Implementing Network and Client Isolation in UniFi
Once devices are assigned to VLANs, UniFi provides multiple tools to control and enforce separation across and within gateways, switches, and APs. While these tools share a common goal—isolating traffic—they operate at different layers and serve distinct purposes.
Gateway Segmentation
Zone-Based Firewall (ZBF)
Zone-Based Firewalls are available on UniFi Gateways and Cloud Gateways. They enforce policies by defining traffic rules between different network zones, such as VLANs, WANs, and VPNs. ZBF controls how VLANs communicate across the network, making it the most flexible option for inter-VLAN control, especially when VPN traffic needs segmentation. Learn more about Zone-Based Firewalls here.
Network Isolation
For those looking for a simplified, one-click solution, UniFi offers Network Isolation, which automatically configures the necessary firewall rules to block inter-VLAN traffic. To enable:
- Navigate to Settings > Networks.
- Select the desired network or VLAN.
- Enable Network Isolation.
This is the most common way to restrict traffic between VLANs with minimal setup.
Switch Segmentation: Access Control Lists (ACLs)
ACLs provide another layer of segmentation, operating at the switch level. While ZBF governs traffic between VLANs at the gateway, ACLs control traffic passing through a switch within or between VLANs. Unlike ZBF, which applies security rules at the network routing level, ACLs are more lightweight and directly enforce security policies at the switch level.
ACLs can be used for two key types of isolation:
- L3 Network Isolation: Blocks traffic between different VLANs, preventing inter-network communication without using a firewall.
- Client Device Isolation: Restricts communication between devices even within the same VLAN, ensuring devices remain isolated on the same network.
To configure Client Device Isolation via ACLs:
- Navigate to Settings > Networks.
- Enable Device Isolation (ACL) for the appropriate network/VLAN.
- Select the Network/VLAN to apply isolation to.
ACLs are ideal for restricting inter-VLAN communication or isolating individual devices without relying on a gateway. Learn more about ACLs here.
AP Segmentation: Client Isolation
Unlike ZBF and L3 ACLs, which regulate VLAN-to-VLAN traffic, Client Isolation blocks communication between wireless clients on a single Access Point—even on the same VLAN—making it ideal for guest networks and IoT security. This feature complements ACLs by ensuring that even within a VLAN, devices remain isolated from one another.
To enable Client Isolation:
- Navigate to Settings > WiFi.
- Select the WiFi associated with your network.
- Enable Client Device Isolation.
Learn more about Client Isolation here.
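The three controls above each cover a different set of flows: Network Isolation/ZBF blocks inter-VLAN traffic at the gateway, the ACL Device Isolation setting blocks same-VLAN traffic at the switch, and Client Isolation only blocks wireless clients that share an AP. The following model is an added example (not UniFi's own code or API) that walks a set of constructed clients through those three enforcement points in order and reports which layer, if any, stops each flow; the client names, VLAN IDs and AP/SSID names are invented for illustration.

```python
from dataclasses import dataclass, field
from itertools import permutations
from typing import Optional

@dataclass(frozen=True)
class Client:
    name: str
    vlan: int
    ap: Optional[str] = None    # AP a wireless client is associated to; None for wired
    ssid: Optional[str] = None  # WiFi network the wireless client joined

@dataclass
class IsolationPolicy:
    network_isolation: set = field(default_factory=set)    # VLANs with gateway Network Isolation
    acl_device_isolation: set = field(default_factory=set) # VLANs with switch Device Isolation (ACL)
    ap_client_isolation: set = field(default_factory=set)  # SSIDs with AP Client Device Isolation

def enforcement_point(src: Client, dst: Client, p: IsolationPolicy) -> Optional[str]:
    """Return the first layer that blocks src -> dst, or None if the flow is allowed."""
    # AP Client Isolation: only wireless clients on the same AP and SSID are affected
    # (assumption: it does not reach clients on other APs or wired ports).
    if src.ap and src.ap == dst.ap and src.ssid == dst.ssid and src.ssid in p.ap_client_isolation:
        return "ap"
    # Switch ACL Device Isolation: same VLAN, wired or wireless, any AP.
    if src.vlan == dst.vlan and src.vlan in p.acl_device_isolation:
        return "switch-acl"
    # Gateway Network Isolation: inter-VLAN traffic when either side is isolated.
    if src.vlan != dst.vlan and {src.vlan, dst.vlan} & p.network_isolation:
        return "gateway"
    return None

def reachable_pairs(clients, policy):
    """All ordered (src, dst) pairs that no enforcement point blocks."""
    return sorted((a.name, b.name) for a, b in permutations(clients, 2)
                  if enforcement_point(a, b, policy) is None)

# Constructed sample: an IoT VLAN 30 with two wired cameras and two wireless devices
# on the same AP, plus a wired laptop on VLAN 10.
CLIENTS = [
    Client("cam1", vlan=30), Client("cam2", vlan=30),
    Client("phone", vlan=30, ap="ap-lobby", ssid="IoT"),
    Client("tablet", vlan=30, ap="ap-lobby", ssid="IoT"),
    Client("laptop", vlan=10),
]
WIFI_ONLY = IsolationPolicy(network_isolation={30}, ap_client_isolation={"IoT"})
FULL = IsolationPolicy(network_isolation={30}, acl_device_isolation={30}, ap_client_isolation={"IoT"})

if __name__ == "__main__":
    print("WiFi isolation only, still reachable:", reachable_pairs(CLIENTS, WIFI_ONLY))
    print("ACL isolation added, still reachable:", reachable_pairs(CLIENTS, FULL))
```

With only Client Isolation enabled, the wireless phone still reaches the wired cameras on the same VLAN; adding ACL Device Isolation on VLAN 30 closes that path.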
Best Practices for Public Guest WiFi
These segmentation tools are critical for securing guest networks, preventing unauthorized device-to-device communication, and ensuring user privacy. For a step-by-step guide to implementing these techniques in public guest WiFi, see our Guest WiFi Best Practices.
Additional Traffic Management Tools
Beyond network segmentation, UniFi also provides application-layer controls such as:
- Traffic restrictions to block specific apps or services.
- QoS (Quality of Service) to prioritize bandwidth for critical devices.
- Policy-Based Routing to direct traffic flows based on custom rules.
For more information on these advanced traffic management tools, click here.