UniFi Network BEGINNERS Configuration Guide | 2024

Captions
so you've decided that UniFi is the right solution for your business or home but you're not a network engineer and you want to make sure that there isn't going to be any security vulnerabilities and you also want to take full advantage of all of the functionality of a business grade system well this is the video for you we're going to talk about everything from basic terminology all the way to more advanced features like vlans and IPS and show you how to set everything up to best practice just the way we would do it if you were to hire us as a consultant so without further Ado let's dive right into it now should you require more Hands-On support not only can we help you spec out your system and deploy it we can also manage and support your entire UniFi ecosystem pricing for this is down in the video description now before we get into our initial configuration we need to discuss terminology specifically the different types of devices that you're going to be working with now if you've been shopping for UniFi equipment you've probably seen things like gateways consoles switches access points and you may not be exactly sure what you need and frankly it can be confusing because very often one piece of Hardware can serve multiple functions well let's break it down a Gateway is a device that sits at the edge of your network it connects your local area network to the broader internet and very often a Gateway can have other functions it could be a wireless access point it can also be a switch it could be a modem and in most cases with UniFi it's going to be a console but we'll break those other terms down next the next term is switch a switch is a device that lets us plug in various devices whether it be printers phones computers cameras other networking equipment such as switches gateways wireless access points door access control systems iot devices you get the idea if it uses an RJ45 or an ethernet cable and it plugs into that device well that device is a switch and most 
of the UniFi gateways are also switches actually most gate gateways are also switches but when we say switch in the networking World we're typically referring to a standalone device that is strictly a switch now the term wireless access point should be pretty simple that is a wireless radio that broadcast Wi-Fi and in general just like with switching in the networking world when we say Wi-Fi access point we generally are referring to a standalone device that sole purpose is to broadcast Wi-Fi not a device that has a number of different functionality now the last term we're going to cover that somewhat unique to ubiquity is console now what is a console well you don't actually need a console to configure your network that's true you can remote into every single networking device via SSH and configure it but that's not exactly very intuitive although it is what we do in larger networks and it's what we used to do for all networks years ago and this is what makes UniFi really unify and that's the ease of configuration via a console now in most cases your gateway is going to be be your console such as the dream machine pro the dream machine pro se the dream router the UniFi Express all of these are examples of gateways that are consoles as well now there are a couple different types of firewalls from ubiquity or gateways rather that are not going to include a console built into them this includes the Gateway light the Gateway Pro and any of the older USG models you will need a standalone console to administer these networks easily a good example of Standalone console is this this is a cloudkey Gen 2 plus and in addition to helping you administer the network via the network application you can also run protect talk access connect and any other apps ibiquity may come out with in the future now if you're planning on deploying a network that's going to have hundreds or thousands of UniFi devices this guy is not going to cut it you're going to want to take a look at the 
cloud key Enterprise finally you can also deploy the network Control software via Windows or Mac OS or even on a Linux server but in general I don't recommend this approach because it requires more maintenance and there's nothing like the feeling of knowing that you're going to have to reconfigure your entire network from the ground up because you forgot to do a backup and your computer had some sort of malfunction in general UniFi consoles are going to be far more reliable for administering your network than anything you're going to self host as with most things in life our journey begins with a Gateway in this case the dream machine probe now we're going to we're going to want to plug our internet into the WAN port on the udm but before we do that we're going to want to remove any other networking equipment after all we want this to be the Gateway of our Network now in most cases you may need to go into your modem and set it to bridg mode this is going to ensure that your modem is not also functioning as a Gateway this can create a situation called a double knat and it's generally not a good thing to have on your network if you have any questions you should contact your provider because in some cases they'll have to enable bridge mode for you now let's proceed with plugging in our computer into one of the landan ports on the udm and from there we're going to open up our web browser and we're going to head on over to the IP address of the udm in this case it's going to be 1 192.168.1.1 now we can name our device I think this would be a great deployment for a coffee shop so let's go with something cool now something I want to point out very quickly is that if you are replacing a failed piece of equipment or upgrading you can actually restore from a backup right here let's go ahead and proceed though and we can either create or log into an existing ubiquity account now if you're deploying this for an organization a bit of hous keeping that I recommend is creating a 
standalone it account for the organization such as ity yourdomain.com in our case we're going to go ahead and sign in with our ubiquity account now because I've signed in with my ubiquity account it's giving me the option to restore from a backup from one of my other consoles because we're going to set this up as a brand new site we're going to go ahead and click continue without backup at this point I recommend you go get a cup of coffee as setting up UniFi OS and updating the console can take up to 20 minutes setup is complete now we can go ahead and log in normally if you see this alert on the internet you should steer clear but it's just telling us that the certificate used to encrypt our traffic between our computer and and the console is self-signed and it hasn't been verified by a third party but in this case we know that the udm pro is trustworthy so let's go ahead and proceed anyway now we're going to log in with our ubiquity account the same account we used earlier awesome now that we're logged into UniFi OS we can actually start plugging devices directly into the ethernet ports on the udm and start using the internet this is something that kind of separates UniFi from other vendors out there and that's that you could basically plug in a switch and start using it immediately without any configuration of course there's a lot of benefits to configuring things and that's what we're going to do next let's go and open up the network application right here and then we're going to head on over to devices you can see right here we have our udm Pro let's go ahead and plug it in our 24 Port Poe switch awesome there's our 24 Port switch I'm going to go ahead and click this button to adopt it and while that's happening I'm going to get get our access point ready in this case we are going to be utilizing the U7 Pro this is an awesome access point for a number of reasons a big one is that in addition to the 2.4 in 5 GHz bands this uses 6 GHz so it's definitely going to 
Future proof our Network in terms of performance looks like our switch has finished adopting now we just need to wait for our access point to finish booting so we can adopt it if you're not planning on using more than eight ports by the way you're better off getting the udm pro se rather than a standalone switch since you could plug your access point directly into the ethernet ports on the udm itself and there's our access point I'm going to go ahead and adopt it if you're worried about running out of space on your switch one tip is to use a direct attached copper cable like this one these are great because you can use the SFP ports on your equipment and if your equipment is SFP plus equipped you can get faster speeds at 10 gbits per second these generally cost about $20 on Amazon and they come in different colors and lengths I have ones we use linked down in the description below with all the color options but it looks like our U7 access point has been adopted so now we're going to move on to our next chapter and that is going to be virtual networks in order to understand how amazing virtual local area networks are vlans we first seem to understand what we did before we had vlans back in the long ago in the era of 2005 2006 if you wanted to have a separate Network for your guest or a separate Network for your servers you had to physically deploy separate equipment and isolate it physically virtual networks and virtual local area networks specifically is a technology that allows us to do this well virtually and that's what we're going to configure now since we aren't limited by the cost of physical equipment we can have as many as we want and depending on your use case you may have more or less than what I'm going to configure here's what we're going to set up and this is the scheme that we do for most of our clients we're going to set up a core Network the core network is specifically and only for networking equipment it's the what the udm itself is going to sit 
on the access point the switch and any other servers we may get in the future the second Network we're going to configure is a staff Network or a people Network this is going to be for our employees at our pretend coffee shop the next Network we're going to configure and it's an optional one and that is a VoIP Network now separating your VoIP traffic is good for a number of reasons but sometimes we may not want to do it especially if we are doing pass through on our phones a lot of void phones you know will plug into the wall and the computer will plug into the void phone and if we're using soft phones then we're not going to worry about it but we're going to configure it for the purposes of this guide the next Network that we're going to configure is going to be a security network this will be for our security cameras our door access control system and anything that's related to building security then we'll configure an iot Network this will be specifically optimized for iot devices and a big reason of segregating this traffic is we don't always trust all of our iot devices and many of them have been known to scan our Network and send that Telemetry back to the company that made the product and that company could be in China so we're going to separate that traffic now the last Network we're going to configure is the guest network but as I said earlier your network is going to look different than this one or it might look the same we've done a lot of deployments where we've had less VLS or more VLS depending on your use case so let's begin with conf configuring the core Network to configure our networks we're going to click on the gear icon in the bottom left and then we're going to go to networks here you can see we have one default Network already and this is actually going to be our core Network however we're going to change the scheme currently it is a Class C we're going to move it to a class A specifically 1069 now that second octet that two or actually one 
to three digigit number can be whatever you want pick a number that's meaningful to you we are big fans of the space program and Apollo and the year that we went to the moon was 69 so that's why all of our networks begin with that second octad of 69 we're going to go ahead and click into it and one thing you'll notice is we can't rename it this is a limitation of the newer version of UniFi OS so we're going to go to system down here Advanced and we're going to switch back to the Legacy interface just for a second we're going to go back to settings networks default and we're just going to call this core Network we're going to save this we're going to go back to user interface and we're going to switch back to the new user interface now we're going to go back to the Gear networks and we can see this network has been named core Network now we're going to change the IP scheme and something to note here whenever we change an IP scheme of a network all of the devices on that Network may not automatically request a new IP address because they're still going to remember the lease that they had before we changed the IP address the easiest way to fix this is either to power cycle those devices or unplug them and plug them back in let's go ahead and change this from automatic scale Network and we're going to do that 10.69 do11 and we're going to do a sl24 for all of our networks we're actually going to do a sl24 and this is going to allow us to have in the neighborhood of 200 devices if you're going to have more than that then you want to do a bigger subnet which is actually a lower number let's go a and scroll down here and talk about these options now content filtering is pretty cool but here it is very aggressive and if we hover over work you can see that YouTube is set to safe mode Google is set to safe mode which Google being in the safe mode is fine uh however YouTube can be pretty aggressive and family is even more aggressive so we're going to leave that alone but we 
are still going to do DNS filtering specifically we're going to use cloud flares porn and malware blocker now this is a great solution because it blocks those types of content but it's also not overly aggressive and we can have more aggressive forms of filtering if we want to and I'll show you how to do that later on next we're going to change our DHCP range because this is the core Network we're going to be setting static IPS for all of our equipment so I like to start this at 100 and that way I have the first 100 addresses for routing and switching equipment and then for the back end I'm going to stop it at 199 because I like to use 200 and above for my access points next we're going to go ahead and click on show more options and then we're going to change DNS from Auto and we're going to manually enter our DNS servers now don't add any other DNS servers here because if you do you will disable the filtering we're not going to change the least time but we are going to enter in a domain name we don't actually have to since we're not on a Windows ad network but we're going to do it for fun all right that's great and by the way at the Loc TLD is reserved for local network use so you can set anything you want to be local and that will work locally on your network and if we head back over to UniFi devices you can see that our udm Pro is getting ready and that means it is provisioning however if I hit refresh here nothing's happening it's not refreshing and the reason for that is the IP address of our udm has changed it is now no longer 1921 6811 it is instead 10 6911 and I actually probably won't be able to go to it because my computer still has an address in that class C that 192 address so does the access point and the switch the easiest way to fix this is just to unplug these devices and plug them back in because then they will request a new DHCP relase let's start with my computer awesome now let's head over to that new address and we will need to reauthenticate 
because we are in a new session now we're going to click on network in we'll go to UniFi devices and you can see here our switch is getting ready and our access point is still offline because I power cycled it looks like everything's readapted with a new IP address in our class A but since we're on the topic of the core Network let's go ahead and assign static IPS to these other devices we'll start with the switch I'm going to go to settings and then we're going to change IP settings from DHCP to static now if you mess this up you will actually lock yourself out of the switch but don't worry you can actually just reset your switch for a paperclip and then it will pull up again with a DHCP address and you can try again and if you do that don't feel bad I've done it a number of times the IP address we're going to do 10.69 do12 for the DNS we're going to use the same thing that we used before now since our network is a sl24 our subnet mask is going to be 255.255.255.0 and then our Gateway is the IP address add of our Gateway which is 10.69 do11 now I always recommend giving this a read over just to make sure we enter it in everything correctly but let's go ahead and apply these changes and we'll move on to our access point we're going to click on settings and then we're going to scroll down and we're going to change IP settings to static same thing except this time we're going to use the address 200 for the fourth octat because I like to put the X points on the tail end of the scheme as I said earlier I recommend giving this a read over to confirm everything but let's go ahead and apply changes awesome looks like that did take successfully now we can move on to creating our other networks next is the staff Network we're going to go to the settings icon networks and we're going to create a new virtual Network we're going to call this staff Network we are going to disable autoscale and we're going to type in our scheme 10. 
69.2 do1 this will also be a /24 and we're going to change Advanced to manual now something we see here that was not present on our core Network and that is a VLAN ID you see the core network isn't a VLAN it's just a regular Lan and this being a VLAN it needs a VLAN ID this really is only going to be useful if you are connecting ubiquity gear to other non UniFi gear which you can do by the way if you want to use vens though you will need to manually go into that equipment and specify the V lens you're going to be using for every single port on your switch or wireless access point we're also going to leave multicast enabled for those of you wondering what is multicast well if you've ever gone to use an Apple TV and seen it pop up right on your phone or use air print you've probably wondered how did my phone find that device without me entering an IP address or a domain name or just any other information and the answer is multicast more specifically ballour but balour is a multicast protocol basically the Apple TV or air print printer just says hey everybody I'm here hey everybody I'm here and that's great especially on small networks but we typically disable this or at least enable some controls on larger networks to keep things from getting too crowded on the network but in our case we're going to leave this enabled on every Network except our guest Network we can also leave the DHCP range as it is and we're going to change one more setting in here and that's DNS we're going to set that to the same DNS servers we did before I will also change the domain name and let's click add next we're going to create our VoIP Network for this scheme we're going to do 1069 31/24 and we're going to do the exact same settings we did before now we're going to create our security network this will be 10.69 4.1 sl24 and we're going to use the same settings next we're going to make our iot or our building Network for this we're going to do 10 6951 and it will also be a sl24 and we're 
going to use the same settings as we did for all of our networks finally we're going to create our guest Network and the settings here are going to be very similar with one exception we do 10. 69. 6.1 just like before we're going to change this to manual V ID of6 that's fine and we are going to enable Network isolation this is just one of the layers of security work going to apply to keep our guest traffic separate from all of our other networks we're also going to disable multicast and the DHCP range is fine to be left alone finally we're going to go down under show more and we are going to change the DNS settings and manually add those same DNS servers we added earlier it's not required but you can also add a local domain to the network that looks good let's go ahead and click add and there are our vlans we have a core Network a staff Network vo security iot and a guest network but we're not done with network configuration we're also going to go ahead and disable IPv6 Now The Savvy among you probably have noticed that with the exception of the guest Network I didn't create any additional firewall rules so this means that technically a device on the iot network could talk to a device on the staff Network so are we going to create these rules well the answer is no you see we're already doing more than most organizations do by separating our traffic into vlans and a device on one network would need to know the IP address of that device on the other network in order to communicate even in that case that traffic is going to go over our Gateway so it is going to be sniffed by intrusion prevention and we're going to set that up later now you absolutely can go and configure these rules and it is best practice but for the purposes of a beginner tutorial I don't recommend setting up those rules especially if you are a beginner now we're going to go ahead and head on over to our UniFi devices section and we are going to set up the ports on this switch for the appropriate 
Network so we're going to click on our switch here and we're going to go into Port manager all right I've got everything selected now I'm just going to go ahead and click on core Network and we're going to change this to staff Network now I don't have anything plugged into these ports but should I plug in for example my computer into one of them we're going to get an IP address that looks like this and you can see by that third octet the two we are on the staff Network now that we have set set up all of our virtual networks and configured our network switch we're going to move on to the next chapter Wi-Fi to get to the Wi-Fi settings we're going to go ahead and click on the gear icon here and then we're going to go to Wi-Fi here we're going to create our staff Network and I'm going to call it Florida coffee staff and we're going to need to choose a password I recommend anything longer than 12 characters because this is a Wi-Fi network password I'm going to use a passphrase as opposed to a password which is easier to remember remember and type in this next section right here is very important and it's where we're going to choose what virtual Network our Wi-Fi network is going to use in this case we're going to go ahead and choose that staff Network the next setting here we're going to choose which access points we want to broadcast this network on this is great if you have certain Wi-Fi networks that you only want to be broadcasted in certain parts of your facility in our case we only have one AP which is why we have the only option there under Advanced we're going to switch it to manual and then here is where we can set a a couple different things first is our hotspot portal I'll show you how to configure this later because we're going to use it on the guest Network and we also have the option of which bands our Wi-Fi is going to broadcast on you will notice because we have a Wi-Fi 7 access point we have a new Option 6 gigahertz let's go ahead and enable that we 
can also hide the Wi-Fi name now what this does is it's not going to broadcast the network name so if someone wants to join it they're going to have to go to other in their device settings and type in the network name I generally recommend this for staff and iot networks so let's go ahead and enable that client device isolation is not something we're going to have on the staff network but we will use it on our guest Network fast dring is something we generally enable Wi-Fi speed limit is not necessary multicast environment again we want to make sure we enable this if we're planning on using anything that uses ball drawer or a multicast protocol such as air print or AirPlay for security protocol we're going to choose wpa3 but you may notice these other options are gray out and that's because we opted to use 6 GHz now 6 GHz is an awesome Wi-Fi band but it is a newer technology so it doesn't support WPA 2 these are just different security protocols and what you need to know is just the higher number means more secure we're not using WPA 1 at all two is kind of been the standard for a number of years but there are some security vulnerabilities that we know about and so three is the most secure Wi-Fi authentication method that we know of and most devices now coming out now should support wpa3 but you're going to find a couple devices that simply don't work with it and require WPA2 especially on the iot side of things and that's probably because iot devices are notorious for having security vulnerabilities and different issues but that's why we created a separate VLAN for iot but on this network we're going to use WPA 3 that said if you have any issues connecting devices this is the first thing I would check the second thing I would check is disabling hiding your Wi-Fi network from being broadcast next we're going to go ahead and create our iot Network let's go ahead and click create new for the name I'm just going to call it iot remember we're going to be typing this in 
on devices that may not have great keyboards like thermostats or other devices so we want to keep things as short as we can for password we're going to choose a 12 character passcode that doesn't use symbols as some iot devices actually have issues with symbols which is weird but it happens now for the network we're of course going to choose iot we're going to change change to Advanced and here this might vary depending on your use case some iot devices don't work well if there's a 5 gz Wi-Fi band being broadcasted so we can disable that and strictly have it be a 2 gz band I also like to hide these networks since they're kind of service based networks I don't want people to see them and then if we scroll down to the bottom here we're going to choose WPA 2 for the network and we definitely want to make sure that we enable multicast on this network one option you can configure on this network is client device isolation if your iot devices only need to talk to the internet and not to each other tick this box now we'll add that Network as well lastly we're going to go ahead and create our guest Network and then we're going to set up the captive portal for it for this I'm just going to call it Florida coffee now for guest networks I like to keep this clean and simple remember both the staff and iot networks are hidden so this is the only Network our guests are going to see now if you're planning on using a captive portal we don't want to put a password in here as that means users are going to have to enter a password in twice once when they click on the network and then again when they are prompted to enter the password in the captive portal if you are not planning on running a captive portal and you want to keep your guest network password protected then you should enter a password Here of course we need to switch our Network to guest and then we're going to toggle on advanced settings if we want to use a captive portal we enable hotspot portal captive portal is 
technically a Cisco term but it's become the industry standard term UniFi likes to refer to this as a hotspot portal either one works now we can enable the 6 GHz band here but if we do so we will not be able to utilize WPA2 so if you're not planning on utilizing a captive portal and you want to use WPA2 to allow more devices to join make sure you do not enable Wi-Fi 6 but since we're using the captive portal and we're not going to have any password here on the WPA side we're going to leave that enabled we obviously don't want to hide the Wi-Fi name but we are going to enable client device isolation what this does is it prevents a device on the guest network from talking not just to other networks but to other devices on the same network this is really good because it's an common attack Vector uh used by malicious actors especially in our coffee shop we don't want someone coming in there setting up a laptop and uh committing malicious acts on our other customers in the shop so very important we enable this functionality for our guest Network we can go ahead and enable fast roaming and we will enable a Wi-Fi speed limit so let's go and create a new Wi-Fi speed limit profile we'll call it guest and this part's going to vary depending upon your internet connection you can always start it off high and lower it uh we'll go with 50 by 20 and we'll add it and you can see we have now added a Wi-Fi speed limit profile so we'll head back to Wi-Fi Now a quick note on the Wi-Fi speed limit this is going to be per guest not for the entire network so make sure you set that limit taking into account that that is going to be the per device speed limit let's go ahead and select that profile and then we're going to make sure that multicast is disabled since this is a guest Network after all and then for security once again because we are using that captive portal we're going to leave this set to open and if we want to we can set up a Wi-Fi schedule this is really good if you're in a 
place that is well public uh because it's not uncommon for folks to come out to your parking lot and torrent movies and depending on your provider you can get into trouble with that it's also good just to keep people from loitering so if this is a problem here's your solution but we're going to pretend that our fictitious coffee shop operates 24/7 so we'll keep that disabled and then we're going to go ahead and add this wi-fi network and there you have it there are our three wireless networks we have a network dedicated to our staff our iot devices and our guest now we can absolutely set up Wi-Fi tuning for each specific access point but that's a little bit more complicated and the AI technology has gotten better and better and better so you're better off in most cases just clicking the optimize Now button and letting it rip optimizing your Wi-Fi now we're not quite done with the Wi-Fi setup we have one more step to do if you want to utilize the captive portal remember we just need to make sure that we tick that hotspot button when we're in the guest Wi-Fi settings but to configure it we're going to go over to the hotspot configuration tool to do this we're going to go to the hotspot manager and then we're going to click on landing page now this is pretty customizable we can change the background the colors the logo I'm going to go Ahad and find some good photos online on unsplash and grab an icon from the internet there we go I think that looks pretty good for our captive portal I'm going to go ahead and save those changes but I want to show you some of the other options we have in here under authentication if we want to have a password we can do so simply by taking the box and entering in our password we can also charge for payment uh this does require some additional integration and I'm not going to go into it in this video but this is a great solution if you're running some sort of hotel service and you want to charge for different speeds of Wireless we can 
also issue vouchers. This is a really great solution for that same use case, but maybe you want to use your existing payment system, or you're charging at the time of booking, or you want them to be able to come to the front counter, pay for a service, and you give them a voucher to get online rather than doing all of it through the portal itself. All right, let's go ahead and test our captive portal. Here we go, let's enter our password, and we're in. I'm going to run a speed test just to make sure our speed limit is working. Well, the results are in, and our speed limit is working.

Now we have one more step we can do to optimize our Wi-Fi performance, and that's going to be modifying the AP broadcast settings. Now, as I said earlier, when it comes to picking specific channels to broadcast on, in most cases you're going to be better off leaving this to Auto, but there is a setting we can modify to give us a little bit more performance out of our APs. There are some exceptions to this, so your mileage may vary, but in nine out of ten situations what I'm going to show you will improve your wireless performance. To do so we're going to head on over to the Wi-Fi access point, click on Settings, and then come down here and change the transmit power from Auto to High, and we're going to do the same thing for all bands. Now, you can also modify the channel width, but this is going to have two caveats: number one, modern devices support higher-bandwidth channels, and if you live in an area with crowded frequency space this could actually hurt performance, not help it. But if you're in a very remote area and you're managing all of your own access points manually and keeping them separated, this can add performance. In general, though, you're better off just setting the transmit power to High and leaving these defaults as they are unless you know what you're doing. I'm going to go ahead and click Apply Changes, and with that we are done. This concludes the Wi-Fi chapter.
Next we're going to talk about security. Now, before we begin, I wanted to debunk a common misconception when it comes to network security: good network security is not a replacement for other forms of security such as device security, data security or cloud security; rather, it's just a different layer of security. Now, it is true that network security matters far less than it did 10 years ago, and that may come as a shock. It's not that it doesn't matter; it still does, and in some ways it matters more, but we're no longer, in most cases, sending our data unencrypted. We're using HTTPS for pretty much everything on the internet now. There's still a great amount of data people can get from monitoring network traffic, such as what websites you're visiting, how much time you're spending on a particular site, how much data you are transmitting, and you can actually tell a lot from that, more than you would otherwise think is possible. Trust me.

With that said, we still want to enable best-practice security, and it starts with good password security. We recommend 12 characters or more. Why 12 characters? Well, 12 characters seems to be the number right now that's pretty hard to break unless you have access to a large amount of computational resources or you want to spend a lot of money with AWS. Now, this is going to be true for your Wi-Fi password as well, and most importantly your UniFi account password. Make sure this is a password that is unique; don't just add a number to your existing password. And if you're not currently using a password manager, I recommend 1Password or Dashlane. I've used them all; 1Password is my favorite.

Now, with all of that out of the way, let's actually dive into UniFi and begin optimizing our security for this network. To get to security we're going to go to the gear and then to Security. Now, here we have a couple of options; let's go over them. The first is device identification. This is pretty cool: essentially what it does is it uses the MAC address of
a device to determine what the manufacturer and model of that device is. It's not perfect, but it works for most common devices: anything in the Apple ecosystem, Dell, HP, you know, UniFi, Nest. If it's a common manufacturer, it's going to show up here. It's pretty cool tech. We can also enable or disable traffic identification. Now, this means that we're going to be able to determine what websites our clients are visiting, and this is why network security is important, because if we don't have good security in place, anyone on a network may have the ability to do this. Obviously not to the degree that we're going to have in UniFi, but they could still monitor this data.

Country restrictions: I definitely recommend enabling this. It's not foolproof, as getting around it is as simple as using a VPN, but it is an additional layer of security that is good. Now, I don't recommend you go crazy with this, because you're going to learn very quickly how far your traffic might go to get to a particular website, even if it's not in a country that you think it's in. What countries do I recommend blocking? As of the recording of this video, these ones.

Now, ad blocking is pretty cool, but it is very aggressive. Not because it's going to block other things, it only blocks ads, but what you don't realize is that the first few results in a Google search are just ads, and while you are probably a tech-savvy user, most users are not, and you're going to get emails very quickly complaining that the internet is down when you're just blocking ads. So enable this option with caution.

The next option is DNS Shield. Now, this is new tech and it's pretty cool. See, one of the challenges with using the internet is that at the end of the day you don't know where a website is, so you have to ask an index, in this case a DNS server: hey, where is google.com? And it's going to tell you the actual address, or IP address, of google.com. The problem is that your ISP, or whoever you're getting your DNS from, can tell what you're looking
up when you query a DNS server, and this is a way to mitigate against that. Now, you are kind of moving the problem to the provider, so hopefully you trust the DNS provider that you're using, but this is an additional layer of security that's pretty cool if you want to play with it. We're starting to enable it on some deployments, but it is new tech, so again, be cautious.

Now let's talk about honeypotting. The internal honeypot is a feature that will let us essentially set a trap for the bad guys. So if you want, you can set one up on your various networks, and if any malicious computers try to, I don't know, take advantage of the honeypot, we'll get a notification. I actually have not seen this used in the wild. We generally try to secure our networks, so it doesn't surprise me that we haven't seen this be triggered.

Now, under Suspicious Activity, this is what we call IPS or IDS. It stands for intrusion detection system and intrusion prevention system. What's the difference? Well, IDS is simply going to detect and notify us of a potential intrusion, whereas IPS will take action. Now, in most networks that we're running, such as pfSense or Palo Alto, we're typically running IDS, but the UniFi IPS is actually good enough that we just run IPS, as I've actually never seen it give a false flag, at least not in the last year or two. So we're going to enable this and tick all of the options. We're also going to apply this to all of our networks, although we don't have to if we wanted to apply it to one specific network. We're going to set this to Notify and Block (this would be IPS versus IDS), and then we're going to set it to High. Of course we can go in here and customize the categories if we want to, but since we're running a UDM Pro we have more than enough horsepower in order to filter for all of these options. We also are going to go ahead and block the dark web and block known malicious IPs. This is a good additional layer of security in addition to our Cloudflare filtering that we're doing through DNS, which we set
up earlier in the virtual networks chapter. This is going to utilize UniFi's custom list of known malicious IPs. Now, I want to say something real quick: I think they have done a great job of giving us ready-to-go, out-of-the-box solutions, especially for smaller networks, because we need to remember we're not going to have full-time IT administrators in most cases administering these small networks, and so having a set of tools that we can just turn on and know are not going to give us false positives is really good. It's why we turn most of this on, actually all of this on with few exceptions, for all of our deployments. Now let's go ahead and apply our changes and provision this. This is going to conclude our security chapter.

Next we're going to tackle VPNs. This chapter is optional, but if you want to take advantage of the VPN functionality within UniFi, we're going to cover the different types of VPN that we can configure, and I'm going to show you how to configure one of them. Now, I want to debunk a myth about using a VPN, and that's that using a VPN just makes you more secure. While it can, the reality is when we use a VPN we're just moving the burden of information from one provider to another provider, and to be honest with you, I wouldn't trust any US-based VPN company; I would use something like ProtonVPN or Mullvad VPN.

Now, what are the types of VPNs in UniFi? Well, the first type is going to be a VPN server. This is us configuring our UniFi gateway as a VPN server, so if I have a device like an iPhone or a MacBook and I'm traveling, whether in the US or even internationally, I can tunnel back into my network and access resources, be it servers, or just make the internet think that I'm still in my office at home. Now, we can configure these with a couple of different flavors of protocols, and I'll show you that in a second. The second type is going to be a VPN client. This is where our UniFi gateway is acting as the client and it is connecting out to another VPN service.
Now, we actually have a video on this where we use Mullvad VPN to make our entire network appear as though it was in New Zealand. There is a pretty cool use case for this: a lot of social media, whether it be TikTok or Meta, just is not secure and they are doing a lot of data collecting, so what you can do is create a route in UniFi to send any social media traffic out over that VPN so those services think you're in a different city than you are. It's a pretty cool way to make your network more secure, and it anonymizes traffic because it's different from the rest of the traffic on our network, which is just going to go right out the regular WAN.

Now, the last type of VPN is going to be a site-to-site VPN, and this is something that is very unique and pretty cool in UniFi. This is where, if we have multiple locations, we can actually connect them together to make them appear as one network. It's kind of like getting a spool of Ethernet and running it from one location all the way across town to the other location. So if we have a server, be it a Synology server that's running an SMB file share, well, folks at the other location can access those resources just as if they were on the actual physical network. It's pretty cool, and it relates to a new technology that Ubiquiti has called SD-WAN. SD-WAN is a phenomenal technology, and under the hood it does utilize a VPN, but we'll cover that in a later video.

Now let's go ahead and get into configuring our VPN, and to do that we're going to click on the gear icon and then VPN. Now you may notice we have four tabs here, and that's because the first tab is for Teleport. This is UniFi's custom flavor of VPN, and what it allows us to do is give folks access to our network via a VPN just by sharing a link; they just need to install the WiFiman app. Now, what's pretty cool about this is we can actually use it for remote deployments of UniFi Talk phones, so if you want to give someone a UniFi Talk phone for their home office, well, they can actually connect back to your
network using Teleport. It's pretty cool, but we're going to talk more about the VPN server, because for most of you that are configuring VPNs this is probably what you're going to be using, and the other two types we can cover in different videos.

Now, when we talk about configuring our UDM Pro to be a VPN server, one of the most common questions we get is: which VPN protocol should I use, WireGuard, OpenVPN or L2TP? And the answer is, it depends. Now, in our view WireGuard is simply the best, fastest and lowest-latency VPN protocol, and our testing shows that OpenVPN is not far behind. But there's a reason why a lot of you are going to opt for L2TP, and that is compatibility. You see, my iPhone out of the box supports L2TP, no third-party apps required, and that's the one I'm going to show you how to configure in this video, because for most of you, you can simply input these credentials into any computer and you'll be able to VPN back into your main network. So to do that we're going to head on over to L2TP, and then here we can give it a friendly name; let's just call it "L2TP coffee". Then we have a pre-populated pre-shared key. This is a shared key that everyone who needs to use our VPN service will need, and we'll want to share that with them. Next we're going to choose a public IP address that we can use for our VPN server. Now, most of you are just going to have one, and in my case you can actually see this is an internal IP address. The reason for that is this is a lab environment and I actually have it sitting behind another firewall. If you do see an internal IP address, most likely your modem is not in bridge mode and you want to remedy that, as otherwise your VPN is not going to work. Down here we can create new users, and you can see I already have a test user, so I'm going to go ahead and create a new user; let's call it "test two". Now, best practice is to create a unique username and password for each individual that's going to be accessing the VPN. Under Advanced we're going
to select Manual, we're going to leave the RADIUS profile on Default, and we are going to set up a different range than the default values. In our case we're going to do 10.69.200.1. Now, as you may have noticed, this is outside the range of any of our existing VLANs, and this is done intentionally. It's best practice to have our VPN network be separate from the rest of our traffic, and if we know the IP of other devices we can still talk to them, barring any firewall rules that would block that. Finally, we're going to require strong authentication, and we can go ahead and add this VPN configuration.

Now I'm going to show you how I would connect my Mac to this VPN server. First we're going to go to System Settings, then to VPN, click Add VPN Configuration and choose L2TP. Now we just need to fill in the details. The first thing we can do is give it a friendly name; for configuration we're going to leave this at Default, and then we're going to need to enter our server address. This is going to be this server address found right here. Then for our account name we're going to enter our username, in this case "test two". User authentication is going to be Password, and we're going to enter our password, which is going to be right here. Machine authentication is going to be our shared secret, and we can copy that right from here. And that's it, we just need to click Create, and then to connect we're going to toggle right here. That's it, you just configured a VPN server, and because you're using your hardware and your internet connection there are zero monthly fees to keep this going.

Now, we covered a lot of ground in today's video, and that's because you guys requested a comprehensive beginner guide to configuring UniFi, so we've made this video for you. We'd like to know what other videos you would like to see, perhaps more advanced features in UniFi that we could explore, or other technologies as they relate to it. Let us know down in the comments
below. Now, we make these videos for free for your enjoyment, so if you are planning on purchasing some UniFi gear we'd really appreciate it if you could use our affiliate link down in the description. It doesn't change your price, but it certainly helps us out here. And if you are looking to hire someone for IT consulting, we would really appreciate your consideration. That's all we have for today. I hope you guys have a fantastic rest of your day. Until we meet again, bye for now. [Music]
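The security chapter's password advice (12 characters or more; unique; not an existing password with a number tacked on) and the VPN chapter's rule of one username and password per person are easy to state and easy to get wrong in practice. The script below is an added example written for this page, not code from the video or from Ubiquiti: it generates a pre-shared key and per-user VPN passwords from the operating system's CSPRNG, flags the "existing password plus a number" pattern, and puts a rough number on why 12 characters is the cut-off. The 64-symbol alphabet, the 10^12 guesses-per-second rate and all function names are assumptions of the example, not figures from the video.

```python
import math
import secrets
import string

# The guide's recommendation: 12 characters or more for Wi-Fi, VPN and account passwords.
MIN_LENGTH = 12

# Character set for generated secrets (an assumption of this example; 64 symbols,
# so every character contributes exactly 6 bits of keyspace).
ALPHABET = string.ascii_letters + string.digits + "-_"

TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
REUSED = "reuses an existing password, or is an existing password plus a number"


def generate_secret(length=24):
    """Return a random secret of `length` characters drawn from the OS CSPRNG.

    Used below for both the L2TP pre-shared key and the per-user VPN passwords.
    """
    if length < MIN_LENGTH:
        raise ValueError(TOO_SHORT)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _stem(password):
    """Lower-case the password and drop leading/trailing digits, so that
    'Summer2023', 'Summer2024' and '1Summer' all share the stem 'summer'."""
    return password.lower().strip(string.digits)


def is_numeric_variant(candidate, existing):
    """True if `candidate` equals an existing password or differs from one only by
    digits added at either end: the 'just add a number' pattern the guide warns against."""
    cand = candidate.lower()
    cand_stem = _stem(candidate)
    for old in existing:
        if cand == old.lower():
            return True
        # An all-digit password has an empty stem; never treat that as a match.
        if cand_stem and cand_stem == _stem(old):
            return True
    return False


def check_policy(password, existing=()):
    """Return the list of policy violations for `password` (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if is_numeric_variant(password, existing):
        problems.append(REUSED)
    return problems


def keyspace_bits(length, charset_size):
    """Bits of keyspace for a uniformly random password: log2(charset_size ** length)."""
    return math.log2(charset_size ** length)


def estimate_crack_seconds(length, charset_size, guesses_per_second=1e12):
    """Worst-case seconds to exhaust the keyspace at the given guess rate.

    The default of 10^12 guesses/s is an illustrative assumption for a rented GPU
    cluster attacking a fast hash, not a measured figure.
    """
    return charset_size ** length / guesses_per_second


def provision_vpn_users(usernames, existing=(), length=16):
    """Give every VPN user a unique, policy-compliant password (the guide's advice of
    one username and password per person) and return {username: password}."""
    issued = {}
    taken = list(existing)
    for name in usernames:
        while True:
            candidate = generate_secret(length)
            if not check_policy(candidate, taken):
                break
        issued[name] = candidate
        taken.append(candidate)
    return issued


if __name__ == "__main__":
    print("L2TP pre-shared key:", generate_secret(32))
    for user, pw in provision_vpn_users(["test", "test two"]).items():
        print(user, pw)
    # Constructed sample: an old password and three candidates checked against it.
    for pw in ("Summer2024", "Summer2024!x", "coffee-shop-2024"):
        print(pw, check_policy(pw, existing=["Summer2023"]))
    print("8 chars:", estimate_crack_seconds(8, 64), "seconds; 12 chars:",
          estimate_crack_seconds(12, 64) / (86400 * 365), "years")
```

Running it shows the point of the 12-character rule in numbers: with a 64-symbol alphabet, 8 characters is 48 bits (a few minutes at the assumed rate) while 12 characters is 72 bits (well over a century), and "Summer2024" is rejected against a stored "Summer2023" even though it is technically a different string.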
Info
Channel: Unified IT
Views: 52,605
Id: yWlvuwq5AXE
Length: 46min 13sec (2773 seconds)
Published: Fri Apr 19 2024