This repository contains a complete configuration setup for a Ubiquiti router (UniFi or EdgeRouter) with three isolated network segments designed for maximum security and proper network segregation.
## Table of Contents

- Overview
- Network Architecture
- Directory Structure
- Prerequisites
- Quick Start
- Configuration Files
- Deployment
- Testing & Validation
- Troubleshooting
- Security Considerations
- Maintenance
## Overview

This configuration creates three isolated network segments:

### Private Network (VLAN 10)

- Subnet: 192.168.10.0/24
- Gateway: 192.168.10.1
- Purpose: Trusted devices (computers, phones, tablets)
- Access: Full access to all networks and internet

### Guest Network (VLAN 20)

- Subnet: 192.168.20.0/24
- Gateway: 192.168.20.1
- Purpose: Guest devices (visitors)
- Access: Internet only, isolated from all other networks
- Features: Client isolation, bandwidth limits (50Mbps down / 10Mbps up)

### IoT Network (VLAN 30)

- Subnet: 192.168.30.0/24
- Gateway: 192.168.30.1
- Purpose: Smart home and IoT devices
- Access: Internet access, manageable from Private network
- Features: Isolated from Guest network, limited local access
## Network Architecture

```
                       Internet
                           |
                    [WAN Interface]
                           |
                   [Ubiquiti Router]
                           |
            +--------------+--------------+
            |              |              |
        [VLAN 10]      [VLAN 20]      [VLAN 30]
         Private         Guest           IoT
       192.168.10.1   192.168.20.1   192.168.30.1
            |              |              |
            Managed Switch / Access Points
            |              |              |
      +-----+-----+   +----+----+   +-----+-----+
      |           |   |         |   |           |
  Computers    Phones Visitors Smart Home   Security
   Laptops     Tablets            Devices     Cameras
```
### Traffic Flow Matrix

| From → To | Private | Guest | IoT | Internet |
|---|---|---|---|---|
| Private | ✓ Full | ✓ Full | ✓ Full | ✓ Full |
| Guest | ✗ Block | ✗ Block* | ✗ Block | ✓ Allow |
| IoT | ✗ Block | ✗ Block | ✓ Allow | ✓ Allow |

\*Guest devices cannot communicate with each other (client isolation)
## Directory Structure

```
.
├── README.md                        # This file
├── config/
│   ├── unifi/
│   │   └── networks.json            # UniFi network definitions
│   ├── edgerouter/
│   │   └── setup.sh                 # EdgeRouter CLI setup script
│   ├── firewall/
│   │   └── rules.json               # Firewall rules configuration
│   └── wifi/
│       └── wireless-networks.json   # WiFi/SSID configuration
├── docs/
│   ├── DEPLOYMENT.md                # Deployment guide
│   ├── ARCHITECTURE.md              # Architecture documentation
│   ├── TROUBLESHOOTING.md           # Troubleshooting guide
│   └── SECURITY.md                  # Security best practices
└── scripts/
    └── validate-config.sh           # Configuration validation script
```
## Prerequisites

### Hardware

- Ubiquiti UniFi Dream Machine (UDM/UDM Pro) OR EdgeRouter
- Managed switch with VLAN support (UniFi Switch recommended)
- UniFi Access Points (for WiFi networks)

### Software

- UniFi Network Controller (v7.0+) OR EdgeOS (v2.0+)
- SSH access to router

### Knowledge

- Basic understanding of VLANs and networking
- Familiarity with VLAN configuration
- Basic firewall rule concepts
- Understanding of network isolation
## Quick Start

### For UniFi

1. Access UniFi Controller
   ```bash
   # Open browser to your controller
   https://unifi.ui.com
   # or local controller
   https://192.168.1.1:8443
   ```
2. Import Network Configuration
   - Navigate to Settings → Networks
   - Use the JSON configurations in `config/unifi/`
   - Create each network with specified VLAN IDs
3. Configure Firewall Rules
   - Navigate to Settings → Firewall & Security
   - Import rules from `config/firewall/rules.json`
   - Ensure rules are in correct order
4. Set Up WiFi Networks
   - Navigate to Settings → WiFi
   - Create SSIDs using `config/wifi/wireless-networks.json`
   - Assign VLANs to each SSID

### For EdgeRouter

1. SSH to EdgeRouter
   ```bash
   ssh admin@192.168.1.1
   ```
2. Run Configuration Script
   ```bash
   # Copy script to router
   scp config/edgerouter/setup.sh admin@192.168.1.1:/tmp/
   # SSH and run
   ssh admin@192.168.1.1
   chmod +x /tmp/setup.sh
   sudo /tmp/setup.sh
   ```
3. Review and Commit
   ```bash
   # Review configuration
   compare
   # Commit if satisfied
   commit
   save
   ```
## Configuration Files

### config/unifi/networks.json

Defines all three networks with their properties:
- IP addressing and DHCP ranges
- DNS servers
- VLAN assignments
- Guest policies and bandwidth limits

### config/firewall/rules.json

Contains all firewall rules for network isolation:
- Block rules for IoT → Private/Guest
- Block rules for Guest → Private/IoT
- Allow rules for Private → IoT management
- Client isolation for Guest network

### config/wifi/wireless-networks.json

Defines wireless networks:
- SSID names and passwords
- Security settings (WPA2/WPA3)
- VLAN assignments
- Radio settings and bandwidth limits

### config/edgerouter/setup.sh

Complete CLI configuration for EdgeRouter:
- VLAN interface creation
- DHCP server configuration
- Firewall rule implementation
- NAT configuration
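The isolation rules described above (Guest blocked from Private/IoT, IoT blocked from Private/Guest, Private allowed everywhere), expressed as the EdgeOS `set` commands an EdgeRouter would need. This is an added example, not the repository's `rules.json` or `setup.sh`; the subnets and VLAN IDs are the ones defined in this README, while the trunk interface name `eth1` and the ruleset names `GUEST_IN`/`IOT_IN` are assumptions.

```shell
#!/bin/sh
# Added example: print EdgeOS "set" commands that implement the traffic-flow matrix.
# Subnets and VLAN IDs come from this README; the trunk interface (eth1) and the
# ruleset names are assumptions. Private (VLAN 10) has full access and needs no drops.
TRUNK_IF="${TRUNK_IF:-eth1}"
PRIVATE_NET=192.168.10.0/24
GUEST_NET=192.168.20.0/24
IOT_NET=192.168.30.0/24

# emit_ruleset NAME VLAN DST... : one ingress ruleset for a VLAN.
# Drops come before the general allow (the default action), as the Troubleshooting
# section advises. The one exception is rule 10: accepting established/related
# traffic first lets replies to sessions opened from an allowed side (Private -> IoT)
# flow back instead of being dropped by the destination-based rules that follow.
emit_ruleset() {
  name=$1; vlan=$2; shift 2
  echo "set firewall name $name default-action accept"
  echo "set firewall name $name description 'VLAN $vlan ingress'"
  echo "set firewall name $name rule 10 action accept"
  echo "set firewall name $name rule 10 state established enable"
  echo "set firewall name $name rule 10 state related enable"
  n=20
  for dst in "$@"; do
    echo "set firewall name $name rule $n action drop"
    echo "set firewall name $name rule $n destination address $dst"
    echo "set firewall name $name rule $n protocol all"
    echo "set firewall name $name rule $n log enable"   # feeds the log review in Maintenance
    n=$((n + 10))
  done
  # Attach the ruleset to the VLAN sub-interface for traffic arriving from that VLAN.
  echo "set interfaces ethernet $TRUNK_IF vif $vlan firewall in name $name"
}

# gen_rules: Guest may reach neither Private nor IoT; IoT may reach neither Private nor Guest.
gen_rules() {
  emit_ruleset GUEST_IN 20 "$PRIVATE_NET" "$IOT_NET"
  emit_ruleset IOT_IN 30 "$PRIVATE_NET" "$GUEST_NET"
}

gen_rules
```

Guest client isolation (guest devices unable to see each other) is a wireless-side setting on the SSID and is not covered by these router rules.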
## Deployment

### Step 1: Back up the current configuration

UniFi:

```bash
# Download backup from Settings → System → Backup
```

EdgeRouter:

```bash
# SSH to router
ssh admin@192.168.1.1
show configuration commands > /tmp/backup-$(date +%Y%m%d).txt
```

### Step 2: Configure the physical network

1. Connect managed switch to router
   - Ensure switch port is configured as trunk (all VLANs)
   - Tag VLANs 10, 20, 30
2. Configure switch ports
   - Access points: Trunk mode with all VLANs
   - Wired devices: Access mode with appropriate VLAN

### Step 3: Apply the router configuration

Follow the Quick Start guide for your specific hardware.

### Step 4: Configure access points

UniFi:
- Access points automatically adopt network configuration
- Ensure all SSIDs are enabled on desired APs

Other APs:
- Configure SSID → VLAN mappings manually
- Enable WPA2/WPA3 as appropriate

### Step 5: Validate the configuration

```bash
# Run validation script
cd /path/to/nick-demo
chmod +x scripts/validate-config.sh
./scripts/validate-config.sh
```

See DEPLOYMENT.md for detailed deployment instructions.
## Testing & Validation

### Automated Validation

Run the validation script:

```bash
./scripts/validate-config.sh
```

### Manual Connectivity Tests

From Private Network (192.168.10.x):

```bash
# Should succeed
ping 192.168.30.100      # Access to IoT
ping 8.8.8.8             # Internet access
# Should succeed
ssh admin@192.168.10.1   # Router access
```

From Guest Network (192.168.20.x):

```bash
# Should FAIL
ping 192.168.10.1        # Blocked to Private
ping 192.168.30.1        # Blocked to IoT
ping 192.168.20.100      # Client isolation
# Should succeed
ping 8.8.8.8             # Internet access
```

From IoT Network (192.168.30.x):

```bash
# Should FAIL
ping 192.168.10.100      # Blocked to Private
ping 192.168.20.100      # Blocked to Guest
# Should succeed
ping 8.8.8.8             # Internet access
```

### DHCP Verification

Devices on each network should receive an address from that network's pool:

```
# Private: 192.168.10.10-250
# Guest:   192.168.20.10-250
# IoT:     192.168.30.10-250
```

### DNS Test

```bash
nslookup google.com
# Should resolve using configured DNS servers
```

## Troubleshooting

### Devices not getting IP addresses

Check:
- VLAN configuration on switch
- DHCP server is running
- Device is on correct SSID/port
Solution:

```bash
# UniFi: Check DHCP leases
Settings → Networks → [Network] → DHCP
# EdgeRouter: Check DHCP
show dhcp leases
show dhcp statistics
```

### No internet access

Check:
- NAT rules are configured
- Default route exists
- DNS is resolving
Solution:

```bash
# EdgeRouter
show nat rules
show ip route
show dns forwarding statistics
```

### Firewall rules not working

Check:
- Rule order (block before allow)
- Source/destination addresses
- Applied to correct interface
Solution:

```bash
# EdgeRouter
show firewall statistics
show firewall name [RULESET_NAME]
# UniFi
Check Settings → Firewall & Security → Traffic Rules
```

See TROUBLESHOOTING.md for detailed troubleshooting.
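The pass/fail expectations listed under Testing & Validation, turned into a script that runs them from a host on one segment and reports every mismatch, which is the quickest way to tell whether a firewall rule is misordered or applied to the wrong interface. This is an added example, not the repository's `validate-config.sh`; the target addresses are the README's own samples, and the probe command is kept in a variable so the logic can be exercised with a fake during testing.

```shell
#!/bin/sh
# Added example (not the repository's validate-config.sh): from a host on one
# segment, probe the targets listed under Testing & Validation and compare the
# outcome with the expected pass/fail. Target addresses are the README's samples;
# the probe is a variable so the logic can run against a fake during testing.

# ping_probe HOST: exit 0 when HOST answers. Override PROBE to substitute a fake.
ping_probe() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }
PROBE="${PROBE:-ping_probe}"

# expectations SEGMENT: one "host:pass|fail" item per line, mirroring the README.
expectations() {
  case $1 in
    private) printf '%s\n' 192.168.30.100:pass 8.8.8.8:pass ;;
    guest)   printf '%s\n' 192.168.10.1:fail 192.168.30.1:fail 192.168.20.100:fail 8.8.8.8:pass ;;
    iot)     printf '%s\n' 192.168.10.100:fail 192.168.20.100:fail 8.8.8.8:pass ;;
    *)       return 1 ;;
  esac
}

# segment_from_ip IPV4: map this host's address to its segment name.
segment_from_ip() {
  case $1 in
    192.168.10.*) echo private ;;
    192.168.20.*) echo guest ;;
    192.168.30.*) echo iot ;;
    *)            echo unknown ;;
  esac
}

# run_checks SEGMENT: probe every target; return the number of mismatches,
# so a leaky firewall (an expected-fail target that answers) yields non-zero.
run_checks() {
  seg=$1; bad=0
  for item in $(expectations "$seg"); do
    host=${item%%:*}; expect=${item##*:}
    if "$PROBE" "$host"; then got=pass; else got=fail; fi
    if [ "$got" = "$expect" ]; then
      echo "OK   $seg -> $host ($expect as expected)"
    else
      echo "FAIL $seg -> $host: expected $expect, got $got" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Usage: sh check-isolation.sh <this host's IPv4>
if [ -n "${1:-}" ]; then run_checks "$(segment_from_ip "$1")"; fi
```

A non-zero exit means at least one segment boundary is not behaving as the matrix requires; the FAIL lines name the target, so you can go straight to the corresponding ruleset.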
## Security Considerations

### Change Default Passwords

Replace every placeholder password in `config/wifi/wireless-networks.json` before deploying:

```json
"password": "CHANGE_ME_PRIVATE_PASSWORD"
"password": "CHANGE_ME_GUEST_PASSWORD"
"password": "CHANGE_ME_IOT_PASSWORD"
```

### Best Practices

- Use WPA3 for Private network when possible
- Regular firmware updates for router and APs
- Monitor firewall logs for suspicious activity
- Disable unused services (UPnP, WPS, etc.)
- Use strong admin passwords for router access
- Enable 2FA on UniFi account
- Regular security audits of connected devices
### IoT Security

- Review IoT device permissions regularly
- Update IoT device firmware
- Use separate credentials for each device
- Consider MAC filtering for critical devices
- Monitor IoT network traffic
See SECURITY.md for comprehensive security guidance.
## Maintenance

### Regular Tasks

Weekly:
- Review DHCP leases for unknown devices
- Check firewall logs for blocked attempts
Monthly:
- Update router firmware
- Update AP firmware
- Review and rotate WiFi passwords if needed
- Audit connected devices
Quarterly:
- Full security audit
- Review and update firewall rules
- Test disaster recovery procedures
- Document any configuration changes
### Backup

UniFi:

```
Settings → System → Backup → Download Backup
```

EdgeRouter:

```bash
show configuration commands > backup-$(date +%Y%m%d).txt
```

### Monitoring

Set up monitoring for:
- Unusual traffic patterns
- Failed authentication attempts
- DHCP pool exhaustion
- Bandwidth usage by network
## Additional Documentation

- DEPLOYMENT.md - Detailed deployment guide
- ARCHITECTURE.md - Architecture documentation
- TROUBLESHOOTING.md - Troubleshooting guide
- SECURITY.md - Security best practices
## Contributing

Improvements and suggestions are welcome! Please:
- Test changes thoroughly
- Update documentation
- Follow security best practices
## License

ISC License - See package.json
## Disclaimer

This configuration is provided as-is. Always test in a non-production environment first. The authors are not responsible for any network outages or security incidents resulting from use of this configuration.
## Support

For issues or questions:
- Check TROUBLESHOOTING.md
- Review Ubiquiti documentation
- Consult with network professional if needed
Version: 1.0.0
Last Updated: January 9, 2026
Tested With: UniFi Network v8.x, EdgeOS v2.0.9