Minor nitpick, but talking about the current iteration of QUIC like it was developed by Google is like saying SSL/TLS was developed by Netscape. Technically true, but vastly different now than X years ago.
As always, great video. I'll have to do a bit more research on this to determine the best settings for me. I'm using a UDMP for a home network. I disabled QUIC and a day or two later, discovered that the Instagram app fails without it, so the family had a fit. Gotta decide whether to block it for specific networks, or block it for all networks, but allow it from certain sources, etc...
Would you know why one would have to use the Traffic Management if a Firewall rule is already in place? I used the Traffic Management rules and the traffic was still passing through, but changed it to the Firewall rules and only then did the traffic stopped passing.
You are not blocking QUIC specifically, you are blocking all UDP traffic on port 80 & 443 which is broader than QUICK itself. What if some other service wants to send UDP packets on those ports?
"...good for voice and video," (also awesome for games, btw) "-but that's all you can do with it so just block it." Because nobody wants to do voice, video, or games?
Can the firewall be configured to allow QUIC for specific hosts in the LAN or specific VLAN? Blocking QUIC for the entire LAN is overkill. For example, how about allowing QUIC for IoT devices like smart TVs. These devices use a lot of data so QUIC would reduce processing load, but given the data is just videos, security is not important, especially when they are assigned their own VLAN.
You definitely can. The way I would do that. Is make an IP Group that you do not want QUIC blocked on and put them in the destination. LAN-IN destination. I could be mistaken, but I think that is certainly a way you could do it. Alternately, make an allow rule above that one for those specific network with the protocol QUIC.
My Unifi network app. Shows a different Traffic Management screen. It doesn't have rules that gives a list like what is shown. It has a place to create static routes and then a place for traffic restrictions. It requres a Add Restriction Group and the dropdown list for categories gives general options like "Business Tools", "File sharing services and tools", and others, but no list to block specific web sites, domains or apps. I thought I was in the latest version of 7.3.83, at least when I check updates it tells me I have the latest. Any tips?
I'm looking into this, but I can't find one that didn't one that did not cause me problems and my network are complex. Would you be able to share with us one typical service that is affected by such a rule? thx
If quic is blocked in can fail back to other means. However -- in corporate and school networks where you have to have control, blocking quic is the right thing to do.
Great Video Willie! Really been enjoying the firewall lockdown series.
Minor nitpick, but talking about the current iteration of QUIC like it was developed by Google is like saying SSL/TLS was developed by Netscape.
Technically true, but vastly different now than X years ago.
As always, great video. I'll have to do a bit more research on this to determine the best settings for me. I'm using a UDMP for a home network. I disabled QUIC and a day or two later, discovered that the Instagram app fails without it, so the family had a fit. Gotta decide whether to block it for specific networks, or block it for all networks, but allow it from certain sources, etc...
Would you know why one would have to use the Traffic Management if a Firewall rule is already in place? I used the Traffic Management rules and the traffic was still passing through, but changed it to the Firewall rules and only then did the traffic stopped passing.
Willie you are the best my friend!
You are not blocking QUIC specifically, you are blocking all UDP traffic on port 80 & 443 which is broader than QUICK itself. What if some other service wants to send UDP packets on those ports?
Typo - you blocked UDP 433 instead of 443.
"...good for voice and video," (also awesome for games, btw) "-but that's all you can do with it so just block it."
Because nobody wants to do voice, video, or games?
Can the firewall be configured to allow QUIC for specific hosts in the LAN or specific VLAN? Blocking QUIC for the entire LAN is overkill. For example, how about allowing QUIC for IoT devices like smart TVs. These devices use a lot of data so QUIC would reduce processing load, but given the data is just videos, security is not important, especially when they are assigned their own VLAN.
You definitely can. The way I would do that. Is make an IP Group that you do not want QUIC blocked on and put them in the destination. LAN-IN destination. I could be mistaken, but I think that is certainly a way you could do it.
Alternately, make an allow rule above that one for those specific network with the protocol QUIC.
My Unifi network app. Shows a different Traffic Management screen. It doesn't have rules that gives a list like what is shown. It has a place to create static routes and then a place for traffic restrictions. It requres a Add Restriction Group and the dropdown list for categories gives general options like "Business Tools", "File sharing services and tools", and others, but no list to block specific web sites, domains or apps. I thought I was in the latest version of 7.3.83, at least when I check updates it tells me I have the latest. Any tips?
Which unifi control do you have?
@@Jr2728 I am using the application version 7.3.83 with a USG
❤
most services use QUIC blocking it will cause you problems.
I'm looking into this, but I can't find one that didn't one that did not cause me problems and my network are complex. Would you be able to share with us one typical service that is affected by such a rule? thx
Blocking QUIC makes the internet experience slower and more annoying for all your users.
I hope they enjoy watching loading-screens...
If quic is blocked in can fail back to other means. However -- in corporate and school networks where you have to have control, blocking quic is the right thing to do.
@@WillieHowe Sure, but the video frames it more like [everyone should block QUIC because all it can do is voice and video.]