VLANs, or virtual local area networks, are a simple and effective way to isolate different parts of a network. They are not only useful in enterprise networks; ideally, separate networks should be part of home networks too.

In a home or smaller business, I would recommend at least three separate networks.

  1. Internal network. This network is for your own (managed) devices. This is where all your computers, laptops, phones, printers, network storage (NAS), and other traditional devices belong.
  2. Guest network. This network is for guests you want to give Internet access. These are devices you do not control, so they should be kept separate and must not have access to your internal network and internal devices. The reason is primarily security: you do not know what state these foreign devices are in, and you do not want malware on them, for example, spreading to your own devices. Ideally, the guest network should also isolate its devices from each other (client isolation), so that one device on the guest network cannot see another device on the guest network.
  3. IoT device network. This network is in principle your internal network, but it is used to connect various IoT (= Internet of Things) devices such as washing machines, refrigerators, smart lights, IP cameras, etc. These devices typically need to communicate with the Internet (some sort of cloud), but usually do not need to communicate within your local network. The reason these devices belong on a separate network is that they are usually various cheap Chinese devices connecting to Chinese clouds, and I simply don’t trust the security of such devices. These devices usually never receive any updates, and it is not uncommon to see security incidents where someone gained access to someone else’s network just through IP cameras and other smart devices connected to a home or business network.

The problem is that creating VLANs alone is not enough. By default, UniFi routes all traffic between VLANs, so even devices connected to a separate IoT VLAN can still reach devices on, for example, the internal VLAN.

The only exception is guest networks. If you mark a VLAN as a guest network, UniFi automatically applies firewall rules in the background that block communication to the other VLANs.

How to block network traffic between VLANs

In total, we will create three firewall rules that block connections initiated from the IoT network to the internal network while still allowing the internal network to reach the IoT network. Firewall rules are evaluated top-down, so the order in which they appear in the list matters: the two generic rules below must sit above the block rule.

Allow Established & Related to all networks

Communication between devices on a network is in principle bidirectional. One device opens a connection to another device, which is one direction. The other device must then send a reply back to the first device, which is the other direction. If no reply comes, the whole communication is useless.

If we simply block all traffic from the IoT network to the internal network, then in practice devices on the internal network would no longer be able to communicate with devices on the IoT network either, because the replies would be dropped. So we first have to allow devices on the IoT network to respond to requests from devices on the internal network. That is what a stateful rule matching established and related connections does: it only accepts packets that belong to a connection the firewall has already seen and allowed, not new connections, so it does not open a path for an IoT device to initiate anything on its own.

Let’s create a new firewall rule under Settings – Security – Firewall Rules and call it Allow Established & Related to all networks. The rule type will be LAN In, the Action will be Accept and the Protocol will be All.

For both Source and Destination, the type will be Port/IP Group, set to Any/Any, so that a host on any network can reply to a request from any other network. This is safe because the rule only matches replies: if the source was allowed to ask, the destination should always be able to answer.

The important part is at the bottom: under Match State, check Established and Related.

Drop Invalid for all networks

The second rule we create is Drop Invalid for all networks. It drops packets whose connection state is Invalid, that is, packets that do not belong to any tracked connection and do not open a new one (for example a stray ACK or RST with no matching connection, or a malformed packet). It complements the previous rule: that one accepts packets belonging to known connections, this one drops the junk that belongs to none. Note that it does not block new connections; those are still allowed until a later rule says otherwise.

Again, we’ll go into the firewall rules and create a new rule called Drop Invalid for all networks. The rule type will again be LAN In and the Protocol will be All, but the Action this time will be Drop. Source and Destination will be Port/IP Group again, set to Any/Any so that the rule applies to all networks.

At the bottom, under Match State, select Invalid.

Block traffic from IoT to Internal

The last rule we will create blocks traffic from the IoT network to the internal network, which, as mentioned above, is allowed by default between VLANs.

How you do this depends on how many VLANs you have and how you want to allow or disallow traffic between them. You can either create a single rule that blocks traffic from the IoT network to the internal network. Or, if you have multiple VLANs and want to block traffic between them in general except for selected pairs, you can create a rule that blocks traffic between all VLANs and place another rule above it (earlier in the list, so it is evaluated first) that allows traffic only between the selected VLANs.

I only want to block traffic from the IoT network to the internal network, so I will create a single rule for that. Since all other traffic is allowed by default, nothing else needs to be explicitly allowed unless I block everything.

We’ll call the new rule Block traffic from IoT to Internal. It will again be a LAN In rule and will apply to all protocols. The Action will be Drop.

The Source type will be Network, and we select the IoT VLAN. Destination will be Network as well, and we select the internal network. Nothing else needs to be set, so we create the rule. Make sure this rule sits below the Allow Established & Related rule in the list; if it comes first, it also drops the replies that IoT devices send to connections opened from the internal network. To verify the result, connect a device to the IoT VLAN and try to reach an internal host (for example the NAS web interface or SSH on a computer): the connection should time out, while the same IoT device remains reachable from the internal network.
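To make the interaction between the three rules concrete, here is an added example that is not from the original article and is not UniFi or iptables code: a small Python model of top-down LAN In rule evaluation with a toy connection tracker, replaying a constructed packet sequence. The subnets 10.0.10.0/24 (Internal) and 10.0.30.0/24 (IoT), the host addresses, and the function names are assumptions for the illustration. It shows a camera's replies to a laptop-initiated stream being accepted as Established, a camera-initiated connection to the NAS being dropped by the block rule, a stray ACK being dropped as Invalid, and what happens when the block rule is placed above the Established & Related rule: the replies are dropped as well.

```python
import ipaddress

# Assumed example VLAN subnets; these values are not from the article.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.10.0/24"),
    "IoT": ipaddress.ip_network("10.0.30.0/24"),
}


def network_of(ip):
    """Return the VLAN name an address belongs to (the 'Network' source type)."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


class ConnTracker:
    """Toy stand-in for the gateway's connection tracking table."""

    def __init__(self):
        self.flows = set()  # confirmed flows as (src, sport, dst, dport)

    def state(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"  # either direction of a known connection
        if pkt["proto"] == "tcp" and not pkt["syn"]:
            return "INVALID"  # belongs to no connection and does not open one
        return "NEW"

    def confirm(self, pkt):
        """Record a flow once its first packet has been accepted."""
        self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))


def rule(name, action, src="any", dst="any", states=None):
    return {"name": name, "action": action, "src": src, "dst": dst, "states": states}


def matches(r, pkt, state):
    if r["src"] != "any" and network_of(pkt["src"]) != r["src"]:
        return False
    if r["dst"] != "any" and network_of(pkt["dst"]) != r["dst"]:
        return False
    return r["states"] is None or state in r["states"]


def evaluate(rules, tracker, pkt):
    """Walk the rules top-down; first match wins; no match means accept."""
    state = tracker.state(pkt)
    verdict = "accept"
    for r in rules:
        if matches(r, pkt, state):
            verdict = r["action"]
            break
    if verdict == "accept" and state == "NEW":
        tracker.confirm(pkt)  # a dropped packet never creates a flow entry
    return verdict, state


# The three rules from the article, in the order they must be evaluated.
RULES = [
    rule("Allow Established & Related to all networks", "accept",
         states={"ESTABLISHED", "RELATED"}),
    rule("Drop Invalid for all networks", "drop", states={"INVALID"}),
    rule("Block traffic from IoT to Internal", "drop", src="IoT", dst="Internal"),
]


def tcp(src, sport, dst, dport, syn):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn}


def run_scenario(rules):
    """Replay a constructed packet sequence through one tracker; return verdicts."""
    tracker = ConnTracker()
    laptop, nas, camera = "10.0.10.20", "10.0.10.5", "10.0.30.50"  # assumed hosts
    packets = [
        ("laptop->camera SYN", tcp(laptop, 40000, camera, 554, syn=True)),
        ("camera->laptop SYN/ACK", tcp(camera, 554, laptop, 40000, syn=True)),
        ("camera->laptop data", tcp(camera, 554, laptop, 40000, syn=False)),
        ("camera->nas SYN", tcp(camera, 50000, nas, 445, syn=True)),
        ("camera->nas stray ACK", tcp(camera, 50001, nas, 445, syn=False)),
    ]
    return {label: evaluate(rules, tracker, p)[0] for label, p in packets}


if __name__ == "__main__":
    for title, rules in [("correct order", RULES),
                         ("block rule placed first", [RULES[2], RULES[0], RULES[1]]),
                         ("no rules at all", [])]:
        print(title)
        for label, verdict in run_scenario(rules).items():
            print(f"  {label:24} {verdict}")
```

Run it and compare the "block rule placed first" output with the correct order: the only change is the position of the block rule, and the camera's replies to the laptop stop getting through. The "no rules at all" case shows the default the article warns about, where everything between VLANs is accepted. A real gateway's connection tracking is far richer (UDP, ICMP, RELATED for helper protocols, timeouts), but the ordering dependency is the same.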

Block traffic between all VLANs on UniFi

As I mentioned earlier, if you have many networks or want to make sure that traffic between VLANs is blocked by default in the future, it is better to create a rule that blocks traffic between all networks and then place a second rule above it that allows traffic between the selected VLANs that should be able to communicate with each other. Keep the Allow Established & Related and Drop Invalid rules above both of them. One caveat: a LAN In rule with Destination set to Any also matches traffic bound for the Internet, so scope the destination of the block rule to your local networks (for example a group containing your VLAN subnets) rather than literally Any, or your clients lose Internet access along with inter-VLAN access.

However, since this example is for a simple home or small business network where more VLANs are not planned, the configuration above is sufficient. In larger business networks, or wherever growth can be expected, it is definitely better to block everything and then allow only selected traffic when needed.