Creating an isolated IOT network with the UniFi Dream Machine

Over the last couple of years the number of IOT devices we have at home has increased quite dramatically, and it seems every Xmas holiday we get new smart plugs or smart lights. Also, with 2 young children, I can see the number of IOT devices we have is only going to increase.

I first heard about Ubiquiti about a year ago, and straight away I was impressed at how good their networking products were. I was immediately drawn to the UniFi Dream Machine, however after reading some of the initial reviews, and with the COVID pandemic, I put everything on the back burner.

A few weeks ago, after reading some of the online reviews of the latest firmware, I decided to take the plunge and get the Dream Machine. Even though it's only been a few days, I must say I am impressed.

One of the things I wanted was a separate network for my ever expanding collection of IOT devices, which include:

  • Amazon Echos
  • Google Home mini
  • Various Smart plugs and lights
  • Ring Door Bell and Chime

The only device I had any real issue with was the Google Home Mini, but more on that later. The initial steps were as follows:

  • Create a separate network
  • Create a separate WIFI network attached to the network
  • Create some firewall rules to ensure the IOT devices are unable to communicate with any of the other networks

I already have a LAN network and WIFI set up for my normal devices, so the first step is to create a separate network: log into the UniFi controller, go to Settings, Networks and Local Network, click on “Create New Local Network” and click on the Advanced option.

Give your network a name, leave the network purpose as Corporate, enter a VLAN number, and supply a Gateway IP/Subnet and DHCP range; the rest can be left as default. Don’t forget to click “Done” at the bottom of the page.

Next, click on Wi-Fi Networks, then “Create New Wi-Fi Network”, and once again click on the Advanced option.

Once you are on the WIFI creation page, give the WIFI a name, ensure the network is enabled, select the security protocol and provide a password for the WIFI network.

Further down on the same page, under the Advanced settings section, enable VLAN usage, enter the VLAN ID you gave the new network, and click Done at the bottom of the screen.

Almost done: the IOT network has been created and associated with a WIFI network. You should now be able to add devices to this network. The last step is to ensure the IOT devices cannot communicate with the rest of the network.

Under “Internet Security” click on Firewall.

Select LAN, and click on “Create New Rule”.

Under Type of connection select LAN In. Give the rule a description, and ensure it is enabled. Under Rule Applied, select “Before Predefined Rules” and under Action select “Drop”. Under Source Type select “Network” and pick the IOT network you created earlier.

Further down on the same page, under “Destination Type” select “Network”, and lastly under “Network” select the network your normal devices are on, then click “Apply”.

Once you’ve clicked Apply you should see your new firewall rule, which will ensure the IOT devices are not able to connect to the rest of the network.
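A quick way to confirm the drop rule actually took effect is to join a laptop to the new IOT WIFI and try to reach a couple of hosts on the normal LAN. The script below is an added example (not part of the original post and not UniFi's code): the LAN addresses and ports in it are constructed placeholders you would replace with your own. The useful detail is the difference between a connection that times out and one that is refused: a drop rule produces silence, so a refused connection means the LAN host was reachable and the isolation is not in place.

```python
"""Connectivity check to confirm the IOT -> LAN drop rule took effect.
Added example, not from the original post. Run it from a device joined
to the IOT WIFI; the targets below are constructed placeholders."""
import socket
from contextlib import closing
from typing import Dict, Tuple

# Constructed targets: replace with hosts on your normal LAN. Any port that
# a LAN host would answer on will do; the point is that nothing comes back.
LAN_TARGETS = [("192.168.1.10", 22), ("192.168.1.20", 445)]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt. A drop rule gives no response, so the
    attempt times out ('filtered'); a refused connection ('closed') means the
    LAN host was reachable, i.e. the firewall rule is not doing its job."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "unreachable"   # e.g. no route from this network


def isolated(results: Dict[Tuple[str, int], str]) -> bool:
    """Isolation holds only if no LAN target answered in any way."""
    return all(state in ("filtered", "unreachable") for state in results.values())


def check_lan_isolation(targets=LAN_TARGETS, timeout: float = 2.0):
    """Probe every target and return (per-target result, overall verdict)."""
    results = {(host, port): probe(host, port, timeout) for host, port in targets}
    return results, isolated(results)


def self_check() -> Tuple[str, str]:
    """Sanity-check the classifier on this machine: a listening local port
    must read 'open', and the same port once closed must read 'closed'."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        listening = probe("127.0.0.1", port, 1.0)
    # srv is closed now, so the kernel refuses connections to that port
    refused = probe("127.0.0.1", port, 1.0)
    return listening, refused


if __name__ == "__main__":
    print("classifier self-check (open, closed):", self_check())
    results, ok = check_lan_isolation()
    for (host, port), state in results.items():
        print(f"{host}:{port} -> {state}")
    print("IOT network isolated from LAN:", ok)
```

Run it once from the IOT WIFI (expect every target to read `filtered`) and once from the normal LAN as a control (expect `open` or `closed`); if the IOT run ever shows `closed`, the traffic is being routed between the VLANs and the rule needs another look.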

I managed to set up all my IOT devices on the new IOT WIFI except for the pesky Google Home Mini.

In order to get this up and running I had to create a temporary firewall rule that allows established connections between the IOT devices and the LAN devices. This rule will be disabled later, and it will not allow communication between any new IOT device and the LAN network. The following firewall rule was configured:

  • Type: LAN In
  • Description: “give it a description”
  • Rule Applied: Before Predefined Rules
  • Action: Accept
  • Source Type: Network
  • Network: IOT-Devices
  • Destination Type: Network
  • Network: LAN

Under Advanced, enable “Match State Established” and “Match State Related” and click Apply.

You need to ensure the new rule has a lower rule index than the first rule, so that it is evaluated before the drop rule; you can do this by dragging the new rule above the original rule.
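The ordering matters because LAN In rules are evaluated top-down and the first match wins: with the accept rule sitting below the drop rule, the Google Home Mini's replies to the phone that started the setup session are dropped before the established/related match is ever reached. The model below is an added example (not UniFi's code and not from the original post) that covers both rules from this post; the subnets, addresses and rule descriptions are constructed. It only models the user-defined rules, and treats traffic that matches none of them as allowed, which is the UDM's default between VLANs and the reason the drop rule is needed in the first place.

```python
"""Model of how the UDM evaluates user-defined LAN In rules top-down.
Added illustration, not UniFi's code; subnets, addresses and rule
descriptions are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed subnets for the two networks in the post.
NETWORKS = {
    "LAN": ip_network("192.168.1.0/24"),
    "IOT-Devices": ip_network("192.168.20.0/24"),
}


@dataclass
class Rule:
    description: str
    action: str                         # "accept" or "drop"
    src_network: str                    # Source Type: Network
    dst_network: str                    # Destination Type: Network
    states: Optional[Set[str]] = None   # Advanced > Match State; None = any state
    enabled: bool = True


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    state: str                          # "new", "established" or "related"


def network_of(ip: str) -> Optional[str]:
    """Map an address to the network it belongs to (None if neither)."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the ordered rule list; the first matching enabled rule decides.
    With no match the user-defined rules impose nothing, so inter-VLAN
    traffic passes (the UDM default, which is why the drop rule exists)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if network_of(pkt.src_ip) != rule.src_network:
            continue
        if network_of(pkt.dst_ip) != rule.dst_network:
            continue
        if rule.states is not None and pkt.state not in rule.states:
            continue
        return rule.action
    return "accept"


# The two rules from the post.
DROP_IOT_TO_LAN = Rule("Block IOT to LAN", "drop", "IOT-Devices", "LAN")
ALLOW_ESTABLISHED = Rule("Allow established IOT to LAN", "accept",
                         "IOT-Devices", "LAN", {"established", "related"})

# Constructed traffic: a smart plug opening a connection to a LAN PC, a
# Google Home Mini replying to a phone on the LAN that started the setup
# session, and the phone itself opening that session.
PLUG_TO_PC = Packet("192.168.20.15", "192.168.1.10", "new")
MINI_REPLY = Packet("192.168.20.21", "192.168.1.10", "established")
PHONE_TO_MINI = Packet("192.168.1.10", "192.168.20.21", "new")


def outcomes(rules: List[Rule]) -> dict:
    """Decision for each sample packet under a given rule order."""
    return {
        "plug_to_pc": evaluate(rules, PLUG_TO_PC),
        "mini_reply": evaluate(rules, MINI_REPLY),
        "phone_to_mini": evaluate(rules, PHONE_TO_MINI),
    }


if __name__ == "__main__":
    print("accept rule below the drop rule:", outcomes([DROP_IOT_TO_LAN, ALLOW_ESTABLISHED]))
    print("accept rule dragged above it:   ", outcomes([ALLOW_ESTABLISHED, DROP_IOT_TO_LAN]))
```

In the first ordering the Mini's reply is dropped and the setup session stalls; once the accept rule is dragged above, only the reply to an existing LAN-initiated session gets through, while the smart plug's new connection to the LAN is still dropped. Note that the model never matches a packet whose source is the LAN against either rule, which is exactly why LAN devices can still reach the IOT network.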

After creating this rule, I was able to set up the Google Home Mini without any problems. After setup I disabled the new rule, and the Google Home Mini was still working without a hitch.

I hope you find this useful. There is so much more you can do with the UDM, such as:

  • Rate limit networks (Great for IOT devices)
  • Setting up Guest Networks
  • Traffic Analysis
  • WIFI Blackout Windows
  • IDS and IPS Configuration
  • Creating Honeypots on each network

The UniFi Dream Machine is a brilliant bit of kit, and if you are interested in securing your home or small office network, consider it.