Comments
@BMXNijkerk 32 minutes ago
First of all... a great video. Especially the real world setups. A lot of other youtubers only glance at a high level. This really helps since I am fairly new to the unifi rules. And just when I setup some old ones, the zbf was introduced. Therefore some questions: How would the setup look like when protect is inside a UDM? When you don't own a UNVR? Do you need to setup rules to the gateway? Which? Could you also elaborate in a new video how to 'migrate' from old policies to new? How can you evaluate which rules to delete or replace with? I've rules for allowing established and related traffic. And to block non valid traffic. Allow DNS, etc. I am thinking about deleting all the old policies and start from scratch. Because also some old policies can interfere with the new zbf ones? And does the new zbf also handle the correct order of policies? Does it also know which rules to put on top? Or is that something you always need to check yourself?
@REJ509 14 hours ago
I’m so new to this, and it’s all so overwhelming. You explained it in a way that’s much clearer and easier to understand than any of the videos I’ve watched so far. Thank you so much 🙏
@OHM-fy5zf 15 hours ago
Great video! Explains exactly (one half of) what I'd like to know. I'm looking forward to the second video! One thing I'd still like to know though: Don't you restrict gateway access from untrusted VLANs to necessary ports? (Or at least block ports 22, 80, 443?) I guess the effort to achieve this might be different for both concepts of video 1of2 and 2of2 and therefore worth to be compared as well? I'm looking forward to video 2of2!
16 hours ago
Very clear! Thank you so much, finally I ended up understanding these zones.
@gp5173 19 hours ago
Great video as always. Couple of questions: 1 - With your protect VLAN is that assuming that you are running a separate Protect NVR instead of built into UDM Pro etc? Reason I ask is that Protect NVR doesn’t appear to do well when adding cameras across VLANs (for example ONVIF cams) so was wondering the topology for Protect in this case. 2 - Understand your point about trusting Protect cams but wondering why you would not just want to block cameras outbound to Internet, period since there is always a risk of those feeds being exposed like they are with non UI cams. Don’t get me wrong, we all know that ‘other’ cams (even pro security cams) like to phone home but was just interested regarding your decision there. I generally choose to block all here. 3 - When running a UI infrastructure is there a preferred method you have / recommend for handling NTP locally since a number of devices you may want to block from Internet, still have an NTP requirement? In this same question, is there a way to intercept and redirect NTP requests from a device and force them to use a different NTP server of your choosing (may be your own etc)? 4 - The only issue I see with the Unsafe NW device isolation is then the cams cannot talk to an NVR on same Unsafe network for recording capabilities. Therefore what is the best way to have cams isolated from each other BUT allow access to an NVR in same VLAN? Fantastic video and great timing since UI have not done a great job on demonstrating Zone Based firewalls. More a case that they released the feature and left users to figure it out themselves. Thanks as always.
@hz777 16 hours ago
All great questions and all are pointing to some weak points of this video :D A1) I run my UNVR Pro with two cables to a protect vlan and a non-protect vlan. I understand it's tricky to use two ports at the same time for a UNVR, but it does resolve the problems of connecting to non-protect cameras. A2) I agree protect cameras do not need internet either, but still choose to enable it in the video just to make it more "different" than the non-protect vlan. I will clarify this in my coming video. A3) Have you tried NAT? A4) It was already pointed out by another viewer in the comments. To save time, I may have over-simplified that vlan. You are right.
@AlexSpring-Connell 21 hours ago
Excellent video! Does the block all rule block multicast traffic as well? For streaming to iot, you’d want to allow that.
@hz777 21 hours ago
Yes, but that type of detailed requirement has to be addressed case by case.
@OHM-fy5zf 15 hours ago
@hz777 Oh yes, please do a video on that, too. In particular I see a difference between actual AppleTV vs Android based SmartTVs (Samsung and Hisense) as AirPlay targets. I had no issue to stream (audio/video) from Apple devices on my client-VLAN to an AppleTV on my IoT-VLAN. But in the same setting it did not work to any SmartTV. For SmartTVs I had to fiddle around with additional firewall exceptions I still don't understand.
@Fatal_Error-h4c 1 day ago
How do you get all the terminal windows open on the different networks like that?
@hz777 1 day ago
VM. Proxmox.
@NoCPU 1 day ago
Another fantastic video 👍
@sydneyli-q7x 1 day ago
This was exactly what I needed to know. I'm looking forward to the next video. Thanks!
@ufomism 1 day ago
Excellent explanation, thanks, going to set mine up now.
@demomanca 1 day ago
I haven't tested this yet, but does the auto enable return traffic rule do an allow all, or allow related/established?
@hz777 1 day ago
The latter.
@paulrobinson6297 1 day ago
Great video, looking forward to part 2
@SY1337 1 day ago
For the unsafe vlan, you could have enabled 'Isolate Network' in vlan 70 network settings. This will automatically create new firewall rules that block traffic to other zones.
@1stGruhn 1 day ago
For the non-unifi cameras in the unsafe zone, if your NVR was something other than the gateway, you'd need to create ACL rules to allow traffic from the unsafe devices to the MAC of the NVR, correct?
@hz777 1 day ago
You are absolutely right. In the interest of time, this video is just to convey some ideas. The settings are over-simplified, and need to be modified to be adopted.
@1stGruhn 1 day ago
@hz777 Yeah, I've been playing around with a new client's setup before we install it onsite. I often create a port group (now called network object) then a rule blocking ports 22, 80, and 443 on the gateway from the vlans I don't want to have access to the login portal or to SSH into it. I have mixed feelings with the new setup. On the one hand, it is easier to wade through all the rules since you can target the specific zones you want to change and the direction of traffic. But you have to create so many more rules than before... Which is a bit annoying, c'est la vie.
@sobih25 1 day ago
Thanks for your job there! Waiting for part 2.
@weholmes5315 1 day ago
Perfect! I've been holding off switching to zone based firewall as it was a lot of work to get my firewall rules working correctly and I was worried about issues like this. I'll await upcoming videos 😅
@ВсеобоВсем-я6и6я 2 days ago
Hi to all. I have tested some vendors for band steering and seamless roaming for mobile clients and I can tell that UniFi was the worst one for this functionality. Sorry for UniFi lovers, but this is the truth.
@iamredbar 2 days ago
I know this is a little late to the party, but is there a difference if 6GHz is turned off for the AP? I have an environment that is still using UniFi APs that are only capable of 2.4GHz and 5GHz. I have noticed an effect when enabling this for such an environment. I have not performed a WLAN capture with this, however. This is only based on my manual tracking of clients on the network. Also, another consideration, what if you performed this test with a client that only supports 2.4GHz and 5GHz while leaving 6GHz enabled? It seems as if all 3 devices you are testing with support 6GHz. I would do this test myself, but the environment this is for is a good distance away and would need another reason to go out there rather than just to test. Also, thank you for your videos. Very in-depth and informative.
@markturner7748 3 days ago
I have a similar setup here, using a UCG Ultra on the WAN2 port of my UDM SE. The UCG Ultra is ideal for this role as it has a built-in controller. I don’t worry about multiple layers of NAT and everything works great.
@H31mdall-42 3 days ago
Thank you so much. The thing with the 3 network cards did the trick for me using adguard, proxmox and a vlan setup... :)
@cwxuser5557 3 days ago
Does anybody know how to block access to the https router login screen on the IoT Internal network? I could do it on the old firewall. I cannot get it to work with Zone Based F. Please help
@galvinchiu7301 3 days ago
Nice one, bro. Subscribed.
@Cemilaws 4 days ago
So what peak speed will I see with S24 Ultra?
@RTarson 4 days ago
Before I start, thank you for clarifying this for me. Unifi uxg or any new routers of that sort support hub and spoke topology. It's just they expect everyone to be on cloud using site magic so there are no resources from unifi. I want to know if you were to configure a hub and spoke. Say the hub is a 3rd party router. The spokes are the ubiquiti unifi equipment, would you still add the s2s subnet as subnet/interface? Also to keep the hub as the "hub" on unifi side is there a way to tell it only be a spoke or maybe it has to be a stub?
@marc3793 5 days ago
Do you know if you can power with PoE AND USB and which takes priority? For example it would be good to know if a powerbank can be used as a backup power source.
@LulzChicken 5 days ago
Important topic with AFC
@LulzChicken 5 days ago
Great testing
@kwinzman 6 days ago
Very diligent testing. Thank you for this amazing video! The download speed from a client perspective is indeed disappointing for such an expensive and power hungry access point.
@colabola3454 6 days ago
So in short, if using [client] -> [pihole] -> [unbound] -> [upstream dns (google)] -> [unbound] -> [pihole] -> [client], the traffic between pi hole and google is encrypted. Without unbound that external packet is "free text" using dns protocol? Does this prevent "dns leaks" on network level? (Assuming all devices are using pihole for dns)
@hz777 6 days ago
1) Yes 2) On WAN side yes; on LAN side still clear text DNS
@Pratham-eo1pw 6 days ago
Great review but the unboxing was atrocious haha
@WJKramer21 6 days ago
I am using the same switch setup with my E7s and I get an occasional network loop. Turning off data on the ProMax24 switch port which E7 uses for secondary fixes it.
@hz777 6 days ago
It's not the first time I heard of its network loop issues, but I have never encountered the same. Even though an incorrect Linux bonding config may lead to a network loop, I doubt that's the cause. So puzzling...
@monsieurhabi 7 days ago
Thanks for very detailed and awesome reviews. I am wondering what are your thoughts on how this compares to u6 enterprise and u7 pro max, basically what is the best one to use in a busy environment. Thanks
@hz777 7 days ago
@monsieurhabi E7 for sure, if the slow download and high temperature can be fixed.
@TotteVG 7 days ago
145F is ridiculous. Does the fan not run?
@hz777 7 days ago
Fan? It does not have a fan... Passive cooling.
@TotteVG 6 days ago
@ interesting the u7 APs have fans
@hz777 6 days ago
@TotteVG my U7-Pro-Max does not have a fan either. Where did you get the information about UniFi ap with fan?
@TotteVG 5 days ago
@hz777 don’t know why my comment got deleted but both the u7 pro and pro max have fans. There are teardowns here on KZbin that show them
@NullPointer1100 5 days ago
@hz777 there is a tiny little fan near the ethernet port, can feel the airflow if you run it hot enough
@willcranmer3758 7 days ago
Wow! those temps!!
@hz777 7 days ago
@willcranmer3758 yep, that's my biggest concern about it. Mounting it on the ceiling may help cool it down a little bit because of the metal mounting plates, but I am still testing it so have to put it on a wood table top.
@dorianphillips7714 7 days ago
Thank you for this review! I have been waiting for someone to review this.
@SeanDevonshire 7 days ago
Hands down one of the best KZbin Channels for Walkthroughs, deep explanations and test results. You clearly explain every detail of the tests and make it easy to understand. Thank you!!
@howardzhao4685 8 days ago
Very much enjoyed your video! I always learn something from your videos! Thanks for all your hard work! I recently replaced my two U6 Pro with E7. I have noticed with both primary and backup ports connected, my network gets occasionally loop back, the entire LAN will be down momentarily then recover by itself. I have also noticed UDB had trouble to uplink to E7. After unplugging the backup link, all worked as normal. Since I don’t have your knowledge and diagnose tool and methods, I can only go by my observations. My setup is fairly simple, my primary is connected to USW 16 pro max with 2.5gb link, and backup was on USW 24 pro max 1gb link, both switches are uplinked to an aggregation switch. I am just wondering if you saw any network loops. Thanks.
@hz777 8 days ago
I have not noticed similar loop issues. It should not happen if the Linux network interface bonding works properly... I can only suggest you open a ticket with Ubiquiti.
@howardzhao4685 8 days ago
@ Thanks for the quick reply.
@matthodgson5747 8 days ago
Great video. The explanation around the request and response files was fantastic. You showed they reference latitude and longitude for geo-location and the timestamp for check in. I can't help but wonder if there's a way to edit those and circumvent those controls?
@hz777 8 days ago
Forget about technical feasibility, I guess that would be illegal... Even just from technical perspective, the request may be overwritten by the AP before every request, and in the request, serial number needs to be provided...
@pewpewpew8390 8 days ago
I have no option for 6 GHz extended range on my e7 :|
@hz777 8 days ago
EU?
@pewpewpew8390 8 days ago
@hz777 Europe but not EU
@SimonLeslieTan 8 days ago
Will Ubiquiti ever enable AFC for rest of the world?
@hyperprotagonist 8 days ago
I reckon by WiFi 10 we’ll have to climb inside the AP to use it. 😂
@hz777 8 days ago
:D
@seanwoods1526 8 days ago
Very good video and lots of details! Thank you!!!
@roesljas 10 days ago
Hi, can you go into more detail about your settings for nominating the IGMP querier within UniFi controller? I have a system similar to yours except it's a UDM-SE and 3x USW-Pro-Max-48s (one switch in the middle with lowest IP and nominated as the querier, and the other two uplinked to it). I'm finding that the querier status readings within the CLI on any given switch are giving incorrect and changing results. Each switch occasionally shows itself as the querier and other times it shows 0.0.0.1 as the querier. Despite these readings, IGMP does seem to be working across the three switches using my JustAddPower IP video encoders / decoders. Have you noticed results like this? I'm given to understand that UniFi's implementation of IGMP and the various advanced settings within UniFi controller for it are not working correctly. This is based on forums etc.
@hz777 10 days ago
Before this batch of changes for IGMP, yes I did see some issues in the backend. But now, no.
@djflusterduck 10 days ago
Great video. Super clear doing everything by example.
@nicolaslavinicki4029 10 days ago
As always, great video! It's a shame that this product has these problems... well it's not even available in my country.
@jaxwylde2139 11 days ago
Fantastic! Thank you. Although I've been using Proxmox (on multiple mini-pc's) for several years (running many LXC's (Jellyfin, Plex, Calibre, NginxPM, etc.) along with a large homeassistant implementation (as a VM)), I haven't implemented any VLANs mainly because my current router doesn't support it. I considered using OpnSense or PfSense, but decided to go with unifi (as I already used one of their AP's and liked their controller GUI (self-hosted inside docker container)). While I wait for the delivery of my new Unifi router (cloud gateway ultra) and first unifi 16 port PoE switch, I've been trying to learn as much as possible on how to set it all up. This video helped address one question I had, "how should I configure my pihole setup to ensure it can provide DNS services to the various vlans that I intend to set up"? I know I've still got a lot to learn (which is why I did all of this), but your video helped check off a few of those 'to learn' boxes. You've got yourself another subscriber, and I'm looking forward to seeing more of your videos (previous and upcoming). Cheers!
@jonnyzeeee 11 days ago
Interesting video. Nice work as always! In my testing I don't think I experienced the 5 minute delay issue described in the comments below. But when I added interfaces to the pihole server, I used Proxmox SDN so each interface had a distinct bridge. The VLAN tag is established by the SDN config.
@nicolaslavinicki4029 11 days ago
Great video!!
@jonnyzeeee 12 days ago
Excellent video as always. Your knowledge of networking and UBNT is second to none. They should hire you if they haven’t already!
@ecl1pz 14 days ago
Awesome work as always! I wish I found your channel sooner!
@hyperprotagonist 14 days ago
Who needs to participate in the Ubiquiti Certification Program when this channel exists. 😂❤