
UniFi Ultra-Secure Network: Work, Personal, and IoT Segregation

This guide configures a UniFi network with three completely isolated segments — Work, Personal, and IoT — that cannot communicate with each other under any circumstances. Each segment gets its own VLAN, subnet, and Wi-Fi SSID. Firewall rules enforce strict east-west isolation at the gateway level.

Hardware assumed: UniFi Dream Machine (UDM/UDM Pro/UDM SE) or USG with a UniFi switch and APs. The UDM runs both the router and controller, so all settings live in the UniFi Network application.


| Segment | VLAN ID | Subnet | Purpose |
| --- | --- | --- | --- |
| Default | 1 | 192.168.1.0/24 | Management only — no client devices |
| Work | 10 | 10.10.0.0/24 | Work laptops, work phones |
| Personal | 20 | 10.20.0.0/24 | Personal phones, tablets, computers |
| IoT | 30 | 10.30.0.0/24 | Smart home devices, cameras, sensors |

Key principle: No inter-VLAN routing. Traffic from VLAN 10 cannot reach VLAN 20 or VLAN 30, and vice versa. All VLANs can reach the internet.


Go to Settings → Networks → Add New Network for each segment.

Name: Work
Purpose: Corporate
VLAN ID: 10
Gateway/Subnet: 10.10.0.1/24
DHCP Mode: DHCP Server
DHCP Range: 10.10.0.100 – 10.10.0.254
DNS Server: 10.10.0.1 (or your Pi-hole/AdGuard IP on this VLAN)

Name: Personal
Purpose: Corporate
VLAN ID: 20
Gateway/Subnet: 10.20.0.1/24
DHCP Mode: DHCP Server
DHCP Range: 10.20.0.100 – 10.20.0.254
DNS Server: 10.20.0.1

Name: IoT
Purpose: Corporate
VLAN ID: 30
Gateway/Subnet: 10.30.0.1/24
DHCP Mode: DHCP Server
DHCP Range: 10.30.0.100 – 10.30.0.254
DNS Server: 10.30.0.1

Use Corporate purpose (not Guest) for all three — Guest networks have limited firewall control. You will enforce isolation manually via firewall rules.


Go to Settings → WiFi → Add New WiFi Network for each segment.

Name (SSID): Work-5G / Work-2G
Password: Strong unique passphrase (20+ chars)
Network: Work (VLAN 10)
Security: WPA3 (or WPA2/WPA3 mixed if older devices need it)
Band Steering: Enabled
PMF: Required (WPA3) or Optional (WPA2/WPA3 mixed)
Client Isolation: Disabled (devices on this VLAN can talk to each other)

Name (SSID): Home-5G / Home-2G
Password: Strong unique passphrase
Network: Personal (VLAN 20)
Security: WPA3
PMF: Required
Client Isolation: Disabled

Name (SSID): IoT-Home
Password: Strong unique passphrase
Network: IoT (VLAN 30)
Security: WPA2 (many IoT devices don't support WPA3)
PMF: Disabled (IoT device compatibility)
Client Isolation: Enabled — prevents IoT devices talking to each other

Enable 2.4 GHz only for IoT if your devices don’t need 5 GHz. Many smart home devices only support 2.4 GHz anyway.


This is the most critical section. UniFi firewall rules are processed top-to-bottom; the first match wins.

UniFi 8.x+ UI note: The menu was renamed from “Firewall & Security” to just “Security”. UniFi also introduced a simplified “Traffic Rules” interface — but it has known gaps: it does not reliably block gateway console access and VPN/Teleport clients can bypass it. Use the legacy Firewall Rules interface (under Settings → Security → Firewall) for all rules in this guide.

Go to Settings → Security → Firewall → Rules.

  • LAN In: Traffic entering the router from a LAN segment (headed to another LAN segment or the internet)
  • LAN Local: Traffic destined for the router itself (DNS, DHCP, UniFi controller)

Go to Settings → Security → Profiles → Groups (8.x+) or Settings → Security → Port and IP Groups (older).

Group: RFC1918 (All Private Subnets)

Type: IPv4 Address/Subnet
Name: RFC1918
Addresses:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Group: Work Subnet

Type: IPv4 Address/Subnet
Name: Work_Subnet
Address: 10.10.0.0/24

Group: Personal Subnet

Type: IPv4 Address/Subnet
Name: Personal_Subnet
Address: 10.20.0.0/24

Group: IoT Subnet

Type: IPv4 Address/Subnet
Name: IoT_Subnet
Address: 10.30.0.0/24

Warning — lockout risk: Apply firewall rules while connected to the UDM from a device on the management VLAN (192.168.1.x). If you apply rules from a client VLAN device and a rule blocks your session, you will lose access and need physical console access to recover. Add rules one at a time and verify connectivity after each.

Create these rules in LAN In to block all cross-VLAN traffic. Order matters — rules are evaluated top to bottom, first match wins.

The first two rules are mandatory foundations that every UniFi firewall ruleset needs. Without them, drop rules can accidentally block return traffic for legitimate connections (e.g., the TCP SYN-ACK reply for an internet session your firewall already approved).

Rule 0: Allow established and related sessions

Action: Accept
IPv4 Protocol: All
Source: Any
Destination: Any
Match State: Established, Related

Rule 0b: Drop invalid state packets

Action: Drop
IPv4 Protocol: All
Source: Any
Destination: Any
Match State: Invalid

Rule 1: Block Work → Personal

Action: Drop
IPv4 Protocol: All
Source: Network — Work
Destination: Address/Port Group — Personal_Subnet

Rule 2: Block Work → IoT

Action: Drop
IPv4 Protocol: All
Source: Network — Work
Destination: Address/Port Group — IoT_Subnet

Rule 3: Block Personal → Work

Action: Drop
IPv4 Protocol: All
Source: Network — Personal
Destination: Address/Port Group — Work_Subnet

Rule 4: Block Personal → IoT

Action: Drop
IPv4 Protocol: All
Source: Network — Personal
Destination: Address/Port Group — IoT_Subnet

Rule 5: Block IoT → Work

Action: Drop
IPv4 Protocol: All
Source: Network — IoT
Destination: Address/Port Group — Work_Subnet

Rule 6: Block IoT → Personal

Action: Drop
IPv4 Protocol: All
Source: Network — IoT
Destination: Address/Port Group — Personal_Subnet

Rule 7: Block IoT → All RFC1918 (belt-and-suspenders — catches any private IP)

Action: Drop
IPv4 Protocol: All
Source: Network — IoT
Destination: Address/Port Group — RFC1918

Rule 8: Block Work → All RFC1918 (belt-and-suspenders for Work VLAN)

Action: Drop
IPv4 Protocol: All
Source: Network — Work
Destination: Address/Port Group — RFC1918

Rule 9: Block Personal → All RFC1918 (belt-and-suspenders for Personal VLAN)

Action: Drop
IPv4 Protocol: All
Source: Network — Personal
Destination: Address/Port Group — RFC1918

Rules 1–6 are explicit pairwise blocks. Rules 7–9 are catch-alls that protect against any future VLANs you add — without them, a new VLAN would be reachable from existing segments until you update every pairwise rule. The RFC1918 catch-alls close that gap automatically.


Rule 10: Allow DNS from all VLANs to router

Action: Accept
IPv4 Protocol: TCP/UDP
Source: Any
Destination: Address — 10.10.0.1, 10.20.0.1, 10.30.0.1
Destination Port: 53

Rule 11: Allow DHCP from all VLANs

Action: Accept
IPv4 Protocol: UDP
Source: Any
Destination Port: 67

Rule 12: Block IoT from accessing UniFi controller

Action: Drop
IPv4 Protocol: All
Source: Network — IoT
Destination: Address — 192.168.1.1 (your UDM IP)

Rule 13: Block client VLANs from reaching management subnet

Action: Drop
IPv4 Protocol: All
Source: Address/Port Group — Work_Subnet, Personal_Subnet, IoT_Subnet
Destination: Address — 192.168.1.0/24

Do NOT use RFC1918 as the source here — that would include 192.168.1.x itself and block management devices from reaching the router.


Each VLAN’s gateway (10.10.0.1, etc.) forwards DNS to upstream resolvers. Use encrypted DNS upstream:

Go to Settings → Internet → WAN DNS:

Primary: 1.1.1.1
Secondary: 8.8.8.8

Or use DoT/DoH if your UDM firmware supports it.

Option B: AdGuard Home / Pi-hole per VLAN (recommended)

Run AdGuard Home on a server/container with separate listener IPs per VLAN. This lets you:

  • Block ads and trackers per segment
  • Apply stricter DNS filtering to IoT (block all non-essential domains)
  • Log DNS queries per segment for visibility

Set each VLAN’s DHCP DNS server to the AdGuard listener IP on that subnet.

Force DNS through your resolver (prevent bypass via hardcoded IPs):

UniFi doesn’t support negated destinations, so use two ordered rules — the allow fires first, the block catches everything else:

Rule A: Allow DNS to your resolver (place first)

Action: Accept
IPv4 Protocol: TCP/UDP
Source: Network — IoT
Destination: Address — 10.30.0.1 (your resolver on IoT subnet)
Destination Port: 53

Rule B: Block all other outbound DNS (place immediately after Rule A)

Action: Drop
IPv4 Protocol: TCP/UDP
Source: Network — IoT
Destination Port: 53

Together these force all IoT DNS through your resolver, so a device cannot bypass filtering by hardcoding 8.8.8.8 as its resolver. DoH is a separate case: because it runs over port 443, it is much harder to block without deep packet inspection.
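To see how first-match ordering plays out across the LAN In rules above (Rules 0 through 13, and the DNS enforcement Rules A and B), here is an added offline simulator. It is not UniFi code and does not talk to the gateway: it walks a list modelled on the guide's rules top to bottom and reports which rule a sample flow hits. The position of Rules A and B directly after the state rules, the Mgmt_Subnet group name, and the sample client addresses (including 10.40.0.5 standing in for a VLAN added later) are assumptions made for the example.

```python
"""Offline first-match simulator for the LAN In rule set in this guide.

Added example, not UniFi code. It models only forwarded (LAN In) traffic
between segments and to the internet; traffic addressed to the gateway's
own IPs is handled by the LAN Local table and is not modelled here.
"""
from ipaddress import ip_address, ip_network

# Address groups from the Profiles -> Groups section of the guide, plus a
# constructed Mgmt_Subnet group for the 192.168.1.0/24 destination of Rule 13.
GROUPS = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Work_Subnet": ["10.10.0.0/24"],
    "Personal_Subnet": ["10.20.0.0/24"],
    "IoT_Subnet": ["10.30.0.0/24"],
    "Mgmt_Subnet": ["192.168.1.0/24"],
}


def rule(rid, action, src="any", dst="any", dport=None, state=None):
    """One rule. src/dst: 'any', a group name, a CIDR, or a list of those."""
    return {"id": rid, "action": action, "src": src, "dst": dst,
            "dport": dport, "state": state}


# The guide's LAN In rules in evaluation order. Rules A and B (IoT DNS
# enforcement) are placed right after the state rules, an assumed position
# that keeps Rule A ahead of the RFC1918 catch-all in Rule 7.
LAN_IN = [
    rule("0", "accept", state={"established", "related"}),
    rule("0b", "drop", state={"invalid"}),
    rule("A", "accept", src="IoT_Subnet", dst="10.30.0.1/32", dport=53),
    rule("B", "drop", src="IoT_Subnet", dport=53),
    rule("1", "drop", src="Work_Subnet", dst="Personal_Subnet"),
    rule("2", "drop", src="Work_Subnet", dst="IoT_Subnet"),
    rule("3", "drop", src="Personal_Subnet", dst="Work_Subnet"),
    rule("4", "drop", src="Personal_Subnet", dst="IoT_Subnet"),
    rule("5", "drop", src="IoT_Subnet", dst="Work_Subnet"),
    rule("6", "drop", src="IoT_Subnet", dst="Personal_Subnet"),
    rule("7", "drop", src="IoT_Subnet", dst="RFC1918"),
    rule("8", "drop", src="Work_Subnet", dst="RFC1918"),
    rule("9", "drop", src="Personal_Subnet", dst="RFC1918"),
    rule("13", "drop", src=["Work_Subnet", "Personal_Subnet", "IoT_Subnet"],
         dst="Mgmt_Subnet"),
]


def _networks(spec):
    """Expand a src/dst spec into ip_network objects; None means 'any'."""
    if spec == "any":
        return None
    names = spec if isinstance(spec, list) else [spec]
    return [ip_network(c) for n in names for c in GROUPS.get(n, [n])]


def _matches(r, pkt):
    for key in ("src", "dst"):
        nets = _networks(r[key])
        if nets is not None and not any(ip_address(pkt[key]) in n for n in nets):
            return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["state"] is not None and pkt.get("state", "new") not in r["state"]:
        return False
    return True


def evaluate(pkt, rules=LAN_IN):
    """Return (action, rule id) of the first matching rule.

    An unmatched packet yields ('accept', 'default'): the guide's LAN In
    table has no final drop, so anything not explicitly dropped is forwarded.
    """
    for r in rules:
        if _matches(r, pkt):
            return r["action"], r["id"]
    return "accept", "default"


if __name__ == "__main__":
    # Constructed sample flows; 10.40.0.5 stands for a VLAN added later.
    samples = [
        ("Work laptop -> Personal tablet", {"src": "10.10.0.50", "dst": "10.20.0.7", "dport": 445}),
        ("Work laptop -> internet HTTPS", {"src": "10.10.0.50", "dst": "1.1.1.1", "dport": 443}),
        ("IoT camera -> future VLAN 40", {"src": "10.30.0.120", "dst": "10.40.0.5", "dport": 80}),
        ("IoT camera -> 8.8.8.8 DNS", {"src": "10.30.0.120", "dst": "8.8.8.8", "dport": 53}),
        ("IoT camera -> local resolver", {"src": "10.30.0.120", "dst": "10.30.0.1", "dport": 53}),
        ("Established reply Personal -> Work", {"src": "10.20.0.7", "dst": "10.10.0.50", "state": "established"}),
        ("Personal phone -> UDM mgmt IP", {"src": "10.20.0.7", "dst": "192.168.1.1", "dport": 443}),
    ]
    for label, pkt in samples:
        action, rid = evaluate(pkt)
        print(f"{label:36s} {action:6s} (rule {rid})")
```

Two results are worth noticing. The flow to the future VLAN 40 is dropped by Rule 7; remove Rules 7 to 9 from the list and the same flow falls through to the default accept, which is exactly the gap the catch-alls close. And the Personal-to-management flow is dropped by Rule 9, not Rule 13: with this ordering, the RFC1918 catch-alls already cover the management subnet, so Rule 13 never gets a chance to match.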


Static DHCP Leases for Firewall-Referenced Devices


Any device whose IP address appears in a firewall rule needs a static DHCP reservation. If the device renews to a different IP, the rule silently stops applying.

Settings → Networks → [Network] → DHCP → Fixed IPs: Map each device’s MAC address to a fixed IP within your DHCP range.

This applies to any DNS servers, home automation hubs, or NAS boxes you reference by IP in rules or DNS intercept configs.

Settings → Internet → UPnP: Off

UPnP lets devices punch holes in your firewall automatically — dangerous for IoT devices.

Settings → Security → Threat Management:

Mode: IPS (Intrusion Prevention)
Sensitivity: High
Restrict: Enable for all networks

This inspects traffic and blocks known malicious signatures.

Settings → Security → Honeypot: On

Triggers an alert if anything on your network port-scans internal IPs — a sign of a compromised device.

Settings → Security → Country Restrictions:

Block inbound connections from countries you don’t expect traffic from. For IoT especially, most devices only need to reach their cloud services in the US/EU.

On your UniFi switch, assign any wired IoT device ports to VLAN 30:

Devices → Switch → Ports → [Port] → Profile:

Port Profile: IoT (VLAN 30)
Native VLAN: 30
Tagged VLANs: None

mDNS / Multicast Reflection (Cross-VLAN Device Discovery)


With full VLAN isolation, IoT devices are completely unreachable from Personal devices. This means you cannot use your phone to control a Chromecast, Sonos speaker, HomeKit accessory, or smart plug that lives on the IoT VLAN. This is intentional in a zero-trust design.

If you want device control from Personal → IoT (one-way, no IoT-initiated connections back):

  1. Enable mDNS reflector: Settings → Networks → [Network] → mDNS: On for each relevant network
  2. Add a specific LAN In allow rule above the block rules for the exact port/protocol needed (e.g., TCP 8123 for Home Assistant, TCP 32400 for Plex)
  3. Keep the IoT → Personal blocks in place — only allow the specific return traffic via the established/related rule

Without mDNS reflection, service discovery (AirPlay, Chromecast, HomeKit, Sonos grouping) will silently fail across VLANs.

IGMP snooping controls how multicast traffic is forwarded on your switch. UniFi enables it by default, but it can drop multicast packets needed by certain devices (Sonos, Matter accessories, HomeKit hubs).

If devices on your IoT VLAN are unreachable or behave erratically despite correct firewall rules, try:

Settings → Networks → [IoT Network] → IGMP Snooping: Off

This is particularly relevant for Matter/Thread devices (see below).

Matter and Thread Devices (Apple Home, Google Home, Amazon Alexa)


Matter accessories (smart bulbs, plugs, sensors using the new standard) have additional requirements that break with strict VLAN isolation:

  • Matter uses dynamic UDP ports — static port-based firewall rules are insufficient
  • Matter over Thread requires IPv6 link-local communication, which doesn’t cross VLANs by default
  • Matter commissioning uses multicast that IGMP snooping can drop

If you use Apple Home, Google Home, or Matter-based accessories, your options are:

  • Keep Matter devices on the same VLAN as your hub (Home Pod, Google Nest Hub, Echo)
  • Disable IGMP snooping on the IoT VLAN
  • Accept that Matter cross-VLAN control requires complex per-device firewall exceptions

The simplest approach: put your smart home hub and all its Matter accessories together on the IoT VLAN, and use a separate segment for legacy IP-based devices.

If IPv6 is active on your UDM, devices can bypass all IPv4 VLAN isolation using IPv6 link-local or global addresses. Either:

  • Disable IPv6 per network: Settings → Networks → [Network] → IPv6 → Disabled
  • Or: Add equivalent rules in the LAN6 In firewall table mirroring all LAN In rules above

The simplest option for most home setups is to disable IPv6 on the Work, Personal, and IoT networks.

Ensure your IoT SSID does not have “Allow guest traffic” enabled — this would bypass your custom firewall rules.

MAC Address Filtering (optional, low value)


MAC filtering is trivially bypassed but adds a minor deterrent for IoT:

WiFi → IoT-Home → Edit → Advanced → MAC Filter: Allowlist mode with known device MACs.


After configuring, verify each boundary holds.

From an IoT device (e.g., SSH into a Raspberry Pi on VLAN 30):

```sh
ping 10.20.0.1 # Should fail (timeout)
ping 10.10.0.1 # Should fail (timeout)
ping 8.8.8.8 # Should succeed (internet works)
```

From a Personal device:

```sh
ping 10.30.0.100 # Should fail
curl http://10.30.0.100 # Should fail
```

From an IoT device, try querying a non-router DNS server:

```sh
nslookup google.com 8.8.8.8 # Should fail if DNS intercept rule is active
nslookup google.com 10.30.0.1 # Should succeed
```

Test 3b: Work cannot reach IoT or Personal


From a Work device:

```sh
ping 10.30.0.1 # Should fail
ping 10.20.0.1 # Should fail
ping 8.8.8.8 # Should succeed
```

```sh
curl https://ifconfig.me # Should return your WAN IP from all three segments
```

Test 5: UniFi controller unreachable from IoT


From IoT VLAN:

```sh
curl http://192.168.1.1 # Should time out
```
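The manual tests above can be collected into one script that is run from a host inside each segment and reports pass/fail against the expected outcome. This is an added example, not part of the guide: it probes hosts in the other segments with TCP connects rather than pinging their gateway addresses, because the gateway addresses belong to the UDM itself and traffic to them is evaluated by the LAN Local table, not LAN In. The target addresses (the first DHCP lease of each subnet, the UDM at 192.168.1.1, and the public resolvers) are assumptions; adjust them to your LAN. One detail the script encodes that a bare ping does not: a "connection refused" answer means the packet reached the target host, so it counts as reachable, and only silence counts as blocked.

```python
"""Scripted isolation check, run from a host inside one segment.

Added example, not from the guide. Probes hosts in the other segments and
compares each outcome with what the LAN In rule set should produce.
"""
import socket
import sys

# Expectations per source segment. "blocked" means the gateway drops the
# packet, which shows up as no answer. A "refused" reply means the packet
# got through the firewall and the host itself declined the connection.
# Target hosts are assumed: first DHCP lease of each subnet, the UDM at
# 192.168.1.1, and public resolvers for the internet checks.
CHECKS = {
    "IoT": [
        ("Personal host", "10.20.0.100", 80, "blocked"),
        ("Work host", "10.10.0.100", 80, "blocked"),
        ("UDM management IP", "192.168.1.1", 443, "blocked"),
        ("External DNS (Rule B)", "8.8.8.8", 53, "blocked"),
        ("Internet HTTPS", "1.1.1.1", 443, "reachable"),
    ],
    "Personal": [
        ("IoT host", "10.30.0.100", 80, "blocked"),
        ("Work host", "10.10.0.100", 80, "blocked"),
        ("UDM management IP", "192.168.1.1", 443, "blocked"),
        ("Internet HTTPS", "1.1.1.1", 443, "reachable"),
    ],
    "Work": [
        ("IoT host", "10.30.0.100", 80, "blocked"),
        ("Personal host", "10.20.0.100", 80, "blocked"),
        ("UDM management IP", "192.168.1.1", 443, "blocked"),
        ("Internet HTTPS", "1.1.1.1", 443, "reachable"),
    ],
}


def tcp_probe(host, port, timeout=2.0):
    """Classify a TCP connect attempt as 'open', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route to host, etc.
        return "no-answer"


def classify(outcome):
    """Map a probe outcome to whether the packet got past the firewall."""
    return "reachable" if outcome in ("open", "refused") else "blocked"


def run_checks(segment, probe=tcp_probe):
    """Return [(label, host, port, outcome, passed)] for one source segment."""
    results = []
    for label, host, port, expected in CHECKS[segment]:
        outcome = probe(host, port)
        results.append((label, host, port, outcome, classify(outcome) == expected))
    return results


def all_passed(results):
    return all(passed for *_, passed in results)


if __name__ == "__main__":
    seg = sys.argv[1] if len(sys.argv) > 1 else "IoT"
    res = run_checks(seg)
    for label, host, port, outcome, ok in res:
        print(f"[{'PASS' if ok else 'FAIL'}] {seg} -> {label} {host}:{port}: {outcome}")
    sys.exit(0 if all_passed(res) else 1)
```

Run it as `python3 check_isolation.py IoT` from a device on the IoT VLAN, and likewise with `Personal` and `Work` from the other two segments; a non-zero exit code means at least one boundary did not behave as the rule set intends.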

  • Three VLANs created: Work (10), Personal (20), IoT (30)
  • Three SSIDs, each pinned to its VLAN
  • IoT SSID uses client isolation
  • Rule 0: Allow established/related at top of LAN In
  • Rule 0b: Drop invalid state packets
  • Nine inter-VLAN drop rules in LAN In (6 pairwise + 3 RFC1918 catch-alls)
  • Client VLANs blocked from management subnet
  • Static DHCP reservations for any IP-referenced devices
  • UPnP disabled
  • IDS/IPS enabled
  • IPv6 disabled per VLAN (or equivalent LAN6 rules added)
  • IGMP snooping behavior understood and configured for your device types
  • mDNS reflection decision made (disabled = full isolation, enabled = cross-VLAN discovery)
  • DNS filtering enforced (optional but recommended)
  • Isolation tested and verified with ping/curl from all three segments