Hi Tim. Excellent video. I also use UDM and I am setting up a similar configuration to isolate IoT devices but I am not sure about the best way to deal with Proxmox. Do you have the VE in a specific VLAN? What about the different VMs? I am running HomeAssistant as a VM and by default it installs in the same VLAN as the VE. How can I get the VM installed in the IoT VLAN? More in general, how can I get to select a specific VLAN in which a given VM will be installed? Hope you can give me some guidance. Cheers
It's odd that Unifi has inter-VLAN routing enabled by default considering that virtual network segmentation is pretty much the primary reason most people set up VLANs in the first place. I can confirm that both Cisco and HP MLS switches have lanbase routing disabled. On the subject of port assignment, it seems that Unifi takes a space somewhere in the middle of Cisco and HP. By default, Cisco lets any VLAN travel on a Trunk (tagged) port unless specified otherwise, while HP requires you to tag the port for any and all expected VLANS other than Native.
I currently have 4 VLANs, LAN, IoT, DMZ and Guest. I have also been considering moving my servers to their own VLAN because they don't normally initiate communications to my LAN devices.
I have six VLANs: server /25, management /27, Home /24, IoT /26, Guest /23, and Native /24. Under normal circumstances, all communication between VLANs is prohibited unless I allow certain activities, such as management allowed to all, guest denied to all RFC1918 networks, home to some server network, and server denied to some IoT net; all this with pfSense makes it straightforward to set up.
Really nice video, very informative. I use pfSense but the concepts are the same. An untagged port passes all the "tagged" traffic that you allow. So you can set the port to allow IoT and IOT Better through but block the other VLAN tags. The other aspect of a "tagged" port is that the device behind that port doesn't know about VLANs and the switch automatically tags traffic from the port with the VLAN id.
@Techno Tim another way is just to DHCP over the VLAN. I use OPNsense DHCP over VLAN and this will allow the firewall to stop traffic from talking to each other, much easier than the way you're doing it here, though it does work of course. PS love the channel =3
One issue after doing this. Thoughts? First - Great video! I've been wanting to segregate my IoT network for a long time now, but haven't. I randomly searched and found this yesterday, and it was so well done I decided to learn this morning. Followed step by step, and got it done a few minutes ago. Thank you! I can see the IoT devices (such as Chromecasts) when I pull up the menu to cast from YouTube, but if I try to cast to any of them, it just hangs and won't connect. If I move my phone to the IoT network, it works flawlessly. Any idea why this might be? For reference, my network is super simple. Basically it's all auto-configured and using the default settings. The only major change is following this process to put the IoT devices on their own VLAN (101) by restricting the WiFi they use (Pariahs) to the IoT network.
Thanks for the video, very informative. I was still left with one question that bugged me. How can you use remote access tool from MAIN to IOT vlan? This communication is bidirectional, packets need to go from IOT vlan to MAIN to show the screen. Then I've learned about stateful firewall concept. When IOT sends back packets, they are allowed, because the communication was initiated from MAIN vlan. It was a crucial thing that I was missing. Leaving comment, maybe someone has knowledge gaps like me.
Great tutorial in general. But unfortunately I cannot find in UniFi OS 4.0.21: a.) the function for assigning a VLAN to a port b.) a search function 😳
Actually, all trunk ports are tagged except for the native VLAN in Cisco, which means one untagged VLAN is allowed to go over the trunk; trunk ports are usually between switches and routers, and sometimes also support a PC NIC that supports it. For example, on your Windows machine, if you find the adapter settings you can specify a VLAN number and then connect to a trunk port. This is very useful if you are using VMs. All the access ports are untagged ports, for security and for devices that don't understand VLAN IDs.
Disallowing ping means blocking ICMP; what other protocols need to be blocked when a VLAN is being configured for better security?
Great video, I wish it existed a few months ago when I went through this. One thing though, when you set up the allow rule for DNS you use IOT Only as the source. Before you said that the "Only" groups contained all the networks except for the one in the name. Then, aren't you allowing DNS access from all the networks except for the IOT one?
After following this guide, I was unable to connect from my default network to my hosting network. I had to enable advanced options in the firewall rule and match on "New", "Invalid" and "Related", i.e. allowing established connections. I am unsure why that is, but I was unable to SSH or connect to my reverse proxy unless I made this change. I am uncertain if "Related" should also be allowed or not, but it seems to work now.
Loved this video so much. Great quality and very specific to my needs luckily. I would have loved to know a little more about what other rules you made and for what reason so i knew what i had to look out for when i start setting up my own network next year. I hope to see more great content in the future. I wish you the best!
This is great!! I got a new UDM SE and some security cameras. You made this pretty easy. I want to clear up one issue for my setup. I assume devices in your IOT-Better VLAN can do bidirectional communication with external network and services with the rules you defined. Is that correct? If so, I think my situation is the same. I need my cameras to be able to connect to security operators that get contacted when the camera and their AI host software detect inappropriate activity. If that occurs the security operators come on interactively and starts querying the perps, and as required dispatching the police.
Hey Tim, great video. I followed it and all worked great by having a Chromecast on my IoT network and my smartphone on my main (trusted) network, until I added the firewall rule "block IoT to All". After adding the rule I can't see my Chromecast (on IoT) on the list of devices I can cast to on my smartphone. I have Multicast DNS and IGMP Snooping enabled. If I pause the firewall rule, the Chromecast returns to the list of devices I can cast to. Do you have any idea what I am doing wrong?
I've been using UniFi for almost 3 years and I never used profiles for my firewall rules lol. My firewall rules are a mess lol, I have everything secure but it's definitely a mess.
Hey @TechnoTim, I think you should do an update video to this. I just bought my UDM-SE and found your video extremely helpful, but I think Ubiquiti updated the ability to isolate VLANs with a checkbox without having to do all the firewall rules & groups manually. I was using my laptop connected to the WiFi AP, turned off my firewall like you did and tried pinging my desktop, and it returned lost packets when "Isolate Network" was checked. BTW love your videos man, they are really informative and helpful for someone new to all of this gear.
Great video.... but calling UBNT/UniFi enterprise is probably a bit of a stretch. It's great for what it is... but enterprise usually needs more than what UBNT can provide unless you're only needing basic wireless access.
With these IoT firewall rules in place, will a new device that connects to the IoT VLAN via that VLAN's wireless automatically grab a VLAN address (using DHCP) and show up on the devices list? I ask because for some reason a wireless security camera that I have is not showing up anywhere when powered on. It is set to log on to the VLAN wireless network, but I don't see it anywhere in the client list.. Thanks ))
From your video, you have a mgmt default network and a main network that the rest of the home users are on (the main) in the video. So what network will you place Plex in?
I have not seen one, but I think people could benefit from a greenfield video. We have very similar setups and man going from 2 docker boxes, to tearing down my 4 server vmware cluster to building a 3 server harvester cluster has been a journey and now I'm at the "now what" point. The VMUG savings alone pays the power at least :) while I burn brain cycles trying to bone up on what I'm missing. In the homelab tour you talk about the three piholes and I was curious what you meant for the dns vip. What's running the VIP or did I miss that as a pihole feature?
Would like to avoid end users being able to connect switches to their network outlet. Only one device connected to a port shall be allowed to get connected to the network. Can this be done in a UniFi switch? Thanks!
For clarification, on WiFi VLANs you always need to create a new WiFi SSID? If you need 10 different VLANs on WiFi, you need to set up 10 different SSIDs? Can't the VLAN splitting be done on the same SSID?
VLANs are a must if you ever work from home. Imagine having your Work laptop on the same network as some data mining iot device from China. Absurd how common that is even amongst IT who should know better
What about IOT communicating with your media server. I want my Poweredger to be on a separate vlan from my IOT but still want some of my IOT to communicate with truenas for media
Hey everyone, maybe this was already answered but if not then I apologize. I just got my first UDM Pro and when I create a new network and then assign the new Wi-Fi SSID to the network I just created, my devices will connect to the IoT network for example, but they won't DHCP or get out to the internet. I have ATT fiber and have enabled passthrough and it's still not working. Any guidance would be greatly appreciated!
Thank you for the video. Unfortunately, on Network 7.5.176 I can't seem to get this to work. I have my IoT device connected to a USW flex mini and set the port it's connected to be the IoT VLAN. I can ping the device just fine from the Default (main) network. But if I then create the same LAN In rule, I can't ping the device any more.
General Unifi question: is the interface the same across devices? I'm trying to shrink route/switch in my lab to 1U and I noticed my local Micro Center has Edge Router X open box for sale.
This video shows the UniFi interface. The Edge series of devices is completely separate. UniFi devices are set up via the controller application. Edge devices are set up via a web interface in each device. I've got an EdgeRouter X. It's a nice little box, but I upgraded to pfSense.
A couple of mistakes:
- I misused "VLAN Hopping" - I meant "inter VLAN Communication"
- "local" in UniFi speak means "traffic that is destined for the UDM/USG itself."
- "All" in UniFi speak is a Trunk that includes all VLANs (which are tagged)
This is why I love this community! Lots of networking experts so keep the knowledge coming! Thank you all for the help!
It is called routing.
Yeah, I was going to call this one out, but "inter VLAN Communication" = Routing
Trunks don't always include all VLAN traffic, only the VLANs assigned to that trunk. But basically you either have trunk or access.
Hi, I came across your video and appreciated you walking through this. Shortly after your video, Unifi released Traffic Rules. Would you please consider updating your video's description to mention those? The reason I ask is that folks should know that using those eliminates much of the burden you mentioned of maintaining IP groups, making securing your VLANs faster to do, if not simpler overall. Just a thought, thanks!
@TechnoTim
You might want to pin your comment as it's fallen down the comment list
your pin got lost when you edited it @TechnoTim
One year after you made this, and today you helped me fix my IoT (already VLAN'd). Thanks a TON.
For anyone with UniFi Network 8.4.x: they have now updated Network to have set options for "Isolate Network" and "Allow Internet Access" that save you from needing to set these firewall rules manually. Isolate Network specifically lets the devices on that VLAN communicate with each other and not with any other networks, exactly what you'd want for IoT devices!
Yes it does and it's AWESOME! BUTTTTT**** If you click "Isolate Network" it blocks *ALL* networks. Here at my office we run UniFi and what I ended up doing was exactly what Tim did, because I have a VLAN called "ADMIN" and it's only Sys Admins allowed on that network so we can still get into our PBX, any IP phones, etc. We want to block anyone on the default network from accessing any other VLANs that have devices on them that should ONLY be accessed by the IT department; don't want an employee going through their phone and seeing an IP, putting it in a browser and start clicking shit lol. So we leave the Voice VLAN "isolated", except to the Admin network.
Thank you for this. I followed up to the firewall rules and saw the 'isolate network' option but didn't want to set options I didn't understand.
@@darmichar73 you may still want to follow how the firewall rules work, but in reverse. Say you have a server cluster running that you want on its own VLAN and then isolate that network. Well, say you're the system administrator and you're not on the same VLAN...now you can't access it from the LAN. So if you have a VLAN set up for yourself outside of the default LAN, guest LAN, IoT LAN, etc....set a rule backwards that ACCEPTS connections from your network to the isolated network. The network remains isolated from every other network EXCEPT you. You can do that multiple ways. If you just want one computer on the network to access that VLAN, do it by IP of the device (hopefully it's static and not DHCP lol), IP groups just like he did in this video (again but in reverse, to Accept...not Drop), or have a VLAN that's created for network admins and just allow that network to access the others.
At my office we have "Default", VoIP, Guest, Servers, and Admins. So there, I set it up so each VLAN is isolated, but then created a firewall rule for us admins who are on the admin VLAN to still be able to connect inter VLAN to the other networks. Traffic from the VLAN to us will be dropped, but traffic initiated by us to the VLAN will be accepted until the connection is terminated.
At home, same gig. I have Default, IoT, Guest, Servers (I run a few servers for a few different applications out of my house). Same setup, every network isolated, except my phone, tablet, MacBook, and PC. All have a static IP so I put those IPs in an IP group just like Tim did, set a firewall rule that those IPs can talk to IoT, Guests, Default, and Servers, but will drop the connection if vice versa. Only I can establish a handshake, not the other way around.
@@Kaotix_music Thanks for this. I'm nowhere near this complicated yet. Just trying to future proof as I build out my own home automation and NAS setup.
@@darmichar73 You'll get there eventually, especially when you start opening ports on the network and stuff. Servers and NAS are already all running up on my network with Cloudflare tunnels and such, home automation is going to be my next project. I never trusted anything IoT but the more I got into networking, the more I learned how I can protect myself so - that's my next project.
In the IT space here on RUclips, I think Tim is the best teacher. Dude's got skills.
Thank you!
I am fairly new to home networking/Linux and I found this episode to be the ONLY explanation I have understood of VLANs. Thank You. lol
At 10:40 with the trunk port, you're mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
At 10:44 yes I am watching and yes you got it right! :)
Thank you Tom! 😅
Well he's mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
Worth mentioning this is now much, much simpler with Traffic Rules. It can be done in a single rule.
Action: Block
Category: Local Network
Local Network: IOT-Better
Traffic Direction: Traffic from all local networks
Device/Network: All Devices
Schedule: Always
Name: Block IOT-Better to All
You're the hero we don't deserve...
Nowadays it's even easier - just tick "isolate network" at network level, and it's done!
@@Marc42 The same to block Internet access. Tick off 'Allow Internet Access' at network level.
@@Marc42 Then the devices on that network can't talk to each other. This is only good for a guest VLAN network
@@mike-oh7pz yes they can, the description has "devices on this network are able to communicate with each other"
In a nutshell, trunk ports expose all traffic from the VLANs by appending the VLAN id to the ethernet frame. This enables devices capable of reading this tag to manage the VLANs as well, making possible things like using the same VLAN across multiple switches or exposing the VLANs to a hypervisor for it to manage them internally.
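The tagging the comment above describes can be made concrete by building the frame bytes. What follows is an added example (not code from the video or any commenter): it inserts and parses an 802.1Q tag and models how a toy switch treats access and trunk ports, including the native VLAN leaving a trunk untagged and tags outside the trunk's allowed list being dropped. The port profiles, VLAN numbers and MAC addresses are constructed for the example and are not UniFi's own data model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI (PCP:3 | DEI:1 | VID:12) at byte offset 12 of an untagged frame."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id            # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present; untagged frames are returned unchanged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame

def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0) -> bytes:
    """Build an Ethernet II frame; with vlan_id set, a 4-byte tag sits after the source MAC."""
    frame = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload
    return add_tag(frame, vlan_id, pcp) if vlan_id is not None else frame

def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged), the real EtherType and the payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": vlan_id, "ethertype": ethertype, "payload": frame[offset:]}

# Constructed port profiles for the example (assumption: not UniFi's port-profile model).
ACCESS_IOT = {"mode": "access", "vlan": 20}
TRUNK_ALL = {"mode": "trunk", "native": 1, "allowed": {1, 20, 30}}

def ingress(port: dict, frame: bytes):
    """Classify an arriving frame: (vlan_id, untagged_frame), or None if the port drops it."""
    p = parse_frame(frame)
    if port["mode"] == "access":
        # An access port carries one VLAN untagged; a tagged frame arriving here is dropped.
        return None if p["vlan_id"] is not None else (port["vlan"], frame)
    if p["vlan_id"] is None:
        return port["native"], frame            # untagged on a trunk belongs to the native VLAN
    if p["vlan_id"] not in port["allowed"]:
        return None                             # VID not assigned to this trunk
    return p["vlan_id"], strip_tag(frame)

def egress(port: dict, vlan_id: int, untagged_frame: bytes):
    """Decide how a frame already classified into vlan_id leaves: tagged, untagged, or not at all."""
    if port["mode"] == "access":
        return untagged_frame if vlan_id == port["vlan"] else None
    if vlan_id not in port["allowed"]:
        return None
    if vlan_id == port["native"]:
        return untagged_frame                   # native VLAN leaves a trunk untagged
    return add_tag(untagged_frame, vlan_id)     # every other VLAN carries its tag on the trunk

def forward(in_port: dict, out_port: dict, frame: bytes):
    """Ingress on one port, egress on another; None means the switch did not forward the frame."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vlan_id, untagged = classified
    return egress(out_port, vlan_id, untagged)

if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00\x01\x08\x00")
    tagged = forward(ACCESS_IOT, TRUNK_ALL, arp)
    print("leaves trunk as VLAN", parse_frame(tagged)["vlan_id"], "len", len(tagged))
    print("tagged frame on access port forwarded:", forward(ACCESS_IOT, TRUNK_ALL, tagged) is not None)
```

The round trip access port -> trunk -> access port shows why the same VLAN can span two switches: the tag is added on the way out of the first switch and removed on the way into the IoT port of the second. The native-VLAN case is the one to watch from a security angle, since an untagged frame arriving on a trunk is silently placed into whatever VLAN is native there.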
There is something I don't understand about the trunk port. As you said, the trunk port has all the VLANs. So if I have port 1 as trunk and connect it to my router with one cable, and the router and switch have VLANs 20, 30, 40, when I make a firewall rule to route between VLAN 20 and 30, the traffic has to go through the router, right!? My question is: that one cable is my bottleneck for bandwidth, right?
So if I want to increase my bandwidth I have to create a LAGG between the switch and the router?
I got confused about this because D-Link switches call LAG trunk ports.
@@rethinking3289 yes that’s right: by default inter-VLAN traffic will have to go from your device, through a switch (if you’re using one) up to the router and then back down through the switch and to the other device. If you have a L3 switch, then there’s the potential to bypass the router, and have the switch route the inter-VLAN traffic, but then you’re also bypassing any firewall rules in the router, at least when using a unifi router and switch. Given this, I’m still struggling to understand how a unifi L3 switch is useful, unless you want all inter-VLAN traffic to be wide open.
@@Techintx yeah, to me in most cases you create vlans to isolate your network and only allow specific traffic with firewall rules as needed.
Thanks for this! I made it through the VLAN’s myself and got intimidated by the FW rules. Now I can follow what you have and finish the job!
I am a CCNA and you did a great job.
I have been having massive issues with my UDM, idk what the hell was going on, but I decided to create some VLANs to get some more control on whatever is going on. Changed all ports and added rules. Now things are working like they should. Big thanks for taking the time to go through how to set things up, much appreciated. For days my network was sometimes working off and on. This was a huge help. Thanks.
There's a humble vibe behind your videos that is really appreciated. Great videos. This one in particular as a future owner of a DreamMachine SE. Thank you for the content
@@impopet thank you! You love it!
I just bought the UDM SE and this video was the best I found to explain how to make an IoT network. Thank you!
Thank you!
Literally was working on some VLAN stuff last night, great timing to make sure I have everything buttoned up properly. Thanks!
This video is fantastic. I have a controller and AP's and have been thinking about using a gateway but putting it off for ages. This covers pretty much all the questions I had.
Great video Tim! Easy to follow and understand. For blocking inter-VLAN routing I just use 1 rule (RFC1918 to RFC1918), just condenses the list a bit
As for LAN local this is gateway, you would need to put block rules for your gateway so the other networks ( IoT) can’t hit the firewall interface. Have a great weekend very entertaining :)
Great tip! Thanks for stopping by!
@@TechnoTim You need to pin this comment to the top.
WAN-Local same story, WAN-IN jumps the gateway (I think)
Wouldn't it be better to set a DROP default policy for everything? And then open only what we need when we need it. That's what's going on with pfSense. It should be the choice of Ubiquiti.
This is awesome....period! I had no idea how to set my UniFi gear up. This video walked me thru step by step. I learned so much along the way. Again, this was top notch! Thank you man. :)
Hey, there's a terraform provider for unifi ! You can do it all as-code ! It's very handy to avoid the click simulator that is the unifi interface. Once you understand how it works by spending a little time maybe in the UI, you can really get stuff done fast using the tf provider ! I would love a video about that if you get to spend some time with it ! Great videos man keep it up
Hey there.. can you share? (thank you)
@@bcookbsdwebsol comment got removed twice... paultyng/unifi on the terraform registry
Coming in clutch! Just got the UDM Pro! Great vids as always
Thank you Tim! I am a 17 year old network admin in training, and I finally understand all of this! 😅
I would love a spreadsheet of your rule setup. I'm trying to run a similar setup. I got super hung up on trying to do inter vlan blocking without the established and related sessions rule at the top.
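Several comments in this thread describe the same mechanism from different angles: the admin-VLAN pattern (accept admin-initiated connections into an isolated VLAN, drop the reverse), the stateful-firewall note that replies are allowed because the connection was initiated from the trusted side, the single RFC1918-to-RFC1918 block rule, and the remark just above about the established/related rule needing to sit at the top. The following Python is an added example, not code from the video or from any commenter, that models an ordered LAN IN rule set with a minimal connection table. The subnets, addresses and rule names are constructed for the example and are not the addressing used in the video; the default-accept policy mirrors the observation elsewhere in the thread that UniFi leaves inter-VLAN routing open by default.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: one block rule over these covers every local network at once.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subnets for the example (assumption: not the addressing from the video).
NETWORKS = {
    "Default": ipaddress.ip_network("192.168.1.0/24"),
    "Admin":   ipaddress.ip_network("192.168.10.0/24"),
    "IoT":     ipaddress.ip_network("192.168.20.0/24"),
    "Servers": ipaddress.ip_network("192.168.30.0/24"),
}

@dataclass
class Rule:
    name: str
    action: str            # "accept" or "drop"
    src: object = None     # ip_network, list of ip_networks, or None for any
    dst: object = None
    states: object = None  # e.g. {"new"} or {"established", "related"}; None matches every state

def _in_nets(nets, ip):
    if nets is None:
        return True
    if isinstance(nets, ipaddress.IPv4Network):
        nets = [nets]
    return any(ip in n for n in nets)

class StatefulFirewall:
    """First matching rule wins; accepted new flows are remembered so their replies count as established."""
    def __init__(self, rules, default="accept"):
        self.rules = rules
        self.default = default   # default accept = inter-VLAN routing open unless a rule blocks it
        self.flows = set()       # (proto, src, sport, dst, dport) of accepted new connections

    def _state(self, pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Only TCP/UDP-style 5-tuples are tracked; ICMP errors and helper-based "related" flows are not modelled.
        return "established" if fwd in self.flows or rev in self.flows else "new"

    def handle(self, pkt):
        """Return (action, matched_rule_name) and record the flow if a new connection is accepted."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        state = self._state(pkt)
        for r in self.rules:
            if r.states is not None and state not in r.states:
                continue
            if _in_nets(r.src, src) and _in_nets(r.dst, dst):
                action, name = r.action, r.name
                break
        else:
            action, name = self.default, "default policy"
        if action == "accept" and state == "new":
            self.flows.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return action, name

def lan_in_rules():
    """Working order: established/related first, the admin exception, then one RFC1918-to-RFC1918 block."""
    return [
        Rule("Allow established/related", "accept", states={"established", "related"}),
        Rule("Allow Admin to all VLANs", "accept", src=NETWORKS["Admin"], states={"new"}),
        Rule("Block RFC1918 to RFC1918", "drop", src=RFC1918, dst=RFC1918),  # matches every state
    ]

def misordered_rules():
    """Same rules with the block above the established rule: replies to admin sessions now get dropped."""
    r = lan_in_rules()
    return [r[1], r[2], r[0]]

def scenario(rules):
    """Run four constructed packets, in order, through the rule set and return the verdict for each."""
    fw = StatefulFirewall(rules)
    pkts = {
        "admin->server ssh": dict(proto="tcp", src="192.168.10.5", sport=50000, dst="192.168.30.10", dport=22),
        "server reply":      dict(proto="tcp", src="192.168.30.10", sport=22, dst="192.168.10.5", dport=50000),
        "iot->admin new":    dict(proto="tcp", src="192.168.20.7", sport=40000, dst="192.168.10.5", dport=22),
        "iot->internet":     dict(proto="tcp", src="192.168.20.7", sport=40001, dst="203.0.113.10", dport=443),
    }
    return {label: fw.handle(p)[0] for label, p in pkts.items()}

if __name__ == "__main__":
    for label, verdict in scenario(lan_in_rules()).items():
        print(f"{label:20} {verdict}")
    print("misordered, server reply:", scenario(misordered_rules())["server reply"])
```

With the working order, the admin's SSH connection into the isolated server VLAN is accepted, the server's reply is accepted because the flow is already in the table, a new connection from IoT toward the admin VLAN is dropped, and IoT traffic to a public address falls through to the default and reaches the internet. Swapping the block rule above the established rule reproduces the symptom described in this thread: the SYN still goes out, but every reply hits the RFC1918-to-RFC1918 block and the session hangs. Restricting the block rule to the "new" state is the other way out of that, which is what matching on "New/Invalid/Related" rather than all states achieves.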
THANK YOU for helping me get this setup! I needed it for PCI compliance. Thank you again!!!!
I just got my UDM PRO SE and Tim as usual has perfect timing for the content I need! Wow thanks Tim!
Great full explanation Tim! This is becoming more critical, especially since working remotely from home and the increased amount of IoT devices at home.
However, I still believe it is not as easy as plug and play yet, so it's reserved for slightly more advanced users than my parents, for instance.
Thanks for spreading knowledge around this hot topic ;)
Great vid! Easy to follow and all made sense to me. One question: I tried adding a camera VLAN and when I added the 'block' firewall rule you explained, I can no longer access the cameras on my default network. I can only access them on the network/subnet I created for the cameras. My IoT VLAN, which I configured the same way, is fine regarding access from my default network. Anything I'm missing or need to change? Something specific to Reolink perhaps?
Hi Tim.
Excellent explanation. You may not be an IT guy but your explanations are superb. Keep up the good work and thanks for helping to make difficult tech easier to understand.
You found your voice, an inspiration. Love watching your content.
Thank you!!!
Did I miss a video on how the rings of the networks are numbered / used? Would be interested in a useful strategy if there's one to be shared.
Very easy to learn, thank you so much!!
What tool did he use to draw and animate his network architecture diagram? Awesome video as usual.
Hi Tim, I really enjoy your videos because you take your time to explain by providing details. I do have a question for you. It appears that somebody keeps hijacking my UniFi AP Pro and possibly my wifi access. How can I protect myself better? My controller is a DMSE but I am new to networking. Thank you.
Thanks, that was helpful. But it stopped just as it was getting interesting. I set up an entertainment network, an IoT network and so on. But certain devices need to communicate across VLAN boundaries. For instance Home Assistant (now running in IoT) needs to access a few devices in other VLANs and vice versa. Hope to see a video on this. Thanks!
Regarding the "VLAN hopping": it isn't that, it's because you have "Multicast DNS" on for the network. That allows devices to traverse VLANs.
This was great and easy to follow! Thank you!
Hi Tim. Excellent video. I also use UDM and I am setting up a similar configuration to isolate IoT devices but I am not sure about the best way to deal with Proxmox. Do you have the VE in a specific VLAN? What about the different VMs? I am running HomeAssistant as a VM and by default it installs in the same VLAN as the VE. How can I get the VM installed in the IoT VLAN? More in general, how can I get to select a specific VLAN in which a given VM will be installed? Hope you can give me some guidance. Cheers
This is exactly the video I have been after. Such a great explanation. Thanks a lot Tim!
It's odd that UniFi has inter-VLAN routing enabled by default, considering that virtual network segmentation is pretty much the primary reason most people set up VLANs in the first place. I can confirm that both Cisco and HP MLS switches have lanbase routing disabled.
On the subject of port assignment, it seems that UniFi takes a space somewhere in the middle of Cisco and HP. By default, Cisco lets any VLAN travel on a Trunk (tagged) port unless specified otherwise, while HP requires you to tag the port for any and all expected VLANs other than Native.
Communication between VLANs is just inter-VLAN routing; VLAN hopping is an attack that allows the hacker to hop around between different VLANs, I think.
Have you set up VLANs? How do you use them?
I currently have 4 VLANs, LAN, IoT, DMZ and Guest. I have also been considering moving my servers to their own VLAN because they don't normally initiate communications to my LAN devices.
I have six VLANs: server /25, management /27, Home /24, IoT /26, Guest /23, and Native /24. Under normal circumstances, all communication between VLANs is prohibited unless I allow certain activities, such as management allowed to all, guest denied to all RFC1918 networks, home to some of the server network, and server denied to some of the IoT net. All this with pfSense makes it straightforward to set up.
Really nice video, very informative. I use pfSense but the concepts are the same. An untagged port passes all the "tagged" traffic that you allow. So you can set the port to allow IoT and IoT Better through but block the other VLAN tags. The other aspect of a "tagged" port is that the device behind that port doesn't know about VLANs and the switch automatically tags traffic from the port with the VLAN ID.
Hi, thank you for this tutorial. Is there any way to setup DSCP tagging for QoS based on ports?
Thanks. Very helpful. Definitely getting my head around all of this more and more. Appreciate your making this video. Cheers!
@Techno Tim another way is just to do DHCP over the VLAN. I use OPNsense DHCP over VLAN and this will allow the firewall to stop traffic from reaching each other, much easier than the way you're doing it here, though it does work of course.
PS love the channel =3
One issue after doing this. Thoughts?
First - Great video! I've been wanting to segregate my IoT network for a long time now, but haven't. I randomly searched and found this yesterday, and it was so well done I decided to learn this morning. Follow step by step, and got it done a few minutes ago. Thank you!
I can see the IoT devices (such as chromecasts) when I pull up the menu to cast from youtube, but if I try to cast to any of them, it just hangs and won't connect. If I move my phone to the IoT network, it works flawlessly. Any idea why this might be?
For reference, my network is super simple. Basically it's all auto-configured and using the default settings. The only major change is following this process to put the IoT devices on their own VLAN (101) by restricting the WiFi they use (Pariahs) to the IoT network.
Great, Tim! What about recording a video to show different vulnerability scan tools? Greenbone, Nessus, Kali Linux and so on... Thanks!
Thanks for the video, very informative.
I was still left with one question that bugged me. How can you use a remote access tool from the MAIN to the IOT VLAN? This communication is bidirectional; packets need to go from the IOT VLAN to MAIN to show the screen.
Then I learned about the stateful firewall concept. When IOT sends back packets, they are allowed, because the communication was initiated from the MAIN VLAN.
It was a crucial thing that I was missing. Leaving a comment, maybe someone has knowledge gaps like me.
Great tutorial in general. But unfortunately I cannot find in UniFi OS 4.0.21:
a.) the function for assigning a VLAN to a port
b.) a search function 😳
I see you're using LastPass, maybe considering recent news its time to make the switch? Have you thought about doing a video on Bitwarden deployment?
Awesome tutorial that helped me BIGTIME, so thank you!
Thanks Tim! This was super helpful. I set my VLANs up a long time ago and this was a great refresher.
Actually all the trunk ports are tagged ports except the native VLAN in Cisco, which means it allows one untagged VLAN to go on the trunk; and trunk ports are usually between switches and routers, and sometimes also support a PC NIC that supports it. For example, in your Windows machine, if you find the adapter settings you can specify a VLAN number and then you can connect to a trunk port.
It's very useful if you are using VMs.
And all the access ports are untagged ports, for security and because the device doesn't understand VLAN IDs.
Great video Tim, thanks brother! 👌👌
Disallowing ping means blocking ICMP; what other protocols need to be blocked when a VLAN is being configured for better security?
Great video, I wish it existed a few months ago when I went through this.
One thing though, when you set up the allow rule for DNS you use IOT Only as the source. Before you said that the "Only" groups contained all the networks except for the one in the name. Then, aren't you allowing DNS access from all the networks except for the IOT one?
After following this guide, I was unable to connect from my default network to my hosting network.
I had to enable advanced options in the firewall rule, and match on "New", "Invalid" and "Related", i.e. allowing established connections.
I am unsure why that is. But I was unable to SSH or connect to my reverse proxy unless I made this change.
I am uncertain if "Related" should also be allowed or not. But it seems to work now.
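To make the stateful-firewall point concrete (the "established/related rule at the top", the one-rule RFC1918-to-RFC1918 block, and the symptom of inter-VLAN replies being dropped when that rule is missing), here is an added example that is not from the video or from Ubiquiti. It is a toy first-match rule evaluator with a minimal connection-tracking table; the subnets, the Pi-hole address and the accept-by-default fall-through are assumptions chosen for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the demo, not the video's real subnets.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.20.0/24")
PIHOLE = ip_address("192.168.1.53")  # hypothetical Pi-hole / DNS server address


def in_rfc1918(addr):
    return any(addr in net for net in RFC1918)


# A LAN In rule: (name, action, src test, dst test, states it matches).
# states=None means "every state", which is how a block rule behaves
# before you open the advanced options and pick New/Invalid/Related.
RULES = [
    ("allow established/related", "accept",
     lambda s: True, lambda d, p: True, {"established", "related"}),
    ("allow MAIN to any", "accept",
     lambda s: s in MAIN, lambda d, p: True, {"new"}),
    ("allow IoT DNS to Pi-hole", "accept",
     lambda s: s in IOT, lambda d, p: d == PIHOLE and p == 53, {"new"}),
    ("block RFC1918 to RFC1918", "drop",
     in_rfc1918, lambda d, p: in_rfc1918(d), None),
]
DEFAULT_ACTION = "accept"  # assumption: no match falls through to accept


class StatefulFirewall:
    """First-match rule evaluation plus a tiny connection-tracking table."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conntrack = set()  # accepted flows stored as (src, sport, dst, dport)

    def state(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.conntrack:
            return "established"  # more packets from the initiator
        if (dst, dport, src, sport) in self.conntrack:
            return "established"  # reply traffic for a tracked flow
        return "new"

    def evaluate(self, src, sport, dst, dport):
        """Return (action, name of the rule that decided) for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        st = self.state(src, sport, dst, dport)
        for name, action, src_ok, dst_ok, states in self.rules:
            if (states is None or st in states) and src_ok(src) and dst_ok(dst, dport):
                break
        else:
            name, action = "default policy", DEFAULT_ACTION
        if action == "accept" and st == "new":
            self.conntrack.add((src, sport, dst, dport))  # start tracking the flow
        return action, name
```

Running the same MAIN-to-IoT SSH flow through `StatefulFirewall()` and through `StatefulFirewall(RULES[1:])` shows the reply packet accepted in the first case and dropped by the RFC1918 block in the second, which is exactly the "can't connect without the established rule" symptom described above.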
Good content, what’s missing for me is a schema like at 0.31 sec for hardware, their various connections and their must have dependencies.
Loved this video so much. Great quality and very specific to my needs, luckily. I would have loved to know a little more about what other rules you made and for what reason, so I knew what I had to look out for when I start setting up my own network next year. I hope to see more great content in the future. I wish you the best!
Great info and explanation, liked and subbed, appreciate the hard work you put into these.
Very informative video! What's the difference between your Default and Main networks?
Been looking forward to this one!
Thanks Tim!
This is gold 🥇 thank you mister
Any pointers on sharing a wireless printer across multiple VLANs setup using this process?
This is great!! I got a new UDM SE and some security cameras. You made this pretty easy. I want to clear up one issue for my setup. I assume devices in your IOT-Better VLAN can do bidirectional communication with external network and services with the rules you defined. Is that correct? If so, I think my situation is the same.
I need my cameras to be able to connect to security operators who get contacted when the camera and their AI host software detect inappropriate activity. If that occurs, the security operators come on interactively and start querying the perps, and as required dispatch the police.
Dude, I have been waiting for this from you, so thank you very much, and please release a printout.
It's there, on my docs site!
Hey Tim
Great video.
I followed it and all worked great, with a Chromecast on my IoT network and my smartphone on my main (trusted) network, until I added the firewall rule "block IoT to All". After adding the rule I can't see my Chromecast (on IoT) in the list of devices I can cast to on my smartphone.
I have Multicast DNS and IGMP Snooping enabled.
If I pause the firewall rule, the Chromecast returns to the list of devices I can cast to.
Do you have any idea what I am doing wrong?
Ever thought about using Terraform to manage it? It's nice to have it in code and I don't like clicking in a UI :)
Never knew there was a Terraform provider plug-in for UniFi. There goes my day. 🙂
Yes, I have looked at it a few times! It's in my backlog!
Yup, way to go! I use the TF provider and CI pipelines to push updates to my network and it's been saving me so much time clicking around in the UI.
Can you discuss disposable containerization?
I've been using UniFi for almost 3 years and I never used profiles for my firewall rules lol. My firewall rules are a mess lol, I have everything secure but it's definitely a mess.
Thanks Tim.
Hey @TechnoTim, I think you should do an update video to this. I just bought my UDM-SE and found your video extremely helpful, but I think Ubiquiti updated the ability to isolate VLANs with a checkbox without having to do all the firewall rules & groups manually. I was using my laptop connected to the WiFi AP, turned off my firewall like you did and tried pinging my desktop, and it returned lost packets when "Isolate Network" was checked. BTW, love your videos man, they are really informative and helpful for someone new to all of this gear.
Hello, in which situation could it be useful to apply a rule on the OUT interface?!?
Great video.... but calling UBNT/UniFi enterprise is probably a bit of a stretch. It's great for what it is... but enterprise usually needs more than what UBNT can provide, unless you're only needing basic wireless access.
Thanks! Understood.
With these IOT firewall rules in place, will a new device that connects to the IOT VLAN via that VLAN's wireless automatically grab a VLAN address (using DHCP) and show up on the devices list? I ask because for some reason a wireless security camera that I have is not showing up anywhere when powered on. It is set to log on to the VLAN wireless network, but I don't see it anywhere in the client list.. Thanks ))
Thank you for the hard work, you make it look really easy 🙏🏽
Another excellent video, thanks!
From your video, you have a mgmt default network and a main network that the rest of the home users are on (the main) in the video. So what network will you place Plex in?
Thanks Tim! You do a wonderful job. Do you still have your virtualized pfSense router when you use the UniFi Dream Machine? or do you run both?
I have not seen one, but I think people could benefit from a greenfield video. We have very similar setups and man going from 2 docker boxes, to tearing down my 4 server vmware cluster to building a 3 server harvester cluster has been a journey and now I'm at the "now what" point. The VMUG savings alone pays the power at least :) while I burn brain cycles trying to bone up on what I'm missing. In the homelab tour you talk about the three piholes and I was curious what you meant for the dns vip. What's running the VIP or did I miss that as a pihole feature?
Hi Tim, thanks as always for this awesome video, very important for a noob like me!
In my network, the UDM PRO won't change to Third Party Gateway. Why? My gateway is a Fortigate. I bought this UDM to manage UAPs.
Great video!!!
Wow, I haven't watched ItsMyNaturalColour in a long time. I'll have to look up his VLAN videos after this.
Is it possible to create a VLAN for my UniFi Protect cameras? I tried doing this but I cannot get the cameras detected inside of Protect.
Would like to avoid end users being able to connect switches to their network outlet. Only one device connected to a port shall be allowed to get connected to the network.
Can this be done in a UniFi switch?
Thanks!
Is it possible to have my VMs on Proxmox use this on a single NIC on my server?? I have a UDM Pro and their Layer 2 switch.
Why can we use device isolation to stop one VLAN from reaching another?
Thanks man!
For clarification, on WiFi VLANs do you always need to create a new WiFi SSID? If you need 10 different VLANs on WiFi, do you need to set up 10 different SSIDs? Can't the VLAN splitting be done on the same SSID?
Not that I am aware of, it's 1:1 unless there's something I am overlooking.
@TechnoTim That was a quick answer. Thanks. In a quick search it is mentioned that tagged VLANs with RADIUS authentication can do the trick.
VLANs are a must if you ever work from home. Imagine having your Work laptop on the same network as some data mining iot device from China. Absurd how common that is even amongst IT who should know better
What about IOT communicating with your media server? I want my PowerEdge to be on a separate VLAN from my IOT but still want some of my IOT to communicate with TrueNAS for media.
I have a question. If you have multiple switches, do you set up the VLAN on the router or even on the switch, or just the switch? Thanks
You should only need to set this once in UniFi Network when you create a network. It will take care of pushing it out to all UniFi devices!
Hey everyone, maybe this was already answered, but if not then I apologize. I just got my first UDM Pro and when I create a new network and then assign the new Wi-Fi SSID to the network I just created, my devices will connect to the IoT network for example, but they won't DHCP or get out to the internet. I have ATT fiber and have enabled passthrough and it's still not working. Any guidance would be greatly appreciated!
Is it possible to have UniFi Protect on a different VLAN? When I moved my cameras, Protect couldn't see them anymore.
Thank you for the video. Unfortunately, on Network 7.5.176 I can't seem to get this to work. I have my IoT device connected to a USW flex mini and set the port it's connected to be the IoT VLAN. I can ping the device just fine from the Default (main) network. But if I then create the same LAN In rule, I can't ping the device any more.
Did you figure this out? I have a similar issue.
General UniFi question: is the interface the same across devices? I'm trying to shrink route/switch in my lab to 1U and I noticed my local Micro Center has an EdgeRouter X open box for sale.
This video shows the UniFi interface. The Edge series of devices is completely separate. UniFi devices are set up via the controller application. Edge devices are set up via a web interface in each device.
I've got an EdgeRouter X. It is a nice little box, but I upgraded to pfSense.
I have IOT set up on a VLAN and have checked there is no communication to the standard network. I am confused over your setup, maybe it's outdated.... VLAN is tied to IOT.
Can you make a video, how to implement a pi-hole to this kind of vlan structure? :)
Just hand out your Pi-hole address in your DHCP scope and then allow all VLANs to have access to the Pi-hole IP on port 53!
Thanks mate