Unifi USG and UDM Firewall Rules 2020

Captions
Hey everyone, Cody from Mactelecom Networks. In this video we're going to go over UniFi firewall rules, and we're also going to configure some firewall rules. I'll also explain to you what the WAN In, WAN Local, and the same with the LAN and the Guest firewall rules do, and we'll configure different sets of firewall rules to block all inter-VLAN routing and to put in some accept rules to allow us to reach different devices. We'll also set some rules up so that our IP cameras can't actually connect to the internet, but we could connect to our IP cameras if we log in through our VPN. If you guys are new here, hit the subscribe button, and make sure to hit the like button. If you'd like to hire me for network consulting, visit www.mactelecomnetworks.com, and you can find us on Instagram at mactelecomnetworks.

So first off, let's go over some of the actual firewall rules, and I'll post this link down in the description below. This is just from help.ui.com, and it explains what the firewall rules do and the differences between them. First off we need to understand what these all do. So there's three different types: there's your WAN, there's your LAN, and then there's the Guest. So the WAN contains IPv4 firewall rules that apply to the actual WAN connection. For the LAN, it contains IPv4 firewall rules which are for your actual LAN, so different corporate networks. For Guest, these rules will apply to the actual guest network. If we were to go into our UniFi controller, go to Networks, go to Local Networks and then go to Create, so we'll create an advanced one down here, this is where we're specifying between Corporate, which would be our LAN, and Guest. So if we're doing guests, all those firewall rules will be done under the Guest, and if we're doing corporate, that will all be done under the LAN. And then these other three, those just pertain to IPv6, which we won't be covering.

So then within the WAN, LAN and Guest there's three different subsets of firewall rules: there's the In, Out and Local. So the Local applies to the traffic that is destined for the UDM or the USG itself. The In applies to traffic that is entering the interface, so the ingress, destined for other networks, so this could be inter-VLAN routing from one network to the other. Out applies to the traffic that is exiting the interfaces, so the egress of our network, so if we're going out to the internet or out to another network.

So within UniFi firewalls there are different states: there's New, Established, Invalid and Related. So New are the incoming packets and they're from new connections, so brand new connections that you haven't made before in that session. Established are the incoming packets that are already associated with an existing connection. Related are new packets, but they're already associated with existing connections. And Invalid means that the incoming packets do not match any of the other states.

All right, so let's get started with some of the firewall rules, the basic firewall rules to allow connectivity and to block inter-VLAN routing between our different networks. So here you can see that I have five different networks: I have my main LAN, which is used for my admin, I have my Mactelecom Guest, we have an IoT network, a camera network, and then just another guest network. So we want to allow our main LAN to be able to talk to all these other networks, but we don't want these networks to talk to anything else. So let's go ahead and create some firewall rules. So I usually do mine in classic mode to do the firewall rules, so we'll switch over and go to Routing & Firewall, we'll click on Firewall, and most of the rules that we'll be doing are in the actual LAN section of this. So first we're going to go to LAN and we're going to create a new rule. So our first rule is going to be to allow established and related traffic. So what this means is, if we already have an established connection, to allow it, and if there's a new packet incoming that is related to our established connections, to allow that as well. So we're going to press Accept for the actual action, and then for states we're going to go Established and Related, and that's it, so then we'll press Save.

The next thing we need to do, we need to create a group to cover all of our private IP addresses, so our 192.168, our 172.17 and our 10.0.0 networks. So how we do that: we go over to Groups and we create a new group. So from here we could just call it RFC 1918, and then under here we could specify different networks. So the first one will be 192.168.0.0/16, the second one will be 172.16.0.0/12, and the last one will be 10.0.0.0/8. So that covers all our private IP address ranges; these IP addresses are non-routable on the internet.

Now we're going to want to go back to the Rules IPv4 and go back to LAN In. So the next rule we want to create is to allow our main LAN to be able to talk to every other LAN. So we'll create a new rule, so we'll go "Allow main LAN to all", and then we'll go Accept, and under here our source type is going to be a network, and this network is going to be our LAN, and under destination we're going to click the new group that we just created, the RFC 1918, and then press Save. So that's going to allow our main LAN to be able to talk to anything without any restrictions.

The next rule that we want to make is to block all inter-VLAN routing, so the IoT network won't be able to reach our guest network, the guest network can't reach the IoT network, or they can't access any other network except their own. So how we do that: we'll go to create another rule under the LAN In, so we'll go "Block all inter-VLAN routing". Our action is going to be to Drop, source will be the RFC 1918, and our destination will be the RFC 1918, then we'll press Save. That now blocks all the inter-VLAN communications besides allowing our main LAN to talk to everything.

Let's go ahead and I'll show you guys that this inter-VLAN routing is actually blocked. I'm going to go over to my switch and switch this computer into a different network, so we'll just go to the pencil icon and then go to switch port profiles, and I'm going to move myself into the IoT network and we'll press Apply. From the IoT network we should be able to reach our IoT gateway, but we shouldn't be able to reach any other network. The switch has put us into a new network, and we could confirm that by going ipconfig and then scrolling up to our adapter, and we can see that we're in 192.168.30.87 right now. I will only be able to communicate with devices that are on my network currently. So we have a device right here, 192.168.30.57; let's try to hit that, so ping 192.168.30.57, and we could see that the requests don't time out, we could actually communicate with this device. We could also communicate with our gateway, which we're going to want to block access to the gateway for anybody else but admins, and I'll be showing you guys how to do that as well. Now if I try to ping or communicate with another device on a different network, I won't be able to, and I'll just try to hit my front doorbell, so we'll just ping 192.168.40.131, and as you can see the requests are timing out, so the inter-VLAN routing block has actually worked.

Right now we have inter-VLAN routing blocked, but we could still reach our gateways and gateways of other networks. So if I tried to hit the 40.1 gateway IP, we're going to be able to do that. We don't want to have our clients or IoT devices access to our actual router firewall. Right now we could go up and go to 192.168.30.1 and we can log in to our UniFi Dream Machine Pro, and we don't want to be able to have that. The next rules we have to do is to block access to all the other network gateways. This won't block access to our own gateway, but I'll show you guys how to do that after we put these rules in. We're going to want to create a few different groups, that is "Block guest to all gateways", "Block IoT to all gateways", "Block camera to all gateways", and then "The Queen's Palace", which is just a different network I have, to all gateways. Let's go ahead and create these four groups. What we're going to do: we're going to go into Firewall, we're going to go to Groups, and then we're going to create a new group. So the first group will be "Block guest to all gateways", and then we're going to end up putting all the gateway IP addresses except the one that the guest is on, so 192.168.10.1, 192.168.30.1, which is our IoT network, 192.168.40.1, and then 192.168.50.1, and press Save. So now we have to create another one, so this is the "Block IoT to all gateways", and the same thing applies: we need to put in all the gateways except the IoT gateway, which is on 30, so 192.168.10.1, 192.168.20.1, 40.1 and 50.1, and then press Save. We need to create two more; I'm going to fast forward through this and then we'll get to actually blocking these gateways.

We have all our groups created; we need to go create the firewall rules. So we'll go to Rules IPv6, and then for this time we're going to go under LAN Local. This will block the gateways. So we'll go to Create New. So the first one is going to be "Block guest to all gateways", so the action will be to Drop, our source is going to be a network, and this network is going to be our Mactelecom Guest, under the destination it's going to be an address/port group, which will be the "Block guest to all gateways", and then we'll press Save. We need to make three more rules. The next one is to "Block IoT to all gateways", and the action is going to be Drop this whole time; the source is going to be network of the IoT network, and the destination will be the address/port group of the "Block IoT to all gateways". Our third rule is going to be to block the camera to all gateways; the source type will be network, and it will be our camera network, and our address/port group will be the "Block cameras to all gateways". And our last rule is going to be the Queen's Palace, which will be the action Drop, and then our source will be a network of the Queen's Palace, and the address/port group will be the Queen's Palace, and then we'll press Save. I'm going to put this computer into the IoT network, and we won't be able to ping any of the other gateways.

Okay, so we're back on our IoT network. I'll go ipconfig and we can see we're on 30.87. So now if I try to ping, say, the camera gateway, we won't be able to, so ping 192.168.40.1, and you can see that the requests time out. If we actually try to go to the URL, we won't be able to get there either; it will time out. The same for the 20 network and the 50 network, and our admin network, which is the most important, which is the 10; we won't be able to get there as well. But right now there's one issue: we could still reach our own gateway. So if we ping 192.168.30.1, we're still able to hit that, and anybody would be able to get to our router and maybe try to brute force their way into our router firewall, but we will create a firewall rule so that we can actually get to this router interface.

All right, so now we have to create a rule so that we can't access any of the gateways except from our admin. So what I'm going to do: I'm going to create a new group, and I'm just going to call this "Dream Machine networks", and then I'm going to put all the Dream Machine network gateway IPs, so 192.168.10.1, 20.1, 30.1, 40.1 and 50.1, and then press Save. Now we're going to create another group to block HTTPS, HTTP and SSH. So we'll go create new group; it will be a port group, so we'll just go "Web and SSH". So the first port will be 443, second port will be port 80, and the third port will be 22. So this is for HTTPS, this is just HTTP, and then this will be SSH, and we'll press Save.

Let's create a rule for the IoT network to not be able to reach any of the gateways. So we'll go to Rules IPv4, LAN Local, and then we'll create a new rule. So this rule will be "Deny IoT to gateway web interface and SSH", and you can name this anything you want as long as it makes sense to you. So the action is going to be Drop, the source will be a network, and that will be our IoT network, the destination will be an address/port group, and it will be the "Dream Machine networks" group that we just created, and the port group will be the "Web and SSH", and then we'll press Save. Now I'm going to put this computer back onto the IoT network, and we'll see that we can't actually access any of the web interfaces. We're back on the IoT network, and you can see that we're at 30.87 again. So let's try to go to the web interface of 192.168.30.1, and you can see that we're not able to get access to it. One thing that the IoT network could still do is ping the gateway 30.1, so we could go ahead and block that as well. To block ping requests, or ICMP traffic, to our gateway, we could go under the LAN Local, create new rule, so we could "Block ICMP from IoT to gateways". So we're going to want to Drop, and then our protocol will be ICMP, our source is going to be a network of IoT, destination will be the IPv4 address group of our Dream Machine networks, and then we can press Save. Now if we try to ping the gateway it should time out, so ping 192.168.30.1, and you can see that it actually times out, but we still have internet access, so if we try to ping google.ca we get responses and we're able to connect to the internet.

One set of rules that I've had a lot of people ask me about lately is how to block your cameras from actually reaching out to the internet, and I could show you guys how to do that right now. Now we're going to create a firewall rule so now that our NVR doesn't have access, and I'll show you right now that I actually do have access on my phone, so I'll click the Protect and you guys can see my camera is right there. Let's go ahead and create a rule, and then we won't be able to. What we want to do, on the WAN In, create a new rule, we'll go "Drop NVR traffic", we're going to Drop, and the source is going to be Any, and the destination is going to be our network of cameras, so we'll press Save, and now once this provisions we won't be able to access our cameras. Okay, so it's provisioned, and you can see at the bottom here it's saying that it can't connect to the controller, so now we can't connect to our cameras. This is great for security, so that your NVR doesn't have access to the internet, so you'll have to create a VPN to get into this network and then view your cameras. We can see the cameras aren't blocked right now; we could go up to the top and go to our cameras, and you could see that we could still access it while we're on the internal network, but external networks won't be able to see it. If I connect my phone to the VPN, we'll be able to connect to the web GUI of the cameras. Now connected to the VPN, I'm going to open up a web browser on my phone, and you can see that it brings us to the UniFi OS, and this is our camera system.

We've created a lot of deny and block rules, but if we want to do an accept rule, this is how we would do it. So we're going to allow the IoT network to be able to talk to my Synology NAS. This will be just temporary, and I'll show you that I can't hit my Synology NAS on the IoT network right now. So if we try to ping my Synology NAS, it will time out, so let's go ping 192.168.10.114, and you can see that it times out. So we need to put an accept rule above the "Block all inter-VLAN routing" for this to work. So in our firewall rules we're going to go to LAN In, we're going to go create new rule, and we're going to "Allow IoT to NAS", and then our action will be to Accept, and the source is going to be a network of our IoT network, and the destination we'll put in as an IP address of our NAS, 192.168.10.114, and we'll press Save. Right now we still won't be able to access our NAS; what you need to make sure to do is actually put this rule above the "Block all inter-VLAN routing". So now, after moving the rule up, we will be able to access the NAS from our IoT network. Now if we try to hit our NAS it should be successful, so ping 192.168.10.114, and you could see that we could enter the NAS now and we could share resources on that.

So that's pretty much it for firewall rules. If there's something else you guys would like to see, please leave a comment below and I'll try to do it in a next updated version of this, but I think that covers a lot of questions that people had. If you guys like this video, please hit the thumbs up button; if you're new here, please subscribe and hit the bell icon. All right, thanks.
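The rule sets built in the transcript are evaluated top to bottom and the first matching rule decides, which is why "Allow IoT to NAS" only works once it sits above "Block all inter-VLAN routing", and why the LAN Local rules can block the gateway's web interface while DNS and internet access keep working. The following Python model is an added example, not code from the video or from Ubiquiti. It reuses the video's group names and the addresses it states, and assumes /24 subnets for VLANs 10, 30 and 40, that traffic matching no rule is accepted (as the inter-VLAN traffic was before the drop rule existed), and that the "Web and SSH" port group is applied to TCP only; it is a simulation of rule ordering and matching, not of the UDM's real packet path.

```python
"""First-match model of the LAN In, LAN Local and WAN In rule sets from the video.

Added example; the addresses come from the transcript, the /24 subnet sizes and
the 'accept when nothing matches' default are assumptions of this model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Set, Tuple

# Address groups (constructed from the transcript; the /24s are assumed).
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
MAIN_LAN = [ip_network("192.168.10.0/24")]      # admin LAN, VLAN 10 (assumed /24)
IOT = [ip_network("192.168.30.0/24")]           # IoT network, VLAN 30 (assumed /24)
CAMERAS = [ip_network("192.168.40.0/24")]       # camera network, VLAN 40 (assumed /24)
NAS = [ip_network("192.168.10.114/32")]         # Synology NAS from the video
DREAM_MACHINE_GATEWAYS = [ip_network(f"192.168.{v}.1/32") for v in (10, 20, 30, 40, 50)]
WEB_AND_SSH = {443, 80, 22}                     # the "Web and SSH" port group


@dataclass
class Packet:
    src: str
    dst: str
    state: str = "new"          # new | established | related | invalid
    proto: str = "tcp"          # tcp | udp | icmp
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                               # "accept" or "drop"
    src: Optional[Sequence] = None            # None = any source
    dst: Optional[Sequence] = None            # None = any destination
    states: Optional[Set[str]] = None         # None = any state
    proto: Optional[str] = None               # None = any protocol
    dports: Optional[Set[int]] = None         # None = any port

    def matches(self, p: Packet) -> bool:
        def in_group(addr: str, group) -> bool:
            return group is None or any(ip_address(addr) in net for net in group)
        return (in_group(p.src, self.src)
                and in_group(p.dst, self.dst)
                and (self.states is None or p.state in self.states)
                and (self.proto is None or p.proto == self.proto)
                and (self.dports is None or p.dport in self.dports))


def evaluate(ruleset: Sequence[Rule], packet: Packet, default: str = "accept") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule.

    Unmatched traffic is accepted (assumption), which is why the explicit
    RFC1918-to-RFC1918 drop rule is needed to stop inter-VLAN routing."""
    for rule in ruleset:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "(default)"


# LAN In rules in the order the video ends up with.
ALLOW_ESTABLISHED = Rule("Allow established/related", "accept", states={"established", "related"})
ALLOW_MAIN_LAN = Rule("Allow main LAN to all", "accept", src=MAIN_LAN, dst=RFC1918)
ALLOW_IOT_NAS = Rule("Allow IoT to NAS", "accept", src=IOT, dst=NAS)
BLOCK_INTER_VLAN = Rule("Block all inter-VLAN routing", "drop", src=RFC1918, dst=RFC1918)

LAN_IN_CORRECT = [ALLOW_ESTABLISHED, ALLOW_MAIN_LAN, ALLOW_IOT_NAS, BLOCK_INTER_VLAN]
# The ordering the video warns about: the accept rule never gets a chance to match.
LAN_IN_WRONG = [ALLOW_ESTABLISHED, ALLOW_MAIN_LAN, BLOCK_INTER_VLAN, ALLOW_IOT_NAS]

# LAN Local rules: traffic addressed to the UDM/USG itself.
LAN_LOCAL = [
    Rule("Deny IoT to gateway web interface and SSH", "drop",
         src=IOT, dst=DREAM_MACHINE_GATEWAYS, proto="tcp", dports=WEB_AND_SSH),
    Rule("Block ICMP from IoT to gateways", "drop",
         src=IOT, dst=DREAM_MACHINE_GATEWAYS, proto="icmp"),
]

# WAN In rule: nothing from outside reaches the camera network.
WAN_IN = [Rule("Drop NVR traffic", "drop", dst=CAMERAS)]


if __name__ == "__main__":
    for name, rules, pkt in [
        ("IoT -> doorbell", LAN_IN_CORRECT, Packet("192.168.30.87", "192.168.40.131")),
        ("admin -> doorbell", LAN_IN_CORRECT, Packet("192.168.10.5", "192.168.40.131")),
        ("IoT -> NAS (rule above block)", LAN_IN_CORRECT, Packet("192.168.30.87", "192.168.10.114")),
        ("IoT -> NAS (rule below block)", LAN_IN_WRONG, Packet("192.168.30.87", "192.168.10.114")),
        ("IoT -> gateway https", LAN_LOCAL, Packet("192.168.30.87", "192.168.30.1", dport=443)),
        ("IoT -> gateway DNS", LAN_LOCAL, Packet("192.168.30.87", "192.168.30.1", proto="udp", dport=53)),
    ]:
        print(f"{name:32s} {evaluate(rules, pkt)}")
```

Swapping the two list orders and re-running shows the effect of moving the accept rule above the block, and adding a packet for a new port or protocol to the list is an easy way to check what a group change would permit before provisioning it on the gateway.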
Info
Channel: Mactelecom Networks
Views: 36,745
Keywords: ubiquiti networks, unifi dream machine pro, unifi firewall rules, unifi firewall rules between vlans, unifi firewall setup, unifi firewall rules for iot, unifi firewall best practices, unifi firewall rules tutorial, unifi firewall block website, unifi firewall configuration, unifi firewall settings, unifi firewall review, Unifi USG and UDM Firewall Rules, Unifi USG and UDM Firewall Rules 2020, Mactelecom networks
Id: vEQkCow7wdU
Length: 19min 3sec (1143 seconds)
Published: Mon Oct 19 2020