UniFi Guest WiFi

Captions
[Music] Welcome to Crosstalk Solutions. My name is Chris, and today we're going to talk about how to set up a segregated guest Wi-Fi network in UniFi. Now, I'm using UniFi version 5.3.8, which, when you go through the wizard and set up a Wi-Fi network, lets you add a guest network, and you can apply guest policies to that network that help with things like client isolation and firewall rules and things of that nature. So it does set up some basic guest Wi-Fi rules, which actually are pretty good for a typical small business. Now, why then would you want a segregated guest Wi-Fi network? And when I say segregated guest Wi-Fi network, I mean off on its own VLAN with a completely different subnet. The reasons you would want that would be a couple of things: number one, security; number two, capacity. There are other reasons too, but those are the two main reasons that I know of to create this type of network.

Imagine a restaurant scenario, okay? So you look at the security side of things: when you have the built-in guest Wi-Fi settings for UniFi, and I pop onto my phone on that guest Wi-Fi network and run a network scan, I can see all of the devices on the network, whether they're guest devices or whether they're regular devices. So for security purposes that's a little bit of a security risk, because, for instance, in our restaurant scenario they're going to have point-of-sale terminals. Those point-of-sale terminals are hopefully on their own network already, but if they're not, you're going to be able to do a network scan and find them; you're going to be able to find the IP addresses. Now, being on that client network, you can't actually ping them and you can't get to them, you are client isolated, but you can see them, so some people might not like that.

The other thing is capacity. So I had a situation with a local restaurant in my area where they had a guest network set up that was just using the built-in UniFi guest network, and they were running into capacity issues. So when they would have a big day, you know, their DHCP timeout was set to 24 hours, they only had 256 possible, or 254 possible, addresses minus all of the devices they already had on the network available to their guests, and so if they had a big day they would run out of IP addresses to hand out to the guests. So what I did is I took them off of that: I created a segregated guest network on its own VLAN, I gave them a Class B network, a 172.16 network, and I changed the DHCP timeout value to 4 hours, right, because people aren't in a restaurant for more than 4 hours typically, and if they are, they can renew their lease.

Let's take a look at how to set up that scenario in UniFi. So what I have here, I'm actually building off of the same equipment that I used to do my complete UniFi setup video; this is, I guess, considered part two of that series. So I've got my Ubiquiti Cloud Key, I've got one UAP-AC-PRO access point, I've got a Ubiquiti USG, and I've got a Ubiquiti 8-port PoE switch, which is the US-8-150W. If you guys are interested in any of this equipment, I do have links to all of this equipment, Amazon links, down below. If you click on those Amazon links and purchase this equipment, it doesn't change your price at all, but I get a very small percentage, and that would be my appreciation for putting out this content for you guys.

Okay, so here we are, we have UniFi, and the first thing that I want to show you is the existing guest Wi-Fi network. So if I come over here to Settings, Wireless Networks, you see we have a Guest network: there's no VLAN, but "guest network" is checked, meaning that guest policies are applied. So we're going to go ahead and edit this. There's no password, but we do have guest policies, and everything else here is default. If we look at the beta firewall rules, click on Firewall, we have the guest in, guest out and guest local firewall rules. So, for instance, guest in: all of these rules are from the firewall's level, and guest in means guests that are in your guest network, their traffic that's coming in to the firewall. So guest in is basically going out to the Internet or out to other networks. And you look at the rules that are set up; they're pretty good by default. So "allow DNS packets to external name servers", okay, that's fine. "Allow packets to captive portal", that's fine if you're using a guest captive portal in UniFi. "Allow packets to allowed subnets", all right, so that's basically if I've set up other subnets that I want to allow guests to have access to, that's fine. And then basically everything else is dropped. So these guests have access to the Internet, which is one of my allowed subnets, and they can check DNS from external name servers, and if I have a captive portal set up they can use the captive portal, but that's about it; everything else is dropped. So they can't do anything else: you can't ping the gateway of the guest network, you can't open up any services on the guest network. You see here, like, "drop packets to intranet", "drop packets to restricted subnets", "drop packets to void", "drop packets to remote user", blah blah blah. Okay, so they did lock it down pretty good with the default firewall rules, so those are fine; I'm going to leave those in place. The problem, though, of course, is that it's on the same subnet, so I might run out of IP addresses if there's a lot of people on the network, and also, even though I can't get to any other devices on the network, I can run a network scan and see all of the devices on the network. So we want to prevent both of those things.

So how do we create our own guest network? The first thing we want to do is click on Networks, and we're going to create a new network. We're going to call this "Guests". The purpose of this network is a guest network, so we want to check the box right here. The network group is LAN; that refers to the ports on the USG. LAN2, as far as I know, is not used yet, so LAN should be your only choice. Gateway/subnet: we're going to give this 172.16.0.0/16, sorry, 0.1/16, so the gateway of this network is going to be 172.16.0.1, and it's a /16, which means I've got 65 thousand available IP addresses in this Class B network. The VLAN I'm going to give it is VLAN 99. And by the way, I'm giving you a Class B address, but you guys do what you think is best; you can make it a Class C if you don't think you're ever going to go over, you know, the two hundred and fifty some odd IP addresses in the Class B network, or make it a /23 if you want, whatever you want. I'm just going to do a /16 for demonstration purposes. Okay, I'm going to click "Update DHCP Range", and this is going to give me 172.16.0.1 through 172.16.255.254, so that should be plenty of DHCP leases. And then we're going to set the lease time down; right now it's set to 24 hours, so for our DHCP lease time it's 14400 seconds. Okay, so everything looks good here; we're going to go ahead and save that.

Now, the next step is optional, but this is something that I like to do for guest networks, and that is enable bandwidth throttling. So I don't want my guests, the clients that are connected to the guest network, to be able to suck up all of my Internet if they're watching Netflix or YouTube while they're at the restaurant, right? So I'm going to go over here to User Groups, and I'm going to create a new user group, and I'm going to call this "Guests", and we're going to check both of these boxes to limit the bandwidth. We're going to limit the download to 5,000 kbps, or 5 megabits, and we're going to limit our upload to 2,000 kbps, or 2 megabits. So the maximum bandwidth that any one user can suck up is five megs down and two megs up, which is still pretty generous, honestly. So we're going to save that, and now we have our Guests user group created.

Finally, we need to go over to Wireless Networks, and we want to edit our guest wireless network. So we're going to edit, we're going to open up our Advanced Options, and we're going to, first of all, set this to use VLAN ID 99, and then for user group we're going to select Guests, so the Guests user group that I created. Save that setting, and we're all done. So the next thing we need to do is just wait about a minute or so for the access points to provision and the USG to provision, and then we'll check on our phone. We're going to connect to that guest network, and we're going to check to see if, number one, we are in the 172.16 subnet, and number two, we're going to check our bandwidth to see if we are limited down to five megabits and two megabits.

Okay, so my devices have finished provisioning. I am going to connect to the guest network now. Normally when I'm doing something on the iPhone, I use a program called Reflector where I can actually record my screen, but since I'm doing tests in a guest-isolated network that has no access to my main computer here, I can't do that, so you'll just have to take my word for it that it is working. I clicked on Guest; it is now connected. If I click Info, I get an IP address of 172.16.80.233. That's a really weird IP address to give me in that range, but anyways, you can see here, maybe I can get a clear shot of it, there you go, 172.16.80.233. Now if I bring up a ping tool and I ping 8.8.8.8, go, okay, so you can see that I'm getting green responses, meaning that it is pinging successfully out to 8.8.8.8. Stop that. But if I try to ping 172.16.0.1, start, you can see that it's all grayed out, so all of the pings are just gray, gray, gray, meaning that I am NOT able to ping the gateway, and I certainly cannot open up any services on the gateway either, such as HTTP or HTTPS, to get to the UniFi, the USG's interface. Okay, so we're going to stop that. The last thing I want to do is run a speed test. Begin test, and there we go, so you can see my speed test result there: 4.62 down and 1.95 up. So I have successfully limited my bandwidth on that guest network. That was also, by the way, through my Private Internet Access VPN, which I have turned on on this phone when I ran that speed test, so I'm getting five megabits down, two megabits up, even with my VPN turned on.

Okay, so there you have it. That's how you can convert the built-in guest Wi-Fi network to a completely segregated and secure guest Wi-Fi network, and from here, if you wanted to add additional firewall rules to allow or disallow your guests from going places, or maybe you want to lock it down so they can only use specific DNS servers, such as OpenDNS servers, that would be where you have to start working in your firewall rules to make those kinds of things happen, and that's beyond the scope of what we're going to talk about today. But I hope you guys did enjoy this video. If you did enjoy the video, please give me a thumbs up. If you'd like to see more videos like this, please click Subscribe. My name is Chris with Crosstalk Solutions, and thank you so much for watching. [Music]
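The procedure above (a guest network on its own VLAN and subnet, a shorter DHCP lease, a throttled user group, and a client check that the phone really landed in 172.16.0.0/16) is something you would normally click through in the controller UI. The script below is an added example, not Crosstalk Solutions' code or anything shown in the video: it builds the same configuration as data, refuses the mistakes a practitioner most often makes (a guest subnet that overlaps the main LAN, a gateway sitting inside the pool, an out-of-range VLAN), and reproduces the capacity argument from the restaurant story so the 24-hour-versus-4-hour lease decision can be checked with numbers instead of intuition. The existing LAN (192.168.1.0/24 with 40 devices) and the guest-arrival figures are constructed sample inputs, and the dictionary field names (`ip_subnet`, `dhcpd_leasetime`, `qos_rate_max_down`, ...) are assumed from the unofficial UniFi controller REST API rather than taken from the page. It runs offline with the standard library only.

```python
"""Added example: model the segregated UniFi guest network from the video.

Assumptions (not from the video):
  * EXISTING_NETWORKS / EXISTING_DEVICES describe a constructed main LAN.
  * Dict keys mirror the unofficial UniFi controller API (networkconf,
    usergroup, wlanconf); treat them as assumed, not authoritative.
"""
import ipaddress
import math

# Constructed sample: the restaurant's pre-existing LAN and device count.
EXISTING_NETWORKS = {"LAN": ipaddress.ip_network("192.168.1.0/24")}
EXISTING_DEVICES = 40


def guest_network_conf(name, gateway_cidr, vlan, lease_seconds,
                       existing=EXISTING_NETWORKS):
    """Build a guest network definition and reject common misconfigurations."""
    iface = ipaddress.ip_interface(gateway_cidr)      # e.g. 172.16.0.1/16
    net = iface.network                                # 172.16.0.0/16
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("gateway must be a host address, not network/broadcast")
    if not net.is_private:
        raise ValueError("guest subnet should be RFC 1918 space")
    if not 2 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 2..4094")
    for other_name, other in existing.items():
        if net.overlaps(other):
            raise ValueError(f"{net} overlaps existing network {other_name} ({other})")
    if lease_seconds < 600:
        raise ValueError("lease time too short; clients will churn constantly")
    # DHCP pool: every host address except the gateway itself.
    start = net.network_address + 1
    if start == iface.ip:
        start += 1
    stop = net.broadcast_address - 1
    return {
        "name": name,
        "purpose": "guest",             # applies the built-in guest policies
        "networkgroup": "LAN",
        "vlan_enabled": True,
        "vlan": vlan,
        "ip_subnet": str(iface),
        "dhcpd_enabled": True,
        "dhcpd_start": str(start),
        "dhcpd_stop": str(stop),
        "dhcpd_leasetime": lease_seconds,
    }


def pool_size(conf):
    """Number of addresses the DHCP pool can hand out."""
    start = ipaddress.ip_address(conf["dhcpd_start"])
    stop = ipaddress.ip_address(conf["dhcpd_stop"])
    return int(stop) - int(start) + 1


def peak_leases(arrivals_per_hour, dwell_hours, lease_seconds, open_hours):
    """Addresses held at once under steady arrivals.

    A lease stays allocated for max(dwell, lease) hours unless the client
    releases it, but nothing can be held longer than the business is open.
    """
    held_hours = min(open_hours, max(dwell_hours, lease_seconds / 3600))
    return math.ceil(arrivals_per_hour * held_hours)


def pool_exhausts(available, arrivals_per_hour, dwell_hours, lease_seconds, open_hours):
    """True when a busy day needs more addresses than the pool has."""
    return peak_leases(arrivals_per_hour, dwell_hours, lease_seconds, open_hours) > available


def guest_user_group(name, down_kbps, up_kbps):
    """Per-client bandwidth cap, as in the video's 5000/2000 kbps group."""
    if down_kbps <= 0 or up_kbps <= 0:
        raise ValueError("rate limits must be positive kbps values")
    return {"name": name, "qos_rate_max_down": down_kbps, "qos_rate_max_up": up_kbps}


def guest_wlan_conf(ssid, network_conf, user_group_id):
    """Bind the SSID to the guest VLAN and throttled user group."""
    return {"name": ssid, "is_guest": True,
            "vlan": network_conf["vlan"], "usergroup_id": user_group_id}


def client_in_guest_subnet(client_ip, network_conf):
    """The phone-side check: did DHCP put us in the guest subnet?"""
    net = ipaddress.ip_interface(network_conf["ip_subnet"]).network
    return ipaddress.ip_address(client_ip) in net


if __name__ == "__main__":
    guests = guest_network_conf("Guests", "172.16.0.1/16", 99, 4 * 3600)
    group = guest_user_group("Guests", 5000, 2000)
    print(guests, group, guest_wlan_conf("Guest", guests, "<usergroup-id>"))
    # The restaurant scenario: flat /24 shared with 40 devices, 24 h lease.
    shared = 254 - EXISTING_DEVICES
    print("flat LAN exhausts:", pool_exhausts(shared, 20, 2, 24 * 3600, 12))
    print("guest /16 exhausts:", pool_exhausts(pool_size(guests), 20, 2, 14400, 12))
    print("phone in guest subnet:", client_in_guest_subnet("172.16.80.233", guests))
```

With the constructed numbers (20 arriving guests per hour over a 12-hour day, each staying about two hours) the flat /24 with a 24-hour lease needs roughly 240 addresses but only has 214 left after the restaurant's own devices, which is exactly the exhaustion the video describes; the same traffic on a 4-hour lease holds about 80 at a time. The overlap check is the one that matters most for security: a guest subnet that overlaps the main LAN would defeat the VLAN separation the whole procedure is meant to create.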
Info
Channel: Crosstalk Solutions
Views: 342,101
Keywords: ubiquiti, unifi, unifi controller, usg, uap-ac-pro, uap-ac-lite, uap-ac-lr, ubiquity, ubiquiti wireless, ubiquiti wifi, wifi, us-8-150w, unifi switch, cloudkey, cloud key
Id: 9dhmS237wsw
Length: 12min 33sec (753 seconds)
Published: Thu Dec 29 2016