NEW to UNIFI VLANs?? START HERE!!!

  • Published: 30 Sep 2024

Comments • 425

  • @markhokanson2401 7 months ago +60

    There are a lot of versions of this walkthrough out there on RUclips, but (for me at least) this is the only one that took the appropriate time and amount of hand-holding that I need to not just implement the FW rules, but also to help me understand the WHY. That is huge!
    Thanks a ton!

    • @ethernetblueprint 7 months ago

      Thanks for watching. I'm so glad it helped you out.

    • @mzkx67 7 months ago

      I am new to the Unifi dream router and loving the custom settings. I agree this is an excellent video that explains the settings very well.

  • @juhatalimaki6664 7 months ago +3

    I am a Unifi virgin. I have watched many videos to try to understand the world of Unifi, this video is gold! You explain it well. Thank you!

    • @ethernetblueprint 7 months ago +1

      Thanks. Hope you subscribed. Next week I’m going to cover the switching aspect of VLANs.

  • @GreatYTShark 4 months ago

    I've watched a ton of these firewall setup videos but this one is probably the best at explaining what each setting does so thanks. The reason I keep watching them is I can't for the life of me get my MacBook on VLAN 1 to talk to a Pi server on VLAN 2. It won't ping, it won't ssh. But it will if I connect the wifi on the Mac to the VLAN 2 wifi network. I followed every little detail in this video (which is almost identical to many others) and put in an allow rule for the Pi IP to talk to the Mac IP. I've also tried it as an all VLAN 2 to all VLAN 1 rule. Still won't work. Hope that makes sense but is there any other gotcha that could be preventing this in Unifi?

    • @ethernetblueprint 4 months ago

      Do you have another device (non-Mac) on VLAN 1 that you can try pinging the Pi server from? Can your Mac ping other devices on VLAN 2? If this is a "server" make sure the local firewall isn't blocking the pings. I have seen that cause issues like this and people are troubleshooting the wrong device. If you want to email me at tim@ethernetblueprint.com, we can have a convo about some options.

  • @bl7937 7 months ago

    UniFi IMO is just NOT ready for bigger jobs/networks. They are very limited on their security features at this time. Hopefully they improve.

    • @ethernetblueprint 7 months ago +2

      What types of things would you be looking for? Just curious.

  • @genxl86 7 months ago +17

    Finally one of those VLAN guides that I can follow and understand easily. VLANs are not that scary after all. Cheers man!

    • @ethernetblueprint 7 months ago +1

      Thanks for the comment. I am super happy to hear that it helped.

  • @SS-kg6ns 8 months ago +14

    Probably the only video with the new interface. Thanks for creating and being very detailed with background info for noobz.

  • @slmj615 2 months ago +8

    I watched several videos and this is the one where things started clicking. I loved the format of showing the vulnerability, applying the fix and confirming vulnerability is negated along with clear and concise explanations during the process. I also like that the gateways were isolated. Before this video, I was struggling to figure out why I could ping my gateway addresses even though my networks were isolated and now I know. This is the first ever super thanks I have given. It’s well deserved. I’ll be adding one to the follow up video on configuring VLANs on Unifi switches. Many things clicked in that video also.

    • @ethernetblueprint 2 months ago

      A thousand thanks for your kind words and your generosity. I do my best to try and help the newbies of the Unifi space. I love getting feedback that tells me I was able to help... All the best!

  • @shyamkasundra675 8 months ago +25

    I am finally considering a Unifi setup now that their OS is more well-baked, and you had the most recent Unifi OS VLAN video, so I decided to stop by and see how things have improved over the last few years. However, I must say that this video is probably one of the best for anyone new to VLANs in general, not just VLANs on Unifi. You, sir, are the only one that "teaches one how to fish instead of just giving one a fish" by explaining the logic behind firewall rules, thus giving one the ability to not just copy your foundational firewall rules (which were spot on as the bare minimum starting point), but also gain the confidence to start coming up with their own firewall rules unique to their situation. Looking forward to joining you on this journey to learn from each other!

    • @ethernetblueprint 8 months ago +1

      Wow. Thanks so much. I am very happy to hear that it helped you!

    • @BopperNoStopper 6 months ago

      I agree, this was extremely clear with no fluff @ethernetblueprint

  • @chrismhaase 5 months ago +8

    Thanks! Great tutorial. I set it up and it works perfectly. A dual screen setup to watch the video and work on the other is the way to do it!!!

    • @ethernetblueprint 5 months ago

      I’m happy to hear it got you set up. Thanks for the super tip.

    • @Lukeb53 8 days ago

      Wait until you start getting into triple monitors. It's a game changer. Working with VM's on Linux? One screen for a video guide, one to interface, and another with common command templates to copy and paste. Playing video games? One screen for the game, one for discord, and another for a game guide or a map for reference. Researching a new product and comparing stuff? One screen for review videos or articles, one screen for searching product retailers, and another for documenting options and taking notes. The possibilities are endless.

  • @jamessapp4679 7 months ago +3

    On the portion of the video (about 333.) where you set up group Block IOT from other gateways, you set up a group that included 192.168.1.1 and 192.168.3.1. There is no 192.168.3.1 but there is a x.x.99.1. Perhaps you meant to use 99 instead of 3?

    • @ethernetblueprint 7 months ago

      Nice catch... I have done many variations of my test setup and have a VLAN 3 a lot of the time. Sorry if that created any confusion.

  • @TimPaddy 5 months ago +5

    Great great video. You are a terrific teacher.

  • @zero604 2 months ago +2

    Thanks for explaining all the firewall rules. In other videos I've seen they just tell you to put in certain things but don't explain why.

    • @ethernetblueprint 2 months ago

      You are quite welcome. I hope you found it helpful!

  • @AlexanderZinchenko 3 months ago +1

    Wi-Fi Preshared Keys are not available if WPA3 is enabled (mandatory for 6 GHz). I was forced to use separate Wi-Fi networks with their own passwords.

    • @ethernetblueprint 3 months ago +1

      Yes... at the time, I did not know that. I am hoping that is fixed in the near future. Thanks for the comment to let viewers know!

  • @drewpecka 6 months ago +5

    Top notch. Thank you!

    • @ethernetblueprint 6 months ago +3

      Holy crap. Thank you so much. That is overly kind of you. So glad it helped.

  • @brianhampton9138 8 months ago +3

    You don't understand how helpful this has been!! No one else that I watch has broken down what rules to make so well. I wanted to ask what if I need devices on my IOT to talk to each other? I have a lot of devices that would need inter-VLAN communication. Would I just not do the drop all private IP addresses traffic or some other allow rule? Thanks

    • @ethernetblueprint 8 months ago +2

      I am so pleased to hear that my video helped you out. I can't thank you enough for that. As for your questions, just to be clear, the firewall rules only apply when one VLAN is talking to another one. This is called Inter-VLAN communication. If IOT devices are talking to each other, they would most likely be in the same IOT VLAN and would not be affected by the firewall rules. Unless I am not understanding what you are asking here...

    • @brianhampton9138 8 months ago

      Well I don't know if I'm asking it right myself... I just assume that when you enter the firewall rule to Block all private IPs for the IoT VLAN, that it would prevent anything on the IOT from talking to anything but the internet, including other IoT devices on the same VLAN @ethernetblueprint

  • @stephensweeney1154 2 months ago +1

    Do you not recommend the Isolate Network checkbox in 8.3.32 (different from the Guest Network checkbox) on the Unifi VLAN (Network) configuration screen for the IOT network?

    • @ethernetblueprint 2 months ago +2

      This is a valid point. That is one way to do it sure. Simple and fast. It will create a single Isolate rule in the FW rules.
      (FW Rule it Creates)
      Isolate IPv4 Traffic From Selected Subnets To Any Local Subnet, Drop, LAN In, All, 192.168.X.0/24, Any, (4 Networks), Any, 60001
      If you needed to allow other VLANs to communicate with your IOT network, you could simply add your "allow" rules above this rule and they should communicate.
      I simply wanted to point out how to make FW rules from scratch to accomplish the same thing so it helps people learn how the rules work.

    • @stephensweeney1154 2 months ago +1

      @ethernetblueprint Thanks!

  • @jasoncherry2508 3 months ago +2

    I had no idea about the "new" Wifi Pre-shared Key assignments to different networks, that's cool. Thank you for explaining and showing that.

  • @sptexas58 7 months ago +3

    Glad you are using the new UI. Aside from that, what a great job of providing the list of items to change, their order and a great explanation as to why. I've watched other videos that assume way too much of the audience.

    • @ethernetblueprint 7 months ago

      I'm glad it helped you. Unifi has been busy changing the UI. I think it has changed again a little since I did this video...

  • @LanceMcGrew 6 months ago +1

    Do we need a firewall rule to Drop traffic between Guest and IOT?

    • @ethernetblueprint 6 months ago +1

      The rule that DENYs all private IPs to private IPs covers those not communicating to each other. So no. Not specifically.

  • @buzzzz1252 8 months ago +2

    Great tutorial! I have recently set up two additional VLANs (Family and IOT). I did this because I liked your "kids" network in your prior video. I have not set any rules yet, just been busy getting devices on the correct VLAN/Wifi. Will be playing with firewall rules soon. My question is... The first thing that came to mind when you were creating rules, especially the port rules, was what are the chances that one mistake could potentially lock you out of the gateway from ALL networks. It just made me think I should be VERY careful!

    • @ethernetblueprint 8 months ago +3

      It is possible, however there are fail-safes in place that warn you about it. If you look through the comments here, I talked about that with another viewer because he got a warning on his and it wouldn't allow him to set that rule. However, just know that it is possible. Be careful.

  • @1d9d5k6 8 months ago +1

    Outstanding presentation with the new interface. I would like to have a private wireless for my wife, because of her job. Could I use a shared key for default, IOT, Wife's Wifi and use the Guest 99 network with the standard isolation with its own password? I am going to check out your VLAN video. Maybe I can come up with other ideas. Also, one of the things that gets frustrating is when videos are not updated when there is a noticeable OS change. I look forward to you continuing to do so.

    • @ethernetblueprint 7 months ago +1

      If I understand correctly, you are asking if you can set up multiple passwords (Private Pre-shared keys) for the default, IOT and Wife (all connecting to the same SSID) and then set up a separate WiFi name for guest and still make all this work in the Firewall... If so, the answer is yes. The firewall rules are based on the VLANs, not how the WiFi networks are set up. You could create a shared SSID for all of your "main" networks and then create a Guest VLAN and choose the isolation check box... Then create a separate Guest SSID for that network. As a matter of fact, I think that is a better way to do that anyways. It is nice for the guests to be able to connect to a separate SSID so they know they are on the guest network...

  • @jrabbott34 8 months ago +2

    Yeah, super handy on the guest landing page. I appreciate the re-accepting of the Guest EULA after a period of time for a business. So you don't saturate the DHCP range. But for home use I very much like disabling so users at my house don't have to re-accept to "logon".

    • @ethernetblueprint 8 months ago +3

      That is a good point about the reauthentication for your guests!

  • @TommieRC 8 months ago +2

    Great tutorial, thanks! I love all the details! I just followed your previous tutorial to set up my VLAN protections on my UDM SE, your earlier tutorial was super helpful!! I think you were on 7.x in that tutorial. Glad to see this updated tutorial, on 8.0.26! I saw you had a Guest firewall rule for "Allow DNS Packets to External Name Servers". It would be great to see a tutorial on this topic. I am looking to block all DNS (Port 53) queries out (on my various VLANs), unless they come from my DNS (PiHole or other DNS like ControlD or NextDNS) server; if someone on my network tries to change their DNS, my goal is that they will not connect to another DNS server and their Name Resolution will fail. It would be good to see options, but wanted to share an idea (I'm sure you have considered this topic too!). Great Job! Thanks!

    • @ethernetblueprint 8 months ago +1

      You will most likely have to do that with Firewall rules on a standard VLAN and not by clicking the guest portal policy checkbox... The guest rules in this video were automatically generated by the system and can't be updated... I am confident you could create a VLAN like I did the IOT network in this video and then add rules to control the DNS servers...

  • @grosboute 4 months ago +1

    This is exactly what I was looking for! I applied your IOT logic to a VLAN for crypto mining. This way I don't compromise my default network with some shady new crypto mining software and wallets. 😂😁 Thank you!

    • @ethernetblueprint 4 months ago

      That’s awesome. I hope the mining is going well.

  • @jamessaunders6439 2 months ago +1

    Absolutely brilliant. Finally configured my Unifi gear!

    • @ethernetblueprint 2 months ago +1

      Boom (Mic Drop). So glad to hear it. Thanks for watching!

  • @urbanawoodproject3123 6 months ago +1

    Holy crap that is a lot of steps to accomplish a goal that is so commonly held by virtually all users of this network gear. Is it worth it when you could just make an IOT guest network where the devices can ONLY communicate with the internet and nothing else? Not many IOT devices can communicate without the cloud anyways, right?

    • @ethernetblueprint 6 months ago +2

      The FW Rule aspect of this is optional. You do have the option to just mark the "Isolate Network" checkbox when creating the network which would allow it to communicate to the internet, but not to other VLANs. The FW Rule portion is more for environments where IOT devices need to be able to have a 1:1 communication with other parts of your network. (ie. smart cameras talking to a NAS for example)

  • @RyanJones989 8 months ago +1

    Hey Tim! Just found your channel, I have a bunch of UniFi gear and have been running it for years, but you have taught me quite a bit and this video right here has helped me figure a bunch of stuff out! As a thanks, I noticed that your audio is being done from a laptop/phone mic, which works, but, I have a set of lavaliers that I would love to send you as a thanks. But I couldn't DM you, Drop me a line back and I'll find a way to get them to you! Thank you for the great information!

    • @ethernetblueprint 8 months ago

      Wow... Thanks... I actually use my earbuds, but I wouldn't mind trying out yours... email me at tim@ethernetblueprint.com if you like...

  • @wishbone1138 5 months ago

    PPSK is really cool, but only supports WPA2, so no 6 GHz networks, which is a huge bummer. I'm guessing for your home network, other video shots 6 GHz, you're just using multiple SSIDs instead? Great video, thanks.

    • @ethernetblueprint 5 months ago +1

      I assume that 6 GHz is coming. When I did this video originally, I didn't have my U7 Pro yet, so I honestly didn't know about that. In this case, I did this just to show viewers that it could be done. My home network has multiple SSIDs and that is how I typically set up my networks.

  • @ninjmnky 8 months ago +1

    Great guide, from zero to hero with everything needed, just one comment - please consider using dark mode ui when recording these, cheers!

  • @derekteetv 7 months ago +1

    Yessir, you explained it well. It's easier to understand the more advanced parts once a baseline has been understood and configured. Just what I needed as there are more and more IOTs and guests in my house these days.

    • @ethernetblueprint 7 months ago

      Awesome. My next video will be on the switching portion of VLANs so I hope to see you back!

  • @santiagodelbono1 7 months ago +1

    Wow, huge work here!, honestly the best vlan class on RUclips. Congrats and thank you

    • @ethernetblueprint 7 months ago

      Wow, thank you for your kind words. Glad it helped.

  • @Lukeb53 8 days ago

    This video is great. I've been looking into UniFi for a while now, but my biggest reservation about diving into it has been VLANs. I'm pretty familiar with VLANs as I do IT at a large resort and everything we connect to a network has a different VLAN. Everyone says UniFi can do VLANs, but they don't elaborate further and I want something robust enough for firewall rules like the ones you demonstrated. My biggest concern was that UniFi either would not allow firewall rules, or they would be very limited. This video demonstrates the capabilities well and has shown this is exactly what I'm looking for. I plan to start ordering my components over the next couple of weeks and setting everything up and I could not be more excited.

    • @ethernetblueprint 6 days ago

      I appreciate your kind words... Just so you know, I did a full Unifi series and even have a downloadable document for the firewall rules too... check out my playlist for that 8 part series... one video has been dedicated to FW rules...

  • @SimonBetty 1 month ago

    I wanted to create some simple rules and VLANs, not touched networking for many many years, since I did CCNA when I was 16 (Now 35!!!). This jogged the memory nicely; also new to UniFi, so understanding its flow this really helped. All networks now created and all rules and VLANs set up! Happy with it.
    I just now have the joy of resetting all my dumb smart devices to be on my IoT network! I presume those devices can still talk externally to the web for their native apps to still work etc?
    Thanks though, brilliantly spoken!

    • @ethernetblueprint 1 month ago

      Nice. I am so glad to hear you dusted off the old VLAN knowledge a bit and this helped you! The IOT devices will be able to communicate with the internet, yes.

  • @JohnSparro 4 months ago

    Thank you!! One question, when setting up your LAN LOCAL rules, why do you explicitly add DENY rules instead of explicitly adding ACCEPT rules with a default DENY at the end? This seems like the only place where you do not follow the "deny by default" best practice? This doesn't seem to scale with more networks (but maybe this is intentional for the video!).
    Also, Unifi has a firewall option for "network type" of "Gateway IP Address", which I believe is the 192.168.x.1. Would you recommend using that Unifi default instead of creating the groups like "DROP IOT to its Gateway"?
    Thank you!!!

    • @ethernetblueprint 4 months ago

      You bring up a good point. Most home networks are set up on the smaller side, so this ruleset works pretty well. For larger scale networks, your suggestion would work better for scale. Most of the reason I do it this way is to be able to teach people who are newer to Unifi and firewalls in general. Deny-by-default practices can be more difficult to troubleshoot, especially if you are newer.
      As far as your second question, I am not familiar with where that setting is to be able to answer your question. Sorry man!

  • @petr-vavrik 6 months ago

    Hello, does it block IPv6 traffic also?.. IPv6 Support in Global Network Settings is disabled/unchecked

    • @ethernetblueprint 6 months ago

      This is for IPv4 only. It won’t apply to IPv6.

  • @ksat523 6 months ago

    Should be noted/updated that the PPSK setting is ONLY available when using only 2.4 and 5GHz wifi bands. Will not be available when using 6GHz band. This is noted in an updated version of Network application.

    • @ethernetblueprint 6 months ago +1

      That is interesting. I didn't know that. Thank you for bringing this to my attention. I haven't had the chance to play with any of the APs that have the 6 GHz band on them yet.

  • @yvesbaumes 5 months ago

    Great video. I still fail to understand a point. We need to introduce a FW rule "Block IOT to other Gateways". Obviously, your machine inside the IOT network is able to connect/reach the gateway inside the default network. Therefore you need this rule. But I still fail to see why the FW rule "DROP ALL private IP communication" is not enough... Any observations/development on this point?

    • @ethernetblueprint 5 months ago

      I understand the confusion. This is because of the type of rule it is... The "LAN In" rule is different than the "LAN Local" rules. The LAN In rules control intercommunication between VLANs. (i.e. this device over here can not talk to this device over there.) However, Unifi uses the LAN Local rules to allow you to block local services that run on the local device... (ssh, dhcp, https, dns, etc...). You almost have to think of accessing the web portal of the UDM as a service. You are going to an IP configured on the device (a gateway) and accessing an https page. So a LAN Local firewall rule is required on the gateways (both its own gw and the other gw's) to block that traffic.
      Note: With the rules I created in here to block traffic to other gateways, I chose to just block all ports - Kill ALL access to services on those GW IP addresses. However, I could have created the "block other gateways" rule to just block ssh, https and http like I did on the "blocking its own gw" rule. I hope that makes sense and helps you out a bit...
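To make the LAN In / LAN Local distinction in the reply above concrete, together with the earlier points that the private-to-private drop only touches routed inter-VLAN traffic, that allow rules go above it, and that the "other gateways" group is 192.168.1.1 and 192.168.99.1, here is an added Python model of the thread's rule set; it is not UniFi code and not the author's own. The IoT subnet 192.168.2.0/24 and the stateful established/related allow are assumptions, and the Default-to-IoT allow stands in for whatever one-to-one allow a reader would place above the drop.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the model. The thread gives Default (192.168.1.x) and
# Guest (192.168.99.x); the IoT VLAN number is not stated, so 192.168.2.0/24 is assumed.
NETWORKS = {
    "Default": ipaddress.ip_network("192.168.1.0/24"),
    "IoT": ipaddress.ip_network("192.168.2.0/24"),
    "Guest": ipaddress.ip_network("192.168.99.0/24"),
}
# Each VLAN's gateway is its .1 address, as in the thread (192.168.1.1, 192.168.99.1).
GATEWAYS = {name: next(net.hosts()) for name, net in NETWORKS.items()}
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_GW_BLOCKED_PORTS = {22, 80, 443}                       # ssh, http, https on the IoT gateway
OTHER_GATEWAYS = [GATEWAYS["Default"], GATEWAYS["Guest"]]  # the corrected "other gateways" group


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # assumed: reply traffic of a session that was already allowed


def vlan_of(ip: ipaddress.IPv4Address):
    """Name of the VLAN an address belongs to, or None for non-local addresses."""
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return None


def is_private(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def lan_in(src, dst, flow: Flow) -> tuple:
    """LAN In: routed traffic between VLANs; the first matching rule wins."""
    if flow.established:
        return ("ACCEPT", "established/related (assumed stateful allow)")
    # An "allow" placed above the drop, as the thread describes: Default may reach IoT.
    if vlan_of(src) == "Default" and vlan_of(dst) == "IoT":
        return ("ACCEPT", "allow Default -> IoT (placed above the drop)")
    if is_private(src) and is_private(dst):
        return ("DROP", "drop all private IP to private IP")
    return ("ACCEPT", "to the internet")


def lan_local(src, dst, flow: Flow) -> tuple:
    """LAN Local: traffic addressed to a gateway IP, i.e. to a service on the UDM itself."""
    if vlan_of(src) == "IoT":
        if dst == GATEWAYS["IoT"] and flow.dport in OWN_GW_BLOCKED_PORTS:
            return ("DROP", "IoT to its own gateway: ssh/http/https")
        if dst in OTHER_GATEWAYS:
            return ("DROP", "IoT to other gateways: all ports")
    return ("ACCEPT", "gateway service (e.g. DHCP/DNS on its own gateway)")


def evaluate(flow: Flow) -> tuple:
    """Pick the rule set that applies to a flow and return (action, reason)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst in GATEWAYS.values():  # destination is the gateway itself: LAN Local
        return lan_local(src, dst, flow)
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return ("ACCEPT", "same VLAN: switched locally, never reaches the firewall")
    return lan_in(src, dst, flow)  # routed between VLANs (or to the internet): LAN In


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("192.168.2.50", "192.168.1.20", 445),         # IoT -> Default host: dropped
        Flow("192.168.1.20", "192.168.2.50", 554),         # Default -> IoT camera: allowed
        Flow("192.168.2.50", "192.168.1.20", 50000, True), # reply of the above: allowed
        Flow("192.168.99.10", "192.168.2.50", 80),         # Guest -> IoT: covered by the drop
        Flow("192.168.2.50", "192.168.2.51", 80),          # IoT -> IoT: never firewalled
        Flow("192.168.2.50", "192.168.2.1", 443),          # IoT -> own gateway UI: dropped
        Flow("192.168.2.50", "192.168.2.1", 53),           # IoT -> own gateway DNS: allowed
        Flow("192.168.2.50", "192.168.1.1", 53),           # IoT -> Default gateway: dropped
        Flow("192.168.2.50", "203.0.113.5", 443),          # IoT -> internet: allowed
    ]
    for f in samples:
        action, why = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<14} port {f.dport:<5} {action:<6} {why}")
```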

  • @TorbjornOrnstig 3 months ago

    Thanks so much for a great video. I have tried for a while but now I finally have got my VLANs to work. I even used my knowledge from the video to figure out how to get all my Denon/HEOS stuff to work on the IoT! Much obliged!
    Just two small question if you don’t mind though.
    Should I not block access to the gateway from the guest network? I have tried to understand the rules Ubiquiti has given me but I don't seem to find that?
    Next a more general question. In the firewall rules from Ubiquiti there are 4 "accept" at the end. What good are they if no "drop" after them? Maybe I have misunderstood something?

    • @ethernetblueprint 3 months ago

      I would make sure you block access to the gateway from your guest network.. (either with your own rules or the built in ones) If you hit the guest checkbox for that VLAN and let it do it for you, I believe it will block access to the gateway for you without you putting in any FW rules. It isolates that network and only allows guest to get the internet. Hope that helps!

  • @bw_chrisknights 28 days ago

    This helped thank you. So many videos watched. This one works and is very well explained.

  • @TomWhi 6 months ago +1

    As a seasoned firewall admin I thought I knew what I was doing as I started throwing random firewall rules into my new UDM, and it wasn't working! This makes loads of sense and I'm excited to try it… Also these states look like iptables states, so that'll be the next thing I start researching! Thanks for the great breakdown 🎉

    • @ethernetblueprint 6 months ago

      I hope it is helpful to you. Thanks for sharing!

  • @davidweiner3365 6 months ago

    Great Video : But a question, in the Port Group "BLOCK IOT to other Gateways" you included 192.168.3.1. Your VLAN list did not include a network 3, you did change to 99 for the guest network. Did you really mean to include 192.168.99.1 instead of 192.168.3.1 in that group?

    • @ethernetblueprint 6 months ago

      No, that was an error on my part. I have had so many setups over the years, I think I just confused myself. Sorry if it caused any confusion with your setup. (Also, sorry for the delayed response. For some reason, this message went into my "held for review" category and I didn't check that until now.)

  • @cacophony6963 3 months ago

    Great tutorial, but one question:
    I followed your exact approach yet I'm able to ping other devices on the IOT network while on the IOT network. I thought that should have been blocked based on the rules? I'm using a new UCG Ultra running latest software.

    • @ethernetblueprint 3 months ago

      With these rules, you should be able to ping and communicate within the IOT VLAN. That's normal. You shouldn't be able to reach other VLANs or get to the IOT gateway on ports 80, 443 and 22. If you were to do device isolation, then you'd achieve what you're talking about. Hope that makes sense.

  • @photosbykehinde 7 months ago +1

    Thank you for this walkthrough. I've struggled trying to configure the UDMP and you made it simple and straightforward.

  • @EuroPC4711 6 months ago +1

    Thank you! You’re the first, explaining vlans so that I understand it.

  • @MenoClause 4 months ago

    Absolutely incredible video! I have a question on how you set up your printers specifically. I read that putting them on their own VLAN is the way to go, and as someone who is learning I would love to try and do that, but I was having issues getting it to communicate with my other devices on my other VLANs. Do you have any recommendations on firewall rules or should I just throw it on the IOT VLAN?

    • @ethernetblueprint 4 months ago

      Follow up question, with the rules I put in that video, if you did have them in the IOT VLAN, are you able to communicate with them from the main VLANs?

  • @aaronweber7031 5 months ago

    Of course I will test this when I have time, but will the "Drop Private to Private" rule affect devices on the same network, or only those attempting to route to other networks? I'm thinking about devices like Sonos that "talk to each other" (multicast, I believe). I suppose I should check how to add Sonos to the IOT network anyway, because there's some auto-discovery between the app and the devices, and if my phone is on my default network, IDK if it can find the players.

    • @ethernetblueprint 5 months ago

      So a couple things here. 1) No, it will not affect same-network devices talking to each other since they don't traverse the firewall. 2) With Sonos, even though it's a smart device, I have found that you have a better experience if you put Sonos on the same network as your phones. The rules to make Sonos work across VLANs can get complicated and still might not work that great. In most cases, most devices that use multicast like Chromecasts will work with these rules but you need to enable mDNS…

  • @jadan2000 4 months ago

    Question about the IOT VLAN. If you control your IoT devices with mobile apps, does your phone have to be in the IoT VLAN in your situation?

    • @ethernetblueprint 4 months ago +1

      It does not in most cases. If your phone is on your default network and mDNS is enabled, with these rules, it should be able to control your IOT devices. However, there can be exceptions depending on the technology of the device and how it communicates on the network.

  • @LordSaliss 6 months ago

    If the network has an L3 switch and you set the VLAN network to use that switch as its router (go to networks -> select network -> router dropdown -> select L3 switch as router for the network) to make VLAN routing happen at the L3 switch level instead of in the gateway/firewall, then these firewall rules won't have any effect, correct? You can keep that VLAN from being able to talk to other devices on different VLANs by checking the "Isolate Network (ACL)" box under advanced settings for that network, but is there any way to really make custom rules to allow one device to talk to another but not the other things on that VLAN?
    My example would be I want my UNVR, cameras, doorbell, and chime to all be on VLAN 30, I want the cameras and such to never be able to access any other VLANs and no one on the other VLAN to be able to type the IP and directly access a camera, but I do want the UNVR to be able to access VLAN 1 where the Cloud Key is located so it can be managed properly by the controller and show up in the web management interface for my whole Unifi network.

    • @spx2338 6 months ago

      Using the UDM as router between VLANs you get terrible speeds if you want to copy data between those networks. If your L3 switch supports ACLs you have to use them to allow/block traffic between VLANs. The L3 switches of ubnt are way too expensive.

  • @alfdav 4 months ago

    I went to your site to purchase one of your services but it says to wait after May 1st. Today is the 5th and site hasn't updated. I need help with some misconfiguration (I think) on my UDM Pro some sites are not resolving for me. It looks like DNS issues.

    • @ethernetblueprint
      @ethernetblueprint  4 months ago

      Shoot... thanks for reminding me. I may have to push back that date because I don't have a ton of free time for new home building projects... however I may be able to help you out... why don't you email me at tim@ethernetblueprint.com and remind me that it is from this comment and we can work out a time to look into your issue...

  • @theexpatgunner
    @theexpatgunner 2 months ago

    Great information. I've just started getting into the UniFi ecosystem with a Cloud Gateway Ultra. Certainly feels like a massive upgrade in terms of features and capabilities over my standard WiFi 6 router, which is now being converted to a temporary access point. I've set a VLAN for wired devices and one for wireless for now to add some degree of separation. Once I add a UniFi AP then I can add separate VLANs for IoT and Guests.

    • @ethernetblueprint
      @ethernetblueprint  2 months ago

      Awesome... This is great. Make sure you watch my VLANs and Switching video to ensure your switch is set up the way you want it too. That video complements this one. Congrats!

  • @rapha5586
    @rapha5586 2 months ago

    Man nice video, makes a lot of sense and the whole thing super easy to learn. Much appreciated!! Thanks a bunch :)

    • @ethernetblueprint
      @ethernetblueprint  2 months ago

      Thanks for watching and for the compliment. I’m happy to share.

  • @Serafiniush1
    @Serafiniush1 4 months ago

    Hi. Great video, but one part confuses me a bit. At the 33:42 mark you add the 192.168.3.1 address, which I don't really know what it corresponds to. Was the 192.168.99.1 intended as the Guest VLAN gateway? Other than that you made my configuration process a lot easier. Thank you.

    • @ethernetblueprint
      @ethernetblueprint  4 months ago +1

      You are correct... I am so sorry that was confusing. The 3.1 address was a mistake. That was supposed to be the 99.1 for the guest gateway... Sorry about that and good catch!

  • @hakanwigstrom9832
    @hakanwigstrom9832 6 months ago

    Hi,
    Nice video. I wonder how I will get my IOT clients to join my IOT network. As it is, all my clients are on my Default network. I am able to log in with my phone to the IOT network and it shows up on IOT, but how will this be done with, say, a speaker?

    • @ethernetblueprint
      @ethernetblueprint  6 months ago

      It depends on the IOT device... many of them have bluetooth on board to help with setup... however, if that isn't an option, you can join your phone to the IOT network temporarily for setup. I had to do this with my MyQ garage door system. Once I had it connected, I moved my phone back to my default network and everything works like it should.

  • @larrameburger
    @larrameburger 3 months ago

    Thanks for this great video, but I have a question about the rule to block the IOT network from its own gateway: why can't you just combine it into one group with the port group? It seems redundant to create a separate rule for this.

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      I actually need to test this a little more. I have a lot of people ask me this question and to be honest, this is the way I have always done it and have never just blocked the gateway. I will have to test and get back to the group!

  • @tv175s3
    @tv175s3 3 months ago

    v8.2 is again a lot different, i.e. with guest AND network isolation. Ping to Windows PCs in another VLAN doesn't seem to work as standard. Not sure why?

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      Damn Unifi... always changing things. If you want to email me at tim@ethernetblueprint.com, I can give a little further help if you like. Just let me know which comment you were on, for reference.

  • @cue03
    @cue03 6 months ago

    These are all local stuff. And if my phone and all its apps are on the default network I assume all my apps will work such as homekit, lutron, anker/eufy cameras, thermostats etc through their native apps. What happens when I am away from home (work, vacation etc)? Will I be able to use the native apps on my phone to get to lutron, homekit, thermostat and cameras?

    • @ethernetblueprint
      @ethernetblueprint  6 months ago

      If the apps typically allow you to run them natively when away from the house then yes, that should still work. These rules should not affect that.

  • @joshuaskaggs11
    @joshuaskaggs11 5 months ago

    Question: if I select isolate network, will that override ANY allow rules I put in the firewall? I am trying to share a DNS server across vlans and no matter the rule I put in place it does not work….only thing I can think of is I have isolate network selected for my iot.

    • @ethernetblueprint
      @ethernetblueprint  5 months ago

      Yes. The isolate network will override the firewall rules... You will need to uncheck that to allow communication with that VLAN.

  • @jamessaunders6439
    @jamessaunders6439 2 months ago

    This is great. I did find one more thing that needs consideration from the IOT network. If you run the network controller on a local PC like I do, then that is also accessible from the IOT network and needs to be blocked in the firewall, much like the gateway access was done.

    • @ethernetblueprint
      @ethernetblueprint  2 months ago +1

      Great call out! Thanks for sharing with the viewers. I did forget about that!

  • @jonesdh63
    @jonesdh63 3 months ago

    This is great but I get an error saying 443 cannot be blocked as it is used by direct remote connect feature - even though it is only related to the IoT network!

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      I have run into this before. The fix for this is to turn off Direct Remote Access (yes, you will still have remote access to your device). Leave the network application and go to your OS Settings --> Console Settings --> Direct Remote Access checkbox (towards the bottom of the page); you can just uncheck that box and you won't get that error anymore.

  • @MikeVaughn-dg6tk
    @MikeVaughn-dg6tk 5 months ago

    So if I create a VLAN for voice, do I tag the ports that the VOIP phones use to force them to use that VLAN?

    • @ethernetblueprint
      @ethernetblueprint  5 months ago

      Watch that video I referenced in the other comment... when you are assigning your VLANs, you will need to go into the Manual settings below that and there is a VoIP checkbox which allows you to select your Voice VLAN and assign it to a port on your Unifi switch.

  • @Joshawa
    @Joshawa 4 days ago

    For the block IOT access to other gateways rule, didn't you make guest 192.168.99.1? Why did you put 192.168.3.1 in there?

    • @ethernetblueprint
      @ethernetblueprint  2 days ago

      Yes I did and that was an oversight in that video. I am sorry for the confusion. When I redid the video in my Newbie Series which is in my playlist (VLANs is Video #4), I corrected my mistake and gave my viewers a downloadable PDF that they can take with them when setting up their systems. Sorry for my mistake here...

    • @Joshawa
      @Joshawa 2 days ago +1

      @@ethernetblueprint oh gotcha no worries I was just trying to be sure I wasn't misunderstanding something thank you!

  • @TheGuitarpro3
    @TheGuitarpro3 7 months ago +1

    Maybe it went over my head or I'm too stupid... why didn't you include the IoT gateway in the same group as the other gateway IP addresses and just block it that way? I'm assuming because it will block all access to the IoT VLAN, so you have to specify which ports to block that communicate with the IoT gateway IP?

    • @technolucas3720
      @technolucas3720 7 months ago

      I thought the same thing

    • @ethernetblueprint
      @ethernetblueprint  7 months ago +2

      Good question. I agree that it can be a little confusing. You are correct though; we don't want to block the IOT gateway from the IOT network. We only want to block http, https and ssh access to the IOT gateway, so we have to do that with ports. Sorry if that wasn't explained well enough in the video.

    • @TheGuitarpro3
      @TheGuitarpro3 7 months ago

      @@ethernetblueprint No worries - thanks for confirming. I'm actually configuring my own UDM Pro at the moment and your videos are a huge help. I appreciate it!

  • @MikeVaughn-dg6tk
    @MikeVaughn-dg6tk 5 months ago

    Do I also need to create the VLANs on my USW & USW Pro devices?

    • @ethernetblueprint
      @ethernetblueprint  5 months ago

      Not if they are Unifi... They will just learn them from the controller... However, if you want to assign a VLAN to a port, you will still need to do that... Check out my VLANs on Unifi Switches video to help with that!

  • @crxtasy12
    @crxtasy12 23 days ago

    This works great with a WiFi device, but how does it do with Thread/Matter devices?

    • @ethernetblueprint
      @ethernetblueprint  23 days ago

      I don’t have much personal experience with these devices yet. I have read there can be some unique challenges. As I set up Home Assistant in my home, I do plan to deploy some and may be able to offer more insight. Sorry I don't have more information than that.

  • @meRyanP
    @meRyanP 4 months ago

    Can't I just make a gateway group and then block the IoT network from that group? Doesn't that block the IoT from all gateway addresses? I don't understand why there is a need for the Other Gateways rule and then the IoT to its gateway rule using ports.

    • @ethernetblueprint
      @ethernetblueprint  4 months ago

      You can try it but I don't think you want to block the IOT network from its own gateway on all ports. I honestly haven't done it before so I don't know if that will block access to the internet or not.

    • @meRyanP
      @meRyanP 4 months ago

      @@ethernetblueprint Thanks! I did try it and everything is working fine. I see the IoT devices do try to access their gateway at a regular interval in the "triggers" log, but everything is working as expected so far.

  • @MikeVaughn-dg6tk
    @MikeVaughn-dg6tk 5 months ago

    Do I tag ports with the VLAN I want devices to use?

    • @ethernetblueprint
      @ethernetblueprint  5 months ago

      Check out this video which covers that.... ruclips.net/video/PdYgB_84ejg/видео.html

  • @commonwealth6
    @commonwealth6 3 months ago

    Thanks. I learned something new today.

  • @mazstojan8889
    @mazstojan8889 3 months ago

    Hi, I have a unifi controller and have created a default LAN as normal and a guest LAN to work with guest WiFi and 1 default WiFi... perfect, when guests come over they use guest and work laptops go on guest also, simple... BUT I want to set up another VLAN and WiFi called TESTLAN & TESTLAN WIFI so I can connect test laptops and PCs that have internet and can only talk on TESTLAN, not default. Please, I'm struggling to set this up as the current TESTLAN & TESTLAN WIFI can talk to my default LAN & WiFi devices also... please help, I want full separation on the test LAN please.
    I think I can do it with a firewall rule on LAN but not sure how!

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      The easy way to do this is to create your new VLAN and check the isolate network in the advanced settings on that screen. This will allow your devices on that network to communicate with each other, but not with the other parts of the network. No firewall rules to set. just a simple checkbox.

    • @mazstojan8889
      @mazstojan8889 3 months ago

      @ethernetblueprint thank you, I don't have that option in the settings, nor do I have a no internet option. In the end I just had to create a firewall rule on LAN In to drop all :) works well

  • @wheresmymaitai
    @wheresmymaitai 4 months ago

    Thank you so much. After watching several videos and web-based walk-throughs, I could not get things working 100% - finally scrapped it and went through your video and presto, everything is working. I have my IoT and cameras on separate VLANs as well as my Guest network. Tested, retested and everything is communicating as it should and blocked as it should.
    I am getting a ton of DROP invalid state trigger events for various devices I have, mostly Apple ones (HomePods, Apple TVs, iPads, iPhones) as well as some outdoor eufy cams. Within an hour I’m seeing 60 plus triggers, 95% are Apple devices. This seems excessive, but I’m unsure if this is anything to be concerned about.

    • @ethernetblueprint
      @ethernetblueprint  4 months ago +1

      I have read that can be common and a lot of times it’s from a malformed packet. I get a lot of those too. It has never presented an issue.

    • @wheresmymaitai
      @wheresmymaitai 4 months ago

      @@ethernetblueprint Thanks once again! I'll just ignore those and move on.

  • @davidbacon4963
    @davidbacon4963 4 months ago

    Thank you! This is the bomb-diddly!!!!
    I have attempted this in 3 prior efforts with compromised results. After testing, I am now convinced that my IoT is configured as I had hoped. Not being a Net Admin type, the explanations were matched nicely with the recipes. A fantastic balance!
    An excellent time investment. Thank you again!!
    One small suggestion that would have completed my setup.... the recipe to expose the printer on the default VLAN to those connected to the Guest VLAN. BUT, I have enough knowledge now (from the camera examples?) to try to pull that off. Did I learn to fish??? ;-)

    • @davidbacon4963
      @davidbacon4963 4 months ago

      Rel 8.1.127
      Tried configuring the printer. Let it be used from the Guest VLAN. Created the rule. It can't be moved above the "Drop All Private IP Communication" rule, as you stressed.
      LAN Local, Accept, Source = Guest, Destination = Default, IPv4 for both, Match state = New, Established
      Connect an iPad to Guest. Apps don't find a printer.
      Thoughts? Suggestions?

    • @ethernetblueprint
      @ethernetblueprint  4 months ago

      Printing depends on a couple of factors, but there are a couple of things you can try... However, I will warn you that not all printers play well with VLANs...
      1) Make sure mDNS is enabled and is allowing the VLANs that need to talk to each other. Some printers use this to communicate with their devices.
      2) I would edit your rule and try the following... put the printer IP in an IP group by itself... then try the rule
      'LAN Local, Accept, Source = Guest, Destination Port/IP Group' and choose your printer... don't add the new, established... just leave that out...
      Also make sure that your new printer rule is above the 'Drop all private IP' rules that you created earlier... They run in order and you don't want the traffic blocked before it hits your rule.

  • @giuseppedifilippo7468
    @giuseppedifilippo7468 1 month ago

    you can make a baby do it! thank you very much!

  • @danielmontanez7029
    @danielmontanez7029 8 months ago +1

    Amazing tutorial! Thank you!

  • @freelance-darkspear1495
    @freelance-darkspear1495 5 months ago

    Nice walk-through. Still following it and slowly setting things up, but it is helping a lot. My only so far is I have the Cloud Gateway Ultra and in it the options are Guest Network and Isolate Network compared to your "Isolation" when setting up the guest VLAN. Do I check both of these or just guest or just isolation?

    • @ethernetblueprint
      @ethernetblueprint  5 months ago +1

      Unifi loves to change their own wording... For a guest network you can check either one... but you don't need to check both. If you check the Guest Network box, you will be able to set up a guest portal page for your guests to use in the Hotspot manager... If you check the Isolate Network box, then it will just lock it down and not give any additional guest portal features... Hope that makes sense!

    • @freelance-darkspear1495
      @freelance-darkspear1495 4 months ago

      @@ethernetblueprint Ha ha, thanks for the reply. I did end up checking both at the time I think.
      Another new thing I've recently discovered is that when it comes to VLANs, if you're using a switch other than a Ubiquiti one there is no way to have some devices on VLAN 1 and others on VLAN 2, as they are all tagged on the VLAN set in the port for untagged traffic.
      Which is mildly annoying as I then need to pick up more of their kit, just to put something on a particular VLAN instead of getting it and building in time.
      Unless.... you happen to know of a way? :D

  • @IzangsVlog
    @IzangsVlog 4 months ago

    Thank you sir, count me in as your subscriber.

  • @saulgoodman8548
    @saulgoodman8548 2 months ago

    Ur goated bro. Thanks for this

  • @BreakRoomParty
    @BreakRoomParty 3 months ago

    I followed this closely, but in my case my traffic from Default to IOT is getting dropped by the catch-all rule... Though clearly ABOVE it I have allow from default network to All Private IPs. The log confirms it is the catch-all denial that is dropping it.

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      Why don't you email me at tim@ethernetblueprint.com and let's see if we can figure out what is going on... Too hard to fix in the comment section.

    • @BreakRoomParty
      @BreakRoomParty 3 months ago

      I think it was because I have a UDM and then a USW downstream, and my VLANs were set up on the USW. I guess I was thinking the further downstream the better. However this made devices I connected via AP show up with no network at all? I will take you up on that email but wanted to leave this comment for the next person who might have this issue.

    • @ethernetblueprint
      @ethernetblueprint  2 months ago

      Thanks for the comment! Always good to help others who are trying to do the same thing.

  • @shawnhank
    @shawnhank 6 months ago

    Hi, Tim.
    Great, Great, three times more GREAT job on this and the VLANs on a Unifi Switch Video (ruclips.net/video/PdYgB_84ejg/видео.htmlsi=en2wNhHCtQvbUz1C).
    There are a lot of well-intentioned, but poorly implemented video walk-throughs masking themselves as Unifi "tutorials." It's not their fault, but time advances, software changes, and all the pre-8.x Network content is rendered obsolete (for those that aren't on the latest GA releases).
    I've watched a ton of Unifi videos from Techno Tim (software engineer), Tom (IT services business owner) over at Lawrence Systems, Leader Academy and many others, and they now pale in comparison to these high quality videos!!👏🏻👏🏻👏🏻👏🏻👏🏻
    I wonder how long it took you to record, and then edit this 41-minute masterpiece? Care to give us a little behind the scenes info?
    I've got a suggestion for a future video when you have the time and if you find it worth your while: VPNs, VPNs, VPNs!!! Covering Teleport, VPN Server, VPN Client and Site-to-Site VPN to the same detail and degree that you've done here.
    SUBSCRIBED!

    • @ethernetblueprint
      @ethernetblueprint  6 months ago +1

      Thanks so much for your kind words. I plan on updating this VLAN Video as new releases come out because Unifi does change their interface quite a bit.
      To answer your question, a video like this takes more planning ahead of time than it does to actually record it. Although, I am not a natural speaker so I have a lot of mess-ups that need to be rerecorded. I would say overall this video probably took me 6-7 hours to plan, write, implement and edit, but that is a guess. I truly enjoy doing it so I don't look at the clock much. And it is comments like this that make it 100% worth it to me. I love helping people.
      That is a great suggestion for videos. You will be happy to know that I have some VPN Videos in the works and plan on doing a couple videos on them in the upcoming future. It is a little tricky at my home because I have Verizon 5G home internet and will need to work through some of the NAT challenges on their hardware. Thanks again for your kind words and feedback! I will do my best not to let you down!

  • @chrisccs2112
    @chrisccs2112 3 months ago

    One of the best, if not the best, unifi firewall tutorial on youtube. You explain it so well!!
    Question for you: I didn't need to block the ssh, http, https ports on my VLAN gateways, I just blocked the gateway IPs.
    Did you block the ports just for that extra security? Thanks!

    • @ethernetblueprint
      @ethernetblueprint  3 months ago +1

      Thanks for the watch and compliment. The local rules are there just to block access to the gateway when on the restricted VLANs. If the rule you created does the same thing, then you don't need them. I would double check though that you can't access the gateway from your restricted VLANs. I have never just blocked the gateway as I don't know what that will do.... But I have had so many people ask me that I think I am going to test it and see what happens. Thanks again for the comment!

    • @chrisccs2112
      @chrisccs2112 3 months ago +1

      @@ethernetblueprint
      Thanks for the quick reply.
      So I blocked the IOT vlan from accessing the IOT gateway by just blocking the IOT gateway IP. I never blocked the ports. It works perfectly.
      Should I block the ports as extra security?

    • @ethernetblueprint
      @ethernetblueprint  3 months ago +1

      If you can't access the device via its local IP address, then I would say problem solved...

  • @cmuench
    @cmuench 13 days ago

    Great tutorial. Thanks.

  • @PRS-0317
    @PRS-0317 21 days ago

    Confused - setting up VLANs on Unifi is not enough to access those networks - you have to configure the switch ports for tagged/trunk too, yes?

    • @ethernetblueprint
      @ethernetblueprint  20 days ago +1

      Yes true. I have a separate video that shows that part. This video is Wi-Fi driven.

    • @PRS-0317
      @PRS-0317 20 days ago

      @@ethernetblueprint I just found that! Thank you. The tag lines for this video said "Start here!" but I should have just gone to your channel and looked closer at the titles. 😁

    • @ethernetblueprint
      @ethernetblueprint  19 days ago

      Glad you found it...

  • @davidrmays8867
    @davidrmays8867 2 months ago

    Thank you so much for this. Been searching for a logical and more importantly logical explanation of the logic. My first venture into VLANs as our collection of IoT devices is growing! Now have to figure out how to assign MAC address of wired device to VLAN.....via a Ubiquiti Express - Thanks again

    • @ethernetblueprint
      @ethernetblueprint  2 months ago

      I'm glad this video helped... I have a new series coming out that goes over FW rules too and it has more detail in it. Hoping to help as many as I can.

  • @jamessapp4679
    @jamessapp4679 7 months ago

    When setting up VLANs, SSIDs for separate WiFis (or Private Pre-Shared Keys) and firewall rules on an already existing network, do you recommend changing DHCP lease times to short intervals (say a minute or so) while testing the network/client connections, and afterwards changing the DHCP lease time back to the default setting of one day?

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      I personally haven't done this for my networks. What is your reason for asking? Is there something that isn't happening by leaving the defaults in there?

    • @jamessapp4679
      @jamessapp4679 7 months ago

      @@ethernetblueprint
      My thought was that clients that would be moving from the default LAN to a VLAN would obtain IP addresses faster, allowing me to check whether things are working correctly and perhaps having to reboot the network less frequently.

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      Typically when a device goes from one network to the other, it will trigger an IP request. Now this can depend on the client as some devices don't always do a great job at this. (I've seen this with smart light switches)... I don't know that I would change the lease time setting to combat something that doesn't happen that often. However, your specific case may sway you the other direction. Keep me posted though. I like to learn!

  • @PODLine
    @PODLine 8 months ago

    I don't own any Unifi products (yet), just asking out of curiosity...
    1) So Unifi accepts all traffic by default, and you add rules to block. Does it also accept all for ipv6, so basically all the blocking rules you created can be avoided between devices that use ipv6?
    2) For the Unifi Gateway Lite, I guess you would need to combine that with a layer 2 switch to handle those VLANs, right?
    3) Why is blocking traffic to the gateway so interesting? Isn't the Unifi Controller (which doesn't have to be the gateway) the admin of everything and therefore much more valuable to protect?
    Thanks for the video 🙂

    • @ethernetblueprint
      @ethernetblueprint  8 months ago

      Thanks for watching... Let me see if I can answer these for you...
      1) There are separate ipv6 firewall rules that would need to be created in order to block that traffic. Yes, it allows everything by default.
      2) All the Unifi switches are smart switches and can handle VLANs (even the $29 Flex Mini 5 port switch). If you plan on using a different brand of switch, it would need to be able to do VLANing. I will be doing a video on mixing different brand devices at some point.
      3) In the case of the UXG Lite, the controller is another device and it should be protected like we did with the router in this video... However, with the UDM series, the controller and the router are the same device, which is why I did it the way I did.
      Hopefully that makes sense!
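
Two points come up again and again in this thread: the firewall chain is evaluated top to bottom and the first match wins (so a printer or camera allow rule placed below "Drop all private IP" never fires, as in the printer thread above), and the IPv4 rules in the video say nothing about IPv6, which UniFi also accepts by default (the question answered just above). The following is an added example, not code from the video or from Ubiquiti: a small first-match evaluator written for this page that models those two behaviours plus the port-based "block IoT to its own gateway" rule. The subnets, host addresses and the IPv6 ULA addresses are constructed lab values (only the 192.168.99.1 guest gateway comes from the thread), and the split between a LAN In chain for routed traffic and a LAN Local chain for traffic addressed to the gateway itself mirrors how the UniFi rule tabs are organised.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab addressing for this example (not the video's values, apart
# from the 192.168.99.1 guest gateway the thread settles on).
DEFAULT_NET = "192.168.1.0/24"
IOT_NET = "192.168.20.0/24"
GUEST_NET = "192.168.99.0/24"
IOT_GW = "192.168.20.1"
PRINTER = "192.168.1.50"
GATEWAY_IPS = {"192.168.1.1", IOT_GW, "192.168.99.1"}
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int

    @property
    def family(self) -> str:
        return "ipv6" if ip_address(self.src).version == 6 else "ipv4"


@dataclass
class Rule:
    name: str
    action: str            # "accept" or "drop"
    src: tuple = ()        # source CIDRs; empty means any
    dst: tuple = ()        # destination CIDRs; empty means any
    dports: tuple = ()     # destination ports; empty means any
    family: str = "ipv4"   # an IPv4 rule never sees IPv6 traffic

    def matches(self, pkt: Packet) -> bool:
        if pkt.family != self.family:
            return False
        if self.src and not any(ip_address(pkt.src) in ip_network(n) for n in self.src):
            return False
        if self.dst and not any(ip_address(pkt.dst) in ip_network(n) for n in self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(chain, pkt: Packet, default: str = "accept"):
    """Walk one chain top to bottom; the first matching rule decides.
    UniFi accepts by default, so a packet that matches nothing is accepted."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "chain default"


def firewall(lan_in, lan_local, pkt: Packet):
    """Traffic addressed to a gateway IP goes to LAN Local; routed traffic to LAN In."""
    chain = lan_local if pkt.dst in GATEWAY_IPS else lan_in
    return evaluate(chain, pkt)


# The three rules the thread discusses, rebuilt for the constructed lab.
ALLOW_PRINTER = Rule("Allow Guest to printer", "accept",
                     src=(GUEST_NET,), dst=(PRINTER + "/32",))
DROP_PRIVATE = Rule("Drop all private IP communication", "drop",
                    src=(GUEST_NET, IOT_NET), dst=RFC1918)
BLOCK_IOT_GW_MGMT = Rule("Block IoT to own gateway mgmt", "drop",
                         src=(IOT_NET,), dst=(IOT_GW + "/32",), dports=(22, 80, 443))


def run_scenarios() -> dict:
    guest_print = Packet("192.168.99.23", PRINTER, 631)        # IPP from a guest iPad
    iot_mgmt = Packet("192.168.20.40", IOT_GW, 443)            # IoT device hitting the gateway UI
    iot_dns = Packet("192.168.20.40", IOT_GW, 53)              # same device asking the gateway for DNS
    guest_print_v6 = Packet("fd00:99::23", "fd00:1::50", 631)  # constructed ULA addresses

    local = [BLOCK_IOT_GW_MGMT]
    return {
        # allow rule sitting below the drop is never reached
        "printer_rule_below_drop": firewall([DROP_PRIVATE, ALLOW_PRINTER], local, guest_print),
        # allow rule above the drop is hit first
        "printer_rule_above_drop": firewall([ALLOW_PRINTER, DROP_PRIVATE], local, guest_print),
        # port-based rule blocks management of the IoT gateway...
        "iot_gateway_https": firewall([DROP_PRIVATE], local, iot_mgmt),
        # ...while DNS to the same gateway still passes
        "iot_gateway_dns": firewall([DROP_PRIVATE], local, iot_dns),
        # IPv4 rules do not match IPv6 traffic, so the chain default applies
        "printer_over_ipv6": firewall([ALLOW_PRINTER, DROP_PRIVATE], local, guest_print_v6),
    }


if __name__ == "__main__":
    for name, (action, rule) in run_scenarios().items():
        print(f"{name:26s} -> {action:6s} ({rule})")
```

The last scenario is the one worth checking on a real deployment: if IPv6 is enabled on the guest or IoT networks, the IPv4 "drop all private" rule does nothing for that traffic, and an equivalent rule is needed on the IPv6 side.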

  • @InstantsOrdinaires
    @InstantsOrdinaires 7 months ago

    Very good explanation. It's also nice to have a video with the latest versions of the Unifi console & network application. Overall the explanations are very good & your test lab is a good example as a starting point. To be more specific with UniFi, I believe that you should have addressed how to set up a Unifi PoE+ camera on a specific VLAN for video surveillance, as many Unifi customers will have Unifi Protect and Unifi cameras. In this case would you keep the Protect UNVR in the default or in the specific cameras VLAN?

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      Great point. I have that video in the hopper. I agree 100%.

  • @LordSaliss
    @LordSaliss 6 months ago

    Thanks for the best video about VLANs on the current UniFi interface layout.
    Unifi is about to release (ETA 1-2 months) a new EA firmware version that will bring a lot of options for ACL rules to L3 switches. If you have an L3 switch around, could you do a detailed video on those rules and the setup once the new firmware releases?

    • @ethernetblueprint
      @ethernetblueprint  6 months ago +1

      First off, thanks for your tremendous generosity. I will have to look into the Layer 3 switch though as I don't use them much. Appreciate the awareness though. More to come.

  • @davidweiner3365
    @davidweiner3365 6 months ago

    Outstanding video..... I have a USG and 3 access points, and want to keep Guests, IOT, and my default all separate, so your video hit a sweet spot for me. I'm very concerned about getting hacked thru IOT (like Wyze) and this helped to show how to block the IOT to the gateways. I'll probably have to watch it a few more times to get it right, but thank you.

    • @ethernetblueprint
      @ethernetblueprint  6 months ago

      You are quite welcome. I am happy that it helped!

  • @NathanielBland
    @NathanielBland 2 months ago

    You may not claim to be an educator, but I am and you did a superb job. Came to see this method on the new interface and this was a great video and you have an excellent way of speaking for these. One idea you might do would be to provide a firewall rule summary in a PDF or something to make reference easier. Maybe even make this a part of a subscription if you wanted to monetize it. Anyway, good job.

    • @ethernetblueprint
      @ethernetblueprint  2 months ago

      I appreciate your kind words. I should include a PDF. Good suggestion.

  • @keifer39
    @keifer39 3 months ago

    You easily earned a sub for this. I'm very new to unifi gateways after using pfsense for years and firewalla for a few months this was just what I needed after getting my UDM Pro SE up and running yesterday. I had my pfsense dialed in for years, but I wanted to get a more user-friendly network solution for my home just in case something happens to me. This tutorial is solid and I'll be employing much of this ruleset to my network to start as my basic setup is very similar to your example. Great job and Thanks!

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      Wow. Thank you very much. I am very pleased to hear that it helped you! Thanks for the sub!

  • @brianbuell975
    @brianbuell975 5 months ago

    Really great stuff. Love that you used the latest version.
    FYI - WiFi Private Pre-Shared Key is not supported on 6 GHz WiFi

    • @ethernetblueprint
      @ethernetblueprint  5 months ago

      Thanks so much. And that’s good to know about the pre-shared key and 6 GHz. I wasn’t aware of that.

  • @adampozek
    @adampozek 7 months ago

    I just discovered your channel and have been watching all your UniFi related videos. This is one of your best! Thank you for taking the time to make all of them.
    Possibly stupid question...do these firewall rules with respect to the IoT network interfere with my ability to control those devices remotely from my smartphone? I know that the default network can communicate with the IoT network, but my phone would not be on the default network if I am away. So for example, would I be able to use Apple Home to remotely lock my front door while I am on vacation, or adjust the thermostat, etc.? Or would the firewall rules prevent that?

    • @ethernetblueprint
      @ethernetblueprint  7 months ago +2

      Glad I’ve been able to help. To answer your question about HomeKit, yes you can still control things when you’re away from home even if the devices are on the IOT network. I don’t have a ton of experience with this yet, but I’m in the process of setting up Home Assistant with Apple HomeKit and will have to do more testing. So far I have the Philips Hue lights hub on my IOT network running in HomeKit and it works great remotely using these exact firewall rules. More to come though.

  • @MatiRezyser
    @MatiRezyser 1 month ago

    One of my friends said many years ago to his boss: "for thank you I won't feed my family". So please take a small tip from me with huge words of appreciation. Great tutorial, it was very helpful with my first steps into Unifi :)

    • @ethernetblueprint
      @ethernetblueprint  1 month ago

      Thank you very much for your kind words and generosity. I'm glad I was able to help you out!

  • @paulstemmler9879
    @paulstemmler9879 4 months ago

    Thank you. I tried to follow but I couldn’t get my cameras to work. Should my NVR be in the IoT network?

    • @ethernetblueprint
      @ethernetblueprint  4 months ago +1

      I didn't make cameras a part of this video... when I do my next "refresh" of it, I will add them in just so people have a reference. Personally, I would recommend putting your cameras and NVR on their own Camera network... and not have them be on the IOT... But the situation, setup and types of cameras all can play into this decision... may need a little more info....

    • @paulstemmler9879
      @paulstemmler9879 4 months ago

      @@ethernetblueprint thank you for getting back to me. I’m retired military and I’ve had to install a rack of cameras around my house due to problems with my neighbors. I have two cameras that are wired by ethernet and 10 G4 Instants around the house. I really appreciate your video. It was the first time I’ve seen one that actually allowed me to understand how it’s set up for firewall, etc. I looked at your website. I was gonna try emailing you but noticed that I couldn’t do that. My house is already constructed so adding ethernet connections for the remaining cameras would be way too expensive for me. I look forward to seeing your next video.

    • @ethernetblueprint
      @ethernetblueprint  4 months ago

      Just so you know, I do talk about cameras on the VLANs on a Unifi Switch video that I did recently... If you ever have any questions that need further explanation, email me at tim@ethernetblueprint.com and I will try to help where I can...

  • @hanvandewal917
    @hanvandewal917 7 months ago

    Hi Tim, excellent step-by-step tutorial, followed along with you in setting it up. Thank you, concise and also sufficient details. One small thing you already mentioned: Ubiquiti changes things, and I am running version 8.0.28. In this version there is no upper tab / bookmark line anymore with items like LAN-In, LAN-Out etc. Greetings from Amsterdam.

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      Maybe I am looking in a different place from what you are talking about?? I don't see any changes in 8.0.28 from what I showed on the video. Can you help me find what is missing now?

  • @jamessapp4679
    @jamessapp4679 7 months ago

    Do you recommend using fixed IP addresses for devices and clients when setting up firewall rules and groups, especially if there will be a rule allowing a specific IOT client to talk to a specific device in the trusted network? Currently, I have a few fixed IP addresses for some of my Unifi devices, but I let DHCP hand out IPs to other devices and all clients.

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      I do use some static IPs (or IP reservations) in my setups. Cameras, NAS, printers... If I have a 1:1 rule that allows a device to communicate with another device in a different VLAN, I will usually reserve those IPs so they don't change and break my rule. But for the most part, I let DHCP run most of my IP addressing.

  • @jrabbott34
    @jrabbott34 8 months ago

    Tim, I'm struggling with OpenVPN for ANY Linux distro. It keeps prompting for authentication when I have imported the .ovpn file into ANY Linux distro and try to connect. The same export of the config file works and connects on my phone. Can't seem to get the exports of OVPN or WireGuard to work on Linux though. WireGuard only connects with IPv6 and OVPN keeps throwing the pop-up to provide an authentication password. I've watched multiple videos and looked at multiple threads and can't lick this issue. Thoughts on a video on the VPN server and exporting the config and importing it into a Linux distro?

    • @ethernetblueprint
      @ethernetblueprint  8 months ago +1

      I am sorry to say that I don't know much about Linux so I don't think I'd be much help there.

  • @zackberg1070
    @zackberg1070 7 months ago

    How are you putting things like Apple TV, Roku etc. on a separate VLAN? I want to make an AV VLAN for Apple TVs, our smart TV, Xbox and other things. If you could help that would be great. Also, I love your video. It helps a lot for network dummies like me. It was very easy to follow. One suggestion for you: please include a kids network in your future videos like you did in your previous video. It really helped.

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      Thanks for the reply... Let me dive into this a little bit for you.
      Once the VLAN is created, there are two ways you can get your devices to use it. 1) Create a new IOT WiFi network (or IOT passphrase like I talk about in this video), and connect those devices to that WiFi network... or 2) if they are hardlined, you would need to click on that port in the switchport settings and click the dropdown for Native VLAN / Network in the port settings. You should see the IOT VLAN listed in that list. They should pull an IP address from the IOT VLAN and follow the rules you set up.
      As far as your suggestion goes for a kids network, I have some videos coming down the pipe that covers this very subject. Thanks for watching!

  • @v6eclipse43
    @v6eclipse43 3 months ago

    What about putting Unifi cameras on a VLAN? They are POE, so they would not need a WiFi SSID or key to access that VLAN, and you would just select the VLAN on the ports they are connected to? Would this cause any issues given all the same firewall rules?

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      I like POE cameras on their own VLAN. I just didn’t make it part of this video. My next version will cover cameras better. If they aren’t Wi-Fi cameras, no SSID is necessary. Just the network and the VLAN rules. They really only need internet-only rules like the IOT ruleset.
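To make the two ideas in the replies above concrete, the "internet-only" ruleset recommended for the IOT and camera VLANs and the 1:1 allow rule that depends on a reserved IP, here is an added example that is not from the video or from Ubiquiti's software: a simplified first-match model of LAN-In style rules in Python. The VLAN subnets, the NAS reservation and the client addresses are constructed; UniFi's real rule engine (stateful matching, more match fields) is not reproduced.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Private address space: a destination in one of these is "local", anything else is "internet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "drop"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]   # None means "any RFC1918 (local) network"

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        if src_ip not in self.src:
            return False
        if self.dst is None:
            return any(dst_ip in net for net in RFC1918)
        return dst_ip in self.dst


def evaluate(rules, src: str, dst: str):
    """First matching rule wins; with no match the (constructed) default verdict is allow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return "allow", "default"


def internet_only(vlan_name: str, vlan_net: str) -> Rule:
    """Drop everything from this VLAN to any private network; internet traffic falls through to allow."""
    return Rule(f"{vlan_name} internet only", "drop", ipaddress.ip_network(vlan_net), None)


# Constructed addressing (assumptions, not from the video): IOT VLAN, camera VLAN, NAS with a reserved IP.
IOT_NET, CAM_NET, NAS_RESERVED = "192.168.20.0/24", "192.168.30.0/24", "192.168.1.50/32"

RULES = [
    Rule("IOT -> NAS (1:1)", "allow", ipaddress.ip_network(IOT_NET), ipaddress.ip_network(NAS_RESERVED)),
    internet_only("IOT", IOT_NET),       # order matters: the 1:1 allow must sit above the drop
    internet_only("Cameras", CAM_NET),
]

if __name__ == "__main__":
    for src, dst in [("192.168.20.77", "192.168.1.50"), ("192.168.20.77", "192.168.1.10"),
                     ("192.168.20.77", "203.0.113.10"), ("192.168.30.5", "192.168.1.50"),
                     ("192.168.20.77", "192.168.1.51")]:   # last case: NAS lease moved, 1:1 rule no longer matches
        print(src, "->", dst, evaluate(RULES, src, dst))
```

The last case shows why the NAS IP is reserved: if DHCP hands the NAS a different address, the 1:1 allow silently stops matching and the internet-only drop takes over.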

    • @v6eclipse43
      @v6eclipse43 3 months ago

      @ethernetblueprint Awesome, so no issues with Protect?

    • @ethernetblueprint
      @ethernetblueprint  3 months ago

      I like Protect... I will be doing some videos soon on it.

  • @kevinjackson5191
    @kevinjackson5191 8 months ago

    Thanks, great video. Question: most network engineers suggest best practice is to have the default network as a “management” VLAN and create a new VLAN for your main/corporate/internal network. You haven’t done that in this case; just wondered what your thoughts are on separating management from main networks.

    • @ethernetblueprint
      @ethernetblueprint  8 months ago

      I agree with you wholeheartedly when it comes to a small business network, and that is how I typically set those up. As a matter of fact, that is how my home network is set up. All of my equipment is on the default and my home devices are on a homeVLAN. However, from a typical home network perspective, I don't know that it is 100% necessary if you have the VLAN locked down. Either way, it is a great callout!

  • @jcast2833
    @jcast2833 7 months ago

    I am running two security systems, one via a DVR and the other Unifi Protect. Do I need to secure both camera systems or just the non-Unifi cameras?

    • @ethernetblueprint
      @ethernetblueprint  7 months ago

      I think I would secure both typically. Are the cameras on the DVR IP cameras or are they analog?

  • @rlainez
    @rlainez 8 months ago

    Tim, this was helpful to understand the importance of VLANs. I really want to do something similar, but your comment about Sonos makes me not want to proceed. I am not qualified to troubleshoot any networking and I would just end up resetting everything back to default!

    • @ethernetblueprint
      @ethernetblueprint  8 months ago

      Sonos will work great if you put it in your default network with your phones... Typically that is what I recommend even though it is less secure.