{"id":885,"date":"2019-07-03T22:39:59","date_gmt":"2019-07-04T02:39:59","guid":{"rendered":"http:\/\/www.thesmarthomehookup.com\/test_install\/?p=885"},"modified":"2023-02-08T16:20:22","modified_gmt":"2023-02-08T21:20:22","slug":"unifi-setup-from-scratch-setting-up-vlans-and-firewall-rules","status":"publish","type":"post","link":"https:\/\/www.thesmarthomehookup.com\/test_install\/unifi-setup-from-scratch-setting-up-vlans-and-firewall-rules\/","title":{"rendered":"UniFi Setup from Scratch Part 3 &#8211; Setting Up VLANs and Firewall Rules"},"content":{"rendered":"<p><iframe src=\"https:\/\/www.youtube.com\/embed\/p3SfeQTaaxw\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>Today on the hookup I\u2019m going to show you how to create the most secure smart home network possible by creating VLANs and firewall rules to separate your IoT and NoT devices from the rest of your network.&nbsp; This is part 3, the final part of my Ultimate Smart Home Network Series\u2026 here we go.<\/p>\n<p>In part 1 of this series I showed you how to pick the right networking hardware for your needs and price point.&nbsp; In part 2 I showed you how to set up your new equipment, migrate from your old network, and start dividing your network by device type.&nbsp; Today I\u2019m going to walk you through creating VLANs and firewall rules to make sure your network is as safe and secure as possible without limiting functionality.<\/p>\n<p>At this point, if you\u2019ve been following along with this video series, you should have a fully functioning home network with multiple SSIDs being broadcast for your different device types.&nbsp; So far all of your devices are on a single subnet and can all communicate with each other, which is not great, since a single compromised IoT device could allow a hacker to set up a tunnel into your home network.&nbsp; To segregate your network by device type we are going to set up virtual local area networks, or
VLANs.&nbsp; You can think of each VLAN as a completely separate network with a different router, a different switch, and different access points.&nbsp; By default, one VLAN can\u2019t access another VLAN any more than you can access your neighbor\u2019s home network from your own.&nbsp; The advantage of a VLAN is of course that you don\u2019t have to actually have separate equipment, since the separation is going to happen via software.&nbsp; The other advantage is that we can easily set up different firewall rules to allow only specific traffic to cross VLANs, since cutting your IoT devices off from your network completely will disable some of their most useful features.<\/p>\n<p>To set up our first VLAN we\u2019re going to click on settings -&gt; network, and click on \u201ccreate new network\u201d.&nbsp; I\u2019m going to call this network IoT, select \u201ccorporate\u201d for the purpose, select LAN as the network group, assign it to VLAN 20, and I\u2019m going to change the IP range for this group to 192.168.20.1\/24; you don\u2019t need to have the VLAN number match the subnet, but it makes it easier for me to remember.&nbsp; Press Update DHCP range, click the box that says enable IGMP snooping, hit save and you\u2019re all done with that network.<\/p>\n<p>We\u2019re going to repeat these same steps for our NoT VLAN: hit \u201ccreate new network\u201d, call it NoT, select \u201ccorporate\u201d, leave LAN as the network group, and this one I\u2019m going to set to VLAN 30 and make my subnet 192.168.30.1\/24, hit update DHCP range, enable IGMP snooping, and press save.<\/p>\n<p>That covers the VLANs for NoT and IoT devices, but I have one more device type on my network: my PoE IP security cameras.&nbsp; These devices don\u2019t need to talk to anyone or anything.&nbsp; Basically, each camera produces a video stream over RTSP, and if you want to see that video stream you connect to the camera directly, but the camera doesn\u2019t need to contact any
other device, except for NTP requests to synchronize time, which we\u2019re going to allow everything on our network to do.&nbsp; I originally had my IP cameras on another VLAN as well, but I noticed some degradation in the quality of the stream when doing so.&nbsp; I did some research, and wasn\u2019t able to find any definitive answers as to why it was occurring, but there was speculation that some of the hardware offloading that allows the USG to be such a high-throughput router cannot be used across VLANs, and since 9 video streams ranging from 2 to 6 megapixels represents quite a bit of data it could cause some slowdowns.&nbsp; I\u2019ll show you how I regulate their traffic when we set up firewall rules, but I\u2019m not going to set up a separate VLAN for them.<\/p>\n<p>So now you\u2019ve got different VLANs, what\u2019s the point? Firewall rules are the point.&nbsp; We\u2019re going to be able to manage the exact traffic that is allowed to travel across VLANs by writing different rules for the internal firewall.&nbsp; Go to settings, routing and firewall, and then click on firewall on the top.&nbsp; You\u2019ll see lots of different areas where we can apply firewall rules, but the most efficient place to regulate traffic is at the front door of the router, before any resources are wasted on determining a route.&nbsp; The tab titled \u201cLAN In\u201d corresponds to that front door, so that\u2019s where we\u2019ll create our rules.<\/p>\n<p>Basically, when we set up rules they are processed from the top down, so if the traffic is allowed to pass based on a rule that is higher up on the list, it will not then be subsequently blocked by a rule that is lower on the list.&nbsp; To make things easier on myself I always make more specific rules for allowing traffic, and broad rules for dropping traffic, then I put all the allow rules at the top and the drop rules at the bottom.<\/p>\n<p>The first rules we need to create are the ones that will apply to all of the IP
addresses on your network, and one of the most important ones is a rule to allow established and related sessions.&nbsp; This is a common rule that exists on all routers at the WAN level, which is what allows a website or service to talk back to your computer if you establish the initial connection.&nbsp; Since we\u2019re going to be blocking the other networks from communicating with the LAN later on, we need to establish a rule to let them answer if talked to.<\/p>\n<p>To do this click on LAN IN, then click on \u201ccreate new rule\u201d.&nbsp; I always name my rules with whether they are accepting or dropping, so I\u2019m going to call this one \u201cAllow all established and related sessions\u201d, select \u201caccept\u201d, then under advanced click on \u201cEstablished\u201d and \u201cRelated\u201d, and then for source we\u2019ll need to create a group that contains all possible IP addresses on all the VLANs, so for me that\u2019s 192.168.86.0\/24, 192.168.30.0\/24 and 192.168.20.0\/24.<\/p>\n<p>I\u2019ll call the group \u201cAll Local IP Addresses\u201d, then select that group for both source and destination.<\/p>\n<p>I also want to allow all the devices on the network to send NTP or time synchronization requests.&nbsp; These requests go out on port 123, so I\u2019m going to create a rule called \u201cAccept all NTP requests\u201d, select \u201caccept\u201d, and under source I\u2019ll select \u201cAll Local IP Addresses\u201d, and under destination I\u2019m going to create a port group called \u201cNTP\u201d that only contains port 123.&nbsp; There are other options for taking care of this NTP problem, like creating custom DNS entries to redirect traffic to a local NTP server, or doing fancy routing to trick the NTP traffic, but this solution is plenty secure for now.<\/p>\n<p>Next let\u2019s configure your NoT firewall rules.&nbsp; For me, my NoT needs to be able to communicate via MQTT with my MQTT server, so I\u2019m going to make a rule called Allow NoT to MQTT,
select accept, then under source I\u2019ll select the NoT network, then under destination select address\/port group, and I\u2019ll add a new group under IP addresses that I\u2019ll call Home Assistant with my specific Home Assistant server IP address, since that is where my MQTT server lives, and under port group I\u2019ll add a new group called MQTT ports that will contain the two common MQTT ports, which are 1883 for non-secure (plaintext) MQTT and 8883 for secure MQTT over TLS.<\/p>\n<p>The next accept rule that I need is one to allow my IoT network to access Home Assistant, or specifically my Node-RED server.&nbsp; I only need this rule because I use the Alexa Local node to configure all my Echo voice commands.&nbsp; If you don\u2019t use Alexa Local, you probably don\u2019t need this rule.&nbsp; Anyways, I\u2019ll call it \u201cAllow IoT to Home Assistant\u201d, select accept, then for source select your IoT network, and for destination I\u2019m going to put in the IP address of my Home Assistant virtual machine.&nbsp; I could enter this as a single IP address, but I like to use groups instead, and I already have this group defined from my previous rule.<\/p>\n<p>These are basic accept rules that will probably apply to your smart home, but you may need other ones as well based on your specific devices.&nbsp; For instance, Chromecast uses ports 8008, 8009, 5556, 5558, and 5353 when advertising and casting.&nbsp; So for me I needed to add an allow firewall rule to allow my IoT network to communicate on those ports.&nbsp; If you wanted to further limit the rule you could create a group that only contained your Chromecast devices to use as the source instead of using the entire IoT network.<\/p>\n<p>If you notice something on your network that doesn\u2019t function after imposing firewall rules, you can generally figure out which ports it needs for its services with a quick Google search.<\/p>\n<p>Alright, that does it for our accept rules, now it\u2019s time to start blocking
traffic.<\/p>\n<p>Our IoT network isn\u2019t allowed to talk to the LAN or the NoT network, so we\u2019ll make a rule called \u201cBlock IoT from LAN\u201d, select drop, then under source select the IoT network and under destination select your LAN network.&nbsp; Repeat the exact same process to block IoT from NoT.<\/p>\n<p>Next we\u2019ll create the rules to block the NoT.&nbsp; Remember, the NoT only needs to communicate with the MQTT server, which we\u2019ve already accepted, so all that\u2019s left is to drop the rest of the traffic.&nbsp; Create a rule called \u201cBlock All NoT\u201d and select drop, then for source select the NoT network, and for destination we\u2019re going to create a group that contains every possible IPv4 address, so call it \u201cAll IP Addresses\u201d and start with 0.0.0.0\/1, then 128.0.0.0\/2, then 192.0.0.0\/3, and last 224.0.0.0\/4.<\/p>\n<p>As I mentioned earlier, IP cameras don\u2019t need to communicate at all, except for time synchronization to an NTP server, which is already allowed by one of our first rules.&nbsp; And again, the reason I didn\u2019t put the cameras on a VLAN is that there seemed to be a performance drop when routing that much data constantly across the VLAN, so instead I\u2019m going to create an IP address group called Cameras, and add in each of my cameras\u2019 IP addresses manually.&nbsp; Then I\u2019ll create a rule called \u201cBlock All Cameras\u201d, select drop, and for source I\u2019ll select the Cameras IP group and for destination select that All IP Addresses group.<\/p>\n<p>If you ever need to edit these groups later on you can do it under \u201crouting &amp; firewall\u201d, firewall, then groups.<\/p>\n<p>Since we specified this group based on specific IP addresses, we need to make sure that the IP addresses of these cameras won\u2019t change, so if you haven\u2019t already done so you should go to clients, then select each camera and click on the gear, then network, and turn on the \u201cuse
fixed IP\u201d toggle.&nbsp; It will autofill the current IP address of the device, but you can also specify another IP address in this area if you\u2019d like.<\/p>\n<p>The last thing that we need to allow in order for our smart home devices to function as expected is to enable multicast DNS, or mDNS.&nbsp; Basically, these devices will advertise their IP address and their services to all of the other devices on that VLAN.&nbsp; This is required for things like device discovery on Amazon Echo devices, and Chromecast streaming.&nbsp; Multicast traffic can cause significant slowdowns on a network, since even a small amount of multicast data takes a relatively long time to process in each access point. We already enabled IGMP snooping to try to control some of this multicast data, but in a smart home multicast is a necessary evil.<\/p>\n<p>In order to allow mDNS we need to turn off a feature under our site settings.&nbsp; So go to settings then site, and turn off the setting that says \u201cauto optimize network and wireless performance\u201d.&nbsp; We need to do this because that setting disables mDNS, which will certainly increase wireless performance, but it\u2019s also going to stop your devices from working.<\/p>\n<p>Now that all of our rules are in place we can force our devices onto their respective VLANs.&nbsp; To do this for our wireless devices we\u2019ll go to settings, then wireless networks, and first select your IoT SSID and click edit.&nbsp; Under advanced options we\u2019re going to click on \u201cuse VLAN\u201d and select VLAN 20, since that\u2019s what we assigned to our IoT network earlier.&nbsp; Make sure the button for block LAN to WLAN multicast and broadcast data is unchecked.&nbsp; Also, down at the bottom check the enable multicast enhancement button; this is the 2<sup>nd<\/sup> step to allowing your UniFi equipment to optimize that multicast data so it doesn\u2019t slow down your network too much.<\/p>\n<p>Repeat this process for your NoT network, assign it to VLAN
30, make sure the LAN to WLAN multicast button is unchecked, and enable multicast enhancement.<\/p>\n<p>While we\u2019re at it, I got a great suggestion to eliminate some unnecessary SSID broadcasting by disabling the 5 GHz NoT SSIDs, since none of my NoT devices are capable of 5 GHz.&nbsp; Do this by clicking devices, then APs, then select an AP and click the gear.&nbsp; Under WLANs select the 5 GHz NoT network and toggle the enabled on this AP switch.&nbsp; Hit queue changes then apply.<\/p>\n<p>After your APs provision and your wireless networks come back up you should have a theoretically functioning network, but many of your IoT devices may not function well.&nbsp; The problem is that those mDNS broadcasts cannot cross VLANs by default.&nbsp; So what we need to do is repeat those mDNS broadcasts across all the different VLANs.&nbsp; Luckily the UniFi controller makes it pretty easy.&nbsp; All we need to do is go to settings, services, then mDNS and turn on multicast DNS.&nbsp; This, along with the unchecked box for blocking multicast, lets devices broadcast their IP addresses across all VLANs, which should allow them to function properly, and the IGMP snooping should take those multicast requests and send them only to the devices that need to hear them, which lowers the effect on your network performance.&nbsp; It\u2019s worth noting here that even though these devices are advertising their IP addresses, it doesn\u2019t mean that they will be reachable, because they will still have to obey the firewall rules that we set up earlier.<\/p>\n<p>Now that your settings are all in place it\u2019s a good idea to go through and test your most used smart home integrations to make sure they are still working, in order to not lose too much of the wife approval factor.<\/p>\n<p>Setting up a network like this isn\u2019t cheap, and it\u2019s not quick, but it is orders of magnitude more secure than letting all of your IoT devices from various manufacturers commingle with your trusted
devices.&nbsp; If you follow along with this video your network should be fully functional and very secure, but I\u2019ve only scratched the surface of what is possible with this equipment.<\/p>\n<p>In future videos I\u2019ll cover VPNs, presence detection, custom DNS and other advanced functionality, but you don\u2019t need to wait for me; there are plenty of other YouTubers making great networking content. Two of my personal favorites are Chris from Crosstalk Solutions and Willie Howe, you should check them out.&nbsp; Remember that I\u2019m not a network administrator by trade, and while I did consult with professionals while I was making this video, I\u2019m not claiming that what I have set up is the only way, or even the best way.&nbsp; If you have something to add, or I got something wrong, please let me know down in the comments.&nbsp; If you\u2019re interested in buying any of the equipment that I used in this video series please consider using my Amazon affiliate links in the description; it doesn\u2019t cost you anything extra but I get a few percent of the profit.<\/p>\n<p>Thank you to all of my awesome patrons over at Patreon for your continued support of my channel; if you\u2019re interested in supporting my channel please check out the links in the description.&nbsp; If you enjoyed this video and you\u2019d like to see more like it please consider subscribing, and as always, thanks for watching the hookup.<\/p>\n<p><strong>\ud83d\udd25Amazon US Links\ud83d\udd25<\/strong><\/p>\n<p><strong>UniFi PoE Switches:<\/strong><\/p>\n<p><strong>16 Port 150W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2WizmUp\">https:\/\/amzn.to\/2WizmUp<\/a><br \/>\n8 Port 150W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2WNhs05\">https:\/\/amzn.to\/2WNhs05<\/a><br \/>\n8 Port 60W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2WbNBKA\">https:\/\/amzn.to\/2WbNBKA<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>UniFi Access Points:<\/strong><\/p>\n<p><strong>AC-Lite:&nbsp;<a
href=\"https:\/\/amzn.to\/2EStWt7\">https:\/\/amzn.to\/2EStWt7<\/a><br \/>\nAC-Pro:&nbsp;<a href=\"https:\/\/amzn.to\/2Im0OLH\">https:\/\/amzn.to\/2Im0OLH<\/a><br \/>\nHD-Nano:&nbsp;<a href=\"https:\/\/amzn.to\/2WOcDn6\">https:\/\/amzn.to\/2WOcDn6<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>USG:&nbsp;<a href=\"https:\/\/amzn.to\/2WIzgJH\">https:\/\/amzn.to\/2WIzgJH<\/a><\/strong><\/p>\n<p><strong>Unifi Cloud Key Gen2+:&nbsp;<\/strong><strong><a href=\"https:\/\/amzn.to\/2WlKx3o\">https:\/\/amzn.to\/2WlKx3o<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Google WiFi:&nbsp;<\/strong><strong><a href=\"https:\/\/amzn.to\/2IkSPP5\">https:\/\/amzn.to\/2IkSPP5<\/a><\/strong><\/p>\n<p><strong>\ud83d\udd25<\/strong><strong>Amazon UK Links<\/strong><strong>\ud83d\udd25<\/strong><\/p>\n<p><strong>UniFi PoE Switches:<\/strong><\/p>\n<p><strong>16 Port 150W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2Ksk1hF\">https:\/\/amzn.to\/2Ksk1hF<\/a><br \/>\n8 Port 150W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2KqXcuJ\">https:\/\/amzn.to\/2KqXcuJ<\/a><br \/>\n8 Port 60W PoE:&nbsp;<a href=\"https:\/\/amzn.to\/2EUKxwm\">https:\/\/amzn.to\/2EUKxwm<\/a><\/strong><\/p>\n<p><strong>UniFi Access Points:<\/strong><\/p>\n<p><strong>AC-Lite:&nbsp;<a href=\"https:\/\/amzn.to\/31ca0v4\">https:\/\/amzn.to\/31ca0v4<\/a><br \/>\nAC-Pro:&nbsp;<a href=\"https:\/\/amzn.to\/2ER74KI\">https:\/\/amzn.to\/2ER74KI<\/a><br \/>\nHD-Nano:&nbsp;<a href=\"https:\/\/amzn.to\/2KmPeTo\">https:\/\/amzn.to\/2KmPeTo<\/a><\/strong><\/p>\n<p><strong>UniFi Router:<\/strong><\/p>\n<p><strong>USG:&nbsp;<a href=\"https:\/\/amzn.to\/2EN5Pfx\">https:\/\/amzn.to\/2EN5Pfx<\/a><\/strong><\/p>\n<p><strong>Unifi Cloud Key Gen2+:&nbsp;<\/strong><strong><a href=\"https:\/\/amzn.to\/2KqKsnW\">https:\/\/amzn.to\/2KqKsnW<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Google WiFi:&nbsp;<\/strong><strong><a href=\"https:\/\/amzn.to\/2KtV8lM\">https:\/\/amzn.to\/2KtV8lM<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Follow me on Twitter: 
@TheHookUp1<\/strong><\/p>\n<p><strong>&nbsp;<\/strong><\/p>\n<p><strong>Support my channel:<\/strong><\/p>\n<p><strong>Patreon:&nbsp;<a href=\"https:\/\/www.patreon.com\/thehookup\">https:\/\/www.patreon.com\/thehookup<\/a><br \/>\nTesla Referral Code:&nbsp;<a href=\"https:\/\/www.tesla.com\/referral\/robert37264\">https:\/\/www.tesla.com\/referral\/robert37264<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Music by&nbsp;<a href=\"http:\/\/www.bensound.com\/\">www.BenSound.com<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today on the hookup I\u2019m going to show you how to create the most secure smart home network possible by creating VLANs and firewall rules to separate your IoT and NoT devices from the rest of your network.&nbsp; This is part 3, the final part of my Ultimate Smart Home Network Series\u2026 here we go. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2560,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-885","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"acf":[],"mb":[],"mfb_rest_fields":["title","gutenberg_elementor_mode"],"_links":{"self":[{"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/posts\/885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/comments?post=885"}],"version-history":[{"count":4,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/w
p-json\/wp\/v2\/posts\/885\/revisions"}],"predecessor-version":[{"id":2317,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/posts\/885\/revisions\/2317"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/media\/2560"}],"wp:attachment":[{"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/media?parent=885"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/categories?post=885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesmarthomehookup.com\/test_install\/wp-json\/wp\/v2\/tags?post=885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}