Can you do an access port for a Unifi switch port that links to a dumb switch that has a few devices plugged in? Assuming all of those devices (and the dumb switch) are supposed to be on the selected VLAN?
Yes. If you set up a port on the switch as an access port and plug a dummy switch into that port, devices plugged into that dummy switch will receive the IP info from the VLAN you assigned.
Question regarding the "tagged VLAN" block-all setting on the camera network. I am confused as to whether you were referring to the device (camera) being able to establish a connection outside its VLAN and/or a device on a different VLAN, say default, trying to connect to the camera (assuming the camera may be a third-party camera). So, what does block-all refer to in terms of a device establishing a TCP/IP connection?
Block all basically means that no other VLAN traffic will be delivered on that port. If you look at an AP for example, that single port plugged into the AP may have multiple different VLANs talking on it (each part of a different WiFi network). So the port needs to be configured to allow those VLANs to communicate through the port... However, a camera does not need more than just the camera VLAN traffic on it. Now, if a camera needs to talk to another VLAN, that is not done at the port level. It is done at the firewall level. So setting this port to "block-all" would not have any bearing on it communicating with other VLANs. I hope that helps!
First, like everyone mentioned, awesome video. Learned a lot. However, at 11:58 you mentioned "need to go back and fix it". I fall into that exact situation. What did you mean by that and how do you fix it? My Philips Hue Hub was already running on my network switch (Default) before I decided to create an IOT VLAN. I reconfigured the switch port following your video and tried to switch the PH Hub to run on my IOT VLAN. But in Client Devices it still shows it using an IP from my Default. Can you explain how to "fix it"? Thanks
I was simply stating at that point in the video that you want to create the VLANs first and then create the WiFi networks second; otherwise you'd have to go back into each of the WiFi networks and choose the VLAN afterwards to "fix it". To fix what you are talking about, you will need to make sure that the port the PH Hub is in is set to the IOT VLAN on the switch. See starting at about 31:40, when I talk about assigning a device to an access port. You also may have to reboot the hub because they don't always do a great job of just switching networks...
Thanks for the videos. Q: WiFi default security protocol: should I not be using the latest WPA3 on the default network and WPA2 on IOT? By default it is WPA2.
This really depends on your environment and devices... you could try it and see if anything breaks or has trouble connecting, and then use WPA2 as a fallback.
Question... I have a home network. I just bought a UniFi system for my home. I haven't started setting it up yet. I need to map out how this thing is going to be implemented. One of my questions is, I have a Synology NAS. This has multiple uses. I use its own security app for my 4 cameras around my house (PoE). I also use it to feed movies I have stored on it to my television downstairs. I also need to connect to it with my main Mac. The question is, would I put the NAS drive in a VLAN with the cameras? Or would I put it by itself and just set the permissions correctly to be able to communicate with all of the VLANs? And obviously it's one of those things that I need to connect to from outside of my home as well. This seems to be my most confusing part to map out. Thanks for any suggestions.
With the NAS, there are some things that can play into this decision. If you just have these functions running as apps on the Synology, then you can most likely create FW rules that will allow it to talk to whatever you want... no matter what network it is in. Where some of the limitations come in is when you have things running in containers, because there is less network flexibility there... If it has multiple NICs on it, it can actually be on multiple VLANs at the same time. I don't know that there is a right or wrong answer here. You may have to play around with it a bit and see what works the best.
@ethernetblueprint Thanks for the answer. I feel like I grasp a lot of this, but when it gets into firewall rules above what you're showing, it's a whole other language I can't understand. I'm trying, but the learning curve is pretty big.
I assigned all my devices to a VLAN but one of them is not listed in the IP Leases. It says I have 7 devices leased, 4 available, etc., but I only see 6 in the list. Is this a bug?
That is weird, because after I read this comment, I went and looked myself and it was still there... Are you going to unifi.ui.com to access the controller? I have heard that the local IP of the controller is limited...
Thanks for all your work!! It made me start changing my network to a VLAN network 😊 Just a question: on my CGM I can't see my switch (not Ubiquiti, not manageable), so do I need to buy a Ubiquiti switch to manage ports as you do in this video? By default it shows me, on port 3 of my CGM for example, one of the devices plugged into the switch (not Ubiquiti). Hope it's understandable from a French newbie 😂
You are quite welcome. The only way to get port-level information is to have a managed switch. If you elect to get a Unifi switch, then you will be able to manage it like I do in the video... If you buy a 3rd-party managed switch, it would have its own interface outside of Unifi, but you could see port-level information. To me, having all Unifi gear makes it the easiest; however, their switches aren't cheap.
Just wondering. If my Homebridge is on my Synology server, which I prefer not to park in the IoT VLAN, how do I make it talk to the smart home devices in the IoT VLAN without letting other devices access my Synology server? Newbie here so it's really confusing. Btw the videos are really really helpful. Thank you for all the guides.
Regarding ports... Is there a way to separate via MAC addresses? Our house and cabling would be too awkward to try to push everything to a specific physical port.
Adding the same reply to your questions: I got all your questions... you may need to email me at tim@ethernetblueprint.com and explain what it is that you are trying to accomplish, because I can't really figure that out based on your questions... I will do my best to help, but it sounds like you are trying to do some advanced settings and that makes your network very difficult to manage...
@ethernetblueprint Thanks for the quick answer. I was about to replace my old Wi-Fi 5 router with a real 2.5GbE + Wi-Fi 7 Ubiquiti network setup. But I read about U7 problems and downgraded my planned AP to the U6 Pro, while retaining a full 2.5GbE network backbone for my desktop computers and Plex server. Do you have any comments, insight, or news about the U7? Have you ever installed them, and did you experience problems with them yourself?
No you don't. You can set up your WLANs to match your VLANs however you like. You can also do pre-shared keys that allow you to have a single WiFi name with multiple passkeys tied to different VLANs. Lots of options here.
It does not. Just makes it easier to troubleshoot and setup VLANs if you plan to do that. You’ll have to configure the UDM and switch separately for your networks.
Thanks for the Saturday night response! 😊 I’ve been binge watching your videos all day. I’m still going to try to exchange the TP POE switch that I bought. I purchased it on July 19. They have a 30 day return policy. I’ll be there the morning of August 19 hoping they’re not good at math. Your videos are great! Thanks!
Question: In setting up your "networks", do they all have to be on the same subnet (192.168, 10.0, 172.16) or can they be mixed and you have to write rules for routing to the internet?
They can be whatever subnet you like. The rules I created in video 4 will work for anything you choose. The networks do have to be private IPs though... there are some IP addresses reserved for public networks. 192.168.X.X, 172.16.X.X and 10.X.X.X networks will work for this.
You just need to adjust the "Netmask" setting in the VLAN setup. /24 = 254, /23 = 512, and the number of clients goes up from there as you adjust in that direction.
When I did my setup it automatically set the default network to 192.168.0.1 and I can't change it to 192.168.1.1 because WAN1 is using the 192.168.1.1 address. I get the following error "Address overlaps with network Primary (WAN1) range 192.168.1.0 - 192.168.1.255. Please enter a unique address". Do I need to fix this, or just roll with 0.1 being the default.
The IP doesn't matter... you can roll with it... or you can pick a completely different subnet like a 10.X.X.X if you want. It really boils down to personal preference whichever IP addresses you want to use. If you do want to change it to a 192.168.1.1 to keep it easier for you, my last video about cutting over to a Unifi network covers that... at the end…
I am struggling to get my Sonos App to talk to my Lutron Caseta hub. When I plug them both into my switch, Lutron recognizes the Amp. Shortly after I plug the Amp into the switch (the way Caseta likes), the Amp loses connectivity. Any suggestions?
Hi Tim, so I set up my home network like you showed. Do I need a Unifi router to make this work? I went from a Verizon router to a 24-port PoE Unifi switch with 3 U6 Pro access points and 2 cameras. Thank you. The guest network seems to make all the WiFi drop offline.
What do I do? I have set up 18 VLANs. An error popped up stating: "You have reached the maximum number of WLANs per band (4) for all APs." This would be fine, except I didn't know that an entire WLAN would be locked to a single VLAN. I'd have thought they could be shared to similar networks I define... like a group or identifier. Am I wrong, and simply missing the option?
You can leave it selected. I just like to make my own selections and choices and not let the system do that for me. If checked, it will pick your settings like your network and DHCP scope for you...
I want to make sure we are talking about the same things. You’d like clarification on the UniFi Controller itself and the apps that can be installed on a controller (ie. Protect, Network, Talk…) is that correct?
This can be done... You would create your guest network WiFi and leave the password blank (it will show an error)... Then below in the advanced settings, choose Captive Portal in the Hotspot 2.0 setting... This will remove the password area above in the WiFi settings... Then hit Save. (Make sure you choose your guest VLAN from the dropdown above.) Next go to your captive portal and go to the Authentication tab (middle one on the right side of the screen) and make sure all of the options are unchecked. You can enable the Landing Page or disable it... that is up to you... If you disable it, then guests will just be allowed in without a password. If you enable it, then they will be redirected to your landing page and they will just need to click the button to enter... (but no password). Hope that helps!
Why does Ubiquiti insist that you never use the native VLAN, the default one listed as VLAN 1 at 192.168.1.0/24 by default? They say never to use that and leave it for hardware devices like all the Unifi devices. Is there a downside to throwing your secure devices into it? Some kind of latency or unwanted chatter?
I haven't heard that. I use 192.168.1.1 for my default VLAN all the time and rarely have issues. The only time it can cause issues is if you are plugging your Unifi Gateway into another router that has that same IP scheme... and even then, I think Unifi recognizes it and changes the IP address that it is using to avoid a conflict. However, I don't see any issue with it.
@ethernetblueprint Google Unifi's stance on using the native default VLAN and read about it. I can't see a downside other than exposing a security risk to unwanted devices plugging into your switch.
I can't find a single video on the web where someone is actually using L3 switch routing; it's FW rule, FW rule, FW rule. Unifi gateways have poor inter-VLAN throughput and can't route a 10GB session. Unless we keep all 10GB devices/servers/clients in the same VLAN we will never get close to 10GB throughput. Now we have ACLs... so we can keep this routing on the switch. The problem is firewall rules combined with ACLs when you have multiple networks, some routing on the switch, some routing on the gateway. I just can't believe nobody is doing content like that in a very simple fashion, similar to every video copying the same firewall rules to separate VLANs.
I may have to do a video on this then. I have never really done that kind of setup, and I think L3 switching confuses a lot of people new to Unifi, which is what a lot of my viewers are. You bring up some good points. I will just have to try it out and see what happens.
@ethernetblueprint For people who don't understand what an L3 switch really is, I'm sure it's confusing. However, many of us know, but Unifi's implementation is so awkward compared to what most of us know (IOS), and people like me who know just enough IOS to be dangerous in a corporate environment but fine for home networking. One issue we are starting to see more and more with Unifi users is mixed 10GB and 1GB networks. This is where L3 shines, obviously. I ended up just putting most all 10GB clients on the same VLAN even though it's likely less secure. My want or plan is to put every VLAN on the switch except for the default or management network. I couldn't quite grasp the ACLs in combination with FW rules in Unifi... I feel it would be easier to just keep all networks on the switch and operate inter-VLAN exclusively at the switch level. Anyways, I'm seeing more and more complaints of Unifi gateways not being able to route at appropriate speed for 10GB inter-VLAN clients; it's too taxing on the weak-ass ARM CPU. Perhaps I'll make the change in a year or so after it gains steam. Unifi's lack of documentation is the real struggle. For now my L3 switch is still a waste of money, but they tie SFP interfaces to L3, making you purchase them anyways.
I'm convinced you're right. I am ordering my new Pro Max 24 PoE switch right after the holiday and I will do a video (or maybe a couple) on this subject. I appreciate the suggestion, but you'll have to stay tuned. Cheers
@ethernetblueprint For sure, look forward to it. For 90% it won't matter, but for those of us that actually want and pay for that throughput? We buy 10GB appliances and outfit our clients with 10GB NICs... OF COURSE we want that speed, right! I've been using a Pro Max switch for a year but just in L2 "mode" because ACLs weren't available when I bought it. Don't get me started about Unifi's almost lawsuit-worthy claim that they have L3 switches... the product pages themselves were ALMOST lies. I digress.
Mine says "Address overlaps with network Teleport range 192.168.2.0 - 192.168.2.255. Please enter a unique address". Do you know what that means? I get it when I try to put in the host address when starting the VLAN.
Hmmm... I read that was an issue a couple years ago. Is your router up to date? I thought this was fixed with an update. Do you have any VPN information setup in your system?
Everything was updated and no VPN stuff yet. I just got my orders in the mail a couple of weeks ago and just started learning/configuring the firewall rules.
Because I haven't run into that myself, I honestly don't know why you would get that message. Maybe just pick a different IP range and keep things going... I'm sorry I don't know more on that.
This was awesome - way better than all of the other tutorial videos out there. I love the emphasis on setting everything up first and making sure it works before putting in the firewall rules.
I'm so glad that it helped. Thanks for watching!
I have to say, I've spent HOURS and HOURS and HOURS planning the rebuild of our current home network (there are 5 adults with multiple PCs/work PCs, IoT, cameras/mobile devices, etc., etc.) and was able to complete replacements with very little downtime. Today was the big change, adding in the Cloud Gateway Max. I had a couple of lessons learned (biggest rookie lesson? If you think a cable run needs to be 20ft, round up to 30').
I have to say these videos you've made have saved me SO much time and a configuration headache that might have made me return it all. This one and the Firewall rule video are LIFESAVERS for those of us that have just enough information to be dangerous.
Really, thanks so very much for all of the time you took to make these videos and pass on your experience to us.
Congrats on your upgrade... I think that is great.. I am super happy to hear that my videos helped you in some way... It is truly my pleasure making them!
I'm glad I found this video. I like how you carefully explained the significance of each step of installing the networks and VLANs. I really appreciate how you explained how Unifi classifies trunks and access ports. I haven't heard that explained before, and I've been using Unifi equipment for more than a few years. This explanation is awesome. So I'll be putting this into practice on the networks I've already set up, and this time, the VLANs will work. Thank you for taking the time to put this together.
Wow... Thank you very much. I'm pleased to hear that it helped you in some way... I enjoy making these. Happy Holidays!
The best explanation of vlans, access ports and trunk ports that I have found. Thank you!
That is very kind of you. Thanks! I'm glad that you found it helpful!
Please don't stop; Unifi is just a new experience you faced, and you saved us a lot of time and money.
I'm not stopping! Thanks for watching!
Wow, this is what I have been looking for. Your explanations are short, sweet and to the point. You get on track and stay with the topic at hand. No straying all over the place and getting into the weeds. A good place for newbs to learn. Get the basics now and build up to the technical. Great job!!!!
Appreciate it. I'm glad you found it helpful!
Just amazing. Best series on UNIFI out there!
Hey thanks! Very kind of you to say!
That naming of VLANs is clever AF! Huge thanks for that tip!
Awesome! Thanks for sharing!
You’re a great teacher! This was great and really helped me. Thank you.
So happy to hear that. It's my pleasure truly!
Just wanted to say thanks for these videos! I have been installing Unifi Protect camera systems for years. This week I redid the networks of two large churches with Dream Machines. Multiple VLANs and multiple SSIDs on both. Whenever I got stuck I watched one of your videos, so thanks again!
That is so great to hear. I am super happy I was able to help. I enjoy making them!
@ethernetblueprint I had been avoiding the UDM for a long time, a little pricey, but having full control of everything in one place is pretty cool.
That it is... Welcome to the Unifi world!
Thank you for explaining why the VLAN is jumped to 6; I didn't know you could use 2-5 for static IP addresses. Learn something new every day. Thank you for making this video series.
Glad it helped.
@Ethernet Blueprint; you are just simple magic! Thank you for this amazing Unifi newbie series👍😎
Wow... thanks a lot! I'm glad you enjoyed it!
Well thank you so much Tim. I have been watching your videos in preparation, and the day finally happened where I moved to my new home, purchased the gear and am going through the setup. This would be so overwhelming as a newcomer, but these videos and your interactions have really helped.
I am going to have my doorbell on WiFi, but based on what you showed, I think I understand what to do for the WiFi network.
Great! It is such a good feeling to be able to help my viewers. My doorbell is WiFi too and it works just fine. I think you will be happy with your new network... not to say that it doesn't come with its own headaches... but keep at it! Nice job!
Amazing explanation. You are a great teacher explaining these things. Will continue to watch the series :)
Thank you very much. That is very kind of you!
I'm so green; this was so needed... thank you Sir for helping a senior here with all this setup. So many questions I had, you've now answered on your other videos.
You are so welcome. I am glad they were helpful. I appreciate you watching!
Brilliant video series. Finally someone who can talk to the layman
I hope you find it helpful. Thanks for watching.
Thank you for doing this series and other videos on UniFi; they have helped me tremendously!!! So again, thank you.
You are quite welcome. I’m so glad it has helped you.
Just found this video series as I am getting into the Ubiquiti ecosystem for a new home. Very well explained. One thing I would change in my personal setup is if I setup a wifi network for IOT or cameras or whatever, these networks don't necessarily need to be broadcasted. It's probably best practice to hide the SSID of these networks, especially if you went through the trouble to separate them into VLANs for security.
That is a good callout. I will have to talk about that in a later video! Thanks!
Thanks. Your video solved all my problems and was easy to understand. I can set up my new and first Unifi router & AP now.
Congratulations! That is AWESOME. Welcome to Unifi!
This is the first time I think I kinda sorta understand VLANs. Thanks!
I'm glad you found it helpful! Thanks for watching!
This is an excellent set of tutorials....thanks so much
I’m glad you found it helpful.
Perfect. I like how you kept it simple and easy to follow. I now have VLANs set up for the first time. Hope you create a 201 level next.
When you say 201 level, I assume you mean that this video was more 101 level and the next video would take a little deeper dive... yes?
Thanks Tim. It would be good at some stage to produce a video of how to use a layer 3 switch to perform some routing, and why and when this is a useful approach.
I appreciate the suggestion. I personally have never used any layer 3 routing so I’d have to do my homework on that one. I have had that suggestion before too so I may need to look into that.
This video was on point. Thank you
Glad it was helpful! Thanks for watching!
Great video, thanks Tim.
Thank you. I hope you found it helpful!
Thank you! I followed everything to the letter; you made me able to understand and set up the VLANs, ISP PPPoE > USG PRO 4 > USW 8 > many UniFi APs, and everything works!! Following your guide I've understood many things. I've also set up the firewall rules to the letter and I've created more than one IOT VLAN. Maybe I need to set up some firewall rule because Home Assistant, located on the default network, doesn't see the devices that I've been able to register under WiFi with a pre-shared key called IOT. I think it's some firewall rule already made that is blocking, or maybe I need to add another specific rule for HM because the IPs of the devices are right in HM. I tried also accepting the traffic of "DROP IOT to Other Gateways" and also its Gateway, but it doesn't help.
Also, the server (where HM is located) is on my default network, 1.0.
I think you will want to put your Home Assistant inside the IOT VLAN too so it can see all the devices... Do you have it set up on a Raspberry Pi or??? I don't know how well they work for device discovery and control when the server is on a different VLAN than the devices...
Thanks! I followed everything to the letter and everything works!! And I understood a lot of things; the only thing that doesn't work is Home Assistant, located on the default network, which doesn't see the devices on the IOT networks. I think it's some firewall rule, because the addresses are correct in HM.
Thanks so much for your generosity.
Thanks for detailed instruction!
One small question: I got both UDM-Pro and PoE Pro Max 24 switch, which is layer 3. I'm not too sure which device to choose when setting up VLAN. Should I choose UDM-Pro? I assume UDM-Pro will communicate VLAN info to all other switches.
The UDM will be your layer 3 device. VLAN info will be communicated to your switch.
I like your videos and the way you explain a lot! One little thing: trunk does not mean ALL VLANs, it means multiple…
Do you have a video on the Unifi phone portfolio?
Thank you for watching. True statement. You are 100% correct... For the beginners, I didn't want to get too much into network pruning... Trying to keep the concepts simple. I personally haven't messed with the phones. If Unifi would start sending me free stuff to test, I would gladly broaden my videos, but I haven't cracked that nut yet. I buy everything I do videos on, so that limits my content for now...
Great vids and helping a lot as I’m getting ready to set up a proper network. Learning a lot.
8 months ago you spoke of private pre shared keys for passwords for your WiFi to vlans. Would you still suggest this - 3 different password for one WiFi (ssid) - or have 3 separate WiFi ssid’s correlating to their respective vlan?
For me, it’s easier to keep track of SSIDs, so I prefer that, but that’s just me. There’s no real downside unless you want to incorporate WPA3 which has some incompatibility to pre shared keys.
35:31 What if your cameras have static IPs? Will VLANS still work with devices that have static IPs or do they need to be changed to DHCP mode.
They will still work with static IPs... You would still just make your VLAN normally... Then, go into each device that has a static IP and reserve that IP so it isn't handed out in the DHCP scope... If all of your IPs are close together (ex. 192.168.1.4 - 192.168.1.10), then you can just set up the DHCP scope to not include those IPs... But that depends on your setup. All the VLANs will still work though. Just make sure the devices are put in the proper VLAN after you get them set up.
Will a SONOS group need an isolated VLAN, or allow it to talk with Default?
I typically put the Sonos on the same VLAN that your phones will use... Most times that is the default. In my experience, Sonos doesn't always play well with VLANs.
Can you do an Access Port for a Unifi switch port that links to a dumb switch that has a few devices plugged in? Assuming all of those devices (and the dumb switch) are supposed to be on the selected VLAN ?
Yes. If you set up a port on the switch as an access port and plug a dumb switch into that port, devices plugged into that dumb switch will receive the IP info from the VLAN you assigned.
Question regarding the "tagged VLAN" block-all setting on the camera network. I am confused in terms of whether you were referring to the device (camera) being able to establish a connection outside its VLAN and/or a device on a different VLAN, say Default, trying to connect to the camera (assuming the camera may be a third-party camera). So, what does block-all refer to in terms of a device establishing a TCP/IP connection?
The block all basically means that no other VLAN traffic will be delivered on that port. If you look at an AP for example, that single port plugged into the AP may have multiple different VLANs talking on it (each part of a different WiFi network). So the port needs to be configured to allow those VLANs to communicate through the port... However, a camera does not need more than just the camera VLAN traffic on it.
Now, if a camera needs to talk to another VLAN, that is not done at the port level. It is done at the firewall level. So setting this port to "block-all" would not have any bearing on it communicating with other VLANs. I hope that helps!
First, like everyone mentioned, awesome video. Learned a lot. However, at 11:58 you mentioned "need to go back and fix it". I fall into that exact situation. What did you mean by that and how do you fix it? My Philips Hue Hub was already running on my network switch (Default) before I decided to create an IOT VLAN. I reconfigured the switch port following your video and tried to switch the PH Hub to run on my IOT VLAN. But in Client Devices it still shows it using an IP from my Default. Can you explain how to "fix it"? Thanks
I was simply stating at that point in the video that you want to create the VLANs first and then create the wifi networks second otherwise you'd have to go back into each of the WiFi networks and choose the VLAN afterwards to "fix it".
To fix what you are talking about, you will need to make sure that the port the PH Hub is in is the IOT VLAN on the switch. Starting at about 31:40 when I talk about assigning a device to an access port. You also may have to reboot the hub because they don't always do a great job of just switching networks...
Thanks for the videos. Q: WiFi default security protocol. Should I not be using the latest WPA3 on the default network and WPA2 on IOT? By default it is WPA2.
This really depends on your environment and devices... you could try it and see if anything breaks or has trouble connecting, and then use WPA2 as a fallback.
Question… I have a home network. I just bought a UniFi system for my home. I haven't started setting it up yet. I need to map out how this thing is going to be implemented. One of my questions is, I have a Synology NAS. This has multiple uses. I use its own security app for my 4 cameras around my house (POE). I also use it to feed movies I have stored on it to my television downstairs. I also need to connect to it with my main Mac. The question is, would I put the NAS drive in a VLAN with the cameras? Or would I put it by itself and just set the permissions correctly to be able to communicate with all of the VLANs? And obviously it's one of those things that I need to connect to outside of my home as well. This seems to be my most confusing part to map out. Thanks for any suggestions.
With the NAS, there are some things that can play into this decision. If you just have these functions running as apps on the Synology, then you can most likely create FW rules that will allow it to talk to whatever you want... no matter what network it is in. Where some of the limitations come in is when you have things running in containers, because there is less network flexibility there... If it has multiple NICs on it, it can actually be on multiple VLANs at the same time. I don't know that there is a right or wrong answer here. You may have to play around with it a bit and see what works the best.
@ethernetblueprint thanks for the answer. I feel like I grasp a lot of this, but when it gets into firewall rules above what you're showing, it's a whole other language I can't understand. I'm trying, but the learning curve is pretty big.
It can be overwhelming, so I completely understand. Just take it slow and do it a step at a time. I'm confident you'll get there.
I assigned all my devices to a VLAN, but one of them is not listed in the IP Leases. It says I have 7 devices leased, 4 available, etc., but I only see 6 in the list. Is this a bug?
As of 2024-11-23, I don't see an option to rotate the topology (video around 4:05 minutes in). Without the rotate option it is quite annoying.
That is weird, because after I read this comment, I went and looked myself and it was still there... Are you going to Unifi.ui.com to access the controller... I have heard that the local IP of the controller is limited...
Thanks for all your work!! It made me start changing my network to a VLAN network 😊
Just a question: on my CGM I can't see my switch (not Ubiquiti, not manageable), so do I buy a Ubiquiti switch to manage ports as you do in this video? By default it shows me, on port 3 of my CGM for example, one of the devices plugged into the switch (not Ubiquiti).
Hope it's understandable from a French newbie 😂
You are quite welcome. The only way to get port-level information is to have a managed switch. If you elect to get a UniFi switch, then you will be able to manage it like I do in the video... If you buy a 3rd-party managed switch, it would have its own interface outside of UniFi, but you could see port-level information. To me, having all UniFi gear makes it the easiest; however, their switches aren't cheap.
@ethernetblueprint Thx so much for this answer!
Just wondering. If my Homebridge is on my Synology server, which I prefer not to park in the IoT VLAN, how do I make it talk to the smart home devices in the IoT VLAN without letting other devices access my Synology server? Newbie here, so it's really confusing.
Btw the videos are really really helpful. Thank you for all the guides.
Is your HomeBridge server running as a VM on the Synology or in Docker?
Regarding ports... Is there a way to separate via MAC addresses? Our house and cabling would be too awkward to try to push everything to a specific physical port.
Adding the same reply to your questions:
I got all your questions... you may need to email me at tim@ethernetblueprint.com and explain what it is that you are trying to accomplish, because I can't really figure that out based on your questions... I will do my best to help, but it sounds like you are trying to do some advanced settings, and that makes your network very difficult to manage...
Can we assign Vlan to ports of the flex mini or flex mini 2.5? Is this a managed or unmanaged switch?
Yes you can. All UniFi switches are managed. Even the switch that is built into the InWall AP can get VLANs.
@ethernetblueprint Thanks for the quick answer. I was about to replace my old Wi-Fi 5 router with a real 2.5GbE + Wi-Fi 7 Ubiquiti network setup. But I read about U7 problems and downgraded my planned AP to the U6 Pro, yet retaining a full 2.5GbE network backbone for my desktop computers and Plex server. Do you have any comments, insight, or news about the U7? Have you ever installed them, and did you experience problems with them yourself?
I have the U7 Pro in my home and haven't had any issues. Which problems are you referring to?
Sorry, wrong video, this was meant for video #6
All Good!
Do you need three WiFi networks with VLAN Magic?
No, you don't. You can set up your WLANs to match your VLANs however you like. You can also do pre-shared keys that allow you to have a single WiFi name with multiple passkeys tied to different VLANs. Lots of options here.
Thanks for the video! I have ordered a DM Pro. Does my secondary switch have to be Ubiquiti?
It does not. It just makes it easier to troubleshoot and set up VLANs if you plan to do that. You'll have to configure the UDM and switch separately for your networks.
Thanks for the Saturday night response! 😊 I’ve been binge watching your videos all day. I’m still going to try to exchange the TP POE switch that I bought. I purchased it on July 19. They have a 30 day return policy. I’ll be there the morning of August 19 hoping they’re not good at math. Your videos are great! Thanks!
Thanks so much! I appreciate you watching very much!
Question: In setting up your "networks", do they all have to be on the same subnet (192.168, 10.0, 172.16) or can they be mixed and you have to write rules for routing to the internet?
They can be whatever subnet you like. The rules I created in video 4 will work for anything you choose. The networks do have to be private IPs though... there are some IP addresses reserved for public networks. 192.168.X.X, 172.16.X.X and 10.X.X.X networks will work for this.
Very good video and helpful. If you need more than 254 IPs, how can you set that up?
You just need to adjust the "Netmask" setting in the VLAN setup. /24 = 254, /23 = 512, and the number of clients goes up from there as you adjust in that direction.
@ethernetblueprint Thank you for the help
Do you happen to have any videos covering "Unifi Identity"?
Adding the same reply to your questions:
I got all your questions... you may need to email me at tim@ethernetblueprint.com and explain what it is that you are trying to accomplish, because I can't really figure that out based on your questions... I will do my best to help, but it sounds like you are trying to do some advanced settings, and that makes your network very difficult to manage...
When I did my setup it automatically set the default network to 192.168.0.1, and I can't change it to 192.168.1.1 because WAN1 is using the 192.168.1.1 address. I get the following error: "Address overlaps with network Primary (WAN1) range 192.168.1.0 - 192.168.1.255. Please enter a unique address". Do I need to fix this, or just roll with 0.1 being the default?
The IP doesn't matter... you can roll with it... or you can pick a completely different subnet like a 10.X.X.X if you want. It really boils down to personal preference whichever IP addresses you want to use.
If you do want to change it to a 192.168.1.1 to keep it easier for you, my last video about cutting over to a Unifi network covers that... at the end…
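The three things that come up in the subnet questions above (the subnet has to be a private range, it cannot overlap an existing network such as WAN1 or Teleport, and the netmask decides how many client addresses you get) can be checked before you click Save. The following is an added example written for this page, not code from the video, from UniFi or from any commenter; the existing networks and candidate subnets are constructed samples named after the ones in the thread, and the check is IPv4 only.

```python
# Added example (not from the video, UniFi, or the commenters): pre-flight
# checks for a proposed UniFi VLAN subnet using the standard ipaddress module.
import ipaddress

# Constructed sample of networks that already exist on the gateway.
EXISTING_NETWORKS = {
    "Primary (WAN1)": ipaddress.ip_network("192.168.1.0/24"),  # upstream router LAN
    "Teleport": ipaddress.ip_network("192.168.2.0/24"),        # VPN client range
}

# RFC 1918 private ranges; a LAN/VLAN should live inside one of these.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def as_network(host_or_cidr):
    """Accept '192.168.5.1/24' (gateway host address plus mask, the way the
    UI takes it) or an already-built network; return the containing network."""
    if isinstance(host_or_cidr, ipaddress.IPv4Network):
        return host_or_cidr
    return ipaddress.ip_network(host_or_cidr, strict=False)


def usable_hosts(host_or_cidr):
    """Addresses a client can actually get: total minus network and broadcast
    (/24 -> 254, /23 -> 510, /22 -> 1022)."""
    net = as_network(host_or_cidr)
    return max(net.num_addresses - 2, 0)


def is_private(host_or_cidr):
    """True when the whole subnet sits inside one RFC 1918 range."""
    net = as_network(host_or_cidr)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def overlapping_network(host_or_cidr, existing=EXISTING_NETWORKS):
    """Name of the first existing network that overlaps the candidate, else None."""
    net = as_network(host_or_cidr)
    for name, other in existing.items():
        if net.overlaps(other):
            return name
    return None


def check_vlan_subnet(host_or_cidr, existing=EXISTING_NETWORKS):
    """Return a list of problems; an empty list means the subnet is usable."""
    try:
        net = as_network(host_or_cidr)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if not is_private(net):
        problems.append(f"{net} is not an RFC 1918 private range")
    clash = overlapping_network(net, existing)
    if clash is not None:
        rng = existing[clash]  # same wording as the error quoted in the thread
        problems.append(f"Address overlaps with network {clash} range "
                        f"{rng[0]} - {rng[-1]}. Please enter a unique address")
    if usable_hosts(net) < 2:
        problems.append(f"{net} leaves no room for clients")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.1.1/24", "192.168.99.1/24", "192.168.4.1/23", "8.8.8.1/24"):
        print(candidate, usable_hosts(candidate), check_vlan_subnet(candidate) or "OK")
```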
I am struggling to get my Sonos App to talk to my Lutron Caseta hub. When I plug them both into my switch, Lutron recognizes the Amp. Shortly after I plug the Amp into the switch (the way Caseta likes), the Amp loses connectivity. Any suggestions?
Are these devices on the same network/VLAN? Is the Sonos App supposed to work with a Lutron hub? I have never heard of that before.
Hi Tim,
so I set up my home network like you showed. Do I need a UniFi router to make this work?
I went from a Verizon router to a 24-port PoE UniFi switch with 3 U6 Pro access points and 2 cameras.
Thank you. The guest network seems to make all the WiFi drop offline.
Well, sorta. The router/gateway is where all the VLANs are created, so you do need a router that is capable of that. The Verizon router is not.
What do I do?
I have set up 18 VLANS.
An error popped up stating: "You have reached the maximum number of WLANs per band (4) for all APs."
This would be fine, except I didn't know that an entire WLAN would be locked to a single VLAN. I'd have thought they could be shared to similar networks I define... like a group or identifier. Am I wrong, and simply missing the option?
Adding the same reply to your questions:
I got all your questions... you may need to email me at tim@ethernetblueprint.com and explain what it is that you are trying to accomplish, because I can't really figure that out based on your questions... I will do my best to help, but it sounds like you are trying to do some advanced settings, and that makes your network very difficult to manage...
Thank You
You are quite welcome - I hope it helped!
Why do you uncheck auto-scale network? What does it do if we don't uncheck it?
You can leave it selected. I just like to make my own selections and choices and not let the system do that for me. If checked, it will pick your settings like your network and DHCP scope for you...
In the new version I found it automatically created VLAN 4040. Why is that?
I would have to know about your setup, but I know Unifi used 4040 as a transit VLAN if you have other routing in place. Do you have layer 3 switches?
Awesome video series. Why don't you have a camera WiFi network, e.g. for the G4 Instant? Thank you
So happy to do so. Thanks for watching.
Why did you make the guest VLAN .99 instead of .5 or .6?
Yes, why?
That is just personal preference - it could have just been 5 or 6 like you mentioned... It makes it easier for me to spot guest devices on the network...
@ethernetblueprint oh I see! Thank you.
Hi, Can you make a video on the difference between unifi installer, controller and other apps?
I want to make sure we are talking about the same things. You’d like clarification on the UniFi Controller itself and the apps that can be installed on a controller (ie. Protect, Network, Talk…) is that correct?
@ethernetblueprint Yes, you are right.
I will see what I can do.
Please guide me how to set up Wifi for guests without a password. Thank you
This can be done... You would create your guest network WiFi, leave the password blank (it will show an error)... Then below in the advanced settings, choose Captive Portal in the Hotspot 2.0 setting... This will remove the password area above in the WiFi settings... Then hit Save. (make sure you choose your guest VLAN from the dropdown above)
Next, go to your captive portal and go to the Authentication tab (middle one on the right side of the screen) and make sure all of the options are unchecked. You can enable the Landing Page or disable it... that is up to you... If you disable it, then guests will just be allowed in without a password. If you enable it, then they will be redirected to your landing page and they will just need to click the button to enter... (but no password)
Hope that helps!
Why does Ubiquiti insist that you never use the native VLAN, the default one listed as VLAN 1 at 192.168.1.0/24 by default? They say never to use that and leave it for hardware devices like all the Unifi devices. Is there a downside to throwing your secure devices into it? Some kind of latency or unwanted chatter?
I haven't heard that. I use 192.168.1.1 for my default VLAN all the time and rarely have issues. The only time it can cause issues is if you are plugging your Unifi Gateway into another router that has that same IP scheme... and even then, I think Unifi recognizes it and changes the IP address that it is using to avoid a conflict. However, I don't see any issue with it.
@ethernetblueprint Google UniFi's stance on using the native default VLAN and read about it. I can't see a downside other than exposing a security risk to unwanted devices plugging into your switch.
I may have to check that out!
I can't find a single video on the web where someone is actually using L3 switch routing; it's FW rule, FW rule, FW rule. UniFi gateways have poor inter-VLAN throughput and can't route a 10GB session. Unless we keep all 10GB devices/servers/clients in the same VLAN, we will never get close to 10GB throughput. Now we have ACLs... so we can keep this routing on the switch. The problem is firewall rules combined with ACLs when you have multiple networks, some routing on the switch, some routing on the gateway. I just can't believe nobody is doing content like that in a very simple fashion, similar to every video copying the same firewall rules to separate VLANs.
I may have to do a video on this then. I have never really done that kind of setup, and I think L3 switching confuses a lot of new people on UniFi, which is what a lot of my viewers are. You bring up some good points. I will just have to try it out and see what happens.
@ethernetblueprint For people who don't understand what an L3 switch really is, I'm sure it's confusing. However, many of us know, but UniFi's implementation is so awkward compared to what most of us know (IOS), and people like me who know just enough IOS to be dangerous in a corporate environment but fine for home networking.
One issue we are starting to see more and more with UniFi users is mixed 10GB and 1GB networks. This is where L3 shines, obviously. I ended up just putting most all 10GB clients on the same VLAN even though it's likely less secure. My want or plan is to put every VLAN on the switch except for the default or management network. I couldn't quite grasp the ACLs in combination with FW rules in UniFi... I feel it would be easier to just keep all networks on the switch and operate inter-VLAN exclusively at the switch level.
Anyways, I'm seeing more and more complaints of UniFi gateways not being able to route at appropriate speed for 10GB inter-VLAN clients; it's too taxing on the weak ass ARM CPU.
Perhaps I'll make the change in a year or so after it gains steam. UniFi's lack of documentation is the real struggle. For now my L3 switch is still a waste of money, but they tie SFP interfaces to L3, making you purchase them anyway.
I'm convinced you're right. I am ordering my new ProMax 24 POE switch right after the holiday and I will do a video (or maybe a couple) on this subject. I appreciate the suggestion, but you'll have to stay tuned. Cheers
@ethernetblueprint For sure, look forward to it. For 90% it won't matter, but for us that actually want and pay for that throughput? We buy 10GB appliances and outfit our clients with 10GB NICs... OF COURSE we want that speed, right! I've been using a Pro Max switch for a year but just in L2 "mode" because ACLs weren't available when I bought it. Don't get me started about UniFi's almost lawsuit-worthy claim they have L3 switches... the product pages themselves were ALMOST lies. I digress.
Mine says "Address overlaps with network Teleport range 192.168.2.0 - 192.168.2.255. Please enter a unique address". Do you know what that means when I try to put in the host address when starting the VLAN?
Hmmm... I read that was an issue a couple years ago. Is your router up to date? I thought this was fixed with an update. Do you have any VPN information setup in your system?
Everything was updated and no VPN stuff yet. I just got my orders in the mail a couple of weeks ago and just started learning/configuring the firewall rules.
Because I haven't run into that myself, I honestly don't know why you would get that message. Maybe just pick a different IP range and keep things going... I'm sorry I don't know more on that.