
My UniFi Dream Router 7 VLAN Setup
This is documentation of my home network setup using the UniFi Dream Router 7. I'm writing this primarily for future me, when I inevitably need to rebuild this or troubleshoot something at 11 PM on a Tuesday.
Network Overview
The network uses five VLANs with specific purposes:
- VLAN 1 (Management): 10.42.1.0/24 - Router management access
- VLAN 2 (Home): 10.42.2.0/24 - Trusted devices (laptops, phones)
- VLAN 3 (IoT): 10.42.3.0/24 - Smart home devices
- VLAN 4 (Services): 10.42.4.0/24 - Infrastructure (Home Assistant, Pi-hole)
- VLAN 300 (WAN): ISP connection (tagged on WAN port)
Physical port assignments on the DR7:
- Port 1: IoT devices (VLAN 3)
- Port 2: Home Assistant server (VLAN 4)
- Port 3: Pi-hole server (VLAN 4)
- Port 4: WAN to ONT (VLAN 300 tagged)
Build Sequence
I followed a specific sequence to avoid locking myself out during configuration. Management was performed from a laptop connected to the Home network Wi-Fi.
Step 0: WAN Configuration
This must be done first. My ISP requires specific WAN settings:
- Connection Type: DHCP
- VLAN ID: 300 (802.1q tagged)
- Mode: Routing
- Encapsulation: IPoE
- IPv4/IPv6 Mode: IPv4
- MTU: 1500
- NAT: Enabled
- IGMP Proxy: Disabled
- Default Gateway: Enabled
The Ethernet cable from the ONT connects to Port 4. I verified internet connectivity before proceeding with VLAN configuration.
Step 1: Home Network Setup
I configured the Home network first and connected to it via Wi-Fi. This became my management connection for the rest of the setup.
- Network: 10.42.2.0/24
- Gateway: 10.42.2.1
- DHCP: Enabled
- DHCP Name Server: Gateway (temporary, changed later)
- Wi-Fi SSID: siege.sh, bound to VLAN 2
I reserved a static IP for my laptop (10.42.2.10) to ensure consistent access during configuration.
Step 2: Additional VLAN Definition
I created the other VLANs without assigning Wi-Fi networks yet:
Management (VLAN 1):
- Network: 10.42.1.0/24
- Gateway: 10.42.1.1
- DHCP: Enabled
IoT (VLAN 3):
- Network: 10.42.3.0/24
- Gateway: 10.42.3.1
- DHCP: Enabled
Services (VLAN 4):
- Network: 10.42.4.0/24
- Gateway: 10.42.4.1
- DHCP: Enabled
Step 2a: IoT Network Optimizations
For the IoT VLAN, I enabled additional settings to handle multicast traffic properly:
- IGMP Snooping: Enabled (prevents multicast flooding)
- Multicast DNS: Enabled (allows .local domain resolution)
- DHCP Guarding: Enabled (prevents rogue DHCP servers)
These settings are critical for IoT devices that use mDNS for discovery (Chromecast, Philips Hue, etc.) and multicast for communication. IGMP Snooping prevents multicast traffic from flooding the entire network while still allowing proper device discovery.
Step 3: Firewall Zone Creation
I created firewall zones mapped to each VLAN:
- Mgmt zone = VLAN 1
- Home zone = VLAN 2
- IoT zone = VLAN 3
- Services zone = VLAN 4
- WAN zone = Internet
Step 4: The Lifeline Rule
Before adding any restrictive rules, I created a safety rule that always stays first in the firewall list:
- From Zone: Home
- To Zone: Mgmt
- Services: TCP/443 (UniFi UI), TCP/22 (SSH)
- Source Filter: Any
- Action: Allow
This ensures I can always reach the router management interface from the Home network, regardless of what other rules I add later.
Step 5: IoT Wi-Fi Network
I created the IoT Wi-Fi network:
- SSID: rc6.org
- VLAN: 3 (IoT)
Step 6: Express Mesh Point
I added a UniFi Express as a mesh point. It connected wirelessly to the DR7 and broadcasts both SSIDs:
- siege.sh (Home, VLAN 2)
- rc6.org (IoT, VLAN 3)
Steps 7-8: Services Infrastructure
I connected the infrastructure servers:
Home Assistant:
- Connected to Port 2 (Services VLAN 4)
- Reserved IP: 10.42.4.20
Pi-hole:
- Connected to Port 3 (Services VLAN 4)
- Reserved IP: 10.42.4.10
Step 9: Connectivity Verification
Before adding restrictive firewall rules, I verified I could reach both services from my laptop on the Home network:
- Pi-hole web UI at 10.42.4.10
- Home Assistant web UI at 10.42.4.20
Firewall Rules
The firewall rules are ordered from top to bottom. The order matters because the first matching rule wins.
| Priority | From Zone | To Zone | Service | Source Filter | Action | Purpose |
|---|---|---|---|---|---|---|
| 1 | Home | Mgmt | TCP/443, TCP/22 | Any | Allow | Lifeline: always access router |
| 2 | Home | Services | UDP/TCP 53, TCP/80, TCP/443 | Any | Allow | DNS and web UIs |
| 3 | IoT | Services | UDP/TCP 53 | Any | Allow | IoT DNS only |
| 4 | Services | IoT | Any | Any | Allow | Home Assistant controls devices |
| 5 | Home | Services | TCP/8123 | Any | Allow | Home Assistant access (optional) |
| 6 | Any | Mgmt | Any | Any | Deny | Protect management VLAN |
| 7 | IoT | Home | Any | Any | Deny | Isolate IoT from Home |
| 8 | Any LAN | Any LAN | Any | Any | Deny | Default deny all inter-VLAN |
Rule Explanations:
- Rule 1: Ensures I can always access router management from Home network
- Rule 2: Allows Home network to use Pi-hole DNS and access web UIs
- Rule 3: IoT devices can only use DNS, nothing else in Services
- Rule 4: Home Assistant needs to reach IoT devices to control them
- Rule 5: Optional rule for accessing Home Assistant from Home network
- Rules 6-8: Default deny posture for security
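To check that the ordering above really produces the outcomes in the verification checklist, here is an added example (not part of the original post) that models the eight zone rules as a first-match list and evaluates sample flows against it. Zone names, services and actions come from the table; the checklist flows and their expected results are constructed for this example, and the last line shows what happens when the lifeline rule is moved below rule 6.

```python
# Added example (not the post's own code): first-match evaluator for the zone rules above.
LAN_ZONES = {"Mgmt", "Home", "IoT", "Services"}
# (from, to, services, action) in priority order; "Any" in services matches every port.
RULES = [
    ("Home", "Mgmt", {"tcp/443", "tcp/22"}, "Allow"),                          # 1 lifeline
    ("Home", "Services", {"udp/53", "tcp/53", "tcp/80", "tcp/443"}, "Allow"),  # 2 DNS + web UIs
    ("IoT", "Services", {"udp/53", "tcp/53"}, "Allow"),                        # 3 IoT DNS only
    ("Services", "IoT", {"Any"}, "Allow"),                                     # 4 HA -> devices
    ("Home", "Services", {"tcp/8123"}, "Allow"),                               # 5 HA UI
    ("Any", "Mgmt", {"Any"}, "Deny"),                                          # 6 protect Mgmt
    ("IoT", "Home", {"Any"}, "Deny"),                                          # 7 isolate IoT
    ("Any LAN", "Any LAN", {"Any"}, "Deny"),                                   # 8 default deny
]

# Verification-checklist flows with their expected outcome (constructed for this example).
CHECKLIST = [
    ("Home", "Mgmt", "tcp/443", "Allow"),       # laptop reaches the DR7 UI
    ("Home", "Services", "tcp/8123", "Allow"),  # Home Assistant UI via rule 5
    ("IoT", "Services", "udp/53", "Allow"),     # IoT resolves DNS through Pi-hole
    ("IoT", "Services", "tcp/80", "Deny"),      # ...but cannot open the Pi-hole UI
    ("Services", "IoT", "tcp/80", "Allow"),     # Home Assistant controls devices
    ("IoT", "Mgmt", "tcp/443", "Deny"),         # management VLAN stays isolated
    ("IoT", "Home", "tcp/22", "Deny"),          # IoT cannot reach Home
    ("Home", "IoT", "tcp/80", "Deny"),          # no allow rule, so rule 8 catches it
]

def _zone_matches(pattern, zone):
    if pattern == "Any":
        return True
    if pattern == "Any LAN":
        return zone in LAN_ZONES
    return pattern == zone

def evaluate(rules, src, dst, service):
    """(action, priority) of the first matching rule; ("NoMatch", None) if uncovered."""
    for prio, (rsrc, rdst, ports, action) in enumerate(rules, start=1):
        if (_zone_matches(rsrc, src) and _zone_matches(rdst, dst)
                and ("Any" in ports or service in ports)):
            return action, prio
    return "NoMatch", None

def audit(rules=RULES):
    """Checklist flows whose outcome differs from the expected one."""
    return [(s, d, svc) for s, d, svc, want in CHECKLIST
            if evaluate(rules, s, d, svc)[0] != want]

if __name__ == "__main__":
    print("policy mismatches:", audit())  # []
    # Moving the lifeline below the Mgmt deny (rule 6) cuts off router access from Home.
    print(evaluate(RULES[1:] + RULES[:1], "Home", "Mgmt", "tcp/443"))  # ('Deny', 5)
```

Flows to the WAN zone are not in the table (the gateway's default LAN-to-internet behaviour applies), so `evaluate` reports them as unmatched rather than guessing.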
DNS Configuration
I wanted all DNS traffic to go through Pi-hole, regardless of what DNS servers devices try to use.
Testing Pi-hole
Before redirecting all traffic, I tested Pi-hole manually:
```shell
nslookup openai.com 10.42.4.10
```
DNS Redirect Rule
I created a NAT redirect rule to force all DNS through Pi-hole:
- Source Zone: Any
- Destination Zone: WAN
- Port: 53 (UDP/TCP)
- Action: Redirect to 10.42.4.10
This intercepts any DNS query attempting to reach the internet and redirects it to Pi-hole. Even devices with hardcoded DNS servers (like 8.8.8.8) get redirected. Only plain port-53 DNS is caught, though: clients that use DNS over HTTPS (TCP/443) or DNS over TLS (TCP/853) bypass the redirect.
DHCP Configuration
I left the DHCP Name Server setting as "Gateway" on all VLANs. The NAT redirect catches all DNS traffic anyway, so this keeps the configuration simpler. Alternatively, I could set DHCP to distribute 10.42.4.10 directly, but the redirect rule makes this unnecessary.
Verification Checklist
After completing the setup, I verified:
- Laptop (Home) can access DR7 UI
- Laptop (Home) can access Pi-hole UI
- Laptop (Home) can access Home Assistant UI
- IoT devices resolve DNS only via Pi-hole
- Home Assistant can control IoT devices
- Management VLAN remains isolated
- IoT devices cannot access Home network
Troubleshooting Notes
WAN Connection Issues:
- Verify VLAN 300 is set on WAN interface
- Connection should be DHCP, not PPPoE
- MTU should be 1500
- NAT should be enabled
- If connection fails, ONT may need ISP provisioning
DNS Problems:
- Verify Pi-hole is accessible at 10.42.4.10
- Check NAT redirect rule is active
- Test with nslookup from different VLANs
IoT Device Discovery:
- Ensure IGMP Snooping is enabled on IoT VLAN
- Verify Multicast DNS is enabled
- Check that Home Assistant → IoT allow rule exists
Testing Commands:
```shell
# Test DNS resolution
nslookup google.com
# Test inter-VLAN connectivity
ping 10.42.4.10 # Pi-hole
ping 10.42.4.20 # Home Assistant
```
Important Notes for Future Me
- The lifeline rule (Priority 1) must always stay first. Don't reorder it.
- VLAN 300 is required by my ISP for WAN. Don't remove it.
- IoT VLAN needs IGMP Snooping and Multicast DNS for device discovery.
- Pi-hole must have a reserved IP since it's the DNS server.
- The NAT redirect rule is what forces all DNS through Pi-hole.
- If I factory reset the router, configure WAN (VLAN 300) before anything else.
This setup provides network segmentation while allowing necessary communication between zones. The IoT devices are isolated from the Home network, but Home Assistant can still control them. All DNS goes through Pi-hole for filtering, and the management interface is protected from unauthorized access.