
A VLAN plan you can paste into the controller.

Four contexts — home basic, home with AV, small business, commercial. Pick what you're building and the planner emits the article-recommended VLAN structure, the deny-by-default firewall rules, the per-VLAN mDNS / IGMP / STP settings, and the vendor-specific overrides for Sonos, Crestron, Lutron, Apple AirPlay, Matter, and UniFi Protect. Every default and warning cites the published article it came from.
Install context: 1 site · AV + cameras + IoT
5 segments · 10.250.x.x · 10.250.0.0/16 · 1,270 usable hosts
4 notes · plan is sound

1. Confirm the IGMP querier is active on AV / Cameras after paste-in

   IGMP snooping with no querier ages out membership tables — Sonos drops off, AirPlay disappears, surveillance multicast stutters. The export emits Querier = on; verify the setting persisted. Settings → Networks → [AV / Cameras] → IGMP Querier = enabled.

   cited: VLAN segmentation for a home network

2. Confirm all three guest-isolation layers are on in the controller

   Per Ubiquiti guest-WiFi best practice: Network Isolation (per-VLAN), Client Device Isolation (per-AP), and switch-level Device Isolation — three layers, not one. The export emits all three; verify they persisted. Settings → WiFi → Guest → Client Device Isolation = on; Settings → Networks → Guest → Network Isolation = on; switch port profile = Device Isolation.

   cited: VLAN segmentation for a home network

3. Paste the firewall rule set from the export — UniFi defaults to Allow

   UniFi default inter-VLAN posture is Allow, not Deny. The export ships the canonical deny-by-default rule set (Established/Related at top, asymmetric Trusted-initiated accepts, default Drop at bottom). Don't skip the firewall section of the export. Use the Copy UniFi text export and paste the Firewall & Security → Traffic Rules block in order.

   cited: Why your UniFi VLANs aren't doing what you think they are

4. Network 9.x: pick Pattern A or Pattern B per VLAN, never both

   In UniFi Network 9.x, Allow Traffic Rules no longer reliably supersede the global Block Inter-VLAN Routing toggle. The export uses Pattern B (toggle off, explicit rules) for Trusted/IoT/AV/Cameras and Pattern A (toggle on, no exceptions) for Guest. Leave Network Isolation OFF on every non-Guest VLAN; let the rules in the export do the work.

   cited: Why your UniFi VLANs aren't doing what you think they are
Plan parameters · 1 base + 5 segments · 10.250.x.x · 5 active

Base network: 10.250.0.0/16 with third-octet = VLAN ID lines up cleanly with the five-VLAN home structure (10/20/30/40/50) and stays out of the saturated 192.168.x space.
Main Network (default): VLAN 10. The only VLAN that can initiate connections into other VLANs. Stateful return traffic comes back via Established/Related.
Optional segments: Enable the segments that match the install. Each one becomes a VLAN with its own subnet, DHCP scope, and gateway.

Vendor profiles · placement, multicast, switching · 0 of 9 active

What's on this network? Toggle the AV / lighting / surveillance vendors present. Each profile mutates VLAN placement, multicast settings, and switch-port behaviour to match the vendor's published requirements.
VLAN plan · ready to paste into the controller · 5 segments

VLAN 10 · Main Network
Family devices — laptops, phones, TVs, the home-automation hub.
Subnet 10.250.10.0/24 · Gateway 10.250.10.1 · DHCP range 10.250.10.10 - 250 · Usable IPs 254

VLAN 20 · IoT
Cloud-mediated low-trust devices: Hue, Lutron Caséta, Aqara, Matter / Thread, smart appliances.
Subnet 10.250.20.0/24 · Gateway 10.250.20.1 · DHCP range 10.250.20.10 - 250 · Usable IPs 254

VLAN 30 · AV / Media
AV control processor, Sonos, intercoms, AV-over-IP, AppleTV when integrator-driven.
Subnet 10.250.30.0/24 · Gateway 10.250.30.1 · DHCP range 10.250.30.10 - 250 · Usable IPs 254

VLAN 40 · Cameras
UniFi Protect doorbell + outdoor cameras. Internet dropped by default.
Subnet 10.250.40.0/24 · Gateway 10.250.40.1 · DHCP range 10.250.40.10 - 250 · Usable IPs 254

VLAN 50 · Guest
Visitors and out-of-town family — internet-only with three-layer isolation.
Subnet 10.250.50.0/24 · Gateway 10.250.50.1 · DHCP range 10.250.50.10 - 250 · Usable IPs 254
Take it with you

plan · 10.250.x.x · 5 VLANs · 1,270 usable hosts · 14 fw rules · UniFi controller · Settings → Networks → New VLAN

Three principles produce the plan.

The planner is a thin projection of what we publish. Pick a context; the five-VLAN AV home chassis (or the right shape for your scope) drops out with deny-by-default firewall rules and vendor-aware multicast and switch settings. Every line of the export cites the article that justifies it.

01. Context drives the plan.

Four contexts — Home (basic), Home (with AV), Small business, and Commercial — each shipping a different role set, default subnet base, and recommended vendor toggles. The five-VLAN AV home (Trusted 10, IoT 20, AV 30, Cameras 40, Guest 50) is one click away, not three articles deep.

02. Vendors mutate the plan, not just the labels.

Toggle Sonos and the AV VLAN inherits STP-enabled, BPDU flooding on, and Client Device Isolation off on the SSID. Toggle Crestron DM NAX and the same VLAN gets DSCP CS7 / CS6 / EF plus the untagged-access-port reminder. Toggle Matter and the issues panel surfaces the IPv6 link-local requirement. Toggle Lutron with Sonos and the IGMP-snooping conflict surfaces — with a resolution.

03. Every default and warning cites its article.

The plan reads from a single article-backed spec. Every firewall rule, multicast setting, and warning carries a deep-link to the published article that justifies it — home-vlan-segmentation, unifi-vlan-mistakes, sonos-chromecast-airplay-unifi-vlans, unifi-default-home-subnet. The plan is a thin projection of what we publish.

Segmentation vocabulary, in one paragraph each.

Skip if you tag trunks for a living. Useful if a VLAN review is scheduled with someone who calls it “the network” and isn't sure which network.

VLAN
Virtual LAN. A logical segmentation of a single physical network into independent broadcast domains, each with its own subnet, firewall policy, and DHCP scope. Tagged at the switch port using 802.1Q.
mDNS proxy
Multicast DNS Proxy on the UniFi gateway. Bridges Bonjour / AirPlay / Chromecast / HomeKit discovery between selected VLANs without breaking the trust boundary. Must be enabled on both the client VLAN and the receiver VLAN — one-sided enablement produces silent discovery failures.
IGMP querier
An active multicast querier on a VLAN keeps the switch's IGMP-snooping membership tables fresh. Snooping without a querier is the single most common cause of Sonos dropping off the network after idle.
Inter-VLAN routing
Traffic between VLANs is routed by the gateway (or a Layer 3 switch). UniFi permits this by default; firewall rules govern what crosses. The article-backed posture is deny-by-default with asymmetric Trusted-initiated allows.
DHCP scope
The range of IPs the gateway hands out automatically inside a VLAN. The planner uses .10–.250 for user VLANs and .10–.100 for Management so room is left for static infrastructure.
Management VLAN
A dedicated VLAN for network infrastructure — UniFi controller, switches, APs, gateway. Default to VLAN 99. SMB and commercial contexts ship it enabled; home contexts can substitute a LAN LOCAL rule blocking 22 / 80 / 443 / 8443 from the non-Trusted VLANs.
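The base-network convention from the plan parameters (10.250.0.0/16, third octet = VLAN ID) and the DHCP scopes from the glossary, worked through in Python as an added example; this is not the planner's own code, and the function names and the duplicate-VLAN warning are this example's assumptions.

```python
"""Subnet derivation for the planner's '10.250.0.0/16, third octet = VLAN ID'
convention. Added example, not the planner's code; the .10-.250 / .10-.100
DHCP scopes, VLAN 99 for Management and the 192.168 warning follow the page."""
import ipaddress

BASE = "10.250.0.0/16"
SATURATED = ipaddress.ip_network("192.168.0.0/16")  # hotel Wi-Fi, VPNs, Site Magic
MANAGEMENT_VID = 99

def vlan_subnet(vid: int, base: str = BASE) -> dict:
    """/24 whose third octet is the VLAN ID, with gateway and DHCP scope."""
    net16 = ipaddress.ip_network(base)
    if net16.prefixlen != 16:
        raise ValueError("third-octet convention needs a /16 base")
    if not 1 <= vid <= 254:
        raise ValueError("VLAN ID must fit in the third octet (1-254)")
    net = ipaddress.ip_network((int(net16.network_address) + (vid << 8), 24))
    first = net.network_address
    # Management keeps .101-.254 free for statically addressed infrastructure.
    last = 100 if vid == MANAGEMENT_VID else 250
    return {
        "vlan": vid,
        "subnet": str(net),
        "gateway": str(first + 1),
        "dhcp_range": f"{first + 10} - {first + last}",
        "usable": net.num_addresses - 2,  # network and broadcast excluded
    }

def plan(vids, base: str = BASE) -> dict:
    """Derive every segment plus the warnings the planner would surface."""
    segments = [vlan_subnet(v, base) for v in vids]
    warnings = []
    if ipaddress.ip_network(base).overlaps(SATURATED):
        warnings.append("base is in 192.168.x: expect VPN / hotel / Site Magic collisions")
    if len(set(vids)) != len(vids):
        warnings.append("duplicate VLAN IDs produce overlapping subnets")
    return {
        "segments": segments,
        "usable_total": sum(s["usable"] for s in segments),
        "warnings": warnings,
    }

if __name__ == "__main__":
    result = plan([10, 20, 30, 40, 50])
    for s in result["segments"]:
        print(f"VLAN {s['vlan']:<3} {s['subnet']:<16} gw {s['gateway']:<13} DHCP {s['dhcp_range']}")
    print("usable hosts:", result["usable_total"], "warnings:", result["warnings"])
```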

Four mistakes that turn segmentation into a label.

Not exotic — the four VLAN problems that account for nearly every “why can't the Sonos app see the speakers?” ticket. Each is cheaper to catch on paper than after the deployment is live.

SONOS-ON-IOT · Putting Sonos on the IoT VLAN.

Sonos's own networking documentation states it verbatim: “Devices on separate VLANs will not be able to connect to Sonos products.” Speakers, the Sonos app on the phone, and any device controlling playback must share one VLAN. Our default places Sonos on AV / Media alongside the controllers; the planner's issues panel flags a “Sonos selected but AV / Media off” conflict the moment it happens.

DEFAULT-SUBNET · Leaving the network on 192.168.1.0/24.

Hotel Wi-Fi, corporate VPN, UniFi Site Magic — all collide with the saturated 192.168.x space. Five minutes to renumber on day one; a half day after bindings accumulate. The planner defaults to 10.250.0.0/16 with third-octet = VLAN ID, and warns the moment 192.168.x is selected.

NO-FW-RULES · Tagging VLANs without firewall rules.

UniFi's default inter-VLAN posture is allow, not deny. Aesthetic segmentation is a flat LAN with extra labels. The plan exports the deny-by-default rule set: Established / Related at the top, asymmetric Trusted-initiated accepts, explicit drops, default deny at the bottom of LAN IN, plus the LAN LOCAL block from non-Trusted VLANs to gateway management ports.

MDNS-OFF · Forgetting the mDNS proxy on the discovery side.

Add a VLAN and AirPlay, Chromecast, HomeKit, and Sonos discovery break the same day — multicast DNS is link-local by design (RFC 6762 TTL = 255). The UniFi Multicast DNS Proxy bridges the discovery layer across VLANs, but it must be enabled on both the client VLAN and the receiver VLAN. The planner emits both sides as on by default and surfaces the reminder in the issues panel when AirPlay / Chromecast / Sonos is selected.

FAQ

Common questions about VLAN segmentation.

Phrasing varies; most questions fall into one of these categories. If your scenario doesn't fit, that's the point at which it makes sense to talk to an engineer.

What VLAN structure does the planner emit?
Five article-backed roles for the residential AV default: Trusted (VID 10), IoT (20), AV / Media (30), Cameras (40), Guest (50). The basic home context drops AV and Cameras; SMB and commercial add Management (99). The structure comes from our VLAN segmentation for a home network article.
Why does the planner default to 10.250 instead of 192.168?
The 192.168.x range is the most-collided /16 on the planet — every consumer router ships there. The default collides with hotel Wi-Fi, corporate VPNs, and UniFi Site Magic. Our default is 10.250.0.0/16 with third-octet = VLAN ID, the convention from our Why your UniFi LAN shouldn't be 192.168.1.0/24 article.
Does the export include firewall rules?
Yes. The Copy UniFi text export is organised by controller screen — Settings → Networks for each VLAN, Settings → Firewall & Security → Traffic Rules for the rule list. The rule order is Established / Related at the top, explicit Trusted-initiated accepts in the middle, drops + default deny at the bottom, plus the LAN LOCAL block from non-Trusted VLANs to gateway management ports (22 / 80 / 443 / 8443).
How does the planner handle Sonos, Crestron, Lutron, Apple, Matter?
Each vendor has a profile that mutates the per-VLAN switch and multicast settings. Toggling Sonos enables STP and BPDU flooding on AV / Media and surfaces the BPDU-Guard-off reminder. Toggling Crestron DM NAX surfaces the untagged-access-port requirement plus DSCP marking. Toggling Lutron flips IGMP snooping off on AV. Toggling Apple AirPlay enables the mDNS proxy on both Trusted and AV. Toggling Matter surfaces the IPv6 link-local routing requirement. Lutron + Sonos or Lutron + Crestron surfaces as a vendor conflict in the issues panel with a fix.
Why does Sonos go on the AV VLAN, not IoT?
Sonos's own networking documentation states it verbatim: “Sonos products must be on the same VLAN as all devices running the Sonos app. Devices on separate VLANs will not be able to connect to Sonos products.” The AV VLAN holds the controllers, so Sonos lives there by default — not on IoT alongside the cloud-mediated low-trust devices. See our Sonos, AirPlay, and Chromecast across VLANs on UniFi article.
What does deny-by-default look like in the export?
LAN IN starts with Accept Established/Related — any → any (the baseline that makes everything else work). Then explicit Accept rules from Trusted into IoT, AV, and Cameras, plus AV → IoT for lighting integrations. Then explicit Drop rules for Guest → any internal and IoT → Trusted / AV. A default deny at the bottom catches everything else. LAN LOCAL blocks the management ports from non-Trusted VLANs. The exact rule order matches the four-VLAN home layout in our UniFi VLAN mistakes article.
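The LAN IN ordering just described, as an added first-match model in Python (not the planner's export and not UniFi code): the rule tuples, the `Flow` type and the `only_trusted_initiates` check are this example's own constructs, and the stateful matching is deliberately simplified to one flag.

```python
"""First-match model of the LAN IN rule order the planner exports.
Added example, not the planner's export or UniFi code. VLAN names and the
rule order follow the page; the stateful matching is a simplified model."""
from dataclasses import dataclass

INTERNAL = {"Trusted", "IoT", "AV", "Cameras", "Guest"}

@dataclass(frozen=True)
class Flow:
    src: str            # VLAN the first packet arrives from
    dst: str            # VLAN it is routed to
    established: bool   # True for reply traffic of an already-accepted flow

# (action, source VLANs, destination VLANs, matches established traffic only)
PLANNER_LAN_IN = [
    ("accept", INTERNAL, INTERNAL, True),                      # Established/Related
    ("accept", {"Trusted"}, {"IoT", "AV", "Cameras"}, False),  # Trusted-initiated
    ("accept", {"AV"}, {"IoT"}, False),                        # lighting integrations
    ("drop", {"Guest"}, INTERNAL, False),                      # Guest -> any internal
    ("drop", {"IoT"}, {"Trusted", "AV"}, False),               # IoT may not reach in
    ("drop", INTERNAL, INTERNAL, False),                       # default deny
]

# UniFi's stock inter-VLAN posture as the page describes it: everything allowed.
UNIFI_STOCK_LAN_IN = [("accept", INTERNAL, INTERNAL, False)]

def decide(flow: Flow, rules=PLANNER_LAN_IN) -> str:
    """Walk the rule list top to bottom; the first matching rule decides."""
    for action, srcs, dsts, established_only in rules:
        if flow.src not in srcs or flow.dst not in dsts:
            continue
        if established_only and not flow.established:
            continue
        return action
    return "drop"  # nothing matched: treat as an implicit default deny

def only_trusted_initiates(rules) -> bool:
    """The asymmetry the page describes: no non-Trusted VLAN can open a new
    connection into another VLAN, except the explicit AV -> IoT allow."""
    for src in INTERNAL - {"Trusted"}:
        for dst in INTERNAL - {src}:
            if (src, dst) != ("AV", "IoT") and decide(Flow(src, dst, False), rules) != "drop":
                return False
    return True

if __name__ == "__main__":
    for f in (Flow("Trusted", "IoT", False), Flow("IoT", "Trusted", False),
              Flow("IoT", "Trusted", True), Flow("Guest", "Trusted", False)):
        print(f"{f.src:>8} -> {f.dst:<8} established={f.established!s:<5} {decide(f)}")
    print("asymmetric? planner:", only_trusted_initiates(PLANNER_LAN_IN),
          "stock UniFi:", only_trusted_initiates(UNIFI_STOCK_LAN_IN))
```

Run it against the stock posture and IoT opening a connection into Trusted is accepted, which is the "flat LAN with extra labels" the page warns about.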
Does the planner handle IPv6?
IPv4 today. Matter accessories require IPv6 link-local routing between the Matter hub VLAN and the accessory VLAN — the planner surfaces the requirement in the issues panel when Matter is toggled on, but the routing toggle is in the UniFi controller, not the calculator. Full dual-stack planning is a real engagement.
Where do the recommendations come from?
Every default and warning in the planner cites the article it came from — and the export carries the citation. Four sources: home-vlan-segmentation, unifi-vlan-mistakes, sonos-chromecast-airplay-unifi-vlans, and unifi-default-home-subnet.

Want this turned into a real segmentation engagement?

We'll do the network discovery, draft a segmentation plan against the existing fleet, write the firewall and multicast configuration, and stage the cutover so the user-facing impact is a few minutes overnight rather than a week of broken access, leaving you an as-built diagram you can maintain from.