วีดีโอ

Love watching your videos, love these series. Is there any chance you can cover off Site magic (site-to-site VPN), or API? I have just seen these new options when logging in to my Unifi today :) (Or has these two things been there all this time and I've never seen it). To note, I don't have a second gateway, so I cannot test this. I assume it would be very simple to setup the site-to-site VPN, being very user friendly.

Multicast👍

Here's the thing, you can get Synology DVA 1622 with 8 licenses for 599, and when you got four cameras with the Synology Nas for 450, you only have to buy two licenses. I got a 1522 plus used for 500 1622 used for 420. The DVA 1622 is limited but allowed me to use my previous cameras and I got AI cameras 5mp 20 FPS pretty much to max out the nas surveillance capabilities, for 50 bucks a piece. UniFi cameras are not twice as expensive as equivalent quality cameras from other brands. They are four times as expensive. I think both systems can be good and I'm still learning about surveillance station, but without hard drives, with my setup, I will have about a 60 TB Nas that can do tons of things unify cannot do and a 36 tb back up nas, and I could theoretically be running 10 good cameras at 50 bucks a pop. I think your price comparisons are inaccurate and unify will be roughly twice the price of Synology with very mediocre cameras unless you want to spend 500 bucks a piece for the new AI ones.

You rock!! I cant believe Unifi does not just move this feature into production. This worked for me and now my security onion is going off the charts lol

Why is an ACL working on networks that are routing to the firewall? ACL cross vlan should be ignored when networks are set to route to firewall, like your first example.

How does the view look from the mobile app? Does it show it as 1 site ? Or do users have to switch between sites to see all recordings ?

Hi, great Video! One thought: Wifi Client Isolation can be set for a whole WIFI network. Is this implemented differently?

I appreciate the amount of detail and the real step by step methods that you share on how you get to the 'under the hood' inner workings on how these poorly documented unifi features are implemented. I am constantly pausing your uploads, especially when you pop onto the unifi switches via ssh and run a variety of arcane cli commands (sometimes after telnetting into the same switch? why? no idea) or run Wireshark and monitor the packets with filters that I haven't even started to learn and then... describe the results they provide from your well thought out empirically designed tests.. simple joy and applause believe it or not.. on my side that is. Please, consider enlarging or highlighting your mouse cursor when using it on your network diagrams and monitor screens. Many times you will refer to 'this port' and 'this switch' or 'the checkbox' setting while I assume you're wiggling the mouse cursor at the relevant part of interest, but the viewer (me at least) has a problem seeing it as its a tiny few pixels either on a 13" or 55" monitor. Please keep rolling these out as you sure are an excellent 'sleeves rolled up' engineer, detective, and instructor for us nerdy nerds.

Such a great video. Answered so many questions. So it appears the only benefit is the single UI and ability to view all cameras on one screen. As you say, disappointing!

how i do ospf for 60ghz antenna and 5ghz as a backup using ospf?

Have you tested the new fast leave function? I’m seeing an issue. If I’m running multiple receivers and one leaves the others stall for a second every time a receiver leaves. This is especially worse when I have multiple streams and a receiver changes from one stream to another.

Do you have a video on setting up Vlans on a L3 switch unifi gateway and any static routing and other settings that needs to occur? Im also wondering what limitations I will have with one L3 switch but also a L2 aggregation switch upstream.

That second to last line, PERFECT! Great video.

Super great timing for me- on multicast filtering setting should all of your networks EXCEPT the network that you need multicast OR opposite do you turn multicast filtering on for only the network in which you have multicast devices? I just know sometimes the names of features don’t actually mean what they imply. Sometimes actually opposite of the name

Thank you for sharing this insightful video. How would one approach this if the NAS is being used primarily for file storage and they wish to utilize the unused second port to create these macvlan networks? Additionally, does the user need to connect an Ethernet cable from port 2 of the NAS to the UDM router-gateway/switch? Currently, I have Pi-hole set up on one VLAN (Secure), which is configured with firewall rules, and the Pihole interface is allowed from all origins. Ideally, I’d like to adopt your approach to create a more secure environment. Thanks!

Good video very informative and well presented. I understood the concept and application easily. 🙏

really great work 👏

Hi, I've been following your channel for a while now. Could you please create more videos about UniFi Protect and a detailed breakdown of its features? It would be really helpful for improving my home network.

Are you using the native macOS Screen Share app to display your other macOS desktops? If you are not, what VNC client and server are you using? Thank you.

Great video, thanks for taking the time to benefit us.

looking awesome

Geez, that is a great collection of tools 🔥

question, you servers and clients, are they on the same subnet.... implying no routing needed from the pfSense... looking at your first diagram, it looks like you aggregated 4 x ? ports between switch and pfSense host, what would be the impact if say that link is 10GbE, and you need to do inter vLan routing... does the traffic move via the pfSense or does only manage/allow the movement via FW rules... building similar, but at a slower, speed. I have a USW Pro aggregate and a USW 8port Aggregation.

How you use all the mac mini together?, I am curious, really good machines you have

You are not only tech savvy, but also super Handy. And you have even more variety of equipment than a professional contractor...

Slick! I liked cookies better ;) Soon you will need to make a rack for the Mac Minier heh

Hello, the Rack is for Desktop or who is the Place of this. I Thing this is a Good Idee for not Buy and when you love woodwork its nice.

What website were you using @8:01 ?

Do IPV4 rules only apply or allow creation with networks that have the switch set as router - or can you apply an ACL IPV4 rule to 2 networks that are "created" on the firewall, have the unifi gateway set as router....meaning inter-vlan traffic between the two is sent to the UDM. I want to intercept this with some ACL allow rules. For instance, I want to create and separate all VLANS via the UDM but then use ACL IPV4 ACL rules to "ALLOW" traffic between 10GB clients on different vlans to avoid the UDM lousy inter-vlan throughput. I have 10GB servers and 10GB clients that must stay in separate vlans but I want their traffic to each other to remain at the switch level to saturate that 10GB link. ACL allow rules was my idea on how to achieve this. Would this work as ACL takes precedence over FW rule when the devices are connected to L3 switch? Or will it ignore ACL rule because the networks have UDM set as gateway? Alternatively I could create all VLANS on the switch, use ACL isolation rules or ACL block IPV4 rules to separate them and then all traffic is passed at line speed/switch level. I feel I may be missing out on some needed future firewalls rules if I do it this way.

hello, I just tried with installing pihole in lxc but when multiple nics are attached pihole takes 5 minutes or more to start, is it a normal behavior or I missed something?

Some other differences... - Traffic Rules Region drops will appear in Insights > Flows, but there is currently no logging of Country Restrictions. - using Allow in General Country Restrictions will automatically block all other traffic. - using Allow in Traffic Rules does not automatically block all other traffic, you would need a separate drop rule.

Forgive me I'm not very experienced in network. But for a simple home setup with say 4-5 Vlans a NAS, a server or 2 and just a bunch of clients mostly needing internet connectivity what is the case to have any networks on the router except for the default or management network for your appliances and server IMPI etc...wouldn't you want to have most everything you could created on the L3 switch to avoid that traffic ever routing to the gateway/FW just to be sent back down the stack? Furthermore for this video wouldn't it just be wise to use IPV4 ACLs if you want one way or directional separation for VLAN seeing as how the L3 isolation is both directions? I don't understand the need for the L3 isolation option unless its just there for people who may not understand how to create IPV4 ACL?

Can we achieve true Layer 3 routing then by creating our networks with the switch as gateway...using L3 network isolation....then using IPV4 ACLs to ALLOW certain VLANS to communicate with each other? Would the latter override the former? Because the L3 network isolation ACL unfortunately is both ways and the IPV4 ACL have source and destination. So would this keep inter-vlan traffic on the L3 switch instead of routing to firewall and back? Am I making sense? This is all because the L3 isolation cant be provisioned with a specific direction, that would make L3 routing finally possible? I purchased a unifi L3 switch a year ago and found out quick it doesn't have any L3 functions so I've been waiting for this to take inter-vlan traffic away from the firewall. I did just change from Pfsense to unify gateway hoping that would make it possible but I'm still unsure. Some things in unifi are great and other things they try to re-invent just making it more confusing than needs to be. I think so many of us already have vlan separation for secure/guest/IOT but want the inter-vlan traffic to be routed at the switch level for the speed and also weight off the FW cpu. I keep all my VLANS isolated from each other except one. My secure VLAN can reach any network but not BOTH ways of course. I'm frustrated lol. Great videos with such great examples as always. I keep coming to you for help before anyone else. you should teach!

By far best explanation about all this. I legit have been looking for days to explain all of this and I think you are the only source even 5+ months later... Good job and you have a new sub. If you are looking for new video ideas. Unifi now lets you add Stamps to DNS Shield. I would be very interested in learning how to create custom stamps within CloudFlare Zero Trust while also doing ad filtering. I have succesfully created my own CloudFlare Zero Trust free account and created my own stamp, but not sure how to add any type of filtering.

Thanks a lot! Are those settings still safe with regard to the Blast-RADIUS attack? Or do we need to configure things differently (e.g. requiring the message authenticator attribute)?

What I did is create unique querier IP addresses for each switch in each VLAN where I have IGMP enabled and want a querier. 192.168.10.0/24 has querier IPs of 192.168.10.5 and 192.168.10.225 192.168.20.0/24 has querier IPs of 192.168.20.5 and 192.168.20.225 192.168.50.0/24 has querier IPs of 192.168.50.5 and 192.168.50.225 ... my management IPs are in 192.168.5.0/24 and aren't defined as querier IPs. To keep things simple, I used the last octet of the management IPs, but obviously changed the subnet. Agg8 show ip igmp snooping querier VID | State | Status | Version | Querier IP | Elected IP ------+----------+-------------+---------+-----------------+----------------- 1 | Disabled | Non-Querier | No | --------- | --------- 5 | Disabled | Non-Querier | No | --------- | --------- 10 | Enabled | Non-Querier | v2 | 192.168.10.225 | 192.168.10.5 20 | Enabled | Non-Querier | v2 | 192.168.20.225 | 192.168.20.5 30 | Disabled | Non-Querier | No | --------- | --------- 50 | Enabled | Non-Querier | v2 | 192.168.50.225 | 192.168.50.5 200 | Disabled | Non-Querier | No | --------- | --------- 666 | Disabled | Non-Querier | No | --------- | --------- 999 | Disabled | Non-Querier | No | --------- | --------- Pro24 show igmpsnooping querier detail Last Querier VLAN ID Address IGMP Version ------- ---------------- ------------ Global IGMP Snooping querier status ----------------------------------- IGMP Snooping Querier Mode..................... Enable Querier Address................................ 0.0.0.0 IGMP Version................................... 2 Querier Query Interval......................... 60 Querier Expiry Interval........................ 125 VLAN 10 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier VLAN Mode................ Enable Querier Election Participate Mode.............. Disable Querier VLAN Address........................... 192.168.10.5 Operational State.............................. Querier Operational version............................ 2 Operational Max Resp Time...................... 10 VLAN 20 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier VLAN Mode................ Enable Querier Election Participate Mode.............. Disable Querier VLAN Address........................... 192.168.20.5 Operational State.............................. Querier Operational version............................ 2 Operational Max Resp Time...................... 10 VLAN 50 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier VLAN Mode................ Enable Querier Election Participate Mode.............. Disable Querier VLAN Address........................... 192.168.50.5 Operational State.............................. Querier Operational version............................ 2 Operational Max Resp Time...................... 10

是不是因为两个ap信号重叠区域的信号强度都低于你设置的67db，所以设备会在两个ap之间反复连接呢？

I checked the "Isolate Network" and Im still able to ping other Networks... Any fix to this?

Thanks for the video, helped a done. My other question is how you could accomplish the same for IPv6 DNS requests? This rule doesn't appear to capture that traffic.

Excellent video. Just ordered my u7 pro max. Time to test out 6ghz before it starts getting stomped on.

Finally a good video that does a deep dive on Ubiquiti! Thank you sir!

Hello I hope you can help me out. I have implemented all this in exactly the same way, but when I inspect with wireshark I notice that during the TLSv1.3 handshake the SNI is completely leaked. Any idea why that can be?

Great video as always. Couple of quick questions: 1 - Which release of switch FW were you running ? If not EA have you tried that ? 2 - Would you generally recommend multicast filtering / IGMP snooping being enabled for surveillance VLANs (Cameras + NVR) as opposed to just media networks (AirPlay etc) ? Thanks

Thank you!

This is the best guy on the Internet on Unifi software, he really goes in detail on any Unifi option. I don't think that even unifi guys know more than him :). Thanks for the video.

Thanks!

Thanks for making my suggestion :D <3

This and your whole channel is very underrated! Thank you for the very detailed information. Keep the good work up!

Hi there, super nice content ive been a unifi consumer for the las few years, but right now with all this mayor upgrades that they have done, im in need of some consulting and brainstorming for an specific scenario that i acquired with EOL switches need to be upgraded and a fortinet routing environment. looking foward to replace it all with unifi, so any advice or idea exchange will be very helpful.

Awesome video, do I need to change settings to my access point in order to benefit from this configuration?