How to Implement Network and Client Isolation
UniFi offers a range of features to achieve both network/VLAN and client device isolation. Understanding how these work and how to implement them can significantly strengthen your security posture.
Gateway Features
Network Isolation
Network Isolation is the easiest way to completely isolate one network/VLAN from all other networks/VLANs. It works by automatically creating the required Firewall Rules when you enable it.
To implement:
- Navigate to Settings > Networks
- Select the desired network
- Enable Isolate Network
Traffic & Firewall Rules
Traffic and Firewall rules provide a solution for isolation when more flexibility and control is required. Rather than completely isolating one network/VLAN from all others, they allow you to:
- Block a specific network/VLAN from a subset of other networks/VLANs.
- Block certain devices on a specific network/VLAN from a subset of networks/VLANs (or specific devices on those networks/VLANs).
- Limit isolation to specific ports or protocols.
For more information, read our article on Traffic and Firewall Rules.
Switch Features
Device Isolation (ACL)
Device isolation restricts communication between devices within the same network or VLAN and requires either a combination of a UniFi Gateway and UniFi Switch, or a network with a UniFi L3 switch set as the router. For more information on switch ACLs and supported switch models, click here.
To implement:
- Navigate to Settings > Networks
- Enable Device Isolation (ACL)
- Select the Network/VLAN to apply isolation to
More flexible configuration options can be found in Settings > Security > ACL Rules starting in UniFi Network version 8.2.
L3 Network Isolation (ACL)
Layer 3 Network Isolation accomplishes the same thing as Network Isolation, but allows customization of specific networks or VLANs. Layer 3 Network Isolation utilizes ACLs on the UniFi Switch and requires either a combination of a UniFi Gateway and UniFi Switch, or networks with a UniFi L3 switch set as the router. For more information on switch ACLs and supported switch models, click here.
To implement:
- Navigate to Settings > Networks
- Enable L3 Network Isolation (ACL)
More flexible configuration options can be found in Settings > Security > ACL Rules starting in UniFi Network version 8.2.
Port Isolation
Port Isolation blocks traffic between all ports on a given switch that have this setting enabled.
To implement:
- Navigate to Ports and select a port on the switch in question
- Enable Port Isolation
AP Features
Hotspot Portal
In addition to providing a captive portal for guest authentication, the Hotspot Portal offers network isolation at the access point level. By default, guests connected to your Hotspot Portal will be isolated from all other networks except the one they are assigned to. This can be modified by enabling Pre-Authorization Allowances. For more information, read our Hotspot Portal article.
This feature is particularly useful for UniFi deployments that exclusively utilize UniFi access points.
To implement:
- Navigate to Settings > WiFi and select a WiFi profile
- Enable Hotspot Portal
Client Device Isolation
Client device isolation, a setting within the WiFi configuration, prevents wireless clients on the same AP from communicating with each other. This is often used in tandem with switch ACLs to ensure complete client isolation.
To implement:
- Navigate to Settings > WiFi and select a WiFi profile
- Enable Client Device Isolation
Note: This may inhibit the functionality of AirPlay, Chromecast, Sonos devices, screen mirroring, and wireless printers.
How to Achieve Complete Isolation for Public Guest Networks
1. Navigate to Settings > Networks.
2. Select or create a network.
3. Enable Network Isolation to isolate this network/VLAN from all other networks/VLANs. If you want more customization, use Traffic & Firewall Rules instead.
4. Navigate to Settings > WiFi and select or create a WiFi.
5. Assign the network from step (2) to the WiFi.
6. (Optional) Enable Hotspot Portal if you want WiFi clients to authenticate through a captive portal. For more information, read our Hotspot Portal article.
7. Enable Client Device Isolation to prevent communication between clients connected to the same AP.
8. Enable Device Isolation (ACL) to complete client isolation at the switch level.
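The following added example (not UniFi's code) models why the procedure above needs all three settings: it evaluates which feature, if any, blocks each pair of a small constructed set of guest clients, so you can see the gaps left when only Network Isolation, or only Network Isolation plus Client Device Isolation, is enabled. Client names, VLAN names and AP names are constructed sample data.

```python
"""Which UniFi isolation feature blocks which guest traffic (added example, not UniFi code).

Semantics follow the article: Network Isolation blocks traffic between VLANs at the
gateway; Device Isolation (ACL) blocks same-VLAN traffic crossing the switch; Client
Device Isolation blocks wireless clients on the same AP, whose traffic never reaches
the switch. Client, VLAN and AP names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Client:
    name: str
    vlan: str
    ap: Optional[str] = None  # AP the client is associated to; None means wired

@dataclass(frozen=True)
class IsolationSettings:
    network_isolation: bool = False        # Settings > Networks > Isolate Network
    device_isolation_acl: bool = False     # Settings > Networks > Device Isolation (ACL)
    client_device_isolation: bool = False  # Settings > WiFi > Client Device Isolation

def blocked_by(src: Client, dst: Client, s: IsolationSettings) -> List[str]:
    """Enabled features that stop src talking to dst; an empty list means allowed."""
    if src.vlan != dst.vlan:
        # Inter-VLAN traffic is routed by the gateway, so only its rules apply.
        return ["Network Isolation"] if s.network_isolation else []
    if src.ap is not None and src.ap == dst.ap:
        # Bridged inside the AP; the switch ACL never sees this traffic.
        return ["Client Device Isolation"] if s.client_device_isolation else []
    return ["Device Isolation (ACL)"] if s.device_isolation_acl else []

def isolation_gaps(clients: List[Client], s: IsolationSettings) -> List[Tuple[str, str]]:
    """Ordered (src, dst) pairs that no enabled feature blocks."""
    return [(a.name, b.name) for a in clients for b in clients
            if a is not b and not blocked_by(a, b, s)]

# Constructed sample site: two guests on one AP, one on another AP, one wired guest,
# and a corporate PC on a separate VLAN.
CLIENTS = [
    Client("guest-laptop", "guest", ap="ap-lobby"),
    Client("guest-phone", "guest", ap="ap-lobby"),
    Client("guest-tablet", "guest", ap="ap-cafe"),
    Client("guest-kiosk", "guest"),
    Client("office-pc", "corp"),
]
NETWORK_ONLY = IsolationSettings(network_isolation=True)
NETWORK_AND_AP = IsolationSettings(network_isolation=True, client_device_isolation=True)
COMPLETE = IsolationSettings(network_isolation=True, device_isolation_acl=True,
                             client_device_isolation=True)
```

Running `isolation_gaps(CLIENTS, NETWORK_ONLY)` lists every guest-to-guest pair, `NETWORK_AND_AP` still leaves the cross-AP and wired guest pairs open, and `COMPLETE` returns no gaps.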