Unifi Complete Network Setup

Captions
Hey, what's going on everybody? Today I'm going to take you through how to set up a UniFi network start to finish: UniFi Security Gateway, switch, access point and all. Fair warning, this is going to be a pretty lengthy video. We are going to set up each one of these and customize them just a bit, much like you would do if you were configuring your own total home network.

Now, before we start, we're just going to draw out the game plan here and tell you what we're all in for. So this is going to be what we have when it's all said and done. We're going to connect our security gateway up to the internet up here, and then we're going to attach the switch to the LAN port of our security gateway, and we're going to have this secondary UniFi Switch Flex Mini also connected downstream to the main switch. We're going to have our access point powered by Power over Ethernet on our 60-watt UniFi switch, and we're going to end up with three different networks, and those are going to be our main LAN, our guest network, and our Internet of Things network.

Now, in order to set these up we have to have an IP address scheme. By default, our main LAN for a security gateway or Dream Machine is going to be 192.168.1.0, and that is a /24 network, and we're going to configure up guest to be 192.168.10.0, also a /24, and we're going to make our Internet of Things 192.168.20.0, also /24. And we'll go ahead and assign VLAN tags to these as well, because we will have to assign them VLANs. Now, a good rule of thumb is just to keep your VLAN tags kind of consistent with something in the network that is familiar, and what I mean by that is, since we did 192.168.10, we're going to make this one VLAN 10, and the same with Internet of Things: since we said 20, we're going to make that VLAN 20.
And what we're going to do is we're going to configure these networks on our security gateway, we're going to put the VLANs on certain switch ports, and we're going to configure our wireless access point to broadcast our main LAN as well as a guest network. And when this is all finished, we're going to have the PC that we're using for configuration connected to the Flex Mini on the main LAN, as well as a PC on the guest network and Internet of Things. Now, hopefully this big screen of gibberish makes a little bit of sense on where we're actually headed with this video. Basically, we're just setting up an entire network from scratch with UniFi equipment.

So let's go ahead and get started here. We're going to start with the security gateway, and we're just going to plug that into the wall, it needs power obviously, and we're going to connect that up to our internet connection. Now, this is kind of just assuming that you already have a modem and all of that set up. You can connect this directly to your modem if your ISP supports it, or you can connect it directly to your ISP's provided router; however, that also introduces something called double NAT, and it's not really optimal, and that is a topic for another time. So just connect your internet connection to the WAN port of the security gateway and connect your computer you're using for configuration to the LAN port.

All right, and I had to move some things out of the way a little bit, but what we've got here is: the yellow cable that I plugged in is our internet connection to the LAN port, and our red cable is the connection to the computer that we're using for configuration. And right now the security gateway is going through its boot-up process, so it is going to flash white on top until it goes solid white, which means it's ready for adoption.

Now, while it's doing that, we're going to go ahead and get our controller downloaded and ready. So all UniFi equipment is configured from what's called the UniFi Controller, so just a piece of software that
you can install somewhere on the network. Usually it's just on a PC; if you are in a business setting, this would be probably on one of your servers that's going to be on. It doesn't have to be running all the time, but it does have to be running for you to make any configuration changes. So unlike most network equipment, where you would log into each device separately and go to its, uh, kind of management page and change settings, on UniFi equipment everything's managed from this central controller.

And to get that, we're just going to open up a Google session here, we're going to type in "download unifi controller", and this first link here, Downloads, Ubiquiti, this is where we're going to want to go. And this takes us to the main download page for all things Ubiquiti. And typically what you would do is you would find your device here on the left. Right now we're using the UniFi Security Gateway, which I believe is designated as UniFi USG in this list. It's actually under UniFi Switching and Routing, and it's right here, UniFi Security Gateway; that's what we're using, so we'll go ahead and go to this page.

Now, a lot of these downloads overlap between each other. The firmware is specific to each device, so security gateway firmware, that's going to be different; however, the software, UniFi Network Controller, these are available for download pretty much under any of these devices that you click, because they all use the same controller. However, if you do want information specific to your device, such as firmware or documentation, you do find it in the left.

Now, to download this controller: I'm on Windows, so I'm going to find UniFi Controller for Windows and just click the download button, go ahead and accept that agreement, download the file, and once that has finished downloading, we'll go ahead and run it. And once the page pops up here, we're just going to go ahead and click Install, and it's going to give us an error that says that it requires Java, click OK to download from java.com. So if you don't
already have Java installed, it will prompt you and it will automatically take you to the Java download page. So I'm just going to go ahead and agree and start free download, run the Java file, click Install, and wait for it to finish. And now that we have Java installed, we can go ahead and just exit out of that and go and find our UniFi Controller download again, which is under Downloads, UniFi installer, and we'll rerun the setup. So now when we click Install, it's actually going to extract the installer and install our UniFi Controller, so just wait on this to finish, and while it's doing that I'm going to go ahead and close out of these windows; we no longer need them.

All right, now we've finished installation. I'm going to leave "Start UniFi Controller after installation" checked, click Finish, and that will pop up our UniFi Controller box, which is this right here, and it says "Initializing UniFi Controller". Now, once that is done, it'll be a green check mark and we will be able to click this button that says "Launch a Browser to Manage the Network".

Now, this controller will be accessible to anything on the same network. You don't have to be on the same computer or server or whatever you installed this on to manage the network; you can actually hit this, um, from anywhere on your network in a web browser, and the way you do that is just by browsing to the IP address of this computer, because the controller actually sets up a web server on the computer that is accessible on the network.

And here we have the check mark, and we can launch a browser to manage the network. Now, once we click that, it's going to open up a web browser. We're going to get a security error; go ahead and move past that, and you can see that we are at https://localhost, port 8443. Now, if you are familiar, localhost just means basically computer that you're on. You can substitute this localhost for the actual IP address of your machine, which, now that we're plugged into the LAN port of the security gateway, if we run ipconfig we can
see that our IP address is 192.168.1.10. So if we wanted to, on another machine on the network once it's all set up, we could just substitute this localhost 8443 with 192.168.1.10, which I can go ahead and do right now, and it's going to take me to the same page, another security error, and we're back where we are, because that's the IP address of the machine.

Now we need to do our initial setup of the controller. So I'm going to go ahead and just name this Toasty's Controller, you can name it whatever you want, and we have to accept the end user license agreement, and we're going to go ahead and click Next. And it wants us to sign in with our Ubiquiti account. This is optional, at least on the security gateway and other devices. I do believe that the Dream Machine, um, don't quote me on this, but I think it's required on the Dream Machine, but I actually haven't tried that, so don't hold me to it.

In order to skip signing in with the Ubiquiti account, which I usually do just for security reasons, go to advanced settings, and we're going to disable "remote access" and "use your Ubiquiti account for local access", and that will pop up this local administrator username, which I'm going to put in toasty, and assign it a password. And email is technically required to be in there, but it doesn't have to be a real email address if you don't want it to be.

Now, if you do want remote access, by all means leave this enabled. Um, if you want remote access, you do have to tie it to a Ubiquiti account, because that's just how that works. You can go to ubnt.com and launch a cloud-based controller, which will communicate with the local controller, and you'll be able to manage your network from anywhere; however, you do have to sign in with your Ubiquiti account and enable this remote access. So if that's something that floats your boat, go ahead, leave it enabled and sign in with Ubiquiti account, but I'm going to go ahead and just create a local admin. I'll go ahead and click Next, and we have these two options: automatically
optimize my network and enable auto backup. I always enable auto backup; that is a great feature, don't shut that off. Automatically optimize my network, that's good to leave on by itself anyway. Now, if you want to get really deep in the weeds and you know what you're doing, you can turn this off and it will not automatically enable some optimizations, but we're going to leave that on and click Next.

And this is where it's going to see what devices it can discover. So since we're directly connected to our UniFi Security Gateway, it is showing up here, IP 192.168.1.1, and it's been up for 12 minutes. So we're going to go ahead and check that and click Next, and it's going to have us set up a wireless network. So even though we haven't adopted any wireless access points or anything like that, we're still going to create the wireless network, and I'm going to go ahead and name this Toasty's Wi-Fi and assign it a password. And I like to combine the two gigahertz and five gigahertz networks' names into one, and all this is, I don't know if you've been anywhere where you can, uh, see, like, you browse to connect to wireless network and you've got, uh, wireless network 2.4 or wireless network 5.
What this does is it has both 2.4 and 5 gigahertz network in the same SSID, so when you go to connect to the internet you're only going to see Toasty's Wi-Fi, and then depending on the signal levels and range, it's either going to connect you to the 2.4 gig network or the 5 gig network, and that will all be transparent to you. And I like that setting, so I'm going to go ahead and enable that and click Next. And then we can just review our configuration: make sure we want to name it Toasty's Controller, I do; local admin name is toasty, and the Wi-Fi name is Toasty's Wi-Fi; and we'll just make sure the country and the time zone are correct. That is correct for where I am, and we'll click Finish, and it's going to configure the controller for the first time.

And this is the page that we are greeted with: our setup needs attention, and it says that the status reason is that no internet connection was detected. Now, that's probably just because it hasn't, uh, fully set up yet. We can see that we don't have a security gateway status, and if we go to Devices here on the left, we can see that our security gateway is provisioning.

Now, the statuses that you're really going to be concerned with is, um, basically no status, and that's where it will just tell us kind of some stats on, like, how many clients are connected and the CPU usage; if you see that, then there's really no status, it's working as normal. But provisioning means that settings from the controller are being pushed to the device, updating means that the firmware is being updated, and if you see something like adoption failed or disconnected, then there's a problem with connectivity between that device and the controller.

So we're just going to let this provision for now. Basically what it's doing is it's adopting it to the controller and it's pushing our network configuration that we did during the initial setup, which really wasn't much; it was just confirming that 192.168.1.1 is going to be the security gateway's IP, and it's going to be tied to this
controller with that, uh, toasty local admin account. And here we go, we are finished adopting the security gateway. We can see that we now have some stats: what you see at the bottom there is the amount of clients that are connected to it currently and kind of a rough throughput of download and upload, and if we mouse over it we can see the CPU and memory utilization.

Now, if we click on this device, it's going to pop up our device configuration on the right, and the first thing that I like to do is go to the configuration tab over here and give it an alias. I'm just going to call it USG and click Save, and it's going to provision again to give it that name.

So just to kind of quickly go through the tabs here, you have, for pretty much each device, we're going to have a Details tab; that's just going to give us a brief overview and the IP addresses configured on that device. Networks: these are going to be the networks that that device has configured and that it's servicing. Ports: for the security gateway there's only three ports on it, a WAN, a LAN, and a either second WAN or second LAN port, and you can see we have the WAN status is green, the LAN status is orange, and the only reason the LAN status is orange is because I have a 100 megabit network card. So if it's orange or amber, it's going to be operating at 100 megabits per second instead of the full gigabit; if I had a gigabit network card on this PC, then that would be green.

Config is where all of your pretty much configuration specific to the device is going to happen. So General: we already configured an alias; we can change the LED to use the site settings, which is determined by some other settings we'll do later, or we can turn the LED on and off, and that's just the LED on the top of the security gateway, so if you don't want that blue light on, you can turn it off and push that config to it. Services, SNMP, and some advanced settings that I am not going to go into right now. And the last tab is just the statistics, and that is the CPU and
memory usage, if you would like to view that.

So now we are just going to set up our networks now that we have the security gateway set up, and this is going to be the bulk of the configuration. So we're just going to get everything set up right now, and we should, fingers crossed, just be able to plug in all of our other devices and have it push those configs to everything later.

So here is a quick video that you can watch if you want. It takes you straight into the new or beta settings. It does say here at the top, if you can't find everything, go to the classic settings. There's technically two different menus in the controller that you can use for setup: one of them is like the old-style menu that a lot of people are probably familiar with, and then there's the new, kind of more streamlined, uh, configuration menu, and it's kind of going to be personal preference which one you use. The concepts are still the same, but the location of a lot of the settings are in different places. Now, I will try to use this new menu as much as I know how, because I don't know if they're moving to this permanently or not.

So first thing we're going to configure is networks. So we're going to go to the Networks setting over here, and right now we have our main LAN, which is the 192.168.1.0 network, and we're just going to edit this real quick. I'm going to change it to actually be called the Main LAN. And we have two of these settings that I've actually never seen before that say "coming soon"; we can't do anything anyway. And there's VPN settings that we cannot change. And Advanced: if we would like to assign a VLAN ID to our main network, we can; however, we are not going to. This is going to be the what's called native or untagged VLAN. That's usually what your main LAN is; there's usually not a VLAN tag associated with it, but if you would like there to be, you can configure that up here, as well as the DHCP server and all of the other network-specific options. But we're not going to touch any of those; we're just going
to change the name and apply that setting.

And we're going to go ahead and add a new network, and this is going to be called Guest. And we actually do have the VPN settings for this one, but we're not worrying about that. Moving down to Advanced, this is where we are going to configure our VLAN ID, and from our drawing here that we did beforehand, we can see that our guest network is going to be 192.168.10.0 and we're going to give it a VLAN number of 10. So we're going to change this to 10 instead of 2. We're not going to worry about the domain name for now, that's something I usually don't mess with, and we're going to not really worry about any of the other settings here. Now, down at the bottom you can see we have restricted authorization access, and we basically have all private networks restricted, and that is because this is a guest network. And actually, this is one of the first times that I'm using this new menu to actually set up a network, so I'm going to go ahead and click Apply Changes, and I'm going to go ahead and go to the classic settings to configure our Internet of Things network, because I think there are some options that are a little bit different that I like to see.

Now, in the classic settings, if we go to Networks you can see we have all of our same ones that we already saw on the other menu, and we'll go to Create New Network here. And here we're going to give this a name, and we're going to just call it IoT for Internet of Things. And now we have this Purpose option, and that wasn't present in the other menu. We can either do Corporate, Guest, WAN, VLAN Only, Remote User VPN, Site-to-Site VPN, or VPN Client. Not going to worry about any of those last four; really the only two you're going to be worried about is Corporate or Guest. And Corporate just means regular LAN, no special restrictions, and Guest means that it's a little bit more restrictive, and it also assigns what's called the guest user group, which we will get to later. But for Internet of Things we're going to keep that
as a corporate network, or just a regular network, and assign that the VLAN tag of 20 like we said before. Now here's where we get to the Gateway IP/Subnet, and if we mouse over this, it says that this is going to be typed in CIDR notation. So we're going to give this the IP address that we want security gateway to have for this network, so 192.168.20.1 is going to be the IP address of our security gateway, and at the end we're going to put /24, and that's going to automatically pop up all of the details for that network range. And if we click Update DHCP Range, then that's automatically going to populate our DHCP range for the DHCP server that will be automatically configured once we create this network. Again, we're not going to worry about the domain name or really any of these other options.

DHCP guarding is kind of a good option to have, and what that does is it just guards against rogue DHCP servers, which, if you've ever dealt with one, you know it can kind of wreck the network if you have two different, uh, DHCP servers going on at the same time, especially if they're assigned to dish out IPs for two different networks. Now, this does require a security gateway, although I'm, oh, secure, uh, UniFi switch, sorry, not security gateway. Um, what this does is it basically splits ports between trusted and untrusted, and if it sees a DHCP server on an untrusted port, then it's not going to let those requests go through. It is a pretty good feature to enable, but we're just going to leave it off for now, and we're going to go ahead and click Save.

And I actually just noticed that our guest, even though we assigned it VLAN 10, our subnet, it automatically put it as VLAN 2.
Now let me just go back to here. Now, this is kind of just for my own, uh, information. So if we go to Guest, I don't actually see the configuration for the subnet, so I guess that the new, um, menu is a little bit too streamlined, at least for me. So we're going to actually edit the guest network here in the classic menu, and we're going to change that subnet from 2.1/24 to 10.1/24 and update the DHCP range for that also, and we're going to go ahead and save.

So now we have all of our networks defined: we have our main LAN, guest, and Internet of Things, and you can see that we have our two VLANs ready to go and set up. Now, all of these networks are on port LAN 1, so basically what we did was we made LAN 1, by default physical port, part of this network, but it's also looking for VLAN tags for VLAN 20 and 10, and those are going to be associated with these networks.

Now, the next thing that we're going to configure is the wireless networks. So you can see from when we did the initial setup we created Toasty's Wi-Fi, and if we go into the edit menu here, we can configure the security, which I already typed in during initial setup, and there's a bunch of these other options. Now, if you watch my video on optimizing a UniFi network, there are a few of these that I like to change just to kind of prevent some issues down the road, so let's just go ahead and go through here.

Here is the Network drop-down; we can assign which network we want this to be a part of. Uh, not really sure why it says Select; it should be a part of Main LAN, so anybody connecting to the Toasty's Wi-Fi SSID is going to be put on that main LAN network that we created, actually was created by default, but anyways. If we scroll down, we can see that there's this High Performance Devices, a beta option. I like to turn that off. What this does is it tries to connect, um, 5 gigahertz devices to the 5 gigahertz network only, tries to keep it off the 2.4 gigahertz, just because 5 gigahertz is faster than 2.4; however, if you know anything
about Wi-Fi, 5 gigahertz also has a much more limited range, so what I have found in the field is that this actually causes some issues where a more high-performance device will actually have connection problems if it's right there on the edge of connectivity. And the rest of these settings we really don't have to worry about; I would watch my optimization video for a little bit more details on, uh, this area. I do like to have data rate control enabled. A lot of the times, for two gigs I'll leave it at six; it really depends on the density, but I'm not going to get into that in this video. For 5G I'm gonna go ahead and up that to nine and save that.

Now let's go ahead and create our other wireless network, which is going to be guest. I'm just gonna name that, uh, Toasty's Guests. Yes, we are gonna enable the wireless network, and the security we're going to have, um, let's go ahead and just say that this is open, so this is going to be a wide-open network for anybody around; they're free to use it, whatever. Now we're going to go ahead and assign that to the network of Guest and take a look at the advanced options, and you can see that this, uh, multicast/broadcast filtering is already enabled, that's what this warning up here was about, um, and you can see that the excepted device is a security gateway, so that does have the ability to broadcast data but none of the other devices will. And we can see that the high performance device setting is already disabled, so that's good, and we're going to go ahead and save that. Now, we're not going to broadcast the Internet of Things network, just because I like to keep the wireless networks kind of to a minimum, so we're just going to have the regular Wi-Fi and the guest Wi-Fi.

Now, the next menu that we're going to look at is the Profiles, and this is going to have to do with the switches when we set them up. So we're going to go to the Switch Ports tab of the profiles, and we can see that we have a profile for each of our networks that we've already created. Now,
basically, these profiles are how we are going to assign a port to a VLAN, and you may notice that we actually have two other profiles more than the three networks that we have. So each of these profiles for Guest, Internet of Things, and Main LAN is basically a profile just for exclusively those networks, so if we assign this profile to a port, it's only going to be a part of whichever network we assign the profile for. Now, our uplinks we're going to want to be a part of All, unless we want to exclude one of these networks.

And we're actually going to create a new profile just to kind of show you this, and we're going to call this Main and Internet of Things. So the purpose of this profile is going to be to pass traffic for our main network and Internet of Things but not allow the guest network to be a part of it, and this is just an example to show you how to set up ways to kind of exclude certain VLANs from going over an uplink. Now, for PoE, we can either not modify the settings or we can change it to one of these exclusive settings. I'm not going to touch that though; we're just going to leave it as Do Not Modify. And for the networks and VLANs: the native network, or the untagged network, we're going to leave on the Main LAN, and for the tagged networks, instead of selecting All, we are only going to select Internet of Things, so we are excluding guests from being tagged in this profile. And for the voice network, um, that wasn't really a part of our scope for setting this up, so we're leaving that as None. If you do have a voice network, that is just another VLAN that you can create and do settings for. And we are not going to worry about any of the advanced options either. We're going to hit Save, and now we have an additional profile for Main and Internet of Things.

So at this point we're pretty much ready. Actually, no, I lied: let's go ahead and enable the security features, um, for our security gateway before we go ahead and enable everything else. So I'm gonna go ahead and go into the Security
tab of the new settings. We're gonna go to Internet Threat Management and click Enable for that. Now, I already did a video on just setting up security settings exclusively, but this does limit our throughput on our gateway to 85 megabits, because I am using the regular security gateway. If you're using a Dream Machine or a Dream Machine Pro, your throughput with this enabled is going to be a lot higher, 850 megabits or three and a half gigabits respectively.

Now we're going to enable intrusion prevention; we want it to actually block any of the threats that it finds instead of just letting us know that they exist. And we're going to up this to maximum protection, which enables all 11 of the custom threat management categories. And for network scanners, I know that since I have a security gateway, neither of these options are really going to do anything, so I'm not going to worry about them. Please go to my security settings video if you are using a Dream Machine, because these settings do actually have some use on the device that actually supports them.

Now, for the firewall, we can create our own rules, but we're going to worry about this section in just a little bit; I'm not going to go ahead and configure those just yet. And we're just looking through all of the rest of the settings to see if there's anything that I want to change, and there really isn't, so we're going to go ahead and apply the settings, and now we have threat management enabled.

Now, Traffic and Device Identification: we are going to go ahead and create a restriction group. So what this does is it analyzes traffic, and we can create groups to restrict certain traffic on our network. Now, what I'm going to do, I'm going to create a new restriction group here, and we're going to name it, uh, Guest Restriction, and once we've created that, we're going to go over to Add Restriction, and I'm going to add peer-to-peer category as blocked on this network. So I don't want my guests to connect to my guest wireless and then start
torrenting everything and bring the network down, or get me one of those, uh, nice letters from my internet company for, you know, downloading a certain movie that you're not supposed to download. Um, so we're just gonna go ahead and block that altogether. So let's go ahead and select all applications for peer-to-peer, block traffic, log the events, and enable the restriction, and add. So now we have this Guest Restriction group set up blocking peer-to-peer, and we're going to go down and apply it to a network. So Assign Restrictions to Network, and we're going to drop this down, put it on Guest, and the restriction group we're going to apply is a Guest Restriction that we just made. So Assign Restriction; that is now applied to the guest network, and we can also apply it to the wireless guest network as well, so Toasty's Guests, Guest Restriction, Assign Restriction. Now hopefully all of our guests will not be able to use, um, BitTorrent.

So at this point let's go back to the dashboard, or actually our device list, and let's start adding some devices. So we can see that our security gateway is still provisioning with all those changes that we just made, so we're just going to wait on that, and then we're going to connect our switch next. And here we can see we are done provisioning, so I'm going to go ahead and make the connection changes here.

And since we made these connection changes, we have lost connection to the server, but this is the changes that I made. Um, did have to move things around a little bit because the power cord to the switch was a little short for where I had it, but basically I moved our computer, which is the red cable, from the LAN port of the security gateway to port 4 on our switch, and I connected an uplink between the security gateway to that LAN port on port 1 of our switch. So now if we look at our map, we are now dealing with this area, um, and that's what we have connected, um, our security gateway on port one of the switch. Uh, the only difference here is that we put our computer
on port four of this switch, since we, uh, don't have the smaller switch connected yet. And now the network connection of our PC is back up, and we can see that we now have a new device in our devices section pending adoption.

Now, I do not see a firmware update icon. If the device requires a firmware update or has one available, there will be an icon here in the top right of the device squares. Typically we would want to update the firmware before we adopt it, but I have already updated the firmware on these, so that option is not available, at least not on this device. I do believe that the next switch will have a firmware option available, so we'll be able to see that.

But what we're going to do is we're going to just click on this device, now it brings up the menu on the right, and we're going to click Adopt. So that's going to tie this switch to this controller, and the LED on the front should change from white to blue. Basically the general rule with UniFi devices is: if the LED is white, it is not adopted to a controller; if it is blue, it is adopted to a controller. And we can see that we are provisioning now, and we do have an IP address on the switch, so this switch did grab 192.168.1.12 from the gateway's DHCP server, and that is its management address; that is how the controller is communicating with this switch.

Now, the settings that it is pushing, uh, during the provision process is pretty much just telling it all of the VLANs that we have configured, not necessarily any configuration for any of the ports, but it's just giving it all the information that the controller has that it may need to use. Now, by default this switch is all on the same LAN, so every port that we use on the switch is just going to be a part of the same network. It's basically functioning as an unmanaged switch at this point, because we haven't made any configuration changes on it. And now that the provisioning process is complete, I'm going to go ahead and go back to the Config tab of the device and assign it
toasty's main switch as an alias save that it's going to push the new settings to the switch and while it's doing that we're going to go ahead and look at the ports section and kind of the details of this switch so you can see we have the management address on the up link this is going to automatically detect which port is the uplink and we can see that port 1 has been detected as an uplink and it is up linked to toasty's security gateway speed is a thousand and it's running at full duplex now downlinks we don't have any down links to this device yet once we have that other switch we should have another downlink well we should have a downlink which is to an additional switch and here at the top you can see we have port 1 and then there's the port stats and then port 4 running at 100 fdx because that is the speed of my network card for this computer now for the ports if we select a port or more than one port we can edit them and this is where we can assign a name and the profiles so this is where those profiles come into play so port one which we know is our uplink we're gonna go ahead and assign that the name of uplink and it is a part of the switchboard profile all we're going to keep it that way because we want it to tag traffic and deal with the traffic for every vlan since this is the uplink to the security gateway which holds all of those interfaces so we're going to keep that the same we're just going to apply that config which really just changed the name of port 1 to uplink instead of port 1. and we're going to go ahead and assign port 4. 
we can also just click the edit button here and even though we're not going to keep this computer on this port we're still just going to assign it a name just for the sake of doing it so desktop and i'm going to assign it the profile of mainland so if you remember back to us creating the networks we do know that the mainland is our untagged network it does not have a vlan tag or anything associated with it so technically by being a part of the switch profile switch port profile all we were already on the main network since it's untagged but this is just going to force it to be a part of the main lan only because by default if we did attach another switch to this port and it saw traffic for vlan 10 or vlan 20 then it would automatically pass it on because that is a part of the profile it's passing traffic for all vlans that it knows about this way if we do connect another switch to this port if it sees tagged packets for different vlans it's not going to pass them because it's explicitly told to only be a part of this main network and that's really all we need to do to this switch we are going to set up the wireless port um that we're going to connect our access point to and with this 60 watt switch our last four ports actually have poe capability so port five six seven and eight you can see we have poe we're gonna go ahead and connect our wireless access point to port eight and because the only wireless networks that we configured was for um guest and the main network actually we didn't create a custom profile for that we only created the custom profile for main and internet of things so let's just go ahead real quick configure up a profile for only these two vlans go to the classic settings i'll go ahead and exit out of that go to profiles switch ports and create a new port profile and i'm just going to call this wireless and we're not going to modify the poe settings the native network is going to be the mainland and we're only going to check guest and save so 
now let's go back to the devices bring up toasty's main switch go to the ports configuration tab and edit port 8 and we are going to again give it the name wireless and we're going to assign the custom profile of wireless so basically all this does is it makes sure that it's only going to be passing traffic or looking for traffic for the mainland which is untagged or vlan 10 which is the guest vlan traffic for vlan 20 or the internet of things is not even going to go in or out of this port and this is really kind of an optimization option as well as a security precaution because any port that is active that has um the ability to be a part of a certain vlan when you get broadcast traffic say for instance let's go to let's pull up our uh drawing here say that something on our internet of things uh vlan sends a broadcast packet if any port has a profile that has the internet of things um vlan a part of it it's going to broadcast or flood that data so yeah this bottom one we configured as internet of things so it's going to broadcast that out here and because this uplink has it uh enabled as a part of the profile it's also going to broadcast it this way and it's going to broadcast it this way and if we kept the internet of things network as a part of the ap's port profile it would also broadcast it to our access point which we did not configure a wireless network for so why does our access point need the broadcast traffic for the internet of things vlan when it is not servicing that network at all so that's the optimization part the other part is that so somebody can't connect something up to that port and just become a part of the internet of things vlan because they have a device that is capable of tagging it so that's where the security comes in by a good just general rule you really want to limit the vlans that are allowed on ports to only those that you want on it now this does make management a little bit more of a pain because anytime you want to add capability 
for a new network to a device you have to go back and manually add that to the profiles but it kind of is an optimization and a security uh thing to be aware of so at this point let's go ahead and connect up our access point to our switch so now we have our wireless access point connected to port 8 of our main switch which is providing poe and we can already see that the status has been updated for that port in our device ports menu and you can see that we are connected at 1000 fdx or one gigabit and we are pushing poe actually 2.97 watts of poe on that port now what we are not seeing yet is that access point showing up in our device list here so let's go ahead and just do a quick refresh and there it is so you can see that we have the uap pro and it is managed by others so actually this access point was already connected to another controller instance so when we adopt devices to the controller it is tied to that controller until it is reset so for this specific access point since it says it's managed by other we're going to have to reset it wipe the configs that's already on it and then it should show up as pending adoption to this controller so let's go ahead and take our trusty toothpick and shove that in the reset hole until this device resets and i know that that didn't really show up on the camera but you hold the reset button down until the front led turns off um on the access point and then it should start flashing white uh for regular setup so i'm gonna go ahead and just do another refresh see if anything's happened yet and it hasn't so let's just go ahead and wait a few minutes for this to pop back up okay and i did actually have to hold the reset button down again uh the first time it didn't work so if at first you don't succeed try to reset again now you can kind of see from the video that uh the led was flashing and now it is solid so we should be ready for adoption so i'm gonna go ahead and do another refresh on the controller page and yep here we can 
see that we have it pending adoption instead of managed by other and we can also see that we have a firmware upgrade as well as a warning available so let's go ahead and click on that and you can see that it says pending adoption and lts and what lts means is this device is under long-term support it will receive critical bug fixes and security updates through february of 2021 after this date no updates will be supported now the only reason i am getting this warning is because this is a pretty old access point this is not by any means a new unifi access point so basically this is just a warning that it's about to be out of support and updates will no longer be provided for it but what we're going to do first is we're going to click this button which is the upgrade button and upgrade the firmware to the latest version all right and that took about five or six minutes and now we are showing pending adoption so now we can go to the adopt button over here and actually adopt the access point to the controller so now we moved from adopting to provisioning and we're just always going to have this little warning here for the limited support just because it is an old device let's go ahead and exit out of both of those and just bring this menu up and start going through the different menus for the wireless access point so here you can see our management address some other statistics such as link capacity the amount of clients the load average um looks like we just transitioned from provisioning to all good now we can see the uplink and that we're connected to toasty's main switch number eight number eight being the port that we're on and the port statistics uh radios these are just the radio statistics and wireless lans this is really um one that you do want to look at these are the wireless lans that are being broadcast by this ap so you can see that we have toasties wi-fi on channel 36 and toasty's guests on channel 36 which channel 36 is a 5 gigahertz channel and we also 
have toasties wi-fi and toasty's guests broadcast on channel 11 which is the 2.4 gigahertz channel so even though if we brought up a device right now to look for the wireless signal we would only see toasty's wi-fi or toasties guests technically there are four radios um being used here two for the 2.4 gigahertz and two for the five gigahertz even though they show up as one now in the clients tab this is where any any device connected to this access point would show up and the configuration tab we're going to go ahead and do what we always do assign it an alias toasty's ap and we'll go ahead and just name it toasty's ap number one just in case you know we feel like adding a second one and we'll go ahead and save that and the settings that we are concerned about really is the radios this is where you can assign specific channels if you would want to change the channel width and the transmit power if you would like to i kind of go over these settings in my unifi optimization video i will say that i like to hard code my channels when possible it does require you know the kind of layout of the network and the wireless rf usage in the area so we're just going to keep this on auto for now since this is the only access point i know i don't have any other access points around actually that's a lie i do have another access point around but i'm not concerned with it overlapping at this moment uh some other features to be aware of is the allow meshing this is for wireless uplinks if that is something you're interested in doing i like to turn that off if it's something i know i'm not going to use just because it does use up some airtime and the only other settings that i'm really concerned about would be under network and we can set a static ip or just continue using dhcp so that's for the management address this 192.168.1.13 address that we pulled from the security gateway we can change that to a static ip if we want to but i'm not going to worry about that uh for now and 
that's really all i'm concerned about with the access point so we can go ahead and see if we have um a signal on a wireless device here and you can see that we can see toasty's guests and toasty's wi-fi so let's go ahead and just connect to guests since that is open and it says we are connected and that is an unsecure network if we go to the settings you can see that we did pull an ip of 192.168.10.6 and our default gateway is 192.168.1 so this network is working and we have internet access now let's go ahead and try toasty's wi-fi i believe i made the password just password so we're connecting to that we are now connected let's go ahead and look at the settings and you can see we grab an ip address of 1.4 so this is on the main network not the guest network but both of our wireless networks are functioning as normal so at this point we pretty much have a full network uh configured and usable but we still have that last switch to add in here so let's just go ahead and connect that up and adopt it real quick and the connection i just made is from port 7 on our main switch to port 1 of the flex mini and since our main switch has that power over ethernet capability it is actually able to power this flex mini on port 1 just by the ethernet cable itself and we can see that it is already popped up here pending adoption and looks like it has the latest firmware so we don't need to upgrade it so let's just go ahead and click on it and adopt you can see from the overview tab that we pulled 192.168.1.20 that is the management address for this switch and we are now going through the adopting process and now provisioning and the flex mini actually seems like it goes pretty quick and now that we've adopted it it seems like we do have an upgrade option so we're going to go ahead and do this and our update was successful we moved from updating to provisioning and now back to a normal state so we're going to do what we do with all of our devices go to the config tab and assign it 
an alias we're just going to call it toasty's desktop switch because that's a good use for this now following along with our main diagram let's go ahead and switch the connection and uplink this desktop switch actually well we're already uplinked to the main switch let's go ahead and move our computer connection off of the main switch and onto this desktop switch which is going to complete our original network diagram so we're just going to take our main cable well our main red cable to our pc that we're currently using and we're going to move it from port 4 of the main switch to port 5 of this new desktop switch and that changeover should have been pretty uh instant so if we go oh we're already in the settings menu for this um if we go to the clients tab you can see that we do have the devices uh connected to it biscuit is technically the hostname of my main pc and then this mac address is the virtual machine that we're on don't worry too much about that there is one device plugged in and we can see that it's on port 5 and it's functioning at that 100 megabits because again my network card on this pc is only 100 megabits and if we move to the main switch we can see that we now have nothing on port 4 which we named desktop and let's go to the ports tab we'll go ahead and remove this name from that port and if we just backspace it and hit apply it's going to rename the port the port number and we're going to go ahead and rename port 7 to a desktop switch and we're actually going to assign a port profile to this downlink and it's going to be main and internet of things because i don't plan to have any guests um hardwired to this desktop switch so i'm going to assign it the custom profile of main and internet of things and we're going to go ahead and apply and it's going to provision uh that on the main switch now let's go ahead and go back to the desktop switch the new one that we just plugged in and take a look at the port configuration here so port one we know we 
connected to the main switch well so we're gonna name that uplink and because on the other side we have the port profile of only main and internet of things we would want to apply that here however it looks like this specific switch does not have the option for custom profiles so that's fine we're just going to keep this one on all you really would want these to match but because the main switch is higher up in this uh network design none of those vlans are going to make it down to the desktop switch anyways so it's not going to cause a problem to keep this one on all but we are going to apply that config for the name and we're just going to assign the desktop name to port 5 and we're going to switch this profile to main lan only and we get this nice error i've actually never seen this before but it says update the unifi controller port port 5 might be connected to the unifi controller 192.168.1.10 are you sure you want to update these changes this is a very good warning to get that means that the controller has identified that you are messing with the port that the controller itself is on so it somehow recognized that and is giving us this error so because 192.168.1.10 is a part of the main lan and the change that we're doing is switching the port profile to exclusively the main lan we know that that's not going to cause any issues so we're just going to go ahead and click confirm but that is a good warning to get in case you were trying to switch the port profile of the controller's port to something that would essentially break everything so at this point we now have uh pretty much exactly what we set out to accomplish go ahead and clean up the drawing here real quick there we go um so yeah this is pretty much what we've done so far we've got our gateway connected to the main switch connected to the desktop switch which is connected to our computer and we've configured our access point for the main lan and guest networks and set up all of these networks now
the only thing really there is left to do is start adding some clients and make some additional changes so you can see down here we were originally going to add a guest device and an internet of thing device to our desktop switch so let's just go ahead and connect a bunch of arbitrary devices and see what we get all right so what we just did was we connected up a device to port four of our desktop switch this is going to be our internet of things device and i forgot that we were not trunking the guest vlan to our desktop switch so there is a change in our network topology here we are marking guest um off of the desktop switch and we're just moving that to port 3 of our main switch so let's go ahead and make these configuration changes on the controller and we'll start with the main switch if we go to ports we can see port 3 is now green we're going to go ahead and edit this and we're going to call it a guest device we're going to change the profile to guest and we're going to hit apply and we will move on to our desktop switch go to the ports tab you can see port 4 is now active we'll go ahead and edit that and we're going to say internet of things device and we're going to assign the profile for internet of things vlan 20. 
go ahead and hit apply and we're provisioning and we should see devices there now well actually i'm not sure if they would have updated this fast so let's go ahead and look at our clients tab this is something we haven't been into uh yet um it actually looks like they did show up they're not completely correct oh that one just changed over as we were looking at it so you can see the devices that we have we have a pc here ip address is 1.10 that is this pc that we're using with the controller on it connection you can see the icon is uh i think if we mouse over that we can see now we can't but if we click on it we can see that it is connected to toasty's desktop switch port 5 and it's on the mainland and if we go through the rest of these biscuit don't even worry about that one existing that these two are technically the same thing um a wireless client here oh and we have an error i wonder what that's all about let's go ahead and refresh i'm not sure why it did that but oh we can see that we actually have a host name this time for our wireless device and we can see that it is uh connected to toasty's wi-fi on that access point so this is really where you can get the details of all of your devices and you can sort them by a wireless wired or all and the two pcs that we just connected up was toasty media 3 and toasty media i3 and those are connected to the internet of things and guest networks respectively um however this looks to be wrong 192.168.1.17 should not be the ip address of this device if it is on the guest network because that is not the guest's subnet the guest subnet should be 10 and it's kind of vice versa for oh well that just changed as i was looking at it so i think that these statistics aren't really accurate um because i did just see jelly did say that it was a 10 address but it just changed to a dot one so let's just go ahead and try to ping this device just real quick for my sanity and we can see that the destination is not reachable so have a 
feeling that that ip address for toasty media i3 is just not up to date yet let's go ahead and do a refresh and see if that changes anything uh hasn't yet while there's usually not a problem with this being accurate the only reason that it's kind of messing up right now is because it came online on the main network it grabbed this ip and then we changed the profile over so this kind of hasn't caught up to all the changes that we've made just yet so actually i just kind of realized a limitation uh you can't see the dhcp leases in the controller apparently so this is really where you can see the ip addresses of each client so all i'm going to do here is i'm going to unplug this and plug it back in and see if it actually uh updates this correctly i'm going to go ahead and do a refresh after plugging that device back into the switch and we are still seeing the same ip address now kind of while i am uh waiting on this to update uh you might be wondering what these little icons mean and why they don't really match anything on the left here so you can see that our first device here has pc and then our biscuit device says gi and jelly our wireless client says a and then our two toasty media pcs has gc and ms um where it's getting these letters is actually from the manufacturer of the network card in the device and we can see that if we go to the insights tab another one that we haven't been to before we can also see our historical stats for our clients here and we can see that the manufacturer of this first one is pcs compu so that's why it says pc biscuit is good way twice as gw jelly is an apple device and these two even though they're named the same they do have two different manufacturers so micro st and g pro com that is where those uh letters come from now what i'm actually going to do is go to this toasty media i3 and forget the device from this database so by default this controller will log all of the insights for all of the clients connected to it over its 
history and you can actually sort between like the last day the last week the last 120 days or all time and it keeps a past database of all of these different things so neighboring access points here's a massive list of all of the access points that it has seen around it before and i am blurring all of them out because they are actual uh wireless networks that are around here now let's go back to our clients list we can see that i3 has fallen off so i'm going to go ahead and plug that back in to port 3 on our main switch and we should show it uh popping back up here i do believe that that was just an error that because we made the change afterwards it was showing the wrong ip address even though it had the correct ip it just wasn't reporting it properly and that probably would have changed eventually but i didn't want to wait around for it so i just uh forgot that device and reconnecting it so let's go ahead and refresh this page and see if we have found it again uh looks like it hasn't got an ip yet so just while we're waiting on something to happen let's go to the device uh go to the main switch and just make sure that that port is online and it is we see green there get rid of that go to the ports um guest device edit it and we are on the guest profile so everything looks correct uh we're just waiting for it to show back up here i guess all right and i am back about 15 minutes later um apparently there was an issue with the device that i had plugged in there wasn't really an issue with the controller itself i think the computer uh little well mini pc that i have over there uh died while i was doing that so i connected a different one now we have toasty media instead of toasty media i3 and we can see that we are on the guest network and it does have the correct ip so yep all the troubleshooting for that aside um that's just one of the unfortunate events that may happen to you but really it doesn't matter because uh i just wanted to see the correct ip address 
there so we are now good to go and we can start uh testing these devices so what i'm going to do here is i'm going to open up a remote desktop session to one of these and i have already enabled this capability beforehand so don't worry too much about doing this this is just for testing purposes and i'm going to go ahead and browse to 20.6 which is the toasty media 3 computer and we're just going to open a command prompt on this computer and see what we can ping so we are on the internet of things network or the 20 network let's just see if we can ping 192.168.1.10 which is the unifi controller and we can so we know that we have connectivity between these two networks now what about 1.2168.10 dot and i already forgot that i p address so let's go look at toasty media 10.9 let's see if we can ping that so we can ping from internet of things network to our guest network as well so let's go ahead and minimize this and open up another session to our uh actual guest device so 102.168.10.9 and here we are on our guest device so let's go ahead and open up a command prompt over here and try to ping 102.168.1.10 which is the controller device and we can and we're also going to attempt to ping 20.6 which was our internet of things device and we can so what this means is that all of our networks are able to talk to each other there's really no security between them now the reason that we set these up is to have security so we want our mainland to pretty much be able to talk to everybody any other network we have connected but we don't want our guests to be able to access our mainland that was the whole purpose of setting that up in the first place and same story with the internet of things network as well so let's go back to our controller here and we're going to open up settings routing and firewall and this is where the firewall is finally going to come into play now we have different sections here so we have wan in when out lan local lan inline out lan local guest in guest 
out and guest local so what do all of these sections mean well so when in is anything coming from we're just going to replace wan with internet so anything coming from the internet through our security gateway to anything on our internal network so if you see in just think of things coming through from the outside into the inside when out self-explanatory is the same thing just opposite this is going to be rules for anything that's coming or initiated from a device inside our network out to the internet through the lan port now local is the one that there's usually a lot of questions on local is for the interface itself so for the wan interface that is the public ip that we have on that interface it's probably a little easier explained with the lan local the local lan interface is our default gateway which is 192.168.1.1 for our main lan these are rules directly related to that interface itself that is a connection being established from somewhere else to that port itself so if you think of it like a different device like a regular router where you would browse to your default gateway's ip address and it brings up the web management interface of a regular router in order to block something like that you would apply it to the lan local interface because that rule would apply to the port itself it's basically a rule for the router and connections to and from the router not anything going through it so hopefully that made sense so let's go ahead and do a lan in rule and we can see that our lan in rules we have accounting these are all default rules uh for our three networks and we are pretty much accepting everything so let's go ahead and create a new rule and this is going to be we're gonna do mainland and we're gonna call this uh established related and what establish related is is a rule that only it's going to allow traffic that has been initiated from the inside basically what we're trying to do is only allow traffic that we want to come into this network so an 
established related connection is say you're browsing to google.com your inside device initiates a connection out to google's web server and then the reply from google comes back in and it's recognized as a related traffic flow because it was initiated from the inside to begin with and that's really all we want to have access on the inside is only connections that we are establishing we don't want other connections coming into our network that have not previously been asked for so to do this we're just going to name it that the rule is going to be applied before predefined rules this is basically do you want it to appear before or after the default rules that have been applied there automatically we want it before because the way a firewall works is it works top down it's going to go from the top of the list down until it finds a match for a rule so if we place it before the predefined rules then if it matches it'll be applied first you kind of have to be careful with your ordering of firewall rules because it is uh actually in order now we're going to do the action of accept and we're going to do all protocols and in the advanced section we're just going to do established and related as the states and we're not going to match ipsec packets now the source this is the important part so here we have to create an ipv4 address group if we want to do an address groups or we could just do network or we could just do ip address so since we already created the networks i'm going to go ahead and select that and this is the source network so we're going to do from mainland as our source so any traffic coming from the mainland and the ipv4 subnet of the mainland so here we have the two options are either the gateway address or the ipv4 subnet the subnet is going to be anything on the mainland gateway ip address is only going to be traffic from the default gateway which is 192.168.1.1 so we're going to keep that as the whole subnet we can limit it by mac address if we want but 
we're not going to and now we're going to set up the destination and typically for an established related rule we're going to leave this as any so what this means is the rule is going to apply anything from the mainland to literally anywhere so we're going to go ahead and save that and you can see that it applied a rule index number of 2 2000 and that is for mainland established related now since we explicitly allowed that in order for this to really do what we wanted to do we need an explicit block rule as well so let's create another rule and that is mainland uh drop all and the action is going to be drop we're going to leave that as all uh we're not going to enable logging because that would just be way too much we're not going to enable any of these states and we're going to keep the source and destination um as any now what we are going to change is the rule is going to be applied after predefined rules because this is a drop all rule we want it to be very last in our order of operations so i'm going to go ahead and save that you can see it applied well actually it applied it uh before these predefined rules but it did put it after um the one that we defined and i just realized that we uh kind of made a mistake because we dropped all for all destinations this is uh going to apply to every vlan so we pretty much just black hold our internet of things and guest uh vlans so let's go ahead and set the destination for this block all to the network of mainland for the subnet so this is kind of the inverse of that last rule we're blocking anything from anywhere coming into the main land so this is going to limit that block rule down to just our mainland uh not every network all right so now we have our drop rule and our establish related for the mainland but let's go ahead and make the rest of our established related rules because we want this on all of the lands and technically we could just edit this and throw it into pretty much all of the networks or create a 
group for it that would probably be a little bit cleaner but i'm just going to create a rule for every network because that is how my thought process works so we're going to go ahead and do a guest established related accept all uh check established and related and the network source is going to be a guest and destination of any go ahead and save that create another rule for iot established related accept both check established and related network internet of things to any so now we have our uh three rules on the wrong interface let's see is there a way we can easily change this um well we added these two new rules to the wan section not the lan in so please uh keep in mind what section you're in let's go back to the lan in and just recreate these two okay so now we have them in the correct spot so we have our three established related rules for accepting that established related traffic and the three sources which is our main lan guest and internet of things networks so now we only have this one drop rule now really we want a drop rule on all of our subnets so let's go ahead and create these drop rules um all we're going to put it after predefined rules and this is going to be our guest drop all rule and the source is going to be anything and the destination is going to be to guest network and we're going to do the same thing for internet of things after predefined rules drop the doo doo doo from anywhere to the network of internet of things so basically what we've just done is created the firewall rules to only allow established related traffic in and out of all three of our networks so now in order to allow traffic we're going to make our allow rules on guest and internet of things for our main network and this is what should really lock it uh down but also allow relevant traffic between the two so so this is going to be guest we're gonna name it allow main and this is going to be um we want it before the predefined rules but we're probably going to have to uh edit 
this a little bit um we'll see how this goes but we're going to make an accept rule for all protocols and we're not going to log or match any states and from the source network of main lan so any traffic coming from the main lan to our guest network is going to be accepted so let's go ahead and save that and let's see where that showed up in the list here um good it actually showed up exactly where i wanted to right in the middle now let's see if we can actually change these rule orders oh we can alright so you can just uh drag them around to change the order if you wish now let's go ahead and create another one for internet of things allow main accept don't match any of that uh from the main lan to internet of things accept and we're gonna go ahead and save that so now this should be our full rule set so established related again from all uh networks and we are allowing traffic from the main lan to go into the guest and internet of things network however any traffic that's originating from guest or internet of things should not be able to initiate itself into the main lan because of our block rules and we don't have an explicit allow statement so let's go ahead and test these rules so on this one this is the main computer 1.10 we're just going to ping 10.9 and we're getting a reply so that is to our guest network and i think it was 20.10 oh what was the ip of the other one i can't keep track here 20.6 so 28.26 and going back to our thing we're still provisioning so that rule might not be updated yet let's keep an eye on it and there we go our traffic's going through so um the security gateway does have to provision itself for these rules to take effect so that is why these first ones failed because that rule hadn't technically made it to our gateway yet so let's go ahead and exit out of that and rdp to our guest device so 10.9 that is the one we're on now and let's go ahead and try to ping something on the internet of things network so 20.6 and this should fail 
and it does now let's go ahead and try and ping the controller itself so 1.10 and these also fail now something that we don't know if it works or not is actually for the default gateways so we can ping the default gateway of the other networks we can ping all of them and that is because in order to ping the actual interfaces on the security gateway those are those local rules so if you want to block communication from the interfaces on the gateway itself you have to apply those rules to uh local i'm not really too worried about that because i can't the traffic's not going in to either of those networks um and i'm not too worried about the interface itself so i'm just gonna leave that open to me that's fine but if you want to add those rules uh to the local interface i might as well just show you how to do it while we're here and this is already a video that's probably about a week long let's go ahead and go to back to the firewall tab and if we go to lan local this is where we can apply those rules and i'm just going to create one of them and it's going to be for internet of things and it's going to be for block interface traffic we're going to go ahead and drop all now we need to be careful with this one because we don't want to um disallow the actual uh devices on the internet of things network from communicating with the router so we are going to put this after the predefined rules so make sure it's last and this is going to be to block everything from uh anywhere in the destination of uh the internet of things gateway ip address and after we save that we do need to create another rule to accept and this is going to be internet of things allow local and we are accepting traffic from the internet of things network subnet and the destination is the internet of things gateway ip address so this is what's going to allow the local traffic to actually go through so now we have the two lan local rules one to accept internet of things traffic to the internet of things 
interface and one to deny everything else from uh talking to that interface specifically so let's go to the devices and uh just wait for it to stop provisioning and test it all right and we're done provisioning so let's go back to our um guest device so this is the 10.9 on the guest network and let's go ahead and try and ping all of those interfaces again so if we try to ping the main lan's default gateway we can we try to ping the guest default gateway which is the same network we're on we can but if we try to ping the internet of things gateway address 20.1 we fail because we created that new rule to block that traffic now just to be sure let's go ahead and initiate another remote desktop connection to our internet of things device and because we are on the main network we are able to establish a connection into um internet of things network but if we bring up the command prompt here and we try to ping the controller itself which as you can see we are rdp'ed from that uh actual device the 192.168.1.10 to this device so there is communication happening is just where it came from i am able to establish a connection from the main network to the internet of things network but i cannot initiate a connection from this internet of things network uh to really any other network because of those rules we created and we can try and ping the uh 10.9 ip as well and we will fail but because we are on the local network we should be able to ping 20.1 yep because we created that allow rule so that is how you lock down your different networks using the firewall rules and go ahead and disconnect from both of those and we're pretty much uh good to go that was a pretty in-depth setup i know that this video is very long and hopefully you're skipping around it using the links in the description that i'm going to put below i'm just going to take you through a few of the menus here that we can see after a full network has been created you can see we have a capacity um statistic as well as 
utilization you can see we have two switches um it even shows us how many wired clients we have how many total ports are in our network and how many are available and the power consumption of our network that some pretty cool stuff um access points still you see some stats there you can even see the usage of um the up link and the downlink and down here just our wireless channel distributions we only have the one access point and it's only using the channel 36 and 11. you can kind of see because channel 11 is not quite green there's probably some interference there so if we wanted to tune it we could take a look at that but we're not going to worry about it um if we go to the map this is our complete network map we've got our security gateway our main switch and we can see we have toasty media directly connected to the main switch access point as well and then our desktop switch with our other three devices which technically those are two but our other devices are connected to the desktop switch now if we click on one of these should be able to see some oh no we can't see any stats it just collapses them if we click on them i actually don't use this very much but we can show link labels and see what the speed is and what port it's on so gateway is connected to main switch on number one and then the down links from the main switch port seven of desktop switch uh port three oh sorry i got that backwards this is port seven um of the main switch to port one of this one and this is port three of the main switch uh this isn't going to tell what port it is on that in device because there's only the one port so moving on through here we've already been to the devices section um way more than once again you can sort between wireless and wired devices if you want to there's even this lts section which is the limited support devices um pretty much if you have a number here you probably want to replace them pretty soon clients this is going to show everybody connected to your 
network and statistics will show a pretty detailed overview of the traffic flowing through your network so you can see that our overall traffic stats is 586 megabytes so far through the whole thing and you can kind of see the breakdown per traffic type so file transfers have the most and file transfers do count as provisioning for access points and other devices so that is why there is so much data for file transfers that is from firmware updates that we've done as well as a provisioning across the network and you can see network protocols is pretty much our number two that's any control protocol and if we want to further break it down you can see these categories down below so file transfer web file transfer again firmware updates and whatnot and we can see icloud so that was obviously coming from our apple wireless device it classified that data as well as onedrive and you can see that uh youtube has even taken up some if you click on it says there's no clients for the selected application so let's see if we can find uh one of these well you can see here's one for web traffic um it'll show a breakdown of that per device so so far this pc that we're on right here is the one taking up the most of it and you can even go further down into it since since we clicked on this device it popped up the device's menu here on the right and we can actually look at the device specific traffic and have a list of it there so pretty cool statistics stuff um moving on to insights well we've already kind of looked at this a little bit but you can see we can have client history neighboring access points you can even see past connections guest authorizations switch stats let's go ahead and go here this is showing us basically a per port statistic of all of our connections and what type of ports they are now we can look at the controller logs which we don't have anything yet and last but not least threat management you can see that since we've created this network we actually have four 
detected threats and uh they were all in the united states they were all high severity and the source was actually 1.10 uh the computer that we're on and the threat was uh apparently a peer-to-peer uh threat and we have no medium or severity or low severity threats um we can see the traffic log here source uh the pc that we're on and the destination was actually this 10.13 13.10 i'm not entirely sure what that is but i know that it is on um my local network so there was a potential uh threat detected between this computer and whatever device of this is and we can add it to the allow list we can add it to the deny list we can block it or suppress it so that is what the traffic or not traffic threat management tab does and if you want to see a list of all the events that you have done here's basically a list of everything that has happened on the controller as well as any alerts directly below that which the only alerts we are seeing are those four threat management uh high severity errors is about it this is probably the most in-depth video i have ever done hopefully this got you from start to finish setting up a complete unifi network you can use all of the topics that i've gone over in this video to add more switches add more access points add more vlans but all the concepts are pretty much the same so if there are any questions and i'm sure there are a ton leave them in the comments down below i'll try to get to them and let me know if there is anything that i may have missed and i will try to hit it later so as always happy networking
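Added example, not part of the video or of UniFi's own software: a small Python model of the LAN IN rule set built in the transcript, evaluated top down with first match wins, to show why the first "drop all" with destination any black-holed the guest and internet of things networks. The rule names, the evaluate helper and the final default-accept fall-through are assumptions made for this sketch.

```python
import ipaddress

# The three networks from the video's address plan.
NETS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
EST_REL = {"established", "related"}

def rule(name, action, src=None, dst=None, states=None):
    # src/dst of None means "any"; states of None means "match every state".
    return {"name": name, "action": action, "src": src, "dst": dst, "states": states}

def build_rules(main_drop_dst="main"):
    # Accept rules sit "before predefined rules", drop rules "after".
    accepts = [rule(f"{n} established related", "accept", src=n, states=EST_REL)
               for n in NETS]
    accepts += [rule("guest allow main", "accept", src="main", dst="guest"),
                rule("iot allow main", "accept", src="main", dst="iot")]
    drops = [rule("main drop all", "drop", dst=main_drop_dst),
             rule("guest drop all", "drop", dst="guest"),
             rule("iot drop all", "drop", dst="iot")]
    return accepts + drops

def in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in NETS[net]

def evaluate(rules, src_ip, dst_ip, state="new"):
    # Walk the list top down and stop at the first rule that matches.
    for r in rules:
        if r["states"] is not None and state not in r["states"]:
            continue
        if in_net(src_ip, r["src"]) and in_net(dst_ip, r["dst"]):
            return r["action"], r["name"]
    # Assumption: traffic matching no rule is accepted, e.g. out to the internet.
    return "accept", "default"

FIXED = build_rules()                      # drop rule limited to the main lan
MISTAKE = build_rules(main_drop_dst=None)  # first attempt: drop any -> any

if __name__ == "__main__":
    # Constructed sample flows using the hosts pinged in the video.
    flows = [("192.168.1.10", "192.168.10.9", "new"),
             ("192.168.10.9", "192.168.1.10", "established"),
             ("192.168.10.9", "192.168.1.10", "new"),
             ("192.168.10.9", "192.168.20.6", "new"),
             ("192.168.10.9", "8.8.8.8", "new")]
    for src, dst, state in flows:
        print(f"{src} -> {dst} [{state}] fixed={evaluate(FIXED, src, dst, state)} "
              f"mistake={evaluate(MISTAKE, src, dst, state)}")
```

The model only covers routed traffic through LAN IN; pings to the gateway's own interfaces are handled by the separate LAN LOCAL rules described in the video.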
Info
Channel: Toasty Answers
Views: 271,390
Rating: 4.8916082 out of 5
Keywords: Unifi, Ubiquiti, Networking, Home Networking, Setup, How to, UAP, Security Gateway, Unifi Switch, USW, Security, VLANs, Firewall, Tutorial, Complete Setup, Network Configuration, Configuration, Controller, Dream Machine, UDM
Id: 7m4d1K9Npw4
Length: 78min 36sec (4716 seconds)
Published: Mon Feb 15 2021