Move all UniFi devices in a separate VLAN or leave them in LAN?

Hi everyone,

I posted this in Reddit but doing this here as well. I thought I saw in one Tom’s videos that he recommended having the network controller reside in a secured VLAN (instead of LAN) but could be wrong.

Anyway, below is my Reddit post, thank you in advance!

*I have a UCK Gen2+, several UniFI switches and a couple APs - they are all behind pfSense. I am very familiar on how to create VLANs in pfSense and UniFi.

I have a LAN (subnet and then have created the following VLANs:

Admin- (VLAN 20)

IoT- (VLAN 30)

Camera- (VLAN 40)

*Would like to move and isolate all the UniFi devices to the Admin (or management) VLAN but I have been struggling quite a bit lately because when they are factory-reset, all UniFi devices (including the controller), will get their IP from LAN which is understandable. *

*However, changing their IPs to the Admin VLAN has been quite a struggle as I have not figured out the proper way and commands to make this possible. *

I have a couple of questions:

*1. What is the best way to change the UniFi devices IPs (including UCK Gen2+) from those in LAN to those VLAN 20? *

2. What are some of the proper UniFi commands that can be used to facilitate such IP change? I have tried the “set-inform”’ones but have not been successful.

3. What would be the proper path to follow when doing this? Start with the controller first, then move to the aggregate switch, other switches and lastly all APs?

3. Lastly, would you even bother to move all UniFi devices to a separate VLAN when you could simply leave them in the pfSense’s LAN and use the other VLANs to segregate all other devices?

Appreciate your thoughts and advice!

I would leave the network as it is setup now.

main lan (which includes UCK Gen2+, Unifi Switches, AP’s), - just have strong passwords for the Gen2+ , ssh access to the unifi equipment.

separate vlans for IOT and cameras.

How To Setup VLANs With pfsense & UniFI 2022 - YouTube

1 Like

I have all my UniFi devices in the default LAN. I don’t see the need to put them in a separate VLAN for management.

1 Like

I left all my UniFi devices in the default LAN with other VLANs/subnets for servers, workstations, etc.

1 Like

I don’t have an answer to your query as such but more of an observation. I would use the LAN as a management vlan which is I assume your Admin vlan. Then you can control who can access those bits of kit. If it’s your home, perhaps the risk is low but it’s there and you have the means of reducing the risk so why not.

I would have added a Guest vlan as that is where the “real” untrusted devices come from, perhaps the IoT but they just dial home passing on data. Mostly just depends on your network, physical layout and what you can be bothered to do.

1 Like

Thank you so much Tom!

Thank you so much @neogrid!