Isolating my IOT Devices on a VLAN with the Unifi Dream Machine

Captions
Hey everybody, it's Lon Seidman, and I wanted to do an update today on my home network, because I finally did something that I've been meaning to do for a number of years now, which is setting up a separate network for my IoT devices: things like my light bulbs and smart switches and all these other doodads that connect to your Wi-Fi but sometimes don't get updated all that frequently and might have vulnerabilities. Oftentimes these devices are a gateway into your network, and if somebody is out to get you, they might be able to get in through a light bulb and then burrow their way into the rest of your network. What I was able to do was set up something called a VLAN to isolate those devices away from everything else, and I'm doing all of this through the use of some UniFi products, which are manufactured by a company called Ubiquiti Networks. A number of years ago I bought a bunch of their AC Lite wireless access points to extend Wi-Fi throughout my home, and what's nice about these UniFi products is that they are typically used in the enterprise, but they're relatively easy to configure and they're relatively affordable for an enterprise-class product, and you get a lot of control over how your network works as a result. So if you've ever been frustrated with some of your consumer networking gear, these things will give you a lot more that you can do and configure. It might be a little overwhelming for many folks, but I think those of you watching might appreciate what you can do with these things.

One of the cool things about these UniFi access points is that they support VLANs, and that allows me to have my computer here connecting to my main network through that access point I've got in the ceiling over there, but my smart plug that drives my studio lights can also connect to that access point, and it's connecting to a different SSID, my IoT network, that is on its own VLAN. What's great about this is that that smart plug is isolated from this computer, yet both the smart plug and the computer can get out to the internet and do all the things that they need to do online, and that is exactly what I wanted to do. I don't need two pieces of hardware to do it; it's all happening in one device. I couldn't get this working until I got a new router that supported VLANs, and I got one through Ubiquiti called the Dream Machine. This is a device that incorporates a bunch of UniFi products in one device: it's a router; it's a controller, which allows you to manage the entire UniFi family of products on your network; it also has a smart switch built into it; and it has a wireless access point of its own built in as well. When I got that going and attached up my UniFi access points to it, I've got a single point of configuration, I've got these VLANs set up, and it's working great.

What I wanted to do today was set up a new guest network that's going to isolate itself from those other two networks as well, and just kind of step you through that configuration process to show you how it works. There are so many features on this that I could start a whole YouTube channel about it, so we're gonna focus on this one task today, and I'll show you a few other things along the way that I think are pretty useful and cool. But I'm sure we'll come back to this, and I'm sure you'll have questions about things that I didn't cover in this video, so ask away down in the comments section and we'll try to get some of those things covered in future videos. Now I do want to let you know, in the interest of full disclosure, that the Dream Machine router came in free of charge from Ubiquiti, but I did buy the access points with my own funds. All the opinions you're about to hear are my own; they are not paying for this review, nor are they reviewing or approving it before it gets uploaded. So let's get into it now and see how all of this works.

So what you're looking at right now is the UniFi controller running on my Dream Machine. In the past you had to run this on a separate piece of hardware; they have controller devices that you could purchase, but you can also just run the controller software on a PC. But now it's integrated into the Dream Machine router, which was really helpful. This gives you a lot of great analytics as to the health of your network, both the WAN side and the LAN side. You can see what I have configured here: we've got one switch, which is the switch that's built into the Dream Machine, and I've got four wireless access points, the one that's built into the Dream Machine along with my AC Lites that are all over the house. It tells me how many wireless clients are connected; I can also see how many wired clients there are. I can also dive into the device section here and see what's going on with individual access points. So for example I can click on "basement" here and get an idea as to how that specific device is doing, and I can also see what devices are connected to that access point and what networks they're on. So this thing right here is the smart plug that's on the IoT network, and you'll notice that it has a different IP address versus my other devices here that are on the main network, which is really nice to have. You get some really cool statistics here to see how the access point is performing, and if you were in a heavier-trafficked environment you could make sure that you have a powerful enough device to meet your traffic needs. They even have some things like a site survey that you can run to see what kind of interference might be out there that might be hurting your Wi-Fi performance as well, and it logs all this data; it just goes on forever. Like I said, you can spend a lot of time with this, but let's dive into the network settings now and see how I have that IoT network configured.

So I'm going to go down to the lower left-hand corner here and click on Settings, and you'll see the screen will change color here. What I've got it on right now is the Wi-Fi section and the Wi-Fi networks, and you can see here right now I've got my main network and I have the IoT network. What I want to do now is create a third network for guests, which again is going to be separate and isolated from the other two. So I'm going to go over here and click on Create New Wi-Fi Network. I'm going to create an advanced Wi-Fi network just because I have some settings that I want to adjust on here, and I'm going to call this "guests", keep it real simple; I want my guests to know that they can find this pretty quickly and easily. We're going to enable the network, we're going to go to the security protocol and use WPA Personal for what I'm doing here, and I'm going to set my guest network password. I could go further and do a bunch of policies to restrict the kinds of things that my guests can do, but I generally trust them, so we're just going to leave that alone; we're going for the simplified thing with this one. The next thing that I want to do here is select a VLAN, because we want to isolate this, and we have to get a VLAN ID. Now my IoT network is set to a VLAN ID of 100, so I want to make this one 200, just to have it make sense to me personally here. So we're going to set that up, and then I'm going to click Done. But I still have to do one other thing, which is create the actual network that this wireless network will be associated with, so let's go in and set that up now.

Now before we go too much further, I did want to show you that that "guests" network is now showing up on my list of wireless networks in the house here, but if I were to connect to it nothing would happen, because we don't have a network configured for that guest network to connect to. So we're going to go over to Networks and we're going to click on Local Networks, and you can see already I've got two networks that are configured: one is the LAN, which is my main network; the second one is the IoT network. You can see that these have different subnets: I've got dot 2 for the LAN and dot 4 for the IoT network. What I'm gonna do down here is create a new local network for our isolated guest network, and I'm gonna go to Advanced just so you can see all the options you have here. I'm going to call this "guests", and I'm gonna leave the network purpose as Corporate, because there might be things that I may want to allow to go from this network to my main network, maybe a Chromecast or something like that down the road, and I want to have that option. The Corporate network gives you the most amount of flexibility for how you might have things configured. They do have a provision here for guest networks, but again I want to have a little more flexibility, so I'm going to leave it on Corporate, but I am going to have to configure things very carefully here to make it work like a true guest network.

All right, now the first thing you'll see here on the list is the VLAN ID, and what we're going to do is type in 200; that's what we configured before. We're going to have this be a small LAN, and I'm going to give it the subnet of dot 6 here, just so that I can keep track of where everybody's gonna be. We're also going to set the DHCP range here for that dot 6 network, and what'll happen here is that when a device connects to that guests network, it's going to be assigned, through the DHCP server, an address in this range. Everything else here, though, I'm going to leave as the default, and again there are a lot of things that you can configure here, as you can see, that we're not going to go into in this video; we're just setting up a real quick and dirty isolated network. But there are channels that are dedicated to this hardware that can give you a lot of depth on what all of these different things do and why you might want to enable some of those things. I'm going to click Done here, and now we have successfully created that guest network. So the next thing now is to connect to it, because I want to show you a couple of things, and that will lead us into the next setting that we have to make so that things can really get isolated here. So let's have a look at what happens when we connect to the guest network.

All right, so this laptop is currently connected to my main network and has the address of 192.168.0.0 4, but what I'm gonna do now is have it connect to the guests network. Now, the first time you connect, of course, it's going to ask you for the password for the Wi-Fi, but of course Windows, Mac and many other platforms remember that password after you type it in for the first time. As you can see here, now we're on that dot 6 network, so we are now running on the guests network, and if I go out to Google here and just do a quick Google search, you can see the internet is working, which is great. But we have a problem, Houston, and that is that I can still access things on the main network. So for example, if I ping my network attached storage device that I've got at this address on the dot 2 network, I'm able to reach it, and we don't want that to happen, because we're trying to isolate these networks from each other. So what we're gonna need to do here to stop this is to set up some firewall rules in the router to prevent anything from crossing over from one network to the other. So let's go back now to the controller and I'll show you how to do that.

So now we're back on the controller screen here. We're going to go over to the left and look for Internet Security, and then we're going to select Firewall from the options there. Now most of this stuff is going to be set up for you automatically by UniFi, but we've got one here that I set up before for the IoT devices, and this is basically dropping any traffic coming from the IoT network to the LAN; it will just drop all of it, so nothing from IoT can go to the LAN, but IoT is allowed to go to the WAN, which is the internet connection. What we're gonna do now is isolate the guests network in the same way, and we're also going to have to isolate IoT and guests from each other, so this is going to get a little bit more complicated for me, because now I've gone from two networks to three. But let's dive in now and configure those rules.

All right, we are back now on the controller, and what I'm going to do, just to shorten this list up here, is click on the LAN filter to give us a little less to look at. What I'm going to do now is click on Create New Rule, and we're going to go over here to the side panel that just popped up. The type is going to be called LAN In; in other words, anything that's coming into our main network over the local area network, from guests in this instance. We're gonna say "block all guest access" for the description. We're going to make sure this is enabled. We're gonna have this rule apply before the predefined rules, so that it overrides the default settings that allow for these two networks to communicate. What we're gonna do here under Action is change this to Drop. We're gonna leave this as it is, and then the source: we're going to change, over on source type, to Network, and the network we're going to select is guests, and this way we can specifically say that anything coming from the guest network will be dropped by the LAN. Destination here needs to be set, so we're going to go again to Network, and the network we'll set as LAN, and that is pretty much it here. So we're going to click on Apply, and you're going to see here now that that got added to the list.

Now what we're gonna do is go back over to the screen we were at before, and I'm gonna reconnect to the guest network now, and we should see some different behavior than we did a few minutes ago. So let's go over here and select guests; that will get us over to the guest network, and we should get that guest IP, that dot 6 address. Let's give that a second to get going there. So there you go, dot 6.34, and hopefully the internet still works, so let's click on this link on the nasa.gov home page, and sure enough, that came in over the internet. But now we're gonna go back to my terminal window here, and I'm gonna ping the same computer we pinged on the LAN network a minute ago, and it shouldn't work. So let's see what happens, and there you go, it's timing out, because the firewall is not allowing us to connect. I lost a connection to a NAS drive I was connected to as well, so we are now isolated from that LAN address that we were able to access before.

So now we've got my guests unable to send anything to the main LAN network; that's great. But remember, we've got another network on this network: we've got my IoT network, and if we go to this dot 4 address of a light bulb that sits on that IoT network, we can ping it. So in other words, the guest network is still able to communicate with IoT, and we need to shut down that connection as well. So what we're gonna do is go back to our control panel here; we're going to create another rule. This rule is actually going to be very similar to the one we just created, but we're now going to prevent guest traffic from going to the IoT network. So we're gonna say "block guest traffic, oops, to IoT"; we're going to make sure that's enabled; the action here is going to be Drop; we're going to go to Source and we're going to have the source network be guests; and then we're going to set the destination to be the IoT network here. And I think that's all we got to do, so we're gonna click Apply here; that will add it to our list of firewall rules. I'll probably want to clean up that description to get rid of the typos. If I go back here and go to ping again, you can see now that we're blocked from communicating there, but we can go and still access the internet here, because we haven't restricted WAN access, and now those two networks are separated from each other.

Now what's really neat about this setup is that my UniFi access points are not running through managed switches, so these VLAN tags from the IoT and guest traffic are being passed through unmanaged switches, and then when that traffic arrives at the router, it knows what to do with it. I don't know how it works, but it's working, and I'm really pleased with just how simple this was to get set up. In fact, it almost feels too easy to me, and that's part of why I'm putting this video out there, to see if I'm missing something, but I have not been able to get traffic to pierce any of these walls here; it's been working great. I've now got three isolated networks that I can use for different purposes. I could add more networks if I wanted to; I could even set up things where maybe the guests can get access to a Chromecast or something, so I've got more things that I can explore here as well if I want to add more complex firewall rules. But in this video I just wanted to show you the basics to get things operating.

Now one thing I'm probably gonna have to do soon, though, is actually replace that Dream Machine in the closet, and the reason is that I am told that I can now get Gigabit Pro internet from Comcast, which is a two gigabit fiber optic symmetrical connection. That Dream Machine in the closet there pretty much maxes out at 850 megabits per second for one of these fiber connections, so if you're going to a gig or more, you may want to go up to the Dream Machine Pro. That is a little bit more robust; it can support much faster WAN connections and still maintain all of the deep packet inspection and some of the other things that it can do, and it has a hard drive slot built into it, so you can use it as a server for your security cameras that UniFi also manufactures. So that's a bit of a bump up; we're probably going to go to that one in a few weeks when I learn more about my new internet connection, which I'm so excited for. But all of the configuration will be the same; in fact, I think I can copy the configuration from the existing Dream Machine to the new one. The only thing I'm losing on the Pro versus this one is built-in Wi-Fi, but I don't need that, because I already have the Wi-Fi access points all over the house. So we'll be coming back to this as my connection here improves, and I'm looking forward to getting that and sharing that experience with you.

Let me know what you thought down in the comments below, and until next time, this is Lon Seidman. Thanks for watching. This channel is brought to you by the Lon.TV supporters, including gold-level supporters Tom Albrecht, Chris Alligretto, David Hawkman, Brian Parker, Mike Patterson and Bill Pomrenkes. If you want to help the channel, you can by contributing as little as a dollar a month; head over to lon.tv/support to learn more, and don't forget to subscribe. Visit lon.tv/s
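As an added example (not code from the video or from Ubiquiti), here is a small Python model of the three LAN In rules described in the video that audits which ordered network pairs still lack a drop rule; the 192.168.x.0/24 subnets are assumptions filled in from the ".2 / .4 / .6" the video mentions, and the model covers new connections only, not stateful reply traffic.

```python
# Added example (not from the video or Ubiquiti): model the three LAN In
# rules the video creates and audit which network pairs still lack a drop.
# Subnets are assumed from the ".2 / .4 / .6" the video mentions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations

NETWORKS = {  # local networks; third octets are an assumption
    "LAN": ip_network("192.168.2.0/24"),
    "IoT": ip_network("192.168.4.0/24"),     # VLAN 100 in the video
    "Guests": ip_network("192.168.6.0/24"),  # VLAN 200 in the video
}

@dataclass(frozen=True)
class Rule:
    description: str
    action: str  # "drop" or "accept"
    src: str     # source network name
    dst: str     # destination network name

# User rules as the video describes them, applied before the predefined ones.
RULES = [
    Rule("Block IoT to LAN", "drop", "IoT", "LAN"),
    Rule("Block all guest access", "drop", "Guests", "LAN"),
    Rule("Block guest traffic to IoT", "drop", "Guests", "IoT"),
]

def network_of(addr):
    """Name of the local network containing addr, or None if it is WAN-side."""
    ip = ip_address(addr)
    return next((name for name, net in NETWORKS.items() if ip in net), None)

def decide(src_ip, dst_ip, rules=RULES):
    """Verdict for a new connection: first matching user rule wins, otherwise
    the predefined LAN In rules accept. Internet-bound traffic is not LAN In,
    so it is accepted (the video leaves WAN access unrestricted)."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    if src is None or dst is None:
        return "accept"
    for rule in rules:
        if rule.src == src and rule.dst == dst:
            return rule.action
    return "accept"

def isolation_gaps(rules=RULES):
    """Ordered (src, dst) pairs of local networks not covered by a drop rule."""
    return [(s, d) for s, d in permutations(NETWORKS, 2)
            if decide(str(NETWORKS[s][10]), str(NETWORKS[d][10]), rules) != "drop"]

if __name__ == "__main__":
    print("guest laptop -> NAS on LAN:", decide("192.168.6.34", "192.168.2.10"))
    for src, dst in isolation_gaps():
        print("no drop rule for", src, "->", dst)
```

The LAN-originated pairs it reports are the intended ones, since the video wants the main network able to reach the others; the IoT-to-guests pair is the one a fourth rule would close, because only the guest-to-IoT direction was added.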
Info
Channel: Lon.TV
Views: 85,441
Id: nzHu3ALuEFo
Length: 19min 42sec (1182 seconds)
Published: Sun Jun 21 2020