Secure IoT Network Configuration

  • Published 23 Jan 2025

Comments • 446

  • @tobyport5873
    @tobyport5873 4 years ago +16

    For those who have issues casting from the Private to the IoT network with Chromecast - you need one more rule. Add to the IoT Local ruleset: allow UDP, destination port 5353 (mDNS). [Match the allow IoT DNS rule, just using port 5353.] You're welcome.

  • @Big_Johngus
    @Big_Johngus 5 years ago +37

    I can't thank you enough for all your super simple but thorough explanations of all the concepts that you teach. You are an absolute legend!

  • @joshmoore1292
    @joshmoore1292 1 year ago +1

    I just started to set up my 1st IoT network today. Literally. Then, I stumbled on this video.
    Absolute gamechanger.
    You sir, are a gentleman and a scholar!

  • @patsjoholm
    @patsjoholm 5 years ago +4

    MQTT is used to broadcast JSON (or similar, i.e. YAML) requests. On IoT devices, this normally tells an MQTT server the status of that device (i.e. on or off, or temperature/humidity). It can also be used to turn the device on or off, of course, via 2-way communication. It is highly efficient, as the packets are tiny, and is widely used in the Home Assistant environment, for example.
    P.S. Nice video. I am obviously here, as my weekend project, coming up, is to move onto a new router, switch, and AP, and implement VLANs for my IoT devices. Thanks for the share!

  • @lightrecordsentertainment9720
    @lightrecordsentertainment9720 5 years ago +181

    can you make a video or a article on your website for the USG? so we can follow along with the USG

    • @CodeMonkeX
      @CodeMonkeX 5 years ago +36

      I agree. It seems people with an EdgeRouter are already more experienced, so it would have been a better idea to demo this on a USG and then let the EdgeRouter folks fill in the blanks.

    • @epremsoft
      @epremsoft 5 years ago +13

      I totally agree!

    • @CrosstalkSolutions
      @CrosstalkSolutions 5 years ago +69

      Maybe - but it would take a lot more setup on my side. I don't use a USG internally. Keep in mind though that it's *almost* the same...you just have to do Corporate LAN instead of VLAN-only when creating the IoT network in UniFi...and then just add the same firewall rules in UniFi instead of the EdgeRouter.

    • @madrian_hello
      @madrian_hello 5 years ago +13

      Agreed. I have full Unifi ecosystem.

    • @muflon2002
      @muflon2002 5 years ago +4

      +1

  • @garygrobard4095
    @garygrobard4095 5 years ago +8

    Stuff to think about:
    1. Remove/blackhole VLAN1
    2. Add new default VLAN to replace VLAN1
    3. Add a management VLAN
    4a. DNS reflection rule. I use this to redirect all external DNS requests from internal clients to my DNS server from any incorrectly configured client. (I do this for NTP as well as some devices don't accept the DHCP NTP option).
    4b. DNS block internal clients from using external DNS services. I've been thinking/working on blocking internal clients from using DNS over HTTPS and/or TLS.....
    4c. Move internal DNS server to HTTPS or TLS
    Going down a rabbit hole. Stopping now.
    Keep up the good work. You not only need to have a grasp of the tech, but also the charisma to present it. Well done!

    • @CrosstalkSolutions
      @CrosstalkSolutions 5 years ago

      Good feedback - thanks!

    • @pauldean9671
      @pauldean9671 5 years ago +4

      Restricting access to external DNS servers is a good idea.
      How do you plan to block DNS over Https/TLS? I think it’s built into the browser so how would you be able to detect the DNS request? I’d like to do this also.

  • @kalbachekal
    @kalbachekal 5 years ago +52

    Hi Chris
    Please make a video for IoT devices again with USG router.
    From London with love

    • @ppi57
      @ppi57 4 years ago +8

      Yes please

  • @phoenix112308
    @phoenix112308 1 year ago

    Your videos are great ! Straightforward and to the point while being clear and conveying information in a way that anyone can understand. LOVE your channel !

  • @KeyJayHD
    @KeyJayHD 5 years ago

    Excellent video dude! I just joined the Ubiquiti family with two Pro APs and an EdgeRouter 4. I'll still be using my Netgear GS724T switch for the time being, but we also just put in a new security system and I'll soon be spinning up a Blue Iris camera system. I also have a media server on the network. I'm going to try and replicate this for my camera system. Essentially, I may create a total of 4 VLANs, one of which will be for cams and another for my existing SmartThings IoT network. I'm still pretty new to this level of control (I mean my old router did allow me to SSH into it and make a few changes), but I have high hopes. I'm liking the Ubiquiti platform thus far (just started literally yesterday) and will start digging in deeper today as soon as my new router comes in.
    Thanks again for these detailed quality videos; it's really helping me get off my feet with this.

  • @M4l3k0
    @M4l3k0 4 years ago +7

    Finally picked up a managed switch to implement this and worked a dream! Thank you for such good videos explaining everything and making it straight forward.
    I came across one snag. I enabled mDNS but still couldn't see any Google Devices - other IOT devices worked and I could control etc. I found that adding a third rule to the IOT_LOCAL to accept port 5353 on UDP fixed the issue. Hopefully this was the right thing to do!

    • @crpledger
      @crpledger 4 years ago

      Thanks for the tip! Android devices found my Chromecasts fine but Apple ones didn't until I added the extra rule.

    • @AnotherInternetRando
      @AnotherInternetRando 4 years ago

      Thank you! This solved my issue with not being able to see Chromecasts in my IoT network on my trusted LAN. After doing lots of troubleshooting and config tweaks, this is the change that finally resolved it for me.

    • @mikecullen1181
      @mikecullen1181 4 years ago

      You rock. This allowed my private LAN to talk to devices on my IDIoT LAN using the Apple Home app. What I'm not able to do is connect to these devices when I am outside the network, i.e. on LTE. Do you think that needs a similar 5353 entry on WAN_LOCAL?

    • @juanmanuelius
      @juanmanuelius 4 years ago

      Thanks for the tip!

  • @kycsip3066
    @kycsip3066 4 years ago +4

    This is really great stuff. I have a UDMpro and I'm trying to setup a secure iot network, this is almost exactly what I need. I only say almost because I know next to nothing about networks so I'm making educated guesses as to how the edge router configuration translates to the UDM. It would be extra awesome to have this same video remade with the new unifi interface.

    • @6Wojcieech
      @6Wojcieech 3 years ago

      I think the interest in such material would be very high.

    • @CoFRHeLLsFuRy
      @CoFRHeLLsFuRy 3 years ago

      Agreed. A new video with all Unifi hardware would be awesome. Get why it wouldn't be a priority but sure would be nice.

  • @theXchange
    @theXchange 3 months ago

    My config got wiped. I knew exactly where to come to get things set back up. Thanks again, Chris!!

  • @ulkesh78
    @ulkesh78 5 years ago +2

    This is one of the best guides to this setup I've found. Excellent info and great presentation man!

  • @AlexJustesen
    @AlexJustesen 5 years ago +53

    Perfect IoT ssid... perfect

  • @zeeshanh8360
    @zeeshanh8360 5 years ago +4

    I hit like on this even before watching as this is something everybody should do - at least anyone with IoT devices.
    Before I made my first IoT purchase (t-stat & lights) I made sure to setup a separate SSID, vLAN & routing/firewall rules. This was early on & the devices used were not ideal, but I committed to not getting any IoT devices until this was at least somewhat segregated from my main LAN.
    I strongly recommend to any/everybody to setup vLAN or even subnet to isolate traffic (something's better than nothing).
    PS - SSID is excellent! Also like the 107.

  • @Ben-ld5lt
    @Ben-ld5lt 3 years ago

    Very well explained!
    I followed this comprehensive video today and set up an IoT network for my TP-Link smart plugs.
    Thank you Chris.

  • @independentRestorationServices
    @independentRestorationServices 5 years ago +2

    Thanks for this! It's such a pain trying to search 20 places; having all of this put together is super convenient.

  • @packetguy42
    @packetguy42 5 years ago +17

    This is a nice first cut for improving IoT security, but you should really have separate VLANs for each unique type of IoT device or you'll be vulnerable to lateral attacks within the IoT domain: e.g., access control on one VLAN, video surveillance on another, home automation on a third, entertainment on a fourth, etc. For WiFi, put each device on a separate WLAN group, and use hidden SSIDs to eliminate unnecessary beaconing polluting WiFi spectrum, and then associate those WLANs with the corresponding IoT VLANs. Now you can control all communication between IoT realms and between IoT, the protected LAN, and the Internet.
    This last control is often overlooked: always filter Internet traffic from each IoT device to only permit addressing the public IPs they actually need, rather than the entire Internet. You can discover which destinations and protocols these are by initially denying all Internet traffic and checking the firewall logs to see what is getting denied.
    This is the standard for enterprise IoT security, as implemented by Cisco, Juniper, etc., and is also the approach used going forward in automobile and aircraft IoT networks. An interesting article on IoT enterprise deployment is www.networkworld.com/article/3213868/3-real-world-examples-of-iot-rolled-out-in-the-enterprise.html
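One way to do the log-driven discovery the comment above describes, as an added example that is not code from the video or from Crosstalk Solutions: it parses EdgeOS firewall log lines (the `[<ruleset>-<rule>-<A|D|R>]` prefix followed by the kernel's key=value fields), tallies the flows a default-drop rule rejected, and renders candidate `set firewall name ...` allow rules. The log lines, the ruleset name IDIoT_IN, the interface eth1.107 and every address are constructed for the example.

```python
"""Added example, not from the video or Crosstalk Solutions: mine EdgeOS firewall
log lines for flows a default-drop rule rejected and turn each distinct
(source, protocol, destination, port) tuple into a candidate EdgeOS allow rule.
The log lines, ruleset name, interface and addresses below are constructed."""
import re
from collections import Counter

# EdgeOS prefixes each logged packet with [<ruleset>-<rule>-<A|D|R>], followed by the
# kernel's key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).
PREFIX_RE = re.compile(r"\[(?P<ruleset>[^\]]+)-(?P<rule>[^-\]]+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: three dropped Internet-bound flows from VLAN 107, one
# accepted DNS query to an assumed Pi-hole, and one unrelated WAN_LOCAL drop.
SAMPLE_LOG = """\
Mar  3 21:14:07 er4 kernel: [IDIoT_IN-default-D]IN=eth1.107 OUT=eth0 MAC=aa:bb SRC=10.0.107.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11 DF PROTO=TCP SPT=45120 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 21:14:09 er4 kernel: [IDIoT_IN-default-D]IN=eth1.107 OUT=eth0 MAC=aa:bb SRC=10.0.107.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12 DF PROTO=TCP SPT=45121 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 21:14:30 er4 kernel: [IDIoT_IN-default-D]IN=eth1.107 OUT=eth0 MAC=aa:bb SRC=10.0.107.20 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=13 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 21:15:02 er4 kernel: [IDIoT_IN-default-D]IN=eth1.107 OUT=eth0 MAC=aa:bb SRC=10.0.107.31 DST=203.0.113.55 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14 DF PROTO=TCP SPT=50001 DPT=8883 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 21:15:10 er4 kernel: [IDIoT_IN-10-A]IN=eth1.107 OUT=eth0 MAC=aa:bb SRC=10.0.107.31 DST=10.0.1.53 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=15 DF PROTO=UDP SPT=40000 DPT=53 LEN=50
Mar  3 21:15:12 er4 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=16 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def denied_flows(lines, ruleset):
    """Count (src, proto, dst, dport) tuples that the given ruleset dropped or rejected."""
    flows = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["ruleset"] != ruleset or rec["action"] not in ("D", "R"):
            continue
        flows[(rec["SRC"], rec["PROTO"].lower(), rec["DST"], rec.get("DPT", "any"))] += 1
    return flows


def render_allow_rules(flows, ruleset, start=100):
    """Emit EdgeOS 'set firewall name ...' commands, one numbered rule per distinct flow.
    The rules sit before the ruleset's default-action, so numbering only has to be unique."""
    cmds = []
    for n, ((src, proto, dst, dport), count) in enumerate(sorted(flows.items()), start):
        base = f"set firewall name {ruleset} rule {n}"
        cmds += [
            f"{base} description 'seen {count}x in log'",
            f"{base} action accept",
            f"{base} protocol {proto}",
            f"{base} source address {src}",
            f"{base} destination address {dst}",
        ]
        if dport != "any":
            cmds.append(f"{base} destination port {dport}")
    return cmds


if __name__ == "__main__":
    flows = denied_flows(SAMPLE_LOG.splitlines(), "IDIoT_IN")
    for flow, count in sorted(flows.items()):
        print(f"{count:4d}  {flow}")
    print("\n".join(render_allow_rules(flows, "IDIoT_IN")))
```

Feed it the output of `show log` (or /var/log/messages) after leaving `log enable` on the drop rule for a few days. The addresses it produces are only as stable as the cloud service behind them: CDN and anycast addresses rotate, so treat the output as a starting point, collect related destinations into an address-group, and re-run it once the device has been through a firmware update or two.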

  • @mattproto5486
    @mattproto5486 4 years ago +1

    Love to see this video updated for the UDM-Pro. Could you do this for both a main network and guest network setup (showing all three separate but showing the guest or main networks being able to access AirPlay, Chromecast, etc.)? I want to be able to access all networks from the main network, but have my IoT be separated off.

  • @zeddyorg
    @zeddyorg 5 years ago +29

    It would be good if you could show people how to handle devices like Philips Hue, Sonos etc. that need an IGMP proxy. I never got this working on my USG.

    • @ChipLinck
      @ChipLinck 5 years ago +4

      I didn't set up a proxy and Hue works just fine for me. I put all of my IoT on a separate VLAN, and my firewall rules completely separate it from my other 3 VLANs. I control the Hue lights either through my Echo devices, IFTTT applets, or my phone app, which connects through the cloud rather than on the same network. Having said that, my Hue bridge was already set up before I created the IoT VLAN. This setup works for all of my devices except the Harmony hub. In that case I only need it to see my phone if I want to make changes, since I use a Harmony remote rather than the phone app to control my media devices with the hub. I'm using a USG.

    • @chrisdvorak8180
      @chrisdvorak8180 5 years ago +3

      I'd also add the Samsung SmartView app to this list to help with. I just started testing an IoT VLAN network. My Samsung Smart TV (8 series) is hard wired to my UniFi switch, so I changed the port on the switch to be connected to this VLAN network. This worked to assign an IP within the range of the VLAN. My problem now is that the app on my phone, in my primary LAN network, can not connect to the TV. It can see it, but not connect. I have tried a bunch of different firewall rules based on your video, but have yet to be successful. Would also +1 doing this same video with a full UniFi system. Love your videos though!

    • @ppi57
      @ppi57 4 years ago

      Yes please

    • @TimCancila
      @TimCancila 4 years ago

      I was able to get Sonos talking from my secure IoT network to my LAN by following the steps from this post community.ui.com/questions/Yet-another-Unifi-and-Sonos-post/933bc98e-55b7-426a-a58b-8a4c6dc03f24#answer/1772e10a-e4b4-450b-a577-8bbbbfa39517

  • @H3ath3n_OG
    @H3ath3n_OG 2 years ago

    This is a great tutorial. I used it to build my IoT network about 3 years ago, shortly after you posted it. I finally wised up and built a Pi-hole on an old PC since I can't find a Raspberry Pi anywhere for reasonable. I came back to this video to see what I was missing on my firewall. The rules you have fixed me right up. Your Pi-hole video was really helpful as well.
    At the end of this video you talk about other firewall rules that could be setup. Any chance you have a blog or video talking about those other rules?
    Example blocking DHCP for anything other than the pihole.

  • @brooksdbetts
    @brooksdbetts 5 years ago

    Great video...been thinking of doing this at my house but just did not want to invest the time to research the firewall rules I needed. This is a great guide which gives me NO excuses now! ;)

  • @HaouasLeDocteur
    @HaouasLeDocteur 3 years ago +1

    It is necessary to add an ‘allow’ rule for address 224.0.0.251 and UDP port 5353 in IDIoT_LOCAL otherwise mDNS will not work (devices inside the IoT VLAN will not be able to broadcast). This gave me problems with Homekit accessories being unresponsive without adding this rule.
    Homekit accessories will also fail to set up with these rules and I’m still trying to figure out how to overcome this.

  • @craigcoffman69
    @craigcoffman69 3 years ago

    Solid information Thank You! Answered a LOT of questions but....
    Now I have just as many new questions!!!

  • @shadez7650
    @shadez7650 5 years ago

    Outstanding video. You make things very clear even for people who aren't the best or that knowledgeable to do this stuff.

  • @sinterklaashoekschewaard
    @sinterklaashoekschewaard 3 years ago +2

    Great tutorial! Exactly what I was looking for. The only thing I had to do in addition to this tutorial was to allow UDP port 5353 in the IOT_local firewall rules. This made my Chromecasts visible again in my main LAN. Just mDNS did not do the trick for me.

  • @AlanW
    @AlanW 4 years ago

    Haven't finished watching yet, but let me say I love the names you gave things.

  • @KennyL89
    @KennyL89 2 months ago

    Late to this channel but you're amazing dude.

  • @vindelon
    @vindelon 4 years ago +2

    What about UDP5353 ? As you created a mDNS repeater, should it be also allowed ?

    • @HajAtkins
      @HajAtkins 4 years ago

      100% yes - allow UDP5353 on the LOCAL rule. Without this, devices on the secure LAN will not be able to interact with Chromecast in the IoT network.

  • @ivanstefko
    @ivanstefko 4 years ago +1

    Hi Chris,
    how did you associate the IDIoT network with the IoT SSID? Is it done automatically by setting the VLAN ID?
    Another thing is why is it necessary to create a new network for IoT? Is it not enough to use the default one? I'm able to obtain the correct IP for VLAN 107 if I have the correct setup on the EdgeRouter and EdgeSwitch for that VLAN (without any other network on the UAP).

  • @jjrican72
    @jjrican72 4 years ago +5

    Hi Chris, Do you have a tutorial on how you setup the Pi-Hole you mention on your "Secure IoT Network Configuration" video?

  • @notguiltystyle
    @notguiltystyle 4 years ago +1

    Thanks, works great for wireless devices. How would I allocate one of the EdgeRouter ports for wired devices?

  • @gbye007
    @gbye007 4 years ago +1

    This is a bit confusing when you are mixing the Edge Router OS with the Unifi OS. Could you do the same thing for a UDM/UDM Pro? For instance, do I need to block all IoT traffic from LAN Local? At the moment I can still ping 192.168.1.1. Do I need a rule to allow time server requests on port 123 for IoT network?

  • @Akbar_Friendly_in_Cherno
    @Akbar_Friendly_in_Cherno 5 years ago +12

    Chris, I thought that "Local" was traffic destined for the router itself. (router services etc) You are saying here that it's on the VLAN itself. And inter-VLAN. Can you elaborate on this please?

    • @MarkFern90
      @MarkFern90 4 years ago

      That's my understanding as well. Was about to comment that and saw your post. Any intra-VLAN communication wouldn't necessarily hit the firewall (i.e. it could just be directed by the switch), so firewall rules wouldn't apply. I'm no expert but I've used the local rule only to limit access to the management interface to the router itself from the unsecure network.
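The distinction raised in this thread, shown as an added example (not code from the video or from Crosstalk Solutions): a small Python model of how EdgeOS, which is iptables underneath, sends a packet arriving on the IoT VLAN either to that interface's `local` ruleset (INPUT: packets addressed to the router itself, including DHCP broadcasts and multicast groups a daemon on the router has joined, such as 224.0.0.251 for the mdns-repeater) or to its `in` ruleset (FORWARD: everything routed on to another VLAN or the Internet), and then walks the rules first-match-wins. It shows why the UDP 5353 rule several comments add has to live in IDIoT_LOCAL rather than IDIoT_IN, and how a "DNS only to the Pi-hole" rule fits in the `in` ruleset. All addresses, the Pi-hole address, rule numbers and rule contents are assumptions made for the example, not the video's configuration.

```python
"""Added example, not code from the video or Crosstalk Solutions: a minimal model of
how EdgeOS (iptables underneath) picks an interface's "in" or "local" ruleset for a
packet arriving on the IoT VLAN and then walks the rules, first match wins.
Addresses, the Pi-hole address, rule numbers and rule contents are assumptions."""
import ipaddress
from dataclasses import dataclass

ROUTER_ADDRS = {"10.0.107.1", "10.0.1.1"}        # assumed router addresses (IoT VLAN 107, secure LAN)
PRIVATE_NETS = ("10.0.1.0/24", "10.0.107.0/24")  # assumed "private networks" address group
PIHOLE = "10.0.1.53"                             # assumed Pi-hole on the secure LAN
MDNS_GROUP, BROADCAST = "224.0.0.251", "255.255.255.255"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" | "udp" | "icmp"
    dport: int = 0
    state: str = "new"    # conntrack state: "new" | "established" | "related"


@dataclass
class Rule:
    number: int
    action: str           # "accept" | "drop"
    desc: str
    protos: tuple = ()    # empty = any protocol
    states: tuple = ()    # empty = any state
    dports: tuple = ()    # empty = any destination port
    dst_nets: tuple = ()  # empty = any destination network
    dst_is: str = ""      # if set, match only this destination address


def chain_for(pkt: Packet) -> str:
    """Packets addressed to the router itself (its own addresses, the DHCP broadcast,
    and multicast groups a local daemon has joined, such as 224.0.0.251 for the
    mdns-repeater) go to INPUT, the EdgeOS "local" ruleset. Everything else is
    forwarded to another network and is evaluated by the "in" ruleset."""
    if pkt.dst in ROUTER_ADDRS or pkt.dst in (MDNS_GROUP, BROADCAST):
        return "local"
    return "in"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.dst_nets and not any(ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(n)
                                 for n in rule.dst_nets):
        return False
    if rule.dst_is and pkt.dst != rule.dst_is:
        return False
    return True


def evaluate(rules, default_action: str, pkt: Packet):
    """First matching rule wins, as in iptables; otherwise the ruleset's default-action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, f"rule {rule.number}: {rule.desc}"
    return default_action, "default-action"


# Forwarded traffic from the IoT VLAN ("in" ruleset, default-action accept = Internet allowed).
IDIOT_IN = [
    Rule(10, "accept", "allow established/related", states=("established", "related")),
    Rule(20, "accept", "allow DNS to the Pi-hole", protos=("udp", "tcp"), dports=(53,), dst_is=PIHOLE),
    Rule(30, "drop", "drop DNS to anything else", protos=("udp", "tcp"), dports=(53,)),
    Rule(40, "drop", "drop new connections to private networks", states=("new",), dst_nets=PRIVATE_NETS),
]
# Traffic from the IoT VLAN to the router itself ("local" ruleset, default-action drop).
IDIOT_LOCAL = [
    Rule(10, "accept", "allow DNS to the router", protos=("udp", "tcp"), dports=(53,)),
    Rule(20, "accept", "allow DHCP", protos=("udp",), dports=(67,)),
]
MDNS_RULE = Rule(30, "accept", "allow mDNS to the repeater", protos=("udp",), dports=(5353,))


def decide(pkt: Packet, with_mdns_rule: bool = True):
    """Return (chain, action, reason) for a packet arriving on the IoT VLAN."""
    if chain_for(pkt) == "local":
        rules = IDIOT_LOCAL + ([MDNS_RULE] if with_mdns_rule else [])
        return ("local",) + evaluate(rules, "drop", pkt)
    return ("in",) + evaluate(IDIOT_IN, "accept", pkt)


if __name__ == "__main__":
    cases = [
        ("Chromecast announces itself via mDNS", Packet("10.0.107.20", MDNS_GROUP, "udp", 5353)),
        ("Chromecast opens a new connection to a phone", Packet("10.0.107.20", "10.0.1.20", "tcp", 8009)),
        ("Chromecast answers a session the phone opened", Packet("10.0.107.20", "10.0.1.20", "tcp", 51000, "established")),
        ("IoT device tries Google DNS", Packet("10.0.107.30", "8.8.8.8", "udp", 53)),
        ("IoT device uses the Pi-hole", Packet("10.0.107.30", PIHOLE, "udp", 53)),
        ("IoT device reaches its cloud service", Packet("10.0.107.30", "203.0.113.10", "tcp", 443)),
    ]
    for label, pkt in cases:
        for flag in (False, True):
            print(f"{label} [mDNS rule {'on' if flag else 'off'}]: {decide(pkt, flag)}")
```

Running it prints each case with the mDNS rule off and on: the multicast announcement is the only case whose verdict changes, and it changes in the `local` chain. The model ignores things the real router also does (NAT, IPv6, the mdns-repeater's own retransmission from the router's address on the other VLAN) and only covers traffic entering from the IoT side; the reverse direction is governed by the secure LAN's own rulesets, which is why a phone can still open a connection to the Chromecast after discovery and the reply rides in on the established/related rule.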

  • @backsspace
    @backsspace 3 years ago +2

    @crosstalk could refresh this IoT video now that you're using a UDM Pro please? I'm in process of setting my network up, and it would help tremendously.

    • @kevinz8867
      @kevinz8867 3 years ago +1

      YES PLEASE! :)

  • @DLong-wp8su
    @DLong-wp8su 1 year ago

    I have an RT-AC88U main router and an old RT-68U as AiMesh. My thought is for security stuff (PC, phone, iPad, etc.) to be on the main router and IoT (doorbell camera, lights, TV, etc.) to be on the RT-AC68U. I can also set IoT on the main router under "Guest". Which option is best and safe to protect the main router access?

  • @DaniloFusco
    @DaniloFusco 3 years ago

    For anyone struggling with vlans and the dual wan feature you want to add the modify balance profile to the vif as per the parent eth interface.

  • @DRUMSBH
    @DRUMSBH 5 years ago +1

    Thank you Chris for the tutorial! Note to others regarding mdns repeater; I had to reboot my Edge Router X before this would work.

    • @johnraahauge4552
      @johnraahauge4552 5 years ago +1

      Thank you, Thank you, Thank you!! Have been messing with this for hours until I decided to read the comments. Now it works!!

    • @johnraahauge4552
      @johnraahauge4552 5 years ago +1

      I also found that I had to make a rule in the IDIoT_Local ruleset to allow UDP 5353 or mDNS wouldn't work both ways

  • @mechanix6191
    @mechanix6191 5 years ago +1

    Great video. Having a hard time translating the Edge Router firewall to the UniFi controller firewall. For example, I don't see a Interface option and I'm also unsure about setting the source versus destination.

  • @EmilianoSandler
    @EmilianoSandler 5 years ago +3

    Amazing video. Followed your config for my network and started transferring my IoT devices.
    I have an EdgeRouter 4, Cloud Key (Gen 1), US-8-150W, 2x UAP-AC-PRO, so the setup is pretty the same as yours.
    I have a streaming box with Kodi and it's configured to access my media library from my NAS using NFS. If I transfer my streaming box to the IOT VLAN, how do I allow it to connect with NFS to my NAS?

  • @phil7455
    @phil7455 1 year ago

    How would you combine this with the "IOT Across Subnets with EdgeRouter" video that David did for you? Part of his setting up an mDNS repeater was that you can at least ping between subnets and there shouldn't be a firewall rule preventing communication.
    I'm thinking there should be a firewall to allow video to be sent to a Chromecast on the IoT network from the Secure network, while blocking the Chromecast from accessing the Secure network.

  • @quezad01
    @quezad01 3 years ago

    Great video explanation!!! One suggestion: You should do a video on how to connect to a SONOS speaker in the IoT VLAN from another VLAN.

  • @constantelev8tion1
    @constantelev8tion1 3 years ago

    How would you set up the last rule you talked about at the end of the video about port 53?

  • @lani2506
    @lani2506 1 month ago

    Nice video, but wouldn't the IoT port have to be tagged with VLAN 107 if you want all devices connected to the unmanaged switch to connect to that VLAN?

  • @ojw629
    @ojw629 1 year ago

    How would I set up an IoT network with a pfSense router and Deco X50-PoE in access mode? My setup is
    Int>pfsense router>first x50>Poe switch>other two x50’s and a few other hard wired iot devices. My cameras and some other iot devices would be connected via Wi-Fi.

  • @wrightpc1215
    @wrightpc1215 5 years ago

    This couldn't have come at a better time... Thanks Chris really appreciated 👍

  • @Muttonbird
    @Muttonbird 5 years ago

    Great timing for a great video. Thanks Chris, very helpful indeed and was just wondering about setting all this up the other day so cheers! Looking forward to your next vid.

  • @goddrago
    @goddrago 3 years ago

    Hello Chris, I'm about to set up this solution you made, but I want to be sure to have all the equipment. Right now I have an EdgeRouter X, and I'm about to buy a USW-Flex-Mini and 1 UAP-AC-LR. I want to know if I can do all this with this equipment. Looks like I can do it, but I just want to be sure. Thanks for all your help.

  • @RyanRath
    @RyanRath 5 years ago +1

    Ha! Crazy small world, I did this two weeks ago for my setup at home as well. Great content Chris, love the channel

  • @igitrust6481
    @igitrust6481 2 years ago

    Thank you for all your videos - I’m new to the home network world and set up my own thanks to you. Any place I can get this detailed info for TP Link short stack?

  • @coolcatdom
    @coolcatdom 4 years ago

    Hi Chris, thanks for this video. I'm trying to do a similar setup using the OPNsense firewall. I don't see a similar setting in OPNsense for the advanced rule configuration (20:38). A few posts I read around the Internet suggest that those two options are the default for OPNsense. Is my understanding correct?

  • @seth3342
    @seth3342 3 years ago +1

    I can’t seem to obtain an IP address when trying to connect to IoT network. I have the DHCP server setup. Do you have to link what DHCP server to use for a given VLAN?

  • @invictuslegend4405
    @invictuslegend4405 4 years ago

    Great video. I tried this, but from my main LAN, I am unable to get to the AP connected to the IOT port. To access the AP, I had to be on the IOT network. What firewall rule should I add or reconfigure so that I can get to the AP @10.0.0.40? I can ping 10.0.0.1 from Main LAN, but no other leases.

  • @dacman61
    @dacman61 5 years ago

    I've been meaning to do this at my home. Looks like I got a project to do this weekend. Thanks for the video!

  • @marito158
    @marito158 2 years ago

    Thank you for the video. Should I still be able to ping from the IoT network to the protected network?

  • @SheldonMahase
    @SheldonMahase 3 years ago

    Great job. Clear, clean instructions.
    I used it on a USG-Pro-4, Cloud Key and a UniFi Switch 16 POE-150W.
    I have successfully blocked all inter-VLAN communication and so on.
    I don't have any Ubiquiti access points.
    I have 2 questions.
    1. I wish to block internal communication between devices inside the guest network?
    2. Is there a way to limit speeds via MAC address or IP without using a Ubiquiti AP?
    I know this can be handled on the Ubiquiti APs.
    I am looking for a firewall rule or a setting without using Ubiquiti APs.

  • @johnraahauge4552
    @johnraahauge4552 5 years ago

    Chris, how do I clear the routing tables? I have an EdgeRouter with VLANs set up following your guide. I have some cameras that after a power surge can't be accessed across VLANs. Only if I give them new IPs are they accessible again. This has happened a couple of times and I'm getting tired of changing IPs.

  • @wertherland
    @wertherland 2 years ago

    So, you said you have an AppleTV on the IoT network, how does AirPlay work in such setting? can you stream to it from your phone (which happens to be in the secure VLAN)?

  • @rcdude86
    @rcdude86 2 years ago

    Does the EdgeRouter not show the IPs of connected devices? It shows the public IP of my WAN, but I have an old consumer router that I am only using as an access point, and the mode I am using on the EdgeRouter is basic setup. I figured it would show me the IP of the access point. Thanks for any info.

  • @Kryoxys
    @Kryoxys 4 years ago

    Chris, any chance you could do an updated version of this video using a UDM Pro?

  • @genericcommenter2676
    @genericcommenter2676 4 years ago

    Hi, how does it affect the auto discovery features IE, Apple Bonjour, between mobile devices on secure LAN and the IOT devices on a separate broadcast domain.

  • @CodySuders
    @CodySuders 3 years ago +1

    I'd love to see an updated version of this. and using a separate security vlan for protect. +1 more for wanting to see this with UBNT gear, maybe a new dream machine pro.

  • @johnemerson3674
    @johnemerson3674 4 years ago

    Your diagram shows an AP for the secure network and a 2nd AP for the IoT network. Are there two APs for security reasons? If not, would it be a good idea to configure one UAP-AC-PRO to broadcast SSIDs for the secure network, the IoT network and a guest network?

  • @bradleyhumphrey8013
    @bradleyhumphrey8013 10 days ago

    I currently have 2 ISPs. Is there a way to set up the EdgeRouter 4 to have the secure network route through ISP#1 on WAN1 and have the IoT devices route through ISP#2 on WAN2? I tried setting up dual WAN for load balancing. I understand the rules of a percentage load balance (ex: 50% network traffic on WAN1 and 50% traffic on WAN2). But I was hoping to break it down even further and set up specific VLANs to use certain ISPs to even out the load balancing.

  • @andrewslater6846
    @andrewslater6846 5 years ago

    I understand that by having your private network on a separate VLAN from your IoT devices you will save a lot of bandwidth on the private LAN. But, on average, how much bandwidth do the IoT devices eat up on your internet connection? You seemed to touch on internal traffic, but I would like to know how much traffic the devices have to the outside internet.
    This is a wonderful video explaining what the general public should do for IoT setups. I haven't found anything else that covers this topic as simply nor as completely as you have. Thank you!

  • @joepalovick1915
    @joepalovick1915 5 years ago +1

    Great video! Thanks for pulling it all together. My challenge has been trying to get Sonos speakers on an IoT network!

    • @CrosstalkSolutions
      @CrosstalkSolutions 5 years ago

      Not every IoT device is going to work on the IoT network. Some require local network access to function - such as Philips Hue. But, if you can get *mostly* everything over there, that's better than not having it at all.

    • @joepalovick1915
      @joepalovick1915 5 years ago

      Good point! It seems like cloud based devices like Smartthings, Ecobee, Echo etc adapt very easily to an IoT network. Local network centric devices especially like Sonos are much more difficult. Keep up the great work and thanks again.

    • @madrian_hello
      @madrian_hello 5 years ago

      en.community.sonos.com/advanced-setups-229000/access-sonos-from-a-different-wireless-network-6808767 this?

  • @hartekunst554
    @hartekunst554 1 year ago

    For clarity: the firewall rule which drops all local traffic on the IoT network would probably not allow us to run a local Home Assistant installation from within that same IoT network, correct? You would then probably need to add more whitelisting rules for each new integration that you're trying to establish?

  • @RafaaMCarvalho
    @RafaaMCarvalho 4 years ago

    Hello, I know this video is quite old now, but I found it and now I'm trying to make it work in my network. The only problem I'm having is with the mDNS portion (casting from LAN to a Chromecast in IoT). It only works when I'm wired to the switch, but WiFi is not working at all. Any tips on that? Thanks!

  • @it.gayndah
    @it.gayndah 4 years ago

    Hi, I'm Brad from Outback Rural QLD Australia.
    I strongly believe that all IoT must be on its own separate VLAN. I have gone a little further by creating 2 IoT VLANs - IoT & NoT. The second has basically the same rules as the IoT one you showed, with a few more including "preferred DNS" and blocking all other DNS servers (I have a standard DNS drop rule on Google IPv4 & 6). Unlike IoT, which can get out to the Internet under a special ruleset, NoT can't get out and can't get to other VLANs either; however, the Management VLAN can access the IoT, NoT and Cameras VLANs one way using "New/Est/Related". My Camera VLAN is a bit like the NoT network too, but with the NVR also residing in this VLAN.
    I have gone a little further by giving my Management VLAN (primary Corporate LAN) its own VLAN number. I have a separate TRUNK VLAN that interconnects from the USG-PRO-4 to all my 4 switches and 8 APs etc., for some extra security. I feel this network design gives a little more security. Yes, the security is only as good as the firewall rules!
    I'm just learning all this stuff, and taking it slowly and building my IoT devices, which will basically connect to everything in the home and farm.
    Any constructive comments most welcome.

  • @bumgarb42
    @bumgarb42 5 years ago +1

    Is it possible to do this same level of configuration on a UniFi USG Pro 4? If so, could you do a video showing that? I get lost trying to translate the Edge interface to UniFi for DHCP and DNS configuration you do around the 9 minute mark.

  • @markdeejay7
    @markdeejay7 5 years ago

    Hi Chris....At 20.40 you explain that the "Allow Established/Related" rule is tied to the network group. This differs to the same stage in Willie Howes video on the same topic. Can you confirm that both the "Allow" and "Drop" rules on the "IN" ruleset are tied to the network group please? Thanks in advance.

  • @staaldak
    @staaldak 3 years ago

    Hey Chris! Thanks for the guide. Much appreciated. I followed the guide to the letter, including setting up an mDNS repeater on my EdgeRouter 6P, but I still could not see my Chromecasts (on the IoT VLAN) from devices running on my trusted VLAN. I solved this by adding the following third rule to the IDIoT_LOCAL ruleset:
    rule 3 {
        action accept
        description "Allow MDNS"
        destination {
            port 5353
        }
        log disable
        protocol udp
    }
    I can now stream to my Chromecasts and TVs on the IoT VLAN from devices on the trusted VLAN. I hope this helps someone!

  • @christopherblackwell4298
    @christopherblackwell4298 4 years ago

    I tried to follow every step but could not get it to work. My EdgeRouter has a switch interface and I get an error trying to create a VLAN on the switch interface. I then tried to create one directly on eth0, but I did not get internet on my access point. I then stripped out the VLAN to get normal internet again. Finally got that working so I can turn off my smart lights. What am I doing wrong? Thank you for any help.

  • @henrynguyen4132
    @henrynguyen4132 4 years ago

    Hi, my kid has a desktop computer and connects to the internet via ethernet LAN, not WiFi. Can I create a schedule to block internet access for that desktop ethernet LAN every day from 11 PM - 6 AM? Ubiquiti only has a schedule for WiFi, not ethernet? Thank you.

  • @fredriklundberg4161
    @fredriklundberg4161 4 years ago +1

    I followed the great video thanks but have a question. The rule to drop all local traffic on the IDIoT network; does that not mean they cannot talk to each other if needed? Love your videos!

  • @cue03
    @cue03 5 years ago

    Great video. Do all your smart devices still have accessibility from your smartphone or tablet while outside of your house coverage area? If you have a camera that has both a direct connection while on your network but a web connection while not on your network, is that also possible and able to be secure like you have isolated everything else? I don't want to lose functionality or accessibility from anywhere of the "smart" items I am buying or have. Thanks

  • @berndeckenfels
    @berndeckenfels 4 years ago

    In a close neighbourhood I would not run a hidden SSID; it makes channel conflict detection less functional.

  • @TJPatek
    @TJPatek 3 years ago

    Curious if I can put work and school computers on this network to prevent them from possibly accessing our network? We rarely have to use the printers, but if the printers are on the IoT network, they should be able to communicate, correct?

  • @americus182
    @americus182 5 years ago

    Just a beginner here, would really like to see this with a USG. I found some other resources online to set the firewall up but they don't provide details about how to add exceptions from the IoT to private networks.

  • @Firespyer
    @Firespyer 5 years ago +137

    The S in 'IoT' is for Security

    • @svampebob007
      @svampebob007 5 years ago +19

      the IDIoT tag is hilariously ironic.

    • @markarca6360
      @markarca6360 4 years ago

      @@svampebob007 Hahaha... #lmao

  • @CaesarNayKid
    @CaesarNayKid 2 months ago

    Do you have a similar video which shows making the firewall entries on UDM OS (preferably the modern version) or if not, maybe you can make one?

  • @apilon47
    @apilon47 2 years ago

    I don't understand. I followed your instructions and reverted back to the classic controller GUI, and when trying to create a new wireless network the VLAN option under advanced settings is not there.

  • @PaulReedy
    @PaulReedy 5 years ago

    If you were using, say, an EdgeSwitch, how would you configure the ports going to the EdgeRouter and your access point? I've gone through everything, but I'm getting DHCP timeout errors reported from my APs on the IoT wifi. Devices on the IoT wifi can't get DHCP. I set both ports on my switch as trunk ports thinking they would pass all the tag info for the APs to pick up the VLAN tag, but something is still not quite right.

  • @richarddinges
    @richarddinges 3 years ago

    Hi Chris, thanks for this clear tutorial! I am taking my first steps with the EdgeRouter and, to increase my knowledge, I set this configuration up... But when I connect to the IoT wifi and go to the internet, I get no response. Looking at the statistics of the firewall, it is all blocked by the local default action, drop. For internet access on the IoT network, do you need to add a firewall rule to allow new traffic? Or am I doing something wrong elsewhere?

  • @mikedsokc
    @mikedsokc 3 years ago

    Can you do a video on how to setup firewall policies for Sonos on the IoT Vlan?

  • @FStewartIII
    @FStewartIII 1 year ago

    I use Visio for some small work projects but I wanted to ask: did you have some download for UniFi products, did you use screenshots, etc.?

  • @Bago_People
    @Bago_People 2 years ago

    Is this the same for the Dream Machine? And will the iOS functions still work, i.e. screen mirroring?

  • @ryankroger6046
    @ryankroger6046 3 years ago

    Dumb question but where do you get your Ubiquiti Visio stencils from?

  • @jimnichols5584
    @jimnichols5584 2 years ago

    Great video. Would like to see this done with the UniFi controller instead of the EdgeRouter. Similar concept, but nice to see the exact screens.

  • @freddycalderon9092
    @freddycalderon9092 3 years ago

    Do you have a video doing the same setup using UDM instead of EdgeRouter? Or can recommend one video performing the same setup with UDM or UDM-Pro? Thanks!

  • @markblumhardt
    @markblumhardt 3 years ago

    Would you put UniFi wifi cameras in the IoT vlan?

  • @paulsusi6929
    @paulsusi6929 5 years ago

    How do you deal with devices like Google Home... This would obviously go on the IoT VLAN, however devices on the main network would not be able to control them since they'd be on a different network. I guess I could disconnect my phone from the main network and temporarily put it on the IoT network, but this would be a pain to switch back and forth (especially if not broadcasting the SSID) and defeats the whole purpose of setting up the separate VLANs. Great video, thanks for putting it together. Interested in hearing your reply.

  • @Sir-Fix-a-Lot
    @Sir-Fix-a-Lot 5 years ago

    Also there is quite a bit of fiddling involved in getting Sonos to work in these setups; it took me a good evening of googling to find the right recipe to get the Sonos Controller application on the secure-network PC to actually be able to communicate with the Sonos Bridge in the IoT network.

    • @sebdl1286
      @sebdl1286 5 years ago

      I am just about to set up Sonos on a newly created IoT VLAN, as per this Video... Would you mind sharing that "right recipe"?

    • @Sir-Fix-a-Lot
      @Sir-Fix-a-Lot 5 years ago

      @@sebdl1286 Well, the end result wasn't a simple recipe, but I'll put the source article links here for your reference - hope they are still valid.
      I composited my config from these articles after a painful night of googling:
      en.community.sonos.com/advanced-setups-229000/access-sonos-from-a-different-wireless-network-6808767
      help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json
      community.ubnt.com/t5/UniFi-Routing-Switching/Cloud-Key-config-gateway-json-file/td-p/1553060
      blog.awelswynol.co.uk/2017/11/unifi-sonos-and-vlans
      community.ubnt.com/t5/UniFi-Routing-Switching/Configure-Sonos-across-subnets-on-USG/m-p/1982496#M49654
      I hope you can figure it out!

  • @stevenmorris5546
    @stevenmorris5546 3 years ago

    Great videos, nicely explained. Getting my Dream Machine Pro in a few days, so I will be using your videos to help me set it up, me being a network novice. I have one question: Siri needs to be on the same network as your iPhone, or so it keeps telling me 🙂 so if you put your iPhone on the main network and Siri on the IoT network, would this work? Thanks again for the great content 👍🏻

  • @Martin-ot7xj
    @Martin-ot7xj 5 years ago

    Hi there, I have a question. As far as I can understand, we have to make 2 VLANs, 2 DHCP servers and 2 wireless access points, for our private network and IoT, to isolate everything, right? I'm waiting for your answer. Thnx

  • @baldknobby
    @baldknobby 5 years ago +3

    Would like to see similar video with USG instead of Edge Router. Thanks.

  • @Falcowe
    @Falcowe 5 years ago

    I was working with your video as well as "The Hook Up"'s, and I have been having trouble getting one of my devices to communicate through to my main VLAN. It's an audio casting device, but it seems to only want to communicate on the same network. How would you go about troubleshooting, and finding out what ports a device needs if they aren't findable via a Google search?

    • @MichaelAlderete
      @MichaelAlderete 5 years ago

      There's a few methods that you can use. First, you might spend some time googling for " firewall rules" and related terms, to see if there are details about what ports your device needs to operate normally. (And possibly services, like the mDNS stuff Chris talked about; very common, especially for 'casting devices.)
      From your comment it sounds like you've already done this, but maybe take some more time, and do some specific searching on the company's support forums, or a dedicated subreddit, or other smaller or focused sites. It's pretty rare that required ports, protocols, or services aren't documented at all. (Unless we're talking about Apple, naturally. I love Apple stuff, but they often take a "don't worry your pretty little head about the technical details" approach to documentation...)
      Failing that, go back to the section of the video where Chris is reviewing the logs. He walks through classic troubleshooting techniques right there. Then go into your firewall rules, and make sure logging is enabled for the rules that block traffic. Then start searching for your problematic device's IP address, and see what that turns up. If it's being blocked, and logging is enabled, it should show up pretty clearly in the logs.
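The log-review step in the reply above is the part that actually finds the missing ports, and it is tedious to do by eye once several devices are chattering. The script below is an added example written for this thread, not code from the video or from any commenter. It assumes EdgeOS writes one kernel log line per logged packet with a `[RULESET-RULE-ACTION]` prefix followed by the usual netfilter `KEY=value` fields; the sample lines are constructed in that shape, not captured from a router, and the ruleset names IOT_IN and IOT_LOCAL, the rule numbers and the addresses are illustrative. It tallies the dropped flows for one device and drafts a candidate `set` rule for each, flagging the two traps the raw counts hide: an allow rule only takes effect if it is numbered below the rule that dropped the packet, and an allow for a multicast destination such as 224.0.0.251 (mDNS) is only meaningful if the router itself repeats that traffic.

```python
"""Summarise firewall drops for one device from EdgeOS-style log lines.

Added example for this thread, not code from the video or any commenter.
Assumption: EdgeOS logs one kernel line per logged packet with a
"[RULESET-RULE-ACTION]" prefix followed by netfilter KEY=value fields.
SAMPLE_LOG is constructed to that shape, not captured from a router;
ruleset names, rule numbers and addresses are illustrative.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: 192.168.20.42 is a casting device on the IoT VLAN that
# is being dropped by the local ruleset's default action (mDNS, DNS) and by
# IOT_IN rule 20 (a session into the trusted LAN); 192.168.20.7 is a device
# whose traffic is all accepted.
SAMPLE_LOG = """\
Jan 23 21:04:11 ubnt kernel: [IOT_LOCAL-default-D]IN=eth1.20 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.20.42 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
Jan 23 21:04:12 ubnt kernel: [IOT_LOCAL-default-D]IN=eth1.20 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.20.42 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan 23 21:04:13 ubnt kernel: [IOT_IN-20-D]IN=eth1.20 OUT=eth1 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.20.42 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=8009 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 23 21:04:14 ubnt kernel: [IOT_LOCAL-default-D]IN=eth1.20 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.20.42 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
Jan 23 21:04:15 ubnt kernel: [IOT_LOCAL-30-A]IN=eth1.20 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.20.7 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Jan 23 21:04:16 ubnt kernel: [IOT_IN-default-A]IN=eth1.20 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.20.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "[IOT_LOCAL-default-D]": ruleset name, rule number or "default", A/D/R action.
PREFIX_RE = re.compile(r"\[(?P<ruleset>[^\]]+?)-(?P<rule>\w+)-(?P<action>[ADR])\]\s*(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a firewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    kv = dict(FIELD_RE.findall(m.group("fields")))   # flags like DF/SYN have no '=' and are skipped
    return {
        "ruleset": m.group("ruleset"),
        "rule": m.group("rule"),          # a rule number, or "default"
        "action": m.group("action"),      # A=accept, D=drop, R=reject
        "iface_in": kv.get("IN", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO", "").lower(),
        "dport": int(kv["DPT"]) if "DPT" in kv else None,   # absent for ICMP
    }


def blocked_flows(log_text, device_ip):
    """Count dropped/rejected packets from device_ip by (ruleset, rule, dst, proto, dport)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "A" or rec["src"] != device_ip:
            continue
        flows[(rec["ruleset"], rec["rule"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return flows


def suggest_allow_rules(flows, first_rule=100, step=10):
    """Draft one candidate EdgeOS 'set' rule per blocked flow, for review before committing.

    A flow dropped by a numbered rule gets a number just below it so the allow is
    evaluated first; one dropped by the default action gets first_rule, first_rule+step, ...
    Only the rule that did the dropping is known here, so check the chosen number is free.
    """
    cmds, taken = [], {}
    for (ruleset, rule, dst, proto, dport), count in sorted(flows.items(), key=lambda kv: -kv[1]):
        used = taken.setdefault(ruleset, set())
        if rule.isdigit():
            n = int(rule) - 1
            while n in used and n > 0:
                n -= 1
            if n <= 0:
                raise ValueError(f"no free rule number below {rule} in {ruleset}")
        else:
            n = first_rule
            while n in used:
                n += step
        used.add(n)
        multicast = ipaddress.ip_address(dst).is_multicast
        where = "dropped by the default action" if rule == "default" else f"must sit below rule {rule}"
        cmds.append(f"# {count} packet(s) to {dst} {proto}/{dport}: {where}")
        if multicast:
            cmds.append("# multicast destination: a router-side allow only helps if the router repeats it (e.g. mDNS repeater)")
        cmds.append(f"set firewall name {ruleset} rule {n} action accept")
        if proto:
            cmds.append(f"set firewall name {ruleset} rule {n} protocol {proto}")
        if dport is not None:
            cmds.append(f"set firewall name {ruleset} rule {n} destination port {dport}")
        if not multicast:
            cmds.append(f"set firewall name {ruleset} rule {n} destination address {dst}")
    return cmds


if __name__ == "__main__":
    for cmd in suggest_allow_rules(blocked_flows(SAMPLE_LOG, "192.168.20.42")):
        print(cmd)
```

On a real router, feed it `show log | match IOT_` output instead of the constructed sample, and keep the drafted rules as narrow as the log shows (one destination, one port) rather than opening the whole trusted subnet to the device.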

  • @lemming622
    @lemming622 3 years ago

    @Crosstalk Solutions Is it possible to have this or an updated version of this documented on the Crosstalk blog, in a similar fashion as the Definitive Guide To Hosted UniFi? I'm following along as best as I can and having to pause quite a bit to make sure you don't get too far ahead of me.

  • @greymoment1
    @greymoment1 5 years ago +2

    What about separating IoT devices from streaming? Would there be an advantage to having a VLAN for IoT devices and a VLAN for streaming?

    • @Rossm812
      @Rossm812 4 years ago

      Problem is, when you have too many SSIDs you start taking a speed penalty, and if I am seeing this right, he is assigning the IDIoT SSID to one VLAN only, meaning you'd need a separate streaming-device SSID etc. following this setup, unless your streaming devices are all wired.

  • @traviswetzel
    @traviswetzel 4 years ago

    With this setup, and say I have an AppleTV on the IDIoT vlan, and I have my iPhone on the Data vlan, will my iPhone be able to communicate with the AppleTV using Airplay?