I'm so glad to hear that. Thanks for watching!

It’s truly my pleasure. I’m so glad that you’ve found it helpful.

Wow... That is great to hear. Thank you. I will do my very best to keep making content like this. I will have a Firewalls -part 2 coming out in the near future...

I am so glad it was helpful to you! I appreciate the kind comment.

I’m humbled by that. Thank you so much.

You are very welcome. I hope it helps you out.

@@ethernetblueprinti need to contact you directly for some help and advice

Tim@ethernetblueprint.com

It truly is my pleasure. Thanks for watching.

@@ethernetblueprinthow do i contact you directly pls

You can email me at tim@ethernetblueprint.com

You are quite welcome. I hope you find it helpful and sub'd to the channel!

Thank you for your kind words... Congrats on your setup and welcome to Unifi

Hey, that’s great. Congrats. Glad I could help. Thanks for watching.

You are quite welcome. I'm glad you found it helpful! All the best with your setup!

Boom (Mic Drop). Nice work! Thanks so much for watching.

Thanks for sharing that. I’m so happy to hear that.

So glad it helped you! Appreciate your kind comment!

Sweet. Congrats! You are so welcome!

Great! I love hearing that. Congrats on your setup!

They can be.

That's great. Congrats. Welcome to Unifi!

@@ethernetblueprint Thanks!

I’m so happy to do it. Thank you for watching.

I appreciate the insight. Thanks for watching!

That is already in place with the use of rule #4 "Drop All Private IP Networks" that he has to prevent Inter-VLAN routing. To enforce this, you'd have to remove rule #1 "Allow Established and Related Traffic" and move these actions into each rule that was created for the granular level of access. At least that's how I see it but I may have overlooked something. I'm not a Unifi magician.

@@kevinoconnor6570 I was actually speaking more to what's good practice and why you have a catch all. However, after reading your comment I went and actually reviewed the rules. I'm ignoring rule 1 because I don't know what Unifi calls related traffic - that's not an industry term. Rule 4 should be drop any any, instead of private addresses. Layer 3 switches can't distinguish between what is a public or private IP address, so unless Unifi builds tables into their switches that have the classifications then I could maliciously get onto the network using a static "public" IP and communicate within the network. This is more of a deeper discussion with firewall rules, so I'm not sure if it's worth discussing the topic. I do love networking though so I enjoy the communication, and I'm Always seeking to be proven wrong as that means I get to learn something new!

​@ethernetblueprint I'd love to see how this is written, and also printer access for guests.

Thanks Scott. Happy to help in any way I can. All the best!!

It was my pleasure! Thank you for watching!

That's all I can ask for!

Thanks! I hope it was helpful to you in some way!

I'm so happy you found it helpful!

That is so smart... I'm glad you took this info and changed it to fit you. That is what it is all about. Thanks so much for watching.

I am super glad it was helpful to you. Best of luck with your project!

@@ethernetblueprint Question Sir. Trying to intergrate Unifi into my Home Assistant. My Unifi is on my default LAN, and my Home Assistant is on my IoT. I do have firewalls set up following your video. Do I need some form of firewall rule to see my Unifi? If yes do I need to make a LanIN or a LanOut for Home Assistant to see the IP for Unifi?

I’m so glad to hear that. Thank you so much for watching.

So glad you found it helpful. Thanks for watching.

Best compliment Ever!! Thanks.

That is perfect. This is meant to give a good starting point and hopefully teach the basics so you can add rules in your home to customize your needs... Thanks for watching! Glad it helped!

You are so welcome! Thanks for watching!

You are quite welcome. The series has been a lot of work, but I am happy to share it!

Thanks very much. I am glad you found it helpful.

I am so happy to do it as long as you all find it helpful. Thanks so much for watching!

I hear you. I came from the Cisco world myself. Glad you’re good to go now.

Hey thanks! Glad you found it helpful!

I appreciate your comment and suggestion. I will say that with this series especially, I am trying to keep this very beginner level since many of my followers are new to this. I think logging rules and checking flows would be a bit advanced. Either way, you are very correct. If DNS, DHCP, and NTP are things you want to control, then you would probably need rules for that. Unifi does have an mDNS checkbox that allows you to add the VLANs you want to talk and that does allow that to happen outside the firewall...

Check out this video I created on my channel... kzbin.info/www/bejne/oZKXY2ilrth9ask. I do have another video coming soon that talks about a device called Firewalla, which is what I use at my house for this...

You are quite welcome!

You are so welcome. Thanks for watching!

You should be able to create a rule(s) that allows your cameras to talk to your homebridge VM... Make sure that is a static or reserved IP so it never changes, then put all of your camera IPs into an IP group and then allow communication from that IP group to your Homebridge IP. Make sure that rule is moved up in the order so it is executed before the block all rule. I don't have a ton of experience with homebridge, but you should be able to do with FW rules and not need to move your server to another VLAN...

@ thank you. I am going to give this a shot tonight. Appreciate you

Thanks so much. I appreciate that. Thanks for taking the time to watch them.

Thanks so much.

Thanks. I am glad you found it helpful!

@@ethernetblueprint would you know if this also works across a site to site VPN. Limit remote subnet access to local default and controller.

Yes, it would. As long as you had the firewall rules set for the local subnets use in the VPN....

Happy to help. Thanks for watching!

I can say that I have done this exact setup in homes that are using Home Assistant with Sonos, Lutron, unifi cameras and all sorts of other smart gadgets... The users of that space were able to be on the secure VLAN and still communicate with home assistant devices.... Sonos was the only challenge, but I think we found a workaround for that as well...

Thanks so much. Appreciate you watching.

Well, LAN out Rules can be used for VLANs too but would be setup differently than these to achieve the results you’re looking for. WAN Rules are for allowing or blocking access from the internet. Then there are the IPv6 rules (the ones we were setting are IPv4) which are a different type of IP addressing. That may require its own video to explain that.

I do plan on doing something on that, but I have to buy all my own devices for testing and I don't have any ONVIF devices at the moment. Now, that being said, I have heard that the FW rules in Protect 5.0 is a little buggy at the moment... so I am hoping that gets a little more stable soon.

@@ethernetblueprint makes sense, look forward to it I'm looking at the reolink cameras I didn't know about the buggy firewall rules but did hear Protect 5.0 needs improvement with the onvif support but as first iteration it's heading in the right direction Thanks again for the help, I did get my iot device on the IoT network and it works!

Nice. Congrats. I definitely expect to see a lot of improvements with the ONVIF Support soon.

Thank you very much for your generosity! You are too kind!

You are quite welcome. I hope it helped!

I got that question a lot in the comments of that video so I had to find out for myself. Glad I was able to answer it for you as well.

If you plug either a "dummy switch" or a Unifi switch into a port that is assigned to the IOT VLAN (for example), yes, all the ports on that new switch will be in that VLAN... AND, if that switch is a managed switch that can do VLANs, then you will break its ability to change ports to a different VLAN. To do VLANs on the secondary switch, it would need to be set as a trunk port.

There are Guest FW rules too that automatically get put in place when you check the hotspot, landing page boxes on the network. I would go in those rules and create one that allows the network to talk to the printer IP to see if that helps.

Thanks so much. I hope it helped you in some way!

In my firewall rule sheet, you’ll notice that I have a Camera VLAN that is configured differently. That is because the cameras need to talk to their own gateway so they can record their footage. So you can put the doorbell on the IOT network, but you would need to set up the firewall rules like I have the camera network in my example. Or, you can just create a Camera network and put the G4 out there by itself. Up to you, but the firewall rules need to be set up like the camera example.

Thank you... The Firewall rules affect ANY device on the IOT network (wired or wifi), so you shouldn't have to do anything special for that one camera... The directions here would work for that too - even though it is WiFi. Unless I am missing something in your question...

I will have to look into that. I have setup many homes and up to now haven’t had a need to utilize IPv6. Is there a reason you’re planning on using it in your home?

Can you send me an email? Might be hard to answer all this in the comments… tim@ethernetblueprint.com

1. These IP ranges ensure that the firewall rules apply to all devices within those subnets. These IPs are only used in private networks, meaning any device connected to a router in a local area network will use addresses like 192.168.x.x, 172.16.x.x, or 10.x.x.x. An example of a non-private IP would be something like 8.8.8.8, which is a public IP used on the internet. 2. It can be good practise to seprate your SimpliSage/Ring. A slightly different example but shares the same concept of security, is, separating an access point across different VLANs can help protect it. You might have it give off separate networks for guests, home, CCTV, etc., while dedicating one VLAN purely for remoting into the access point to manage it. This keeps the management interface secure and prevents tampering. Plus, if one system is compromised, the others remain unaffected. While some might see this as overkill, it’s a solid approach to network security.

I run my Synology NAS with Plex on my IOT network where my TVs are networked... I still have access to it from the main network, but I have it IP'd on the IOT VLAN... Works great. Part of my reasoning for that though was because I had plex running in a docker and kind of had to do this way. If you use VMware for you Plex server, I think you have some more options...

@@ethernetblueprint Thank you!!!!

There are a ton of different ways of doing this, so if that way works for you, and it’s easy to understand better, go with it. There isn’t a right and wrong way. I just wanted to create this to give people a starting point, but I encourage my viewers to take it from there and adjust things to fit their own Preferences.

If you setup the Guest network to be isolated, I don't think ping will work. Because we used the built in Guest checkbox to make these rules, you may need to add a rule allow that communication.

Thanks. Thanks for the suggestion. I will tell you that if you have your Google mesh in "router mode", it will be difficult to take advantage of the Fw rules in this video... You essentially have multiple routers and the rules you put in place on the CGM, would not affect the devices connected to the Google devices. Bridge mode may solve this, but I guess I'm not sure what you are going for or what you are looking to do with the 2 systems. What would you be looking to do with the port forwarding?

@ethernetblueprint My first concern is Home Assistant. I want to make sure HA can communicate with everything, wired or wireless. My current setup is AT&T Fiber Router (in passthrough mode) -> Cloud Gateway Max -> Google Wifi. Anything hardwired goes to a Unifi device. Anything wireless goes through Google, with the exception of the HA sitting on a Pi and hardwired to the Google WiFi router. I have port forwarding set for port 8123 on the Google router and that is enabling me to get to the HA from a wired machine. I have yet to add an IOT device to the wired network, but I didn't know enough to know if it's going to work. My second concern is my Plex server. Am I going to need to wire that into the Google router or can I keep it on the Unifi network and enable port forwarding in a way that my wireless devices can get to it? Thanks!

Can you put the Google WiFi Pucks in "AP Mode" so they are no longer acting as a router and handing out IP Addresses?? If not, I think your setup is going to give you a lot of challenges, even with port forwarding setup.

@@ethernetblueprint I think the closest setting to this is to put the Google WiFi router in bridge mode. Unfortunately, this disables the mesh functionality.

@@ethernetblueprint I've had some success. For my Plex server which is hardwired on the Unifi network, I set port forwarding for 32400 (TCP/UDP) on the Google router for any device that needs to get to Plex from wifi and it seems to be letting those devices find the server. Google TV, Android tablet and phone. I still need to setup a wired IOT device so I can see if the port forwarding configuration for Home Assistant is working. I'll report back once I get around to that.

I will have a separate video on traffic rules...

You bet. I talk about the isolate network in the Guest WiFi Video 5 (but just briefly). If you check that box, it will block access each of the other VLANs... However, it will not block access to the router like we do in rules 5-8 (LAN Local Rules) - So, if that was important to you, you would need to add those rules in addition to checking the box. Hope that helps and thanks for watching!

It is just 2 ways to do the same thing... as a matter of fact, my other VLAN videos just do the HTTP/HTTPS and SSH rules like those other videos... They both offer security... I would go with whatever you are comfortable with....

@ thanks, i was in the understanding that this way blocked also internet acess but this way workes for me, and your great explanation made me able to make some custom rules that was needed for my setup..

Perfect. That is exactly what I was hoping for... Good luck!

So glad you liked it. Thanks for watching.

You are so welcome. Thanks for watching!

Maybe try editing the LAN-IN rule for the IOT Network to the PI hole device to an any any rule and not just limit it to port 53. I haven't used pihole before and don't know if it uses other ports outside of 53. You could pause the rules one at a time to see if any of them fix the issue.. then you know where you need to look. I'm sorry I don't know more about the pihole... never used one.

Yes... IDS/IPS are additional security benefits that you can turn on for extra protection benefits like DOS attacks or random overseas IP addresses trying to gain access to your network.. I do recommend having these turned on in addition to FW rules which are for your internal VLANs. These services do add overhead to your router and "can" reduce internet speeds. This depends on your equipment capabilities. In general, your gaming should still work fine though. Or at least that has been my case. I have mine turned on and set to strict and gaming still works fine...

Let me see if I can do this in a comment... If you still have questions you can send me an email to tim@ethernetblueprint.com and I can give a litte more info. You will need to create an IP Port Group for the DNS Server. It should just include the IP address of the DNS Server. Type - Name - Action - Src Type - Address - Port - Dst Type - Address - Port - Match State LAN IN - "Allow IOT to DNS Server" - Allow - IOT VLAN - Any - Port Grp - New DNS Server - No Action Required

Its a good question... A ping is not considered part of an established/related traffic. It is viewed different as standard network intercommunication. This is because "it operates on a lower level of the network protocol stack (ICMP) and is essentially a single, short-lived communication used to check reachability" As far as the private IP group. There are many ways to handle this. You could an Any any too. I like using IP groups to allow you to have more control of the rules. Any Any rules can be tougher to troubleshoot IMO...

@@ethernetblueprint Thank you for the response and clarification on my questions. Ah, so private IP groups is just good up front "housekeeping" as it were.

You got it! Just covers all your bases. But it is optional.

Hi there... If you set up the rules like I have in the video and have the "allow default to Any" (right below "allow established and related" and "drop invalid") but still on top of your blocking rules, you should be able to ping from the default to that VLAN. I have found there are other factors the block ping like windows firewalls or maybe you still have the isolate button checked on that VLAN that you can't ping... maybe?!? If you set it up like my rules, you should be able to ping it.

@@ethernetblueprint Thanks for the response. Everything looks like the way you set it up. I have seemed to notice that when I have changed things, sometimes incorrectly, and change them back the network gets confused. I assigned a VLAN to a port on my switch and then decided that was not a good thing and changed it back. It seemed to hold on to that setting. When things get quiet I may power cycle a few pieces of equipment.

There can be quite a bit of invalid traffic on a network... and this can encompass quite a bit. Many times, this is a network session not properly closing with the correct tags in it...

Thank you. I have it on the list for VPN, but I have tripple NAT going on right now so, I will be looking to talk VPN once I get my new Fiber service running and my verizon is my backup.

@@ethernetblueprint cool sounds like you have lots of fun times ahead of you. I sorted the issue with guis, it was a DNS issue (another video for you!) Now i have to solve the issue with the VPN client blocking WiFi Calling.

Does the casting feature work when your phone and Roku are on the same network? I will say that having VLANs can cause things like this to happen... not all communication protocols play nice with different VLANs... I did a quick google search and it specifically states that Casting to a Roku does not work when VLANs are in play. (but that was a quick 5 min search... I didn't research it any deeper than that)

@@ethernetblueprint Yes, casting works when the Roku is on the same VLAN as my phone. Thank you for your response. I have opened a ticket with Ubiquiti. I did a lot of searching around the internet on this topic as well. I'm surprised it's still an issue to this day. Lots of the reported issues have dates going back like 4 years ago. None of the threads and posts I saw ever has a definitive solution. I hope Ubiquiti can resolve this, it seems like such a common use case to not have work on a system this sophisticated.

And I feel it is a limitation with Roku... Not Ubiquiti...

@@ethernetblueprint yeah casting works perfectly when the phone is on the same VLAN as the Roku. I looked this up and it’s been an ongoing issue forever. Apparently other Ubiquiti routers you’re able to do some work arounds and configure it by editing some .json. Unfortunately you can’t do that on the dream machine pro. But you’re right, it probably can work on Ubiquiti, but whatever settings I need to enable doesn’t seem to be working. I have an open ticket with Ubiquiti, so far they suggested a bunch of things I’ve already tried and still can’t get it to work.

Thanks for the reply. 1) The FW rules and the switch port tagging work together to allow or block access. By setting the "block all" setting at the port level, you ensure that the device connected can only communicate on that network. Trunk ports really only come into play with VMWare like servers, switch to switch communication, AP communication... any device that hands out and communicates on multiple VLANs while plugged into a single port. Most of your devices (PCs, IOT Devices, Printers) should be set to Block all and just communicate on the single network. Your Synology may be an exception to this if you have it communicating on different VLANs at the same time. Then leaving it on the allow all port would be best. 2) It is really up to the user. Pros and Cons to both. If you block everything and choose to just allow the ports that need open, if you add a technology into the home (plex server for example), you would have to go open those ports for it to work. If you allow most ports to be open, but just block access to the local device on ssh, https and http, then it can make it easier to add other technologies down the road (IMO) 3) DNS can be tricky. I have my synology on my IOT VLAN and sometimes my PC will get to my files by DNS name and other times not. I don't think is a FW rule that is stopping it. I think it is the fact that Unifi DNS isn't the best. You may be better served to use an outside DNS to avoid some of the finicky issues like this... Its kind of trial and error. Sorry I can't give you a better answer. Hope this helps!

​@@ethernetblueprint Dear Tim, thank you again for your kind, fast and professional answer. As you mentioned the Unifi DNS in its current state is not reliable for different VLANs, at least from what I have tested the previous days. I switched to a rasberry pi with pihole + unbound installed and together with your best practice tips regarding the firewall rules and the comments, I managed to get it all working, with only the minimum machines and ports allowed for the adblocking and the name resolution. The gateways are not accessible inside the 6 vlans , the 6 vlans are separated and the pihole Interface recognizes every client + I can configure proper A-Records. Thank you so much again for these great videos. Wishing you all the best and best regards from autria.

Thanks for sharing this. I know you are not alone in this as many out there do like to manage their DNS. Nice job on getting things going!

Hi there. I may have to do a separate video on this, but let's see if I can push you in the right direction at least... Admittenly, I don't fully understand how HomeKit works since I don't use it myself, so you may have to do a little more research here, but I would try the following: 1) In Settings - Networks, make sure your IOT, Default and Camera VLANs are included in the mDNS box. 2) Create a LAN IN rule that allows IOT VLAN to talk to Camera VLAN. Drag this rule so it is above the Deny all Private IPs rule 3) Create LAN IN rule that allows the Camera VLAN to talk to the IOT VLAN. Drag this rule so it is below the IOT VLAN you just created and above the Deny Private IP to Private IP rule. This will allow communication between those VLANs... I am sure that there are better and more secure ways of doing this, but I just don't have a full understanding on how HomeKit communicates... For example, you may only need to have your cameras talk to the HomePod/Apple TV HomeKit server. The rules I suggested opens up the whole VLAN to each other... So please do a little research on this...

Is there a reason that the AP is on the Staff VLAN? If it were me, I would put the AP on the default VLAN so it gets an IP 192.168.1.x like your PC. The port on the PC can be set to block all (access port) and the AP should be set as Allow All (Trunk) If you have WiFi networks on that are on different VLANs, (ie. guest WiFi, Staff WiFi, Default WiFi...) then you will need the AP to be in trunk mode so it can communicate all the VLANs to your connected devices. But the AP's local IP address (called the Native VLAN) would be best served on the default VLAN.

Personally, I would put the NVR in the camera VLAN yes... That way the cameras can talk directly to it with no VLAN challenges.

I have had that heard that from other users too... mine was disabled by default but apparently that isn't always the case. Glad you figured it out!

You are correct... since that is done on the phone, there is no way to block it on the network... that I have found. Option 1: You could create a kids VLAN that is kind of locked down and put your kids devices on that... then when they share, they are sharing the kids network. Option 2: Install a Firewalla Device on the main network. It won't block the issue from happening, but it will allow you quite a bit more control of the devices on that main network. I will be doing a video on this very soon. That is how I manage my kids devices on my main network.

Glad you found it helpful.

I would think this work over VLANs but I haven’t tested with ONVIF since that’s so new. Did you set up the FW rules like I showed in the PDF?

@@ethernetblueprint Yes I did all the rules. I searched around the web any alot of users are having the same problem with ONVIF.

the ONVIF is very new so I am sure there are bugs they need to work through. Sorry for your issue.

It is still working... I just double checked. www.dropbox.com/scl/fi/x7g4vtqe7tahcdbbwm984/VLAN-FW-Summary.pdf?rlkey=b7wkur9ut9vlg1em9y9gf5907&e=1&st=oahosl3p&dl=0

Are you wanting to block just a few outside IPs or are you wanting to block something like China???

@@ethernetblueprint a few outside IP's. I already have countries blocked. Some how my internal NAS is getting failed admin sign on attempts from an external IP. Not sure how they are getting in.

Wow. Thanks a lot. That is super kind of you. Appreciate you watching.

It depends on the where the DNS server is located. If it is sitting in your network on another VLAN, then yes, you would need to make sure you have a LAN IN rule for DNS to that DNS server... If it is a public DNS on the web, no, it would not be needed...

@erinhickey4214 Hi....newbie question. So I am using Open DNS for DNS for my unifi which is across my entire network. So you are saying I can just use "Any" here? Thx

@@ethernetblueprint I have Cloudflare DNS for all my VLANs. If this is the case, are you saying I do not need the "DNS" option for the IoTs and can use ANY? Is this what you did?

Good question. It covers those. It covers ALL 192.168.x.x VLANs.

@@ethernetblueprint Thanks Tim, figured it out after a little investigation and testing. I appreciate the quick response and those rules worked out great. Great videos and excellent presentations.

Nice work!

Yes you will. That will be a LAN-IN Rule and it will need to go above the Deny all Private to All Private rule. You will want to make an IP group that has your NAS IP address in it and use that in the rule. For the cameras, the LOCAL rules can block access to the UDM Pro NVR. I have an example of how the cameras need to be setup in the video and on my downloadable guide that is in the description.

The IP Group simply includes the IP addresses of the devices that you want to control. For example, if you wanted to create a rule for your cameras, you would create an IP group that has the IP Addresses of each of your cameras... and then create a rule for that group.

I like a mgmt VLAN. I use one in my home but that is difficult to explain to super newbies and didn’t want to complicate things. I give my mgmt VLAN the same access as my Default network for the most part.

@@ethernetblueprint That's what I ended up doing. Thanks very much for this guide - it helped me understand the actual theory.

You are welcome! Thanks for watching. I am glad it helped.

Hi there. You could simply add an additional LAN IN rule above the “allow default to all private IPs” that says “Deny default to work network” which will stop that traffic but still allow default to talk to everything else. You would need to create a new IP group for your work VLAN. Hopefully that makes sense.

@@ethernetblueprint That does make sense! Thanks so very much

Very awesome. I hope it arrives fast.

Glad you liked. Hope it was helpful!

Take me to it, you will. - Thanks for watching!

Email me at tim@ethernetblueprint.com and I’ll see if I can help you out.

email me at tim@ethernetblueprint.com and I can see if can figure out what is going on... That shouldn't be the case...