Would you consider making a video going over firewall rules to allow traffic only one direction over the site-to-site vpn? I can't seem to figure it out. I want to be able to reach the remote subnet from local but remote shouldn't be able to reach my local subnet.
Good video, thanks. When you set up the firewall rules to allow traffic, does that mean that all the traffic from that subnet will always go through the VPN? Or do you need a rule saying everything from subnet x will always go through the VPN (and not through the local gateway)?
Why when you are creating firewall rules, the direction for both rules is LAN in? When your Vlans go to the remote side is OK. Its LAN in, but when the remote vlans comes to your LAN it is LAN out, isn't it?
It's a great method you got there but it's funny how much hard work you need to do where in fortigate firewalls no traffic can flow on the tunnel unless you define firewall rules is the default. Ubiquiti are so wierd for not doing it by default
Thanks for the Video! Question.. do you know if we could have a Tunnel Between a site that has a static IP and another that got a dynamic one? I wonder if Unifi has a setting for that oneway authentication config.. I asked the support but they seems to not understand my question.. Thanks in advance!
Thanks for watching. I understand your question but the simple answer is that unlike other vendors, in unifi vpn is being kept very basic and thus there is no one way initiation of the vpn tunnel. Whats more annoying is the fact that ubiquiti has chosen to only allow ip addresses in the host field, if they were to support hostnames or fqdn we would have option at least to use ddns hostnames. Annoying.
In my experience it will work with dynamic, however, as you know the dynamic ip will change so if it does then your tunnel will stop wrong until you change to the new ip that has been given on the dynamic side.
If you just block all rfc 1918 to all rfc 1918 traffic it would stop intervlan traffic in one rule. You also dont balck access to other gateways or access to controller management console or ssh.
Anybody having issues resolving windows DNS service to site2site remote subnets? My config works likely this video, however ( 53 UDP) dns or http (80) service is not getting any response from source server in the origin site. I assume its more related to inter-vlans rules but any of the suggestions rules work for me!!
*If you liked this video, please give it a like*
I like your "style" of doing things in UniFi security-wise
Thank you for watching!
Tech Me Out this video absolutely helped me out. Thanks!
Would you consider making a video going over firewall rules to allow traffic only one direction over the site-to-site vpn? I can't seem to figure it out. I want to be able to reach the remote subnet from local but remote shouldn't be able to reach my local subnet.
Awesome video! Love the explanation on the firewall rules, super helpful - great job!
Thank you so much! Much appreciated
Hi there, have you managed to connect an AWS VPN to a UDM? I am struggling with this
Good video, thanks. When you set up the firewall rules to allow traffic, does that mean that all the traffic from that subnet will always go through the VPN? Or do you need a rule saying everything from subnet x will always go through the VPN (and not through the local gateway)?
Why when you are creating firewall rules, the direction for both rules is LAN in? When your Vlans go to the remote side is OK. Its LAN in, but when the remote vlans comes to your LAN it is LAN out, isn't it?
Exactly what i was looking for. thanks!
Glad it was helpful!
It's a great method you got there but it's funny how much hard work you need to do where in fortigate firewalls no traffic can flow on the tunnel unless you define firewall rules is the default. Ubiquiti are so wierd for not doing it by default
Thanks for the Video! Question.. do you know if we could have a Tunnel Between a site that has a static IP and another that got a dynamic one? I wonder if Unifi has a setting for that oneway authentication config.. I asked the support but they seems to not understand my question.. Thanks in advance!
Thanks for watching. I understand your question but the simple answer is that unlike other vendors, in unifi vpn is being kept very basic and thus there is no one way initiation of the vpn tunnel. Whats more annoying is the fact that ubiquiti has chosen to only allow ip addresses in the host field, if they were to support hostnames or fqdn we would have option at least to use ddns hostnames. Annoying.
In my experience it will work with dynamic, however, as you know the dynamic ip will change so if it does then your tunnel will stop wrong until you change to the new ip that has been given on the dynamic side.
Why can't block all inter-vlan routing by blocking from RFC1918 to RFC1918 on both sides. This will create implicit deny.
If you just block all rfc 1918 to all rfc 1918 traffic it would stop intervlan traffic in one rule. You also dont balck access to other gateways or access to controller management console or ssh.
Your block all rules don't block access to the gateway itself, so VPN site can access local site gateway and potentially control it
Does it matter if both devices are on the same console?
What do you mean by on the same console?
Anybody having issues resolving windows DNS service to site2site remote subnets? My config works likely this video, however ( 53 UDP) dns or http (80) service is not getting any response from source server in the origin site. I assume its more related to inter-vlans rules but any of the suggestions rules work for me!!