Configuring VLANs, Firewall Rules, and WiFi Networks - UniFi Network Application

230,987 views

Techno Tim

1 day ago

Comments: 217
@TechnoTim · 1 year ago
A couple of mistakes:
- I misused "VLAN Hopping" - I meant "inter VLAN Communication"
- "local" in UniFi speak means "traffic that is destined for the UDM/USG itself."
- "All" in UniFi speak is a Trunk that includes all VLANs (which are tagged)
This is why I love this community! Lots of networking experts so keep the knowledge coming! Thank you all for the help!
@bcookbsdwebsol · 1 year ago
It is called routing.
@MorphicStates · 1 year ago
Yeah, I was going to call this one out, but "inter VLAN Communication" = Routing Trunks don't always include all VLAN traffic. Only vlans assigned to that trunk. But basically you either have trunk or access.
@VicFryzel · 1 year ago
Hi, I came across your video and appreciated you walking through this. Shortly after your video, Unifi released Traffic Rules. Would you please consider updating your video's description to mention those? The reason I ask is that folks should know that using those eliminates much of the burden you mentioned of maintaining IP groups, making securing your VLANs faster to do, if not simpler overall. Just a thought, thanks!
@Sauron_Says · 11 months ago
@TechnoTim You might want to pin your comment as it's fallen down the comment list
@BenCos2018 · 9 months ago
your pin got lost when you edited it @TechnoTim
@LAWRENCESYSTEMS · 1 year ago
At 10:44 yes I am watching and yes you got it right! :)
@TechnoTim · 1 year ago
Thank you Tom! 😅
@ryan.stutzman · 8 months ago
Well he's mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
@GladeDuck · 26 days ago
For anyone with UniFi network 8.4.x. They have now updated network to have set options for "Isolate Network" and "Allow Internet Access" that saves you from needing to set these firewall rules manually. Isolate Network specifically lets the devices on that VLAN communicate with each other and not with any other networks, exactly what you'd want for IoT devices!
@Kaotix_music · 6 days ago
Yes it does and it's AWESOME! BUTTTTT**** If you click "Isolate Network" it blocks *ALL* networks. Here at my office we run Unifi and what I ended up doing was exactly what Tim did, because I have a VLAN called "ADMIN" and it's only Sys Admins allowed on that network so we can still get into our PBX, any IP phones, etc. We want to block anyone on the default network from accessing any other VLANs that have devices on them that should ONLY be accessed by the IT department, don't want an employee going through their phone and seeing an IP, putting it in a browser and start clicking shit lol. So we leave the Voice VLAN "isolated", except to the Admin network.
@TechnoTim · 1 year ago
Have you set up VLANs? How do you use them?
@Bill_the_Red_Lichtie · 1 year ago
I currently have 4 VLANs, LAN, IoT, DMZ and Guest. I have also been considering moving my servers to their own VLAN because they don't normally initiate communications to my LAN devices.
@CRK1918 · 1 year ago
I have six VLANs: server /25, management /27, Home /24, IoT /26, Guest /23, and Native /24. Under normal circumstances, all communication between VLANs is prohibited unless I allow certain activities, such as management allowing to all, guest denying to all RFC1918 networks, home to some server network, and server deny to some IoT net; all this with pfSense makes it straightforward to set up.
@AlbusRegis · 1 year ago
In a nutshell, trunk ports expose all traffic from the VLANs by appending the VLAN id to the ethernet frame. This enables devices capable of reading this tag to manage the VLANs as well, making possible things like using the same VLAN across multiple switches or exposing the VLANs to a hypervisor for it to manage them internally.
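To make the tagging mechanics described in this comment (and in the trunk-port replies above) concrete, here is an added Python model of an 802.1Q access port and trunk port. It is example code written for this page, not anything from the video or from Ubiquiti; the MAC addresses, VLAN IDs 20/30/99 and the allowed-VLAN list are constructed sample values, and the port model is deliberately simplified (no MAC learning, no QinQ, and tagged frames arriving on an access port are simply dropped, which is one of several behaviours real switches show).

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame. With vlan_id set, an 802.1Q tag (TPID 0x8100 plus a
    16-bit TCI: 3-bit PCP, 1-bit DEI, 12-bit VID) is inserted after the MAC addresses."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = (pcp << 13) | vlan_id          # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Decode the header; 'vlan' is None when the frame carries no tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}

def strip_tag(frame):
    return frame[:12] + frame[16:]

def insert_tag(frame, vlan_id):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]

class Port:
    """Simplified switch port. 'access': one VLAN, always untagged on the wire.
    'trunk': the native VLAN travels untagged, the allowed VLANs tagged, others are dropped."""
    def __init__(self, mode, vlan=None, native=1, allowed=()):
        self.mode, self.vlan, self.native, self.allowed = mode, vlan, native, set(allowed)

def ingress(port, frame):
    """Classify a received frame. Returns (vlan, frame without tag) or None if dropped."""
    info = parse_frame(frame)
    if port.mode == "access":
        # the switch assigns the VLAN; a host on an access port cannot choose one by tagging
        return None if info["vlan"] is not None else (port.vlan, frame)
    if info["vlan"] is None:
        return port.native, frame
    return (info["vlan"], strip_tag(frame)) if info["vlan"] in port.allowed else None

def egress(port, vlan, untagged_frame):
    """Prepare a frame that belongs to `vlan` for transmission out of `port`, or None."""
    if port.mode == "access":
        return untagged_frame if vlan == port.vlan else None
    if vlan == port.native:
        return untagged_frame
    return insert_tag(untagged_frame, vlan) if vlan in port.allowed else None

def forward(in_port, out_port, frame):
    """Carry one frame from in_port through the switch to out_port (None = dropped)."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vlan, untagged = classified
    return egress(out_port, vlan, untagged)

def demo():
    # Constructed sample MACs and payload, not captured traffic
    iot_device = bytes.fromhex("02000000aa01")
    gateway = bytes.fromhex("02000000ff01")
    access_iot = Port("access", vlan=20)                         # IoT device plugged in here
    trunk_to_gw = Port("trunk", native=1, allowed=(10, 20, 30))  # uplink carrying all VLANs
    untagged = build_frame(gateway, iot_device, ETH_IPV4, b"echo request")
    on_trunk = forward(access_iot, trunk_to_gw, untagged)        # switch adds the VLAN 20 tag
    return {
        "trunk_vlan": parse_frame(on_trunk)["vlan"],             # 20
        "trunk_payload": parse_frame(on_trunk)["payload"],       # b"echo request"
        # VLAN 99 is not allowed on the trunk, so it is dropped at ingress
        "unknown_vlan": forward(trunk_to_gw, access_iot,
                                build_frame(gateway, iot_device, ETH_IPV4, b"x", vlan_id=99)),
        # VLAN 20 traffic never leaves an access port that belongs to VLAN 30
        "wrong_access_port": forward(trunk_to_gw, Port("access", vlan=30),
                                     build_frame(gateway, iot_device, ETH_IPV4, b"x", vlan_id=20)),
        # a host on an access port cannot pick its own VLAN by tagging
        "self_tagged": forward(access_iot, trunk_to_gw,
                               build_frame(gateway, iot_device, ETH_IPV4, b"x", vlan_id=30)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last three cases in `demo()` are the point of the exercise: VLAN membership is enforced by the switch at the port, which is why a firewall on the gateway only ever sees inter-VLAN traffic that has legitimately crossed a trunk.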
@rethinking3289 · 1 year ago
There is something I don't understand about the trunk port. As you said, the trunk port got all the VLANs. So if I have port 1 as trunk and connect it to my router with one cable, and the router and switch got VLANs 20, 30, 40, when I make a firewall rule to route between VLAN 20 and 30 the traffic has to go through the router, right!? My question is: that one cable is my bottleneck for bandwidth, right? So if I want to increase my bandwidth I have to create a LAGG between the switch and the router? I got confused about this because D-Link switches call LAG trunk ports.
@Techintx · 1 year ago
@rethinking3289 yes that's right: by default inter-VLAN traffic will have to go from your device, through a switch (if you're using one) up to the router and then back down through the switch and to the other device. If you have a L3 switch, then there's the potential to bypass the router, and have the switch route the inter-VLAN traffic, but then you're also bypassing any firewall rules in the router, at least when using a unifi router and switch. Given this, I'm still struggling to understand how a unifi L3 switch is useful, unless you want all inter-VLAN traffic to be wide open.
@rethinking3289 · 1 year ago
@Techintx yeah, to me in most cases you create VLANs to isolate your network and only allow specific traffic with firewall rules as needed.
@hangingwithvoid360 · 7 months ago
At 22:02 that just seems ass backwards to me calling the group IOT ONLY when you made the group all the other networks except the IOT network. I would have named the group something like ALL BUT IOT. Just me, but I get why you did it, makes it easier because the firewall rules are backwards.
@UnchartedWorlds · 11 months ago
21:49 a better, more logical name would be: "All Minus IOT-BETTER" or "All Except ...", "All Other", etc.
@MactelecomNetworks · 1 year ago
Great video Tim! Easy to follow and understand. For blocking inter-VLAN routing I just use 1 rule (RFC1918 to RFC1918), just condenses the list a bit. As for LAN local, this is the gateway; you would need to put block rules for your gateway so the other networks (IoT) can't hit the firewall interface. Have a great weekend, very entertaining :)
@TechnoTim · 1 year ago
Great tip! Thanks for stopping by!
@Polkster13 · 1 year ago
@TechnoTim You need to pin this comment to the top.
@TheRealAnthony_real · 1 year ago
WAN-Local same story, WAN-IN jumps the gateway (I think)
@pbear06 · 1 year ago
Wouldn't it be better to set a DROP default policy for everything? And then open only what we need when we need. That's what's going on with pfSense. It should be the choice of Ubiquiti.
@scottcook6912 · 1 year ago
In the IT space here on YouTube, I think Tim is the best teacher. Dude's got skills.
@TechnoTim · 1 year ago
Thank you!
@plotikai · 1 year ago
I see you're using LastPass, maybe considering recent news its time to make the switch? Have you thought about doing a video on Bitwarden deployment?
@richardsieminski5447 · 1 year ago
I am fairly new to home networking/Linux and I found this episode to be the ONLY explanation I have understood of VLANs. Thank You. lol
@harryburton959 · 1 year ago
Hi Tim. Excellent explanation. You may not be an IT guy but your explanations are superb. Keep up the good work and thanks for helping to make difficult tech easier to understand.
@MrWadezz · 1 year ago
Hey, there's a Terraform provider for UniFi! You can do it all as code! It's very handy to avoid the click simulator that is the UniFi interface. Once you understand how it works by spending a little time maybe in the UI, you can really get stuff done fast using the tf provider! I would love a video about that if you get to spend some time with it! Great videos man, keep it up
@bcookbsdwebsol · 1 year ago
Hey there.. can you share? (thank you)
@MrWadezz · 1 year ago
@bcookbsdwebsol comment got removed twice... paultyng/unifi on the Terraform registry
@JavierPerez-fq2fi · 1 year ago
Great, full explanation Tim! This is becoming more critical, especially since working remotely from home and the increased amount of IoT devices at home. However, I still believe it is not as easy as plug and play yet, so reserved for a bit more advanced users than my parents for instance. Thanks for spreading knowledge around this hot topic ;)
@MrZiemwit · 1 year ago
So you say that it is cheap and then start UniFi ;) cheap means some cheap TP-Link or OpenWrt or else, not some fancy stuff, c'mon
@Bill_the_Red_Lichtie · 1 year ago
Really nice video, very informative. I use pfSense but the concepts are the same. An untagged port passes all the "tagged" traffic that you allow. So you can set the port to allow IoT and IOT Better through but block the other VLAN tags. The other aspect of a "tagged" port is that the device behind that port doesn't know about VLANs and the switch automatically tags traffic from the port with the VLAN id.
@drossi2002 · 1 year ago
Hi Tim. Excellent video. I also use UDM and I am setting up a similar configuration to isolate IoT devices but I am not sure about the best way to deal with Proxmox. Do you have the VE in a specific VLAN? What about the different VMs? I am running HomeAssistant as a VM and by default it installs in the same VLAN as the VE. How can I get the VM installed in the IoT VLAN? More in general, how can I get to select a specific VLAN in which a given VM will be installed? Hope you can give me some guidance. Cheers
@jairuschristensen2888 · 7 months ago
Worth mentioning this is now much, much simpler with Traffic Rules. It can be done in a single rule.
Action: Block
Category: Local Network
Local Network: IOT-Better
Traffic Direction: Traffic from all local networks
Device/Network: All Devices
Schedule: Always
Name: Block IOT-Better to All
@fernandotfmx2805 · 6 months ago
You're the hero we don't deserve...
@Marc42 · 2 months ago
Nowadays it's even easier - just tick "isolate network" at network level, and it's done!
@SertexProductions · 1 month ago
@Marc42 The same to block Internet access. Tick off 'Allow Internet Access' at network level.
@mike-oh7pz · 1 month ago
@Marc42 Then the devices on that network can't talk to each other. This is only good for a guest VLAN network
@nathan12581 · 1 month ago
@mike-oh7pz yes they can, the description has "devices on this network are able to communicate with each other"
@kaspermeesen2798 · 1 year ago
Ever thought about using terraform to manage it? It's nice to have it in code and I don't like clicking in a UI :)
@kgottsman · 1 year ago
Never knew there was a terraform provider plug-in for UniFi. There goes my day. 🙂
@TechnoTim · 1 year ago
Yes, I have looked at it a few times! It's in my backlog!
@MrWadezz · 1 year ago
Yup, way to go! I use the tf provider and CI pipelines to push updates to my network and it's been saving me so much time clicking around in the UI
@stratixmedia · 1 year ago
It's odd that Unifi has inter-VLAN routing enabled by default considering that virtual network segmentation is pretty much the primary reason most people set up VLANs in the first place. I can confirm that both Cisco and HP MLS switches have lanbase routing disabled. On the subject of port assignment, it seems that Unifi takes a space somewhere in the middle of Cisco and HP. By default, Cisco lets any VLAN travel on a Trunk (tagged) port unless specified otherwise, while HP requires you to tag the port for any and all expected VLANS other than Native.
@dpz1 · 1 year ago
What tool did he use to draw and animate his network architecture diagram? Awesome video as usual.
@camberwellcarrot420 · 16 days ago
Just setting one of these things up and created an IoT network connected to one port on the UCG Ultra with its own VLAN, everything else is on the default VLAN on a separate switch. I'd like to make a rule to allow all devices on the default network to be able to connect to the ASUS router in access point mode to be able to update it or reboot it without having to connect directly to that access point. Do you think I could figure out how to make a firewall rule which would allow that? Nope. I'm totally new to these Unifi devices, but the firewall section is just plain confusing. Maybe I need to create another VLAN for my trusted network and leave that default network/VLAN basically empty? And how the hell do you make a rule to allow ICMP/Echo/Echo Reply? Sorry, venting.
@marcomusso3515 · 1 year ago
Great, Tim! What about recording a video to show different vulnerability scan tools? Greenbone, Nessus, Kali Linux and so on... Thanks!
@FeliXGamR-Jp · 4 months ago
Hey @TechnoTim, I think you should do an update video to this. I just bought my UDM-SE and found your video extremely helpful, but I think Ubiquiti updated the ability to isolate VLANs with a checkbox without having to do all the firewall rules & groups manually. I was using my laptop connected to the WiFi AP, turned off my firewall like you did and tried pinging my desktop, and it returned lost packets when "Isolate Network" was checked. BTW love your videos man, they are really informative and helpful for someone new to all of this gear.
@24torbenbeck · 7 months ago
Hey Tim, great video. I followed it and all worked great, having a Chromecast on my IoT network and my smartphone on my main (trusted) network, until I added the firewall rule "block IoT to All". After adding the rule I can't see my Chromecast (on IoT) in the list of devices I can cast to on my smartphone. I have Multicast DNS and IGMP Snooping enabled. If I pause the firewall rule, the Chromecast returns to the list of devices I can cast to. Do you have any idea what I am doing wrong?
@PODLine · 8 months ago
Sorry for commenting on an "old" video... I don't like this "ONLY" group you are creating (@16:13). Every time you add a new network, you will have to edit all your ONLY groups to include the new network...this is a ticking time bomb in your setup. There must be a better way 🙂
@timrubio6592 · 12 days ago
OK I need some help... can you do this... but with a 3rd party gateway (meraki preferred)
@justanotherhuman-d6l · 1 year ago
regarding the "vlan hopping" it isn't that, it's because you have "Multicast DNS" on for the Network. That allows devices to traverse VLANs.
@visualoddity · 1 year ago
One issue after doing this. Thoughts? First - Great video! I've been wanting to segregate my IoT network for a long time now, but haven't. I randomly searched and found this yesterday, and it was so well done I decided to learn this morning. Followed step by step, and got it done a few minutes ago. Thank you! I can see the IoT devices (such as Chromecasts) when I pull up the menu to cast from YouTube, but if I try to cast to any of them, it just hangs and won't connect. If I move my phone to the IoT network, it works flawlessly. Any idea why this might be? For reference, my network is super simple. Basically it's all auto-configured and using the default settings. The only major change is following this process to put the IoT devices on their own VLAN (101) by restricting the WiFi they use (Pariahs) to the IoT network.
@paulw4487 · 1 year ago
Or you can just put the IoTs on a guest network. That will just handle the firewall for you.
@Ex_impius · 1 year ago
I've been using UniFi for almost 3 years and I never used profiles for my firewall rules lol. My firewall rules are a mess lol, I have everything secure but it's definitely a mess.
@ericilkwatson5557 · 4 months ago
Hi, thank you for this tutorial. Is there any way to setup DSCP tagging for QoS based on ports?
@Pzdrs · 1 year ago
communication between vlans is just inter vlan routing, vlan hopping is an attack that allows the hacker to hop around between different vlans I think
@cxl520 · 1 year ago
Actually, all trunk ports are tagged ports except for the native VLAN in Cisco, which means it allows one untagged VLAN to go over the trunk; trunk ports are usually between switches and routers, and sometimes also a PC NIC that supports it. For example, on your Windows machine, if you find the adapter settings you can specify a VLAN number and then connect to a trunk port. It is very useful if you are using VMs. All the access ports are untagged ports, for security and for devices that don't understand VLAN IDs.
@johnjbateman · 1 year ago
Thanks for this! I made it through the VLANs myself and got intimidated by the FW rules. Now I can follow what you have and finish the job!
@mountainsinmymind · 1 year ago
Literally was working on some VLAN stuff last night, great timing to make sure I have everything buttoned up properly. Thanks!
@gregsera · 4 months ago
It blocks in both directions for me!? Don’t get it
@faikwo · 1 year ago
This is exactly the video I have been after. Such a great explanation. Thanks a lot Tim!
@ashsharp1985 · 5 months ago
Get directed to a VPC and a Virtual Network. Try to get out of that. :)
@makeitworktech · 3 months ago
Coming in clutch! Just got the UDM Pro! Great vids as always
@bronxandbrenx · 1 year ago
Can you discuss disposable containerization?
@cvought1 · 1 year ago
I just got my UDM PRO SE and Tim as usual has perfect timing for the content I need! Wow thanks Tim!
1 year ago
That's OK but ONE suggestion. Best practice in IT security is to block everything and then provide firewall exceptions. First ... You have better CPU performance of your router/firewall gateway, cause you are mostly blocking rather than allowing. Second ... your network is more readable. You showed the other side, you are saying allow all except bla bla bla, which leads to tons of rules, especially when you use the network the way you do. It's easier and more readable to count with one basic rule "block everything" and then add a few rules which accept connections than to set up tons of rules which SHOULD block something, cause it's hard to debug if you are really blocking everything you want. The main purpose of a firewall is to block. So I agree with what you've done, but I suggest swapping it.
@colorxlabs7200 · 1 year ago
I am using OPNsense. But no matter the OS, I wonder if you could provide a screen shot or a text representation of a rule set for an interface as per your ideas above. Thanks!
1 year ago
@colorxlabs7200 I don't have some easy setup usable for an example and for now I'm using RouterOS (Mikrotik). But it's like:
1 Accept ALL from Trusted-vlan # exception rules placed higher
2 Drop ALL # Drop everything
@sukhdeepsingh365 · 1 month ago
Why can we use device isolation to stop one VLAN to the other?
@Craxter · 1 year ago
How do you RDP into an "isolated" IoT network? If I try to ping my now locked-down network I don't get a response, obviously, because it's getting dropped. But like now I can't access anything anymore.
@braderunnah2204 · 1 year ago
Having the same issue - did you figure this out yet?
@Craxter · 1 year ago
@braderunnah2204 yeah, I didn't use firewall rules now. I opted for traffic rules and then I blacklisted communication between my networks. Works flawlessly and whitelisting stuff also works easy. And with my knowledge it's the same thing from a security standpoint.
@MarkJay · 1 year ago
thanks Tim!, this was super helpful. I set my VLANs up a long time ago and this was a great refresher.
@davidfarrell1062 · 1 month ago
You are correct that VLANs are important for home use too. The misfortune is that you are talking about $1000 to $2000 worth of kit with gateways, layer 3 switches, APs etc... There is no simple way to deliver these features. Plus a big increase in power consumption. If a person has a rack at home then they are not home users but IT professionals or YouTubers.
@BZ804MX · 5 months ago
How do I tag the WAN port with 2 VLANs? 1 tagged and 2 untagged?
@D4narchy · 10 months ago
As someone whose entire network is Ubiquiti equipment, I can honestly say that I hate Ubiquiti lol. Their GUI is not user friendly or logical, and quite often they add more features without fixing pre-existing bugs (I'm pretty sure there are one or two bugs that are going on 5+ years at this point). You can't throttle IPs, only ports (and wifi throttling is separate), so when I wanted to throttle a single computer connected to a non-Ubiquiti switch I discovered I could not. A feature that my old $60 router could easily do. So I had to purchase a Ubiquiti switch and replace my Netgear switch just to change the port egress and throttle a single computer. Thanks Ubiquiti! I love the consolidated dashboard but after 6 years of dealing with Ubiquiti's crap I don't think it is worth it. I ended up here because I assumed inter-VLAN routing was disabled by default like all other equipment I have set up.
@bryanmontgomery610 · 8 months ago
Hey everyone, maybe this was already answered but if not then I apologize. I just got my first UDM Pro and when I create a new network and then assign the new Wi-Fi SSID to the network I just created, my devices will connect to the IoT network for example, but they won't DHCP or get out to the internet. I have ATT fiber and have enabled passthrough and it's still not working. Any guidance would be greatly appreciated!
@Woodscape718 · 4 months ago
Great vid! Easy to follow and all made sense to me. One question, I tried adding a camera vlan and when I added the 'block' firewall rule you explained I can no longer access the cameras on my default network. I can only access them on the network/subnet I created for the cameras. My IoT vlan which I configured the same way is fine regarding access from my default network. Anything I'm missing or need to change? Something specific to reolink perhaps?
@notafbihoneypot8487 · 1 year ago
Is it possible to have my VMs on Proxmox use this on a single NIC on my server? I have a UDM Pro and their Layer 2 switch
@v-for-victory · 1 year ago
The logic behind Unifi GUI approach may be superior for WIFI configuration, but for VLAN and firewall issues it is sub-standard. You spend far too long agonising over how to expose a VLAN and individual hosts from that VLAN to other VLANs. If anyone here at Unifi sees this.... Guys finally improve this interface and above all describe it properly, just like the CLI.
@cmo_kky · 1 year ago
So my network setting screen is different from yours...(v 3.1.16) and the only option I have is to create a 'New Virtual Network', I do not have 'Create New Network'. Does that matter? Also have a section just under where you enter the VLAN ID called ISOLATION (there is a checkbox to select "Network"). When I hover over the info circle for Isolation (Network), it tells me, "your guest hotspot profile will automatically be applied to this Guest Network. Connected clients will be isolated from all other internal networks. The restrictions can be modified in your Guest Hotspot Profile". So my question is, do I need to check "Network"? I do not use a Guest Hotspot and to me, this checkbox should say Guest Network instead of Network. (btw, just under the circle i, it also references for more isolation options to check out Traffic Rules). Thanks
@doctorithelp · 6 months ago
I have IoT set up on a VLAN and have checked no communication to the standard network. I am confused over your setup, maybe it's outdated .... VLAN is tied to IoT
@plozex · 11 months ago
In my network, the UDM PRO does not change to Third Party Gateway. Why? My gateway is a FortiGate. I bought this UDM to manage UAPs
@huguesgauthier6067 · 2 months ago
Why did you enable Windows Firewall?
@j.b6991 · 11 months ago
Disallowing ping means blocking ICMP; what other protocols need to be blocked when a VLAN is being configured for better security?
@boomerrange689 · 1 year ago
I am a CCNA and you did a great job.
@NickMach007 · 1 year ago
Thanks. Very helpful. Definitely getting my head around all of this more and more. Appreciate your making this video. Cheers!
@EricWieber-mi9yj · 9 months ago
Hi Tim, I really enjoy your videos because you take your time to explain by providing details. I do have a question for you. It appears that somebody keeps hijacking my UniFi AP Pro and possibly my wifi access. How can I protect myself better? My controller is a DMSE but I am new to networking. Thank you.
@neeftgamer · 1 year ago
The only "Advanced" wifi setting for the IoT network for me is turning 5 GHz off. Most IoT devices don't work with 5 GHz or even work better on 2.4 GHz.
@notsrynot · 1 year ago
What about IoT communicating with your media server? I want my PowerEdge to be on a separate VLAN from my IoT but still want some of my IoT to communicate with TrueNAS for media
@ejbully · 1 year ago
I don't like that Python script running around in the wild that breaks VLAN security.... I'd rather seg the line physically f*** that and then use routing rules to give access to traverse...
@ryan.stutzman · 8 months ago
At 10:40 with the trunk port, you're mostly right. Ha. A trunk port does include traffic from multiple VLANs (or in this case all of them), but they're NOT untagged. They do in fact have their VLAN tags. This is how you can connect multiple switches together with both switches being able to communicate on all the VLANs.
@alienJIZ1990 · 1 year ago
VLANs are a must if you ever work from home. Imagine having your Work laptop on the same network as some data mining iot device from China. Absurd how common that is even amongst IT who should know better
@urmastertech · 1 year ago
Wow I haven't watched ItsMyNaturalColour in a long time. I'll have to look up his VLAN videos after this
@spartan5280 · 1 year ago
Do you know how to block IOT devices from accessing the udm console? Whenever I try to make a LAN local rule it shows up after the Accounting Defined Network rules so it doesn't seem to work.
@TurtleMatey · 1 year ago
Very informative video! What's the difference between your Default and Main networks?
@doolfarming6252 · 1 year ago
How do I configure a Plex server, cause I can't view my content on my viewing devices, or my computer can't see it.
@mccawley · 1 year ago
Is it possible to have Ui Protect on a different vlan? When I moved my cameras, protect couldn't see them anymore.
@xSBridge · 10 months ago
Is it possible to create a VLAN for my unifi protect cameras? I tried doing this but I cannot get the cameras detected inside of Protect.
@CliffordFullerton · 1 year ago
Thanks, that was helpful. But it stopped just as it was getting interesting. I set up an entertainment network, an IoT network and so on. But certain devices need to communicate across VLAN boundaries. For instance Home Assistant (now running in IoT) needs to access a few devices in other VLANs and vice versa. Hope to see a video on this. Thanks!
@kyrujames · 7 months ago
I would love a spreadsheet of your rule setup. I'm trying to run a similar setup. I got super hung up on trying to do inter vlan blocking without the established and related sessions rule at the top.
@OGParzoval · 1 year ago
I have not seen one, but I think people could benefit from a greenfield video. We have very similar setups and man going from 2 docker boxes, to tearing down my 4 server vmware cluster to building a 3 server harvester cluster has been a journey and now I'm at the "now what" point. The VMUG savings alone pays the power at least :) while I burn brain cycles trying to bone up on what I'm missing. In the homelab tour you talk about the three piholes and I was curious what you meant for the dns vip. What's running the VIP or did I miss that as a pihole feature?
@haiderhl4316 · 1 year ago
Hello, I work for an internet company and I have two ISPs of the Internet to source / and I need to isolate the Wi-Fi on the first ISP / WAN 1 of the Internet and isolate the second source (WAN 2) of the Internet for the Dream Machine only
@JBoy340a · 1 year ago
This is great!! I got a new UDM SE and some security cameras. You made this pretty easy. I want to clear up one issue for my setup. I assume devices in your IOT-Better VLAN can do bidirectional communication with external network and services with the rules you defined. Is that correct? If so, I think my situation is the same. I need my cameras to be able to connect to security operators that get contacted when the camera and their AI host software detect inappropriate activity. If that occurs the security operators come on interactively and starts querying the perps, and as required dispatching the police.
@dragonrider6875 · 1 year ago
THANK YOU for helping me get this setup! I needed it for PCI compliance. Thank you again!!!!
@PatriotsGunClub · 1 year ago
Great vid, Thanks, but I have a longer, more entailed question, can I send you an email question please ?
@jordanm2984 · 9 months ago
Aaaah shit... Welp, my Firewall rules page is completely different.
@MrRosentorp · 1 year ago
Would like to prevent end users from being able to connect switches to their network outlet. Only one device connected to a port shall be allowed to get connected to the network. Can this be done in a UniFi switch? Thanks!
@xaviervillalobos3958 · 10 months ago
This is awesome....period! I had no idea how to set my UniFi gear up. This video walked me thru step by step. I learned so much along the way. Again, this was top notch! Thank you man. :)
@danieltur-bes2036 · 1 year ago
I tried adding a unifi ac long range access point to my network. It shows up in my wifi but won't connect to it. Any ideas?
@uniXlyTV · 8 months ago
This video is fantastic. I have a controller and AP's and have been thinking about using a gateway but putting it off for ages. This covers pretty much all the questions I had.
@LanceMcGrew · 6 months ago
I made it through 22-minutes then all turned to confusion. "Do this but you could do this and that" always twists my brain into knots.
@badazz12r · 1 year ago
From your video, you have a mgmt default network and a main network that the rest of the home users are on (the main) in the video. So what network will you place Plex in?
@raykim5568 · 1 year ago
need a vid on how to block IOT devices from being able to ping the console/router
@pbear06 · 1 year ago
Hello, in which situation could it be useful to apply a rule on the OUT interface ?!?
@mattx3020 · 1 year ago
what about blocking your iot network from accessing your trusted network gateway, and blocking access to network console
@TwinTailTerror · 1 year ago
@Techno Tim another way is just to DHCP over the VLAN; I use OPNsense DHCP over VLAN and this will allow the firewall to stop traffic from talking to each other, much easier than the way you're doing it here, though it does work of course. PS love the channel =3
@qnxvr576 · 1 year ago
Did I miss a video on how the rings of the networks are numbered / used? Would be interested in a useful strategy if there's one to be shared.
@b.bimmer4688 · 6 months ago
Awesome tutorial that helped me BIGTIME, so thank you!
@derekribbons8308 · 10 months ago
Great info and explanation, liked and subbed, appreciate the hard work you put into these.
@shwagonvids 10 months ago
Any pointers on sharing a wireless printer across multiple VLANs setup using this process?
@Photoshopuzr a year ago
I have been having massive issues with my UDM. I don't know what the hell was going on, but I decided to create some VLANs to get some more control over whatever is going on. Changed all ports and added rules. Now things are working like they should. Big thanks for taking the time to go through how to set things up, much appreciated. For days my network was sometimes working off and on. This was a huge help. Thanks.
@abbcc555 3 months ago
Jesus, this is cumbersome.
@Roguedotexe a year ago
Would be nice to see how to create VLANs with OPNsense and Omada lol.
@Teeklin 10 months ago
For the life of me I just can't get this firewall rule to work. Even copying everything exactly step by step here. If the rule is enabled, I can suddenly no longer ping or SSH into anything on the IoT network or out. It's like it's blocking things both ways. Pause the rule and voila, suddenly it works, but it works both ways. Wonder if something has changed perhaps? Doesn't look like it.
@bsem68 9 months ago
This requires a rule to allow established and related. You can actually see them in his video as the first rules in Internet In and LAN In (check 23:22), but Tim never mentions it. Maybe he forgot about it when making this video because he has many other rules, and maybe was just using his existing production system that had this already. I just started using the UDM coming from pfSense so I am learning also, but I ran into this problem and had to figure it out... just add a rule in LAN In, name it something like "Allow Established and Related to any", Accept as Action, make sure "before predefined" is checked, and make sure source and destination are any, any. Advanced: Manual, check Match State Established and Related. Then drag it to the very top of all other rules. This makes it so the other VLAN talks back over established/related, i.e. pings or other requests from you etc. I also do this for IPsec, and you would place a similar rule in Internet In.
@ihasmax a year ago
Thank you for the video. Unfortunately, on Network 7.5.176 I can't seem to get this to work. I have my IoT device connected to a USW Flex Mini and set the port it's connected to to the IoT VLAN. I can ping the device just fine from the Default (main) network. But if I then create the same LAN In rule, I can't ping the device any more.
@Ret_af_vet_2019 8 months ago
Did you figure this out? I have a similar issue.
@zippi777 a year ago
Hi Tim, thanks as always for this awesome video, very important for a noob like me!