For those who have issues casting from Private to IoT network with Chromecast - you need one more rule. Add to the IoT Local Ruleset: allow UDP, destination port 5353 (mDNS). [Match the allow IoT DNS rule, just using port 5353.] You're welcome.
@joshmoore1292 1 year ago
I just started to set up my 1st IoT network today. Literally. Then, I stumbled on this video. Absolute gamechanger. You sir, are a gentleman and a scholar!
@Big_Johngus 5 years ago
I can't thank you enough for all your super simple but thorough explanations of all the concepts that you teach. You are an absolute legend!
@CrosstalkSolutions 5 years ago
Cheers - thanks!
@lightrecordsentertainment9720 5 years ago
Can you make a video or an article on your website for the USG? So we can follow along with the USG.
@CodeMonkeX 5 years ago
I agree. It seems people with an EdgeRouter are already more experienced, so it would have been a better idea to demo this on a USG and then let the EdgeRouter folks fill in the blanks.
@epremsoft 5 years ago
I totally agree!
@CrosstalkSolutions 5 years ago
Maybe - but it would take a lot more setup on my side. I don't use a USG internally. Keep in mind though that it's *almost* the same...you just have to do Corporate LAN instead of VLAN-only when creating the IoT network in UniFi...and then just add the same firewall rules in UniFi instead of the EdgeRouter.
@madrian_hello 5 years ago
Agreed. I have the full UniFi ecosystem.
@muflon2002 5 years ago
+1
@patsjoholm 5 years ago
MQTT is used to broadcast JSON (or similar, i.e. YAML) requests. On IoT devices, this normally tells an MQTT server the status of that device (i.e. on or off, or temperature/humidity). It can also be used to turn the device on/off, of course, via two-way communication. It is highly efficient, as the packets are tiny, and is widely used in the Home Assistant environment, for example. P.S. Nice video. I am obviously here, as my weekend project, coming up, is to move onto a new router, switch, and AP, and implement VLANs for my IoT devices. Thanks for the share!
@garygrobard4095 5 years ago
Stuff to think about:
1. Remove/blackhole VLAN1
2. Add new default VLAN to replace VLAN1
3. Add a management VLAN
4a. DNS reflection rule. I use this to redirect all external DNS requests from internal clients to my DNS server from any incorrectly configured client. (I do this for NTP as well, as some devices don't accept the DHCP NTP option.)
4b. DNS block: block internal clients from using external DNS services. I've been thinking/working on blocking internal clients from using DNS over HTTPS and/or TLS...
4c. Move internal DNS server to HTTPS or TLS
Going down a rabbit hole. Stopping now. Keep up the good work. You not only need to have a grasp of the tech, but also the charisma to present it. Well done!
@CrosstalkSolutions 5 years ago
Good feedback - thanks!
@pauldean9671 5 years ago
Restricting access to external DNS servers is a good idea. How do you plan to block DNS over HTTPS/TLS? I think it's built into the browser, so how would you be able to detect the DNS request? I'd like to do this also.
@kalbachekal 5 years ago
Hi Chris, please make a video for IoT devices again with the USG router. From London with love.
@ppi57 4 years ago
Yes please
@KeyJayHD 5 years ago
Excellent video dude! I just joined the Ubiquiti family with two Pro APs and an EdgeRouter 4. I'll still be using my Netgear GS724T switch for the time being, but we also just put in a new security system and I'll soon be spinning up a Blue Iris camera system. I also have a media server on the network. I'm going to try and replicate this for my camera system. Essentially, I may create a total of 4 VLANs, one of which will be for cams and another for my existing SmartThings IoT network. I'm still pretty new to all this level of control (I mean my old router did allow me to SSH into it and make a few changes), but I have high hopes. I'm liking the Ubiquiti platform thus far (just started literally yesterday) and will start digging in deeper today as soon as my new router comes in. Thanks again for these detailed quality videos; it's really helping me get off my feet with this.
@packetguy42 5 years ago
This is a nice first cut for improving IoT security, but you should really have separate VLANs for each unique type of IoT device or you'll be vulnerable to lateral attacks within the IoT domain: e.g., access control on one VLAN, video surveillance on another, home automation on a third, entertainment on a fourth, etc. For WiFi, put each device on a separate WLAN group, and use hidden SSIDs to eliminate unnecessary beaconing polluting WiFi spectrum, and then associate those WLANs with the corresponding IoT VLANs. Now you can control all communication between IoT realms and between IoT, the protected LAN, and the Internet. This last control is often overlooked: always filter Internet traffic from each IoT device to only permit addressing the public IPs they actually need, rather than the entire Internet. You can discover which destinations and protocols these are by initially denying all Internet traffic and checking the firewall logs to see what is getting denied. This is the standard for enterprise IoT security, as implemented by Cisco, Juniper, etc., and is also the approach used going forward in automobile and aircraft IoT networks. An interesting article on IoT enterprise deployment is www.networkworld.com/article/3213868/3-real-world-examples-of-iot-rolled-out-in-the-enterprise.html
@AlexJustesen 5 years ago
Perfect IoT ssid... perfect
@zeeshanh8360 5 years ago
I hit like on this even before watching, as this is something everybody should do - at least anyone with IoT devices. Before I made my first IoT purchase (t-stat & lights) I made sure to set up a separate SSID, VLAN & routing/firewall rules. This was early on & the devices used were not ideal, but I committed to not getting any IoT devices until this was at least somewhat segregated from my main LAN. I strongly recommend to any/everybody to set up a VLAN or even a subnet to isolate traffic (something's better than nothing). PS - SSID is excellent! Also like the 107.
@M4l3k0 4 years ago
Finally picked up a managed switch to implement this and it worked a dream! Thank you for such good videos explaining everything and making it straightforward. I came across one snag. I enabled mDNS but still couldn't see any Google devices - other IoT devices worked and I could control them etc. I found that adding a third rule to the IOT_LOCAL to accept port 5353 on UDP fixed the issue. Hopefully this was the right thing to do!
@crpledger 4 years ago
Thanks for the tip! Android devices found my Chromecasts fine but Apple ones didn't until I added the extra rule.
@aaronboggs5799 4 years ago
Thank you! This solved my issue with not being able to see Chromecasts in my IoT network on my trusted LAN. After doing lots of troubleshooting and config tweaks, this is the change that finally resolved it for me.
@mikecullen1181 4 years ago
You rock. This allowed my private LAN to talk to devices on my IDIoT LAN using the Apple Home app. What I'm not able to do is connect to these devices when I am outside the network, i.e. on LTE. Do you think that needs a similar 5353 entry on WAN_LOCAL?
@juanmanuelius 4 years ago
Thanks for the tip!
@kycsip3066 3 years ago
This is really great stuff. I have a UDM Pro and I'm trying to set up a secure IoT network; this is almost exactly what I need. I only say almost because I know next to nothing about networks, so I'm making educated guesses as to how the EdgeRouter configuration translates to the UDM. It would be extra awesome to have this same video remade with the new UniFi interface.
@6Wojcieech 3 years ago
I think the interest in such material would be very high.
@CoFRHeLLsFuRy 2 years ago
Agreed. A new video with all Unifi hardware would be awesome. Get why it wouldn't be a priority but sure would be nice.
@zeddyorg 5 years ago
It would be good if you could show people how to handle devices like Philips Hue, Sonos etc. that need an IGMP proxy. I never got this working on my USG.
@ChipLinck 5 years ago
I didn't set up a proxy and Hue works just fine for me. I put all of my IoT on a separate VLAN, and my firewall rules completely separate it from my other 3 VLANs. I control the Hue lights either through my Echo devices, IFTTT applets, or my phone app, which connects through the cloud rather than on the same network. Having said that, my Hue bridge was already set up before I created the IoT VLAN. This setup works for all of my devices except the Harmony hub. In that case I only need it to see my phone if I want to make changes, since I use a Harmony remote rather than the phone app to control my media devices with the hub. I'm using a USG.
@chrisdvorak8180 5 years ago
I'd also add the Samsung SmartView app to this list to help with. I just started testing an IoT VLAN network. My Samsung Smart TV (8 series) is hard wired to my UniFi switch, so I changed the port on the switch to be connected to this VLAN network. This worked to assign an IP within the range of the VLAN. My problem now is that the app on my phone, in my primary LAN network, cannot connect to the TV. It can see it, but not connect. I have tried a bunch of different firewall rules based on your video, but have yet to be successful. Would also +1 doing this same video with a full UniFi system. Love your videos though!
@ppi57 4 years ago
Yes please
@TimCancila 4 years ago
I was able to get Sonos talking from my secure IoT network to my LAN by following the steps from this post community.ui.com/questions/Yet-another-Unifi-and-Sonos-post/933bc98e-55b7-426a-a58b-8a4c6dc03f24#answer/1772e10a-e4b4-450b-a577-8bbbbfa39517
@Firespyer 5 years ago
The S in 'IoT' is for Security
@svampebob007 5 years ago
the IDIoT tag is hilariously ironic.
@markarca6360 4 years ago
@svampebob007 Hahaha... #lmao
@mattproto5486 4 years ago
Love to see this video updated for the UDM-Pro. Could you do this for both a main network and guest network setup (showing all three separate, but showing the guest or main networks being able to access AirPlay, Chromecast, etc.)? I want to be able to access all networks from the main network, but have my IoT be separated off.
@ulkesh78 5 years ago
This is one of the best guides to this setup I've found. Excellent info and great presentation man!
@phoenix112308 1 year ago
Your videos are great! Straightforward and to the point while being clear and conveying information in a way that anyone can understand. LOVE your channel!
@sinterklaashoekschewaard 2 years ago
Great tutorial! Exactly what I was looking for. The only thing I had to do next to this tutorial is to allow UDP port 5353 in the IOT_local firewall rules. This made my Chromecasts visible again in my main LAN. Just mDNS did not do the trick for me.
@independentRestorationServices 5 years ago
Thanks for this! It's such a pain trying to search 20 places to put all of this together; this is super convenient.
@Akbar_Friendly_in_Cherno 5 years ago
Chris, I thought that "Local" was traffic destined for the router itself. (router services etc) You are saying here that it's on the VLAN itself. And inter-VLAN. Can you elaborate on this please?
@MarkFern90 3 years ago
That's my understanding as well. Was about to comment that and saw your post. Any intra-VLAN communication wouldn't necessarily hit the firewall (i.e. it could just be directed by the switch), so firewall rules wouldn't apply. I'm no expert but I've used the local rule only to limit access to the management interface to the router itself from the unsecure network.
@theXchange 2 months ago
My config got wiped. I knew exactly where to come to get things set back up. Thanks again, Chris!!
@jjrican72 4 years ago
Hi Chris, do you have a tutorial on how you set up the Pi-hole you mention in your "Secure IoT Network Configuration" video?
@Ben-ld5lt 3 years ago
Very well explained! I followed this comprehensive video today and set up an IoT network for my TP-Link smart plugs. Thank you Chris.
@notguiltystyle 3 years ago
Thanks, works great for wireless devices. How would I allocate one of the EdgeRouter ports for wired devices?
@H3ath3n_OG 1 year ago
This is a great tutorial. I used it to build my IoT network about 3 years ago, shortly after you posted it. I finally wised up and built a Pi-hole on an old PC since I can't find a Raspberry Pi anywhere for reasonable. I came back to this video to see what I was missing on my firewall. The rules you have fixed me right up. Your Pi-hole video was really helpful as well. At the end of this video you talk about other firewall rules that could be set up. Any chance you have a blog or video talking about those other rules? Example: blocking DHCP for anything other than the Pi-hole.
@EmilianoSandler 5 years ago
Amazing video. Followed your config for my network and started transferring my IoT devices. I have an EdgeRouter 4, Cloud Key (Gen 1), US-8-150W, 2x UAP-AC-PRO, so the setup is pretty much the same as yours. I have a streaming box with Kodi and it's configured to access my media library from my NAS using NFS. If I transfer my streaming box to the IoT VLAN, how do I allow it to connect with NFS to my NAS?
@brooksdbetts 5 years ago
Great video...been thinking of doing this at my house but just did not want to invest the time to research the firewall rules I needed. This is a great guide which gives me NO excuses now! ;)
@fredriklundberg4161 4 years ago
I followed the great video thanks but have a question. The rule to drop all local traffic on the IDIoT network; does that not mean they cannot talk to each other if needed? Love your videos!
@AlanW 3 years ago
Haven't finished watching yet, but let me say I love the names you gave things.
@DRUMSBH 5 years ago
Thank you Chris for the tutorial! Note to others regarding the mDNS repeater; I had to reboot my EdgeRouter X before this would work.
@johnraahauge4552 5 years ago
Thank you, Thank you, Thank you!! Have been messing with this for hours until I decided to read the comments. Now it works!!
@johnraahauge4552 5 years ago
I also found that I had to make a rule in the IDIoT_Local ruleset to allow UDP 5353 or mDNS wouldn't work both ways.
@shadez7650 4 years ago
Outstanding video. You make things very clear, even for people who aren't the best or that knowledgeable, to do this stuff.
@andrewslater6846 5 years ago
I understand that by having your private network on a separate VLAN from your IoT devices you will save a lot of bandwidth on the private LAN. But, on average, how much bandwidth do the IoT devices eat up on your internet connection? You seemed to touch on internal traffic, but I would like to know how much traffic the devices have to the outside internet. This is a wonderful video explaining what the general public should do for IoT setups. I haven't found anything else that covers this topic as simply nor as completely as you have. Thank you!
@baldknobby 5 years ago
Would like to see similar video with USG instead of Edge Router. Thanks.
@CodySuders 3 years ago
I'd love to see an updated version of this, and using a separate security VLAN for Protect. +1 more for wanting to see this with UBNT gear, maybe a new Dream Machine Pro.
@jimnichols5584 2 years ago
Great video. Would like to see this done with the UniFi controller instead of the EdgeRouter. Similar concept, but nice to see the exact screens.
@mechanix6191 4 years ago
Great video. Having a hard time translating the EdgeRouter firewall to the UniFi controller firewall. For example, I don't see an Interface option and I'm also unsure about setting the source versus destination.
@KennyL89 14 days ago
Late to this channel but you're amazing dude.
@HaouasLeDocteur 3 years ago
It is necessary to add an ‘allow’ rule for address 224.0.0.251 and UDP port 5353 in IDIoT_LOCAL otherwise mDNS will not work (devices inside the IoT VLAN will not be able to broadcast). This gave me problems with Homekit accessories being unresponsive without adding this rule. Homekit accessories will also fail to set up with these rules and I’m still trying to figure out how to overcome this.
@DaniloFusco 2 years ago
For anyone struggling with VLANs and the dual-WAN feature: you want to add the modify balance profile to the VIF as per the parent eth interface.
@SheldonMahase 3 years ago
Great job. Clear, clean instructions. I used it on a USG-Pro-4, Cloud Key and a UniFi Switch 16 POE-150W. I have successfully blocked all inter-VLAN communication and so on. I don't have any Ubiquiti access points. I have 2 questions. 1. I wish to block internal communication between devices inside the guest network? 2. Is there a way to limit speeds via MAC address or IP without using a Ubiquiti AP? I know this can be handled on the Ubiquiti APs; I am looking for a firewall rule or a setting without using Ubiquiti APs.
@staaldak 3 years ago
Hey Chris! Thanks for the guide. Much appreciated. I followed the guide to the letter, including setting up an mDNS repeater on my EdgeRouter 6P, but I still could not see my Chromecasts (on the IoT VLAN) from devices running on my trusted VLAN. I solved this by adding the following third rule to the IDIoT_LOCAL ruleset:
    rule 3 {
        action accept
        description "Allow MDNS"
        destination {
            port 5353
        }
        log disable
        protocol udp
    }
I can now stream to my Chromecasts and TVs on the IoT VLAN from devices on the trusted VLAN. I hope this helps someone!
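Several comments in this thread (the rule 3 above, and the earlier reports of Chromecasts staying invisible until UDP 5353 was allowed) come down to the same question: do mDNS responses actually make it back across the VLAN boundary? The probe below is an added example, not EdgeOS code or anything from this thread: run from a host on the trusted VLAN, it sends one mDNS PTR query for the Chromecast service type to 224.0.0.251:5353 and lists the instances that answer; an empty result after the timeout points at the repeater or the LOCAL rule. The service name, timeout and sample response are assumptions constructed for the example.

```python
"""mDNS discovery probe (constructed example, not the thread's EdgeOS config).

Sends a PTR query for a service type to the mDNS multicast group and returns
the service instances that answer.  Because the query is sent from a port
other than 5353, responders reply with unicast directly to this socket
(RFC 6762 "legacy unicast" behaviour), so the script needs no multicast join.
"""
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # mDNS multicast group (IPv4)
MDNS_PORT = 5353             # mDNS port, the one the IDIoT_LOCAL rule must allow
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(service: str) -> bytes:
    """One-question mDNS query: id 0, no flags, QDCOUNT 1, PTR/IN."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # caller resumes after the pointer
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def parse_ptr_answers(msg: bytes, service: str):
    """Return the PTR targets (instance names) that answer for `service`."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip any echoed questions
        _, offset = decode_name(msg, offset)
        offset += 4
    found = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        # mDNS sets the top class bit as a cache-flush flag; mask it off.
        if rtype == TYPE_PTR and (rclass & 0x7FFF) == CLASS_IN and name == service:
            target, _ = decode_name(msg, offset)
            found.append(target)
        offset += rdlen
    return found


def discover(service="_googlecast._tcp.local", timeout=2.0):
    """Multicast the query and map each answering instance to its source IP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    seen = {}
    try:
        while True:
            data, (src, _port) = sock.recvfrom(9000)
            for instance in parse_ptr_answers(data, service):
                seen[instance] = src
    except socket.timeout:
        pass                                 # no more answers within the window
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    results = discover()
    if not results:
        print("no _googlecast._tcp responders seen: check the mDNS repeater "
              "and the UDP/5353 allow rule in the IoT LOCAL ruleset")
    for instance, src in sorted(results.items()):
        print(f"{instance}  (answered from {src})")
```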
@goddrago 3 years ago
Hello Chris, I'm about to set up this solution you made, but I want to be sure to have all the equipment. Right now I have an EdgeRouter X, and I'm about to buy a USW-Flex-Mini and 1 UAP-AC-LR. I want to know if I can do all this with this equipment. Looks like I can do it, but I just want to be sure. Thanks for all your help.
@dacman61 5 years ago
I've been meaning to do this at my home. Looks like I got a project to do this weekend. Thanks for the video!
@igitrust6481 1 year ago
Thank you for all your videos - I'm new to the home network world and set up my own thanks to you. Any place I can get this detailed info for a TP-Link short stack?
@craigcoffman69 2 years ago
Solid information, thank you! Answered a LOT of questions but.... Now I have just as many new questions!!!
@joepalovick1915 5 years ago
Great video! Thanks for pulling it all together. My challenge has been trying to get Sonos speakers on an IoT network!
@CrosstalkSolutions 5 years ago
Not every IoT device is going to work on the IoT network. Some require local network access to function - such as Philips Hue. But, if you can get *mostly* everything over there, that's better than not having it at all.
@joepalovick1915 5 years ago
Good point! It seems like cloud-based devices like SmartThings, Ecobee, Echo etc. adapt very easily to an IoT network. Local-network-centric devices, especially like Sonos, are much more difficult. Keep up the great work and thanks again.
This couldn't have come at a better time... Thanks Chris really appreciated 👍
@RyanRath 5 years ago
Ha! Crazy small world, I did this two weeks ago for my setup at home as well. Great content Chris, love the channel
@marito158 2 years ago
Thank you for the video. Should I still be able to ping from the IoT network to the protected network?
@ivanstefko 3 years ago
Hi Chris, how did you associate the IDIoT network with the IoT SSID? Is it done automatically by setting the VLAN ID? Another thing is why is it necessary to create a new network for IoT? Is it not enough to use the default one? I'm able to obtain a correct IP for VLAN 107 if I have the correct setup on the EdgeRouter and EdgeSwitch for that VLAN (without any other network on the UAP).
@quezad01 3 years ago
Great video explanation!!! One suggestion: You should do a video on how to connect to a SONOS speaker in the IoT VLAN from another VLAN.
@madrian_hello 5 years ago
I just wanted to set up on USG, but the settings are so much different. I'll wait for a video for USG.
@pe1pqx321 5 years ago
You lost me at setting up the firewall rules. I know the basics are the same, but as others requested, could you please do a similar tutorial with the USG/USG-Pro-4?? I have a USG-Pro-4 in my UniFi LAN, but the screens from the EdgeRouter are completely different from the UniFi setup. (I admit, I am not an IT specialist but a hobbyist.)
@alexsinbb 3 years ago
Need to add an allow rule to IoT LOCAL for UDP port 5353 if you want mDNS to work for Chromecast.
@gbye007 4 years ago
This is a bit confusing when you are mixing the EdgeRouter OS with the UniFi OS. Could you do the same thing for a UDM/UDM Pro? For instance, do I need to block all IoT traffic from LAN Local? At the moment I can still ping 192.168.1.1. Do I need a rule to allow time server requests on port 123 for the IoT network?
@timon0x31 5 years ago
OpenDNS is a very good backup for your IoT network. I also have my USG relay through it says I don't have a Pi-hole.
@berndeckenfels 4 years ago
In a close neighbourhood I would not run a hidden SSID; it makes channel conflict detection less functional.
@jccl1966 4 years ago
This is great, but why don't you show us how to do this on a UDM Pro? Great video.
@mikedsokc 3 years ago
Can you do a video on how to set up firewall policies for Sonos on the IoT VLAN?
@vindelon 4 years ago
What about UDP 5353? As you created an mDNS repeater, should it also be allowed?
@HajAtkins 4 years ago
100% yes - allow UDP 5353 on the LOCAL rule. Without this, devices on the secure LAN will not be able to interact with Chromecast in the IoT network.
@americus182 4 years ago
Just a beginner here, would really like to see this with a USG. I found some other resources online to set the firewall up, but they don't provide details about how to add exceptions from the IoT to private networks.
@Muttonbird 5 years ago
@HajAtkins4 жыл бұрын
100% yes - allow UDP5353 on the LOCAL rule. Without this, devices on the secure LAN will not be able to interact with Chromecast in the IoT network.
@americus1824 жыл бұрын
Just a beginner here, would really like to see this with a USG. I found some other resources online to set the firewall up but doesn't provided details about who to add exceptions from the IoT to private networks.
@Muttonbird5 жыл бұрын
Great timing for a great video. Thanks Chris, very helpful indeed and was just wondering about setting all this up the other day so cheers! Looking forward to your next vid.
@it.gayndah 4 years ago
Hi, I'm Brad from Outback Rural QLD Australia. I strongly believe that all IoT must be on its own separate VLAN. I have gone a little further by creating 2 IoT VLANs - IoT & NoT. The second has basically the same rules as IoT as you showed, with a few more including "preferred DNS" and blocking all other DNS servers (I have a standard DNS Drop rule on Google IPv4 & 6). Unlike IoT, which can get out to the Internet under a special ruleset, NoT can't get out and can't get to other VLANs either; however, the Management VLAN can access the IoT, NoT and Cameras VLANs one way using "New/Est/Related". My Camera VLAN is a bit like the NoT network too, but with the NVR also residing in this VLAN. I have gone a little further by making my Management VLAN (primary Corporate LAN) have its own VLAN number. I have a separate TRUNK VLAN that interconnects from the USG-PRO-4 to all my 4 switches and 8 APs etc., for some extra security. I feel this network design gives a little more security. Yes, the security is only as good as the firewall rules! I'm just learning all this stuff, and taking it slowly and building my IoT devices, which will basically connect to everything in the home and farm. Any constructive comments most welcome.
@tedbeckwith2997 4 years ago
I know it is asked a lot in the comments for a separate USG video but how about just a side by side comparison of the settings you use in the video for the ER with what/where/who they are in USG in a tabular form or graphically shown with screen grabs?
@bumgarb42 5 years ago
Is it possible to do this same level of configuration on a UniFi USG Pro 4? If so, could you do a video showing that? I get lost trying to translate the Edge interface to UniFi for DHCP and DNS configuration you do around the 9 minute mark.
@Kryoxys 3 years ago
Chris, any chance you could do an updated version of this video using a UDM Pro?
@backsspace 3 years ago
@crosstalk could you refresh this IoT video now that you're using a UDM Pro please? I'm in the process of setting my network up, and it would help tremendously.
@kevinz8867 3 years ago
YES PLEASE! :)
@XorgBot 5 years ago
Great video! ... Talking about IoT, have you heard of anything Ubiquiti and 802.11ax (WiFi 6) road map, rumors or other?
@greymoment1 4 years ago
What about separating IoT devices from streaming? Would there be an advantage to having a VLAN for IoT devices and a VLAN for streaming?
@Rossm812 4 years ago
Problem is when you have too many SSIDs you start taking a speed penalty, and if I am seeing correctly here, he is assigning the IDIoT SSID to one VLAN only, meaning you'd need a separate streaming device SSID etc. following this setup unless your streaming devices are all wired.
@freddycalderon9092 3 years ago
Do you have a video doing the same setup using UDM instead of EdgeRouter? Or can recommend one video performing the same setup with UDM or UDM-Pro? Thanks!
@stevenmorris5546 3 years ago
Great videos, nicely explained. Getting my Dream Machine Pro in a few days, so I will be using your videos to help me set it up, me being a network novice. I have one question: Siri needs to be on the same network as your iPhone, or so it keeps telling me 🙂, so if you put your iPhone on the main network and Siri on the IoT network, would this work? Thanks again for the great content 👍🏻
@seth3342 3 years ago
I can't seem to obtain an IP address when trying to connect to the IoT network. I have the DHCP server set up. Do you have to link what DHCP server to use for a given VLAN?
@Sir-Fix-a-Lot 5 years ago
Also there is quite a bit of fiddling involved in getting Sonos to work in these setups - took me a good evening of googling to find the right recipe to get the Sonos Controller application on the secure network PC to actually be able to communicate with the Sonos Bridge in the IoT network.
@sebdl1286 5 years ago
I am just about to set up Sonos on a newly created IoT VLAN, as per this video... Would you mind sharing that "right recipe"?
@Sir-Fix-a-Lot 5 years ago
@sebdl1286 Well, the end result wasn't a simple recipe, but I'll put the source article links here for your reference - hope they are still valid. I composited my config from these articles after a painful night of googling:
en.community.sonos.com/advanced-setups-229000/access-sonos-from-a-different-wireless-network-6808767
help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json
community.ubnt.com/t5/UniFi-Routing-Switching/Cloud-Key-config-gateway-json-file/td-p/1553060
blog.awelswynol.co.uk/2017/11/unifi-sonos-and-vlans
community.ubnt.com/t5/UniFi-Routing-Switching/Configure-Sonos-across-subnets-on-USG/m-p/1982496#M49654
I hope you can figure it out!
@dominiquerichardson 5 years ago
Do this with a USG please!
@speedup070605 5 years ago
Hi Chris, thanks for the wonderful content; this helped me a lot in setting up the firewall in my network. Also hope you don't mind if you can post a procedure on how we can forward UDP broadcast to a certain VLAN. Again, thank you so much for the content you have shared.
@invictuslegend4405 4 years ago
Great video. I tried this, but from my main LAN, I am unable to get to the AP connected to the IoT port. To access the AP, I had to be on the IoT network. What firewall rule should I add or reconfigure so that I can get to the AP @10.0.0.40? I can ping 10.0.0.1 from the main LAN, but no other leases.
@fuggle07 4 years ago
DNS is port 53 UDP AND TCP. If a response exceeds one UDP packet, the client retries with TCP.
@hartekunst554 1 year ago
For clarity: the firewall rule which drops all local traffic on the IoT network would probably not allow us to run a local Home Assistant installation from within that same IoT network, correct? You would then probably need to add more whitelisting rules for each new integration that you're trying to establish?
@JensKolling 5 years ago
Hi Chris! Can you use ExpressVPN with the UniFi USG? If it can be done, would you then make a video about it?
@garethev5866 5 years ago
I’d be interested in that too. I believe that it can be done just via the CLI
@paulsusi6929 4 years ago
How do you deal with devices like Google Home... This would obviously go on the IoT VLAN; however, devices on the main network would not be able to control them since they'd be on a different network. I guess I could disconnect my phone from the main network and temporarily put it on the IoT network, but this would be a pain to switch back and forth (especially if not broadcasting the SSID) and defeats the whole purpose of setting up the separate VLANs. Great video, thanks for putting it together. Interested in hearing your reply.
@johnemerson3674 4 years ago
Your diagram shows an AP for the secure network and a 2nd AP for the IoT network. Are there two APs for security reasons? If not, would it be a good idea to configure one UAP-AC-PRO to broadcast SSIDs for the secure network, the IoT network and a guest network?
@CaesarNayKid 16 days ago
Do you have a similar video which shows making the firewall entries on UDM OS (preferably the modern version) or if not, maybe you can make one?
@phil7455 1 year ago
How would you combine this with the "IOT Across Subnets with EdgeRouter" video that David did for you? Part of his setting up an mDNS repeater was that you can at least ping between subnets and there shouldn't be a firewall rule preventing communication. I'm thinking there should be a firewall rule to allow video to be sent to a Chromecast on the IoT network from the Secure network, while blocking the Chromecast from accessing the Secure network.
@gp5173 5 years ago
Great video and very timely with IoT growing in popularity. One question: will this still allow for HomeKit traffic / control from the outside? For example, controlling an iDevices switch using Apple HomeKit while on the road? My understanding is that the mDNS responder 'should' allow that, but if not, can you mention here how you can enable that kind of remote access to control outside of the home? Thanks
@constantelev8tion1 3 years ago
How would you set up the last rule you talked about at the end of the video about port 53?
@ryankroger6046 3 years ago
Dumb question but where do you get your Ubiquiti Visio stencils from?
@DLong-wp8su 1 year ago
I have an RT-AC88U main router and an old RT-AC68U as AiMesh. My thought is that security stuff (PC, phone, iPad, etc.) is on the main router and IoT (doorbell camera, lights, TV, etc.) will be on the RT-AC68U. I can also set IoT on the main router under "Guest". Which option is best and safe to protect the main router access?
@RobDugas123 5 years ago
I love your videos on USG and UniFi products. Can I challenge you to make a video on the USG where you can show how to create a segregated wireless network (open if you want) but have the traffic pass into a VPN tunnel, connecting to an online service such as hide.me (L2TP)? The idea is when I connect my iPhone to this new local WiFi, and once authenticated, I would be automatically secured through hide.me. There is a client I can install on the iPhone, and there are a handful of dual VPN routers that can handle this request. I was hoping the USG can be configured to do the same. It would be awesome. Thank you. Robert
@markblumhardt 3 years ago
Would you put UniFi WiFi cameras in the IoT VLAN?
@cue03 5 years ago
Great video. Do all your smart devices still have accessibility from your smartphone or tablet while outside of your house coverage area? If you have a camera that has both a direct connection while on your network but a web connection while not on your network, is that also possible and able to be secured like you have isolated everything else? I don't want to lose functionality or accessibility from anywhere of the "smart" items I am buying or have. Thanks
@richarddinges 3 years ago
Hi Chris, thanks for this clear tutorial! I'm taking the first steps in the EdgeRouter and, to increase knowledge, I set this configuration up... But when I connect to the IoT WiFi and go to the internet, I get no response. Looking at the statistics of the firewall, it is all blocked by the local default action... drop... For internet access on the IoT network, do you need to add a firewall rule to allow new traffic? Or am I doing something wrong elsewhere?
@FStewartIII 1 year ago
I use Visio for some small work projects but I wanted to ask did you have some download for Unifi products, did you use screen shots, etc?
@flavienadjovi 3 years ago
What's up with all the old office phones?
@lemming622 3 years ago
@Crosstalk Solutions Is it possible to have this or an updated version of this documented on the Crosstalk blog, in a similar fashion as the Definitive Guide To Hosted UniFi? I'm following along as best as I can and having to pause quite a bit to make sure you don't get too far ahead of me.
@wertherland 2 years ago
So, you said you have an Apple TV on the IoT network; how does AirPlay work in such a setting? Can you stream to it from your phone (which happens to be in the secure VLAN)?
@jean-lucward6587 4 years ago
Hi Chris, please make a video for IoT devices again with the USG router. Please please please. BTW, thanks for everything; my UniFi network rocks because of your guidance. You da man.
@ojw629 1 year ago
How would I set up an IoT network with a pfSense router and Deco X50-PoE in access mode? My setup is Int > pfSense router > first X50 > PoE switch > other two X50s and a few other hard-wired IoT devices. My cameras and some other IoT devices would be connected via Wi-Fi.
@RichardBuckerCodes 4 years ago
This video is a year old now... I'm trying to build the same sort of network with a UDM Cylinder, UI Switch 8, UI Flex Mini and UI LTE... I have WiFi printers, laptops, tablets, phones, lightbulbs, thermostats, Roku, Fire, smart TV, multiple NAS and ESXi servers... oh my... at the same time I'm trying to emulate the network principles a customer of mine is using... essentially an SDN with lots of VLAN silos... seems impractical.
@Bago_People 2 years ago
Is this the same for the Dream Machine? And will the iOS functions still work, i.e. screen mirroring?