Setting up a secure IoT network using UniFi

In this article, I will show you how to set up a secure IoT network using the UniFi SDN.

You can watch a video tutorial of this on YouTube here.

Objectives

  • IoT network segregated from main LAN
  • Allow routing between IoT network and main LAN for AirPlay and Google Cast, but no other traffic should be routed
  • Create a VLAN in the UniFi SDN which allows us to assign access ports to the IoT network for wired devices


1. Setup IoT LAN

First, we have to setup our network for the IoT devices. To do this, navigate to Settings > Networks > Create New Network in UniFi.

The network should be marked as Corportate and have a unique (unused) VLAN assigned to it. Follow your standard IP addressing scheme and assign a subnet. For home deployments, a /24 should have more than enough IP addresses for your devices.

IoT VLAN in UniFi
Creation of the Internet of Things VLAN in UniFi


2. Make the IoT WiFi Network

The majority of your Internet of Things devices will probably be connected using WiFi, so we have create a wireless network next. Navigate to Settings > Wireless Networks > Create Wireless Network in UniFi.

IoT WiFi Network in UniFi
Creation of the Internet of Things WLAN in UniFi

You can change the SSID to something that isn’t already in use in your neighborhood to reduce WLAN collision, and apply a WPA2 password. Despite us hiding the SSID later, I would strongly recommend adding a password to the network since it is possible to sniff hidden network names using a program such as Wireshark.

Next, expand the Advanced Options and tag this network with the same VLAN that we created earlier. In this case, it will be VLAN 6. You should also check the box near “Prevent this SSID from being broadcast” since this network doesn’t need to be publicly visible.


3. Secure the IoT Network – Routing & Firewall Rules

By now, you will have both an IoT VLAN and an IoT WiFi network. However, these are in no way segregated from your main LAN, and aren’t secure. Now, we will secure our IoT network.

3a. Allow Established/Related connections

The first rule we are adding is to allow established and related connections. If you aren’t sure what those are, you might want to check out this Wikipedia page.

Firewall Rules

To add this rule, go to Settings > Routing & Firewall > Firewall > Rules IPv4 > LAN In > Create New Rule in UniFi. Call it “Allow Established/related sessions” and make sure that it is run before the predefined rules. Make sure to select the Action as “Accept”. On the same page, under Advanced > States, check “Established” and “Related”. For “Source”, you want to select the “Network” option and select your Internet of Things VLAN in the dropdown. For “Destination”, again, select “Network”, and select your main LAN in the dropdown.

3b. Drop IoT to Main LAN

If you were to login to the IoT WiFi network right now and ping a device on your main LAN right now, it would respond. Now, we have to instruct the USG to disallow routing all traffic that does not match the rule we have just defined in the previous step.

Staying in the LAN In section, create another new rule. Name it “Drop IoT to Main”, and have it run After Predefined Rules. Ensure the action matches “Drop”, and select the Source to be from network “Internet of Things”, and the destination to be from network “LAN”.

4. Enable mDNS Reflector for Google Cast and AirPlay

Casting protocols like Google Cast and AirPlay use a protocol called multicast to discover devices on the network and advertise themselves as players. Right now, our network would work as a walled-off network, but we would not be able to use Google Cast without switching our own device to the IoT network, which is not ideal and defeats the purpose.

mDNS in UniFi

Ubiquiti has definitely thought this part through, and it’s a simple one-click setting adjustment to make this work. Go to Settings > Services > mDNS and enable it, and Apply your settings changes.

Conclusion

You should now have a functioning and secure IoT network. If you connect to the IoT network, you shouldn’t be able to ping a device on the main LAN or reach it on the local area network. However, if you have something like a Google Home and you are on the main LAN, you should be able to cast to it despite it being on the secured IoT network. If you have any questions or need help, feel free to leave a comment.

One Reply to “Setting up a secure IoT network using UniFi”

  1. Ubiquiti love says:

    This was very helpful. Thanks!!

Leave a Reply