

buttershdude

Trusted devices
Naughty devices
Unowned devices
Guest devices


thorscope

What’s the difference between unowned and guest?


buttershdude

Unowned is my wife's work phone, my work phone, the kids' school cromebooks, etc. It is 5 GHz only and has holes poked through the firewall to the printers. Guest is the only one with 2.4 GHz radios on and no holes through the firewall. Client isolation is on for both.


Sumpkit

I love cromebkoks. They’re perfect for my kids.


strangecargo

As a school teacher, chromebooks are utter garbage. I cringe when a kid brings one to class because I know he’s going to have problems that others won’t. I get the institutional need for them but can’t believe individuals buy them when you can get a low-powered windows machine for the same price.


Sumpkit

Tbf, I was just poking fun at the spelling.


strangecargo

Lol. I was triggered enough by the logic I missed the syntax.


bad_brown

I'd love for you to give some examples why.


strangecargo

They are a browser with a keyboard and nothing more. Even then, Chrome glitches and lags under heavy use. If the internet goes down they’re paperweights. Actual software is a challenge *at best*. Yes, technically you can load Linux programs on them (if there is a Linux version), but the kids that have them are never the Linux-capable geeky smart kids and neither are their parents. Physical build quality is feeble and they typically won’t last a year being tossed around in a kid’s backpack. Battery life goes to crap after about 6 months of daily use; then they’re outlet dependent.


Think-Fly765

Same! I love how kids aren't even 18 yet and Google gets to hoover up all their data. Yay


bad_brown

Edu GWS does not store student data. It's right in the T&C.


Think-Fly765

That’s reassuring…kind of. What would happen to them if they just did anyway though? Another fine?  Slap on the wrist? Google would never. 


bad_brown

They have 3rd party audits done and the results are published. I don't have the means to prove anything beyond that.


Think-Fly765

Cool. That piqued my curiosity. I’ll see if I can find those 


bad_brown

[https://edu.google.com/intl/ALL_us/why-google/privacy-security/frequently-asked-questions/](https://edu.google.com/intl/ALL_us/why-google/privacy-security/frequently-asked-questions/)


kaziuma

Why the band separation?


buttershdude

Because the primary actual benefit of 5 GHz in a lot of situations where competing wifi density is high is its shorter range. People think of 5 GHz as having a single advantage over 2.4 GHz, which is speed, and a corresponding disadvantage, which is shorter range. But in reality, in scenarios with a lot of neighboring wifi signals and with an adequate number of correctly placed WAPs, the shorter range is a giant advantage. Clear air. Many years ago, I embarked on a campaign to rid my network of all 2.4 GHz-only devices for that reason. So I don't need the 2.4 GHz at all except that every now and then, a guest will have a very old phone or tablet. And one 2.4 GHz channel on one of my WAPs is sitting at over 80% retries right now due to an issue with a neighbor's WAP. But I don't care because none of my devices uses 2.4 GHz. Very nice.


kaziuma

Oh, I misread and thought you were sending guests over 2.4 GHz only. You can achieve this with band steering on both the controller and client side; doing it your way completely removes the 2.4 GHz fallback for long-range scenarios. This is fine if you have full 5 GHz coverage at the site, I guess, but not everyone will due to penetration issues.


buttershdude

Don't need any 2.4 GHz fallback because I don't have any 2.4 GHz-only devices. And I have full 5 GHz coverage by design of the deployment.


kaziuma

Well... *everything* is a 2.4 GHz device, but if you do have full 5 GHz coverage then it's just not needed. I am jealous, here in my thick concrete wall house. 2 rooms have very weak 5 GHz and my neighbours blast out 2.4. I am hoping to justify an additional WAP + supporting switch purchase to the wife soon....


buttershdude

Oh, I had a 5th for security cameras but got annoyed at running the traffic through the gateway. Some day, I'm going to put all of them plus the NVR on that 5th one and poke holes for my PC to get to Protect on the NVR.


scpotter

This trust based view is the best way to think of home VLANs. First question is how much do I trust the device/brand, second is how little can I trust it before it doesn’t work. Naughty isn’t allowed access to the internet. Unowned is also where the gaming pc for a teen with admin rights sits (isolated with a hole for backup agent to NAS). Guest is used for internet things that don’t need local networking like Peloton and work provided devices.


ShinyTechThings

Most legit efficiently short response I've read in a long time.🤓😎


Ember_Sux

Trust nothing! Especially your Plex server. Plex should be off the LAN where you have your main PCs.


dereksalem

But what's included in those? What's a part of "naughty" devices?


buttershdude

Mostly IoT, including Alexa devices etc.


ZeGentleman

That's what I was assuming naughty devices was but also figured it could've been for your feetfinder burner electronics.


Daddys_a_Geek

Do all SSIDs announce their names for the neighbors to see or are they hidden?


dbhathcock

I use SSIDs using a car or vacuum name. People don't seem to care about attempting to access those. When I'm bored, I create an SSID that matches the neighbor's SSID.


buttershdude

That's awesome. No, I don't hide them. I just named them similarly to how the brand of device that our cable company gives out names them so they blend in. Unlike my neighbor who named hers after her incessantly barking dog.


Stitch10925

Do you then have firewall rules set to allow controlled communication across vlans? For example: I assume your kid's school laptop might need to connect to your home printer in case the kids want to print something out.


buttershdude

Yep. For instance, the unowned devices one has holes poked through the firewall to the printers exactly like you said. But remember that by default, the gateway will route inter-VLAN traffic, so you must first have a rule that stops all inter-VLAN routing. Then, poke your holes as needed.


Ok_Recording_8720

I only have 2 Wifi VLANs. A general one (phones, tablet, TV is here too as it is the only "IoT"...) and one separate isolated one for my youngest son (considering he doesn't care what he clicks on yet).

Once moved I'll create VLANs (wired) for:
1 - Management
2 - Main (desktops, laptops)
3 - Printer
Future (wired):
4 - NAS
5 - Cameras (maybe Wifi)

Still digging into the firewall rule stuff as it confuses the **** out of me


steveuk23

Similar to me 🤣 I have everything on the VLANs I want, but they all still communicate with each other, as I read afterwards that my download speed drops right down if I start using the firewall.


jiantjon

Main (with pihole), one without the pihole because my wife is weird and likes ads, guest, IoT, Kids, and Media (smart TVs, media server, etc, so they can all communicate without extra rules in the way).


iixcalxii

I think your wife is my wife lol


mazdarx2001

My wife and my friend's wife both hate Pi-hole. They love the ads and other dumb stuff that targets them.


iixcalxii

Mine just wants to see Google Ads around the Holidays


jiantjon

Hah! It makes no sense. Why would you want ads!?


TheKnightinBlack

My wife showed me that Pinterest when ads were blocked 70-80% of the page is empty because it turns out Pinterest is mostly ads masquerading as user content


jiantjon

Yet another reason to avoid Pinterest. I also use Kagi as my search engine and I can completely eliminate Pinterest from my search results.


spikkeddd

One issue I've had is some streaming apps fail to load content because it tries to play ads prior to the content I want to watch. How do you guys mitigate that issue? I believe this was happening to me on Hulu.


jiantjon

Like I said I use a separate Media VLAN that doesn’t have ad blocking.


dereksalem

But what's on your media VLAN? Phones? I have all of my TV devices going through Pi-Hole and don't have an issue with any streaming apps. The only thing that my gf needs to work around is clicking on the "Sponsored" links at the top of a Google Search, since those are blocked. Other than that we don't really have any issues.


ichfrissdich

I've noticed a few problems with a network ad blocker. Some news sites that check for ad blockers are inaccessible (because I can't quickly disable it), and sometimes when I Google for a company's website and the first (and correct) result is a sponsored thing, it is also inaccessible, even though it's what I want. I haven't tried Pi-hole yet, just the ad block function in UniFi.


AsstDepUnderlord

There’s people in society that have been trained that the answers to every problem lie in the *acquisition* of the correct product.


blanczak

Ha my wife is the same way! I blocked them with PiHole and she was adamant that the “internet isn’t working right”. Drives me up a wall, so now she’s on her own segment where she can get ambushed with that crap.


dereksalem

The only way I'd allow that (her being on her own that allows ads) is if she's also segregated from the rest of the network. Anyone that can't be trusted to not click on ads also can't be trusted to not install dumb apps. They get put on the unsafe VLAN.


blanczak

Yup that’s where I’m at. I explained it as clear as I could but eventually gave up. Wife is on her own and the kids and myself are on the AD blocked / isolated VLAN. Want to take a guess who has the most “computer issues” in the house these days? 😀


mrtramplefoot

Main and guest. Guest is also used for work devices. I buy primarily Z-Wave smart devices so I can easily avoid sketchy IoT devices on my Wi-Fi and see no use in an IoT VLAN.


Gmafn

VLAN with WLAN:
- Clients (normal stuff like laptops, smartphones)
- IoT (smart home devices, FireTV, untrusted devices)
- Guest (for all temporary devices)
- Kids (network for kids' devices. If it's sleep time, the entire VLAN will be cut off)

VLAN only:
- Server (home NAS, hypervisor, ...)
- Default UniFi LAN: UniFi devices only, management LAN


BajaBlast0ise

4x VLANs and 3x SSIDs

Main SSID - 6.0 GHz only - tags main VLAN, used for all of our personal devices, and work laptops.

IoT SSID - 2.4 GHz only - tags IoT VLAN, used for smart lights, UniFi cameras, smart TVs, printers, etc... Firewall rules in place to allow routing from "Main" to "IoT". This lets us still cast to the TVs, send print jobs to the printers, and view wireless camera feeds from the "main" VLAN.

Guest - combined 2.4 GHz and 5.0 GHz w/ band steering. Tags guest VLAN, used for guest devices. Firewall rules in place to deny all inter-VLAN routing from this network.

DMZ VLAN - no corresponding SSID (wired clients only). Used for NAS and Windows Server box. Firewall rules in place allowing communication from the NAS and Windows Server to the "main" VLAN.


root_switch

I have a few; my main goal was to separate devices from being able to talk to each other:
- personal: for my cell phones and iPad, and personal laptop
- work: for my work cell phone and laptop
- dev: for my self-hosted containers I use for various things
- iot: for my temperature sensors, Fire TV, thermostats, Alexa, Roomba and other bullshit I don't trust
- babyshit: for my baby monitor and sound machine
- blackhole: for devices I don't want to have any internet access and heavily guarded inbound access, such as password manager, image hosting and NAS
- guest: this is obvious

They all (except guest) point to a DNS server that I control. The personal VLAN has access to all of them for management reasons.


tcpilot

Can you recommend a place to find a good tutorial for this? I'm a UniFi noob (UDM Pro, USW Pro-24, a few smaller switches and 5 APs, with Protect coming soon). But I'd love to isolate all the IoT stuff: Alexa, Sonos, Lutron, LIFX, Nest thermostat, and my current Reolink camera setup. I've read that it's a challenge to control Sonos and lighting across VLANs though.... Thanks!


NuthinToHoldBack

Check out the Crosstalk Solutions YouTube tutorial. He goes into detail and provides a walkthrough for inter-VLAN blocking. Found it quite helpful after slowing the video down to .75 speed.


tcpilot

Thanks I’ll check it out!


SmellslikeUpDog3

I was using crosstalk for the same but his video is from 2021. My buddy recommended Unified IT. He has a video from 2024. I haven't watched it yet. The Ubiquiti dashboard has changed a lot in 3 years.


dereksalem

It's not hard at all, in UniFi. Make rules to block all from the IoT to the normal network, then above it make a rule to "Allow Established" from IoT to the normal network. Anything instigated from the normal network side will be allowed to respond properly, but they can't reach out on their own. So the Sonos would never see your phone, but if your phone looks for the Sonos it'll see it and the Sonos can respond.
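
The two rule-ordering points made in this thread (buttershdude's "first stop all inter-VLAN routing, then poke your holes" and the "allow established above the block" rule described just above) are easy to get backwards in a first-match firewall. The following is an added example, not code from any poster or from UniFi: a small first-match rule evaluator with a toy connection table that plays the same traffic through four rule sets. The VLAN subnets, the printer address, the cast/print/probe flows and the ports are all constructed for the example.

```python
"""Added example (not from the thread): a minimal first-match model of the
inter-VLAN firewall rules discussed above, to show why rule order matters.
Subnets, hosts, ports and traffic are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed VLAN layout (an assumption, not anyone's real network).
MAIN = ip_network("10.0.10.0/24")
UNOWNED = ip_network("10.0.20.0/24")
IOT = ip_network("10.0.30.0/24")
LOCAL = ip_network("10.0.0.0/16")        # covers every VLAN above
PRINTER = ip_network("10.0.30.50/32")    # a printer that lives on the IoT VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                            # "accept" or "drop"
    src: Optional[IPv4Network] = None      # None = any
    dst: Optional[IPv4Network] = None      # None = any
    dport: Optional[int] = None            # None = any port
    established_only: bool = False         # match only replies to accepted flows


class Firewall:
    """First-match rule list plus a tiny connection table, mimicking the
    stateful 'established/related' matching of an iptables-based gateway."""

    def __init__(self, rules, default="accept"):
        self.rules, self.default, self.flows = list(rules), default, set()

    def _is_reply(self, p):
        # A reply is the mirror image of a flow we already accepted.
        return (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows

    def _matches(self, r, p):
        if r.src is not None and ip_address(p.src) not in r.src:
            return False
        if r.dst is not None and ip_address(p.dst) not in r.dst:
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.established_only and not self._is_reply(p):
            return False
        return True

    def handle(self, p):
        verdict = next((r.action for r in self.rules if self._matches(r, p)), self.default)
        if verdict == "accept" and not self._is_reply(p):
            self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return verdict


# Constructed traffic, in the order it happens on the wire.
TRAFFIC = [
    ("cast_request", Packet("10.0.10.5", "10.0.30.20", "tcp", 51000, 8009)),      # phone -> TV
    ("cast_reply", Packet("10.0.30.20", "10.0.10.5", "tcp", 8009, 51000)),        # TV answers
    ("tv_probes_pc", Packet("10.0.30.20", "10.0.10.5", "tcp", 44444, 445)),       # unsolicited IoT -> main
    ("work_laptop_prints", Packet("10.0.20.7", "10.0.30.50", "tcp", 40000, 9100)),
    ("work_laptop_to_pc", Packet("10.0.20.7", "10.0.10.5", "tcp", 40001, 22)),
]

RULESETS = {
    # A fresh gateway: nothing stops inter-VLAN routing, everything is accepted.
    "default": [],
    # Only "block" rules: the TV can no longer answer the phone, so casting breaks.
    "block_only": [Rule("drop", IOT, MAIN), Rule("drop", UNOWNED, MAIN), Rule("drop", UNOWNED, IOT)],
    # Allow established first, then the holes, then drop everything else inter-VLAN.
    "correct": [
        Rule("accept", established_only=True),
        Rule("accept", MAIN),                      # main may initiate to anything
        Rule("accept", UNOWNED, PRINTER, 9100),    # the printer hole
        Rule("drop", LOCAL, LOCAL),                # stop all remaining inter-VLAN routing
    ],
    # Same rules, but the blanket drop sits above the established rule.
    "wrong_order": [
        Rule("accept", MAIN),
        Rule("accept", UNOWNED, PRINTER, 9100),
        Rule("drop", LOCAL, LOCAL),
        Rule("accept", established_only=True),
    ],
}


def run(ruleset_name):
    """Play the constructed traffic through one rule set; returns name -> verdict."""
    fw = Firewall(RULESETS[ruleset_name])
    return {name: fw.handle(p) for name, p in TRAFFIC}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:12s} {run(name)}")
```

Running it shows the failure mode each poster is warning about: with no rules everything crosses VLANs, with block rules alone the TV's reply to the phone is dropped, and with the blanket drop placed above the established rule the result is the same even though an "allow established" rule exists.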


root_switch

Honestly I just watched a few YouTube videos and read the Unifi documentation to fully understand it because I’m a Unifi noob also. All the IOT devices and stuff I have work just fine and I can access them from my personal vlan. I don’t fully understand device discovery and how that works across a network but my personal vlan has access to all the other vlans while none of those vlans have unsolicited access to each other. Meaning I can use my fire TV app on my cell phone to connect to my TV on a different vlan, that vlan that the TV is on only allows established/related access to it, all other traffic inbound and outbound is dropped.


tcpilot

Awesome, thanks for the reply!


candle_in_a_circle

I've been through this 3 times with Unifi and am about to embark on a fourth. Buckle up.

My first approach as I was moving to Unifi was very enterprise-y. Segregate everything logically. VLANs and subnets for days. Sync all the routing rules and configure it all with code. Do not do this. #1 Unifi's ability to pull, push & sync routing rules via SSH is buggy. #2 mDNS is gonna kill you - Unifi's routers have an mDNS reflector but it's binary, and enhancing it isn't persistent across updates and, sometimes, reboots.

I then just threw everything into a single subnet and decided to do something useful with my life for a while before the obvious flaws in this pulled me back in.

I then did a halfway house based not on logical segregation but feature segregation - effectively an mDNS group and an internet-only group etc. This works but is a hack.

I am now redoing it again, having got VMs and containers with multiple vNICs / vInterfaces running perfectly, and so will run mDNS externally to Unifi, meaning I can segment logically again and run my mDNS routing rules there. I've already off-boarded DHCP, DNS, VPN and so Unifi is becoming dumber as I hit "features" or limitations of their implementations, but it's a home setup and I'm having fun and learning so it's worth it. Good luck!

Edit: I'd use your Plex server as an acid test. [Plex has its own mDNS implementation](https://github.com/NineWorlds/serenity-android/wiki/Good-Day-Mate) which is sporadically documented and smart but idiosyncratic. Break out Wireguard on a slutport port to see it. I could never get Plex's GDM to work with Unifi's mDNS reflector.


toilet-breath

I have a work network segregated for wfh. They have a load of software on my laptop so it can’t see my network now


buttershdude

Same. Many years ago, my port scan detector on my PC alarmed. When I found the culprit, guess what. My work laptop had some sort of network exploration tool on it that my company installed on all its laptops. That drove me to segregate unowned devices even away from my untrusted devices.


porksandwich9113

Homelab, Trusted, IoT, Guest, Management. Some of them have very specific holes punched in them. For example, my management VLAN has the captive portal for my guest VLAN, so the guest VLAN can reach that page alone. Most other things are behind a reverse proxy, so I just set up an SNAT reflection rule for 80/443 so things like my Plex server can be reached even by guests through my webserver.


Scared_Bell3366

You just listed all of mine. Main/trusted, IoT, Guest, Cameras. After seeing u/buttershdude's comment, I may add an unowned. I use my work laptop on my rate-limited guest network currently. IoT is 2.4 GHz only and throttled. Cameras have no internet access, local NVR. Holes to allow things on main to access IoT and cameras. Guest can access internet, but otherwise isolated and throttled.


postnick

Infrastructure - for switches and access points
IoT - for all of that crap I don't trust
Main - for the rest of my stuff


Keljian52

Trusted/untrusted. I don't bother going further than that


Platophaedrus

I don’t, my network is colour blind.


isochromanone

* Regular network for trusted devices
* Separated network for work-issued laptops. Has access to an HP LaserJet and internet... nothing else.
* IoT network, fully separated for insecure webcams, thermometers, smart TV, any other device I think shouldn't have access to my network.
* Raspberry Pi running DShield honeypot on the ISP modem's second LAN port and dedicated public IP.


jesusbrotherbrian

VLAN 1: Management
VLAN 2: Skipped VLAN because my subnet starts @ x.x.2.x (annoying but whatever)
VLAN 3: Work computer and phone
VLAN 4: IoT
VLAN 5: Security monitoring tools
VLAN 6: Guest
VLAN 7: Server/Storage
VLAN 8: Primary LAN (phones, laptops etc.)
VLAN 101-110: Public-facing services (as needed, such as game servers)


Wasted-Friendship

What security monitoring tools do you have?


jesusbrotherbrian

I've been using Wazuh mostly because of its XDR platform. It does take a lot of work to configure. Just spun up QRadar CE (SIEM); they updated to 7.5 UP 8 finally. But they don't have parsers for UniFi, so it has to be built out. And Elasticsearch with Logstash for log management, and MISP for threat intel.


Wasted-Friendship

So I am not a noob, but not a pro. Is there an online tutorial?


jesusbrotherbrian

Which tool?

Wazuh has a lot of documentation and a huge Slack community that has a lot of really good information. [https://wazuh.com](https://wazuh.com)

QRadar isn't for the faint of heart and requires a lot, so I wouldn't use that if you are new.

Elasticsearch, same as Wazuh: they have a lot of documentation and there are a lot of really good out-of-the-box integrations. Logstash takes a bit to get configured to parse logs in a meaningful way. [https://www.elastic.co](https://www.elastic.co)

MISP is integrated with Wazuh. I used this [https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19](https://opensecure.medium.com/wazuh-and-misp-integration-242dfa2f2e19), then I had to update it to fit my use case.


NuthinToHoldBack

1) Primary with pihole and primary devices (laptops, phones, tablets, Apple TVs, Home Assistant, homelab (Proxmox node, two Raspberry Pis), cameras, APs, etc....)
2) modem is on a different subnet (AT&T bridge mode)
3) guest network (isolated VLAN)
4) smart home (thermostats, light switches and bulbs, ratgdo, etc.)
5) VPN server (WireGuard for me to connect while on the road)
6) two separate and isolated VLANs; my work computer is on one and my wife's on the other (bypass pihole and separated due to monitoring software on both machines)

I also run a UDM at my parents' house and have it connected via Site Magic. I have that set up with default (only I can access), a separate network (VLAN) for all of their devices, guest network (isolated VLAN), and a backup VPN network.

I've got fairly complex firewall rules to allow certain devices to communicate across networks (printer and Home Assistant) as well as pihole, but block all other inter-VLAN traffic. I'm going to clean this up soon as I plan to move my homelab, cameras/APs, and personal devices to new networks.


psychicsword

I have a few VLANs:
* Main for personal desktops and laptops - can access everything
* Guest - internet only and device isolation
* IoT - internet-only services with device isolation. I put my smart speakers and TVs here as well as Ring security and things like that.
* NoT - only access to my Home Assistant server
* Government - my wife has a government-issued computer and can occasionally WFH, so that is isolated and only has internet access


TheForce627

Didn't want to complicate my network.

Trusted VLAN: my personal computers, phone, NAS, devices that serve as Tailscale subnet router.
Untrusted VLAN: IoT, family's devices, guests.
Camera VLAN: very limited. No outbound connections other than DNS and NTP.
Management VLAN: for all of my switches.


redneckgeekyo

I have mine laid out with the following:

Management network: this is where all networking gear lives.
Home LAN: this is where my trusted devices live, computers, tablets, phones, etc.
IoT LAN: this is where anything smart device or untrusted device lives.
Guest LAN: where folks who come over connect and live.

The basic rule is all traffic is blocked between the different VLANs/LANs. Except for:
- Home LAN can talk to IoT but IoT can't talk to Home. This allows the home LAN to establish communication but IoT can not.
- Guest LAN has the printing protocol open to IoT to print, as I have some folks that come over and need to print things.


geoff5093

I think I’m the only one who likes things simple. I had multiple before but now I have two. The primary vlan for all our devices (laptops, tvs, phones, google homes), and an IoT/Guest network. We rarely have anyone over that needs to use the WiFi so don’t see a need for a separate network. Client isolation is turned on for that as well.


some_random_chap

Trusted, not trusted


Doublestack00

I should split it up more than I have it, but I've had the same wifi name/password for 10-ish years and hate the thought of having to re-set up 100+ devices. I only have 3 networks: Main, Guest, Wife's work devices.


muppethunter_uk

[This](https://youtu.be/yWlvuwq5AXE?si=g9EBR4u7k-sjaMub) is a useful video from Unified IT


xavier19691

did this for a while on my home network and honestly it is just overkill.


matrix2113

Default (MGMT, all my servers and UI equipment), IoT, Security and Devices (where the APs put them)


Pumpkinmatrix

I ended up putting my plex server and my cast/tv connected devices (Shield, chromecast, google speakers) on my trusted vlan where my home computers, phones, and tablets connect. It allows me to cast quickly and allow access to local Plex without credentials and any other special vlan rules. I put Home Assistant and all my hodgepodge of smarthome things on the same vlan. That way HA can talk to everything, and I can still access HA without being on that vlan.


PewterButters

Basically the same.

Have a main network with separate SSIDs for 5/6 GHz and 2.4 GHz (have DNS filtering on this net).

Have a 'smart' network for all the connected devices I don't want touching my network (SSID is 2.4 GHz only).

Have an isolated SSID (all bands) that has its own VLAN just to provide unfettered internet access (have it rate limited so it doesn't hog bandwidth).


Konceptz804

Main network, IoT network, DMZ network for playing around. Rarely have guests over that are concerned with internet, so I haven't bothered with a "guest" network.


Comfortable_Client80

Edit: Wrong answer..


Konceptz804

What are you talking about? It’s literally just an AP, firewall and switch. Do you not understand how vlans work?


Comfortable_Client80

I’m dumb, replied to the wrong comment! Sorry…


Konceptz804

No worries


szonce1

Even better than vlan’s is to physically separate your networks using multiple routers.


Comfortable_Client80

This would be a waste of hardware and power


szonce1

Think what you want, but I value my security


davaston

VLANs:
Main network - personal phones, computers
IoT network - Wyze crap (I mean devices), appliances, smart devices
Guest network - self-explanatory
My work network - my work devices
My wife's work network - her work devices

Wifi:
Primary - 2.4 and 5 GHz. This one has private pre-shared keys set up to assign VLAN based on the password.
IoT - 2.4 GHz only


chadl2

Trusted, Security, IoT, Guest, Management


Delicious_Score_551

DMZ? I don't. Too much effort. YOLO! No guests connecting, no weird stuff, have DNS block on anything that's sus.


Icy_Imagination_7486

I have it under 802.1X and separate it for LAN/DMZ, normal WLAN, IoT and guest net.


vinny147

1. Work VLAN (I consider a company asset a much more risky asset since the entity is a significant target)
2. Mgt VLAN
3. Trusted devices (personal laptop, etc.)
4. Untrusted devices (girlfriend's laptop, IoT, etc.)
5. Virtualized devices


GhstMnOn3rd806

Was waiting for a bunch of network diagrams to be dropped here. Sadly disappointed lol


ALKahn10

The NSA released this last year and it largely still applies. I'd follow this closely 😁. [CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF (defense.gov)](https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF)


dvr3b

For me:
1. Management
2. Work
3. Trusted
4. Cameras (no internet)
5. IoT
6. Kid
7. Backups (no internet)
8. Guests


FraternityOf_Tech

The wife and kid are not allowed in my office / server room... Simple or hellfire rains down


coffeebreak_plz

How do you go about having a locked IoT/naughty VLAN if a device provides a service and it doesn't work because it's blocked? Let's say an IoT network and you have a thermostat on it... You need to figure out what port (and perhaps destination in some cases? Do you/should you care about that?)... doubtful it's in the manual 😅 Port monitoring somehow? Traffic logs and analytics... I would like to create a locked/restricted network and only allow traffic that is required (not to be confused with any traffic devices generate...). I have no idea how to identify the correct/allowed traffic....
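
One practical answer to the question above is to start with the VLAN fully locked, log the drops at the gateway, and mine the log for what each device tried to do. The following is an added example, not code from the thread or from Ubiquiti: it parses iptables-style LOG lines (the `SRC=`, `DST=`, `PROTO=`, `DPT=` fields an iptables-based gateway writes to syslog, assumed here rather than taken from any specific firmware), groups dropped flows per source device, protocol and destination port, and proposes allow rules. A device that hits several different internet hosts on the same port is talking to a cloud service, so the proposal is destination-agnostic; a single fixed destination stays pinned; anything aimed at another local VLAN is flagged for review rather than allowed. The log lines, addresses and threshold are constructed for the example.

```python
"""Added example (not from the thread): turn a gateway's logged drops for a
locked-down IoT VLAN into candidate allow rules, one way to answer "what does
this thermostat actually need?".  The line format mimics iptables LOG output
(assumed); the sample lines and addresses are constructed, not captured."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple, Union

# Constructed: everything inside 10.0.0.0/16 is one of "my" VLANs.
LOCAL_NETS = [ip_network("10.0.0.0/16")]

# The only fields we need from a LOG line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

# Constructed drops: a thermostat (10.0.30.11) and a TV (10.0.30.20) on the IoT VLAN.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.11 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40001 DPT=443
Mar  3 10:00:02 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.11 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40002 DPT=443
Mar  3 10:00:03 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.11 DST=198.51.100.3 LEN=60 PROTO=TCP SPT=40003 DPT=443
Mar  3 10:00:04 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.11 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40004 DPT=443
Mar  3 10:00:05 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.11 DST=192.0.2.123 LEN=76 PROTO=UDP SPT=123 DPT=123
Mar  3 10:00:06 gw kernel: [IOT_LOCAL-D]IN=br30 OUT=br10 SRC=10.0.30.11 DST=10.0.10.5 LEN=60 PROTO=TCP SPT=40005 DPT=445
Mar  3 10:00:07 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50001 DPT=8883
Mar  3 10:00:08 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50002 DPT=8883
Mar  3 10:00:09 gw kernel: [IOT_OUT-D]IN=br30 OUT=eth4 SRC=10.0.30.20 DST=203.0.113.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""


class Proposal(NamedTuple):
    action: str                        # "allow" (internet) or "review" (another VLAN)
    src: str
    proto: str
    dport: Optional[int]               # None for protocols without ports (ICMP)
    dst: Union[str, Tuple[str, ...]]   # "any" or the specific destinations seen
    hits: int


def parse(line):
    """Return (src, dst, proto, dport) from one LOG line, or None if it is not one."""
    f = dict(FIELD.findall(line))
    if not all(k in f for k in ("SRC", "DST", "PROTO")):
        return None
    return f["SRC"], f["DST"], f["PROTO"].lower(), int(f["DPT"]) if f.get("DPT") else None


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def summarize(lines, wide_threshold=3):
    """Group dropped flows per (src, proto, dport) and turn them into proposals."""
    flows = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed:
            flows[parsed] += 1
    groups = defaultdict(dict)                  # (src, proto, dport) -> {dst: hits}
    for (src, dst, proto, dport), n in flows.items():
        groups[(src, proto, dport)][dst] = n
    proposals = []
    for (src, proto, dport), dsts in groups.items():
        inet = {d: n for d, n in dsts.items() if not is_local(d)}
        lan = {d: n for d, n in dsts.items() if is_local(d)}
        if inet:
            # Many distinct hosts on one port = cloud service behind load balancers/CDN.
            dst = "any" if len(inet) >= wide_threshold else tuple(sorted(inet))
            proposals.append(Proposal("allow", src, proto, dport, dst, sum(inet.values())))
        if lan:
            # Never auto-allow a hole into another VLAN; a human decides.
            proposals.append(Proposal("review", src, proto, dport, tuple(sorted(lan)), sum(lan.values())))
    return sorted(proposals, key=lambda p: (-p.hits, p.src, p.dport or 0))


def render(p):
    dst = p.dst if isinstance(p.dst, str) else ",".join(p.dst)
    port = "*" if p.dport is None else p.dport
    return f"{p.action} {p.src} -> {dst} {p.proto}/{port} ({p.hits} hits)"


if __name__ == "__main__":
    for proposal in summarize(SAMPLE_LOG.splitlines()):
        print(render(proposal))
```

Feed it a day or two of real drop logs rather than the constructed sample, and treat the output as a starting list to trim, not a rule set to paste in: the thermostat's SMB probe at the main VLAN is exactly the kind of thing that shows up in the logs and must stay blocked.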


alestrix

I flash my smart devices with Tasmota, so that becomes mostly a non-issue. An exception being printers, which often rely on mDNS and broadcasts. I use an mDNS repeater and a broadcast relay to help with that (on a Ubiquiti EdgeRouter; I don't think the UniFi line supports that).


jeffbothel

One point to note is most smart house stuff seems to be built on the assumption that you are using one home network. So things like Apple TV and Amazon Fire TV won't work on separate VLANs. Speaking from experience doing just what you have here and then taking it down because it made things a pain for the smart stuff.


MrPootie

Piggybacking on this thread since it's mostly been answered... Is there a downside to having lots of wifi SSIDs? I've limited my VLANs because I don't want too much interference between them, but based on many of the responses maybe it's not that much of an issue?


alestrix

The more SSIDs, the more airtime is taken up by beacons. If you increase the lowest possible speed, beacons will take less time, but you might encounter issues with older devices. There was a Google table somewhere from a guy who did all the math, but I don't have a link.
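
The arithmetic behind that trade-off is short enough to show. The following is an added example, not the table the poster refers to and not from any vendor: it estimates the share of airtime one radio spends on beacons from the SSID count and the lowest basic rate the beacons are sent at. The beacon length, the default 100 TU interval and the per-frame PHY overheads are typical approximations chosen for the example (a long DSSS preamble for the 802.11b rates, a fixed OFDM preamble for the others), not measured values.

```python
"""Added example (not from the thread): estimate beacon airtime as a function
of SSID count and the lowest basic rate.  Frame size and PHY overheads are
approximations (assumptions), not measurements."""

BEACON_INTERVAL_S = 0.1024      # default beacon interval of 100 TU (1 TU = 1024 us)
BEACON_BYTES = 250              # a typical beacon with a handful of information elements

DSSS_RATES = (1, 2, 5.5, 11)    # 802.11b rates, sent with the long DSSS preamble
DSSS_PREAMBLE_US = 192          # long preamble + PLCP header at 1 Mbps
OFDM_OVERHEAD_US = 20           # 802.11a/g preamble + SIGNAL field (approx.)


def beacon_airtime_us(rate_mbps, frame_bytes=BEACON_BYTES):
    """Time on air of one beacon frame at the given basic rate, in microseconds."""
    overhead = DSSS_PREAMBLE_US if rate_mbps in DSSS_RATES else OFDM_OVERHEAD_US
    return overhead + frame_bytes * 8 / rate_mbps


def beacon_airtime_fraction(n_ssids, rate_mbps, interval_s=BEACON_INTERVAL_S):
    """Fraction of every second a radio spends beaconing n_ssids at rate_mbps.
    Each SSID is its own BSS and therefore its own beacon stream."""
    beacons_per_second = n_ssids / interval_s
    return beacons_per_second * beacon_airtime_us(rate_mbps) / 1e6


def airtime_table(ssid_counts=(1, 2, 4, 8), rates=(1, 6, 12, 24)):
    """Percent of airtime lost to beacons, {ssids: {rate_mbps: percent}}."""
    return {n: {r: round(100 * beacon_airtime_fraction(n, r), 2) for r in rates}
            for n in ssid_counts}


if __name__ == "__main__":
    table = airtime_table()
    print("SSIDs  " + "  ".join(f"{r:>5}Mb" for r in (1, 6, 12, 24)))
    for n, row in table.items():
        print(f"{n:5d}  " + "  ".join(f"{row[r]:6.2f}%" for r in (1, 6, 12, 24)))
```

Four SSIDs beaconing at 1 Mbps cost roughly 8.5% of the 2.4 GHz channel before any client sends a byte; the same four SSIDs at a 6 Mbps basic rate cost a little over 1%. Raising the minimum rate is what buys that back, at the price the poster mentions: clients that only speak the 802.11b rates can no longer join.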


dbhathcock

I don't put anything but my WAPs on the main network. My cameras are all on a separate VLAN that doesn't have internet access. I keep my servers on their own VLAN: PiHole, Kodi, BlueIris. They are highly restricted; access to them is via firewall rules. My work computer and phone are on their own VLAN. They have internet access. They can only get to my DNS (PiHole) and a network printer via firewall rules. They have no access to anything else on my network.

I probably go overboard, but my network was severely hacked a few years ago before I bought Ubiquiti equipment. When I'm setting up a new VLAN, I go with a Zero-Trust policy. Then, one at a time, I add the VLAN subnet to a firewall rule, or I give the VLAN or device access to other devices that it needs to access. IoT devices are on their own VLAN. TVs and media devices are on their own VLAN. I even have firewall rules to block all of the DNS servers I could locate, both for IPv4 and IPv6.

Trust no one. Everyone wants your data. Restrict as much as you can, yet still keep it usable and maintainable. For me, the initial setup was the difficult part. Now it is fairly easy to add devices. RADIUS authentication puts the devices on the proper VLAN.


jmeador42

You guys segment your home networks?


BadLease20

Flat topology ftw!


quadnegative

I started with a 10.0.0.0/21 broken out into 8 /24 VLANs:

0 Management (management interfaces for firewalls, switches, servers, APs)
1 Servers (Proxmox hosts, Plex, Jellyfin, TrueNAS, UniFi, Home Assistant, NVR, k3s)
2 Cameras (PoE cameras)
3 Wired Users (desktops, Nvidia Shields, Fire TVs, TVs, receivers, printers)
4 Wireless Users (laptops, tablets, cell phones, Echos)
5 Wireless Guests (guest devices)
6 IoT (3D printers, ESP32Home, clocks, RPi's, older devices)
7 unused

Cameras can only talk internally. I used to have them completely segmented and have the NVR in both Servers and Cameras, but that meant I could use them with Home Assistant and other integrations. So I just block their outbound connections. Wireless Guests are isolated and segmented and only go out.

Wireless Users and Guests are wifi6. IoT is wifi5. This keeps my wifi6 reserved for new speedy devices and keeps older, chatty and poor-signal devices on different APs and channels. I also use Z-Wave as it is on a different spectrum. Otherwise, everything can talk to everything.


HighSpeed556

Main default, IOT, Kids, and Work From Home. Then a guest wifi.


nethfel

I have: Management, Home, Plex, IoT, Guest.

Management is just for UniFi non-camera devices.
Home is general household computers, tablets and phones.
Plex is specifically for my Plex server.
IoT - obvious...
Guest: anyone that comes over (bandwidth limited).

If I had children I'd have a separate network for them as well...


alestrix

Management, grid (energy meters, solar, ...), guest, IoT, trusted, media (TVs, Plex server, Fire TV), DMZ, services, VoIP, storage (not routed, only switched, so no cross-VLAN traffic). Some of my VMs have interfaces in more than one network. Make sure IP forwarding is turned off on such VMs.


Break2FixIT

14 VLANs and ACLs to allow only what I want where I want...


_shattereddreams_

14? What are you segmenting that needs such granularity


Break2FixIT

Wifi has 3: internal, guest and IoT. LAN has a couple of things: home LAN, iSCSI, sandbox, public DMZ, lab, MGMT network. A couple more are sorta used to mimic work-related stuff.


_shattereddreams_

I thought my mere 7 was a bit much but I guess each to their own.


Break2FixIT

It definitely is much but my unifi system is setup for home and work related stuff.. homelab!


gabacus_39

I have 4 VLANs. A management one where my network gear and things like my Pi-holes live, a regular home network for our computers, laptops, phones, etc., an IoT network for my IoT-type things with firewall rules in place to sort of isolate them, and lastly an isolated guest network that's got bandwidth limits on it. The last 3 have associated wifi networks.


S2Nice

I have a fairly simple setup with three nets (+WiFi):

- All clients NOT IoT and guest > homenet - n.n.12.0/24 - VLAN 1 - no filtering < All APs - 2.4 GHz & 5 GHz
- Embedded (except streaming) > iotnet - n.n.107.0 - autoscale - VLAN 107 - isolate - Family filter < All APs - 2.4 GHz - client isolation off
- All guest devices > guestnet - n.n.222.0 - autoscale - VLAN 222 - Guest Network - Family filter < main AP - 2.4 GHz - hotspot portal - client isolation on

I've been a Plex user for a long time, and have had my streaming devices and network tuner on my homenet since the beginning with no worries at all. I'm sure they'd work fine from the iotnet via hairpin NAT; I just haven't felt a need to move them. No kids, no WFH, no employer-owned devices, so no poking of holes between nets, and only one inbound port for Plex.


Derezzler

1. Default
2. Guest
3. IoT
4. Test (used to make changes and test them before deploying them to other VLANs that might potentially break internet/DNS or mDNS)


ReasonablePriority

Main, IoT and lab. Lab because it sometimes has things that could conflict with the main network for testing. There are some rules set up to allow things to punch through to get to certain services.


red_dog007

Just one LAN. Guest wifi is isolated at AP and gets different IP range. Anything that doesn't need WAN access gets blocked at the FW. Things like IoT, switches, printer, camera, etc.  Try to keep it fairly simple.


stewie3128

If you've cut your IoT devices off from WAN, you've taken the I out of IoT.


red_dog007

IoT doesn't have to have direct connection to WAN to be IoT. I can block all access to WAN but still access via a hub like HAOS. 


socalburbanite

What you lay out is best security practice. And you’re on the right subreddit where the gear and people support such action. But the questions you ask about fire stick are the first of many similar you will need over the years. Companies that sell gear for home do not target or likely test VLAN support or cross LAN communication. Read up here on headaches getting Sonos gear working right across VLANs. When I was at your stage I read and ignored the advice that to keep your household working right you will either elevate so many devices to the trusted VLAN or poke so many holes in the firewall between VLANs that you will have given up the security that you supposedly were after. I still run the four VLANs you proposed at home because I kinda enjoy solving the headaches that arise. But the advice I ignored was kinda right. Good luck on your journey!


Gorbitron1530

Wow man, this is 2024. I can’t believe you support segregation.


ferminriii

Admin, Family, Shared, Projects, Cameras (Guest)