Roon + Unifi VLANS

Hi all. I just purchased a Unifi Dream Machine Pro to complement the rest of my existing Unifi network (4 switches + 4 APs). I’m just learning about VLANs and hoping that someone may be able to help me solve my issue. I’ll CC another couple people I’ve seen post as Unifi owners: @hells , @wizardofoz , @Jason_Carle2, @jimmyb, @ipeverywhere.

I have a few VLANs set up, including:
“Users”: Personal computers and mobile devices.
“Media”: Windows 10 Roon Core, RPis running Ropieee, and ATVs.

I tried assigning the UDMP port connected to the Core machine with a switch profile I created called “Media Client Access” that is assigned the “Media” VLAN as native, with the “Users” VLAN tagged. I also tagged the VLAN that only includes the router (called “Router”) for good measure. I was on my laptop, connected to the SSID associated with the “Users” VLAN. When I fired up Roon it found the Core machine and its correct IP (assigned via DHCP, and within the “Media” VLAN subnet), but it could not connect. It showed that it was “Connecting” but kept failing and re-trying. When I changed the port profile to place the Core machine in the “Users” vlan/subnet, the same one my laptop is on, it connected fine.

My question is: If my “Media Client Access” port profile includes a tag for “Users”, then why would it have more trouble connecting to Core with that profile, than when I simply set the port to the “Users” VLAN only?

My assumption is that by including the “Users” VLAN in the switch port profile as a tag, that I would be able to connect to core without any firewall rules.

I hope this is not too confusing, and thank you in advance for your help with this!


Late here… I’ll try to keep this brief. Can answer more in the AM.

802.1q (the standard for VLANs) uses tagged ethernet frames to signify which VLAN the ethernet frame belongs to. On devices that do not support tagging, you assign that port a single VLAN and set it as “access” (ubnt calls this native or untagged). This, effectively, strips the VLAN tag off of the frames as they leave the switch and it applies the tag to frames coming in. Effectively, your connected device does not know which VLAN it belongs to as it sees no tags.

A “trunk” port will leave the tags on the frames and all frames coming from the connected device must be tagged. Without a tag the traffic gets dropped as the switch doesn’t know which VLAN the traffic belongs to. This requires that the connected device supports 802.1q by both being able to accept frames with tags as well as apply tags on frames that leave the device.

There is a hybrid, which is what you’ve set-up. You’ve set-up a tagged port for your Users VLAN (switch will leave tags in place as well as require frames to be tagged for this VLAN) and you’ve set-up Media as untagged (access, native, etc.). When packets for the Media VLAN leave the UDMP they won’t have tags and, I’m assuming, you’ve not set-up Roon Core to tag frames so everything coming out of the Core is landing in the Media VLAN. Some UBNT docs for further reading:

Depending on the OS and network card you’re using… your Core may be dropping all the tagged Users frames or it may be treating them as untagged at which point broadcast / multicast may work but nothing would work unicast properly.

I need to understand your IP addressing but, remember, Roon does not support crossing L3 boundaries. We could go into troubleshooting why discovery worked but not connecting is simply because you tried to cross a subnet boundary when your laptop was on the Users subnet and your Core was on the Media subnet. Back to tagged / untagged… The laptop is “natively” on the Users VLAN / subnet and your Core is natively on the Media VLAN / subnet.

But, look at your config a bit and re-read what I wrote about tagged and untagged ports. Unless you’re going to configure your Core to support 802.1q tags and intend to put it on both the Users and Media VLANs/IP subnets then your port configuration is not correct. If your core isn’t going to support tags then you need to just leave it on a single, untagged, “access” VLAN. OR, use two physical ports: one on Users and one on Media.

And if you want to support tags… What OS is your Core running? What model network adapter do you have? Depending on your network adapter, both Linux and Windows 10 will support 802.1q but you need to decide if you want to go down this rabbit hole as multiple interfaces / VLANs is not “supported” by Roon. Although plenty have it working successfully…

and, also… mods? We’re well into the “tinkering” at this stage.
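
The access / trunk / hybrid port behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a switch port applying and stripping 802.1Q tags on real frame bytes. The VLAN IDs (10 for Users, 20 for Media), the MAC addresses and the `Port` class are assumptions constructed for illustration.

```python
import struct

TPID = 0x8100            # EtherType value that marks an 802.1Q tag
USERS, MEDIA = 10, 20    # assumed VLAN IDs; the thread does not give them

def vlan_of(frame):
    """VLAN ID from the frame's 802.1Q tag, or None if the frame is untagged."""
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if ethertype == TPID else None

def add_tag(frame, vid):
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

def strip_tag(frame):
    return frame[:12] + frame[16:]

class Port:
    """Simplified switch port: one optional native VLAN plus a set of tagged VLANs."""
    def __init__(self, native=None, tagged=()):
        self.native, self.tagged = native, set(tagged)

    def ingress(self, frame):
        """Frame from the device: (vlan, untagged frame), or None if dropped."""
        vid = vlan_of(frame)
        if vid is None:  # untagged traffic lands in the native VLAN, if any
            return (self.native, frame) if self.native is not None else None
        return (vid, strip_tag(frame)) if vid in self.tagged else None

    def egress(self, vlan, frame):
        """Frame to the device: bytes on the wire, or None if not a member."""
        if vlan == self.native:
            return frame                      # native VLAN leaves untagged
        return add_tag(frame, vlan) if vlan in self.tagged else None

# Constructed sample: untagged IPv4 frame (dst MAC, src MAC, EtherType, payload).
FRAME = bytes.fromhex("02000000000a" "02000000000b" "0800") + b"payload"

def demo():
    hybrid = Port(native=MEDIA, tagged={USERS})   # like "Media Client Access"
    access = Port(native=USERS)                   # port set to Users only
    trunk = Port(tagged={USERS, MEDIA})           # pure trunk, no native VLAN
    return {
        "core_sends_untagged": hybrid.ingress(FRAME)[0],
        "users_to_core_on_hybrid": vlan_of(hybrid.egress(USERS, FRAME)),
        "users_to_core_on_access": vlan_of(access.egress(USERS, FRAME)),
        "untagged_into_trunk": trunk.ingress(FRAME),
    }

if __name__ == "__main__":
    print(demo())
```

On the hybrid port, everything the Core sends untagged is classified into Media, while Users traffic reaches it with EtherType 0x8100 in place of 0x0800, which a host not configured for 802.1Q will not process as normal IPv4.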


Thank you @ipeverywhere, for the very thorough reply. This is very helpful. And while I’d read that article you mentioned, re-reading it has helped.

I wonder, if all the media devices are on their own native, untagged subnet, could firewall rules allow access to all relevant ports? I saw that there is one UDP and a range of TCP ports that can be used in forwarding rules for Roon. I’m not exactly sure how I’d implement those on Unifi (what port am I forwarding from?) but would that not solve this issue without a whole lot of tinkering? This would basically allow the remotes and core to communicate intra-vlan, while the core and endpoints would be able to communicate internally within the same vlan.

If that works, any tips on how that might be configured in unifi would be very helpful. I’m just getting my legs here. Clearly. :wink:

Thanks again for your help!


Noted, and agreed … I’ve moved the topic over.

Why did you add a Dream Machine in the first place? I thought that was an all-in-one solution. If you already have switches and access-points (and, presumably, a gateway and key?) then I would have extended it using more radios (APs), or another switch, etc - but not using a dream machine. Maybe I’m missing something.

I haven’t used multiple VLANs, so I don’t have much to offer there. Are there compelling reasons in your application? (eg disjoint security policies?) It seems these problems might overlap remote-access / firewall problems, which are discussed periodically on these forums.

Sorry I can’t be more help.

I’d suggest OP is having issues as Roon is trying to run a multicast session in its local subnet and you don’t have PIM / IGMP snooping or similar set up to enable multicast routing over a L3 subnet boundary.

I’d be against pumping the audio over a network boundary by routing it unless absolutely necessary. The Unifi routers like the Dream Machine are software based routers and pumping traffic over a network boundary all hits the CPU.

While you might have enough headroom on the firewall / router from a CPU perspective, I’d consider the Roon core to be more akin to a server in your network and keeping it local to the devices accessing it should be your goal from a performance perspective.

I’ve not tried to get Roon multicast RTSP happening over a VLAN boundary. While it may work, you’d need to do some tinkering.

For some more reading:

I’ve been tinkering with this VLAN and Roon business a few times over the past month or so. Until I got roon, I had two VLANs setup on my USG. The reason I did that is I have a pihole to dump ads and other crap that has snuck into my nice internet. But pihole can mess up my wife’s browsing occasionally. So I setup two wifi SSID’s. I have casastokes which is on the primary network ( and I also have casastokes-noAds ( On the main LAN that casastokes connects to, I have the DNS set to automatic in the dhcp server settings, and on the noAds one, I have a manual DNS entry in the DHCP server pointing to the pihole. All my wired clients servers etc live on the main LAN ( including my core.

This worked flawlessly for years, and then roon came along. I had all my laptops, tablets, phones, etc connecting to the noAds network. With some tinkering I was able to get roon running across the boundary, but weird things would happen with sleep on my macbook and occasionally the roon remote app would connect to the core. I could point it there manually by entering the ip address but it was a pain.

So I just went into all my devices and specified the DNS manually for the casastokes SSID.

I’d really love to be able to specify a DNS server based on SSID and not split into two subnets. I haven’t figured that out yet. It’s easy and exactly what makes sense if you split subnets with VLANs and enable mDNS reflection, but roon can’t handle it. I keep thinking that there must be a way to do what I want, but I don’t have the unifi and networking juju to figure it out. So I went the manual DNS config route and got on with my life.

I can’t say enough good things about unifi systems in a fairly tech heavy house.


The reason for the UDMP was that I wanted something easier to configure than the Edge Router I had (still do). I’m a complete novice, in case that wasn’t obvious, so having a single pane designed for a prosumer was important to me. I also wanted the built-in controller (rather than running on a separate machine), and the surveillance drive. I hooked up one of their cameras this evening and it was the most seamless install I’ve ever experienced. I’m very pleased with it, despite the expense.

Thanks for your input @Craig_Joyce. The reason for creating a separate subnet was that I have five RPi endpoints, and I thought it would be best for those to be in their own subnet for security reasons. I cannot say that I have a precise clue as to what the RPi security risks are, but intuitively it seems like a best practice in that they might be exploited as hosts for some kind of network attack? Maybe I’ve just been watching too many movies, but the plan was to put Apple TV’s, RPi endpoints and my Roon Core & Plex Server into a “Media” Vlan. After reviewing this thread though, and trying for hours to get my Apple TV Remote App and Airplay to work across Vlans, I’m not nearly as convinced that the cost/benefit is there. I feel like if I give up on this Media Device Vlan, it reduces the benefit to having Vlans besides obvious things like guest policies, which I already have through the Wifi settings. But, anyway, that’s my question to answer, not yours. I guess for now I will co-mingle personal devices with all the various IOT devices, keep all devices regularly patched, and hope for the best!


I usually keep all my IoT stuff in an IoT VLAN with a separate IoT SSID too. Using the Unifi gear that’s easy enough to do. If you have the USG / firewall you can also set up IoT to LAN firewall rules that mean that your IoT devices can only access the internet and not your LAN.

The trouble is when devices rely upon protocols like multicast to function as you have found. I know what you’re trying to do and though I’ve not looked into it properly on a Ubiquiti setup, in a Cisco (or similar) LAN I’d set up a private VLAN to allow blocking of traffic from isolated hosts to anything other than a gateway or other isolated ports in the same community.


If you could create the private VLAN community, all of the hosts could live in the same network segment. Your Rpi and Roon core in the same subnet, but logically put into a container (a community) that lets them only speak amongst themselves and their default gateway. This is like a logical ring fencing of hosts within a VLAN, creating a logical VLAN within the physical VLAN.

Checking the Unifi controller manual, I can see that the Unifi switches support port isolation (tick) but don’t seem to do private VLAN communities.

  • Isolation Select to mark this port as an isolated port.
    An isolated port cannot communicate directly with
    any other isolated port.

It seems you need an Edge switch to set up a private VLAN community unless it can be done from the CLI.

I just logged into a Unifi switch and the syntax is all there, it just doesn’t appear to be implemented in the controller interface.

The problem with this is if you make the changes in the CLI and then manage it with the controller it will overwrite the config changes you made under the hood.

I’d ask Ubiquiti via the controller’s help chat function if it is possible to create a community VLAN using the controller and not just within the CLI on the switch.

Thanks for this @Craig_Joyce. Thing is that even if the endpoints and core are in their own vlan and communicating freely, they still have to communicate with the roon remotes, which are all on private devices like iphones and laptops. I guess I could have one dedicated remote device, like a big tablet, that lives in the same vlan.

It gets further complicated if you consider that the machine core runs on is also a photo file server and plex server that needs to be in the main vlan.

I think the closest I could get without much if any firewall tinkering is to buy a dedicated machine for roon core (or virtualize it within the windows box), buy a dedicated roon remote tablet, and put them in the same vlan as the RPi’s. Having to look for and trek around the house for that remote each time I want to put on some tunes on would be such a bummer though. I have five zones spanning three floors and a back yard. This is how hackers win.


You wouldn’t need to have the endpoints accessing from the remotes, just the Roon core. This could be in another community with the remotes and everything else on your network if you could get private VLANs working with community functionality.

I logged a ticket with Ubiquiti.

This is the response:

Thanks for getting in touch with us!

The UniFi Switches do not support community-based private VLANs.

You can only configure the networks that are shown on the below provided KB article.

With that being said, you cannot configure the networks on the unifi switch. You can only tag and untag VLANs configured at your router/DHCP server end.


Are you using one of the Edge routers in a Unifi stack? This is a bit tangential, but that’s awkward. (I understand, their product line is really confusing.)

I used to use an edge router in front of my Omni mesh (to workaround netgear bugs), but once I switched to Unifi I tossed the Edge switch and replaced it with a Unifi switch.

I’d recommend staying within the Unifi family - so the software-defined networking can take care of business for you, and to avoid awkward out-of-band router configurations.

PS. I think your dream machine subsumes the main switch and gateway and key-server components. Do you need more routing/switches (like the Edge)?

I no longer use the Edge router, so I’m 100% Unifi, except … the backplane on the UDMP 8-port switch is only 1Gig (shared across all 8 ports), so I will be adding a 10Gbe aggregating switch via the SFP+ port on the UDMP on which each ethernet port will be a full 1Gig (not shared like the UDMP switch), and that will be the primary switch to the Unifi switches around the house. I went with a Zyxel for that intermediary switch because the comparable Unifi option would have been $500.

I also have the UDMP and a number of UNIFI APs and Switches in my home/SOHO network.

I can tell you now that MDNS in UDMP F/W version 1.8.0 (Latest) is broken so you will not get multicast DNS to work across Vlans.

I have had to install all devices that require multicast on the same user vlan we use for our desktops/laptops/mobile devices.

I just migrated from USg3P to UDMPro too and pretty much only use the one port on the switch to connect to SW8-60 for distribution and PoE connections.

The better IDS/IPS throughput is what I was after mainly, plus an extra SFP connection for my FMC connected audio endpoints.

I tried IoT on a dedicated subnet. Things start to really break when it comes to Home Automation. Throw in Google Home/Nest devices, SmartTVs, Roon Core, Roon endpoints, Smart Thermostat, Smart Outlets, AppleTV, Smart AirConditioner, Philips Hue, the various vendors apps to at least setup these, often needed for ongoing control aspects also… yes all in one home… thing is some work via multicast, some work via Bonjour/mDNS and then some are just flat out mysteries… Although (or maybe because) I do networking for a living it just became way too much of a hassle to administer and try to make it all work across L3 boundaries.

I do utilize multiple SSID on the network to allow multiple WAP keys to be used. That allows for sharing of a key if needed without having to change every device on the network.

Hey again Paul. Have you gotten this working by chance since the Unifi updates were released? I’m still trying to put my roon server and endpoints on different vlans with no luck. I have mDNS on. I have FW rules for 1) allowing all traffic from the vlan where my roon server is, to the IOT/endpoint vlan and 2) allowing established related from/to all public ip’s. But the endpoint stops being visible to the server at that point. :frowning: