How to configure VLANs for UniFi Access Points on a Hosted Controller

If you're using a UniFi setup with a hosted controller and want to keep your network clean, fast, and secure, VLANs (Virtual LANs) are a must. They let you split your traffic into different lanes, separating your guest users from your team, your IoT devices from your POS systems, and so on.

In this guide, we’ll break down exactly how to configure VLANs for UniFi access points (APs) using a hosted controller setup. No complex jargon, just a step-by-step explanation to help you get things running smoothly.

Let's dive in!

Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.

Why Use VLANs with UniFi?

Using VLANs in UniFi has some serious benefits:

  • Improved security: Keep guests from accessing sensitive internal devices.
  • Better network performance: Segment high-priority traffic like VoIP or security cameras.
  • Scalability: Makes it easier to grow and manage your network.

And if you’re running a hosted controller (like one from UniHosted), the best part is you don’t need to be on-prem to manage any of this.

What You’ll Need

Before diving in, here’s what you should already have:

  • At least one UniFi Access Point installed
  • A hosted UniFi Network Controller set up and accessible
  • A router/firewall that supports VLAN tagging (e.g., UniFi Security Gateway, UDM Pro, pfSense, MikroTik)
  • Managed switch (optional but recommended)

Now let’s get into the configuration.

Step 1: Understand VLAN IDs and How They Work

A VLAN ID is just a number (from 1 to 4094) that tags packets in your network. Think of it like assigning a color to each group of traffic.

For example:

  • VLAN 10 → Internal Office
  • VLAN 20 → Guest Wi-Fi
  • VLAN 30 → IoT devices
  • VLAN 40 → VoIP phones

These VLANs will only work if your router, switch, and APs all understand and forward the tags correctly.

Step 2: Create VLAN-Tagged Networks in UniFi

Go to your hosted UniFi controller:

  1. Log in to your hosted controller (e.g., https://yourdomain:8443)
  2. Go to Settings → Networks
  3. Click “Create New Network”
  4. Name it something like GuestNetwork_VLAN20
  5. Under Purpose, select Corporate
  6. Set the VLAN ID (e.g., 20)
  7. Assign a subnet and DHCP range (if your USG/UDM is doing DHCP)
  8. Save

Repeat this process for other VLANs you need (IoT, Admin, VoIP, etc.).

Step 3: Configure Wi-Fi SSIDs for Each VLAN

Now that VLANs are created in your controller, you can assign them to specific SSIDs.

Here’s how:

  1. Go to Settings → Wi-Fi
  2. Click “Create New Wi-Fi Network”
  3. SSID Name: GuestWiFi (or whatever fits)
  4. Security: Open or WPA2/WPA3 (if password-protected)
  5. Scroll down and click Advanced
  6. VLAN ID: Set it to 20 (or whatever you assigned earlier)

What you’re doing here is telling UniFi, “Traffic from this Wi-Fi network should be tagged with VLAN 20.”

Repeat this for other Wi-Fi networks:

  • OfficeWiFi → VLAN 10
  • SmartDevices → VLAN 30
  • VoIP_Network → VLAN 40

Step 4: Configure Your Router to Handle VLANs

If you're using a UniFi Dream Machine, UDM Pro, or USG, VLAN support is built-in.

Go to:

  • Settings → Routing & Firewall → VLANs
  • Add the same VLAN IDs (10, 20, 30, etc.) and define their subnets
  • Set DHCP if necessary

If you're using a third-party router (like pfSense or MikroTik), you’ll need to:

  • Create VLAN interfaces on your LAN port
  • Assign them to the appropriate interfaces
  • Set up DHCP servers for each
  • Add firewall rules to isolate or allow traffic

Step 5: Set Up VLANs on Your Switch

If your AP is connected to a managed switch, you’ll need to configure trunk and access ports.

Example:

  • Port to router: Trunk (All VLANs tagged)
  • Port to AP: Trunk (Untagged for VLAN 1 or native VLAN; tagged for 10, 20, etc.)
  • Port to IoT device: Access Port with VLAN 30 only

On UniFi Switches:

  1. Go to Devices
  2. Click on the switch
  3. Go to Ports
  4. Click the port connected to AP
  5. Set it as All or Custom with tagged VLANs and untagged native VLAN

Step 6: Confirm APs Are Receiving VLAN Tags

After saving, your AP should now be receiving tagged traffic from the SSIDs and passing it correctly to the switch or router.

To test:

  • Connect to GuestWiFi
  • Check IP address range (should match VLAN 20 subnet)
  • Ping other devices (should be blocked if VLAN isolation is working)
  • Run speed tests and observe DHCP lease assignments
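To see why a GuestWiFi client can fail these checks, the following added example (not part of the original guide or any UniFi tooling) models the Step 5 port roles and traces VLAN 20 frames from the AP through the switch to the router. The port names, the `Port` class, and the use of VLAN 1 as the untagged VLAN on the router uplink are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    """Simplified 802.1Q port profile: one untagged (native) VLAN plus a tagged set."""
    name: str
    native: Optional[int]
    tagged: frozenset = frozenset()

    def accepts(self, tag):
        """Ingress: VLAN a frame lands in (tag None = untagged), or None if dropped."""
        if tag is None:
            return self.native
        return tag if tag in self.tagged else None

    def emits(self, vlan):
        """Egress: 'untagged', 'tagged', or None when the VLAN may not leave here."""
        if vlan == self.native:
            return "untagged"
        return "tagged" if vlan in self.tagged else None


def trace(vlan, ap_port, uplink):
    """Follow an SSID's frames (tagged `vlan` by the AP) through the switch to the router."""
    if ap_port.accepts(vlan) is None:
        return f"dropped at {ap_port.name}"
    how = uplink.emits(vlan)
    if how is None:
        return f"dropped at {uplink.name}"
    if how == "untagged":
        return "reaches router untagged (lands on the native LAN, wrong subnet)"
    return "reaches router tagged"


ALL = frozenset({10, 20, 30, 40})
# Port roles follow the Step 5 example; port names are constructed.
GOOD_AP = Port("port 3 (AP)", native=1, tagged=ALL)
ACCESS_AP = Port("port 3 (AP)", native=1)  # AP port left as an access port
UPLINK = Port("port 1 (router)", native=1, tagged=ALL)
UPLINK_NO_20 = Port("port 1 (router)", native=1, tagged=frozenset({10, 30, 40}))
UPLINK_NATIVE_20 = Port("port 1 (router)", native=20, tagged=frozenset({10, 30, 40}))

if __name__ == "__main__":
    cases = ((GOOD_AP, UPLINK), (ACCESS_AP, UPLINK),
             (GOOD_AP, UPLINK_NO_20), (GOOD_AP, UPLINK_NATIVE_20))
    for ap, up in cases:
        print(f"{ap.name} -> {up.name}: VLAN 20 {trace(20, ap, up)}")
```

A "dropped" result corresponds to a client that never gets a lease; the "untagged" result corresponds to a client that gets an address from the wrong subnet.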

Step 7: Add Firewall Rules to Isolate VLANs

By default, VLANs may talk to each other unless you block them. Here’s how to isolate them:

  1. Go to Settings → Firewall & Security
  2. Add rules under LAN IN or Guest IN
  3. For example:
    • Deny traffic from VLAN20 to LAN (Internal subnet)
    • Allow VLAN30 (IoT) to reach VLAN10 (for MQTT or Home Assistant)

This ensures guests can’t access your printers or NAS, but your smart thermostat can still talk to your server.
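The effect of rule scope and order can be checked before touching the controller. This added example (not from the original guide, and not UniFi's own rule engine) uses a simplified first-match model with a default of accept, matching the statement above that VLANs can talk to each other unless blocked. The subnets, the MQTT server address, and the probe hosts are assumptions; port 1883 is the standard MQTT port.

```python
import ipaddress
from typing import NamedTuple, Optional

net = ipaddress.ip_network
# Assumed subnets and MQTT server address; the guide gives VLAN IDs only.
VLAN10, VLAN20, VLAN30 = net("10.0.10.0/24"), net("10.0.20.0/24"), net("10.0.30.0/24")
MQTT_SERVER = net("10.0.10.5/32")


class Rule(NamedTuple):
    action: str                  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # None matches any destination port


def decide(rules, src, dst, port, default="accept"):
    """Simplified first-match evaluation; unmatched traffic takes the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.port in (None, port):
            return r.action
    return default


# The two example rules from Step 7, taken literally.
AS_WRITTEN = [
    Rule("drop", VLAN20, VLAN10),
    Rule("accept", VLAN30, VLAN10),
]
# Same intent, narrowed: IoT reaches only the MQTT server, then an explicit drop.
NARROWED = [
    Rule("drop", VLAN20, VLAN10),
    Rule("accept", VLAN30, MQTT_SERVER, 1883),
    Rule("drop", VLAN30, VLAN10),
]

# Constructed probes: (label, source, destination, destination port)
PROBES = [
    ("guest -> NAS (SMB)", "10.0.20.50", "10.0.10.20", 445),
    ("IoT -> MQTT server", "10.0.30.7", "10.0.10.5", 1883),
    ("IoT -> NAS (SMB)", "10.0.30.7", "10.0.10.20", 445),
]


def audit(rules):
    """Return the decision for every probe under the given rule list."""
    return {label: decide(rules, s, d, p) for label, s, d, p in PROBES}


if __name__ == "__main__":
    for name, rules in (("as written", AS_WRITTEN), ("narrowed", NARROWED)):
        print(name, audit(rules))
```

With the broad allow rule, an IoT device can reach the NAS as well as the MQTT server; scoping the allow to one host and port and following it with a drop closes that path.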

Step 8: Monitor and Troubleshoot

Once configured, head to:

  • Clients → Filter by SSID or VLAN
  • Insights → See device history
  • Dashboard → Watch traffic per network

Tools like ping, traceroute, and even packet capture from UniFi’s support tools can help if something doesn’t work.

Common Issues and Fixes

| Problem | Likely Cause | Fix |
|---|---|---|
| Devices don’t get IP on VLAN | DHCP not configured on router for that VLAN | Add interface and DHCP settings |
| AP doesn’t pass VLAN traffic | Switch port misconfigured (access vs trunk) | Set port to trunk/tagged for VLANs |
| VLAN clients can see LAN | Missing firewall rule to block inter-VLAN access | Add deny rule in firewall |
| IoT devices can't reach internet | No DNS or NAT allowed for that VLAN | Add specific allow rules in firewall |

Real-World Use Case: Café Network Setup

SSID-to-VLAN Mapping:

| SSID | Use | VLAN ID |
|---|---|---|
| CaféGuest | Public Wi-Fi | 20 |
| CaféStaff | Staff Devices | 10 |
| POS_Terminal | POS Machines | 30 |
| SecurityCam | IP Cameras | 40 |

  • VLAN 20 is fully isolated
  • VLAN 30 can only reach payment gateway
  • VLAN 40 streams to NVR on VLAN 50

Controller is hosted with UniHosted, so the owner can make changes anytime, from anywhere—even from their phone.

Final Thoughts

VLANs are one of those things that sound complicated but really aren’t, especially with UniFi. Once you’ve set up a hosted controller and tagged your Wi-Fi networks with VLAN IDs, your network starts running smoother, safer, and smarter.

At UniHosted, we make this process even easier. We offer hosted UniFi controllers with preconfigured VLAN setups, remote management, and enterprise-grade support. Whether you’re running one AP or fifty across multiple sites, we’ve got your back.