How Secure is your IOT Network configuration? Make it secure with UniFi in 4 simple steps

  • Published 23 Sep 2024
  • How secure is your IoT network configuration? In this video we look at how to set up a secure IoT network on your UDM Pro. We look at the 4 simple and easy steps required to make this happen. By the end of this video you will have moved your IoT devices onto a separate UniFi network (VLAN), and they will no longer be able to talk to devices on your home network. This is done with a few simple firewall rules that allow traffic one way (from the home LAN into the IoT VLAN) and only allow traffic back that belongs to an established or related connection.
    Towards the end we demo setting up a Raspberry Pi on the IoT network, my heating controls, and also testing a Google Chromecast on a different network.
    ============================================================================
    Help me to bring you more great content by:
    - Buy me a coffee: www.buymeacoff...
    - Join my Patreon here: / insidewire
    - Using my Amazon affiliate link to purchase items through Amazon, it won't cost any extra: geni.us/BU8zOm
    =============================================================================
    If you wish to engage services of InsideWire please use the social media links below or contact me via email.
    Facebook: / itsinsidewire
    Instagram: / itsinsidewire (@itsinsidewire)
    Twitter: / itsinsidewire (@itsinsidewire)
    Music by: Warriyo
    Track name: (e.g. "Venom")
    Link to Video: / warriyomusic
    Website: warriyo.com
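To make the "one way, plus established/related back" idea concrete, here is an added Python model of the three LAN IN rules discussed in the video and in the comments below (allow LAN to IoT, allow IoT to LAN established/related, drop IoT to LAN); it is illustrative code written for this page, not the video's or UniFi's own implementation. It assumes constructed subnets, a simplified connection tracker that only knows "new" and "established", and that unmatched inter-VLAN traffic is accepted by default, as the creator notes was already the case on his UDM Pro.

```python
import ipaddress
from collections import namedtuple

# Constructed subnets for the demo; substitute your own UniFi network ranges.
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")

Packet = namedtuple("Packet", "src dst proto sport dport")

def reverse(p):
    # The reply direction of a flow: same 5-tuple with both ends swapped.
    return Packet(p.dst, p.src, p.proto, p.dport, p.sport)

# The three LAN IN rules, in evaluation order; the first match wins.
RULES = [
    ("Allow LAN to IoT",         LAN, IOT, {"new", "established"}, "accept"),
    ("Allow IoT to LAN est/rel", IOT, LAN, {"established"},        "accept"),
    ("Drop IoT to LAN",          IOT, LAN, {"new", "established"}, "drop"),
]

class Firewall:
    def __init__(self):
        self.conntrack = set()  # flows the firewall has already accepted

    def state(self, pkt):
        seen = pkt in self.conntrack or reverse(pkt) in self.conntrack
        return "established" if seen else "new"

    def filter(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        st = self.state(pkt)
        action = "accept"  # assumed default: unmatched inter-VLAN traffic is routed
        for _name, s_net, d_net, states, act in RULES:
            if src in s_net and dst in d_net and st in states:
                action = act
                break
        if action == "accept" and st == "new":
            self.conntrack.add(pkt)  # remember the flow so its replies count as established
        return action, st

def demo():
    # Constructed traffic; returns [(description, (action, state)), ...].
    fw = Firewall()
    req = Packet("192.168.1.10", "192.168.20.50", "tcp", 51000, 80)
    probe = Packet("192.168.20.50", "192.168.1.10", "tcp", 40000, 445)
    ssdp = Packet("192.168.20.60", "192.168.1.10", "udp", 1900, 1900)
    return [
        ("LAN laptop opens IoT device web UI", fw.filter(req)),           # accept, new
        ("IoT device replies on that flow", fw.filter(reverse(req))),      # accept, established
        ("IoT device opens new connection to LAN", fw.filter(probe)),      # drop, new
        ("IoT device-initiated discovery to LAN", fw.filter(ssdp)),        # drop, new
    ]
```

The last case is why established/related alone does not make Sonos speakers or Chromecast groups visible from the LAN: traffic the device itself initiates towards the LAN is "new" to the firewall and needs a separate mechanism such as the mDNS reflector, or an explicit, narrowly scoped allow rule.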

Comments • 40

  • @raygun043 · 3 years ago · +4

    Great video! I'd be interested in the video that explains port exceptions from IoT to the LAN network for enabling an Nvidia Shield to access the Plex server and NAS.

    • @InsideWire · 3 years ago

      Thanks for the idea! I don't have a Shield but would assume it would be similar to another device.

    • @raygun043 · 3 years ago · +1

      Something else that would be interesting to discuss in a video is why you use a standard dedicated network for guest WiFi instead of using the dedicated guest WiFi available in UniFi UDM. Talking about basic interactions between your 3 main networks: LAN, IoT and Guest. Who's able to talk to whom, and which restrictions apply.

    • @InsideWire · 3 years ago

      Thanks for the great idea, I’ll work on this 😃

  • @rgarza7264 · 3 years ago · +4

    I would love to see a video on how to implement this for a guest-type network. Something where you wouldn’t want guests on your main network, but also allow them to use Chromecasting and AirPlay. Could that even work? Something like device isolation, but allow for Chromecast and Airplay? 🤔

    • @InsideWire · 3 years ago · +1

      Good idea! I don't see why it wouldn't work, as you have the guest rules there in the firewall settings. This is where you would want to be as specific as possible with ports and IPs rather than networks on the LAN side.

  • @mrpcakes · 3 years ago · +1

    Great video. Just got my UniFi equipment and trying to figure out what devices should go where.

    • @InsideWire · 3 years ago

      Thanks. Good luck, you'll enjoy it!

  • @SheldonMahase · 3 years ago · +1

    Great job. Clear, clean instructions.
    I used it on a USG-Pro-4, Cloud Key and a UniFi Switch 16 POE-150W.
    I have successfully blocked all inter-VLAN communication and so on.
    I don't have any Ubiquiti access points.
    I have 2 questions.
    1. I wish to block internal communication between devices inside the guest network?
    2. Is there a way to limit speeds via MAC address or IP without using a Ubiquiti AP?
    I know this can be handled on the Ubiquiti APs.
    I am looking for a firewall rule or a setting without using Ubiquiti APs.

    • @InsideWire · 3 years ago

      I have not actually tried this with a third-party AP. I have always used UniFi ones in my setups. It would be something I'd need to test to give you an answer. If you have blocked inter-VLAN traffic then perhaps it may be possible.

  • @balanced6352 · 3 years ago · +1

    Great video! I look forward to more. The Plex server example would be helpful.

    • @InsideWire · 3 years ago

      Let me see what I can do 🙌🏽

  • @rgarza7264 · 3 years ago · +2

    Great video!!! You said there were 3 rules, but only created 2. Was the 3rd enabling mDNS?

    • @InsideWire · 3 years ago · +1

      The third I was going to implement was to allow all traffic from LAN to IoT, which in my case was already allowed. However, there may be instances where all networks are blocked from talking to each other, so you would need this rule.

  • @jkw75 · 3 years ago · +2

    Thanks a lot, great video. Would love a video on how to get a Plex server on the main VLAN to play on smart TVs on the IoT VLAN. I've looked around for such a video and I have not found one.

    • @InsideWire · 3 years ago · +1

      Thanks, glad you found it useful. Let me see if I can put this video together. So you want the TV on the IoT network to talk back to your main VLAN where the Plex server is?

    • @jkw75 · 3 years ago

      @InsideWire Yes, that's the setup I want.

  • @teaflo · 3 years ago · +2

    If anyone has the same problem:
    If the IP address does not change when switching networks, then disconnect all ethernet ports on the UDM Pro, restart, log into the UDM Pro again, change to IoT and then, after it's done provisioning, insert the cables again and the devices should be assigned a new IP.

  • @zim312 · 3 years ago · +1

    This was really helpful, thank you! The issue I still have is that the Sonos speakers sitting on my IoT network aren't discoverable by the (Mac and iOS) controllers on my main network. Do you know how to configure the IoT VLAN to work with Sonos?

    • @InsideWire · 3 years ago

      Can't say I have configured a Sonos yet, however looking at the website it looks like they need a few ports opened. support.sonos.com/s/article/688?language=en_US
      Are these all open? And mDNS turned on?

    • @zim312 · 3 years ago

      @InsideWire I came across that as well, but thank you. I assumed it wouldn't be necessary to open the individual ports since I have an allow rule for devices that are established/related. I'm not sure if that's a correct assumption or not.

    • @InsideWire · 3 years ago · +2

      Sorry, I just realised I never responded to you. Yes, you would be correct as you are allowing established/related, so you shouldn't need those ports. I don't have a Sonos but let me have a think and see why it wouldn't work.

    • @jkw75 · 3 years ago

      @InsideWire Having a similar issue with Sonos.

  • @ourholm · 3 years ago

    I have a smart plug that I added to my IoT network, which I set up as you describe. I also set up a Guest network and WiFi. I then added LAN IN rules (after other rules) to Drop Guest to IoT and to Drop IoT to Guest. I then go onto my iPhone, join the Guest network, and I can control the IoT plug via the app. But if I ping from my laptop on Guest to a laptop on IoT, it is blocked. Why is the app on Guest able to control the IoT plug? I have not added any type of Accept from Guest to IoT.

  • @joelsimon3732 · 3 years ago · +1

    Are those the only two firewall rules you would put in your system? Or do you need to put in other rules to prevent other outside traffic from getting into your network?

    • @InsideWire · 3 years ago

      Those are the only 2 required to get that working correctly. I didn't add in a third rule.

  • @PhatkatCollections · 3 years ago · +1

    Can this be done if you are only using Ubiquiti APs and a different brand of router?

    • @InsideWire · 3 years ago

      If the different brand router has the functionality, then it can be done.

  • @bmg7656 · 3 years ago · +1

    With these rules, can I still connect to say my air con controller if I am out and about from my phone (so not connected to my home wifi) or will I need another rule to allow that?

    • @InsideWire · 3 years ago

      This depends on how it is set up. But if the application is accessible via the web, I would imagine you should be able to. If there is any port forwarding set up or firewall rules configured, these would need changing.

  • @startrek619 · 3 years ago

    I have an issue where the Samsung SmartThings hub doesn't work when I set it to IoT. Any ideas?

  • @markloughtonUK · 3 years ago · +1

    The issue is that even with this setup Google Chromecast groups don't get seen by the LAN. On mine I have to join my phone to the IoT network if I want to play to a speaker group, which is really annoying. Have you found a solution? I can play directly to individual Chromecast devices from the LAN with no problems, it's just groups that don't show up :(

    • @InsideWire · 3 years ago

      I don't have a Chromecast group to test this against. I would be interested, though, why it's not working. There must be something that the group is using that is not opened up. I would have thought mDNS would suffice.

    • @markloughtonUK · 3 years ago

      @InsideWire OK thanks. I have just found this but it looks a little complicated for me though ;-) ....
      community.ui.com/questions/UDMUDMP-IoT-VLAN-Speaker-Group-fix-with-mDNS-and-Google-Nest-Speakers-Chromecasts/37d6239f-303e-4f9f-8727-626acf07d33c

  • @appv4275 · 3 years ago · +1

    How would you isolate a port on your UDM Pro, so you can connect your credit card machine in a small business? And also, what was the purpose of having the rule that allows established and related? Great video. Cheers

    • @InsideWire · 3 years ago

      To isolate a port, there are a couple of options. You can create a network and block all networks from talking to it, and it from talking to others, or there is a device isolation checkbox which I have not tested myself yet.
      Once your network is created you can just tag the port with the correct VLAN and plug in your credit card reader.

  • @tjveld · 3 years ago · +2

    The S in IoT stands for Security. :)

    • @InsideWire · 3 years ago

      Haha. Very big S!