Isolate wifi network LANs from each other while sharing same WAN

Please find an illustration of my network setup here:

Networking Diagram

I want to ensure that the devices connected to each of the three WiFi networks are completely isolated from each other.

Ideally, there should be three different subnets, each with its own DHCP server. Each subnet should be assigned to one of the WiFi networks. Devices connecting to that WiFi should get an IP only from that subnet and they should be able to communicate only with devices in that same subnet. All three subnets should be able to access the load-balanced Internet connection available at the router.

Some devices are connected to the switch directly using Ethernet cables. Depending on which port they are connected to, they should be part of one of the three networks.

I understand that VLANs need to be used. I understand multiple subnets and DHCP servers need to be created. But I am not sure how all these things need to be configured. There are three separate classes of devices:

  • the pfSense router.
  • the web-manageable smart switch.
  • the Unifi Controller managing the Unifi APs.

Could someone give me basic guidelines on what I should do on each of these devices, to achieve what I want? Thanks!


First choose a VLAN ID for each subnet. Your existing "LAN" subnet is VLAN 1; new ones need to be from the range 2–4095.

the web-manageable smart switch.

Varies greatly between switch manufacturers and firmware types.

In general, the router & AP ports must have all VLANs assigned to them as "tagged" (except for the existing management LAN, which remains "untagged").

Some switches first require you to set the multi-VLAN ports to "General" or "Mixed" mode (instead of the default "Access") before you can start adding the tagged VLANs.

Make sure there's only one untagged VLAN per port (not all switches forbid that), and make sure each port's "PVID" (if it's a separate setting) matches the untagged VLAN's ID.

the pfSense router.

Under Interfaces → Assignments → VLANs, first create a virtual VLAN port for every tagged VLAN that you have on pfSense's switch port.

Screenshot of pfSense interface configuration, "VLAN port" list

The rest is exactly the same as if you had multiple actual Ethernet ports:

  • In the main Interface Assignments tab, assign the virtual ports to pfSense interfaces.
  • Through the Interfaces menu, configure names and IP addresses on each interface (e.g. 192.168.3.1/24 for IoT VLAN, 192.168.4.1/24 for PC VLAN).
  • In Services, enable DHCP and IPv6 Router Advertisements for each interface.
  • In Firewall → Rules, specify what communications are allowed from each interface. You'll probably want two rules: 1) deny access to 192.168.0.0/16, 2) allow everything else.

the Unifi Controller managing the Unifi APs.

Open the site's Settings page (gear icon). Under Wireless Networks, create the SSIDs you need. When configuring a network (SSID), you'll find the VLAN ID field under Advanced Options.

Screenshot of the "Use VLAN" field in UniFi site configuration
(I don't know why UniFi caps it to 4009.)

Since APs are just bridges, they do not need IP addresses for each VLAN, so there's nothing to configure for that.

Don't create too many SSIDs. (Also probably go back to your switch and double-check that the AP ports are indeed tagged members of every needed VLAN, just in case.)
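As an added check (example code written for this page, not from the question or the answer above): a small Python model of the per-interface pfSense rule list "deny 192.168.0.0/16, then allow everything else", evaluated first-match as pfSense does. It assumes 192.168.2.0/24 for the third subnet and that pfSense's own interface address (x.x.x.1) is the clients' DNS server, which the RFC1918 block rule would otherwise cut off.

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass
class Rule:
    action: str   # "pass" or "block"
    dst: IPNet    # destination network the rule matches
    note: str = ""


# Constructed sample: the two subnets named in the answer plus an assumed third one.
SUBNETS = {
    "IoT": IPNet("192.168.3.0/24"),
    "PC": IPNet("192.168.4.0/24"),
    "Guest": IPNet("192.168.2.0/24"),   # assumption, not from the page
}
PRIVATE = IPNet("192.168.0.0/16")


def rules_for(iface, allow_local_dns=False):
    """Rule list on one VLAN interface; first match wins, like pfSense."""
    rules = []
    if allow_local_dns:
        # Assumed: the firewall's own address on this VLAN answers DNS. This pass
        # rule must sit above the RFC1918 block, or clients lose name resolution.
        gw = IPNet(f"{next(SUBNETS[iface].hosts())}/32")
        rules.append(Rule("pass", gw, "DNS to this firewall"))
    rules.append(Rule("block", PRIVATE, "no other LANs"))
    rules.append(Rule("pass", IPNet("0.0.0.0/0"), "everything else (Internet)"))
    return rules


def verdict(iface, dst_ip, allow_local_dns=False):
    """Return 'pass' or 'block' for routed traffic leaving iface toward dst_ip.

    Traffic between two hosts on the same VLAN never reaches the router (the
    switch forwards it at layer 2), so only cross-subnet and Internet destinations
    are meaningful inputs here.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    for r in rules_for(iface, allow_local_dns):
        if dst in r.dst:
            return r.action
    return "block"   # pfSense default deny when nothing matches
```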