Ubiquiti UniFi - Firewall Rule Vs. IP ACL Rule
Рет қаралды 1,103
Күн бұрын
@Greg.M 3 ай бұрын
As always, you've made a fantastic video. Thank you!
@MrComonroots99 2 ай бұрын
Another great video. Question for you...Have you been able to disable Ubiquity device discovery 10001 from constantly pinging the network?
@hz777 2 ай бұрын
I don't use Ubiquiti Device Discovery. Do you have UniFi network controller self hosted? I know it may use port 10001. If a packet is sent for a legitimate reason, I would not block it. If there are packets you are not sure where they came from, you may want to spend time to eliminate the source.
@MrComonroots99 2 ай бұрын
@@hz777 The issue is running a LAN scan and Ubiquity Device Discovery Service seems to publish all the Gateway IP's even though VLAN access blocks gateway crosstraffic. 🤔
@hz777 2 ай бұрын
I have not encountered such a thing so I don't know... In your case, were the packets from gateway's default network IP address to other VLANs? If so that's strange...
@MrComonroots99 2 ай бұрын
@@hz777 i will have to investigate further. The android app "ping tools" aggressively scans the network and it can find more than nmap. Thanks for the insight
@SY1337 4 ай бұрын
Will you review the new Enterprise Fortress Gateway or UXG-Enterprise?
@hz777 4 ай бұрын
No, I cannot afford either of them.
@SY1337 4 ай бұрын
ok, that's completely understandable. I really like your videos and you're one of the few youtubers out there, who doesn't get sponsored by Ubiquiti and actually points out the downsides of their products. Your honest reviews are incredibly helpful when deciding which products to purchase 👍
@ryanbuster4626 Ай бұрын
Do IPV4 rules only apply or allow creation with networks that have the switch set as router - or can you apply an ACL IPV4 rule to 2 networks that are "created" on the firewall, have the unifi gateway set as router....meaning inter-vlan traffic between the two is sent to the UDM. I want to intercept this with some ACL allow rules. For instance, I want to create and separate all VLANS via the UDM but then use ACL IPV4 ACL rules to "ALLOW" traffic between 10GB clients on different vlans to avoid the UDM lousy inter-vlan throughput. I have 10GB servers and 10GB clients that must stay in separate vlans but I want their traffic to each other to remain at the switch level to saturate that 10GB link. ACL allow rules was my idea on how to achieve this. Would this work as ACL takes precedence over FW rule when the devices are connected to L3 switch? Or will it ignore ACL rule because the networks have UDM set as gateway? Alternatively I could create all VLANS on the switch, use ACL isolation rules or ACL block IPV4 rules to separate them and then all traffic is passed at line speed/switch level. I feel I may be missing out on some needed future firewalls rules if I do it this way.
@hz777 Ай бұрын
IP ACL applies to "normal" VLANs as well. I believe I had already explained the difference between IP ACL and firewall rules in this video. Regarding your question about whether ip acl rule and firewall rule can co-exist, the answer is yes, because technically they are implemented in totally different ways so have nothing to do with each other. However, because ip acl is in switch, it will be executed "earlier" than firewall rule in router, so you may need to look into the whole process to understand whether they conflict and override each other.
@ryanbuster4626 Ай бұрын
@@hz777 Interesting as I received the opposite answer from ChatGpt: ACLs will not work to intercept inter-VLAN traffic routed by the UDM. If the UDM is set as the gateway, it dictates inter-VLAN routing, and traffic must pass through it. This implies IP ACL will have no effect with "normal" or switch facing VLANS. Have you tested this by any chance?
@hz777 Ай бұрын
Have you watched this particular video you are commenting on?
@ryanbuster4626 Ай бұрын
@@hz777 Yes perhaps I'm confused. In this video to answer my question we would need to create IPV4 ACL rule with VLAN 10 and VLAN 30. Those networks are firewall isolated so they certainly have the Unifi gateway set as router in the network pane. In this scenario would IP ACL work since these networks are firewall controlled but connected to same L3 switch? Forgive me if I am not following but I would like to see if IP ACL rule could be applied to vlan 10 and 30. The only examples I saw were with vlan 20 and 40, both of which I assume have the switch set as router. Lol I have watched a bunch of your videos past 2 days. I hope I am not making it more confusing for you.
@hz777 Ай бұрын
The video was several months old, so I cannot remember all the details. Maybe I did not show the network configuration, so caused the confusion from your side believing two of the vlans were managed by L3 switch. No, ALL the vlans in the video were managed by gateway. This video has nothing to do with L3 switch.
@barat7867 3 ай бұрын
You've tested the ping. But will there be a difference if there'll be a 10Gbit Server on VLAN10 and 10Gbit Client on VLAN20 and we'll try the iperf3 to test the speed? I think that Firewall rules will be dependent on the router CPU (and the speed will be limited), but ACL rules will perform better, because L3 communication will be handled in the switch. Or am I wrong?
@hz777 3 ай бұрын
Theoretically ACL will still be faster, but the larger the packet (like in iperf3), the less significant the difference will be.
@barat7867 3 ай бұрын
@@hz777 so L3 on switch may still be worse than putting the NAS inside same VLAN than my PCs (trusted devices)? So then the only benefit (for me) it'll be that if UDM PRO will be turned off (any reason) the inter-VLAN communication will be still working without the router then. Still something, but not much. Was counting that once I'll upgrade my DS916+ to something 10Gbit i could have it in a separate VLAN without the speed loss with L3 ACL on Switch
@hz777 3 ай бұрын
L3 Switch might be still worse in terms of what? Speed for inter VLAN routing? No, it is not true. If you use ACL to secure the VLANs, the speed can only be better.
@barat7867 3 ай бұрын
@@hz777No, no. I mean that even with L3 capable switch (like USW Enterprise) with the ussage of L3 ACL instead of firewall the inter-vlan speeds between 10Gbit PC and 10Gbit NAS may be worse than having those two devices inside one VLAN. Or for ~10Gbit it's still fine? Doing it with Firewall rules will be limited by UDM performance.
@hz777 3 ай бұрын
Of course inter VLAN traffic will be slower, due to more overhead.
THẾ GIỚI 24H
Рет қаралды 10 МЛН
777 or 404
Рет қаралды 1 М.
777 or 404
Рет қаралды 637
Leader Academy
Рет қаралды 23 М.