Setting up a secure IoT network using UniFi
This tutorial goes over how to set up a secure internet of things (IoT) network in UniFi with Google Cast and Airplay across VLANs.
- IoT network segregated from main LAN
- Allow routing between IoT network and main LAN for AirPlay and Google Cast, but no other traffic should be routed
- Create a VLAN in the UniFi SDN which allows us to assign access ports to the IoT network for wired devices
1. Setup IoT LAN
First, we have to setup our network for the IoT devices. To do this, navigate to Settings > Networks > Create New Network in UniFi.
The network should be marked as Corporate and have a unique (unused) VLAN assigned to it. Follow your standard IP addressing scheme and assign a subnet. For home deployments, a /24 should have more than enough IP addresses for your devices.
2. Make the IoT WiFi Network
The majority of your Internet of Things devices will probably be connected using WiFi, so we have to create a wireless network next. Navigate to Settings > Wireless Networks > Create Wireless Network in UniFi.
Even though we will hide the SSID later, I would strongly recommend adding a password to the network, since hiding the name is not a security control: hidden network names can be sniffed with a program such as Wireshark.
Next, expand the Advanced Options and tag this network with the same VLAN that we created earlier. In this case, it will be VLAN 6. You should also check the box near “Prevent this SSID from being broadcast” since this network doesn’t need to be publicly visible.
3. Secure the IoT Network – Routing & Firewall Rules
By now, you will have both an IoT VLAN and an IoT WiFi network. However, these are in no way segregated from your main LAN, and aren’t secure. Now, we will secure our IoT network.
3a. Allow Established/Related connections
The first rule we are adding is to allow established and related connections. If you aren’t sure what those are, you might want to check out this Wikipedia page.
To add this rule, go to Settings > Routing & Firewall > Firewall > Rules IPv4 > LAN In > Create New Rule in UniFi. Call it “Allow Established/related sessions” and make sure that it is run before the predefined rules. Make sure to select the Action as “Accept”. On the same page, under Advanced > States, check “Established” and “Related”. For “Source”, you want to select the “Network” option and select your Internet of Things VLAN in the dropdown. For “Destination”, again, select “Network”, and select your main LAN in the dropdown.
3b. Drop IoT to Main LAN
If you were to log in to the IoT WiFi network right now and ping a device on your main LAN, it would still respond. Next, we have to instruct the USG to drop all traffic from the IoT network to the main LAN that does not match the rule we defined in the previous step.
Staying in the LAN In section, create another new rule. Name it “Drop IoT to Main”, and have it run After Predefined Rules. Ensure the action matches “Drop”, and select the Source to be from network “Internet of Things”, and the destination to be from network “LAN”.
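The two rules above only work together because the USG is a stateful firewall: the accept rule matches only packets that belong to a connection that was opened from the main LAN side, and the drop rule catches everything else. The following Python model is an added illustration, not UniFi or EdgeOS code; it assumes the IoT VLAN is 192.168.6.0/24, the main LAN is 192.168.1.0/24, and that a main-LAN phone opens a Cast session to TCP port 8009 (the port is a well-known Google Cast port, not something taken from this post). It evaluates the rules in the order the tutorial configures them over three sample flows.

```python
"""Model of the two UniFi LAN-In rules from steps 3a and 3b.

Added illustration, not UniFi's own code. Subnets and addresses are
assumptions: IoT VLAN 6 = 192.168.6.0/24, main LAN = 192.168.1.0/24.
"""
import ipaddress
from dataclasses import dataclass

IOT_NET = ipaddress.ip_network("192.168.6.0/24")   # assumed IoT VLAN 6 subnet
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed main LAN subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    states: frozenset = frozenset({"new", "established", "related"})

    def matches(self, pkt, state):
        return (ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and state in self.states)


class StatefulFirewall:
    """Evaluates LAN-In rules in order against a simple connection table.

    Only "new" and "established" are modelled; "related" (e.g. ICMP errors
    tied to an existing flow) is accepted by the rule but never generated here.
    """

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # 5-tuples of connections that were accepted

    def _state(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return "established" if (fwd in self.conntrack or rev in self.conntrack) else "new"

    def process(self, pkt):
        state = self._state(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        else:
            verdict = "accept"  # nothing matched: default LAN-In behaviour is to allow
        if verdict == "accept" and state == "new":
            self.conntrack.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


def build_ruleset():
    # Same order as in the tutorial: 3a runs before predefined rules, 3b after.
    return StatefulFirewall([
        Rule("Allow Established/related sessions", "accept", IOT_NET, MAIN_LAN,
             frozenset({"established", "related"})),
        Rule("Drop IoT to Main", "drop", IOT_NET, MAIN_LAN),
    ])


def run_scenarios():
    fw = build_ruleset()
    results = {}
    # 1. IoT device probes a main-LAN host: new IoT->LAN connection, dropped by 3b.
    results["iot_to_lan_new"] = fw.process(Packet("192.168.6.20", "192.168.1.10", "tcp", 40000, 22))
    # 2. Main-LAN phone opens a Cast session to the IoT device (assumed port 8009):
    #    neither rule matches LAN->IoT traffic, so it is allowed and tracked.
    results["lan_to_iot_new"] = fw.process(Packet("192.168.1.10", "192.168.6.20", "tcp", 50000, 8009))
    # 3. The IoT device's reply belongs to that established session: accepted by 3a.
    results["iot_reply"] = fw.process(Packet("192.168.6.20", "192.168.1.10", "tcp", 8009, 50000))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The point to take away: if the drop rule were placed before the accept rule, scenario 3 would be dropped as well and casting would appear to work (the device shows up) but every session would stall. Rule order in the LAN In list matters.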
4. Enable mDNS Reflector for Google Cast and AirPlay
Casting protocols like Google Cast and AirPlay use multicast DNS (mDNS), a link-local multicast protocol, to discover devices on the network and advertise themselves as players. Multicast of that kind is not routed between VLANs, so right now our network would work as a walled-off network, but we would not be able to use Google Cast without switching our own device to the IoT network, which is not ideal and defeats the purpose.
Go to Settings > Services > mDNS and enable it, and Apply your settings changes.
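To see what the reflector is actually repeating, here is an added example (not code from the post or from UniFi) that builds and parses a minimal mDNS PTR query for the two service names these protocols use, and checks whether a destination address falls in the link-local multicast range that routers never forward. The service names and the 224.0.0.251:5353 group/port are the real mDNS values; the packet itself is constructed in the example.

```python
"""Minimal mDNS PTR query builder/parser (added example, not from the post).

Discovery queries are sent to 224.0.0.251 on UDP 5353. That group lies in
224.0.0.0/24, the link-local multicast block, which a router never forwards,
so the UniFi mDNS reflector has to re-emit them on the other VLAN.
"""
import ipaddress
import struct

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
MDNS_PORT = 5353
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # never routed
TYPE_PTR = 12
CLASS_IN = 1

# Service names Google Cast and AirPlay devices advertise via mDNS.
CAST_SERVICES = ["_googlecast._tcp.local", "_airplay._tcp.local"]


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_ptr_query(services):
    """One mDNS query with a PTR question per service name (no answers)."""
    header = struct.pack("!HHHHHH", 0, 0, len(services), 0, 0, 0)  # id, flags, qd, an, ns, ar
    body = b"".join(encode_name(s) + struct.pack("!HH", TYPE_PTR, CLASS_IN) for s in services)
    return header + body


def decode_name(buf, offset):
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointer; not produced by build_ptr_query
            raise ValueError("name compression not supported in this example")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def parse_queries(buf):
    """Return (name, qtype, qclass) for every question in an mDNS packet."""
    _, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", buf[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(buf, offset)
        qtype, qclass = struct.unpack("!HH", buf[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass & 0x7FFF))  # mask the unicast-response bit
    return questions


def needs_reflector(dst_ip):
    """True when a packet to dst_ip can only reach another VLAN via a reflector."""
    return ipaddress.ip_address(dst_ip) in LINK_LOCAL_MCAST


if __name__ == "__main__":
    pkt = build_ptr_query(CAST_SERVICES)
    print(f"{len(pkt)}-byte query to {MDNS_GROUP}:{MDNS_PORT}, reflector needed: {needs_reflector(MDNS_GROUP)}")
    for name, qtype, qclass in parse_queries(pkt):
        print(name, qtype, qclass)
```

The reflector only copies these discovery packets; the session that follows (the phone connecting to the device's unicast address) still crosses the VLAN boundary as ordinary routed traffic and is what the firewall rules in step 3 govern.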
You should now have a functioning and secure IoT network. If you connect to the IoT network, you shouldn’t be able to ping a device on the main LAN or reach it on the local area network. However, if you have something like a Google Home and you are on the main LAN, you should be able to cast to it despite it being on the secured IoT network. If you have any questions or need help, feel free to leave a comment.
This was very helpful. Thanks!!
AirPlay works for me if I'm on the same network, but it won't allow me to cast AirPlay from my iPad if it's on a different network than my LG TV.
Does the iPad show the TV on the other network as an available option or does it not show at all? If it shows it’s a problem with your firewalling and if it doesn’t show your mDNS reflector is probably off.
Thank you so much, this helped me tremendously….
Happy to hear that I helped you!
Thanks for this guide! Question: I have a WebOS 4.7 LG TV connected to my IoT LAN (according to your instructions) via a USW-Flex-Mini by setting the corresponding ethernet port profile to the IoT LAN. I can see the device advertised on both AirPlay and Google Cast, but AirPlay screen mirroring and Google casting with the YouTube app (iOS device on main WiFi) don't work. Interestingly, using the YouTube app to cast videos via AirPlay does work. Any idea what I'm missing?
Cory, I had luck getting screen mirroring by opening up the TCP/UDP port range 49152-65535 between my AirPlay-enabled TV and Apple Devices.
Nowhere near enough details, given that the images cannot be clicked to show the full screen.
I presume I should put all streaming boxes here, including Apple TV devices, HomePods and HomePod minis, as well as all Wi-Fi devices (plugs, bulbs, cameras, door openers, thermostats for furnace, humidifiers, blinds, sensors etc.)
I'm curious how you would approach a device like an audio receiver that has an app to control it and can use Spotify or similar on your phone. I have the receiver on the IoT network but of course can only control it if I put my phone on that network. Should multicast solve that issue?