I am in the process of redoing some of my networking in terms of replacing devices with Unifi devices (UDM Pro, an 8 Port Unifi PoE switch, a Unifi 6 Lite AP, reusing an unmanaged switch elsewhere, etc.), and running cabling etc. With all this work I’m doing, I want to segregate devices that do not need to talk to the internet.

I was trying to follow along with Rob ('The Hook Up' on YouTube) with this series: Part 2 | Ultimate Home Network 2021 | VLANs, Firewall Rules, and WiFi Networks for IoT UniFi 6.0 - YouTube

My extent of network experience is setting DHCP reservations and MAC filtering...I'm not very knowledgeable on networking, so please forgive me if I misspeak or don't know something. :slight_smile:

I loved the idea of a local-only hub, and I want to set up my network to limit devices talking to the internet and also talking to each other if not beneficial for me.

A lot of my devices that I have that I want local, I also want to get updates for.

Things such as a NAS, a NVR, my Konnected Pro device, or the Hubitat hub, etc. This got me wondering...wouldn't I have to expose my C7 HE device to the internet in order to get updates, get user apps (loving the package manager BTW), etc.? Could I then somehow limit this efficiently? (I've even debated trying to hook all devices like this up to a single switch if possible and just change the LAN port that the switch is going to.... just to pull updates. I'm not even sure if I can set rules up by LAN port yet or not...)

Would anyone kindly offer suggestions, things to think about, etc.?

I planned to do as Rob from The Hook Up said and have a NoT, IoT, a main, and a guest network.

Is this the best way? Is there a better workaround?

I guess I’m asking two questions here:

  1. Can I somehow make the hub as local as possible but still pull updates, get the weather, etc.?
     • I assume the answer is just ‘no’.
  2. What are your suggestions on a network setup to make things as segregated as possible while still functioning?

You can definitely isolate all of your IoT devices to a separate VLAN, and then broadcast a unique WiFi SSID just for those things.
Use firewall rules to deny outbound Internet access to that VLAN, then either add rules to allow outbound to the few specific public IP addresses enabling device updates and fetching weather telemetry, or add a rule to allow outbound Internet access only from the internal IP address of the C7.
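The two options in the reply above (allow out only from the hub's internal IP, or allow the whole VLAN to reach a few specific public hosts, with a deny for everything else after it) come down to rule order and scope. Below is an added example, not code from the thread or from Ubiquiti, that models first-match evaluation of those rules over a few constructed flows. The VLAN range, the hub's address, the allowed ports and the TEST-NET placeholder addresses for the update/weather hosts are all assumptions for illustration; on a UDM Pro the real rules are created in the Network UI.

```python
"""Added example, not code from the thread or from Ubiquiti: a first-match
model of the "deny the IoT VLAN Internet access, then allow the hub (or a few
update hosts) out" policy described in the reply above. The addressing, VLAN,
hub IP, ports and the public update-host addresses are assumptions for
illustration; the real rules are configured in the UDM Pro UI. This script only
shows how the ordering and scoping of those rules play out."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed addressing, following the "VLAN 20 = IoT" layout used later in the thread.
IOT_VLAN = ip_network("192.168.20.0/24")      # assumed IoT/NoT VLAN
HUB_IP = "192.168.20.10"                      # assumed internal address of the C7 hub
# Assumed placeholder addresses (TEST-NET-3) standing in for the public hosts the
# hub contacts for updates and weather; substitute the real ones.
UPDATE_HOSTS = [ip_network("203.0.113.10/32"), ip_network("203.0.113.20/32")]

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internet(addr: IPv4Address) -> bool:
    """An 'Internet' destination is anything outside the private ranges."""
    return not any(addr in net for net in RFC1918)


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    src: IPv4Network                      # source network the rule applies to
    dst: list[IPv4Network] | None = None  # None = any Internet destination
    dports: set[int] | None = None        # None = any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        if src not in self.src:
            return False
        if self.dst is None:
            if not is_internet(dst):
                return False
        elif not any(dst in net for net in self.dst):
            return False
        return self.dports is None or dport in self.dports


def evaluate(rules: list[Rule], src: str, dst: str, dport: int) -> tuple[str, str]:
    """First matching rule wins, as in a firewall chain; with no match the
    chain's default applies (outbound from a LAN is allowed by default)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return "allow", "default"


# Option 1 from the reply: allow out only from the hub's internal IP, then deny the VLAN.
POLICY_HUB_ONLY = [
    Rule("allow hub out", "allow", ip_network(f"{HUB_IP}/32"), None, {53, 80, 443}),
    Rule("deny IoT internet", "deny", IOT_VLAN),
]

# Option 2 from the reply: allow the VLAN to reach a few specific public hosts, then deny.
POLICY_UPDATE_HOSTS = [
    Rule("allow update hosts", "allow", IOT_VLAN, UPDATE_HOSTS, {443}),
    Rule("deny IoT internet", "deny", IOT_VLAN),
]

# The same two rules in the wrong order: the deny is evaluated first, the allow
# never fires, and the hub is cut off along with everything else.
POLICY_MISORDERED = list(reversed(POLICY_HUB_ONLY))


def check_policy(rules: list[Rule]) -> dict[str, str]:
    """Run a handful of constructed flows through a policy and report the verdicts."""
    flows = {
        "hub -> update host:443":      (HUB_IP, "203.0.113.10", 443),
        "bulb -> update host:443":     ("192.168.20.55", "203.0.113.10", 443),
        "bulb -> update host:80":      ("192.168.20.55", "203.0.113.10", 80),
        "bulb -> random internet:443": ("192.168.20.55", "198.51.100.7", 443),
        "bulb -> admin VLAN host:443": ("192.168.20.55", "192.168.10.5", 443),
    }
    return {label: evaluate(rules, *flow)[0] for label, flow in flows.items()}


if __name__ == "__main__":
    for label, policy in [("hub only", POLICY_HUB_ONLY),
                          ("update hosts", POLICY_UPDATE_HOSTS),
                          ("misordered", POLICY_MISORDERED)]:
        print(label, check_policy(policy))
```

Two things the model makes visible. First, the deny rule here is scoped to Internet destinations only, so it says nothing about the IoT VLAN reaching the admin VLAN (the "bulb -> admin VLAN host" flow falls through to the default); keeping VLANs apart from each other is a separate inter-VLAN rule on the UDM Pro. Second, the allow-by-source-IP option survives the hub's update and weather servers changing addresses, whereas a list of public IPs has to be kept current; whichever you pick, the hub still needs to reach a DNS resolver (the assumed port 53 in the hub rule, or the gateway's own resolver on the private network).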

Once the hub is installed, updated, and you've installed the apps you want, it can certainly be removed from the internet. You'll still be able to set up rules and it will function fine, as long as you are talking to Z-Wave, Zigbee, or WiFi devices that it can still reach. A simple solution would be to use a dedicated router whose WAN port you can unplug, at least in the beginning. Setting up VLANs and firewalls would be a better long-term solution, but that's going to take a little time to learn. I would join a forum for whatever router you end up going with and learn the ins and outs of that guy.

I am about four months ahead of you with a switch to UDMP and two Nano HDs. Just using the PoE injectors that came with the Nanos.

I recommend that you just forge ahead and learn as you go. Setting up a separate VLAN for your smart home stuff will be easy.

Then you can start setting up rules for traffic to and from the internet from there.

The UDMP controller software is fairly intuitive about half the time even with my novice network skills.

I am about a month ahead of you. I just installed a UDM Pro, a USW 16 port PoE switch, a Flex Mini switch and 3 wireless access points. I followed the instructions on YouTube from Mactelecom to set up the VLANs and firewall rules. I found the instructions easy to follow and understandable.
I set up 5 networks with 4 VLANs and 4 wireless networks.
The main LAN: items on this network are network hardware such as the UDM Pro, switches and WAPs.
My Admin network is on 192.168.10.1 on VLAN 10 with a related wireless network. Items on this VLAN include iMacs, iPads and iPhones.
The IoT network is on VLAN 20 with a related wireless network. Items on this network include WiFi lighting, a vacuum, a doorbell, etc.
The camera network is on VLAN 30 with a related wireless network. I have 5 G3 Flex and 2 G3 Instant cameras.
The guest network is on VLAN 40 with a related wireless network. I did not use the UniFi guest portal.
When you create a network, the system sets up correlating switch port profiles, which helps with setup.
It took me a while to set it all up, but it is working quite well. I hope you are successful with your system setup. If you need help, PM me and maybe I can help.

