How to Set Up VLANs on a Unifi Dream Machine
If every device on your network shares the same broadcast domain, you're leaving performance and security on the table. VLANs (Virtual Local Area Networks) let you split one physical network into multiple isolated segments — and the Unifi Dream Machine makes it straightforward to set up.
Whether you're separating IoT devices from your main network, isolating guest Wi-Fi, or building out a home lab, this guide walks you through the entire process.
What Is a VLAN and Why Does It Matter?
A VLAN is a way to logically divide a single physical network into separate, isolated networks. Devices on one VLAN can't talk directly to devices on another VLAN: traffic between them has to go through the router, where firewall rules decide what is allowed.
This matters for three reasons:
- Security — Your smart thermostat doesn't need access to your file server. VLANs keep things contained.
- Performance — Fewer devices per broadcast domain means less noise and faster communication.
- Organization — Grouping devices logically makes troubleshooting and monitoring much easier.
Common VLAN Setups
Here are the most common segments we set up for clients:
- Default / Management (VLAN 1) — Your Unifi gear, switches, and APs.
- Trusted (VLAN 10) — Personal or work devices: laptops, desktops, phones.
- IoT (VLAN 20) — Smart home devices, cameras, voice assistants.
- Guest (VLAN 30) — Visitor access with internet only, no local network access.
- Servers / Lab (VLAN 40) — Home lab, NAS, or self-hosted services.
Step 1: Create a New Network
Open your Unifi Network application and navigate to Settings → Networks. Click Create New Network.
- Give it a descriptive name (e.g., "IoT")
- Set the Router to your UDM/UDM Pro
- Under Advanced, set the VLAN ID (e.g., 20)
- Set the Gateway IP / Subnet — for example, 192.168.20.1/24
- Enable the DHCP Server so devices on this VLAN get IPs automatically
Repeat for each VLAN you want to create.
Step 2: Create Wi-Fi Networks Per VLAN
Go to Settings → WiFi and create a new wireless network for each VLAN that needs Wi-Fi access.
- Name it clearly (e.g., "Home-IoT" or "Guest")
- Under Network, select the VLAN you just created
- Set a strong password (or use an open network with a captive portal for guests)
Each SSID maps to a specific VLAN — so when a device connects to "Home-IoT", it lands on VLAN 20 automatically.
Step 3: Assign Switch Ports
For wired devices, you need to assign switch ports to VLANs. Go to Devices, select your switch, and click on a port.
- Under Port Profile, select the VLAN network you want that port to use
- For ports connecting to other switches or APs, use a Trunk / All profile so all VLANs pass through
Step 4: Set Up Firewall Rules
By default, VLANs on Unifi can still talk to each other. You'll want to create firewall rules to block inter-VLAN traffic and then allow specific exceptions.
Navigate to Settings → Firewall & Security → Firewall Rules and create a new rule:
- Type: LAN In
- Action: Drop
- Source: Your IoT network
- Destination: Your Trusted network
This blocks IoT devices from reaching your trusted devices while still allowing them to access the internet. Repeat for each VLAN pair you want to isolate.
Step 5: Test and Verify
Connect a device to each VLAN and verify:
- It gets an IP in the correct subnet (e.g., 192.168.20.x for IoT)
- It can reach the internet
- It cannot ping or access devices on other VLANs
- Any intentional exceptions (like a printer shared across VLANs) work correctly
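One way to script the Step 5 checks, as an added example that is not part of the original guide. It assumes every cross-VLAN connection should be blocked except the listed exceptions; only the IoT subnet comes from the guide, while the other subnets, the printer address, and all function names are assumptions.

```python
import ipaddress
import socket

# Constructed plan. VLAN names come from the guide; only the IoT subnet
# (192.168.20.0/24) appears there, the other subnets are assumptions.
PLAN = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "Management": "192.168.1.0/24", "Trusted": "192.168.10.0/24",
    "IoT": "192.168.20.0/24", "Guest": "192.168.30.0/24",
    "Servers": "192.168.40.0/24"}.items()}
# Intentional exceptions as (source VLAN, destination IP, TCP port).
# Hypothetical shared printer on the IoT VLAN.
ALLOWED = {("Trusted", "192.168.20.50", 9100)}

def vlan_of(ip):
    """Name of the plan VLAN containing ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in PLAN.items() if addr in net), None)

def should_connect(src_ip, dst_ip, port):
    """Expected outcome of a TCP connect under the assumed policy."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None:
        raise ValueError(f"{src_ip} is not in any planned subnet (check DHCP/VLAN)")
    if dst is None or src == dst:  # internet, or same VLAN (never routed)
        return True
    return (src, dst_ip, port) in ALLOWED

def tcp_connects(dst_ip, port, timeout=2.0):
    """Observed outcome: True if the TCP handshake completes."""
    try:
        with socket.create_connection((dst_ip, port), timeout=timeout):
            return True
    except OSError:  # timeout (dropped) or refused
        return False

def audit(src_ip, targets, probe=tcp_connects):
    """Return (dst_ip, port, expected, observed) for every policy deviation.

    Targets must be services known to be listening, otherwise a closed
    port is indistinguishable from a firewall drop.
    """
    findings = []
    for dst_ip, port in targets:
        expected, observed = should_connect(src_ip, dst_ip, port), probe(dst_ip, port)
        if expected != observed:
            findings.append((dst_ip, port, expected, observed))
    return findings
```

Run `audit()` from a device on each VLAN with that device's own address as `src_ip`; an empty list means the observed reachability matches the plan.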
Common Mistakes to Avoid
- Forgetting trunk ports — If your AP is on a non-trunk port, it won't be able to serve multiple SSIDs across VLANs.
- Not setting firewall rules — VLANs without firewall rules still allow cross-VLAN traffic by default on Unifi.
- Too many VLANs — Start simple. Three to four VLANs cover most use cases. You can always add more later.
- Locking yourself out — Always keep a device on the management VLAN so you can still access the Unifi controller.
When to Call a Professional
VLANs are powerful, but they can get complex — especially when you're dealing with inter-VLAN routing exceptions, mDNS across VLANs (for AirPlay, Chromecast, etc.), or larger environments with multiple switches and APs.
If you're not sure about your setup or want it done right the first time, that's exactly what we do.