Unifi IOT Firewall Rules
To separate your IoT devices, it is advisable to create a firewall rule that blocks new and invalid traffic from the IoT VLAN to your default VLAN while permitting established and related (that is, returning) traffic. Devices on your default VLAN can still initiate connections to your IoT devices, but the IoT devices can only answer those connections, not open new ones toward your default VLAN.

Setting Up a VLAN for IoT Devices
From your UniFi dashboard, navigate to Settings > Networks and click on the New Virtual Network link. Use the following settings for your IoT VLAN:
IoT VLAN Settings

- Auto-Scale Network: Unchecked.
- Host Address: Set your preferred one (e.g., match the third octet to VLAN IDs for consistency).
- Advanced: Manual.
- Guest Network: Unchecked.
- Isolate Network: Unchecked.
- Allow Internet Access: Checked ✅.
- Content Filtering: None.
- IGMP Snooping: Unchecked.
- mDNS: Checked ✅.
- DHCP Server: Use predefined settings.

These settings will place IoT devices into their own LAN. For enhanced security, you can restrict traffic from IoT devices to the rest of your home LAN.
Traffic & Firewall Rule Setup
From the UniFi dashboard, go to Settings > Security > Traffic & Firewall Rules, and click on the Create Entry link.

Firewall Rule: IoT to LAN Established or Related
Rule Details
- Rule Type:
  - Type: LAN In.
  - Name: IoT to LAN Established or Related.
  - Action: Accept.
  - Protocol: All.
  - Before Predefined Rules: Yes.
- Source:
  - Source Type: Network.
  - Network: IoT.
  - Network Type: IPv4 Subnet.
  - MAC Address: Not specified.
- Destination:
  - Destination Type: Network.
  - Network: Home.
  - Network Type: IPv4 Subnet.
- Advanced Options:
  - Match State: Established, Related.
  - Match IPsec: Do not match.
  - Logging: Enabled.
The Match State option is crucial for this rule. Ensure “Established” and “Related” are selected so the rule only accepts packets that belong to a session already opened from the Home side (or one related to it, such as an ICMP error for that session). On its own, an Accept rule drops nothing: it must be followed by a rule that drops the remaining IoT-to-Home traffic, otherwise the predefined allow rules still let IoT devices open new connections to the Home network.
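To make the Match State semantics concrete, here is an added Python model of the LAN In chain above (example code, not UniFi's own). It assumes subnets for the IoT and Home VLANs and a companion drop rule for all other IoT-to-Home traffic, and tracks flows so that replies to Home-initiated connections count as Established.

```python
from dataclasses import dataclass, field
import ipaddress

# Assumed subnets for the two VLANs in the rule above (not from the page).
IOT = ipaddress.ip_network("192.168.20.0/24")
HOME = ipaddress.ip_network("192.168.10.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Firewall:
    """Minimal connection tracker: a flow counts as Established once a
    packet belonging to it has been accepted in either direction.
    (Related, e.g. ICMP errors tied to a flow, is not modelled here.)"""
    flows: set = field(default_factory=set)

    @staticmethod
    def flow_key(p: Packet):
        # Direction-agnostic key so a reply maps onto the original flow.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def state(self, p: Packet) -> str:
        return "established" if self.flow_key(p) in self.flows else "new"

    def lan_in(self, p: Packet) -> str:
        """Evaluate the LAN In chain for one packet and return the verdict."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src in IOT and dst in HOME:
            # Rule "IoT to LAN Established or Related": Accept on Match State.
            if self.state(p) == "established":
                verdict = "accept"
            else:
                # Assumed companion rule: drop any other IoT -> Home traffic.
                verdict = "drop"
        else:
            # Everything else (Home -> IoT, IoT -> Internet) reaches the
            # predefined allow rules in this model.
            verdict = "accept"
        if verdict == "accept":
            self.flows.add(self.flow_key(p))
        return verdict
```

Run the same packets through the model with the drop rule removed and the IoT-initiated connection is accepted, which is the behaviour the Match State rule alone cannot prevent.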

For a more detailed explanation of Match State, refer to Firewall Rule Match State Explained.
By following these steps, your IoT devices will have limited access to your home network, enhancing security while maintaining functionality.