UniFi Secure IoT Network Setup – I need your input, again!



Hi, I'm Willie, and thank you for coming to my channel. Thank you to everyone; I am so glad that you're here. Before we get started on tonight's content I just want to do a little bit of housekeeping.

So the first thing is: you have made your voices heard, and I appreciate that. So next week, because it's gonna take me a few days, we are going to do the full stack of these Zyxels. So this is coming next week. We're gonna do the gateway, the switch and the access point, and I may have to break it up into a few videos; you know I don't like my videos to get too long, but there's a lot to this. This is a new product, and so, you know, we got to give it a fair shake. So that's coming next week.

The next thing that I wanted to talk to you about is I have a new watch. I have a TicWatch, and I'm gonna do a video on this. I may do it on a live stream or whatever, but if you've followed me for a while you know I have a Pebble Time Round, and Fitbit bought Pebble. The support officially ends for the software on the Pebble; they extended it to June of 2018. However, there's no hardware warranty on those devices, and it's a bit disingenuous to me, it may be a bit deceiving: if you have a Target... I was at Target last weekend and they have brand-new Fitbit, er, Pebble Time Rounds, and these things have no warranty as far as I know. Anyway, on my Pebble the back button stopped working, so I needed to get a new watch, so I went with a TicWatch, and so far I love it. I'm gonna do a video, but my buddy Luke has a shooting range that he has made in his shop, and we were gonna dangle the watch and we're gonna shoot it. I need you to go over to my Twitter and my Instagram, the links for those are down there, and I want you to vote on which caliber of ammunition we are going to use to shoot that. So we will try to get it captured in slow motion so you can see it, and we'll do just a video on that. So please go over and take the time to vote on that.

And then also a friend of mine named Brittany has a YouTube channel, and I used to work with her, and if you or someone you know is into makeup and the vlog scene, Brittany has her own makeup channel, and I'm gonna put a link to her channel down in the description. And she is hilarious; in fact, if you listen to her talk about how she traded her tricycle for a donut, she's absolutely hilarious. She's really good with makeup. I think she's going to be a pretty big YouTuber in a couple of years, but I'll put her link, and if you or anyone you know is interested in that, you know, go check her out.

So I think that's all the housekeeping items that I have. Let's see: we're gonna shoot the Pebble, I need you to vote on that; we're gonna do the Zyxel full stack; and I wanted to tell you about Brittany. Perfect.

So what tonight's video is about is I get the question all the time about UniFi IoT network setup. Now, you know that I have an EdgeRouter setup that we called IoT, but in reality it's really any network where you don't want any of those machines to see your main LAN or any other LAN, and I use this build-out all the time for compliance-driven solutions. So we are gonna look at that; we're gonna look at two different ways to accomplish that on the UniFi system. So let's get to it.

So the easiest way, and you can see I've got the lab USG and I've got a Mesh hooked up, now the easiest way to create a network on UniFi that can't get to anything else is just to make it a guest network. But that comes with some other challenges, because if we tag everything as guest then they're not going to be able to see each other. But it will accomplish it, and what I will say is, if you have devices that have to talk together, like different Sonos speakers and all those kinds of things, out of the gate just doing this, those devices won't be able to talk to each other. You'll have to enable multicast and do all kinds of stuff; I'm not gonna cover that now. I'm gonna cover how to lock the networks down.

So the first way we're gonna do this is we're gonna create guest networks all the way around. So let's do that. So we've come into UniFi, we're gonna go into Networks, and right now you can see we've got Happy LAN, and we want our LAN to be happy; we don't want anybody jacking around in there. So we're gonna create a new network and we're gonna call this the IoT network, and we're going to make it a guest network, we're gonna make it VLAN 99, and we're gonna make it 10.10.10.1/24. We're gonna let it have all of the ranges at once; we're not going to get into any other complicated setup. We're going to click Save. So now UniFi is going to provision this out to the USG; it's gonna set up those guest rules, and no one in that network is gonna be able to get to any of our other networks.

A lot of your IoT devices are also not hardwired, so now what we need to do is create a wireless network that corresponds to this, and then we're gonna take it one step further. If you remember right, the access points themselves actually have a firewall that can be configured, and that's the guest network in it: at the access point, you know, the physical access point stops people from being able to communicate. So let's take a look at that. We're gonna come over here to Wireless, we're gonna create a new wireless network, and for simplicity we're gonna call it IOT. We are gonna make it personal, and we're gonna say, and I'll show you this, it's going to be "awesome IOT network" exclamation point. And then we're gonna check this "apply guest policies". If you remember what that does, now everything is provisioning, so we can go down here to Guest Control, and without the guest portal turned on, what it does is it uses these post-authorization restrictions right here to configure that firewall that is on the access point, and that's what keeps the wireless devices, if you don't have a USG, from being able to get to anything on your internal networks. So we'll apply that, we'll go back here, and we'll look; looks like we've still got devices provisioning, but this is done. This is done: if you have IoT devices, they absolutely cannot get to your LAN, they cannot see each other, they can't see any other devices. You're done.

But what happens if you have multiple devices that need to be able to see each other? So now we're gonna kind of strip out some of that that we've done; we're gonna do this the second way. So we're actually gonna go to our IoT network, we're gonna take off the guest access on the wireless network, we're going to change the type (the network is gonna go to a corporate network), and then we're gonna build out firewall rules. So we're gonna take a look at this, make sure everything's provisioned, everything's happy now. So we're gonna go back to our Settings, we are going to go back to Wireless Networks, we are gonna edit this, and we're gonna uncheck the "apply guest policies". So now that firewall will actually be turned off on the AP. That's the first step. Devices still probably won't be able to see each other; they might be able to, I haven't actually confirmed that, but I'm just gonna run on the assumption that they can't. So we're gonna come in here to Networks, and how we've got this set up is as a guest network; we're gonna change this now to a corporate network and we're gonna save this. Once everything is provisioned we need to go in and we need to create a set of firewall rules on the LAN IN. Now, you can go back to my EdgeRouter videos, and I explained the LAN IN, LAN OUT, LAN LOCAL, WAN IN, WAN OUT, WAN LOCAL rules, and as I explained them on an EdgeRouter they are the same for a USG, because remember, inside every USG there's an EdgeRouter trying to bust out, right? I love that saying for some reason. So let's see if everything is provisioned; looks like our USG, excuse me, is still provisioning, and we'll give it just a second.

So one other quick thing is, if you remember how they used to have the little refresh thing here: if you go into your Preferences there's this slider right here that says "enable refresh button"; save and close, and look, our refresh button is back. So you can turn that refresh button back on.

All right, so let's go in now. Let's go to our network; we can see that it is no longer a guest network. So now we need to hop over to the Firewall and we need to create some rules, and we're going to create them in the LAN IN. Now, everything is run through this USG, so we don't need to create any groups or any settings or anything like that. We're gonna create a new rule, we're going to call this "IOT rule one", and we're gonna run it before the predefined rules, because remember, the firewall processes those rules in order. We want to drop all traffic, and you can enable logging if you want to. But now what we're gonna do is: our source is going to be our IoT network, our destination is going to be our Happy LAN, and we're gonna save that. Now what you can see is, on the LAN IN rule set it created rule number 2000, that's enabled, it's called IOT 1, and it's gonna drop all protocols from the IoT network that try to get to the Happy LAN. And that's it; it's really that easy. Then you can start adding exceptions and things like that.

So if you liked this video please give me a thumbs up, please subscribe, please comment and share, please follow me on Twitter and Instagram. If you need to buy any gear there's always those Amazon affiliate links; that doesn't change your price, but I appreciate that couple of bucks that it throws over to the channel. Go check Brittany out, go vote on the caliber that we're gonna shoot that watch with. If you need consulting, those links are down there too; I'm taking on more and more consulting clients all the time, and I've got expanded hours for consulting, those early a.m. appointments and the late p.m. appointments and Saturdays and Sundays. And as always, we'll see you in the next video.
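
The rule the video ends with (LAN IN, drop everything from the IoT network to the Happy LAN, placed before the predefined rules) and the questions in the comments below about LAN-to-IoT traffic, DHCP/DNS, and an IoT SSID that was never tagged to VLAN 99 can all be reasoned about with a small model of how the USG walks its LAN-side chains. The Python below is an added illustration written for this page; it is not code from the video, from Ubiquiti, or from the EdgeOS firewall. It assumes a Happy LAN subnet of 192.168.1.0/24 and gateway addresses ending in .1 (the video never states them), models only the user-created rules (the predefined rule set is left out), and stands in a simplified flow table for real connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the video: the IoT network is 10.10.10.1/24 on VLAN 99.
IOT_NET = ip_network("10.10.10.0/24")
# Constructed for this model: the video never shows the Happy LAN subnet.
HAPPY_LAN = ip_network("192.168.1.0/24")
# Assumed USG interface addresses (DHCP/DNS for each network live here).
GATEWAY_IPS = {ip_address("10.10.10.1"), ip_address("192.168.1.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Rule:
    index: int                 # UniFi numbers "before predefined" rules from 2000
    name: str
    action: str                # "accept" or "drop"
    src_net: object = None     # ip_network, or None for "any"
    dst_net: object = None
    established: bool = False  # True = only matches replies to tracked flows


def in_net(ip, net):
    return net is None or ip_address(ip) in net


class LanFirewall:
    """LAN IN / LAN LOCAL model: rules sorted by index, first match wins,
    default action accept when nothing matches."""

    def __init__(self, lan_in_rules):
        self.rules = sorted(lan_in_rules, key=lambda r: r.index)
        self.flows = set()   # (src, dst) of forwarded flows that were accepted

    def chain_for(self, pkt):
        # Traffic addressed to the gateway itself is LAN LOCAL, not LAN IN.
        return "LAN_LOCAL" if ip_address(pkt.dst) in GATEWAY_IPS else "LAN_IN"

    def process(self, pkt):
        """Returns (chain, matched rule name or None, verdict)."""
        chain = self.chain_for(pkt)
        if chain == "LAN_LOCAL":
            return chain, None, "accept"   # no LAN LOCAL rules in this model
        is_reply = (pkt.dst, pkt.src) in self.flows
        for rule in self.rules:
            if rule.established and not is_reply:
                continue
            if in_net(pkt.src, rule.src_net) and in_net(pkt.dst, rule.dst_net):
                if rule.action == "accept":
                    self.flows.add((pkt.src, pkt.dst))
                return chain, rule.name, rule.action
        self.flows.add((pkt.src, pkt.dst))
        return chain, None, "accept"


def video_ruleset():
    """Exactly what the video creates: one drop rule, IoT -> Happy LAN."""
    return LanFirewall([Rule(2000, "IOT 1", "drop", IOT_NET, HAPPY_LAN)])


def ruleset_with_established():
    """Variant described in the comments: accept established IoT -> LAN first."""
    return LanFirewall([
        Rule(2000, "Allow established IoT->LAN", "accept", IOT_NET, HAPPY_LAN,
             established=True),
        Rule(2001, "IOT 1", "drop", IOT_NET, HAPPY_LAN),
    ])


def run_scenario(fw):
    """Five constructed packets covering the cases the video and comments raise."""
    out = {}
    # 1. IoT device probes a LAN host: must be dropped.
    out["iot_to_lan"] = fw.process(Packet("10.10.10.50", "192.168.1.20"))[2]
    # 2. Phone on the LAN opens a connection to an IoT device.
    out["lan_to_iot"] = fw.process(Packet("192.168.1.20", "10.10.10.50"))[2]
    # 3. The IoT device answers that connection.
    out["iot_reply"] = fw.process(Packet("10.10.10.50", "192.168.1.20"))[2]
    # 4. IoT device does DHCP/DNS with the USG: handled in LAN LOCAL.
    out["iot_to_gateway"] = fw.process(Packet("10.10.10.50", "10.10.10.1"))[0]
    # 5. "IoT" client whose SSID was never tagged VLAN 99, so it got a LAN address.
    out["untagged_client"] = fw.process(Packet("192.168.1.77", "192.168.1.20"))[2]
    return out


if __name__ == "__main__":
    for label, fw in (("video rules", video_ruleset()),
                      ("with established rule", ruleset_with_established())):
        print(label, run_scenario(fw))
```

Running it shows what several commenters ran into: with only the drop rule, a phone on the LAN can send to an IoT device but the device's reply is dropped, while an accept-established rule ordered ahead of the drop lets replies through without opening IoT-initiated access. Packets to the gateway's own address never traverse LAN IN, so the rule does not interfere with DHCP or DNS served by the USG, and a client that was never tagged onto VLAN 99 sits in the Happy LAN subnet and is not covered by the rule at all.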

30 Comments

  1. Willie Howe said:

    Follow up video coming as I forgot one detail!

    May 22, 2019
    Reply
  2. Eric Frederich said:

    After setting it as a corporate network but before setting the firewall rule I'm confused how these two networks could see each other without defining any routes. Are these routes implicit? My route list is completely empty and my two corporate networks can see each other.

    May 22, 2019
    Reply
  3. Jeff smith said:

    Can you link the video that explains the WAN IN, WAN OUT, WAN LOCAL, etc.?

    May 22, 2019
    Reply
  4. Tony Calabrese said:

    Would this IoT setup keep cloud cameras from getting hacked?

    May 22, 2019
    Reply
  5. luckydice said:

    Video starts at 3:30

    May 22, 2019
    Reply
  6. kaging said:

    starts at 3:30

    May 22, 2019
    Reply
  7. Pedro Lopez said:

    I have a question… I set up the LAN IN firewall rule. I cannot ping my Cloud Key or switch, but I can still ping my LAN 1 from the IoT network. I set the IoT network to VLAN 10 and the wireless IoT network. Thank you for any suggestions. I enjoy your videos.
    USG, Cloud Key, Switch 8 60W, and AP PRO C

    May 22, 2019
    Reply
  8. Zachary Carter said:

    Do I need to add exceptions for DNS or DHCP?

    May 22, 2019
    Reply
  9. Whit Whittle said:

    Sorry to bring up a question on an older video, but with your setup, should you be able to ping from your LAN to your IoT network? I've set up mine following this, but I can't communicate from my main LAN to the IoT network… I feel like I'm missing something?

    May 22, 2019
    Reply
  10. bferrell said:

    Willie – I did exactly this, except I added an Accept Established from IOT->LAN so that my LAN could reach into (initiate the communication with) the IOT network. I have been placing my HomeKit devices in the IOT network and it all appears to be working fine.

    May 22, 2019
    Reply
  11. Kelvin W said:

    Awesome video. The only thing I'd ask is please reduce the pre-content plugs (4 minutes is a bit excessive). Also, when you reference your EdgeRouter FW policy video, could you please add links in the description 🙂

    But loved the video and format, so thumbs up and subscribed.. Thanks for making this.

    May 22, 2019
    Reply
  12. TrillasAdventures said:

    So if I create this IoT network but my phone is still on my main WLAN, will my phone be able to control things on the IoT VLAN?

    May 22, 2019
    Reply
  13. Ben TheGuru said:

    LOL, just took over large client who got screwed over with bullshit networking, bloody Chinese Zyxel USG310, still with plastic on it that is about to be removed.

    May 22, 2019
    Reply
  14. Brittney Sun Beauty said:

    Thanks for the shout out Willie! My next upload Sunday is when I chat about you 😊 Also, super excited about the TicWatch; I used to have a Pebble Time Round and I loved it!! PS. Keep up the amazing videos and content!

    May 22, 2019
    Reply
  15. Jeffrey Ragland said:

    Months ago I had a business customer install a Ring Pro doorbell, after which I had to spend hours trying to get through the USG firewall. Thanks for making this a simple process for everyone. I will now reconfigure my home USG to work with an Ecobee thermostat using this procedure. Thanks!

    May 22, 2019
    Reply
  16. Philip Cook said:

    Perfect timing. I was just wanting to segment my camera network. Now I don't need to go rooting around on the web.

    May 22, 2019
    Reply
  17. Lee Tyler said:

    Thank you so much for doing this!! Thank you for reading my email and doing this; you're awesome. I'm guessing you just tag each device with the new network VLAN?

    May 22, 2019
    Reply
  18. Eric Muhly said:

    Please explain why this still allows network scan utilities to find devices. For example, Net Analyzer on iOS finds the IP addresses of the other devices on my guest network. However I cannot ping them. So the firewall does seem to be working to some degree. Thanks for the great tutorial.

    May 22, 2019
    Reply
  19. Jeff Gruber said:

    Great vid Willie, nice and quick setup for IoT devices. I do mine slightly differently, but achieve the same in the end.

    May 22, 2019
    Reply
  20. Tookster said:

    Willie, you beauty, just what I have been waiting for! Can't wait to get this set up tmr!

    May 22, 2019
    Reply
  21. Patrick Langendoen said:

    Thanks. I personally prefer not to allow my IoT stuff to access the internet. Only allow access to the local MQTT server. No need for the Chinese developers to know stuff about me and my usage.

    May 22, 2019
    Reply
  22. Eric Goodrich said:

    Remington .44 Mag

    May 22, 2019
    Reply
  23. SyberPrepper said:

    Love all your videos, but I really need videos like this: setting up VLANs and how to set up the various rules to make them secure. Another video I would love to see from you is how to set up a backup VLAN using separate NICs on each PC. Would love to see all the VLAN setup and USG rules and issues for this. Thanks.

    May 22, 2019
    Reply
  24. orion smith said:

    50 BMG

    May 22, 2019
    Reply
  25. joel toh said:

    Is that a Xiaomi router at the back? Btw not sure how many of the neck beards here care about makeup

    May 22, 2019
    Reply
  26. jcgoobee said:

    It's great that you can lock down the wireless network, but I don't think you can lock down UniFi switches by port security like the EdgeSwitches can. Big bummer, as this should be a basic feature.

    May 22, 2019
    Reply
  27. @rgod360 said:

    vlan dynamic vlan dynamic vlan dynamic in UAP is my fantasy ajajajajajja 😛

    May 22, 2019
    Reply
  28. Michel Helvensteijn said:

    45 Magnum

    May 22, 2019
    Reply
  29. Fausto B. Cruz said:

    I can't like the video because you forgot one major thing: you never set the IoT WLAN to VLAN 99, so it will be on the "Happy LAN" corporate network and will never follow the firewall rules. Womp, womp…

    May 22, 2019
    Reply
  30. Charlie d'Gabriel said:

    You are a life saver, thanks a million!

    May 22, 2019
    Reply
