Setting up a secure IoT network using UniFi

This tutorial goes over how to set up a secure internet of things (IoT) network in UniFi with Google Cast and Airplay across VLANs.

Objectives

• IoT network segregated from main LAN
• Allow routing between IoT network and main LAN for AirPlay and Google Cast, but no other traffic should be routed
• Create a VLAN in the UniFi SDN which allows us to assign access ports to the IoT network for wired devices

1. Setup IoT LAN

First, we have to setup our network for the IoT devices. To do this, navigate to Settings > Networks > Create New Network in UniFi.

The network should be marked as Corportate and have a unique (unused) VLAN assigned to it. Follow your standard IP addressing scheme and assign a subnet. For home deployments, a /24 should have more than enough IP addresses for your devices.

2. Make the IoT WiFi Network

The majority of your Internet of Things devices will probably be connected using WiFi, so we have create a wireless network next. Navigate to Settings > Wireless Networks > Create Wireless Network in UniFi.

Despite us hiding the SSID later, I would strongly recommend adding a password to the network since it is possible to sniff hidden network names using a program such as Wireshark.

Next, expand the Advanced Options and tag this network with the same VLAN that we created earlier. In this case, it will be VLAN 6. You should also check the box near “Prevent this SSID from being broadcast” since this network doesn’t need to be publicly visible.

3. Secure the IoT Network – Routing & Firewall Rules

By now, you will have both an IoT VLAN and an IoT WiFi network. However, these are in no way segregated from your main LAN, and aren’t secure. Now, we will secure our IoT network.

3a. Allow Established/Related connections

The first rule we are adding is to allow established and related connections. If you aren’t sure what those are, you might want to check out this Wikipedia page.

To add this rule, go to Settings > Routing & Firewall > Firewall > Rules IPv4 > LAN In > Create New Rule in UniFi. Call it “Allow Established/related sessions” and make sure that it is run before the predefined rules. Make sure to select the Action as “Accept”. On the same page, under Advanced > States, check “Established” and “Related”. For “Source”, you want to select the “Network” option and select your Internet of Things VLAN in the dropdown. For “Destination”, again, select “Network”, and select your main LAN in the dropdown.

3b. Drop IoT to Main LAN

If you were to login to the IoT WiFi network right now and ping a device on your main LAN right now, it would respond. Now, we have to instruct the USG to disallow routing all traffic that does not match the rule we have just defined in the previous step.

Staying in the LAN In section, create another new rule. Name it “Drop IoT to Main”, and have it run After Predefined Rules. Ensure the action matches “Drop”, and select the Source to be from network “Internet of Things”, and the destination to be from network “LAN”.

4. Enable mDNS Reflector for Google Cast and AirPlay

Casting protocols like Google Cast and AirPlay use an IP routing concept called multicast to discover devices on the network and advertise themselves as players. Right now, our network would work as a walled-off network, but we would not be able to use Google Cast without switching our own device to the IoT network, which is not ideal and defeats the purpose.

Go to Settings > Services > mDNS and enable it, and Apply your settings changes.

Conclusion

You should now have a functioning and secure IoT network. If you connect to the IoT network, you shouldn’t be able to ping a device on the main LAN or reach it on the local area network. However, if you have something like a Google Home and you are on the main LAN, you should be able to cast to it despite it being on the secured IoT network. If you have any questions or need help, feel free to leave a comment.