Unifi for Newbies - Securing with Firewall Rules

  • Published: 8 Sep 2024

Comments • 131

  • @jasonluong3862
    @jasonluong3862 1 day ago

    The fact that this video is over 1 hour long shows that firewalls are a beast.

  • @chopperdan6425
    @chopperdan6425 1 month ago +6

    Best video yet. PDF is a bonus that I was going to create. I like the way you've cleaned up the firewall rules from a previous video. Thanks for doing these.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      You are very welcome. I hope it helps you out.

    • @QruiseDoqtor
      @QruiseDoqtor 1 month ago

      @ethernetblueprint I need to contact you directly for some help and advice.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Tim@ethernetblueprint.com

  • @antant7522
    @antant7522 3 days ago

    Thank you. Awesome. Quite possibly the most helpful video on the entire internet.

  • @edwinarnold6580
    @edwinarnold6580 1 month ago +4

    Thank you for making this video Tim. You explained the firewall rules very well. Lots of other people's videos race through without thoroughly explaining them.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      It truly is my pleasure. Thanks for watching.

    • @QruiseDoqtor
      @QruiseDoqtor 1 month ago

      @ethernetblueprint How do I contact you directly, please?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      You can email me at tim@ethernetblueprint.com

  • @Im_trending_today
    @Im_trending_today 1 month ago +2

    Thank you for creating this video!! Simple, slow and well explained. I have finally implemented these firewall rules on my Unifi home network. Other content creators making Unifi videos, even though their content is great, also forget that some of us are newbies and need them to slow down, which you did a phenomenal job of doing. I had all this fancy hardware and for the last year I knew that it was only nice looking and not doing what it was designed to do. Now with these rules, I feel like my network is more secure and I thank you again for making that happen.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      Hey, that’s great. Congrats. Glad I could help. Thanks for watching.

  • @danightryder
    @danightryder 5 days ago

    Amazing video, I just got a Cloud Gateway Max and everything worked flawlessly. I can talk to my Philips Hue bridge and other IoT devices with no issues.

    • @ethernetblueprint
      @ethernetblueprint 4 days ago +1

      Boom (Mic Drop). Nice work! Thanks so much for watching.

  • @ImaITman
    @ImaITman 20 days ago +3

    Hi I work as a network engineer - Firewall rules should ALWAYS encompass every single possible eventuality. So if you're going super secure then you want to allow exactly what you want and then at the bottom if no traffic matches any other parameter you want a deny all rule. Something new comes online that you need to communicate and it's failing then you can add a rule for it. Basically you always want your last rule to be a catch all bucket of some kind.

    • @ethernetblueprint
      @ethernetblueprint 19 days ago

      I appreciate the insight. Thanks for watching!

    • @kevinoconnor6570
      @kevinoconnor6570 18 days ago +1

      That is already in place with the use of rule #4 "Drop All Private IP Networks" that he has to prevent Inter-VLAN routing. To enforce this, you'd have to remove rule #1 "Allow Established and Related Traffic" and move these actions into each rule that was created for the granular level of access. At least that's how I see it but I may have overlooked something. I'm not a Unifi magician.

    • @ImaITman
      @ImaITman 18 days ago +1

      @kevinoconnor6570 I was actually speaking more to what's good practice and why you have a catch-all. However, after reading your comment I went and actually reviewed the rules. I'm ignoring rule 1 because I don't know what Unifi calls related traffic; that's not an industry term. Rule 4 should be drop any any, instead of private addresses. Layer 3 switches can't distinguish between what is a public or private IP address, so unless Unifi builds tables into their switches that have the classifications, then I could maliciously get onto the network using a static "public" IP and communicate within the network.
      This is more of a deeper discussion with firewall rules, so I'm not sure if it's worth discussing the topic. I do love networking though, so I enjoy the communication, and I'm always seeking to be proven wrong as that means I get to learn something new!

  • @wscottfunk
    @wscottfunk 1 month ago +1

    Tim, these tutorials are awesome! Thank you for your time and effort in creating them! You're an excellent teacher and I appreciate you helping me get my network setup. Still learning and appreciate having your videos as a resource for setup and reference. 👍

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Thanks Scott. Happy to help in any way I can. All the best!!

  • @sidetrack3d901
    @sidetrack3d901 1 month ago

    I have to say a massive thank you! Not only for this video but for the previous ones too. You have not only helped me sort my Unifi setup into something much better than it was, but also helped me understand the basics of networking in general. Clear and useful information which makes me much more confident in managing my network. Also the PDF is a great resource. I can't thank you enough.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      You are quite welcome. I'm glad you found it helpful! All the best with your setup!

  • @DigitalPainting
    @DigitalPainting 1 month ago

    I just bought the UDM SE and was trying to set it up. This is the best video I've seen so far. You explained the firewall rules exceptionally well and they were easy to understand. Thank you for making this video!

  • @scottglinski
    @scottglinski 10 days ago

    Thanks, this was an incredibly useful video. I struggled following along with other walkthroughs because they were outdated for the current Unifi UI. This video and the companion PDF were incredibly helpful for setting the rules I needed, which were slightly different from yours.

    • @ethernetblueprint
      @ethernetblueprint 9 days ago

      I’m so glad to hear that. Thank you so much for watching.

  • @mar1video
    @mar1video 1 month ago +2

    Great tutorial! Thank you so much for posting it!

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      You are quite welcome. The series has been a lot of work, but I am happy to share it!

  • @dirkh5088
    @dirkh5088 1 month ago

    Very well made... I like the way you point out all the small things which are obvious to those who have been using this GUI for a long time.
    One thing on the naming convention for firewall rules: there are several auto-generated rules, which appear and disappear depending on some checkboxes, i.e. Guest Network, Isolate Network, Port Forwarding and so on.
    For a better overview I chose names in this way: all rules from myself have only lowercase characters, all auto-generated ones start with a capital letter, so it is very clear which ones I made and which ones are system generated.
    All Profile IP groups are named , i.e. "ipg block vLAN gateways block 24 28 29". All Port groups are named , i.e. , and all Port Forwardings are named , i.e. "pf wan to 443 for HomeConfig"

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      That is so smart... I'm glad you took this info and changed it to fit you. That is what it is all about. Thanks so much for watching.

  • @kamarleyj
    @kamarleyj 22 days ago

    There's nothing more annoying than when different brands use different terminologies for the same thing. I usually work with FortiGates, so it took me a minute to wrap my brain around UniFi's way of doing things. Thank you for saving me a lot of time and headache; I've finally got everything secured correctly.

    • @ethernetblueprint
      @ethernetblueprint 22 days ago

      I hear you. I came from the Cisco world myself. Glad you’re good to go now.

  • @davidweiner3365
    @davidweiner3365 1 month ago

    Tim.... thanks very much for that video on firewall rules, very helpful. It was fantastic. I greatly appreciate you building on the previous version of this and providing the lists of profiles and rules in nice consolidated lists.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      I am so happy to do it as long as you all find it helpful. Thanks so much for watching!

  • @1205matthew
    @1205matthew 1 month ago

    This is the best tutorial I've seen on here that is relevant to exactly what I needed.

  • @Frulvolaya
    @Frulvolaya 7 days ago

    Fantastic videos. Keep it up!

  • @ozmosyd
    @ozmosyd 1 month ago

    Having in the last week moved into the Unifi eco system this was exactly what I was looking for. See how things are done then configure away ...
    -SUB'd

  • @32Senna46
    @32Senna46 25 days ago

    Thank you Tim this was really helpful.

  • @CBHTech
    @CBHTech 1 month ago

    Many thanks, Tim, for taking the time to explain this so clearly. It is the most confusing aspect for a newbie like me. Can you also explain when you would use rules under the categories not covered in this video - the Internet rules and the LAN Out rules. What are they used for?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Well, LAN Out rules can be used for VLANs too but would be set up differently than these to achieve the results you're looking for. WAN rules are for allowing or blocking access from the internet. Then there are the IPv6 rules (the ones we were setting are IPv4), which are a different type of IP addressing. That may require its own video to explain.

  • @phillipwithers7520
    @phillipwithers7520 20 days ago

    Had to disable Remote Direct Connection in order to enable the port 443 inclusion to the gateway ports for the camera. Makes sense since they use the same 443 port so I had to choose.

    • @ethernetblueprint
      @ethernetblueprint 19 days ago

      I have heard that from other users too... mine was disabled by default but apparently that isn't always the case. Glad you figured it out!

  • @zero604
    @zero604 1 month ago

    I was watching your other VLAN video "NEW to UNIFI VLANs?? START HERE!!!" where you created a port group that included all gateway IPs except for IOT. I was thinking to myself, couldn't I create a port group that includes ALL gateways and just add an Allow rule for IOT to access its own gateway? This way we don't have to create separate port groups whenever we add more VLANs. This video answered my question :D

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      I got that question a lot in the comments of that video so I had to find out for myself. Glad I was able to answer it for you as well.

  • @paulstemmler9879
    @paulstemmler9879 1 month ago

    Your videos are absolutely awesome

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      Thanks so much. I appreciate that. Thanks for taking the time to watch them.

  • @jsnleary
    @jsnleary 1 month ago

    Excellent instructional video

  • @underseavision6771
    @underseavision6771 29 days ago

    This is an excellent video. Thank you

    • @ethernetblueprint
      @ethernetblueprint 28 days ago

      Thanks. I am glad you found it helpful!

    • @underseavision6771
      @underseavision6771 28 days ago

      @ethernetblueprint Would you know if this also works across a site-to-site VPN? Limit remote subnet access to local default and controller.

    • @ethernetblueprint
      @ethernetblueprint 25 days ago

      Yes, it would. As long as you had the firewall rules set for the local subnets used in the VPN....

  • @chrisjchalifoux
    @chrisjchalifoux 1 month ago

    Thank you for the video it is helping me out a lot

  • @AlexNapfer-oc8gv
    @AlexNapfer-oc8gv 10 days ago

    Thanks a lot for the video & PDF :) Interesting fact: I have a pi-hole for DNS in my Default network. After applying rules 1-4 and 6 I cannot ping or use the pi-hole web interface or the gateways from the IOT network, as expected, BUT nslookup still works and the answer is coming from my pi-hole. I made a Wireshark trace and the answer is indeed coming from my pi-hole. I assume this works without rule 5 (allow DNS port 53) because I distribute the pi-hole IP as DNS server by DHCP with the UDM as the only DNS entry and the UDM manages this internally.

    • @ethernetblueprint
      @ethernetblueprint 8 days ago

      Maybe try editing the LAN-IN rule for the IOT Network to the PI hole device to an any any rule and not just limit it to port 53. I haven't used pihole before and don't know if it uses other ports outside of 53.
      You could pause the rules one at a time to see if any of them fix the issue.. then you know where you need to look. I'm sorry I don't know more about the pihole... never used one.

  • @paultech9385
    @paultech9385 1 month ago +1

    Unifi encourages using traffic rules. You may want to do a followup video on those.

  • @JohnDae-f4h
    @JohnDae-f4h 1 month ago

    Hi Tim, just came across the 8 part series UNIFI FOR NEWBIES, great set of videos. I do have a couple of questions. 1. On the Firewall Guide, IP Group #1 Private IP Addresses, please explain what the three (3) addresses are. 2. If you had a SimpliSafe or Ring alarm system with wireless cameras, would you suggest putting them in their own VLAN with rules to stop all traffic to and from other VLANs, and still be able to talk to and from the home (default) VLAN? Thanks and once again... Great Series

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Can you send me an email? Might be hard to answer all this in the comments… tim@ethernetblueprint.com

    • @kamarleyj
      @kamarleyj 22 days ago

      1. These IP ranges ensure that the firewall rules apply to all devices within those subnets. These IPs are only used in private networks, meaning any device connected to a router in a local area network will use addresses like 192.168.x.x, 172.16.x.x, or 10.x.x.x. An example of a non-private IP would be something like 8.8.8.8, which is a public IP used on the internet.
      2. It can be good practice to separate your SimpliSafe/Ring. A slightly different example, but one that shares the same concept of security, is separating an access point across different VLANs to help protect it. You might have it give off separate networks for guests, home, CCTV, etc., while dedicating one VLAN purely for remoting into the access point to manage it. This keeps the management interface secure and prevents tampering. Plus, if one system is compromised, the others remain unaffected. While some might see this as overkill, it's a solid approach to network security.

  • @haraldschmitt6769
    @haraldschmitt6769 1 month ago

    very, very good, thank you

  • @arthurhernandez
    @arthurhernandez 1 month ago

    this is fantastic

  • @tommychambers9220
    @tommychambers9220 17 days ago

    Great videos! Thank you for putting these together! I have a Synology NAS on my network. It hosts a Plex server along with file shares right now. My question for you and the group is, what is the best practice for which VLAN to put it on?

    • @ethernetblueprint
      @ethernetblueprint 16 days ago +1

      I run my Synology NAS with Plex on my IOT network where my TVs are networked... I still have access to it from the main network, but I have it IP'd on the IOT VLAN... Works great. Part of my reasoning for that though was because I had Plex running in a Docker container and kind of had to do it this way. If you use VMware for your Plex server, I think you have some more options...

    • @tommychambers9220
      @tommychambers9220 13 days ago

      @ethernetblueprint Thank you!!!!

  • @cdeh2001
    @cdeh2001 25 days ago

    Tim, this was a great video. Thanks for making it. I did have one question. Can you give an example of the LAN IN rule for the NOTE part of rule #5 for using another DNS server?

    • @ethernetblueprint
      @ethernetblueprint 22 days ago

      Let me see if I can do this in a comment... If you still have questions you can send me an email to tim@ethernetblueprint.com and I can give a little more info.
      You will need to create an IP Port Group for the DNS Server. It should just include the IP address of the DNS Server.
      Type - Name - Action - Src Type - Address - Port - Dst Type - Address - Port - Match State
      LAN IN - "Allow IOT to DNS Server" - Allow - IOT VLAN - Any - Port Grp - New DNS Server - No Action Required

  • @danbiondijr
    @danbiondijr 1 month ago +1

    Hi Tim, as I have been learning how to secure my network with an IOT and guest network, I have found a vulnerability that I have not been able to resolve. In our house, we all have Apple iPhones. When my kids' friends come over and try to access our main network, Apple allows my kids to share the main network password with their guests. Are you familiar with this and if so, do you by chance have a method to secure this? I was thinking of hiding the main network as a possible solution. What are your thoughts?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      You are correct... since that is done on the phone, there is no way to block it on the network... that I have found.
      Option 1: You could create a kids VLAN that is kind of locked down and put your kids devices on that... then when they share, they are sharing the kids network.
      Option 2: Install a Firewalla Device on the main network. It won't block the issue from happening, but it will allow you quite a bit more control of the devices on that main network. I will be doing a video on this very soon. That is how I manage my kids devices on my main network.

  • @caseyseaborne
    @caseyseaborne 8 days ago

    Great video! How does ids/ips play into all this? Is that something we should turn on in addition to firewall rules? Does it affect online gaming experience? (NAT open/closed)

    • @ethernetblueprint
      @ethernetblueprint 7 days ago +1

      Yes... IDS/IPS are additional security features that you can turn on for extra protection against things like DoS attacks or random overseas IP addresses trying to gain access to your network.. I do recommend having these turned on in addition to FW rules, which are for your internal VLANs. These services do add overhead to your router and "can" reduce internet speeds. This depends on your equipment's capabilities. In general, your gaming should still work fine though. Or at least that has been my case. I have mine turned on and set to strict and gaming still works fine...

  • @jeken28
    @jeken28 1 month ago

    Thanks!

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Wow. Thanks a lot. That is super kind of you. Appreciate you watching.

  • @svendobbels
    @svendobbels 12 days ago

    Hi, thanks for this video. However, I just applied rules 1 to 4 and I am still able to ping devices on other VLANs. I already rebooted the UDM SE. The only difference I have is that my default IP range is within 10.0.0.0/24; other ranges are 10.0.50.0/24, 10.0.100.0/24 and 10.0.200.0/24. Only when I move the fourth rule to the top or the first rule to the bottom can I no longer ping the other devices.

    • @ethernetblueprint
      @ethernetblueprint 8 days ago

      Email me at tim@ethernetblueprint.com and I can see if I can figure out what is going on... That shouldn't be the case...

  • @jeremy_317
    @jeremy_317 1 month ago

    Great video! Just jumped right into the Unifi system from the "cookie cutter ISP setups". I noticed that "Rule #2: Drop Invalid Traffic - This rule blocks all packets on the LAN that are not valid" -
    I noticed on my own network this has triggered/has a lot of hits in the Insights tab ("inspection" section) in the Unifi console... happening in the middle of the night for a lot of Apple/other reputable devices (very high number on the ports indicating private usage?)... Are these general updates for the devices, or a little bit of "everything" including suspicious activity? Looks like I'm on to learning Wireshark to dive into these data packets.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +2

      There can be quite a bit of invalid traffic on a network... and this can encompass quite a bit. Many times, this is a network session not properly closing with the correct tags in it...

  • @williamfinlay4403
    @williamfinlay4403 1 month ago

    Very useful video, thanks. You used firewall rules to isolate a network but could you explain how the "Isolate Network" setting is used? For example could you isolate a network and then use firewall rules to allow certain traffic through? Does the "Isolate Network" check box just automatically do what you set up manually?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      You bet. I talk about the isolate network in the Guest WiFi Video 5 (but just briefly). If you check that box, it will block access to each of the other VLANs... However, it will not block access to the router like we do in rules 5-8 (LAN Local Rules). So, if that was important to you, you would need to add those rules in addition to checking the box. Hope that helps and thanks for watching!

  • @blackjedi23
    @blackjedi23 1 month ago

    awesome

  • @JasonTechSF
    @JasonTechSF 1 month ago +1

    Ah firewall, the Dark Side of the Force.

  • @CrazyAngelfire
    @CrazyAngelfire 10 days ago

    Thank you Tim, I was struggling with something. I can ping from my computer on the "IOT" network to my phone on the "Main" network, but somehow, I have no idea why, I can't access any gateway from my phone on the IOT network, yet I can get to the main gateway from the computer on IOT. I know it's a mouthful. Should I just remove all rules and start again?

    • @ethernetblueprint
      @ethernetblueprint 9 days ago

      Email me at tim@ethernetblueprint.com and I’ll see if I can help you out.

  • @1Sbnelson
    @1Sbnelson 2 days ago

    Hi again Tim, question for you on my specific set up. I have a Work Network (VLAN 2 - 10.168.2.1/24). This VLAN should of course have internet access and should not be able to see any other VLANs. But what I also don't want is traffic from the Default Network being able to send to the Work Network.
    I assume that I could replicate Rule 5 (IOT) for the Work Network, but to prevent any device on my Default VLAN from seeing the devices on the Work Network, my guess would be to change Rule 1: instead of "Any" in the 2 Address fields, add all my VLAN IPs except my Work Network IP? Does this sound correct?
    Thanks again

    • @ethernetblueprint
      @ethernetblueprint 1 day ago +1

      Hi there. You could simply add an additional LAN IN rule above the “allow default to all private IPs” that says “Deny default to work network” which will stop that traffic but still allow default to talk to everything else. You would need to create a new IP group for your work VLAN. Hopefully that makes sense.

    • @1Sbnelson
      @1Sbnelson 1 day ago

      @ethernetblueprint That does make sense! Thanks so very much
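An added example (not from the video, its PDF or any commenter) that models the LAN IN rules named in this thread as a first-match list, so you can see why the allow-established rule lets replies back while a new IoT-to-default ping hits Drop All Private IP Networks, why the "Deny default to work network" rule has to sit above "allow default to all private IPs" as in the reply just above, and what a final catch-all drop would change for unmatched traffic. The VLAN subnets, the DNS server address, the rule order and the match fields are assumptions made for the model.

```python
# Added example: a first-match model of UniFi-style LAN IN rules, built from
# the rule names quoted in this comment thread. Subnets, rule order and the
# fields each rule matches on are assumptions, not the video's exact config.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The three RFC 1918 ranges that make up the "Private IP Addresses" IP group.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed VLAN subnets for the model; the work VLAN follows the question.
DEFAULT_VLAN = ipaddress.ip_network("192.168.1.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")
WORK_VLAN = ipaddress.ip_network("10.168.2.0/24")
DNS_SERVER = "192.168.1.53"  # constructed address of an internal DNS server


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the three RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def _in(net: ipaddress.IPv4Network, ip: str) -> bool:
    return ipaddress.ip_address(ip) in net


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp
    state: str            # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "drop"
    match: Callable[[Packet], bool]


# Order matters: the first rule whose match() is true decides the packet.
LAN_IN_RULES: List[Rule] = [
    Rule("Allow Established and Related", "allow",
         lambda p: p.state in ("established", "related")),
    Rule("Drop Invalid Traffic", "drop", lambda p: p.state == "invalid"),
    Rule("Allow IOT to DNS Server", "allow",
         lambda p: _in(IOT_VLAN, p.src) and p.dst == DNS_SERVER
         and p.proto in ("udp", "tcp") and p.dport == 53),
    Rule("Allow Default to All Private IPs", "allow",
         lambda p: _in(DEFAULT_VLAN, p.src) and is_private(p.dst)),
    Rule("Drop All Private IP Networks", "drop",
         lambda p: is_private(p.dst)),
]


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule.

    `default` is the implicit policy when nothing matches. Modelled as
    "allow" here, which is why IoT still reaches the internet with only
    these rules; pass "drop" to see the effect of a final catch-all deny.
    """
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return default, "implicit default"


def with_deny_default_to_work(rules: List[Rule]) -> List[Rule]:
    """Insert 'Deny Default to Work Network' directly above the
    allow-default rule so it is evaluated first (placing it below would
    never match, because the allow rule already accepted the packet)."""
    deny = Rule("Deny Default to Work Network", "drop",
                lambda p: _in(DEFAULT_VLAN, p.src) and _in(WORK_VLAN, p.dst))
    idx = next(i for i, r in enumerate(rules)
               if r.name == "Allow Default to All Private IPs")
    return rules[:idx] + [deny] + rules[idx:]


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = {
        "new ping IoT -> Default": Packet("192.168.20.5", "192.168.1.10", "icmp", None, "new"),
        "reply Default -> IoT": Packet("192.168.1.10", "192.168.20.5", "icmp", None, "established"),
        "IoT -> DNS udp/53": Packet("192.168.20.5", DNS_SERVER, "udp", 53, "new"),
        "Default -> Work smb": Packet("192.168.1.10", "10.168.2.7", "tcp", 445, "new"),
        "IoT -> internet": Packet("192.168.20.5", "8.8.8.8", "udp", 53, "new"),
    }
    for label, pkt in samples.items():
        print(f"{label:24} base: {evaluate(LAN_IN_RULES, pkt)}  "
              f"with deny: {evaluate(with_deny_default_to_work(LAN_IN_RULES), pkt)}")
```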

  • @hpsfresh
    @hpsfresh 7 days ago

    Why not use lan out? Isn’t it better to stop packet before it outs the interface?

    • @ethernetblueprint
      @ethernetblueprint 7 days ago

      I'm sure there may be an argument for LAN In vs LAN Out, but, to me, the LAN In rules are easier to understand and teach to beginners...

  • @aetherguy881
    @aetherguy881 1 month ago

    I'm still very new to this and following this video right now, how exactly did you populate or decide to populate your IP groups? That's one thing that I didn't quite pick up in the video so far and I won't be able to create a rule without an IP included in the group.

    • @ethernetblueprint
      @ethernetblueprint 28 days ago

      The IP Group simply includes the IP addresses of the devices that you want to control. For example, if you wanted to create a rule for your cameras, you would create an IP group that has the IP Addresses of each of your cameras... and then create a rule for that group.

  • @KIHUNKIM-d9x
    @KIHUNKIM-d9x 1 month ago

    Thanks for the nice video Tim, I've got a question about 19:01.
    So even though your local machine and camera VLANs are different, you could ping from the machine to the camera because of trunking?
    I tried it myself:
    Port 33: Local machine (192.168.1.x) Default VLAN, Allow all
    Port 35: AP (192.168.20.x) Staff VLAN, Allow all
    and I was able to ping from PC to AP (I was thinking it's because both ports are trunk ports).
    Then, I changed the AP port to block all tagged VLANs and ping didn't work from local machine > AP (I was thinking because now the AP port is an access port since it blocks all VLANs).
    Is that correct? So, to ping each other, should both ports always trunk each other's VLANs?
    * I couldn't ping from local PC to AP (block all status) once I rebooted the AP; I was able to ping right after changing Tagged VLAN on the AP without rebooting.
    **** Soon after I was able to ping from PC to AP again.. how could I ping the AP despite the AP blocking all tagged VLANs?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Is there a reason that the AP is on the Staff VLAN? If it were me, I would put the AP on the default VLAN so it gets an IP 192.168.1.x like your PC. The port on the PC can be set to block all (access port) and the AP should be set as Allow All (Trunk) If you have WiFi networks on that are on different VLANs, (ie. guest WiFi, Staff WiFi, Default WiFi...) then you will need the AP to be in trunk mode so it can communicate all the VLANs to your connected devices. But the AP's local IP address (called the Native VLAN) would be best served on the default VLAN.

  • @Man_Yu
    @Man_Yu 1 month ago

    Thank you for your effort, the great video and the clear instructions and presentations! Three questions came to my mind:
    1.) If I select "Block All" for the VLAN tagging on the several ports in the port manager..... isn't it redundant to the firewall rules?
    2.) What is the better choice (also for Client Vlans)? To block every other vlan gateway except own gateway (only for http(s) and SSH traffic, so DNS and Ping etc will still work) or block every GW including own GW but allow DNS only?
    3.) After isolating VLAN and setting specific allow rules (e.g. Synology to client PC) I can reach the devices by IP, but not by hostname anymore. The hostnames have been filled out with their IP in the Unifi DNS Tab under Routing. Each VLAN has its own Gateway set as DNS Server. Do you have a clue what I am missing?
    Stay healthy and best regards

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      Thanks for the reply.
      1) The FW rules and the switch port tagging work together to allow or block access. By setting the "block all" setting at the port level, you ensure that the device connected can only communicate on that network. Trunk ports really only come into play with VMWare like servers, switch to switch communication, AP communication... any device that hands out and communicates on multiple VLANs while plugged into a single port. Most of your devices (PCs, IOT Devices, Printers) should be set to Block all and just communicate on the single network. Your Synology may be an exception to this if you have it communicating on different VLANs at the same time. Then leaving it on the allow all port would be best.
      2) It is really up to the user. Pros and Cons to both. If you block everything and choose to just allow the ports that need open, if you add a technology into the home (plex server for example), you would have to go open those ports for it to work. If you allow most ports to be open, but just block access to the local device on ssh, https and http, then it can make it easier to add other technologies down the road (IMO)
      3) DNS can be tricky. I have my Synology on my IOT VLAN and sometimes my PC will get to my files by DNS name and other times not. I don't think it is a FW rule that is stopping it. I think it is the fact that Unifi DNS isn't the best. You may be better served to use an outside DNS to avoid some of the finicky issues like this... It's kind of trial and error. Sorry I can't give you a better answer.
      Hope this helps!

    • @Man_Yu
      @Man_Yu 1 month ago

      @ethernetblueprint Dear Tim, thank you again for your kind, fast and professional answer. As you mentioned, the Unifi DNS in its current state is not reliable for different VLANs, at least from what I have tested the previous days. I switched to a Raspberry Pi with pi-hole + unbound installed and, together with your best practice tips regarding the firewall rules and the comments, I managed to get it all working, with only the minimum machines and ports allowed for the ad blocking and the name resolution. The gateways are not accessible inside the 6 VLANs, the 6 VLANs are separated and the pi-hole interface recognizes every client + I can configure proper A records. Thank you so much again for these great videos. Wishing you all the best and best regards from Austria.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +1

      Thanks for sharing this. I know you are not alone in this as many out there do like to manage their DNS. Nice job on getting things going!

  • @erinhickey4214
    @erinhickey4214 1 month ago

    Great stuff! Is rule 5 (IOT DNS) necessary if I've already set manual DNS servers for my IOT network?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago +2

      It depends on where the DNS server is located. If it is sitting in your network on another VLAN, then yes, you would need to make sure you have a LAN IN rule for DNS to that DNS server... If it is a public DNS on the web, no, it would not be needed...

  • @SnowBob302
    @SnowBob302 1 month ago

    Ah this was great! I had the issue of HomeKit not working when I separated IoT and realized it was because my management VLAN and primary device VLAN were different. After I added the rule to allow my primary VLAN to reach the IoT then everything started working. What are your thoughts about having a separate management VLAN?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      I like a mgmt VLAN. I use one in my home but that is difficult to explain to super newbies and didn’t want to complicate things. I give my mgmt VLAN the same access as my Default network for the most part.

    • @SnowBob302
      @SnowBob302 1 month ago

      @ethernetblueprint That's what I ended up doing. Thanks very much for this guide; it helped me understand the actual theory.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      You are welcome! Thanks for watching. I am glad it helped.

  • @RMD80GAMER
    @RMD80GAMER 6 days ago

    I have just got a new smart cat flap with a hub and it cannot connect to the internet. If I connect it to my Unifi Express directly it works, but as soon as I plug it into the 48 port switch it will not connect. Does anyone know why this is happening?

    • @ethernetblueprint
      @ethernetblueprint 5 days ago

      Smart cat flap? Is the switch configured? Can other devices in the switch reach the internet? I would need more info on what works and what doesn’t.

  • @MrHeksas
    @MrHeksas 8 days ago

    When I do drop invalid traffic LAN, I can no longer reach Unifi web pages.

    • @ethernetblueprint
      @ethernetblueprint 7 days ago

      Hmmm... Are you doing a LAN In Rule or a LAN Local rule??? Are you talking about the cloud URL or the local one?

  • @dirkh5088
    @dirkh5088 1 month ago

    For a test lab setup I had connected the WAN from a Cloud Gateway Ultra to my local LAN. For easy config from my work PC I had configured a simple port forwarding under the PF section (wan1 - port 443 ---> IP of CGU port 443). This had not worked; I needed to set up a 2nd rule with "wan local 443 ---> IP of CGU port 443". It only worked with both rules active.
    Is this the right way or did I do something wrong?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      What exactly are you trying to do and how do you want it to work... I'm not sure I am following.

  • @Gustf556
    @Gustf556 1 month ago

    When I create and activate the "Drop IOT to all gateways" rule my U6 Pro loses its connection to the controller; however the WiFi still works, it just shows as offline (lost power, press to resolve etc). When I pause the rule it becomes online again. I am on the UCG Ultra, same interface as your UDM Pro. I have triple checked the rule, identical to the tutorial.
    All functions regarding the rules are working perfectly btw, it's just that this rule makes my Unifi AP show as offline and thereby not configurable if I wanted to do something with it etc. Any ideas? 😅

  • @Wuudn
    @Wuudn 1 month ago

    Hey, how can I do the LAN Local rules for my Proxmox homelab? If I handle it like the IoT LAN Local rules, I won't be able to update my servers.

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      I’m not familiar with that kind of server or how it needs to communicate with the network. I may need a bit more information. I’d be happy to try and help. If you want to email me at tim@ethernetblueprint.com we can talk through it a little more.

  • @MartinRauschmair
    @MartinRauschmair 1 month ago

    1:05:52 "pi" not pie ;-) I was too fast, you fixed it

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      hahaha... that was recording fatigue I think... I thought someone would nail me on that!... Thanks for watching!

  • @hpsfresh
    @hpsfresh 7 days ago

    OK :)))))))))

  • @QruiseDoqtor
    @QruiseDoqtor 1 month ago

    How do I contact you directly, please?

    • @ethernetblueprint
      @ethernetblueprint 1 month ago

      Email me at tim@ethernetblueprint.com. I usually respond pretty quickly.

  • @YT-xf1cy
    @YT-xf1cy 1 month ago

    Ctrl+C Ctrl+V Tim, save yourself from all the typing.