NEW to UNIFI VLANs?? START HERE!!!

There are a lot of version of this walkthrough out there on RUclips, but (for me at least) this is the only one that took the appropriate time and amount of hand-holding that I need to not just implement the FW rules, but also to help me understand the WHY. That is huge!
Thanks a ton!

Great great video. You are a terrific teacher.

Finally one of those vlan guide that I can follow and understand easily. VLANS are not that scary after all. Cheers man!

Probably the only video with the new interface. Thanks for creating and being very detailed with background info for noobz.

Thanks! Great tutorial. I set it up and it works perfectly. A dual screen setup to watch the video and work on the other is the way to do it!!!

I am finally considering a Unifi setup now that their OS is more well-baked, and you had the most recent Unifi OS VLAN video, so I decided to stop by and see how things have improved over the last few years. However, I must say that this video is probably one for the best for anyone new to VLANs in general, not just VLANs on Unifi. You, sir, are the only one that “teaches one how to fish instead of just giving one a fish” by explaining the logic behind firewall rules, thus giving one the ability to not just copy your foundational firewall rules (which were spot on as the bare minimum starting point), but also gain the confidence to start coming up with their own firewall rules unique to their situation. Looking forward to joining you on this journey to learn from each other!

I watched several videos and this is the one where things started clicking. I loved the format of showing the vulnerability, applying the fix and confirming vulnerability is negated along with clear and concise explanations during the process. I also like that the gateways were isolated. Before this video, I was struggling to figure out why I could ping my gateway addresses even though my networks were isolated and now I know. This is the first ever super thanks I have given. It’s well deserved. I’ll be adding one to the follow up video on configuring VLANs on Unifi switches. Many things clicked in that video also.

I am a Unifi virgin. I have watched many videos to try to understan the world of Unifi, this video is gold! You explain it well. Thank you!

Glad you are using the new UI. Aside from that, what a great job of providing the list of items to change, their order and a great explanation as to why. I've watched other videos that assume way to much of the audience.

Thank you! You’re the first, explaining vlans so that I understand it.

As a seasoned firewall admin I thought I knew what I was doing as I started throwing random firewall rules into my new UDM, and it wasn’t working! This makes loads of sense and I’m excited to try it… Also these states look like iptable states, so that’ll be the next thing I start researching! Thanks for the great breakdown 🎉

Well done, I am getting a much needed education on networks.

Thanks for explaining all the firewall rules. In other video's I've seen they just tell you do put in certain things but not explain why.

Yessir, you explained it well. It's easier to understand the more advanced parts once a baseline has been understood and configured. Just what I needed as there are more and more IOTs and guests in my house these days.

Many videos in RUclips this is the only video that explained firewalls rules in UniFi that I can understand. Thank you for the video.

Thank you for this walkthrough. I've struggled trying to configure the UDMP and you made it simple and straightforward.

One of my friend said many years ago for his boss: "for thank you I won't feed my family". So please take small tip from me with huge words of appreciation. Great tutorial, the one was very helpful with my first steps to Unifi :)

I had no idea about the "new" Wifi Pre-shared Key assignments to different networks, that's cool. Thank you for explaining and showing that.

Wow, huge work here!, honestly the best vlan class on RUclips. Congrats and thank you

Thank you! I didnt know about the feature of being able to integrate multiple VLAN connections into a single SSID.
Just need to work out a good time to switch!

You're a good instructor! You saved me tons of headaches and time. Very much appreciate what you're doing.

Awesome video that has helped me start to understand a confusing subject. Had to watch it a couple of times but I now have Guest and IOT separated from the main network and all my Home Assistant stuff seems to still be working fine. Thanks for pulling this and your other videos together for plebs like me.

Absolutely brilliant. Finally configured my Unifi gear!

This is exactly what i was looking for! I applied your IOT logic to a Vland for crypto mining. This way i don't compromise my default network with some shady new crypto mining software and wallets. 😂😁 Thanks you!

I am finally getting fiber. Getting a new home network setup. Going to a dream machine. Love the idea of just one said for multiple v Lans. Goimg to save me a lot of time setting up. Thanks for the walk through.

This video is great. I've been looking into unify for a while now, but my biggest reservations about diving into it has been VLANs. I'm pretty familiar with vlans as I do IT at a large resort and everything we connect to a network has a different VLAN. Everyone says unify can do VLANs, but they don't elaborate further and I want something robust enough for firewall rules like the ones you demonstrated. My biggest concern was that unify either would not allow firewall rules, or they would be very limited. This video demonstrates the capabilities well and has shown this is exactly what I'm looking for. I plan to start ordering my components over the next couple of weeks and setting everything up and I could not be more excited.

Thank you so much for this. Been searching for a logical and more importantly logical explanation of the logic. My first venture into VLANs as our collection of IoT devices is growing! Now have to figure out how to assign MAC address of wired device to VLAN.....via a Ubiquiti Express - Thanks again

You don't understand how helpful this has been!! No-one else that I watch has broken what rules to make down so well. I wanted to ask what if I need devices on my IOT to talk to each other? I have a lot of devices that would need inter-vlan communication. Would I just not do the drop all private ip addresses traffic or some other allow rule? Thanks

I'm a total newbie in the world of home networking. Recently, I made a jump from Asus eco system to Unifi and can't seem to wrap my head around all new concepts like Vlan, traffic/firewall rules and stuff. Your video is so easy to understand and following with, absolutely one of the best for Unifi's new customers to learn from. Thank you for taking your time and effort to share with us your knowledge, cheers !!!!

Yeah, super handy on the guest landing page. I appreciate the re-accepting of the Guest EULA after a period of time for a business. So you don't saturate the DHCP range. But for home use I very much like disabling so users at my house don't have to re-accept to "logon".

This is AWESOME !! I just got my UDM SE and bunch more Unifi equipment and was looking for a video just like yours. Helped lots !! Thank you.

Thank you for this video. It was so much clearer and personable than others. You say you're not a teacher, but I'm not convinced.

You easily earned a sub for this. I'm very new to unifi gateways after using pfsense for years and firewalla for a few months this was just what I needed after getting my UDM Pro SE up and running yesterday. I had my pfsense dialed in for years, but I wanted to get a more user-friendly network solution for my home just in case something happens to me. This tutorial is solid and I'll be employing much of this ruleset to my network to start as my basic setup is very similar to your example. Great job and Thanks!

Top notch. Thank you!

This helped thank you. So many videos watched. This one works and is very well explained.

Great tutorial! I have recently setup two additional VLANs (Family and IOT). I did this because I liked your "kids" network in your prior video. I have not set any rules yet, just been busy getting devices on the correct VLAN/Wifi. Will be playing with firewall rules soon. My question is... The first thing that came to mind when you were creating rules, especially the port rules, was what are the chances that one mistake could potentially lock you out of the gateway from ALL networks. It just made me think I should be VERY careful!

Just setup my home network using this video ! Thank you so much of the help ! Would love to know now how to improve WIFI and get the best experience

This is great. I did find one more thing that needs consideration from the IOT network. If you run the network controller on a local PC like I do, then that is also accessible from the IOT network and needs to be blocked in the firewall, much like the gateway access was done.

You may not claim to be an educator, but I am and you did a superb job. Came to see this method on the new interface and this was a great video and you have an excellent way of speaking for these. One idea you might do would be to provide a firewall rule summary in a PDF or something to make reference easier. Maybe even make this apart of a subscription if you wanted to monetize it. Anyway, good job.

On the portion of the video (about 333.) where you set up group Block IOT from other gateways, you set up a group that included 192.168.1.1 and 192.168.3.1. There is no 192.168.3.1 but there is a x.x.99.1. Perhaps you meant to use 99 instead of 3?

This is a GREAT tutorial, thank you very much. Do you see any value in having a separate WIFI for 2G IOT devices? I have about 60 of these devices to connect, and I wonder if they would conflict with 5G traffic at that volume.

Great information I’ve just started getting into the UniFi ecosystem with a Cloud Gateway Ultra. Certainly feels like a massive upgrade in terms of features and capabilities over my standard WiFi 6 router which is now be converted to a temporary access point. I’ve set a Vlan for wired devices and one for wireless for now to add some degree of separation. Once I add a UniFi AP then I can add separate vlans for IoT and Guests.

amazing video I am keep watching it over and over again

Hi Tim, excellent step-by-step tutorial, followed you along in setting it up. Thank you, concise and also sufficient details. One small thing you already mentioned: Unibuiti changes things and I am running version 8.0.28 In this version there is no upper tab / bookmark line anymore with items like LAN-IN, LAN-Out etc. Greetings from Amsterdam.

thank you for this structred yet simple to understand and setup tutorial, appreciate it and now its time to check your other videos 😉

I wanted to create some simple rules and VLAN's, not touched networking for many many years, since I did CCNA when I was 16 (Now 35!!!) this jogged the memory nicely, also new to UniFi so understanding it's flow this really helped. All networks now created and all rules and VLAN's setup! Happy with it.
I just now have the joy or resetting all my dumb smart devices to be on my IoT network! I presume those devices can still talk externally to the web for their native apps to still work etc?
Thanks though, brilliantly spoken!

Thanks Great Video. I had had trouble finding some of the settings and this helped immensley. I followed your instructions and thought i had a problem as i refreshed the gateway page and could still get to it then a light bulb went off. As i had an established connection it remained. Closed the connection and went again and no access. Thought i would mention it in case others thought the same thing. Thanks again

Outstanding Video..... I have a USG and 3 access points, and want to keep Guests, IOT, and my default all separate, so your video hit a sweet spot for me. I've very concerned about getting hacked thru IOT (like Wyze) and this helped to show how to block the IOT to the gateways. I'll probably have to watch it a few more times to get it right, but thank you.

Outstanding presentation with the new interface. I would like to have a private wireless for my wife, because of her job. Could I use a shared key for default, IOT, Wife's Wifi and use the Guest 99 network with the standard isolation with it's own password? I am going to check out your VLAN video. Maybe I can come up with other ideas. Also, one of the things that gets frustrating is when videos are not updated when there is a noticeable OS change. I look forward to you continuing to do so.

Man nice video, makes a lot of sense and the whole thing super easy to learn. Much appreciated!! Thanks a bunch :)

Great guide, from zero to hero with everything needed, just one comment - please consider using dark mode ui when recording these, cheers!

This is brilliant. Easy to follow and understand. Thanks

This is the best tutorial I have seen describing the UniFi setup I was looking for. Thanks a lot for this easy to use tutorial 👍 You got a new subscriber. Can’t wait for more of this stuff!!

Awesome content. You saved me a ton of time! Thank you!

Perfect tutorial! Not that I can only get what you set up but I got some understanding so I can adapt to my own rules using your video. Keep up the good work!

Great tutorial, thanks! I love all the details! I just followed your previous tutorial to setup my vLan protections on my UDM SE, your earlier tutorial was super helpful!! I think you were on 7.x in that tutorial. Glad to see this updated tutorial, on 8.0.26! I saw you had a Guest firewall rule for "Allow DNS Packets to External Name Servers". It would be great to see a tutorial on this topic. I am looking to block all DNS (Port 53) queries out (on my various vLans), unless they come from my DNS (PiHole or other DNS like ControlD or NextDNS) server, if someone on my network tries to change their DNS, my goal is that they will not connect to another DNS server and their Name Resolution will fail. It would be good to see options, but wanted to share an idea (I'm sure you have considered this topic too! Great Job! Thanks!

Really great stuff. Love that you used the latest version.
FYI - WiFi Private Pre-Shared Key is not supported on 6 Ghz WiFi

Thanks so much for a great video. I have tried for a while but now I finally have got my VLANs to work. I even used my knowledge from the video to figure out how to get all my Denon/HEOS stuff to work on the IoT! Much obliged!
Just two small question if you don’t mind though.
Should I not block access to the gateway from the guest network? I have tried to understand the rules ubiquity has given me but I don’t seem to find that?
Next a more general question. In the firewall rules from ubiquity there are 4 “accept” at the end. What good are they if no “drop” after them? Maybe I have misunderstood something?

Good job 👍. Everything you showed is very simple, but it may be useful for beginners.

Absolutely incredible video! I have a question on how you set up your pinters specifically. I read that putting them on their own VLAN is the way to go, and someone who is learning I would love to try and do that but I was having issues getting it to communicate with my other devices on my other VLANS. Do you have any recommendations on firewall rules or should I just throw it on the IOT VLAN?

Tim, this was helpful to understand the importance of VLAN’s. I really want to do something similar but your comment about Sonos makes me not want to proceed. I am not qualified to troubleshoot any networking and I would just end up resetting everything back to default!

Thank you! This is the bomb-diddly!!!!
I have attempted this in 3 prior efforts with compromised results. After testing, I am now convinced that my IoT is configured as I had hoped. Not being a Net Admin type, the explanations were matched nicely with the recipes. A fantastic balance!
An excellent time investment. Thank you again!!
One small suggestion that would have completed my setup .... the recipe to expose the printer on the default vlan to those connected to the Guest vlan. BUT, I have enough knowledge now (from the camera examples?) to try to pull that off. Did I learn to fish??? ;-)

Great job of teaching/explaining vlans, watched another video that didn't explain much and hurried through everything
Didn't work and certainly didn't learn anything about what I was doing from other videos
Thank you for teaching subbed & liked!

Hey Tim! Just found your channel, I have a bunch of UniFi gear and have been running it for years, but you have taught me quite a bit and this video right here has helped me figure a bunch of stuff out! As a thanks, I noticed that your audio is being done from a laptop/phone mic, which works, but, I have a set of lavaliers that I would love to send you as a thanks. But I couldn't DM you, Drop me a line back and I'll find a way to get them to you! Thank you for the great information!

Great content. Made it easy for me to understand VLANS

One of the best, if not, the best unifi firewall tutorial on youtube. You explain it so well!!
Question for you: I didn't need to block the ssh,http,https ports on my vlan gateways, i just blocked the gateway ips.
Did you block the ports just for that extra security? Thanks!

Nice walk through. Still following it and slowly setting things up but it is helping a lot. My only so far is I have the Cloud Gateway Ultra and in it the options are Guest Network and Isolate Network compared to your "Isolation" when setting up the guest vlan. Do I check both of these or just guest or just isolation ?

Thanks, great video. Question, most network engineers suggest best practice is to have the default network as a “management” VLAN and create a new VLAN for your main/corporate/internal network. You haven’t done that in this case, just wondered what your thoughts are on separating management from main networks.

Thanks you! This was so very helpful to assisting me in my basic setup. Great!

Really useful tutorial. I'm new to Unifi and I'm sure I'll be configuring, resetting and reconfiguring things for awhile. I am updating my little home network mainly because my WAP is EoL and hasn't had an update in 2 years. I have been using an ERL for several years, which is a great little router, but I am using the WAP as an excuse to build an easier to manage network . I guess it's like Apple once you get into the Unifi ecosystem you're better off staying there. I bought an UDR and Lite 16 port switch to replace my existing switch, AP and router. I have the UDR and switch kinda hanging off my current setup so I can practice with it and not worry about getting my "users" upset. I plan on eventually adding APs to connect a shop and would be interested in ways to connect between buildings.
The VLAN stuff is very timely. I have stayed away from IoT devices because of security concerns. I'm hoping to get a good understanding how to control and secure things both internal and external. What I would like to see is a tutorial on best practices for setting up and securing the Ubiquiti VPN. I also would like to add a NAS to do my own cloud storage as well as local file, media and backup. Thinking about why, where and how to put a NAS on the network while being able to restrict access based on who and where the access is coming from all turns into a confusing mess quick.
Keep up the tutorials. I'm looking forward learning more. 👍

Thanks, that's a great tutorial. I am in the process of setting up my UDM Pro. VLANs and Firewall are next...

Great video!!! I followed all your steps. My one question is I went onto my IOT vlan and tried printing to my printer which is on the Default vlan. I was able to see the printer from the IOT vlan and I'm not wanting to be able to see that. I was trying to figure out a rule but I am stumped. So, if you can help me please.

Thanks for this great video but I have a question about the rule to block the IOT network from it's own gateway, why can't you just combine it into one group with the port group? It seems redundant to create a separate rule for this.

I just discovered your channel and have been watching all your UniFi related videos. This is one of your best! Thank you for taking the time to make all of them.
Possibly stupid question...do these firewall rules with respect to the IoT network interfere with my ability to control those devices remotely from my smartphone? I know that the default network can communicate with the IoT network, but my phone would not be on the default network if I am away. So for example, would I be able to use Apple Home to remotely lock my front door while I am on vacation, or adjust the thermostat, etc.? Or would the firewall rules prevent that?

Beautiful explanation! Thank you 🙏

I've watched a ton of these firewall setup videos but this one is probably the best at explaining what each setting does so thanks. The reason I keep watching them is I can't for the life of me get my macbook on VLAN 1 to talk to a Pi server on VLAN 2. It wont ping, it wont shh. But it will if I connect the wifi on the mac to the VLAN 2 wifi network. If followed every little detail in this video (which is almost identical to many others) and put in an allow rule for pi ip to talk to the mac ip. I've also tried it as a all VLAN 2 to all VLAN 1 rule. Still won't work. Hope that makes sense but is there any other gotchya that could be preventing this in unifi?

Love your video I would love to see you corporate a cameras into that that’s gonna be figured in my mind and I’m really new at this so you did it really well love love to see it. Nice job.

Great tutorial, but one question:
I followed your exact approach yet I'm able to ping other devices on the IOT network while on the IOT network. I thought that should have been blocked based on the rules? I'm using a new UCG Ultra running latest software.

Great video, Tim. Thank you so much!

PPSK is really cool, but only supports WPA2, so no 6ghz networks, which is a huge bummer. I'm guessing for your home network, other video shots 6ghz, you're just using multiple SSIDs instead? great video, thanks.

Thank you!! One question, when setting up your LAN LOCAL rules, why do you explicitly add DENY rules instead of explicitly adding ACCEPT rules with a default DENY at the end? This seems like the only place where you do not follow the "deny by default" best practice? This doesn't seem to scale with more networks (but maybe this is intentional for the video!).
Also, Unifi has a firewall option for "network type" of "Gateway IP Address", which I believe is the 192.168.x.1. Would you recommend using that Unifi default instead of creating the groups like "DROP IOT to its Gateway"?
Thank you!!!

This is an awesome video and great that is has the new interface included - thank you so much for taking the time to create it, I've watched loads of others and it just wasn't as clear as this. I've now setup the basics of my DM Pro and all is working well. I hadn't seen anything on the pre-shared keys so have set that up as well, seems much better to me to just have the one SSID and the password dictates which VLAN - have subscribed so please keep stuff coming : )

Hi. Great video but one part confuses me one bit. At the 33:42 mark you add the 192.168.3.1 adress which I dont really know what it corresponds to. Was the 192.168.99.1 intended as the Guest VLAN Gateway? Other than that u made my configuration process a lot easier. Thank You.

Very good explanation. It also nice to have a video with the last versions of Unifi console & network application. Overall explanations is very good & your testing labs is good example as a starting point. To be more specific with UniFi, I believe that you should have address how to setup Unifi PoE+ camera on a specific VLAN for videosurveillance as many unify customer will have Unifi Protect and Unifi cameras. In this case would you keep the Protect UNVR in the default or in the speficic cameras VLAN ?

Great Video..... Will use a bunch of this when my Gear arrives

Do you not recommend the Isolate Network checkbox in 8.3.32 (different from the Guest Network checkbox) on the Unifi VLAN (Network) configuration screen for the IOT network?

Great and amazing video. Q: do you have a rule that disables a specific VLAN from getting to the internet?

Thanks. I learn something new today.

Great tutorial. Thanks.

How are you putting things like apple tv, Roku etc on a separate vlan? I want to make an AV vlan for apple tvs, our smart tv, xbox and other things. If you could help that would be great.. Also I love your video. It helps a lot for network dummies like me. It was very easy to follow.. One suggestion for you, please include kids network in your future videos like you did in your previous video. It really helped..

Congratulations!Great tutorial and learling point

Do you recommend using fixed IP addresses for devices and clients when setting up firewall rules and groups, especially if there will be a rule allow a specific IOT client to talk to specific device in the trusted network? Currently, I have a few fixed IP addresses for some of my Unifi devices but I let DHCP hand out IPs to other devices and all clients.

Thank you so much. After watching several videos and web based walk-throughs, but I could not get things working 100% - finally scrapped and went through your video and presto everything is working, have my Iot and Cameras on separate vlans as well as my Guest Network. Tested, retested and everything is communicating as it should and blocked as it should.
I am getting a ton of DROP invalid State trigger events for various devices I have, mostly Apple ones (home pods, Apple TVs, iPads, iPhones) as well as some out door eufy cams. Within an hour I’m seeing 60 plus triggers, 95% are Apple devices. This seems excessive, but I’m unsure if this is anything to be concerned about.

Thanks for a great walk trough. Followed it today when migrated my trusty old DDWRT to new Dream Router setup.
One question. As we only make firewall rules for IPv4, should IPv6 be disabled? Or how should be treated? Google doesn't really give definite answer.

I have 5 VLANS this helped me eliminate a lot of rules, appreciate it. Nothing to nothing and I do port based policies. I tried the wireless Pre Share key it was acting wonky and handing out wrong IP's. Maybe it needs an update will try again later.

Tim - thank you for the fantastic video! I found it very helpful. I have a specific use case I'm hoping you (or someone on this channel) might be able to help me with - I have Default, Main (for trusted devices, including my phones), IoT, Camera, and Guest VLANs - and have implemented the firewall rules and IP groups similarly to the recommendations you provided. I do have a Home Assistant server on my IoT network (wired) and was wondering if you would be able to provide any recommendations for additional firewall rules that would allow that device to work more seamlessly with phones and laptops on my Main vlan? Should I make it a static IP and allow it to access the Main vlan? (I trust and update the Home Assistant server.) Thanks again!

Amazing tutorial! Thank you!

Really good walkthrough!!!
Suggest doing a VPN network walkthrough.

Great video. I still fail to understand a point. We need to introduce a FW rule "Block IOT to other Gateways". Obviously, your machine inside the IOT network is able to connect/reach the gateway inside the default network. Therefore you need this rule. But I still fail to see why the FW rule "DROP ALL private IP communication" is not enough... Any observations/development on this point?

I don't own any Unifi products (yet), just asking of curiosity...
1) So Unify accepts all traffic by default, and you add rules to block. Does it also accept all for ipv6, so basically all the blocking rules you created can be avoided between devices that use ipv6 ?
2) For the Unifi Gateway Lite, I guess you would need to combine that with a layer 2 switch to handle those VLANs, right?
3) Why is blocking traffic to the gateway so interesting? Isn't the Unifi Controller (which doesn't have to be the gateway) the admin of everything and therefore much more valuable to protect ?
Thanks for the video 🙂