CODY I NEEDED THIS! I legit just got a new Ubiqiti setup a few months ago and added new switches, AP’s, a NVR etc. I reset my entire network a few days ago and I’m starting from scratch. Your timing is impeccable!
Can't thank you enough for making this video. I am retired it (71 now) and I never thought I would still be doing this. Donating my time as an IT volunteer for non-profits "fixing" stuff.
Cody, one note for the next update to this series- You actually can have a LAN-In firewall rule that blocks all IP addresses from one of your subnets to the gateway address. This won't block internet access, as that traffic's destination IP address isn't a match. It's accomplishes same as the rules you used, but is a little more secure and clean as you do it with fewer rules, and don't end up only blocking specific ports (21,80,443). As other vulnerabilities crop up that affect other ports, you end up better protected. Only gotcha is make sure you test how this affects cams, I don't have a camera network to test with, but this worked great for securing Unifi from my IOT and Guest networks.
@@ayden8901 Sure, but it's a bit complicated, so I'll try my best. If you skip to around 24:07, this is where this all starts to become relevant. Cody wants to prevent devices on various subnets from talking to his Dream Machine (this is best practice, and you should absolutely want this). The way he does this is he makes a firewall rule that blocks devices on each subnet from talking to the gateway address of the Dream Machine on other subnets (example: devices on the IOT network shouldn't talk to the gateway address of *other* networks). Cody demonstrates this from the Secure network, but doesn't block devices on the Secure network from talking to the gateway of the Secure network. Cody explains at 25:38 that if he included 192.168.40.1 in his list, devices on the Secure network would no longer have internet access. This is actually not correct. When the firewall sees a packet coming from a device on the Secure network for the internet, it sees a destination address on the public internet (not the gateway address of the UDM), and would allow it through, even if the firewall rule said to block devices on the secure network from talking to 192.168.40.1. Cody then demonstrates creating a rule that blocks devices on a subnet from talking to the management ports of the gateway address for that subnet, but it still allows those devices to attempt to send other kind of traffic to the UDM Pro (all other ports). The cleaner way that I suggest is stick with Cody at the start: -Create your Allow Established/Related Traffic rule -Create your Allow Default to all VLANs rule -Create the Block Inter-VLAN Routing rule BUT THEN: -Create a rule to block your Guest and IOT networks from talking to every gateway address -Ensure that the network you use when you manage your UDM doesn't block the gateway address on that same subnet I don't have cameras, or a camera subnet, so I'm done here. But if you do, Cody's right that you need to let the cameras talk to their gateway address, and that whatever device you use to view the cameras needs to be allowed to talk to the gateway address for the cameras AND the network that the cameras are on. An odd fluke of Unifi, is the gateway addresses are not treated as the rest of that subnet. If I've lost you at any point here, do exactly what Cody suggested. His guide is still great. But if this all makes sense, you'll probably prefer not allowing random IOT devices to hit almost every port on the UDM, as they have no legitimate reason to be allowed to do this.
@@kuftamarc Your client devices don't actually need to talk to the default vlan. The management IP for switches, APs, etc isn't needed for clients to function. Clients only need to reach DHCP and DNS on gateway IP if the console runs those servers (or other specific IP if running a local DHCP/DNS server elsewhere) and the internet. So my LAN LOCAL rules are to allow est/related, allow DHCP and DNS any/any, allow my Trusted devices IP groups (my user vlan and server vlan subnets for 2 locations, camera subnet and VPN subnet) to Trusted devices (lazy way to allow anything trusted full access to any of those subnets gateways for management), then deny RFC 1918 to RFC 1918. If you want to be a tad more secure you can remove cameras from the Trusted devices IP group, move to a Camera IP group, then on LOCAL LAN allow source camera to destination their gateway with only the ports needed for their functionality. Oh, and because it's not needed I did block my cameras from the internet.
@@Noob-5 Good call on the DNS. I’m not running it on my gateway, so not an issue for me but may be for others. I don’t think you need to allow DHCP any/any, as the destination IP address that your gateway gets is the broadcast IP (255.255.255.255), not the DHCP server’s unicast address, so the gateway wouldn’t block it. You could test to be sure. I block all traffic from most my subnets to their gateway on my IOT and Guest networks and never had an issue picking up an IP.
I have apple homeket devices on the IOT network and now I can't see them from IOS Home app, can I make an exception for devices that need to get to homekit. i realize I could get on the IOT wifi, it would be easier if IOT network can get information to and from homekit hub. I am not sure I am saying this correctly thank you
Great video as always! For those experiencing issues with ICMP/Ping tests and still getting timeouts after setting up the rules to allow network communication, the likely cause is that Windows Firewall blocks ICMP by default. To resolve this, you'll need to create a custom inbound rule in Windows Firewall that specifically enables ICMP over TCP/IPv4. This should allow the devices to communicate successfully.
Thank you Cody for the 2024 yearly complete setup. Unifi changes their UI so much every year that it really does help each and everyone of us to start from scratch without forgetting anything. I really was looking forward to this video as I am after moving house and had to reset all my network devices. Your videos helped me set my network before and I'm very thankful! Keep doing what you do best, a great job!
What perfect timing! I was just watching your 2023 video as I'm going to re-do and start from scratch my UDM-Pro this afternoon. I guess I'll delay a bit after I digest this video. Thank you!
Great video. Can you expand on what you said at 24:55 around not wanting to block a camera VLANs gateways due to it slowing things down. What then would be the process for setting up a camera VLAN? Would you still create "Black Cameras To Gateways" and "Block Cameras to UDM Interface" rules for the camera VLAN?
Thank you Cody for making and remaking this video every year. Unifi changes their UI so much that it really is needed so we can go back and refer to something when needed. Your videos helped me set my network a year ago and I'm very thankful!
Thank you for this information! I just bought a new UDM, POE 24 port switch, NVR and 6 cameras for my new home and I am slowly installing it now. Very timely information!
Great video, don’t know if I missed it or misunderstood, but with the separate VLANS for IOT and secure, how do I control my IOT devices with my iPhone that would be connected to the secure network?
If I followed this design what network would I use for my main workstation and my server? Secure? Also... when you say IOT what kind of devices are you talking about? What about a Nest thermostat or Nvidia Shield or Apple TV? Last question, what about iPhones, should they be on IOT as well?
Thanks Cody good video. I am trying to find some more information on why you would allow Default to talk to all LANs and Devices. Are there specific reasons or white papers you can help point me at to address why this is needed. I have been running without this for some time and just want to expand my knowledge incase I have been doing something incorrect.
This is the best video but one issue I had with this setup is that HomeKit devices on the IoT network stop working when the blocking firewall rules are put into effect. I tried searching the UI community and Reddit but looks like there’s not a clear guide on how to keep HomeKit devices segregated on an IoT VLAN while allowing HomeKit to work properly. I tried putting HomePods on the IoT but iPhones on the Secure VLAN can’t reach them. Same for the other configuration. mDNS settings didn’t clear this up for me. I would love if you could take this one as a separate video: “HomeKit Setup with UniFi.”
Thanks a lot, Cody, for this video! I guess all of us really appreciate your work!! ...but, may I ask you a question please? The identity VPN feature... I would like to do the same as you in your video to allow the vpn users only access to my nas (it has the function as an exchange drive for teachers). So if I do exactly the same as you in your video, is it the same as split tunneling? So the users have access over vpn to my nas from their homes/their common school, but all their home/school traffic (normal browsing, streaming, etc.) doesn't run over our private internet connection... Am I wrong or does all their traffic run over my private internet connection? And if thats the case, how can I only allow split tunneling? I hope you can help or want to help me!! I've tried it with wireguard, but it doesn't work as expected (I'm sure it is a layer 8 problem ;) ) and also with openvpn. It was working, but the connection speed could be much better. Thanks a lot in advance, Cody!!
Probably the best Unifi instructional videos out there. I know most of this of it but great to fill in a few gaps and refresh the brain cell! VPN wifiman for desktop! Didn't even know that existed 🤦🏻♂️🤣
Thank you so much for sharing this video! In addition to using these configurations, how would one set up Pi-hole with Unbound on a Synology NAS and use that as the DNS server on a UDM Pro/Pro Max?
Cody great video! Tks for sharing. Can you help me with one doubt? In the RFC1918 rule, if I have changed the IP address ranges in my network should I adapt the RFC1918 rule as well? Eg: 192.168.1.1 to 1.1.16.1... would affect the three IP ranges in the RFC1918 rule?
Amazing tutorial. Good Job! but I am still with old square USG due to less budget that satisfies home security needs. Anyway i got the knowledge. Thanks Cody...
Thank you for sharing your expertise with us in this video. In our company, we have a small office and in different locations. Is it possible to control them all from one location? Sorry for asking, but I am new to the Unifi WiFi network and am trying to figure it out.
Have you considering doing a video showing a potential migration from the UDR to a UDM (pick your flavor)? I know besides myself that others would be interesting in it.
Hey Codi, very nice 2024 tutorial from "zero to hero"! 1 question, does the speed limit rule apply to the entire network or to one single client of that network ? If i got this correctly, setting X/X (mbps) means all guest clients have to share a X/X internet bandwidth...am I right ?
Thank you for this video. What is your reason for having a different WiFi subnet? I get why you want to have separate subnets for your IoT, Guest, and Camera devices, but why split your main subnet into two parts?
Excellent video. Considering upgrading to Unify from a mix of various, random gear...wanted something more Unified, pardon the pun...BTW I found your channel at the right time, great information.
Would be nice to see, which things from this video couldn't be achieved by just using Layer 3. There's almost no resources about Ubiquiti L3 after recent updates. It would be nice to maintain inter-VLAN traffic with ACLs when UDM is down.
WDYT about using the Default network solely for adoption, then having a separate Management VLAN where the Unifi devices live? Would be cool to see a video about setting that up. I set it up but I'm not sure what optimizations are appropriate. Eg, should I check Isolate Network for Default? I did (stupidly) find that if you remove DHCP from Default then you have to boot into recovery mode and reset to factory default settings. Getting into recovery mode was a huge pain, as the UDM-SE just booted as normal despite holding down Reset. It took ~30 tries! EDIT: You started talking about blocking IoT from accessing gateways, then you blocked Secure from accessing gateways? Maybe I'm confused by the naming, eg you have a network named Secure and then create a rule "Secure IoT". I don't like naming the profiles what they are for, instead I name them what they are, eg "IoT gateway". Also I like Trusted for the network name. It would be good to mention that after setting the router to a L3 switch, firewall rules will not be applied anymore. Separating IoT from Secure is good, but you don't want hacking your fridge to compromise other IoT devices (like a door lock!). How to block IoT to IoT by default, but allow it on a case-by-case basis? Traffic on the same VLAN won't use firewall rules, so maybe this is not possible. I find it cleanest (especially when doing this for multiple networks) to block IoT to all gateways' HTTP, HTTPS, and SSH. I don't see a point in blocking non-IoT gateways. It's the same device as IoT's gateway. The important part is that nothing can be done with any gateway.
Very nice video as always! I did my setup not to long ago. But I am struggling with airplay/cast function to my LG smart TV. I like it to be on a other vlan then default with airplay and casting working. Any ideas?
Thank you for this! How do the Traffic & Firewall rules you created differ from the rules created with you check the "Isolate Network" box on the network config?
Yoooo I’m so excited to watch through this, I haven’t touched my UDMSE config in over a year and I know with an update some of my firewall rules went wonky so this will help a lot
Cody, is there a way to copy certain configurations from one UDM backup, and import them into another UDM? For example Copy all the VLANS, Firewall Rules and VPN's from one UDM, and import only those selections into another UDM Pro?
Hi, you say, that you block secure from accessing IoT. Usealy Smartphones and Laptops are in the secure network. What if you want to use a IoT Device App at the secure devices? Do you change the Wifi Network to do this?
What about when using a UNVR for the cameras? You only need to install Protect on the UNVR and then Adopt them via the UNVR in that case, right? I'd read elsewhere to: use both ports on the back of the UNVR. Connect the SFP port on the UNVR to the SFP port on the switch and put the SFP port (on the switch) in the 'Cameras' VLAN. Then connect the RJ-45 port on the back of the UNVR to the switch also and put the RJ-45 port connected to the RJ-45 on the UNVR on your Default network LAN (and that this will improve throughput and reduce buffering). Do you agree with this setup?
Hope you can do a video on the Tesla Wall Connector for some reason,. We Tesla owners can't connect the wall connector to Unifi Wifi. Tesla custumer support are not that informed in networking so we have to rely on our knowhow to find the sultion. Been following you for a while, so maybe you can get down to the cause and see if we can set something up on our settings, other than their recommendation of just having the 2.4Ghz radio on and only using WPA2. Thanks
How happy I was you have done a fantastic and easy to understand installation, very many and good tips for my part. Keep up your movies I love them +++++
Will you be going over any IPV6 configurations in the future with Unfi, love your videos as I have used them for reference to help setup my home network and firewall rules. Thanks!
Have they fixed the issue with the UDM Pro that causes it to brick after power loss until you remove it from power for 24 hours? As of a couple of months ago they hadn't. I had to switch to a UXG-Max and a UCK2.
Hi, what is your advice…the Cloud Gateway Ultra of Max? I have a 1Gb Ethernet connection and I only use the network option in Unifi because my cameras are from Eufy.
Thank you so much for this. Very easy to understand and as a new comer to Ubiquity ecosystem, soon I'll install my home network follow all your steps. Have some questions and wonder what is the best way to contact you for a resolution
Cody, do you know if you will be able to disable shadow mode in the case that you need to run two different networks connected from your UDM PRO LAN port to a second UDM PRO Wan port?
One question about IDS/IPS: is this also limiting the speed for LAN-internal traffic (PC to NAS for example) to the limit of the router used (3.5 Gbps for UDM SE for example)? Is all this traffic then routed "over" the UDM for IDS/IDS inspection? Or is this feature for external WAN connections only? Greetings from germany :)
Great video, I am still a bit confused with my upcoming setup. It's a small office 1000sqft split in 3 areas but open space. I was putting together my setup and ended up over $1000 which I think is a bit overboard, I just want (3) indoor cameras, poe. I have fios gbit coming and running my lines next week, so I was curious if you can provide any suggestions. No doorbels neded just 3 cameras (was thinking 2k torrents) and thats about it, would like 24hr recording and only need 7-10 days storage, specifically the mvr option as im abit confused there, would the $99 option work in my scenario? I appreciate the help!
I legit just got a new Ubiqiti install and added new switches, APs, an NVR, etc. I and I'm starting from scratch. But I have a few questions, in my network there is also a Synology NAS with an Ubuntu Virtual Machine running an ODOO Application. Ask : - In which Vlan is this best placed (Management!)? - This Application must be available via the internet (cloud), certain adjustments are required in the settings (VLAN, Profile, Firewall), only Staff & IoT Users should be able to do this.
So if you want to use PPSK and you want guests to be able to present on say apple tvs and print but dont want guests to see each other or staff, but want staff to be able to see each other for airdrop, I assume your only option would be to create a PPSK SSID for your secure network and your iot network and create a separate SSID for guests on the guest network since device isolation is enabled by SSID? Or would you make a single PPSK SSID and create firewall rules to allow the specific ports etc used by airdrop within the secure network only?
I confuse myself a lot making rules. Whats the best way to write a rule if I have say 5 Roku tvs in IoT? Need the Main secure network to talk to the Rokus but not talk back to secure. Like I said, I confuse myself a lot and what seems logical when making rules doesn’t work sometimes.
Great tutorial, from the preview this routing hardware looks like kind of as Cisco major competitor, sure you can configure yourself into failure, thats always challenges , but i like that this hardware is affordable it have the 2 10GB ports which can be used for wan and for lan.
@17:35, why do you add your main IP and the other 2 IP address to set up RFC1918? - (172.16.0.0 and 10.0.0)? any why those specific numbers and why that subnet?
Do you know how to isolate ipcameras on a vlan with the UDM pro running protect on it. If the cameras are on another vlan the protect app can't see them so I'm looking for a way around that to isolate the cameras from the default network. Unifi support was not helpful. As of now the only way I know how to do it is to buy a separate UNVR pro and put that on its own VLAN with the cameras.
I've been carefully following this and I see a few differences on what I'm seeing only to find out that I'm still on Network 8.0.28 -- I have the original UDM PRO -- I've been hitting update button and I'm not getting any new updates. I'm on the official release. how did you update yours to 8.2.93? Should I switch to release candidate? I have factory reset all my devices today too.
So I use it as a distribution switch all my other switches connect to it. In a home network you probably don’t need this but since I review it it’s in my rack
Question: how come when I setup L3 mitigation, sometimes my network certain devices gets complete slow down to near 0 mbps? I have to physically restart the switch to go back to normal. Also if I go back to normal mitigation L2 it is normal.
That is a good video. But we are having problem with ID or wireguard VPN (we didn't test openvpn). Everything is set to default (ips, firewall, ...). 1. we created wireguard server 2. add some users 3. install wireguard client 4. user vas able to connect to vpn, user was able to ping VPN gw, user was able to ping UDMPM network, user was able to use internet. 5. but user was unable to ping his own local network when connected to VPN. 6. after restart UDMPM, user was able to connect to vpn, ping vpn gw, able to ping UDMPM network. 7. but user was unable to ping his own local network and internet was not working. This is really strange as this happened now on 3 different devices without firewall rules changes. I am missing something or this is some kind of bug. We tried with different router (different brand) and everything is working as it should.
Hey Cody, I think you made a bit of a mistake around the 27 minute mark. You made a port group called Secure IoT and made that the IP of the Secure network gateway. Then after making some block rules, you talked about how you could block the Secure network from being able to get to the UDMP login page, and you used the Secure IoT port group to do that, but this was all about blocking the Secure network from the login page, and had nothing to do with the IoT network, right? Cause your PC had a .40.x address and this was about blocking just to its own gateway login page.
Yeah - I found this entire section confusing. Even the fact that he started by saying that it's not best practice to allow the IoT network access to the UDM, but then switched to stop the Secure network from accessing the UDM. Why would you block your trusted PCs from being able to get to the UDM? How would you then administer the UDM if you don't have it connected to the Unifi Cloud?
Yeah, if you check @23:02 in his 2023 Setup Video, he does as intended I believe for Blocking the IoT Network to Gateways and then Blocking the IoT to UDM Interface.
Ok I followed this better then I did in 2021. But I have a question on one of the firewall rules. The block inter-vlan rule I think is causing all my home automation issues that I randomly have. All my IoT devices are on the same vlan but all my Apple devices are giving me issues especially with AirPlay or AirPrint. Is this a bonjour thing or a rule issue? Or something else. If I remove the rule it works but I kinda don’t want to do that. I was thinking of putting all my Apple devices into their own group with static IPs and allow them but that seems like it may be too much or unnecessary?
Thank you so much for making these complete setup videos! This technically counts as a community service.
CODY I NEEDED THIS! I legit just got a new Ubiqiti setup a few months ago and added new switches, AP’s, a NVR etc. I reset my entire network a few days ago and I’m starting from scratch. Your timing is impeccable!
Literally set mine up a few weeks ago and wished he had a newer guide out... 🤣
Can't thank you enough for making this video. I am retired it (71 now) and I never thought I would still be doing this. Donating my time as an IT volunteer for non-profits "fixing" stuff.
Thanks for watching! That’s great you’re volunteering your time. Hope these videos have been of help :)
Cody, one note for the next update to this series- You actually can have a LAN-In firewall rule that blocks all IP addresses from one of your subnets to the gateway address. This won't block internet access, as that traffic's destination IP address isn't a match. It's accomplishes same as the rules you used, but is a little more secure and clean as you do it with fewer rules, and don't end up only blocking specific ports (21,80,443). As other vulnerabilities crop up that affect other ports, you end up better protected. Only gotcha is make sure you test how this affects cams, I don't have a camera network to test with, but this worked great for securing Unifi from my IOT and Guest networks.
Can you further explain this?
@@ayden8901 Sure, but it's a bit complicated, so I'll try my best. If you skip to around 24:07, this is where this all starts to become relevant. Cody wants to prevent devices on various subnets from talking to his Dream Machine (this is best practice, and you should absolutely want this). The way he does this is he makes a firewall rule that blocks devices on each subnet from talking to the gateway address of the Dream Machine on other subnets (example: devices on the IOT network shouldn't talk to the gateway address of *other* networks). Cody demonstrates this from the Secure network, but doesn't block devices on the Secure network from talking to the gateway of the Secure network.
Cody explains at 25:38 that if he included 192.168.40.1 in his list, devices on the Secure network would no longer have internet access. This is actually not correct. When the firewall sees a packet coming from a device on the Secure network for the internet, it sees a destination address on the public internet (not the gateway address of the UDM), and would allow it through, even if the firewall rule said to block devices on the secure network from talking to 192.168.40.1. Cody then demonstrates creating a rule that blocks devices on a subnet from talking to the management ports of the gateway address for that subnet, but it still allows those devices to attempt to send other kind of traffic to the UDM Pro (all other ports).
The cleaner way that I suggest is stick with Cody at the start:
-Create your Allow Established/Related Traffic rule
-Create your Allow Default to all VLANs rule
-Create the Block Inter-VLAN Routing rule
BUT THEN:
-Create a rule to block your Guest and IOT networks from talking to every gateway address
-Ensure that the network you use when you manage your UDM doesn't block the gateway address on that same subnet
I don't have cameras, or a camera subnet, so I'm done here. But if you do, Cody's right that you need to let the cameras talk to their gateway address, and that whatever device you use to view the cameras needs to be allowed to talk to the gateway address for the cameras AND the network that the cameras are on. An odd fluke of Unifi, is the gateway addresses are not treated as the rest of that subnet.
If I've lost you at any point here, do exactly what Cody suggested. His guide is still great. But if this all makes sense, you'll probably prefer not allowing random IOT devices to hit almost every port on the UDM, as they have no legitimate reason to be allowed to do this.
@@kuftamarc Your client devices don't actually need to talk to the default vlan. The management IP for switches, APs, etc isn't needed for clients to function. Clients only need to reach DHCP and DNS on gateway IP if the console runs those servers (or other specific IP if running a local DHCP/DNS server elsewhere) and the internet. So my LAN LOCAL rules are to allow est/related, allow DHCP and DNS any/any, allow my Trusted devices IP groups (my user vlan and server vlan subnets for 2 locations, camera subnet and VPN subnet) to Trusted devices (lazy way to allow anything trusted full access to any of those subnets gateways for management), then deny RFC 1918 to RFC 1918. If you want to be a tad more secure you can remove cameras from the Trusted devices IP group, move to a Camera IP group, then on LOCAL LAN allow source camera to destination their gateway with only the ports needed for their functionality. Oh, and because it's not needed I did block my cameras from the internet.
@@Noob-5 Good call on the DNS. I’m not running it on my gateway, so not an issue for me but may be for others. I don’t think you need to allow DHCP any/any, as the destination IP address that your gateway gets is the broadcast IP (255.255.255.255), not the DHCP server’s unicast address, so the gateway wouldn’t block it. You could test to be sure. I block all traffic from most my subnets to their gateway on my IOT and Guest networks and never had an issue picking up an IP.
I have apple homeket devices on the IOT network and now I can't see them from IOS Home app, can I make an exception for devices that need to get to homekit. i realize I could get on the IOT wifi, it would be easier if IOT network can get information to and from homekit hub. I am not sure I am saying this correctly thank you
Great video as always! For those experiencing issues with ICMP/Ping tests and still getting timeouts after setting up the rules to allow network communication, the likely cause is that Windows Firewall blocks ICMP by default. To resolve this, you'll need to create a custom inbound rule in Windows Firewall that specifically enables ICMP over TCP/IPv4. This should allow the devices to communicate successfully.
Thank you Cody for the 2024 yearly complete setup. Unifi changes their UI so much every year that it really does help each and everyone of us to start from scratch without forgetting anything.
I really was looking forward to this video as I am after moving house and had to reset all my network devices.
Your videos helped me set my network before and I'm very thankful!
Keep doing what you do best, a great job!
What perfect timing! I was just watching your 2023 video as I'm going to re-do and start from scratch my UDM-Pro this afternoon. I guess I'll delay a bit after I digest this video. Thank you!
Amazing how many creators just happen to put out a Unifi Network Complete guide at the same time... ;) . Love your videos!
Who else?
@ThinkGreek88 SpaceRex on the same day. How funny! This one has more details on firewall etc which is nice. The other is more beginner I would say.
@marc3793 I'm new in the whole network thing..
Trying to set up my new house.
Thanks for the hint I will check the vid out too..
Great video. Can you expand on what you said at 24:55 around not wanting to block a camera VLANs gateways due to it slowing things down. What then would be the process for setting up a camera VLAN? Would you still create "Black Cameras To Gateways" and "Block Cameras to UDM Interface" rules for the camera VLAN?
Thank you Cody for making and remaking this video every year. Unifi changes their UI so much that it really is needed so we can go back and refer to something when needed. Your videos helped me set my network a year ago and I'm very thankful!
Thank you for this information! I just bought a new UDM, POE 24 port switch, NVR and 6 cameras for my new home and I am slowly installing it now. Very timely information!
Thanks for this videos, recently switch to Unifi and loved the guides to know the best practices and new options. Keep it up
Good timing
My Cloud Gateway Ultra will arrive today.
Just launched yesterday here in japan.
Keep up the good work
Great video, don’t know if I missed it or misunderstood, but with the separate VLANS for IOT and secure, how do I control my IOT devices with my iPhone that would be connected to the secure network?
Thank you so much! I was playing with these firewall settings last week and missed the top down rule set. Thanks for making another great video!
Well that was fast! Watching it now as I just got my WAP yesterday so I can finally use my UDM SE.
If I followed this design what network would I use for my main workstation and my server? Secure? Also... when you say IOT what kind of devices are you talking about? What about a Nest thermostat or Nvidia Shield or Apple TV? Last question, what about iPhones, should they be on IOT as well?
Thanks mate! Finally I have clarified to myself how are vlans functioning! Huge thanks!!!
This is an unbelievable guide for any Ubiquiti user and configurator! Tyvm, you're awesome!
Thanks Cody good video. I am trying to find some more information on why you would allow Default to talk to all LANs and Devices. Are there specific reasons or white papers you can help point me at to address why this is needed. I have been running without this for some time and just want to expand my knowledge incase I have been doing something incorrect.
I'm pretty new to this topic and I was just asking myself the same question - would be glad if someone could clarify this!
Just replaced my pfSense router with UDMP SE, this video was fantastic! Thank you Cody!
This is the best video but one issue I had with this setup is that HomeKit devices on the IoT network stop working when the blocking firewall rules are put into effect. I tried searching the UI community and Reddit but looks like there’s not a clear guide on how to keep HomeKit devices segregated on an IoT VLAN while allowing HomeKit to work properly. I tried putting HomePods on the IoT but iPhones on the Secure VLAN can’t reach them. Same for the other configuration. mDNS settings didn’t clear this up for me. I would love if you could take this one as a separate video: “HomeKit Setup with UniFi.”
Thank you for this video will do this weekend and add this as favorite! Keep on going hope reach 100k SOON!
Thanks a lot, Cody, for this video! I guess all of us really appreciate your work!!
...but, may I ask you a question please? The identity VPN feature... I would like to do the same as you in your video to allow the vpn users only access to my nas (it has the function as an exchange drive for teachers).
So if I do exactly the same as you in your video, is it the same as split tunneling? So the users have access over vpn to my nas from their homes/their common school, but all their home/school traffic (normal browsing, streaming, etc.) doesn't run over our private internet connection... Am I wrong or does all their traffic run over my private internet connection? And if thats the case, how can I only allow split tunneling?
I hope you can help or want to help me!! I've tried it with wireguard, but it doesn't work as expected (I'm sure it is a layer 8 problem ;) ) and also with openvpn. It was working, but the connection speed could be much better.
Thanks a lot in advance, Cody!!
Loved this one but hanging out for the Camera Vlan set up. Any time frame?
Probably the best Unifi instructional videos out there. I know most of this of it but great to fill in a few gaps and refresh the brain cell!
VPN wifiman for desktop! Didn't even know that existed 🤦🏻♂️🤣
Thank you so much for sharing this video! In addition to using these configurations, how would one set up Pi-hole with Unbound on a Synology NAS and use that as the DNS server on a UDM Pro/Pro Max?
Cody great video! Tks for sharing. Can you help me with one doubt? In the RFC1918 rule, if I have changed the IP address ranges in my network should I adapt the RFC1918 rule as well? Eg: 192.168.1.1 to 1.1.16.1... would affect the three IP ranges in the RFC1918 rule?
Excellent!! What you do with the printers?? IOT? Secured? or dedicated vlan?
Separate VLAN is good if you need users on more than one VLAN to have access to the same printer(s).
Amazing tutorial. Good Job! but I am still with old square USG due to less budget that satisfies home security needs. Anyway i got the knowledge. Thanks Cody...
Thank you for sharing your expertise with us in this video. In our company, we have a small office and in different locations. Is it possible to control them all from one location?
Sorry for asking, but I am new to the Unifi WiFi network and am trying to figure it out.
Have you considering doing a video showing a potential migration from the UDR to a UDM (pick your flavor)? I know besides myself that others would be interesting in it.
Hey Codi, very nice 2024 tutorial from "zero to hero"! 1 question, does the speed limit rule apply to the entire network or to one single client of that network ? If i got this correctly, setting X/X (mbps) means all guest clients have to share a X/X internet bandwidth...am I right ?
What online courses can you take for unifi to get a deeper understanding of firewall rules etc. Does Ubiquiti offer online courses?
Great video, well structured and explained. I was finally able to apply f/w rules between my vlans and confidently fault find to fine tune. Thank you.
Appreciate the work you put into this and thank you for sharing 🤝
Thank you for this video. What is your reason for having a different WiFi subnet? I get why you want to have separate subnets for your IoT, Guest, and Camera devices, but why split your main subnet into two parts?
Excellent video. Considering upgrading to Unify from a mix of various, random gear...wanted something more Unified, pardon the pun...BTW I found your channel at the right time, great information.
Let’s goooo! Was waiting for this one! ❤
Would be nice to see, which things from this video couldn't be achieved by just using Layer 3. There's almost no resources about Ubiquiti L3 after recent updates. It would be nice to maintain inter-VLAN traffic with ACLs when UDM is down.
WDYT about using the Default network solely for adoption, then having a separate Management VLAN where the Unifi devices live? Would be cool to see a video about setting that up. I set it up but I'm not sure what optimizations are appropriate. Eg, should I check Isolate Network for Default?
I did (stupidly) find that if you remove DHCP from Default then you have to boot into recovery mode and reset to factory default settings. Getting into recovery mode was a huge pain, as the UDM-SE just booted as normal despite holding down Reset. It took ~30 tries!
EDIT: You started talking about blocking IoT from accessing gateways, then you blocked Secure from accessing gateways? Maybe I'm confused by the naming, eg you have a network named Secure and then create a rule "Secure IoT". I don't like naming the profiles what they are for, instead I name them what they are, eg "IoT gateway". Also I like Trusted for the network name.
It would be good to mention that after setting the router to a L3 switch, firewall rules will not be applied anymore.
Separating IoT from Secure is good, but you don't want hacking your fridge to compromise other IoT devices (like a door lock!). How to block IoT to IoT by default, but allow it on a case-by-case basis? Traffic on the same VLAN won't use firewall rules, so maybe this is not possible.
I find it cleanest (especially when doing this for multiple networks) to block IoT to all gateways' HTTP, HTTPS, and SSH. I don't see a point in blocking non-IoT gateways. It's the same device as IoT's gateway. The important part is that nothing can be done with any gateway.
Very nice video as always!
I did my setup not to long ago.
But I am struggling with airplay/cast function to my LG smart TV. I like it to be on a other vlan then default with airplay and casting working. Any ideas?
Thank you for this! How do the Traffic & Firewall rules you created differ from the rules created with you check the "Isolate Network" box on the network config?
So is this a complete guide I can follow to the letter? And does this work if my ISP Modem isn't on Bypass mode?
Yoooo I’m so excited to watch through this, I haven’t touched my UDMSE config in over a year and I know with an update some of my firewall rules went wonky so this will help a lot
Really appreciate your dedication to do this each year, straightforward and clear explanation
Cody, is there a way to copy certain configurations from one UDM backup, and import them into another UDM? For example Copy all the VLANS, Firewall Rules and VPN's from one UDM, and import only those selections into another UDM Pro?
thanks again cody, i needed to use this again after nerfing my UDMP
Hi, you say, that you block secure from accessing IoT. Usealy Smartphones and Laptops are in the secure network. What if you want to use a IoT Device App at the secure devices? Do you change the Wifi Network to do this?
Just setting up a new Company with two sites thank you so much@
Thanks for all the hardwork on this Cody
What about when using a UNVR for the cameras? You only need to install Protect on the UNVR and then Adopt them via the UNVR in that case, right?
I'd read elsewhere to: use both ports on the back of the UNVR. Connect the SFP port on the UNVR to the SFP port on the switch and put the SFP port (on the switch) in the 'Cameras' VLAN. Then connect the RJ-45 port on the back of the UNVR to the switch also and put the RJ-45 port connected to the RJ-45 on the UNVR on your Default network LAN (and that this will improve throughput and reduce buffering).
Do you agree with this setup?
Hi Mac, If you're routing traffic from one UMD to another. Are there any useful firewall rules to harden the setup?
I've just updated my setup with your video last year, but still thank you lol
Hope you can do a video on the Tesla Wall Connector for some reason,. We Tesla owners can't connect the wall connector to Unifi Wifi. Tesla custumer support are not that informed in networking so we have to rely on our knowhow to find the sultion. Been following you for a while, so maybe you can get down to the cause and see if we can set something up on our settings, other than their recommendation of just having the 2.4Ghz radio on and only using WPA2.
Thanks
How happy I was you have done a fantastic and easy to understand installation, very many and good tips for my part. Keep up your movies I love them +++++
As I’ve always said, I love your content! Keep up the great work!
Is there a difference between the 'Simple' Block Networks that you did between Secure and IoT versus the Blocking Inter-VLAN routing?
Will you be going over any IPV6 configurations in the future with Unfi, love your videos as I have used them for reference to help setup my home network and firewall rules. Thanks!
Most likely not as I don’t use it but you never know what the future holds :)
Have they fixed the issue with the UDM Pro that causes it to brick after power loss until you remove it from power for 24 hours? As of a couple of months ago they hadn't. I had to switch to a UXG-Max and a UCK2.
Thanks for wonderful setup complete video from Unifi,
If possible can you make it same kind of setup from TP-Link it would be great helpful 😊
These videos are always super helpful! Thank you!
Hi, what is your advice…the Cloud Gateway Ultra of Max? I have a 1Gb Ethernet connection and I only use the network option in Unifi because my cameras are from Eufy.
Thank you so much for this. Very easy to understand and as a new comer to Ubiquity ecosystem, soon I'll install my home network follow all your steps.
Have some questions and wonder what is the best way to contact you for a resolution
Just the right time before my UDM Pro arrive.
Have fun building it out :)
Cody, do you know if you will be able to disable shadow mode in the case that you need to run two different networks connected from your UDM PRO LAN port to a second UDM PRO Wan port?
Can wait till we have you at 500k subs
I learn a bunch every video you make!
One question about IDS/IPS: is this also limiting the speed for LAN-internal traffic (PC to NAS for example) to the limit of the router used (3.5 Gbps for UDM SE for example)? Is all this traffic then routed "over" the UDM for IDS/IDS inspection? Or is this feature for external WAN connections only? Greetings from germany :)
It only affects wan traffic.
Great video, I am still a bit confused with my upcoming setup. It's a small office 1000sqft split in 3 areas but open space. I was putting together my setup and ended up over $1000 which I think is a bit overboard, I just want (3) indoor cameras, poe. I have fios gbit coming and running my lines next week, so I was curious if you can provide any suggestions. No doorbels neded just 3 cameras (was thinking 2k torrents) and thats about it, would like 24hr recording and only need 7-10 days storage, specifically the mvr option as im abit confused there, would the $99 option work in my scenario? I appreciate the help!
Thanks for the 2024 setup guide.
hello, where do you get the icons to use with draw io ? thanks
I legit just got a new Ubiqiti install and added new switches, APs, an NVR, etc. I and I'm starting from scratch.
But I have a few questions, in my network there is also a Synology NAS with an Ubuntu Virtual Machine running an ODOO Application.
Ask :
- In which Vlan is this best placed (Management!)?
- This Application must be available via the internet (cloud), certain adjustments are required in the settings (VLAN, Profile, Firewall), only Staff & IoT Users should be able to do this.
I watch this every year
Thank you for another build video!
So if you want to use PPSK and you want guests to be able to present on say apple tvs and print but dont want guests to see each other or staff, but want staff to be able to see each other for airdrop, I assume your only option would be to create a PPSK SSID for your secure network and your iot network and create a separate SSID for guests on the guest network since device isolation is enabled by SSID? Or would you make a single PPSK SSID and create firewall rules to allow the specific ports etc used by airdrop within the secure network only?
have you experienced an issue with NVRs dropping connectivity when blocking inter vlan routing?
thank you very much. Even with experience, this is a very good refresh to check if something can (has to) be improved.
Thanks for watching :)
Hey Cody, thanks for you great video.
any chance you can cover off ipv6 and rules between networks?
Thanks Cody, have to have a look later!
I confuse myself a lot making rules. Whats the best way to write a rule if I have say 5 Roku tvs in IoT? Need the Main secure network to talk to the Rokus but not talk back to secure. Like I said, I confuse myself a lot and what seems logical when making rules doesn’t work sometimes.
Isn't default set up to be able to communicate to all networks by default?
Great tutorial, from the preview this routing hardware looks like kind of as Cisco major competitor, sure you can configure yourself into failure, thats always challenges , but i like that this hardware is affordable it have the 2 10GB ports which can be used for wan and for lan.
@17:35, why do you add your main IP and the other 2 IP address to set up RFC1918? - (172.16.0.0 and 10.0.0)? any why those specific numbers and why that subnet?
Any reason to configure switch ports to direct devices to virtual networks vs virtual network override in the device settings?
Great video, but a little fast. How about a video discussing Guest Networks printing to a different VLAN using AirPrint.
Great video, so helpful…💪 thanks! 🙏
Can you do a video on setting up a mail server/ access on the udm?
Love the IoT network name of Deloris - I hope West World can make a movie or one more season to wrap everything up
Do you know how to isolate ipcameras on a vlan with the UDM pro running protect on it. If the cameras are on another vlan the protect app can't see them so I'm looking for a way around that to isolate the cameras from the default network. Unifi support was not helpful. As of now the only way I know how to do it is to buy a separate UNVR pro and put that on its own VLAN with the cameras.
I've been carefully following this and I see a few differences on what I'm seeing only to find out that I'm still on Network 8.0.28 -- I have the original UDM PRO -- I've been hitting update button and I'm not getting any new updates. I'm on the official release. how did you update yours to 8.2.93? Should I switch to release candidate? I have factory reset all my devices today too.
This might be a noob question, but why use the USW-Pro-Aggregation and the Switch Pro Max?
So I use it as a distribution switch all my other switches connect to it. In a home network you probably don’t need this but since I review it it’s in my rack
Great video Cody!
Question: how come when I setup L3 mitigation, sometimes my network certain devices gets complete slow down to near 0 mbps? I have to physically restart the switch to go back to normal. Also if I go back to normal mitigation L2 it is normal.
That is a good video. But we are having problem with ID or wireguard VPN (we didn't test openvpn). Everything is set to default (ips, firewall, ...).
1. we created wireguard server
2. add some users
3. install wireguard client
4. user vas able to connect to vpn, user was able to ping VPN gw, user was able to ping UDMPM network, user was able to use internet.
5. but user was unable to ping his own local network when connected to VPN.
6. after restart UDMPM, user was able to connect to vpn, ping vpn gw, able to ping UDMPM network.
7. but user was unable to ping his own local network and internet was not working.
This is really strange as this happened now on 3 different devices without firewall rules changes. I am missing something or this is some kind of bug.
We tried with different router (different brand) and everything is working as it should.
If I put long range wifi 7 with existing dream box will WiFi 7 work ? Thanks
Hey Cody, I think you made a bit of a mistake around the 27 minute mark. You made a port group called Secure IoT and made that the IP of the Secure network gateway. Then after making some block rules, you talked about how you could block the Secure network from being able to get to the UDMP login page, and you used the Secure IoT port group to do that, but this was all about blocking the Secure network from the login page, and had nothing to do with the IoT network, right? Cause your PC had a .40.x address and this was about blocking just to its own gateway login page.
Yeah - I found this entire section confusing. Even the fact that he started by saying that it's not best practice to allow the IoT network access to the UDM, but then switched to stop the Secure network from accessing the UDM. Why would you block your trusted PCs from being able to get to the UDM? How would you then administer the UDM if you don't have it connected to the Unifi Cloud?
Yeah, if you check @23:02 in his 2023 Setup Video, he does as intended I believe for Blocking the IoT Network to Gateways and then Blocking the IoT to UDM Interface.
Ok I followed this better then I did in 2021. But I have a question on one of the firewall rules. The block inter-vlan rule I think is causing all my home automation issues that I randomly have. All my IoT devices are on the same vlan but all my Apple devices are giving me issues especially with AirPlay or AirPrint. Is this a bonjour thing or a rule issue? Or something else.
If I remove the rule it works but I kinda don’t want to do that. I was thinking of putting all my Apple devices into their own group with static IPs and allow them but that seems like it may be too much or unnecessary?
Bro they should pay you for this. It is greatly appreciated!!