fictionbecomesfact / fictionbecomesfact_comments


Comments: Unifi Network - Setup VLANs including IoT and access to Pi-hole #34

Open fictionbecomesfact opened 2 years ago

fictionbecomesfact commented 2 years ago

Comments for Unifi Network - Setup VLANs including IoT and access to Pi-hole

JDIacobbo commented 1 year ago

Any chance there is an update for version 7+? I was hoping to follow this guide but found some new settings and some missing that are listed in the guide. An update would be hugely appreciated.

fictionbecomesfact commented 1 year ago

@JDIacobbo Coincidentally, I will soon be replacing my USG with a UDM Pro. I will probably rebuild my network from scratch. Then I will also switch from 6.x to 7.x. I will share those notes here again and update existing notes. I just need to find time for it... 😀

JDIacobbo commented 1 year ago

@JDIacobbo Coincidentally, I will soon be replacing my USG with a UDM Pro. I will probably rebuild my network from scratch. Then I will also switch from 6.x to 7.x. I will share those notes here again and update existing notes. I just need to find time for it... 😀

This would be perfect because I am also running a UDM Pro. I got it set up using your guide and I think everything is working properly but I'd love an update to include all the different setting, especially with the new UI.

nicegraham commented 1 year ago

I had followed a different guide and had trouble accessing devices on IOT from my main network. Your screenshot made me realise the Drop rule should be after the Allow rules... which is obvious now but maybe worth highlighting :)

fictionbecomesfact commented 9 months ago

Ubiquiti is rapidly adjusting the UI and settings within the Network app. I have now updated some notes to match Unifi Network version 8.0.7.

N0Klu3 commented 8 months ago

Do you use: Domain Name: home.arpa on all VLANs including the 'default' network?

fictionbecomesfact commented 8 months ago

I have entered home.arpa as the Domain Name for all networks, both default and vlans. And I've also added the domain name to the Pi-hole as a Local domain name (if you use that as well). All networks have access to the Pi-Hole via a firewall rule.

msbc42 commented 8 months ago

Noticed you changed the article title from 'Home Assistant' to 'Pi-Hole' - interested why and what changes were needed?

With HA in the SERVER-VLAN and smart devices in IOT-VLAN what rules would be needed?

fictionbecomesfact commented 8 months ago

With the help of the IP group IOTtoServers I control access to the HA server, see firewall rule "allow some IoT to servers". The SERVER-VLAN will also need to have access to the IOT-VLAN. You may also need to enable Multicast DNS (mDNS) for the SERVER-VLAN (and IOT-VLAN), please see this note. I use the Homey smart home platform to control most smart devices. The Homey device is also part of the IOT-VLAN, which makes it a bit easier :)

msbc42 commented 8 months ago

If I put my HA device in IOT-VLAN then would that make config simpler? I'm in the planning stage and have not created the separate VLANs yet.

fictionbecomesfact commented 8 months ago

I think this choice also depends on the trust you have in certain devices. I see the Homey as an IoT device and I feel it is sufficiently secure. But the choice could also have been to secure the device better (so in a different more trusted vlan and then you indeed have to configure a bit more) because it controls your house and could know when you are home, for example.

Skiaddict commented 6 months ago

Something of a borderline advanced novice here not afraid to dig in but trying to understand what to do under this section “Rule allow some iot to servers” - “ Ipv4 Address Group: create a new IP Group and add the IP address of some IoT device(s)” What IP addresses am I adding here? I can’t imagine having to add each individual address for every single IoT device on my network (like every switch and dimmer etc).

fictionbecomesfact commented 6 months ago

Fortunately, this IP group is only intended for the exceptions. In my case, for example, it contains the IP address of an Nvidia Shield that should be able to access files that are on a server in the server VLAN. Another example is a P1 reader that writes power consumption to a database on the server VLAN. My switches and lights are controlled within the IoT VLAN.
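An added simulation (not code from the guide or from Ubiquiti) of the first-match rule evaluation behind two points in this thread: nicegraham's observation that the Drop rule must sit after the Allow rules, and the IOTtoServers IP group that only lists the exceptions. The subnets, the Pi-hole address and the two exception hosts are constructed placeholders, and the "allow when nothing matches" default for inter-VLAN traffic is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPN = ipaddress.ip_network
# Constructed subnets and hosts (assumptions; the thread names no addresses).
IOT_VLAN = [IPN("192.168.30.0/24")]
SERVER_VLAN = [IPN("192.168.20.0/24")]
PIHOLE = [IPN("192.168.20.53/32")]
RFC1918 = [IPN("10.0.0.0/8"), IPN("172.16.0.0/12"), IPN("192.168.0.0/16")]
# The "IOTtoServers" IP group holds only the exceptions, not every IoT device.
IOT_TO_SERVERS = [IPN("192.168.30.10/32"), IPN("192.168.30.11/32")]

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "drop"
    src: list                      # IP group: list of ip_network objects
    dst: list
    dport: Optional[int] = None    # None matches any destination port

def _in(addr, group):
    return any(addr in net for net in group)

def evaluate(rules, src, dst, dport):
    """First matching rule wins, as in an ordered LAN In rule list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst) and r.dport in (None, dport):
            return r.action, r.name
    # Assumed default: inter-VLAN traffic passes unless a rule drops it.
    return "allow", "no rule matched"

def shadowed_allows(rules):
    """Allow rules that sit below a drop rule already covering their traffic."""
    def covered(nets, by):
        return all(any(n.subnet_of(m) for m in by) for n in nets)
    return [(r.name, d.name) for i, r in enumerate(rules) if r.action == "allow"
            for d in rules[:i] if d.action == "drop"
            and covered(r.src, d.src) and covered(r.dst, d.dst)
            and d.dport in (None, r.dport)]

ALLOW_DNS = Rule("allow IoT to Pi-hole DNS", "allow", IOT_VLAN, PIHOLE, 53)
ALLOW_SOME = Rule("allow some IoT to servers", "allow", IOT_TO_SERVERS, SERVER_VLAN)
DROP_IOT = Rule("drop IoT to all private networks", "drop", IOT_VLAN, RFC1918)
GOOD_ORDER = [ALLOW_DNS, ALLOW_SOME, DROP_IOT]  # allow rules first, drop last
BAD_ORDER = [DROP_IOT, ALLOW_DNS, ALLOW_SOME]   # drop first: the allows never match
```

Running shadowed_allows over a rule list before applying it catches the ordering mistake that otherwise only shows up as IoT devices silently losing DNS and server access.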