UniFi Parental Controls
Layered network filtering for UniFi-equipped homes. VLAN segregation, per-network DNS, DoH and VPN bypass closure, and time-of-day blocks for kids' devices.
Home Network Filtering That Actually Holds Up Against a Motivated Teenager
Updated April 2026 · Advanced · 45–60 min setup · 18 min read
Who this is for
You either have UniFi already, or you're seriously considering it. You're comfortable with terms like VLAN, DHCP, and firewall rule — or you're willing to learn them in one evening. You have a kid who can follow a YouTube tutorial. You want to configure your home network so that defeating any single parental control doesn't defeat the whole system.
If you don't have UniFi and you're not planning to get it, stop and read our NextDNS for Families guide. Most of what this guide accomplishes can be approximated on any router that supports custom DNS — UniFi just makes it dramatically more granular.
If you have UniFi, welcome to one of the most flexible home-network parental control platforms on the market. The catch is that none of it is labeled "parental controls." Every feature here exists for enterprise network segmentation. This guide pulls the right subset together into a coherent family configuration.
What you'll build
By the end of this guide, you'll have:
- Network-layer content filtering enforced at the gateway, blocking adult content, malware, and phishing for every device on the network
- A segregated Kids VLAN — virtually separate network with tighter rules than the adult network, its own SSID, and isolation from sensitive home devices (NAS, security cameras, work laptops)
- DNS routing per network that forces Kids-VLAN devices through NextDNS (or similar filtered DNS) while leaving the adult network untouched
- Three bypass closures that defeat the most common technical workarounds: manual DNS change, VPN tunneling, and browser DoH
- Per-device time-of-day blocks that cut specific phones, consoles, or tablets off the internet during school and sleep hours
- A verification procedure that confirms each layer is actually doing what you think it's doing
This is "defense in depth" for family networking. You're not relying on one tool to catch everything; you're layering controls so that a motivated teenager would need to defeat multiple independent systems to bypass you.
Hardware capability matrix
UniFi's feature set varies by gateway hardware. Before you start, know what you have:
| Hardware | Content Filtering | DPI / App Filtering | DoH / DoT Blocking | Traffic Rules | Notes |
|---|---|---|---|---|---|
| UDM Pro / UDM Pro Max | ✅ | ✅ | ✅ | ✅ | Full feature set |
| UDM / UDM SE | ✅ | ✅ (limited) | ✅ | ✅ | Full enough |
| UDR / UDR7 | ✅ | ✅ (limited) | ✅ | ✅ | Fine for a family |
| UCG-Ultra | ✅ | ✅ | ✅ | ✅ | Recommended for new builds |
| UCG-Max | ✅ | ✅ | ✅ | ✅ | Good value |
| UCG-Lite / UCG-Fiber | ✅ | ❌ | ⚠️ partial | ✅ | Can run this guide with caveats |
| Dream Router (original) | ✅ | ⚠️ limited | ⚠️ limited | ✅ | Works; some steps limited |
| USG / USG-Pro (legacy) | ❌ | ❌ | ❌ | ⚠️ via CLI | Too old for this guide. Upgrade. |
If you have UDM Pro / UDR / UCG-Ultra / UCG-Max, you can execute every step in this guide. If you have UCG-Lite or Dream Router original, skip steps involving DPI-based VPN blocking and rely more heavily on DNS-layer filtering. If you have legacy USG, upgrade before following this guide.
Prerequisites
- UniFi Network Application 9.x or later. Earlier versions have different menu paths.
- A UniFi gateway from the table above
- Admin access to the UniFi Network web UI
- A list of your kids' devices (phones, tablets, consoles, laptops) — either their MAC addresses or the willingness to spot them in the Clients list
- Optional but strongly recommended: a NextDNS account (see our NextDNS for Families guide). UniFi's built-in Content Filtering is fine; NextDNS stacked on top is substantially better, especially for kids' devices off the home network.
- A test device on the Kids VLAN that you can use to verify each step (an old iPad works perfectly)
Step 1 — Enable Content Filtering at the gateway
Content Filtering is Ubiquiti's built-in DNS-layer filter. It's free, enforced at the gateway, and the fastest win in this guide.
- In the UniFi Network UI, go to Settings → Security → Content Filtering (in some versions: Settings → Internet → Content Filtering)
- Enable Content Filtering
- Set the default level to Family (blocks adult content, malware, phishing)
- Confirm it's set to apply to all networks by default
This is fine as a baseline. It's not as tunable as NextDNS — you can't allowlist a specific site or add custom denylist entries — but it catches the biggest categories and runs at zero cost with no configuration. I recommend keeping it enabled even if you're adding NextDNS on top; the two catch different things and redundancy at this layer is free.
Step 2 — Create a Kids VLAN
The single step that separates prosumer from consumer parental controls. A VLAN is a virtually separate network on the same physical hardware, which means you can apply rules to kids' devices that don't affect the rest of your household.
Create the network
- Settings → Networks → Create New Network
- Name: `Kids` (or `Family-Kids`, or whatever reads cleanly in your Clients list)
- Network type: Standard
- Set a VLAN ID: `20` (or any unused number between 2 and 4094)
- Assign an IP range: `192.168.20.0/24` works
- Under Advanced, enable Isolation if you want to prevent Kids-VLAN devices from seeing your main-network NAS, security cameras, or work devices. Strongly recommended if you have any of those.
- DHCP mode: leave as Default
- Save
Create a Kids SSID
- Go to Settings → WiFi → Create New WiFi Network
- SSID: `YourHome-Kids` (obvious to the kids, different enough that they know which to connect to)
- Password: something separate from your main Wi-Fi password. Tell the kids this one; do not tell them the main Wi-Fi password.
- Under Advanced, assign this SSID to the Kids network you just created
- Save
Move devices onto the Kids VLAN
Two paths, pick one:
- Easy: Have the kids forget the old Wi-Fi network on their devices and join the new Kids SSID. Done.
- Bulletproof: In the Clients list, find each kid device by MAC, click it, and set Fixed IP / Network Override to the Kids VLAN. The device will use Kids rules regardless of which SSID it joins (including Ethernet).
Step 3 — Apply filtered DNS to the Kids VLAN
UniFi supports different DNS servers per network. This is where Kids-VLAN traffic starts getting filtered at the DNS layer.
- Settings → Networks → Kids
- Scroll to Advanced → DHCP Service → DNS Server
- Set the DNS servers. Options in order of preference:
- NextDNS (best): use the IPv4 endpoints shown in your NextDNS setup page, along with the corresponding IPv6 addresses
- Cloudflare for Families: `1.1.1.3` and `1.0.0.3` (blocks malware + adult content, no account needed)
- OpenDNS FamilyShield: `208.67.222.123` and `208.67.220.123` (similar to Cloudflare's family tier)
- Save
Every device on the Kids VLAN now uses filtered DNS by default. The adult network still uses whatever you have configured for Default.
If using NextDNS, also note the DoH/DoT endpoint ([config-id].dns.nextdns.io) — you'll reference it in Step 5.
Step 4 — Block manual DNS bypass (ports 53 + 853)
A moderately-savvy teenager's first bypass attempt: manually set the DNS on their phone to 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare unfiltered), escaping your Step 3 filtering. You close this at the firewall.
- Settings → Security → Traffic Rules → Create New Rule
- Name: `Block external DNS from Kids VLAN`
- Action: Block
- Source: Kids VLAN (network-based source)
- Destination: Any (external) — i.e., any IP outside the Kids VLAN
- Ports / Protocols:
- TCP port 53 (DNS)
- UDP port 53 (DNS)
- TCP port 853 (DNS-over-TLS)
- UDP port 853 (DNS-over-TLS)
- Schedule: Always
- Exception / Allowlist: allow traffic from the Kids VLAN to your UniFi gateway's LAN IP on port 53, and to whichever filtered resolver addresses you entered in Step 3 if the Kids VLAN's DHCP hands those out directly. (Those are the DNS servers Kids-VLAN devices actually use. Without this exception, normal DNS breaks.) If you're using NextDNS DoT directly, allow traffic to NextDNS's DoT endpoint IPs on port 853 instead. Make sure the exception is evaluated ahead of the block rule, or it never takes effect and normal DNS breaks anyway.
- Save
Now any Kids-VLAN device that tries to reach an external DNS server on port 53 or 853 gets blocked. The only DNS that works is the one you configured in Step 3. If they manually change DNS to 8.8.8.8 in their phone's Wi-Fi settings, web pages simply stop loading. Which tends to prompt a conversation.
Step 5 — Close the DNS-over-HTTPS (DoH) bypass
This is the step almost every parental control guide misses, and it's the most common technical bypass a tech-literate teenager will find.
Learned this the hard way. The first time I deployed this config, I was proud of it. Kids VLAN, filtered DNS, port 53 locked down, scheduled bedtime — the works. A few days later, one of my kids asked me, completely straight-faced: "Dad, how come YouTube still works fine on Firefox?" Turns out Firefox ships with Cloudflare DoH enabled by default and was routing right past my network filter. I spent the next hour rebuilding Traffic Rules to close the DoH hole. That's why this step exists in the guide — because it's the step most UniFi parental-control write-ups skip, and it's the one every motivated teenager will find first.
The problem
Firefox, Chrome, Brave, and Edge all ship with DNS-over-HTTPS (DoH) built in. By default, these browsers can route DNS queries directly to Cloudflare, Google, or Mozilla over HTTPS (port 443) — bypassing your network's DNS entirely, including everything you configured in Steps 3 and 4. Your Kids VLAN can have perfect DNS routing and the kid can still install Firefox and be off-leash in three clicks.
You close this one of two ways. Do both if you can.
Fix A — Block known DoH endpoints at the firewall
This is a blunt but effective approach: block the Kids VLAN from reaching the major DoH providers on port 443.
- Settings → Security → Traffic Rules → Create New Rule
- Name: `Block public DoH from Kids VLAN`
- Action: Block
- Source: Kids VLAN
- Destination: IPs for major DoH providers. At minimum:
- Cloudflare: `1.1.1.1`, `1.0.0.1`, `1.1.1.2`, `1.0.0.2`, `1.1.1.3`, `1.0.0.3`
- Google DNS: `8.8.8.8`, `8.8.4.4`
- Quad9: `9.9.9.9`, `149.112.112.112`
- Mozilla DoH (via Cloudflare — same IPs as Cloudflare above)
- NextDNS public addresses (the ones NOT assigned to your config)
- Ports: TCP 443 and UDP 443
- Schedule: Always
- Save
Caveat: DoH provider IP addresses do change, and new providers appear. This rule catches 95%+ of the real-world bypass attempts but is not bulletproof. Revisit quarterly.
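To see how the Step 4 rules and the Step 5 Fix A rule interact, and why the gateway exception has to sit ahead of the block, here is a small Python model of the rule set evaluated against a few constructed flows. It is an added example, not anything from the guide or from Ubiquiti, and UniFi does not expose its rule engine like this. It assumes the Kids VLAN from Step 2 (192.168.20.0/24), that the gateway's own address on that VLAN is 192.168.20.1 (an assumption), first-match ordering with the allow exception listed before the block (a modelling assumption), a constructed client at 192.168.20.50, and a constructed ordinary HTTPS destination in the 203.0.113.0/24 documentation range.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Addresses from the guide: the Kids VLAN from Step 2. The gateway's own address
# on that VLAN is an ASSUMPTION (UniFi normally takes the first host address).
KIDS_VLAN = ip_network("192.168.20.0/24")
GATEWAY_NET = ip_network("192.168.20.1/32")

# The Fix A destination list from Step 5, exactly as the guide lists it.
DOH_PROVIDERS = tuple(ip_network(a) for a in (
    "1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2", "1.1.1.3", "1.0.0.3",  # Cloudflare (Mozilla DoH uses these too)
    "8.8.8.8", "8.8.4.4",                                              # Google
    "9.9.9.9", "149.112.112.112",                                      # Quad9
))

TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "block"
    src: IPv4Network                          # source network
    dst: Optional[Tuple[IPv4Network, ...]]    # destination networks; None = any address
    protos: FrozenSet[str]
    ports: Optional[FrozenSet[int]]           # destination ports; None = any port

    def matches(self, f: Flow) -> bool:
        if f.src not in self.src or f.proto not in self.protos:
            return False
        if self.ports is not None and f.dport not in self.ports:
            return False
        if self.dst is not None and not any(f.dst in net for net in self.dst):
            return False
        return True


def evaluate(rules, flow: Flow):
    """First matching rule decides (modelling assumption). No match: the gateway forwards the flow."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "allow", "no rule matched"


ALLOW_GATEWAY_DNS = Rule("Step 4 exception: Kids VLAN -> gateway DNS", "allow",
                         KIDS_VLAN, (GATEWAY_NET,), TCP_UDP, frozenset({53}))
BLOCK_EXTERNAL_DNS = Rule("Step 4: Block external DNS from Kids VLAN", "block",
                          KIDS_VLAN, None, TCP_UDP, frozenset({53, 853}))
BLOCK_PUBLIC_DOH = Rule("Step 5 Fix A: Block public DoH from Kids VLAN", "block",
                        KIDS_VLAN, DOH_PROVIDERS, TCP_UDP, frozenset({443}))

STEP4_ONLY = (ALLOW_GATEWAY_DNS, BLOCK_EXTERNAL_DNS)
STEP4_AND_5 = (ALLOW_GATEWAY_DNS, BLOCK_EXTERNAL_DNS, BLOCK_PUBLIC_DOH)
WRONG_ORDER = (BLOCK_EXTERNAL_DNS, ALLOW_GATEWAY_DNS)   # exception after the block is never reached

KID = ip_address("192.168.20.50")   # constructed Kids-VLAN client


def sample_flows():
    """Constructed flows a Kids-VLAN device might produce; 203.0.113.10 is a documentation address."""
    return {
        "gateway dns":    Flow(KID, ip_address("192.168.20.1"), "udp", 53),
        "google dns":     Flow(KID, ip_address("8.8.8.8"), "udp", 53),
        "cloudflare dot": Flow(KID, ip_address("1.1.1.1"), "tcp", 853),
        "cloudflare doh": Flow(KID, ip_address("1.1.1.1"), "tcp", 443),
        "ordinary https": Flow(KID, ip_address("203.0.113.10"), "tcp", 443),
    }


def decisions(rules):
    """Map each sample flow label to the action the rule set takes on it."""
    return {label: evaluate(rules, flow)[0] for label, flow in sample_flows().items()}


if __name__ == "__main__":
    for title, rules in (("Step 4 only", STEP4_ONLY), ("Step 4 + Step 5 Fix A", STEP4_AND_5),
                         ("Step 4 with exception listed last", WRONG_ORDER)):
        print(title)
        for label, flow in sample_flows().items():
            action, why = evaluate(rules, flow)
            print(f"  {label:15s} {flow.dst}:{flow.dport}/{flow.proto:3s} -> {action:5s} ({why})")
```

The "cloudflare doh" line is the point of the exercise: under Step 4 alone the flow to 1.1.1.1 on port 443 is forwarded like any other HTTPS, which is exactly the hole Fix A closes, while the "wrong order" run shows the gateway's own DNS being blocked when the exception is listed after the block.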
Fix B — Block DoH via DPI / App Identification (UDM Pro, UCG-Ultra, UCG-Max only)
If your gateway supports Deep Packet Inspection, UniFi can identify DoH traffic by protocol signature rather than by destination IP — which is much more durable.
- Settings → Security → Traffic Rules → Create New Rule
- Action: Block
- Source: Kids VLAN
- Destination: Internet
- Application: search the application list for DNS over HTTPS or DoH. If it's present, select it.
- Save
This is the strictly better approach if your hardware supports it. On UCG-Lite and older Dream Routers without DPI, fall back to Fix A alone.
Fix C (complementary, not a substitute) — Disable DoH in browsers via Screen Time / Family Link
If you've locked down the devices enough that kids can only use Safari or Chrome in their default config, and you've enabled the "Block Bypass Methods" setting in NextDNS, DoH bypass is largely closed already. Use the firewall fixes above as belt-and-suspenders.
Step 6 — Block VPN traffic
The other common bypass: install a VPN, tunnel all traffic to a VPN provider, and none of your filtering applies. Three layers of defense, below.
Layer 1 — DPI / App Identification (UDM Pro, UCG-Ultra, UCG-Max)
- Settings → Security → Traffic Rules → Create New Rule
- Name: `Block VPN from Kids VLAN`
- Action: Block
- Source: Kids VLAN
- Destination: Internet
- Application: select VPN or VPN Services from the application list. This catches OpenVPN, WireGuard, IKEv2, and most commercial VPN apps by protocol signature.
- Save
Layer 2 — Block known commercial VPN provider endpoints
Even without DPI, you can block the most popular commercial VPN apps by blocking their known endpoint IPs. This is a maintenance chore but closes the gap on hardware without DPI.
Start with: NordVPN, ExpressVPN, ProtonVPN, Surfshark, Mullvad, Cloudflare WARP (1.1.1.1 app). Their endpoint IP ranges are published; search each provider's support docs for "IP addresses" and add them to a blocking rule.
Layer 3 (the real win) — Block VPN app installation on the device
At the Screen Time / Family Link level, restrict app installs to your approval. This prevents the VPN from getting onto the device in the first place, which is far more durable than trying to block an installed VPN at the network level.
Step 7 — Per-device schedules (time-of-day blocks)
UniFi lets you schedule any Traffic Rule on specific days and hours. This is where you enforce bedtime and school-day rules.
- Settings → Security → Traffic Rules → Create New Rule
- Name: `Kid devices — bedtime block`
- Action: Block
- Source: Kids VLAN (or specific device MAC if you only want this for one device)
- Destination: Internet (any)
- Schedule:
- Sunday–Thursday: 9:30 PM – 6:30 AM
- Friday–Saturday: 11:30 PM – 8:00 AM (because weekends)
- Save
Repeat for school hours if you want a school-day block (though this tends to be unnecessary if the school has its own network with its own filtering).
The useful pattern is one "all Kids devices" rule for bedtime, plus per-device rules for specific kids or specific devices (the Nintendo Switch getting its own earlier bedtime than the 15-year-old's phone, for example).
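Schedules that cross midnight are where bedtime rules get misread: "Sunday–Thursday 9:30 PM – 6:30 AM" means the block that starts Thursday night is still active at 6:00 on Friday morning, and Saturday at 7:30 AM is covered by Friday's later window, not by the school-night one. The following Python is an added illustration of that evaluation using the two windows from this step; it is not UniFi's scheduler. It assumes each window is anchored on the evening it starts (which is how the schedule above reads), and it adds a constructed same-day school-hours window to show the non-wrapping case.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class Window:
    """A recurring block. `start_days` are the weekdays the window starts on.
    If `end` is not later than `start`, the window wraps past midnight and its
    morning portion belongs to the evening it started on, not to the new day."""
    start_days: frozenset
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        day, t = when.weekday(), when.time()
        if self.start < self.end:
            # same-day window, e.g. school hours
            return day in self.start_days and self.start <= t < self.end
        # wrap-around window: tonight's portion ...
        if day in self.start_days and t >= self.start:
            return True
        # ... or the tail of a window that started yesterday evening
        yesterday = (when - timedelta(days=1)).weekday()
        return yesterday in self.start_days and t < self.end


# The two schedules from this step.
BEDTIME = (
    Window(frozenset({SUN, MON, TUE, WED, THU}), time(21, 30), time(6, 30)),  # Sun–Thu 9:30 PM – 6:30 AM
    Window(frozenset({FRI, SAT}), time(23, 30), time(8, 0)),                  # Fri–Sat 11:30 PM – 8:00 AM
)

# A constructed same-day window (not from the guide), to exercise the non-wrapping branch.
SCHOOL_HOURS = (Window(frozenset({MON, TUE, WED, THU, FRI}), time(8, 30), time(15, 0)),)


def is_blocked(when: datetime, windows=BEDTIME) -> bool:
    """True if any window in the schedule covers `when`."""
    return any(w.covers(when) for w in windows)


def blocked_at(iso: str, windows=BEDTIME) -> bool:
    """Same check from an ISO 8601 timestamp such as '2026-04-06T06:00'."""
    return is_blocked(datetime.fromisoformat(iso), windows)


def describe(iso: str, windows=BEDTIME) -> str:
    when = datetime.fromisoformat(iso)
    state = "BLOCKED" if is_blocked(when, windows) else "allowed"
    return f"{when:%a %Y-%m-%d %H:%M} -> {state}"


if __name__ == "__main__":
    # April 2026: the 6th is a Monday, the 10th a Friday, the 12th a Sunday.
    for sample in (
        "2026-04-06T06:00",  # Monday 6:00 AM: still inside Sunday night's window
        "2026-04-06T07:30",  # Monday 7:30 AM: that window ended at 6:30
        "2026-04-10T06:00",  # Friday 6:00 AM: tail of Thursday night's window
        "2026-04-10T07:00",  # Friday 7:00 AM: free; the 8:00 tail only follows Fri/Sat nights
        "2026-04-10T22:00",  # Friday 10:00 PM: weekend window has not started yet
        "2026-04-11T07:30",  # Saturday 7:30 AM: Friday's window runs to 8:00
        "2026-04-12T07:30",  # Sunday 7:30 AM: Saturday's window runs to 8:00
        "2026-04-12T21:45",  # Sunday 9:45 PM: school-night window has started
    ):
        print(describe(sample))
```

If your own windows look different in the UniFi schedule editor than in this model, that difference is the thing to check: a rule entered as "Friday 11:30 PM – 8:00 AM" that the UI interprets as Friday-only would leave Saturday morning open.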
Step 8 (optional but recommended) — Isolate IoT devices
If you're building a Kids VLAN anyway, it's a small additional step to create an IoT VLAN at the same time. Put the smart TV, Alexa, Roku, doorbell, smart plugs, and other always-on appliances here. This has two benefits:
- Kids VLAN can't be joined by an IoT device a kid reconfigures. (A kid pairing their phone via a smart TV trick, for example.)
- Your IoT devices — which are typically a security nightmare — are isolated from your main network and your sensitive devices.
Create an IoT VLAN the same way you created Kids (Step 2). Give it its own SSID. Move the appliances over.
Step 9 — Verification test suite
Run every test from a device on the Kids VLAN. If any test fails, revisit the corresponding step.
DNS filtering (Steps 1 + 3)
- Visit a known-blocked site (any porn domain, or `2bypass.com`). Should return a block page or fail to load.
- Visit `test.nextdns.io` (if using NextDNS). Should show the green banner confirming NextDNS is active.
Manual DNS bypass (Step 4)
- On a test phone, set DNS manually to `8.8.8.8` in Wi-Fi settings.
- Attempt to load any website. Should fail.
- Revert DNS to automatic. Browsing should resume.
DoH bypass (Step 5)
- Install Firefox on the test device. Open `about:preferences#privacy` and confirm DoH is enabled (it is by default).
- Try to load a blocked site in Firefox. Should be blocked (filter is enforced despite Firefox's DoH attempt).
- Try to load `1.1.1.1` directly in Firefox. Should fail or return the router's block page.
VPN bypass (Step 6)
- Install a free VPN app like ProtonVPN on the test device.
- Connect the VPN. Should fail to establish, or establish but immediately get blocked.
- Try `browserleaks.com/ip` — the reported IP should still be your home IP, not a VPN provider's.
Schedule (Step 7)
- Temporarily change a schedule to a 5-minute window starting in 2 minutes.
- Wait for the window. Confirm the test device loses internet.
- Confirm internet resumes after the window.
- Restore the real schedule.
Cross-VLAN isolation (Step 2, if enabled)
- From the test device on Kids VLAN, try to ping or access a device on your main network (NAS, printer, work laptop). Should fail.
Run the full suite once after setup, then quarterly, then after any major UniFi firmware update.
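The manual-DNS check (Step 4) is the one most worth scripting, because it is the one you will re-run quarterly and after every firmware update. The Python below is an added example, not from the guide: run it from a device on the Kids VLAN and it sends one plain UDP DNS query to each resolver and reports whether an answer came back. The gateway address 192.168.20.1 is an assumption (use whatever your Kids VLAN's DHCP actually hands out); 8.8.8.8 and 1.1.1.1 are the external resolvers the guide names. With Step 4 in place the gateway answers and the external two time out.

```python
import random
import socket
import struct
from typing import Optional


def build_dns_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: one question, recursion desired, type A (qtype=1), class IN."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_header(data: bytes) -> dict:
    """Decode the 12-byte header; enough to tell an answer from noise."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,   # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        "answers": an,
    }


def probe_resolver(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query to `server` and classify the outcome.
    A firewall block normally shows up as 'no-answer' (silent drop); some gateways
    reject instead, which surfaces here as 'error:<errno>'. Both count as closed."""
    query = build_dns_query(name)
    txid = parse_dns_header(query)["txid"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-answer"
        except OSError as exc:
            return f"error:{exc.errno}"
    hdr = parse_dns_header(data)
    if not hdr["is_response"] or hdr["txid"] != txid:
        return "garbage"
    return "answered" if hdr["rcode"] == 0 else f"rcode-{hdr['rcode']}"


def judge(expected: dict, observed: dict) -> list:
    """One line per resolver whose behaviour differs from what the rule set should produce."""
    return [
        f"{server}: expected {want}, got {observed.get(server, 'missing')}"
        for server, want in expected.items()
        if observed.get(server) != want
    ]


# What Steps 3 and 4 should produce when this runs FROM a Kids-VLAN device.
# 192.168.20.1 is an ASSUMED gateway address; 8.8.8.8 and 1.1.1.1 are named in the guide.
EXPECTED = {
    "192.168.20.1": "answered",
    "8.8.8.8": "no-answer",
    "1.1.1.1": "no-answer",
}


if __name__ == "__main__":
    observed = {server: probe_resolver(server) for server in EXPECTED}
    for server, result in observed.items():
        print(f"{server:16s} {result}")
    problems = judge(EXPECTED, observed)
    print("PASS: external DNS is closed" if not problems else "FAIL:\n  " + "\n  ".join(problems))
```

Run it from the test iPad's laptop equivalent, or any Kids-VLAN machine with Python, and keep the output with your Traffic Rules screenshots; a run where 8.8.8.8 suddenly answers is the quickest signal that a firmware update has dropped the Step 4 rule.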
What this configuration doesn't cover
Be honest with yourself about the gaps:
- Cellular data. A phone on LTE/5G doesn't touch your Wi-Fi at all. None of this applies. Install NextDNS's per-device profile (iOS) or Private DNS (Android) to follow the phone off-network. See the NextDNS guide.
- A friend's hotspot. A kid's friend tethers their phone, your kid joins that hotspot, and you have zero visibility. No network filter stops this. This is a conversation and a norm, not a config.
- School-issued Chromebooks on your Wi-Fi. Most school-managed Chromebooks honor the DHCP DNS you push them, so your Step 3 filter will apply — but the managed profile may also force DoH directly to a school service (often Securly or GoGuardian). This usually means content at the school's standard is enforced, not yours. Generally acceptable. If you see gaps, talk to the school IT department.
- Physical access to the gateway. If your kid can physically reach the UniFi gateway and do a factory reset, everything resets. In practice, they won't — but put the gateway somewhere not obvious.
- Conversation, context, and judgment. All of this is technical. None of it substitutes for talking to your kid about why the rules exist. The config holds the line while you're building the judgment. Neither works alone.
Gotchas and lessons learned
Things the docs don't tell you and every UniFi family-config guide should:
- DHCP DNS overrides only apply to new lease acquisitions. If a device is already connected when you change the Kids VLAN DNS, it keeps using the old DNS until its lease renews — which can be up to 24 hours. Force a renewal by bouncing Wi-Fi on the device or rebooting it.
- UniFi firmware updates occasionally reset Content Filtering to Off. I've seen it happen twice. Check Settings → Security → Content Filtering after every controller update.
- Some IoT devices hardcode their DNS and ignore DHCP. Smart TVs are the worst offenders, and many Google-branded devices force 8.8.8.8 regardless of what the router tells them. The Step 4 firewall block catches the attempt, but it means those devices appear "broken" until you realize what's happening. If a smart TV suddenly can't load streaming content, check whether it's trying hardcoded DNS.
- Schedule changes take 1–2 minutes to propagate. Don't assume instant enforcement. If bedtime is 10:00 PM and it's 9:59, give it a minute.
- The VPN application category only catches signature-identifiable VPNs. WireGuard running on a non-standard port can slip past DPI. Most kids won't set one up, but if you're dealing with a tech-savvy teenager, worth knowing.
- Apple Private Relay bypasses all of this. iCloud+ users with Private Relay enabled route DNS through Apple's servers, not yours. Disable it via Screen Time → Content & Privacy Restrictions, or turn it off in the child's iCloud settings.
- MAC randomization breaks MAC-based rules. Modern iOS and Android randomize their MAC addresses per network by default. If you set a Traffic Rule targeting a specific MAC, it may stop applying after the device reconnects. Use IP reservations tied to the Kids VLAN instead, or use client-based rules in the UniFi UI (which tracks clients by device identifier across MAC changes).
- Controller on a cloud key vs on the gateway behaves differently. Some newer UCG gateways run the controller on-device; older setups run it on a separate Cloud Key or Docker container. Where the controller lives occasionally affects how features behave — worth knowing where yours runs when troubleshooting.
- Two UniFi sites on the same account can get confused. If you manage a work UniFi site and your home site from the same Ubiquiti account, double-check which site you're editing before saving rules. Pushing a "Block Porn" rule to the wrong network is an embarrassing way to learn this lesson.
Operational rhythm after deployment
Once the config is in place, the work shifts from configuration to observation. A healthy rhythm:
- Daily (first week only): Glance at the Insights dashboard. You're looking for two things — unfamiliar devices appearing, and blocked traffic patterns emerging.
- Weekly: Check the Kids VLAN's blocked traffic report. Friday and Saturday spikes are typical. Patterns you've never seen (new domains, new IPs, new protocols) are worth a 2-minute investigation.
- Monthly: Review all Traffic Rules. Confirm schedules still match your family's routine — school schedule changes, sports seasons, summer vacation. Adjust.
- Quarterly: Run the full Step 9 verification suite. Firmware updates, silent policy resets, and changing DoH endpoints can all open gaps without warning.
- After every UniFi controller update: Open Content Filtering and confirm it's still enabled. Check the Traffic Rules list for anything that disappeared. Verify the Kids SSID is still associated with the Kids VLAN.
- After every iOS or Android major update: Run the verification suite from a kid's device. System-level updates occasionally change how DNS, VPN, or DoH behavior work.
Two habits worth developing:
Screenshot your Traffic Rules list after every major change. If something breaks, you have a known-good reference to rebuild from. Paste them into a Notion page or repo — treat the config like code.
Keep a simple incidents log. Just a running notes file where you jot anything unusual ("Feb 14: Kid 1 tried installing ProtonVPN three times; NextDNS blocked each attempt"). Over 6–12 months you'll build a meaningful picture of whether your controls are holding, improving, or degrading — and whether conversations are moving faster than bypass attempts.
If you don't have UniFi but want this
Most of this guide's concepts translate to any prosumer router:
- pfSense / OPNsense: Even more powerful than UniFi. Steeper learning curve. If you're already comfortable with command-line networking, this is the ultimate tier.
- ASUS, Netgear, TP-Link (recent prosumer models): Support custom DNS, some support VLANs, most lack DPI. You can implement Steps 1, 3, and 7 easily; Steps 4, 5, 6 are partial.
- eero, Nest Wifi, Google Wifi: Consumer mesh — none of this translates. DNS filtering comes only via the vendor's paid service. You'd need to bridge-mode the mesh and put a real router behind it.
The guide you follow matters less than the principles: filter DNS, segregate kids' devices, block the common bypasses, schedule blocks for time-of-day, verify everything.
Why this matters
A typical iOS-only or app-based parental control tool can be disabled by a motivated teenager in under 5 minutes with access to a friend's YouTube tutorial. A UniFi setup configured like this cannot. The kid would need to physically reach your gateway, know the admin password, and have enough time undisturbed to reconfigure rules — at which point you'd notice within minutes because half the devices on the network would stop working.
That's what defense in depth looks like for family filtering. You're not betting the farm on one tool. You're layering network-level, DNS-level, and firewall-level controls so that defeating any single layer doesn't collapse the system.
None of this replaces a conversation about why the rules exist. But it replaces the fantasy that a $15/month app was ever going to hold the line on its own.
Time budget
- Hardware capability check and prerequisite verification: 10 minutes
- Step 1 (Content Filtering): 5 minutes
- Step 2 (Kids VLAN + SSID + device migration): 15–20 minutes
- Step 3 (Per-VLAN DNS): 5 minutes
- Step 4 (Block external DNS): 10 minutes
- Step 5 (Close DoH bypass): 15 minutes
- Step 6 (Block VPN): 10 minutes (with DPI) or 20 minutes (without)
- Step 7 (Schedules): 10 minutes per schedule
- Step 8 (IoT VLAN): 15 minutes if you're doing it
- Step 9 (Verification): 20 minutes
Realistic total: 1.5–2 hours for a first-time config, spread across an evening. Plan for it that way.
Bottom line
UniFi configured for parental controls isn't a product. It's a network architecture. Nobody else in your family — and almost nobody in your kid's social network — has the combination of hardware, admin access, and knowledge to bypass it. That's not because you're paranoid. It's because you happen to run the kind of network where this kind of control is straightforward to deploy.
If that describes you, this configuration is the most durable parental control stack you can build at home. Deploy it, verify it, and then don't touch it for three months. Check the verification suite quarterly.
For the device-level and off-network piece of this stack (which this guide explicitly does not cover), see our NextDNS for Families guide.
No affiliate relationship with Ubiquiti or NextDNS. I pay for both.