Відео

I have not tried freeradius with mikrotik, but as I know mikrotik can run it without problem. However I am not sure whether its configuration is similar to pfSense or not.

I am not aware of a way.

Great!

I climbed to my attic and found the box for my u6-pro. Yes, they have the same steel mounting systems.

@@hz777 Thx, 👍

They will be equal: no master-slave, no primary-secibdary, no main-backup.

@@hz777 but how the DHCP-SERVER will work on both?

Each L3 Switch runs its own DHCP server

Too much load to the viewer? Sum of the upper limits of cameras for 3 nvrs is not a small number. Currently I don't see how you can use vantage point without connecting to unifi's website. If the function has to be supported by unifi's backend server, there may also be concern about the loads to their server.

Two routers sharing the same switches is always problematic... A switch can only be adopted in one site, usm pro or pfSense, so the vlans always work with one router. I switched between udm pro and pfSense multiple times and it's pretty easy if you only have one active router. If you can afford some down time, I would not recommend running them together.

@@hz777I see. I can afford the downtime. I just wondered if it was possible to use the UDMPRO pro in conjunction with the pfsense. One of the reasons is that I use UniFi Protect for some cameras.

It's 1 U, ~26 inches deep.

@@hz777Thank you. I assume you are still using this device as your firewall?

@@Kehf27yes but only in my lab though.

I apologize for the number of questions but I’m considering switching to pfsense for my firewall. Are you saying that you no longer recommend pfsense or the Supermicro server? Or are you recommending something else for home usage?

@Kehf27 to really use Unifi gateway in my "production" environment, recently I started using UniFi udm-pro seriously. However, I may switch back to pfSense anytime. BTW, my switching to UniFi was completely due to my youtube channel mainly focusing on UniFi. pfSense is still way ahead of UniFi when it comes to functionality/documentation/community/etc.

It's very easy. My uxg-pro runs behind another router, and the wan port is connected to a UniFi switch in my home network. I simply set a port on the same switch to monitor the port that connects to uxg-pro's wan port, then run Wireshark against the monitoring port

@@hz777 makes sense. what if I have the Unifi as my WAN router, is there way to have WS capture the WAN traffic?

@@TangDynasty1983 the easiest way is to use tcpdump in the router to capture wan traffic to a file, then later using Wireshark to display the captured file.

If the server also has other functions you need so you only want to block the doh function, you are right that's impossible. In this video I assume it's fine to block the server completely.

np😊

@@christianrensch2903no it can't. In fact whether the port on access switch is isolated or not does not matter.

Nope, because the UI's list comes from the url in the DNScrypt-proxy config file. Even if you manually change the file, you won't be able to touch the list of servers hosted on public web. Having said that, I don't see why you want to use DNS Shield if you host your own DNS resolver already.

Good catch! I should have disabled it... Now I have torn down the lab environment, so cannot retest quickly. I will make sure to cover it in my coming "complete wifi client isolation" video.

@@hz777 I just noticed another thing..."Client Device Isolation" is under the "WiFi" category, per Unifi's definition, it only isolates clients under the SAME AP. But in real life, clients would roam among different APs...In order to isolate clients in the same VLAN, should we utilize ACL? I think you might have mentioned it in one of your previous video...Could you please recap this topic in your upcoming "complet wifi client isolation" video, even though this should not be limited to just WiFi...thanks again.

@TangDynasty1983 yes, in one of my previous videos. Yes will mention again in coming one

right, the firewall rule at 4:14 will never be effective because there won't be that type of traffic going through uxg-pro. If one or two of the vlans are managed by uxg-pro, yes, the firewall rule will be effective. Regarding "L3 Network Migration", it's for different purpose instead of firewall. In fact, I have never used "L3 Network Migration". What it is supposed to do is to change the router for that vlan from gateway to L3 swtich.

@@hz777 I have been confused by that "L3 Network Migration" option for some time and I am guessing that others are too. I don't understand why selecting "L3 Network migration" would change the router for that vlan from the gateway to the L3 switch . . . I can do that already in the "Router" dropdown menu above that link even without selecting the "L3 Network Migration" link/option. I guess I still don't understand what that "L3 Network Migration" link is for. I selected it once and it was a mess . . . my topology was ALL messed up - it ended up putting my switch above my UDM pro and clients were connected in places that they were not actually connected. I have NO idea why anyone would select this option! Maybe it would be good to mention it in future videos that "L3 Network Migration" was never selected as part of your setup. I think that would be very helpful to others - your videos are already SO good . . . I don't want to make them harder for you to make - this is just a suggestion.

@Greg.M I GUESS the "L3 Network Migration" does more than simply changing the router option for the VALN. It may change firewall rules to ACL,... When I have time, I will look into it, and if I find anything interesting, I may come up with a video :)

​@@hz777 Ok. Thank You.

I agree with what you said regarding the MAC address. It's very easy to be faked. I think there is a potential reason for Ubiquiti to put more limitations on the UI for IP ACL rule: it's easier to prevent users from doing stupid things for gateway and cloud key. If I remember it correctly, you can only select client Mac address, instead of UniFi device Mac address when defining Mac ACL rules. To limit the same on ip ACL rules will be much more complicated.

@@hz777 I guess If I want to focus on Limiting device access to my network (IoT devices, guest, etc) I could: 1. Networks>L3 Network Isolation (ACL) enable this for the vlans I want to restrict 2. Networks>L3 Device Isolation (ACL) enable this on each of the vlans that is important (ie: IoT and Guest Networks) 3. Security>ACL Rules - Using this I could "ALLOW" using MAC addresses certain IoT devices to talk to each other (for example, a google home to communicate with a thermostat) - I am assuming that these rules come before the other 2 - could you confirm that for me? It is not the best security as it is "Security thorough Obscurity" - the hacker would have to KNOW what the MAC address is of the devices are that are allowed to talk to each other, and even then the rules would only allow the hacker to access or impersonate those devices . . . . That's not so bad, but if it was a NAS device, then that could be problematic . . . but they'd still need to GUESS what the MAC address of the NAS is. Again, not the best. Does that sound like I am thinking about this correctly?

@@Greg.M - The first step can be replaced with firewall rules in most cases, and I personally prefer firewall rules. - The second step is for MAC ACL if I understand you correctly. If so it's not L3. Yes, it's the best way to achieve isolation in the same vlan. - Yes, "alow-rules" should be treated as exceptions, and yes they will be executed first in the generated access lists in the switch. In fact, for this step if firewall rules work (i.e. not the same vlan or not L3 switch vlan) I would prefer firewall rules.

@@hz777 Can you confirm that the router is set as your gateway and not the switch . . . or would it matter? I am not sure what you meant when you said ". . . not L3 switch vlan).

I mean a vlan has a switch as the "router" by "L3 Switch VLAN"

ESXi, but will be migrating to something else.

yep, I have a 48-max and it also does not run telnet. It's sad that Ubiquiti is moving farther and farther away from an "enterprise" brand. LED replaces CLI, what a shame...

@@hz777 My opinion is the CLI this fetur that the swiches makes so good. But witout then is a Dlink Switch DGS-1510 better have for the one Switch more Fetures. But Unifi have the good network controller , that have't dlink and that you use more Switches is the Unifi universus much Better.

I don't quite understand your scenarios and how they are related to mDNS. But for UniFi, the avahi runs on gateway so yes a UniFi gateway is required,; and to make settings a controller is required. However, it does not matter whether the controller is built into the gateway or not.

I think so as well.

The DNScrypt-proxy features are not completely exposed in unifi's DNS Shield yet, so there are something to improve there for sure. And if Ubiquiti can add DNS log function, it will be perfect.

@@hz777 At the moment I have my pihole DNS upstream server set as the LAN port of my Gateway Max to try out DNS Shield. I just purchased this unit. I haven't had a UniFi security device since the USG. Figured I'd see if they made any progress in the space. Indeed, they have.

I have not tried MLO yet because I don't own a wifi7 client device.

I am completely with you on this! But we all know how Ubiquiti responds to this type of "minor" things in the web interface, so I never bothered to suggest anything to them.

@@hz777 actually I was just playing around with it again and I just find out that if you set up the WAN DNS and later go to DNS Shield and change it to auto or manual it gives you a warning message: “the DNS server configured on the WAN will no longer be used” 😂

@andreamessina6439 interesting... So the warning is only implemented in one way instead of completely.