WOW that's by far the best unifi firewall video to date! amazing job Frank! I especially liked how you make everything so easy to understand like the lan in, out and local which are always a bit tricky to understand if you are new to unifi firewalls
Thanks, Avi! Appreciate you watching!
Great explanation of the Ubiquiti firewall rules. I am in the process of setting up rules on my new home system. Thank you for the video!!!!
easily the best explanation to date regarding edge cases for LAN OUT, why it’s the only effective solution for blocking Wireguard to Vlans, etc.
These videos are gold. I've had my server rack running since August, and some things you dive into I'd have realized quicker if these vids had been available (i.e., UniFi's terminology for setting a port to access and restricting all other VLANs on that port).
Thank you very much! Appreciate the kind words!
Finally understood when LAN Out is being used!!! 🎉🎉🎉 Thank you Frank ❤️
Both this one and the previous video are great. I am planning to put in a Ubiquiti network (hopefully sometime this year), but I'm planning to have a big chunk of the basement refinished and move my office down there, then put the rack where my office is now, so who knows when :)
This is a great video explaining "How" Firewall rules work. Most videos just tell you to do this and do that. They do not explain what the rules themselves are doing. Great job on explaining this in a way that every day people can understand.
My SOP is whenever I have a Block rule, under "Advanced" I change it from "Auto" to "Manual" and turn on Logging. This will then create a log record in my Triggers Log that will show me any traffic that has been blocked. This way if I see something in the logs that is getting blocked that I do want to Allow, then I can either modify the Block rule or add an Accept rule for that traffic above the Block rule.
On the Lan Local Block rule to the UDM, I use ports 80, 8080, 443, and 22. I put 8080 in there for "HTTP" and 80 for "HTTPS". Most people do not use 8080 but I would rather have all my bases covered and NOT assume that a browser will only use port 80 for HTTPS.
Thank you very much! Great input!
Excellent video and very well explained. Thanks
This is a really cool concept, firewalls using UniFi. I think a really great video idea would also be an explanation of the Safing Portmaster software for Windows, especially when it comes to the self-hosting angle: what needs to be allowed, what doesn't, how to block requests that aren't needed, etc.
Along with your videos on the UniFi firewall and AdGuard DNS, a Portmaster Windows firewall explainer video would give great coverage overall.
Thanks, that was well needed. We just moved from a Meraki to a UniFi network and were having issues with blocking my VPN from accessing the unwanted part of the network.
Another great video. Thanks for the information, much appreciated 👍🏻
So well explained, excellent video, thank you. One rule I'd like to have seen is rules around Site Magic VPNs; are they also LAN Out rules?
Thank you! I haven't used the Site Magic VPN (probably should try it now that you mention it), but if it works like the others, it would be a LAN Out rule. I say that with the disclaimer though that I'm not positive, but if I do a video on it, I will definitely bring up the VPN rules and how they're used.
OK, thanks, will give it a try.
Thanks for this video. Your LAN Out VPN rules: would these apply when using Site Magic?
I haven't tested it with Site Magic, but I'd imagine that that's how it's done.
Thanks for a very clear and well explained video. In the Internet In traffic rule section did you actually need the DROP RDP rule? I only ask this as there is a BLOCK rule further on down Block All Other Traffic that appears to be doing the same thing.
Thanks! I have to check the order later, but from what I remember, those are the default rules Ubiquiti applies - meaning the port forward created a default "allow" rule for the whole world, and without the deny rule I created, that would be the next rule to apply, so everyone in the world would be able to access it before the other ports get blocked.
Yes, that's why. The "Allow Port Forward" rule is above the "Block All Other Traffic" rule, so the "DROP RDP" rule blocks all the traffic before it can get to that. If you were doing this for real (I just did this as a demo for the firewall), you'd limit the actual traffic down on the port forwarding rule (if it was only one IP like this example).
I like to add a rule to drop all LAN-to-LAN communication and add specific allow rules above it.
Thanks for a really good video.
Thank you very much!
Do you have any information on how to use the new Zone based firewall system?
I am trying to block a device from internet access.
@wundertech wouldn't it just be easier to call LAN Local traffic "WAN-facing traffic"? It's destined for the WAN? Or am I missing something? Not too familiar with UniFi.
Not exactly. It's traffic that originates from a LAN device, trying to get to something running on the UniFi firewall itself, like a DNS server, a VPN server, etc.
@WunderTechTutorials Ahh, gotcha.
Would I be correct to say I can use an Internet Out rule to allow site-to-site VPN traffic to access the mobile fleet L2TP? E.g. Internet Out -> allow/accept -> Protocol = UDP -> Source: Type = IP Address -> IPv4 = static WAN address of the UDM SE (configured on site-to-site) -> Destination: Type = IP Address -> IPv4 = mobile unit VPN connection (L2TP).
Edit: Using UniFi-hosted VPN servers.
I think it might be the opposite - having to allow traffic on the other side, but without having physical access, it's hard to say for certain. You'll have to isolate where the traffic is being blocked.
I can't enter source IP addresses with CIDR. I see you have /24 addresses there. How do you enter them?
Are you using advanced rules, and are you using IP groups?
I've looked everywhere and copied everything to a T. Yet I can still ping devices on my default network when I'm accessing from the VPN. My VPN IP subnet is 10.0.4.1/24 and my default subnet is 10.0.1.0/24. I've done everything you mentioned in the video. Is there anywhere I'm going wrong?
You'd create a LAN Out rule that drops traffic from 10.0.4.0/24 to 10.0.10.0/24 if you want to drop traffic from the VPN subnet to the LAN subnet.
Believe me, I've tried this. It does not want to work. I can still ping the gateway as a VPN client.
@joshuaedo07 Not sure what else it can be then, to be honest. All of my VPN rules are always LAN Out and I've never had a problem.
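Added example, not from the video or any commenter: a simplified first-match rule evaluator that models the two ordering points raised in this thread, the manual DROP RDP rule sitting above the auto-generated Allow Port Forward rule in the Internet In reply above, and the LAN Out drop from the VPN subnet to the LAN in this sub-thread. Rule names and the 10.0.1.0/24 and 10.0.4.0/24 subnets come from the comments; the forwarded host 10.0.1.50, the client address 203.0.113.7, TCP port 3389 for RDP and the per-ruleset default action are assumptions, and UniFi's real rule engine is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.1.0/24")        # default network from the thread
VPN = ipaddress.ip_network("10.0.4.0/24")        # VPN client subnet from the thread
RDP_HOST = ipaddress.ip_network("10.0.1.50/32")  # constructed: the port-forwarded host

# Fallback when nothing matches, per the replies in the thread: Internet In is
# blocked by default, LAN traffic is allowed by default (an assumption of this model).
DEFAULT_ACTION = {"Internet In": "drop", "LAN Out": "accept"}

@dataclass
class Rule:
    name: str
    ruleset: str                      # "Internet In" or "LAN Out"
    action: str                       # "accept" or "drop"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None       # None = any protocol
    dport: Optional[int] = None       # None = any destination port

    def matches(self, ruleset, src, dst, proto, dport):
        return (self.ruleset == ruleset
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def evaluate(rules, ruleset, src, dst, proto, dport=None):
    """First matching rule wins, top to bottom; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(ruleset, src, dst, proto, dport):
            return rule.action, rule.name
    return DEFAULT_ACTION[ruleset], "(default)"

# Ordering as described in the thread: DROP RDP above the auto-generated
# Allow Port Forward rule, which is above Block All Other Traffic.
RULES = [
    Rule("DROP RDP", "Internet In", "drop", proto="tcp", dport=3389),
    Rule("Allow Port Forward", "Internet In", "accept", dst=RDP_HOST, proto="tcp", dport=3389),
    Rule("Block All Other Traffic", "Internet In", "drop"),
    Rule("Block VPN to LAN", "LAN Out", "drop", src=VPN, dst=LAN),
]

def rdp_from_internet(rules=RULES):
    # 203.0.113.7 is a constructed documentation-range Internet client
    return evaluate(rules, "Internet In", "203.0.113.7", "10.0.1.50", "tcp", 3389)

def vpn_ping_to_lan(rules=RULES):
    return evaluate(rules, "LAN Out", "10.0.4.20", "10.0.1.10", "icmp")
```

Evaluating `rdp_from_internet(RULES[1:])` shows what happens when the manual drop rule is removed: the port-forward allow rule matches first and the connection is accepted before Block All Other Traffic is reached.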
It's missing IPv6 :(
Same principles apply, just different IPs!
IPv6 was future, is future and will be future ;-)
Funny enough, after I clicked the box to isolate a VLAN, it blocks traffic in both directions.
That's very strange. Any other firewall rules added?
@WunderTechTutorials Nope, just the one that blocks traffic from IoT to other networks. I had to put an "any established and related" rule above it in order to connect to my NAS, which is in the IoT network.
Why are you saying "UniFi doesn't block by default"? How about the rule "Block all other traffic"? Rule 20001 seems to be redundant to the rule with ID "Final rule for this type"...
With a default setup, all traffic is allowed and must be narrowed down (blocked).
@WunderTechTutorials Rule 6 from the top at 19:00 in the video: "Block All Other Traffic"... Drop | Internet In | from Any/Any | to Any/Any.
Or do you mean "all traffic" as "LAN only" traffic? Or am I missing something?
Sorry, I thought you meant on the LAN. For the Internet (Internet in), all traffic is blocked by default and allowed in through port forwarding.