Unifi network complete setup 2022

Captions
Hey everyone, Cody from Mactelecom Networks. In this video we're going to do a UniFi Network 2022 build-out. I do these about once a year, and they've added quite a lot since the last one. This video is going to be pretty long, so I will have timestamps to certain sections down below. If you're new here, please subscribe and hit the bell icon. If you'd like to hire me for network consulting (UniFi Network, UniFi Protect, UniFi Talk, UniFi Access or UID), visit mactelecomnetworks.com. You can find me on Twitter at Mactelecom N, and if you'd like to support the channel I do have affiliate links in the description below.

So first off, this is the network that I currently have, and I'm going to be resetting all of this network so that we could do this video. I do have a couple of switches daisy-chained, and we really shouldn't do that; I'm waiting on some copper SFPs. All my switches really should be plugging into this USW Pro Aggregation switch. But first we're going to take the camera downstairs and I'm going to talk about what I use in my rack and why I use it, and this could apply to home or business. So let's get downstairs and look at the rack.

Okay, and this is my network rack, which has gotten a bit messier because I've been adding some things for testing. I am going to be redoing this once some things come out of Early Access. But let's start at the top. This first patch panel, there's nothing connected to it, but the bottom one we do have connections going into it. The reason why we use a patch panel is because we want to terminate all the cables that are running through our business or through our house in one common place. So these cables that are attached to these keystone jacks would be running into our wall, into a faceplate, or maybe behind some servers. The next device is the 24-port Enterprise PoE switch, and the reason I have this switch is because it could do Power over Ethernet to give my access points and my cameras power, as well as it does 2.5 gigabit Ethernet connections on 12 of the ports. I have a U6 Enterprise which has a 2.5 gigabit Ethernet interface, so this switch really comes in handy. On the sides we have them all connected with DAC cables going down to our USW Aggregation switch; the DAC cables do 10 gigabits per second.

Now that brings us to the USW Pro Aggregation switch. This switch is used as my distribution switch; we really should have every single other switch plugging into this, as I said earlier, but I don't have all the copper SFPs as I'm waiting for them. This switch has 28 10 gigabit Ethernet interfaces, and then it has four 25 gigabit Ethernet interfaces on the end. Below that we have my firewall, and I'm using the UDM SE, so this hosts our Network controller, UniFi Protect, UniFi Access, UniFi Talk and UID. If we look here right at this cable, this is port 9 and that's my WAN 1. I do have a WAN 2, and that will be for load balancing, which we will take a look at. Now this next switch I don't really need, but I got it just to do a review on, and it's the Mission Critical switch. One good thing about this switch is it has PoE++, which I could power my USW Flex switches for my cameras with. Below that we have the PDU Pro, which I'm waiting for a firmware update for, so it gives us the virtual router redundancy so we could add two UDM Pros or two UDM SEs into our topology. Then I have a Synology DS1621xs+, and this is used for my computer backups. We have an RPS, which is a redundant power supply, and then we have my UNVR Pro, which is used for cameras. Now I'm going to reset all of this Ubiquiti gear and then we're going to start with the network configurations.

Now I'm back at the computer and we need to do the initial setup of the UDM SE. You can see currently that I can't reach out to Google, and the default IP address for the UDM Pro or the SE is 192.168.1.1, so I'll type that in. Now we can see it's showing this loading page for the UDM SE, and it's saying that UniFi is committed to protecting our privacy, and we'll say set up UDM SE. The first step is to name our console; I'm going to call it Mactelecom SE, and then we need to agree to the terms in the end user license and press next. Now we need to sign in with their single sign-on account, or you could skip this and do a local account. I'm going to put in my single sign-on information and then press next. Now my UDM SE ran a speed test and it's showing us our results, and we'll press next. This next step is something new that I haven't seen before, and it's saying default IP change: we have detected an already configured network subnet mask, or it says use previous subnet mask. We'll do that for now; if we need to change it, we will. We're now at the dashboard for my UDM SE and we need to put in our username and password. I have two-factor authentication turned on, and I will show you that when we get to the security portion of this video.

Now in the dashboard of the UDM SE, under our applications, we could see that our Network needs an update, and Protect, Access, Talk and UID. I'm going to update the Network. The Protect we won't be using, as I use my UNVR Pro to host the Protect controller, but we will be using UniFi Access, UniFi Talk and UID. For this video we're just focusing on the UniFi Network, and we're also going to set up UID one-click Wi-Fi and one-click VPN, because I think it's a great function for businesses. While the applications are updating, let's take a look at this dashboard and what it has to offer. So we can see underneath we have the UniFi OS, and we can see which version we're at, which is 2.5.11, the latest stable update. We could see our release channel; if we want to go into the Beta or the Early Access release channel we could switch that here. I always have my auto updates turned off, but if you're not coming into your controller at least once a month I would leave those on. Now if we go to devices we could see a few devices that are showing offline; that's because we haven't adopted anything into our controller yet. Once we have our devices in our controller they would all show up under this list. We could also take a look at our admins, which is just my account right now, and we could add other admins.

Under our console settings, this is where we could give our console a name, and we could do system config backup. This will push the backup to the cloud, which is at account.ui.com, so if your UDM Pro or your UDM SE ever failed you could just get a new one, put it in the rack, sign into your single sign-on and then load the backup, and all your config will go into it. We could also set up our location and time zone. We could do advanced, so remote access, and if we need to SSH into our UDM SE we would have to click this and then set a password. We have some console controls where you could restart, turn off, factory reset, download a support file, or we could transfer this ownership. So when I'm setting up customers I have my account as the owner, but when I hand it over to them I transfer the ownership. Next we have push notification settings, and you can see that there's a whole bunch of different things: we can see if the hard drive fails, we can see console updates, we have some admin activities, and then we have our backups, so we could either have it push notify us or we could have it send an email. We have our map for geolocation, which I'm not going to show, and then we have a system log. This system log is going to show us a couple of things: we could see that Talk was updated and we could view the improvements, we could see that UID is ready to update as well, and we could see the admin activity. Under storage it's going to show us if we have a hard drive in the UDM Pro or the UDM SE, which right now I just have a four terabyte drive. And then under about this console it's going to show us the model, it will show us our WAN IP and the gateway, it will show us whether our system is up to date, and it will also show us things like our memory and our CPU load.

Now all of our applications that we'll be using are up to date. The next step is to get all of our devices adopted into our network controller, so we'll click on the Network controller. This is our main dashboard for our network controller; it's going to show us some traffic overview, client information, as well as our WAN 1 and our WAN 2, but this won't show too much yet as it's factory restarted. So on the left-hand pane we could see UniFi devices. From the UniFi devices we get to see my Mactelecom SE and then a whole list of these devices that need to be adopted. All we need to do is click to adopt and then press adopt device, and they'll start going into our network controller. Once this is done, if they need firmware updates it will show and will update those. So now all of our devices have adopted into our network controller, so we could create new networks and Wi-Fi networks, and these will push the configuration to the devices that are in this list. We can see that my cameras are on the 10 network, which they shouldn't be; we're going to have to create a network for the cameras by itself. And this is the list of networks that we're going to create: we have our default network on 192.168.10.1/24, and we have IoT, cameras, guest and staff. So we're going to create all of these networks as well as the associated Wi-Fi networks for them, besides default; we're not going to have a Wi-Fi network for that.

So to start creating our networks we need to go to the settings wheel on the left-hand side. Here we can see Wi-Fi networks, we could see Networks, Internet, Teleport and VPN, Traffic Management, Firewall and Security, Profiles and System. The one we want is under Networks, and the first network I'm going to create is the IoT network. Right here we can see that it's going to be going through my router, my Mactelecom SE. I do have a couple of layer 3 switches that we could do the routing through, but I like to keep it on my SE for now, as the layer 3 switching still isn't working that well. Under gateway and IP subnet I always uncheck auto-scale network, and for this network we're going to be having it on the 192.168.20.1 network. This will automatically update our DHCP range so it starts at .6 and goes to .254. Under advanced configuration I put mine to manual, and then the VLAN ID I always match with my third octet, so this will be 20. For this network type it will just be standard, and then the content filtering I'm just going to leave off, and we'll press add network. Now we need to add my camera network, so we'll name it camera; it's going to go through my Mactelecom SE, turn off auto-scale and we'll put it on 192.168.30.1, we'll go under manual, we'll put the VLAN ID as 30, and then we'll apply the network. The next network we're going to do is our guest network; we're going to turn off the auto-scale, we'll put them on 192.168.40.1, and then under manual we'll give them the VLAN ID of 40. This time for the network type we'll put them as a guest network. Putting them as a guest network will automatically create firewall rules for us so they could only go out to the internet; they can't see any other networks that we've created. I'm not going to add a content filter to this either, and we'll press add network. The last network we're going to create is our staff network; we're going to uncheck auto-scale and it will be 192.168.50.1, we'll go to manual, put a VLAN ID of 50 and then add the network.

So now that our networks are created we need to create our Wi-Fi networks, and we could do that by clicking on Wi-Fi and then adding a network. The first one I'll put in is called staff. We'll give it a password; for this I'm just going to do test1234, but you will want to make it a stronger password. Then under network, this is where we select our VLAN, so if we click the drop-down arrow we can see all of those different networks that we created, and we could see our staff network. I'm going to have it broadcasting over all my APs because I only have two, but you could create a group to specify which access points you want this SSID to go over. Then underneath here we're just going to leave the advanced configuration on auto and press add Wi-Fi network. I'll create one more Wi-Fi network, because the process is the same for every other one. So we'll create, and I'll call this one guest; we'll give it a password of test1234 and then we'll select the network of guest. Now for the guest network we're going to go to the advanced configuration and then go to manual, and the reason I'm doing this is I want to put a bandwidth profile on this guest network so that they could only get 10 down and 10 up. So we're going to create a new bandwidth profile, and I'm going to call this one guest, and we'll give them 10 down and then we'll give them 10 up, and we'll apply the changes. Now going back to the Wi-Fi network, we can see under the bandwidth profile that we have that guest profile created, and we're going to add it to the Wi-Fi network. This will make it so that our guests could only get 10 down and 10 up.

Now our Wi-Fi networks are created, but we need to move over some hardwired connections to the correct VLAN, so I'll show you how we do that on my USW 24 PoE. I know I have some cameras on it, so I'm going to click on that switch and then we're going to go over to ports. From ports we're going to go to port management. One really nice update that Ubiquiti provided us with is the ability to see the icons of what's connected, so we could see on port 1 that I have a G4 Pro, port 2 is my U6 Enterprise, and so on and so forth. So to change the network that the cameras are on, I will click on port 1, I'll click on port 3 (that's a G3 Flex), we'll click on port 6, port 10, and that's it for this switch. Then below we can see all the ports are selected, and then our port profile. By default Ubiquiti sets it to the All profile, which means it's a trunk and all VLANs could go through it; we need to set this to our camera network. So if we scroll down we could see cameras, and then we could apply the changes. To make the cameras get an IP quicker, I'll click on the port and then we'll port power cycle; we'll press confirm, and this will power cycle the PoE on that port. The camera will go down and then come back up. We also need to make sure that my UNVR Pro is in that camera network, because when we put in firewall rules it would be blocked if it wasn't in the same network. So this is my UNVR Pro; this is on my aggregation switch. We'll click on the port and then we'll just put it into the camera network, and all my cameras should be able to reach it. Now we have the basic setup for our UniFi network: we've created Wi-Fi networks, we know how to put VLANs on hard-cabled ports, and we have all of our cameras moved over. The next section will focus more on security and firewall rules.

The first thing that you should do for security within your UDM Pro or your UDM SE is to enable two-factor authentication, and how we do that is we go to account.ui.com. We would then sign in with our single sign-on account and then go to My Security. Under My Security we could see a few things here: we could see multi-factor authentication. I'm currently using UI Verify, but you could add new methods. A couple of the methods that we have are app authentication, so we could use something like Google Authenticator or Authy; we have email authentication or SMS. I prefer UI Verify out of all of them. If you were to select app authentication, we would click on here, a QR code would come up, and then with Google Authenticator or Authy we would scan that QR code; then it would give us our six-digit key.

Now that we have two-factor authentication enabled, we need to make some firewall rules. How Ubiquiti works by default: when we create networks, we could get everywhere; there's no blocking rules in place. I'm currently on the IoT network. We could go ipconfig and see that I'm on 192.168.20.241. If we look at one of the devices on the side we can see my 24 PoE at 10.58. We shouldn't be able to ping this, but we can, so 192.168.10.58, and you can see that those pings are going through. So we need to make sure that the IoT network and every other network is blocked out by blocking inter-VLAN routing. To get to our firewall rules we need to go to settings, and the first thing I'm going to do is create a port or an IP group, and we can find that under Profiles, and we could create a new group. This new group name is RFC 1918, and what this is, it's all the private IP addresses in IPv4: so 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8, and then we'll add those in.

Now the IP group is created, we need to go over to Firewall and Security. We're going to click on create new rule, and then under the type it's going to be LAN In. So LAN In is everything except our gateway IP, so the .1s for my instance. For the description I'm going to say allow default to all VLANs, so that my default network hosts all of my UniFi gear. Below we're going to have the action of accept; the source is going to be a network of default, and the destination is going to be that port/IP group, and that will be that RFC 1918, so the default network could get to every single private IPv4 address. Now with just one rule we could block out inter-VLAN routing. So we're going to create a new rule, and this rule will be done under LAN In as well, and I'll call it block inter-VLAN routing. The action is going to be to drop this time, and the source is going to be a port/IP group of the RFC 1918, and so is the destination, so that's going to block private IPs to private IPs. Now that we have the inter-VLAN routing rule created, we shouldn't be able to ping that switch. So I'll go 192.168.10.58, and you can see that it is blocking that. But we could still hit the gateway: so if I go 192.168.10.1 we could hit that, we could also hit 20.1, and we could hit 30.1. So any gateway that we've created, we're going to be able to hit those, and we need to block those out, because we don't want anybody getting to our firewall.

I'm just going to show you how to do this on one network, but it would apply to every other network besides our default. So we're going to go down to Profiles, and then we're going to go to port and IP group, and we're going to create a new group. This first group name, we'll just do the IoT network, so I'll call it block IoT to gateways. It's going to be an IPv4 address/subnet, and if I bring this screenshot up we'll see our subnets. So we don't want to put our IoT network in this group, but we need to put in the camera, the default, the guest and the staff. So the camera gateway would be 192.168.30.1, the default network is 192.168.10.1, the guest network is 40.1 and the staff network is 50.1. We're going to add that and then we're going to apply the changes. I'm going to go to port and IP group again, and I'm going to create one just called IoT gateway, and we'll put in the IoT gateway IP address, so 192.168.20.1. We also need to create a port group for HTTP, HTTPS and SSH, so the first port will be port 80, then 443, and then 22.

Now that we have those groups created, we need to go back to Firewall and Security and then create a new rule. This time under the type we're going to be using LAN Local, which is for our gateways, and I'll call it block IoT to gateways. The action is going to be to drop, the source is going to be a network of our IoT network, the destination is going to be a port/IP group of our block IoT to gateways, and then press apply. Now let's try to ping our camera gateway, so ping 192.168.30.1, and we could see that we're not able to get to it. We wouldn't be able to get to the default network either, but we could still get to our own, and the reason for that is we can't block our own gateway; if we did, we wouldn't be able to go to the internet. So we need to block out HTTP, HTTPS and SSH towards the IP address of 192.168.20.1. Going back under Firewall and Security, we're going to create a new rule; we'll go this time to LAN Local and I'll just call it block IoT to UDM interface. The action is going to be to drop, the source network is going to be the IoT network, and the destination will be a port/IP group; this time it will just be the IoT gateway, which we have as 192.168.20.1, and then we'll have the port group of HTTP, HTTPS and SSH, and we'll apply the changes. Still, if we do a ping towards that we're going to be able to get through, because we need access to the internet, but if I open up a web browser and go to 192.168.20.1 it won't let us to the web interface of our UDM SE, and you can see here that it's just timing out.

Now let's say we want our camera network to be able to hit our NAS. Well, we can't currently, because it's on 192.168.10.220, but we could add a rule in our firewall rules to accept that. So we'll go to Firewall and Security and then we'll create a new rule. This is going to be under the type of LAN In, and we'll just say allow cam to NAS. The action is going to be to accept, and then the source will be a network of our cameras, and for the destination I'm just going to give it an IP address of 192.168.10.220, which is my NAS, and then we'll press apply changes. We still won't be able to reach our NAS on the camera network, because this rule is under the block inter-VLAN routing. So to switch that we just need to drag and drop, and then we'll be able to get to our NAS. So if I bring up a command prompt we'll be able to ping 192.168.10.220.

Lots of people have asked about casting between networks, and we need to make sure that we have mDNS on, which is on by default now. But there are a few other things. Really we should be having our phones and our Chromecasts as well as our Alexas and all of that on our IoT network, but if you're not going to, I'll show you how we could cast to them. So if we go back to Firewall and Security we create a new rule; this is going to be a rule for LAN In, and it will be allow established and related. Typically I always put this in, but I did forget to do it before we started. So we're going to accept, and then if we scroll down and go manual we could do match established and match related. Now I have two Google devices that I cast my music to, so I could go to Profiles, scroll down, and we could create a new group. I'll call this Google Music; these are just my Nest Minis, and then I'll put in the IP addresses of them, so 192.168.20.108, and then I'll put in 192.168.20.117. We'll apply the changes and then I'm going to go back to Firewall and Security. Now let's say again we want our camera network, for some reason, to get to our Google Music. We need to create a new rule, and this time it will again be under LAN In, and I'll call it cam to music. We're going to accept that; the network is going to be our camera network, and then our destination will be that new group that I created of Google Music, and we'll press apply changes. Now going under the LAN section we need to drag and drop cam to music above the block inter-VLAN routing. This is going to allow me to cast from the camera network to my Google Minis. There's so many different ways to do firewall rules that you may have a different way to do these things, and that could be correct as well.

Now we're quickly going to touch on threat management. I'm not going to go too in depth with it, as in a new update coming in the next weeks or months it's going to be a lot better. But at the top we could restrict countries if we'd like; we could block countries completely out. All we would need to do is select the country, so if we wanted to block Canada out we'd just click it and then press apply changes. You could add whichever countries you want to block out. Then under our threat management we have off, detect only, and detect and block. I personally put mine on detect and block; I'd rather it being blocked, and if it was a good connection coming in I put it on my allow list. And I always put my system sensitivity up to high and apply the changes. Now to be able to see if any threats are coming in, you should get a notification, but if you don't you could always look on the left-hand side where it says system log. Under the system log it's going to show us the admins that have accessed our consoles, but then we have this threats, and under threats, if you do have any, it will show up here and you could assess it.

Now let's take a look at something that's new only to the UDM SE right now, but it will be added to the UDM Pro eventually, and hopefully it's sooner than later. We have this traffic management, and we could create a new rule. Say we didn't want our staff network to look at social media during business hours; we could block that out. We could go to action, block; we could do it for applications, and then we could select social media, so Facebook, Instagram, we could do WeChat, we could do WhatsApp, Snapchat, so on and so forth. Then we can select our target, so our target could either be a full subnet, which I'll do on my staff, or it could be per device. Now under this we could do a schedule, so we could have it always, every day, every week, one time only, or we could do custom. So I'm going to do custom and we'll select Monday, Tuesday, Wednesday, Thursday, Friday; we'll leave Saturday and Sunday open, and we'll do it between 9 AM and 5 PM. Now that we've selected our time we could give it a name, we'll say block staff to social media, and then we could add the rule. From here they won't be able to get to those applications that we've added.

One other thing we're going to look at before we move to the UID portion of this is how to do load balancing, and again load balancing is only available on our UDM SE depending when you're watching this video. So to do load balancing we need to go up to our Internet. I have two different internet connections coming into my UDM SE, one on port 9 and one on port 10. You could make port 8 an ISP connection if you wanted, but you could only run two at a time; we can't have three WANs connected to this. Down below we have our load balancing; we have failover only or distributed, and we could do this at whatever we want, 99 or a 50/50 balance. Or you could scroll down, you need to press apply, and then it would start working.

Now we're quickly going to go over UID and UID one-click Wi-Fi and one-click VPN. This is more geared towards businesses, but you need to apply for a UID workspace, and how you do that is you go to ui.com/uid. If you scroll down on the web page you can see here apply for UID invite, and once you have your workspace you can start setting it up. Going back to my UDM SE, we could see I have UID and we need to set it up, so I'll click setup. It says activate UID: we have one-click Wi-Fi, one-click VPN, UID door access, and then we have LDAP integration. I'm going to agree to the terms and then we're going to press activate UID. I already have a workspace, so I don't need to create one. This is just a warning about your doors and the migration process that it will take, and step one is to enter our workspace domain. So I'm going to put my workspace domain in and then we're going to press continue. On step two it's asking us to enter the UID agent token, and I'll show you how to do that. I'm going to go to my UID workspace, and from the UID workspace I'm going to click on settings. Under settings we can see UniFi OS consoles, and then at the top we could see UID agent token. We need to create a new token; I'm going to call this UDM SE, it will never expire, and then we'll create the token. We need to copy this token and then paste it and press continue. Step 3, we need to add the device to a site, which I have Mactelecom Networks already created, and we'll press continue. Now it's asking if we want to import our UniFi OS users, which I'm going to, as it's just me on there right now, and we'll press continue. On step 5 it's going to ask us what services we want to activate; we're just going to activate one-click Wi-Fi and one-click VPN and deselect the bottom two, and press continue.

Now I'm in my UID workspace. We can see the one-click Wi-Fi is set up but the VPN isn't. The reason the one-click Wi-Fi is set up is because if we go to our settings wheel and then I click on Wi-Fi, I have this to auto set up Wi-Fi on UniFi OS consoles once it's brought into the workspace. If we look back at my UDM SE, it automatically created two different Wi-Fi networks; we could see UID and then UID IoT, and they're both running over the default network, which we won't really want. So I'm going to go back to UID, we'll click on the one-click Wi-Fi, and then on the side we're going to click on host device. From this host device it's going to tell us the device, it will tell us if it's enabled or disabled, the model number and the UID agent, as well as the IP address. I'm going to click on that and then we can see UID Wi-Fi. If we want to change the UID Wi-Fi SSID we need to go back into our settings wheel and then go to the Wi-Fi section, but under here we could switch the network that it's running on. If we click the drop-down menu we could say that we want it on IoT, cameras, staff or guest. We could also tell it which Wi-Fi band to work on, 5, 2.4, or both of them. We could also enable or disable the IoT Wi-Fi as well as the guest.

Now before we look at the UID application on my iPhone, let's configure the one-click VPN. It's saying set up one-click VPN; we'll hit the setup button in the right corner. Set up a one-click VPN: the VPN name will be Mactelecom Networks VPN, we'll have it going over my Mactelecom SE, and it will be running OpenVPN. We can see the VPN server, which is my public IP, the protocol that it's using, and then the port number. We could also show advanced settings; under the advanced settings this is where we could tell it what subnet to be, or it will just create its own. I'm going to put it on 192.168.62.1/24. We'll leave the DNS optional and then we'll press next. Now it's saying do you want to secure your VPN connection; this is with adaptive VPN, which I just did a video on, so if you want to check that out I'll put it in the description below. If you don't have your ISP gear in bridge mode, you'll have to port forward the port for the OpenVPN towards your UDM Pro or UDM SE for this to be able to work.

Now looking under our users, I already have two users; we have one that's Mactelecom test, which we will use to test this configuration out. If you want to add a new user, click on the top and then we could add a new user, or we could import them from G Suite or Office 365. Once the user's been added we need to give them assignments, so I'm going to click on this Mactelecom test and then we can see assignments. We could assign them to whatever Wi-Fi we'd like, so we'll just do the Mactelecom Networks, and then we could do it to the VPN as well. If we had doors set up we would be able to give them NFC cards or an eight-digit code to get in, and then we'll press save.

Now I'm on my iPhone in the UID app, and we could see that I have the Wi-Fi here and we have my VPN. I'm not going to connect to the Wi-Fi, but I will connect to the VPN, so I'll click on the VPN and you can see that it's connected. That's how easy it is to be able to do a VPN with UID. But we still need to make some firewall rules, so if I was trying to ping one of my Ubiquiti devices it would be able to go through, and I'll show you that. So I have my UniFi RPS on 192.168.10.57, and we can press go and it's going to ping across. But we probably don't want all of our VPN users to be able to reach our gear, so let's make some firewall rules just to allow this VPN to get to my Synology NAS. Going back to my UDM SE, I clicked on Profiles and we're going to create a new group. Within this group I'll put the UID VPN subnet, which is 192.168.62.0/24, and then we'll apply the changes. Now I'm going to create another group with all my other subnets, so I'll say all networks, and then we'll put in the IP address subnets of 192.168.10.0/24, we'll also do 192.168.20.0/24 and then 192.168.50.0/24.

Now going to our Firewall and Security we're going to have to put in a new rule. So we'll create a new rule, and this time it's going to be a type of LAN Out, and we're going to say block UID VPN to networks. I'm going to drop the traffic; the source is going to be a port group of our UID VPN, the destination is going to be a port/IP group of our all networks, and then we'll press apply changes. Now going back to my phone that's connected to the VPN, I'm going to press ping, and we shouldn't be able to get to 10.57, and you can see there that the requests are timing out. But now we need to put an allow rule in to allow this VPN to get to our NAS. So we'll go back to Firewall and Security and we'll create a new rule. This new rule will be in LAN Out, and we'll say UID VPN to NAS; we'll accept the traffic, the port/IP group is going to be our UID VPN, and then under our destination we'll put an IP address, and the IP address will be of my Synology NAS. Now we need to put that allow rule above the block rule, so we could see rule 2001, UID VPN to NAS, is under the block rule, so I'll drag and drop it above it, and we should now be able to reach the NAS from our VPN. Going back to my phone I'll try pinging 192.168.10.220, and you could see that those ping replies are going through.

So that was a whole lot to go over, but this is a perfect setup for your home or small business. There are different firewall rules that you could do, which will be different for everybody depending on the scenario. I really think UID has a lot to offer to small to mid-sized businesses. Everything that I showed in this video on UID would be for the basic tier; you could have up to 50 users in that tier as well as three doors. If you have any questions about this video please leave it in the comments below. If you like this video hit the thumbs up button, and if you're new here please subscribe and hit the bell icon. Alright, thanks.
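The two places in the transcript where an allow rule had to be dragged above the RFC 1918 drop rule (cam to NAS, and later the UID VPN to NAS) both come down to the same thing: the UDM evaluates a chain top to bottom and the first matching rule wins. The following Python is an added illustration written for this page, not UniFi code or anything from the video. It models only that first-match ordering for the LAN In chain, using the address groups the speaker created (RFC 1918, default 192.168.10.0/24, cameras 192.168.30.0/24, NAS 192.168.10.220) plus a few constructed test flows (the 192.168.10.5 and 192.168.30.10 hosts are invented for the example). The fall-through action is accept because the speaker states that UniFi allows everything between networks until a drop rule exists; the real gateway is also stateful and has its own implicit rules, which this model leaves out.

```python
"""First-match rule evaluation modelled on the LAN In ruleset built in the video.

Added example, not UniFi code: it reproduces only the ordering logic (first
matching rule wins) to show why an accept rule placed below the RFC 1918 drop
rule never fires until it is dragged above it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address groups from the transcript (constructed as /24s and one /32 for the NAS).
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
DEFAULT_NET = (ip_network("192.168.10.0/24"),)
CAMERA_NET = (ip_network("192.168.30.0/24"),)
NAS = (ip_network("192.168.10.220/32"),)
ANY = (ip_network("0.0.0.0/0"),)
ALL_STATES = frozenset({"new", "established", "related"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src: tuple                       # IPv4Network objects the source must fall in
    dst: tuple                       # IPv4Network objects the destination must fall in
    states: frozenset = ALL_STATES   # connection states the rule matches


def _in(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst, state="new"):
    """Walk the chain top to bottom; return (action, rule name) of the first match.

    Fall-through is accept, matching the speaker's statement that networks can
    reach each other until a drop rule is added.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if state in r.states and _in(s, r.src) and _in(d, r.dst):
            return r.action, r.name
    return "accept", "default accept"


ALLOW_EST = Rule("allow established and related", "accept", ANY, ANY,
                 frozenset({"established", "related"}))
ALLOW_DEFAULT = Rule("allow default to all VLANs", "accept", DEFAULT_NET, RFC1918)
BLOCK_INTERVLAN = Rule("block inter-VLAN routing", "drop", RFC1918, RFC1918)
ALLOW_CAM_NAS = Rule("allow cam to NAS", "accept", CAMERA_NET, NAS)

# As first created in the video: the cam-to-NAS accept sits below the drop.
BEFORE_DRAG = (ALLOW_EST, ALLOW_DEFAULT, BLOCK_INTERVLAN, ALLOW_CAM_NAS)
# After dragging it above the inter-VLAN drop.
AFTER_DRAG = (ALLOW_EST, ALLOW_DEFAULT, ALLOW_CAM_NAS, BLOCK_INTERVLAN)

# Constructed flows: (source, destination, connection state).
FLOWS = {
    "iot_to_switch": ("192.168.20.241", "192.168.10.58", "new"),
    "default_to_iot": ("192.168.10.5", "192.168.20.108", "new"),
    "cam_to_nas": ("192.168.30.10", "192.168.10.220", "new"),
    "iot_to_internet": ("192.168.20.241", "8.8.8.8", "new"),
    "iot_reply_to_default": ("192.168.20.108", "192.168.10.5", "established"),
}


def ruleset_report(rules):
    """Map each constructed flow to the action the given rule order produces."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


def _covers(outer, inner):
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def shadowed_rules(rules):
    """Names of rules that can never match: an earlier rule with the opposite
    action already covers every source, destination and state they would match.
    This is the 'forgot to drag it above the block' mistake, caught statically."""
    out = []
    for i, r in enumerate(rules):
        if any(e.action != r.action and r.states <= e.states
               and _covers(e.src, r.src) and _covers(e.dst, r.dst)
               for e in rules[:i]):
            out.append(r.name)
    return out


if __name__ == "__main__":
    for label, chain in (("before drag", BEFORE_DRAG), ("after drag", AFTER_DRAG)):
        print(label, ruleset_report(chain), "shadowed:", shadowed_rules(chain))
```

Run as a script it prints both orderings: before the drag the cam-to-NAS flow is dropped and `shadowed_rules` flags the allow rule as unreachable; after the drag it is accepted while IoT to the default-network switch stays blocked and IoT to the internet still falls through to accept. The `shadowed_rules` check is the part worth keeping around: run it over any chain before applying changes and it tells you which accept rules are dead because a broader drop sits above them.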
Info
Channel: Mactelecom Networks
Views: 168,774
Keywords: udm pro, unifi threat management, udm pro firewall rules, udm pro firewall setup, ubiquiti networks, udm se firewall, unifi uid, unifi uid setup, unifi uid vpn, unifi uid wifi
Id: r9CKLv68Z8I
Length: 32min 51sec (1971 seconds)
Published: Mon Oct 31 2022