Configuring VLANs, Firewall Rules, and WiFi Networks - UniFi Network Application

Captions
Today we're going to cover setting up VLANs using UniFi's network controller. We'll set up a VLAN from start to finish, which includes creating a network, configuring a wireless network that uses those VLANs, and then we'll set up firewall rules to make sure we're keeping our network safe. If you think that VLANs are only for the enterprise, you're wrong, and if you stick around I'll show you how helpful they can be at home too.

So what is a VLAN? A VLAN, or virtual local area network, is a group of devices, computers or servers that communicate with each other as if they're on the same physical LAN, but they're actually located on separate physical LAN segments. VLANs can be created by configuring a managed network switch to segment the network into different broadcast domains.

So why are VLANs important, even to the home user? VLANs are important for security: they can help isolate sensitive data and systems from the rest of your network, improving security by preventing unauthorized access. VLANs are also important for performance: VLANs can be used to separate network traffic into different segments, reducing network congestion and improving overall performance. VLANs are also important for management: VLANs can be used to simplify network management by grouping devices based on location, department or even function, making it much easier to configure, monitor and troubleshoot. And last but not least, VLANs give you flexibility: VLANs allow for network changes and reconfigurations without physical changes to your network infrastructure, saving you time and money, and who doesn't want to say that, right? So what's not to love about VLANs then, if they give you greater control over your network, they help optimize network traffic and performance, they give you better security and they give you management flexibility? Well, for me, it was knowing where to start.

The first place I'm going to start is in the UniFi network controller. Now let me preface this whole thing with: UniFi will change things. It's guaranteed that they'll change something in the UI, so I'll try to call out concepts and keywords that you can search for within the UniFi controller if it does change, rather than where exactly to click; I'll call those out too.

So the first place you'll want to go is inside of Settings. Once we're in Settings, you'll want to make sure that you're on Networks, and here you can see a list of my networks. This is my home production right now, in my home lab, and here are the different VLANs that I have set up. If we want to create a new VLAN, we'll need to create a new network. So let's create a new network and then we'll name our network. I'm going to set up a new network that will be my new IoT network; I'm just going to name it IoT. Then you can choose a router you'd like to use to route this traffic. I'm going to keep mine on the UDM SE, but you could choose a different router if you like.

Next I'm going to uncheck Auto Scale Network. Now, if you auto scale the network it'll pick a subnet for you and scale it for you automatically, but I want to be a little bit more prescriptive about my network, so I'm going to set up the network that this is on. This is a little bit important. You could see that it's suggesting 192.168.3.1. Now, I don't want that network (you can take it if you want), but I'm going to say mine is 192.168.100.1 with a netmask of /24. Again, you can change this to anything you like, but this is the one we're setting up today.

The next thing I do is go into Manual and change this. Now you'll get to choose a VLAN ID. A VLAN ID is just an ID to identify your network, and this is the ID that your packets will get tagged with so it knows how to route those packets. Most of the time what I do is I just set this VLAN ID to the third octet of the network that I'm on. Now I know this doesn't work and it doesn't scale, but I don't have that many networks at home; for home use it's a good idea for me to do this, but if you're in an enterprise or larger business you might want to choose your VLAN ID appropriately. So I'll set my VLAN ID to 100.

Next we'll pick the network type, and we want to choose Standard. You could choose Guest Network here, but this really doesn't make sense for what we're doing because it will apply guest policies to that network. If you had a captive portal or a guest network you were broadcasting to the public, you would use that, but we're not, so let's keep this as Standard. Content Filtering: I'm not going to put any, but this is the new feature to filter out content. You can choose the content filter type of either Work or Family (pretty much home), but I'm going to choose None.

IGMP Snooping and Multicast DNS: now these are kind of important, especially for an IoT network. If we read it, it says it improves network bandwidth by only sending multicast traffic, such as AirPlay, to the intended network device; this may however increase multicast latency and drop any non-registered multicast traffic such as PTPv2. So my advice here is: if you're setting up an IoT network and you're going to have Apple devices, or maybe Google devices, or devices on that network that you want to communicate with across networks, I would recommend turning this on. And the same goes for Multicast DNS too. You can see it's enabled by default, but Multicast DNS, it says here, allows multicast traffic to transmit across multiple networks; we recommend using this when using AirPlay or Chromecast. So again, if you're going to have any network devices that you want to discover on this IoT network, say you have an app on your network and you want to discover or cast any kind of content to that other network, you'll need to make sure that this is on too. So I recommend turning these on for an IoT network, because your IoT network will most likely have smart devices that you want to communicate with that need this feature. And if you're not sure, you can keep it off, and then when you start troubleshooting your network, if you can't cast to something, you can turn this back on.

So next up is DHCP. What's our DHCP mode? You could change this to be a DHCP relay, or say no DHCP at all, but I want my UniFi UDM SE to act as a DHCP server, and I want to set one up. This DHCP server will hand out IP addresses when clients ask for it. On the range, you can set this however you like; the defaults are great, 6 to 254, but what I do on my small networks is I say 100 to about 200. Now, the likelihood of me having more than 100 DHCP devices on this network is pretty low, and the reason why I do this at 100 to 200 is so that I know when new clients join: if it's in the 100 to 200 range, I know it's a new device that I haven't set up yet, and it's easier to find. And then I try to keep my static leases lower than that, but that's going a little bit too far; you'll want to choose something that makes sense for you. 6 to 254 is perfectly fine. Now, we aren't going to do much else here, and I don't want to talk through all the options because, as you see, there are quite a bit, but we can keep defaults here. If you have some advanced DHCP use cases, feel free to go through there and configure it.

So let's add this network now. We're adding this network... successfully added this IoT network, and we can see it right here, so it's "IOT" in capitals. Let's change this really quick just so we can differentiate it from my existing IoT network: IoT 2... IoT Better? Is it IoT Better? Yeah, well, IoT Better, I don't know why. So we have this IoT Better network now and we can use this network already; it's already set up. If we want to go and assign it to a switch port we can, but let's do one more thing, because it's kind of similar, and that's assigning this network to a Wi-Fi network, very similar to a port.

If we go into our Wi-Fi networks, what we want to do is create a Wi-Fi network that this VLAN will use when clients connect to it. This is how you can separate your IoT devices from your trusted home devices. So what we want to do is create a new network and bind our new VLAN to that network, so when we configure our IoT devices they join that network and they get assigned this VLAN. It's pretty cool. So let's create a new Wi-Fi network. As you can see, all of mine start with "konichiwa", so we won't do that, but I'll call this the same thing as the network. Now, you don't have to; you can name this network anything you want, but I will, just so it's not as confusing, so I'll call this network IoT Better, and we can set a password for this network. Under Network we can choose our VLAN. Default is the default network; that's probably the one you have if you haven't done any VLANs yet, and that's your flat subnet or your flat network that all of your devices are on. But now we're going to segment this with VLANs, with the one that we just created, so let's choose the network we just created, IoT Better. I'm going to choose that, and then we don't have to do anything else. Now again, there are advanced things you could do to tweak your network or tweak your Wi-Fi; we're not going to change any of that. If you have an advanced use case for networks, feel free to configure that. Now we're just going to create this new wireless network that's bound to this new VLAN network, so let's add this right now.

If we go into our UniFi devices, we can see right here I have quite a few access points, but we can see right here that these access points are now provisioning and getting these new settings. So my UDM Pro right now is going out and telling all of these access points that they need new configuration, that there's a new network available for them, and that new network is bound to our VLAN. This should be done here in a couple of seconds, but pretty cool, we're pretty far so far.

While that's wrapping up, I mentioned that we can now assign this to switch ports too, and we should do that. So let's go into one of your switches. For you this would probably be your UDM Pro or UDM SE, and you would configure one of these ports over here, but for me I have a few switches, and now it's available on all of these switches. I'm going to configure it on my workbench switch, so let's go into Port Management, and I'm going to choose this port, because on this port right here, port number two, is my laptop back there that we're going to configure and do some testing. So currently this one is on the port profile of All. So what does All mean? We don't have a VLAN called All, do we? No, we don't. So what it means is this is a trunk port, I believe. This is a little bit advanced, even for me, because I'm not a networking person, but what I think it is is a port that basically has all traffic untagged that can see every single VLAN as well. I think that's right; correct me in the comments if I'm wrong, I'm not a network person. Tom Lawrence, if you're watching this, I'm sure you have the right answer.

So let's pretend that this laptop is an IoT device or something that I don't trust, and I want to make sure that it can only get to the internet and nothing else. So we would go and we would assign that new network to it. Let's find it in here: so we have IoT Better, let's apply that, and that should roll out fairly quickly. Well, congratulations, we've configured our first VLAN on wired and wireless. We're done! No, we're not done yet, but we made a huge leap forward. So far we configured a VLAN, we've applied it to a switch port, and we've applied it to a network, but there are a few gotchas that we'll need to work through here, and that's configuring firewall and security for these devices.

Now, remember we assigned the switch port to that new VLAN. We check it, it's still IoT Better, and if we look at this device we can see it has a DHCP address now from the new DHCP scope that we created, so we know this is on the right VLAN. We're doing good, right? Let's remote into this machine and see how good we're doing. So I'm in this machine now; as you can see up here, the RDP address is 192.168.100.163, and let's open a terminal really quick to see what our IP address is. In WSL or Linux I can do an `ip a`, and I can see here that our IP address is the same (duh, or I wouldn't be able to remote into it). Pretty cool, we're on this VLAN, but let's do a little bit more testing. First, can we get to Google? So let's ping google.com. Yes, we can get to Google, so we can get out to the internet, and that's a good sign. But let's do something else: let's ping another device in our network. If I go back to my workstation we can see that my IP address is 192.168.10.150, and this is my trusted network, so I can get out of my trusted network to remote into that machine that's not trusted (we'll talk about that a little bit later). But the IoT device to me is not trusted, and so we shouldn't be able to ping or communicate with this workstation from that IoT device, or that laptop back there. Let's give it a shot. So if we do a ping to that device, we can't ping it, but don't think that's because of any protection that we have in place: my Windows Firewall is on, so let's turn that off also really quick. OK, let's turn our firewall off. Kind of scary, but we're going to do it really quick for testing; this is all for science, we'll turn it back on. And now if we go back to that remote machine we can see we're getting a response back.

Now, that's not normal and not something you would expect. So, out of the box UniFi allows VLAN hopping. What does VLAN hopping mean? Well, it means you can get from one VLAN to another, just hopping, without any kind of security in place. Now, a lot of different vendors do this one of two different ways: either block all VLANs out of the box, or allow all VLANs out of the box. UniFi allows communication between VLANs out of the box. Now, I don't know if that's like a quality-of-life feature or a consumer feature or what; you don't see that a lot of times with a lot of vendors. So what we need to do is the opposite: on other vendors what you have to do is create firewall rules to let you out, but what we need to do is create firewall rules to keep this traffic contained to this network. This was a little bit challenging when I first started with VLANs, especially with UniFi, but I think I figured it all out. We're going to create some firewall rules now to make sure that this new IoT network can't communicate with anything but the network that it's on, plus a couple more, but we'll save that for later.

The next thing we'll want to do is go into Settings and then we'll want to choose Firewall and Security. Now again, if you can't find some of these settings that we're talking about, you can type "firewall and security" in the search box and then click on it. In Firewall and Security you'll see all of my firewall rules. We're not going to go through them too much, but the idea here is that we want to restrict network traffic going out to other networks from the VLAN that we're on. There are a couple of ways to do this, but this is the easiest way that I found to do it. So once we're here, we actually don't want to go into firewall rules first; we want to create a group. What is that group going to be? Well, that group is going to be a list of networks that I already have within my network that I don't want to allow this new VLAN to reach. Sounds confusing; let's just do it really quick.

So instead of Firewall and Security, go back to Settings and then go to Profiles. In Profiles you can configure a bunch of stuff, but what I kind of figured out with profiles is it's just a way to group stuff; it's a way to alias stuff, and it makes it a lot better for network management and creating firewall rules that point to a lot of networks, and confusing them, or having to change them in the future. This profile area gives you one place to make changes, and they'll then apply to those rules. So anyways, let's create a profile really quick and then I'll kind of explain what it means. You'll want to find a section where you can see Port/IP Groups, and that's what we're going to do: a group of IPs and ports. Not going to do ports, but just IPs, but they're lumped together. If you get to the bottom you can see all of mine; we're going to create a new group right here.

So what are we going to call this group? Well, what I typically do is call it the name of the network and then say "only", so I'm going to say this is "IoT Better Only". And so if I were to say that it's IoT Better only, what would it be? Well, it would only be the IoT Better network. So how do we get only the IoT Better network? We do that by excluding everything else. So what I'm going to say is we're going to make this a type of IP Address/Subnets. This is going to allow me to add a list of IP addresses or networks. So we know that this network, IoT Better Only, is 192.168.100.0/24, and I have a bunch of other networks on my network, so I need to list those all out. For simplicity I'm only going to list a few; I'm not going to list the five or six that I have, but if you have multiple VLANs you're going to have to list those all out and update those as you add new networks. If you can't remember what networks you need to include, you could always go back to Networks and see all of your networks, and for me in this scenario, ideally we would add all of these networks except for the one that we're on, right here, the .100.0. But in this example VLAN that I'm creating, what I'm going to do is just add the default network and add my trusted network that I'm on right now, which I call Main, so .0.0 and .10.0 I'm going to add to here. So let's go back. The first one, as we mentioned, would be 192.168.0.0/24, and the next one I would need to add is 192.168.10.0/24. So now this means that, hey, this group that we're identifying is every network but IoT Better. I should probably call it "all networks but this", but "only" makes more sense to me, and I learned that from it's my natural color, who has a channel, who taught me how to do VLANs on his channel, so now I'm passing that on and teaching you how to do it.

So now we have this group. What do we do with the group? Well, now we can create our firewall rule to include that group. So let's go into Firewall and Security now and let's create a new rule. Now, once you get here, I'll admit it is kind of confusing how they name all of these different types, so I'll try to summarize what these are, at least how I think of them. Internet In: that is the ingress, or rules that apply to traffic coming in from the internet, so from the WAN. Internet Out is anything egressing that way, or going out of that WAN. Internet Local: no idea, I'm going to be honest with you, I haven't used that one. Maybe I have, but I should probably look into it; if you know, let me know in the comments below. The Local ones kind of get me a little bit confused, but I'll mention the ones that I do use on a normal basis. LAN In: this is between two LANs, so ingress into the next LAN, and LAN Out is the egress between the two, or exiting one LAN and going into another LAN. LAN Local: no idea, I'm not gonna lie, I didn't do my research ahead of time. I should look it up and maybe post a comment on what these Local ones mean, or Tom, if you're out there, again let me know. And then Guest In and Guest Out, it's the same thing; guest is for that guest network that we talked about a little bit earlier. Then there are different versions for IPv6, and LAN v6 and all the v6 stuff that I'm not using right now.

So anyways, what we normally choose when we're creating a rule for inter-VLAN is LAN In. I'm saying, hey, this is a rule that applies when someone tries to get into this next LAN that I'm protecting. So what am I going to call this? Well, you might have your own convention of how you name your firewall rules; I kind of have my own too, but my convention is typically "block" or "allow", the thing you're blocking or allowing, "to" the thing you're blocking or allowing. This will make more sense in a second. So what I usually do is "Block", what am I blocking, well I'm blocking "IoT-Better", to what, to "All", to everything. So this rule is really containing that traffic and saying, hey, you don't get to go outside of your VLAN. Then you choose whether or not it's before or after predefined rules. There are a bunch of predefined rules; for the most part I apply them before theirs are applied, so that if it's an allow it can get through, but "before predefined rules" is what you typically choose for inter-VLAN firewall rules. So I'm going to say: what is the action we're going to do? Well, I said it right up here, it's block, so we're going to Drop this. Then you get to pick your protocol; you can pick whether it's TCP, UDP, both; we want All. Source: this is where the traffic originates from. In this case you might think it's that profile that we just created, but no, we're going to use that in the rule, because if you remember that profile is a list of other networks. So how do we define this network that we're on? Well, we change the Source Type; we change it to Network, and then from here we can choose our VLANs or our networks, so this is the IoT Better network. This is saying, hey, traffic that originates from the IoT Better network, what do we want to do, or where is it traveling to? The destination is the IP group that we just created, of, can you guess, I got a lot in here, IoT Better Only. This rule alone is basically saying, hey, if the source originates from the network IoT Better and is destined outside, just drop it.

And then we could assign a port group if we wanted. Not for inter-VLAN; we don't want to assign port groups, but creating and assigning port groups is super handy for commonly used ports. Let's say you were setting up a firewall rule, and instead of saying IP to IP you could restrict it even more and say this IP to this IP on these ports. And yes, you could hand-type the port in here if you wanted, but if you had that list of common ports, say k3s ports, and you knew what those were and those were defined, you can create a port group and choose that, and then apply that here, so that all of your rules that need to use that could use that profile instead. And then another benefit of that is if you added a port in the future you would just add it in the profile, and then all rules that were using that profile would actually get them. So, pretty cool: use profiles whenever you can. I even use profiles for one machine. Because why? Well, because I get to name them. It does make it a little bit tricky later on when DNS changes, but don't worry about that; my recommendation is to create a profile even for one device. I would, and I do. So anyways, enough about that. There are a lot more things you can change, but for this inter-VLAN firewall rule this should be good enough, so we should be able to apply this now. OK, so this successfully applied. Now let's find our rule in this list. If we look at our firewall rules I can choose LAN right here, and then I should be able to see it in this list. As you see, I have a lot of rules, and where's the one that we just created? It's right here: Block IoT Better to All.

So since we did that, let's remote back into that machine and see what we can do. I'm back in this machine now, but let's see if we can ping the gateway, 192.168.100.1. And so we can ping the gateway, because we're on that same network; it's within the 100.0/24 address that we're on. But what happens if we try to ping the workstation that I'm on right now, which if we look in our history was 192.168.10.150? We can't ping it, so this is a good sign. This means that our firewall rule is now containing this network within itself, so this network can't communicate with anything, which is pretty awesome, and now we've successfully locked down this network, and it's a perfect network right now for IoT devices. This is exactly what I do for IoT devices: I don't let them communicate with any other device on my network; they can only communicate with machines that are on that same network.

So you're probably wondering how I can communicate with this machine that's behind me that's on a different VLAN. I did nothing. So remember how I said that out of the box VLANs can VLAN hop without any additional configuration? Well, this is my trusted network here, and I made a decision to say that anything on my trusted network can VLAN hop. Now, there's a caveat to that: there are some VLANs that I don't allow it to, but for the most part, most of my VLANs, I do allow any trusted network to get over to any of my other VLANs. That's helpful if I have, like, an app, and on the app I need to remote control one of those devices, an IoT device. Now, most of the time you're going to go through the internet, and that IoT device is going to go through the internet, and you're gonna control it that way, but there are times when you need to, say, cast from this device to the IoT network, and this will allow you to do it. And just to prove it, let's turn off my firewall on that machine that's behind me, that's on this new IoT network. Let's turn it off, and we'll go back to my desktop here, and as you can see I can now ping it. I couldn't ping it before; I realized the firewall was on, but those are the things you're going to have to think about too. Now, as you can see, I can VLAN hop to that new network that we set up. Again, that's a decision I made; it's up to you whether or not you want to do that, but I recommend for your other networks you don't allow them: only allow it from your trusted network, and possibly even one machine on your trusted network, just in case.

So there's one more thing that might get you in the future, so let's talk about it, and that's the order of firewall rules. As you can see, I have most of my blocks last on here. That's because I wanted to process all of the firewall rules, hopefully catching one until it gets down to the block, or hopefully blocking it as it gets down. They're processed in the order that you see them, from top to bottom, by ID basically, so I always have these last, because I know that if I allow something, that needs to be above a block. Because if you think about it, if I have this one right here above this one right here, if it's processing all of these rules in order and it said block, well, it would never get to the allow. So I typically put all of my blocks last. And where does this come in handy? Well, it comes in handy if you use DNS, or something else that's on another network, like I do. My DNS is on a totally different network, and so I have to create exceptions to say, hey, allow that network to have DNS, otherwise it can't resolve any host names. So what you'll want to do is set up a rule similar to this that allows all of your IoT devices to get to your DNS. Now, if you're using UniFi for your DNS, or something upstream, and you don't have Pi-hole set up or an internal DNS server, you don't need to worry about this.

And so this rule basically says, hey, on LAN In (remember, that's inter-VLAN, between two VLANs; I think that's inter, intra, anyways, between two VLANs) allow IoT to DNS Servers, so again before predefined rules. And then in Source I'm saying what is the source, where is this traffic going to originate from. I could have done this, I guess, one of two ways: I could have said the source is the network that is IoT, rather than saying it's the port group of IoT Only, but anyways, it works this way. I'm saying, hey, it originates from this network that's only the IoT devices; the port group for the source doesn't matter. But for the destination I'm saying, hey, it should only be DNS Servers. But you don't see any IP addresses, exactly: this is where, again, profiles come in handy, because I specified all of my DNS servers in one of these profiles, so as I get more or change DNS servers I only have to change it there; I don't have to change it in all of my rules. Then again, here's Port Group. So I'm saying what port group? Well, I created a profile called DNS Ports, probably only 54, we'll check it, but this only allows the destination port to be 53. I don't know if I said 53 or 54, but it's 53. And so this is a rule that I'll need to create, and it needs to go above the blocks for that network. Let's check really quick on that DNS. So this is what I was talking about: DNS Ports, there's only one, and then DNS Servers, I have four set up. I have no idea what... I know what the fourth one is, it's probably the load balancer in between the two that I have load balanced, because sometimes I think the requests come from there, but anyways, not important. But again, I highly recommend creating profiles for all of this.

So that's everything I've learned about VLANs using UniFi devices. As you can see, the paradigm is a little bit different from maybe some of the other vendors, but once you start to understand them and configure them, it's just as easy as all the rest. Over the last year I've learned a ton about VLANs, a ton about firewall rules, and a ton about how UniFi works, and I hope you learned something too. And remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

"Have you ever considered making a video on UniFi firewall rules? Trying to work my way around them, but a bit lost."

"Absolutely I have. Like I said, I think the last video I released, I said that video is either two or three in my stack. The way that my stack usually works, in my backlog I plan out videos and I usually just work out the stack and pop the top one on the stack. Sometimes things come in hot, though, where I have to do them ahead of time because of, you know, obligations, but that one's working its way to the top of the stack."
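The firewall logic the video builds (the "IoT Better Only" IP group made of every other network, the LAN In block rule, the DNS allow rule, and top-to-bottom first-match ordering) modelled as an added Python example. This is not code from the video or from UniFi; it uses the lab addresses shown on screen (192.168.0.0/24, 192.168.10.0/24, 192.168.100.0/24, the laptop at .100.163 and the workstation at .10.150), and the "Services" VLAN, the DNS server address 192.168.20.53 and the rule names are assumptions made for the example.

```python
"""Added example (not from the video or UniFi): a first-match model of the
LAN In rule set built in the video, used to show what the "<network> only"
IP group contains and why the DNS allow rule must sit above the block rule."""
import ipaddress
from dataclasses import dataclass, field

# Networks from the video's lab. "Services" is a hypothetical extra VLAN,
# added only so the DNS servers live on "a totally different network".
NETWORKS = {
    "Default": ipaddress.ip_network("192.168.0.0/24"),
    "Main": ipaddress.ip_network("192.168.10.0/24"),
    "IoT-Better": ipaddress.ip_network("192.168.100.0/24"),
    "Services": ipaddress.ip_network("192.168.20.0/24"),  # hypothetical
}
# Profiles (UniFi IP group / port group); the DNS server address is constructed.
DNS_SERVERS = [ipaddress.ip_network("192.168.20.53/32")]
DNS_PORTS = {53}


def only_group(name):
    """Build the "<name> Only" IP group the way the video does: list every
    other known network, so a rule aimed at this group means "anything
    outside <name>". It must be updated whenever a VLAN is added."""
    return [net for n, net in NETWORKS.items() if n != name]


@dataclass
class Rule:
    name: str
    action: str                                   # "accept" or "drop"
    src: list                                     # source networks
    dst: list                                     # destination networks (an IP group)
    dst_ports: set = field(default_factory=set)   # empty set = any port

    def matches(self, src_ip, dst_ip, dst_port):
        if not any(src_ip in n for n in self.src):
            return False
        if not any(dst_ip in n for n in self.dst):
            return False
        return not self.dst_ports or dst_port in self.dst_ports


def lan_in_rules(dns_allow_first=True):
    """The two LAN In rules from the video, in the chosen order."""
    allow_dns = Rule("Allow IoT-Better to DNS Servers", "accept",
                     [NETWORKS["IoT-Better"]], DNS_SERVERS, DNS_PORTS)
    block_all = Rule("Block IoT-Better to All", "drop",
                     [NETWORKS["IoT-Better"]], only_group("IoT-Better"))
    return [allow_dns, block_all] if dns_allow_first else [block_all, allow_dns]


def evaluate(rules, src, dst, dst_port=None):
    """Rules are processed top to bottom and the first match decides.
    Nothing matching falls through to the out-of-the-box behaviour the
    video demonstrates: traffic between VLANs is allowed."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "accept", "default (inter-VLAN allowed out of the box)"


if __name__ == "__main__":
    rules = lan_in_rules()
    laptop, workstation = "192.168.100.163", "192.168.10.150"
    gateway, dns = "192.168.100.1", "192.168.20.53"
    checks = [(laptop, gateway), (laptop, workstation), (laptop, dns, 53),
              (laptop, dns, 443), (workstation, laptop)]
    for args in checks:
        print(args, "->", evaluate(rules, *args))
    # The ordering pitfall: block above allow means DNS never gets through.
    print("block above allow:", evaluate(lan_in_rules(dns_allow_first=False), laptop, dns, 53))
```

Running it reproduces the video's tests: the laptop reaches its gateway and, with the allow rule first, port 53 on the DNS server, but not the workstation on Main or anything else outside its own /24; the workstation on the trusted network still reaches the laptop because no rule matches that direction. Swapping the two rules drops DNS, which is the "blocks last" point. In a real deployment the laptop-to-gateway check never traverses the LAN In chain at all, since it stays inside one subnet; the model just shows that no rule applies to it.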
Info
Channel: Techno Tim
Views: 112,177
Keywords: unifi, unify, ubiquiti, ubiquity, vlan, vlans, wifi, iot, configure, setup, network controller, networking, udm pro, udm se, profiles, iot network, iot vlan, dream, machine, pro, se, internet of things, allow, block, deny, drop, switch, port, access point, provisioning, technotim, techno tim, homelab, home, business, enterprise, corporate, new ui, ui, unifi network, unifi network setup, unifi network application, unifi network app, lab, home lab, best, latest, inter vlan routing, inter vlan, intervlan
Id: v0B2IDEfnjA
Length: 30min 39sec (1839 seconds)
Published: Sat Mar 04 2023