Why, when you are creating firewall rules, is the direction for both rules LAN In? When your VLANs go to the remote side it is OK, it's LAN In, but when the remote VLANs come to your LAN it is LAN Out, isn't it?
Hi there, have you managed to connect an AWS VPN to a UDM? I am struggling with this.
I like your "style" of doing things in UniFi security-wise
Thank you for watching!
Would you consider making a video going over firewall rules to allow traffic in only one direction over the site-to-site VPN? I can't seem to figure it out. I want to be able to reach the remote subnet from local, but remote shouldn't be able to reach my local subnet.
Awesome video! Love the explanation on the firewall rules, super helpful - great job!
Thank you so much! Much appreciated
Good video, thanks. When you set up the firewall rules to allow traffic, does that mean that all the traffic from that subnet will always go through the VPN? Or do you need a rule saying everything from subnet x will always go through the VPN (and not through the local gateway)?
Tech Me Out, this video absolutely helped me out. Thanks!
Why can't you block all inter-VLAN routing by blocking from RFC1918 to RFC1918 on both sides? This will create an implicit deny.
Anybody having issues resolving the Windows DNS service to site-to-site remote subnets? My config works like this video; however, the DNS (53 UDP) or HTTP (80) service is not getting any response from the source server in the origin site. I assume it's more related to inter-VLAN rules, but none of the suggested rules work for me!!
Thanks for the video! Question: do you know if we could have a tunnel between a site that has a static IP and another that has a dynamic one? I wonder if UniFi has a setting for that one-way authentication config. I asked support but they seem not to understand my question. Thanks in advance!
Thanks for watching. I understand your question, but the simple answer is that, unlike other vendors, in UniFi the VPN is being kept very basic and thus there is no one-way initiation of the VPN tunnel. What's more annoying is the fact that Ubiquiti has chosen to only allow IP addresses in the host field; if they were to support hostnames or FQDNs we would at least have the option to use DDNS hostnames. Annoying.
In my experience it will work with dynamic; however, as you know, the dynamic IP will change, so if it does then your tunnel will stop working until you change to the new IP that has been given on the dynamic side.
Does it matter if both devices are on the same console?
What do you mean by on the same console?
It's a great method you've got there, but it's funny how much hard work you need to do, whereas in Fortigate firewalls the default is that no traffic can flow on the tunnel unless you define firewall rules. Ubiquiti are so weird for not doing it by default.
Your block-all rules don't block access to the gateway itself, so the VPN site can access the local site gateway and potentially control it.
Exactly what I was looking for. Thanks!
Glad it was helpful!
If you just block all RFC 1918 to all RFC 1918 traffic it would stop inter-VLAN traffic in one rule. You also don't block access to other gateways or access to the controller management console or SSH.
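Several comments above circle the same three points: how to allow traffic in only one direction over the site-to-site tunnel, whether a single RFC 1918 to RFC 1918 block rule can replace per-VLAN block rules, and the fact that a gateway which accepts by default lets tunnel traffic flow until a rule says otherwise. The following toy stateful firewall is an added example written for this page; it is not UniFi code and not from the video. All subnets, hosts and ports are constructed sample values. It shows why the one-direction ruleset needs an "established/related" accept rule ahead of the block rule (the reply to a locally initiated connection would otherwise be dropped by the catch-all), and that a block of all private-to-private traffic also covers a packet aimed at the gateway's own private address, but only because that address falls inside the rule's destination group.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; none of these values come from the video.
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")   # local site VLAN
LOCAL_IOT = ipaddress.ip_network("192.168.30.0/24")   # a second local VLAN
REMOTE_LAN = ipaddress.ip_network("192.168.20.0/24")  # subnet behind the site-to-site tunnel
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: list                       # list of ip_network objects
    dst: list
    states: frozenset = frozenset({"new", "established", "related"})


def in_any(nets, ip):
    return any(ip in n for n in nets)


class StatefulFirewall:
    """Rules are checked top to bottom on traffic entering the gateway.
    The default policy is accept, modelling a gateway that permits inter-VLAN
    and tunnel traffic unless an explicit rule blocks it."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # (src, dst, dport) of accepted new connections

    def state_of(self, pkt):
        # Simplified connection tracking: a packet whose (dst, src) pair mirrors an
        # accepted flow is treated as belonging to that established flow.
        if any(s == pkt.dst and d == pkt.src for s, d, _ in self.flows):
            return "established"
        return "new"

    def evaluate(self, pkt):
        state = self.state_of(pkt)
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for rule in self.rules:
            if state in rule.states and in_any(rule.src, src) and in_any(rule.dst, dst):
                if rule.action == "accept" and state == "new":
                    self.flows.add((pkt.src, pkt.dst, pkt.dport))
                return rule.name, rule.action
        return "default-policy", "accept"


def one_direction_rules():
    """Local site may open connections to the remote site, not vice versa; one
    RFC 1918 catch-all then drops every other private-to-private flow."""
    return [
        Rule("allow-return-traffic", "accept", ANY, ANY, frozenset({"established", "related"})),
        Rule("allow-local-to-remote", "accept", [LOCAL_LAN], [REMOTE_LAN], frozenset({"new"})),
        Rule("drop-private-to-private", "drop", RFC1918, RFC1918),
    ]


def run_scenario(rules=None):
    """Feed a constructed packet sequence through the firewall in order and
    return, per packet, the rule that decided it and the resulting action."""
    fw = StatefulFirewall(rules if rules is not None else one_direction_rules())
    traffic = [
        ("local->remote SMB", Packet("192.168.10.50", "192.168.20.50", 445)),
        ("remote reply", Packet("192.168.20.50", "192.168.10.50", 51000)),
        ("remote->local SSH", Packet("192.168.20.60", "192.168.10.50", 22)),
        ("remote->local gateway HTTPS", Packet("192.168.20.60", "192.168.10.1", 443)),
        ("spoofed reply", Packet("192.168.20.70", "192.168.10.50", 51000)),
        ("local inter-VLAN", Packet("192.168.10.50", "192.168.30.20", 80)),
        ("local->internet", Packet("192.168.10.50", "1.1.1.1", 443)),
    ]
    return {label: fw.evaluate(pkt) for label, pkt in traffic}


if __name__ == "__main__":
    for label, (rule, action) in run_scenario().items():
        print(f"{label:30} {action:6} ({rule})")
    # Same rules without the catch-all: the remote-initiated SSH falls through to accept.
    print("without catch-all, remote->local SSH:",
          run_scenario(one_direction_rules()[:2])["remote->local SSH"])
```

Run with the full ruleset, only the locally initiated SMB flow and its reply are accepted, the remote-initiated SSH, the packet to the gateway address and the unsolicited "reply" are all dropped by the single catch-all, and Internet-bound traffic is untouched because its destination is not private. Dropping the third rule shows the default-accept behaviour the Fortigate comparison complains about: remote-initiated traffic passes because nothing says otherwise. Real gateways also track ports, protocols and UDP/ICMP specifics that this model leaves out.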