UniFi: How to Securely Configure Switch Port VLAN Traffic Restrictions and Avoid VLAN Hopping

Captions
Tom here from Lawrence Systems. UniFi, in mid-2023 with version 7.4 of their Network application controller, made changes to the way you set port profiles and VLANs by adding an option called traffic restrictions and removing what used to be the "All" network, which was essentially a trunk port. Now here it is November of 2023, and we're going to be using UniFi version 7.5.187, the latest available right now, and we're going to show you how to set those traffic restrictions up and what happens when you don't set them up properly, which is essentially that you will allow VLAN hopping, because without the traffic restrictions, and just setting the VLAN on the port, the other VLANs will still pass through the port. That's an important distinction to know, because you don't want to set these things up insecurely. So let's get started.

Now, the first thing I want to cover is when to and when not to use these traffic restrictions. By default, when you get a brand new out-of-the-box UniFi switch, adopt it, and get all the firmware up to date, it's going to have the default of no traffic restrictions, which is what you want for starting out when you have it coming into your firewall. In my example here I'm using pfSense, but this will substitute for whichever firewall you're using that can pass VLAN traffic, or even if you're using one of the UniFi ones. When you come out of one of the LAN ports with the VLAN tags attached to it, in this case it's this particular port I've just labeled igc2 in my pfSense, you want that port that is uplinking to the first switch to have it set to no traffic restrictions if you want all of the VLANs that are defined both in the firewall and also defined inside the UniFi system to pass. Of note, UniFi in the past, long ago, used to pass all VLANs even if they weren't defined. They've actually changed this, and unless they've changed it back, to my knowledge they will only pass defined VLANs. So if you define them within your firewall, you will always have to define them again in the switch to get them to pass along to the next port. If you're using a UniFi firewall, it's going to define them at the same time, so it's not as big of a deal.

Next thing is when you're connecting any two switches together: the ports between those switches should be set to All. If they're UniFi switches this is going to be the default, and the reason why is that way, when the VLANs that are defined in your firewall are passed along to the first switch, and if you have another switch down the line and you would like all those VLANs to go, no traffic restrictions between them should exist. Now, if you want to restrict traffic, we'll be talking about that, where you may not want those to go to another switch. Usually that's not the case; usually you want all of your switches the same, and you do it at the port level of each switch. Now, the final note would be if you're going to a non-UniFi switch: same answer again. Let's say you're going from a UniFi switch to a Cisco switch. The Cisco switch you'll want to set to a trunk port, all, coming into the Cisco, and inside of the UniFi you'll do the same thing, no traffic restrictions. And the same thing goes for access points. The restrictions on the access points you can think of a little bit differently, because by default, yes, it'll work fine if you send all of them, but maybe you want to restrict what goes out to your SSIDs, because maybe there's some that you'll never send out there. So you could say, to be more locked down, you may want to only send the traffic to the different access points that will actually be used by the access points. But if you leave them at All, they will definitely work. It's always good to start at All and then work backwards once you know you have a working config, and restrict the things you're not using. So I'll make that as a side note; it's up to you, but the default port settings will work.

But now let's talk about when to use traffic restrictions and where it's really important, and we're going to get to the demo to show you exactly where these settings are. But I want to point out, in this scenario here, if we have a computer, a camera, any device attached to a specific port, this is definitely where you want to use traffic restrictions, because the goal would be to set that port to only the VLAN that you want it to access. We can use a camera as an example, where maybe you want to have a camera LAN, and this VLAN with the cameras is going to be restricted to only the things you want it to talk to. You don't want the traffic restrictions turned off on that, because then someone could actually plug into that port and, even though it would by default be sending the camera network, it's actually still sending all of them if you don't set the traffic restrictions.

Now let's show you how this works by setting this up directly in the port manager inside of UniFi. We're going to click on my USW-24-PoE, we're going to go to the port manager, and as I said, we're going to be demoing this with port number 14. By default I just have it labeled as "Port testing VLAN"; I have it set to Default. One thing I really want to note here, especially if it's hard to see, is the little scroll bar right here. I don't know why they made this scroll bar as hard and thin as they did to grab, but I will note this has caused confusion where people can't see the traffic restrictions, because when you click it, it drops down below, and you have this and it gets a little bit hard to see. I just want to make sure that's clear: if you don't think you have it, just scroll up and down and look for this little bar right here. Now the traffic restrictions on there are turned off because we have it at Default. Let's say we wanted it to be CamLAN 60, that's my camera network. If we set it here but don't put any traffic restrictions, this will actually not just switch it so the default is 60, but still send all of the other traffic. The way we stop this from happening is we can say Block and select Block All. We want to know what networks we're blocking, or do we want to Allow and only allow certain networks? You can hit Allow and leave it blank, and it'll actually work this way, where you don't select anything and you're only allowing nothing, so it blocks all the networks. But they do have a Block All option right here, and we hit Apply; it's the more logical way to do this. When we do this, now we've restricted that port to exactly what we want it to do.

Now, this is my demo computer I have plugged into this. It just refreshes with a local address when the address changes. Here, 192.168.60.102; 60 is my camera network, so this is definitely on my camera network, like we'd expect it to be. If I try to select another network, let's say I tried to VLAN hop to my 777 management network by choosing this, we go here and we see it just says local address 127.0.0.1, because I've told it no, you can't get any other VLANs. But let's go ahead and test what happens when we turn off traffic restrictions. We'll go back over here to port 14, we're just going to uncheck the box for traffic restrictions, we're going to hit Apply, give it a second to refresh the switch, and now the system is able to actually VLAN hop and grab my management network, which is at 10.77.77.1, and that is simply because I turned the traffic restrictions off.

Now we can actually take and build this out slightly differently by saying, let's go ahead and choose CamLAN 60 but do traffic restrictions to Allow, and we'll be implicit here and we're just going to allow one more network on here. So we have this Tom's management VLAN; we don't want the management VLAN on there, but what if we wanted the 337 network on there? So we said we're going to send this as the default, but then we're also going to add this traffic. So we're going to go ahead and apply these changes, and now you see the system can get a local address of 192.168.13.100, because that is what the VLAN is for that. But if we go ahead and go back to the normal network, it'll go back to the CamLAN network by default. So let's try to VLAN hop, though, over to our management network, and we can see that it fails. This is why it's so important that if you want any particular device to only get access to the network that you segment it to, such as in this case the cam network, we want to make sure traffic restrictions are on, Block, and just choose Block All, and apply the changes. Making sure you have Block All on is going to be critical in making sure the only network that's accessible on that port is the network that you have chosen as the primary network.

Now, one more thing worth noting is that you can change your default network name even if you don't have a UniFi firewall. This used to be an editable field; it's no longer allowed to be edited in the new UI, but you can edit it in the old UI. So if you switch back to the old UI you can change the name of your default network if you want to. I bring it up because you may have noticed some of mine are changed that you've seen in videos; I used to be able to change them, now I can only change them in the old UI. Just something worth noting. Like and subscribe if you want to see some more content from the channel. Also head over to my forums if you want the script that I use to display the colorful IP address; I thought it was just kind of novel, something I was playing with, but hey, I'll leave a link to that down in the forums where you can just copy and paste that code. It's just kind of a novel little bash script that was in my Debian VM for this demo. If you want to connect with me on the socials, head over to lawrencesystems.com; you can connect with me on whatever socials you find me there. And thank you.
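The hop test in the video is done by hand from a VM on the port: pick a different VLAN, see whether an address shows up. The script below is an added example (not the video's own bash script, and not UniFi tooling) that automates the same check from a Linux test host. For each VLAN ID you list it creates an 802.1Q tagged subinterface, asks for a DHCP lease, and grades the result against the VLANs the port is supposed to carry: a lease on any other VLAN is exactly the leak the video shows when traffic restrictions are unchecked. It assumes Linux with iproute2 and ISC dhclient, root, and a DHCP server on the VLANs being probed; the interface name and VLAN numbers in the usage text are placeholders.

```bash
#!/usr/bin/env bash
# vlan_hop_probe.sh: check a switch port for VLAN leakage from the host side.
# For each 802.1Q VLAN ID given, bring up a tagged subinterface on IFACE, ask
# for a DHCP lease, and compare the result with the VLANs the port is meant to
# carry. A lease on any other VLAN is the "VLAN hop" shown in the video.
#
# Assumptions (not from the video): Linux host with iproute2 and ISC dhclient,
# run as root, and a DHCP server present on the VLANs being probed. Interface
# and VLAN numbers in the usage text are placeholders.
set -euo pipefail

DHCP_TIMEOUT="${DHCP_TIMEOUT:-8}"   # seconds to wait for a lease per VLAN

# Tagged subinterface name for a VLAN ID, e.g. vlan_ifname eth0 60 -> eth0.60
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Usable 802.1Q VLAN IDs are integers 1..4094 (0 and 4095 are reserved).
valid_vlan_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# is_allowed VLAN ALLOWED_CSV: succeeds if VLAN is one the port should carry.
is_allowed() {
  local vlan="$1" csv="$2" id
  local IFS=','
  for id in $csv; do
    [ "$id" = "$vlan" ] && return 0
  done
  return 1
}

# verdict VLAN ALLOWED_CSV GOT_LEASE(0|1) prints:
#   OK    allowed VLAN reachable, or disallowed VLAN blocked (expected)
#   FAIL  lease on a VLAN the port must not carry: traffic restrictions missing
#   WARN  allowed VLAN gave no lease (no DHCP there, or port over-restricted)
verdict() {
  local vlan="$1" allowed="$2" lease="$3"
  if is_allowed "$vlan" "$allowed"; then
    [ "$lease" = 1 ] && echo OK || echo WARN
  else
    [ "$lease" = 1 ] && echo FAIL || echo OK
  fi
}

# probe_vlan IFACE VLAN: prints 1 if a DHCP lease arrived on the tagged
# subinterface, else 0. Uses private pid/lease files so the host's own
# dhclient is untouched, and always tears the subinterface down again.
probe_vlan() {
  local iface="$1" vlan="$2" sub pf lf addr=""
  sub="$(vlan_ifname "$iface" "$vlan")"
  pf="/run/dhclient-$sub.pid"; lf="/tmp/dhclient-$sub.lease"
  ip link add link "$iface" name "$sub" type vlan id "$vlan"
  ip link set "$sub" up
  # -1: give up after one attempt; coreutils timeout bounds the wait.
  if timeout "$DHCP_TIMEOUT" dhclient -1 -q -pf "$pf" -lf "$lf" "$sub"; then
    addr="$(ip -4 -o addr show dev "$sub" | awk '/ inet /{print $4; exit}')"
  fi
  [ -n "$addr" ] && echo "  $sub got $addr" >&2
  dhclient -r -q -pf "$pf" -lf "$lf" "$sub" 2>/dev/null || true
  ip link del "$sub"
  [ -n "$addr" ] && echo 1 || echo 0
}

main() {
  local iface="$1" allowed="$2" vlan lease v rc=0
  shift 2
  [ "$(id -u)" -eq 0 ] || { echo "run as root (needs ip and dhclient)" >&2; return 1; }
  for vlan in "$@"; do
    valid_vlan_id "$vlan" || { echo "invalid VLAN id: $vlan" >&2; return 2; }
    lease="$(probe_vlan "$iface" "$vlan")"
    v="$(verdict "$vlan" "$allowed" "$lease")"
    printf '%-4s VLAN %-4s lease=%s\n' "$v" "$vlan" "$lease"
    [ "$v" = FAIL ] && rc=1
  done
  return "$rc"
}

# Example: the port should carry only VLAN 60; 13 and 777 must stay blocked.
#   sudo ./vlan_hop_probe.sh eth0 60 60 13 777
if [ "$#" -ge 3 ]; then
  main "$@"
else
  echo "usage: $0 IFACE ALLOWED_VLAN_CSV VLAN_ID [VLAN_ID ...]" >&2
fi
```

With Block All applied, every VLAN outside the allowed list should come back `OK ... lease=0`; with the traffic restrictions checkbox cleared, those same VLANs return `FAIL`, which is the behaviour demonstrated in the video. One caveat: a VLAN with no DHCP server reads as blocked even when the switch is passing it, so for such VLANs ARP the VLAN's gateway from the subinterface (for example with `arping -I eth0.777 <gateway>`) instead of relying on a lease.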
Info
Channel: Lawrence Systems
Views: 33,658
Keywords: LawrenceSystems, Switch Port VLAN Traffic, switch trunk port configuration, switch ports in networking, switch trunk port, Uifi vlan traffic, unifi vlan traffic rules, uifi vlan, unifi vlan, unifi vlan setup, unifi vlan firewall rules, unifi vlans and trunking, unifi vlan tagging, unifi vlan setup 2023, unifi vlan configuration
Id: TCMivAkDBtw
Length: 9min 13sec (553 seconds)
Published: Sat Nov 04 2023