Finally understood when LAN Out is being used!!! 🎉🎉🎉 Thank you Frank ❤️
WOW, that's by far the best UniFi firewall video to date! Amazing job, Frank! I especially liked how you make everything so easy to understand, like LAN In, Out and Local, which are always a bit tricky to understand if you are new to UniFi firewalls.
Thanks, Avi! Appreciate you watching!
Easily the best explanation to date regarding edge cases for LAN OUT, why it's the only effective solution for blocking WireGuard to VLANs, etc.
These videos are gold. I've had my server rack running since August and some things you dive into I'd have realized quicker if these vids had been available (i.e., UniFi's terminology for setting a port to access and restricting all other VLANs on that port).
Thank you very much! Appreciate the kind words!
Excellent video and very well explained. Thanks
This is a really cool concept, firewalls using UniFi. I think a really great video idea would also be an explanation of the Safing Portmaster software for Windows, especially when it comes to the self-hosting angle: what needs to be allowed, what doesn't, how to block requests that aren't needed, etc.
Along with your videos on the UniFi firewall and AdGuard DNS, a Portmaster Windows firewall explainer video would give great coverage overall.
Thanks, that was well needed. We just moved from a Meraki to a UniFi network and were having issues with blocking my VPN from accessing the unwanted part of the network.
Another great video. Thanks for the information, much appreciated 👍🏻
Thanks for a very clear and well explained video. In the Internet In traffic rule section, did you actually need the DROP RDP rule? I only ask this as there is a BLOCK rule further down, "Block All Other Traffic", that appears to be doing the same thing.
Thanks! I have to check the order later, but from what I remember, those are the default rules Ubiquiti applies - meaning the port forward created a default "allow" rule for the whole world, and without the deny rule I created, that would be the next rule to apply, so everyone in the world would be able to access it before the other ports get blocked.
Yes, that's why. The "Allow Port Forward" rule is above the "Block All Other Traffic" rule, so the "DROP RDP" rule blocks all the traffic before it can get to that. If you were doing this for real (I just did this as a demo for the firewall), you'd limit the actual traffic down on the port forwarding rule (if it was only one IP like this example).
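The rule-order point in the reply above, as an added example that is not from the video or the thread: a small first-match model of an ordered "Internet In" rule list. The rule names come from the thread; the IP addresses, the RDP port 3389 and the simplified matching are assumptions made for the example.

```python
# Added example: first-match evaluation of an ordered rule list, modelled on the
# "Internet In" rules discussed in the thread. Addresses, ports and the exact
# match semantics are assumptions, not UniFi's real implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "drop"
    src: str = "0.0.0.0/0"      # source network; any by default
    dst: str = "0.0.0.0/0"      # destination network; any by default
    port: Optional[int] = None  # destination port; None means any port

def first_match(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Walk the list top to bottom and return (rule name, action) of the first hit."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.name, r.action
    return "implicit", "drop"  # assumption: unmatched Internet In traffic is dropped

# Constructed rules: the port forward's auto-generated allow, the catch-all block,
# and the explicit drop the reply says must sit above the allow.
PORT_FORWARD = Rule("Allow Port Forward", "allow", dst="192.168.1.50/32", port=3389)
BLOCK_ALL = Rule("Block All Other Traffic", "drop")
DROP_RDP = Rule("DROP RDP", "drop", dst="192.168.1.50/32", port=3389)

# Without the explicit drop, the allow rule matches before "Block All Other Traffic".
WITHOUT_DROP = [PORT_FORWARD, BLOCK_ALL]
# With the drop placed above the allow, RDP from anywhere is stopped first.
WITH_DROP = [DROP_RDP, PORT_FORWARD, BLOCK_ALL]
# What the reply suggests for a real deployment: narrow the allow to one source IP.
NARROWED = [Rule("Allow Port Forward", "allow", src="203.0.113.7/32",
                 dst="192.168.1.50/32", port=3389), BLOCK_ALL]
```

The ordering is the whole point: the same three rules in a different order change whether the forwarded port is reachable from the entire internet or from nobody.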
thanks for a really good video
Thank you very much!
@wundertech wouldn't it just be easier to call LAN Local traffic "WAN-facing traffic"? It's destined for the WAN? Or am I missing something? Not too familiar with UniFi.
Not exactly. It's traffic that originates from a LAN device, trying to get to something running on the UniFi firewall, like a DNS server, or VPN server, etc.
@WunderTechTutorials Ahh, gotcha.
I like to add a rule to drop all LAN-to-LAN communication and add specific allow rules above it.
It's missing IPv6 :(
Same principles apply, just different IPs!
IPv6 was future, is future and will be future ;-)
Why are you saying "UniFi doesn't block by default"? How about the rule "Block all other traffic"? Rule 20001 seems to be redundant to the rule with ID "Final rule for this type"...
With a default setup, all traffic is allowed and must be narrowed down (blocked).
@WunderTechTutorials Rule 6 from the top at 19:00 in the video: "Block All Other Traffic"... Drop | Internet In | from Any/Any | to Any/Any.
Or by "all traffic" do you mean "LAN only" traffic? Or am I missing something?
Sorry, I thought you meant on the LAN. For the Internet (Internet in), all traffic is blocked by default and allowed in through port forwarding.