Complete Unifi Configuration New User Interface

Video Statistics and Information

Captions
Everyone, Cody from Mac Telecom Networks. So I put a post on my community page on my YouTube channel asking if you'd want to see a full build with a UniFi network in the new controller, and the majority of you said yes. We are also voting on if we wanted to do it in one long video or we wanted to do it in sections, and 71 percent of you said they'd like one long video, so that is what this is going to be. I'll put timestamps down below if you want to skip to certain sections, as this is going to be a long video. It will be similar to my other UniFi full builds, but it will be in the new UI. If you're new here, please hit the subscribe button, make sure to hit the bell icon. If you'd like to hire me for network consulting, visit www.mactelecomnetworks.com. You'd find us on Instagram, Mac Telecom Networks, and we have a Discord server, which I'll put a link in the description below.

The first thing to consider when building a UniFi network is where you're going to host the controller. So if you have a UDM based model or the UDM Pro, it has a controller built inside of it, but if you have a USG, a USG Pro 4 or any other device, you're going to need that controller hosted elsewhere. We could use a Cloud Key, which has the network controller on it, or we could also download the controller directly to our PC. You could host this on a server as well. If you're an MSP and you want to host it in the cloud, the solution I use is HostiFi, so I have the majority of my customers sitting on a HostiFi server. For this video I'll be using a UDM Pro, so I'll have my controller built in to the device itself.

Before we get into any configuration, let's go over the topology of the equipment that I have. At the top we have my internet connection going into the LAN port of the UDM Pro. From the SFP+ port we're going into an Aggregation Switch Pro, and then from the Aggregation Switch Pro we're going into my UniFi Enterprise switch PoE, we're going into UniFi Switch Flex, and then we have a Switch Lite 16 PoE that's
plugging into my Enterprise 24 PoE. The reason it's not plugging into my Aggregation Switch Pro right now is I'm waiting on an SFP copper module. We also have my UNVR Pro plugged into the aggregation switch, and then from the UniFi Enterprise 24 PoE we have a bunch of cameras connected as well as access points. So the access points that I'll be using is two UniFi 6 LR access points, these are Wi-Fi 6 compatible, and then I have an In-Wall HD, and then I have a UniFi 6 Lite access point.

So the networks we're gonna create will have my main LAN at 192.168.10.1/24, and then we'll have a management VLAN, so this management VLAN will be for all of my Ubiquiti devices. We'll have an IoT network on 192.168.30.1/24. We'll have a camera on 192.168.40.1/24, and then we'll have a guest on 192.168.50.1/24. The Wi-Fi networks we're going to create is Mac Telecom, which will be sitting on my LAN; this computer will be the only thing that's able to connect to that. And then we have my IoT, which most of my devices in my house, TVs, PlayStations, Xboxes, smart light switches, they'll be connected to that. We'll have The Queen's House, which is our guest network, and then we'll have Mac Telecom Camera for my Wi-Fi cameras.

The first thing we need to do is get our UDM Pro configured with internet access. I have a static IP address, so I'll have to assign the UDM Pro that static IP, but mostly you will probably have a DHCP address. To find where our UDM Pro is sitting, we could go down to a command line and then we could type in ipconfig. From here you could see that our default gateway is 192.168.1.1, so I'll type that into a browser and it's bringing up our UDM Pro. It's saying connecting to the internet. It won't get an internet connection, as I haven't configured that static IP, but typically you should be connected right away. I'm going to go to advanced internet options, and my connection type is going to be static IP address. If you have PPPoE, you'd choose that as well. Now, depending on the WAN interface
you're going to be choosing, if you're using a fiber optic cable or if you're using a copper cable, this is the interface. I'm going to be using a copper cable, so we'll be using the WAN. If you're using fiber optics, you could have WAN2, which is the SFP. I'll fill in my IP address, my gateway, my subnet mask and then my DNS servers, and then we'll press next. Now that I've added my static information, it's going to be checking for the internet speed. We can see internet connected. We'll press next, and it's telling us UI is committed to protecting your privacy and security. We'll just say set up UDM.

Now we're going to give it a console name. I'm going to call it Mac Telecom, and then we're going to agree to the end user license and press next. Now we need to select a setup type, so either personal or for business. I'm not really too sure if this affects your config at all, but I'll select business, and then it's going to ask you for a business type. I'll scroll down and I'll pick technology and telecommunications, and then it will ask us our business size. I'll just say small business and we'll press next. Now you need to have a UniFi account to log into the UDM Pro. If you don't, you could say create account. I'm going to type in my username and password and then press next.

Now in this next step it says select a backup, so if you need to recover you could select backup, but we're going to be doing this completely new, so I'll say continue without backup. And then we have an update schedule, so it says daily, and we're not going to have this on at all. I'm going to disable it and then press next. We leave auto optimize on for now, but if we run into issues we'll end up turning that off, and I'll press next. Now it's testing our speed, which is pretty much what my internet provider promises me, and we'll press next. And this last step is just going to be to review your information, and we can press finish, and it's going to set up your console, which will take a few minutes. Now it's all loaded and we can see
this is the main page of my UDM Pro. It may look similar if you're using a Cloud Key Gen 2, as it's using the new UniFi OS. So we have our network controller, we have our Protect controller, we have Access and Talk, we have one admin under manage user, and then we have our system settings.

Let's go into the system settings. From the system settings you can see the console name, you can see your WAN IP address, you can see the gateway IP, the MAC address, you can see the owner of the console, we can see the uptime, the current UniFi OS version, and then we could see compliance details. Below that we could see performance, so we could see our CPU load, we could see CPU temperature and our memory. We scroll down even further, we could see hardware, so we could see the processor and then we could see the memory that's built into the UDM Pro. We could also see storage and capacity, so we have internal storage and then we have disk storage.

Now it's important to stay up to date with firmware updates, and we could take a look at that on the left hand pane. We can see overall that our UDM Pro is up to date on version 1.10.4, and we could see when it was last checked. We could also see the release channel, which is official. If you want, you could do release candidate or you could do beta. Under our network controller we can see there's an update available. The current version is 6.2.26 and it's under the official channel, and we could see the same for the Protect controller. I'm going to go ahead and update this network controller. I won't be using UniFi Protect through my UniFi Dream Machine, so we could click on these three dots and we can press stop. I will be using UniFi Access and UniFi Talk once it's available in Canada, so we'll leave these as is. If we scroll lower down, we turned off automatic updates, but if you want to turn them on you can do so. So we have the UniFi Dream Machine Pro, we could click on the toggle switch, and then we have our application. Under location and time, this is where we'll be
doing our geofencing. I'm not going to do anything to this, but you can if you'd like, and then we could click on advanced. Under advanced we could rename our console, we could turn on SSH, and we could have on remote access. If you want to remotely manage your UDM Pro or look at your UniFi Protect cameras through the UDM Pro, you need to have remote access on. We could enable analytics and improvements, and then we have some console controls. Under the console controls we could restart, power off, factory reset, download a support file, or we could restore the console from a backup. We also have backup config, so this will push a backup of our UDM Pro controller to our account.ui.com. You want to have this turned off, just check off the toggle switch, and you could do a backup now. You could also specify when we want to schedule the backups. I have mine every Monday, weekly at 12am. We could also download a backup file direct.

Now we've seen the settings of the UDM Pro, let's get into our network controller. In the network controller, updated to 6.4.54, we'll click on the network and this is our dashboard. At the top it's saying not seeing everything you need, and you could go to the classic dashboard. Where my face is covering, you could see the WAN IP address and the gateway IP. Below that we have our system utilization, we have our system uptime, we have the internet, we have our uptime and then we have our latency. We could run a speed test and see the down utilization, and we could see the up utilization. In the middle we could see a traffic overview, which we don't have any traffic currently running, and then we have client devices, which it shows we have Windows and we have other. At the bottom it's just showing some verbiage for some UniFi gear.

So if we go back to our drawing, we want to set the main LAN to 192.168.10.1/24.
We're currently on 192.168.1.1, so we'll go down to the settings wheel and then we'll select networks. From the networks we'll select our LAN, then we'll select advanced and scroll down. We can see that we have a DHCP server on, and it says to auto scale network. We don't want to have that, we'll check it off, and now we can switch what our subnet is. So I'll put it on 192.168.10.1/24 and then we'll auto configure the DHCP range. Now the DHCP range starts from 192.168.10.6 to 254, and we'll apply the changes.

Now that we've switched the LAN subnet, the next thing we need to do is adopt all of our UniFi devices. So if we look in the left pane we'll see UniFi devices, and here are all the devices that could be adopted into my controller, with my U6 Lite, we have my Enterprise 24 PoE, U6 LR, another U6 LR and then a bunch of switches. So we need to click on each one of these devices and then press adopt device.

While the devices are adopting, we could create our network. So let's look back at our topology and the networks we need to create: our management network, IoT, camera and guest. So we'll start with our management. We'll go to the settings wheel and then we'll click on networks. Here we're going to add a new network. We're going to give it a network name of management, and then the router is going to be our Mac Telecom, which is the UDM Pro. If you have any layer 3 switches, you could use that as well. And then we need to go down to advanced. We need to give it a VLAN ID, and for this network it will be VLAN 20. I like to match my third octet to the VLAN. We'll scroll down and we'll turn off auto scale. We'll select our gateway IP/subnet, right now it's at 192.168.2.1, we're going to switch that to 20.1 and then auto configure the DHCP and press add network. Next we need to do the same thing for our IoT network, so we'll add new network, we'll call it IoT, the router will be Mac Telecom, go down to advanced, and then we'll give it a VLAN ID of 30.
We'll turn off auto scale and we'll put the subnet as 192.168.30.1/24, and then we'll auto configure the DHCP and press add network. We'll do our camera network, so it will be name of camera, and then advanced, put it on VLAN ID 40, turn off auto scale, and the subnet will be 192.168.40.1/24, auto configure the DHCP, add the network. And the last one we need to do is our guest network, so we'll call it guest and then we'll press advanced. We'll give it a VLAN ID of 50 and then we're going to turn on device isolation, so it can't talk to anything else but the internet. We'll scroll down and we'll deselect auto scale and we'll give it a subnet of 192.168.50.1/24, auto configure the DHCP and add the network.

Now that we've created all of our VLANs, we need to create our Wi-Fi network, and we'll start with Mac Telecom. I'll go back to my UniFi controller and then we'll click Wi-Fi networks. Here we're going to add a new Wi-Fi network and this will be called Mac Telecom. We need to specify a password, it must be a minimum of eight characters, and then we need to select the network that it's going to be on. For Mac Telecom it's going to be on the LAN. We could take a look at advanced settings. Here we could have different Wi-Fi bands; if we just want this to go over the 2.4 or the 5 gigahertz, we could set it. I'm going to leave it at both, and then we could optimize for IoT Wi-Fi connectivity. Everything else I'm going to leave at default and we'll press add Wi-Fi network. The next network we need to create is our IoT network. We'll add new Wi-Fi network, we'll call it Dolores, and then we'll give it a password. Under the network we're going to specify the IoT network. In advanced we want to have the IoT optimization turned on, and we'll press add Wi-Fi network. The next Wi-Fi network we need to create is our Mac Telecom Camera, so I'll call it Mac Telecom Camera, give it a password, and then we need to specify the camera LAN, so we'll press camera and then add Wi-Fi network. And the last
Wi-Fi network we need to create is our guest network, so we'll call it The Queen's House and then we'll give it a password. We'll specify the network, which will be our guest, and then we'll add Wi-Fi network.

We now have our VLANs created and our Wi-Fi networks. We need to go back to our devices and make sure they don't have any firmware updates. So I'll click on UniFi devices, and there's two different views that you could look at your devices: there's this list view or there's the icon view. We'll go back to the list view and we can see that pretty much every device requires a firmware update. I'll start with my access points and then I'll move down to the switches. So all we need to do is click on the update available and it's going to tell us, are you sure you want to upgrade the In-Wall HD from 5.60.18 to 5.60.19, and I'll press confirm. The updates do take a few minutes and it will boot you off the wireless.

Now the firmware upgrades have been applied to all of our devices, we need to set all these devices onto our management VLAN. So all we need to do is click on each of the switches and access points, go to settings, and then we need to go to services. Under services we could see where the management VLAN is. I'll click on the drop down menu and then we'll select management. We'll scroll down and we'll press apply changes. I'll do that for every other switch and access points and then we'll be back. All the switches and access points are now in the management network.

The next thing we need to do, we need to put our wired devices on the correct network. So we could go over to our clients tab and then we could do display options. Here we could filter out just for our wired network. We could see my desktop computer here and then we have an Xbox. So the Xbox, we would want to put that onto the IoT network. We'll click on the client and we could see that it's on the USW 16 PoE on port 1, so we'll go over to the switch and then press settings. Under the settings tab we'll go down to ports. We'll
select port 1 and then we'll go to port profile. Currently all the ports will be set to all, which means they are trunk ports and all VLANs can pass over it, which we don't want. So we'll click the drop down menu and we'll scroll down to our IoT network. We'll press apply changes, and now that port one, so my Xbox, is on the IoT network. I need to do the same thing for all of my cameras. We can see my UNVR Pro, it's currently on the 192.168.10.169, but we need that to be on the camera network. We'll click on the UNVR Pro, we see that it's on the USW Pro Aggregation on port 23. We'll go to settings and then we'll go to ports. We'll scroll down to port 23, I'm going to give this a name of UNVR Pro, and then we'll put it in the port profile of our camera network and then apply changes. So I'm going to go through the list, make sure all of my cameras are on the correct VLAN as well as my IoT devices.

This next section will be for network security, so we'll be taking a look at our firewall and threat management. We'll start off with our firewall, so I'll click on my settings wheel and then we'll go over to traffic and security. To find the firewall in the new user interface we need to go to global threat management. We'll scroll down and we can see firewall. I'm not really a huge fan of how they do the firewall in the new user interface. I typically go back to the classic view, but for this video we'll stay in the new user interface. First thing I'll do is to create a new group. This new group will be called RFC 1918, and the type that this will be will be an IPv4 address/subnet, and then we're going to add an address. This is all of our private IP addresses, so the first address will be 192.168.0.0/16.
The second address will be 172.16.0.0/12, and then the third address will be 10.0.0, and we'll press apply changes.

The first section of firewall rules we'll be making is under our LAN interface, so we'll click on the LAN and then create new rule. The type will be LAN in, and then we're going to allow established and related. We're going to enable this rule, and then the rule applied will be before predefined rules. We're going to accept the traffic and then we're going to use all the protocols. The source and destination will be any any, and then under advanced we're going to want to turn on the toggle switch for match state established and match state related and press apply. And the next rule under the LAN that we're going to want to create is the drop invalid state, so we'll create new rule, and then the type will be LAN in and we'll call it drop invalid state. We're going to have it enabled and then our action will be to drop. The protocols will be all, source and destination any any, and then under advanced we're going to want to match invalid state and press apply. Under the firewall rules we could see they go top down, so we want to allow established and related and then drop invalid state.

The next firewall rule we're going to create is to allow our main LAN access to everything. So the type will be LAN in, the description will be allow LAN to all VLANs, before the predefined rules. We're going to accept the traffic and then the protocols will be all. The source is going to be a network of our LAN, and the destination is going to be that group that we created, so it'll be the RFC 1918, and then we'll press apply changes. And the next rule we want to create is our block inter-VLAN routing, so our IoT network won't be able to see our LAN network, management or guest and vice versa. So we'll create new rule, it will be under our LAN in, and I'll call it block inter-VLAN routing. The action will be to drop, the protocols all, and the source will be that group of RFC 1918 and the destination will
be RFC 1918 as well, and we'll press apply changes.

Now our IoT network can't see our LAN network, our management network, cameras or our guest network, but it could still get to the gateways of each of those networks. So I could get to 192.168.40.1 for our camera network, or the 10.1 which is our LAN network, and we don't want that to happen. So what we need to do, we need to create a new group, and I'm going to call this new group block IoT to gateways. The type is going to be IPv4 address/subnet, and then we're going to add the gateways of every other gateway except the IoT. So if we look back here, we're going to have to add in 192.168.10.1, 20.1, 40 and 50.1. We'll type 192.168.10.1, then we'll add an address of 192.168.20.1, 192.168.40.1 and then 192.168.50.1, and then we'll apply the changes. Now to make it so the IoT can't reach those gateways, we need to create a new rule. This time under the type it's going to be LAN local, and then we're going to call it block IoT to gateways. The action is going to be to drop, the source is going to be a network of our IoT, and then the destination will be that new group we created, so block IoT to gateways, and we'll press apply changes.

But if we were on our IoT network we could still reach 192.168.30.1, which is the IoT gateway. There's no way to block that IP address, but we can block the port group of HTTP, HTTPS and SSH. So we'll scroll down and we need to create two groups. The first one will be the IoT gateway, and this will be the IPv4 address of our gateway, so 192.168.30.1, and we'll press apply changes. The next group will be for HTTP, HTTPS and SSH, and it will be a port group, and we'll add the ports, so we'll add port 80, we'll add port 443 and then we'll add port 22 and press apply changes. Now back under the LAN we're going to create a new rule. It will be under LAN local and this will be the block IoT to firewall interface. We're going to drop the traffic, the source is going to be our IoT, and then the destination will be the IPv4 address group of the
IoT gateway and then the port group of HTTP, HTTPS and SSH, and we'll press apply changes. So we need to do that for every other subnet besides the guest. Because we put on device isolation, the guest automatically creates the firewall rules for us. But it's the same steps as I did for the IoT network.

Now let's take a look at threat management. At the top it says detect and block intrusions to my network, receive an alert when threats or malicious activity are detected on your network, and automatically block threats and malicious activity on your network. So currently it's turned off. We could have it just to alert us, or we could have it to detect and block, which I'm gonna have. Below that we have our system sensitivity, so we have maximum performance and at the other end we have maximum protection. I typically put mine on three, which is balanced. We could also scroll down and see advanced features and customizations, so we have restrict access to malicious IPs and then we have restrict access to the Tor network. We also have a threat management allow list, so if we want to create a new allow list, that's where we would do it. Below that we have our signature suppression and then we have network scanners. So the threat scanner, if we have this turned on, it will scan all of our networks and tell us what ports are open on the devices. I'll leave that off for now. And then we have internal honeypots: apply honeypot to your networks to detect malware, worms and other type of malicious traffic attempting to scan your network for vulnerabilities. We are going to turn that on, so we'll create a honeypot. This will be for our LAN network, and it always takes the .2 of whatever subnet you're on. We'll create, then we'll create a honeypot for the rest of our networks. We need to click on honeypot and then press create, and it will keep going down the list until we have no more networks to create on. So that's it, we have our LAN, management, IoT, camera and our guest. Below that we have our customized threat
management, so here's where you could turn on and off different customizations. We have our virus and malware with our P2P, we have our hacking, I'm going to turn on denial of service, and then we have our internet traffic types. Everything else I'll leave at default and we'll press apply changes.

Now to go to our threat management dashboard, we need to go over to the left pane and click on the shield. This is the threat management. Under threat management this will show us an overview, and from the overview we could block countries, so we could block China if we want, we could block Iran, we could block Brazil, any country that you want. If you want to unblock them, you just go to the block countries list and press unblock. You could also specify which direction you want to do it in, so this is both, or you could specify incoming or outgoing. In the bottom left-hand corner it will show you the total threats by severity, high, medium or low, top threats by geography, attempt, severity, source, top threats by classification, attempts and severity. If you have any threats, it will show under this traffic log. If you turned on the network scanning, it will show under endpoint scans, and then honeypot will show under the honeypot.

One other thing we could do to protect yourself and have better security is to do MAC address filtering. So on my cameras I only want to have that camera MAC address being able to use that port. Somebody pulled my camera down and plugged a laptop in, they wouldn't be able to access that. So we'll go over to my client list and then we'll pick my garage camera. This garage camera is connected to my USW Enterprise port 3. I'm going to copy the MAC address and then we'll go to port 3.
Under port 3 we have the MAC ID filter allow list. We're going to copy and paste the MAC address and then we'll press add MAC ID, then we'll press apply changes. So now this will lock this port to that MAC address, and the camera will be the only thing that's able to go on to it.

And that's it for this video. I'm sure I missed a couple things, but it's already been going fairly long. If you have any questions about this video, please leave it in the comments below. If you like this video, hit the thumbs up button. If you're new here, please subscribe and hit the bell icon. Alright, thanks.
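Added example (not part of the video or its captions): a small Python model of the firewall rules built above, showing the top-down, first-match evaluation and why "allow LAN to all VLANs" has to sit above "block inter-VLAN routing". The chain selection, the final default accept, and every host address other than the gateway IPs named in the video are assumptions of this model, not controller behaviour taken from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets and groups as configured in the video. 10.0.0.0/8 is the third
# RFC 1918 block; the /24 network addresses are derived from the gateway IPs.
NETS = {"LAN": "192.168.10.0/24", "Management": "192.168.20.0/24",
        "IoT": "192.168.30.0/24", "Camera": "192.168.40.0/24",
        "Guest": "192.168.50.0/24"}
RFC1918 = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
OTHER_GATEWAYS = ("192.168.10.1", "192.168.20.1", "192.168.40.1", "192.168.50.1")
IOT_GATEWAY = ("192.168.30.1",)
MGMT_PORTS = frozenset({80, 443, 22})          # HTTP, HTTPS, SSH port group
# Model assumption: traffic to any .1 gateway address is judged by LAN LOCAL.
GATEWAYS = {str(ip_network(n).network_address + 1) for n in NETS.values()}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 0
    state: str = "new"                         # new, established, related, invalid

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "accept" or "drop"
    src: tuple = ()                            # empty means "any"
    dst: tuple = ()
    ports: frozenset = frozenset()
    states: frozenset = frozenset()

def _in(addr, cidrs):
    return not cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)

def matches(rule, pkt):
    return (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and (not rule.ports or pkt.dport in rule.ports)
            and (not rule.states or pkt.state in rule.states))

LAN_IN = [
    Rule("allow established and related", "accept",
         states=frozenset({"established", "related"})),
    Rule("drop invalid state", "drop", states=frozenset({"invalid"})),
    Rule("allow LAN to all VLANs", "accept", src=(NETS["LAN"],), dst=RFC1918),
    Rule("block inter-VLAN routing", "drop", src=RFC1918, dst=RFC1918),
]
LAN_LOCAL = [
    Rule("block IoT to gateways", "drop", src=(NETS["IoT"],), dst=OTHER_GATEWAYS),
    Rule("block IoT to firewall interface", "drop", src=(NETS["IoT"],),
         dst=IOT_GATEWAY, ports=MGMT_PORTS),
]

def evaluate(pkt, lan_in=LAN_IN, lan_local=LAN_LOCAL):
    """Return (action, rule name) for the first rule that matches, top down."""
    chain = lan_local if pkt.dst in GATEWAYS else lan_in
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "accept", "default"   # assumption: nothing later in the chain drops it

def unprotected_sources():
    """Networks whose hosts can still open HTTPS to a gateway address.
    Guest is skipped: its isolation rules come from the controller, not modeled."""
    out = []
    for name, cidr in NETS.items():
        host = str(ip_network(cidr).network_address + 10)   # constructed host
        if name != "Guest" and any(
                evaluate(Packet(host, gw, 443))[0] == "accept" for gw in GATEWAYS):
            out.append(name)
    return sorted(out)

if __name__ == "__main__":
    for p in (Packet("192.168.30.25", "192.168.10.50", 445),   # constructed packets
              Packet("192.168.10.50", "192.168.30.25", 80),
              Packet("192.168.30.25", "192.168.30.1", 22)):
        print(p, "->", evaluate(p))
    print("can still reach a gateway UI:", unprotected_sources())
```

The networks returned by `unprotected_sources()` are the ones for which the per-subnet gateway rules still have to be repeated, as the video says is needed for every subnet besides the guest.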
Info
Channel: Mactelecom Networks
Views: 21,028
Keywords: udm pro, udm pro configuration, udm pro config, udm pro configure ports, udm pro configuration backup, unifi wifi 6, unifi wifi setup, unifi vlan setup, unifi vlans tutorial, unifi vlan firewall rules, unifi firewall rules, unifi firewall setup, unifi threat management, unifi threat management alert, unifi threat management review, Full unifi setup
Id: 5pke3594WNk
Length: 26min 21sec (1581 seconds)
Published: Fri Nov 19 2021