NEW to UNIFI VLANs?? START HERE!!!
Вставка
- Опубліковано 17 лип 2024
- VLANs VLANs VLANs. Adding a basic VLAN and Firewall configuration in your UDM Pro or UDM Pro SE is a great way to secure your network. In this video, I show you how to create VLANs, Associate them to your Wi-Fi Networks and how to add a basic Firewall configuration so your network is more secure. I also show you how to create a Wi-Fi network using Unifi's new Private Pre-Shared Keys, although this setup will work if you prefer to use multipe SSIDs.
Don't forget to like the video, subscribe to our channel, and hit the notification bell, so you never miss any future content. Thanks for tuning in, and let's get started!
Chapters:
0:00 Intro to VLANs Video
1:31 Topics Covered in Video
5:06 Network Diagram
7:07 Firewall Rules List
9:20 Pre VLAN Setup
11:48 Create New VLANs
15:30 Create Wi-Fi Network w/Preshared Key
17:23 Turn off Guest Portal Landing Page
19:32 Pre-VLAN Testing
22:21 Creating Firewall Rules
----------------------------------------------------------------------------------------------------------------------------------------------------------
Want personalized consulting on your build? Go to www.ethernetblueprint.com/con... and let me personally help you with your planning.
For more information about my courses and self-help options, head over to: www.ethernetblueprint.com.
Learn how to properly plan your home network!
- FREE PLANNING GUIDE: www.ethernetblueprint.com/fre...
- ($27) MORE INDEPTH PLANNING GUIDE: www.ethernetblueprint.com/3fd...
- ($47) WI-FI HEAT MAPPING COURSE: www.ethernetblueprint.com/3d1...
- ($97) FULL PLANNING COURSE: www.ethernetblueprint.com/750... (includes full planning guide and the Wi-Fi Course)
There are a lot of version of this walkthrough out there on UA-cam, but (for me at least) this is the only one that took the appropriate time and amount of hand-holding that I need to not just implement the FW rules, but also to help me understand the WHY. That is huge!
Thanks a ton!
Thanks for watching. I'm so glad it helped you out.
I am new to the Unifi dream router and loving the custom settings. I agree this is an excellent video that explains the settings very well.
I watched several videos and this is the one where things started clicking. I loved the format of showing the vulnerability, applying the fix and confirming vulnerability is negated along with clear and concise explanations during the process. I also like that the gateways were isolated. Before this video, I was struggling to figure out why I could ping my gateway addresses even though my networks were isolated and now I know. This is the first ever super thanks I have given. It’s well deserved. I’ll be adding one to the follow up video on configuring VLANs on Unifi switches. Many things clicked in that video also.
A thousand thanks for your kind words and your generosity. I do my best to try and help the newbies of the Unifi space. I love getting feedback that tells me I was able to help... All the best!
I am finally considering a Unifi setup now that their OS is more well-baked, and you had the most recent Unifi OS VLAN video, so I decided to stop by and see how things have improved over the last few years. However, I must say that this video is probably one for the best for anyone new to VLANs in general, not just VLANs on Unifi. You, sir, are the only one that “teaches one how to fish instead of just giving one a fish” by explaining the logic behind firewall rules, thus giving one the ability to not just copy your foundational firewall rules (which were spot on as the bare minimum starting point), but also gain the confidence to start coming up with their own firewall rules unique to their situation. Looking forward to joining you on this journey to learn from each other!
Wow. Thanks so much. I am very heppy to hear that it helped you!
I agree, this was extremely clear with no fluff@@ethernetblueprint
Probably the only video with the new interface. Thanks for creating and being very detailed with background info for noobz.
I'm so glad it helped you out!!!
Finally one of those vlan guide that I can follow and understand easily. VLANS are not that scary after all. Cheers man!
Thanks for the comment. I am super happy to hear that it helped.
This is an awesome video and great that is has the new interface included - thank you so much for taking the time to create it, I've watched loads of others and it just wasn't as clear as this. I've now setup the basics of my DM Pro and all is working well. I hadn't seen anything on the pre-shared keys so have set that up as well, seems much better to me to just have the one SSID and the password dictates which VLAN - have subscribed so please keep stuff coming : )
I love hearing this!! So glad it helped!
This is AWESOME !! I just got my UDM SE and bunch more Unifi equipment and was looking for a video just like yours. Helped lots !! Thank you.
Awesome man. Thanks so much. I have more UDM videos coming soon. Is there anything you’d like to see?
Wow, huge work here!, honestly the best vlan class on UA-cam. Congrats and thank you
Wow, thank you for your kind words. Glad it helped.
Perfect tutorial! Not that I can only get what you set up but I got some understanding so I can adapt to my own rules using your video. Keep up the good work!
Awesome! I wish you well!
I had no idea about the "new" Wifi Pre-shared Key assignments to different networks, that's cool. Thank you for explaining and showing that.
Its my pleasure...
thank you for this structred yet simple to understand and setup tutorial, appreciate it and now its time to check your other videos 😉
I am really glad it was helpful to you. Anything else you'd like to see a video on that could help you out?
I am a Unifi virgin. I have watched many videos to try to understan the world of Unifi, this video is gold! You explain it well. Thank you!
Thanks. Hope you subscribed. Next week I’m going to cover the switching aspect of VLANs.
Thank you for this walkthrough. I've struggled trying to configure the UDMP and you made it simple and straightforward.
Glad it helped!
Glad you are using the new UI. Aside from that, what a great job of providing the list of items to change, their order and a great explanation as to why. I've watched other videos that assume way to much of the audience.
I'm glad it helped you. Unifi has been busy changing the UI. I think it has changed again a little since I did this video...
Thanks! Great tutorial. I set it up and it works perfectly. A dual screen setup to watch the video and work on the other is the way to do it!!!
I’m happy to hear it got you set up. Thanks for the super tip.
Yessir, you explained it well. It's easier to understand the more advanced parts once a baseline has been understood and configured. Just what I needed as there are more and more IOTs and guests in my house these days.
Awesome. My next video will be on the switching portion of VLANs so I hope to see you back!
Thank you for this video. It was so much clearer and personable than others. You say you're not a teacher, but I'm not convinced.
Thats very kind of you.
Thank you! You’re the first, explaining vlans so that I understand it.
Glad it was helpful! Truly!
I am finally getting fiber. Getting a new home network setup. Going to a dream machine. Love the idea of just one said for multiple v Lans. Goimg to save me a lot of time setting up. Thanks for the walk through.
Happy to do it. Is there anything else you'd like to see a video on that could help you out?
Top notch. Thank you!
Holy crap. Thank you so much. That is overly kind of you. So glad it helped.
You're a good instructor! You saved me tons of headaches and time. Very much appreciate what you're doing.
Wow. Thank you very much. I’m so pleased that it helped you out. Sincerely.
Thanks you! This was so very helpful to assisting me in my basic setup. Great!
Glad it helped!
This is the best tutorial I have seen describing the UniFi setup I was looking for. Thanks a lot for this easy to use tutorial 👍 You got a new subscriber. Can’t wait for more of this stuff!!
Super nice of you to say. Thank you. Is there anything you'd like to see a video on?
@@ethernetblueprint An extension/tutorial on how to setup a VLAN for UniFi cameras together with firewall rules would be very interesting to watch 👍
@@ethernetblueprint Perhaps also implementing a Synology NAS into this setup. Not sure if that needs to be on its own VLAN and how the firewall rules would look like if it needs to reachable from the outside. I guess the safest setup would be to use some sort of VPN solution to be able to safely reach the NAS from the internet. But is there a way to set it up in a safe way without VPN?
Thanks, that's a great tutorial. I am in the process of setting up my UDM Pro. VLANs and Firewall are next...
Awesome... best of luck to you!
Many videos in UA-cam this is the only video that explained firewalls rules in UniFi that I can understand. Thank you for the video.
Thanks so much. Happy it helped.
This is brilliant. Easy to follow and understand. Thanks
Thank you. So happy it helped!
Thanks for explaining all the firewall rules. In other video's I've seen they just tell you do put in certain things but not explain why.
You are quite welcome. I hope you found it helpful!
Amazing tutorial! Thank you!
Glad it was helpful! Thanks!
Thanks. Tons of info, really useful
Awesome... I'm super happy that I could help in any way!
You easily earned a sub for this. I'm very new to unifi gateways after using pfsense for years and firewalla for a few months this was just what I needed after getting my UDM Pro SE up and running yesterday. I had my pfsense dialed in for years, but I wanted to get a more user-friendly network solution for my home just in case something happens to me. This tutorial is solid and I'll be employing much of this ruleset to my network to start as my basic setup is very similar to your example. Great job and Thanks!
Wow. Thank you very much. I am very pleased to hear that it helped you! Thanks for the sub!
Great job of teaching/explaining vlans, watched another video that didn't explain much and hurried through everything
Didn't work and certainly didn't learn anything about what I was doing from other videos
Thank you for teaching subbed & liked!
I appreciate the feedback. Glad it was helpful!
Great great video. You are a terrific teacher.
Wow, thank you!
Beautiful explanation! Thank you 🙏
Glad it was helpful! Sincerely
Great content. Made it easy for me to understand VLANS
I am glad it helped you out!
Thanks for the help!!
Happy to help! Sincerely.
Great video, Tim. Thank you so much!
Glad you liked it!
Great Video..... Will use a bunch of this when my Gear arrives
That’s great to hear.
Outstanding! Thank you!
You're very welcome!
As a seasoned firewall admin I thought I knew what I was doing as I started throwing random firewall rules into my new UDM, and it wasn’t working! This makes loads of sense and I’m excited to try it… Also these states look like iptable states, so that’ll be the next thing I start researching! Thanks for the great breakdown 🎉
I hope it is helpful to you. Thanks for sharing!
Just setup my home network using this video ! Thank you so much of the help ! Would love to know now how to improve WIFI and get the best experience
Glad it helped! You are welcome!
Absolutely brilliant. Finally configured my Unifi gear!
Boom (Mic Drop). So glad to hear it. Thanks for watching!
Thank you for the help💪
Happy to help!
excellent video. thank you!!!!
I enjoyed making it! Glad it helped!
VERY helpful - thank you!!!
Glad it was helpful! Thank you for the comment.
Yeah, super handy on the guest landing page. I appreciate the re-accepting of the Guest EULA after a period of time for a business. So you don't saturate the DHCP range. But for home use I very much like disabling so users at my house don't have to re-accept to "logon".
That is a good point about the reauthentication for your guests!
Thanks Buddy!
Wow. I can’t thank you enough. That is super kind of you.
Congratulations!Great tutorial and learling point
Glad it helped.
This is exactly what i was looking for! I applied your IOT logic to a Vland for crypto mining. This way i don't compromise my default network with some shady new crypto mining software and wallets. 😂😁 Thanks you!
That’s awesome. I hope the mining is going well.
Thank you for the guide!
You are quite welcome. I hope it helped!
@ethernetblueprint Oh did it. I used it to setup my UDM Pro a week ago. :)
Love your video I would love to see you corporate a cameras into that that’s gonna be figured in my mind and I’m really new at this so you did it really well love love to see it. Nice job.
In my home, I do have my cameras on their own VLAN and isolated from the other VLANS.
amazing content one so far
Thanks for watching.
Great tutorial, thanks! I love all the details! I just followed your previous tutorial to setup my vLan protections on my UDM SE, your earlier tutorial was super helpful!! I think you were on 7.x in that tutorial. Glad to see this updated tutorial, on 8.0.26! I saw you had a Guest firewall rule for "Allow DNS Packets to External Name Servers". It would be great to see a tutorial on this topic. I am looking to block all DNS (Port 53) queries out (on my various vLans), unless they come from my DNS (PiHole or other DNS like ControlD or NextDNS) server, if someone on my network tries to change their DNS, my goal is that they will not connect to another DNS server and their Name Resolution will fail. It would be good to see options, but wanted to share an idea (I'm sure you have considered this topic too! Great Job! Thanks!
You will most likely have to do that with Firewall rules on a standard VLAN and not by clicking the guest portal policy checkbox... The guest rules in this video were automatically generated by the system and can't be updated... I am confident you could create a VLAN like I did the IOT network in this video and then add rules to control the DNS servers...
Very helpful. Thank you.
Glad it was helpful! Cheers.
Outstanding Video..... I have a USG and 3 access points, and want to keep Guests, IOT, and my default all separate, so your video hit a sweet spot for me. I've very concerned about getting hacked thru IOT (like Wyze) and this helped to show how to block the IOT to the gateways. I'll probably have to watch it a few more times to get it right, but thank you.
You are quite welcome. I am happy that it helped!
Thanks. I learn something new today.
Glad to hear it!
Thanks!
Wow... Thank you so much. I really appreciate that.
Good job 👍. Everything you showed is very simple, but it may be useful for beginners.
Thanks so much!
It might be simple to you… I’m a UniFi newbie and brand new to VLANs and configuring firewall rules.
Thank you, Tim, for opening the door for me!
You may not claim to be an educator, but I am and you did a superb job. Came to see this method on the new interface and this was a great video and you have an excellent way of speaking for these. One idea you might do would be to provide a firewall rule summary in a PDF or something to make reference easier. Maybe even make this apart of a subscription if you wanted to monetize it. Anyway, good job.
I appreciate your kind words. I should include a PDF. Good suggestion.
Hi Tim, excellent step-by-step tutorial, followed you along in setting it up. Thank you, concise and also sufficient details. One small thing you already mentioned: Unibuiti changes things and I am running version 8.0.28 In this version there is no upper tab / bookmark line anymore with items like LAN-IN, LAN-Out etc. Greetings from Amsterdam.
Maybe I am looking in the wrong place from where you are talking about?? I don't see any changes in 8.0.28 from what I showed on the video. Can you help me find what is missing now?
Really useful tutorial. I'm new to Unifi and I'm sure I'll be configuring, resetting and reconfiguring things for awhile. I am updating my little home network mainly because my WAP is EoL and hasn't had an update in 2 years. I have been using an ERL for several years, which is a great little router, but I am using the WAP as an excuse to build an easier to manage network . I guess it's like Apple once you get into the Unifi ecosystem you're better off staying there. I bought an UDR and Lite 16 port switch to replace my existing switch, AP and router. I have the UDR and switch kinda hanging off my current setup so I can practice with it and not worry about getting my "users" upset. I plan on eventually adding APs to connect a shop and would be interested in ways to connect between buildings.
The VLAN stuff is very timely. I have stayed away from IoT devices because of security concerns. I'm hoping to get a good understanding how to control and secure things both internal and external. What I would like to see is a tutorial on best practices for setting up and securing the Ubiquiti VPN. I also would like to add a NAS to do my own cloud storage as well as local file, media and backup. Thinking about why, where and how to put a NAS on the network while being able to restrict access based on who and where the access is coming from all turns into a confusing mess quick.
Keep up the tutorials. I'm looking forward learning more. 👍
Thank you for tuning in. I think you will like the Unifi echosystem once you get used to it. But don't get me wrong, it definately has its painful moments. I haven't gone too deep into the VPN realm yet, but full intend on doing some videos on that. I know it is a hot topic. Unifi has been making some changes in that area as well. As far as a NAS goes, it really depends on what needs the most access. For me, my default network uses the NAS the most, so that is where I put it. I don't really have a need in my home to have any external devices talk to it so it works well for me there. But that is me. Hope your new direction goes well!
Also, as far as connecting to your shop, check out my Nanobeam point to point video. I plan on doing an update to that since that was made specifically for my brother in law, but that may push you in the right direction. Look at the Nanobeam 5AC from Ubiquiti for creating a wireless bridge to your outbuilding. They work awesome...
Hey Tim! Just found your channel, I have a bunch of UniFi gear and have been running it for years, but you have taught me quite a bit and this video right here has helped me figure a bunch of stuff out! As a thanks, I noticed that your audio is being done from a laptop/phone mic, which works, but, I have a set of lavaliers that I would love to send you as a thanks. But I couldn't DM you, Drop me a line back and I'll find a way to get them to you! Thank you for the great information!
Wow... Thanks... I actually use my earbuds, but I wouldn't mind trying out yours... email me at tim@ethernetblueprint.com if you like...
Really great stuff. Love that you used the latest version.
FYI - WiFi Private Pre-Shared Key is not supported on 6 Ghz WiFi
Thanks so much. And that’s good to know about the pre-shared key and 6Ghz. I wasn’t aware of that.
Thanks Great Video. I had had trouble finding some of the settings and this helped immensley. I followed your instructions and thought i had a problem as i refreshed the gateway page and could still get to it then a light bulb went off. As i had an established connection it remained. Closed the connection and went again and no access. Thought i would mention it in case others thought the same thing. Thanks again
Thank you for commenting and helping my followers!
This is great. I did find one more thing that needs consideration from the IOT network. If you run the network controller on a local PC like I do, then that is also accessible from the IOT network and needs to be blocked in the firewall, much like the gateway access was done.
Great call out! Thanks for sharing with the viewers. I did forget about that!
Thanks
Wow. Thank you. Very kind of you.
Really good walkthrough!!!
Suggest doing a VPN network walkthrough.
Copy that. I will have to do a video on that...
Great information I’ve just started getting into the UniFi ecosystem with a Cloud Gateway Ultra. Certainly feels like a massive upgrade in terms of features and capabilities over my standard WiFi 6 router which is now be converted to a temporary access point. I’ve set a Vlan for wired devices and one for wireless for now to add some degree of separation. Once I add a UniFi AP then I can add separate vlans for IoT and Guests.
Awesome... This is great. Make sure you watch my VLANs and Switching Video to ensure your switch is setup the way you want it too. That video compliments this one. Congrats!
You don't understand how helpful this has been!! No-one else that I watch has broken what rules to make down so well. I wanted to ask what if I need devices on my IOT to talk to each other? I have a lot of devices that would need inter-vlan communication. Would I just not do the drop all private ip addresses traffic or some other allow rule? Thanks
I am so pleased to hear that my video helped you out. I can't thank you enough for that. As for your questions, just to be clear, the firewall rules only apply when one VLAN is talking to another one. This is called Inter-VLAN communication. If IOT devices are talking to each other, they would most likely be in the same IOT VLAN and would not be affected by the firewall rules. Unless I am not understanding what you are asking here...
Well I don't know if I'm asking it right myself...I just assume that when you enter the firewall rule to Block all private IPs for the Iot vlan that that would prevent anything on the IOT from talking to anything but the internet including other Iot devices on the same vlan@@ethernetblueprint
Great guide, from zero to hero with everything needed, just one comment - please consider using dark mode ui when recording these, cheers!
Good tip... I will have to do that.
Great tutorial! I have recently setup two additional VLANs (Family and IOT). I did this because I liked your "kids" network in your prior video. I have not set any rules yet, just been busy getting devices on the correct VLAN/Wifi. Will be playing with firewall rules soon. My question is... The first thing that came to mind when you were creating rules, especially the port rules, was what are the chances that one mistake could potentially lock you out of the gateway from ALL networks. It just made me think I should be VERY careful!
It is possible however there are fail safes in place that warn you about it. If you look through the comments here, I talke about that with another viewer because he got a warning on his and it wouldnt allow him to set that rule. However, just know that is possible. Be Careful.
One of the best, if not, the best unifi firewall tutorial on youtube. You explain it so well!!
Question for you: I didn't need to block the ssh,http,https ports on my vlan gateways, i just blocked the gateway ips.
Did you block the ports just for that extra security? Thanks!
Thanks for the watch and compliment. The local rules are there just to block assess to the gateway when on the restricted VLANs. If the rule you created does the same thing, then you don't need them. I would double check though that you can't access the gateway from your restricted VLANs. I have never just blocked the gateway as I don't know what that will do.... But I have had so many people ask me that I think I am going to test it and see what happens. Thanks again for the comment!
@@ethernetblueprint
Thanks for the quick reply.
So I blocked the IOT vlan from accessing the IOT gateway by just blocking the IOT gateway IP. I never blocked the ports. It works perfectly.
Should I block the ports as extra security?
If you can't access the device via its local IP address, then I would say problem solved...
Thank you sir count me in to your subscriber.
Welcome aboard! Thanks
Nice! Went away from unifi. Going back
Awesome!
I'm a total newbie in the world of home networking. Recently, I made a jump from Asus eco system to Unifi and can't seem to wrap my head around all new concepts like Vlan, traffic/firewall rules and stuff. Your video is so easy to understand and following with, absolutely one of the best for Unifi's new customers to learn from. Thank you for taking your time and effort to share with us your knowledge, cheers !!!!
I am so happy to... This is one that I will be redoing as Unifi Upgrades their interface too...
Tim, this was helpful to understand the importance of VLAN’s. I really want to do something similar but your comment about Sonos makes me not want to proceed. I am not qualified to troubleshoot any networking and I would just end up resetting everything back to default!
Sonos will work great if you put it in your default network with your phones... Typically that is what I recommend even though it is less secure.
Thank you! This is the bomb-diddly!!!!
I have attempted this in 3 prior efforts with compromised results. After testing, I am now convinced that my IoT is configured as I had hoped. Not being a Net Admin type, the explanations were matched nicely with the recipes. A fantastic balance!
An excellent time investment. Thank you again!!
One small suggestion that would have completed my setup .... the recipe to expose the printer on the default vlan to those connected to the Guest vlan. BUT, I have enough knowledge now (from the camera examples?) to try to pull that off. Did I learn to fish??? ;-)
Rel 8.1.127
Tried configuring the printer. Let it be used from the Guest vlan. Created the rule. It can't be moved above the "Drop All Private IP Communication" rule, as you stressed.
LAN Local, Accept, Source = Guest, Destination = Default, IPv4 for both, Match state = New, Established
Connect an iPad to Guest. Apps don't find a printer.
Thoughts? Suggestions?
Printing depends on a couple factors, but there are a couple of things you can try... However, I will warn you that not all printers play well with VLANs though...
1) make sure mDNS is enabled and is allowing the VLANs that need to talk to each other. Some printers use this to communicate with their devices
2) I would edit your rule and try the following... put the printer IP in an IP group by itself... then try the rule
'LAN Local, Accept, Source =Guest, Destination Port/IP Group and choose your printer... don't add the new, established... just leave that out...
Also make sure that your new printer rule is above the 'Drop all private IP' rules that you created earlier... They run in order and you don't want that the traffic blocked before it hits your rule.
I just discovered your channel and have been watching all your UniFi related videos. This is one of your best! Thank you for taking the time to make all of them.
Possibly stupid question...do these firewall rules with respect to the IoT network interfere with my ability to control those devices remotely from my smartphone? I know that the default network can communicate with the IoT network, but my phone would not be on the default network if I am away. So for example, would I be able to use Apple Home to remotely lock my front door while I am on vacation, or adjust the thermostat, etc.? Or would the firewall rules prevent that?
Glad I’ve been able to help. To answer your question about HomeKit, yes you can still control things when you’re away from home even if the devices are on the IOT network. I don’t have a ton of experience with this yet, but I’m in the process of setting up Home Assistant with Apple HomeKit and will have to do more testing. So far I have Phillips Hue lights hub on my IOT network running in HomeKit and it works great remotely using these exact firewall rules. More to come though.
sir.❤❤..
Thanks.
Outstanding presentation with the new interface. I would like to have a private wireless for my wife, because of her job. Could I use a shared key for default, IOT, Wife's Wifi and use the Guest 99 network with the standard isolation with it's own password? I am going to check out your VLAN video. Maybe I can come up with other ideas. Also, one of the things that gets frustrating is when videos are not updated when there is a noticeable OS change. I look forward to you continuing to do so.
If I understand correctly, you are asking if you can setup muliple password (Private Pre-shared keys) for the default, IOT and Wife (all connecting to the same SSID) and then setup a separate WiFi name for guest and still make all this work in the Firewall... If so, the answer is yes. The firewall rules are based on the VLANs, not how the WiFi networks are setup. You could create a shared SSID for all of your "main" networks and then create a Guest VLAN and choose the isolation check box... Then create a separate Guest SSID for that network. As a matter of fact, I think that is a better way to do that anyways. It is nice for the guests to be able to connect to a separate SSID so they know they are on the guest network...
Very good explanation. It also nice to have a video with the last versions of Unifi console & network application. Overall explanations is very good & your testing labs is good example as a starting point. To be more specific with UniFi, I believe that you should have address how to setup Unifi PoE+ camera on a specific VLAN for videosurveillance as many unify customer will have Unifi Protect and Unifi cameras. In this case would you keep the Protect UNVR in the default or in the speficic cameras VLAN ?
Great point. I have that video in the hopper. I agree 100%.
Thanks for the best video about VLANs on current UniFi interface layout
Unifi is about to release (eta 1-2 months) a new EA firmware version that will bring a lot of options for ACL rules to L3 switches. If you have an L3 switch around could you do a detailed video on those rules and the setup once the new firmware releases?
First off, thanks for your tremendous generosity. I will have to look into the Layer 3 switch though as I don't use them much. Appreciate the awareness though. More to come.
Thanks, great video. Question, most network engineers suggest best practice is to have the default network as a “management” VLAN and create a new VLAN for your main/corporate/internal network. You haven’t done that in this case, just wondered what your thoughts are on separating management from main networks.
I agree with you whole heartedly when it comes to a small business network and that is how I typically set those up. As a matter of fact, that is how my home network is setup. All of my equipment is on the default and my home devices are on a homeVLAN. However, from a typical home network perspective, I don't know that it is 100% necessary if you have the VLAN locked down. Either way, it is a great call out!
Absolutely incredible video! I have a question on how you set up your pinters specifically. I read that putting them on their own VLAN is the way to go, and someone who is learning I would love to try and do that but I was having issues getting it to communicate with my other devices on my other VLANS. Do you have any recommendations on firewall rules or should I just throw it on the IOT VLAN?
Follow up question, with the rules I put in that video, if you did have them in the IOT VLAN, are you able to communicate with them from the main VLANs?
Thanks so much for a great video. I have tried for a while but now I finally have got my VLANs to work. I even used my knowledge from the video to figure out how to get all my Denon/HEOS stuff to work on the IoT! Much obliged!
Just two small question if you don’t mind though.
Should I not block access to the gateway from the guest network? I have tried to understand the rules ubiquity has given me but I don’t seem to find that?
Next a more general question. In the firewall rules from ubiquity there are 4 “accept” at the end. What good are they if no “drop” after them? Maybe I have misunderstood something?
I would make sure you block access to the gateway from your guest network.. (either with your own rules or the built in ones) If you hit the guest checkbox for that VLAN and let it do it for you, I believe it will block access to the gateway for you without you putting in any FW rules. It isolates that network and only allows guest to get the internet. Hope that helps!
Nice walk through. Still following it and slowly setting things up but it is helping a lot. My only so far is I have the Cloud Gateway Ultra and in it the options are Guest Network and Isolate Network compared to your "Isolation" when setting up the guest vlan. Do I check both of these or just guest or just isolation ?
Unifi loves to change their own wording... For a guest network you can check either one... but you don't need to check both. If you check the Guest Network box, you will be able to setup a guest Portal page for your guests to use in the Hotspot manager... If you check Isolate Network box, then it will just lock it down and not give any additional guest portal features... Hope that makes sense!
@@ethernetblueprint Ha ha, thanks for the reply. I did end up checking both at the time I think.
Another new thing ive recently discovered is that when it comes to vLan if your using a switch other than a ubiquiti one there is no way to have some devices on vlan 1 and others on vlan 2 as they are all tagged on the vlan set in the port for untagged traffic.
Which is mildly annoying as I then need to pick up more of their kit, just to put something on a particular vlan instead of getting it and building in time.
Unless.... you happen to know of a way ? :D
I have 5 VLANS this helped me eliminate a lot of rules, appreciate it. Nothing to nothing and I do port based policies. I tried the wireless Pre Share key it was acting wonky and handing out wrong IP's. Maybe it needs an update will try again later.
Hmmm... I haven't played with the pre-shared key too much, other than that video... It is weird that its handing out the wrong IPs though... Keep us posted!
I have had a few wonky things going. May need to wipe it and start over, its one of the first releases. I have had ubiquiti forever. Had the USG pro before this but the SSD failed like days after Dream Machine came out, timing...
Great and amazing video. Q: do you have a rule that disables a specific VLAN from getting to the internet?
I haven't tested this, but I would start by creating an Internet Out rule and make the source the VLAN you want to block access out to the internet on... and the destination to ANY...
Tim - thank you for the fantastic video! I found it very helpful. I have a specific use case I'm hoping you (or someone on this channel) might be able to help me with - I have Default, Main (for trusted devices, including my phones), IoT, Camera, and Guest VLANs - and have implemented the firewall rules and IP groups similarly to the recommendations you provided. I do have a Home Assistant server on my IoT network (wired) and was wondering if you would be able to provide any recommendations for additional firewall rules that would allow that device to work more seamlessly with phones and laptops on my Main vlan? Should I make it a static IP and allow it to access the Main vlan? (I trust and update the Home Assistant server.) Thanks again!
I am honestly not 100% sure because I don't know what Home Assistant requires for communication. I would ventury a guess and say, yes. Give it a static IP address and allow communication from your main network to that IP. I think you also need to look into turning on multicast DNS for the VLANs that need to communicate to your server. After a quick google search, it appears that Home Assistant uses that to discover devices. You can find that setting in the Networks area under settings. I am hoping someone who knows more will chime in to help though...
@@ethernetblueprint I'm thinking with the "Established and Related" rule the Default network should be able to communicate with the IoT network without a problem no? That coupled with activating mDNS should allow it to work. This is how I had it setup and Homekit worked fine, which also uses mDNS. My only concern was devices initiating the communication (i.e. when a camera sees motion turn on a light). I tested that and it worked as well. As a note, my Hikvision cameras are in Homekit via a Raspberry Pi running Scrypted and the Pi is hardwired to my Dream Machine Pro on a port that is mapped to my IoT network.
Thank you! I followed your last tutorial to setup my UDR and just updated my settings (I like the one ssid suggestion) with this updated tutorial. I do have a question: I have pihole setup on a rp3b+, should I configure it in any particular way given the parameters you have set out?
I didn't really dive into a 3rd party DNS in this... You may need to setup some specific port 53 rules on your "secure" networks to allow your devices on all VLANs to communicate with that. I don't think you need to change how the piehole is setup though... Maybe check out this guy on YT. I follow his channel too... lots of good Unifi stuff on here... This video is about securing your network with Piehole and Unifi... ua-cam.com/video/j6IzYGAI7IE/v-deo.htmlsi=SlJis0dZT0E854C6
@@ethernetblueprint appreciate the reply! Coincidentally, I used Crosstalk Solutions’ tutorial on the raspberry pi to set up Pihole :)
I am also interested in learning more about setting up a 3rd party DNS server and possibly using a “transparent firewall” with UDM as the main router. I’m thinking about doing something similar to you with AdGuardHome (free) run on a different gateway (GL-iNET Brume 2) by setting it up as a LAN DNS server in router mode (but with all other router functions disabled on it). I think with this device you can just connect its lan port to one of the lan ports of the UDM, initiate AdGuardHome server in its webapp, and then tell the UDM to use its IP as the DNS server. Obviously, getting the firewall rules tweaked correctly will be critical when you decide which VLANs you want to use that DNS server. I’m not well-versed with port rules, so will definitely be taking a look at that video. If you are able to get it to work, I would love to hear what tweaks you made to these basic firewall rules to accommodate the PiHole.
Great video!!! I followed all your steps. My one question is I went onto my IOT vlan and tried printing to my printer which is on the Default vlan. I was able to see the printer from the IOT vlan and I'm not wanting to be able to see that. I was trying to figure out a rule but I am stumped. So, if you can help me please.
So your printer was on default and your computer was on the IOT with these rules set and you were able to print to the printer? When you say "see the printer" what does that mean? Ping it? Print to it?
Do you recommend using fixed IP addresses for devices and clients when setting up firewall rules and groups, especially if there will be a rule allow a specific IOT client to talk to specific device in the trusted network? Currently, I have a few fixed IP addresses for some of my Unifi devices but I let DHCP hand out IPs to other devices and all clients.
I do use some static IPs (or IP Reservations) in my setups. Cameras, NAS, Printers... If I have a 1:1 rule that allows a device to communicate with another device in a different VLAN, I will usually reserve those IPs so it doesn't change and break my rule. But for the most part, I let DHCP run most of my IP addressing.
I've watched a ton of these firewall setup videos but this one is probably the best at explaining what each setting does so thanks. The reason I keep watching them is I can't for the life of me get my macbook on VLAN 1 to talk to a Pi server on VLAN 2. It wont ping, it wont shh. But it will if I connect the wifi on the mac to the VLAN 2 wifi network. If followed every little detail in this video (which is almost identical to many others) and put in an allow rule for pi ip to talk to the mac ip. I've also tried it as a all VLAN 2 to all VLAN 1 rule. Still won't work. Hope that makes sense but is there any other gotchya that could be preventing this in unifi?
Do you have another device (non Mac) on VLAN 1, that you can’t try pinging the Pi server? Can your Mac ping other devices on VLAN2? If this is a “server” make sure the local firewall isn’t blocking the pings. I have seen that cause issues like this and people are troubleshooting the wrong device. If you want to email me at tim@ethernetblueprint.com, we can have a convo about some options.
How are you putting things like apple tv, Roku etc on a separate vlan? I want to make an AV vlan for apple tvs, our smart tv, xbox and other things. If you could help that would be great.. Also I love your video. It helps a lot for network dummies like me. It was very easy to follow.. One suggestion for you, please include kids network in your future videos like you did in your previous video. It really helped..
Thanks for the reply... Let me dive into this a little bit for you.
Once the VLAN is created, there are two ways you can get your devices to use it. 1) Create a new IOT Wifi network (or IOT Passphrase like I talk about in this video), and connect those devices to that WiFi network... or 2) if they are hardlined, you would need to click on that port in the switchport settings and click the dropdown for Native VLAN / Network in the port settings. You should see the IOT Vlan listed in that list. They should pull an IP address from the IOT Vlan and follow the rules you setup.
As far as your suggestion goes for a kids network, I have some videos coming down the pipe that covers this very subject. Thanks for watching!
Of course I will test this when I have time, but will the "Drop Private to Private" rule affect devices on the same network, or only those attempting to route to other networks? I'm thinking about devices like Sonos that "talk to each other" (multicast, I believe). I suppose I should check how to add Sonos to the IOT network anyway, because there's some auto-discovery between the app and the devices, and if my phone is on my default network, IDK if it can find the players.
So a couple things here. 1) No it will not affect same network devices from talking to each other since they don’t reverse through the Firewall. 2) with sonos, even though it’s a smart device, I have found that you have a better experience if you put Sonos on the same network as your phones. The rules to make Sonos work across VLANs can get complicated and still might not work that great. In most cases, Most devices that use multicast like chromecasts will work with these rules but you need to enable mDNS…
PPSK is really cool, but only supports WPA2, so no 6ghz networks, which is a huge bummer. I'm guessing for your home network, other video shots 6ghz, you're just using multiple SSIDs instead? great video, thanks.
I assume that 6Ghz is coming. When I did this video originally, I didn't have my U7 Pro yet, so I honestly didn't know about that. In this case, I did this, just to show viewers that it could be done. My home network has multiple SSIDs and that is how I typically set up my networks.
Awesome in depth explanation and showing it on the latest update is a huge plus! Got a couple questions for you, I was wondering if you use Homekit and how this would work if I wanted to make an IoT VLAN and a Main VLAN. I know my phone has to be on the same VLAN as the Homekit Hubs (this is why I would put all Homekit hubs on the Main VLAN) but how would I make sure the Homekit Hubs communicate with the IoT VLAN since the hubs will be on my Main VLAN? I believe one of your firewall rules may cover this as the Main VLAN can communicate with the IoT but not the other way around, but wanted to maek sure i understood correctly. I also think mDNS may solve this too? Additionally, something a but more complicated i think, in some instances I would need the traffic to originate in the IoT VLAN and go to the Main VLAN as some of the IoT devices would need to communicate with Homekit Hubs due to an automation (i.e. if a camera detects motion turn on exterior lights). I assume this might be able to be done via a Firewall rule? I had a thought of giving all the Homekit hubs static IPs and allowing the IoT VLAN to communicate back to the Main VLAN only to those IP addresses but I'm not sure if that is how you go about it. Anyway if you read all this thank you for taking the time, I appreciate any help!
For your question about HomeKit, I am not 100% sure since I am not familiar with using HomeKit or what it requires... I plan on doing some smart home type videos down the road, but have to learn about it first.. and I have to buy all these things, my channel isn't big enough for the vendors to send me free stuff yet...LOL. However, I think you are on the right track with mDNS and the main VLAN being able to communicate with the IOT network... That would be a good starting point. You may have to play with it a bit... and please report your progress. I'd like to know.
As far as your IOT devices communicating with the Homekit hubs, yes, you can create rules to allow that traffic to take place. Just make sure you order them correctly so the traffic doesn't get dropped before it gets to that rule in line...
You could assign static addresses to your home kits hubs and then put all of those IP addresses in an IP group... then allow your IOT VLAN to communicate with that group... That way it can all be done with one rule... And if you add a home kit or something, you just need to add it to the group and all the rules will apply. That still ensure security, but doesn't give the IOT full access to the main VLAN. Make sense?
@@ethernetblueprint so took the weekend to set everything up and its all working with the rules you show in the video. I didn't need to add any rules to target specific Homekit hubs (homepod, apple tv, etc) it worked just fine. I believe the first rule allowing established and related makes this possible. Also, mDNS is enabled on both VLANs (Main and IoT). To test an automation, I set up a light to turn on when a camera detected motion, when I walked by to trigger the motion sensor in the camera it successfully turned on the light. So no need for the firewall rule where devices in IoT target the Homkit hub IPs which was great.
My next mission here is to allow airplay/casting from the Guest network. I have the network setup on its own VLAN with UniFi's Guest Isolation checked. I have tried to setup rules targeting my Apple TV in the living room but have had no luck. I am unable to ping it from the guest network nor Airplay from my phone. Any ideas??
if you have any question about the other homekit setup let me know!
You may have to treat your guest network like your IOT and just restrict with a normal VLAN to get the additional functionality you are looking for. Keep at it!!
@@ethernetblueprint this is exactly what I ended up doing. I realized with the rules that were in place the IoT and the Guest network (without Network Isolation checked) still could not communicate outside of their own VLAN. I set up 2 rules to allow communication from devices on the guest network to static IPs i created for the printer and apple tv in my living room that are both on the Main network. BOOM ! worked right away. I also went into the Guest network and turned on Device Isolation.. now the devices on the Guest network can't talk to each other and everything is working as intended!
On the portion of the video (about 333.) where you set up group Block IOT from other gateways, you set up a group that included 192.168.1.1 and 192.168.3.1. There is no 192.168.3.1 but there is a x.x.99.1. Perhaps you meant to use 99 instead of 3?
nice catch... I have done many variations of my test setup and have a VLAN 3 a lot of the time. Sorry if that created any confusion.
Thank you!! One question, when setting up your LAN LOCAL rules, why do you explicitly add DENY rules instead of explicitly adding ACCEPT rules with a default DENY at the end? This seems like the only place where you do not follow the "deny by default" best practice? This doesn't seem to scale with more networks (but maybe this is intentional for the video!).
Also, Unifi has a firewall option for "network type" of "Gateway IP Address", which I believe is the 192.168.x.1. Would you recommend using that Unifi default instead of creating the groups like "DROP IOT to its Gateway"?
Thank you!!!
You bring up a good point. Most of the home networks that are setup as on the smaller side so this ruleset works pretty well. For larger scale networks, your suggestion would work better for scale. Most of the reasons I do this this way is to be able to teach people who are newer to Unifi and Firewalls in general. Deny by default practices can more difficult to troubleshoot - especially if you are newer.
As far as your second question, I am not familiar with where that setting is to be able to answer your question. Sorry man!
I am running 2 security systems-one via DVR and the other Unifi Protect. Do I need to secure both camera Systems or just the Non Unifi cameras?
I think I would secure both typically. Are the cameras on the DVR IP cameras or are they analog?
Amazing video ... Appreciate details... I follow almost everything for my scenario. The only pickle I got is my IoT devices still get dhcp range from main dhcp range. my LAN has /22 suffix to have more available networks and IoT is on vlan 20 ... Any hint what to check. ?
What is the IP range for your IOT VLAN 20? And I assume that these are wireless devices connecting via SSID?
@@ethernetblueprint IoT - 10.7.20.6 - 10.7.20.254 .... main LAN 10.7.0.16 - 10.7.3.254 --- IoT is wireless devices - right... even from laptop wifi go on IoT still gets in main LAN dhcp range
Can we take this offline and talk via email? That way you can send me a couple screenshots and we can get to the bottom of it. I am sure there is a reason for it. (and sorry for the delay, the message went into my "held for review" folder and I didn't see it) tim@ethernetblueprint.com