Ubiquiti UniFi Access Point - Client Device Isolation

  • Published on Jan 2, 2025

Comments • 22

  • @paracha3
    @paracha3 10 months ago

    Brilliant analysis and nicely explained.

  • @softwelveone
    @softwelveone 10 months ago

    great thorough test (I did something similar but not as thorough...) to my surprise my ethernet wasn't able to communicate with my VLAN but my VLAN was able to communicate with my ethernet device!!! (not good from a security perspective...) I had to rearrange my whole network... all is much better... these are indispensable videos! thanks once again for the high quality content!

  • @gatsbylee2773
    @gatsbylee2773 1 year ago

    Your video is getting better and better =) thank you.

  • @Greg.M
    @Greg.M 8 months ago

    I really appreciate all your videos! You do an amazing job of running all sorts of examples. Please Keep Up The Good Work! Thank You!
    I think a fun and informative video to do would be on how Firewall Rules, ACL (on Layer 3 Switches), AND Client Device Isolation interact with each other.
    . . . Unifi has in the last month or so introduced basic ACL controls in the controller - (I am hoping they increase the detailed control to be more like the firewall rules). Correct me if I am wrong, but it seems like between those 3 ways we are able to 'manage' traffic on our networks that it depends on what device the packets touch on their journey through our unifi networks. For example, Firewall rules are ignored if the packets ONLY traverse the layer 3 switch. Could the same be said for ACL rules if:
    1) We have 2 VLANs set up on 2 different Networks;
    2) Both VLANs are accessible via the Access Point;
    3) ACLs are established on the layer 3 switch that won't allow the VLANs to talk to each other;
    4) Client Device Isolation on the AP is NOT enabled;
    5) The AP is connected to the layer 3 Switch.
    If I connect to one of the VLANs via the AP and I want to connect to another device on the OTHER VLAN that is also connected to the AP, would the devices still be able to talk to each other?

    • @hz777
      @hz777 8 months ago

      Replied in the other comment under the ACL video.

  • @gatsbylee2773
    @gatsbylee2773 1 year ago

    I love the detailed explanation.

    • @hz777
      @hz777 1 year ago +1

      Glad it was helpful!

  • @kainothdurft1022
    @kainothdurft1022 1 year ago

    There is a mistake in scenario 4. At 17:38, both clients are on their own AP, but Computer1 (M1) has Isolation disabled (ZCDI_NO) and Computer2 (M2) has isolation enabled (ZCDI_YES). Ping from M1 to M2 didn't work, which means from NOT isolated to isolated! And vice versa, ping from M2 to M1 did work, which means from isolated to NOT isolated!
    But maybe, M2 was "Computer1" and M1 was "Computer2"?
    Also, I'm missing a scenario with Device Isolation enabled on both devices, but on different APs. In other words, scenario 4 with Device Isolation enabled on both clients. From your findings, I *assume* both computers should be isolated from each other in that scenario.
    Edit: In scenario 5, where you pinged the Debian host, you pinged from Computer1. If Computer1 was M1 (ZCDI_NO), it's no wonder ping worked, as client isolation was disabled for Computer1.

    • @hz777
      @hz777 1 year ago

      It's not a mistake. I perhaps confused you about computer 1&2 with M2&M1. If you check the UniFi network controller topology and my diagram, you can see computer 1, the M2, is connected to u6-enterprise.

    • @kainothdurft1022
      @kainothdurft1022 1 year ago

      Ah ok. I took a closer look at the terminal windows and the prompts prove you right. Computer1 is indeed M2 and Computer2 is M1. I still wonder if isolation is working across multiple APs when isolation is enabled on both. I have 10 APs in the company I work for and will test it soon.

    • @hz777
      @hz777 1 year ago

      @kainothdurft1022 Please let us know in comments once you have the result.

    • @kainothdurft1022
      @kainothdurft1022 1 year ago +1

      @hz777 I tested it today. Client isolation works on one AP but not across APs. 😒

  • @apisrilankan5971
    @apisrilankan5971 1 year ago

    thank you

  • @RifatNabi
    @RifatNabi 1 year ago

    I like the way you explain things. Keep up the good work :)
    I was wondering what happens in "Scenario 3" if you add an ARP entry manually to Computer #1?

    • @hz777
      @hz777 1 year ago +1

      In fact, after tearing down the testing environment, I had the same regret that I did not include that step in the video. I assume it won't work but don't have an environment to quickly verify that.

    • @RifatNabi
      @RifatNabi 1 year ago

      @hz777 he he, no worries 🙂 Maybe next time when you test something similar.

  • @techtalkandtechunboxed
    @techtalkandtechunboxed 1 year ago

    Nice video!!

  • @chrisslaunwhite9097
    @chrisslaunwhite9097 1 year ago

    Thanks for testing this! I always wondered if it worked. Also, how did you get the dark mode? Can Windows do that?

    • @hz777
      @hz777 1 year ago

      Dark mode? You mean the theme of OS? It's a standard feature nowadays, so I will be surprised if Windows does not support it.

  • @WiFiBERnet
    @WiFiBERnet 1 year ago

    Hey man, I think the Client Device Isolation on Different APs is bugged past firmware 6.2.49. Can you try again on that firmware and let me know the results? I've brought up the issue with UniFi support to make sure they are aware of this possible issue to get it resolved in future firmware versions. Great videos!

    • @hz777
      @hz777 1 year ago

      Hi, have you tested it under that version? If so can you please share the results? And did you raise a ticket with Ubiquiti? If so did they acknowledge a bug?