VLANs
A basic look
With Unifi Network 9 they overhauled the UI and policies for firewalls, VLANs, ACLs, and generally the entire security side of Unifi. I think it's a good change, but it is a different thing to learn. Traditional ideas still apply, but the way you apply them is not how a network engineer would typically do it. The GUI makes it easy to learn the overall concepts, and I think it is a good learning tool. There are two overarching philosophies to this setup, and they hinge on one setting, Default Security Posture: Allow All or Block All. I chose Allow All since I generally want everything to talk to everything else because I don't have much. It is currently a flat /24 for everything, which is fine for my setup. The camera is something I could turn off internet access for individually very easily, but I want to go through the whole setup so that if I ever add more cameras I just connect them and click assign. Plus I want my home lab to be more lab-like, giving myself things to learn and practice on.
Also, I have non-Ubiquiti L2 switches, so all inter-VLAN traffic has to traverse the router (the switches only need to pass the tagged VLAN through). The switch is plugged directly into the router's built-in switch anyway, and the traffic volume is low, so it's fine.
Segment one camera on my network so it cannot reach, or be reached from, the internet, while still allowing internal access.
The aim is to stop anyone outside from reaching the camera at all, even though I use strong passwords.
Implement a VLAN for the camera, allowing for easy expansion later, and apply a policy to stop external traffic. Camera updates will be done on an as-needed basis.
Export of current config
I began by exporting my current config, because you should always have a backup:
-Network > Settings > UCG Ultra > Control Plane > Backups > Download
Now we can begin. There are plenty of guides online, but this is the basic overview I pieced together from them. The Networks tab holds your VLANs, the Policy Table controls your inter-VLAN traffic, Zones are Unifi's grouping of networks plus a visual overview of the Policy Table, and Groups are collections of devices. I'll start by making a new VLAN for my camera. I'll show what I set and then explain why.
-Network > Settings > New Virtual Network > Inserted the following:
Name: Cameras, Router: UCG Ultra, Zone: Internal, Auto-scale: off, Address space: /24, VLAN ID, Isolate Network: off, Allow Internet Access: off, IPv6: off.
Zone: Internal for now; we change this in a moment under Zones, but you can do these in either order.
/24: room for future expansion within the 172 (RFC 1918, 172.16.0.0/12) private address space.
Isolate Network: off, so internal devices can still communicate with the camera.
Allow Internet Access: off. This creates a block policy from this network to the External zone, which I'll go over.
Now we can set up a zone. Zones collect VLANs so that one set of policies applies to all of them. It isn't a template, but it makes sharing settings easy. This way I could very easily create another network that I don't want to have internet access but do want to allow internal access for.
-Network > Settings > Policy Engine > Zones > Create Zone > Name: No Internet, Networks: Cameras
I now have the zone No Internet (NI) and its default policies set. The Zone Matrix shows the Source:Destination defaults that were applied, but adjustments need to be made. Create a policy with Source: No Internet and Destination: Internal. Steps:
Name: Allow NI to talk to Internal
Source: No Internet, All
Port: All
Action: Allow
Auto Allow Return Traffic: Checked (Very important see below)
Destination: Internal, Any
Port: Any
IP Version: Both (I don't use IPv6 now but just in case)
Protocol: All
Connection State: All (this is the connection-tracking state of the packet, such as new, established or related; it has nothing to do with moving devices between networks)
Schedule: Always (neat feature)
Note: Policy priority is based on specificity over general rules; this seems to be a lacking aspect that needs to be addressed. Unifi Community Thread
Once you create this policy, it auto-creates a "mirror" (brick wall icon) of it saying yes, I allow return traffic from Internal to No Internet. This is not full traffic passing between the two zones: return traffic only covers replies to connections the camera initiates, so a PC in Internal still cannot open a new connection to the camera without a policy in that direction, which is exactly what the troubleshooting below runs into.
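To make the stateful behaviour of these policies concrete, here is a small Python model of the zone policy table, written for this page and not taken from Unifi. The zone names, the first-match policy ordering, and the assumption that the new zone starts closed to Internal and External are mine; the flow ids are constructed sample traffic. It shows why Auto Allow Return Traffic lets the camera's own connections get their replies but does not let a PC open a new connection to the camera until a second policy in the Internal to No Internet direction exists.

```python
"""Toy model of UniFi 9 zone-based policies, written for this page (not UniFi code).

Zone names, the policy order (first match wins) and the zone-pair defaults are
assumptions chosen to mirror the Cameras VLAN walkthrough above.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "block"
    auto_return: bool = False   # the "Auto Allow Return Traffic" checkbox


@dataclass
class ZoneFirewall:
    policies: list                                     # evaluated top down, first match wins (assumption)
    zone_defaults: dict = field(default_factory=dict)  # (src, dst) -> action when no policy matches
    default_posture: str = "allow"                     # Default Security Posture: Allow All
    conntrack: dict = field(default_factory=dict)      # flow id -> policy that admitted it

    def _decide(self, src_zone, dst_zone):
        """Return (action, matching policy or None) for a NEW connection src -> dst."""
        for p in self.policies:
            if p.src_zone == src_zone and p.dst_zone == dst_zone:
                return p.action, p
        return self.zone_defaults.get((src_zone, dst_zone), self.default_posture), None

    def new_connection(self, src_zone, dst_zone, flow):
        """First packet of a connection (conntrack state NEW)."""
        action, policy = self._decide(src_zone, dst_zone)
        if action == "allow":
            # a connection admitted by a zone default is treated as if return traffic is allowed
            self.conntrack[flow] = policy or Policy("zone default", src_zone, dst_zone, "allow", True)
        return action

    def reply(self, src_zone, dst_zone, flow):
        """Packet travelling back on a tracked connection (conntrack state ESTABLISHED).

        src_zone/dst_zone are those of the reply packet, i.e. the reverse of the request.
        """
        admitted_by = self.conntrack.get(flow)
        if admitted_by is None:
            return "no connection"   # the request was blocked, so there is nothing to answer
        if admitted_by.auto_return:
            return "allow"
        # without auto-return, the reply needs a policy that allows its own direction
        return self._decide(src_zone, dst_zone)[0]


def camera_scenario(with_reverse_policy):
    """Replay the page's setup. Flow ids are constructed sample traffic, not captures."""
    policies = [
        # the policy created in the steps above
        Policy("Allow NI to talk to Internal", "No Internet", "Internal", "allow", auto_return=True),
        # what "Allow Internet Access: off" on the Cameras network produces
        Policy("Block Cameras to Internet", "No Internet", "External", "block"),
    ]
    if with_reverse_policy:
        # the second policy added during troubleshooting, source and destination swapped
        policies.append(Policy("Allow Internal to talk to NI", "Internal", "No Internet", "allow", auto_return=True))

    fw = ZoneFirewall(
        policies=policies,
        # the new zone starts closed to Internal and External, as observed in the text (assumption)
        zone_defaults={("Internal", "No Internet"): "block", ("External", "No Internet"): "block"},
    )
    r = {}
    r["camera_to_pc"] = fw.new_connection("No Internet", "Internal", "cam->pc/tcp554")
    r["pc_reply_to_camera"] = fw.reply("Internal", "No Internet", "cam->pc/tcp554")
    r["pc_ping_camera"] = fw.new_connection("Internal", "No Internet", "pc->cam/icmp")
    r["camera_reply_to_ping"] = fw.reply("No Internet", "Internal", "pc->cam/icmp")
    r["camera_to_internet"] = fw.new_connection("No Internet", "External", "cam->cloud/tcp443")
    r["internet_to_camera"] = fw.new_connection("External", "No Internet", "inet->cam/tcp80")
    return r


if __name__ == "__main__":
    for reverse in (False, True):
        print("with reverse policy" if reverse else "single policy only", camera_scenario(reverse))
```

With only the first policy, the camera can reach a PC and get replies, but a ping from the PC is blocked; adding the reversed policy is what opens that direction, while the camera-to-internet and internet-to-camera paths stay blocked in both runs.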
Going to Client Devices and selecting my camera, I can assign the device to my Cameras group. Note that this is not the Cameras VLAN. I wanted group-based assignment rather than a device-specific VLAN override on the device itself, thinking it would give more flexibility and better searching. After some research, however, that isn't how it works, which actually makes sense: when a device connects, it lands on whatever VLANs are on that interface and then on the default network. That means that while you are configuring the device it will sit in a network you may not want it in. So the choice is either a DHCP reservation (with a network override on the client) or assigning that switch port to the VLAN. For me the reservation is better: if I ever forget about the assignment or have to overhaul things, the camera will automatically go to that VLAN. Keep in mind that a client-side override keys off the MAC address, so it is only as trustworthy as the MAC; a port-based assignment is the more robust option when the switch supports it. In the future when I have a full stack I'll more likely assign via the interface, but for now this is fine.
-Network > Client Device > Main > My camera > Settings
Assign the device to the group for future searching. Going to Overview and grabbing its MAC I can make a DHCP reservation:
-Network > Client Device > DHCP > Add Fixed IP Client
Device is already in use
It seems that if the client already exists you can't add it here, but you can set it from the device itself, which is odd. In the previous menu I can set Virtual Network Override and a Fixed IP. It warns to make sure VLAN tagging is allowed on all switches (mine connect directly to the router), then apply. Now the camera grabbed an IP in the correct subnet. Going to the Reolink app, I can no longer view the camera on cellular, which is a step in the right direction. Connecting to Wi-Fi and... no connection. Now the fun part.
Pinging the camera from my PC doesn't work either. Undoing the VLAN override, the ping does work, so the camera does accept ICMP. Adding the same policy rule again but with source and destination swapped (Internal to No Internet), then reapplying the VLAN override, I can reach it via ping. Browsing to the camera's IP from my PC, I can log in and see the camera. However, the app, even on Wi-Fi, still does not work.
Reviewing the camera's settings from my PC, I can see Enable external access is turned on. I could have disabled this, but you never trust a camera. Looking at the app settings, I had added the camera via its UID, which depends on the camera reaching the vendor's cloud service, something it can no longer do. Switching the app to connect by IP address instead, it works. So I set the current IP as a DHCP reservation, and I'm done!
In the end, I successfully got the camera onto a no-internet VLAN and was still able to reach it. It took a bit of troubleshooting, but I think this was good practice, and I'm glad I did it.
YouTube: Lawrence Systems I think gives the best videos for this particular topic.
Lawrence Systems: UniFi Zone Firewall Rules Explained – Secure Your Network
Lawrence Systems: How to Use the New UniFi Policy Engine and Object Oriented Networking
Unifi: