
Segmenting your Network


Humble Beginnings

When I first started out I had a flat 10.1.1.0/24 network that every device sat on: my servers, my IoT devices, and even visitors' laptops and phones.

Segmenting your network improves security: a compromised IoT device or a guest's laptop can no longer talk to your servers unless a firewall rule explicitly allows it. It also gives you more granular control over device traffic and, at least in my experience, better network performance, since broadcast traffic stays inside its own VLAN.

Unifi offers the ability to create VLANs and set firewall rules between these VLANs, so that’s what I am going to demonstrate today.

I will be using the UDM Pro to demonstrate how to set this up, but the steps should be the same or very similar on other Unifi gateways and controllers.

Part 1: Creating the network

The first step is to create the network(s). In the example below I have created 6 different networks.

Home is for all my family's devices. IOT-Network is for all IoT devices. LAN is just the management VLAN for my Unifi devices. Remote Access is my VPN network. Security is the VLAN for my Protect cameras and Access devices (when I get them). Finally, Server is the VLAN dedicated to my own devices: my servers and my desktop.

Click on Create New Network.

Give your network a name.

For the purpose select Corporate.

Note: inter-VLAN routing is enabled by default between all Corporate networks, so creating a VLAN on its own does not isolate it. The firewall rules between VLANs are what actually enforce the segmentation. If you want to disable inter-VLAN routing, please take a look at this article.

For the interface select LAN.

Give the VLAN an ID. Valid 802.1Q IDs are 1 to 4094 (0 and 4095 are reserved by the standard), and 1 is the default, untagged VLAN that your Unifi LAN already uses, so pick something from 2 upwards. I usually start at 10, then 20, then 30, and so on.

Next enter the Gateway IP/Subnet, for example 10.1.1.1/24. The /24 means a 24-bit network prefix, which leaves 254 usable host addresses (256 minus the network and broadcast addresses); the gateway takes one of them, and the rest can be assigned to devices on this network.

If you are running this in a domain then add the domain name.

I enable IGMP Snooping, but this might not matter depending on the devices being used in your network.

Ensure DHCP server is enabled, and change the DHCP range to your liking. By default Unifi keeps the first 5 host addresses out of the pool, so for a 10.1.1.0/24 network the range would be 10.1.1.6-10.1.1.254.

For DHCP nameserver, feel free to leave it as auto, but if you're running a DNS server (like a Pi-Hole, and you should absolutely be running a Pi-Hole) then you would enter the IP of that server here. I use the IP of my Pi-Hole followed by 1.1.1.1 and then 8.8.8.8 just to make sure I have working DNS. One caveat: clients do not reliably try nameservers in the order listed, so with public resolvers as fallbacks some queries will skip the Pi-Hole entirely and its filtering. If you want every query to go through the Pi-Hole, list only it (or a second Pi-Hole) here.

I left my DHCP lease time as the default 1 day.

Leave DHCP Gateway IP as auto.

I leave DHCP Unifi Controller empty as well.

I leave the last two options, DHCP Guarding and UPnP LAN, deselected as well. DHCP Guarding is worth a second look on VLANs that carry untrusted devices: it lets you list the trusted DHCP server IPs so that a rogue DHCP server plugged into that VLAN is blocked from handing out addresses.

Click Save.
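The form above asks for a VLAN ID, a gateway in CIDR notation and a DHCP range, and it is easy to mistype one of them when you create six networks in a row. The script below, an added example that is not Unifi's code or the original post's, does the same arithmetic for a whole plan: it rejects VLAN IDs outside 2-4094, derives the DHCP pool the way Unifi's default does (first five host addresses reserved), and flags duplicate IDs and overlapping subnets. The Server network (VLAN 50, 10.1.4.0/24) is taken from the post; the Home and IOT-Network IDs and subnets are assumptions made up for the example.

```python
"""Plan VLAN addressing the way the Unifi 'Create New Network' form asks for it.

Added example, not Unifi's code. Assumed layout: one subnet per VLAN, the
gateway typed as 'Gateway IP/Subnet' (e.g. 10.1.1.1/24), and a DHCP pool that
starts after the first five host addresses (Unifi's default) and runs to the
last usable host.
"""
import ipaddress
from dataclasses import dataclass

RESERVED_AT_START = 5  # Unifi's default: .1-.5 are kept out of the DHCP pool


@dataclass(frozen=True)
class Vlan:
    name: str
    vlan_id: int
    gateway_cidr: str  # exactly what goes into the Gateway IP/Subnet field

    def validate(self) -> ipaddress.IPv4Interface:
        """Check the ID and gateway, returning the parsed gateway interface."""
        # 802.1Q reserves 0 and 4095; 1 is the default/untagged LAN, which is
        # not created through this form, so only 2-4094 are acceptable here.
        if not 2 <= self.vlan_id <= 4094:
            raise ValueError(f"{self.name}: VLAN ID {self.vlan_id} is not in 2-4094")
        iface = ipaddress.ip_interface(self.gateway_cidr)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{self.name}: gateway {iface.ip} is not a usable host address")
        return iface

    def dhcp_range(self) -> tuple[str, str, int]:
        """Return (first, last, size) of the DHCP pool with Unifi's default reservation."""
        iface = self.validate()
        hosts = list(iface.network.hosts())  # excludes network and broadcast addresses
        pool = hosts[RESERVED_AT_START:]
        if not pool:
            raise ValueError(f"{self.name}: subnet too small for a DHCP pool")
        return str(pool[0]), str(pool[-1]), len(pool)


def check_plan(vlans: list[Vlan]) -> list[str]:
    """Return human-readable problems: bad IDs/gateways, duplicate IDs, overlapping subnets."""
    problems: list[str] = []
    seen_ids: dict[int, str] = {}
    nets: list[tuple[str, ipaddress.IPv4Network]] = []
    for v in vlans:
        try:
            iface = v.validate()
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if v.vlan_id in seen_ids:
            problems.append(f"VLAN ID {v.vlan_id} used by both {seen_ids[v.vlan_id]} and {v.name}")
        seen_ids.setdefault(v.vlan_id, v.name)
        for other_name, other_net in nets:
            if iface.network.overlaps(other_net):
                problems.append(f"{v.name} {iface.network} overlaps {other_name} {other_net}")
        nets.append((v.name, iface.network))
    return problems


# Constructed plan. Server (50, 10.1.4.0/24) matches the post; the other two
# IDs and subnets are assumptions for the example.
PLAN = [
    Vlan("Home", 10, "10.1.2.1/24"),
    Vlan("IOT-Network", 20, "10.1.3.1/24"),
    Vlan("Server", 50, "10.1.4.1/24"),
]

# Constructed broken plan: a reused ID and a guest subnet carved out of Home.
BAD_PLAN = [
    Vlan("Home", 10, "10.1.2.1/24"),
    Vlan("Guest", 10, "10.1.2.129/25"),
]

if __name__ == "__main__":
    for v in PLAN:
        first, last, size = v.dhcp_range()
        print(f"{v.name:12} VLAN {v.vlan_id:<4} gateway {v.gateway_cidr:16} DHCP {first}-{last} ({size} addresses)")
    for problem in check_plan(BAD_PLAN):
        print("problem:", problem)
```

Run it before you start clicking and fix anything it reports; an overlapping subnet in particular is the kind of mistake that only shows up later as devices on two VLANs intermittently failing to reach each other.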

Part 2: Assign VLAN to a Port

So we’ve got the network setup, how do we get devices to use this new network?

The answer is to assign the network to a port or group of ports on your Unifi switch. You can use other switches, but they need to be managed ones so that you can tag ports with the right VLANs (this guide will only cover Unifi devices as that's what I use).

Navigate to your Devices page within the Unifi controller software.

Select the switch you want to edit the ports on. For me this is the Mech Room Switch.

Select the Ports tab to see the list of ports and the options for those ports.

My case is a little weird at the moment. I have a dumb switch plugged into port 7 of my UDM Pro. I will be replacing that with a Gen 2 Unifi switch soon. This means that every device attached to that dumb switch will be on the network I assign to Port 7 of my UDM; an unmanaged switch cannot separate the devices behind it, so only put devices on it that belong in the same VLAN.

In the image above Port 7 has been renamed to Server LAN for ease of use. Click the check box next to the port, and hit Edit Selected. Under Port Profile select the network we created above. In my example I selected Server (50) as everything attached to this port needs to be on my Server VLAN.

Hit Apply and the settings will sync. If everything was set up correctly, any device plugged into the dumb switch on Port 7 will be on the Server (50) VLAN, meaning each device will get an IP on the 10.1.4.0/24 network.

You can repeat these same steps for each network you want to create. This will be a little different if you're using a managed switch instead of a dumb switch. One of the ports on your managed switch will need to be designated the trunk port. A trunk port carries all the VLANs, each frame tagged with its VLAN ID, with the default LAN travelling untagged. In the Unifi software you would just change the port profile to All. This will then carry all VLANs to that switch, and from there you can set the other ports to whatever single VLAN you want. Only use the All profile on uplinks to switches you control: anything plugged into a trunk port can tag its own frames and put itself on any VLAN, and untagged traffic on it lands on the default LAN, which here is the management VLAN.
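To make the access-port versus trunk-port distinction concrete, here is a toy model of a switch applying port profiles, written as an added example for this post (it is not Unifi's code and does not talk to a real switch). It assumes the common behaviour: an access port accepts only untagged frames and places them in its one VLAN, while an All/trunk port accepts tagged frames for any VLAN and treats untagged frames as native VLAN 1. The port names and the VLAN IDs 20 and 50 are constructed for the example.

```python
"""Toy 802.1Q model: how a switch classifies frames by port profile.

Added example, not Unifi's code. Assumptions: an access port (profile = one
network) accepts only untagged frames and drops tagged ones; an 'All' (trunk)
port accepts tagged frames for any VLAN and treats untagged frames as the
native VLAN, which for a Unifi default LAN is VLAN 1. Forwarding is simple
flooding to every other port in the frame's VLAN (unknown destination MAC).
"""
from dataclasses import dataclass
from typing import Optional

NATIVE_VLAN = 1  # the untagged/default LAN on a trunk port


@dataclass(frozen=True)
class Port:
    name: str
    profile: str                 # "All" for a trunk, otherwise a network name
    vlan_id: Optional[int] = None  # the access VLAN; unused when profile == "All"


@dataclass(frozen=True)
class Frame:
    src_port: str
    dst_mac: str
    tag: Optional[int] = None    # 802.1Q VLAN ID on the wire, None if untagged


def classify(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is placed in on ingress, or None if dropped."""
    if port.profile == "All":
        # Trunk: the sender chooses the VLAN by tagging; untagged means native.
        return frame.tag if frame.tag is not None else NATIVE_VLAN
    # Access port: the switch decides, and tagged frames are refused.
    return port.vlan_id if frame.tag is None else None


def forward(ports: dict[str, Port], frame: Frame) -> tuple[Optional[int], list[tuple[str, Optional[int]]]]:
    """Flood the frame within its VLAN.

    Returns (vlan, [(egress_port, tag_on_wire), ...]); tag_on_wire is None when
    the frame leaves untagged (access ports, or the native VLAN on a trunk).
    """
    ingress = ports[frame.src_port]
    vlan = classify(ingress, frame)
    if vlan is None:
        return None, []
    egress: list[tuple[str, Optional[int]]] = []
    for p in ports.values():
        if p.name == ingress.name:
            continue
        if p.profile == "All":
            egress.append((p.name, None if vlan == NATIVE_VLAN else vlan))
        elif p.vlan_id == vlan:
            egress.append((p.name, None))
    return vlan, egress


# Constructed switch: port1 is the uplink trunk, port7 and port8 are access
# ports, and port9 was left on the All profile by mistake.
PORTS = {
    "port1": Port("port1", "All"),
    "port7": Port("port7", "Server", 50),
    "port8": Port("port8", "IOT-Network", 20),
    "port9": Port("port9", "All"),
}

BROADCAST = "ff:ff:ff:ff:ff:ff"


def iot_device_broadcast() -> tuple[Optional[int], list[tuple[str, Optional[int]]]]:
    """An IoT device on its access port: stays in VLAN 20, never reaches port7."""
    return forward(PORTS, Frame("port8", BROADCAST))


def rogue_on_trunk_tags_server_vlan() -> tuple[Optional[int], list[tuple[str, Optional[int]]]]:
    """A laptop on the mistaken trunk tags VLAN 50 and lands on the Server VLAN."""
    return forward(PORTS, Frame("port9", BROADCAST, tag=50))


def rogue_on_trunk_untagged() -> tuple[Optional[int], list[tuple[str, Optional[int]]]]:
    """The same laptop untagged ends up on the native VLAN, the management LAN."""
    return forward(PORTS, Frame("port9", BROADCAST))


def tagged_frame_on_access_port() -> tuple[Optional[int], list[tuple[str, Optional[int]]]]:
    """A device on an access port cannot tag its way into another VLAN."""
    return forward(PORTS, Frame("port7", BROADCAST, tag=20))


if __name__ == "__main__":
    for scenario in (iot_device_broadcast, rogue_on_trunk_tags_server_vlan,
                     rogue_on_trunk_untagged, tagged_frame_on_access_port):
        print(f"{scenario.__name__}: {scenario()}")
```

The model makes the practical rule obvious: on an access port the switch decides the VLAN, on a trunk port the device does. That is why every port that faces an end device should be pinned to a single network and only the uplink between switches should use the All profile.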