IT Guy Journals
Posts Tags Categories About Services
IT Guy Journals

Contents

Building SOHO Network With Ubiquiti UniFi: Step-By-Step Guide

 included in Home Lab
   1573 words   8 minutes 

In this guide, we’ll take you through building a segmented, secure SOHO (Small Office/Home Office) network using Ubiquiti UniFi hardware. The network will be tailored to isolate different types of traffic, set up VLANs for specific use cases, and apply strong firewall rules to protect sensitive data and infrastructure.

While the principles outlined here are generally applicable to most networks, this implementation is specifically designed for UniFi OS version 4.06 and Network Application version 8.4.62.

By the end of this guide, you will have a SOHO network that supports various types of devices, secures communication across VLANs, and optimizes performance for business-critical tasks. We’ll cover VLAN creation, access and trunk port configuration, guest network isolation, firewall rule setup, and more advanced features like honeypots and failover routing.

What is a SOHO Network?

A SOHO (Small Office/Home Office) network is a network infrastructure designed to cater to the needs of small businesses or home offices. It typically involves a smaller scale of devices and users compared to enterprise networks but still requires reliable security, performance, and manageability.

A SOHO network can support multiple devices like computers, smartphones, IoT devices, cameras, and network-attached storage (NAS). With more advanced tools like Ubiquiti’s UniFi platform, setting up such a network is not only achievable but highly customizable. We’ll walk through how to set up a SOHO network using UniFi, focusing on VLANs, subnets, guest networks, firewall rules, and honeypots for security.

Defining the SOHO Network: Example Subnets and VLANs

For this tutorial, we’ll be working with a segmented network approach using VLANs and subnets. Each segment or VLAN will serve a specific function to improve security and performance by isolating devices.

Here’s how we’ll organize our network:

NETWORK NAME VLAN ID SUBNET PURPOSE
Management 10 192.168.10.0/24 For managing networking devices like the UniFi Controller, routers, and switches.
Guest 20 192.168.20.0/24 For guest devices, isolated from the main network.
IoT 30 192.168.30.0/24 For IoT devices like smart speakers, thermostats, etc.
Camera 40 192.168.40.0/24 For security cameras and recording devices.
Infrastructure 50 192.168.50.0/24 For internal servers, NAS, and other infrastructure devices.
Business 60 192.168.60.0/24 For business-critical devices like laptops and desktops.

Each VLAN is separated from the others by UniFi’s firewall and routing rules. This ensures that sensitive data is kept secure and network performance remains optimized.

Configuring Access and Trunk Ports on Switches

Configuring switch ports properly in a SOHO network is crucial to ensure traffic is directed as intended across different VLANs. Depending on the type of device connected to a port, you will either use an access port or a trunk port.

Access ports should be used when connecting end devices such as computers, cameras, printers, and IoT devices. These ports only carry traffic for a single VLAN, which reduces the network load and isolates the device to the appropriate VLAN.

Trunk ports are used to connect devices that need to carry traffic for multiple VLANs. This includes infrastructure like access points (APs), other switches, and virtualization servers that may need access to various VLANs simultaneously.

Steps to Configure an Access Port/Trunk Port in UniFi:

  1. Select the switch that you want to configure and go to the Port Manager.
  2. Choose the specific port that connects to an end device.
  3. In Native VLAN / Network choose the network.
  4. In Tagged VLAN Management check Block all for access ports or Allow all for trunk ports.
  5. Apply the changes.

By setting up access ports for end devices and trunk ports for infrastructure, you ensure that traffic is properly segmented, maintaining security and performance.

Configuring the Guest Network

The guest network should be isolated from the main business network and any other sensitive networks to ensure that guests do not accidentally access internal resources.

Steps for Configuring the Guest Network:

  1. Create the VLAN for the Guest Network:
    1. In UniFi Controller, go to Settings > Networks > Create New Network.
    2. Name the network “Guest” and assign it VLAN ID 20.
    3. Set the subnet to 192.168.20.0/24.
  2. Enable Network and Device Isolation:
    1. In UniFi Controller, go to Settings > Networks > Guest, check the box that network is a guest network
    2. In UniFi Controller, go to Settings > Networks add the network to Device Isolation (ACL)
    3. If you have wifi enabled, under Settings > Wi-Fi > Guest Network, ensure that Client Device Isolation is enabled. This feature will prevent guests from communicating with each other’s devices.
  3. Set Up Bandwidth Limiting for Guests:
    1. To limit guest network speeds to 10Mbps up and 10Mbps down, navigate to Settings > Security > Traffic & Firewall Rules
    2. Create a traffic rule for the network with Action of Speed Limit.
    3. Apply this profile to the Guest Network.

Firewall Rules for Secure Networking in UniFi

Configuring firewall rules in a SOHO network is essential to ensure that different VLANs are properly segmented, while still allowing necessary communication between certain networks. Below are the updated firewall rules that apply to the network structure defined earlier. These rules are tailored to ensure secure, controlled traffic flow while blocking unnecessary or potentially risky interactions between VLANs.

1. Allow Management Network Access to All VLANs

The Management VLAN (VLAN 10) needs to be able to access all other VLANs in the network. This is important because network administrators typically require access to all devices for monitoring and configuration purposes.

1
2
3

Action: Allow
Source: Management Network (192.168.10.0/24)
Destination: All VLANs (192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24, 192.168.60.0/24)

This rule ensures that any device on the Management VLAN can communicate with devices across all VLANs, maintaining administrative control over the network.

2. Allow Business Network to Access Infrastructure

The Business VLAN (VLAN 60) should be able to communicate with the Infrastructure VLAN (VLAN 50), as business-critical devices often need to interact with infrastructure services such as servers, printers, or NAS.

1
2
3

Action: Allow
Source: Business Network (192.168.60.0/24)
Destination: Infrastructure Network (192.168.50.0/24)

This rule allows necessary traffic between business devices (e.g., computers or workstations) and the infrastructure devices like servers and storage systems.

3. Block Inter-VLAN Routing

To maintain security, it is important to block communication between all other VLANs (except for the Management-to-all and Business-to-Infrastructure communication mentioned above). This ensures that devices in one VLAN cannot access devices in another VLAN, reducing the risk of accidental or malicious access between networks.

1
2
3

Action: Deny
Source: All VLANs (192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24, 192.168.60.0/24)
Destination: All Other VLANs (192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24, 192.168.60.0/24)

This rule will effectively prevent cross-VLAN traffic, isolating the Guest, IoT, Camera, and Business networks from each other.

4. Block Web Access to Gateways (HTTP/HTTPS)

To enhance security, block any HTTP and HTTPS traffic that is directed at the gateways. This prevents users from accessing the configuration pages of the network gateways, which could otherwise expose sensitive management interfaces.

1
2
3
4

Action: Deny
Source: All VLANs
Destination: Gateway IPs (192.168.x.1)
Protocol: HTTP, HTTPS

This rule ensures that no one can access the gateway’s web interface (either for monitoring or configuration) from any network except for the Management VLAN (which is handled by the first rule).

Enabling IDS And IPS

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are crucial tools in securing your network by monitoring traffic for suspicious activity and, in the case of IPS, actively preventing attacks. In addition, honeypots can help lure attackers into interacting with decoy services, helping you detect threats before they impact critical devices.

1. Enabling Honeypots on All Networks

Honeypots help detect potential security threats by tricking malicious actors into interacting with fake services. Once deployed, honeypots will monitor traffic across your networks and alert you to suspicious activity, such as unauthorized devices attempting to access resources.

Steps to enable honeypots on UniFi:

  1. Navigate to Settings > Security > General.
  2. Scroll down to the Internal Honeypots section.
  3. Add all your network VLANs to this section to deploy honeypots across each VLAN.
  4. Apply changes to activate the honeypots.

2. Configuring IPS

IDS and IPS work together to detect and prevent network intrusions by analyzing traffic for patterns that indicate malicious behavior. IDS passively detects threats, while IPS actively blocks them.

Steps to configure IPS on UniFi:

  1. Navigate to Settings > Security > Intrusion Prevention.
  2. Add the networks you want to protect (e.g., Business, Infrastructure, IoT) to the list of monitored networks.
  3. Adjust the Sensitivity and Filtering Mode based on your security needs.
    • Low Sensitivity is less aggressive but reduces false positives.
    • High Sensitivity provides tighter security but may block more legitimate traffic.
  4. Ensure that IDS/IPS is enabled to monitor and block unwanted traffic.

Configuring Failover Routing

Routing failover ensures that if your primary internet connection goes down, your SOHO network can automatically switch to a backup connection. For that secondary internet connection is needed from independent ISP.

Steps to configure failover in UniFi:

  1. Go to Settings > Internet > Dual WAN.
  2. Add your primary and secondary internet connections.
  3. Set appropriate Load Balancing.

Conclusion

Setting up a SOHO network with Ubiquiti UniFi allows you to create a robust, segmented, and secure network with full control over each VLAN. Whether it’s managing guest network isolation, setting up IoT devices, or controlling communication between subnets, UniFi offers an intuitive way to do it all.

By following these steps, you can ensure that your network is secure, efficient, and ready to handle both business and personal needs. Properly configuring access and trunk ports, securing your VLANs with firewall rules, configuring failover routing and enabling IDS/IPS will further enhance your network’s performance and security.

Happy engineering!

Updated on 2025-05-14
Read Markdown
 NetworkingSecurity
Back | Home