I’m so new to this, and it’s all so overwhelming. You explained it in a way that’s much clearer and easier to understand than any of the videos I’ve watched so far. Thank you so much 🙏

Great video, looking forward to part 2

Just when I thought I knew it all pertaining to the new zone base firewall, I learned something new. Thank you for all the hard work you put into your videos.

This was exactly what I needed to know. I'm looking forward to the next video. Thanks!

Great videos, I have yet to watch them all thoroughly, but I plan to. Can you consider a ZBF setup video for self-hosted DNS servers on the Regular (Default) network?

Very clear! Thank you so much, finally I ended understanding these zones.

Thanks for putting together another fantastic lesson. I really liked the way you explained the zone approach. Good point about the block all from new zone to itself only applying to inter VLAN. That was not obvious to me. Device isolation for the IoT network via ACL is an interesting one. Many IoT devices need to communicate with each other. (Phones, plex client, Sonos, etc.)

Great video! Explains exactly (one half of) what I'd like to know. I'm looking forward to the second video! One thing I'd still like to know though: Don't you restrict gateway access from untrusted VLANs to necessary ports? (Or at least block ports 22, 80, 443?) I guess the effort to achieve this might be different for both concepts of video 1of2 and 2o2 and therefore worth to be compared as well? I'm looking foreward to video 2of2!

Another fantastic video 👍

Perfect! I've been holding off switching to zone based firewall as it was a lot of work to get my firewall my rules working correctly and I was worried about issues like this. I'll await upcoming videos 😅

How did you setup all those Terminal windows on their own networks, that's pretty cool.

Thanks for your job there! Waiting for part 2.

First of all... a great video. Especially the real world setups. A lot of other youtubers only glace at a high level. This really helps since I am fairly new to the unifi rules. And just when I setup some old ones, the zbf was introduced. Therefore some questions: How would the setup look like when protect is inside a UDM? When you don't own a UNVR? Do you need to setup rules to the gateway? Which? Could you also elaborate in a new video how to 'migrate' from old policies to new? How can you evaluate which rules to delete or replace with ? I've rules for allowing established and related trafiic. And to block non valid trafic. Allow DNS, etc. I am thinking about deleting al the old policies and start from scratch. Because also some old polcies can interfere with the new zbf ones? And does the new zbf also handle the correct order of policies? Does it also know which rules to put on top? Or is that something you always need to check yourself?

Great video as always. Couple of questions: 1 - With your protect VLAN is that assuming that you are running a separate Protect NVR instead of built into UDM Pro etc ? Reason I ask is that Protect NVR doesn’t appear to do well when adding cameras across VLANs (for example ONVIF cams) so was wondering the topology for Protect in this case. 2 - Understand you’re point about trusting Protect cams but wondering why you would not just want to block cameras outbound to Internet, period since there is always a risk of those feeds being exposed like they are with non UI cams. Don’t get me wrong, we all know that ‘other’ cams (even pro security cams) like to phone home but was just interested regarding your decision there. I generally choose to block all here. 3 - When running a UI infrastructure is there a preferred method you have / recommend for handling NTP locally since a number of devices you may want to block from Internet, still have an NTP requirement ? In this same question, is there a way to intercept and redirect NTP requests from a device and force them to use a different NTP server of your choosing (may be your own etc) ? 4 - The only issue I see with the Unsafe NW device isolation is then the cams cannot talk to an NVR on same Unsafe network for recording capabilities. Therefore what is the best way to have cams isolated from each other BUT allow access to an NVR in same VLAN ? Fantastic video and great timing since UI have not done a great job on demonstrating Zone Based firewalls. More a case that they released the feature and left users to figure it out themselves. Thanks as always.

Excellent explanation, thanks going to set mine up now

for the unsafe vlan, you could have enabled 'Isolate Network' in vlan 70 network settings. This will automatically create new firewall rules that block traffic to other zones.

Excellent video! Does the block all rule block multicast traffic as well? For streaming to iot, you’d want to allow that.

One problem with ACL. It will not work on Layer2 switches. For example two devices connected to USW-Flex-Mini will see each-other. And for wifi connected devices there is option Client Device Isolation. But there is warning with list of unsupported switches when you enable ACL.

Is it possible you explain port forwarding with this new setup? I made a new policy which granted access from external 'any' on ports 80 & 443, to an internal ip on those ports, but nothing worked. Ports stayed closed. (Portchecker from mobile phone on cellular network). Even with an any-any rule from external to internal the external ports stayed closed. Only when I made a policy from external to gateway the ports opened up. Which seems strange. Shouldn't the original policy from external to internal fix that?

For the non-unifi cameras in the unsafe zone, if your NVR was something other than the gateway, you'd need to create ACL rules to allow traffic from the unsafe devices to the MAC of the NVR, correct?

I haven't tested this yet, but does the auto enable return traffic rule do an allow all, or allow related/established?

How do you get all the terminal windows open on the different networks like that

I've configured firewall rules to restrict access to the web interface ie 192.168.1.1, but I can still access it from any VLAN, even though I have Block inter-VLAN rule in place. Could you explain how to correctly block web interface access from all VLANs except the admin VLAN?