This post will describe how to set up Wi-Fi VLAN subnets for your home network.

This is part 3 of a 3-step guide to protecting a home network using subnets, based on a pfSense firewall and VLANs.


With the first 2 parts done, the home network is already using pfSense and VLAN with multiple sub-networks. However, all wireless devices are still in one single sub-network.

This final setup will further extend the use of VLANs and pfSense to segregate the wireless devices into several subnets, each with its own SSID and VLAN ID.


This guide will split the subnet of wireless devices into 3 VLANs to isolate IoT and Guest devices:

  • VLAN 40 (SSID: Mobile): Your mobile devices
  • VLAN 42 (SSID: IoT): IoT devices
  • VLAN 44 (SSID: Guest): Guest devices

Ways to setup Wi-Fi subnets

Before diving right into the setup guide, let’s first go over a few different methods. Then we will demonstrate the setup with the first method, using the Unifi UAP AC Pro access point.

1. Router/WAP that supports multiple SSIDs and VLANs

This would be the best option for incorporating subnets into wireless networks. However, in the consumer market, there don’t seem to be many routers/WAPs that support multiple SSIDs and VLANs.

Unifi UAP AC Pro is one of the few that supports VLANs and is easy enough to set up. This guide will show you how to set up VLAN subnets using Unifi UAP AC Pro.

2. Multiple routers/WAPs

Create additional VLANs using the VLAN switch and connect one wireless access point (WAP) to each VLAN.

This is the simplest method. But this requires extra cost and hardware to manage unless you already have some old ones sitting around somewhere.

Another concern would be potential interference among these access points that you may have to deal with.

3. Use custom firmware for your Router/WAP

There are a couple of custom firmware projects that, if compatible with your router, you can flash to enable VLAN support.



DD-WRT is a free Linux-based firmware for wireless routers and access points, designed to unlock additional features that the official firmware does not support.

It supports many routers and you can check your router’s compatibility. Please also note that DD-WRT has specific builds for different routers, so make sure the correct build is used.

Check out the setup using DD-WRT on RT-AC3200.

Tomato by Shibby


Similar to DD-WRT, Tomato also supports multiple SSIDs/VLANs. And it’s actually easier to configure and enable multiple SSIDs/VLANs.

Check out the setup using Tomato on RT-N66U.

Wi-Fi VLAN setup using Unifi UAP AC Pro

Unifi UAP AC Pro is a great wireless access point. It’s easy to set up with multiple SSIDs and VLANs. The wireless signal/range is good and the connections are fast and reliable.

The only drawback is that the Unifi line of devices requires you to download their software (Unifi Controller) to configure the devices. You can’t configure the access point by directly connecting to it. You must use the software.

Well, it may be a drawback if you only have 1 Unifi device. But their idea is to enable you to manage all Unifi devices from a single controller, from your local machine or from the cloud. So if you are using many Unifi devices, it’s actually easier to manage them.

Install Unifi Controller

Note: Unifi Controller requires Java.


It will take a while for UniFi Controller to get started.

  • when the button Launch a Browser to Manage the Network becomes enabled, click on it.

UniFi setup wizard

  • select your country
  • select your timezone
  • click Next

Configure devices

At the moment, the UAP Pro is not connected. So there are no devices found. That’s ok.

  • click Next

Configure WiFi

  • enter ‘Mobile’ for Secure SSID
  • enter a good password for Security Key
  • click Next

Controller Access

Set up the login and password used to access the UniFi controller and devices.

  • enter all required information
  • click Next


  • click Finish to confirm the initial setup

Cloud Login Credentials

We don’t need to manage the devices from the cloud.

  • click SKIP

UniFi Dashboard


Setup Wireless Networks

  • select Settings > Wireless Networks

The first wireless network (SSID: Mobile) was already created during initial setup. Let’s attach a VLAN ID to the network.

  1. click Edit for wireless network Mobile
  2. enable Use VLAN
  3. enter 40 for VLAN ID
  4. click SAVE at the bottom

Create VLAN 42 & VLAN 44 Wireless Network

At the Wireless Networks settings screen, click CREATE NEW WIRELESS NETWORK

  1. enter ‘IoT’ for SSID
  2. select WPA Personal
  3. enter a good Security Key
  5. enable Use VLAN
  6. enter 42 for VLAN ID
  7. click SAVE

Repeat for VLAN 44 using SSID ‘Guest’.

With the 3 wireless networks created with their corresponding VLAN IDs, the Wireless Networks settings screen should list Mobile (VLAN 40), IoT (VLAN 42) and Guest (VLAN 44).

Disable connectivity monitor

The access point will monitor connectivity by default. But we don’t need it since we are not using wireless uplink (and it could cause performance drop).

  • select SETTINGS > Site
  • uncheck Enable connectivity monitor and wireless uplink

Adopting UAP Pro

By adopting the UAP Pro in the Unifi controller, the controller will push the settings to the access point and enable the access point to run with your configurations.

  • select DEVICES
  • set computer IP address manually to
  • connect computer directly to the UAP Pro
  • wait for a while and the UAP Pro should show up on the screen
  • click ADOPT
  • status changes from ‘Adopting’ to ‘Provisioning’ to ‘Connected’

The access point is now operational. You should now see the configured SSIDs show up on your mobile device as available networks (even though it’s not connected to the home network yet).

Configure pfSense and Netgear VLAN switch

Let’s now prepare pfSense and the Netgear VLAN switch with the additional VLANs before the access point joins the home network.

Add VLAN interfaces and rules at pfSense

Follow Steps 1 through 4 of Setup VLAN interfaces at pfSense firewall to add VLAN 42 and VLAN 44 to the pfSense firewall.

Add VLAN 42 and 44 to Netgear GS108Ev3 switch

  • login to the switch (would be if you followed the guide in Part 2)
  • go to VLAN > 802.1Q > Advanced > VLAN Configuration
  • enter 42 at VLAN ID field and click Add
  • enter 44 at VLAN ID field and click Add

Configure port 6 as a trunk port

IMPORTANT: changing port 6 to trunk port will temporarily disable the sub-network VLAN 40.

Port 6 was originally set up as VLAN 40 for an access point serving all mobile devices. If you have an access point connected to port 6 for wireless connections, it’s time to unplug the access point from port 6.

Set port 6 PVID to management VLAN 99

  • go to Port PVID
  • enable port 6’s checkbox
  • enter 99 in the PVID text box
  • click Apply

Convert port 6 to trunk port

  • go to VLAN Membership
  • select VLAN ID ‘40’
  • click on port 6 & port 8 until both show ‘T’ (tagged)
  • click Apply

Repeat for VLAN 42 and VLAN 44.

For VLAN 99, ports 6, 7 & 8 should all be untagged (show ‘U’).
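
The VLAN table that the steps above leave on the switch, modelled as an added example (not part of the original guide or of Netgear's software): it shows where a frame arriving from the access point on port 6 can go, and audits the table for inconsistencies. Port 8 as the uplink toward pfSense, PVID 99 on ports 7 and 8, and the dropping of frames tagged for a VLAN the ingress port is not a member of are assumptions.

```python
# Added example: a model of the GS108Ev3 802.1Q table this guide configures.
T, U = "tagged", "untagged"

# VLAN ID -> {port: membership}, as set on the VLAN Membership screen.
MEMBERSHIP = {
    40: {6: T, 8: T},
    42: {6: T, 8: T},
    44: {6: T, 8: T},
    99: {6: U, 7: U, 8: U},
}
# The guide sets PVID 99 on port 6; PVID 99 on ports 7 and 8 is an assumption.
PVID = {6: 99, 7: 99, 8: 99}
SSID_VLANS = {"Mobile": 40, "IoT": 42, "Guest": 44}
AP_PORT, UPLINK_PORT = 6, 8  # assumption: port 8 is the trunk toward pfSense


def classify(port, tag, membership=MEMBERSHIP, pvid=PVID):
    """VLAN an ingress frame lands in, or None if the port is not a member."""
    vid = tag if tag is not None else pvid.get(port)
    return vid if port in membership.get(vid, {}) else None


def egress(in_port, tag, membership=MEMBERSHIP, pvid=PVID):
    """Ports a flooded frame leaves on -> tag on the wire (None = untagged)."""
    vid = classify(in_port, tag, membership, pvid)
    if vid is None:
        return {}
    return {port: (vid if mode == T else None)
            for port, mode in membership[vid].items() if port != in_port}


def audit(membership=MEMBERSHIP, pvid=PVID):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    for ssid, vid in SSID_VLANS.items():
        for port in (AP_PORT, UPLINK_PORT):
            if membership.get(vid, {}).get(port) != T:
                findings.append(f"VLAN {vid} ({ssid}) not tagged on port {port}")
    for port, vid in pvid.items():
        if membership.get(vid, {}).get(port) != U:
            findings.append(f"port {port}: PVID {vid} but not untagged in it")
        extra = [v for v, m in membership.items() if m.get(port) == U and v != vid]
        if extra:
            findings.append(f"port {port}: also untagged in VLANs {extra}")
    return findings


if __name__ == "__main__":
    print("IoT frame from AP :", egress(6, 42))    # leaves only port 8, tagged 42
    print("untagged from AP  :", egress(6, None))  # VLAN 99, ports 7 and 8
    print("audit findings    :", audit() or "none")
```

Passing a modified copy of `MEMBERSHIP` to `audit()` shows what a leftover setting looks like, for example port 6 still untagged in VLAN 40 from its earlier access-port role.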

Connect UAP Pro to home network

Connect UAP Pro to port 6 of the Netgear VLAN switch and the wireless networks should be ready to use.

Configure your mobile devices to use their new SSIDs accordingly.

All set. Your home network is now properly segmented with multiple sub-networks for better protection!

This Post Has 14 Comments

  1. What did you use to make that network diagram with? That’s very nice.


  2. Great article, thanks! This has helped me along the way, for sure. I’m not at the point where I want to create WiFi VLANs but I think my router is coming up short. Before investing further, would putting my IoT devices on the Guest WiFi network have the same effect?

    1. Yeah, that would separate IoT devices from your main network. For added protection, some routers have Isolation mode where you can further disable communication between devices within Guest network.
      You may want to test and double-check that the guest Wi-Fi network is set up correctly so that devices in the guest network have no access to your main network. Some routers’ guest networks do not work when in AP mode.

      Cheers Alan

  3. Great how-to!! I have one question: I have a surveillance camera system, Blue Iris, which has several cameras using the same switch (48-port POE managed). The cameras cannot call out to the internet, but the Blue Iris server they connect to does through an unprotected open port when viewed by mobile device or web browser. Would this surveillance system be set up properly on a VLAN with IoT devices or should I create a separate VLAN for it?

    I also know I need to find a more secure way to remotely access the camera server but am not sure how yet. I currently use OpenVPN to RDP into that same machine (when away from home) but am unsure how to implement the same secure connection using the Blue Iris app for mobile access and remote management (without actually doing it through Remote Desktop).

    Thanks in advance,


    1. I think it’s a good idea to have a separate VLAN for your surveillance system. This would prevent any IoT devices (if compromised) from trying to tap into your Blue Iris server.

      It’s safer to use OpenVPN for viewing and remote management than opening a port directly to the Blue Iris server. Once your mobile device is connected to your home network through OpenVPN, you should be able to use a browser or configure the Blue Iris app to connect to the local IP address of the Blue Iris server.

  4. Great articles. I am running pfSense with similar having a Unifi Nano AP on a VLAN. I’ve been trying to figure out the safest way to allow a trusted laptop on VLAN 40 to connect through the Unifi AP and gain access to a backup server on Subnet 1? I understand how to use a remote access VPN from outside the home to access the home LAN, but not sure how to safely hop subnets while at home? Can OpenVPN be used to hop subnets? Thanks!

    1. Hi James,

      I did a test based on your scenario. I have an OpenVPN server on pfSense and my laptop connected through Wi-Fi.
      I can connect my laptop using OpenVPN to the pfSense OpenVPN server using the home public IP, just like I connect remotely from outside.

  5. Hi Alan,

    Do you use your ISP router wifi network for any purpose, or you just disable it in this case?

    1. I disable ISP router wifi but you can use it for guest network.

  6. Hey Alan,

    So this guide has been really helpful but I’m having trouble adapting the settings for my use. Basically I’m going to have 4 VLANs: Trusted devices (wired and wireless), IoT, Printer, Guest. I have a Netgear GS308E Managed Switch and a Unifi AC Pro and a Unifi AC Lite. How would I configure say ports 1-4 for the Trusted Devices, and ports 5-6 for the others?

    1. Hi Justin,
      you assign vlan # (for trusted devices) to port 1 – 4.
      for port 5 & 6, you can assign different vlan # to each port. 2 ports can only serve 2 VLANS so you need to choose 2 out of other 3 VLANS (IoT, Printer & Guest)


  7. Alan,
    Thank you for such a thorough and helpful guide. I have successfully implemented the configuration as shown. However I cannot print from my desktop on subnet 1, nor from my laptop on VLAN40. My printer is connected to VLAN20. Do you know how to enable printing from Subnet1 -> VLAN20 and from VLAN40 -> VLAN20? I have searched the internet and tried a few ideas, but none have worked. Thanks.

    1. Hi Brian,
      You need to create firewall rules at Subnet1 and VLAN40 to allow traffic to VLAN20.
      go to Firewall > Rules > Subnet1,
      add new rule: source: Subnet1 net, source port: *, destination: VLAN20 net, dest port: *
      do the same for VLAN 40.

      Also, there are a couple of things you want to check. Each VLAN has its own non-overlapping IP address range.
      – Make sure your printer’s IP address & gateway are set correctly for VLAN20.
      – Make sure the printer device set up on your computer is pointing to the correct IP address of your printer.

