Creating IsoLANs with UniFi - Part 1: IoT Isolation


There are a number of reasons why someone might want to set up isolated LANs within their home network. For the average consumer, the most common use of IsoLANs is to cordon IoT devices off from the main network. With the IoT devices in their own network, the firewall can be configured so that these often poorly secured devices cannot initiate connections to the more sensitive devices on the main LAN. As with all security controls, it's important to balance usability with security, so we want to ensure that devices located on the main LAN can still interact with IoT devices when required.

In further articles, I will also expand on using this method to support the secure, isolated communication between devices hosted in an Unraid Virtual Lab, a Raspberry Pi swarm, and select devices on the LAN.

Setting up an IoT IsoLAN on a UniFi Security Gateway

  1. Login to the UniFi Management Interface and open the Settings menu
  2. First, we want to create a new Local Area Network (LAN) for our IoT devices, configure our wireless APs to broadcast that IoT LAN, and then enable Multicast DNS so that service discovery (Chromecast, AirPlay, printers and the like) still works across the VLAN boundary. Note that the mDNS reflector repeats multicast advertisements in both directions, so IoT devices will also see the names of services on the main LAN; the firewall rules below are what stop them from connecting to those services.
    1. Select Networks
      1. Select Create New Network
      2. Name the new Network
      3. Ensure Corporate is selected as the Purpose
      4. Set the VLAN field to your desired VLAN ID (e.g. 20)
      5. Set the Gateway IP/Subnet to the gateway address and subnet for the new network (e.g. 192.168.20.1/24)
      6. Set the DHCP Range to a range within that subnet (e.g. 192.168.20.100 to 192.168.20.254)
      7. Click Save
    2. Select Wireless Networks
      1. Select Create New Wireless Network
      2. Name the new Wireless Network
      3. Expand the Advanced Options section
      4. Check Use VLAN and provide the corresponding VLAN ID from Step 2.1.4
      5. Personally, I turn on the Prevent this SSID from being broadcast option. Hiding the SSID is obscurity rather than a security control (clients still send it in probe requests), so rely on the VLAN and the firewall rules for isolation
      6. Click Save
    3. Select Services
      1. Select MDNS
      2. Enable Multicast DNS
      3. Select Apply
  3. Next, we'll create the Firewall Rules to allow devices on the main LAN to establish connections to devices on the IoT LAN, while not allowing devices on the IoT LAN to initiate connections in the other direction. Only replies to connections the main LAN opened are let back through.
    1. Select Routing and Firewall
      1. Select Firewall from the top menu
      2. Select LAN IN. This is the chain for traffic entering the gateway from a LAN interface to be routed to another network, which is what inter-VLAN traffic is. LAN LOCAL only sees traffic addressed to the gateway itself, so rules placed there would never match IoT to LAN traffic.
      3. Select Create New Rule
        1. Name the Rule IoT->LAN: Deny All
        2. Ensure Before predefined rules is selected
        3. Set the Action to Drop
        4. For IPv4 Protocol, we want All selected
        5. Set the Source Type to Network and select your IoT LAN from the drop-down
        6. Set the Destination Type to Network and select your LAN from the drop-down
        7. Select Save
      4. Select Create New Rule
        1. Name the Rule IoT->LAN: Allow Established/Related
        2. Ensure Before predefined rules is selected
        3. Set the Action to Accept
        4. For IPv4 Protocol, we want All selected
        5. Under States, check Established and Related only; leave New and Invalid unchecked. If no state is ticked the rule matches every packet, which would let IoT devices open new connections to the LAN and make the Deny All rule beneath it unreachable
        6. Set the Source Type to Network and select your IoT LAN from the drop-down
        7. Set the Destination Type to Network and select your LAN from the drop-down
        8. Select Save
    2. Ensure the "Allow" rule is higher up than the "Deny All" rule. Rules are evaluated top to bottom and the first match wins, so traffic that meets the conditions of the "Allow" rule (replies within connections the main LAN opened) goes through, and everything else from the IoT LAN to the main LAN is dropped. No rule is needed in the LAN to IoT direction, because routed traffic that matches no rule is accepted by default. Note that this pair only governs IoT to main LAN traffic: IoT devices can still reach the internet and the gateway itself, and any further VLAN you add later needs its own pair of rules.
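To make the effect of rule order and the state match concrete, the following is a toy Python model of how a first-match, connection-tracking firewall evaluates the two LAN IN rules above. It is an added example written for this article, not UniFi, USG or Ubiquiti code, and it does not talk to a gateway; the subnets 192.168.1.0/24 and 192.168.20.0/24, the laptop and camera addresses, and the ports are all assumed for illustration. It replays three packets (a LAN host opening a session to an IoT device, the IoT device's reply, and the IoT device opening a session of its own) against the correct ruleset, a misordered one, and one where the States boxes were left unticked.

```python
"""Toy stateful model of the IoT->LAN rules (added example, not UniFi code).

First matching rule wins, unmatched packets take the chain's default action,
and 'established/related' is a connection-tracking state, not a packet field.
All addresses, ports and subnets are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

IOT_NET = ip_network("192.168.20.0/24")  # assumed IoT VLAN subnet
LAN_NET = ip_network("192.168.1.0/24")   # assumed main LAN subnet
ANY_STATE = frozenset({"new", "established", "related", "invalid"})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    states: frozenset = ANY_STATE  # UniFi: no state ticked means match all


class StatefulFirewall:
    """Evaluates rules top to bottom; keeps a toy conntrack table of accepted flows."""

    def __init__(self, rules, default="accept"):
        self.rules = rules
        self.default = default     # LAN IN accepts routed traffic by default
        self.flows = set()

    @staticmethod
    def _flow_key(pkt):
        # Direction-independent key so a reply maps onto the flow it belongs to.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        state = "established" if self._flow_key(pkt) in self.flows else "new"
        verdict = self.default
        for rule in self.rules:
            if (ip_address(pkt.src) in rule.src
                    and ip_address(pkt.dst) in rule.dst
                    and state in rule.states):
                verdict = rule.action
                break
        if verdict == "accept":
            self.flows.add(self._flow_key(pkt))  # only accepted packets create flows
        return verdict


ALLOW_REPLIES = Rule("IoT->LAN: Allow Established/Related", "accept",
                     IOT_NET, LAN_NET, frozenset({"established", "related"}))
DENY_ALL = Rule("IoT->LAN: Deny All", "drop", IOT_NET, LAN_NET)

# Rulesets as they would appear in LAN IN, top to bottom.
CORRECT_RULES = [ALLOW_REPLIES, DENY_ALL]
MISORDERED_RULES = [DENY_ALL, ALLOW_REPLIES]          # Deny placed above Allow
STATELESS_RULES = [Rule(ALLOW_REPLIES.name, "accept", IOT_NET, LAN_NET),
                   DENY_ALL]                          # States left unticked


def run(rules):
    """Replay three constructed packets and return the verdict for each."""
    fw = StatefulFirewall(rules)
    laptop, camera = "192.168.1.10", "192.168.20.5"   # assumed hosts
    return {
        # 1. laptop on the main LAN opens an RTSP session to the IoT camera
        "lan_to_iot_new": fw.process(Packet(laptop, 50000, camera, 554)),
        # 2. the camera's reply: same flow, reverse direction
        "iot_reply": fw.process(Packet(camera, 554, laptop, 50000)),
        # 3. the camera tries to open its own connection to the laptop
        "iot_to_lan_new": fw.process(Packet(camera, 40000, laptop, 22)),
    }


if __name__ == "__main__":
    for label, rules in [("correct", CORRECT_RULES),
                         ("misordered", MISORDERED_RULES),
                         ("stateless allow", STATELESS_RULES)]:
        print(f"{label:16} {run(rules)}")
```

With the correct ordering the reply is accepted and the camera's own connection attempt is dropped; with Deny above Allow the reply is dropped too, which is the "my IoT devices stopped responding" symptom; with the States boxes unticked the Allow rule swallows everything and the camera can reach the laptop freely. The equivalent check on the real network is to connect from a device on the IoT VLAN to a host on the main LAN and confirm it times out, while a session opened from the main LAN to that IoT device keeps working.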
