What other settings would you configure on your Ubiquiti set up?
I typically write firewall rules to prevent SSH or just general login access to the Unifi gateway from all VLANs that don't need it. I make sure trunk ports have only the VLAN access they need (Unifi defaults to all ports being full trunks - thus if you know the VLAN and are able to set the tagging up on your device, you could gain access to any VLAN via any port). I also tend to disable inter-VLAN communication in general. Though, I typically enable inter-VLAN communication that originates from the primary network only.
Thanks mate. I fit in the 'network noob' group, over my head for complex network settings. These style videos really help out.
Would the "isolate network" tick box under your IOT network essentially do the same thing? Wondering why you wouldn't use that over manually creating a firewall rule
It depends on whether you are going to be using the guest portal, hope to do a video on it soon.
It would. That is how I isolate my IoT network without having firewall rules for that specific network. As all of my IoT devices talk directly to the internet and I have to use apps on my phone or tablet, there is no reason for any of my other networks to have to speak directly to the IoT network.
@MrSunDevil23 that's what I thought. I have one of my VLANs configured this way and it seemed to work.
I created a fw rule to stop http access to the udm pro on the iot/guest/camera networks just to be safe
from the network to the gateway?
Yes that’s correct
I just do an "Established and Related" rule for all networks, which includes my IoT network. I do not do this rule for each and every network. Cuts down on the number of rules I have.
Good vids dude
Appreciate it
I have a guest and IoT network. I would love to access the IoT devices from the main network but it currently doesn't allow it and I am not sure how to configure that. The network rules seem backwards to me (I will get used to it at some point 😀 )
Hard to explain in a comment, but you want to isolate the IoT network via firewall rules, not via the checkmark during network creation. Isolating IoT using the checkmark option blocks traffic in and out. Not really what you want. You need to create a rule that blocks traffic out of the IoT network, then create a rule that allows established and related. The latter rule will allow any device in the IoT network out only when an incoming connection is established first.
“Ethernet Blueprint” has a good video on creating these exact firewall rules. Should solve your exact problem.
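To make the difference between the two approaches concrete, here is an added toy simulation written for this thread; it is not UniFi's implementation and not code from the video or from any commenter. It models a top-down, first-match rule list with a minimal connection-tracking table, which is how stateful gateway firewalls of this kind evaluate rules, and runs the same constructed flows through three setups: the "established and related" allow above rules that drop IoT traffic to the gateway's SSH/HTTPS ports and to the other LANs (as the comments above describe), the same rules in the wrong order, and the per-network isolation tick box modelled as dropping new flows in both directions. All addresses, ports, rule names and scenario names are constructed assumptions.

```python
"""Toy stateful, first-match firewall evaluator (added illustration).

Not UniFi's implementation; addresses, ports and rule names are assumptions.
Modes:
  "rules"            allow established/related, then drop IoT -> gateway
                     management ports, then drop IoT -> other LANs
  "rules_misordered" the same rules with the drop rules placed above the
                     established/related allow (shows why order matters)
  "isolate_checkbox" the per-network isolation tick box, modelled as dropping
                     new flows into and out of the IoT network
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread)
MAIN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.20.0/24")
INTERNAL = [MAIN, IOT]
GATEWAY = {ip_address("192.168.1.1"), ip_address("192.168.20.1")}
MGMT_PORTS = {22, 443}  # SSH and the gateway web UI


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000  # ephemeral client port


def in_net(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


class Firewall:
    """First-match rule list with a minimal connection-tracking table."""

    def __init__(self, mode: str = "rules"):
        self.conntrack: set = set()  # (src, dst, sport, dport) of accepted flows
        allow_est = ("allow established/related", self.is_established, "accept")
        drop_mgmt = ("drop IoT -> gateway mgmt ports",
                     lambda p: in_net(p.src, [IOT]) and ip_address(p.dst) in GATEWAY
                     and p.dport in MGMT_PORTS, "drop")
        drop_out = ("drop IoT -> other LANs",
                    lambda p: in_net(p.src, [IOT]) and in_net(p.dst, INTERNAL)
                    and not in_net(p.dst, [IOT]), "drop")
        drop_in = ("isolate: drop other LANs -> IoT",
                   lambda p: in_net(p.dst, [IOT]) and not in_net(p.src, [IOT]), "drop")
        if mode == "rules":
            self.rules = [allow_est, drop_mgmt, drop_out]
        elif mode == "rules_misordered":
            self.rules = [drop_mgmt, drop_out, allow_est]
        elif mode == "isolate_checkbox":
            self.rules = [drop_in, drop_out]  # no stateful exception either way
        else:
            raise ValueError(mode)

    def is_established(self, p: Packet) -> bool:
        # Same direction as a tracked flow, or the reply direction of one.
        return ((p.src, p.dst, p.sport, p.dport) in self.conntrack
                or (p.dst, p.src, p.dport, p.sport) in self.conntrack)

    def evaluate(self, p: Packet) -> str:
        verdict = "accept"  # default when no rule matches (LAN-side traffic)
        for _name, match, action in self.rules:
            if match(p):
                verdict = action
                break
        if verdict == "accept" and not self.is_established(p):
            self.conntrack.add((p.src, p.dst, p.sport, p.dport))
        return verdict


def simulate(mode: str = "rules") -> dict:
    """Run the thread's scenarios through one firewall; returns name -> verdict."""
    fw = Firewall(mode)
    phone, laptop, bulb = "192.168.1.20", "192.168.1.10", "192.168.20.50"
    flows = [
        ("phone app -> IoT device", Packet(phone, bulb, 8080)),
        ("IoT device replies to phone", Packet(bulb, phone, dport=40000, sport=8080)),
        ("IoT device -> laptop (new)", Packet(bulb, laptop, 445)),
        ("IoT device -> gateway SSH", Packet(bulb, "192.168.20.1", 22)),
        ("IoT device -> gateway DNS", Packet(bulb, "192.168.20.1", 53)),
        ("IoT device -> internet", Packet(bulb, "203.0.113.9", 443)),
    ]
    return {name: fw.evaluate(p) for name, p in flows}


if __name__ == "__main__":
    for mode in ("rules", "rules_misordered", "isolate_checkbox"):
        print(mode)
        for name, verdict in simulate(mode).items():
            print(f"  {verdict:6} {name}")
```

In the "rules" mode the phone reaches the device and the device's reply comes back, while new connections from the IoT side to the laptop or to the gateway's SSH port are dropped; with the drop rules above the established/related allow, the reply itself is dropped, which is the behaviour people hit when the "allow established and related" rule ends up below the block. The isolation tick box drops the phone's connection in the first place, matching the comment that it blocks traffic in and out.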
Can 2 separate guest networks within one Unifi network be created? I have a new need to do this and I don't want to cause myself problems in the future.
Yes. Just create two VLANs and set them as Guest Networks. Find this down on the left. It is a check box called Guest Network. You can then use your Security rules to tighten security or allow specific apps or ports.
thx
Thanks for your video, very helpful!
I have a Denon Receiver and the AirPlay doesn't work anymore! I did a network reset on the Denon and then AirPlay worked again. After two days it doesn't work anymore! Can there be a setting somewhere in the UniFi that I have to turn off or activate???
Greetings from Austria 🇦🇹
According to Denon's support page their system uses the following ports: 3813, 443, 80, 8080, 5020.
If you've made any firewall rules that permit only 443 or 80 (HTTPS or HTTP respectively) then you'll need to permit the other ports potentially. This would be for outbound traffic; don't port forward those ports to the Denon device.
As for AirPlay, some have found success enabling 'Multicast Enhancement' on the WiFi SSID their Denon is attached to. And make sure your iOS device is on the same SSID. Also make sure isolation or Guest is NOT on as that would prevent device-to-device communication.
Other things people have found that helped: disabling multicast and broadcast filtering. Denon also recommends enabling UPnP with some routers but not all (for some it says specifically to disable it), so you might try that but recognize that UPnP is a vulnerability.
It's working now! It was the UniFi, one setting in the UniFi Controller! Thanks 🙏
@danmaier2077 Glad to hear you got it working!
@danmaier2077 - what setting did you change so that you could AirPlay to your Denon receiver? I put most things on an IOT VLAN and check the IOT but my Sonos speakers must live on my everyday network so streaming works
It works again, in the UniFi settings I had to activate Multicast Enhancement.
I haven't configured IOT, I don't need it. Many configure everything, IOT, guests etc. I only have my default network and it's enough for us at home.
Keep up the awesome work! 👏
Thank you! Will do!
Great video
ways to prevent wifi users from sharing block mobile hotspots
Why the anon mask?