Setting up a UniFi network can be a complex task, but with the right configurations, it is possible to create a secure, efficient, and well-organized network. The following guide outlines essential settings for VLANs, switch ports, Wi-Fi SSIDs, and AP configurations. Whether managing a small office or a smart home, these tips can help optimize network performance and security.
VLAN Configuration
To create VLANs on your UniFi platform, click on the Settings cog in the bottom left corner. Navigate to the Network section to access the VLAN settings.
To create a VLAN, follow these steps:
- Click on the "New Virtual Network" button.
- Give the VLAN a name.
- Select your router.
- Uncheck the "Auto-Scale Network" option. This is important for selecting the IP address range.
Note: You can use the standard 192.168.X.0 format, where X matches the VLAN ID. This helps easily identify the VLAN.
- In the "Gateway IP/Subnet" field, select your IP range and netmask. The netmask can typically be /24 (255.255.255.0), which supports 254 devices. Change this only if you need more or fewer devices on the VLAN. The Gateway IP, Broadcast IP, Usable IP, IP range, and subnet mask will be displayed.
- Under "Advanced Options," change "Auto" to "Manual."
- Set the VLAN ID to match the third octet of your IP range. For example, if your IP is 192.168.5.0/24, set the VLAN ID to 5.
- Ensure "Allow internet access" is set to true. All other settings can remain at their default values.
Following these steps will help you properly configure a VLAN on your UniFi network.
Create VLANs:
- Default VLAN: For Switch and AP ports only. Avoid using this for normal network IPs if you need separation.
- Private VLAN: For the private network, excluding IoT devices. This can include all other devices.
- IoT VLAN: Specifically for IoT devices.
Note:
- Match VLAN ID with Subnet ID for easier configuration.
- Example: VLAN ID 20 corresponds to Subnet 10.10.20.0/24 (default subnet mask 255.255.255.0, supports 254 devices).
Example VLAN Setup:
- System/Default: VLAN ID 1, Subnet 192.168.1.0/24 (only for connecting APs and Switches, not for normal network IPs).
- Private: VLAN ID 20, Subnet 10.10.20.0/24.
- IoT: VLAN ID 50, Subnet 10.10.50.0/24.
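The plan above can be checked offline before it is typed into the controller. The script below is an added example, not part of the original guide and not UniFi code: it verifies the "VLAN ID equals third octet" convention, the 254-host figure for a /24, and that no two subnets overlap. The `check_plan` and `usable_hosts` names and the widened "Cameras" plan are constructed for illustration.

```python
# Added example: checks a VLAN plan against the guide's conventions.
from ipaddress import ip_network
from itertools import combinations

# (name, VLAN ID, subnet) taken from the guide's example setup.
GUIDE_PLAN = [
    ("System/Default", 1, "192.168.1.0/24"),
    ("Private", 20, "10.10.20.0/24"),
    ("IoT", 50, "10.10.50.0/24"),
]

def usable_hosts(subnet):
    """Host addresses left after removing network and broadcast."""
    return ip_network(subnet).num_addresses - 2

def check_plan(plan):
    """Return a list of readable problems; an empty list means a clean plan."""
    problems = []
    for name, vid, subnet in plan:
        net = ip_network(subnet)  # raises ValueError if host bits are set
        if not 1 <= vid <= 4094:  # valid 802.1Q VLAN ID range
            problems.append(f"{name}: VLAN ID {vid} outside 1-4094")
        third = int(str(net.network_address).split(".")[2])
        if third != vid:
            problems.append(f"{name}: VLAN ID {vid} != third octet {third}")
        if net.prefixlen < 24:
            # Wider than /24 spans several third-octet values, so the
            # "VLAN ID = third octet" shortcut no longer identifies it.
            problems.append(f"{name}: /{net.prefixlen} spans multiple third octets")
    for (n1, _, s1), (n2, _, s2) in combinations(plan, 2):
        if ip_network(s1).overlaps(ip_network(s2)):
            problems.append(f"{n1} overlaps {n2}")
    return problems

if __name__ == "__main__":
    print(check_plan(GUIDE_PLAN))  # the guide's plan
    # Constructed variation: Private widened to /23, plus a new VLAN 21.
    widened = [("Private", 20, "10.10.20.0/23"), ("Cameras", 21, "10.10.21.0/24")]
    for problem in check_plan(widened):
        print(problem)
```

The widened plan shows why the netmask should only be changed deliberately: a /23 on 10.10.20.0 also covers 10.10.21.x, so it collides with any VLAN later placed there.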
Note: It's perfectly fine not to use VLANs on your network. VLANs are an additional feature to help you separate your private network and IoT devices into two distinct subnets, enhancing security and organization. If you choose not to implement VLANs, ensure that the System/Default VLAN is always assigned to switch ports and devices to maintain proper network functionality. This approach keeps your network straightforward while still providing effective management of your devices. Remember, using VLANs can add an extra layer of control, but it's not a necessity for every setup.
Switch Port Configuration
- Switch to Switch Port: Allocate to System VLAN.
- Switch to AP Port: Allocate to System VLAN.
To configure device ports, navigate to the UniFi devices page, located third from the top on the left-hand side menu. Click on "Switch" and then select "Port Manager."
Next, locate the port connected to your Access Point or another switch. Ensure that the Native VLAN/Network is configured to use the Default/System VLAN.
Note: Ensure that your Native VLAN/Network is correctly set for switches and access points. This configuration is crucial to enable access points to communicate with IoT and Private VLANs within the Default network.
Wi-Fi SSID Configuration
To find this setting, go back to the Settings cog and locate the Wi-Fi settings. Here you will be able to create your SSID.
Setup Wi-Fi SSIDs:
- Private: Assign network settings to the Private VLAN.
- IoT: Assign network settings to the IoT VLAN.
Manual Settings to Confirm:
Private SSID:
- Password: Use a strong custom password.
- Network: Private VLAN.
- Wi-Fi Band: 2.4 and 5 GHz.
- Band Steering: Enabled.
- BSS Transmission: Enabled.
- UAPSD: Enabled.
- Multicast Enhancement: Enabled.
- 802.11 DTIM Period: Auto.
- Minimum Data Rate Control: Auto.
- Security Protocol: Custom to client requirements.
- Note: These settings are specific to the client and do not affect the IoT network.
IoT SSID:
- Password: Use a strong custom password.
- Network: IoT VLAN.
- Wi-Fi Band: 2.4 GHz.
- Band Steering: Disabled.
- BSS Transmission: Disabled.
- UAPSD: Disabled.
- Multicast Enhancement: Disabled.
- 802.11 DTIM Period: Auto.
- Minimum Data Rate Control: Auto.
- Security Protocol: WPA2.
Additional Wi-Fi Settings:
- 802.11 DTIM Period for 2.4 GHz: Set to 2.
- Minimum Data Rate Control: 12-24 Mbps.
AP Settings
2.4 GHz:
- Channel Width: 20 MHz.
- Channel: Auto.
- Transmit Power: Medium to Low.
- Minimum RSSI: Disabled.
- Band Steering: Disabled.
5 GHz:
- Channel Width: 80 MHz.
- Channel: Auto.
- Transmit Power: Auto.
- Minimum RSSI: Disabled.
Additional Settings:
- IP Configuration: Use DHCP unless setting each AP to a static IP address is necessary.
When you select an access point, you can configure its 2.4 GHz and 5 GHz settings from the AP's own settings panel. If you have more than two access points, look into creating groups to make changes to multiple devices at once.
Firewall Rules
- Confirm traffic rules if isolation of the IoT network from Private and System networks is required.
- Rule: System and Private networks can communicate with IoT, but IoT should not access Private or System networks.
- Note: Ensure correct implementation to avoid blocking necessary communication between VLANs.
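The isolation rule and the warning about blocking necessary traffic can be seen in a small model. This is an added example, not part of the original guide and not UniFi's rule engine: it assumes a stateful rule list where the first matching rule wins, uses the guide's three subnets, and the rule tuples and host addresses are constructed. It contrasts a rule set that drops only new IoT-initiated connections with one that drops every IoT packet, which also discards the replies to sessions opened from the Private side.

```python
# Added example: toy first-match firewall model (not UniFi code).
from ipaddress import ip_address, ip_network

# Subnets from the guide's example VLAN setup.
NETS = {
    "System": ip_network("192.168.1.0/24"),
    "Private": ip_network("10.10.20.0/24"),
    "IoT": ip_network("10.10.50.0/24"),
}

# Ordered rules: (action, source net, destination net, connection states).
# "*" matches any network. The rule layout is constructed for illustration.
GOOD_RULES = [
    ("accept", "*", "*", {"established", "related"}),  # replies pass first
    ("drop", "IoT", "Private", {"new"}),
    ("drop", "IoT", "System", {"new"}),
    ("accept", "*", "*", {"new"}),                     # other inter-VLAN traffic
]
# Failure mode: the drops match every state and sit first, so replies to
# connections that the Private side opened are discarded as well.
BAD_RULES = [
    ("drop", "IoT", "Private", {"new", "established", "related"}),
    ("drop", "IoT", "System", {"new", "established", "related"}),
    ("accept", "*", "*", {"new", "established", "related"}),
]

def zone_of(addr):
    """Return the name of the VLAN that contains addr, or None."""
    ip = ip_address(addr)
    return next((name for name, net in NETS.items() if ip in net), None)

def decide(rules, src, dst, state):
    """First matching rule wins; unmatched traffic is dropped."""
    s, d = zone_of(src), zone_of(dst)
    for action, rule_src, rule_dst, states in rules:
        if rule_src in ("*", s) and rule_dst in ("*", d) and state in states:
            return action
    return "drop"

def session_works(rules, client, server):
    """A session needs the opening packet AND the reply to be accepted."""
    return (decide(rules, client, server, "new") == "accept"
            and decide(rules, server, client, "established") == "accept")

if __name__ == "__main__":
    phone, plug = "10.10.20.15", "10.10.50.30"  # constructed sample hosts
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "Private->IoT:", session_works(rules, phone, plug),
              "IoT->Private:", session_works(rules, plug, phone))
```

After applying the real rules, the same two checks are worth repeating by hand: open a connection from a Private client to an IoT device, then confirm that an IoT device cannot open one in the other direction.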
Configuring VLANs, optimizing Wi-Fi settings, and adjusting firewall rules are essential for ensuring performance, security, and seamless connectivity across your devices. If you encounter any issues or have more questions, don't hesitate to seek further guidance from the community - https://community.shelly.cloud/topic/1440-unifi-wi-fi-settings-and-shelly-devices/#comment-6762