This post shows out how to setup a DMZ using a VLAN with Unifi. There’s a general Unifi post on VLANs here and a good post on the topic of blocking VLAN to LAN access here
The first step is to create a new Network for the DMZ VLAN. There’s a good overview of the Unifi network types on the Ubiquiti site. Based on this we’ll be setting up a Guest network for our DMZ VLAN.
In this example, I’m going to use the following network settings:
10.0.0.0/24 - Internal LAN
10.1.1.0/24 - DMZ VLAN
To setup the new DMZ VLAN, go to Settings and create a new network with the following values and then Save the network.
| Setting | Value |
|---|---|
| Name | DMZ VLAN |
| Purpose | Corporate |
| VLAN | 3 (you choose) |
| Gateway | 10.1.1.1/24 |
| Domain Name | dmz |
| DHCP Mode | Server |
Go to Settings > Routing & Firewall > Firewall > Groups and create a new group with the following settings:
| Setting | Value |
|---|---|
| Name | Private IP’s |
| Address | 192.168.0.0/16 |
| 172.16.0.0/16 | |
| 10.0.0.0/8 |
We’ve setup our DMZ VLAN as a Unifi Guest network and the default rules for guest networks do not allow traffic into the guest network. We need to allow traffic from our LAN and WAN into the DMZ, so we’ll create a rule in Settings > Routing & Firewall > Firewall > Rules IPv4 > Rules IPv4 > LAN IN by clicking Create New Rule and using the following settings.
Note: When you create a new rule, it can take the USG a couple of minutes be updated with the new rule.
| Setting | Value |
|---|---|
| Name | Allow established/related traffic |
| Action | Accept |
| States | Established, Related |
Add the following rule to allow the LAN to access all VLAN’s
| Setting | Value |
|---|---|
| Name | Allow main LAN to VLAN |
| Action | Accept |
| Source Type | Network |
| Source IPv4 Network | LAN |
| Destination Type | Address/Port Group |
| Destination IPv4 Address Group | Private IP’s |
Add the following rule to block the VLAN DMZ from initiating connections to the LAN
| Setting | Value |
|---|---|
| Name | Block VLAN to LAN |
| Action | Drop |
| States | Established, Related |
| Source Type | Network |
| Source IPv4 Address Group | DMZ VLAN |
| Destination Type | Address/Port Group |
| Destination IPv4 Address Group | Private IP’s |
Mark Berry’s post adds the following rule to block DMC VLAN to LAN traffic but this blocked all traffic in and out of the VLAN for me.
| Setting | Value |
|---|---|
| Name | Block VLAN to LAN |
| Action | Drop |
| Source Type | Address/Port Group |
| Source IPv4 Address Group | Private IP’s |
| Destination Type | Address/Port Group |
| Destination IPv4 Address Group | Private IP’s |
When you created the new network, Unifi automatically created a new switch port profile that we can use to assign ports to the new DMZ VLAN. Go to Settings > Profiles > Switch Ports and you will see your switch port profiles including a new profile called DMZ VLAN
Now, let’s setup a DMZ VLAN WiFi network. Go to Settings > Wireless Networks > Create New Wireless Network. Expand the Advanced Options settings and set the following values and then Save.
| Setting | Value |
|---|---|
| Name/SSID | DMZ |
| Security | (your choice) |
| Security Key | (key) |
| VLAN | 3 (from above) |
You can now assign switch ports to the new DMZ VLAN or create a new wireless network and associate it with the VLAN id used when setting up the network.