My UniFi Dream Router 7 VLAN Setup

Safe, lockout-proof sequence for configuring VLANs and firewall rules. Management performed from siege.sh (Home, VLAN 2) over Wi-Fi.

Port Configuration (DR7)

• Port 1: IoT (VLAN 3) → Wired IoT devices
• Port 2: IoT (VLAN 3) → Home Assistant server
• Port 3: Services (VLAN 4) → Pi-hole server
• Port 4: WAN → Ethernet from ONT (VLAN 300 tagged)

Phase 1: Core Bootstrap

0. Configure WAN Connection (Do This First)

Option A: Initial Setup with Cable Modem (Before Fiber)

• Navigate to Settings → Internet → WAN
• Connection Type: DHCP
• VLAN ID: Leave disabled/untagged
• Connect cable modem to Port 4 (WAN)
• Verify internet connectivity before proceeding
• Complete all other phases of this guide

Option B: Switch to Fiber (When Available)

• Navigate to Settings → Internet → WAN
• Connection Type: DHCP (IP Address shows DHCP)
• VLAN ID: 300 (802.1q: 300 from ISP table)
• Mode: Routing
• Encapsulation: IPoE
• IPv4/IPv6 Mode: IPv4
• MTU: 1500
• NAT: Enable (checked in table)
• IGMP Proxy: Disable (X in table)
• Default Gateway: Enable (checked in table)
• Disconnect cable modem, connect Ethernet cable from ONT to Port 4 (WAN)
• Verify internet connectivity

Note: The only difference between cable and fiber setup is the VLAN 300 tag. Everything else stays the same.

1. Configure Home Network (VLAN 2)

Important: You're currently on the default Management network. We need to set up the Home network first so we can switch to it before reorganizing zones.

• Network: 10.42.2.0/24
• Gateway: 10.42.2.1
• DHCP: Enabled
• DHCP Name Server: Gateway (temporary)
• Wi-Fi SSID: siege.sh bound to VLAN 2
• Create the Wi-Fi network NOW - Don't wait for Phase 3
• Connect your laptop to siege.sh network
• Reserve laptop IP address (e.g., 10.42.2.10) - optional but recommended

⚠️ Critical: You MUST switch to the siege.sh Wi-Fi network before proceeding to zone configuration. This ensures you won't lose access when moving networks between zones.

2. Define Additional VLANs (No Wi-Fi Yet)

• Management (VLAN 1): 10.42.1.0/24, GW 10.42.1.1, DHCP ON
• IoT (VLAN 3): 10.42.3.0/24, GW 10.42.3.1, DHCP ON
• Services (VLAN 4): 10.42.4.0/24, GW 10.42.4.1, DHCP ON

Note: VLAN 300 is used for WAN/ISP communication and doesn't need local configuration

2a. Configure IoT Network Optimizations

• Navigate to Settings → Networks → IoT (VLAN 3)
• IGMP Snooping: Enable (prevents multicast flooding)
• Multicast DNS: Enable (allows .local domain resolution)
• DHCP Guarding: Enable (prevents rogue DHCP servers)

Why this matters: Many IoT devices use mDNS for discovery (Chromecast, Philips Hue, etc.) and multicast for communication. IGMP Snooping prevents multicast traffic from flooding the network while still allowing proper device discovery.

3. Create Firewall Zones and Assign Networks

Important: By default, UniFi has a "LAN" zone containing all local networks. You need to create custom zones and move networks into them. When you move a network to a different zone, existing firewall rules may be affected.

Create Custom Zones

• Navigate to Settings → Security → Firewall → Zones
• Create the following zones (in this order):
  1. Mgmt - For management/admin access
  2. Home - For trusted devices
  3. IoT - For IoT devices
  4. Services - For servers (Pi-hole, Home Assistant)

Note: WAN zone already exists by default

Assign Networks to Zones (Critical Order!)

Move networks in this specific order to avoid lockout:

1. First: Move Home (VLAN 2) → Home zone
   • You're connected via siege.sh on this network, so you maintain access
2. Second: Move Management (VLAN 1) → Mgmt zone
   • Now Home and Mgmt are in separate zones
3. Immediately: Add the lifeline rule (see Phase 2 below)
   • This ensures Home can reach Mgmt before we continue
4. Then: Move remaining networks:
   • IoT (VLAN 3) → IoT zone
   • Services (VLAN 4) → Services zone

⚠️ Critical: Do NOT move any other networks until the lifeline rule is in place, or you may lose access to the router UI!

Phase 2: Lifeline Rule (Critical!)

4. Add Safe Access Rule (Always Keep This First)

• From Zone: Home
• To Zone: Mgmt
• Services: TCP/443 (UniFi UI), TCP/22 (SSH optional)
• Source Filter: Any (all devices on Home network)
• Action: Allow

⚠️ Important: This rule ensures anyone on the Home network can always reach the DR7 UI, even after adding deny rules.

Phase 3: IoT Wi-Fi + Express Mesh

5. Create IoT Wi-Fi Network

• SSID: rc6.org
• VLAN: 3 (IoT)

6. Set Up Express Mesh Point

• Power up Express device (will mesh via siege.sh)
• Adopt in UniFi UI
• Configure to broadcast both SSIDs:
  • siege.sh (Home, VLAN 2)
  • rc6.org (IoT, VLAN 3)

Phase 4: Wire in Services

7. Connect Home Assistant

• Plug HA server into Port 2 (IoT VLAN 3)
• Reserve IP: 10.42.3.20

8. Connect Pi-hole

• Plug Pi-hole into Port 3 (Services VLAN 4)
• Reserve IP: 10.42.4.10

8a. Configure Pi-hole for Network-Wide Use

• Access Pi-hole admin interface at http://10.42.4.10/admin
• Navigate to Settings → DNS
• Enable Expert Mode (toggle in top right)
• Scroll to Interface Settings
• Select Permit all origins
• Click Save

Why this matters: By default, Pi-hole only responds to queries from the local network. "Permit all origins" allows Pi-hole to accept DNS queries from all your VLANs (Home, IoT, Services) since they appear to come from different subnets.

9. Verify Connectivity

• From laptop → Pi-hole UI (10.42.4.10)
• From laptop → Home Assistant UI (10.42.3.20)

Phase 5: Firewall Rules

Rule Priority Order (Top → Bottom)

Rule Explanations

• Rule 1: Ensures permanent access to router management
• Rule 2: Allows Home network to use Pi-hole for DNS and access web UI
• Rule 3: Allows Home network to access Home Assistant on IoT VLAN
• Rule 4: Allows IoT devices to use Pi-hole for DNS
• Rules 5-7: Default deny for security isolation

Phase 6: DNS Configuration (Pi-hole)

10. Test DNS Resolution

# From laptop
nslookup openai.com 10.42.4.10

# Verify Pi-hole is working properly before configuring network-wide

11. Configure Each VLAN to Use Pi-hole

• Navigate to Settings → Networks → Each VLAN
• Set DHCP Name Server to Manual: 10.42.4.10
• Apply to all VLANs:
  • Home (VLAN 2)
  • IoT (VLAN 3)
  • Services (VLAN 4)
  • Management (VLAN 1) - optional

Note: All devices will receive Pi-hole as their DNS server via DHCP. Devices that ignore DHCP DNS settings and use hardcoded DNS servers (like 8.8.8.8) will bypass Pi-hole filtering.

Phase 7: Final Verification

Connectivity Checklist

• ✅ Laptop (Home) → DR7 UI accessible
• ✅ Laptop (Home) → Pi-hole UI accessible
• ✅ Laptop (Home) → Home Assistant UI accessible
• ✅ IoT devices resolve DNS only via Pi-hole
• ✅ Home Assistant can control IoT devices
• ✅ Home network can access Home Assistant (10.42.3.20)
• ✅ Management VLAN remains isolated
• ✅ IoT devices cannot access Home network

Troubleshooting Tips

If You Get Locked Out

• The lifeline rule (Rule 1) should prevent this
• If needed, factory reset and start over
• Always test rules incrementally

WAN Connection Issues

• Verify VLAN 300 is set correctly on WAN interface
• Connection should be DHCP, not PPPoE
• MTU should be 1500
• NAT should be enabled
• Contact ISP if connection fails - ONT may need provisioning

Common Issues

• No internet: Check WAN configuration and VLAN 300 setting
• DNS not working: Verify Pi-hole is accessible and NAT redirect rule is active
• HA can't reach IoT: Check Services → IoT allow rule
• IoT accessing Home: Verify IoT → Home deny rule is in place
• IoT device discovery failing: Ensure IGMP Snooping and Multicast DNS are enabled on IoT VLAN
• Chromecast/smart speakers not found: Check mDNS is enabled and multicast traffic is allowed

Testing Commands

# Test DNS from different VLANs
nslookup google.com

# Test connectivity between VLANs
ping 10.42.4.10  # Pi-hole from any VLAN
ping 10.42.4.20  # Home Assistant from Home VLAN

Note: This configuration prioritizes security through network segmentation while maintaining necessary functionality. Always test each phase before proceeding to the next.