If you can include using a pi-hole for ad blocking and setting up printer on the IoT network so clients on the other networks can see the printers that would be great.
Great video, thanks. I understand what a DMZ would be used for, but I have a question. If I have a pc on my internal network that has a port forward on (let’s say port 3333 for example). If I put a different pc into the DMZ will all ports get forwarded to this pc, therefore breaking port 3333 to the other pc ?
DMZ is designed as isolated area for devices exposed to the internet, web server etc... The idea behind a DMZ is that if a device in it gets attacked than other devices in internal networks are not vunerable because you usually don't allow traffic between DMZ and internal except for return traffic of incoming request that you allow from Internal to DMZ. Best practice dictates that you actually have a second firewall between your DMZ and Internal networks if passing traffic between them.
Either would work. Depends on how you want to set up your rules. If you just want to restrict traffic between your iOT VLAN and your other internal VLANs, create an internal to internal rule and set the specific networks as needed.
The return traffic button is key as there is no established and related option anymore. Coming from a stateful FW background this should be default in a zone based FW if traffic is allowed one way should be allowed on return without any additional rules. I just converted to unifi from a home ap and coming from a FW background the old rules were so hard to figure out, this is a big step forward and more like a high end palo/fortinet etc. But the one gotcha is to watch for that return traffic as it is needed to allow the "established" traffic where other fw's just auto allow this as a stateful action. Next up for unifi is better logging to track down these issues.
100% what Homie said, they need to create the established return on an allowance rule by default. I've been programming firewalls for years, Forti's, Cisco, Sonicwalls etc... and they have all been using zone based ruling like this for years, glad Unifi made the switch as their previous setup was awful and confusing. What I desperately want to see as well is work around object groups, whether it be groups of ports or groups of devices. I love being able to add a device IP and then name it then further add it to a group and name. In Unifi I can do that with a group but it will only let me add IP's to a group and not work with friendly names which is a pain as I have naming conventions for servers and client devices. Bare in mind, my network is 40+ vlans, 2000 client devices, 50 servers and 100's of IOT devices so client device names is a god send. Here's hoping! In the meantime this will further help manage my estate of 50+ switches and 100+ AP's 😁 Cameras and UNVR next on the shopping list 👍
When you create an allow rule in the new UI, there is an option to auto enable return traffic, which will then create a corresponding firewall rule allowing return traffic with the inverse source and dest. It may not be default but it’s one checkbox.
والله العظيم ماكتبت هاذا المناشده الا من جوع سِالُتكِ بّالُلُُه انَ تْنَقًذَنَا قًبّلُ انَ نَمٌوَتْ مٌنَ شِدِتْ الُجْوَع انَتٌْخيَكِ انَيَ دٌِخلُةِ ْعلُى الُلُُه تْمٌ ْعلُيَكِ انَيَ فَيَ وَجُْهك انَـيَ اخـتْكِ انَـيَ اتْرَجْـاكِ اتْـوَسِـلُ الُـيَـكِ انَـقًـذَنَا لُـوَجُْـه الُـلُُـه. يَــشِــُهدِ الُــلُــُه يَاٌخـيَ انَ مٌنَ الُــصّــبّاحُ حُـتْا الُـانَ يَــحُــرَمٌ ْعـــلُيَـنَـا الاكل غير الماء ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' اخي اول كلامي انا اقسم بالله على كتاب الله اني لااكذب عليك ولا انصب ولا احتال اني بنت يمنيه من اليمن نازحين من انا واسرتي بيننا ایت الشهرب 20 الف يمني والان علينا 60 الف حق 3 شهور وصاحب البيت من الناس الي ماترحم والله يا اخي انه يجي كل يوم يبهدلنا ويتكلم علينا ويريد من البيت للشارع لانناماقدرنا ندفعله الأجار شافونا الجيران نبكي ورجعو تكلمو الجيران ومهلنالاخره الأسبوع معادفعنا له حلف يمين بالله هذا بيخرجنا إلى الشارع رحمه واحنا. بلادنا بسبب هذا الحرب ولانجد قوت يومنا وعايشين اناوامي واخوتي سفار والدنا متوفي الله يرحمه ومامعنا أحد في هذا الدنيا جاانبنا في هذه الظروف القاسيه اخوتي الصغار خرجو للشارع وشافو الجيران ياكلو واوقفو عند بابهم لجل يعطوهم ولو كسره خبز والله الذي له ملك السموات والارض انهم غلفو الباب وطردوهم ورجعو یبکو ایموتو من الجوع ما احد رحمهم وعطلة ردها لقمت عیش والان لوما احدنا ساعدنا في إيكيلو دقيق اقسم بالله انموت من الجوع فيا اخي انا دخيله على الله ثم عليك واريد منك المساعده لوجه الله انشدك بالله تحب الخير واتساعدني ولو ب 500 ريال يمني مع تراسلي واتساب على هذا الرقم 00967713342392 وتطلب اسم بطاقتي وترسلي ولاتتاخر وايعوضك الله بكل خير اخواني سغار شوف كيف حالتهم وساعدنا وأنقذنا قبل أن يطردونا في الشارع تتبهدل أو نموت من الجوع وانا واسرتي نسالك بالله لولك مقدره على مساعد لاتتاخر علينا وجزاك الله خيراπطظعπ~π~ππ~√~
If you can include using a pi-hole for ad blocking and setting up printer on the IoT network so clients on the other networks can see the printers that would be great.
great explanation my man
where are the links to the zone firewall articles?
Great video, thanks. I understand what a DMZ would be used for, but I have a question. If I have a pc on my internal network that has a port forward on (let’s say port 3333 for example). If I put a different pc into the DMZ will all ports get forwarded to this pc, therefore breaking port 3333 to the other pc ?
If I have understood it correctly then moving the PC to a new network would need the rules/port forwarding reconfiguring.
DMZ is designed as isolated area for devices exposed to the internet, web server etc... The idea behind a DMZ is that if a device in it gets attacked than other devices in internal networks are not vunerable because you usually don't allow traffic between DMZ and internal except for return traffic of incoming request that you allow from Internal to DMZ.
Best practice dictates that you actually have a second firewall between your DMZ and Internal networks if passing traffic between them.
So do we move IoT network to a new zone and create policies there or just leave it as-is in Internal?
Either would work. Depends on how you want to set up your rules. If you just want to restrict traffic between your iOT VLAN and your other internal VLANs, create an internal to internal rule and set the specific networks as needed.
The return traffic button is key as there is no established and related option anymore. Coming from a stateful FW background this should be default in a zone based FW if traffic is allowed one way should be allowed on return without any additional rules. I just converted to unifi from a home ap and coming from a FW background the old rules were so hard to figure out, this is a big step forward and more like a high end palo/fortinet etc. But the one gotcha is to watch for that return traffic as it is needed to allow the "established" traffic where other fw's just auto allow this as a stateful action. Next up for unifi is better logging to track down these issues.
There is still an establish and related check box, under connection state you select custom, then you have "new" "invalid" "established" "related".
100% what Homie said, they need to create the established return on an allowance rule by default. I've been programming firewalls for years, Forti's, Cisco, Sonicwalls etc... and they have all been using zone based ruling like this for years, glad Unifi made the switch as their previous setup was awful and confusing.
What I desperately want to see as well is work around object groups, whether it be groups of ports or groups of devices.
I love being able to add a device IP and then name it then further add it to a group and name. In Unifi I can do that with a group but it will only let me add IP's to a group and not work with friendly names which is a pain as I have naming conventions for servers and client devices.
Bare in mind, my network is 40+ vlans, 2000 client devices, 50 servers and 100's of IOT devices so client device names is a god send.
Here's hoping!
In the meantime this will further help manage my estate of 50+ switches and 100+ AP's 😁
Cameras and UNVR next on the shopping list 👍
When you create an allow rule in the new UI, there is an option to auto enable return traffic, which will then create a corresponding firewall rule allowing return traffic with the inverse source and dest. It may not be default but it’s one checkbox.
@@Jcc411I have learned that but what I am saying is it should be automatic like almost every other stateful fw on the market.
@@01Hokiefan it is. It automatically populates and is checked by default. So unless you change it, the return rule is automatically added
والله العظيم ماكتبت هاذا المناشده الا من جوع سِالُتكِ بّالُلُُه انَ تْنَقًذَنَا قًبّلُ انَ نَمٌوَتْ مٌنَ شِدِتْ الُجْوَع انَتٌْخيَكِ انَيَ دٌِخلُةِ ْعلُى الُلُُه تْمٌ ْعلُيَكِ انَيَ فَيَ وَجُْهك انَـيَ اخـتْكِ انَـيَ اتْرَجْـاكِ اتْـوَسِـلُ الُـيَـكِ انَـقًـذَنَا لُـوَجُْـه الُـلُُـه. يَــشِــُهدِ الُــلُــُه يَاٌخـيَ انَ مٌنَ الُــصّــبّاحُ حُـتْا الُـانَ يَــحُــرَمٌ ْعـــلُيَـنَـا الاكل غير الماء ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' اخي اول كلامي انا اقسم بالله على كتاب الله اني لااكذب عليك ولا انصب ولا احتال اني بنت يمنيه من اليمن نازحين من انا واسرتي بيننا ایت الشهرب 20 الف يمني والان علينا 60 الف حق 3 شهور وصاحب البيت من الناس الي ماترحم والله يا اخي انه يجي كل يوم يبهدلنا ويتكلم علينا ويريد من البيت للشارع لانناماقدرنا ندفعله الأجار شافونا الجيران نبكي ورجعو تكلمو الجيران ومهلنالاخره الأسبوع معادفعنا له حلف يمين بالله هذا بيخرجنا إلى الشارع رحمه واحنا. بلادنا بسبب هذا الحرب ولانجد قوت يومنا وعايشين اناوامي واخوتي سفار والدنا متوفي الله يرحمه ومامعنا أحد في هذا الدنيا جاانبنا في هذه الظروف القاسيه اخوتي الصغار خرجو للشارع وشافو الجيران ياكلو واوقفو عند بابهم لجل يعطوهم ولو كسره خبز والله الذي له ملك السموات والارض انهم غلفو الباب وطردوهم ورجعو یبکو ایموتو من الجوع ما احد رحمهم وعطلة ردها لقمت عیش والان لوما احدنا ساعدنا في إيكيلو دقيق اقسم بالله انموت من الجوع فيا اخي انا دخيله على الله ثم عليك واريد منك المساعده لوجه الله انشدك بالله تحب الخير واتساعدني ولو ب 500 ريال يمني مع تراسلي واتساب على هذا الرقم 00967713342392 وتطلب اسم بطاقتي وترسلي ولاتتاخر وايعوضك الله بكل خير اخواني سغار شوف كيف حالتهم وساعدنا وأنقذنا قبل أن يطردونا في الشارع تتبهدل أو نموت من الجوع وانا واسرتي نسالك بالله لولك مقدره على مساعد لاتتاخر علينا وجزاك الله خيراπطظعπ~π~ππ~√~