Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0

  • Published 26 Jan 2025

COMMENTS • 227

  • @stepheng2131
    @stepheng2131 3 years ago +98

    My Unifi stuff arrives this week, I’ll be watching this series about 2,615 times

  • @rogersmj
    @rogersmj 3 years ago +37

    Rob, this is the best series ever. I know it's a bit outside the "smart home" core content realm and more into networking, but it's perfect because that's what most of us need -- network configuration for smart home enthusiasts, beyond the basics but not as complex as enterprise-level pro networking. You hit the sweet spot.
    Currently running a UDM-Pro, 24 port POE and 5 APs. Have made big strides in making the network more secure thanks to this series.

  • @ptz7902
    @ptz7902 3 years ago +1

    13:29 "...and then remember to adjust your local IP address' firewall rule to include this new subnet" is where my cranium exploded. Went back and looked at Part 2 and Part 3 to see your firewall rules and couldn't figure out where this one was. (Fantastic video series, BTW...THANK YOU!)

  • @RMH1990
    @RMH1990 3 years ago +9

    Hi Rob, The videos are great just one question... In the video above you are talking about setting up the VPN hosted from the UDM pro and at 13:30 you mention "remember to adjust your local IP address's firewall rule to include this new subnet". I thought I knew what this meant but I must not as I can't get the VPN to work properly. Any chance you could do a video purely about setting up a VPN from the UDMP?
    Just in case anyone else knows what's wrong, here are a few more specifics... When I connect a client to the VPN, the client thinks it is connected but I don't think the UDM does because under "Networks" of the UDMP's settings, it says 0 IP leases have been issued. The client also doesn't show up in the clients section of the main UI on the UDMP. Although the client reports that it is connected. My guess is that the connection has been made but that there is some rule missing which actually allows it to communicate with anything. Anyone have any ideas?

  • @stephendixon8575
    @stephendixon8575 2 years ago +2

    Hey Rob, I know you’ve already heard this over and over but I just wanted to say a huge thank you for putting together such an amazingly detailed and comprehensive series covering both how to set up the UDM Pro as well as a really useful guide to topics like how to split up your network into VLAN’s (and why) and still get the functionality you want by using firewall rules, port security and even VPN. I have spent ages trying to get my head around this stuff from lots of different sources; I only wish I’d found your videos first as they not only explained everything in understandable, logical terms but it covered everything I needed all in one place! Can’t thank you enough.
    I know you started off with lengthy videos and edited them down tightly, which must have been hard work - though long videos don’t put me off and for all those with too short an attention span, this clearly ain’t a topic for them! Anyway, I’m not complaining - it just means there was so much valuable information densely packed in here that I had to watch both Part 2 and 3 twice over to make sure I didn’t miss bits!
    Out of interest, I also watched the videos on the UDM Pro from Crosstalk Solutions covering quite a few of the same issues (though I preferred your delivery style and explanations). One key difference is that he used the USW-Pro-24 which has some Layer 3 capabilities - so he could block communication between devices on a VLAN and didn’t need MAC address filtering. This got me thinking that using the switch’s VLAN routing capabilities would be one way to have your cameras on a different VLAN and let the switch carry the load rather than bog down the CPU on the UDM Pro maybe? (I know you’ve looked at using a 2nd NIC from your replies to comments) One major difference though was that he ensured none of the devices on his IoT VLAN could ping the main LAN gateway or those of other VLAN’s, and also blocked traffic from the IoT VLAN to ports that could enable access to the UDM Pro GUI on the IoT VLAN gateway IP address, which I thought was a good idea and was not something you covered in your videos. Wonder what you make of these differences and would be interested to hear your thoughts (if you have time) 👍 - sorry for the long comment

  • @GogoDesignFilms
    @GogoDesignFilms 3 years ago

    Question @13:51 When you say your "Public IP Address", are you talking about the default gateway?

  • @netmikey
    @netmikey 3 years ago +4

    Shoutout to you for making such a complex subject that comprehensible. I can only imagine the time and energy you put into those videos. In the name of all of us watching but rarely commenting: THANK YOU!

  • @DatMammut76
    @DatMammut76 3 years ago +1

    This is one of the most helpful series I’ve ever watched on YouTube, and I am firmly in the pro-sumer category and deal with networking often, although it’s not my primary job responsibility.
    The tips on products alone are more than worth the sub and notification.
    Thank you!

  • @johnniller9498
    @johnniller9498 3 years ago

    Trunk Configuration = All VLANs (Untagged ports)
    A switchport can be configured for 1 VLAN only
    for Cisco that's
    switchport access vlan 6
    switchport mode access
    spanning-tree portfast
    This port will have traffic on VLAN 6 and 6 only.
    The trunk (Untagged port) configuration above makes traffic traverse native VLAN but that port can still see all VLANs and you can vlan-hop between them without going through the gateway.
    Good job on the vidz thanks for all your work

  • @Thamli
    @Thamli 3 years ago

    Definitely better in 3 videos:
    - more videos!
    - more ads, good for you
    - added feedback on comments from previous videos in the series
    Well done!

  • @davidjohnson2782
    @davidjohnson2782 3 years ago +54

    Great Video, but is there going to be a Part 4 for the Wireless Optimization trailed in Part 2? I was really looking forward to that bit!

    • @TheHookUp
      @TheHookUp 3 years ago +62

      Ah CRAP! I knew I was forgetting something.

    • @rogersmj
      @rogersmj 3 years ago +15

      @TheHookUp Yes please do WiFi optimization! Also best practices for traffic segmentation on WiFi...separate SSIDs or is there another way?

    • @pjnorris
      @pjnorris 3 years ago +1

      +1 on this

    • @ChristianLappinOFFICIAL
      @ChristianLappinOFFICIAL 3 years ago

      +1 on wireless optimization and settings

    • @richnmercy
      @richnmercy 3 years ago

      +1 Wireless Optimization

  • @MactelecomNetworks
    @MactelecomNetworks 3 years ago +1

    Great video. Not a lot of people think about port security

  • @waynenocton
    @waynenocton 2 years ago

    Not that your other videos aren’t great, but your UniFi videos are so good. Need input lol.

  • @cossecoss
    @cossecoss 3 years ago +2

    You truly have an excellent way of presenting, explaining and visualizing the various topics in the right amount of time divided into parts. And, completely free from goofiness and acting out like pretty much every one else does. Thank you so much. Now it's time to put the stuff I've learned from you into practice.

  • @ferasmustafa2785
    @ferasmustafa2785 3 years ago

    11:59 Hey Rob, Not all VPN users are "trying to hide their traffic because they're doing something illegal". It is more of a freedom choice. That said, this is definitely a great video series.

    • @TheHookUp
      @TheHookUp 3 years ago

      True true, but I've always considered VPNs to be a little bit foolish if what you're looking for is privacy. A VPN service has the ability to collect SIGNIFICANTLY more data about you than whatever can be scraped from your viewport and dns requests anyways.

    • @ferasmustafa2785
      @ferasmustafa2785 3 years ago

      @TheHookUp Agreed, the VPN use should never be considered the "ultimate privacy" solution, rather it is more of an initial step of Protection. Hardening the browser is equally important.
      Personally, I always couple the use of VPN with Browser's privacy-enhancing addons (i.e. HTTPS Everywhere, Privacy Badger, NoScript, Canvas Blocker).

  • @x99percent
    @x99percent 3 years ago +3

    I like the MAC address restriction.
    Another approach would be to add a 2nd NIC to your NVR, then put all cameras and that 2nd NIC on a completely restricted VLAN.

  • @token112
    @token112 3 years ago +12

    Will enjoy a vid on reverse proxies for sure!

  • @tomermatmon
    @tomermatmon 3 years ago +2

    Bravo 👏 I am watching your videos for year! Great job! Was waiting forever for a deep dive on unifi setup. Thanks 🙏

  • @natedogg624
    @natedogg624 3 years ago +4

    Do you have a video or blog that discusses how to keep Home Assistant working when the internet is out but local WiFi is active?

  • @KenTechAdventures
    @KenTechAdventures 2 years ago

    This series was incredible. You covered so many important nuances that an advanced home network operator will face when configuring the network. Well done!

  • @GoogleUser-ee8ro
    @GoogleUser-ee8ro 2 years ago

    4:35 this firewall rule poses one potential problem: if you accidentally unplugged and swapped the port on the switch with another camera, then this camera will not work anymore.

  • @playingoffscratch5661
    @playingoffscratch5661 3 years ago

    Brilliant video and enjoyed watching the series. I set up the VPN but I could not connect to my L2TP server through my iPhone. I followed the unifi troubleshooting faq and updated my ports on my isp router. It now works and allows me to control my non-internet enabled iot device network whilst away from the home. Thank you.

  • @powersonic6255
    @powersonic6255 1 year ago +1

    Wow, I need to watch this again. There is a lot in this video.

  • @machook1987
    @machook1987 3 years ago

    Man thanks so much for this set of awesome videos, helped me out a bunch! Couldn't have done it without you!

  • @adambuchanan6599
    @adambuchanan6599 3 years ago +1

    Man, thanks for going into such depth on all of this. I am just now dabbling my feet into some more advanced IT stuff as a hobby/back-up career plan, and you are certainly giving me a lot to study and consider.

  • @LaneMcCall
    @LaneMcCall 3 years ago

    8:54 this is exactly what I was hunting around for on the internet. I want the ability to add/modify my own signature file but I was under the impression that I didn't have a feature enabled or something to that extent. C'mon Ubiquiti! And by the way, I stuck around for your whole video and it was put together very well. I got my Unifi network built up a couple months ago and have a near identical setup to yours (minus the untagged cameras). Keep it up!

  • @ray.cali87
    @ray.cali87 1 year ago

    Good series. I'll watch again because of the complexity in certain areas. I know I'm late to the party but I'm having a heck of a time trying to design a network that keeps my cameras off the Internet. I want to set up Home Assistant, so I'm only looking at window/door switches that send/receive information to HA. But I'm also starting out with 5 Reolink IP PoE cameras - gradually adding up to 16. I'm debating whether to purchase a PoE Managed Switch or a Reolink NVR. Reolink told me to try one of their NVR models to use saying not all PoE switches use the correct protocol which means the cameras will drop off or not work altogether. Also, HA can view the cameras either through their IP address or through the NVR. I have an HA automation to send out notifications on person detection but only to certain devices that have the HA app installed.
    I'm thinking about dropping the whole kit and caboodle in an IoT VLAN with no Internet access but that presents problems: Ubuntu and HA updates on HA Server, updates to the NVR, and making sure the camera automations can reach the HA app on iPhones when they are away from the house.
    Thank you

  • @All_Dead_In_Shimoda
    @All_Dead_In_Shimoda 2 years ago

    Very helpful series mate 👍 I will have to watch part 2 a few times to fully understand the process but I will get there ... Thank you for the knowledge 🙏

  • @D.hodge87
    @D.hodge87 3 years ago

    I just ordered a Dm pro, an extra 8 port POE switch, and 2 access points along with 1,000’ of cat6 and the required terminals.
    Thank you for the great videos, we’ve struggled with bad home networking for years using off the shelf home routers; and now that we have nearly 50 devices on the network at any given time it’s worth the money to invest in a solid home setup!

  • @BFArch0n
    @BFArch0n 3 years ago

    Site to Site VPN with dynamic IPs on both sides.....please provide a guide on this!

  • @garyseaman6105
    @garyseaman6105 1 year ago

    Thank you for the video. Recently my ISP router went down and I lost communication with most of my iot devices. I did get them back but it took a lot of work. Also, I didn't like the idea of the old one being taken away with information about my network. So I need to rethink my current network. I'd not thought about this until the ISP router went down.

  • @EsotericArctos
    @EsotericArctos 1 year ago

    Hi Rob @The Hook Up
    Any chance of maybe doing a modern version of this video that would be suitable for new protocols, such as Matter, which use IPv6 only? I love the security of fully segmenting network devices, but this method breaks Matter and the suggestion is to flatten networks to allow Matter to work.
    Could we do the same thing restricting devices with port/IP groups instead of VLANs ?

  • @xanderdekok909
    @xanderdekok909 2 years ago

    Great video! Thanks!
    I now have MAC filtering activated for all my POE cameras. I want to do the same for my outdoor AP, but MAC filtering doesn't work for an AP. When you activate the MAC filtering, only the AP is able to connect to the network, but all clients connected to the AP are not.
    Does anybody know how to only allow the AP to connect to my switch, but also allow its clients to connect to the network?

  • @MikeS29
    @MikeS29 3 years ago

    I just watched all three parts. Now I'm going to watch them again! Great stuff, this helps me a lot.

  • @Vonzercroft
    @Vonzercroft 3 years ago +1

    I'm trying to connect to my vpn from an android device and the only options I have are l2tp/ipsec PSK or l2tp/IPSec RSA and I don't seem to be able to connect to my vpn using my wan and a user account setup? Is there a way to get just basic l2tp on android or am I missing something on configuring for ipsec psk/rsa?

  • @andersdalmose2980
    @andersdalmose2980 3 years ago

    Really great stuff. Helped me a lot. But I cannot get my Philips Hue working from an IoT network. The same issue with my Danfoss Link heat display. Do you have a tutorial or guide? Once again, thanks for great videos.

  • @bond2k3
    @bond2k3 3 years ago +4

    Would be great to have a video on how to setup WireGuard (on a server / raspi) together with UniFi.

  • @UltimateTechHub
    @UltimateTechHub 3 years ago

    Great explanation on Networking Basics. I never use MAC address filtering because of MAC address spoofing attacks where the hacker hunts the network for valid and original MAC addresses and circumvents access control measures, giving the hacker the advantage to pose as one of the valid MAC addresses. But you are correct in your situation, MAC spoofing is unlikely. I learned all of this info in CISCO academy and you have definitely done your homework. Good job.

  • @michaelmenzie2806
    @michaelmenzie2806 2 years ago

    If you create a "guest" network, should that network be included in the "all Local Networks" group?

  • @JohnVanderbeck
    @JohnVanderbeck 2 years ago

    Can an AppleTV be setup to use a VPN to access a remote Plex server, or is that one of those cases where you would have no choice but to port forward?

  • @user-zr7kz4vs7c
    @user-zr7kz4vs7c 3 years ago +2

    But if you use a VPN tunnel, will you still receive Home assistant app notifications, and sending location updates?

  • @aaronlangeland
    @aaronlangeland 2 years ago +1

    I would love thoughts on the new 7.1 OS, specifically regarding the Teleport functionality built-in to it. It looks like it automatically creates a new network (at least a new subnet #). Any firewall rules needed? Any idea if this has similar push notification limitations?

    • @danielrossi3630
      @danielrossi3630 1 year ago

      Hi. Have you found out about the firewall rules? As soon as I implemented the rules suggested in part 2, Teleport stopped working.

  • @yasserabdalla1606
    @yasserabdalla1606 1 year ago

    Great guide, is it possible to route VLAN traffic over magic VPN? Scenario is site A (UDM + USW24) and site B (UDR) connected with Magic VPN and each with a set of Cameras. Only site A has NVR and its cameras are on the same VLAN. And for the Cameras on site B to save streaming on NVR, they should be on the same VLAN?

  • @GrimSpec
    @GrimSpec 3 years ago +1

    How do you update firmware on devices in NoT vlan?

  • @hardtimes4521
    @hardtimes4521 3 years ago

    What about the public IP. What should I use in there?

  • @JohanNordberg
    @JohanNordberg 3 years ago +1

    Really excellent series. I learned a lot!

  • @antisk8
    @antisk8 3 years ago

    Instant like for the thumbnail- boomer af but absolutely amazing. Thank you

  • @paulnolastname9422
    @paulnolastname9422 3 years ago

    I've reviewed all the videos looking for a solution. I have a VLAN for all my wired cameras. Pretty much set up the way you did it here, but I have a wireless camera that I want to add to this VLAN. It comes in over the wireless AP and I do not know how to get it onto the IP Camera VLAN using the VLAN DHCP. You intercepted your IP camera at the port, but on the wireless there is no port.

  • @palwinderkaur5850
    @palwinderkaur5850 3 years ago

    Could you please guide me: I have my printer on NoT vlan, how do I access the same printer from LAN?

  • @sageRJRJ
    @sageRJRJ 1 year ago

    Why would Ubiquiti not use the IPsec protocol for VPN?

  • @mafricimangmailaccount6611
    @mafricimangmailaccount6611 3 years ago

    I don't have a UDM however I want to remote into home while I'm away. I've seen reverse proxies as another alternative. What do you recommend?

  • @grahamjones7814
    @grahamjones7814 3 years ago

    Do you port forward your Plex server? I have Plex and my CCTV Port Forwarded for external use.

  • @MrYinNguyen
    @MrYinNguyen 3 years ago

    Hello Tait, at 13:30 you mentioned that adjust the "local ip address firewall rule to include this new subnet". I did go to Security > Internet Threat Management > Firewall > Group > All Local IP Address and add 192.168.3.0/24 there but I'm still unable to start the VPN on my iPhone. Is there a setting that I'm missing out here? Thank you!
    PS: I'm able to do it via wifi but not LTE

  • @sirknightfall1
    @sirknightfall1 3 years ago +1

    I think IDS/IPS signature updates are daily. I have had the occasional one fail and it always alerts me, however a manual retry usually results in it updating.

  • @allennatanel1270
    @allennatanel1270 3 years ago

    About to have my house wired, the wireless access points are PoE? Is it safe to put one outside or will it compromise the network? I know with cameras you explained to do something with the MAC address, can I do that with the wifi access point as well?

  • @SteveKelem
    @SteveKelem 3 years ago

    The doesn't match what the RADIUS profile setup screen shows. It's asking for the Authentication server. Is that the UDM? (I don't have the Pro, just a UDM.)

  • @mediamaster2694
    @mediamaster2694 3 years ago

    Thanks for the very helpful videos. The only thing that was missing was the Wireless System optimization you referred to in part 2, I think.

  • @sdfhjklhsfdjdsflhkds
    @sdfhjklhsfdjdsflhkds 3 years ago +1

    Another great, and very instructional, video. A really great series!

  • @johnwalker3180
    @johnwalker3180 3 years ago +4

    Great video; love the clear explanations with visual analogies! How would you compare VPN through Unifi device as shown in this video vs VPN using Wireguard through Unraid?

    • @mitchese1
      @mitchese1 3 years ago

      Unifi also unofficially has a wireguard binary. it's a bit more involved to setup than clicking in the ui, but it works

  • @gkburner9849
    @gkburner9849 3 years ago

    I have started on this but there is a very important feature missing in Unifi. Parental Controls and scheduling capabilities. I wish I knew this before I jumped on it, for me it’s more important than VLANs and other security stuff for a home user.

  • @gokuro91
    @gokuro91 2 years ago

    Are there some other settings or config needed to get mac filtering to work? I have tried this on both a USW-Lite-16-PoE and USW-Lite-8-PoE and even after applying the filter and confirming it is in place, a host with a different mac is able to connect and access the network.

  • @chadgnadinger1492
    @chadgnadinger1492 3 years ago

    Great video series....got a question about the VPN....as a cellular internet use (T-Mobile Home Internet) I have no Public IP address and as I see it, the onboard VPN would be useless. I have, with my Home Assistant, been successful in getting to it from the outside with ZeroTier.....any way to use Zero Tier to view the Unifi Protect cameras?

  • @Ray12151
    @Ray12151 3 years ago

    How much difference does IDS and IPS make if you have good firewall rules? Like I have an edge router… should I upgrade to UDM pro just because of IDS and IPS?

  • @WShealy
    @WShealy 3 years ago

    Glad I found you again. You have made a big step from holiday LEDs. When I discovered your holiday lights I was looking for inside LEDs for mounting on rafters and under cabinets. Primarily white but at least some place holiday and party color. I couldn't find the review you linked to before and expect that much has changed in 3 years. Also control options somewhere I saw one that was power supply and controller in one. Anyway could you do a 2021 update my wife wants me to finish this lighting project. Thanks

  • @24436926
    @24436926 3 years ago

    Great videos, thanks!
    Unfortunately, there is no Mac Filter option in the port configuration tab. Only things I can do there is change the name and select a Switch Port Profile.
    After that, only an informational table shows this: Operation: Switching, Link Negotiation: Auto, Storm Control: Disabled, LLDP MED: Enabled.
    Was that changed or am I doing something wrong?

  • @Govik420
    @Govik420 3 years ago

    Just got a UDM Pro and really enjoyed these tutorials. Thanks!
    That said, I would enjoy a reverse proxy video.

  • @DavidFerreiraaBF3
    @DavidFerreiraaBF3 3 years ago

    I tried the mac filtering and tested the port with my laptop and I can still use the internet with a different device other than the one allowed by the mac filter. I think you forgot to tell us the firewall rule that tells the udm pro to drop the connection.

  • @RogerKnowsTech
    @RogerKnowsTech 3 years ago

    Do push notifications work when VPN is turned off on your phone?

  • @hardtimes4521
    @hardtimes4521 3 years ago

    I can only connect to the VPN if I am on the same network. If I am on my phone LTE provider I can't!

  • @phantomsr6280
    @phantomsr6280 3 years ago +1

    In your next video you should cover firewall rules for the VPN connection. VPN connections bypass the LAN IN rules gaining full access to all your VLANS. You need to create LAN OUT rules if you want to restrict access. You also have to make your own network group for them as it's not in the predefined "Networks".

  • @SteveKelem
    @SteveKelem 2 years ago +2

    The settings are in different places in UniFi 7.2!

    • @schwagerik_
      @schwagerik_ 2 years ago

      True, Ubiquiti mixes names and makes other categories. And then the beginner gets confused by the settings.

  • @ramisober6888
    @ramisober6888 3 years ago

    Hi,
    Your videos made life easier for me setting up my new home BIG THANK YOU.
    One thing if possible to add to the group of essential devices you mentioned. Do you plan to make any videos about NAS (i.e. Synology) especially that they are also becoming a necessity and can run Docker & Virtual Machines on which Home Assistant can be hosted.
    Looking forward to more good stuff.
    Wishing you a happy, safe, and fruitful 2022

  • @Streetwiz2009
    @Streetwiz2009 3 years ago

    Great video as always Rob. keep up the good work

  • @GrahamBrown11
    @GrahamBrown11 1 year ago

    Hey Rob @TheHookUp I recently heard of a new VPN option in the Dream Machine called Teleport, under the hood it's WireGuard and much easier to set up 😀

  • @GoogleUser-ee8ro
    @GoogleUser-ee8ro 2 years ago

    By the way, how many switches(Level2)/routers Lvl3 do you have? It looks like you have at least 3: one for cameras, one for media and another 1 or 2 (including virtual one) for IoT and NoT?

  • @macster1457
    @macster1457 3 years ago

    So for users behind NAT having to port forward 1194.. is it ok to only forward that port and is it secure? - I've read some say that changing this port to something else makes it more secure, but others say for a hacker, using a non standard port just delays them a few more seconds.

  • @oldguy5119
    @oldguy5119 3 years ago

    Regarding the IDS/IPS signature updates, it appears from my UDMP's system logs that the signature info updates daily or every other day. Ubiquiti Support could best confirm the how, when and from where the IDS/IPS signatures are updated. My experience with Ubiquiti support has been very positive. Ubiquiti Support assisted with an ISP problem when they didn't have to, i.e. wasn't an Ubiquiti problem.

  • @siddharthtnj
    @siddharthtnj 3 years ago

    Wondering if you have plans to talk about them read based IoT devices and how to manage them securely...

  • @RevNelson
    @RevNelson 3 years ago +1

    Great content! I'm really looking forward to you covering additional reverse proxies and VPN options beyond what the UDM Pro is capable of.

  • @scarlaxx
    @scarlaxx 3 years ago +1

    @The Hook UP In the VPN drawing there you have 'Pubic IP' :)

    • @TheHookUp
      @TheHookUp 3 years ago +1

      Haha, that is odd, I even made the same mistake on all of them.

  • @jodycwilliams
    @jodycwilliams 3 years ago

    Any tips on port forwarding to a VLAN IP? I'm having a hell of a time getting a remote connection to my Surveillance Server. I have all of my surveillance equipment on its own VLAN to help control multicast storms.

  • @FatLavaCake
    @FatLavaCake 2 years ago +1

    FREAKING!!! good job. Thank you

  • @breezymonitor
    @breezymonitor 3 years ago +1

    Thank you for the time and effort you put into your videos!

  • @boudewijndejong9134
    @boudewijndejong9134 3 years ago +2

    Love the videos! My VPN however is behaving strangely, even though I did exactly as in this video. When connected to the VPN, some parts of my regular LAN are available (Hue hub, UDM-Pro, Netgear access point, etc.), and others are not (synology nas, DX800a phone, windows PCs). I first thought it was port related, but that doesn't seem to be the case as most communicate through port 80. Also my firewall rules are exactly as in video 2.
    Any thoughts?

    • @boudewijndejong9134
      @boudewijndejong9134 3 years ago

      I found a partial solution: you need to specify a VLAN in the User profile in Radius. Once that is in place, the VPN user seems to have more access to the full network. E.g. now RDP to other computers on the network works. Synology NAS web interface is still unreachable through IP address.

  • @bradgarrett21
    @bradgarrett21 3 years ago

    Love these series - set up my USG-based Unifi system based on your prior 2019 series. Just bought the UDM Pro as an upgrade. With the USG I had set up port forwarding to send all incoming traffic to a home server (forwarded ALL incoming ports with a single entry). When I replicate the same configuration with the UDM Pro, it won't work. I've tried factory resetting and installing from scratch (it took hours to record my old settings!), re-provisioning, rebooting, etc, and cannot get any traffic through the UDM Pro with a reply from my server. Any ideas on how such a set up should work under the UDM Pro?

  • @sithcdw
    @sithcdw 3 years ago

    I started having issues with game consoles. Tried all the recommended port forwarding, even game specific. Ended up creating a separate vlan and enabling upnp on that vlan. Fixed the issues.

  • @MrYawAsante
    @MrYawAsante 3 years ago +2

    This series is awesome...thank you so much for that! I was wondering if a DMZ (demilitarized zone) would be a suitable place for (potentially) vulnerable services and how that could be accomplished.

  • @justintemp
    @justintemp 3 years ago

    So you can use the vpn using a usg and unifi version and not pay for an external version?

  • @testi2025
    @testi2025 3 years ago

    Can you set the UniFi USG so that it sends all http and https originating from LAN trough a VPN (Nord or Proton)? So that all devices on LAN would be behind a VPN for those protocols?

  • @b99eu
    @b99eu 3 years ago

    Thanks a lot for all the insights in this topic. Helped a lot in setting things up.

  • @fillywinks
    @fillywinks 3 years ago

    Would it make sense to put your blue iris box on the camera vlan and only allow traffic to originate from your main vlan, so that you can access the recordings? Does it work like that?

    • @TheHookUp
      @TheHookUp 3 years ago +1

      The best solution I've seen is to put 2 network cards in the blue iris machine, one for communicating with cameras (which would be on a camera only vlan) and another for communicating with blue iris remotely.

  • @julianelpro5513
    @julianelpro5513 3 years ago +1

    nice tutorial. I'm wondering now how to configure google home in "home assistant" without using "Home Assistant Cloud". In the past, I have to use duckdns and do port forwarding to my HA server. What do you suggest about that?

    • @MarkWascherJr
      @MarkWascherJr 3 years ago

      I was about to ask the same question. I'm not in a position where I want to pay monthly for nabu casa.

  • @kelemvor3333
    @kelemvor3333 3 years ago

    People have LAN jacks in the bathrooms? Never seen that before.

  • @wesstallard8919
    @wesstallard8919 3 years ago

    Hey man... I have a web server inside the udm pro. I just can't figure out how to make it accessible to the wan. Can you help?

  • @Fechual
    @Fechual 3 years ago

    Wow what an informative video! Question for you: I have almost identical setup as you on this video. Trying to do a simple port forward for a Helium Miner is proving to be very difficult for my limited knowledge. Are there any additional steps needed to properly forward a port besides the advance gateway steps? Thank you so much for your help! Subscribed!

  • @techdad6135
    @techdad6135 3 years ago

    Yuuuussss! I've been looking forward to this video!

  • @hobbykip
    @hobbykip 3 years ago

    For port forwarding to my NAS (external offsite backup) I used a separate VLAN to my secure network. As I do not use link aggregation and my NAS has 2 ethernet ports I can connect 1 to the secure VLAN and the other to the separate (for me IoT) VLAN. I don't know if this is overkill? It does seem that Unifi does not like it because often I do not see an IP address of one of the ports. The NAS tells me the connection is OK.

  • @mitmaxim
    @mitmaxim 3 years ago

    Did you, by any chance, create a writeup with your settings for UDM Pro? They would be a great refresher for yourself (when you forget why and how you've configured specific features), and a fantastic how to for us following in your footsteps.

  • @softwareengineer9435
    @softwareengineer9435 3 years ago +1

    Why not just put the cameras in a completely new VLAN dedicated to them?
    Why do they need to connect to anything?

  • @wellsm
    @wellsm 3 years ago

    Thanks so much - this was quite helpful. Got my UDM last week and I feel confident in my setup.
    For Part 4 - how about ipv6? I have it functionally working but have concerns about how the firewall and other security components should be configured.