UniFi Network - Firewall Rules for VLANS

  • Added 19 June 2023
  • In this video I will explain how to create Firewall Rules so that VLANS cannot talk to each other and also cannot talk to the main LAN.
    However I will also explain how to create an additional Firewall Rule which will also allow devices in the Multi Media VLAN to access a NAS on the Main LAN for streaming music and videos to a Smart TV.
    I would recommend watching my previous video in which I explain how to create VLANS and thus this Firewall Rule video takes into account the creation of the VLANS in the previous video.
    Link for the VLANS video is here:
    • UniFi Network - Config...
  • Science and technology

Comments • 24

  • @rikkretzinger8728 1 year ago +3

    Tim - this is the one I have been waiting for and is very clear and to the point as always. Thanks so much for not going at a FAST PACE and losing me with a lot of extra content that is not well explained but seems to just be throwing content out for support of calling themselves an expert at this networking subject. WELL DONE and just what and how I need my learning experience to be!

    • @MrTimTech2022 1 year ago +1

      Hey Rik, you're very welcome and sorry for the delay, it's been so time consuming with moving home and trying to fit in household stuff, work and YT, but I'm getting there :-) Thanks so much for your very kind words, yes I've found others go so fast and making the videos so quick and hard to absorb. Glad it's been helpful for you and sorry for the wait.

  • @JsmeLabs 9 months ago

    Thank you so much for this video, I finally set up my network and this explained everything perfectly! Now I know what to do and how to do it properly!

    • @MrTimTech2022 9 months ago

      Great to hear and you're very welcome. Hope you find some other videos useful on my channel too!

  • @309hex 9 months ago

    Very clear instructions, thank you.

    • @MrTimTech2022 9 months ago

      @309hex - You're very welcome, glad you found the instructions clear. Thank you for the positive feedback.
      Any suggestions for further videos you would like producing?

  • @zekeserrano5345 10 months ago +1

    Well done. But I would recommend explaining a bit more why you make the selections that you're making so that we may understand the concept for the decisions. Might help us make different choices if we understand why the particular selections were made by you in creating a rule. TIA

    • @MrTimTech2022 10 months ago +2

      @zekeserrano5345 - Thanks for your appreciation and your feedback. Yes I see where you're coming from and in future I will try to explain in as simple terms as possible why the selections are being done. I'm going to be doing a VPN access video soon so I will apply that method to that video :-)

  • @Cr4ft3r99 11 months ago

    Many thanks Tim ... followed your VLAN set-up guide and firewall rules and all worked as expected. One small request, it would help me and I'm sure others just starting out on their UniFi journey to understand a bit more about why some of these settings are as they are ... e.g. when setting up the RFC1918 group, why did we add the 172.16.0.0/12 and 10.0.0.0/8 (and why are the subnet numbers not 16, like the main IP range?) - cheers

    • @MrTimTech2022 10 months ago

      Hey @MartinWade99 - Thanks for your kind words and your suggestions, in fact someone else said the same that it would be helpful to explain why things are being done and yes I will certainly take that onboard. I will be doing a VPN connecting video coming soon and this will have firewall rules applied to it including RFC1918, so I will try to explain in simple terms why things are being done that way. Hope you're subscribed and enjoying some other videos too :-)
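
Added example (not part of the video or of any comment above): the RFC1918 group asked about in this thread, and the rule order from the video description, modelled in Python. The prefix lengths /8, /12 and /16 are the ones RFC 1918 itself assigns to the three private blocks. The Multi Media VLAN subnet, the NAS address and the default-accept fallthrough are assumptions, and matching is on addresses only.

```python
import ipaddress

# The three private blocks from RFC 1918. The prefix lengths are fixed by the
# RFC and are independent of how the local VLANs are subnetted.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing (assumptions, not taken from the video).
MEDIA_VLAN = ipaddress.ip_network("192.168.3.0/24")
NAS = ipaddress.ip_network("192.168.1.50/32")


def in_group(addr, group):
    """True if addr falls inside any network of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


# Ordered rules: (name, action, source group, destination group).
# The specific allow sits above the broad drop.
RULES = [
    ("allow-media-to-nas", "accept", [MEDIA_VLAN], [NAS]),
    ("drop-inter-vlan", "drop", RFC1918, RFC1918),
]


def evaluate(src, dst, rules=RULES, default="accept"):
    """Return (action, rule name) of the first rule matching src -> dst."""
    for name, action, src_group, dst_group in rules:
        if in_group(src, src_group) and in_group(dst, dst_group):
            return action, name
    return default, "default"  # assumed fallthrough, e.g. internet-bound traffic


def shadowed(rules):
    """Names of rules that never take effect because an earlier rule with a
    different action already covers all of their sources and destinations."""
    hits = []
    for i, (name, action, sg, dg) in enumerate(rules):
        for _, prev_action, psg, pdg in rules[:i]:
            covered = (all(any(n.subnet_of(p) for p in psg) for n in sg) and
                       all(any(n.subnet_of(p) for p in pdg) for n in dg))
            if covered and prev_action != action:
                hits.append(name)
                break
    return hits
```

Calling `shadowed()` on the rules in reverse order reports the NAS allow rule as unreachable, which is why the specific allow has to sit above the RFC1918 drop.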

  • @lmisiura 9 months ago +1

    thx

  • @you_tube754 11 months ago

    What does the first rule do?
    Thanks for the great video

    • @MrTimTech2022 11 months ago

      You must ensure you set the first rule as it basically sets a rule to make sure it allows traffic to travel around that should do and is allowed.

  • @jpavett 4 months ago

    I’ve added all the relevant rules from your video but I have one issue.
    I have two DNS servers on one of my subnets / VLANs, but these requests are still getting through to them successfully, even with the Drop rule. I was going to add an additional file to allow the traffic through before realising it was already getting through.
    DNS servers are on 10.44.3.0/24 and host using them is on 10.44.2.0/24. Not sure if you have any idea why. The rule does prevent pings between the devices?!

    • @MrTimTech2022 3 months ago

      I believe you can ping DNS servers, from memory, it's been a while since I did this video. Are you able to ping client devices within those subnets?

  • @BTC_Solo 1 year ago +1

    Hi, can you allow one specific VLAN to be connected to Tor but not the other VLANs?

    • @MrTimTech2022 1 year ago +1

      Having checked it looks like you can only use 'Ad blocking' on selected networks/VLANS. For such things as TOR and P2P it appears it can only be applied to all networks in the UniFi Network controller and not to specific/individual VLANS.

    • @BTC_Solo 1 year ago

      I suppose we have to wait for the next update because I reached out to the technical team @ Ubiquiti and they said they will raise this concern higher up to be considered. Thanks for your educated video and keep up the good work 😊

    • @MrTimTech2022 1 year ago +1

      Thanks @crypto_1enthusiast945 - Yes I thought they might look into it, seeing that you mentioned it, it does sound a useful suggestion. So good on you reaching out to UI Tech Support for this 👍. You're very welcome, pleased you like my videos and yes I will keep producing them.
      Next one on the list is 'DHCP options' 🤫

  • @angelical791 10 months ago

    I am confused. Can you tell me what network you use for each VLAN? Because in the previous video you used totally different networks, for example 192.168.2.0/24, 192.168.3.0/24.....

    • @MrTimTech2022 10 months ago

      You can use .2.0/24 and .3.0/24 or .10.0/24 and .20.0/24, as long as they are not used and spare you can use any sequence of VLAN network address ranges, just keep them consistent and that they correspond with the VLANS that you have previously created. Hope that makes sense.

  • @ass8ash 7 months ago +1

    Along with the inter-VLAN drop rule, wouldn't it be better to also have another LAN Local rule preventing access to the gateway?

    • @MrTimTech2022 7 months ago

      @assBash - I guess you could add Gateway prevention rules if you so wish, however if devices need access to the Gateway then you would have to make sure to allow those to their own IP address for the Gateway's IP within those VLANS.