Oct 05 2019
Ubiquiti UniFi Controller Login Screen

When deploying a new UniFi network using Ubiquiti UniFi hardware and the controller, you may wish to change the management VLAN, and/or the VLAN that the hardware uses to communicate with the UniFi Controller.

In this post, I’m going to go over how to do this, as well as troubleshoot if something should go wrong.

Please note that I’m focusing on the theory and understanding as to how communication is handled, instead of providing step by step instructions which is what readers are usually accustomed to on this blog.

Why would we do this?

Some users (myself included) like to avoid using the default management VLAN of 1. This can be for a number of reasons such as reducing the security vulnerability footprint, customizing for specific customers or environments, or we just like to change it from the default VLAN.

How do we do this?

When you choose to change the default management VLAN, you typically need to keep a network/subnet on untagged VLAN 1. This is because new UniFi equipment, whether freshly purchased or newly deployed, will always try to obtain an IP address on untagged VLAN 1 and try to contact the controller from that network.

By having a functioning “provisioning” network and subnet on VLAN 1, the devices can obtain their configuration, and provision from there.

Once the device is provisioned and adopted by the UniFi controller, you can configure it to use a different VLAN as its management VLAN.

Keep in mind that you must make the controller reachable from both the untagged “provisioning” VLAN 1 and the new custom management VLAN. In my case, I make all the subnets routable so that the UniFi controller is reachable no matter what subnet and/or VLAN you’re on.

How do we secure this?

In my example above, I have very restrictive firewall rules on the firewall that is routing the different VLANs and subnets. The only traffic that is allowed to be routed to the untagged “provisioning” VLAN 1 is traffic destined for the UniFi controller, and only the ports that are required for provisioning. All other traffic is restricted, including internet access.

Essentially the only thing that functions on VLAN 1 is routing to the UniFi controller, and DNS for the lookup of the host record “unifi”.

What will happen if I’m doing this wrong?

If you’ve done this wrong, you may notice that the original provisioning works, but the AP or switch then disappears and goes offline after the management VLAN change on the device. This is because it can’t contact the controller after it switches from the default management VLAN to the new one you specified.

If the device never contacts the UniFi controller in the first place, then the device isn’t able to contact the controller on the untagged VLAN 1. You need to make sure that the various provisioning methods are available and functioning, and that the subnet is routable and firewall rules allow communication from that subnet to the UniFi controller.
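To make the restrictive rule set from “How do we secure this?” and the failure mode just described concrete, here is a small policy simulation. It is an added example and not code from the original post: the VLAN numbers, subnets, gateway and controller addresses are constructed, the controller is placed on its own server VLAN (as in the comment discussion below, so that both the provisioning VLAN and the management VLAN have to be routed to it), and the port list is the UniFi controller’s default ports (8080/tcp inform, 8443/tcp web UI, 3478/udp STUN, 10001/udp discovery), which the post itself does not spell out. The policy is first-match with an implicit deny, which is the shape the post describes: VLAN 1 may only reach DNS and the controller’s provisioning ports, and nothing else.

```python
"""Simulate the inter-VLAN firewall policy and the UniFi adoption path.

Added example; addresses and VLAN numbering are constructed, and the
controller ports are the UniFi defaults (not listed in the post).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology: VLAN 1 is the untagged provisioning network, the
# management VLAN is the custom one devices are moved to, and the controller
# sits on a separate server VLAN behind the router/UTM that does the routing.
PROVISIONING_NET = ip_network("192.0.2.0/24")     # untagged VLAN 1
PROVISIONING_GW = ip_address("192.0.2.1")         # router on VLAN 1, also serves DNS
MANAGEMENT_NET = ip_network("198.51.100.0/24")    # custom management VLAN
MANAGEMENT_GW = ip_address("198.51.100.1")        # router on management VLAN, also serves DNS
CONTROLLER_IP = ip_address("203.0.113.10")        # controller on the server VLAN

# UniFi controller default ports a device needs during provisioning.
CONTROLLER_PORTS = {("tcp", 8080), ("tcp", 8443), ("udp", 3478), ("udp", 10001)}

# The DNS zone served to both VLANs: the A host record the post relies on.
DNS_ZONE = {"unifi": CONTROLLER_IP}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    port: int
    action: str


def host(ip: IPv4Address) -> IPv4Network:
    """Single-host destination (/32) for a rule."""
    return ip_network(f"{ip}/32")


def build_policy(management_vlan_allowed: bool = True) -> list:
    """Allow only DNS and the controller's provisioning ports; deny the rest.

    Passing management_vlan_allowed=False reproduces the misconfiguration
    where the new management VLAN was never routed/allowed to the controller.
    """
    rules = [
        Rule(PROVISIONING_NET, host(PROVISIONING_GW), "udp", 53, "allow"),
        Rule(MANAGEMENT_NET, host(MANAGEMENT_GW), "udp", 53, "allow"),
    ]
    for proto, port in sorted(CONTROLLER_PORTS):
        rules.append(Rule(PROVISIONING_NET, host(CONTROLLER_IP), proto, port, "allow"))
    if management_vlan_allowed:
        for proto, port in sorted(CONTROLLER_PORTS):
            rules.append(Rule(MANAGEMENT_NET, host(CONTROLLER_IP), proto, port, "allow"))
    return rules  # no catch-all: unmatched traffic falls through to implicit deny


def evaluate(policy, src_ip, dst_ip, proto, port) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if src_ip in rule.src and dst_ip in rule.dst and rule.proto == proto and rule.port == port:
            return rule.action
    return "deny"


def adoption_path(policy, device_ip, gateway_ip) -> str:
    """Walk the steps a device takes: resolve 'unifi', then open the inform port."""
    if evaluate(policy, device_ip, gateway_ip, "udp", 53) != "allow":
        return "offline: cannot query DNS for 'unifi'"
    target = DNS_ZONE.get("unifi")
    if target is None:
        return "offline: no A record for 'unifi'"
    if evaluate(policy, device_ip, target, "tcp", 8080) != "allow":
        return "offline: inform port 8080/tcp to controller blocked"
    return "adopted"


def simulate_vlan_change(policy) -> tuple:
    """Device state before and after its management VLAN is changed."""
    before = adoption_path(policy, ip_address("192.0.2.50"), PROVISIONING_GW)
    after = adoption_path(policy, ip_address("198.51.100.50"), MANAGEMENT_GW)
    return before, after


if __name__ == "__main__":
    print("correct policy:", simulate_vlan_change(build_policy()))
    print("missing mgmt rule:", simulate_vlan_change(build_policy(management_vlan_allowed=False)))
    # Least privilege: a device on VLAN 1 gets nothing beyond DNS and the controller.
    print("VLAN 1 -> internet 443:", evaluate(build_policy(), ip_address("192.0.2.50"),
                                              ip_address("192.0.2.200"), "tcp", 443))
```

With the complete policy both steps report `adopted`; with the management VLAN rule left out the device adopts on VLAN 1 and then goes offline after the VLAN change, which is exactly the symptom above. Anything not explicitly allowed from VLAN 1 (other ports on the controller, other subnets, the internet) is denied.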

How do we test this?

In my environment on untagged VLAN 1 as well as my custom management VLAN, you can open a browser and type in “unifi” and it will resolve and connect to the UniFi controller. This means it’s available on the default VLAN that the devices look for, as well as the custom management VLAN.

I find using the A host record the easiest way to do this. Please note that my UniFi controller only has one static IP address on the custom management VLAN.
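The browser test above can be scripted so it is repeatable from a client on each VLAN. The following is an added example, not code from the post: it resolves the “unifi” host record the same way a device would, attempts a TCP connection to the controller on the inform and web ports (8080 and 8443, the UniFi controller defaults, which the post does not name), and maps the outcome onto the two failure modes described earlier (no resolution, or resolution but blocked ports).

```python
"""Check that the 'unifi' host record resolves and the controller answers.

Added example, not from the post. Run it once from a host on untagged
VLAN 1 and once from the custom management VLAN; both must report OK.
"""
import socket

CONTROLLER_NAME = "unifi"
CHECK_PORTS = (8080, 8443)  # TCP: device inform and web UI (controller defaults)


def resolve(name: str):
    """Return the IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verdict(resolved_ip, port_results: dict) -> str:
    """Map raw results onto the failure modes the post describes."""
    if resolved_ip is None:
        return "DNS_FAIL: 'unifi' does not resolve on this VLAN"
    blocked = [str(p) for p, ok in sorted(port_results.items()) if not ok]
    if blocked:
        return "BLOCKED: ports " + ", ".join(blocked) + " to " + resolved_ip
    return "OK: controller reachable at " + resolved_ip


def check(name: str = CONTROLLER_NAME, ports=CHECK_PORTS) -> str:
    """Resolve the controller name and probe each port; return a one-line verdict."""
    ip = resolve(name)
    results = {p: tcp_open(ip, p) for p in ports} if ip else {}
    return verdict(ip, results)


if __name__ == "__main__":
    print(check())
```

A `DNS_FAIL` result means the DNS server serving that VLAN is missing the A record; a `BLOCKED` result with a correct address points at routing or the firewall rules between that VLAN and the controller.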

  14 Responses to “Change management VLAN on Ubiquiti UniFi Hardware and Controller”

  1. […] Change management VLAN on Ubiquiti UniFi Hardware and Controller […]

  2. How did you make the Unifi Controller available on both a tagged VLAN and the general untagged network? Does it live in (as in the IP address is in) the subnet of VLAN 1/untagged, but you route to it from other VLANs via a L3 device? Thanks!

  3. Hi Jamie,

    Thanks for reaching out. I have a few of the subnets on different VLANs routable. I do the routing on a Sophos UTM which has multiple (virtual) adapters sitting on each different subnet/VLAN. This way it can provide routing and I can enforce strict firewall controls.

    This way, when a UniFi device is attached to the network on the default untagged network, the only thing it has access to is a DHCP/DNS server, and the UniFi controller which resides on a different subnet. It performs the DNS lookup of “unifi”, provisions and then changes to the appropriate VLAN for management.

    Hope this helps!


  4. Thanks Stephen. So the controller lives on a VLAN, but is accessible from the untagged VLAN 1 through an L3 device (UTM). And out of the box, Unifi gear is preconfigured to resolve the FQDN “unifi” to provision to the controller, hence the DNS record? You don’t have to console into a Unifi switch for example to set the controller FQDN for provisioning? Thanks.

  5. Hi Jamie,

    That is correct (the routing, VLANs, and L3 routing). And yes, provisioning is all automatic, no SSHing needed.

    You can find all the different adoption methods available here: https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

    You can use DNS, DHCP, etc… I just chose DNS because it’s easy and my Sophos UTM has a built in DNS server that I use for subnets/VLANs that I don’t want or have servers on.


  6. […] you’ve purchased some Ubiquiti UniFi hardware… You have configured it, possibly even changed your management VLAN. Now it’s time to get production […]

  7. […] Change management VLAN on Ubiquiti UniFi Hardware and Controller […]

  8. […] Change management VLAN on Ubiquiti UniFi Hardware and Controller […]

  9. Thanks for the theory, how about a step by step. Something that doesn’t seem to exist with anything Unifi. I am starting to think there is a conspiracy or some sort of law that prevents it.

  10. Hi Jeff,

    Sorry, but it’s a little tricky with a how-to on this specific topic. The steps would vary depending on which firewall you’re using, what router you’re using to provide routing between the subnets, etc.

    In my case I’m using a Sophos UTM firewall and UniFi switches, but the setup will probably vary from person to person.

    I was hoping to go in to the theory, to teach so that readers can setup their own environments and hardware to do this.

    Essentially you just need to make all subnets routable, firewall the routing between subnets to only allow communication to the UniFi controller, and set it all up.

    If you have a specific question, feel free to ask me and I’ll do my best to answer!


  11. Just to say thanks again Stephen. This week I followed the guidance from earlier this year, and put the Unifi devices onto untagged VLAN to be provisioned, gave the DNS entry for “unifi” for those devices that resolves to the controller on a different tagged VLAN, and made sure the Unifi devices could route to it. Now got a fully VLAN enabled home network, thanks again!

  12. Hi Jamie, glad it helped!

  13. Like Jeff I have spent days trying to get this setup with unifi switches and AP and a pfSense firewall. A step by step would really be helpful. Understand that each setup is different, but (at least in my case), if I try to change the unifi devices to my tagged management VLAN, the controller loses contact with them.
    So to be clear, get everything setup on the untagged network, then transfer the controller to the management tagged VLAN? When you say ” you just need to make all subnets routable” – can you be clearer. What do you mean by routable? All subnets? Does that mean IOT and Guest VLANs?

    Also when you say ” the only thing it has access to is a DHCP/DNS server, and the UniFi controller which resides on a different subnet. It performs the DNS lookup of “unifi”, provisions and then changes to the appropriate VLAN for management.” Any explanation of these steps would be helpful.

  14. Hi Sam,

    It may be difficult and confusing, but once you figure it out, it becomes super easy to set up.

    A step by step guide is hard to create, since everyone’s configuration is different not only because of their unique setup, but also because they won’t be using the exact same hardware.

    You don’t need to “move” the controller from one VLAN to another; you can configure it on the VLAN you want it on. The important thing is that you need to make it routable to other VLANs.

    Typically, VLANs are different networks and cannot communicate with each other unless you have a gateway or router, that routes packets and allows the different VLANs to communicate with each other.

    When your networks are routable and can communicate, it won’t matter what VLAN they are on, they will be able to communicate with the controller, the important part is to have a DNS entry for “unifi” on the DNS server that services both the untagged VLAN and the destination VLAN you want to move APs and switches to.

    When you attach a new device, and the networks are routable, the unifi switch or AP will connect, allow provisioning, and when you move it to your destination VLAN it should continue to be available.

    I hope that clears it up.

