There are a lot of version of this walkthrough out there on RUclips, but (for me at least) this is the only one that took the appropriate time and amount of hand-holding that I need to not just implement the FW rules, but also to help me understand the WHY. That is huge! Thanks a ton!
Wait until you start getting into triple monitors. It's a game changer. Working with VM's on Linux? One screen for a video guide, one to interface, and another with common command templates to copy and paste. Playing video games? One screen for the game, one for discord, and another for a game guide or a map for reference. Researching a new product and comparing stuff? One screen for review videos or articles, one screen for searching product retailers, and another for documenting options and taking notes. The possibilities are endless.
I watched several videos and this is the one where things started clicking. I loved the format of showing the vulnerability, applying the fix and confirming vulnerability is negated along with clear and concise explanations during the process. I also like that the gateways were isolated. Before this video, I was struggling to figure out why I could ping my gateway addresses even though my networks were isolated and now I know. This is the first ever super thanks I have given. It’s well deserved. I’ll be adding one to the follow up video on configuring VLANs on Unifi switches. Many things clicked in that video also.
A thousand thanks for your kind words and your generosity. I do my best to try and help the newbies of the Unifi space. I love getting feedback that tells me I was able to help... All the best!
I am finally considering a Unifi setup now that their OS is more well-baked, and you had the most recent Unifi OS VLAN video, so I decided to stop by and see how things have improved over the last few years. However, I must say that this video is probably one for the best for anyone new to VLANs in general, not just VLANs on Unifi. You, sir, are the only one that “teaches one how to fish instead of just giving one a fish” by explaining the logic behind firewall rules, thus giving one the ability to not just copy your foundational firewall rules (which were spot on as the bare minimum starting point), but also gain the confidence to start coming up with their own firewall rules unique to their situation. Looking forward to joining you on this journey to learn from each other!
Glad you are using the new UI. Aside from that, what a great job of providing the list of items to change, their order and a great explanation as to why. I've watched other videos that assume way to much of the audience.
One of my friend said many years ago for his boss: "for thank you I won't feed my family". So please take small tip from me with huge words of appreciation. Great tutorial, the one was very helpful with my first steps to Unifi :)
As a seasoned firewall admin I thought I knew what I was doing as I started throwing random firewall rules into my new UDM, and it wasn’t working! This makes loads of sense and I’m excited to try it… Also these states look like iptable states, so that’ll be the next thing I start researching! Thanks for the great breakdown 🎉
Yessir, you explained it well. It's easier to understand the more advanced parts once a baseline has been understood and configured. Just what I needed as there are more and more IOTs and guests in my house these days.
I am finally getting fiber. Getting a new home network setup. Going to a dream machine. Love the idea of just one said for multiple v Lans. Goimg to save me a lot of time setting up. Thanks for the walk through.
This video is great. I've been looking into unify for a while now, but my biggest reservations about diving into it has been VLANs. I'm pretty familiar with vlans as I do IT at a large resort and everything we connect to a network has a different VLAN. Everyone says unify can do VLANs, but they don't elaborate further and I want something robust enough for firewall rules like the ones you demonstrated. My biggest concern was that unify either would not allow firewall rules, or they would be very limited. This video demonstrates the capabilities well and has shown this is exactly what I'm looking for. I plan to start ordering my components over the next couple of weeks and setting everything up and I could not be more excited.
I appreciate your kind words... Just so you know, I did a full Unifi series and even have a downloadable document for the firewall rules too... check out my playlist for that 8 part series... one video has been dedicated to FW rules...
Awesome video that has helped me start to understand a confusing subject. Had to watch it a couple of times but I now have Guest and IOT separated from the main network and all my Home Assistant stuff seems to still be working fine. Thanks for pulling this and your other videos together for plebs like me.
Awesome... if you haven't already, check out my Unifi for Newbies series in my playlist... it goes into more details on setting up your whole network from start to finish...
Thank you! I didnt know about the feature of being able to integrate multiple VLAN connections into a single SSID. Just need to work out a good time to switch!
This is exactly what i was looking for! I applied your IOT logic to a Vland for crypto mining. This way i don't compromise my default network with some shady new crypto mining software and wallets. 😂😁 Thanks you!
Yeah, super handy on the guest landing page. I appreciate the re-accepting of the Guest EULA after a period of time for a business. So you don't saturate the DHCP range. But for home use I very much like disabling so users at my house don't have to re-accept to "logon".
On the portion of the video (about 333.) where you set up group Block IOT from other gateways, you set up a group that included 192.168.1.1 and 192.168.3.1. There is no 192.168.3.1 but there is a x.x.99.1. Perhaps you meant to use 99 instead of 3?
Thanks for the best video about VLANs on current UniFi interface layout Unifi is about to release (eta 1-2 months) a new EA firmware version that will bring a lot of options for ACL rules to L3 switches. If you have an L3 switch around could you do a detailed video on those rules and the setup once the new firmware releases?
First off, thanks for your tremendous generosity. I will have to look into the Layer 3 switch though as I don't use them much. Appreciate the awareness though. More to come.
You may not claim to be an educator, but I am and you did a superb job. Came to see this method on the new interface and this was a great video and you have an excellent way of speaking for these. One idea you might do would be to provide a firewall rule summary in a PDF or something to make reference easier. Maybe even make this apart of a subscription if you wanted to monetize it. Anyway, good job.
You easily earned a sub for this. I'm very new to unifi gateways after using pfsense for years and firewalla for a few months this was just what I needed after getting my UDM Pro SE up and running yesterday. I had my pfsense dialed in for years, but I wanted to get a more user-friendly network solution for my home just in case something happens to me. This tutorial is solid and I'll be employing much of this ruleset to my network to start as my basic setup is very similar to your example. Great job and Thanks!
Thank you so much for this. Been searching for a logical and more importantly logical explanation of the logic. My first venture into VLANs as our collection of IoT devices is growing! Now have to figure out how to assign MAC address of wired device to VLAN.....via a Ubiquiti Express - Thanks again
I'm glad this video helped... I have a new series coming out that goes over FW rules too and it has more detail in it. Hoping to help as many as I can.
This is great. I did find one more thing that needs consideration from the IOT network. If you run the network controller on a local PC like I do, then that is also accessible from the IOT network and needs to be blocked in the firewall, much like the gateway access was done.
🎯 Key points for quick navigation: 00:00 *🌐 Introduction to VLAN setup and importance in home networks* - Understanding the significance of VLANs in home networks, particularly due to IoT device security concerns, - Starting with a basic setup on a UDM Pro, emphasizing simplicity and essential network segmentation, - Overview of the initial setup and equipment requirements for VLAN configuration. 07:06 *🔧 Creating VLANs and initial network configurations* - Step-by-step creation of VLANs for default, IoT, and guest networks, - Explanation of VLAN IDs and IP addressing schemes for each network, - Importance of segregating traffic to enhance network security and manageability. 11:25 *📶 Setting up Wi-Fi networks with multiple SSIDs and unique passwords* - Configuring a single SSID with multiple pre-shared keys for different VLANs, - Demonstration of how VLAN tagging works with a unified Wi-Fi network, - Benefits of using a single SSID approach versus multiple separate Wi-Fi networks. 15:55 *🛡️ Implementing firewall rules for network security* - Introduction to basic firewall rules to secure VLAN traffic, - Ensuring secure communication between VLANs while restricting unauthorized access, - Overview of essential firewall configurations for home network protection. 19:25 *🛡️ VLANs and Default Network Communication* - VLANs in Ubiquiti allow unrestricted communication by default across all VLANs. - Firewall rules are crucial to restrict inter-VLAN communication effectively. - Example setups demonstrate how different networks can freely communicate initially. 22:28 *🔒 Creating Firewall Rules and IP Groups* - Using IP groups simplifies firewall management by consolidating IP addresses. - Port groups enable unified rules for services like HTTP, HTTPS, and SSH. - Steps involve navigating between security settings and IP/port profile configurations. 26:56 *🌐 All Private IPS and Network Access Control* - Definition and creation of an "All Private IPS" group encompassing all private IP ranges. - Establishing rules to control traffic flow between networks and private IP groups. - Demonstrating how to configure rules that allow specific network access while restricting general private IP communication. 31:30 *🚫 Blocking IoT Network from Gateways* - Implementing rules to prevent IoT networks from accessing specific gateways. - Importance of ordering firewall rules to prioritize security policies. - Testing configurations to verify restricted access to designated gateways and services. Made with HARPA AI
This is the best tutorial I have seen describing the UniFi setup I was looking for. Thanks a lot for this easy to use tutorial 👍 You got a new subscriber. Can’t wait for more of this stuff!!
@@ethernetblueprint Perhaps also implementing a Synology NAS into this setup. Not sure if that needs to be on its own VLAN and how the firewall rules would look like if it needs to reachable from the outside. I guess the safest setup would be to use some sort of VPN solution to be able to safely reach the NAS from the internet. But is there a way to set it up in a safe way without VPN?
Great information I’ve just started getting into the UniFi ecosystem with a Cloud Gateway Ultra. Certainly feels like a massive upgrade in terms of features and capabilities over my standard WiFi 6 router which is now be converted to a temporary access point. I’ve set a Vlan for wired devices and one for wireless for now to add some degree of separation. Once I add a UniFi AP then I can add separate vlans for IoT and Guests.
Awesome... This is great. Make sure you watch my VLANs and Switching Video to ensure your switch is setup the way you want it too. That video compliments this one. Congrats!
You don't understand how helpful this has been!! No-one else that I watch has broken what rules to make down so well. I wanted to ask what if I need devices on my IOT to talk to each other? I have a lot of devices that would need inter-vlan communication. Would I just not do the drop all private ip addresses traffic or some other allow rule? Thanks
I am so pleased to hear that my video helped you out. I can't thank you enough for that. As for your questions, just to be clear, the firewall rules only apply when one VLAN is talking to another one. This is called Inter-VLAN communication. If IOT devices are talking to each other, they would most likely be in the same IOT VLAN and would not be affected by the firewall rules. Unless I am not understanding what you are asking here...
Well I don't know if I'm asking it right myself...I just assume that when you enter the firewall rule to Block all private IPs for the Iot vlan that that would prevent anything on the IOT from talking to anything but the internet including other Iot devices on the same vlan@@ethernetblueprint
I wanted to create some simple rules and VLAN's, not touched networking for many many years, since I did CCNA when I was 16 (Now 35!!!) this jogged the memory nicely, also new to UniFi so understanding it's flow this really helped. All networks now created and all rules and VLAN's setup! Happy with it. I just now have the joy or resetting all my dumb smart devices to be on my IoT network! I presume those devices can still talk externally to the web for their native apps to still work etc? Thanks though, brilliantly spoken!
Nice. I am so glad to hear you dusted off the old VLAN knowledge a bit and this helped you! The IOT devices will be able to communicate with the internet, yes.
One of the best, if not, the best unifi firewall tutorial on youtube. You explain it so well!! Question for you: I didn't need to block the ssh,http,https ports on my vlan gateways, i just blocked the gateway ips. Did you block the ports just for that extra security? Thanks!
Thanks for the watch and compliment. The local rules are there just to block assess to the gateway when on the restricted VLANs. If the rule you created does the same thing, then you don't need them. I would double check though that you can't access the gateway from your restricted VLANs. I have never just blocked the gateway as I don't know what that will do.... But I have had so many people ask me that I think I am going to test it and see what happens. Thanks again for the comment!
@@ethernetblueprint Thanks for the quick reply. So I blocked the IOT vlan from accessing the IOT gateway by just blocking the IOT gateway IP. I never blocked the ports. It works perfectly. Should I block the ports as extra security?
Thanks Great Video. I had had trouble finding some of the settings and this helped immensley. I followed your instructions and thought i had a problem as i refreshed the gateway page and could still get to it then a light bulb went off. As i had an established connection it remained. Closed the connection and went again and no access. Thought i would mention it in case others thought the same thing. Thanks again
Hi Tim, excellent step-by-step tutorial, followed you along in setting it up. Thank you, concise and also sufficient details. One small thing you already mentioned: Unibuiti changes things and I am running version 8.0.28 In this version there is no upper tab / bookmark line anymore with items like LAN-IN, LAN-Out etc. Greetings from Amsterdam.
Maybe I am looking in the wrong place from where you are talking about?? I don't see any changes in 8.0.28 from what I showed on the video. Can you help me find what is missing now?
Perfect tutorial! Not that I can only get what you set up but I got some understanding so I can adapt to my own rules using your video. Keep up the good work!
Outstanding presentation with the new interface. I would like to have a private wireless for my wife, because of her job. Could I use a shared key for default, IOT, Wife's Wifi and use the Guest 99 network with the standard isolation with it's own password? I am going to check out your VLAN video. Maybe I can come up with other ideas. Also, one of the things that gets frustrating is when videos are not updated when there is a noticeable OS change. I look forward to you continuing to do so.
If I understand correctly, you are asking if you can setup muliple password (Private Pre-shared keys) for the default, IOT and Wife (all connecting to the same SSID) and then setup a separate WiFi name for guest and still make all this work in the Firewall... If so, the answer is yes. The firewall rules are based on the VLANs, not how the WiFi networks are setup. You could create a shared SSID for all of your "main" networks and then create a Guest VLAN and choose the isolation check box... Then create a separate Guest SSID for that network. As a matter of fact, I think that is a better way to do that anyways. It is nice for the guests to be able to connect to a separate SSID so they know they are on the guest network...
I'm a total newbie in the world of home networking. Recently, I made a jump from Asus eco system to Unifi and can't seem to wrap my head around all new concepts like Vlan, traffic/firewall rules and stuff. Your video is so easy to understand and following with, absolutely one of the best for Unifi's new customers to learn from. Thank you for taking your time and effort to share with us your knowledge, cheers !!!!
Great tutorial! I have recently setup two additional VLANs (Family and IOT). I did this because I liked your "kids" network in your prior video. I have not set any rules yet, just been busy getting devices on the correct VLAN/Wifi. Will be playing with firewall rules soon. My question is... The first thing that came to mind when you were creating rules, especially the port rules, was what are the chances that one mistake could potentially lock you out of the gateway from ALL networks. It just made me think I should be VERY careful!
It is possible however there are fail safes in place that warn you about it. If you look through the comments here, I talke about that with another viewer because he got a warning on his and it wouldnt allow him to set that rule. However, just know that is possible. Be Careful.
Great tutorial, thanks! I love all the details! I just followed your previous tutorial to setup my vLan protections on my UDM SE, your earlier tutorial was super helpful!! I think you were on 7.x in that tutorial. Glad to see this updated tutorial, on 8.0.26! I saw you had a Guest firewall rule for "Allow DNS Packets to External Name Servers". It would be great to see a tutorial on this topic. I am looking to block all DNS (Port 53) queries out (on my various vLans), unless they come from my DNS (PiHole or other DNS like ControlD or NextDNS) server, if someone on my network tries to change their DNS, my goal is that they will not connect to another DNS server and their Name Resolution will fail. It would be good to see options, but wanted to share an idea (I'm sure you have considered this topic too! Great Job! Thanks!
You will most likely have to do that with Firewall rules on a standard VLAN and not by clicking the guest portal policy checkbox... The guest rules in this video were automatically generated by the system and can't be updated... I am confident you could create a VLAN like I did the IOT network in this video and then add rules to control the DNS servers...
Outstanding Video..... I have a USG and 3 access points, and want to keep Guests, IOT, and my default all separate, so your video hit a sweet spot for me. I've very concerned about getting hacked thru IOT (like Wyze) and this helped to show how to block the IOT to the gateways. I'll probably have to watch it a few more times to get it right, but thank you.
Great job of teaching/explaining vlans, watched another video that didn't explain much and hurried through everything Didn't work and certainly didn't learn anything about what I was doing from other videos Thank you for teaching subbed & liked!
Thank you so much. After watching several videos and web based walk-throughs, but I could not get things working 100% - finally scrapped and went through your video and presto everything is working, have my Iot and Cameras on separate vlans as well as my Guest Network. Tested, retested and everything is communicating as it should and blocked as it should. I am getting a ton of DROP invalid State trigger events for various devices I have, mostly Apple ones (home pods, Apple TVs, iPads, iPhones) as well as some out door eufy cams. Within an hour I’m seeing 60 plus triggers, 95% are Apple devices. This seems excessive, but I’m unsure if this is anything to be concerned about.
This is a GREAT tutorial, thank you very much. Do you see any value in having a separate WIFI for 2G IOT devices? I have about 60 of these devices to connect, and I wonder if they would conflict with 5G traffic at that volume.
Some IOT devices may require you to have an 2G network, but to keep things clean, I would try it without if first and only add if necessary... Make sure you don't have band steering turned on and you "should" be fine. The device is really what determines the need for an isolated 2g network in my experience.
Great video thanks. I am working with omada and they appear very similar. But the firewall entry types are a labelled a little different. I have LAN->WAN, LAN->LAN and [WAN2] IN. Would WAN IN be equivalent to LAN in on unifi? But LAN->LAN only has the options of network to network rules and not IP groups. LAN->WAN has the source and destination options of IP groups. WAN IN has Network source greyed out. Your 1st rule would be WAN IN (ipgroup_any to ipgroup_any)? Looking at your rule for all Private IP groups, may I assume I need to choose LAN->WAN in this case? Many thanks
So I didn't create any WAN rules. If you saw them on my video, those were created by the system. If you are trying to recreate the rules I did in this video, I would think LAN-LAN would be the same as the LAN in Rules, but I don't know that for sure. That is just the one that makes the most sense to me.
Thanks for this great video but I have a question about the rule to block the IOT network from it's own gateway, why can't you just combine it into one group with the port group? It seems redundant to create a separate rule for this.
I actually need to test this a little more. I have a lot of people ask me this question and to be honest, this is the way I have always done it and have never just blocked the gateway. I will have to test and get back to the group!
Thank you! This is the bomb-diddly!!!! I have attempted this in 3 prior efforts with compromised results. After testing, I am now convinced that my IoT is configured as I had hoped. Not being a Net Admin type, the explanations were matched nicely with the recipes. A fantastic balance! An excellent time investment. Thank you again!! One small suggestion that would have completed my setup .... the recipe to expose the printer on the default vlan to those connected to the Guest vlan. BUT, I have enough knowledge now (from the camera examples?) to try to pull that off. Did I learn to fish??? ;-)
Rel 8.1.127 Tried configuring the printer. Let it be used from the Guest vlan. Created the rule. It can't be moved above the "Drop All Private IP Communication" rule, as you stressed. LAN Local, Accept, Source = Guest, Destination = Default, IPv4 for both, Match state = New, Established Connect an iPad to Guest. Apps don't find a printer. Thoughts? Suggestions?
Printing depends on a couple factors, but there are a couple of things you can try... However, I will warn you that not all printers play well with VLANs though... 1) make sure mDNS is enabled and is allowing the VLANs that need to talk to each other. Some printers use this to communicate with their devices 2) I would edit your rule and try the following... put the printer IP in an IP group by itself... then try the rule 'LAN Local, Accept, Source =Guest, Destination Port/IP Group and choose your printer... don't add the new, established... just leave that out... Also make sure that your new printer rule is above the 'Drop all private IP' rules that you created earlier... They run in order and you don't want that the traffic blocked before it hits your rule.
Hi. Great video but one part confuses me one bit. At the 33:42 mark you add the 192.168.3.1 adress which I dont really know what it corresponds to. Was the 192.168.99.1 intended as the Guest VLAN Gateway? Other than that u made my configuration process a lot easier. Thank You.
You are correct... I am so sorry that was confusing. The 3.1 address was a mistake. That was supposed to be the 99.1 for the guest gateway... Sorry about that and good catch!
Thanks so much for a great video. I have tried for a while but now I finally have got my VLANs to work. I even used my knowledge from the video to figure out how to get all my Denon/HEOS stuff to work on the IoT! Much obliged! Just two small question if you don’t mind though. Should I not block access to the gateway from the guest network? I have tried to understand the rules ubiquity has given me but I don’t seem to find that? Next a more general question. In the firewall rules from ubiquity there are 4 “accept” at the end. What good are they if no “drop” after them? Maybe I have misunderstood something?
I would make sure you block access to the gateway from your guest network.. (either with your own rules or the built in ones) If you hit the guest checkbox for that VLAN and let it do it for you, I believe it will block access to the gateway for you without you putting in any FW rules. It isolates that network and only allows guest to get the internet. Hope that helps!
Hey Tim! Just found your channel, I have a bunch of UniFi gear and have been running it for years, but you have taught me quite a bit and this video right here has helped me figure a bunch of stuff out! As a thanks, I noticed that your audio is being done from a laptop/phone mic, which works, but, I have a set of lavaliers that I would love to send you as a thanks. But I couldn't DM you, Drop me a line back and I'll find a way to get them to you! Thank you for the great information!
What if I add a new device to my network? Would that be considered as “not established” or “new” which is not tick marked so it won’t be able to communicate ?
When one device talks to another device on a network, there is a string of bits that are in a certain order that make up a network packet that get sent back and forth. Network sessions between devices can get messed up for a lack of better description and so when the FW sees these sessions, it knows to just drop that traffic. 'Invalid' traffic primarily appear to be for an existing session but that do not have an already existing firewall session
Established and Related and Invalid: I agree that this can be a little confusing. When looking at these factors, your FW is basically making sure the traffic going back and forth is allowed and that packets in the communication are what it expects to see. Invalid traffic for example might be from a stale network session that didn't get closed properly so the network packet has information in it that would flag it as "invalid". It is very common for this to happen and the FW knows to just drop it. In the case Established and Related, when a device on one network (VLAN) is traveling through the firewall to talk to a device on another "restricted" network (VLAN), if that communication is allowed, and the network packet looks like it should, it will be seen as "good" and allow that communication to happen. When this occurs, that device on that first VLAN has now "Established" a communication. The "Related" portion basically allows that the device on that second "restricted" VLAN to respond back and answer to the first device... So, the reason I include this in my firewall rules is because our default network is allowed to talk to other VLANs and this rule allows those other "restricted" VLANs to talk back... However, the "restricted" VLANs are not allowed to Establish a communication to our default network... That is blocked... EXAMPLE: A phone on the default network can talk to an IOT device on the restricted network... And if the communication originates with the phone, the IOT device is allowed to talk back... Phone tells IOT device to turn on a smart light, IOT device says, "yes". However, traffic originating from the IOT network can NOT talk to the default network. The traffic has to originate from the default network for this to happen... That is basically what these rules are allowing to happen and why I add them... I want my default network to talk to other VLANs and be able to have them respond back... And I want to drop network packets that are deemed as "invalid"... I hope that helps...
Great tutorial, but one question: I followed your exact approach yet I'm able to ping other devices on the IOT network while on the IOT network. I thought that should have been blocked based on the rules? I'm using a new UCG Ultra running latest software.
With these rules, you should to be able to ping and communicate within the IOT VLAN. Thats normal. You shouldn’t be able to reach other VLANs or get to the IOT gateway on ports 80, 443 and 22. If you were to do device isolation, then you’d achieve what you’re talking about. Hope that makes sense.
Great video. I still fail to understand a point. We need to introduce a FW rule "Block IOT to other Gateways". Obviously, your machine inside the IOT network is able to connect/reach the gateway inside the default network. Therefore you need this rule. But I still fail to see why the FW rule "DROP ALL private IP communication" is not enough... Any observations/development on this point?
I understand the confusion. This is because of the type of rule it is... The "LAN in" rule is different than the "LAN Local" rules. The LAN In rules control intercommunication between VLANs. (ie. this device over here can not talk to this device over there) However, Unifi uses the LAN local rules to allow you to block local service services that run on the local device... (ssh, dhcp, https, dns, etc...). You almost have to think of accessing the web portal of the UDM as a service. You are going to an IP configured on the device (a gateway) and accessing a https page. So a LAN Local Firewall rule is required on the gateways (both its own gw and the other gw's) to block that traffic. Note: With the rules I created in here to block traffic to other gateways, I chose to just block all ports - Kill ALL access to services on those GW IP addresses. However, I could have created the "block other gateways" rule to just block ssh, https and http like I did on the "blocking its own gw" rule. I hope that makes sense and helps you out a bit...
Thank you!! One question, when setting up your LAN LOCAL rules, why do you explicitly add DENY rules instead of explicitly adding ACCEPT rules with a default DENY at the end? This seems like the only place where you do not follow the "deny by default" best practice? This doesn't seem to scale with more networks (but maybe this is intentional for the video!). Also, Unifi has a firewall option for "network type" of "Gateway IP Address", which I believe is the 192.168.x.1. Would you recommend using that Unifi default instead of creating the groups like "DROP IOT to its Gateway"? Thank you!!!
You bring up a good point. Most of the home networks that are setup as on the smaller side so this ruleset works pretty well. For larger scale networks, your suggestion would work better for scale. Most of the reasons I do this this way is to be able to teach people who are newer to Unifi and Firewalls in general. Deny by default practices can more difficult to troubleshoot - especially if you are newer. As far as your second question, I am not familiar with where that setting is to be able to answer your question. Sorry man!
Do you not recommend the Isolate Network checkbox in 8.3.32 (different from the Guest Network checkbox) on the Unifi VLAN (Network) configuration screen for the IOT network?
This is a valid point. That is one way to do it sure. Simple and fast. It will create a single Isolate rule in the FW rules. (FW Rule it Creates) Isolate IPv4 Traffic From Selected Subnets To Any Local Subnet, Drop, LAN In, All, 192.168.X.0/24, Any, (4 Networks), Any, 60001 If you needed to allow other VLANs to communicate with your IOT network, you could simply add your "allow" rules above this rule and they should communicate. I simply wanted to point out how to make FW rules from scratch to accomplish to same thing so it helps people learn how the rules work.
Really useful tutorial. I'm new to Unifi and I'm sure I'll be configuring, resetting and reconfiguring things for awhile. I am updating my little home network mainly because my WAP is EoL and hasn't had an update in 2 years. I have been using an ERL for several years, which is a great little router, but I am using the WAP as an excuse to build an easier to manage network . I guess it's like Apple once you get into the Unifi ecosystem you're better off staying there. I bought an UDR and Lite 16 port switch to replace my existing switch, AP and router. I have the UDR and switch kinda hanging off my current setup so I can practice with it and not worry about getting my "users" upset. I plan on eventually adding APs to connect a shop and would be interested in ways to connect between buildings. The VLAN stuff is very timely. I have stayed away from IoT devices because of security concerns. I'm hoping to get a good understanding how to control and secure things both internal and external. What I would like to see is a tutorial on best practices for setting up and securing the Ubiquiti VPN. I also would like to add a NAS to do my own cloud storage as well as local file, media and backup. Thinking about why, where and how to put a NAS on the network while being able to restrict access based on who and where the access is coming from all turns into a confusing mess quick. Keep up the tutorials. I'm looking forward learning more. 👍
Thank you for tuning in. I think you will like the Unifi echosystem once you get used to it. But don't get me wrong, it definately has its painful moments. I haven't gone too deep into the VPN realm yet, but full intend on doing some videos on that. I know it is a hot topic. Unifi has been making some changes in that area as well. As far as a NAS goes, it really depends on what needs the most access. For me, my default network uses the NAS the most, so that is where I put it. I don't really have a need in my home to have any external devices talk to it so it works well for me there. But that is me. Hope your new direction goes well!
Also, as far as connecting to your shop, check out my Nanobeam point to point video. I plan on doing an update to that since that was made specifically for my brother in law, but that may push you in the right direction. Look at the Nanobeam 5AC from Ubiquiti for creating a wireless bridge to your outbuilding. They work awesome...
I didn't make cameras a part of this video... when I do my next "refresh" of it, I will add them in just so people have a reference. Personally, I would recommend putting your cameras and NVR on their own Camera network... and not have them be on the IOT... But the situation, setup and types of cameras all can play into this decision... may need a little more info....
@@ethernetblueprint thank you for getting back to me. I’m retired military and I’ve had to install a rack of cameras around my house do problems with my neighbors. I have two cameras that are wired by ethernet and 10 g4 instant around the house. I really appreciate your video. It was the first time I’ve seen one that actually allowed me to understand and how it’s set up for firewall, etc. I looked at your website. I was gonna try emailing you but noticed that I couldn’t do that. My house is already constructed so adding ethernet connections for the remaining cameras would be way too expensive for me. I look forward to seeing you next video.
Just so you know, I do talk about cameras on the VLANs on a Unifi Switch video that I did recently... If you ever have any questions that need further explanation, email me at tim@ethernetblueprint.com and I will try to help where I can...
Excellent and informative videos and explanations!!! Many thanks for all the effort!!! I set up my network following your instructions and work nicely. There is skmething i dont understand though; My default network it is supposed to have access (ping) all the vlans. After i followed your firewall rules it seems that i can ping only devices within the default network but no in the guest or IoT. Did i miss something?
Sounds like you missed something... There should be a LAN in rule to allow Default to ANY right before the block all rule... make sure that is in there and is correct.
@ethernetblueprint That's what I thought but can't figure out what i messed up probably. I have them in the following order: ALLOW established n related, DROP invalid, ALLOW default to all private and DROP all private to all private. The order is not right maybe?
Absolutely incredible video! I have a question on how you set up your pinters specifically. I read that putting them on their own VLAN is the way to go, and someone who is learning I would love to try and do that but I was having issues getting it to communicate with my other devices on my other VLANS. Do you have any recommendations on firewall rules or should I just throw it on the IOT VLAN?
Follow up question, with the rules I put in that video, if you did have them in the IOT VLAN, are you able to communicate with them from the main VLANs?
Tim, this was helpful to understand the importance of VLAN’s. I really want to do something similar but your comment about Sonos makes me not want to proceed. I am not qualified to troubleshoot any networking and I would just end up resetting everything back to default!
I've watched a ton of these firewall setup videos but this one is probably the best at explaining what each setting does so thanks. The reason I keep watching them is I can't for the life of me get my macbook on VLAN 1 to talk to a Pi server on VLAN 2. It wont ping, it wont shh. But it will if I connect the wifi on the mac to the VLAN 2 wifi network. If followed every little detail in this video (which is almost identical to many others) and put in an allow rule for pi ip to talk to the mac ip. I've also tried it as a all VLAN 2 to all VLAN 1 rule. Still won't work. Hope that makes sense but is there any other gotchya that could be preventing this in unifi?
Do you have another device (non Mac) on VLAN 1, that you can’t try pinging the Pi server? Can your Mac ping other devices on VLAN2? If this is a “server” make sure the local firewall isn’t blocking the pings. I have seen that cause issues like this and people are troubleshooting the wrong device. If you want to email me at tim@ethernetblueprint.com, we can have a convo about some options.
Love your video I would love to see you corporate a cameras into that that’s gonna be figured in my mind and I’m really new at this so you did it really well love love to see it. Nice job.
Nice walk through. Still following it and slowly setting things up but it is helping a lot. My only so far is I have the Cloud Gateway Ultra and in it the options are Guest Network and Isolate Network compared to your "Isolation" when setting up the guest vlan. Do I check both of these or just guest or just isolation ?
Unifi loves to change their own wording... For a guest network you can check either one... but you don't need to check both. If you check the Guest Network box, you will be able to setup a guest Portal page for your guests to use in the Hotspot manager... If you check Isolate Network box, then it will just lock it down and not give any additional guest portal features... Hope that makes sense!
@@ethernetblueprint Ha ha, thanks for the reply. I did end up checking both at the time I think. Another new thing ive recently discovered is that when it comes to vLan if your using a switch other than a ubiquiti one there is no way to have some devices on vlan 1 and others on vlan 2 as they are all tagged on the vlan set in the port for untagged traffic. Which is mildly annoying as I then need to pick up more of their kit, just to put something on a particular vlan instead of getting it and building in time. Unless.... you happen to know of a way ? :D
Great great video. You are a terrific teacher.
Wow, thank you!
There are a lot of version of this walkthrough out there on RUclips, but (for me at least) this is the only one that took the appropriate time and amount of hand-holding that I need to not just implement the FW rules, but also to help me understand the WHY. That is huge!
Thanks a ton!
Thanks for watching. I'm so glad it helped you out.
I am new to the Unifi dream router and loving the custom settings. I agree this is an excellent video that explains the settings very well.
Finally one of those vlan guide that I can follow and understand easily. VLANS are not that scary after all. Cheers man!
Thanks for the comment. I am super happy to hear that it helped.
Thanks! Great tutorial. I set it up and it works perfectly. A dual screen setup to watch the video and work on the other is the way to do it!!!
I’m happy to hear it got you set up. Thanks for the super tip.
Wait until you start getting into triple monitors. It's a game changer. Working with VM's on Linux? One screen for a video guide, one to interface, and another with common command templates to copy and paste. Playing video games? One screen for the game, one for discord, and another for a game guide or a map for reference. Researching a new product and comparing stuff? One screen for review videos or articles, one screen for searching product retailers, and another for documenting options and taking notes. The possibilities are endless.
I am a Unifi virgin. I have watched many videos to try to understan the world of Unifi, this video is gold! You explain it well. Thank you!
Thanks. Hope you subscribed. Next week I’m going to cover the switching aspect of VLANs.
Probably the only video with the new interface. Thanks for creating and being very detailed with background info for noobz.
I'm so glad it helped you out!!!
I watched several videos and this is the one where things started clicking. I loved the format of showing the vulnerability, applying the fix and confirming vulnerability is negated along with clear and concise explanations during the process. I also like that the gateways were isolated. Before this video, I was struggling to figure out why I could ping my gateway addresses even though my networks were isolated and now I know. This is the first ever super thanks I have given. It’s well deserved. I’ll be adding one to the follow up video on configuring VLANs on Unifi switches. Many things clicked in that video also.
A thousand thanks for your kind words and your generosity. I do my best to try and help the newbies of the Unifi space. I love getting feedback that tells me I was able to help... All the best!
Top notch. Thank you!
Holy crap. Thank you so much. That is overly kind of you. So glad it helped.
I am finally considering a Unifi setup now that their OS is more well-baked, and you had the most recent Unifi OS VLAN video, so I decided to stop by and see how things have improved over the last few years. However, I must say that this video is probably one for the best for anyone new to VLANs in general, not just VLANs on Unifi. You, sir, are the only one that “teaches one how to fish instead of just giving one a fish” by explaining the logic behind firewall rules, thus giving one the ability to not just copy your foundational firewall rules (which were spot on as the bare minimum starting point), but also gain the confidence to start coming up with their own firewall rules unique to their situation. Looking forward to joining you on this journey to learn from each other!
Wow. Thanks so much. I am very heppy to hear that it helped you!
I agree, this was extremely clear with no fluff@@ethernetblueprint
Glad you are using the new UI. Aside from that, what a great job of providing the list of items to change, their order and a great explanation as to why. I've watched other videos that assume way to much of the audience.
I'm glad it helped you. Unifi has been busy changing the UI. I think it has changed again a little since I did this video...
Thank you! You’re the first, explaining vlans so that I understand it.
Glad it was helpful! Truly!
One of my friend said many years ago for his boss: "for thank you I won't feed my family". So please take small tip from me with huge words of appreciation. Great tutorial, the one was very helpful with my first steps to Unifi :)
Thank you very much for your kind words and generosity. I'm glad I was able to help you out!
As a seasoned firewall admin I thought I knew what I was doing as I started throwing random firewall rules into my new UDM, and it wasn’t working! This makes loads of sense and I’m excited to try it… Also these states look like iptable states, so that’ll be the next thing I start researching! Thanks for the great breakdown 🎉
I hope it is helpful to you. Thanks for sharing!
Yessir, you explained it well. It's easier to understand the more advanced parts once a baseline has been understood and configured. Just what I needed as there are more and more IOTs and guests in my house these days.
Awesome. My next video will be on the switching portion of VLANs so I hope to see you back!
Wow, huge work here!, honestly the best vlan class on RUclips. Congrats and thank you
Wow, thank you for your kind words. Glad it helped.
Awesome content. You saved me a ton of time! Thank you!
You are so welcome. And thank you for your generousity!
Well done, I am getting a much needed education on networks.
Thanks so much! If you haven't already, check out my "Unifi for Newbies" mini series. Its in my playlists!
Thanks Buddy!
Wow. I can’t thank you enough. That is super kind of you.
You're a good instructor! You saved me tons of headaches and time. Very much appreciate what you're doing.
Wow. Thank you very much. I’m so pleased that it helped you out. Sincerely.
Many videos in RUclips this is the only video that explained firewalls rules in UniFi that I can understand. Thank you for the video.
Thanks so much. Happy it helped.
Thanks for explaining all the firewall rules. In other video's I've seen they just tell you do put in certain things but not explain why.
You are quite welcome. I hope you found it helpful!
Thank you for this walkthrough. I've struggled trying to configure the UDMP and you made it simple and straightforward.
Glad it helped!
I had no idea about the "new" Wifi Pre-shared Key assignments to different networks, that's cool. Thank you for explaining and showing that.
Its my pleasure...
sadly that wont work with wifi 7, as its only good for 2.4 and 5 ghz bands :(
I am finally getting fiber. Getting a new home network setup. Going to a dream machine. Love the idea of just one said for multiple v Lans. Goimg to save me a lot of time setting up. Thanks for the walk through.
Happy to do it. Is there anything else you'd like to see a video on that could help you out?
This video is great. I've been looking into unify for a while now, but my biggest reservations about diving into it has been VLANs. I'm pretty familiar with vlans as I do IT at a large resort and everything we connect to a network has a different VLAN. Everyone says unify can do VLANs, but they don't elaborate further and I want something robust enough for firewall rules like the ones you demonstrated. My biggest concern was that unify either would not allow firewall rules, or they would be very limited. This video demonstrates the capabilities well and has shown this is exactly what I'm looking for. I plan to start ordering my components over the next couple of weeks and setting everything up and I could not be more excited.
I appreciate your kind words... Just so you know, I did a full Unifi series and even have a downloadable document for the firewall rules too... check out my playlist for that 8 part series... one video has been dedicated to FW rules...
Absolutely brilliant. Finally configured my Unifi gear!
Boom (Mic Drop). So glad to hear it. Thanks for watching!
amazing video I am keep watching it over and over again
Thanks. I hope you found it helpful. I also have another FW video in my Newbie series. Even has a downloadable cheat sheet for the rules.
Awesome video that has helped me start to understand a confusing subject. Had to watch it a couple of times but I now have Guest and IOT separated from the main network and all my Home Assistant stuff seems to still be working fine. Thanks for pulling this and your other videos together for plebs like me.
You are quite welcome. I have a 8 part series I created too. Its in my playlists... Maybe check that out too if you want...
Very helpful, thank you for this introduction and it helped me setup my first VLANs!
Awesome... if you haven't already, check out my Unifi for Newbies series in my playlist... it goes into more details on setting up your whole network from start to finish...
Danke!
Thanks for your generosity
Thank you! I didnt know about the feature of being able to integrate multiple VLAN connections into a single SSID.
Just need to work out a good time to switch!
Good luck. Thanks for commenting!
This is exactly what i was looking for! I applied your IOT logic to a Vland for crypto mining. This way i don't compromise my default network with some shady new crypto mining software and wallets. 😂😁 Thanks you!
That’s awesome. I hope the mining is going well.
Yeah, super handy on the guest landing page. I appreciate the re-accepting of the Guest EULA after a period of time for a business. So you don't saturate the DHCP range. But for home use I very much like disabling so users at my house don't have to re-accept to "logon".
That is a good point about the reauthentication for your guests!
On the portion of the video (about 333.) where you set up group Block IOT from other gateways, you set up a group that included 192.168.1.1 and 192.168.3.1. There is no 192.168.3.1 but there is a x.x.99.1. Perhaps you meant to use 99 instead of 3?
nice catch... I have done many variations of my test setup and have a VLAN 3 a lot of the time. Sorry if that created any confusion.
This is AWESOME !! I just got my UDM SE and bunch more Unifi equipment and was looking for a video just like yours. Helped lots !! Thank you.
Awesome man. Thanks so much. I have more UDM videos coming soon. Is there anything you’d like to see?
Thanks for the best video about VLANs on current UniFi interface layout
Unifi is about to release (eta 1-2 months) a new EA firmware version that will bring a lot of options for ACL rules to L3 switches. If you have an L3 switch around could you do a detailed video on those rules and the setup once the new firmware releases?
First off, thanks for your tremendous generosity. I will have to look into the Layer 3 switch though as I don't use them much. Appreciate the awareness though. More to come.
You may not claim to be an educator, but I am and you did a superb job. Came to see this method on the new interface and this was a great video and you have an excellent way of speaking for these. One idea you might do would be to provide a firewall rule summary in a PDF or something to make reference easier. Maybe even make this apart of a subscription if you wanted to monetize it. Anyway, good job.
I appreciate your kind words. I should include a PDF. Good suggestion.
Thank you for this video. It was so much clearer and personable than others. You say you're not a teacher, but I'm not convinced.
Thats very kind of you.
You easily earned a sub for this. I'm very new to unifi gateways after using pfsense for years and firewalla for a few months this was just what I needed after getting my UDM Pro SE up and running yesterday. I had my pfsense dialed in for years, but I wanted to get a more user-friendly network solution for my home just in case something happens to me. This tutorial is solid and I'll be employing much of this ruleset to my network to start as my basic setup is very similar to your example. Great job and Thanks!
Wow. Thank you very much. I am very pleased to hear that it helped you! Thanks for the sub!
Thanks!
Wow... Thank you so much. I really appreciate that.
Thank you so much for this. Been searching for a logical and more importantly logical explanation of the logic. My first venture into VLANs as our collection of IoT devices is growing! Now have to figure out how to assign MAC address of wired device to VLAN.....via a Ubiquiti Express - Thanks again
I'm glad this video helped... I have a new series coming out that goes over FW rules too and it has more detail in it. Hoping to help as many as I can.
This is great. I did find one more thing that needs consideration from the IOT network. If you run the network controller on a local PC like I do, then that is also accessible from the IOT network and needs to be blocked in the firewall, much like the gateway access was done.
Great call out! Thanks for sharing with the viewers. I did forget about that!
This is brilliant. Easy to follow and understand. Thanks
Thank you. So happy it helped!
🎯 Key points for quick navigation:
00:00 *🌐 Introduction to VLAN setup and importance in home networks*
- Understanding the significance of VLANs in home networks, particularly due to IoT device security concerns,
- Starting with a basic setup on a UDM Pro, emphasizing simplicity and essential network segmentation,
- Overview of the initial setup and equipment requirements for VLAN configuration.
07:06 *🔧 Creating VLANs and initial network configurations*
- Step-by-step creation of VLANs for default, IoT, and guest networks,
- Explanation of VLAN IDs and IP addressing schemes for each network,
- Importance of segregating traffic to enhance network security and manageability.
11:25 *📶 Setting up Wi-Fi networks with multiple SSIDs and unique passwords*
- Configuring a single SSID with multiple pre-shared keys for different VLANs,
- Demonstration of how VLAN tagging works with a unified Wi-Fi network,
- Benefits of using a single SSID approach versus multiple separate Wi-Fi networks.
15:55 *🛡️ Implementing firewall rules for network security*
- Introduction to basic firewall rules to secure VLAN traffic,
- Ensuring secure communication between VLANs while restricting unauthorized access,
- Overview of essential firewall configurations for home network protection.
19:25 *🛡️ VLANs and Default Network Communication*
- VLANs in Ubiquiti allow unrestricted communication by default across all VLANs.
- Firewall rules are crucial to restrict inter-VLAN communication effectively.
- Example setups demonstrate how different networks can freely communicate initially.
22:28 *🔒 Creating Firewall Rules and IP Groups*
- Using IP groups simplifies firewall management by consolidating IP addresses.
- Port groups enable unified rules for services like HTTP, HTTPS, and SSH.
- Steps involve navigating between security settings and IP/port profile configurations.
26:56 *🌐 All Private IPS and Network Access Control*
- Definition and creation of an "All Private IPS" group encompassing all private IP ranges.
- Establishing rules to control traffic flow between networks and private IP groups.
- Demonstrating how to configure rules that allow specific network access while restricting general private IP communication.
31:30 *🚫 Blocking IoT Network from Gateways*
- Implementing rules to prevent IoT networks from accessing specific gateways.
- Importance of ordering firewall rules to prioritize security policies.
- Testing configurations to verify restricted access to designated gateways and services.
Made with HARPA AI
Wow. Thanks for the assist there.
This is the best tutorial I have seen describing the UniFi setup I was looking for. Thanks a lot for this easy to use tutorial 👍 You got a new subscriber. Can’t wait for more of this stuff!!
Super nice of you to say. Thank you. Is there anything you'd like to see a video on?
@@ethernetblueprint An extension/tutorial on how to setup a VLAN for UniFi cameras together with firewall rules would be very interesting to watch 👍
@@ethernetblueprint Perhaps also implementing a Synology NAS into this setup. Not sure if that needs to be on its own VLAN and how the firewall rules would look like if it needs to reachable from the outside. I guess the safest setup would be to use some sort of VPN solution to be able to safely reach the NAS from the internet. But is there a way to set it up in a safe way without VPN?
Great information I’ve just started getting into the UniFi ecosystem with a Cloud Gateway Ultra. Certainly feels like a massive upgrade in terms of features and capabilities over my standard WiFi 6 router which is now be converted to a temporary access point. I’ve set a Vlan for wired devices and one for wireless for now to add some degree of separation. Once I add a UniFi AP then I can add separate vlans for IoT and Guests.
Awesome... This is great. Make sure you watch my VLANs and Switching Video to ensure your switch is setup the way you want it too. That video compliments this one. Congrats!
Great video, Tim. Thank you so much!
Glad you liked it!
Thanks
Wow. Thank you. Very kind of you.
You don't understand how helpful this has been!! No-one else that I watch has broken what rules to make down so well. I wanted to ask what if I need devices on my IOT to talk to each other? I have a lot of devices that would need inter-vlan communication. Would I just not do the drop all private ip addresses traffic or some other allow rule? Thanks
I am so pleased to hear that my video helped you out. I can't thank you enough for that. As for your questions, just to be clear, the firewall rules only apply when one VLAN is talking to another one. This is called Inter-VLAN communication. If IOT devices are talking to each other, they would most likely be in the same IOT VLAN and would not be affected by the firewall rules. Unless I am not understanding what you are asking here...
Well I don't know if I'm asking it right myself...I just assume that when you enter the firewall rule to Block all private IPs for the Iot vlan that that would prevent anything on the IOT from talking to anything but the internet including other Iot devices on the same vlan@@ethernetblueprint
This helped thank you. So many videos watched. This one works and is very well explained.
Glad it was helpful. Thanks for watching.
Man nice video, makes a lot of sense and the whole thing super easy to learn. Much appreciated!! Thanks a bunch :)
Thanks for watching and for the compliment. I’m happy to share.
Congratulations!Great tutorial and learling point
Glad it helped.
I wanted to create some simple rules and VLAN's, not touched networking for many many years, since I did CCNA when I was 16 (Now 35!!!) this jogged the memory nicely, also new to UniFi so understanding it's flow this really helped. All networks now created and all rules and VLAN's setup! Happy with it.
I just now have the joy or resetting all my dumb smart devices to be on my IoT network! I presume those devices can still talk externally to the web for their native apps to still work etc?
Thanks though, brilliantly spoken!
Nice. I am so glad to hear you dusted off the old VLAN knowledge a bit and this helped you! The IOT devices will be able to communicate with the internet, yes.
Great content. Made it easy for me to understand VLANS
I am glad it helped you out!
Just setup my home network using this video ! Thank you so much of the help ! Would love to know now how to improve WIFI and get the best experience
Glad it helped! You are welcome!
Beautiful explanation! Thank you 🙏
Glad it was helpful! Sincerely
Thanks. I learn something new today.
Glad to hear it!
One of the best, if not, the best unifi firewall tutorial on youtube. You explain it so well!!
Question for you: I didn't need to block the ssh,http,https ports on my vlan gateways, i just blocked the gateway ips.
Did you block the ports just for that extra security? Thanks!
Thanks for the watch and compliment. The local rules are there just to block assess to the gateway when on the restricted VLANs. If the rule you created does the same thing, then you don't need them. I would double check though that you can't access the gateway from your restricted VLANs. I have never just blocked the gateway as I don't know what that will do.... But I have had so many people ask me that I think I am going to test it and see what happens. Thanks again for the comment!
@@ethernetblueprint
Thanks for the quick reply.
So I blocked the IOT vlan from accessing the IOT gateway by just blocking the IOT gateway IP. I never blocked the ports. It works perfectly.
Should I block the ports as extra security?
If you can't access the device via its local IP address, then I would say problem solved...
Good job 👍. Everything you showed is very simple, but it may be useful for beginners.
Thanks so much!
It might be simple to you… I’m a UniFi newbie and brand new to VLANs and configuring firewall rules.
Thank you, Tim, for opening the door for me!
Thanks Great Video. I had had trouble finding some of the settings and this helped immensley. I followed your instructions and thought i had a problem as i refreshed the gateway page and could still get to it then a light bulb went off. As i had an established connection it remained. Closed the connection and went again and no access. Thought i would mention it in case others thought the same thing. Thanks again
Thank you for commenting and helping my followers!
Hi Tim, excellent step-by-step tutorial, followed you along in setting it up. Thank you, concise and also sufficient details. One small thing you already mentioned: Unibuiti changes things and I am running version 8.0.28 In this version there is no upper tab / bookmark line anymore with items like LAN-IN, LAN-Out etc. Greetings from Amsterdam.
Maybe I am looking in the wrong place from where you are talking about?? I don't see any changes in 8.0.28 from what I showed on the video. Can you help me find what is missing now?
Perfect tutorial! Not that I can only get what you set up but I got some understanding so I can adapt to my own rules using your video. Keep up the good work!
Awesome! I wish you well!
Outstanding presentation with the new interface. I would like to have a private wireless for my wife, because of her job. Could I use a shared key for default, IOT, Wife's Wifi and use the Guest 99 network with the standard isolation with it's own password? I am going to check out your VLAN video. Maybe I can come up with other ideas. Also, one of the things that gets frustrating is when videos are not updated when there is a noticeable OS change. I look forward to you continuing to do so.
If I understand correctly, you are asking if you can setup muliple password (Private Pre-shared keys) for the default, IOT and Wife (all connecting to the same SSID) and then setup a separate WiFi name for guest and still make all this work in the Firewall... If so, the answer is yes. The firewall rules are based on the VLANs, not how the WiFi networks are setup. You could create a shared SSID for all of your "main" networks and then create a Guest VLAN and choose the isolation check box... Then create a separate Guest SSID for that network. As a matter of fact, I think that is a better way to do that anyways. It is nice for the guests to be able to connect to a separate SSID so they know they are on the guest network...
I'm a total newbie in the world of home networking. Recently, I made a jump from Asus eco system to Unifi and can't seem to wrap my head around all new concepts like Vlan, traffic/firewall rules and stuff. Your video is so easy to understand and following with, absolutely one of the best for Unifi's new customers to learn from. Thank you for taking your time and effort to share with us your knowledge, cheers !!!!
I am so happy to... This is one that I will be redoing as Unifi Upgrades their interface too...
thank you for this structred yet simple to understand and setup tutorial, appreciate it and now its time to check your other videos 😉
I am really glad it was helpful to you. Anything else you'd like to see a video on that could help you out?
Great tutorial! I have recently setup two additional VLANs (Family and IOT). I did this because I liked your "kids" network in your prior video. I have not set any rules yet, just been busy getting devices on the correct VLAN/Wifi. Will be playing with firewall rules soon. My question is... The first thing that came to mind when you were creating rules, especially the port rules, was what are the chances that one mistake could potentially lock you out of the gateway from ALL networks. It just made me think I should be VERY careful!
It is possible however there are fail safes in place that warn you about it. If you look through the comments here, I talke about that with another viewer because he got a warning on his and it wouldnt allow him to set that rule. However, just know that is possible. Be Careful.
Great Video..... Will use a bunch of this when my Gear arrives
That’s great to hear.
Great tutorial, thanks! I love all the details! I just followed your previous tutorial to setup my vLan protections on my UDM SE, your earlier tutorial was super helpful!! I think you were on 7.x in that tutorial. Glad to see this updated tutorial, on 8.0.26! I saw you had a Guest firewall rule for "Allow DNS Packets to External Name Servers". It would be great to see a tutorial on this topic. I am looking to block all DNS (Port 53) queries out (on my various vLans), unless they come from my DNS (PiHole or other DNS like ControlD or NextDNS) server, if someone on my network tries to change their DNS, my goal is that they will not connect to another DNS server and their Name Resolution will fail. It would be good to see options, but wanted to share an idea (I'm sure you have considered this topic too! Great Job! Thanks!
You will most likely have to do that with Firewall rules on a standard VLAN and not by clicking the guest portal policy checkbox... The guest rules in this video were automatically generated by the system and can't be updated... I am confident you could create a VLAN like I did the IOT network in this video and then add rules to control the DNS servers...
Outstanding Video..... I have a USG and 3 access points, and want to keep Guests, IOT, and my default all separate, so your video hit a sweet spot for me. I've very concerned about getting hacked thru IOT (like Wyze) and this helped to show how to block the IOT to the gateways. I'll probably have to watch it a few more times to get it right, but thank you.
You are quite welcome. I am happy that it helped!
Great job of teaching/explaining vlans, watched another video that didn't explain much and hurried through everything
Didn't work and certainly didn't learn anything about what I was doing from other videos
Thank you for teaching subbed & liked!
I appreciate the feedback. Glad it was helpful!
Really great stuff. Love that you used the latest version.
FYI - WiFi Private Pre-Shared Key is not supported on 6 Ghz WiFi
Thanks so much. And that’s good to know about the pre-shared key and 6Ghz. I wasn’t aware of that.
Great tutorial. Thanks.
Thank you!!
Great guide, from zero to hero with everything needed, just one comment - please consider using dark mode ui when recording these, cheers!
Good tip... I will have to do that.
Thank you so much. After watching several videos and web based walk-throughs, but I could not get things working 100% - finally scrapped and went through your video and presto everything is working, have my Iot and Cameras on separate vlans as well as my Guest Network. Tested, retested and everything is communicating as it should and blocked as it should.
I am getting a ton of DROP invalid State trigger events for various devices I have, mostly Apple ones (home pods, Apple TVs, iPads, iPhones) as well as some out door eufy cams. Within an hour I’m seeing 60 plus triggers, 95% are Apple devices. This seems excessive, but I’m unsure if this is anything to be concerned about.
I have read that can be common and a lot of times it’s from a malformed packet. I get a lot of those too. It has never presented an issue.
@@ethernetblueprint Thanks once again! I'll just ignore those and move on.
This is a GREAT tutorial, thank you very much. Do you see any value in having a separate WIFI for 2G IOT devices? I have about 60 of these devices to connect, and I wonder if they would conflict with 5G traffic at that volume.
Some IOT devices may require you to have an 2G network, but to keep things clean, I would try it without if first and only add if necessary... Make sure you don't have band steering turned on and you "should" be fine. The device is really what determines the need for an isolated 2g network in my experience.
Great video thanks. I am working with omada and they appear very similar.
But the firewall entry types are a labelled a little different. I have LAN->WAN, LAN->LAN and [WAN2] IN.
Would WAN IN be equivalent to LAN in on unifi?
But LAN->LAN only has the options of network to network rules and not IP groups. LAN->WAN has the source and destination options of IP groups. WAN IN has Network source greyed out. Your 1st rule would be WAN IN (ipgroup_any to ipgroup_any)? Looking at your rule for all Private IP groups, may I assume I need to choose LAN->WAN in this case? Many thanks
So I didn't create any WAN rules. If you saw them on my video, those were created by the system. If you are trying to recreate the rules I did in this video, I would think LAN-LAN would be the same as the LAN in Rules, but I don't know that for sure. That is just the one that makes the most sense to me.
Thanks for this great video but I have a question about the rule to block the IOT network from it's own gateway, why can't you just combine it into one group with the port group? It seems redundant to create a separate rule for this.
I actually need to test this a little more. I have a lot of people ask me this question and to be honest, this is the way I have always done it and have never just blocked the gateway. I will have to test and get back to the group!
Thank you! This is the bomb-diddly!!!!
I have attempted this in 3 prior efforts with compromised results. After testing, I am now convinced that my IoT is configured as I had hoped. Not being a Net Admin type, the explanations were matched nicely with the recipes. A fantastic balance!
An excellent time investment. Thank you again!!
One small suggestion that would have completed my setup .... the recipe to expose the printer on the default vlan to those connected to the Guest vlan. BUT, I have enough knowledge now (from the camera examples?) to try to pull that off. Did I learn to fish??? ;-)
Rel 8.1.127
Tried configuring the printer. Let it be used from the Guest vlan. Created the rule. It can't be moved above the "Drop All Private IP Communication" rule, as you stressed.
LAN Local, Accept, Source = Guest, Destination = Default, IPv4 for both, Match state = New, Established
Connect an iPad to Guest. Apps don't find a printer.
Thoughts? Suggestions?
Printing depends on a couple factors, but there are a couple of things you can try... However, I will warn you that not all printers play well with VLANs though...
1) make sure mDNS is enabled and is allowing the VLANs that need to talk to each other. Some printers use this to communicate with their devices
2) I would edit your rule and try the following... put the printer IP in an IP group by itself... then try the rule
'LAN Local, Accept, Source =Guest, Destination Port/IP Group and choose your printer... don't add the new, established... just leave that out...
Also make sure that your new printer rule is above the 'Drop all private IP' rules that you created earlier... They run in order and you don't want that the traffic blocked before it hits your rule.
Amazing tutorial! Thank you!
Glad it was helpful! Thanks!
Hi. Great video but one part confuses me one bit. At the 33:42 mark you add the 192.168.3.1 adress which I dont really know what it corresponds to. Was the 192.168.99.1 intended as the Guest VLAN Gateway? Other than that u made my configuration process a lot easier. Thank You.
You are correct... I am so sorry that was confusing. The 3.1 address was a mistake. That was supposed to be the 99.1 for the guest gateway... Sorry about that and good catch!
Thanks so much for a great video. I have tried for a while but now I finally have got my VLANs to work. I even used my knowledge from the video to figure out how to get all my Denon/HEOS stuff to work on the IoT! Much obliged!
Just two small question if you don’t mind though.
Should I not block access to the gateway from the guest network? I have tried to understand the rules ubiquity has given me but I don’t seem to find that?
Next a more general question. In the firewall rules from ubiquity there are 4 “accept” at the end. What good are they if no “drop” after them? Maybe I have misunderstood something?
I would make sure you block access to the gateway from your guest network.. (either with your own rules or the built in ones) If you hit the guest checkbox for that VLAN and let it do it for you, I believe it will block access to the gateway for you without you putting in any FW rules. It isolates that network and only allows guest to get the internet. Hope that helps!
Thanks you! This was so very helpful to assisting me in my basic setup. Great!
Glad it helped!
Hey Tim! Just found your channel, I have a bunch of UniFi gear and have been running it for years, but you have taught me quite a bit and this video right here has helped me figure a bunch of stuff out! As a thanks, I noticed that your audio is being done from a laptop/phone mic, which works, but, I have a set of lavaliers that I would love to send you as a thanks. But I couldn't DM you, Drop me a line back and I'll find a way to get them to you! Thank you for the great information!
Wow... Thanks... I actually use my earbuds, but I wouldn't mind trying out yours... email me at tim@ethernetblueprint.com if you like...
25:35 I can copy paste but I don’t understand. What is defined as “good traffic” and what is included in “established” and “related” ?
What if I add a new device to my network? Would that be considered as “not established” or “new” which is not tick marked so it won’t be able to communicate ?
What is an example of “invalid” communication ? 26:39
When one device talks to another device on a network, there is a string of bits that are in a certain order that make up a network packet that get sent back and forth. Network sessions between devices can get messed up for a lack of better description and so when the FW sees these sessions, it knows to just drop that traffic. 'Invalid' traffic primarily appear to be for an existing session but that do not have an already existing firewall session
No. It would be able to communicate just fine... (I will talk to Established and Related in original comment)
Established and Related and Invalid: I agree that this can be a little confusing. When looking at these factors, your FW is basically making sure the traffic going back and forth is allowed and that packets in the communication are what it expects to see. Invalid traffic for example might be from a stale network session that didn't get closed properly so the network packet has information in it that would flag it as "invalid". It is very common for this to happen and the FW knows to just drop it.
In the case Established and Related, when a device on one network (VLAN) is traveling through the firewall to talk to a device on another "restricted" network (VLAN), if that communication is allowed, and the network packet looks like it should, it will be seen as "good" and allow that communication to happen. When this occurs, that device on that first VLAN has now "Established" a communication. The "Related" portion basically allows that the device on that second "restricted" VLAN to respond back and answer to the first device...
So, the reason I include this in my firewall rules is because our default network is allowed to talk to other VLANs and this rule allows those other "restricted" VLANs to talk back... However, the "restricted" VLANs are not allowed to Establish a communication to our default network... That is blocked...
EXAMPLE: A phone on the default network can talk to an IOT device on the restricted network... And if the communication originates with the phone, the IOT device is allowed to talk back... Phone tells IOT device to turn on a smart light, IOT device says, "yes". However, traffic originating from the IOT network can NOT talk to the default network. The traffic has to originate from the default network for this to happen... That is basically what these rules are allowing to happen and why I add them... I want my default network to talk to other VLANs and be able to have them respond back... And I want to drop network packets that are deemed as "invalid"...
I hope that helps...
Great tutorial, but one question:
I followed your exact approach yet I'm able to ping other devices on the IOT network while on the IOT network. I thought that should have been blocked based on the rules? I'm using a new UCG Ultra running latest software.
With these rules, you should to be able to ping and communicate within the IOT VLAN. Thats normal. You shouldn’t be able to reach other VLANs or get to the IOT gateway on ports 80, 443 and 22. If you were to do device isolation, then you’d achieve what you’re talking about. Hope that makes sense.
Great video. I still fail to understand a point. We need to introduce a FW rule "Block IOT to other Gateways". Obviously, your machine inside the IOT network is able to connect/reach the gateway inside the default network. Therefore you need this rule. But I still fail to see why the FW rule "DROP ALL private IP communication" is not enough... Any observations/development on this point?
I understand the confusion. This is because of the type of rule it is... The "LAN in" rule is different than the "LAN Local" rules. The LAN In rules control intercommunication between VLANs. (ie. this device over here can not talk to this device over there) However, Unifi uses the LAN local rules to allow you to block local service services that run on the local device... (ssh, dhcp, https, dns, etc...). You almost have to think of accessing the web portal of the UDM as a service. You are going to an IP configured on the device (a gateway) and accessing a https page. So a LAN Local Firewall rule is required on the gateways (both its own gw and the other gw's) to block that traffic.
Note: With the rules I created in here to block traffic to other gateways, I chose to just block all ports - Kill ALL access to services on those GW IP addresses. However, I could have created the "block other gateways" rule to just block ssh, https and http like I did on the "blocking its own gw" rule. I hope that makes sense and helps you out a bit...
Thank you!! One question, when setting up your LAN LOCAL rules, why do you explicitly add DENY rules instead of explicitly adding ACCEPT rules with a default DENY at the end? This seems like the only place where you do not follow the "deny by default" best practice? This doesn't seem to scale with more networks (but maybe this is intentional for the video!).
Also, Unifi has a firewall option for "network type" of "Gateway IP Address", which I believe is the 192.168.x.1. Would you recommend using that Unifi default instead of creating the groups like "DROP IOT to its Gateway"?
Thank you!!!
You bring up a good point. Most of the home networks that are setup as on the smaller side so this ruleset works pretty well. For larger scale networks, your suggestion would work better for scale. Most of the reasons I do this this way is to be able to teach people who are newer to Unifi and Firewalls in general. Deny by default practices can more difficult to troubleshoot - especially if you are newer.
As far as your second question, I am not familiar with where that setting is to be able to answer your question. Sorry man!
Do you not recommend the Isolate Network checkbox in 8.3.32 (different from the Guest Network checkbox) on the Unifi VLAN (Network) configuration screen for the IOT network?
This is a valid point. That is one way to do it sure. Simple and fast. It will create a single Isolate rule in the FW rules.
(FW Rule it Creates)
Isolate IPv4 Traffic From Selected Subnets To Any Local Subnet, Drop, LAN In, All, 192.168.X.0/24, Any, (4 Networks), Any, 60001
If you needed to allow other VLANs to communicate with your IOT network, you could simply add your "allow" rules above this rule and they should communicate.
I simply wanted to point out how to make FW rules from scratch to accomplish to same thing so it helps people learn how the rules work.
@@ethernetblueprint Thanks!
Outstanding! Thank you!
You're very welcome!
Really useful tutorial. I'm new to Unifi and I'm sure I'll be configuring, resetting and reconfiguring things for awhile. I am updating my little home network mainly because my WAP is EoL and hasn't had an update in 2 years. I have been using an ERL for several years, which is a great little router, but I am using the WAP as an excuse to build an easier to manage network . I guess it's like Apple once you get into the Unifi ecosystem you're better off staying there. I bought an UDR and Lite 16 port switch to replace my existing switch, AP and router. I have the UDR and switch kinda hanging off my current setup so I can practice with it and not worry about getting my "users" upset. I plan on eventually adding APs to connect a shop and would be interested in ways to connect between buildings.
The VLAN stuff is very timely. I have stayed away from IoT devices because of security concerns. I'm hoping to get a good understanding how to control and secure things both internal and external. What I would like to see is a tutorial on best practices for setting up and securing the Ubiquiti VPN. I also would like to add a NAS to do my own cloud storage as well as local file, media and backup. Thinking about why, where and how to put a NAS on the network while being able to restrict access based on who and where the access is coming from all turns into a confusing mess quick.
Keep up the tutorials. I'm looking forward learning more. 👍
Thank you for tuning in. I think you will like the Unifi echosystem once you get used to it. But don't get me wrong, it definately has its painful moments. I haven't gone too deep into the VPN realm yet, but full intend on doing some videos on that. I know it is a hot topic. Unifi has been making some changes in that area as well. As far as a NAS goes, it really depends on what needs the most access. For me, my default network uses the NAS the most, so that is where I put it. I don't really have a need in my home to have any external devices talk to it so it works well for me there. But that is me. Hope your new direction goes well!
Also, as far as connecting to your shop, check out my Nanobeam point to point video. I plan on doing an update to that since that was made specifically for my brother in law, but that may push you in the right direction. Look at the Nanobeam 5AC from Ubiquiti for creating a wireless bridge to your outbuilding. They work awesome...
Thank you I tried to follow but I couldn’t get my Camaras to work. Should my nvr be in the iot network
I didn't make cameras a part of this video... when I do my next "refresh" of it, I will add them in just so people have a reference. Personally, I would recommend putting your cameras and NVR on their own Camera network... and not have them be on the IOT... But the situation, setup and types of cameras all can play into this decision... may need a little more info....
@@ethernetblueprint thank you for getting back to me. I’m retired military and I’ve had to install a rack of cameras around my house do problems with my neighbors. I have two cameras that are wired by ethernet and 10 g4 instant around the house. I really appreciate your video. It was the first time I’ve seen one that actually allowed me to understand and how it’s set up for firewall, etc. I looked at your website. I was gonna try emailing you but noticed that I couldn’t do that. My house is already constructed so adding ethernet connections for the remaining cameras would be way too expensive for me. I look forward to seeing you next video.
Just so you know, I do talk about cameras on the VLANs on a Unifi Switch video that I did recently... If you ever have any questions that need further explanation, email me at tim@ethernetblueprint.com and I will try to help where I can...
Thanks, that's a great tutorial. I am in the process of setting up my UDM Pro. VLANs and Firewall are next...
Awesome... best of luck to you!
Really good walkthrough!!!
Suggest doing a VPN network walkthrough.
Copy that. I will have to do a video on that...
Excellent and informative videos and explanations!!! Many thanks for all the effort!!! I set up my network following your instructions and work nicely. There is skmething i dont understand though; My default network it is supposed to have access (ping) all the vlans. After i followed your firewall rules it seems that i can ping only devices within the default network but no in the guest or IoT. Did i miss something?
Sounds like you missed something... There should be a LAN in rule to allow Default to ANY right before the block all rule... make sure that is in there and is correct.
@ethernetblueprint That's what I thought but can't figure out what i messed up probably. I have them in the following order: ALLOW established n related, DROP invalid, ALLOW default to all private and DROP all private to all private. The order is not right maybe?
That is correct. Why dont you email me at tim@ethernetblueprint.com and send me some screenshots and we’ll see if we can figure it out.
@@ethernetblueprint Much appreciated. I just emailed you a few details regarding this issue
All sorted! Many thanks! I had to re-do the firewall rules to make it work properly (no idea why)
Absolutely incredible video! I have a question on how you set up your pinters specifically. I read that putting them on their own VLAN is the way to go, and someone who is learning I would love to try and do that but I was having issues getting it to communicate with my other devices on my other VLANS. Do you have any recommendations on firewall rules or should I just throw it on the IOT VLAN?
Follow up question, with the rules I put in that video, if you did have them in the IOT VLAN, are you able to communicate with them from the main VLANs?
Tim, this was helpful to understand the importance of VLAN’s. I really want to do something similar but your comment about Sonos makes me not want to proceed. I am not qualified to troubleshoot any networking and I would just end up resetting everything back to default!
Sonos will work great if you put it in your default network with your phones... Typically that is what I recommend even though it is less secure.
I've watched a ton of these firewall setup videos but this one is probably the best at explaining what each setting does so thanks. The reason I keep watching them is I can't for the life of me get my macbook on VLAN 1 to talk to a Pi server on VLAN 2. It wont ping, it wont shh. But it will if I connect the wifi on the mac to the VLAN 2 wifi network. If followed every little detail in this video (which is almost identical to many others) and put in an allow rule for pi ip to talk to the mac ip. I've also tried it as a all VLAN 2 to all VLAN 1 rule. Still won't work. Hope that makes sense but is there any other gotchya that could be preventing this in unifi?
Do you have another device (non Mac) on VLAN 1, that you can’t try pinging the Pi server? Can your Mac ping other devices on VLAN2? If this is a “server” make sure the local firewall isn’t blocking the pings. I have seen that cause issues like this and people are troubleshooting the wrong device. If you want to email me at tim@ethernetblueprint.com, we can have a convo about some options.
Love your video I would love to see you corporate a cameras into that that’s gonna be figured in my mind and I’m really new at this so you did it really well love love to see it. Nice job.
In my home, I do have my cameras on their own VLAN and isolated from the other VLANS.
Nice walk through. Still following it and slowly setting things up but it is helping a lot. My only so far is I have the Cloud Gateway Ultra and in it the options are Guest Network and Isolate Network compared to your "Isolation" when setting up the guest vlan. Do I check both of these or just guest or just isolation ?
Unifi loves to change their own wording... For a guest network you can check either one... but you don't need to check both. If you check the Guest Network box, you will be able to setup a guest Portal page for your guests to use in the Hotspot manager... If you check Isolate Network box, then it will just lock it down and not give any additional guest portal features... Hope that makes sense!
@@ethernetblueprint Ha ha, thanks for the reply. I did end up checking both at the time I think.
Another new thing ive recently discovered is that when it comes to vLan if your using a switch other than a ubiquiti one there is no way to have some devices on vlan 1 and others on vlan 2 as they are all tagged on the vlan set in the port for untagged traffic.
Which is mildly annoying as I then need to pick up more of their kit, just to put something on a particular vlan instead of getting it and building in time.
Unless.... you happen to know of a way ? :D
amazing content one so far
Thanks for watching.