Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0

133,706 views

The Hook Up

3 years ago

Is your network secure? Port forwarding is one of the largest vulnerabilities on any network. In this video, learn to set up a VPN instead. Thank you www.pcbway.com/ for sponsoring this video.
Equipment Recommendations (Non-Affiliate Links):
Dream Machine Pro: store.ui.com/c...
UniFi AP-6-Lite: store.ui.com/c...
16 Port PoE Switch: store.ui.com/c...
WiFi6 Mesh System (Plug and Play): amzn.to/2NGOsUX

Comments: 227
@stepheng2131 3 years ago
My Unifi stuff arrives this week, I’ll be watching this series about 2,615 times
@MichaelStephenLau 3 years ago
I'll be watching 802.11 times
@danbeaudoin8043 3 years ago
@@MichaelStephenLau ¹
@JohanLander 2 years ago
Me too ....
@rogersmj 3 years ago
Rob, this is the best series ever. I know it's a bit outside the "smart home" core content realm and more into networking, but it's perfect because that's what most of us need -- network configuration for smart home enthusiasts, beyond the basics but not as complex as enterprise-level pro networking. You hit the sweet spot. Currently running a UDM-Pro, 24 port POE and 5 APs. Have made big strides in making the network more secure thanks to this series.
@netmikey 3 years ago
Shoutout to you for making such a complex subject that comprehensible. I can only imagine the time and energy you put into those videos. In the name of all of us watching but rarely commenting: THANK YOU!
@ptz7902 3 years ago
13:29 "...and then remember to adjust your local IP address' firewall rule to include this new subnet" is where my cranium exploded. Went back and looked at Part 2 and Part 3 to see your firewall rules and couldn't figure out where this one was. (Fantastic video series, BTW...THANK YOU!)
@stephendixon8575 2 years ago
Hey Rob, I know you’ve already heard this over and over but I just wanted to say a huge thank you for putting together such an amazingly detailed and comprehensive series covering both how to set up the UDM Pro as well as a really useful guide to topics like how to split up your network into VLANs (and why) and still get the functionality you want by using firewall rules, port security and even VPN. I have spent ages trying to get my head around this stuff from lots of different sources; I only wish I’d found your videos first as they not only explained everything in understandable, logical terms but it covered everything I needed all in one place! Can’t thank you enough. I know you started off with lengthy videos and edited them down tightly, which must have been hard work - though long videos don’t put me off and for all those with too short an attention span, this clearly ain’t a topic for them! Anyway, I’m not complaining - It just means there was so much valuable information densely packed in here that I had to watch both Part 2 and 3 twice over to make sure I didn’t miss bits! Out of interest, I also watched the videos on the UDM Pro from Crosstalk Solutions covering quite a few of the same issues (though I preferred your delivery style and explanations). One key difference is that he used the USW-Pro-24 which has some Layer 3 capabilities - so he could block communication between devices on a VLAN and didn’t need MAC address filtering. This got me thinking that using the switch’s VLAN routing capabilities would be one way to have your cameras on a different VLAN and let the switch carry the load rather than bog down the CPU on the UDM Pro maybe?
(I know you’ve looked at using a 2nd NIC from your replies to comments) One major difference though was that he ensured none of the devices on his IoT VLAN could ping the main LAN gateway or those of other VLANs, and also blocked traffic from the IoT VLAN to ports that could enable access to the UDM Pro GUI on the IoT VLAN gateway IP address, which I thought was a good idea and was not something you covered in your videos. Wonder what you make of these differences and would be interested to hear your thoughts (if you have time) 👍 - sorry for the long comment
@x99percent 3 years ago
I like the MAC address restriction. Another approach would be to add a 2nd NIC to your NVR, then put all cameras and that 2nd NIC on a completely restricted VLAN.
@davidjohnson2782 3 years ago
Great Video, but is there going to be a Part 4 for the Wireless Optimization trailed in Part 2? I was really looking forward to that bit!
@TheHookUp 3 years ago
Ah CRAP! I knew I was forgetting something.
@rogersmj 3 years ago
@@TheHookUp Yes please do WiFi optimization! Also best practices for traffic segmentation on WiFi...separate SSIDs or is there another way?
@pjnorris 3 years ago
+1 on this
@ChristianLappinOFFICIAL 3 years ago
+1 on wireless optimization and settings
@richnmercy 3 years ago
+1 Wireless Optimization
@token112 3 years ago
Will enjoy a vid on reverse proxies for sure!
@waynenocton 1 year ago
Not that your other videos aren’t great, but your UniFi videos are so good. Need input lol.
@Thamli 3 years ago
Definitely better in 3 videos: - more videos! - more ads, good for you - added feedback on comments from previous videos in the series Well done!
@DatMammut76 3 years ago
This is one of the most helpful series I’ve ever watched on KZbin, and I am firmly in the pro-sumer category and deal with networking often, although it’s not my primary job responsibility. The tips on products alone are more than worth the sub and notification. Thank you!
@TheHookUp 3 years ago
Thanks Donald!
@cossecoss 2 years ago
You truly have an excellent way of presenting, explaining and visualizing the various topics in the right amount of time divided into parts. And, completely free from goofiness and acting out like pretty much every one else does. Thank you so much. Now it's time to put the stuff I've learned from you into practice.
@johnniller9498 3 years ago
Trunk Configuration = All VLANs (Untagged ports)
A switchport can be configured for 1 VLAN only. For Cisco that's
switchport access vlan 6
switchport mode access
spanning-tree portfast
This port will have traffic on VLAN 6 and 6 only. The trunk (Untagged port) configuration above makes traffic traverse native VLAN but that port can still see all VLANs and you can vlan-hop between them without going through the gateway. Good job on the vidz, thanks for all your work
@tomermatmon 3 years ago
Bravo 👏 I am watching your videos for year! Great job! Was waiting forever for a deep dive on unifi setup. Thanks 🙏
@powersonic6255 1 year ago
Wow, I need to watch this again. There is a lot in this video.
@KenOttaviano 2 years ago
This series was incredible. You covered so many important nuances that an advanced home network operator will face when configuring the network. Well done!
@bond2k3 3 years ago
Would be great to have a video on how to setup WireGuard (on a server / raspi) together with UniFi.
@RMH1990 3 years ago
Hi Rob, The videos are great just one question... In the video above you are talking about setting up the VPN hosted from the UDM pro and at 13:30 you mention "remember to adjust your local IP address's firewall rule to include this new subnet". I thought I knew what this meant but I must not as I can't get the VPN to work properly. Any chance you could do a video purely about setting up a VPN from the UDMP? Just in case anyone else knows what's wrong, here are a few more specifics... When I connect a client to the VPN, the client thinks it is connected but I don't think the UDM does because under "Networks" of the UDMP's settings, it says 0 IP leases have been issued. The client also doesn't show up in the clients section of the main UI on the UDMP. Although the client reports that it is connected. My guess is that the connection has been made but that there is some rule missing which actually allows it to communicate with anything. Anyone have any ideas?
@adambuchanan6599 2 years ago
Man, thanks for going into such depth on all of this. I am just now dabbling my feet into some more advanced IT stuff as a hobby/back-up career plan, and you are certainly giving me a lot to study and consider.
@playingoffscratch5661 3 years ago
Brilliant video and enjoyed watching the series. I setup the VPN but I could not connect to my L2TP server through my iPhone. I followed the unifi troubleshooting faq and updated my ports on my isp router. It now works and allows me to control my non-internet enabled iot device network whilst away from the home. Thank you.
@LaneMcCall 3 years ago
8:54 this is exactly what I was hunting around for on the internet. I want the ability to add/modify my own signature file but I was under the impression that I didn't have a feature enabled or something to that extent. C'mon Ubiquiti! And by the way, I stuck around for your whole video and it was put together very well. I got my Unifi network built up a couple months ago and have a near identical setup to yours (minus the untagged cameras). Keep it up!
@bneexotics2120 1 year ago
Very helpful series mate 👍 I will have to watch part 2 a few times to fully understand the process but I will get there ... Thank you for the knowledge 🙏
@D.hodge87 3 years ago
I just ordered a Dm pro, an extra 8 port POE switch, and 2 access points along with 1,000’ of cat6 and the required terminals. Thank you for the great videos, we’ve struggled with bad home networking for years using off the shelf home routers; and now that we have nearly 50 devices on the network at any given time it’s worth the money to invest in a solid home setup!
@phantomsr6280 2 years ago
In your next video you should cover firewall rules for the VPN connection. VPN connections bypass the LAN IN rules gaining full access to all your VLANS. You need to create LAN OUT rules if you want to restrict access. You also have to make your own network group for them as it's not in the predefined "Networks".
@MikeS29 3 years ago
I just watched all three parts. Now I'm going to watch them again! Great stuff, this helps me a lot.
@RevNelson 3 years ago
Great content! I'm really looking forward to you covering additional reverse proxies and VPN options beyond what the UDM Pro is capable of.
@natedogg624 3 years ago
Do you have a video or blog that discusses how to keep Home Assistant working when the internet is out but local WiFi is active?
@UltimateTechHub 3 years ago
Great explanation on Networking Basics. I never use MAC address filtering because of MAC address spoofing attacks where the hacker hunts the network for valid and original MAC addresses and circumvents access control measures, giving the hacker the advantage to pose as one of the valid MAC addresses. But you are correct in your situation, MAC spoofing is unlikely. I learned all of this info in CISCO academy and you have definitely done your homework. Good job.
@garyseaman6105 1 year ago
Thank you for the video. Recently my ISP router went down and I lost communication with most of my iot devices. I did get them back but it took a lot of work. Also, I didn't like the idea of the old one being taken away with information about my network. So I need to rethink my current network. I'd not thought about this until the ISP router went down.
@machook1987 2 years ago
Man, thanks so much for this set of awesome videos, helped me out a bunch! Couldn't have done it without you!
@MactelecomNetworks 3 years ago
Great video. Not a lot of people think about port security
@ferasmustafa2785 3 years ago
11:59 Hey Rob, Not all VPN users are "trying to hide their traffic because they're doing something illegal". It is more of a freedom choice. That said, this is definitely a great video series.
@TheHookUp 3 years ago
True true, but I've always considered VPNs to be a little bit foolish if what you're looking for is privacy. A VPN service has the ability to collect SIGNIFICANTLY more data about you than whatever can be scraped from your viewport and dns requests anyways.
@ferasmustafa2785 3 years ago
@@TheHookUp Agreed, the VPN use should never be considered the "ultimate privacy" solution, rather it is more of an initial step of Protection. Hardening the browser is equally important. Personally, I always couple the use of VPN with Browser's privacy-enhancing addons (i.e. HTTPS Everywhere, Privacy Badger, NoScript, Canvas Blocker).
@ray.cali87 1 year ago
Good series. I'll watch again because of the complexity in certain areas. I know I'm late to the party but I'm having a heck of a time trying to design a network that keeps my cameras off the Internet. I want to set up Home Assistant, so I'm only looking at window/door switches that send/receive information to HA. But I'm also starting out with 5 Reolink IP PoE cameras - gradually adding up to 16. I'm debating whether to purchase a PoE Managed Switch or a Reolink NVR. Reolink told me to try one of their NVR models to use saying not all PoE switches use the correct protocol which means the cameras will drop off or not work altogether. Also, HA can view the cameras either through their IP address or through the NVR. I have an HA automation to send out notifications on person detection but only to certain devices that have the HA app installed. I'm thinking about dropping the whole kit and caboodle in an IoT VLAN with no Internet access but that presents problems: Ubuntu and HA updates on HA Server, updates to the NVR, and making sure the camera automations can reach the HA app on iphones when they are away from the house. Thank you
@antisk8 3 years ago
Instant like for the thumbnail - boomer af but absolutely amazing. Thank you
@Govik420 3 years ago
Just got a UDM Pro and really enjoyed these tutorials. Thanks! That said, I would enjoy a reverse proxy video.
@GrahamBrown11 1 year ago
Hey Rob @TheHookUp I recently heard of a new VPN option in the Dream Machine called Teleport, under the hood it's WireGuard and much easier to set up 😀
@scarlaxx 3 years ago
@The Hook UP In the VPN drawing there you have 'Pubic IP' :)
@TheHookUp 3 years ago
Haha, that is odd, I even made the same mistake on all of them.
@sdfhjklhsfdjdsflhkds 3 years ago
Another great, and very instructional, video. A really great series!
@MrYawAsante 3 years ago
This series is awesome...thank you so much for that! I was wondering if a DMZ (demilitarized zone) would be a suitable place for (potentially) vulnerable services and how that could be accomplished.
@johnwalker3180 3 years ago
Great video; love the clear explanations with visual analogies! How would you compare VPN through Unifi device as shown in this video vs VPN using Wireguard through Unraid?
@mitchese1 3 years ago
Unifi also unofficially has a wireguard binary. it's a bit more involved to setup than clicking in the ui, but it works
@JohanNordberg 2 years ago
Really excellent series. I learned a lot!
@mediamaster2694 3 years ago
Thanks for the very helpful videos The only thing that was missing was the Wireless System optimization you referred to in part 2, I think.
@SteveKelem 2 years ago
The settings are in different places in UniFi 7.2!
@schwagerik_ 2 years ago
True, Ubiquiti mixes names and makes other categories. And then the beginner gets confused by the settings.
@ramisober6888 2 years ago
Hi, Your videos made life easier for me setting up my new home BIG THANK YOU. One thing if possible to add to the group of essential devices you mentioned. Do you plan to make any videos about NAS (i.e. Synology) especially that they are also becoming a necessity and can run Docker & Virtual Machines on which Home Assistant can be hosted. Looking forward to more good stuff. Wishing you a happy, safe, and fruitful 2022
@aaronlangeland 2 years ago
I would love thoughts on the new 7.1 OS, specifically regarding the Teleport functionality built-in to it. It looks like it automatically creates a new network (at least a new subnet #). Any firewall rules needed? Any idea if this has similar push notification limitations?
@danielrossi3630 8 months ago
Hi. Have you found out about the firewall rules? As soon as I implemented the rules suggested in part 2, Teleport stopped working..
@fv7947 1 year ago
FREAKING!!! good job. Thank you
@b99eu 3 years ago
Thanks a lot for all the insights in this topic. Helped a lot in setting things up.
@WShealy 3 years ago
Glad I found you again. You have made a big step from holiday LEDs. When I discovered your holiday lights I was looking for inside LEDs for mounting on rafters and under cabinets. Primarily white but at least some place holiday and party color. I couldn't find the review you linked to before and expect that much has changed in 3 years. Also control options somewhere I saw one that was power supply and controller in one. Anyway could you do a 2021 update my wife wants me to finish this lighting project. Thanks
@GogoDesignFilms 2 years ago
Question @13:51 When you say your "Public IP Address" are you talking about the default gateway?
@poland153 3 years ago
Great vid Rob! I would love to see a reverse proxy video in the same eli5 way you did with this one. Cheers!
@atvking535 3 years ago
Great video series! I know your whole network is based on Unifi products, but I would LOVE a video or two on the TP-Link Omada products if you could get your hands on them! They offer many of the same great features at a much lower price point.
@sirknightfall1 3 years ago
I think IDS/IPS signature updates are daily. I have had the occasional one fail and it always alerts me, however a manual retry usually results in it updating.
@billnewman7355 3 years ago
Are you going to do a reaction video to talk about the Ubiquiti breach? The fact it's been revealed on Krebs they downplayed the incident and it's even more catastrophic than reported to the media makes me feel Ubiquiti is dead in the water for me.
@medic95417 3 years ago
@@malakjm I think the issue with Ubiquiti, and the hack there was not enough information out there. Now I personally hate the fact that they require that you create an account on their site, but once you have the initial setup you can turn off your connection to Ubt if you did that you have no issues with this even back in January when it was first reported. Lawrence systems did a really good review of what has been going on with it. On another note Ubt has been the most recent reported but these issues have been plaguing all of IT infrastructure for as long as I can remember. Cisco, Juniper, Fire eyes, and F5labs being the most recent of the "Big boy" having been hit. Let's not forget Linksys, Asus, TpLink have all been hit with similar issues if not worse since they all have hard coded user passwords allowing bad actors to waltz right into to whatever system they want. Let's not forget even Verizon was hit with all of the routers they sent out for their Fios system. Security is not easy you need to do a lot right to be safe a bad actor needs one lucky shot to pwn you.
@christopherhaywood7282 3 years ago
Thank you for the time and effort you put into your videos!
@Vonzercroft 2 years ago
I'm trying to connect to my vpn from an android device and only options I have are l2tp/ipsec PSK or l2tp/IPSec RSA and I don't seem to be able to connect to my vpn using my wan and a user account setup? Is there a way to get just basic l2tp on android or am I missing something on configuring for ipsec psk/rsa?
@GoogleUser-ee8ro 2 years ago
4:35 this firewall rule poses one potential problem: if you accidentally unplugged and swapped the port on the switch with another camera, then this camera will not work anymore.
@Streetwiz2009 3 years ago
Great video as always Rob. keep up the good work
@steli25 3 years ago
Good stuff, you got great teaching skills ;-). This is like a good meal, consumed in 15 min but took hours to prepare :-) 1. Is there a reason why you don't use port isolation? It is available under advanced network settings and WiFi settings as well. There are only a few devices/services that need to be allowed to talk with other devices in your network, other than that every device should be isolated to stop lateral movement. 2. Also you can whitelist the address for your devices that do require to go out. By doing this even if somebody has access to your physical network port and spoof your device MAC address (which is usually written on the camera sticker) it cannot "attack" other devices as the port is isolated, and cannot use the internet (can only go to the whitelisted websites for that MAC/IP Address).
@gkburner9849 2 years ago
I have started on this but there is a very important feature missing in Unifi. Parental Controls and scheduling capabilities. I wish I knew this before I jumped on it, for me it’s more important than VLANs and other security stuff for a home user.
@wellsm 3 years ago
Thanks so much - this was quite helpful. Got my UDM last week and I feel confident in my setup. For Part 4 - how about ipv6? I have it functionally working but have concerns about how the firewall and other security components should be configured.
@overclocktime6312 2 years ago
I like the "Pubic IP", I think I'll also start referring my external IP as "pubic" 😅
@loenus4262 3 years ago
Great video!!! Thanks, but what about the "more robust vpn solutions than the built-in unifi vpn"? I would love to see a video about that! Keep going!
@user-zr7kz4vs7c 3 years ago
But if you use a VPN tunnel, will you still receive Home assistant app notifications, and sending location updates?
@andersdalmose2980 2 years ago
Really Great stuff. Helped me a lot. But I can not get my Philips Hue working from an IoT network. The same issue with my Danfoss Link heat display. Do you have a tutorial or guide? Once again, thanks for great videos.
@EsotericArctos 7 months ago
Hi Rob @The Hook Up Any chance of maybe doing a modern version of this video that would be suitable for new protocols, such as Matter, which use IPv6 only? I love the security of fully segmenting network devices, but this method breaks Matter and the suggestion is to flatten networks to allow Matter to work. Could we do the same thing restricting devices with port/IP groups instead of VLANs ?
@sithcdw 3 years ago
I started having issues with game consoles. Tried all the recommended port forwarding, even game specific. Ended up creating a separate vlan and enabling upnp on that vlan. Fixed the issues.
@robertjackson771 3 years ago
As always Great information. Thank you.
@medic95417 3 years ago
The biggest issue that I see with MAC filtering is spoofing a mac address is child's play. If someone really wanted to do it you can spoof, and be running in less time than it takes to read this message. Especially when most cameras have the mac address printed right on the device. With that said it's like anything else every layer of security helps.
@BFArch0n 3 years ago
Site to Site VPN with dynamic IPs on both sides.....please provide a guide on this!
@kevinwhiten2804 3 years ago
Thanks for posting these videos. Very helpful.
@gswhite 3 years ago
As always very comprehensive and an excellent overview. Any chance you could cover a hot topic on the forums at the moment for Unifi Dream Machine Pro? Hairpin NAT for services that advertise access external from your network. I remember the principles for Ubiquiti Edge Routers, but wondered how that applied to Dream Machine?
@mitmaxim 3 years ago
Did you, by any chance, create a writeup with your settings for UDM Pro? They would be a great refresher for yourself (when you forget why and how you've configured specific features), and a fantastic how to for us following in your footsteps
@JohnWeland 3 years ago
A Windows VPN for mounting a "network drive" on an external PC would be slick
@mikekerr3071 3 years ago
Great set of videos! You need to blink more! LOL
@tonyb9785 3 years ago
Great series Rob. I've been wondering for awhile if you would consider doing a video addressing how to use SSL/https with a valid SSL certificate for local services, on a local network that does not use port forwarding. For security, I've always been told the more layers the better. While I realize the traffic I'm referring to is on my internal network, I'd prefer that this traffic be encrypted (through SSL/https). A decent example would be the Unifi Controller, while it is SSL/https, the SSL certificate is not valid (at least for my setup). Another example is BitWarden, which many will be moving to because of LastPass' recent changes. I've seen some tutorials for valid SSL certificates for SSL/https using a reverse-proxy like Traefik, but they seem to require port forwarding to allow the Certificate Authority access to your network (I may be wrong about this detail). The driving force behind my request is that I'm doing everything I can to avoid port forwarding, lol. Thanks.
@tonyb9785 3 years ago
I ended up getting this all setup and working ^. #1 priority with this setup was not using port forwarding and I was able to get this working and am super happy with it. Here's a link to my local server setup using docker. I'm somewhat new to DNS, so forgive me if I use the wrong terminology. I created subdomain A records in AWS Route53 (my DNS provider for my domain) pointing to my local IP (so this is a 192 address like 192.168.1.X); this approach is very similar to creating a subdomain on duckdns.org, which is where I started initially (but later I wanted to use my own domain). The rest is a matter of creating a caddy.env file to hold AWS credentials and domain names, creating a Caddyfile pointing a domain name to an ip using a reverse proxy, then running a caddy docker container with the right DNS provider plugin installed (this was annoying to find and I wish Caddy provided tags for separate plugins, but I kind of understand why they don't). Note that in the Caddyfile the reverse proxy points to the running service; a docker-compose is a list of services, the service name in the docker-compose is synonymous with the network name within that docker-compose, since all services in a docker-compose are within the same network by default. Another note, when running Caddy, it seems to take a few minutes for the DNS challenge to complete; this is clear if you watch the logs. It is also worth noting that this setup is only accessible from within your network. If you wish to connect to it from outside, you will need to setup a VPN. github.com/TonyBrobston/tbro-server
@tonyb9785 3 years ago
I should also add, for one reason or another, when the internet goes down this whole setup falls on its face. For now I've opened the ports needed for http and connect through http if the internet is down. At some point I'll attempt to address the root issue.
@techdad6135 3 years ago
Yuuuussss! I've been looking forward to this video!
@xanderdekok909 2 years ago
Great video! Thanks! I now have MAC filtering activated for all my POE cameras. I want to do the same for my outdoor AP, but MAC filtering doesn't work for an AP. When you activate the MAC filtering, only the AP is able to connect to the network, but all clients connected to the AP are not. Does anybody know how to only allow the AP to connect to my switch, but also allow its clients to connect to the network?
@emifro 3 years ago
I don't have Unifi stuff, but I have PiVPN and PiHole running on my Raspberry PI
@TheHookUp 3 years ago
There are a couple of really good pi based VPNs out there, the benefit of doing it on the UDM (other than not needing a separate device) is that there's no need to forward traffic into your network and expose that pi to the internet in order to run the VPN. Still a much better solution than port forwarding each device.
@MactelecomNetworks 3 years ago
Great video! Port security is something not a lot of people think about
@Fechual 2 years ago
Wow what an informative video! Question for you? I have almost identical setup as you on this video. Trying to do a simple port forward for a Helium Miner is proving to be very difficult for my limited knowledge. Are there any additional steps needed to properly forward a port besides the advance gateway steps? Thank you so much for your help! Subscribed!
3 years ago
Consideration number 5: Are you actually going to keep the service updated?
@oldguy5119 3 years ago
Regarding the IDS/IPS signature updates, it appears from my UDMP's system logs that the signature info updates daily or every other day. Ubiquiti Support could best confirm the how, when and from where the IDS/IPS signatures are updated. My experience with Ubiquiti support has been very positive. Ubiquiti Support assisted with an ISP problem when they didn't have to, i.e. wasn't an Ubiquiti problem.
@palwinderkaur5850 2 years ago
Could you please guide me: I have my printer on not vlan ho who I access the same printer from LAN
@JohnVanderbeck 2 years ago
Can an AppleTV be setup to use a VPN to access a remote Plex server, or is that one of those cases where you would have no choice but to port forward?
@siddharthtnj 3 years ago
Wondering if you have plans to talk about them read based IoT devices and how to manage them securely...
@julianelpro5513 3 years ago
nice tutorial. I'm wondering now how to configure google home in "home assistant" without using "Home Assistant Cloud". In the past, I have to use duckdns and do port forwarding to my HA server. What do you suggest about that?
@MarkWascherJr 3 years ago
I was about to ask the same question. I'm not in a position where I want to pay monthly for nabu casa.
@hardtimes4521 3 years ago
What about the public IP. What should I use in there?
@DavidFerreiraaBF3 2 years ago
I tried the mac filtering and tested the port with my laptop and I can still use the internet with a different device other than the one allowed by the mac filter. I think u forgot to tell us the firewall rule that tells the udm pro to drop the connection
@paulnolastname9422 3 years ago
I've reviewed all the videos looking for a solution. I have a VLAN for all my wired cameras. Pretty much set up the way you did it here, but I have a wireless camera that I want to add to this VLAN. It comes in over the wireless AP and I do not know how to get it onto the IP Camera VLAN using the VLAN DHCP. You intercepted your IP camera at the port, but on the wireless there is no port.
@GrimSpec 3 years ago
How do you update firmware on devices in NoT vlan ?
@softwareengineer9435 3 years ago
Why not just put the cameras in a completely new VLAN dedicated to them? Why do they need to connect to anything?
@michaelmenzie2806 1 year ago
If you create a "guest" network, should that network be included in the "all Local Networks" group?
@mafricimangmailaccount6611 2 years ago
I don't have a UDM however I want to remote into home while I'm away. I've seen reverse proxies as another alternative. What do you recommend?
@grahamjones7814 2 years ago
Do you port forward your Plex server? I have Plex and my CCTV Port Forwarded for external use.
@hardtimes4521 3 years ago
I can only connect to the VPN if I am on the same network. If I am on my phone LTE provider I can't!
@Ray12151 3 years ago
How much difference does IDS and IPS make if you have good firewall rules? Like I have an edge router… should I upgrade to UDM pro just because of IDS and IPS?
@allennatanel1270 3 years ago
About to have my house wired, the wireless access points are Poe? Is it safe to put one outside or will it compromise the network? I know with cameras you explained to do something with the MAC address can I do that with the wifi access point as well?
@yakuve 2 years ago
Now with Teleport I guess all these steps for VPN will change to a more simple approach.
@yasserabdalla1606 11 months ago
Great guide, is it possible to route VLAN traffic over magic VPN? Scenario is site A (UDM + USW24) and site B (UDR) connected with Magic VPN and each with a set of Cameras. Only site A has NVR and its cameras are on the same VLAN. And for the Cameras on site B to save streaming on NVR, they should be on the same VLAN?
@bradgarrett21 2 years ago
Love these series - set up my USG-based Unifi system based on your prior 2019 series. Just bought the UDM Pro as an upgrade. With the USG I had set up port forwarding to send all incoming traffic to a home server (forwarded ALL incoming ports with a single entry). When I replicate the same configuration with the UDM Pro, it won't work. I've tried factory resetting and installing from scratch (it took hours to record my old settings!), re-provisioning, rebooting, etc, and cannot get any traffic through the UDM Pro with a reply from my server. Any ideas on how such a set up should work under the UDM Pro?
@SteveKelem 3 years ago
The doesn't match what the RADIUS profile setup screen shows. It's asking for the Authentication server. Is that the UDM? (I don't have the Pro, just a UDM.)