Yes, actually it has a bit. A few things I mention in this video were "fixed" before I even released it. I plan eventually to go back through and touch on the improvements. I will agree that 2FA on VPNs is definitely something that is lacking... for reasons that I might mention in a future video.

SNMP was added in 4.0.3 EA firmware which came out a couple of months before the video was posted.

Yes, this was one feature that got added between the recording of this video and the release. There are a couple others that got either "fixed" or "better" with more recent updates.

I have plans to buy some "recent" APs and redo my first time setup video. 90% of the information will be the same as my existing videos. The main difference is the interface and some of the product information (i.e. newer models do not include PoE injectors, they are a separate purchase). As far as I'm aware, the Ubiquiti equipment doesn't support a "standalone" operation method and requires the controller for all configuration. The good news is the controller is not required once setup is complete unless you are wanting to log historical data or run an active guest portal.

I "believe" you have to have a separate ruleset for each guest network, as they are separate virtual interfaces. I can think of a few exceptions, but I don't want to spitball them here because I have not tested them. The way I would go about it is creating separate rulesets for each Guest network. They should essentially work the same way by only allowing traffic from other networks you designate as "allowed". Hopefully I didn't misunderstand your question.

@@ToastyAnswers My situation does not match yours exactly as you have these "switch" interfaces that I do not. I don't think that is a feature of the ER-8. I could not directly connect, with a PC for example, on the interface if it was a vlan. I had to just specify a network. I was able to apply the same rule to multiple ports each with different networks. I can't post images here otherwise I would.

I won't comment on this.

Shouldn't be, but this will depend on how the Unifi switch is configured. There could be a disconnect with a native VLAN or similar misconfiguration. Without knowing your specific network configuration it would be hard to tell.

I wouldn't say I like them better, but I do like how they implement certain features and the flow of object categorization. I'm certainly very familiar with SonicWalls, but there is plenty I don't like about them as well. There isn't really anything the UDM can do that a SonicWall can't, besides be affordable. The allure of the UDM is that the price/performance ratio is very good and the feature set is decent. If cost wasn't a factor, I would probably be running a SonicWall, Custom Pfsense box, or something else. The problem is that many alternatives cost upwards of $1000 to match the raw throughput of the UDM (you can argue the "robustness" of security features is much higher on more expensive platforms, but just strictly speaking in throughput with all services enabled). For example, to get close to the advertised 3.5Gbps of IPS throughput of the UDM you would need a SonicWall TZ670 which starts around $1700 and must be continually re-licensed in order to remain functional. This is kind of an apples/bananas comparison, but it highlights how attractive the UDM looks at roughly $400 when you start shopping around for UTM appliances.

@@ToastyAnswers I have an old pfSense box, TZ570 on hand. However, UDM for the speed issue is preferred. I have 3 subnets, one for personal devices including 80 iot devices all with fixed IPs in which that topic related to the reconfigure of those IPs looks like a challenge. The grouping issue with the UDM is concerning since I will plan to vLan segments on the personal subnet. The other two subnets are for work related and are isolated and less complex. Was definitely planning on the UDM Pro which allows for 2G fiber, which just became available. This video caused me to pause and comprehend the cross over from pfSense. Probably go UDM, put in second internet via fiber and slowly migrate. Excellent videos on your site. You do fine work. I've been in IT since the mid 80s. Keep up the good work, it is important. Thanks.

Fair point. A lot of my "problems" are nit picks or more along the lines of managing expectations. I will say, however, that there is a difference in network "scale" and network "complexity". The UDM can handle an impressively large network, but falls short when additional complexity is required.

I hoped the timestamps would help with that.

Unfortunately, IPv6 is something I have very little experience with.

Thank you! I plan to... but I'm very flakey.

Yeah, this ends up being an issue when the devices are not "forgotten" from the previous controller prior to moving to the new one. I've had to deal with warring controllers on more than one occasion.

Yeah, I was very late uploading this video and it was recorded quite a while ago. I plan to make a follow-up since a few of my points have been either improved or removed entirely in more recent updates. I didn't notice the SNMP support in the latest notes, I'll have to check that out.

These really only operate in roughly a 300ft diameter, but it could be more or less depending on the specific environment. Wireless operation has a ton of variables. If you are trying to cover a distance of 1km, I would look at the wireless bridge options such as the Nanostations or Ubiquiti's other bridge options. These are better suited to covering large distances.

Forwarding all ports to the second router would make it much easier to manage, but I wouldn't say it is "advisable". By forwarding all ports, you are essentially creating a DMZ between your first and second router. This isn't necessarily "bad" but it widens your attack surface. Also, there are some ports that may be in-use by the router itself. This doesn't usually cause a problem, but some models can get confused and cause undesirable behavior when EVERY port is forwarded without a proper DMZ mode.

Great question. I typically only use the isolate network checkbox for networks I want completely isolated (without firewall rules) but I've never actually tried it as the default. After reading your comment, I actually gave this a go. The main difference I found is that the rules are applied as "LAN IN" rules, which override any "LAN Out" rules configured on the firewall for networks with isolation enabled. This isn't a huge drawback, I'm just personally used to using "LAN Out" rules when configuring my firewalls. I guess the only advantage to creating your own rules is not needing to double up on the "LAN-IN" and "LAN-OUT" rules, but this kind of depends on your approach to firewall rules. I'm just not used to doing it that way so it made more sense to me to stick to "LAN-Out"... but it's probably more work in the long run. Thanks for pointing that out and getting my brain going.

@@ToastyAnswers This is a great video! I have one question though if you don't mind - what's the difference between LAN-IN and LAN-OUT firewall rules? I would've thought we need both (to control for bad actors coming into the network, and bad actors already in the network e.g. virus on an IoT device trying to dial home going out), which then leads me to think maybe I need to use both the "Isolate network" checkbox AND also set up my own firewall rules? Would really love your advice, thank you.

Just from the output it sounds like a routing loop. Typically, when the TTL expires it means there is an unreasonable amount of "hops" between the two destinations. This normally happens when you have static routes configured incorrectly or an issue with NAT between two VPN networks. If routing is set incorrectly you can end up with Site A sending traffic over to Site B, and Site B just sending that traffic straight back to Site A. The traffic just gets bounced between the two different sites since each thinks the correct route is back the other way. Eventually, the TTL on the traffic expires since it's stuck in an infinite loop of being routed the other way.

Not off the top of my head, but I know the C9200s have four SFP+ ports which could be populated with RJ-45 SFPs. The actual port density is nearly identical to the CBS350s (24 1gbps RJ-45 & 4 SFP+ ports). The difference I believe is that the SFP+ module is an additional purchase (the switch comes with a blank module by default). If you haven't looked into the Catelyst line before be prepared for sticker shock.

Yes, the site-specific configuration is carried over with the site. This includes all the wired and wireless networks from the previous site.