VLANs Mark 3
My second attempt at applying VLANs has been generally successful and since then I have been iterating to improve it. Notably I have:
- Reduced the size of the VLAN subnets to something less wildly excessive
- Added a Work VLAN to isolate my work laptop from the rest of the network while working from home.
- Added a Perimeter VLAN which contains devices such as Sonos speakers that are more trusted than random IoT devices but which I still don’t want on the primary VLAN.
Networks
Network | VLAN | Subnet |
---|---|---|
LAN | 1 | 192.168.1.1/22 |
IoT | 20 | 192.168.20.1/22 |
Work | 30 | 172.16.6.1/24 |
Perimeter | 40 | 192.168.40.1/22 |
This table shows the configuration of each of the networks and the associated VLAN ID. I’m also using the default UniFi guest network which is automatically managed.
Firewall
The LAN firewall rules have been somewhat expanded to account for these new VLANs. Notable features:
- LAN can establish connections into IoT and Perimeter
- Perimeter can make connections to LAN and IoT[^1] on specific TCP and UDP ports so Sonos equipment works
- Traffic between Work and all other VLANs is rejected in both directions
Rule | Name | Action | Enabled | Source | Destination | Advanced |
---|---|---|---|---|---|---|
2000 | All established/related | Accept all | true | Any | Any | Match Established Match Related |
2001 | Accept all NTP requests IPv4 | Accept all | true | IPv4: 192.168.0.0/16 | Ports: 123 | |
2002 | Local to Work deny | Drop all | true | IPv4: 192.168.0.0/16 | Network Work (IPv4 Subnet) | |
2003 | Work to Local deny | Drop all | true | Network Work (IPv4 Subnet) | IPv4: 192.168.0.0/16 | |
2004 | LAN allow | Accept all | true | Network LAN (IPv4 Subnet) | Any | Match New Match Established Match Related |
2005 | Drop invalid | Drop all | true | Any | Any | Match Invalid |
2006 | IoT to LAN deny | Reject all | true | Network IoT (IPv4 Subnet) | Network LAN (IPv4 Subnet) | |
2007 | IoT to Perimeter deny | Reject all | true | Network IoT (IPv4 Subnet) | Network Perimeter (IPv4 Subnet) | |
2008 | Sonos UDP allow | Accept udp | true | Network Perimeter (IPv4 Subnet) | Ports: 1901 1900 6969 | |
2009 | Sonos TCP allow | Accept tcp | true | Network Perimeter (IPv4 Subnet) | Ports: 3400 3401 3500 | |
2010 | Perimeter to LAN deny | Reject all | true | Network Perimeter (IPv4 Subnet) | Network LAN (IPv4 Subnet) | |
2011 | Perimeter to IoT deny | Reject all | true | Network Perimeter (IPv4 Subnet) | Network IoT (IPv4 Subnet) | |
2012 | IoT allow | Accept all | true | Network IoT (IPv4 Subnet) | Any | Match New Match Established Match Related |
2013 | Perimeter allow | Accept all | true | Network Perimeter (IPv4 Subnet) | Any | Match New Match Established Match Related |
2014 | Work allow | Accept all | true | Network Work (IPv4 Subnet) | Any | |
2015 | Local deny | Drop all | true | Any | Network LAN (IPv4 Subnet) | Match New |
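As an added example that is not from the post or from UniFi, the following Python models the rules above as an ordered list evaluated first-match, the way a controller walks a rule set for the first packet of a new connection. It assumes first-match semantics and leaves out the stateful rules 2000 and 2005, which only act on packets of already-tracked connections. Tracing a Perimeter-to-IoT connection on TCP 3400 shows the ordering effect noted in the bullets: rule 2009 accepts it before rule 2011 is ever reached.

```python
import ipaddress

# Subnets from the Networks table (prefix lengths as the author configured them).
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.1/22", strict=False),
    "IoT": ipaddress.ip_network("192.168.20.1/22", strict=False),
    "Work": ipaddress.ip_network("172.16.6.1/24", strict=False),
    "Perimeter": ipaddress.ip_network("192.168.40.1/22", strict=False),
}
LOCAL = ipaddress.ip_network("192.168.0.0/16")  # "Local Networks IPv4" group
SONOS_UDP = {1901, 1900, 6969}
SONOS_TCP = {3400, 3401, 3500}

# (rule id, action, protocol or None for any, source, destination, dst ports or None),
# in controller order. Only rules that can match a new connection are modelled.
RULES = [
    (2001, "accept", None,  LOCAL,             "any",             {123}),
    (2002, "drop",   None,  LOCAL,             NETS["Work"],      None),
    (2003, "drop",   None,  NETS["Work"],      LOCAL,             None),
    (2004, "accept", None,  NETS["LAN"],       "any",             None),
    (2006, "reject", None,  NETS["IoT"],       NETS["LAN"],       None),
    (2007, "reject", None,  NETS["IoT"],       NETS["Perimeter"], None),
    (2008, "accept", "udp", NETS["Perimeter"], "any",             SONOS_UDP),
    (2009, "accept", "tcp", NETS["Perimeter"], "any",             SONOS_TCP),
    (2010, "reject", None,  NETS["Perimeter"], NETS["LAN"],       None),
    (2011, "reject", None,  NETS["Perimeter"], NETS["IoT"],       None),
    (2012, "accept", None,  NETS["IoT"],       "any",             None),
    (2013, "accept", None,  NETS["Perimeter"], "any",             None),
    (2014, "accept", None,  NETS["Work"],      "any",             None),
    (2015, "drop",   None,  "any",             NETS["LAN"],       None),
]

def _matches(selector, addr):
    """A selector is either the literal "any" or an ip_network."""
    return selector == "any" or addr in selector

def evaluate(src, dst, proto, dport):
    """Return (rule id, action) of the first rule matching a new connection,
    or (None, "default") when no rule in the list applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rid, action, rproto, rsrc, rdst, ports in RULES:
        if rproto is not None and rproto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        if _matches(rsrc, s) and _matches(rdst, d):
            return rid, action
    return None, "default"
```

Addresses such as 192.168.40.50 used when calling `evaluate` are constructed hosts inside the post's subnets, not devices from the post.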
I have a few firewall rule groups to make managing ports and address ranges easier.
Name | Type | Members |
---|---|---|
NTP Port | Port Group | 123 |
Local Networks IPv4 | IPv4 Address/Subnet | 192.168.0.0/16 |
Sonos UDP | Port Group | 1901 1900 6969 |
Sonos TCP | Port Group | 3400 3401 3500 |
Issues
This has been running pretty smoothly since it was configured. It’s also survived a hardware transition from a UniFi Security Gateway to a UniFi Dream Machine Pro. There have only been a couple of glitches:
- My Philips Hue bridge[^2] had a habit of rebooting periodically, causing brief loss of control of the lights. I’m not sure whether this is a consequence of it being VLANed, but the current firmware seems more stable and the problem seems to have been resolved.
- The Sonos S2 app doesn’t work even if you open all their documented ports. No idea why, but it adds nothing I need and my next setup won’t be Sonos anyway, so it’s not a big deal for me. The Sonos S1 app works and I don’t use it enough to find their constant upselling[^3] more than a mild annoyance. I don’t stream to Sonos devices, so whether that’s functional in this setup is not of interest to me.
Documenting the configuration
All the tables in this post were generated by the UniFi Markdown Extractor I wrote as a test application for my UniFi client library.
[^1]: I’ve just noticed this is a consequence of the rule ordering but it’s harmless in this case.
[^2]: Hue bridges are in my experience prone to issues up to and including just not working out of the box.
[^3]: Repeatedly pushing your new products in the app for the existing products is a good way to get me to consider alternatives.