UNIFI FIREWALL RULES EXPLAINED

Captions
Hi, I'm Willie. Welcome to my channel. Thank you for being here; I appreciate each and every one of you. If you are a first-time viewer or new viewer, please go down and click Subscribe down there. If you're a return viewer or subscriber, thank you very much, I do appreciate each and every one of you. If you need IT consulting, go to williehowe.com and fill out that contact form, and someone will be in touch with you as soon as possible. If we can't help you, we'll get you to someone who can; that's our promise to you.

So what we're talking about tonight: yes, you see this in my hand, this is the standard UDM, and what we're going to be using this for is we are going to explain the UniFi firewall rules, the default firewall rules. Now I'm only doing firewall rules. I'll reiterate that again when we get to the computer, but I'm only doing firewall rules, and we're gonna talk about the firewall rules that come on here, how to work with them, and I'm gonna give you some examples, and that's all we're gonna do. We're not going into any of the other options, so if that's what you're looking for, you can go ahead and tune out now. Just giving you a heads up: we're gonna explain the firewall rules. So let's head on over to the computer and get to it.

All right, so here we are over at our UDM, and that says everything is great. I think that should say everything is awesome, but we'll see how it goes. So what we're going to be using as a client device to run our test on is this MikroTik AP that you've seen me have around. So the first thing we're gonna do is we're going to show you that you can ping this right now, and we'll do this occasionally as a sanity check. So let's go check out the firewall rules. Like I said, we are only dealing with the firewall rules, so let me explain a little bit about the firewall rules. You've seen an EdgeRouter video, and these are based off of the same logic as the EdgeRouter video that I did. So you've got three different types of interfaces: you've got WAN, LAN and guest. Now what you need to remember is that if you have multiple guest networks, they're all handled, all the rules for those will be handled, under guest. If you have multiple LANs or regular VLANs that are not tagged as guests, those are also gonna be handled under LAN. And then WAN, well, I only recommend that you use one WAN and try to use the firewall rules with one WAN.

But let's talk about, remember, our directions. So whether it's WAN, LAN or guest, "in" is our packets coming into the interface, which is where we generally want to block things; "out" is our packets going out of the interface; and then "local" is reserved for things actually running on the firewall. So for WAN it would be things like SSH, again from the outside, it would be the web interface from the outside; for LAN local it would be things like the DHCP server, DNS; and for guest there's probably not going to be anything running, although guest is probably going to get DHCP and also could get that DNS. So you need to remember the directions, and you need to remember that when we create these networks, it does not create more sets of firewall rules. You have to work within these guidelines, and I'm going to show you that.

So the first thing that we're gonna do real quick is, first of all, make sure we can still ping 192.168.2.39. We're good there. So what we're gonna do is we're gonna come over to Network and we're gonna create a network. Now forget anything else on here besides Guest and Corporate while we're dealing with the firewall rules. So what a corporate network is is a LAN or a VLAN, but when you're talking about the firewall rules it is going to be a LAN, and by default there are no blocked communications between VLANs, and we'll show you this here in just a second. So we're gonna call this IOT, we're gonna make it VLAN 22, and we're gonna make the subnet 192.168, we're just gonna do a class C because I'm feeling lazy tonight, and it's a corporate, which means it's treated as just a regular network. So we're gonna go ahead and save that.

And what we're gonna do is we're gonna come back out here. The device should be provisioned already, so if we can ping that interface... and we can, that's perfect. So remember we've still got 2.39, which is our MikroTik AP. So we're going to come over here to the Dream Machine, and this is plugged into port one. So what we're gonna do is we're gonna edit this, and we're going to call this "IOT mikrotik", and I'm gonna change this to IOT. Now what's going to happen is that the MikroTik is gonna get a new IP address on that 192.168.22 network. Now I will probably have to reboot it here real quick for that to happen, so if you can hang with me, that is what I'm doing right now, and so you should see it disappear. And now I plug the MikroTik back in, and we are gonna see it boot up, and we should get an IP address in the 192.168.22 range. And remember, while we're waiting for that to boot, just remember that we created this as a corporate, which is just a standard LAN: no rules in between any of those VLANs.

All right, so our MikroTik AP has come back online, and it should here shortly grab an IP address. If you've worked with UniFi, you know: just don't get into a big hurry, don't try to force things, and, you know, everything should work out OK. We'll just see what IP this grabs. OK, so it grabbed 192.168.22.39. So watch this: I can ping it. No surprise, because there are no firewall rules in between regular LANs.

But OK, here's one thing we're gonna do real quick: we're gonna create a group, because some of the things that we're gonna do, you're gonna have to create groups if you need single IPs, and we'll talk about this. But I'm going to call this "mikrotik", and I'm gonna make this 192.168.22.35. Rules: we're going to drop it, it's going to be all traffic, and the source is going to be Network, and it is going to be LAN, and the destination is going to be a Network, and it is going to be IOT. So we just created a firewall rule that blocks all the traffic between these two networks, and you can see now I can't ping.

Now one thing to note here is that, just because I have a rule that goes from the LAN as the source to IOT as a destination, if I create a firewall rule here to allow ICMP to the MikroTik, watch what happens here. So I'll do an Accept, and it's going to be before the predefined rules, and we're going to tell it ICMP, and what we're gonna do is we're gonna say it is gonna be from LAN and it's gonna go to the mikrotik, and that's what we're gonna allow, so anybody should be able to ping that. Now firewall rule order is very important, so you're gonna see this rule fails here, right? The real reason it fails is because it's rule number 2001, which means it gets processed after rule 2000, which is our block rule there. So we're gonna move that up to the top, because then you allow that ICMP traffic to happen, and now you see that that works. Now the reason that this works without a third firewall rule is because what we haven't done is we haven't restricted traffic from the IOT back to the LAN. That's why this ping works successfully. I'm going to go ahead and delete these, and I'm going to show you when this wouldn't work so successfully, because all those rules would be set up properly.

So when you're dealing with the guest network, when you tag a network as a guest network on UniFi, it creates those block rules automatically in and out of a network. So what we're gonna do is we're gonna come back over here, we're going to run our sanity check, make sure that we can still ping that with no firewall rules. So that's good. So we're gonna come in here to our IOT network, we're gonna edit it, and we're gonna make this a guest. So what that's gonna do is that is gonna put the lockdown on this network. So you can see we're provisioning, and as soon as we're done provisioning... so it's now applying that default set of firewall rules to the guest network, which is the IOT network. So right now we may still be able to ping that. Yes, because the device is still provisioning, so those rules haven't been completely enforced yet. You're gonna see here in a minute, when the provisioning is done, we should lose the ability to do this ping. OK, so we are connected, and now you see the ping stops.

So we're going to come in and we're going to go into Routing and Firewall. So for some reason, let's say that you just have to ping this one device, or we're gonna send, you know, traffic into this guest interface. So what we're gonna do is we're gonna create a new rule. We're gonna say "allow ICMP to the mikrotik", and it's going to be before the predefined rules, it's gonna be Accept, ICMP, it's gonna be from the LAN network, and it's going to be to the mikrotik. Now I created this rule and it's gonna fail. OK, so it's provisioned, but I still can't ping it, because this guest network, any guest network, has a rule that blocks traffic going back out. That's part of this being a guest. So what I need to do is I need to create another rule, and I'm gonna call this "allow return from mikrotik". It's going to be before predefined rules, we're going to Accept, we're going to leave that the way that it is, and we're going to come down here, we're going to say if it's an established connection or a related connection, we are going to allow it. And we can even go ahead and drill this down, and we're gonna say from the mikrotik back to LAN, if it is established or related, we're gonna allow it back out. And now you can see that ping works because of this firewall rule. Don't believe me? So watch: I'll come in here, I'll disable this rule, we'll save it, and now we're provisioned, and guess what, that's gonna fail. All three of those last pings, because we don't allow that traffic to get back out of the guest network. Come in here, turn this on, and voilà. It's not magic, it's firewall rules.

Now you need to remember, like I said, I only recommend creating these... these are any rules that you need on one WAN right now with UniFi, and we're really not gonna do much with these. We can set up some rules to block things from getting out to the internet, and all that; that's really about the extent of what I'm gonna do with WAN rules. LAN rules and guest rules are where you're going to spend most of your time, and you have to remember every corporate type network is governed by these LAN rules, and every guest type network is governed by these rules. And once you remember that, and you remember the direction and how things are processed (remember, you need to understand, then, when the firewall looks at these, it is reading starting at the lowest rule index number and reading to the highest number, so they are, you know, read 2000, 2001, 2002, so on and so forth), so that is it. So get your UDM out, get your USG out, and play around with these firewall rules.

All right, that's it for this video. So I hope you liked the video. If you did, please give me a thumbs up, please subscribe, please comment, share, please follow me on Twitter and Instagram. If you need that IT consulting, go to williehowe.com, fill out that contact form, and someone will be in touch with you as soon as possible. If you'd like to support the channel by becoming a patron on Patreon, and thank you to those folks, the link is down below. And as always, all of our affiliate links are down below; they don't change your price, but they do kick a couple bucks over to the channel. So if you've got any questions about your UniFi firewall rules, make sure that you reach out, we'll see if we can answer those questions. And as always, I'm Willie, thank you for being here, and I'll see you in the next video.
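The three situations the video walks through (the ICMP allow rule numbered after the 2000 block rule, the same rule moved ahead of it, and the guest network needing an explicit established/related return rule) as a small Python model of lowest-index-first rule evaluation. This is an added example, not code from the video or from Ubiquiti; the address plan, the LAN client 192.168.2.10 and the 3000-range indices for the predefined guest drop rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): LAN, IOT VLAN 22, and a one-host MIKROTIK group.
NETS = {"any": ipaddress.ip_network("0.0.0.0/0"),
        "LAN": ipaddress.ip_network("192.168.2.0/24"),
        "IOT": ipaddress.ip_network("192.168.22.0/24"),
        "MIKROTIK": ipaddress.ip_network("192.168.22.35/32")}
PC = ipaddress.ip_address("192.168.2.10")     # a LAN client doing the pinging (assumed)
AP = ipaddress.ip_address("192.168.22.35")    # the MikroTik AP on the IOT network

@dataclass
class Rule:
    index: int            # UniFi evaluates from the lowest index to the highest
    action: str           # "accept" or "drop"
    src: str              # key into NETS: a network or an address group
    dst: str
    proto: str = "all"    # "all" or a protocol such as "icmp"
    states: tuple = ()    # () = any state; ("established", "related") = return traffic only

def evaluate(rules, src_ip, dst_ip, proto, state="new"):
    """First matching rule decides; traffic no rule matches is accepted (LAN default)."""
    for r in sorted(rules, key=lambda r: r.index):
        if (src_ip in NETS[r.src] and dst_ip in NETS[r.dst]
                and r.proto in ("all", proto) and (not r.states or state in r.states)):
            return r.action
    return "accept"

def ping(rules, src_ip, dst_ip):
    """A ping only works if the echo request AND the returning echo reply are accepted."""
    return (evaluate(rules, src_ip, dst_ip, "icmp", "new") == "accept"
            and evaluate(rules, dst_ip, src_ip, "icmp", "established") == "accept")

# Tagging a network as Guest adds predefined drop rules in and out of it. The
# 3000-range indices are assumed; they sit after "before predefined" user rules.
GUEST_DEFAULTS = [Rule(3000, "drop", "any", "IOT"), Rule(3001, "drop", "IOT", "any")]

def lan_scenario(accept_first):
    """Corporate IOT: block LAN->IOT, allow ICMP to the group; order decides the result."""
    block, allow = (2001, 2000) if accept_first else (2000, 2001)
    rules = [Rule(block, "drop", "LAN", "IOT"),
             Rule(allow, "accept", "LAN", "MIKROTIK", "icmp")]
    return ping(rules, PC, AP)   # no return rule needed: IOT->LAN is unrestricted

def guest_scenario(with_return_rule):
    """Guest IOT: the allow rule alone fails because the reply is dropped on the way out."""
    rules = GUEST_DEFAULTS + [Rule(2000, "accept", "LAN", "MIKROTIK", "icmp")]
    if with_return_rule:   # "allow return from mikrotik": established/related only
        rules.append(Rule(2001, "accept", "MIKROTIK", "LAN", states=("established", "related")))
    return ping(rules, PC, AP)
```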
Info
Channel: Willie Howe
Views: 34,340
Keywords: unifi, ubiquiti networks, unifi firewall rules, usg firewall rules, udm, unifi udm, udm firewall rules, how to read firewall rules, how to create firewall rules, how do unifi firewall rules work, ubiquiti firewall rules, willie howe
Id: 55MKIrcy1XM
Length: 13min 53sec (833 seconds)
Published: Tue Jun 23 2020