
Bullet Proof VLAN for Home Automation

  • #71699
    kirangohel
    GOLD Member

    Hello my old friends. I hope you all are very well.

    I’ve missed you guys and I’ve missed my passion for tech.

    This is a custom VLAN setup for my house which anybody can replicate in their own house, using the groups in 1.1 to figure out where each component should sit in their network. I hope it helps. I’ve obviously changed the IP addresses and VLAN IDs for this public guide lol…

    We Still Going… 🍕🍦

    UniFi VLAN Setup Guide for My B&O Home…

    Overview

    This guide walks you through setting up a secure, segmented network for your home automation system using VLANs on your UniFi equipment. By the end, your IoT devices, security cameras, control systems, and management devices will be properly isolated while still able to communicate where needed.

    1. Network Architecture Plan

    1.1 VLAN Structure

    VLAN ID | Name            | Subnet          | Purpose                  | Devices
    --------|-----------------|-----------------|--------------------------|-----------------------------------------------
    1       | Default / LAN   | 192.168.1.0/24  | Legacy (to migrate off)  | –
    5       | Control Systems | 192.168.5.0/24  | Automation controllers   | Home Assistant, BLI PRO, Beolink Gateway
    10      | Management      | 192.168.10.0/24 | Trusted user devices     | Wall iPads, phones, tablets, computers, Apple Watch
    20      | IoT             | 192.168.20.0/24 | Smart home devices       | All B&O, LG TVs, DoorBird, Lutron, Echo Dots, thermostats, ACs, Bosch coffee machine
    30      | Security        | 192.168.30.0/24 | Surveillance equipment   | Hikvision NVR & cameras, UniFi Protect cameras

    2. Phase 1: Prepare Your Network

    Pre-Setup Checklist

    – Back up current UniFi configuration: Settings → System → Backup

    – Document all current device IP addresses

    – Ensure you have physical access to the UniFi controller

    – Schedule changes during low-usage time (devices will disconnect)

    – Have a computer connected via Ethernet for recovery

    Important: You can lock yourself out if not careful. Keep one wired management device on the default network until everything is working.

    3. Phase 2: Create VLANs

    3.1 Access UniFi Controller

    – Log into your UniFi controller (http://[controller-ip] or UniFi app).

    – Go to Settings (gear icon).

    3.2 Create Control Systems VLAN (VLAN 5)

    Settings → Networks → Create New Network / New Virtual Network

    – Name: Control Systems

    – Network type: Corporate

    – Router: UniFi Gateway

    – VLAN ID: 5

    – Gateway IP/Subnet: 192.168.5.1/24

    – DHCP: Server, range 192.168.5.10 – 192.168.5.250

    – Domain name: default or control.home

    – Multicast DNS: Enabled

    – IGMP Snooping: Enabled

    – Auto Scale Network: Disabled

    3.3 Create Management VLAN (VLAN 10)

    – Name: Management

    – VLAN ID: 10

    – Gateway IP/Subnet: 192.168.10.1/24

    – DHCP range: 192.168.10.10 – 192.168.10.250

    – Multicast DNS: Enabled

    – IGMP Snooping: Enabled

    3.4 Create IoT VLAN (VLAN 20)

    – Name: IoT

    – VLAN ID: 20

    – Gateway IP/Subnet: 192.168.20.1/24

    – DHCP range: 192.168.20.10 – 192.168.20.250

    – Multicast DNS: Enabled (critical for Beolink, AirPlay, Chromecast)

    – IGMP Snooping: Enabled

    3.5 Create Security VLAN (VLAN 30)

    – Name: Security

    – VLAN ID: 30

    – Gateway IP/Subnet: 192.168.30.1/24

    – DHCP range: 192.168.30.10 – 192.168.30.250

    – Multicast DNS: Disabled

    – IGMP Snooping: Enabled

    4. Phase 3: Multicast DNS (mDNS) Configuration

    4.1 Global mDNS

    Settings → Services → Multicast DNS

    – Enable Multicast DNS: On

    – Service Filter (if present): enable

    – AirPlay

    – Chromecast

    – HomeKit

    – Spotify Connect

    – Sonos (if used)

    – Or simply “All” if available

    4.2 Per-Network mDNS

    Settings → Networks → [each network] → Advanced

    – Control Systems: mDNS On

    – Management: mDNS On

    – IoT: mDNS On

    – Security: mDNS Off

    5. Phase 4: Firewall Groups

    Firewall groups simplify rule management.

    5.1 Navigate

    Settings → Security / Firewall & Security → Create New Group

    5.2 Address Groups

    – Home-Assistant: 192.168.5.10

    – BLI-PRO: 192.168.5.11

    – DNS-Servers: 192.168.5.1, 1.1.1.1, 8.8.8.8

    – NTP-Servers: 192.168.5.1, time.google.com, time.cloudflare.com

    – Hikvision-NVR: 192.168.30.10

    – Management-Network: 192.168.10.0/24

    – IoT-Network: 192.168.20.0/24

    – Control-Network: 192.168.5.0/24

    5.3 Port Groups

    – Home-Assistant-Ports: 8123, 1883, 5353

    – MQTT-Ports: 1883, 8883

    – Chromecast-Ports: 8008, 8009, 5556, 5558, 5353

    – Web-Ports: 80, 443, 8080, 8443

    – Camera-Ports: 554, 8000, 8554, 8555

    – Core-Services: 53, 123

    6. Phase 5: Firewall Rules (LAN IN)

    Rules are processed top-to-bottom. Allow rules must be above block rules.

    Recommended Order

    1. Allow established & related

    2. Allow specific IoT → Control Systems

    3. Allow IoT → Internet services

    4. Allow Management → all

    5. Allow Control → IoT/Security

    6. Block IoT → Management

    7. Block IoT → Control

    8. Block IoT → Security

    9. Block Security → others (except explicit allows)

    Key Rule Examples

    – Allow Established/Related: Source any, Destination any, Match state Established + Related.

    – Allow IoT → Home Assistant: Source IoT, Destination Home-Assistant, Ports Home-Assistant-Ports.

    – Allow IoT → BLI PRO: Source IoT, Destination BLI-PRO, Ports Web-Ports.

    – Allow IoT → DNS: Source IoT, Destination DNS-Servers, Port 53.

    – Allow IoT → NTP: Source IoT, Destination NTP-Servers, Port 123.

    – Allow IoT → Internet: Source IoT, Destination WAN/Internet.

    – Allow Control → IoT: Source Control-Network, Destination IoT-Network.

    – Allow Control → Security: Source Control-Network, Destination Security VLAN.

    – Allow Management → All: Source Management-Network, Destination any.

    – Allow Security → Internet: Source Security VLAN, Destination WAN/Internet.

    – Block IoT → Management: Source IoT-Network, Destination Management-Network, Action Drop, Logging On.

    – Block IoT → Control: Source IoT-Network, Destination Control-Network, Action Drop.

    – Block IoT → Security: Source IoT-Network, Destination Security VLAN, Action Drop.

    – Block Security → Management/IoT/Control: Source Security VLAN, Destination respective VLANs, Action Drop.

    7. Phase 6: Assign Devices to VLANs

    7.1 WiFi Networks → VLANs

    IoT WiFi

    Settings → WiFi → Add new

    – SSID: YourHome-IoT

    – Password: strong

    – Network: IoT (VLAN 20)

    – Band: 2.4 GHz

    – Advanced: enable Multicast enhancement, BSS Transition, UAPSD

    Management WiFi

    – SSID: YourHome-Secure

    – Password: strong

    – Network: Management (VLAN 10)

    – Band: 2.4 + 5 GHz

    7.2 Switch Ports

    Devices → Switch → Ports → [port]

    – Uplink ports (between switches / gateway): Network/VLAN = All

    – AP ports: Network/VLAN = All

    – End devices: Network/VLAN = specific VLAN:

    – Control Systems devices → Control Systems (5)

    – Wall iPads → Management (10)

    – B&O wired equipment → IoT (20)

    – NVR → Security (30)

    7.3 Device / MAC Assignments

    Control Systems (192.168.5.x)

    – Home Assistant Green: 192.168.5.10

    – BLI PRO: 192.168.5.11

    – Beolink Gateway: 192.168.5.12

    Management (192.168.10.x)

    – Wall iPad – Entry: 192.168.10.21

    – Wall iPad – Landing: 192.168.10.22

    – Wall iPad – Kitchen: 192.168.10.23

    – Wall iPad – Loft: 192.168.10.24

    IoT (192.168.20.x)

    – DoorBird: 192.168.20.30

    – Lutron processor: 192.168.20.40

    – BeoSound Cores: 192.168.20.50–70

    – LG TVs: 192.168.20.71–90

    – Thermostats: 192.168.20.91–100

    – Echo Dots & other IoT: DHCP

    Security (192.168.30.x)

    – Hikvision NVR: 192.168.30.10

    – Hikvision cameras: 192.168.30.11–25

    – UniFi Protect cameras: 192.168.30.26–40

    8. Phase 7: Testing & Troubleshooting

    Connectivity checks

    – From Management devices:

    – Reach Home Assistant: http://192.168.5.10:8123

    – Reach BLI PRO: https://192.168.5.11

    – View Hikvision / UniFi Protect cameras

    – IoT devices:

    – Alexa / cloud services work (IoT → Internet)

    – Security:

    – NVR sees all cameras

    Automation checks

    – Home Assistant discovers B&O devices, LG TVs, Lutron bridges / processors

    – BLI PRO controls B&O equipment

    – DoorBird events reach Home Assistant / BLI

    Security checks

    – From an IoT device, ping a Management device: should fail

    – Try to access a Management IP from IoT: should be blocked

    9. Phase 8: Advanced Configuration

    Echo Dots in Ceilings (Power)

    – PoE + USB adapters: PoE switch/injector → PoE–USB-C splitter in ceiling.

    – In-ceiling outlets: shallow back box + USB PSU in ceiling.

    – Low-voltage DC: central 12 V PSU → low-voltage runs → DC–DC buck converters to 5 V USB.

    DoorBird Integration (after VLANs stable)

    – Configure DoorBird HTTP callbacks to Home Assistant

    – Automations: doorbell press → pause all TVs / mute audio / show camera

    – Lutron: scenes to open/close gate via DoorBird relay

    – HA dashboard: gate open/close buttons

    10. Maintenance & Best Practices

    Regular checks

    – Review firewall logs monthly

    – Keep UniFi firmware updated (controller & gateway)

    – Document new devices and VLAN assignments

    – Re-test key automations after major network changes

    Security

    – Change default passwords on all IoT devices

    – Disable unused services on IoT

    – Keep Home Assistant, BLI PRO and controllers updated

    – Restrict Internet access for devices that do not need it

    Backups

    – Export UniFi configuration monthly

    – Keep an offline copy of backups

    – Maintain a documented firewall rule list

    – Maintain an IP/VLAN planning sheet

    Rollback Plan

    – Immediate rollback: Settings → System → Restore → choose backup from before VLAN changes.

    – Partial rollback: disable problematic rules, or move devices back to default network while you debug.

    – Emergency access: wired connection directly to gateway and access controller via IP; disable rules if needed.
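As an added example (not part of the post above), here is a small Python model of the section 6 LAN IN rule set, evaluated first-match top-to-bottom the way the gateway processes it, so the "allow rules above block rules" ordering can be checked offline before touching the controller: the same rules with the Block rules moved above the specific allows cut IoT devices off from Home Assistant. The VLAN, group and port names are the post's; the rule tuple layout and the reduced rule subset are assumptions of this example.

```python
import ipaddress

# Address and port groups from the post (sections 5.2/5.3); a constructed subset.
NET = {n: ipaddress.ip_network(c) for n, c in {
    "Control": "192.168.5.0/24", "Management": "192.168.10.0/24",
    "IoT": "192.168.20.0/24", "Security": "192.168.30.0/24"}.items()}
HOSTS = {"Home-Assistant": {"192.168.5.10"},
         "DNS-Servers": {"192.168.5.1", "1.1.1.1", "8.8.8.8"}}
PORTS = {"Home-Assistant-Ports": {8123, 1883, 5353}, "DNS": {53}}

def matches(ip, selector):
    """selector is 'any', a VLAN name in NET, or a host-group name in HOSTS."""
    if selector == "any":
        return True
    if selector in NET:
        return ipaddress.ip_address(ip) in NET[selector]
    return ip in HOSTS[selector]

# LAN IN rules in the post's recommended order: (name, src, dst, ports, action).
# ports=None means any port; the "est" rule matches only non-new connections.
RULES = [
    ("Allow Established/Related", "any", "any", "est", "accept"),
    ("Allow IoT -> Home Assistant", "IoT", "Home-Assistant", "Home-Assistant-Ports", "accept"),
    ("Allow IoT -> DNS", "IoT", "DNS-Servers", "DNS", "accept"),
    ("Allow Management -> All", "Management", "any", None, "accept"),
    ("Allow Control -> IoT", "Control", "IoT", None, "accept"),
    ("Block IoT -> Management", "IoT", "Management", None, "drop"),
    ("Block IoT -> Control", "IoT", "Control", None, "drop"),
    ("Block IoT -> Security", "IoT", "Security", None, "drop"),
    ("Block Security -> Management", "Security", "Management", None, "drop"),
    ("Block Security -> IoT", "Security", "IoT", None, "drop"),
    ("Block Security -> Control", "Security", "Control", None, "drop"),
]
# The same rules with every Block rule placed above the specific allows.
MISORDERED = [RULES[0]] + RULES[5:] + RULES[1:5]

def verdict(src, dst, dport, state="new", rules=RULES):
    """First matching rule wins. Traffic matching no rule is accepted, which is
    the gateway's LAN IN default and the reason the explicit Block rules exist."""
    for name, s, d, ports, action in rules:
        if ports == "est":
            if state != "new":
                return action, name
            continue
        if not (matches(src, s) and matches(dst, d)):
            continue
        if ports is not None and dport not in PORTS[ports]:
            continue
        return action, name
    return "accept", "default"
```

Run the section 8 "Security checks" against the model by calling `verdict()` with an IoT source and a Management destination: a drop from "Block IoT -> Management" is the expected result, and a reply packet with `state="established"` is still accepted by the first rule.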
