Implementing VLAN Segmentation in UniFi: Isolating Network Traffic by Security Tier

Overview

This article implements VLAN segmentation in UniFi to isolate network traffic by security tier. You'll create 10 VLANs organized into four tiers, configure WiFi SSIDs for each zone, set up switch port profiles for wired devices, and enable MAC filtering to prevent physical attacks. All changes are made in the UniFi console - no cluster modifications yet.

Before You Begin

Prerequisites

Home Lab V2 completed (working cluster)
Access to UniFi console (unifi.ui.com or local)

What We're Setting Up

Component	Count	Purpose
Firewall Zones	4	Custom zones for default-deny between tiers
VLANs	10	Network segments by security tier
WiFi SSIDs	6	Wireless access per VLAN
Port Profiles	8	VLAN assignments for wired devices

Why VLANs

V2's flat network means any device can reach any other device. A compromised game server pod can reach the UDM, NAS, and personal devices - no container escape required, just network access.

VLANs create layer 2 boundaries. Devices on different VLANs can only communicate if firewall rules explicitly allow it (configured in the next article).

How Zones Work

Custom zones provide default-deny security between network tiers¹. Unlike the built-in Internal zone (which allows all traffic between VLANs), custom zones block all traffic by default.


Warning:	Devices on different VLANs can't communicate until you create Allow policies - even VLANs within the same zone.

Source → Dest	External	Gateway	Core	Lab	Trusted	Isolated
Core	Allow All	Allow All	Block All	Block All	Block All	Block All
Lab	Allow All	Allow All	Block All	Block All	Block All	Block All
Trusted	Allow All	Allow All	Block All	Block All	Block All	Block All
Isolated	Allow All	Allow All	Block All	Block All	Block All	Block All

After creating intra-zone Allow policies (Core → Core, Lab → Lab, Trusted → Trusted), devices within the same zone can communicate. Isolated stays Block All for defense in depth. Cross-zone policies are added in article 02.

VLAN Configuration Notes

Toggle VLAN ID from Auto to Manual to unlock the checkbox settings². Assign each VLAN to a custom zone¹ and disable Auto-Scale³ when you need custom DHCP ranges.

Why Isolate on Isolated VLANs? Custom zones block traffic between zones. Isolate Network blocks traffic within the same VLAN (L2 isolation). For Isolated VLANs, both are needed.

Why mDNS on Trusted VLANs? AirPlay, HomeKit, Chromecast, and Matter use mDNS for device discovery⁴. Enable mDNS on VLANs with discoverable devices (Things-Trusted, Things-Isolated) and VLANs with devices that need to discover them (Unrestricted-Trusted). The mDNS Proxy forwards discovery traffic between VLANs. Things-Isolated devices like Philips Hue need mDNS so HomePods can discover them for Siri control - mDNS is multicast advertisement, not initiating connections, so isolation is preserved.

How mDNS/IGMP columns work: Enabling mDNS or IGMP per-VLAN automatically adds that VLAN to the Gateway mDNS Proxy and IGMP Snooping scope. UniFi sets Custom mode and only proxies between VLANs where you enabled these features - not globally.

Why 5 GHz for main/filtered? iPhones, Macs, and iPads all support 5 GHz⁵. Using 5 GHz only for primary networks frees up 2.4 GHz slots for IoT and restricted devices. Home uses dual-band for HomePod compatibility. Note that 5 GHz has shorter range through walls - ensure adequate AP coverage.

Why Internet on Drive but not Protect? UNAS Pro needs internet for external file sharing via drop.ui.com⁶. Protect cameras only communicate locally with the UDM controller - no internet required.

Why speed limits on Isolated networks? Isolated devices are untrusted by definition - guests, IoT, managed devices. Speed limits add another layer of defense. Trusted networks are your own devices and don't need limits.

Why 15 Mbps for Personal? 1080p streaming requires 5-8 Mbps⁷ and FaceTime needs 1-5 Mbps⁸. 15 Mbps down / 5 Mbps up supports both while preventing bandwidth hogging on guest and sandbox networks. WiFi Speed Limits apply per client⁹ - each device gets its own limit, not shared across the SSID.

Why 2 Mbps for IoT? Philips Hue Bridge uses 1-2 Mbps¹⁰, and smart plugs/sensors need even less. 2 Mbps covers legitimate use while ensuring compromised devices can't be useful for data exfiltration or botnet activity - defense in depth.

Why custom DHCP ranges? Network and Lab have Scale disabled to reserve IPs:

VLAN	Reserved IPs	Purpose
Network	.1-.99	UDM, infrastructure
Lab	.30-.39, .40-.79	Talos nodes, MetalLB pool

Keep other defaults: DHCP Server mode, Auto Default Gateway, Auto DNS Server, Lease Time 86400.

Create Firewall Zones

Navigate to Settings → Security → Zones → Create Zone for each zone.

Zone Name	VLANs	Purpose
Core	Network (1), Protect (3), Drive (5)	UDM, cameras, NAS
Lab	Lab (10)	Kubernetes cluster
Trusted	Things-Trusted (20), Unrestricted-Trusted (30), Restricted-Trusted (40)	Personal and entertainment
Isolated	Things-Isolated (25), Unrestricted-Isolated (35), Restricted-Isolated (45)	IoT and guest devices

Intra-Zone Policies

Navigate to Settings → Security → Zones → click the Block All cell → Create Policy.

Policy	Source	Destination	Action
Core → Core	Core	Core	Allow All
Lab → Lab	Lab	Lab	Allow All
Trusted → Trusted	Trusted	Trusted	Allow All

Leave Isolated → Isolated as Block All.

Create VLANs

Navigate to Settings → Networks → Create New Network for each VLAN.

Core Tier

Name	Zone	Scale	Subnet	VLAN	Isolate	Internet	IGMP	mDNS	DHCP
Network	Core	✗	192.168.1.0/24	1	✗	✓	✓	✓	.100-.254
Protect	Core	✓	192.168.3.0/24	3	✗	✗	✗	✗	(auto)
Drive	Core	✓	192.168.5.0/24	5	✗	✓	✗	✗	(auto)

Exposed Tier

Name	Zone	Scale	Subnet	VLAN	Isolate	Internet	IGMP	mDNS	DHCP
Lab	Lab	✗	192.168.10.0/24	10	✗	✓	✗	✗	.100-.199

Things Tier

Name	Zone	Scale	Subnet	VLAN	Isolate	Internet	IGMP	mDNS	DHCP
Things-Trusted	Trusted	✓	192.168.20.0/24	20	✗	✓	✓	✓	(auto)
Things-Isolated	Isolated	✓	192.168.25.0/24	25	✓	✓	✗	✓	(auto)

Users Tier

Name	Zone	Scale	Subnet	VLAN	Isolate	Internet	IGMP	mDNS	DHCP
Unrestricted-Trusted	Trusted	✓	192.168.30.0/24	30	✗	✓	✓	✓	(auto)
Unrestricted-Isolated	Isolated	✓	192.168.35.0/24	35	✓	✓	✗	✗	(auto)
Restricted-Trusted	Trusted	✓	192.168.40.0/24	40	✗	✓	✗	✗	(auto)
Restricted-Isolated	Isolated	✓	192.168.45.0/24	45	✓	✓	✗	✗	(auto)

Navigate to Settings → Networks and verify 10 networks are listed.

Create WiFi Networks

Navigate to Settings → WiFi, scroll to the bottom, and click Create New under WiFi Speed Limit.

WiFi Speed Limits

Name	Download	Upload
Personal	15 Mbps	5 Mbps
IoT	2 Mbps	1 Mbps

WiFi Blackout Schedules

Blackout schedules are configured per-SSID. After creating each SSID, navigate to Advanced → WiFi Blackout Schedule → On and set the schedule.

Name	Schedule
Downtime	8 PM - 5 AM daily

Apply Downtime to guest, filtered, and sandbox SSIDs.

WiFi Configuration

Navigate to Settings → WiFi → Create New for each SSID¹¹.


Warning:	UniFi APs limit 4 SSIDs per band. This configuration uses all 4 slots on each.

SSID	Network	Application	Band	Advanced	Hidden	Isolation	Steering	Limit	Blackout
`<prefix>-main`	Unrestricted-Trusted	Standard	5	Auto	✗	✗	-	-	✗
`<prefix>-filtered`	Restricted-Trusted	Standard	5	Manual	✗	✗	-	-	Downtime
`<prefix>-guest`	Unrestricted-Isolated	Hotspot	2.4 + 5	Manual	✗	✓	✓	Personal	Downtime
`<prefix>-home`	Things-Trusted	Standard	2.4 + 5	Manual	✓	✗	✓	-	✗
`<prefix>-iot`	Things-Isolated	IoT	2.4	Manual	✓	✓	-	IoT	✗
`<prefix>-sandbox`	Restricted-Isolated	Standard	2.4	Manual	✗	✓	-	Personal	Downtime

Hidden networks are configured once on devices. IoT and sandbox use 2.4 GHz only - 5 GHz band is at capacity. Band Steering pushes dual-band devices to 5 GHz. Blackout schedules disable WiFi during set times for restricted networks.

Navigate to Settings → WiFi and verify 6 SSIDs exist with correct VLAN mappings.

Create Port Profiles

Navigate to Settings → Networks, scroll to the bottom, and click Create New under Ethernet Port Profiles.


Note:	MAC filtering is not available on UDM built-in ports. It applies when devices connect through a managed switch.

Profile	Port	Allowed MACs	Native VLAN	Tagged VLAN Management	PoE
AP-Trunk	Active	-	Network (1)	Custom: 20, 25, 30, 35, 40, 45	Auto
Bastion	Restricted	Admin MAC	Network (1)	Block All	Off
Protect	Restricted	All camera MACs	Protect (3)	Block All	Auto
Drive	Restricted	NAS MAC	Drive (5)	Block All	Off
Lab	Restricted	All node MACs	Lab (10)	Block All	Off
Things-Trusted	Restricted	Device MACs	Things-Trusted (20)	Block All	Off
Things-Isolated	Restricted	Device MACs	Things-Isolated (25)	Block All	Off
Unrestricted-Trusted	Restricted	Device MACs	Unrestricted-Trusted (30)	Block All	Off

AP-Trunk is Active because WiFi client traffic keeps its original source MAC - filtering would block all clients. All other profiles are Restricted with allowed MACs to prevent unauthorized devices.

Assign Port Profiles

Navigate to Devices → [Switch] → Ports, select a port, and set Port Profile.

Profile	Devices
AP-Trunk	UniFi APs
Bastion	Mac bastion
Protect	Protect cameras
Drive	UNAS Pro
Things-Trusted	Entertainment
Things-Isolated	IoT devices
Unrestricted-Trusted	Workstations


Note:	Lab profile is not assigned yet. Homelab nodes remain on Default until Talos migration configures DHCP reservations.

Navigate to Settings → Networks → Ethernet Port Profiles and verify 8 profiles exist.

Next Steps

VLANs and zones are configured with default-deny between zones. Devices on different zones can't communicate until firewall rules allow it.

Expected: Cross-zone access is blocked - Unrestricted-Trusted (Users) cannot reach Drive (Core) until firewall rules are added.

See: Firewall Rules

Resources

Ubiquiti, "Zone-Based Firewalls in UniFi," help.ui.com. Accessed: Feb. 18, 2026. [Online]. Available: https://help.ui.com/hc/en-us/articles/115003173168-Zone-Based-Firewalls-in-UniFi ↩
R. Mens, "How to Setup UniFi Network - Complete Guide 2026," LazyAdmin. Accessed: Feb. 18, 2026. [Online]. Available: https://lazyadmin.nl/home-network/unifi-network-complete-guide/ ↩
W. Howe, "UniFi Auto Scale Network - Use Cases," Willie Howe Technology. Accessed: Feb. 18, 2026. [Online]. Available: https://williehowe.com/2025/12/16/unifi-auto-scale-network-use-cases/ ↩
C. Deluisio, "How to Set Up mDNS in UniFi Network," deluisio.com. Accessed: Feb. 21, 2026. [Online]. Available: https://deluisio.com/networking/unifi/2025/08/09/how-to-set-up-mdns-in-unifi-network/ ↩
The Interface, "The HomePod mini does work with 5GHz WiFi," theinterface.uk. Accessed: Feb. 21, 2026. [Online]. Available: https://theinterface.uk/blog-posts/the-homepod-mini-does-work-with-5ghz-wifi ↩
NASCompares, "UniFi UNAS Pro - Complete Setup Guide," nascompares.com. Accessed: Feb. 21, 2026. [Online]. Available: https://nascompares.com/2024/11/08/unifi-unas-pro-complete-setup-guide/ ↩
Netflix, "Internet connection speed recommendations," help.netflix.com. Accessed: Feb. 21, 2026. [Online]. Available: https://help.netflix.com/en/node/306 ↩
Make Tech Easier, "How Much Bandwidth Does Video Calling Use?," maketecheasier.com. Accessed: Feb. 21, 2026. [Online]. Available: https://www.maketecheasier.com/how-much-bandwidth-does-video-calling-use/ ↩
Ubiquiti Community, "Bandwidth limit on individual SSID," community.ui.com. Accessed: Feb. 21, 2026. [Online]. Available: https://community.ui.com/questions/Bandwidth-limit-on-individual-ssid/bfa152b9-9928-401e-8227-c2ec9f560285 ↩
Super Home Pursuits, "How Much Bandwidth Does Philips Hue Use?," superhomepursuits.com. Accessed: Feb. 21, 2026. [Online]. Available: https://superhomepursuits.com/how-much-bandwidth-does-philips-hue-use/ ↩
Ubiquiti, "UniFi WiFi SSID and AP Settings Overview," help.ui.com. Accessed: Feb. 20, 2026. [Online]. Available: https://help.ui.com/hc/en-us/articles/32065480092951-UniFi-WiFi-SSID-and-AP-Settings-Overview ↩