Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0
February 24, 2021Today on the hookup it’s part 3 of my Ultimate Secure Smart Home Network Series. In Part 1 I walked you through hardware selection using UniFi equipment, in Part 2 I covered VLANs, wireless networks, and firewall rules, and today we’re going to look at port security, intrusion prevention systems, and VPNs on the UniFi 6.0 controller.
In part 2 I mentioned that I made a questionable decision by putting my most untrusted devices, my IP security cameras, onto my main untagged VLAN. Some of the questions asked in the comments indicated that you may need a crash course on networking, so here’s a quick and dirty overview of network communication.
This video is sponsored by HolidayCoro.com, one of the largest light show vendors in America, and the best time to get into the hobby is in the offseason. By starting early you can make sure that you are all ready to go when Halloween and Christmas sneak up on you. HolidayCoro.com has you covered with prebuilt kits including props, controllers, LEDs and power supplies to give you that boost that you need to start your first show, or maybe just level up your existing decorations. Check out HolidayCoro using the link in the description to support my channel.
This won’t be the most in depth look at the OSI model you’ve ever seen, but it will hopefully be easy to understand and give you enough information to make the right decisions for your network.
Layer 1 is the physical networking layer: Whether your devices are connected with radio waves, coaxial cable, ethernet, or fiber it’s still layer 1.
Layer 2 is called the data link layer, which is not a super helpful name, especially when it comes to VLANs.
When two devices are on the same LAN segment, VLAN, or subnet meaning they share the same base part of their IP address they can communicate directly using a network switch. A switch has a big table of device MAC addresses and the corresponding port on the switch that they are attached to. One device sends out a network frame with the source MAC address and the destination MAC address and when that frame reaches the switch it reads the destination MAC address, looks it up on its table, and sends it out the correct port.
Importantly, layer 2 communication doesn’t require any input from the router and can therefore be done quickly and efficiently, but since the router isn’t involved it also doesn’t check any firewall rules and therefore we can’t deny communication between devices on the same VLAN using firewall rules.
Layer 3 is the network layer, which is a fancy way of saying that it uses a router to determine the correct path between devices that aren’t on the same subnet. If two devices are on different VLANs, and therefore different subnets, they need to go through the router in order to communicate, and if they use the router they also get checked for firewall rules, which then allows you to regulate their traffic.
Some people were confused in my last video by my “Echo to Echo” firewall rule where I specifically allowed traffic between my Echo devices, even though they are on the same subnet and therefore shouldn’t need to use the router to communicate. Honestly? I agree, but I can tell you that if I turn that rule off my multiroom audio stops functioning properly, I’m not sure if it’s a bug with UniFi or echo devices, but that rule seems to fix it.
Back to the problem at hand: I can make a firewall rule to block my security cameras from the internet, and from my other VLANs, but I can’t block them from communicating with devices on the same VLAN because they don’t need to use the router to do that. So as I mentioned before the easiest way to break into my network would be to come to my house, tear down a security camera and plug your device into the camera’s ethernet cable.
To minimize that threat, I’m going to use a feature available on UniFi (and almost all other) managed switches, the MAC address allow list.
To do this, find the client that you want to assign to that port, in this case a Hikvision Camera. In the right hand panel you can see the device’s MAC address which we’ll need to copy. You can also see the port it is attached to, which in this case is port 1 on my 16 port Gen2 Switch. Clicking on that link will bring up the switch, then you’ll select ports at the top and click the pencil icon to edit the profile of that switch. Any time I make a mac address isolation, I always name the switch port accordingly so I don’t end up pulling out my hair later if I ever need to change the device attached to that port.
Under MAC filter, paste in the mac address that you copied from the clients page and hit add, then scroll down to the bottom and hit apply. You’ll see your switch change to provisioning and after it’s done the only device that will be able to connect via that port is that specific camera. Technically, someone could grab the MAC address of my camera, spoof the MAC address of their own device and be able to access other devices on my network via Layer 2, but this solution is plenty secure for me, if you are storing government secrets on your network, you may want to take additional measures.
I encourage you to test this for yourself, but you can see that in this example that connecting my laptop to the restricted port doesn’t even give me an IP address, so not only can I not access the internet, but I also can’t access any devices on the network.
I also mentioned in my last video that I wanted my daughter’s PC to use the content filtered network, so what I’ll do is find her computer on the client list and take note of which port on the switch it’s connected to, then click through to that switch, and under ports hit the pencil icon to edit the overrides and select the family network as the available profile. This will force any traffic attached to that port onto that content filtered network. This is also how you would put an entire unmanaged switch onto a specific VLAN, just make sure the uplink port your using is assigned to the correct VLAN in the overrides section and then all of the ports on the unmanaged switch will also be connected to that VLAN.
If you have unused ethernet ports in public places it’s best practice to leave these ports physically disconnected from the switch, called air gapping. This probably applies to very few homes, but in the off chance a business is using this guide, PLEASE don’t leave public ethernet jacks attached and connected to your main VLAN, they are the easiest point of entry for any attacker with physical access to your building, and it’s just as bad or worse than leaving the room with all of your client records unlocked.
Even though firewall rules and port security are the most important tools for securing your network, there are other features available in the dream machine pro that can provide additional layers of security. Specifically IPS and IDS.
IDS stands for intrusion detection system, while IPS stands or intrusion prevention system, and they both have the same main concept, but different final outcomes. IDS and IPS work in the same general way as antivirus software on your computer, which is oddly similar to how your body’s immune system works as well. Basically when a new virus is discovered, security researchers try to pinpoint a part of that virus that it sufficiently unique to identify it without also falsely identifying non-virus files, and they call this part the virus’s signature. These signatures are added to an ever growing and constantly updated database that your antivirus program can reference as it is examining each file on the computer. If part of the file matches the signature in the database it will be flagged, quarantined, or just outright deleted depending on the preferences you set.
IDS and IPS are the same in that they reference a large database of signatures related to malicious network traffic. If you have intrusion detection enabled any matches will generate an alert for you to deal with yourself, while intrusion prevention will block that traffic automatically. The likelihood of false positives, and the impact on your network if legitimate traffic is blocked will determine whether IDS or IPS is right for you. It’s also worth noting that inspecting each packet going through the IPS system is CPU intensive and while the dream machine pro has claims of 3.5 gigabits per second of throughput with IPS enabled, this metric is tested using very similar traffic types and packets and it is expected that real world throughput may be less. I have been able to successfully cap out my dream machine pro’s CPU at 100% utilization by downloading multiple very large torrent files at the same time. This increase in CPU utilization is likely due to the nature of torrent files where data is being pulled from hundreds or sometimes even thousands of unique sources very quickly. Under non-torrent based heavy transfers the CPU utilization never gets close to 100%.
To that end, each category in the IPS menu refers to a subset of signatures for malicious traffic database, so if you want to use peer to peer software, and you’re concerned that your traffic will be blocked by IPS, or that your network speeds will be significantly slowed you can disable just that subset of malicious signatures.
UniFi hasn’t been particularly transparent about where they are pulling their signature database from, whether they are maintaining it on their own, or how often it is being updated, but most people who know more than me seem to think it is largely based in Suricata, which is a popular open source IPS and IDS solution. I also can’t find any information as to whether the signature files are being automatically pushed to the UDM or whether they are being pushed with each new firmware upgrade, but I hope they will offer the option to update signature files without completely updating the firmware of your device, because signature updates should be happening significantly more often than device updates and should be able to be done without the fear of breaking changes.
So that pretty much covers the security of devices that we are willing attaching to our network, but one of the largest vulnerabilities of any network comes when we override the implicit deny rule for incoming traffic. As I said in part 2 of this series, basically all networks are set up so that internal traffic can leave, and returning traffic, called “established and related” is allowed, but external traffic shouldn’t be able to initiate a connection with anything on your network. However, if you are running a service on your home network like a media server, camera system, or home automation hub, you may want to be able to access that service from outside your network by forwarding requests made to your external IP address to an internal device running that service.
This process is called port forwarding, and if you imagine your firewall as a giant building with hundreds of office doors called ports, knocking on most of them will get no answer, but occasionally when you knock on a door it will open and you will be led down a hallway to another door which belongs to a specific device on your network.
In the UniFi controller you can see all of your forwarded ports in advanced features, advanced gateway settings, and then port forwarding. They also show up in your firewall rules as ghosted text that cannot be edited. If you have ports forwarded that you don’t remember doing, you may have uPnP enabled which is a service that allows devices on your network to request that a port be opened. There is almost no reason to have uPnP enabled on your network, so you should disable it in that same advanced features menu and then take a hard look at which devices you actually want to have exposed to the internet.
The more devices on your network that are exposed in this way the greater your risk. In cybersecurity this is referred to as your attack surface, and best practice is to minimize attack surface as much as possible. A castle wall doesn’t have hundreds of exterior doors, it has one main door that is highly fortified. Basically, instead of needing to ensure that each machine and service on your network is secure, which is often impossible with devices like security cameras and NVRs, you put all of your services behind a single door, and you fortify that door as much as possible.
If you are running a lot of services for a lot of people then you might setup a reverse proxy for this door, but for most people with only a few services and a few different people who want to connect to them the best and most secure solution is to use a virtual private network, or VPN. VPN in this context is not like the ones that you see advertised on YouTube all the time. A VPN is a secure tunnel between one device and another. In the case of NordVPN or TunnelBear you have a secure tunnel between your computer and a device at a remote location called a VPN concentrator. This type of VPN allow you to securely send your internet traffic to this remote location through an encrypted tunnel, and then your traffic leaves that remote location exactly as if your computer was located inside of that remote site. This is useful if you’re trying to hide your traffic because you’re doing something illegal, or if you want to access content that is normally not available in your region.
The VPN we’re going to use works exactly the same way, but for a different purpose. Anytime we are outside of our home network, we will use a VPN tunnel to connect back to the dream machine pro, and after that all of our traffic will appear to be originating from inside the local network, allowing us to access our local services just like we can when we are at home, but without the added risk of exposing thos services to the internet.
To set up a VPN in the UniFi 6.0 controller, click on settings, and then advanced features. Scroll down to where it says RADIUS server. RADIUS is remote authentication dial in user service, even though dialing in isn’t really a thing anymore. In this default profile you’ll want to define a user for each person who is going to log into your VPN. Each user has their own password to protect their account, and the VPN itself has a password to prevent unauthorized access. As you can imagine, best practice is for each of these passwords to be strong and unique, don’t use the same password for your VPN and your users. Next head back over to the network section and add a new network. Give it a descriptive name, and under VPN settings you’ll select remote user. The only protocol supported by the UniFi VPN is L2TP, so you can’t change that, and under pre-shared key you will enter a secure password that your users will need to know to connect to your VPN. Enter the gateway and subnet that you want your VPN clients to connect to, and remember to adjust your local IP addresses firewall rule to include this new subnet. For name server, leave it on auto and make sure your default radius profile is selected.
To use this VPN on your remote device you’ll add a VPN configuration using L2TP, for server put in the external IP address for your dream machine, or use a dynamic DNS service like duckDNS. For account put in the user name that you defined in your RADIUS profile, and the password for that user. The secret is the main password for the VPN that you defined when you set up the new network. If your device supports split tunneling you can configure only individual programs and services to use the VPN, but for the most part you should select “Send All Traffic” for the most trouble free configuration.
This solution isn’t perfect, and some services will not operate properly without exposing them to the internet. Push notifications are an example of a service that typically requires a port forwarding, and are difficult to setup to push within a local network. I’ve also noticed that my UniFi VPN connection turns itself off when I come home and connect to the WiFi, this seems like something that it should obviously do, but it also means that every time I leave the house I need to re enable the VPN in the settings menu. I’m sure on an android phone I could accomplish this with tasker, but on iOS I can’t even add a VPN to the home screen control center.
Am I telling you that you absolutely shouldn’t do port forwarding? No. But for each service you are considering exposing you should ask yourself these questions:
- How sure can I be that the developers of this service were both competent and security conscious enough to minimize vulnerabilities?
- How often is this service being updated to provide security patches for the ever evolving cyber security race?
- What data, or privacy is at stake if the service is compromised?
- How likely is it that other devices in your house could be attacked as a result of your forwarded service being compromised.
As always, after you put a solution in place you should test to make sure it functions as expected. You can see for instance that when I try to connect to my blue iris server on the cellular network I get “no response from the server”, but after connecting to my VPN the server connects almost instantly allowing me to remotely view my cameras without needing to expose them to the internet because the VPN makes it appear as if the traffic is local.
In the future I may make a video about reverse proxies and more robust VPN solutions than the built in UniFi VPN, but for now this series has been long enough.
Thank you so much to my awesome patrons over at patreon for continuing to support this channel, if you’re interested in supporting this channel please check out the links in the description. If you enjoyed this video please hit that thumbs up button and consider subscribing, and as always, thanks for watching the hookup.
