Well he's mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
A couple of mistakes: - I misused "VLAN Hopping" - I meant "inter VLAN Communication" - "local" in UniFi speak means "traffic that is destined for the UDM/USG itself." - "All" in UniFi speak is a Trunk that includes all VLANs (which are tagged) This is why I love this community! Lots of networking experts so keep the knowledge coming! Thank you all for the help!
Yeah, I was going to call this one out, but "inter VLAN Communication" = Routing Trunks don't always include all VLAN traffic. Only vlans assigned to that trunk. But basically you either have trunk or access.
Hi, I came across your video and appreciated you walking through this. Shortly after your video, Unifi released Traffic Rules. Would you please consider updating your video's description to mention those? The reason I ask is that folks should know that using those eliminates much of the burden you mentioned of maintaining IP groups, making securing your VLANs faster to do, if not simpler overall. Just a thought, thanks!
Great vid! Easy to follow and all made sense to me. One question, I tried adding a camera vlan and when I added the 'block' firewall rule you explained I can no longer access the cameras on my default network. I can only access them on the network/subnet I created for the cameras. My IoT vlan which I configured the same way is fine regarding access from my default network. Anything I'm missing or need to change? Something specific to reolink perhaps?
For anyone with UniFi network 8.4.x. They have now updated network to have set options for "Isolate Network" and "Allow Internet Access" that saves you from needing to set these firewall rules manually. Isolate Network specifically let's the devices on that VLAN to communicate with each other and not with any other networks, exactly what you'd want for IoT devices!
Yes it does and its AWESOME! BUTTTTT**** If you click "Isolate Network" it blocks *ALL* networks. Here at my office we run Unifi and What I ended up doing was exactly what Tim did, because I have a VLAN called "ADMIN" and its only Sys Admins allowed on that network so we can still get into our PBX, any IP phones, etc. We want to block anyone on the default network from accessing any other VLANs that have devices on them that should ONLY be accessed by the IT department, dont want an employee going through their phone and seeing an IP, puting it in a browser and start clicking shit lol. So we leave the Voice VLAN "isolated", except to the Admin network.
I currently have 4 VLANs, LAN, IoT, DMZ and Guest. I have also been considering moving my servers to their own VLAN because they don't normally initiate communications to my LAN devices.
I have six VLANs, sever /25, management /27, Home /24, Iot /26, Guest /23, and Native /24. Under normal circumstances, all communication between VLANs is prohibited unless I allow certain activities, such as management allowing to all, and guest denying to all RFC1918 networks, and home to some server network, and server deny to some IoT net, all this with Pfsense makes it straightforward to set up.
In a nutshell, trunk ports expose all traffic from the VLANs by appending the VLAN id to the ethernet frame. This enables devices capable of reading this tag to manage the VLANs as well, making possible things like using the same VLAN across multiple switches or exposing the VLANs to a hypervisor for it to manage them internally.
There is something I don't understand about the trunk port. As you said the trunk port got all the vlans. So if i have port 1 as trunk and connect it to my router with one cable. And the router and switch got vlans 20,30,40. When i make a firewall rule to route between vlan 20 and 30. The traffic has to go through the router right!? My question is that one cable is my bottleneck for bandwidth right? So if i want to increase my bandwidth i have to create LAGG between the switch and the router? I got confused about this because Dlink switches call LAG trunk ports.
@@rethinking3289 yes that’s right: by default inter-VLAN traffic will have to go from your device, through a switch (if you’re using one) up to the router and then back down through the switch and to the other device. If you have a L3 switch, then there’s the potential to bypass the router, and have the switch route the inter-VLAN traffic, but then you’re also bypassing any firewall rules in the router, at least when using a unifi router and switch. Given this, I’m still struggling to understand how a unifi L3 switch is useful, unless you want all inter-VLAN traffic to be wide open.
At 22:02 that just seems ass backwards to me calling the group IOT ONLY when you made the group all the other networks except the IOT network. I would have named the group something like ALL BUT IOT. Just me, but I get why you did it, makes it easier because the firewall rules are backwards.
Great video Tim! Easy to follow and under stand. For blocking inter-vlan routing I just use 1 rule ( Rfc1918 to Rfc1918) just condenses the list a bit As for LAN local this is gateway, you would need to put block rules for your gateway so the other networks ( IoT) can’t hit the firewall interface. Have a great weekend very entertaining :)
Wouldn't be better to set a DROP default policy for everything ? And then open only what we need when we need. That's what's going on with pfsense. It should be the choice of ubiquiti.
Hi Tim. Excellent explanation. You may not be an IT guy but your explanations are superb. Keep up the good work and thanks for helping to make difficult tech easier to undersstand.
Hey, there's a terraform provider for unifi ! You can do it all as-code ! It's very handy to avoid the click simulator that is the unifi interface. Once you understand how it works by spending a little time maybe in the UI, you can really get stuff done fast using the tf provider ! I would love a video about that if you get to spend some time with it ! Great videos man keep it up
Great full explanation Tim! This is becoming more critical specially since working remotely from home and the increase amount of IOT devices at home. However, I still believe it is not as easy as plug and play yet so reserved to bit more advanced users than my parents for instance. Thanks spreading knowledge around this hot topic ;)
Really nice video, very informative. I use pfSense but the concepts are the same. An untagged port passes all the "tagged" traffic that you allow. So you can set the port to allow IoT and IOT Better through but block the other VLAN tags. The other aspect of a "tagged" port, this that the device behind that port doesn't know about VLANs and the switch automatically tags traffic from the port with the VLAN id.
Hi Tim. Excellent video. I also use UDM and I am setting up a similar configuration to isolate IoT devices but I am not sure about the best way to deal with Proxmox. Do you have the VE in a specific VLAN? What about the different VMs? I am running HomeAssistant as a VM and by default it installs in the same VLAN as the VE. How can I get the VM installed in the IoT VLAN? More in general, how can I get to select a specific VLAN in which a given VM will be installed? Hope you can give me some guidance. Cheers
Worth mentioning this is now much, much simpler with Traffic Rules. It can be done in a single rule. Action: Block Category: Local Network Local Network: IOT-Better Traffic Direction: Traffic from all local networks Device/Network: All Devices Schedule: Always Name: Block IOT-Better to All
It's odd that Unifi has inter-VLAN routing enabled by default considering that virtual network segmentation is pretty much the primary reason most people set up VLANs in the first place. I can confirm that both Cisco and HP MLS switches have lanbase routing disabled. On the subject of port assignment, it seems that Unifi takes a space somewhere in the middle of Cisco and HP. By default, Cisco lets any VLAN travel on a Trunk (tagged) port unless specified otherwise, while HP requires you to tag the port for any and all expected VLANS other than Native.
Just setting one of these things up and created an IoT network connected to one port on the UCG Ultra with its own VLAN, everything else is on the default VLAN on a separate switch. I'd like to make a rule to allow all devices on the default network to be able to connect to the ASUS router in access point mode to be able to update it or reboot it without having to connect directly to that access point. Do you think I could figure out how to make a firewall rule which would allow that? Nope. I'm totally new to these Unifi devices, but the firewall section is just plain confusing. Maybe I need to create another VLAN for my trusted network and leave that default network/VLAN basically empty? And how the hell do you make a rule to allow ICMP/Echo/Echo Reply? Sorry, venting.
Hey @TechnoTim, I think you should do an update video to this, i just bought my UDM-SE and found your video extremely helpful but i think Ubiquiti Updated the Ability to Isolate Vlans with a checkbox without having to do all the firewall rules & groups manually, i was using my Laptop connected to the WiFi AP turned off my firewall like you did and tried pinging my desktop and it returned lost packets when "Isolate Network" was checked. BTW Love your videos man they are really informative and helpful for someone new to all of this Gear.
You are correct that VLANs are important for home use too. The missfortune is that you are talking about $1000 to $2000 worth of kit with gateways, layer 3 switches, APs etc... There is no simple way to deliver these features. Plus a big increase in power consumption. If a person has a rack at home then they are not home users but IT Professionals or youtubers.
Hey Tim Great video. I followed it and all worked great by having a Chromecast on my IoT network and my smartphone on my main (trusted) network until i add the firewall rule "blok IoT to All". After adding the rule I can´t see my Chromecast (On IoT) on the list of devices I can cast to on my smartphone. I have Multicast DNS and IGMP Snooping enabled. If I pause the firewall rule, the Chromecast return on the list of devices I can cast to. Do you have any ideer what I am doing wrong?
Sorry for commenting on an "old" video... I don't like this "ONLY" group you are creating (@16:13). Every time you add a new network, you will have to edit all your ONLY groups to include the new network...this is a ticking time bomb in your setup. There must be a better way 🙂
One issue after doing this. Thoughts? First - Great video! I've been wanting to segregate my IoT network for a long time now, but haven't. I randomly searched and found this yesterday, and it was so well done I decided to learn this morning. Follow step by step, and got it done a few minutes ago. Thank you! I can see the IoT devices (such as chromecasts) when I pull up the menu to cast from youtube, but if I try to cast to any of them, it just hangs and won't connect. If I move my phone to the IoT network, it works flawlessly. Any idea why this might be? For reference, my network is super simple. Basically it's all auto configed and using the default settings. The only major change is following this process to put the IoT devices on their own VLAN (101) by restricting the WiFi they use (Pariahs) to the IoT newtork.
Ive been using unifi for almost 3 years and i never used profiles for my firewall rules lol. My firewall rules are a mess lol, i have everything secure but its definitely a mess.
Actually all the trunk are tag port except the native vlan in Cisco, which means it a allow one untag vlan go to trunk; and trunk port are usually between switches and router and sometime also support Pc NIC that support it, for a sample in your window machine if you find the adopters setting that you can specify a VLAN number and then you can connect to an trunk port Is very useful if you using VM and all the access port is on untag port, for security and device doesn’t understand VLAN ID
I just got my UDM PRO SE and Tim as usual has perfect timing for the content I need! Wow thanks Tim!
Год назад+1
That's OK but ONE suggestion. Best practice in IT security is to block everything and that provide firewall exceptions. First ... You have better CPU performance of your router/firewall gateway, cause you mostly blocking than allowing. Second ... your network is more readable. You showed other side, you saying allow all except bla bla bla which lead to tons of rules especially when you using network in way how you do it. It's more easy and readable to count with one basic rule "block everything" and than add few rules which accept connect than setup tons of rules witch SHOULD block something, cause it's hard to debug if you really blocking everything what you want. Main purpose of firewall is to block. So I agree with what you done, but I suggest to swap it.
I am using OPNsense. But no matter the OS, I wonder if you could provide a screen shot or a text representation of a rule set for an interface as per your ideas above. Thanks!
Год назад
@@colorxlabs7200 I don't have some easy setup usable for example and for now using routerOS (Mikrotik). But it's like: 1 Accept ALL from Trusted-vlan # exceptions rule placed higher 2 Drop ALL # Drop everything
How do you RDP into a "isolated" IOT network? If i try to ping my now locked down network i dont get a response obv. because its getting dropped. But like now i cant access anything anymore.
@@braderunnah2204 yeah i didnt use Firewall rules now. I Opted for traffic rules and then i blacklisted communication between my networks. Works flawlessly and whitelisting stuff also works easy. And with my knowledge its the same thing from a security standpoint.
As someone who's entire network is Ubiquiti equipment, I can honestly say that i hate Ubiquiti lol. Their GUI is not user friendly or logical, and quite often they add more features without fixing pre-existing bugs (I'm pretty sure there are one or two bugs that are going on 5+ years at this point). You can't throttle IPs, only ports (and wifi throttling is separate), so when I wanted to throttle a single computer connected to a non Ubiquiti switch I discovered I could not. A feature that my old $60 router could easy do. So I had to purchase a Ubiquiti switch and replace my netgear switch just to change the port egress and throttle a single computer. Thanks Ubiquiti! I love the consolidated dashboard but after 6 years of dealing with Ubiquiti's crap I don't think it is worth it. I ended up here because I assumed Inter VLAN routing was disabled by default like all other equipment I have setup.
Hey everyone, maybe this was already answered but if not then I apologize. I just got my first UDM Pro and when I create a new network and then assign the new Wi-Fi SSID to the network I just created, my devices will connect to the IoT network for example, but they won't DHCP or get out to the internet. I have ATT fiber and have enabled passthrough and it's still not working. Any guidance would be greatly apprecated!
The logic behind Unifi GUI approach may be superior for WIFI configuration, but for VLAN and firewall issues it is sub-standard. You spend far too long agonising over how to expose a VLAN and individual hosts from that VLAN to other VLANs. If anyone here at Unifi sees this.... Guys finally improve this interface and above all describe it properly, just like the CLI.
So my network setting screen is different from yours...(v 3.1.16) and the only option I have is to create a 'New Virtual Network', I do not have 'Create New Network'. Does that matter? Also have a section just under where you enter the VLAN ID called ISOLATION (There is a checkbox to select "Network"). When I hover of the info circle for Isolation(Network), it tells me, "your guest hotspot profile will automatically be applied to this Guest Network. Connected clients will be isolated from all other internal networks. The restrictions can be modified in your Guest Hotspot Profile". So my question is, Do I need to check "Network"? I do not use a Guest Hotspot and to me, this checkbox should say Guest Network instead of Network. (btw, just under the circle I, it also references for more isolation options, to check out Traffic Rules). Thanks
Hi Tim, I really enjoy your videos because you take your time to explain by providing details. I do have a question for you. It appears that somebody keeps hijacking my Unfi AP Pro and possibly my wifi access. How can I protect myself better my controller is a DMSE but I am new to Networking. Thank you.
The only "Advanced" wifi setting for the IOT network for me is, turning 5 GHz off. Most IOT devices don't work with 5 Ghz or even work better on the 2.4GHz.
What about IOT communicating with your media server. I want my Poweredger to be on a separate vlan from my IOT but still want some of my IOT to communicate with truenas for media
I dont like that Python script running around in the wild that break vlan security.... I rather seg the line physically f*** that and then use routing rules to give access to traverse...
At 10:40 with the trunk port, you're mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
VLANs are a must if you ever work from home. Imagine having your Work laptop on the same network as some data mining iot device from China. Absurd how common that is even amongst IT who should know better
Do you know how to block IOT devices from accessing the udm console? Whenever I try to make a LAN local rule it shows up after the Accounting Defined Network rules so it doesn't seem to work.
Thanks, that was helpful. But it stopped just as it was getting interesting. I set up an entertainment network, an iot network and so on. But certain devices need to communicate accross vlan boundries. For instance Home Assistant (now running in iot) needs to access a few devices in other vlans and vice versa. Hope to see a video on this. Thanks!
I would love a spreadsheet of your rule setup. I'm trying to run a similar setup. I got super hung up on trying to do inter vlan blocking without the established and related sessions rule at the top.
I have not seen one, but I think people could benefit from a greenfield video. We have very similar setups and man going from 2 docker boxes, to tearing down my 4 server vmware cluster to building a 3 server harvester cluster has been a journey and now I'm at the "now what" point. The VMUG savings alone pays the power at least :) while I burn brain cycles trying to bone up on what I'm missing. In the homelab tour you talk about the three piholes and I was curious what you meant for the dns vip. What's running the VIP or did I miss that as a pihole feature?
This is great!! I got a new UDM SE and some security cameras. You made this pretty easy. I want to clear up one issue for my setup. I assume devices in your IOT-Better VLAN can do bidirectional communication with external network and services with the rules you defined. Is that correct? If so, I think my situation is the same. I need my cameras to be able to connect to security operators that get contacted when the camera and their AI host software detect inappropriate activity. If that occurs the security operators come on interactively and starts querying the perps, and as required dispatching the police.
Hello work for an internet company and I have two isp of the Internet to source / and I need to isolate the Wi-Fi on the first isp /wan 1 of the Internet and isolate the second source( wan2 ) of the Internet for Dream Machine only
Would like to avoid end users to be able to connect switches to there network outlet. Only one device connected to a port shall be allowed to get connected to the network. Can this be done in a Unifi switch? Thanks!
This is awesome....period! I had no idea how to set my Unfi gear up. This video walked me thru step by step. I learned so much along the way. Again, this was top notch! Thank you man. :)
This video is fantastic. I have a controller and AP's and have been thinking about using a gateway but putting it off for ages. This covers pretty much all the questions I had.
from your video, you have a mgmt default network and a main network that the rest of the home user are on (the main) in the video. so what network will you placedPlex in?
@Techno Tim another way is just to dchp over the vlan i use opnsense dchp over vlan and this will allow the firewall to stop traffic from teach to each other much more easy than the way your doing it here tho it does work of course ps love the channel =3
I have been having massive issues with my udm idk what the hell was going on but i decided to create some vlans to get some more control on whatever is going on. Changed all ports and added rules. Now things are working like they should. Big thanks for taking the time to go through how to set things up. much appreciated. for days my network was sometimes working off and on. This was a huge help. thanks.
For the life of me I just can't get this firewall rule to work. Even copying everything exactly step by step here. If the rule is enabled, I can suddenly no longer ping or ssh into anything on the IOT network or out. It's like it's blocking things both ways. Pause the rule and viola, suddenly it works but it works both ways. Wonder if something has changed perhaps? Doesn't look like it.
This requires a rule to allow established and related. You can actually see them in his video as first rules in Internet In and Lan In (check 23:22), but Tim does not mention ever. Maybe he forgot about it when making this video because he has many other rules, and maybe was just using his existing production system that had this already. I just started using UDM coming from pfSense so I am learning also but I ran into this problem and had to figure it out... just add a rule in Lan In, Name it something like "Allow Established and Related to any", Accept in Action, Make sure before predifned is checked, and sure source and destination is any, any. Advanced: Manual, check Match State Established and Related. Then drag it to very top of all other rules. This makes it so the other VLAN talks back over established/related ie. pings or other requests from you etc. I also do this for IPSec and you would place a similar rule in Internet In.
At 10:44 yes I am watching and yes you got it right! :)
Thank you Tom! 😅
Well he's mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
A couple of mistakes:
- I misused "VLAN Hopping" - I meant "inter VLAN Communication"
- "local" in UniFi speak means "traffic that is destined for the UDM/USG itself."
- "All" in UniFi speak is a Trunk that includes all VLANs (which are tagged)
This is why I love this community! Lots of networking experts so keep the knowledge coming! Thank you all for the help!
It is called routing.
Yeah, I was going to call this one out, but "inter VLAN Communication" = Routing
Trunks don't always include all VLAN traffic. Only vlans assigned to that trunk. But basically you either have trunk or access.
Hi, I came across your video and appreciated you walking through this. Shortly after your video, Unifi released Traffic Rules. Would you please consider updating your video's description to mention those? The reason I ask is that folks should know that using those eliminates much of the burden you mentioned of maintaining IP groups, making securing your VLANs faster to do, if not simpler overall. Just a thought, thanks!
@TechnoTim
You might wann pin your comment as its fallen down the comment list
your pin got lost when you edited it @TechnoTim
This is exactly the video I have been after. Such a great explanation. Thanks a lot Tim!
thanks Tim!, this was super helpful. I set my VLANs up a long time ago and this was a great refresher.
You found your voice, an inspiration. Love watching your content.
Thank you!!!
Hi, thank you for this tutorial. Is there any way to setup DSCP tagging for QoS based on ports?
Great vid! Easy to follow and all made sense to me. One question, I tried adding a camera vlan and when I added the 'block' firewall rule you explained I can no longer access the cameras on my default network. I can only access them on the network/subnet I created for the cameras. My IoT vlan which I configured the same way is fine regarding access from my default network. Anything I'm missing or need to change? Something specific to reolink perhaps?
Why we can use device isolation to stop one vlan to other?
In my network, UDM PRO not change to Third Party Gateway. Why? My gateway is a Fortigate. I buy this UDM to manager UAP's
How do I configure a Plex server, cause I can't view my content on my viewing devices, or my computer can't see it.
For anyone with UniFi network 8.4.x. They have now updated network to have set options for "Isolate Network" and "Allow Internet Access" that saves you from needing to set these firewall rules manually. Isolate Network specifically let's the devices on that VLAN to communicate with each other and not with any other networks, exactly what you'd want for IoT devices!
Yes it does and its AWESOME! BUTTTTT**** If you click "Isolate Network" it blocks *ALL* networks. Here at my office we run Unifi and What I ended up doing was exactly what Tim did, because I have a VLAN called "ADMIN" and its only Sys Admins allowed on that network so we can still get into our PBX, any IP phones, etc. We want to block anyone on the default network from accessing any other VLANs that have devices on them that should ONLY be accessed by the IT department, dont want an employee going through their phone and seeing an IP, puting it in a browser and start clicking shit lol. So we leave the Voice VLAN "isolated", except to the Admin network.
Have you set up VLANs? How do you use them?
I currently have 4 VLANs, LAN, IoT, DMZ and Guest. I have also been considering moving my servers to their own VLAN because they don't normally initiate communications to my LAN devices.
I have six VLANs, sever /25, management /27, Home /24, Iot /26, Guest /23, and Native /24. Under normal circumstances, all communication between VLANs is prohibited unless I allow certain activities, such as management allowing to all, and guest denying to all RFC1918 networks, and home to some server network, and server deny to some IoT net, all this with Pfsense makes it straightforward to set up.
In a nutshell, trunk ports expose all traffic from the VLANs by appending the VLAN id to the ethernet frame. This enables devices capable of reading this tag to manage the VLANs as well, making possible things like using the same VLAN across multiple switches or exposing the VLANs to a hypervisor for it to manage them internally.
There is something I don't understand about the trunk port. As you said the trunk port got all the vlans. So if i have port 1 as trunk and connect it to my router with one cable. And the router and switch got vlans 20,30,40. When i make a firewall rule to route between vlan 20 and 30. The traffic has to go through the router right!? My question is that one cable is my bottleneck for bandwidth right?
So if i want to increase my bandwidth i have to create LAGG between the switch and the router?
I got confused about this because Dlink switches call LAG trunk ports.
@@rethinking3289 yes that’s right: by default inter-VLAN traffic will have to go from your device, through a switch (if you’re using one) up to the router and then back down through the switch and to the other device. If you have a L3 switch, then there’s the potential to bypass the router, and have the switch route the inter-VLAN traffic, but then you’re also bypassing any firewall rules in the router, at least when using a unifi router and switch. Given this, I’m still struggling to understand how a unifi L3 switch is useful, unless you want all inter-VLAN traffic to be wide open.
@@Techintx yeah, to me in most cases you create vlans to isolate your network and only allow specific traffic with firewall rules as needed.
At 22:02 that just seems ass backwards to me calling the group IOT ONLY when you made the group all the other networks except the IOT network.
I would have named the group something like ALL BUT IOT. Just me, but I get why you did it, makes it easier because the firewall rules are backwards.
21:49 better name more logical would be: "All Minus IOT-BETTER" or "All Except ...", "All Other" etc
Great video Tim! Easy to follow and under stand. For blocking inter-vlan routing I just use 1 rule ( Rfc1918 to Rfc1918) just condenses the list a bit
As for LAN local this is gateway, you would need to put block rules for your gateway so the other networks ( IoT) can’t hit the firewall interface. Have a great weekend very entertaining :)
Great tip! Thanks for stopping by!
@@TechnoTim You need to pin this comment to the top.
WAN-Local same story, WAN-IN jumps the gateway (I think)
Wouldn't be better to set a DROP default policy for everything ? And then open only what we need when we need. That's what's going on with pfsense. It should be the choice of ubiquiti.
I see you're using LastPass, maybe considering recent news its time to make the switch? Have you thought about doing a video on Bitwarden deployment?
In the IT space here on RUclips, I think Tim is the best teacher. Dude's got skills.
Thank you!
I am fairly new to home networking/Linux and I found this episode to be the ONLY explanation I have understood of VLANs. Thank You. lol
Hi Tim.
Excellent explanation. You may not be an IT guy but your explanations are superb. Keep up the good work and thanks for helping to make difficult tech easier to undersstand.
Hey, there's a terraform provider for unifi ! You can do it all as-code ! It's very handy to avoid the click simulator that is the unifi interface. Once you understand how it works by spending a little time maybe in the UI, you can really get stuff done fast using the tf provider ! I would love a video about that if you get to spend some time with it ! Great videos man keep it up
Hey there.. can you share? (thank you)
@@bcookbsdwebsol comment got removed twice... paultyng/unifi on the terraform registry
Great full explanation Tim! This is becoming more critical specially since working remotely from home and the increase amount of IOT devices at home.
However, I still believe it is not as easy as plug and play yet so reserved to bit more advanced users than my parents for instance.
Thanks spreading knowledge around this hot topic ;)
so you say that it is cheap and than start unifi ;)
cheap means some cheap tplink or openwrt or else not some fancy stuff cmon
Really nice video, very informative. I use pfSense but the concepts are the same. An untagged port passes all the "tagged" traffic that you allow. So you can set the port to allow IoT and IOT Better through but block the other VLAN tags. The other aspect of a "tagged" port, this that the device behind that port doesn't know about VLANs and the switch automatically tags traffic from the port with the VLAN id.
Hi Tim. Excellent video. I also use UDM and I am setting up a similar configuration to isolate IoT devices but I am not sure about the best way to deal with Proxmox. Do you have the VE in a specific VLAN? What about the different VMs? I am running HomeAssistant as a VM and by default it installs in the same VLAN as the VE. How can I get the VM installed in the IoT VLAN? More in general, how can I get to select a specific VLAN in which a given VM will be installed? Hope you can give me some guidance. Cheers
Worth mentioning this is now much, much simpler with Traffic Rules. It can be done in a single rule.
Action: Block
Category: Local Network
Local Network: IOT-Better
Traffic Direction: Traffic from all local networks
Device/Network: All Devices
Schedule: Always
Name: Block IOT-Better to All
You're the hero we don't deserve...
Nowadays it's even easier - just tick "isolate network" at network level, and it's done!
@@Marc42 The same to block Internet access. Tick off 'Allow Internet Access' at network level.
@@Marc42 Then the devices on that network cant talk to each other. This is only good for guest VLAN network
@@mike-oh7pzyes they can, the description has “devices on this network are able to communicate with each other
Ever thought about using terraform to manage it? It's nice to have it in code and I don't like clicking in a UI :)
Never knew there was a terraform provider plug-in for UniFi. There goes my day. 🙂
Yes, I have looked at it a few times! It's in my backlog!
yup, way to go ! I use the tf provider and CI pipelines to push updates to my network and it's been saving me so much time clicking around in the UI
It's odd that Unifi has inter-VLAN routing enabled by default considering that virtual network segmentation is pretty much the primary reason most people set up VLANs in the first place. I can confirm that both Cisco and HP MLS switches have lanbase routing disabled.
On the subject of port assignment, it seems that Unifi takes a space somewhere in the middle of Cisco and HP. By default, Cisco lets any VLAN travel on a Trunk (tagged) port unless specified otherwise, while HP requires you to tag the port for any and all expected VLANS other than Native.
What tool did he use draw and animate his network architecture diagram? Awesome video as usual.
Just setting one of these things up and created an IoT network connected to one port on the UCG Ultra with its own VLAN, everything else is on the default VLAN on a separate switch. I'd like to make a rule to allow all devices on the default network to be able to connect to the ASUS router in access point mode to be able to update it or reboot it without having to connect directly to that access point. Do you think I could figure out how to make a firewall rule which would allow that? Nope. I'm totally new to these Unifi devices, but the firewall section is just plain confusing. Maybe I need to create another VLAN for my trusted network and leave that default network/VLAN basically empty? And how the hell do you make a rule to allow ICMP/Echo/Echo Reply? Sorry, venting.
Greate Tim! What about recording a video to show different vulnerability scan tools? Greenbone, nexsus, Kalilinux and so on... Thanks!
Hey @TechnoTim, I think you should do an update video to this, i just bought my UDM-SE and found your video extremely helpful but i think Ubiquiti Updated the Ability to Isolate Vlans with a checkbox without having to do all the firewall rules & groups manually, i was using my Laptop connected to the WiFi AP turned off my firewall like you did and tried pinging my desktop and it returned lost packets when "Isolate Network" was checked. BTW Love your videos man they are really informative and helpful for someone new to all of this Gear.
You are correct that VLANs are important for home use too. The missfortune is that you are talking about $1000 to $2000 worth of kit with gateways, layer 3 switches, APs etc... There is no simple way to deliver these features. Plus a big increase in power consumption. If a person has a rack at home then they are not home users but IT Professionals or youtubers.
OK I need some help... can you do this... but with a 3rd party gateway (meraki preferred)
Hey Tim
Great video.
I followed it and all worked great by having a Chromecast on my IoT network and my smartphone on my main (trusted) network until i add the firewall rule "blok IoT to All". After adding the rule I can´t see my Chromecast (On IoT) on the list of devices I can cast to on my smartphone.
I have Multicast DNS and IGMP Snooping enabled.
If I pause the firewall rule, the Chromecast return on the list of devices I can cast to.
Do you have any ideer what I am doing wrong?
Sorry for commenting on an "old" video...
I don't like this "ONLY" group you are creating (@16:13). Every time you add a new network, you will have to edit all your ONLY groups to include the new network...this is a ticking time bomb in your setup. There must be a better way 🙂
regarding the "vlan hopping" it isn't that, it's because you have "Multicast DNS" on for the Network. That allows devices to traverse VLANs.
One issue after doing this. Thoughts?
First - Great video! I've been wanting to segregate my IoT network for a long time now, but haven't. I randomly searched and found this yesterday, and it was so well done I decided to learn this morning. Follow step by step, and got it done a few minutes ago. Thank you!
I can see the IoT devices (such as chromecasts) when I pull up the menu to cast from youtube, but if I try to cast to any of them, it just hangs and won't connect. If I move my phone to the IoT network, it works flawlessly. Any idea why this might be?
For reference, my network is super simple. Basically it's all auto configed and using the default settings. The only major change is following this process to put the IoT devices on their own VLAN (101) by restricting the WiFi they use (Pariahs) to the IoT newtork.
Or you can just put the iots on a guest network. That will just handle the firewall for you
Ive been using unifi for almost 3 years and i never used profiles for my firewall rules lol. My firewall rules are a mess lol, i have everything secure but its definitely a mess.
communication between vlans is just inter vlan routing, vlan hopping is an attack that allows the hacker to hop around between different vlans I think
Actually all the trunk are tag port except the native vlan in Cisco, which means it a allow one untag vlan go to trunk; and trunk port are usually between switches and router and sometime also support Pc NIC that support it, for a sample in your window machine if you find the adopters setting that you can specify a VLAN number and then you can connect to an trunk port
Is very useful if you using VM
and all the access port is on untag port, for security and device doesn’t understand VLAN ID
Thanks for this! I made it through the VLAN’s myself and got intimidated by the FW rules. Now I can follow what you have and finish the job!
Literally was working on some VLAN stuff last night, great timing to make sure I have everything buttoned up properly. Thanks!
It blocks in both directions for me!? Don’t get it
Get directed to a VPC and a Virtual Network.
Try to get out of that. :)
Coming in clutch! Just got the UDM Pro! Great vids as always
Can you discuss about disposable containerization
I just got my UDM PRO SE and Tim as usual has perfect timing for the content I need! Wow thanks Tim!
That's OK but ONE suggestion. Best practice in IT security is to block everything and that provide firewall exceptions. First ... You have better CPU performance of your router/firewall gateway, cause you mostly blocking than allowing. Second ... your network is more readable. You showed other side, you saying allow all except bla bla bla which lead to tons of rules especially when you using network in way how you do it. It's more easy and readable to count with one basic rule "block everything" and than add few rules which accept connect than setup tons of rules witch SHOULD block something, cause it's hard to debug if you really blocking everything what you want. Main purpose of firewall is to block. So I agree with what you done, but I suggest to swap it.
I am using OPNsense. But no matter the OS, I wonder if you could provide a screen shot or a text representation of a rule set for an interface as per your ideas above. Thanks!
@@colorxlabs7200 I don't have some easy setup usable for example and for now using routerOS (Mikrotik). But it's like:
1 Accept ALL from Trusted-vlan # exceptions rule placed higher
2 Drop ALL # Drop everything
How do you RDP into a "isolated" IOT network? If i try to ping my now locked down network i dont get a response obv. because its getting dropped. But like now i cant access anything anymore.
Having the same issue - did you figure this out yet?
@@braderunnah2204 yeah i didnt use Firewall rules now. I Opted for traffic rules and then i blacklisted communication between my networks. Works flawlessly and whitelisting stuff also works easy. And with my knowledge its the same thing from a security standpoint.
How do i tag wan port with 2 vlans? 1 taged and 2 untaged?
As someone who's entire network is Ubiquiti equipment, I can honestly say that i hate Ubiquiti lol. Their GUI is not user friendly or logical, and quite often they add more features without fixing pre-existing bugs (I'm pretty sure there are one or two bugs that are going on 5+ years at this point). You can't throttle IPs, only ports (and wifi throttling is separate), so when I wanted to throttle a single computer connected to a non Ubiquiti switch I discovered I could not. A feature that my old $60 router could easy do. So I had to purchase a Ubiquiti switch and replace my netgear switch just to change the port egress and throttle a single computer. Thanks Ubiquiti! I love the consolidated dashboard but after 6 years of dealing with Ubiquiti's crap I don't think it is worth it. I ended up here because I assumed Inter VLAN routing was disabled by default like all other equipment I have setup.
Hey everyone, maybe this was already answered but if not then I apologize. I just got my first UDM Pro and when I create a new network and then assign the new Wi-Fi SSID to the network I just created, my devices will connect to the IoT network for example, but they won't DHCP or get out to the internet. I have ATT fiber and have enabled passthrough and it's still not working. Any guidance would be greatly apprecated!
Is it posiable to have my VMs on proxmox use this on a single NIC on my server?? I have UDM pro and their Layer 2 switch
The logic behind Unifi GUI approach may be superior for WIFI configuration, but for VLAN and firewall issues it is sub-standard. You spend far too long agonising over how to expose a VLAN and individual hosts from that VLAN to other VLANs. If anyone here at Unifi sees this.... Guys finally improve this interface and above all describe it properly, just like the CLI.
So my network setting screen is different from yours...(v 3.1.16) and the only option I have is to create a 'New Virtual Network', I do not have 'Create New Network'. Does that matter? Also have a section just under where you enter the VLAN ID called ISOLATION (There is a checkbox to select "Network"). When I hover of the info circle for Isolation(Network), it tells me, "your guest hotspot profile will automatically be applied to this Guest Network. Connected clients will be isolated from all other internal networks. The restrictions can be modified in your Guest Hotspot Profile". So my question is, Do I need to check "Network"? I do not use a Guest Hotspot and to me, this checkbox should say Guest Network instead of Network. (btw, just under the circle I, it also references for more isolation options, to check out Traffic Rules). Thanks
I am a CCNA and you did a great job.
I have IOT setup on Vlan have checked no communication to standard network. I am confused over your setup maybe its outdated .... VLAN is tied to IOT
disallowing ping means blocking ICMP, what other protocols needs to be blocked when a VLAN getting configured for better security?
Why you enable windows firewall ?
Thanks. Very helpful. Definitely getting my head around all of this more and more. Appreciate your making this video. Cheers!
Hi Tim, I really enjoy your videos because you take your time to explain by providing details. I do have a question for you. It appears that somebody keeps hijacking my Unfi AP Pro and possibly my wifi access. How can I protect myself better my controller is a DMSE but I am new to Networking. Thank you.
The only "Advanced" wifi setting for the IOT network for me is, turning 5 GHz off. Most IOT devices don't work with 5 Ghz or even work better on the 2.4GHz.
What about IOT communicating with your media server. I want my Poweredger to be on a separate vlan from my IOT but still want some of my IOT to communicate with truenas for media
I dont like that Python script running around in the wild that break vlan security....
I rather seg the line physically f*** that and then use routing rules to give access to traverse...
At 10:40 with the trunk port, you're mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
VLANs are a must if you ever work from home. Imagine having your Work laptop on the same network as some data mining iot device from China. Absurd how common that is even amongst IT who should know better
Do you know how to block IOT devices from accessing the udm console? Whenever I try to make a LAN local rule it shows up after the Accounting Defined Network rules so it doesn't seem to work.
Wow I haven't watch ItsMyNaturalColour in a long time. I'll have to lookup his vlan videos after this
Very informative video! What's the difference between your Default and Main networks?
Is it possible to have Ui Protect on a different vlan? When I moved my cameras, protect couldn't see them anymore.
Is it possible to create a VLAN for my unifi protect cameras? I tried doing this but I cannot get the cameras detected inside of Protect.
Thanks, that was helpful. But it stopped just as it was getting interesting. I set up an entertainment network, an iot network and so on. But certain devices need to communicate accross vlan boundries. For instance Home Assistant (now running in iot) needs to access a few devices in other vlans and vice versa. Hope to see a video on this. Thanks!
I would love a spreadsheet of your rule setup. I'm trying to run a similar setup. I got super hung up on trying to do inter vlan blocking without the established and related sessions rule at the top.
The more i look at other firewall the more i believe Pfsnese the is the most simple most clear firewall out there.
I have not seen one, but I think people could benefit from a greenfield video. We have very similar setups and man going from 2 docker boxes, to tearing down my 4 server vmware cluster to building a 3 server harvester cluster has been a journey and now I'm at the "now what" point. The VMUG savings alone pays the power at least :) while I burn brain cycles trying to bone up on what I'm missing. In the homelab tour you talk about the three piholes and I was curious what you meant for the dns vip. What's running the VIP or did I miss that as a pihole feature?
This is great!! I got a new UDM SE and some security cameras. You made this pretty easy. I want to clear up one issue for my setup. I assume devices in your IOT-Better VLAN can do bidirectional communication with external network and services with the rules you defined. Is that correct? If so, I think my situation is the same.
I need my cameras to be able to connect to security operators that get contacted when the camera and their AI host software detect inappropriate activity. If that occurs the security operators come on interactively and starts querying the perps, and as required dispatching the police.
Hello
work for an internet company and I have two isp of the Internet to source / and I need to isolate the Wi-Fi on the first isp /wan 1 of the Internet and isolate the second source( wan2 ) of the Internet for Dream Machine only
THANK YOU for helping me get this setup! I needed it for PCI compliance. Thank you again!!!!
Great vid, Thanks, but I have a longer, more entailed question, can I send you an email question please ?
Aaaah shit... Welp, my Firewall rules page is completely different.
Would like to avoid end users to be able to connect switches to there network outlet. Only one device connected to a port shall be allowed to get connected to the network.
Can this be done in a Unifi switch?
Thanks!
This is awesome....period! I had no idea how to set my Unfi gear up. This video walked me thru step by step. I learned so much along the way. Again, this was top notch! Thank you man. :)
I tried adding a unifi ac long range access point to my network. It shows up in my wifi but won't connect to it. Any ideas?
I made it through 22-minutes then all turned to confusion. "Do this but you could do this and that" always twists my brain into knots.
This video is fantastic. I have a controller and AP's and have been thinking about using a gateway but putting it off for ages. This covers pretty much all the questions I had.
from your video, you have a mgmt default network and a main network that the rest of the home user are on (the main) in the video. so what network will you placedPlex in?
need a vid on how to block IOT devices from being able to ping the console/router
Hello, in which situation could it be useful to apply a rule on the OUT interface ?!?
what about blocking your iot network from accessing your trusted network gateway, and blocking access to network console
@Techno Tim another way is just to dchp over the vlan i use opnsense dchp over vlan and this will allow the firewall to stop traffic from teach to each other much more easy than the way your doing it here tho it does work of course
ps love the channel =3
Did I miss a video on how the rings of the networks are numbered / used? Would be interested in a useful strategy if there's one to be shared.
Awesome tutorial that helpt me BIGTIME so thank you !
Great info and explanation, liked and subbed, appreciate the hard work you put into these.
Any pointers on sharing a wireless printer across multiple VLANs setup using this process?
I have been having massive issues with my udm idk what the hell was going on but i decided to create some vlans to get some more control on whatever is going on. Changed all ports and added rules. Now things are working like they should. Big thanks for taking the time to go through how to set things up. much appreciated. for days my network was sometimes working off and on. This was a huge help. thanks.
Would be nice to see how to create VLANs with OPNSense and Omada lol.
For the life of me I just can't get this firewall rule to work. Even copying everything exactly step by step here. If the rule is enabled, I can suddenly no longer ping or ssh into anything on the IOT network or out. It's like it's blocking things both ways. Pause the rule and viola, suddenly it works but it works both ways. Wonder if something has changed perhaps? Doesn't look like it.
This requires a rule to allow established and related. You can actually see them in his video as first rules in Internet In and Lan In (check 23:22), but Tim does not mention ever. Maybe he forgot about it when making this video because he has many other rules, and maybe was just using his existing production system that had this already. I just started using UDM coming from pfSense so I am learning also but I ran into this problem and had to figure it out... just add a rule in Lan In, Name it something like "Allow Established and Related to any", Accept in Action, Make sure before predifned is checked, and sure source and destination is any, any. Advanced: Manual, check Match State Established and Related. Then drag it to very top of all other rules. This makes it so the other VLAN talks back over established/related ie. pings or other requests from you etc. I also do this for IPSec and you would place a similar rule in Internet In.
jesus this is cumbersome