Unifi New Port profiles and Traffic management

  • Added 6 Aug 2024
  • In this video we take a look at the new way Ubiquiti is doing switch port profiles and traffic restrictions. I also take a look at Traffic management and the different traffic directions when blocking or allowing local networks
    0:00 Intro
    0:38 Taking a look at Switch port profiles
    4:24 Looking at how traffic management directions work
    8:00 Final thoughts
  • Science & Technology

Comments • 56

  • @Chris-hy6jy 1 year ago +10

    I used to think that the Cisco CLI was confusing but at least that's concise and consistent. The Ubiquiti GUI is fast becoming a bloated clusterfuck!

  • @czummo76 1 year ago +14

    This new management scheme is confusing AF. Great explanation Cody, but I wish Ubiquiti would have released a primer and some details about how this works before mass deployment. Great job as usual supporting your community, Cody!

    • @lynex4114 1 year ago +1

      I agree, it was easier before the update IMO...

  • @ashleywebber8613 1 year ago +4

    That's such a great improvement for managing the traffic between VLANS. This method looks so much more user friendly than the previous firmware process of creating port groups, established & related rules etc, etc ....... Great job and nice clear instructions !

    • @The_Tech_Ninja 1 year ago +4

      Ah, I don't think so; for me the classic firewall rules, port groups and so on… are easier. But this is a personal thing.

  • @john-meyer 1 year ago +3

    Your videos are awesome, Cody! Thanks for all the work you do to bring this content to your audience. So during the pandemic, my wife moved her creative agency into our house. This is also where I permanently work now. I'd love to see step-by-step setup for a small business, myself as a remote worker, and a home network all under one UDM-SE setup with wired LAN, Wi-Fi, IoT, wired and wireless cameras, client and server VPN, and Talk including firewall rules.

  • @ryanmiller6887 1 year ago

    Great Video Cody, Always delivering above and beyond! Cheers!

  • @michaelogrady6141 1 year ago +1

    Solid content as usual Cody! Thanks for explicitly going through it. Like many others in the thread --- I think it is ridiculously confusing and I would have had it all backwards. Looking forward to the 2023 Complete you mentioned as well.

  • @MillerTechnicalServices

    Yay now what used to be 1 click is now 3! Thank you Ubiquiti for making my wrists hurt even more on large roll outs!

  • @seanwoods1526 1 year ago +1

    Great video!!! I am not sure why a simple source and destination setup couldn't be created with the rules page with UI. As for the port profile I'll just say it works... I guess I am just old when I want to see terms like native VLAN and allowed VLAN/s. Either way Cody as I said before great video.

  • @deonh9303 1 year ago +2

    Great video Cody - thx. In your next series it would be great if you could cover the firewall rules for things like Airplay, Sonos and Casting from your Default or trusted network to the IoT network please. Thx.

  • @Poiisonfire 8 months ago

    This is solid, easy and I loved the diagrams!

  • @MrSamucbr 1 year ago

    And for the 2023 I'd love to see the usual setting up a couple networks (i.e. guest, main, iot, cameras) plus this video that for the ppl that find the 2023 setup and do not know about this one, it's gonna be great for them to see about ports and traffic.

  • @itsgeorgenz400 1 year ago

    Awesome videos - Would be really cool to see a full install with VLAN and best practice.

  • @marc3793 11 months ago

    This is a good video, thanks!
    I should move some of my firewall rules over to traffic management really.
    I agree with you on the rules being confusing.
    I think if the "traffic direction" dropdown was above the "local network" box and if the "target" box was called something else, you could see where the designer was coming from. But ultimately, it's bad UX.

  • @user-wt6ls7df4f 1 year ago

    Thanks Cody. For your upcoming 2023 network build video, I would like to see the basic setup with firewall rules for Main Network, Guest Network including both Wifi and Guest Ethernet Ports on VLAN, IoT both WiFi and IoT Ethernet Ports on VLAN, a WireGuard VPN setup like a Guest Network (Safe Video Streaming and shopping while traveling), and a shared printer setup between Main and Guest Networks. Maybe also some example of setting up multiple WiFi networks in a manner to enable/disable individual APs or even separating 2 and 5 Ghz channels per AP for testing purposes.

  • @Mark-ji5ve 8 months ago

    Good video, thanks. Would love to see a session on Traffic Management and the available granular control of defining endpoints on network or apps and assigning them to a Wan interface, assuming using load balancing. Example, I want a group of endpoints (PCs, Macs) to always use one of the Wan interfaces (unless that interface goes down). Or, ability to do same at the application level.

  • @woltjerl 5 months ago

    With the traffic rules, what helps is to remember that across all the types of rules - "target" is the device or collection of devices or network that the rule is being applied to. So when the target is IoT, and local network is CZcams, and you are blocking traffic "to all local networks" - that's a rule that applies to traffic from IoT (target) to the CZcams network.
    I do really wish that they had used source and destination terminology because that would be consistent with the way the REST OF THE KNOWN UNIVERSE understands networking.
    "Target" is just too close in meaning to "destination", hence the confusion.

  • @PrinceLX 1 year ago

    To me, this makes far more sense than the old way.

  • @petesiravo5358 1 year ago +2

    Cody - thanks for the info as always! In a recent live stream, you mentioned that the inter-vlan routing firewall rules are now giving some issues…I think you said specifically with devices trying to watch playback/video feed of Protect cameras on a separate camera network. In the next 2023 build, could you go over firewall rules and the updated ones you recommend for blocking/allowing inter-vlan routing?

  • @chandrasrinivasan6517

    Hi Cody, I love your very educational videos on everything ubiquiti. Could you provide stepwise instructions on setting up Sonos as segregated VLAN in unifi?

  • @fourhymns-worship 1 year ago

    I appreciate your concise and detailed presentations. Speaking of switches - I would like to add a second camera to the end of a cable run. Does unifi make a poe switch that could power two bullets? Thank you again for your videos.

  • @udirt 1 year ago

    Thanks for this nice overview.
    Still need to try it out but if they also improved the API for this, i'm all for it. There were so many awkward things due to the reliance on port profile overrides; the other fuckup was when you wanted to cleanly deprecate the default vlan. I mean cleanly, as in, it'll work well enough that you could for example replace a switch without odd crap.
    If it improves... And i hope that somehow it will... Then it's not too far till we can drive this from netbox.
    But for that you need to be able to say that all ports, globally should not carry X or Y except this one

  • @The_Tech_Ninja 1 year ago

    @Cody: nice video. I would like to see a 2023 full unifi network configuration video with the focus on vlans, traffic management, port security, ip and/or mac address bounding and port aggregation for NAS. 😅😊 Thanks

  • @fishermansnook3415 1 year ago

    I would like to see Unifi move "Port Profiles" up before "restrictions".
    This would encourage Port Profile creation.
    When you start a new setup, you have no port profiles defined, you would then select "create new profile" from the port profile drop-down, and fill out the allow and/or restrict sections, just as you would in the current setup.
    But you would be able to name and save the profile for future use.
    This avoids the individual detailed setup of each port, avoiding mistakes on other ports needing the same settings, as you most likely will do under the current setup.

  • @benmchutchison2006 1 year ago

    Really good explanation here. Question if you had an in-wall AP where you want both the data ports on the bottom of the access point and the SSID to be on the same network how might you achieve this? Basically, when I assign the SSID to a specific VLAN the data port on the AP doesn't seem to adhere to this and the device gets an IP from the default network. I'm trying to get that in-wall and the ports on it to be on the same network.

  • @newpylong 1 year ago

    Awesome explanation, confusing as hell. I miss Port Profiles...Or they could have just gone to what the Cisco world does and allow you to trunk all, trunk only allowed vlans or set it as an access port - and have easy to understand verbiage for this.

  • @wiebowesterhof 1 year ago +1

    One addition - the flex MINI switch does NOT work properly with the port profiles, i.e. it doesn't support it at all. And the VLAN stuff on that switch has become wildly unstable. I am ripping them out where I need more than 1 VLAN, instead using the non-flex switches (deploying a couple of The Flex Light 8 POE ones, which do appear to have this feature set). If you just need a basic switch with basic VLAN without the new switch restrictions, you CAN get it to work; just have to do way more work.
    Another thing I've noticed since these newer 3.x features came out, is that you absolutely have to ensure you get that VLAN setup right AND that you review it if you upgraded from an older 1.x or 2.x base (I guess it is more the network version, but they were kinda tied at some stage).
    Once that was worked out, all is good in the world again.
    In short - great new features, some stuff isn't 100% logical (reversed like you mention), and if upgrading after having had this in the past, make sure to review all of it. Stuff will break otherwise.
    ** corrected aug 3rd 2023 to add the word MINI to the comment about the flex. The actual flex switch DOES work **

  • @Foiliagegaming 1 year ago

    If you are using pfsense with layer 3 switches, is it allowing to have an ACL without going to ssh to do this?

  • @MrSamucbr 1 year ago

    Hey! Great vid man, but I have a question, so I made an IoT network, where I have the Chromecast (among other things) and I thought I did set up the firewall in a way that from my main connection I could cast to it, but it does not discover it. Is it something related to this traffic management instead of firewall settings? I'm kinda new to this anyways so I may have gotten it all wrong.

  • @merashid1 5 months ago

    I have set up a single server behind UDM SE Pro using port forwarding and it works. But we have many servers with unique public IP and with different web apps running on them. Is there a way to route traffic to each of these servers when the request comes in? Users will use a URL that is mapped to a public IP.

  • @HisLoveArmy 11 months ago

    What happens when you just make the "primary network" a different VLAN? Would that make it how it used to be basically and you don't have to deal with the block and allow?

  • @TangDynasty1983 11 months ago

    right until 2:27, what subnet will the PC be connected to after you configured the Voice profile? Assuming the PC is connected to the back of the VoIP phone.

  • @brandonlee9210 1 year ago

    So... is changing the network on the port manager config the same as updating through ethernet port profile and selecting the network on there instead?

  • @maxjackson.7533 1 year ago

    Is the UI the same on the UDR?
    I have seen you showcase a map where you can block certain traffic, it is possible on the Dream Router?

  • @johnbrugger6890 1 year ago +1

    Cody, on your next video for a UDM build out how about discussing network traffic restrictions in an IOT network for Sonos, Plex, XM radio, etc. How do you set up restrictions to your NAS data but still play back movies in PLEX.

    • @fcecamor 1 year ago +2

      This would be great. And also, how to use Chromecast between VLANs. Thanks

    • @benmchutchison2006 1 year ago

      @fcecamor Yeh, I'm confused about this too. I've played with the port isolation feature to get local features like AirPlay, Chromecast etc. working when I have the in-wall APs but can't get it behaving as I'd like, in particular when using the data ports at the bottom of the APs.

  • @midnightwatchman1 1 year ago

    can you set QoS settings directly on the switch without using Dream machine

  • @webbeto 1 year ago

    Is this working as a "Cisco Catalyst IOS access list"??

  • @bootsonthegroundinternet

    Would you show an example of speed limit instead of block/allow please? I can't get profile-based bandwidth throttling to work via traffic management.

    • @MactelecomNetworks 1 year ago

      Check out this video
      Unifi Wired Speed limit!
      czcams.com/video/DAs4RayaMCE/video.html

  • @einarht21 1 year ago

    Hello please make a full small business configuration from scratch, using new options to make the same configuration you had in other 2 or 3 videos (full setup)

  • @user-jd6zl8ts8v 3 months ago

    Is there a way to block IoT from hitting the gateway/UDM Pro IP addresses?

  • @fishermansnook3415 1 year ago

    I would like to see a multi-site setup controlled by one UDM SE.
    I want to have the same networks and rules with TALK and four Wi-Fi SSIDs across all sites controlled by the one UDM Console.
    This is for a large summer camp with 6 separate fiber drops/sites and one Star Link site.
    Two of the sites are 20 miles from the main camp, with 1000 campers and staff moving between them.
    I would like to manage Network Rules sharing TALK and Wi-FI login from ONE UDM console.
    I have a UDM-Pro at the main camp/office and UDRs at each remote site.
    6 sites have 1 Gig fiber service and static IPs.
    The 7th and most remote site is at 9000 ft elevation connected via Star Link.

  • @justinyoung5348 1 year ago +2

    When the Cisco CLI is more consumer-friendly than your web GUI, lol. Ubiquiti needs a better technical writer.

  • @RK-ly5qj 1 year ago +12

    Disaster, who would think like this way to manage vlans xd

  • @Oo_snow_oO 1 year ago +1

    This tool is very confusing. I have two networks - "Default" and "VLAN". So, I want the "Default" network to have a speed limit of 600Mb/s. In "Category" I choose "Internet", then desired speed limit. And then the worst thing I have ever seen is the "Target" field... It can see my VLAN network as a group of devices which is nice, but it can't see my "Default" network devices as a group where I want to have a speed limit the most so my servers would work fine if someone decided to download let's say a 100GB game. I need to add them one by one and monitor if I have new devices so I could add them to speed limit devices. Why can't I choose an IP group from IP Groups... Plus the speed limit has a bug or whatever. If I have a speed limit of 850Mb/s in the real speed test I have 750Mb/s. If the limit is 600 I will have 500 etc. It is lying for 100Mb/s every time.

  • @Sierra_Victor 1 year ago

    What a dumb way to list to/from directions.
    Curious on Threat Management on Dream Router causing too high CPU and Memory usage: are there certain threat categories to enable/disable to minimize bandwidth loss?

  • @caocao4685 4 months ago

    voip profile

  • @Chris-hy6jy 7 months ago +1

    The way they have this laid out there's no point in using Port Profiles. The Port Profile setting should be at the top which then overrides options below it. It's easier to just manually set the native VLAN etc manually than it is to set a Port Profile. Whoever the UI designer is at Ubiquiti, they need to be fired!

  • @Daniel-A84 1 year ago +1

    I think Ubiquiti need to sit down and start over. How on earth can you by default allow traffic all over the place...

    • @ashleywebber8613 1 year ago +1

      Agreed. First time using Ubiquiti drove me nuts from a Netgear/Dlink/Cisco worlds. Inter-VLAN routing should be disabled by default, and only allowed as required.

    • @woltjerl 5 months ago

      Yes, please sit down, realize you are doing this wrong, and start using industry standard defaults and terminology. I don't want any of techs learning ubiquiti networking only to be upside down when they touch anything else, or vice versa (learned Cisco in school and now everything is backwards).