Part 2 | Ultimate Home Network 2021 | VLANs, Firewall Rules, and WiFi Networks for IoT UniFi 6.0

453,798 views

The Hook Up

Days ago

Comments: 609
@HectorAM89 26 days ago
Hi! Just for anyone who might find this useful: I was having problems with the NTP synchronization of my Shelly devices when setting up the rules. It was ultimately because clients may open other ports for querying NTP. Changing the rule to allow clients from any port to destination port 123 worked for me. An amazing video as always, it has helped me a lot to configure my home network
@Dreamtwister2k 3 years ago
This is the new standard video for Unifi setup in 2021. Very comprehensive and easy to understand. I thank you for the effort of putting it together. You have a killer setup!
@mitchellan-ebbott7408 1 month ago
Three years later, even through UniFi interface changes, this video remains the best starting point for a smart home UniFi setup.
@SnowShael 3 years ago
As a Network Security Engineer by trade for over 10 years, Kudos on the well done video and making it so accessible to the masses. Great job.
@Liv-Luna 2 years ago
Thanks! This video has been so helpful in helping me to clarify how to batten down the hatches on my smart home security. Much appreash, man - keep up the great work! I dabbled a bit with Unifi but have switched to TP-Link Omada, applying the principles you explained super clearly. Take care and stay safe!
@Nar1117 3 years ago
Your videos are seriously an unbelievably valuable resource. You understand the IT space completely, and you offer a level-headed approach to teaching the theories that are most important. I learned a ton and I can easily trust that you're breaking it down the right way. Thanks!
@TheHookUp 3 years ago
Thanks! That means a lot.
@LanceMcGrew 3 years ago
Just like my granddaughter - talking faster than I can think. Even so, yet another video for the reference library. Thank you for creating and sharing your knowledge.
@yourpalfranc 3 years ago
Well, Rob, you saved me again!! I got my 2 U-6-Lite APs installed yesterday, and things went basically pretty well. I defined my wireless network with pretty much default settings (using the classic UI), however I had 4 devices that would not connect. I'd watched this video before, and actually commented, but I'd really forgotten the details. So, my first source for help with the issue was Unifi, and frankly, these days, that's just a waste of time. They finally sent me an email today asking for screen shots of stuff they couldn't explain to me yesterday. They're a mess, and they can't even decide on which UI they're going to support. The last encounter I had with them a few weeks ago, the tech had me switch to the classic UI, so that's what I've been using. So, after getting some help from the Unifi community forum yesterday, and some ideas from the problem device vendors' forums (it was a Wyze Cam, a Logitech Harmony Hub, and a couple of old TrendNet cameras that wouldn't connect), I thought I'd take a look at your video again, and BAM!!! It was only a matter of setting the security level to WPA-2 (I had it WPA-2/WPA-3) and disabling PMF (default was optional). Now, it's working like a beast!! So, I'll enjoy my new network for the weekend, maybe give some friendly names to devices, and then Monday tackle the granular definition of IoT/NoT, and VLANS. As I mentioned in my earlier comment, I've mimicked your network infrastructure very closely and I have a lot of the same smart home gadgets as well as Home Assistant. I guess you can call me one of your biggest fans!! Thanks again for the help!! ~Frank
@matthewcastrigno6138 1 year ago
First and foremost, you are a great teacher. The balance between concepts and details that are packed into this video shows that teaching is an art and that you are a very talented artist. Thank you for your work.
2 years ago
Just ordered the new Dream Router and was looking on how to move to the next level with all my IoT devices. With your video, I found all I wanted to know, VLAN, Unifi, Firewalls, Home Assistant, Chromecast, ... . Thank you very much!
@SCOOkumar 2 years ago
omg I cannot tell you how useful this video was, THANK YOU SO MUCH FOR MAKING THIS VIDEO!!! I was having problems with my harmony hub on my IoT network but I was able to figure out the firewall rule I needed from this video. seriously man I cannot thank you enough
@jorgeferreira2009 1 year ago
From someone not using Ubiquiti hardware, and so far behind in time, your videos are still a great source of knowledge. Thanks a lot and keep up the great work.
@TheTF01 3 years ago
By far the best walk through and explanation of the unifi system I’ve seen to date, and I’ve seen the vast majority.
@FabianoChagas 2 years ago
Seriously, this is one of many of your videos that should be part of the official unifi documentation. I always learn a lot from your videos. Thanks for sharing ✌️
@AdrianAmoroso 3 years ago
I started this video thinking "Oh, I've done a lot of this myself" and ended with "Hmm, I've learnt so much and done a lot wrong" :).
@mdaryabe 1 year ago
Is there any hope for an updated version of this tutorial? It would be amazing if you get to do one!
@pashadavidson6808 3 years ago
I absolutely HATE that echo/show devices will join networks that they have been told to forget. But, I love your solution! I set up my Unifi rig and firewall rules based on your first series, and I'm still learning from your new series. Thank you so much for making these videos.
@PawluCachia 2 years ago
Can this guide still be followed with the release of Unifi Network 7.0, or can you make an updated video showing the core changes between the two Unifi Controller versions?
@polzovotel 3 years ago
Great video, thank you. A couple of questions:
1. As you did not use the guest network for echo devices, there is no reason they will not be able to communicate locally - i.e. you used LAN network option, meaning that all devices in the same VLAN will be able to intercommunicate on all ports. (firewall is not involved in this case, communication done on switch level)
2. I do not see any reason to create an NTP rule - most devices will use TCP to contact the NTP server and will get an answer. Please, correct me if I am wrong.
One more thing - I do suggest having an IoT isolated (guest) network for cloud devices that do not need to communicate with each other. And if you use Ethernet IOT make sure you turn on L2 port isolation. I personally like the idea to have your main WLAN (LAN network), then IOT (LAN network), and IOT isolated (guest network). This way you put all Chromecast, echo, printers etc. in IoT, everything else that you do not need to access directly from other WLANs you put in IOT isolated network. Devices in this IOT isolated can not see each other, can not reply to any network request from any other WLANs, and can only connect to the internet (cloud service only). As we have more and more devices (oven, smart switch, outlets, etc) that we have no idea what security protection they have, it may be a good idea to completely isolate them.
@smallqwaro 1 year ago
I was wondering how he missed this
@TexSweden 3 years ago
Finally someone explains all the Unifi settings! =) thank you Rob!
@michaelc3882 3 years ago
Rob, Thanks for the video. These have been great and very helpful. The one thing I am struggling with is finding a step by step setup for accessing Sonos across VLANs once the firewall is setup. Can you help with understanding a step by Step review of firewall rules? There are multiple posts via a search but have not been successful in making them work. Is this something even possible or should I just give up and access Sonos on the same VLAN?
@dime124 2 years ago
Implemented the Plex and chromecast rule sets you mentioned in here then blocked vlan coms completely. Currently watching robocop via Plex on my smart tv which is isolated on a guest network. The firewall rules actually work. Thank you. What an excellent guide. I'll go watch vid 3 now :)
@EsotericArctos 2 years ago
I was rewatching this now as I was redoing my network, and now I have Unifi equipment thought I'd give it a try. Some settings have moved, but most of this is still relevant. Just as a note to anyone watching this. Each AP or AP Group can only have 4 SSID's per radio, so if you have IoT, NoT, Main and Guest setup, that is your limit of 4 SSID's on a particular AP. I know Rob mentioned that quickly, but it is an easy one to miss
@MacroAggressor 1 year ago
Out of curiosity, do you know if each SSID occupies a radio full-time, or if, say, NoT and Guest don't have any connections the radios are free to be divvied up between Main and IoT as needed? (apologies if this doesn't make sense, hardware level stuff is a little out of my AO)
@Tyrun101 2 years ago
Thanks!
@JorgeRui 10 days ago
5 🌟 tutorial. If you have the time and interest, you should update this tutorial with the new UniFi network options, like zones firewall rules
@jimturpin 3 years ago
Thank you for taking the time to make your video series. As you mentioned, it is difficult to find information on many of the functions within the Unifi system, so your videos are somewhat like a video manual that I can go by to set up my own network. I hope Ubiquiti shows you some love and sends you a pile of money for taking care of one of their biggest oversights when it comes to their products!
@sefvanbilsen8158 3 years ago
Thanks for the informative videos. Small tip for users of BLUESOUND audio. I use Bluesound speakers with multiroom capabilities and it took some time to build in the right port access in the firewall rules. I gave them a static IP address in my IoT VLAN. They need TCP communication on port 443 and 5353 to become visible as a streaming speaker for your laptop/phone in your MAIN VLAN. So I created a LAN IN rule for the group of static IP addresses of the speakers and a source group port 443/5353. They work fine now.
@Funkmaster007 3 years ago
I've literally just upgraded my home network to the UDM Pro, US-24-PoE, US-8-POE, 3x G3 Camera, 2x NANO HD .... I am so glad I found this video series, going to be spending a few weekends tinkering, that's for sure! Awesome video, very helpful!
@SeaTaj 1 year ago
If I would have watched this video first, I would have saved myself half a head of a hair. THANK YOU SO MUCH! IGMP was messing up my ESPhome configuration.
@1997cenafan 2 years ago
That's exactly the tutorial I needed! There's however one thing that wasn't mentioned here - the printers setup - is it better to put them in the same main VLAN, and maybe block its outbound traffic, or to place it in the NoT VLAN, separating it completely from the internet? Thanks!
@javoobal 3 years ago
the IGMP explanation was very nice, and specially useful because you broke down the possible scenarios. thanks a IoT!
@PaulSlootman 3 years ago
Rob says that IGMP snooping occurs across VLANs, which I have never heard of. All literature I'm familiar with states that the snooping is per VLAN and what happens with respect to IGMP on one VLAN doesn't affect other VLANs.
@Geek_Chef 3 years ago
Rob....this is bar none....one of the best networking setup video series that is understandable by humans....regardless of Unifi or not. Excellent work friend!
@jeff.fredrickson 3 years ago
Thanks for doing this walkthrough! What do you think of using 192.168.0.0/16 when creating the "All Local Networks" group instead of specifying each individual /24 subnet?
@georgewilliams8228 3 years ago
First, after finally purchasing a home and starting my smart home journey your content has been immensely informative and entertaining, thank you. Second, I would fit firmly in the pfSense category of part 1 of this series but, I also have extremely limited experience with Unifi hardware. I don’t know what Ubiquiti is hiding behind the IGMP snooping switch but your explanation of IGMP snooping @11:00 does not fit with Cisco, HP, etc. IGMP snooping is a switch feature and is used to limit the scope of multicast traffic in a layer 2 network, aka ethernet in this example. Snooping spies on the conversation the source/multicast router and interested party are having over IGMP. It uses that information to limit the delivery of frames to only the ports that have interested parties. Without snooping multicast traffic gets treated as broadcast traffic and is sent out all ports except the one it was received from. When enabling snooping in your vlans you are also probably setting a feature of how to handle ‘unknown groups/addresses.’ I expect Ubiquiti’s default is to drop them and that is why it is causing issues.
@PaulSlootman 3 years ago
Exactly this is what I was thinking while watching the video
@ourholm 3 years ago
Finally a video on setup of UDM Pro that is very well explained, including not just the how but also the why. I'd love to see additional video from you on setup for the Apple eco system as mentioned by someone else below. I have Apple TV and want to limit who can access but not cripple its capabilities. Also have Ring devices and would love to know how to setup for them without crippling their feature set.
@rcobsesssed 3 years ago
Thank you so much for this! PLEASE consider doing a SONOS specific video. :-)
@nodave77 3 years ago
thanks for doing all the hard work for the rest of us! These videos are extremely helpful to me, can't wait for the next one.
@DeliberateGeek 3 years ago
Excellent overall coverage. I have some very similar rules on my own UDM setup. There's one suggestion to simplify things that I might suggest. If I recall my OSI layers correctly and am not mistaken about how things work, INTRA-VLAN communication occurs at layer 2, so firewall rules aren't going to stop two devices on the same VLAN from communicating with each other. Correct me if I'm wrong, but I think I'm right here. As a result, instead of separate rules to drop traffic from specific VLANs to other VLANs, I have a single catch-all inter-VLAN traffic drop rule.
1. I create a group that contains all RFC1918 private IP address ranges. This RFC defines a series of subnets that are meant to only be used in private LANs, vs the public Internet. If you create the group covering this list, then any additional VLANs and their corresponding subnets will be covered by this rule without having to edit it later. Those subnets are: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If you always plan to use just one of those subnet schemes (192.168.0.0/16 being the most common for home networks), then you could just add the one to that group. I called the group RFC1918PrivateAddresses, but whatever works for you.
2. Create a rule on the LAN IN interface that drops all traffic from the RFC1918PrivateAddresses group to the RFC1918PrivateAddresses group. I called that rule Drop inter-VLAN traffic. As you did in your video, I would get my ALLOW rules in place first, then add this rule last. The first time I set this up, I even started off with this rule disabled to make sure it was positioned at the bottom of the list before enabling it.
Traffic between devices on the same VLAN won't be stopped by this rule, as I mentioned at the top, because that traffic never really hits them due to being on the same VLAN and using layer 2 functionality to get the packet to the other device. Again, if I'm mistaken here, please correct me and point me to info to correct my knowledge.
This is working for me, but I don't have an identical setup and don't have NoT devices as you do, so if I have this wrong, then I may simply not be running into the same issues you would given my devices.
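The ordering and scope of the catch-all rule described in the comment above can be checked with a small first-match model. This is an added example, not code from the commenter, the video or UniFi; the subnets, addresses, rule names, the stateless matching and the default-accept fallthrough are assumptions made for the illustration.

```python
"""First-match model of a LAN IN ruleset ending in one RFC1918 catch-all drop.
Subnets, addresses and rule names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = tuple(ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed VLAN layout (an assumption, not taken from the video).
VLANS = {
    "main": ip_network("192.168.1.0/24"),
    "iot": ip_network("192.168.20.0/24"),
}
NTP_SERVER = (ip_network("192.168.1.10/32"),)  # hypothetical local NTP host


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: tuple                      # source networks
    dst: tuple                      # destination networks
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches any destination port


ALLOW = [
    Rule("Allow main to all local", "accept", (VLANS["main"],), RFC1918),
    # Destination port only; the source port is left unrestricted.
    Rule("Allow NTP to local server", "accept", RFC1918, NTP_SERVER, "udp", 123),
]
DROP = Rule("Drop inter-VLAN traffic", "drop", RFC1918, RFC1918)

GOOD = ALLOW + [DROP]   # allow rules first, catch-all last
BAD = [DROP] + ALLOW    # catch-all first: every allow rule is dead


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst, proto="tcp", dst_port=0, default="accept"):
    """Return (verdict, rule name) for one new connection.

    Stateless: the established/related rule a real ruleset needs for
    reply traffic is left out. `default` is an assumption of this model.
    """
    s, d = ip_address(src), ip_address(dst)
    # Same subnet: frames are switched at layer 2 and never reach the router.
    if any(s in n and d in n for n in VLANS.values()):
        return ("switched", None)
    for r in rules:
        if not (_in_any(s, r.src) and _in_any(d, r.dst)):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return (r.action, r.name)
    return (default, None)


def _covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    nets = (all(any(n.subnet_of(m) for m in a.src) for n in b.src)
            and all(any(n.subnet_of(m) for m in a.dst) for n in b.dst))
    proto = a.proto == "any" or a.proto == b.proto
    port = a.dst_port is None or a.dst_port == b.dst_port
    return nets and proto and port


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b.name for i, b in enumerate(rules)
            if any(_covers(a, b) for a in rules[:i])]


if __name__ == "__main__":
    cases = [
        ("192.168.20.5", "192.168.1.50", "tcp", 445),   # IoT -> main
        ("192.168.20.5", "192.168.1.10", "udp", 123),   # IoT -> NTP server
        ("192.168.20.5", "192.168.20.6", "tcp", 80),    # IoT -> IoT
        ("10.10.40.7", "192.168.1.50", "tcp", 22),      # subnet added later
        ("192.168.20.5", "1.1.1.1", "tcp", 443),        # IoT -> internet
    ]
    for c in cases:
        print(c, "->", evaluate(GOOD, *c))
    print("dead rules when the drop is first:", shadowed(BAD))
```

The "switched" verdict marks traffic the ruleset never sees, and `shadowed` flags the misordering that starting with the drop rule disabled is meant to avoid.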
@PaulSlootman 3 years ago
I was wondering this myself. You can't stop clients on the same wifi talking to each other by setting up a firewall rule; that traffic probably won't even be seen by the firewall (they can probably even talk to each other if the firewall is disconnected). AP isolation is the only solution then.
@DeliberateGeek 3 years ago
@@PaulSlootman Again, correct me if I'm mistaken. AP isolation will only prevent wireless clients from directly communicating with other wireless clients. Which is a significant benefit on its own. It won't stop the client from communicating with anything else on that same subnet. Depending on the level of subnet isolation you have, that may well be quite sufficient.
@PaulSlootman 3 years ago
@@DeliberateGeek Yes, true; but you will typically want to use AP isolation on a guest VLAN, which shouldn't see too many directly-connected clients, usually only WIFI clients.
@aldarion2222 3 years ago
The quality of this tutorial is outstanding! So many useful tips and explanations. It should be pinned on any Unifi / networking / homelab subreddits and forums.
@robertjackson771 3 years ago
As always Thank you. The hard part is knowing that I should do this but also knowing how hard some of my devices were to connect to WiFi originally. I have a lot of devices that I would have to change around.
@teemup9247 3 years ago
I am so glad I found your channel like a month ago. And as I said in the first part. It is good that someone finally addresses secure home network, especially with smarthome tech in the network. Keep it up!!
@ve3xti 3 years ago
Perfect timing! I just installed my UDM-Pro yesterday and it didn’t take my old config file as the old controller was a newer version. Used your tutorial in the past and was happy with the setup. Can’t wait to dive in today. Thanks for your efforts!
@ragrerules 3 years ago
Oh perfect, I was waiting for this video! Just ordered my Unifi gear and was hoping you'd release this before it all got here!
@Disksoft 3 years ago
Your IGMP explanation was very nice, my Sonos is finally working in years across vlans!
@Sergetkint 3 years ago
Could you explain how you managed this? I want my Sonos also on the IoT. What ports (UDP/TCP) are needed? What firewall rules ? Is it working for mobile devices over WiFi? Is it working with Sonofy?
@wizardtm2 3 years ago
I'm struggling also to get my Sonos working correctly on a separate IOT vlan 😳 please share how you did this 🙏🏻
@vor_ben 2 years ago
@@Sergetkint Do you now have a solution?
@Sergetkint 2 years ago
Well I guess I have an idea how to fix it. I will use HomeAssistant where all these combine. Then with NodeRed or other let them interact. Hope to have some time next weeks...
@hickory499 3 years ago
Thank you for taking the time to create this video series! It's a must for those just setting up the dream machine!
@Jeppefyn 3 years ago
Just got my delivery after watching your 2021 video last week and looking forward to setup my unifi network. Keep up the great work :)
@evlnte 3 years ago
I got stuck at the first step of categorizing everything into those 4 buckets (IoT, NoT, Mix, Untrust)! Is there a list or resource on the net that you can point to to help categorize my 50+ devices? I've got multiple brands of Wifi Cams, Work/Personal Laptops, Nests/Echos/HomePods, Smart TVs, Wifi Thermostats, Game systems, Wired Automation hubs, AV Receivers for Airplay, Phones/watches/tablets. Is there something in the Unifi Controller that shows the ports being used by my devices right now?
@chefkocher1 3 years ago
I was eagerly waiting for this video! Going to move to a new house in a few months and I will be using this series and the 2019 tutorial to setup my network.
@brandtbealx 3 years ago
Wow! THANK YOU. these three videos should come with the UniFi device from the factory!!!!!!!
@jimturpin 3 years ago
Update. Took your advice and set up a network for the IoT stuff as you suggested. I have 3 AP's total, one in the house, one in the garage, and one in the shop in the backyard. I had a LOT of issues with fixed devices bouncing back and forth from AP to AP, and generally just weird stuff happen as a result. By adopting the IoT scheme with the SSID's IoT-House, IoT-Garage, and IoT-Shop, I locked down those pesky roamers to the most dominant AP for each IoT device and the system seems to be working very well as a result. Still too early to know for sure but based on the logfile the last couple of days, I have a strong sense your method is the way to go!
@TheHookUp 3 years ago
Great to hear Jim!
@rreboto 3 years ago
Nice post! In the video you mention firewall rules not working with Device Isolation. After a bunch of experimentation I finally discovered that rules for networks with Device Isolation enabled need to be defined as GUEST rules. If you want to be really sure your rules are applied first, set them as "Before" rules and you can fully control traffic on device isolated networks. Also, I'm not 100% sure, but I have noticed behavior where your "Echo to Echo" example will leak if you don't enable Device Isolation. That's because without isolation, packets can take shortcuts on the switch (which touches on your comment about all that video traffic not having to go through the router), so they don't go through the firewall rules.
@RealVanThomas 3 years ago
this
@kingrpriddick 1 year ago
Device isolation comes from the old wifi guest network industry standard and at least used to be invisible dynamic VLANs automatically assigned to every client that connects. Because it was easy to code, very reliable/secure, super fast. If you assume every enterprise AP was already going to be smart switch jacked into a radio it makes sense.
@yelbirdo 3 years ago
Really helpful video. 1 thing I don't get though: At 29:35, you create a firewall "accept" rule "echo to echo", but all echo devices are on the IoT network, so they can talk to each other anyway? Traffic within that vlan is handled at layer 2, so doesn't pass the router as far as my understanding goes. I didn't see any part where you would have blocked that, but I am interested to know how you would recommend blocking devices to talk to each other on the same VLAN since I agree with your reasoning to keep "Device isolation" turned off.
@BitfulByte 3 years ago
Thanks to your comment, I now understood why my IoT to local drop rule was NOT preventing me from pinging one IoT device from another. It only prevents me from connecting other devices outside the IoT vlan. I would also love to learn how to block this device 2 device within the same vlan.
@fretbuzzly 2 years ago
One small tip to help manage things is when you set a device with a static IP, prefix the device name with an underscore to denote that it has a static IP, such as _SomeIoTDevice. Also, remember that devices, like Echos and Google stuff scan your network to detect devices on the network. So if you hook up an Echo, that Echo will report back to Amazon everything that it can see on your network. To help avoid this, when possible create separate VLANs to segregate manufacturer devices. For example, I have a VLAN just for Google devices (anything that uses an Android OS). Perhaps a bit overkill, but that's why we're here, isn't it? 😀
@jrfjosh 1 year ago
Anyone know of a good resource for setting up rules to allow apple airplay and AirPrint?
@mrsmith623 3 years ago
The timing for this video could not better! Next week I’m moving and have to setup my DMP. Great walkthrough as always. Thanks!
@JohnDoe-yo2us 3 years ago
Great Video Thanks! Hope that one of the viewers has an recommendation for SONOS.
@danphilpott6302 2 years ago
Another awesome video! Jam packed with information I have been looking for but not found until I found your channel!
@pablolucena4336 3 years ago
Very detailed, thank you. One point I don't think is getting much attention is the non Ethernet / TCP/IP radios most of these IoT devices have. Bluetooth and BLE are some, but there's several others. The scary part is that any such "traffic" that say a guests iphone, or someone walking outside the house with a device with a compatible radio engages in communication with ones internal devices via these "side channels" that completely bypass our traditional networks. On any device I get, Unifi gear, laptops, desktops, etc - I always disable the BLE radio. Nothing stops working...something bugs me about having all my switches, my controller, and my access points having a BLE radio that if it's being used I'd have no way to tell. It wouldn't surprise me to find down the road that this has been going on for a while. In the meantime, I'd suggest checking out a cheap SDR device which would allow one to scan the RF for any chatter outside of the expected wifi ranges.
@Streetwiz2009 3 years ago
Rob, as always you are my go to channel if I want a detailed yet easy to follow video on a topic.. although I do have to press pause while I go look at my version to compare.. Keep up the good work. Found the "new clients" view annoying too as I like to also see which ap's have which devices attached. Thanks
@janpoulsen498 3 years ago
I think this video is understood primarily by network engineers. Having been one for more than 20 years, I really had to focus to follow. IGMP is such an advanced topic, I don't understand why you address it. And don't pick a vlan number above 255, if you want your IP numbering to comply 🙂
@greglions9690 3 years ago
Great video Rob - With respect to the cameras on the LAN network and the bandwidth/cpu issue, why not just put the NVR ( BlueIris ) on the Cameras network. being a windows machine, you could just give the BI machine a second IP address ( camera network ) and tag the switch port with both the lan and camera network vlan's so ( or add a second nic).
@TheHookUp 3 years ago
Double nic is a good solution and one that I’ve been meaning to test out, just haven’t gotten around to it yet.
1 year ago
Rob, you are the best! thank you so much for these. can we get an updated version of this video
@mice3d 3 years ago
Thanks for the update, I'm still wondering what rule to add to my wireless printer, it's a strange thing as print to its via phone and computer. Also can't wait for VPN, I installed WireGuard and duck dns but think it gets blocked somehow even though I port forwarded. Can't wait!
@timezonewall 3 years ago
A better solution for Cameras is to add a second NIC to the server for the Camera subnet, that solves the security problem while keeping camera streaming traffic off the router. This level of separation could be done with a single NIC listening to both the production and camera VLANs, providing the server is VLAN aware and handles it correctly. I chose to use a separate NIC as I had an Intel card with 4 x 1Gbps ports which gives me better performance than the motherboard NIC, and it's easy to implement.
@kevinleidecker5746 3 years ago
I bought a dream machine pro a week ago. I love it! This video has been AMAZING in helping learn what the features of my dream machine pro actually can do and best practices in setting it up! Thank you so much for this content!
@voord099 3 years ago
Hey, great channel and great vid. I'm finally gonna start on improving my network security. I was just wondering, what do you do with device updates for your NoT devices...
@try-that 3 years ago
Excellent video, one of the best I've seen regarding networking. It's a pity you don't use pfsense though, because something like this is needed, I know there are lots of pfsense videos, but they aren't quite so detailed or explained in such an easy way. Looking forward to the next part.
@Mark_The_Mayven 3 years ago
That’s a pretty good scorch mark on your neutral wire-At the lug.. Check into it as it shouldn’t be there..
@TheHookUp 3 years ago
What part of the video are you talking about? Edit: oh, that’s dielectric grease, not a scorch.
@Mark_The_Mayven 3 years ago
@@TheHookUp I was getting ready to inject the time when I noticed you had already replied. Now that I look at it really close it makes sense.👍 Did you ever do a part 3?
@BrianColeman1 3 years ago
Man.... wow. As someone that just joined the unifi ecosystem, this is amazing.
@aceliacle6398 3 years ago
How do you find which ports are specific to chromecast or whatever you’re using? I have a FireTV and Fire sticks. I also have a Lutron hub and a Philips Hue hub. I have both HA and Hubitat also. How would I make rules for these hubs?
@taylordanetriplett 2 months ago
Super helpful video as always! Are you also putting your NVR(Blue Iris PC) and HA computer on your untagged VLAN or on your NoT Vlan?
@RyanMathewsonR 3 years ago
Thanks for this amazing video! Any chance you could update it for the new UI (v6.5.55+)? The rules section seems very different now.
@PatDoyle 2 years ago
Great video series Rob!
@lossless4129 3 years ago
yessss! Absolutely loving my udm pro and and unifi system as a whole, your video 2 years ago convinced me to dive into the unifi ecosystem and I am so happy I did! Thank you for doing an update!!
@nigelduncan9968 3 years ago
Thanks, Rob, as always brilliant. A little stuck on IPv6 set up for firewall rules and IoT access etc. but a huge thank you. Can't wait for more. Also to remind everyone of the security issues for the Ubiquiti breach and remind everyone to change passwords, set local access only and force 2fa (if already having 2fa to reinstigate it afresh). Thanks.
@patrickjoseph3412 2 years ago
One thing you forgot was blocking the Vlans from the gateway interfaces and UDM/USG access. Gateways access rule: Firewall rule in "Local lan" Rule "block IOT to GAteway" Rule: Drop, all Source: Network Iot, Destination: address/Port Group "block iot to gateways" in groups add all Vlan gateway address on the network "Not the Source gateway". Block vlans to UDM/USG access. If you block the gateway itself on the Vlan you won't have internet access so you need to block the ports the UDM/USG uses. Local LAN/ Block IOT to USG/UDM Access ports. Rule: "DROP/all" Source: Network- IOT, Destination: address/Port Group "USG Access Ports" In this Group add ports 80,443,22. This will block accessing gateways and udm access
@pavolholes 3 years ago
Thanks a lot Rob! I was waiting for this new 2021 series. I’m looking forward for part three. I learned a lot, thanks so much for explaining all that acronyms used in the Advanced settings.
@yourpalfranc 3 years ago
OUTSTANDING video, Rob!! My UDP came yesterday, so I have a lot to unpack and configure!! My infrastructure is very similar to yours, except that I currently have some Sonos devices. I'll probably be getting rid of them, but I'll need to support them for a while longer. Again, you've really done a nice job. ~Frank
@MrMichaeldwatson 2 years ago
Did you get rid of your Sonos stuff? I’m a huge fan of my Sonos great and setting my UDMP up now. Curious how well they work together?
@jig1056 3 years ago
I can’t say that I understand everything you’re talking about but this is a great video for learning and exposure to please security related topics. Thanks for doing this I will have to watch it a few times but this is awesome.
@Geepstar 3 years ago
You have helped me a lot to understand things better, so thanks a lot. But I must have missed one thing. What is the benefit of the VLANS and the extra WIFI networks? Why not set rules for grouped devices (ip's) instead?
@TonyDiCostanzo 3 years ago
For gamers that have multiple consoles (Xbox, PS5’s and even gaming PC’s), UPNP is generally the most recommended way to create an Open NAT which makes joining games faster and games to perform better. Can you dive into this issue and the UDM pro’s settings as there are millions of gamers that would find the recommendations helpful.
@KrispKiwi 6 months ago
One thing with Tuya devices, make sure you reconnect them after you block the NoT network. Otherwise they get sticky and are still controllable by the internet somehow. Just experienced it where even after applying the firewall rules, I could still control them even on mobile data. They were also still showing as online in the tuya developer console. Pressed the reconnect button in Unifi for all and now they've dropped to offline as they should be.
@EduardWichner 1 year ago
Thanks a lot for this video. I've just configured my DMP with your help. Your work is much appreciated. Can you help a bit with "Drop all other camera traffic" - what FW rule you've setup there? Thanks again!
@apt8012 11 months ago
I love the tutorial, but it leaves me wondering: Do I also need to copy these IPv4 rules under IPv6? What if they are not exactly the same? Can I disable IPv6?
@photonx3075 3 years ago
Great lesson. You mentioned you use PLEX. Do you record from HDHomeRun tuners? If so, do these devices need special rules? My research leads me to believe these tuners have to be on the same VLAN as any devices that use them.
@ademirpizzolato2858 3 years ago
Congrats... Best video I've watched so far related to this subject!
@mattscomp 3 years ago
Awesome video! Have just setup a Dream Machine and this is very helpful in understanding what devices belong in my various VLAN's
@ngreed 3 years ago
Great content! Thanks for taking the time to explain all the options thoroughly, and not rushing to try and keep the video short.
@Gino_567 2 years ago
Thanks for the video Rob. This was really useful. I'm learning Networking as a hobby so love that you've made this easy for us noobs. Just wish you had a discord where I could ask questions in real time!
@BcsDaBomb 3 years ago
If you are seeing an issue on your IoT network with devices like Ecobees try turning off Multicast Enhancement. I played around for hours thinking that it was my firewall rules and I finally noticed it was the only network that had this enabled. Turning it off did the trick.
@ThePreacherProclaims 3 years ago
Installing my UDM pro today and walking through these videos. Thanks for putting them together.
@joedemaio7025 1 year ago
This is so good, that I feel guilty for not paying for the info! Thank you!
@Claudiu. 3 years ago
Excellent source of information. Well written and presented, with great information for intermediate users (which I assume is the target, considering it's for UniFi fans). I went with a pfSense build in my house with UniFi gear (2 AP6 LR and 4 USW-flex switches), with the controller hosted on the now retired HA Raspberry Pi. The firewall rules are excellent to have as the starting reference and can't wait to see the next one for port management and VPN. Thank you!
@lostemoman 1 year ago
Is this the video to watch to start my own wifi business to sell wifi service to others? Please give reference to other videos if it isn't...
@SimonDeLoose 11 months ago
Hi, I love your video. For a beginner like me it's easy to understand. Only now we are in 2024, would you change anything? Any plans for an updated version of this series? :)
@jacqueszeeman4062 3 years ago
Yet another Awesome video Rob - thx
@JohnyKnox 3 years ago
It's crazy how much of this interface has changed in 4 months.. Creating a new network has so many more options now.
@JacksonCampbell 1 year ago
Most APs can broadcast 8 SSIDs now. I would make a single IoT network instead of all the different ones for different locations and lock devices to particular APs. That way you decide what is the closest AP.
@stiibunyozomita3536 3 years ago
Although I have my UniFi gear now for two years, I still learned some new things here, so thanks for that Rob. Looking forward to check out the next part.
@shibudaniel6050 3 years ago
Thank you for this detailed, yet easy to understand explanation. Definitely eager to see more Unifi tips and tricks..