Part 2 | Ultimate Home Network 2021 | VLANs, Firewall Rules, and WiFi Networks for IoT UniFi 6.0

  • Published on 26 Sep 2024

Comments • 606

  • @Dreamtwister2k 3 years ago +128

    This is the new standard video for Unifi setup in 2021. Very comprehensive and easy to understand. I thank you for the effort of putting it together. You have a killer setup!

  • @SnowShael 3 years ago +33

    As a Network Security Engineer by trade for over 10 years, Kudos on the well done video and making it so accessible to the masses. Great job.

  • @Nar1117 3 years ago +14

    Your videos are seriously an unbelievably valuable resource. You understand the IT space completely, and you offer a level-headed approach to teaching the theories that are most important. I learned a ton and I can easily trust that you're breaking it down the right way. Thanks!

    • @TheHookUp 3 years ago

      Thanks! That means a lot.

  • @LanceMcGrew 3 years ago +4

    Just like my granddaughter - talking faster than I can think. Even so, yet another video for the reference library. Thank you for creating and sharing your knowledge.

  • 2 years ago +1

    Just ordered the new Dream Router and was looking on how to move to the next level with all my IoT devices. With your video, I found all I wanted to know: VLAN, Unifi, Firewalls, Home Assistant, Chromecast, ... Thank you very much!

  • @AdrianAmoroso 3 years ago +39

    I started this video thinking "Oh, I've done a lot of this myself" and ended with "Hmm, I've learnt so much and done a lot wrong" :).

  • @TexSweden 3 years ago +18

    Finally someone explains all the Unifi settings! =) thank you Rob!

  • @TheTF01 3 years ago +2

    By far the best walk through and explanation of the unifi system I’ve seen to date, and I’ve seen the vast majority.

  • @SCOOkumar 2 years ago +1

    omg I cannot tell you how useful this video was, THANK YOU SO MUCH FOR MAKING THIS VIDEO!!! I was having problems with my harmony hub on my IoT network but I was able to figure out the firewall rule I needed from this video. seriously man I cannot thank you enough

  • @jorgeferreira2009 9 months ago

    From someone not using Ubiquiti hardware, and so far behind in time, your videos are still a great source of knowledge. Thanks a lot and keep up the great work.

  • @pashadavidson6808 3 years ago +3

    I absolutely HATE that echo/show devices will join networks that they have been told to forget. But, I love your solution! I set up my Unifi rig and firewall rules based on your first series, and I'm still learning from your new series. Thank you so much for making these videos.

  • @FabianoChagas 1 year ago

    Seriously, this is one of many of your videos that should be part of the official unifi documentation. I always learn a lot from your videos.
    Thanks for sharing
    ✌️

  • @pastordasestrelas 2 years ago +4

    Thanks! This video has been so helpful in helping me to clarify how to batten down the hatches on my smart home security. Much appreash, man - keep up the great work! I dabbled a bit with Unifi but have switched to TP-Link Omada, applying the principles you explained super clearly. Take care and stay safe!

  • @yourpalfranc 3 years ago +2

    Well, Rob, you saved me again!! I got my 2 U-6-Lite APs installed yesterday, and things went basically pretty well. I defined my wireless network with pretty much default settings (using the classic UI), however I had 4 devices that would not connect. I'd watched this video before, and actually commented, but I'd really forgotten the details. So, my first source for help with the issue was Unifi, and frankly, these days, that's just a waste of time. They finally sent me an email today asking for screen shots of stuff they couldn't explain to me yesterday. They're a mess, and they can't even decide on which UI they're going to support. The last encounter I had with them a few weeks ago, the tech had me switch to the classic UI, so that's what I've been using. So, after getting some help from the Unifi community forum yesterday, and some ideas from the problem device vendors' forums (it was a Wyze Cam, a Logitech Harmony Hub, and a couple of old TrendNet cameras that wouldn't connect), I thought I'd take a look at your video again, and BAM!!! It was only a matter of setting the security level to WPA-2 (I had it WPA-2/WPA-3) and disabling PMF (default was optional). Now, it's working like a beast!! So, I'll enjoy my new network for the weekend, maybe give some friendly names to devices, and then Monday tackle the granular definition of IoT/NoT, and VLANS. As I mentioned in my earlier comment, I've mimicked your network infrastructure very closely and I have a lot of the same smart home gadgets as well as Home Assistant. I guess you can call me one of your biggest fans!! Thanks again for the help!! ~Frank

  • @rcobsesssed 3 years ago +13

    Thank you so much for this! PLEASE consider doing a SONOS specific video. :-)

  • @ragrerules 3 years ago +15

    Oh perfect, I was waiting for this video! Just ordered my Unifi gear and was hoping you'd release this before it all got here!

  • @EsotericArctos 2 years ago

    I was rewatching this now as I was redoing my network, and now that I have Unifi equipment I thought I'd give it a try.
    Some settings have moved, but most of this is still relevant.
    Just as a note to anyone watching this: each AP or AP Group can only have 4 SSIDs per radio, so if you have IoT, NoT, Main and Guest set up, that is your limit of 4 SSIDs on a particular AP. I know Rob mentioned that quickly, but it is an easy one to miss.

    • @MacroAggressor 1 year ago

      Out of curiosity, do you know if each SSID occupies a radio full-time, or if, say, NoT and Guest don't have any connections the radios are free to be divvied up between Main and IoT as needed? (apologies if this doesn't make sense, hardware level stuff is a little out of my AO)

  • @jimturpin 3 years ago +6

    Thank you for taking the time to make your video series. As you mentioned, it is difficult to find information on many of the functions within the Unifi system, so your videos are somewhat like a video manual that I can go by to set up my own network. I hope Ubiquiti shows you some love and sends you a pile of money for taking care of one of their biggest oversights when it comes to their products!

  • @nodave77 3 years ago +10

    Thanks for doing all the hard work for the rest of us! These videos are extremely helpful to me, can't wait for the next one.

  • @sefvanbilsen8158 2 years ago +2

    Thanks for the informative videos. Small tip for users of BLUESOUND audio. I use Bluesound speakers with multiroom capabilities and it took some time to build in the right port access in the firewall rules. I gave them a static IP address in my IoT VLAN. They need TCP communication on port 443 and 5353 to become visible as a streaming speaker for your laptop/phone in your MAIN VLAN. So I created a LAN IN rule for the group of static IP addresses of the speakers and a source group port 443/5353. They work fine now.

  • @robertjackson771 3 years ago +2

    As always, thank you. The hard part is knowing that I should do this but also knowing how hard some of my devices were to connect to WiFi originally. I have a lot of devices that I would have to change around.

  • @Funkmaster007 3 years ago

    I've literally just upgraded my home network to the UDM Pro, US-24-PoE, US-8-POE, 3x G3 Camera, 2x NANO HD .... I am so glad I found this video series, going to be spending a few weekends tinkering, that's for sure! Awesome video, very helpful!

  • @mdaryabe 1 year ago +2

    Is there any hope for an updated version of this tutorial? It would be amazing if you get to do one!

  • @aldarion2222 3 years ago +2

    The quality of this tutorial is outstanding! So many useful tips and explanations. It should be pinned on any Unifi / networking / homelab subreddits and forums.

  • @chefkocher1 3 years ago +8

    I was eagerly waiting for this video! Going to move to a new house in a few months and I will be using this series and the 2019 tutorial to setup my network.

  • @brandtbealx 2 years ago

    Wow! THANK YOU. These three videos should come with the UniFi device from the factory!!!!!!!

  • @ourholm 3 years ago +2

    Finally a video on setup of UDM Pro that is very well explained, including not just the how but also the why. I'd love to see additional video from you on setup for the Apple eco system as mentioned by someone else below. I have Apple TV and want to limit who can access but not cripple its capabilities. Also have Ring devices and would love to know how to setup for them without crippling their feature set.

  • @Disksoft 3 years ago +5

    Your IGMP explanation was very nice, my Sonos is finally working in years across vlans!

    • @Sergetkint 3 years ago +9

      Could you explain how you managed this?
      I want my Sonos also on the IoT. What ports (UDP/TCP) are needed? What firewall rules? Is it working for mobile devices over WiFi? Is it working with Sonofy?

    • @wizardtm2 3 years ago +6

      I'm also struggling to get my Sonos working correctly on a separate IOT vlan 😳 please share how you did this 🙏🏻

    • @vor_ben 2 years ago

      @Sergetkint Do you now have a solution?

    • @Sergetkint 2 years ago

      Well I guess I have an idea how to fix it. I will use HomeAssistant where all these combine. Then with NodeRed or other let them interact.
      Hope to have some time next weeks...

  • @paulm2518 2 years ago

    Implemented the Plex and chromecast rule sets you mentioned in here then blocked vlan coms completely. Currently watching robocop via Plex on my smart tv which is isolated on a guest network. The firewall rules actually work. Thank you. What an excellent guide. I'll go watch vid 3 now :)

  • @SeaTaj 8 months ago

    If I would have watched this video first, I would have saved myself half a head of a hair. THANK YOU SO MUCH!
    IGMP was messing up my ESPhome configuration.

  • @ve3xti 3 years ago +10

    Perfect timing! I just installed my UDM-Pro yesterday and it didn’t take my old config file as the old controller was a newer version. Used your tutorial in the past and was happy with the setup. Can’t wait to dive in today. Thanks for your efforts!

  • @JohnDoe-yo2us 3 years ago +5

    Great video, thanks! Hope that one of the viewers has a recommendation for SONOS.

  • @teemup9247 3 years ago +1

    I am so glad I found your channel like a month ago. And as I said in the first part. It is good that someone finally addresses secure home network, especially with smarthome tech in the network.
    Keep it up!!

  • @mrsmith623 3 years ago +3

    The timing for this video could not be better! Next week I’m moving and have to set up my DMP. Great walkthrough as always. Thanks!

  • @michaelc3882 3 years ago +11

    Rob, Thanks for the video. These have been great and very helpful. The one thing I am struggling with is finding a step by step setup for accessing Sonos across VLANs once the firewall is setup. Can you help with understanding a step by Step review of firewall rules? There are multiple posts via a search but have not been successful in making them work. Is this something even possible or should I just give up and access Sonos on the same VLAN?

  • @Jeppefyn 3 years ago +1

    Just got my delivery after watching your 2021 video last week and looking forward to setup my unifi network. Keep up the great work :)

  • @PawluCachia 2 years ago +5

    Can this guide still be followed with the release of Unifi Network 7.0, or can you make an updated video showing the core changes between the two Unifi Controller versions?

  • @JohnyKnox 3 years ago

    It's crazy how much of this interface has changed in 4 months.. Creating a new network has so many more options now.

  • @janpoulsen498 2 years ago

    I think this video is understood primarily by network engineers.
    Having been one for more than 20 years, I really had to focus to follow.
    IGMP is such an advanced topic, I don't understand why you address it.
    And don't pick a VLAN number above 255, if you want your IP numbering to comply 🙂

  • @polzovotel 3 years ago +7

    Great video, thank you. A couple of questions:
    1. As you did not use the guest network for echo devices, there is no reason they will not be able to communicate locally - i.e. you used LAN network option, meaning that all devices in the same VLAN will be able to intercommunicate on all ports. (firewall is not involved in this case, communication is done on switch level)
    2. I do not see any reason to create an NTP rule - most devices will use TCP to contact the NTP server and will get an answer.
    Please, correct me if I am wrong.
    One more thing - I do suggest having an IoT isolated (guest) network for cloud devices that do not need to communicate with each other. And if you use Ethernet IOT make sure you turn on L2 port isolation.
    I personally like the idea to have your main WLAN (LAN network), then IOT (LAN network), and IOT isolated (guest network). This way you put all Chromecast, echo, printers etc. in IoT, everything else that you do not need to access directly from other WLANs you put in IOT isolated network. Devices in this IOT isolated can not see each other, can not reply to any network request from any other WLANs, and can only connect to the internet (cloud service only). As we have more and more devices (oven, smart switch, outlets, etc) that we have no idea what security protection they have, it may be a good idea to completely isolate them.

    • @smallqwaro 1 year ago

      I was wondering how he missed this

  • @blackjedi23 3 years ago +2

    Talk about detail breakdown. JEEEEEEEEEEEZUS
    That's probably 300$ worth of tech support if a technician logged in to my system to replicate this setup.
    THANKS

  • @BrianColeman1 3 years ago

    Man.... wow. As someone that just joined the unifi ecosystem, this is amazing.

  • @jimturpin 3 years ago

    Update. Took your advice and set up a network for the IoT stuff as you suggested. I have 3 APs total, one in the house, one in the garage, and one in the shop in the backyard. I had a LOT of issues with fixed devices bouncing back and forth from AP to AP, and generally just weird stuff happening as a result. By adopting the IoT scheme with the SSIDs IoT-House, IoT-Garage, and IoT-Shop, I locked down those pesky roamers to the most dominant AP for each IoT device and the system seems to be working very well as a result. Still too early to know for sure but based on the logfile the last couple of days, I have a strong sense your method is the way to go!

    • @TheHookUp 3 years ago

      Great to hear Jim!

  • @Zeric1 3 years ago +2

    A better solution for Cameras is to add a second NIC to the server for the Camera subnet, that solves the security problem while keeping camera streaming traffic off the router. This level of separation could be done with a single NIC listening to both the production and camera VLANs, providing the server is VLAN aware and handles it correctly. I chose to use a separate NIC as I had an Intel card with 4 x 1Gbps ports which gives me better performance than the motherboard NIC, and it's easy to implement.

  • @georgewilliams8228 3 years ago +3

    First, after finally purchasing a home and starting my smart home journey your content has been immensely informative and entertaining, thank you. Second, I would fit firmly in the pfSense category of part 1 of this series but, I also have extremely limited experience with Unifi hardware. I don’t know what Ubiquiti is hiding behind the IGMP snooping switch but your explanation of IGMP snooping @11:00 does not fit with Cisco, HP, etc. IGMP snooping is a switch feature and is used to limit the scope of multicast traffic in a layer 2 network, aka ethernet in this example. Snooping spies on the conversation the source/multicast router and interested party are having over IGMP. It uses that information to limit the delivery of frames to only the ports that have interested parties. Without snooping, multicast traffic gets treated as broadcast traffic and is sent out all ports except the one it was received from. When enabling snooping in your vlans you are also probably setting a feature of how to handle ‘unknown groups/addresses.’ I expect Ubiquiti’s default is to drop them and that is why it is causing issues.

    • @PaulSlootman 3 years ago

      Exactly this is what I was thinking while watching the video
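
Added example, not part of any comment and not Ubiquiti's code: a toy layer 2 switch that models the snooping behaviour @georgewilliams8228 describes, including the "unknown group" policy he suspects. It goes one step further by ageing out memberships; the 260 s timeout is the RFC 2236 default Group Membership Interval, and the port numbers and sample group are constructed.

```python
MEMBERSHIP_TIMEOUT = 260  # seconds; RFC 2236 default Group Membership Interval
SSDP_GROUP = "239.255.255.250"  # sample multicast group (SSDP discovery)


class SnoopingSwitch:
    """Toy switch that forwards multicast frames by snooped IGMP membership."""

    def __init__(self, ports, snooping=True, unknown_policy="flood"):
        if unknown_policy not in ("flood", "drop"):
            raise ValueError("unknown_policy must be 'flood' or 'drop'")
        self.ports = set(ports)
        self.snooping = snooping
        self.unknown_policy = unknown_policy
        self.members = {}  # group -> {port: time of last membership report}

    def igmp_report(self, port, group, now):
        """A host on `port` announced (or refreshed) interest in `group`."""
        self.members.setdefault(group, {})[port] = now

    def igmp_leave(self, port, group):
        """A host on `port` left `group`."""
        self.members.get(group, {}).pop(port, None)

    def _live_ports(self, group, now):
        # Memberships that were not refreshed within the timeout are ignored.
        # Hosts normally refresh only when a querier asks, so with no querier
        # on the VLAN every membership eventually ages out.
        seen = self.members.get(group, {})
        return {p for p, t in seen.items() if now - t <= MEMBERSHIP_TIMEOUT}

    def egress_ports(self, ingress, group, now):
        """Ports a multicast frame for `group` is sent out of."""
        others = self.ports - {ingress}
        if not self.snooping:
            # No snooping: multicast is treated like broadcast.
            return sorted(others)
        live = self._live_ports(group, now)
        if live:
            # Known group: deliver only to ports with interested hosts.
            return sorted(live - {ingress})
        # Unknown group: behaviour depends on the configured policy.
        return sorted(others) if self.unknown_policy == "flood" else []


def reaches(switch, listener, now, sender=1, group=SSDP_GROUP):
    """True if a frame sent on `sender` to `group` is delivered to `listener`."""
    return listener in switch.egress_ports(sender, group, now)


if __name__ == "__main__":
    for label, sw in (
        ("snooping off", SnoopingSwitch([1, 2, 3, 4], snooping=False)),
        ("snooping on, unknown=flood", SnoopingSwitch([1, 2, 3, 4])),
        ("snooping on, unknown=drop",
         SnoopingSwitch([1, 2, 3, 4], unknown_policy="drop")),
    ):
        before = reaches(sw, listener=3, now=0)
        sw.igmp_report(3, SSDP_GROUP, now=0)
        after = reaches(sw, listener=3, now=10)
        aged = reaches(sw, listener=3, now=MEMBERSHIP_TIMEOUT + 1)
        print(f"{label}: before report={before}, after={after}, aged out={aged}")
```

With the drop policy, a listener that never sent a report, or whose report has aged out, silently stops receiving discovery traffic, which matches the symptom described in the comment.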

  • @pavolholes 3 years ago +1

    Thanks a lot Rob! I was waiting for this new 2021 series. I’m looking forward to part three. I learned a lot, thanks so much for explaining all those acronyms used in the Advanced settings.

  • @retrodreams_ 1 year ago +1

    I bet his neighbors love seeing his 15 SSIDs when they're on their FireTV stick trying to set up WiFi LOL

  • @1997cenafan 2 years ago +3

    That's exactly the tutorial I needed! There's however one thing that wasn't mentioned here - the printers setup - is it better to put them in the same main VLAN, and maybe block its outbound traffic, or to place it in the NoT VLAN, separating it completely from the internet? Thanks!

  • @kevinleidecker5746 3 years ago

    I bought a dream machine pro a week ago. I love it! This video has been AMAZING in helping learn what the features of my dream machine pro actually can do and best practices in setting it up! Thank you so much for this content!

  • @Geek_Chef 3 years ago +1

    Rob....this is bar none....one of the best networking setup video series that is understandable by humans....regardless of Unifi or not. Excellent work friend!

  • 10 months ago +1

    Rob, you are the best! Thank you so much for these. Can we get an updated version of this video?

  • @danphilpott6302 2 years ago

    Another awesome video! Jam packed with information I have been looking for but not found until I found your channel!

  • @rreboto 3 years ago +2

    Nice post! In the video you mention firewall rules not working with Device Isolation. After a bunch of experimentation I finally discovered that rules for networks with Device Isolation enabled need to be defined as GUEST rules. If you want to be really sure your rules are applied first, set them as "Before" rules and you can fully control traffic on device isolated networks. Also, I'm not 100% sure, but I have noticed behavior where your "Echo to Echo" example will leak if you don't enable Device Isolation. That's because without isolation, packets can take shortcuts on the switch (which touches on your comment about all that video traffic not having to go through the router), so they don't go through the firewall rules.

    • @RealVanThomas 3 years ago

      this

    • @kingrpriddick 1 year ago

      Device isolation comes from the old wifi guest network industry standard and at least used to be invisible dynamic VLANs automatically assigned to every client that connects. Because it was easy to code, very reliable/secure, super fast. If you assume every enterprise AP was already going to be smart switch jacked into a radio it makes sense.

  • @ThePreacherProclaims 3 years ago

    Installing my UDM pro today and walking through these videos. Thanks for putting them together.

  • @mattscomp 3 years ago +1

    Awesome video! Have just set up a Dream Machine and this is very helpful in understanding what devices belong in my various VLANs.

  • @yourpalfranc 3 years ago +13

    OUTSTANDING video, Rob!! My UDP came yesterday, so I have a lot to unpack and configure!! My infrastructure is very similar to yours, except that I currently have some Sonos devices. I'll probably be getting rid of them, but I'll need to support them for a while longer. Again, you've really done a nice job. ~Frank

    • @MrMichaeldwatson 2 years ago

      Did you get rid of your Sonos stuff? I’m a huge fan of my Sonos gear and setting my UDMP up now. Curious how well they work together?

  • @lossless4129 2 years ago

    yessss! Absolutely loving my udm pro and and unifi system as a whole, your video 2 years ago convinced me to dive into the unifi ecosystem and I am so happy I did! Thank you for doing an update!!

  • @Crazy--Clown 3 years ago

    Finally a video that explains every setting in the controller. Thnx 👍👍

  • @jig1056 3 years ago

    I can’t say that I understand everything you’re talking about but this is a great video for learning and exposure to please security related topics. Thanks for doing this I will have to watch it a few times but this is awesome.

  • @Streetwiz2009 3 years ago +2

    Rob, as always you are my go-to channel if I want a detailed yet easy to follow video on a topic, although I do have to press pause while I go look at my version to compare. Keep up the good work. Found the "new clients" view annoying too, as I like to also see which APs have which devices attached. Thanks.

  • @jeff.fredrickson 3 years ago +10

    Thanks for doing this walkthrough! What do you think of using 192.168.0.0/16 when creating the "All Local Networks" group instead of specifying each individual /24 subnet?

  • @nigelduncan9968 3 years ago +1

    Thanks, Rob, as always brilliant. A little stuck on IPv6 set up for firewall rules and IoT access etc. but a huge thank you. Can't wait for more. Also to remind everyone of the security issues for the Ubiquiti breach and remind everyone to change passwords, set local access only and force 2fa (if already having 2fa to reinstigate it afresh). Thanks.

  • @BcsDaBomb 3 years ago

    If you are seeing an issue on your IoT network with devices like Ecobees try turning off Multicast Enhancement. I played around for hours thinking that it was my firewall rules and I finally noticed it was the only network that had this enabled. Turning it off did the trick.

  • @DeliberateGeek 3 years ago +6

    Excellent overall coverage. I have some very similar rules on my own UDM setup. There's one suggestion to simplify things that I might suggest. If I recall my OSI layers correctly and am not mistaken about how things work, INTRA-VLAN communication occurs at layer 2, so firewall rules aren't going to stop two devices on the same VLAN from communicating with each other. Correct me if I'm wrong, but I think I'm right here. As a result, instead of separate rules to drop traffic from specific VLANs to other VLANs, I have a single catch-all inter-VLAN traffic drop rule.
    1. I create a group that contains all RFC1918 private IP address ranges. This RFC defines a series of subnets that are meant to only be used in private LANs, vs the public Internet. If you create the group covering this list, then any additional VLANs and their corresponding subnets will be covered by this rule without having to edit it later. Those subnets are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If you always plan to use just one of those subnet schemes (192.168.0.0/16 being the most common for home networks), then you could just add the one to that group. I called the group RFC1918PrivateAddresses, but whatever works for you.
    2. Create a rule on the LAN IN interface that drops all traffic from the RFC1918PrivateAddresses group to the RFC1918PrivateAddresses group. I called that rule Drop inter-VLAN traffic. As you did in your video, I would get my ALLOW rules in place first, then add this rule last. The first time I set this up, I even started off with this rule disabled to make sure it was positioned at the bottom of the list before enabling it.
    Traffic between devices on the same VLAN won't be stopped by this rule, as I mentioned at the top, because that traffic never really hits them due to being on the same VLAN and using layer 2 functionality to get the packet to the other device. Again, if I'm mistaken here, please correct me and point me to info to correct my knowledge. This is working for me, but I don't have an identical setup and don't have NoT devices as you do, so if I have this wrong, then I may simply not be running into the same issues you would given my devices.

    • @PaulSlootman 3 years ago +1

      I was wondering this myself. You can't stop clients on the same wifi talking to each other by setting up a firewall rule; that traffic probably won't even be seen by the firewall (they can probably even talk to each other if the firewall is disconnected). AP isolation is the only solution then.

    • @DeliberateGeek 3 years ago

      @PaulSlootman Again, correct me if I'm mistaken. AP isolation will only prevent wireless clients from directly communicating with other wireless clients. Which is a significant benefit on its own. It won't stop the client from communicating with anything else on that same subnet. Depending on the level of subnet isolation you have, that may well be quite sufficient.

    • @PaulSlootman 3 years ago +1

      @DeliberateGeek Yes, true; but you will typically want to use AP isolation on a guest VLAN, which shouldn't see too many directly-connected clients, usually only WIFI clients.
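
Added example, not part of any comment and not UniFi's firewall code: a small first-match model of the LAN IN rule set @DeliberateGeek describes, showing that same-VLAN traffic never reaches the rules, that the RFC 1918 group covers a VLAN added later, and how to detect an allow rule placed below the catch-all drop. The VLAN subnets, the allow rule, the default-accept fallthrough and the stateless first-packet evaluation are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# The address group from the comment: every RFC 1918 private range.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed VLAN plan (assumption, not taken from the video or comments).
VLANS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "not": ipaddress.ip_network("192.168.30.0/24"),
}


@dataclass
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: list    # source address group
    dst: list    # destination address group


# Order recommended in the comment: allow rules first, catch-all drop last.
# The allow rule itself is a hypothetical placeholder.
RULES = [
    Rule("Allow main to all local", "accept", [VLANS["main"]], RFC1918),
    Rule("Drop inter-VLAN traffic", "drop", RFC1918, RFC1918),
]


def vlan_of(addr, vlans):
    """Name of the VLAN whose subnet contains addr, or None if off-site."""
    return next((name for name, net in vlans.items() if addr in net), None)


def evaluate(src, dst, rules, vlans=VLANS):
    """Return (verdict, rule name) for the first packet of a connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan = vlan_of(s, vlans)
    if src_vlan is not None and src_vlan == vlan_of(d, vlans):
        # Same subnet: delivered by the switch at layer 2, so the router's
        # LAN IN rules are never consulted.
        return ("switched", None)
    for rule in rules:
        if any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            return (rule.action, rule.name)
    return ("accept", None)  # modelled default when no rule matches


def covers(group, net):
    return any(net.subnet_of(g) for g in group)


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule with the
    opposite action already covers all of their traffic."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != rule.action
                    and all(covers(earlier.src, n) for n in rule.src)
                    and all(covers(earlier.dst, n) for n in rule.dst)):
                hidden.append(rule.name)
                break
    return hidden


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address.
    for src, dst in (("192.168.20.10", "192.168.20.11"),
                     ("192.168.20.10", "192.168.1.5"),
                     ("192.168.1.5", "192.168.20.10"),
                     ("192.168.20.10", "203.0.113.7")):
        print(src, "->", dst, evaluate(src, dst, RULES))
    print("shadowed if drop is first:", shadowed_rules(RULES[::-1]))
```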

  • @Mark_The_Mayven 3 years ago +1

    That’s a pretty good scorch mark on your neutral wire-At the lug..
    Check into it as it shouldn’t be there..

    • @TheHookUp 3 years ago

      What part of the video are you talking about?
      Edit: oh, that’s dielectric grease, not a scorch.

    • @Mark_The_Mayven 3 years ago

      @TheHookUp I was getting ready to inject the time when I noticed you had already replied. Now that I look at it really close it makes sense.👍
      Did you ever do a part 3?

  • @joedemaio7025 11 months ago

    This is so good, that I feel guilty for not paying for the info! Thank you!

  • @stiibunyozomita3536 3 years ago

    Although I have my UniFi gear now for two years, I still learned some new things here, so thanks for that Rob. Looking forward to check out the next part.

  • @greglions9690 3 years ago +3

    Great video Rob - With respect to the cameras on the LAN network and the bandwidth/CPU issue, why not just put the NVR (BlueIris) on the Cameras network? Being a Windows machine, you could just give the BI machine a second IP address (camera network) and tag the switch port with both the LAN and camera network VLANs (or add a second NIC).

    • @TheHookUp 3 years ago +1

      Double nic is a good solution and one that I’ve been meaning to test out, just haven’t gotten around to it yet.

  • @try-that 3 years ago +5

    Excellent video, one of the best I've seen regarding networking. It's a pity you don't use pfsense though, because something like this is needed, I know there are lots of pfsense videos, but they aren't quite so detailed or explained in such an easy way. Looking forward to the next part.

  • @randomodbuild 3 years ago +1

    Thanks for this awesome video. Knew some of the content already but it definitely cleared things up that I wasn’t 100% on. Already have a UDM Pro setup based on your last video, but will double check and probably change some things.
    Thanks again!

  • @ecard0 3 years ago +4

    You can broadcast up to 8 SSIDs per AP, if you turn off wireless uplink. I do that :)

    • @TheHookUp 3 years ago +2

      Interesting! Thanks!

    • @ecard0 3 years ago

      Through the old settings, site->services->uplink connectivity monitor->enable wireless uplink (enjoy)

  • @Claudiu. 3 years ago +1

    Excellent source of information. Well written and presented, with great information for intermediate users (which I assume is the target, considering it's for Unifi fans).
    I went with a pfSense build in my house with Unifi gear (2 AP6 LR and 4 USW-flex switches), with the controller hosted on the now retired HA Raspberry Pi.
    The firewall rules are excellent to have as the starting reference and can't wait to see the next one for port management and VPN.
    Thank you!

  • @evlnte 3 years ago +6

    I got stuck at the first step of categorizing everything into those 4 buckets (IoT, NoT, Mix, Untrust)!
    Is there a list or resource on the net that you can point to to help categorize my 50+ devices? I've got multiple brands of Wifi Cams, Work/Personal Laptops, Nests/Echos/HomePods, Smart TVs, Wifi Thermostats, Game systems, Wired Automation hubs, AV Receivers for Airplay, Phones/watches/tablets.
    Is there something in the Unifi Controller that shows the ports being used by my devices right now?

  • @oakfig 3 years ago +1

    This is the exact video we need!!!!

  • @ngreed 3 years ago

    Great content! Thanks for taking the time to explain all the options thoroughly, and not rushing to try and keep the video short.

  • @NathanSweet 2 months ago

    For those with an NVR, put the NVR on the Protect VLAN with the cameras. You don't want the NVR and cameras on different VLANs.

    • @TheHookUp 2 months ago +1

      Correct, that's a lot of traffic to send across VLANS constantly.

  • @cs88bingen 3 years ago +1

    Great video. I learned a lot and you explained it great. Can't wait for part 3.

  • @yelbirdo 3 years ago +11

    Really helpful video. 1 thing I don't get though:
    At 29:35, you create a firewall "accept" rule "echo to echo", but all echo devices are on the IoT network, so they can talk to each other anyway? Traffic within that vlan is handled at layer 2, so doesn't pass the router as far as my understanding goes.
    I didn't see any part where you would have blocked that, but I am interested to know how you would recommend blocking devices to talk to each other on the same VLAN since I agree with your reasoning to keep "Device isolation" turned off.

    • @BitfulByte 3 years ago

      Thanks to your comment, I now understood why my IoT to local drop rule was NOT preventing me from pinging one IoT device from another.
      It only prevents me from connecting other devices outside the IoT vlan. I would also love to learn how to block this device 2 device within the same vlan.

  • @pablolucena4336 2 years ago

    Very detailed, thank you. One point I don't think is getting much attention is the non Ethernet / TCP/IP radios most of these IoT devices have. Bluetooth and BLE are some, but there's several others. The scary part is that any such "traffic" that say a guest's iPhone, or someone walking outside the house with a device with a compatible radio engages in communication with one's internal devices via these "side channels" that completely bypass our traditional networks.
    On any device I get, Unifi gear, laptops, desktops, etc - I always disable the BLE radio. Nothing stops working...something bugs me about having all my switches, my controller, and my access points having a BLE radio that if it's being used I'd have no way to tell. It wouldn't surprise me to find down the road that this has been going on for a while. In the meantime, I'd suggest checking out a cheap SDR device which would allow one to scan the RF for any chatter outside of the expected wifi ranges.

  • @ademirpizzolato2858
    @ademirpizzolato2858 3 years ago

    Congrats... Best video I've watched so far related to this subject!

  • @jionimorales2829
    @jionimorales2829 3 years ago

    I am excited on building my network and this video is perfect because the UniFi Dream Machine Pro is what I’m getting! Thank you!!!

  • @wizardtm2
    @wizardtm2 3 years ago +1

    What a great video! Thank you for explaining everything so understandable for a lot of people.

  • @Fox350Karting
    @Fox350Karting 3 years ago +1

    Really great job. I really appreciate the quality of your work! Thanks a lot!

  • @alienJIZ1990
    @alienJIZ1990 2 years ago

    This really is the best info for users trying to hop into this. I ended up with a fairly similar setup by coincidence. But from a security perspective, while I get the single pane of glass centralized UI allure, I don't like the idea of blending Layer 2 and 3 the way they do with a USG or UDM Pro. If your unifi controller is compromised, the attacker now has Layer 3 access as well. For that reason I went with an Edgerouter4 instead and it's rock solid. The learning curve is a bit steep but worth it

  • @jacqueszeeman4062
    @jacqueszeeman4062 3 years ago +1

    Yet another Awesome video Rob - thx

  • @julianhawkins1
    @julianhawkins1 2 years ago

    Many thanks for the Unifi videos - Useful and dense info which helped me hugely. Can't wait to dump my $999 Orbis. Given your videos I can make that change with way more confidence of the change

  • @TonyDiCostanzo
    @TonyDiCostanzo 3 years ago

    For gamers that have multiple consoles (Xbox, PS5s and even gaming PCs), UPNP is generally the most recommended way to create an Open NAT which makes joining games faster and games to perform better. Can you dive into this issue and the UDM Pro’s settings as there are millions of gamers that would find the recommendations helpful.

  • @Gino_567
    @Gino_567 2 years ago

    Thanks for the video Rob. This was really useful. I'm learning Networking as a hobby so love that you've made this easy for us noobs.
    Just wish you had a Discord where I could ask questions in real time!

  • @shibudaniel6050
    @shibudaniel6050 3 years ago

    Thank you for this detailed, yet easy to understand explanation. Definitely eager to see more Unifi tips and tricks.

  • @chukah9484
    @chukah9484 2 years ago

    Thank you so much! This is exactly the information I was looking for, you're the best! Subscribed!

  • @JacksonCampbell
    @JacksonCampbell 1 year ago

    Most APs can broadcast 8 SSIDs now. I would make a single IoT network instead of all the different ones for different locations and lock devices to particular APs. That way you decide what is the closest AP.

  • @markhoffman1646
    @markhoffman1646 3 years ago +2

    Your videos are refreshing. Thank you for being thorough.

  • @ehorlyck
    @ehorlyck 3 years ago +1

    Brilliant! I am looking forward to part 3.

  • @mice3d
    @mice3d 3 years ago +4

    Thanks for the update, I'm still wondering what rule to add to my wireless printer, it's a strange thing as I print to it via phone and computer. Also can't wait for VPN, I installed WireGuard and duck dns but think it gets blocked somehow even though I port forwarded. Can't wait!

  • @PatDoyle
    @PatDoyle 2 years ago

    Great video series Rob!

  • @CK-rg2ku
    @CK-rg2ku 3 years ago +1

    Great video as always. Learned a lot. Thanks! Greets from Germany!

  • @PierfrancescoElia
    @PierfrancescoElia 3 years ago +1

    Very good job, amazing video. Can't wait for the next part! :)

  • @voord099
    @voord099 3 years ago +5

    Hey, great channel and great vid. I'm finally gonna start on improving my network security. I was just wondering, what do you do with device updates for your NoT devices...

  • @flyinb45
    @flyinb45 3 years ago

    Watched it once and plan to watch again tomorrow at .75 speed lol. Great info but I'm a bit of a noob

  • @alonzosmith6189
    @alonzosmith6189 3 years ago +1

    Great explanation for the Unifi setup