logos (other)


Go Wireless NZ

Follow by Email

Friday, May 20, 2016

Configuring VLANs with a UniFi Security Gateway and UniFi Switch


With the release of the US-8-150W, UAP-IW and the new UAP-AC Series Access Points, now is perfect time to start looking at UniFi as a complete network solution for Home, SOHO and Enterprise Networks including Motels and Hotels. This blog will explain how to configure multiple networks using VLANs including a corporate and guest network.

Ensure you have a UniFi Security Gateway, UniFi Switch, and UniFi Access Point. We will start with a single wireless network which was setup using the Setup Wizard.

Step 1:
We will start by creating a Guest Network which customers can access via wired connection to the switch or by connecting to a UniFi wireless access point. Navigate to Settings > Networks > Create New Network. This network will have a VLAN ID of 2 and Network Address range of 192.168.2.x/24.
Step 2:
We will use the default corporate network that was created with UniFi (192.168.1.x/24) as our main corporate LAN, however we would like to separate our VoIP network as well so we will create another network below with a VLAN ID of 3 and Network Address range of 192.168.3.x/24.
Step 3:
Our Networks Page should now look like the following:
Step 4:
We now want to enable the Guest Portal settings and enable Hotspot functionality for our Guest Network so that guests require a voucher to authenticate on the network. After clicking Apply, you canverify that you have two wireless networks, The Corporate Network is my network I created when going through UniFi's Setup Wizard initially and the second network is our Guest Wireless.

Step 5:
Now that our networks are all setup, we can start locking down the switch ports. Currently your Access Point should be broadcasting two networks (Corporate Network and Guest Wireless). Connecting to the Corporate network should require a WPA2 password to connect and give you an ip address of 192.168.1.x with full access to the network and internet while connecting to the Guest Wireless should give you an ip address of 192.168.2.x and redirect you to the voucher authorisation portal page.

Step 6:
We now want start restricting some of the ports on the switch. By default all of the ports are currently set to allow all networks and passing the untagged corporate network which means all of the ports currently give you access to the corporate network. Any ports you wish to be on the corporate network can be left with the default settings shown below:

Step 7:
We now want to isolate Port 6 as a Guest Network port. This can be easily done by editing Port 6 and setting Networks/VLANs to our Guest Network.
Step 8: 
We can do the same for Port 7 but instead assigning it to our VoIP Network.
Step 9:
We can now start testing however you will need to wait until the UniFi Switch has reprovisioned itself with the latest configuration which can take a couple of minutes. Once provisioning is complete try connecting a computer to port 5, 6 and 7. Port 5 should give you a 192.168.1.x IP, port 7 should give you a 192.168.3.x IP and port 6 should connect you to the guest network with an IP address of 192.168.2.x. Devices will be able to traverse VLANs / Networks and communicate with each other by default, if you wish to restrict VLANs to their own subnet then you will need to block communication using firewall rules which are not currently available in the UniFi Controller. The one exception of this is of course the Guest Network which is completely isolated.

The UniFi Security Gateway controls the WWW, WAN and LAN status icons on the Dashboard. It is possible to use another VLAN capable switch (i.e. MikroTik or EdgeSwitch) and maintain the Dashboard Status icons and also pass VLAN capable traffic through the network (i.e. you can tag VLANs like the Guest Network through a non UniFi Switch).


  1. Don't you have to put the VLAN ID also on the Guest network in the Wireless Networks setting page?

  2. Correct, that is not showed in the screenshots sorry. the management (in this case Corporate LAN) is untagged / no vlan configured on the Wireless Tab however all other Wireless Networks that are created need to be tagged (i.e. Guest and VoIP)

  3. This comment has been removed by the author.

  4. This comment has been removed by the author.

  5. Very helpful post.

    I have an US-8-150W switch with 3 networks defined:
    LAN (untagged)
    VLAN10 (tagged vlan 10)
    VLAN20 (tagged vlan 20)

    I want to set a port to block VLAN20 but allow LAN and VLAN10, but I can't seem to get this to work.
    Is this possible to do?

    1. Thanks, by default inter-vlan routing works i.e. vlan10 to vlan20 traffic is accepted. you would have to isolate this in the config.gateway.json file as i dont believe the ability is in the controller as yet.

  6. Another great article. Just one question. If I wanted to allow guest access to a printer that is on VLAN1 with an IP address in the 192.168.1.x/24 range, how would I accomplish that? Thanks

    1. Hi John - all you should need to do is add the ip address of the printer to the allowed subnets under the guest port settings. for example, if your printer ip address is you would add to the allowed subnets (Pre-Authorization Access) under the Guest Control tab of the controller.

  7. Can someone please explain to me why the USG wont accept a vlan setting on the wan. Im hoping to use this to replace my orcon router and orcon use vlan 10. Nothing seems to work properly on this router i cant get a lan setup or anything.

    1. If you are running an older firmware you can have these issues with the USG not holding settings correctly or not displaying the VLAN option as you are running an old firmware. sometimes it is best to plug into an existing network where the usg can get internet and DHCP on the WAN side, perform upgrade through controller and then setup. if you cant do this you can upgrade via SSH.

  8. What about the AP's?? Which port they should be connected to?

    1. Hi there, the AP's can be connected to any spare port you like. I would not connect the to the ports configured above that are configured for ethernet only links (port 5, 6 and 7).