50:28 if you use vlans for example iot, then just set also to 'block all' in tagged vlan. Because when someone clone the mac address of any device of default network it can be accessed by this port as you did not block other traffic -security risk
Wow, that was a good video packed with info, I have a question, how to allow clients in vlan staff-1 and staff-2 to access a NAS on vLAN Security-1 and vLAN Security-1 should not have access to the internet?
38:52 the Wifi Schedule is for times you want to PAUSE the WiFi, not enable it. Your example basically stops the guest wifi from working during business hours 7am to 6pm.
@@ApexOneTech i think that's how it worked with the classic interface (select the times you want it to be active) but for some reason they changed it for the new interface.
Hey Bogdan...this was a great set up and very helpful video. I have a customer that has Comcast/Xfinity as their ISP and paying for 2.5G download speeds. Customer has purchased a Dream Machine Pro SE and (2) Enterprise 24-POE Switches that support (12) 2.5G POE ports. I connected the their Xfinity Router 2.5G port to the Dream Machine 2.5G port and used 10G uplink cable between the two switches. I ran a speed test in the dashboard and I'm getting close to 2.5G speeds from the ISP. Customer purchased a total of (7) U7 Pro AP's and connected them to the individual POE+ 2.5G ports which also show 2.5G connectivity. I have a laptop with a 2.5G ethernet port and when connecting to the individual 1G or 2.5G ports of the switch, my speeds throttle down to about 300mpbs consistently. When I connect to the 1G ports on the Dream Machine I get closet to 1G. All the ports are set to auto negotiate and have tried different combinations and I get the same result. I would've expected to see around 2-2.5G on the 2.5G ports and close to 1G on the 1G ports but all of my speeds throttle down to around 300mpbs from a hard wired perspective. Yet on the Wi-Fi I get around 800mbps setting them to the 80mhz channel width on the 5G network. Thought I'd reach out to see if you'd ever heard of this strange occurrence. Thank you.
That is very strange. A good question to Reddit unless someone knows the answer here. I would verify if it's both switches, test also with another device (you can get a cheap 2.5G to usb-c cable and test on iphone or ipad for example).
15:31 timestamp, I updated the name from "default" to "Management." First, I navigated to Settings (gear icon) > System > Advanced > Interface and switched to "Legacy." In the Legacy UI, I went to "Networks," edited the default name to "Management," and saved the changes. Then, I returned to the new user interface by selecting User Interface > New User Interface.
Small tip: change the vlan ID of your default vlan. If you leave it at 1 by default it’s super easy to do VLAN hopping even when you disabled intervlan routing.
Oh and also, I wouldnt put the management IP’s from your intermediate devices (like switches/routers/AP/…) in your default network but put them in a dedicated management VLAN that has NOT the VLAN tag 1😅
Hi. It is a very useful instruction. But could you film an instruction further regarding VLAN - Security (surveillance cameras, sensors...) with setting the rules for the firewall, for this network to be secured?
What would it be different or recommend for creating Guest WiFi and IoT WiFi from the Network app or from the Identity Enterprise Portal? Thanks in advance, great video.
Can a specific laptop, for example, be on 2 VLANs? Maybe part of the same question, how does staff back up to or use the network storage if they are on a different VLANs?
You would setup traffic rules to first block inter-VLAN communication. Then, add except rules on top of that. For example, allowing staff network to access storage network.
what should I do if I want a vLan for example "The main network" to enter the "Security" Vlan but the "Security" vLan cannot enter "The main network" Vlan
great video.If i have the unifi network in VM and physycal switch 16port- can i change the default IP because i canf find the opcion you show on the video, also my router its OPNSENSE, Thanks.
Great work Bogdan. Thanks for the clear straight explanations about udm se. At network 8.4.62 is shown Internet Source IP / NAT with options to choose. Where this come from - how to erase change ?
What point in the video is about? If you're talking about internet settings, I would leave it on Auto unless you have a specific configuration or Static IP from your ISP.
For example at 15:23 at Networks setting. I see in my panel Networks(8.5.6) after IPv4 a line with Internal source IP / NAT with choices Primary (WAN1) . Follow Autoscale Network...
Very useful thank you ! It would be interesting to see how to deploy a hotspot with SSL, as I don't find any complete, up-to-date documentation on the matter (I tried with a Unifi Express)
Glad it helps! If you're using a cloud gateway with a UI account, then you can access it anywhere with your login at unifi.ui.com. If you need the local network in general, then very simple to use the built-in, pre-configured UniFi Teleport VPN.
Great Video... I never considered 10.1.*.* for the networks. Way easier to manage. Can you change them all after inittially setting them up and if so do you re configure all together in one go or do them one by one ?
Change your gateway IP address scheme. Your devices attached to the network will automatically get the new 10.1** range within 24 hours or you can also power cycle devices.
If you ever get the opportunity to do this for home, that would be so helpful! I’m slowly learning but I love the idea and modular capability of Ubiquiti’s UniFi stuff and I’m planning it for my house at the moment… I’m just unsure of certain things like can I have my internet line in directly from my ONT or does it have to come through the ISP’s wireless router?
Thanks, I'll need to think about it. The videos like this take forever to make lol and my home is constantly in lab mode. To answer your other question, you can have internet come in directly from the ONT depending on what the ISP has setup. I hate working with ISP wirless router. I did one with Quantum Fiber. Supposedly you can't set it up directly but you actually can. Need to search forums for the proper setup for your UniFi gateway depending on the ISP.
I removed my remark on the firewall usage as you mention the firewall at the end. It would be worth though doing a video on how to correctly configure the firewall since having separation based on VLANs only is not really a secure setup (and yes, I do understand it is a bit more complex, but just to avoid that lots of people say based on this video: that is all there is to do to have a safe office network 🙃)
@@ApexOneTech You are in for a ride. I upgraded to the zone based firewall already, and it bottom line comes to this: After upgrading, ALL of your VLANs are dropped into the zone "Internal". Connectivity is not broken, but I do suspect that there is a couple of gaps created as lots of FW rules are duplicated. It took me about 3 hours to review everything, mapping a zone to each VLAN and then gradually moving networks to their appropriate zone after having pre-created the firewall rules between the different zones. Took some time, but this way the amount of hickups was very, very limited (as you will know, the people in the home are the worst of the worst when it comes to being hammered for connectivity issues 🙂. Did have no complaints in the morning - as I wisely performed the migration during night time)
Friend, can you help me configure the Infinity EdgeRouter? I have not been able to solve a problem. I currently have a pool of 5 public IPs, of which I want a private IP to work only with a specific public IP and not use the other public IPs. When I ping the public IP externally, I get to the private IP, but from the private IP it tells me that it is using another public IP, which in this case is the one used by the EdgeRouter to connect to the Internet.
The very first thing I always do after creating my VLANs is to block traffic between VLANs: by default, Unifi Network allows traffic to pass between VLANs (except for Guest VLAN) which is imho very dangerous from a security perspective.
I’m not sure if you mentioned or if i missed it, you didn’t talk about inter-VLAN routing, is it enabled by default or do you have to enable it manually.
No. You use the VLAN name. For example, for switch ports you can set a default network by selecting the VLAN name or adding it as a tagged VLAN. The "VLAN number" is the VLAN ID that is universal between devices. For example, you can set a VoIP phone to have a specific VLAN ID so that it always goes to the proper VLAN once plugged in to your switch (assuming your switch port allows the VLAN ID traffic).
The Ubiquiti Dream Machine (UDM) does not have 2.5Gb PoE ports, which are necessary to fully support the latest high-performance Wi-Fi AP models, such as UniFi’s Wi-Fi 6, 6E and 7 access points. These APs require both higher power and bandwidth (2.5Gb speeds) to maximize their potential..
I'm using Apple's Freeform app. Unfortunately, it's only available on Apple devices as of now. If you know a better app, let me know. Everything else so far has been worse to use.
Always a tradeoff for every device. U6 Pro is "better" but it comes at a cost. You can always have the "best" setup with buying the most advanced gear. The trick is to pick the correct devices with some overhead so that it doesn't cost more than it should.
Freeform. I try to stay in one suite for work (Microsoft) but their Whiteboard app is difficult to use. Freeform works much nicer. Apple really needs a better way to share Freeform pages though.
@10:30 UBNT are pricks for removing manual adoption. Go to Legacy Interface and you can manually adopt devices. Your deployment here is easy, when you get to a site where you have hundreds of WAP's installed along with switching and need to do this bullsh!#, yeah, another reason UBNT gets pulled out of sites. @15:35 rename default in Legacy Interface. Turn off mDNS unless needed, UniFi known to struggle with lots mDNS traffic. DHCP Guarding also wise. @23:25 UniFi Protect cameras on to the UDM are forced to stay on the DEFAULT VLAN, can not seperate. This is one of the reasons the UDM's are for small offices only, not bigger setups. @27:30 Be careful, this feature (Guest Network) either forces Captive portal despite it being off and also blocks internet access, welcome to UniFi bugs and half-baked firmwares. @33:35 NO, default settings are NOT fine. Turn of band steering, it is extemely well known for connectivity issues. Multicast and Broadcast control highly advised on busy networks.
Takes for your input. Trying to keep it simple and not go into work arounds. I haven't yet ran into the issues you mention but I also haven't configured such large sites: maybe it's a matter of time for me lol or they've patched it in an update.
I like you more and more. I, and the rest of the civilized part of the world, watch with horror how a country which in many ways has been a pioneer country for progress and democracy may now elect a man who, if possible, with a calm hand, most of all wants to abolish democracy and in the United States, and rule the country as a dictator. His innermost desire is power for himself as a person, and how many innocents it ends up killing is totally irrelevant to him. I simply don't understand how anyone can vote for a guy like him. If this was all a joke, we'd all be laughing, but as it is, we're crying and hoping that sanity and Kamala Harris prevail to the joy and gift of everyone in America
I would if this was from scratch. But since it's just an upgrade, their modem is fine and even has a 2.5 port. They're not even anywhere close to capacity so not need to change that.
![Blox Fruits Dragon Rework Update [Full Stream]](http://i.ytimg.com/vi/EqDAp8udhm0/mqdefault.jpg)
Might want consider the UCG-Max instead that was released after I made this video: ruclips.net/video/e7VWdddMamw/видео.html
50:28 if you use vlans for example iot, then just set also to 'block all' in tagged vlan. Because when someone clone the mac address of any device of default network it can be accessed by this port as you did not block other traffic -security risk
Good call. That is a security risk a lot of people miss.
Wow, that was a good video packed with info, I have a question, how to allow clients in vlan staff-1 and staff-2 to access a NAS on vLAN Security-1 and vLAN Security-1 should not have access to the internet?
By far, the most comprehensive and easiest (All-in-one) setup guide I ever seen. Good job, liked and subbed! 👏
38:52 the Wifi Schedule is for times you want to PAUSE the WiFi, not enable it. Your example basically stops the guest wifi from working during business hours 7am to 6pm.
ah yeah, thanks for the correction! It would want it to work the way I showed it lol seems more intuitive.
@@ApexOneTech i think that's how it worked with the classic interface (select the times you want it to be active) but for some reason they changed it for the new interface.
Hey Bogdan...this was a great set up and very helpful video. I have a customer that has Comcast/Xfinity as their ISP and paying for 2.5G download speeds. Customer has purchased a Dream Machine Pro SE and (2) Enterprise 24-POE Switches that support (12) 2.5G POE ports. I connected the their Xfinity Router 2.5G port to the Dream Machine 2.5G port and used 10G uplink cable between the two switches. I ran a speed test in the dashboard and I'm getting close to 2.5G speeds from the ISP. Customer purchased a total of (7) U7 Pro AP's and connected them to the individual POE+ 2.5G ports which also show 2.5G connectivity. I have a laptop with a 2.5G ethernet port and when connecting to the individual 1G or 2.5G ports of the switch, my speeds throttle down to about 300mpbs consistently. When I connect to the 1G ports on the Dream Machine I get closet to 1G. All the ports are set to auto negotiate and have tried different combinations and I get the same result. I would've expected to see around 2-2.5G on the 2.5G ports and close to 1G on the 1G ports but all of my speeds throttle down to around 300mpbs from a hard wired perspective. Yet on the Wi-Fi I get around 800mbps setting them to the 80mhz channel width on the 5G network. Thought I'd reach out to see if you'd ever heard of this strange occurrence. Thank you.
That is very strange. A good question to Reddit unless someone knows the answer here. I would verify if it's both switches, test also with another device (you can get a cheap 2.5G to usb-c cable and test on iphone or ipad for example).
15:31 timestamp, I updated the name from "default" to "Management." First, I navigated to Settings (gear icon) > System > Advanced > Interface and switched to "Legacy." In the Legacy UI, I went to "Networks," edited the default name to "Management," and saved the changes. Then, I returned to the new user interface by selecting User Interface > New User Interface.
Totally right! you can do that... I just wanted to keep it simple and in the latest interface.
Small tip: change the vlan ID of your default vlan. If you leave it at 1 by default it’s super easy to do VLAN hopping even when you disabled intervlan routing.
Oh and also, I wouldnt put the management IP’s from your intermediate devices (like switches/routers/AP/…) in your default network but put them in a dedicated management VLAN that has NOT the VLAN tag 1😅
Thanks for the tip!
Great video. I like the long form. You do not waste time with a lot of chit chat either
Hi. It is a very useful instruction.
But could you film an instruction further regarding VLAN - Security (surveillance cameras, sensors...) with setting the rules for the firewall, for this network to be secured?
Yes, I need to do that. In the meantime, @ethernetBlueprint has good video ruclips.net/video/B_0dXLNCGp8/видео.html
What would it be different or recommend for creating Guest WiFi and IoT WiFi from the Network app or from the Identity Enterprise Portal? Thanks in advance, great video.
If you’re using Identity, create it there first. You’ll then see it in your WiFi list and further configure it. Like WiFi name and everything else.
Can a specific laptop, for example, be on 2 VLANs? Maybe part of the same question, how does staff back up to or use the network storage if they are on a different VLANs?
You would setup traffic rules to first block inter-VLAN communication. Then, add except rules on top of that. For example, allowing staff network to access storage network.
Thanks for this video.
I Learned a few new things 👍
Glad to hear it!
It looks like you created a profile for Voip but cant find where you showed it in the video
what should I do if I want a vLan for example "The main network" to enter the "Security" Vlan but the "Security" vLan cannot enter "The main network" Vlan
great video.If i have the unifi network in VM and physycal switch 16port- can i change the default IP because i canf find the opcion you show on the video, also my router its OPNSENSE, Thanks.
Great work Bogdan. Thanks for the clear straight explanations about udm se. At network 8.4.62 is shown Internet Source IP / NAT with options to choose. Where this come from - how to erase change ?
What point in the video is about? If you're talking about internet settings, I would leave it on Auto unless you have a specific configuration or Static IP from your ISP.
For example at 15:23 at Networks setting. I see in my panel Networks(8.5.6) after IPv4 a line with Internal source IP / NAT with choices Primary (WAN1) . Follow Autoscale Network...
@@tomaskisslinger8145 I need to see a screenshot. This interface keeps updating :) See a DM on social or email.
Very useful thank you ! It would be interesting to see how to deploy a hotspot with SSL, as I don't find any complete, up-to-date documentation on the matter (I tried with a Unifi Express)
Hi Bogdan, thanks for the content. Would you please make a video that shows how to remotely access Unifi controller from a different network.
Glad it helps! If you're using a cloud gateway with a UI account, then you can access it anywhere with your login at unifi.ui.com. If you need the local network in general, then very simple to use the built-in, pre-configured UniFi Teleport VPN.
Great Video... I never considered 10.1.*.* for the networks. Way easier to manage. Can you change them all after inittially setting them up and if so do you re configure all together in one go or do them one by one ?
Change your gateway IP address scheme. Your devices attached to the network will automatically get the new 10.1** range within 24 hours or you can also power cycle devices.
@@ApexOneTech I meant to say all my VLANS :)
@@22illingworth @ApexOneTech I wonder the same, will that work for already existing VLAN's too?
If you ever get the opportunity to do this for home, that would be so helpful!
I’m slowly learning but I love the idea and modular capability of Ubiquiti’s UniFi stuff and I’m planning it for my house at the moment… I’m just unsure of certain things like can I have my internet line in directly from my ONT or does it have to come through the ISP’s wireless router?
Thanks, I'll need to think about it. The videos like this take forever to make lol and my home is constantly in lab mode.
To answer your other question, you can have internet come in directly from the ONT depending on what the ISP has setup. I hate working with ISP wirless router. I did one with Quantum Fiber. Supposedly you can't set it up directly but you actually can. Need to search forums for the proper setup for your UniFi gateway depending on the ISP.
please use dark mode on your web browser. we just look to white board screen....
I removed my remark on the firewall usage as you mention the firewall at the end. It would be worth though doing a video on how to correctly configure the firewall since having separation based on VLANs only is not really a secure setup (and yes, I do understand it is a bit more complex, but just to avoid that lots of people say based on this video: that is all there is to do to have a safe office network 🙃)
Yes, will do an update that includes firewall traffic rules. There's a new firewall GUI coming soon that looks way different so I'll wait for that.
@@ApexOneTech You are in for a ride. I upgraded to the zone based firewall already, and it bottom line comes to this: After upgrading, ALL of your VLANs are dropped into the zone "Internal". Connectivity is not broken, but I do suspect that there is a couple of gaps created as lots of FW rules are duplicated.
It took me about 3 hours to review everything, mapping a zone to each VLAN and then gradually moving networks to their appropriate zone after having pre-created the firewall rules between the different zones. Took some time, but this way the amount of hickups was very, very limited (as you will know, the people in the home are the worst of the worst when it comes to being hammered for connectivity issues 🙂. Did have no complaints in the morning - as I wisely performed the migration during night time)
Friend, can you help me configure the Infinity EdgeRouter? I have not been able to solve a problem. I currently have a pool of 5 public IPs, of which I want a private IP to work only with a specific public IP and not use the other public IPs. When I ping the public IP externally, I get to the private IP, but from the private IP it tells me that it is using another public IP, which in this case is the one used by the EdgeRouter to connect to the Internet.
Awesome video. Would love to see a followup on the advanced firewall setup tips.
Noted!
Many thanks! You let me understand a lot of things that before was not so clear.
Glad it was helpful!
I'm very interested in what the VoIP profile was. Didn't see in the video. Great Video!!!
Thanks! Video was getting so long that I cut it out. I'm planning to release a separate video on it.
can you do a video where you use a windows server as the AD, DHCP, DNS and still use the UDMSE as your core network.
The very first thing I always do after creating my VLANs is to block traffic between VLANs: by default, Unifi Network allows traffic to pass between VLANs (except for Guest VLAN) which is imho very dangerous from a security perspective.
I’m not sure if you mentioned or if i missed it, you didn’t talk about inter-VLAN routing, is it enabled by default or do you have to enable it manually.
It is enabled by default. You would have to create traffic firewall rules to block inter VLAN communication. I didn’t go into that in this one.
Would you be able to share the network devices and IP schemas?
What software are you using for your rack and Network diagram?
Apple's Freeform app.
Hie, thanks for this informative video.
Keep it up
Do you have to input the VLANS number into the switch?
No. You use the VLAN name. For example, for switch ports you can set a default network by selecting the VLAN name or adding it as a tagged VLAN. The "VLAN number" is the VLAN ID that is universal between devices. For example, you can set a VoIP phone to have a specific VLAN ID so that it always goes to the proper VLAN once plugged in to your switch (assuming your switch port allows the VLAN ID traffic).
How do you ensure the sound effects match the visuals so well?
I don't know lol. My editor does a good job!
Which software are you using to make the network design?
Freeform app
Any reason you're not using Private Pre-Shared Keys seeing as though you're not using the 6GHz band?
Excellent video. Really helpful
Thank you!
Thanks very informative!
The Ubiquiti Dream Machine (UDM) does not have 2.5Gb PoE ports, which are necessary to fully support the latest high-performance Wi-Fi AP models, such as UniFi’s Wi-Fi 6, 6E and 7 access points. These APs require both higher power and bandwidth (2.5Gb speeds) to maximize their potential..
Right, for sure.
is it save to use 10.1.1.x as a vlan because a lot of vpns and other services are using these ranges right?
I haven’t ran into that issue. Other services and VPNs we would control anyways.
Hi Bogdan, thank you for sharing your knowledge. Thanks to you, my network is now working great.
Awesome! That's my goal!
What program did you use to sketch your architecture?
Apple's Freeform app.
Locked down to the Apple ecosystem for now :(
@@ApexOneTech Thanks for the reply
what network design tool are you using?
I'm using Apple's Freeform app. Unfortunately, it's only available on Apple devices as of now. If you know a better app, let me know. Everything else so far has been worse to use.
Awesome Video!
Is the AP u6-plus better than the u6-pro?
Always a tradeoff for every device. U6 Pro is "better" but it comes at a cost. You can always have the "best" setup with buying the most advanced gear. The trick is to pick the correct devices with some overhead so that it doesn't cost more than it should.
what ios program you use to make those diagrams?
Freeform. I try to stay in one suite for work (Microsoft) but their Whiteboard app is difficult to use. Freeform works much nicer. Apple really needs a better way to share Freeform pages though.
@@ApexOneTech Enjoyed your video! Thanks!
By blocking printers from the internet they will not receive any firmware updates
Correct. As it should be. I hate printers lol. Can always pause the rule once a year to check for an update.
Do people upgrade firmware - hahaha - have over 600 printers in our enterprise and we never upgrade firmware :-)
@10:30 UBNT are pricks for removing manual adoption. Go to Legacy Interface and you can manually adopt devices. Your deployment here is easy, when you get to a site where you have hundreds of WAP's installed along with switching and need to do this bullsh!#, yeah, another reason UBNT gets pulled out of sites.
@15:35 rename default in Legacy Interface. Turn off mDNS unless needed, UniFi known to struggle with lots mDNS traffic. DHCP Guarding also wise.
@23:25 UniFi Protect cameras on to the UDM are forced to stay on the DEFAULT VLAN, can not seperate. This is one of the reasons the UDM's are for small offices only, not bigger setups.
@27:30 Be careful, this feature (Guest Network) either forces Captive portal despite it being off and also blocks internet access, welcome to UniFi bugs and half-baked firmwares.
@33:35 NO, default settings are NOT fine. Turn of band steering, it is extemely well known for connectivity issues. Multicast and Broadcast control highly advised on busy networks.
Takes for your input. Trying to keep it simple and not go into work arounds. I haven't yet ran into the issues you mention but I also haven't configured such large sites: maybe it's a matter of time for me lol or they've patched it in an update.
I like you more and more. I, and the rest of the civilized part of the world, watch with horror how a country which in many ways has been a pioneer country for progress and democracy may now elect a man who, if possible, with a calm hand, most of all wants to abolish democracy and in the United States, and rule the country as a dictator. His innermost desire is power for himself as a person, and how many innocents it ends up killing is totally irrelevant to him. I simply don't understand how anyone can vote for a guy like him. If this was all a joke, we'd all be laughing, but as it is, we're crying and hoping that sanity and Kamala Harris prevail to the joy and gift of everyone in America
Was there a reason you didn't use the Ubiquiti Cable Modem?
I would if this was from scratch. But since it's just an upgrade, their modem is fine and even has a 2.5 port. They're not even anywhere close to capacity so not need to change that.