
UniFi VLANs, Explained — Segmentation Without the Guesswork

Learn how to design, configure, and troubleshoot VLANs in UniFi Network — from the first broadcast domain to inter-VLAN firewall rules.

How do VLANs work in UniFi Network, and how do you configure one?

A VLAN (Virtual Local Area Network) in UniFi Network creates an isolated Layer 2 broadcast domain on top of your physical infrastructure. You define it under Settings → Networks, assign a VLAN ID (2–4094), and UniFi automatically provisions a dedicated DHCP pool and subnet. Firewall rules under Settings → Firewall & Security control which VLANs can reach each other. The UniFi controller propagates VLAN trunks to managed switches via 802.1Q tagging, so a single uplink carries traffic for every VLAN you create.

What is a VLAN and why does it matter?

A VLAN is a Layer 2 segmentation construct. Instead of buying a separate physical switch for every traffic type you want to isolate, you configure logical segments on a single managed switch and tag frames with a VLAN ID defined in IEEE 802.1Q.

In practice this means your IoT devices — smart bulbs, thermostats, cameras — can live on VLAN 20 while your workstations sit on VLAN 10, and once the firewall rules covered below are in place, neither can initiate connections to the other unless a rule explicitly permits it. The router (UniFi Gateway, Dream Machine, or Cloud Gateway) routes between VLANs at Layer 3 and enforces those rules.

Why bother? Three reasons: security (a compromised IoT device cannot pivot to your NAS), performance (broadcast storms on one VLAN do not flood others), and manageability (DHCP assignments, DNS overrides, and DPI policies can be scoped per VLAN).

Planning your VLAN IDs and subnets

UniFi accepts VLAN IDs from 2 to 4094. VLAN 1 is the default untagged network — leave it alone; changing it mid-deployment causes unexpected switch port behavior.

A practical numbering scheme for home and small-office deployments:

| VLAN ID | Purpose | Subnet example |
|---------|---------|----------------|
| 10 | Trusted workstations | 192.168.10.0/24 |
| 20 | IoT & smart home | 192.168.20.0/24 |
| 30 | Guest Wi-Fi | 192.168.30.0/24 |
| 40 | Security cameras | 192.168.40.0/24 |
| 50 | Lab / servers | 192.168.50.0/24 |

Use /24 subnets for simplicity — they give you 254 usable addresses and keep DHCP pools predictable. If you have more than ~200 devices per VLAN (unusual below enterprise scale), step up to /23.

Avoid overlapping RFC 1918 ranges across VLANs. UniFi's DHCP server will reject duplicate subnets, but routing anomalies can appear if ranges overlap on external uplinks or VPN tunnels.
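The planning rules above (IDs in 2–4094, VLAN 1 untouched, private ranges only, no overlaps, /23 once you pass ~200 devices) are easy to check before you touch the controller. The following validator is an added example, not UniFi code; the plan it checks is a constructed copy of the table above.

```python
import ipaddress

# Constructed plan copied from the table above (assumed values, not UniFi data).
VLAN_PLAN = {
    10: ("Trusted workstations", "192.168.10.0/24"),
    20: ("IoT & smart home", "192.168.20.0/24"),
    30: ("Guest Wi-Fi", "192.168.30.0/24"),
    40: ("Security cameras", "192.168.40.0/24"),
    50: ("Lab / servers", "192.168.50.0/24"),
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vlan_plan(plan, expected_devices=None):
    """Return a list of problems in a {vlan_id: (name, cidr)} plan.

    Checks the rules from this page: IDs must be 2-4094 (VLAN 1 is the
    untagged default and stays untouched), every subnet must be a private
    RFC 1918 range, no two subnets may overlap, and a VLAN expected to hold
    more than ~200 devices should be a /23 rather than a /24.
    """
    problems = []
    seen = {}  # vlan_id -> ip_network, for the overlap check
    for vid, (name, cidr) in plan.items():
        label = f"VLAN {vid} ({name})"
        if not 2 <= vid <= 4094:
            problems.append(f"{label}: ID outside the usable range 2-4094")
        # strict=True rejects host bits set in the network address (e.g. .1/24)
        net = ipaddress.ip_network(cidr, strict=True)
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{label}: {cidr} is not an RFC 1918 private range")
        for other_vid, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{label}: {cidr} overlaps VLAN {other_vid} ({other})")
        devices = (expected_devices or {}).get(vid, 0)
        if devices > 200 and net.prefixlen >= 24:
            problems.append(f"{label}: {devices} devices expected, use a /23 instead of /{net.prefixlen}")
        seen[vid] = net
    return problems


if __name__ == "__main__":
    for p in check_vlan_plan(VLAN_PLAN) or ["plan is clean"]:
        print(p)
```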

Creating a VLAN in UniFi Network

  1. Open UniFi Network (local controller or cloud at unifi.ui.com).
  2. Navigate to Settings → Networks → Create New Network.
  3. Name the network (e.g., "IoT"), set VLAN ID to your chosen value, and leave Auto-Scale Network on for automatic subnet assignment, or specify your own subnet under Advanced.
  4. Set DHCP Mode to DHCP Server (the default). Set your lease time — 24 hours is fine for static-ish devices; 4 hours for a guest VLAN with high turnover.
  5. Click Add Network.

UniFi automatically creates an interface on the gateway and begins serving DHCP on that subnet. No additional routing configuration is needed — the gateway handles inter-VLAN routing natively.

To assign a wireless SSID to the new VLAN: go to Settings → WiFi, edit or create an SSID, and set Network to your new VLAN under Advanced.

To assign a switch port: open Devices → [switch] → Ports, select the port, set Profile to your VLAN or create a port profile under Settings → Profiles → Port.

Firewall rules — isolating VLANs from each other

By default, all networks in UniFi can communicate with each other. You must add explicit rules to block inter-VLAN traffic.

The cleanest approach is a block-all, allow-specific posture per VLAN:

  1. Go to Settings → Firewall & Security → Rules → LAN.
  2. Create a rule to block traffic from your IoT VLAN to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This prevents IoT devices from reaching any other private network segment.
  3. Create allow rules for the specific flows you need — e.g., allow IoT VLAN to reach the DNS server on your trusted VLAN, or allow your NVR VLAN to reach cameras on the camera VLAN but not vice versa.

Rule order matters. UniFi evaluates firewall rules top-down and stops at the first match. Place allow rules above the block-all rule for any traffic you need to permit.
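To see why ordering matters, here is a small first-match evaluator that models the block-all, allow-specific posture from the steps above, including the point that LAN rules only see routed (inter-VLAN) traffic. It is an added example, not UniFi's rule engine; the VLANs follow the table on this page, and placing the NVR on VLAN 50 and a resolver at 192.168.10.53 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed VLANs following the numbering scheme on this page. Placing the NVR
# on the lab/servers VLAN (50) and a resolver at 192.168.10.53 are assumptions.
VLANS = {"trusted": ipaddress.ip_network("192.168.10.0/24"),
         "iot": ipaddress.ip_network("192.168.20.0/24"),
         "cameras": ipaddress.ip_network("192.168.40.0/24"),
         "nvr": ipaddress.ip_network("192.168.50.0/24")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_DNS = ipaddress.ip_network("192.168.10.53/32")

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    src: list                    # source networks
    dst: list                    # destination networks
    dport: Optional[int] = None  # None matches any destination port

def vlan_of(ip):
    return next((name for name, net in VLANS.items() if ip in net), None)

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of a LAN rule list for a new connection.

    Rules are walked top-down and the first match wins. Traffic that stays inside
    one VLAN is switched, not routed, so LAN rules are never consulted for it, and
    with no matching rule the default is allow (networks can talk unless blocked).
    Return packets of established flows are not modelled.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return "allow", "intra-VLAN: LAN rules not applied"
    for r in rules:
        if (any(src in n for n in r.src) and any(dst in n for n in r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.name
    return "allow", "implicit default: no rule matched"

allow_dns = Rule("Allow IoT -> trusted DNS", "allow", [VLANS["iot"]], [TRUSTED_DNS], 53)
allow_nvr = Rule("Allow NVR -> cameras", "allow", [VLANS["nvr"]], [VLANS["cameras"]])
block_iot = Rule("Block IoT -> RFC 1918", "block", [VLANS["iot"]], RFC1918)
block_cam = Rule("Block cameras -> RFC 1918", "block", [VLANS["cameras"]], RFC1918)

GOOD_ORDER = [allow_dns, allow_nvr, block_iot, block_cam]  # allows above the block
BAD_ORDER = [block_iot, allow_dns, allow_nvr, block_cam]   # DNS allow shadowed by the block
```

With GOOD_ORDER an IoT client reaching 192.168.10.53:53 matches the allow rule; with BAD_ORDER the same flow hits the RFC 1918 block first and the allow rule below it is never reached.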

A common mistake: blocking inter-VLAN traffic and then wondering why mDNS-based devices (Apple TVs, Chromecast, printers) stop working across VLANs. mDNS does not cross broadcast domain boundaries. The fix is enabling mDNS repeating under Settings → Networks → [network] → Advanced, which lets UniFi rebroadcast service announcements across VLANs without opening full layer-3 access.

Troubleshooting common VLAN problems

Device not getting a DHCP address: Verify the switch port profile includes the correct VLAN as tagged or untagged. An access (untagged) port should have the VLAN set as the native network. Check Devices → [switch] → Ports to confirm the assignment is applied.

Device gets an address but cannot reach the internet: The gateway may be missing a routing entry. In UniFi this is automatic, but check Settings → Networks to confirm the VLAN has a valid gateway IP assigned. If you have a custom DNS server, ensure the IoT VLAN's DNS setting points to a reachable resolver.

Firewall rules not taking effect: UniFi applies LAN firewall rules to traffic that crosses VLANs (routed traffic). Rules do not apply to intra-VLAN traffic (same broadcast domain). If you need to filter within a VLAN, use a client isolation setting on the SSID or VLAN instead.

Trunk port dropping traffic for a VLAN: On switch-to-switch uplinks, both ends must have the VLAN in their allowed list. Check the port profile on both switches. If you are using a non-UniFi switch on the edge, verify it is tagging VLAN frames with the correct ID on the uplink port.
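When checking an uplink, the two questions are whether the frames actually carry the 802.1Q tag you expect and whether both ends allow that VLAN. The following parser and trunk check is an added example (not UniFi tooling) that works on raw Ethernet frames such as those exported from a packet capture; the MAC addresses and frames it builds are constructed test data.

```python
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tagged_frame(vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a minimal 802.1Q-tagged frame with constructed MAC addresses (test data only)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0-4095 and PCP 0-7")
    dst = bytes.fromhex("ffffffffffff")   # broadcast
    src = bytes.fromhex("020000000001")   # locally administered, constructed
    tci = (pcp << 13) | vid               # DEI bit left at 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_vlan_tag(frame: bytes) -> Optional[Dict[str, int]]:
    """Return the 802.1Q tag of an Ethernet frame, or None when the frame is untagged.

    The tag sits after the two MAC addresses: 2-byte TPID (0x8100), then the 2-byte
    TCI holding PCP (3 bits), DEI (1 bit) and the 12-bit VLAN ID.
    """
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": ethertype}

def trunk_gaps(side_a: Set[int], side_b: Set[int]) -> Dict[str, list]:
    """VLANs allowed on only one end of an uplink; frames for these are dropped by the other end."""
    return {"missing_on_a": sorted(side_b - side_a), "missing_on_b": sorted(side_a - side_b)}

def dropped_vids(frames, side_a: Set[int], side_b: Set[int]) -> list:
    """VLAN IDs seen in captured tagged frames that at least one end of the uplink will drop."""
    allowed = side_a & side_b
    seen = {t["vid"] for t in map(parse_vlan_tag, frames) if t is not None}
    return sorted(seen - allowed)
```

Untagged frames on the trunk belong to the native VLAN and are skipped by dropped_vids; only tagged VIDs are compared against the intersection of the two allowed lists.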

Frequently Asked Questions

Yes, for wired VLAN segmentation. UniFi gateways (Dream Machine, Cloud Gateway, UniFi Express) handle routing and enforcement, but a managed switch is required to propagate VLAN tags across physical ports. If your deployment is wireless-only, an access point can put SSIDs on different VLANs without a managed switch — the AP tags traffic before handing it to the gateway uplink.

UniFi Network supports up to 4093 VLANs (IDs 2–4094) in software. The practical limit is the hardware capacity of your switches and gateway — consumer-grade Dream Machines handle 5–15 VLANs without measurable throughput degradation. Above that, monitor CPU utilization on the gateway, especially if you have heavy inter-VLAN traffic being inspected by IDS/IPS.

Yes. UniFi Express supports up to 5 VLANs and includes the full UniFi Network controller. The configuration is identical to larger deployments — Settings → Networks → Create New Network. Its 1 Gbps throughput is shared across all VLANs, so plan accordingly for high-bandwidth use cases.

Any unused ID in the 2–4094 range works. A common convention is to use VLAN 30 or 100 for guest traffic to keep it visually distinct from primary VLANs. More important than the ID is ensuring the guest network has the 'Guest Network' checkbox enabled in UniFi, which activates client isolation and blocks access to all other VLANs automatically.

mDNS (multicast DNS) is link-local and does not cross Layer 3 boundaries by default. Enable mDNS repeating on each network under Settings → Networks → [network] → Advanced → Enable mDNS. This configures UniFi to proxy mDNS announcements between VLANs so that service discovery works without opening full inter-VLAN routing.

Minimally. Each VLAN-backed SSID adds a small amount of management overhead (beacon frames, association table entries) to the access point radio. A practical limit for home and small-office deployments is 3–4 active SSIDs per radio band per AP. Beyond that, airtime contention starts to impact throughput. Prefer fewer SSIDs and use wired VLAN segmentation for devices that can be wired.