation process didn’t come without its own set of problems …
The Starting Point and The Goal
First, the setup.
The original network had a Ubiquiti EdgeMax EdgeRouter 4 as the firewall/gateway with a connection to two ISPs.
The AP was a Ubiquiti Unifi UAP-AC-LR.
In between was a series of D-Link 5- and 8-port ‘dumb’ 1G switches, which means everything was sitting in the same VLAN and could see everything else.
Next, the goal.
What I wanted was to segment the network traffic by creating a separate IoT (Internet of Things) VLAN for just the smart devices.
To do this I had to replace the D-Link switches. I ended up going with Ubiquiti Unifi 1G managed switches, specifically USW-Lite-8-PoE and USW-Lite-16-PoE.
Once the new Unifi switches arrived, I simply replaced the D-Links with the new ones. This part was easy since the Unifi switches have every port set to Trunk by default, so it didn’t matter which switch I replaced first or how they were connected.
Afterwards I checked the Unifi app and sure enough the new switches were seen and were ready to be adopted, so I did. Some had firmware updates pending so I did that too.
Next I used the Unifi app to create a new IoT VLAN in the Networks section. Since I am using an EdgeRouter, the Gateway IP/Subnet section wasn’t necessary, but I filled it in anyway.
After that I updated the config on the EdgeRouter to create a ‘vif’ (VLAN sub-interface) with the correct IP and subnet. Then I created new firewall rules to block traffic inbound from the IoT VLAN to the primary VLAN while still allowing traffic from IoT to the Internet.
Lastly, I created a new WiFi network in the Unifi app and set it to use the IoT VLAN.
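As an added example (not the post’s own config), here is what the EdgeOS vif and firewall steps above look like as CLI commands; the port name, VLAN ID, subnets and ruleset name are assumptions.

```text
# Assumed values (not from the post): eth1 is the LAN-facing trunk port to the
# switches, the primary LAN is 192.168.10.0/24, the IoT VLAN is ID 20 on
# 192.168.20.0/24, and the ruleset is called IOT_IN.
# Enter these in `configure` mode, then `commit` and `save`.

# 1. Tagged sub-interface (vif) for the IoT VLAN
set interfaces ethernet eth1 vif 20 description "IoT VLAN"
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24

# 2. DHCP and DNS forwarding for the IoT subnet, served by the router itself
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dns forwarding listen-on eth1.20

# 3. Ruleset for traffic entering the router from the IoT VLAN
set firewall name IOT_IN description "IoT VLAN -> forwarded traffic"
set firewall name IOT_IN default-action drop
# Replies to sessions opened from elsewhere are allowed, so the primary VLAN
# can still reach IoT devices for management.
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "Allow established/related"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
# New connections from IoT into the primary VLAN are dropped (and logged)
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description "Block IoT -> primary VLAN"
set firewall name IOT_IN rule 20 destination address 192.168.10.0/24
set firewall name IOT_IN rule 20 log enable
# Everything else (Internet-bound) is allowed
set firewall name IOT_IN rule 30 action accept
set firewall name IOT_IN rule 30 description "Allow IoT -> Internet"

# 4. Attach the ruleset to the vif. The 'in' hook only sees traffic the router
# forwards; DHCP and DNS aimed at the router itself go through the 'local'
# hook, which stays open unless a separate ruleset is attached there.
set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
```

A routed boundary like this does not forward multicast, which is why discovery protocols such as mDNS stop working across the two VLANs until a reflector is configured.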
After testing the new WiFi network with my phone, I started the tedious process of migrating all my IoT devices over.
Despite all the changes, pretty much everything worked as intended:
- Devices on the Unifi IoT VLAN could reach the Internet but couldn’t see my primary VLAN, which is good for security
- Devices on the Primary VLAN could reach IoT devices for management
- I could manage all the devices from their respective apps on my phone
The only big issue I ran into was that I could no longer see my Roku devices from my phone or tablet, which took me quite a while to figure out (see Unifi mDNS for how I fixed it).
Overall it was a great upgrade and I’m really happy with the result.
On to the next project!