Help making a secure home network [Unifi]

So I’m wanting to make a secure home network for all of my smart devices and to have general peace of mind that my network etc. would be generally safe (or at least that a newbie hacker etc. couldn’t easily get into my network, or, if I’m livestreaming, that a viewer can’t find my location or DDoS me, etc.).

I’ll be implementing these after I move in a few months, as I’ll be getting a new router then (the Dream Machine Pro, with a U6 LR access point for Wi-Fi; I don’t think my new location would be big enough for multiple APs).

Here is my checklist of “internet security changes” that I’ll do when setting up the Dream Machine, which I’ve heard help with security from various YouTube videos; I’m curious if there’s anything I’m missing, or that is incorrect and I need to remove from my checklist.

[I’m putting my entire checklist here, so some items might not exactly be “security” related]
1 - Change the web portal’s username/password to something that’s not “admin”/“admin”, etc. (not sure if this applies to Unifi products, as I think you log in with your Unifi account).
2 - Update the Dream Machine’s / Wi-Fi AP’s firmware.
3 - Make VLANs for MAIN (computer) / IOT [with my phone in this VLAN so it can discover my smart devices; I’ve heard phones are built to be on sketchy networks so they’re pretty secure? and I normally use a VPN on my phone, so I would assume that would help] / GUEST, and use randomly generated 20-character Wi-Fi passwords for them [so they’re not easily crackable].
4 - Set a rule so that VLAN IOT can’t communicate with VLAN MAIN, and the other way around.
5 - Turn off UPnP.
6 - Disable remote access / remote management.
7 - Allow nothing in port forwarding / turn it off.
8 - Turn off WPS / Wi-Fi Protected Setup.
9 - Turn off “respond to pings from LAN” and “respond to pings from WAN”.
10 - Turn off “Enable connectivity monitor and wireless uplink” [not sure if security related, but I have heard it’s better to turn these off].
11 - Disable fast roaming in the Wi-Fi section.
12 - Turn internet security up to max: deep packet inspection on, device fingerprinting, threat management at max, intrusion prevention system on, etc.
13 - If there are multiple wireless APs, put the first AP’s 2.4 GHz on channel 1, the 2nd AP on channel 6 and the 3rd on channel 11, and 5 GHz on channels 36, 48 and 161.

Would these make my network fairly secure? If one of my smart devices was hacked/cracked because it had a vulnerability, would the network still be fairly secure? Should I not have my phone on the IOT VLAN, but instead on the MAIN VLAN, and set up mDNS so the phone can still connect to IOT devices? Etc.
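Editor’s added example (not code from the original post, and not anything Unifi or pfSense ships): a small Python model of the stateful inter-VLAN firewall behind checklist item 4, run against the situations the post asks about (a compromised IoT device, and a phone on IOT versus MAIN). It implements the common variant of the rule in which MAIN may initiate connections to IOT but IOT may never initiate to MAIN; return traffic for an allowed connection passes in either direction, which is what an “established/related” rule does on a real router and is what lets a phone on MAIN still control IoT devices. The VLAN subnets, host addresses and ports are constructed assumptions. mDNS discovery across VLANs (which needs a reflector or repeater) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan mirroring the checklist; the subnet numbers are an
# assumption, not Unifi defaults or anything from the post.
VLANS = {
    "MAIN": ip_network("192.168.10.0/24"),
    "IOT": ip_network("192.168.20.0/24"),
    "GUEST": ip_network("192.168.30.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its VLAN name; anything outside the three VLANs is WAN."""
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow_key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # The reply direction of the same 5-tuple.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    """Minimal model of a stateful inter-VLAN firewall.

    Zone policy for NEW connections:
      MAIN  -> IOT, WAN   accept  (trusted devices may manage IoT and reach the internet)
      IOT   -> WAN        accept  (IoT may only talk to the internet)
      GUEST -> WAN        accept
      anything else       drop    (IOT->MAIN, GUEST->MAIN, GUEST->IOT, WAN->anything)
    Packets belonging to a connection that was already accepted pass in either
    direction, which is what an "established/related" rule does on a real firewall.
    """

    NEW_ALLOWED = {("MAIN", "IOT"), ("MAIN", "WAN"), ("IOT", "WAN"), ("GUEST", "WAN")}

    def __init__(self) -> None:
        self.established: set = set()

    def handle(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        # Traffic inside one VLAN is switched locally and never crosses the router.
        if src_zone == dst_zone:
            return "accept"
        # Part of a flow we already accepted, in either direction.
        if pkt.flow_key() in self.established or pkt.reverse_key() in self.established:
            return "accept"
        if (src_zone, dst_zone) in self.NEW_ALLOWED:
            self.established.add(pkt.flow_key())
            return "accept"
        return "drop"


def demo() -> dict:
    """Run the post's scenarios through the model and collect the verdicts."""
    fw = StatefulFilter()
    laptop, printer = "192.168.10.5", "192.168.10.9"      # MAIN (constructed)
    phone_iot, bulb = "192.168.20.7", "192.168.20.40"     # IOT  (constructed)
    results = {}
    # Laptop on MAIN opens a bulb's web UI on IOT: allowed, and the reply comes back.
    results["main_to_iot"] = fw.handle(Packet(laptop, 51000, bulb, 80))
    results["iot_reply"] = fw.handle(Packet(bulb, 80, laptop, 51000))
    # A compromised bulb probes the printer on MAIN: a new IOT->MAIN flow, dropped.
    results["iot_to_main"] = fw.handle(Packet(bulb, 40000, printer, 445))
    # The same bulb can still reach its cloud service on the internet.
    results["iot_to_wan"] = fw.handle(Packet(bulb, 40001, "203.0.113.10", 443))
    # A phone parked on IOT reaches the bulb directly (same VLAN) but not the laptop.
    results["phone_iot_to_bulb"] = fw.handle(Packet(phone_iot, 52000, bulb, 80))
    results["phone_iot_to_main"] = fw.handle(Packet(phone_iot, 52001, laptop, 22))
    # Unsolicited inbound from the internet with no port forwards: dropped.
    results["wan_to_main"] = fw.handle(Packet("198.51.100.4", 1234, laptop, 3389))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the model makes for the post’s question: a compromised IoT device can only talk to its own VLAN and the internet, whether or not MAIN is allowed to initiate towards IOT, so putting the phone on MAIN costs nothing in isolation; what it costs is mDNS discovery, which a real firewall does not forward between VLANs without a reflector.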

If you are going out via your ISP, your WAN address will be visible.

Sounds like you want to use a VPN. I don’t have any Unifi kit, but they don’t seem to be a good solution for running VPNs. Once you have the kit to set up VLANs then it’s straightforward.

Passwords are not secure; you could set up a RADIUS server with username / password / 2FA / certificates. It would take a lot to get past all that.

You’re probably better off with pfSense on your router; if you are willing to invest the time it takes then it’s probably the best option to harden your security. Unifi are not on par with pfSense for routers.

IMO, as long as you are not exposing your network to the internet you should be OK, and you only dial home via a VPN.

I don’t think you can do this with the UDMP as they require online registration to set up the system.

I’ll be using a VPN on my desktop, which is what I’ll be streaming from; will my network still be vulnerable to that even if my main device on that VLAN is using a VPN?

What do “pfSense” routers offer in terms of security etc. that Unifi doesn’t? Are there more security features? Are there more frequent firmware updates that would resolve any vulnerability risk? Etc.

Sorry for the noob questions, I’m super new to all this.

I didn’t expect to get a reply from the owner :o

I thought about paying the $200 for your hourly “hire us” rate and sending my question on your website, but I saw the part about the forums and thought I’d ask here <3

As you are setting up VLANs, with pfSense at least it’s straightforward to set up a VLAN that exits via your VPN provider, hence any device connecting to that VLAN uses the VPN. Even better, if you are in a pub you can remote into your home over, say, OpenVPN, then exit out via your paid-for VPN without using up the number of connections you have, which is the usual limitation.

If you have a VPN on your laptop, it might be vulnerable to DNS leaks; at least for me, I find it easier to secure a network rather than a laptop.

I’d say you might want to do some research on Unifi vs pfSense for your router, then take your pick.