deploy: f6853a1cc4
@@ -1,7 +1,7 @@
<!doctype html><html lang=en><head><title>UniFi VLAN Migration to Zone-Based Architecture · Eric X. Liu's Personal Page</title><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=color-scheme content="light dark"><meta name=author content="Eric X. Liu"><meta name=description content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta name=keywords content="software engineer,performance engineering,Google engineer,tech blog,software development,performance optimization,Eric Liu,engineering blog,mountain biking,Jeep enthusiast,overlanding,camping,outdoor adventures"><meta name=twitter:card content="summary"><meta name=twitter:title content="UniFi VLAN Migration to Zone-Based Architecture"><meta name=twitter:description content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta property="og:url" content="/posts/unifi-vlan-migration-to-zone-based-architecture/"><meta property="og:site_name" content="Eric X. Liu's Personal Page"><meta property="og:title" content="UniFi VLAN Migration to Zone-Based Architecture"><meta property="og:description" content="Embarking on a network migration to a properly segmented VLAN architecture is a rite of passage for any serious home lab or small business operator. The goal is clear: improve security and organization by separating traffic. However, the path from a flat network to a segmented one is often paved with subtle but critical configuration details that can lead to hours of frustrating troubleshooting.
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta property="og:locale" content="en"><meta property="og:type" content="article"><meta property="article:section" content="posts"><meta property="article:published_time" content="2025-09-22T00:00:00+00:00"><meta property="article:modified_time" content="2025-09-22T07:27:14+00:00"><link rel=canonical href=/posts/unifi-vlan-migration-to-zone-based-architecture/><link rel=preload href=/fonts/fa-brands-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-regular-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-solid-900.woff2 as=font type=font/woff2 crossorigin><link rel=stylesheet href=/css/coder.min.c8e4eea149ae1dc7c61ba9b0781793711a4e657f7e07a4413f9abc46d52dffc4.css integrity="sha256-yOTuoUmuHcfGG6mweBeTcRpOZX9+B6RBP5q8RtUt/8Q=" crossorigin=anonymous media=screen><link rel=stylesheet href=/css/coder-dark.min.a00e6364bacbc8266ad1cc81230774a1397198f8cfb7bcba29b7d6fcb54ce57f.css integrity="sha256-oA5jZLrLyCZq0cyBIwd0oTlxmPjPt7y6KbfW/LVM5X8=" crossorigin=anonymous media=screen><link rel=icon type=image/svg+xml href=/images/favicon.svg sizes=any><link rel=icon type=image/png href=/images/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/images/favicon-16x16.png sizes=16x16><link rel=apple-touch-icon href=/images/apple-touch-icon.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link rel=manifest href=/site.webmanifest><link rel=mask-icon href=/images/safari-pinned-tab.svg color=#5bbad5></head><body class="preload-transitions colorscheme-auto"><div class=float-container><a id=dark-mode-toggle class=colorscheme-toggle><i class="fa-solid fa-adjust fa-fw" aria-hidden=true></i></a></div><main class=wrapper><nav 
class=navigation><section class=container><a class=navigation-title href=/>Eric X. Liu's Personal Page
This article documents that journey. It details the pitfalls encountered, the core networking concepts that were essential to understand, and the best practices that ultimately led to a stable, secure, and logical network design built on a zone-based firewall model."><meta property="og:locale" content="en"><meta property="og:type" content="article"><meta property="article:section" content="posts"><meta property="article:published_time" content="2025-09-22T00:00:00+00:00"><meta property="article:modified_time" content="2025-09-22T07:31:20+00:00"><link rel=canonical href=/posts/unifi-vlan-migration-to-zone-based-architecture/><link rel=preload href=/fonts/fa-brands-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-regular-400.woff2 as=font type=font/woff2 crossorigin><link rel=preload href=/fonts/fa-solid-900.woff2 as=font type=font/woff2 crossorigin><link rel=stylesheet href=/css/coder.min.c8e4eea149ae1dc7c61ba9b0781793711a4e657f7e07a4413f9abc46d52dffc4.css integrity="sha256-yOTuoUmuHcfGG6mweBeTcRpOZX9+B6RBP5q8RtUt/8Q=" crossorigin=anonymous media=screen><link rel=stylesheet href=/css/coder-dark.min.a00e6364bacbc8266ad1cc81230774a1397198f8cfb7bcba29b7d6fcb54ce57f.css integrity="sha256-oA5jZLrLyCZq0cyBIwd0oTlxmPjPt7y6KbfW/LVM5X8=" crossorigin=anonymous media=screen><link rel=icon type=image/svg+xml href=/images/favicon.svg sizes=any><link rel=icon type=image/png href=/images/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/images/favicon-16x16.png sizes=16x16><link rel=apple-touch-icon href=/images/apple-touch-icon.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link rel=manifest href=/site.webmanifest><link rel=mask-icon href=/images/safari-pinned-tab.svg color=#5bbad5></head><body class="preload-transitions colorscheme-auto"><div class=float-container><a id=dark-mode-toggle class=colorscheme-toggle><i class="fa-solid fa-adjust fa-fw" aria-hidden=true></i></a></div><main class=wrapper><nav 
class=navigation><section class=container><a class=navigation-title href=/>Eric X. Liu's Personal Page
</a><input type=checkbox id=menu-toggle>
<label class="menu-button float-right" for=menu-toggle><i class="fa-solid fa-bars fa-fw" aria-hidden=true></i></label><ul class=navigation-list><li class=navigation-item><a class=navigation-link href=/posts/>Posts</a></li><li class=navigation-item><a class=navigation-link href=https://chat.ericxliu.me>Chat</a></li><li class=navigation-item><a class=navigation-link href=https://git.ericxliu.me/user/oauth2/Authenitk>Git</a></li><li class=navigation-item><a class=navigation-link href=https://coder.ericxliu.me/api/v2/users/oidc/callback>Coder</a></li><li class=navigation-item><a class=navigation-link href=/>|</a></li><li class=navigation-item><a class=navigation-link href=https://sso.ericxliu.me>Sign in</a></li></ul></section></nav><div class=content><section class="container post"><article><header><div class=post-title><h1 class=title><a class=title-link href=/posts/unifi-vlan-migration-to-zone-based-architecture/>UniFi VLAN Migration to Zone-Based Architecture</a></h1></div><div class=post-meta><div class=date><span class=posted-on><i class="fa-solid fa-calendar" aria-hidden=true></i>
<time datetime=2025-09-22T00:00:00Z>September 22, 2025
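Review bot: The only change in this hunk is the `article:modified_time` bump from 07:27:14 to 07:31:20, which is expected for a deploy, but two targets in the unchanged navigation context deserve a follow-up: the Git link href `https://git.ericxliu.me/user/oauth2/Authenitk` looks like a misspelling of `Authentik`, and the Coder link points at the OIDC callback path `https://coder.ericxliu.me/api/v2/users/oidc/callback` rather than the application root, so a visitor clicking it lands on an endpoint that expects a provider redirect instead of starting a login; consider linking to `https://coder.ericxliu.me/` and letting the app initiate the flow.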
@@ -16,9 +16,11 @@ This article documents that journey. It details the pitfalls encountered, the co
<a class=heading-link href=#the-final-architecture-a-zone-based-firewall-model><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h3><p>The culmination of these lessons is a network architecture defined by clear, logical zones, each with a distinct purpose and trust level. This model simplifies firewall management and provides a robust security posture that is easy to understand at a glance.</p><h4 id=network-zones-and-their-roles>Network Zones and Their Roles
<a class=heading-link href=#network-zones-and-their-roles><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>The final configuration groups the individual VLANs into distinct zones, forming the foundation of the security policy.</p><ul><li><strong>Internal:</strong> Contains the <code>corp</code> network. This is the most trusted zone for daily work.</li><li><strong>DMZ:</strong> Contains the <code>dns</code> and <code>prod</code> networks for semi-trusted, exposed services.</li><li><strong>IoT:</strong> Contains the <code>iot</code> network. This is a low-trust zone for smart devices.</li><li><strong>Management:</strong> Contains the <code>management</code> network. This is a highly privileged, isolated zone for network infrastructure.</li></ul><h4 id=the-security-policy-matrix>The Security Policy Matrix
<span class=sr-only>Link to heading</span></a></h4><p>The final configuration groups the individual VLANs into distinct zones, forming the foundation of the security policy.</p><ul><li><strong>Internal:</strong> Contains the <code>corp</code> network. This is the most trusted zone for daily work.</li><li><strong>DMZ:</strong> Contains the <code>dns</code> and <code>prod</code> networks for semi-trusted, exposed services.</li><li><strong>IoT:</strong> Contains the <code>iot</code> network. This is a low-trust zone for smart devices.</li><li><strong>Management:</strong> Contains the <code>management</code> network. This is a highly privileged, isolated zone for network infrastructure.
<img src="http://localhost:4998/attachments/image-167d5cef9e79e622fff779f3671492a8a5a343ea.png?client=default&bucket=obsidian" alt="S3 File"></li></ul><h4 id=the-security-policy-matrix>The Security Policy Matrix
<a class=heading-link href=#the-security-policy-matrix><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>The true power of this model is realized in the firewall’s zone matrix, which dictates the default traffic flow between each zone.</p><p>This matrix enforces the desired security policy with clear, high-level rules:</p><ul><li><strong>Complete IoT Isolation:</strong> The <code>IoT</code> row shows that devices in this zone are blocked from initiating any communication with any other internal zone. Their only allowed path is out to the internet.</li><li><strong>Protected Management Plane:</strong> The <code>management</code> row and column are almost entirely red. The critical network infrastructure is blocked from initiating contact with any user-facing zone, and vice-versa, following the principle of least privilege.</li><li><strong>Controlled DMZ Access:</strong> The <code>DMZ</code> is prevented from initiating connections to the trusted <code>Internal</code> zone, preventing a compromised public-facing server from being used as a pivot point to attack internal devices.</li></ul><h4 id=granular-intra-zone-control>Granular Intra-Zone Control
<span class=sr-only>Link to heading</span></a></h4><p>The true power of this model is realized in the firewall’s zone matrix, which dictates the default traffic flow between each zone.
<img src="http://localhost:4998/attachments/image-4b9dbea5f7ceb0446d517305bc281b74e7f22ffc.png?client=default&bucket=obsidian" alt="S3 File"></p><p>This matrix enforces the desired security policy with clear, high-level rules:</p><ul><li><strong>Complete IoT Isolation:</strong> The <code>IoT</code> row shows that devices in this zone are blocked from initiating any communication with any other internal zone. Their only allowed path is out to the internet.</li><li><strong>Protected Management Plane:</strong> The <code>management</code> row and column are almost entirely red. The critical network infrastructure is blocked from initiating contact with any user-facing zone, and vice-versa, following the principle of least privilege.</li><li><strong>Controlled DMZ Access:</strong> The <code>DMZ</code> is prevented from initiating connections to the trusted <code>Internal</code> zone, preventing a compromised public-facing server from being used as a pivot point to attack internal devices.</li></ul><h4 id=granular-intra-zone-control>Granular Intra-Zone Control
<a class=heading-link href=#granular-intra-zone-control><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
<span class=sr-only>Link to heading</span></a></h4><p>Beyond the high-level zone policies, the configuration also implements granular rules to control traffic <em>within</em> a single zone, providing defense-in-depth.</p><p>These rules explicitly define the communication paths between services. For instance, rules allow a specific device to access a Kubernetes load balancer while another rule allows general DNS access within the zone. This ensures that even within a semi-trusted zone, services can only communicate in expected and necessary ways, further reducing the potential attack surface.</p><p>By adhering to these principles, what began as a day of frustrating troubleshooting evolved into a robust, layered, and logically segmented network that balances simplicity with strong security practices.</p><hr><h3 id=references>References
<a class=heading-link href=#references><i class="fa-solid fa-link" aria-hidden=true title="Link to heading"></i>
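Review bot: The two `<img>` tags added in this hunk point at `http://localhost:4998/attachments/...?client=default&bucket=obsidian`, which resolves only on the author's machine, so for every visitor the zone diagram and the firewall zone matrix will be broken images, and on an HTTPS page the plain-http `localhost` source is mixed content as well. Copy the PNGs into the site's static assets and reference them by a site-relative path, for example `<img src="/images/unifi-zone-matrix.png" alt="UniFi firewall zone matrix">` (placeholder file name), and replace the placeholder alt text `S3 File` with a description of each figure, since the matrix image is the only place the red rows and columns the bullets refer to are actually shown. Minor: the first image sits inside the last `<li>` of the zones list rather than after the `</ul>`, so it renders as part of the Management bullet.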
@@ -26,4 +28,4 @@ This article documents that journey. It details the pitfalls encountered, the co
2016 -
2025
Eric X. Liu
<a href="https://git.ericxliu.me/eric/ericxliu-me/commit/96e2f71">[96e2f71]</a></section></footer></main><script src=/js/coder.min.6ae284be93d2d19dad1f02b0039508d9aab3180a12a06dcc71b0b0ef7825a317.js integrity="sha256-auKEvpPS0Z2tHwKwA5UI2aqzGAoSoG3McbCw73gloxc="></script><script defer src=https://static.cloudflareinsights.com/beacon.min.js data-cf-beacon='{"token": "987638e636ce4dbb932d038af74c17d1"}'></script></body></html>
<a href="https://git.ericxliu.me/eric/ericxliu-me/commit/f6853a1">[f6853a1]</a></section></footer></main><script src=/js/coder.min.6ae284be93d2d19dad1f02b0039508d9aab3180a12a06dcc71b0b0ef7825a317.js integrity="sha256-auKEvpPS0Z2tHwKwA5UI2aqzGAoSoG3McbCw73gloxc="></script><script defer src=https://static.cloudflareinsights.com/beacon.min.js data-cf-beacon='{"token": "987638e636ce4dbb932d038af74c17d1"}'></script></body></html>
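Review bot: The footer commit link moves from `96e2f71` to `f6853a1`, matching the deploy commit in the subject, and nothing else changes in this hunk; visible in the unchanged context, the Cloudflare beacon script is loaded without an `integrity` attribute while the site's own `coder.min.js` carries one, which is normal for a vendor script that is updated in place, but it is worth remembering if a Content-Security-Policy is added to the site later.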