UniFi Configuration: Network Overhaul, Part 3
We’ve made it to Part 3 of our UniFi based smart home network. This is where we get down to brass tacks and really get the most out of our setup.
This article assumes you have followed at least part 2 of this series, though we recommend starting from the beginning. While this article is written from the perspective of a UniFi Dream Machine Pro user, it also applies to the Dream Machine and USG. The concepts can also be carried over to other network configurations.
I’d also like to note that if you are an auditory/visual learner, Rob from TheSmarthomeHookUp has a YouTube Series on this topic which was the inspiration for this series here. A lot of the content will be similar, but I’ve found a few settings that work better for me (such as the PiHole Ad Blocker).
The UniFi Wifi Setup
For purposes of this walk-through, we’ll assume you have your wireless AP set up and adopted in to the network from the initial setup wizard. Our first order of business is to decided how many wireless networks we need. For security’s sake, I will have Weland and Weland-Guest for our primary and Guest network WiFi, respectively.
I will also have a Weland-IoT and Weland-NoT; as the name suggests, IoT is for my Internet of Things devices. Or smart home devices that rely on some sort of external service, like a Google Home (mini) or something on the Tuya platform.
NoT is a play off IoT by smart home guru ‘Frenck’ – the creator of many Home Assistant add-ons an plugins. NoT is Network of Things, or smart devices that only need to run locally. They may use something like the MQTT protocol to communicate. Note: you will need to host an MQTT server, which you can do on a Raspberry Pi.
WiFi Configuration
On the Settings > Site tab, the important thing here is to disable the “Auto-Optimize Network”. While it sounds counter intuitive, this will help with a few settings later in this guide.
For this next part, I only have one screen shot of my WiFi configuration because aside from the name and passwords, setup is going to be the same. Under settings > wireless networks add your various WiFi SSIDs.
When configuring each of the SSIDs, remember to make each password unique. Security is the name of the game here. Under the Advanced Options drop-down, you also want to uncheck the box that says “Block LAN to WLAN Multicast and Broadcast Data.” This will come in to play later when we setup VLANs. Also worth noting here is that later we will come back and edit the “Use VLAN” for the IoT and NoT networks.
Setting Up UniFi Networks
Here’s where the configuration gets a little more complex but believe me – it will all be worth it. UniFi network configurations contain a lot of power. Under Settings > Networks, create a network for both your IoT and NoT. I have included images of the settings for mine. For both, select “corporate” under “purpose”. Under VLAN, I’ve chosen to give this a number of 20 for IoT and 30 for NoT.
For Gateway/Subnet you should write out your IP address as 192.168.*VLAN*.1/24 where *VLAN* is the number you applied to that network. VLAN for my IoT here was 192.168.20.1/24 You will also then want to click the “Update DHCP Range” button that appears. This will section off any device on that network to a separate block of IP addresses. Typically devices on on one VLAN cannot talk to devices on another VLAN but we will fix that shortly.
Check the box to enable IGMP snooping. If you setup PiHole from our earlier guide, you will want to select “Manual” under DHCP Name Server and for the first IP block enter the IP address for your PiHole. For the second block, it’s a good idea to use either Google’s 8.8.8.8 or CloudFlare’s 1.1.1.1 as a backup. You should also do this with your primary LAN.
Finish up VLANs
Now is as good a time as any to go back to your WiFi settings for your IoT and NoT networks and edit that configuration to use the VLANs for the corresponding VLANs you’ve setup. In my example VLAN 20 for IoT and VLAN 30 for NoT.
Note: A handy setting to change for each LAN or VLAN in this Network section is Domain Name. For IoT I’ve used “iot”, for NoT I’ve used “not” and for LAN I’ve used “localdomain”. Having these filled in allows you to access certain devices by their *hostname.domain*, so my AppServer running PiHole can be reached on my network in a browser with “http://appserver.localdomain”. Likewise, I can reach some of my smart home switches or sensors with “http://sensorname.iot”.
Configuring the UniFi Firewall
Here is the glue that holds this all together. Firewall Rules for UniFi are additive, meaning they work form the top down. For example: if a rule on top allows something, a rule beneath it will not block it.
Rules should be set as soon as they hit your local network. You can set them from Settings > Routing & Firewall > LAN IN.
Thems the Rules
Allow Established and Related Sessions: Means that if you initiate the communication than the device you are communicating with can reply back.
Allow all NTP Requests: NPT is a time synchronization by allowing this you allow you devices to keep accurate time. The NTP Port is 123, so this is allowing any traffic on your network that is requesting time information on port 123.
Allow NoT to MQTT: This will allow any traffic from your NoT Network communicate on MQTT ports. The most common ports are 1883 and 8883.
Allow IoT to HomeAssistant: This rule allows your IoT devices on your IoT VLAN to talk to your Home Assistant server if you have one setup. Mine runs on AppServer the same server as my PiHole installation.
Block IoT from LAN: This blocks all IoT communication from your LAN other than what you’ve already allowed (as above), namely the first rule, so they cannot communicate with your LAN devices that have not already requested it.
Block IoT from NoT: As the name suggests this keeps items from your IoT network from communicating directly to devices on the NoT network. IoT devices are handy but some developers really like to see what information they can glean from your network.
Block All NoT: This, of course, blocks ALL NoT traffic that has not been allowed by a previous rule.
Keep in mind Rob does an amazing job describing this step in part 3 of his video guide.
Final Touches
We are in the home stretch now. One important setting to keep this all running smoothly is to go to Settings > Services > MDNS and toggle “Enable Multicast DNS”. This, coupled with our IGMP snooping earlier on, will allow the devices on one VLAN to share their name with devices on the rest of your networks. This is how we are able to use “https://appserver.localdomain” in my example earlier.
Once you have all of your wireless IoT and NoT devices connected to their respective Wireless Networks, you can save some overhead by disabling the 5GHz network on those SSIDs, as well as hiding those SSID from being broadcast. They still work, but they won’t show up in a list when looking for WiFi to connect to.
Another feature that was paramount for me was to go to Settings > Threat Managment. I chose to enable this in IPS mode rather than IDS. IPS is intrusion prevention where as IDS is intrusion detection. I’d rather let UniFi handle this for me at this juncture and outright block intruders.
I have also enabled EVERYTHING in the Threat Management Categories drop-down. If you are using the new settings layout, this will be called “Level 5.”
Wrapping Up
I highly encourage you to watch Rob’s guide on YouTube that I’ve linked up top. If you’ve been following along, you should now have a secure network ready for a bunch of smarthome goodness. And better still, you should also have a relatively ad-free online experience.
I believe the UDMP has the total switching capacity of 1000mbps, therefor I do not use the switch part of the UDMP. I would suggest connecting the UDMP with a SFP to the switch you have and use the switch for switching. But a new writeup..
You are absolutely correct, this is a change I made to the network recently since moving to a new house. I think next up is a switch upgrade to have a 10G backplane (10g via SFP+ form UMDP to switch)