Unifi Network Complete Setup 2023

Captions
Hey everyone, Cody from Mac Telecom Networks. The time has finally come to do the complete UniFi setup for 2023. I did a complete UniFi setup for 2022 and people have been requesting a new one; a lot has changed in this new user interface. The UniFi OS that we'll be using is 3.1.16; as of this video that is the general release version, and the UniFi Network version we'll be using is 7.5.172. There's going to be a lot of information in this video, so I will put timestamps down below and you could go between what you want to watch. What you're going to see in this video is the initial setup of our UniFi console; we're going to do Wi-Fi networks, we're going to do VLANs, we're going to do internet settings, VPNs, threat management and firewall rules, and a whole lot more. If you'd like to hire me for network consulting, visit my website at mactelecomnetworks.com. If you want to become part of the community even more, we do have a Discord server and affiliate links down in the description below.

First off we're going to take a look at some of the devices that Ubiquiti offers, and we're really going to be using the UniFi OS consoles. I'm using a UDM SE; you may be using a UDM Pro, a Dream Wall or a Dream Router, or their base model of the UDM. You could also be using a Cloud Key Gen 2 with the USG or a USG Pro, but these do have limitations, so I'm not going to go into too deep of details of what they can and can't do. The UDM Pro and the UDM SE pretty much could do the same things, same with the Dream Wall; the Dream Router is limited when you put on threat management to 750 megabits per second, or roughly around there. You also need to take into consideration which switch you're going to be using. If you have a lot of PoE devices, you're probably going to want to go with the Professional PoE models. If we look at the standard PoE model, it only has 95 watts; if we look at the Professional ones, it has 400 watts and it does PoE across all 24 ports. The standard PoE only does it across 16.
It's always better to allow yourself more wattage in your budget so that you don't overload your switches. Another difference between the Professional switches and the standard switches: the Professional come with SFP+ ports, and these are 10 gigabit ports. The standard switches only have 1 gigabit ports, which would be uplinking to other switches or to your UniFi console.

The next thing you'd want to look at is Wi-Fi access points, and Ubiquiti has a ton of them. My go-to for installations is the UniFi U6 Professional; the reason why is it has Wi-Fi 6 on the 2.4 and the 5 gigahertz. If you get something like the U6 LR, it only has Wi-Fi 6 on the 5 gigahertz. They also do give you a couple outdoor options if you want to capture maybe some outdoor Wi-Fi for your pool area or something like that: they have the AC Mesh, the U6 Mesh and the AC Mesh Professional. The U6 LR does have an IP rating for outdoor weatherproofing. Now I'm not going to go over any more gear, as that's a whole topic by itself.

We're going to take a look at what my network setup is. So I do have this diagram right here, and you can see that I have the UDM SE up on the top, and going into my UDM SE I have two internet providers: one is one gigabit by 40 megabits per second and the other is three gig by three gig, and that's my primary ISP. Below that, the UDM SE is connecting to my Aggregation Switch Pro, and this is pretty much all overkill for my home network because I do reviews on this. You most likely won't need an aggregation switch in your house, but if you are going over one or two switches it may be a good idea; Ubiquiti does offer a USW Aggregation that is only eight ports and it's not as costly as this Aggregation Pro. Now all of my other switches are plugged into the Aggregation Pro. We have my USW Enterprise PoE 24 port; we have this Mission Critical switch, which is great because it has a battery built into it, and you would want to use this for door access as it has four PoE++ ports. Next, beside that, we have my RPS, which is a redundant power supply. This isn't a UPS, and a lot of people get confused; they think it's a UPS, but it has no battery in it. If your power goes out, this will go out as well. The reason we want this is to have a secondary power supply in our UDM Pro or our UDM SE; they do use these proprietary cables, which is shown on the screen. I also do have a PDU Pro that's plugged into my aggregation switch as well. Then below that we have all my devices hanging off of it. The access point that I'm using in my living room is the U6 Enterprise In-Wall, and then in this office I'm using the U6 Enterprise. We'd see these USW Flex switches, which are actually powered up by the Mission Critical on PoE++, and these have cameras hanging off of it in my garage and in my patio.

Now these are the different networks that we're going to be creating. My default will be 192.168.10.1/24 and it won't have any Wi-Fi network; this will have all my Ubiquiti gear on it as well as my Synology NAS. Then we have my IoT network at 192.168.20.1, and it will have a Wi-Fi network called Dolores. We're going to have a camera network at 192.168.30.1, and it will be called Mac Telecom Camera, and then we'll have guest at 192.168.40.1, and it will be called Mac Telecom Guest.

Now the next thing that I need to do is reset all of my devices, and then we'll start with the initial setup. Now my UDM SE has been totally reset, same with all of my devices. To be able to start the initial setup we need to go to unifi/ or to the IP address, and the default is 192.168.1.1. Now you can see the UDM SE showing up on the screen. To do the initial setup, it's saying "we're committed to securing your data and protecting your privacy". I'm going to say set up UDM SE. Now it's asking us to put in a console name; you could leave it at UDM SE, I'm going to call it Mac Telecom SE. I'm going to agree to the terms of service and then we're going to press next. The next step, it's asking you to sign in to their website at ui.com using our single sign-on; this would allow us to manage multiple different UniFi consoles using unifi.ui.com. If you don't want to do that, you could set up a local account. I'm going to sign in to my UniFi account. I ended up skipping the speed test, but for this connection, I guess in the WAN 1 port I have my Rogers, which is 1000 by 40, and that's what I'm going to tell the UDM SE, and we'll press next. Now this is something new that I've never seen before. It says "default IP change: we have detected an already configured network subnet mask at 192.168.10.1; do you want to use the existing one or set it up manually?" I'm just going to use the existing one and press finish.

Now the initial setup is done and we're on the UniFi dashboard. Under the Mac Telecom SE we could see my WAN IPs for WAN 1 and WAN 2, and then we could see the gateway IP at 192.168.10.1. We could also see the system uptime, and we could see the different WAN connections and do speed tests on them. You can see traffic identification, but there's no traffic as of yet because this is a brand new setup; most active access point, client types, and most active clients, which there really isn't anything, because we haven't adopted anything. So next I need to get my devices adopted and then Wi-Fi connected so I could turn my lights back on in this office. We're going to want to go over to UniFi Devices next. We could see everything that's ready to be adopted, which there's seven; we do have a couple more that are missing, I'm gonna have to go physically reset those. But to adopt them, all we need to do is click here. If a device isn't adopted into your controller, you won't be able to do any configuration on it; that's why the adoption process is so important.

Now we need to go set up our networks and our Wi-Fi networks, and how we do that, we go over to the settings wheel on the left-hand side. But before that, I'm going to switch my console to dark mode so it's a little easier on the eyes. We go down to System, and then you can see the theme here; we either have dark or light. I'm going to click on dark and we're going to apply those changes. Now we have that done, we need to go up to Networks. So looking back at our drawing, the networks that we have is the default, which is already created; the next one we need to do is the IoT. So to create a new network, all we need to do is go to Virtual Networks and press Create New. I'm going to call this network IoT, I'm going to uncheck Auto Scale (I never leave Auto Scale on), and we're going to put it to 192.168.20.1/24.
So that gives us 249 workable hosts. I'm going to click on manual, and then I'm going to select the VLAN ID; you could leave this at whatever you want, but I usually match it to the third octet, so we're going to put it on 20. This isn't going to have isolation, and everything else we're going to leave at default. The next network that we need to create is our cameras. I'll create new and we'll call it Cameras; I'm going to uncheck the Auto Scale and it will be 192.168.30.1, click on manual, switch the VLAN ID to 30, and then we'll press add. And the last network that I need to create is my guest network, so we'll call it Guest, uncheck Auto Scale, and it will be 192.168.40.1; we'll go to manual and it will be VLAN 40. This time we're going to select isolation, so if I hover over the eye icon it says "your guest hotspot profile will be automatically applied to your guest networks; connected clients will be isolated from other internal networks; these restrictions can be modified in the guest hotspot profile". We also won't be using the guest hotspot profile; that's something like a captive portal, and we won't be doing that in this video. And then I'm going to press add.

Now just going back to the guest network, if we want to put some basic content filters on it we could do that. We have content filters right here, and there's a couple that you could do: you could do none; you could do work, which blocks explicit, pornographic and malicious domains, search engines and YouTube in safe mode; and then we have family, which really just puts YouTube in safe mode as well and then blocks VPNs. I'm going to put this to work and then press apply changes.

Now our networks are created. The next thing we need to do is create Wi-Fi networks, and we'll click on Wi-Fi networks. The first one will be our IoT network, which I call Dolores. We need to put in a password of a minimum of eight characters, so I'm going to do that now. Under Network we don't want this to be on our default; we click the drop-down arrow and we're going to put it on IoT, or whatever one you want it to connect to. If you have multiple different access points, you could tell this Wi-Fi network which one to be on; by default it will grab all the access points and push it to them, but we do have this broadcasting APs and we could create different groups. We have advanced, and then under manual you could do the hotspot portal; you'd select which bands it's working on, so the 2.4, the 5 or the 6 gigahertz. The only access points that have Wi-Fi 6E right now are the U6 Enterprise and the U6 Enterprise In-Wall. We have different Wi-Fi features like band steering, and if we scroll down even more we could do multicast enhancement, multicast and broadcast control, and we could set our security protocol. So we have WPA2, WPA2 Enterprise, which would use a RADIUS server using username and password, and then we have WPA3. The problem with WPA3: some devices don't like it and they will never connect. Now for this Wi-Fi network I'm just going to press add Wi-Fi, and if we go over to our devices you should see that these are getting ready; they are starting to grab that configuration that we just did. Now the access points have grabbed that Wi-Fi name; you could see a bunch of my clients are starting to come on on the 2.4 and the 5 gigahertz, and that's because I put in the same SSID and password.

Now we have to go ahead and make a couple other Wi-Fi networks. The next network that we'll make is our camera network. I'm going to create new and call it Mac Telecom Camera, and we're going to give it a password; under the network, this time we're going to put it to the cameras, and we're going to add the Wi-Fi network. Now the last Wi-Fi network we need to create is the guest, and I'm going to call it Mac Telecom Guest, and we'll give it a password as well. This time we'll put the network as the guest. Under manual, we're not going to have the hotspot portal on, I'm going to turn that off, and we're going to want to give the guest a Wi-Fi limit; I don't want them using up all my bandwidth. So we could see Wi-Fi QoS; I'm going to click on that. It says bandwidth limits can be imposed if you've created at least one profile, so looking down, we don't have any profiles created. I'm going to create a new profile; I'm going to call this profile Guest and we'll give them 10 up and 10 down, and then we're going to apply the changes. Now if we click back on that Wi-Fi QoS we should see that profile, which we do, the guest, and we're going to add the Wi-Fi network.

Now at this point we have your networks and your Wi-Fi networks set up. There are a couple things that you could do to optimize it, and I'm not going to go super in depth on that, but I will show you a few things. If you're looking for your Wi-Fi speeds to be a little bit quicker, you could bump up the channel width on the 5 gigahertz to 80. This does introduce some interference if you have neighbors all around you; I do live in a subdivision and there would be lots of access points around me. One other thing: if you don't have any wireless uplinking devices, you could turn off wireless meshing, which I will do. So something like the BeaconHD or the U6 Extender, that is a Wi-Fi meshing device. Another thing we could do on the access points is set the channels manually. So if we go over to settings, you're going to see this is managed by global AP settings; we can uncheck that, and we could uncheck nightly channel optimization. The channel optimization, each night, does a scan of all the channels and sees which one is the least utilized and then picks that, so we're going to uncheck that. Under 2.4 we only have three channels that are non-overlapping, 1, 6 and 11; on our 5 gigahertz we have a bunch of other channels that we could choose from. If we go over to Insights we could do channel scan, so this would be for the 2.4, and it will fill up whichever one is the most utilized, and we could do it for the 5 gigahertz as well. Most of the time leaving it on default works well, but if you are deploying quite a few access points or have a lot of noisy neighbors around you, you may want to set these manually.

With the Wi-Fi created and the networks associated to it, when somebody joins a different network they get it from a certain subnet, but with our wired networks we need to actually define that on the switch port. So what we're going to do, we're gonna put all of these cameras in the camera network. You would see that they're in the 192.168.10 network; the one camera that is in the correct subnet is my doorbell, because it had the same Wi-Fi SSID and password, and that's why it's getting the 30. The first one I'm gonna change is my UNVR. If we click on the UNVR you can see it's on port 20 on the aggregation switch, so we're going to go up to our ports, then we'll go to Port Manager. By default, how Ubiquiti does their ports, they are like trunk ports, so they allow every single VLAN to go down it. So we're going to want to find port 20, which is my UNVR; click on that port, we could see that it's active, and the network currently is our default. I'll hit the drop-down arrow and we'll go to cameras; once that's done we'll just press apply changes. Now we need to find all of my other cameras on my switches and then do the same. So I'll go to my USW Enterprise 24 PoE, we'll go to Ports, Port Manager, and we could see that I have two G3 Flexes on here, so I'll click both of them and we'll switch the network, and we'll put it on the camera network and apply the changes and press confirm. With my cameras, since they're a PoE device, I usually do a power cycle; we only could do one at a time though, so I'll click on port 3 and we'll do a power cycle and we'll press confirm, then we'll do the same on port 6.
The other cameras are living on my USW Flex switches, so let's go over to those switches, go to Port Manager, and we'll select the three cameras, go to the primary network and put it into the camera network, and then apply the changes; we'll press confirm and then I'm going to power cycle each one of these. Now after switching all of those ports, you can see my cameras have all gone into the correct subnet of 192.168.30.x. There is one more thing to touch on about port profiles. So if I click on my USW 24 and then we just click on some random port, they do now have this traffic restriction. I don't typically use it too much, but if we hover over the eye icon it says "when enabled you can allow or block specific virtual network traffic through this port". When we turn it on, you could either block everything or you could allow everything. We're going to do our blocking between subnets within our firewall rules.

Next we're going to look at our internet, so we'll go to Settings and we'll click on Internet. At the top we could see our primary WAN and then our secondary WAN. If we want to set a specific DNS for this we'd have to go to manual; under DNS server we're going to uncheck Auto and we're going to put in our own servers, I'm just going to do 1.1.1.1 and 8.8.8.8. If your ISP requires you to put a VLAN, that's where you could do it; you could do MAC address cloning, and you could also switch it from DHCP to be static or PPPoE. I don't have either, I'm just going to leave it at DHCP. Also under our internet we have these internet sources, so we could make any one of these four ports a WAN port; so if we wanted port 8 to be WAN 2, we would just need to specify that. We also have two different types of load balancing: one is just failover, so if WAN 1 goes down, WAN 2 will pick up; the other is distributed. I usually don't work with the distributed one unless you're having the exact same speed, so one gig by one gig on both lines, and then we could set it to 50 percent; at that point you're gonna have one packet go down WAN 1 and then one down WAN 2.

This next section is going to be about our firewall. So by default Ubiquiti allows every single network to talk to each other. When you set network isolation for our guest network, it automatically creates firewall rules for us, as you can see here, but everything else is allowed to talk to one another. Now before we get into the firewall rules, we're gonna quickly go over what the WAN Local, WAN In and WAN Out are, same with the LAN Local, In and Out; they are really the same but just on different interfaces. And this is from a post about three years ago, but it still is the same way. So the WAN Local applies to IP traffic that is destined for the UDM itself on the WAN network, and the default state is to drop that. The WAN In applies to the IPv4 traffic that is ingress and is destined for other networks, and the default is to drop; and the WAN Out is for the egress, so leaving your network, and the default is to accept. The same thing goes for your LAN network, so we have our LAN Local; the LAN Local is pointing towards our gateway IPs, so the UDM itself, and we have a default of accept. All of our LAN rules, the default is accept; that's why we have to put that RFC 1918 inter-VLAN blocking rule in. The LAN In applies to the traffic that enters the LAN, ingress, so destined for other networks, so this is our inter-VLAN routing, and then the LAN Out would be something like for our VPNs. I'll probably do a separate full video on this with diagrams once I build those diagrams, to explain it a little bit better, because it's very hard for some people to understand.

So the first rule that I put in: we create an entry, we want it to be our LAN In, so that's our communication between our VLANs, and I call it allow established and related. So what this does, in my head anyway: if the default network talks to the IoT network, the IoT network is allowed to talk back to the default. So we're going to leave it at any/any; you could lock this down even more, you could say the source is default and the destination is IoT, or whatever you want to do, but for this video we'll do any/any. Then we need to scroll down to Advanced and go manual, and we need to match state established and match state related, and press apply changes. Now the allow established and related is very important for your IoT network, because we will have a block inter-VLAN routing rule here shortly. So I'm going to create a new entry; the next one, the type will still be LAN In, and it will be called drop invalid state. The action is going to be to drop, and then we're going to do any/any again, scroll down, go to manual, and it will match state invalid, and we'll press apply changes. The next step we need to do is to create a profile. We're going to go to Profiles and IP Groups. IP Groups, we're going to create new here; I'm going to call this RFC 1918, and that's your Request for Comments 1918, which is a white paper based on IPv4 addresses in the private space. The type is going to be IPv4 address/subnet, and the first one will be 192.168.0.0/16.
The second one will be 172.16.0.0/12 and the last one will be 10.0.0.0/8. We'll press add and then apply changes. Now going back to our firewall rules, we're going to create another entry, and it's again under our LAN In. This time we're going to say allow the default network to all VLANs; we need to have our default network talk to everything, because that's where our Ubiquiti gear sits. The action is going to be accept, the source will be a network of our default, and the destination will be that new group, so that allows the default to talk to every single private IPv4 address. Now this next rule will be block inter-VLAN routing, so our cameras won't be able to see the IoT, the IoT won't be able to see our cameras or the default network, and so on and so forth. So we'll create a new rule; it's going to be done under LAN In, and it will be called block inter-VLAN routing. The action is going to be to drop, and the source will be a port/IP group and it will be RFC 1918, and the destination will be the same thing, so we're blocking private subnets from private subnets, and we'll apply the changes. Now I'm going to put this computer onto my camera network and we shouldn't be able to hit any of the devices that are on my default network. Here you can now see that this computer is on 192.168.30.195, which is my camera network, and if we try to ping my RPS, which is on 10.190, we shouldn't be able to. I'll type in ping 192.168.10.190, and you could see that the requests are timing out.

But what happens if, say, our camera network has to reach my Synology NAS? Well, we'll put an allow rule in for that, and I'll show you now. Going back to our Settings and then Firewall and Security, we're going to create a new entry; we're going to do it in LAN In, and this will be to allow our cameras to NAS. The source is going to be a network of our cameras, and the destination I'm just going to have as an IP address; the IP of my NAS is 192.168.10.220. We're going to apply the changes, and then we need to reorder the rules. So under our LAN we could see this block inter-VLAN routing and then we have our allow cameras to NAS; well, this goes top down in order, so once it hits the blocking rule it's going to stop and we would never be able to reach the NAS. So all we need to do is drag and drop that above the block rule and we should be good. And now, opening up a command prompt, if we do ping 192.168.10.220 we are able to hit my Synology NAS.

Now we have some base firewall rules in: we have inter-VLAN routing blocked and we also allow our cameras to our NAS. I put this computer on my IoT network and we shouldn't be able to hit any other network, but if we try to ping our gateway or go to our gateway, we're still going to be able to hit that, so we're going to have to block that off. So our gateway for our IoT network is 192.168.20.1, and I'm doing that in the web browser; you'd see that the suspicious page is blocked from protection and it's coming up at 20.1. If we understand the risk, it's going to bring us to our UDM gateway, and you can see there we are now at the Mac Telecom SE. So especially for our IoT network, we don't want that to be able to get to our gateway; maybe our cameras as well. If you're using UniFi Protect on your UDM console, you're not going to want to do this, because it will make a remote connection slow and the viewing experience almost unbearable. We also don't want to be able to get to the other gateway, so if we go to 192.168.40.1 you'll see that there, and this is the camera network, but it's still pointing towards our UniFi console. So what we need to do, we need to go into our firewall and then create some profiles. Back up on my UDM SE, I clicked on the profiles, and then I'm going to create a new one here; I'm going to call it block IoT to gateways. So what this is going to do, we're going to put in all of our IPs of every single gateway IP except the IoT network, so we'll put in 192.168.10.1, we'll put in 192.168.30.1, and then our last one will be our camera network, 192.168.40.1, and then we're going to add that change. Now we have that, we're going to go to Application Firewall, go to Firewall Rules, and then we're going to create new. This time it's going to be done under LAN Local, and LAN Local, if you remember from the beginning of the firewall section, this is towards our gateway. So what I'm going to call this: block IoT to gateways; the action will be to drop, and then the source is going to be a network of our IoT, and the destination is going to be the port/IP group of the block IoT to gateways, and then we're going to add the rule. Now if I open up a command prompt I shouldn't be able to hit the camera gateway at 192.168.40.1, and I can't; same thing goes if I open up a web browser, so 40.1, so we're not able to get there. But if I do my own gateway still, 192.168.20.1, which is the IoT network, we're still going to be able to hit the OS. What we have to do here, we need to block the web ports, so HTTP, HTTPS and SSH. So we'll go back to the UDM interface, we'll go to Profiles, we'll go to IP Groups, and then we'll create a new group; this time it's going to be a port group called HTTP, HTTPS and SSH. The ports we're going to put in are port 80, port 443, and then we're going to put in 22 for SSH, and press add. I'm going to create one more group just with the IP of the IoT network, so I'll just call it IoT Gateway; it's going to be an IPv4, and the IP of the gateway, which is 192.168.20.1. Now going back to my firewall rules, we're going to create a new entry; it's still going to be under LAN Local, that's because it's still a gateway rule, and it will be called block IoT to UDM interface. I'm going to say to drop, that will be the action; the source is still going to be a network of IoT, and the destination this time is still a port/IP group, but it will be the IoT Gateway, which has that IP address of 192.168.20.1, and then it's going to be that new port group that I created, and we'll add the rule. Now with that rule in there, if we go back to the IoT gateway we shouldn't be able to reach it, and it does look like this website is timing out. And that's the basic firewall rules; of course you could do a lot more complex things, you might have Plex opened up or you might have some port forwarding. We're not going to touch on that here because there's so many rules in different situations. Another way to block communication between your networks is through traffic rules, and we will take a look at that in a little while.

Now a couple other things that we could do with the Application Firewall: we do have this ad blocking, but it's very simple; all we do is click it and then we select the networks that we want to be in there. I'm going to turn that off for now. We could also do country restrictions, so if we turn that on we could say which countries we don't want to talk to, in both directions, outgoing or incoming. I'm just going to pick a couple off the top of my head, China, Russia maybe; you're not going to want to block your own country, because you won't really get anywhere. Down below, under Advanced Internet Filter, we have something called suspicious activity, which used to be their IDS and their IPS solution, so you could either have no action, you have notify, which just sends you an alert, or you could have notify and block. Under detection sensitivity you could have it low, medium or high; on high it turns on all the toggle switches. If you want to customize it you could do that, so if you have a threat coming to your network it's going to notify and block it. If you have notify and block you could turn all of these on or all of these off, and this is based on Suricata, and you could do a bit more research into that. But we have peer-to-peer, we have Tor, which is known as the dark web, we have scans, we have denial of service, and then we have some VoIP applications and a bunch more. We also have a dark web blocker, and it says "prevent traffic encrypted by Tor from moving through your networks"; I'm going to turn that on. And we also have malicious website blocker, "use UniFi real-time database to block IPs that are known to be malicious", and I will turn that on and we'll apply the changes.

Now another way you could go about blocking countries: on the left-hand side we have this Security Insight. Under Security Insight we have a traffic monitor, and you can see all the different applications or websites that you're reaching and what is using at the time; you can see at September 24th between 9:00 and 9:05 I was using Netflix. If we go to filtering activity, this is going to show us what was filtered, so we could see that I had 33,194 things that were blocked, and it was this ad block. We could also look at threat blocks; at the time range in the last day I haven't had any threat blocks, and we could look at traffic rules enforced. Now our traffic map, this is going to show us where our UDM is communicating with, so you could see everything that is in blue, that's where it's been talking to; anything with these gray lines through it, that's who you've blocked. If you wanted to block another country, say Iceland, all we would need to do is click on it and then we could block it. You'd also look at how much traffic is being sent to and from.

Now this next section is going to be on the UniFi VPNs, and there's a few that we're not going to talk about. The L2TP we won't be, because that is going to be going away soon, and same with the site-to-site VPN; we will be talking about the magic site-to-site VPN. If you're using something like a pfSense on the other side and a UniFi firewall, you'd want to use this site-to-site VPN. Now first up is going to be the Teleport, which is the easiest one to set up, but you only could use this on your Android or iOS, and you need to download the WiFiman. So if you want to use it on mobile, that's great, and how we do it: we enable it and you can see this invitation, we need to generate a new link. You'd see here that the link expires in 24 hours, so you could either email this to somebody; if you're using it yourself, you could copy it and you could put it in a web browser. Now we put it into our web browser, it says connect to Mac Telecom SE, and then we have a QR code. All you need to do is open up your camera application on your phone and then go to the QR and it will load it into WiFiman. The Teleport app is supposed to be coming to macOS shortly, and I hope they do bring that to Windows, because that would be great, and the back end of it is WireGuard.

Now speaking of WireGuard, we have VPN servers. So these VPN servers would be used for remote workers; we have WireGuard, OpenVPN and then we have the L2TP. If we click on the L2TP, it says L2TP is a traditional VPN that is losing support on several different operating systems, so that's why we're going to be touching on it today. So what we will be doing is the WireGuard and the OpenVPN. The first thing that we need to do is give it a name; I'm going to leave it at my WireGuard server. We have our private key and then we have our public key; we have our server address, which is either going to use your WAN 1 or your WAN 2 address, and then it tells you the port; we could enter an address manually if we'd like. And now we need to add a client to this, so I'm going to click on add client. Right up at the top it says multiple WireGuard clients should not share the same VPN configuration, so if you have a bunch of different users, give them their own configuration. We also have auto generate or we have manual, and then the client name, I'll just put it to Cody. This is something new that I haven't seen: you could either tap below to download the configuration file or you could scan the QR code. I'm just going to download the config file. Once we download the config file we need to press add, and then add again for it to save. If you wanted your WireGuard VPN local addresses to be something specific, you could change the host address or the subnet here, and you could also tell it which name server to use by clicking enable and then putting in your DNS. Now just to show you that I can't reach my Synology NAS because I'm not on the same network as my UDM SE: we're going to ping 192.168.10.220 and you can see that the requests are timing out. We need to download the WireGuard client onto our computer or whatever you're using; if you're using a phone, they do have an application for that. And then we could import tunnels from file, and this file will be saved in my downloads folder. I've now added that file to my WireGuard client; you can see the status, the public key, the address, which is 192.168.3.2, and then the DNS server. Below that, the peer: we could see the public key, the allowed IP addresses, and then the endpoint, which is our public IP of our WAN 1. So now I'm going to activate the WireGuard VPN and connect to it just by clicking activate. We can see the status is active and the last handshake was eight seconds ago. Now if I go to the command prompt I should be able to hit my Synology NAS, and you can see that I'm able to get to it.

Now the OpenVPN pretty much works the same way. We need to give it a name, the server address and the port, and then we need user authentication, so we're going to create a new user here. I'm going to give it a username of Cody and then we're going to do a password of test1234 and create the user. Now under Advanced we could go to manual; we could select a RADIUS profile if we want, we could do a gateway subnet, and below we could see that subnet information, and we could also specify a DNS server for this; I'll put it to 1.1.1.1 and then we'll press add. Now after you've added the VPN, you need to come back into it and download the configuration file. Same thing as with WireGuard, we need to have an OpenVPN client, so I'll look for the OpenVPN Connect, and then we're going to go ahead and upload that file. On the file it shows us a profile name, the server host, and then we have our username, so this is the username that you've added into that configuration; for me it was Cody. Once we press connect it's going to prompt us for our password. Now once the password is put in, you could see that I'm connected to that network, and I'm going to see if I could ping the Synology NAS again; I'll press the up arrow and you could see that we could hit the NAS. One thing with these VPNs: they have access to everything on the network. So if we go back to my UniFi Devices, you can see my PDU Pro is at 10.142, so let's try to ping that, ping 192.168.10.142. You may not want this, so what we have to do, we need to implement some firewall rules. The first thing that I do is to create a profile of the VPN subnet. If you don't know where the VPN subnet is, all you need to do is go to Teleport and VPN, go to VPN Server, click on your OpenVPN server or your WireGuard (it works the same for both), scroll down to the bottom and then find your gateway and subnet; for me it's 192.168.4.0/24. We'll go back to Profiles, we'll go to IP Groups, and then we're going to create a new group; this time I'm going to call this VPN users. The type is going to be an IPv4 subnet, and I'll be putting in 192.168.4.0/24, and we're going to add that, and then we're going to press add once again. Now we need to go back to our firewall rules, so
we'll go to application firewall and we're going to go to firewall rules we're going to create a new entry and this time the type is going to be Lan out for the description I'm going to say block VPN users to all subnets after we do the block rule we'll end up putting an allow rule just to allow it to go to the Synology Nas so the action will be to drop the source is going to be a port IP group of that new one that we just created VPN users in the destination will be that RFC 1918 group that we created earlier that has every single ipv4 address in it now I'm going to add the rule with that rule added I shouldn't be able to hit this pdu Pro anymore so let's give it a try and as you can see we're blocked off from hitting the pdu pro but if we try to hit my Synology Nas we're also blocked off from hitting that so we need to put in an allow rule going back to the firewall rules we're going to create an entry it's going to be the type of Lan out again and this time we'll say VPN to Nas the action will be to accept the port IP group will be VPN users and then the destination I'm just going to put an IP address of my Nas 192.168 1.10.220 and we're going to add the rule currently how it sits the rule won't work we need to go over to Lan and then we need to go over to this right here we could say VPN to Nas is under the block rule so we need to drag and drop that above once we do that we go back to our Command Prompt press up and we should be able to hit the nas in a second and you can see that the replies went through so that's how we do some basic firewall rules for our vpns the next one we have is a VPN client so say we have something like nordvpn and we want to route a full subnet through it we could do that we could give it a description I'll just call it nordvpn because that's what I use and I do have an affiliate link down below for Nord I'm not sponsored by them at all it's just who I use trust who you want then you need to put the username the password and the 
configuration file from whichever VPN provider that you're using I have another full video on this which I will put in the description so I'm going to go ahead put that information in and then we're going to test and save now that I have all the Nord information in and the config file we could do the test then save okay so it's showing that it's connected and it's been up for two seconds and we could see this local IP which is a Nord server but how do we go about routing a full network over that well I'm going to show you so if we go over to networks I'm going to create a new virtual Network I'll call this nordvpn I'll give it an address of 192.168-66.1 and then we'll also give it a VLAN of 66 and we'll add that now to route that subnet over it we need to go over to routing and this is like policy based routing we're going to go to the traffic roads all traffic types and then we're going to say on you could either do this on a device or you could do it on a network I'm going to go over to nordvpn now under interface this is where we want to select that new openvpn file so we'll click on there you'd see primary Wan 1 Wan 2 or the nordvpn and then we're going to add the entry now if you have a Wi-Fi network connected to that subnet everybody who connects to it will be going through the nordvpn which is really great now the last VPN type that we need to talk about is the magic site to site VPN and this is all done through unifi.ui.com and you need to have a couple consoles at least one with the public IP and they all need to be on the new UniFi OS 3 or above so looking here we could see that we have the site magic I'm going to go ahead and click on there under the name it's telling us site magic group one and then it's showing me all of my consoles that are capable of doing site magic vpns we're just going to select my Mac Telecom SE which has a public IP address and then my mom and Sean's now we need to select which subnets we want to be able to communicate I'm just 
going to say 192.168 10.0 my default Network on my udmse and then at my mom's their default at 192.168.1.0 we'll press connect and once we do you'll see this going Amber and when it's fully connected it will be green we could see that it's now fully connected and on my mom's site there is an access point there at 192.168 1.72 so let's try to Ping that ping 192.168.1.72 and we are able to hit that now the same firewall rules apply to the site to site vpns doing the Lan out firewall rule so if you need to do that go back a little bit and Implement those now that we've done our firewall rules we could take a look at traffic rules and this kind of works the same way we have of an action which we could block allow or we could do speed limits we have different categories so this is app where we could block something like Instagram or whatever you want there are a bunch of different categories so there's app Group would let us block a bunch of social media we have domain name IP address region and then we have internet and local network so if you're wanting to block VLAN traffic between certain networks we could do that we could specify the local network we'll say my iot network and then we could do the traffic direction if you don't want to talk at all you could do to and from if you want to tap one-way communication you can as well traffic from all local networks or traffic to all local networks and then we specify on which device so we'll say to block to the camera network but you could also do it on a device maybe like this PC and we could put it on a schedule and then a description so this is really great if you're trying to do more content filtering currently I don't use the traffic rules to do my blocking between my vlans I still find the firewall rules easier but what I will use this for 4 is content filtering now one other thing that you could do with this is wired speed limits and this will apply to your wireless as well we already did Wireless qos on our guest 
network but that only applies to the Wi-Fi so if we want to do a speed limit we could select the category which is going to be internet and then we could do our download and upload speed I'm going to move it to megabits per second and we're just going to give it 10 by 10. then we could select which device so we could either select a full subnet or we could select one specific device or multiple devices I'm just going to put it on the 74156 network and then we'll call it speed limit of 10 by 10. now you could put this on a schedule as well so if this is a school system you might want to have it on a schedule so that they have little internet access during class but on their lunch break they could have more internet that's one use case for this now we're quickly gonna touch on routing you already saw how I did the nordvpn but if you wanted specific traffic going down your Wan 1 or Wan 2 if you have two isps this is where we would do it we would create a new entry we could have all traffic or we could have specific traffic under specific traffic we could do domain IP or region if we do all traffic everything's going to go through it and we could select our subnet or we could select a device so say I had a VoIP Network and I wanted a dedicated to WAN 2. we could do that so we could click on the network and then we could click on the interface and select Wan 2 and we could just say VoIP to WAN 2. 
every time a phone is connected to that Network it's not going to go down our primary when it's going to go down our secondary so this is really great to to customize and do policy-based routing now we're getting near the end of this video so we're just going to touch on a few other things like if we go over to our system what we could do here we have our country we have our language and then we have our time format as well as if you want it light mode dark mode or system and then we have our updates which we have console and application which we have to go to the unify OS we have our device firmware and we have automatic device updates I have mine currently turned off but we could also add a schedule we have backups where this would just back up the unify network controller and then we have advanced under Advanced we have Wi-Fi man support and then we have our interface they do have a legacy interface but it doesn't add most of these features so now we just stick to the new one if you want to access the command line interface of your access point or your switch you need to make sure these debugging tools are on we also have email Services inform host and then we have our device authentication so under the device authentication if you need to log into one of your your access points through something like putty or SSH this is the username and the password that you would use unless you've already put in SSH Keys now speaking about backups this is where we would back up our full unifios as well as our applications so we would go to console settings and if you're tied to the unify Cloud we would have system config backup we could backup now which I will do and you could see a backup was created this is stored at account.ui.com but it also downloads a config file for you locally on your computer now if you want to restore all we do is Click restore and then we can see the console and we could see the backup date we have a bunch of different save files in there so you 
want to select which one you want to go back to also we could back up the whole thing or we could do specific applications say I only wanted to do unify talk I could click on talk put in my password and then restore and that's only going to restore the unify talk application to the backup date that I selected now a couple other small thing things if we want to look at our system log we do that on the left hand side we could see some critical notifications which my internet went down and I needed a couple things to be adopted we could also see security detections currently I have no security detections but this is from our suspicious activity if you do have something it will pop up here we have updates if we have any updates we have admin activity so this is where we could see who logged in when we also have our client and we could see different descriptions of what is happening and then we could see different AP triggers which there was no events and then we could see our triggers and this is all based on our firewall rules or our traffic rules so you can see Mac Telecom unvr was blocked from accessing 192.168 10.43 and you can see the rule that was taken that hit now another thing that ubiquity did introduce in this update was their Wi-Fi insights and we could see our coverage so my AP density is currently good right now I only have one access point in my controller I need to reset the other one and get it back in here but if it's showing that it isn't good that may be an indication that you need to add another AP into your house or into your business another neat feature that ubiquity just introduced was on our topology page we now could show the internet traffic if I click play it will do this diagram and it will show us where our traffic is going so we have my internet going to my udmsc going to my udm Pro and then the most traffic is going down to this computer it's probably my computer right now and my MVR my map looks a little bit messed up because some of 
my Flex switches aren't in this controller yet yours should look pretty much correct the last thing we're going to talk about is a couple tools that could help you with your home deployment or a business deployment the first one is Unified Design Center so this lets us input a design or a floor plan into it and draw on some walls put access points put data Jacks as well as cameras so we could see if we hover over Wi-Fi what our Wi-Fi is going to look like this will give us a good indication on where to put our access points now for capacity planning calculator.ui.com is a great tool so we could see what these could handle if we wanted to check out how many cameras the umvr could handle we'd click on the umbr go to protect and we could see that it handles 50 HD cameras if we started putting on 4K cameras it would shrink the size of the HD cameras that we could put on so this is a great capacity planner now that's going to be it for this video on the unify complete setup for 2023 and I'm sure I did miss some things it was a very long video but we will do updated videos whenever a new network controller comes out or a UniFi OS I'm hoping for unify Network 2024 video we see a whole bunch of new gear from ubiquity which would be really great to have high availability within our UniFi consoles if you have any questions about this video please leave it in the comments below if you like this video hit the Thumbs Up Button if you're new here please subscribe and hit the Bell icon alright thanks
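The two LAN Out rules built for the VPN subnet earlier in the transcript, as an added Python example that is not code from the video or from Ubiquiti: a first-match model of the rule list that shows why the "VPN to NAS" allow rule only takes effect once it is dragged above the "block VPN users to all subnets" drop rule. The VPN client address 192.168.4.10 and the fall-through default of accept are assumptions made for the example; the IP groups and device addresses are the ones named in the video.

```python
"""Added example (not from the video or Ubiquiti): minimal first-match model
of the UniFi LAN Out rules created for the VPN subnet, to show why rule order
matters. The VPN client address and the 'accept' default are assumptions."""
import ipaddress
from dataclasses import dataclass

# Profiles > IP Groups as created in the video.
VPN_USERS = [ipaddress.ip_network("192.168.4.0/24")]        # OpenVPN gateway subnet
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYNOLOGY_NAS = [ipaddress.ip_network("192.168.10.220/32")]  # single-host destination

PDU_PRO = "192.168.10.142"   # device the VPN user should no longer reach
NAS = "192.168.10.220"       # the one host the VPN user may still reach
VPN_CLIENT = "192.168.4.10"  # constructed: a client inside the VPN users group


@dataclass
class Rule:
    name: str
    action: str        # "accept" or "drop"
    source: list       # list of ipaddress networks (an IP group)
    destination: list


def _in_group(addr: str, group: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def evaluate(rules: list, src: str, dst: str) -> tuple:
    """Walk the LAN Out list top to bottom; the first rule whose source and
    destination groups both match decides. Nothing matching falls through to
    the assumed default of 'accept'. Returns (action, rule name)."""
    for rule in rules:
        if _in_group(src, rule.source) and _in_group(dst, rule.destination):
            return rule.action, rule.name
    return "accept", "default"


BLOCK_ALL = Rule("block VPN users to all subnets", "drop", VPN_USERS, RFC1918)
ALLOW_NAS = Rule("VPN to NAS", "accept", VPN_USERS, SYNOLOGY_NAS)

# Order as the rules land when first added: the allow sits under the block rule.
AS_ADDED = [BLOCK_ALL, ALLOW_NAS]
# Order after the drag-and-drop in the LAN section: allow above the block rule.
REORDERED = [ALLOW_NAS, BLOCK_ALL]


def vpn_reachability(rules: list) -> dict:
    """Action each rule set takes for the VPN client towards the PDU Pro and the NAS."""
    return {dst: evaluate(rules, VPN_CLIENT, dst)[0] for dst in (PDU_PRO, NAS)}


if __name__ == "__main__":
    for label, rules in (("as added", AS_ADDED), ("reordered", REORDERED)):
        print(label, vpn_reachability(rules))
```

With the allow rule below the drop rule the NAS ping still fails, exactly as in the video; only the reordered list drops the PDU Pro while accepting the NAS.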
Info
Channel: Mactelecom Networks
Views: 192,518
Keywords: ubiquiti unifi, udm pro, unifi dream machine pro, unifi network, optimize unifi wifi, ubiquiti unifi dream machine, udm setup 2023, udm se setup, udm pro setup 2023, udm pro setup vpn, unifi wireguard, unifi wireguard vpn server, unifi site magic, unifi site to site vpn, unifi backup controller, udm pro se wifi setup, unifi firewall rules, unifi firewall setup, unifi firewall rules explained, unifi firewall vpn, unifi firewall and security settings
Id: bWJNZvXXgf8
Length: 47min 16sec (2836 seconds)
Published: Tue Sep 26 2023