EASY IoT or Guest Firewall Rules in UniFi 

Willie Howe
Views: 14K

Published: 16 Oct 2024

Comments: 27
@jamegrabham9992 2 years ago
Thanks, Willie...I have been using a UniFi UDM (with UniFi switches) for a couple of years now...I am looking forward to your next 2 videos (especially wireless setup)...I have been avoiding setting up IoT and NoT VLANs and rules...this sounds a lot easier than trying to set up rules, and then not having things work...I have a "wife factor" to deal with...:)
@Ldemon360 2 years ago
So Willie, if I put my IoT devices (Google Home Hubs and whatnot) on a separate subnet and VLAN like you instruct in this video, and I have, say, my Xboxes on another subnet and VLAN, how do I configure the firewall rules to allow the Google devices to control settings of the Xbox like volume and power by voice securely??? Please help
@attilahagen 11 months ago
Thanks, Willie. Thank you for your effort to put together this tutorial. I did the Guest network accordingly, but when trying to connect it says: couldn't get IP address. Why is it?
@ghostingalong 1 year ago
But what if you want to allow access across guest to another vlan for a specific device? Does the device segregation mess that up?
@ayden8901 9 months ago
You can use firewall rules to allow it to other subnets/devices.
@marcusmostamandi8844 11 months ago
Hi, do I need a USG for this to work? I have a UniFi AC-LR with a home router. Can I get this working?
@bitkahuna 2 years ago
Very good, thanks. Where I would like help is on firewall rules and the categories (LAN in, LAN out, WAN in, WAN out) etc., which are not clear to me even after having read about them.
@gaewing 2 years ago
Willie, I am using Synology servers and an RT2600ac router. I have G4 Pro cameras and switches. I just bought an NVR as my UniFi Cloud Key Gen 2 just died. I think heat related. I have had all of my UniFi cameras die. Not sure what to do to follow this video to break up my LANs.
@skyler_wa 2 years ago
So when I plug in a new device on my network, what determines which network it will be part of? Do I have to edit the specific port settings that the device is plugged into? Or is it better to do some kind of MAC address filtering where a white list of known devices is allowed on my main network and any other unknown MAC addresses are automatically assigned to the guest network?
@thepeginator2556 1 year ago
For any device which isn’t “VLAN aware” (which is most): If you have a full UniFi setup including switches, you simply select the switch, then select the port and change it from “All” (they all default to “All”) to whichever VLAN you want the device to appear on. If you’re not using a UniFi switch it’s a little more complicated. First you have to make sure the port where your router is connected to your switch is set up as a “trunk” port (i.e. one that carries all the VLANs): log in to your switch and make sure all your VLANs are “tagged” on that port. E.g. if you’ve got a USG connected to a Netgear switch on port 1, port 1 on the Netgear should have all the VLANs you want available to other devices on that switch “tagged”. Then make sure the VLAN on the port where the client device is connected is “untagged” (which basically means any non VLAN-aware device will be given an IP in that VLAN, rather than the “native” VLAN, usually VLAN 1). E.g. if your laptop is connected on port 2 of your switch and you want it on VLAN 20, you’d edit that port in your switch’s VLAN settings, remove the “untagged” status on VLAN 1 / native VLAN, add an “untagged” status to VLAN 20 and set the PVID of port 2 to “20”. If the device is VLAN aware, you can just “tag” the VLAN(s) you want (tags are only used on trunk ports and for devices that are VLAN aware) and then select it from within the device’s network settings.
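Added example (not part of the comment above or of the video): a simplified Python model of the tagged / untagged / PVID behaviour the comment describes, with an audit function for the access-port mistakes it warns about. Port numbers, VLAN IDs and all function names are constructed for illustration and do not correspond to any vendor's API.

```python
from dataclasses import dataclass, field

NATIVE_VLAN = 1  # assumption: switch default/native VLAN, as in the comment


@dataclass
class Port:
    """One switch port in a simplified 802.1Q model (hypothetical names)."""
    number: int
    pvid: int = NATIVE_VLAN                    # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=lambda: {NATIVE_VLAN})  # sent without tag
    tagged: set = field(default_factory=set)   # sent with an 802.1Q tag (trunk)


def ingress_vlan(port, frame_tag=None):
    """Return the VLAN a received frame is placed in, or None if dropped."""
    if frame_tag is None:          # non VLAN-aware device: the PVID decides
        return port.pvid
    # Tagged frame: accepted only if the port is a member of that VLAN.
    return frame_tag if frame_tag in port.tagged | port.untagged else None


def egress(port, vlan):
    """Return 'tagged', 'untagged' or None (not forwarded) for a VLAN on a port."""
    if vlan in port.tagged:
        return "tagged"
    if vlan in port.untagged:
        return "untagged"
    return None


def audit_access_port(port, wanted_vlan):
    """List misconfigurations that would leak or strand an access-port client."""
    problems = []
    if port.pvid != wanted_vlan:
        problems.append(f"PVID is {port.pvid}: client lands in the wrong VLAN")
    if wanted_vlan not in port.untagged:
        problems.append(f"VLAN {wanted_vlan} not untagged: replies never reach client")
    extra = port.untagged - {wanted_vlan}
    if extra:
        problems.append(f"still untagged on {sorted(extra)}: that traffic leaks out")
    return problems


# Constructed sample: port 1 is the trunk to the router, port 2 the laptop.
trunk = Port(1, pvid=1, untagged={1}, tagged={20, 30})
laptop_default = Port(2)                         # factory state, everything on VLAN 1
laptop_fixed = Port(2, pvid=20, untagged={20})   # the three changes from the comment
```

Running `audit_access_port(laptop_default, 20)` reports all three findings; after the PVID and untagged membership are changed as described, the list is empty.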
@joeymacme 2 years ago
Thanks for the video. I purchased a Cloud Key Gen 2 Plus (not long before they announced the first Dream Machine) as I had intended on using the Unifi Protect features (I still haven't bought the Unifi cameras though). Prior to that, I was using the hosted controller on an always-on pc. I've never had a USG, and I didn't see the point in buying the old one since the UDM was released. Can I do any of this IOT/Guest network in any meaningful way without buying a UDM and scrapping the seemingly pointless cloud key?
@jerrodhoaas9495 2 years ago
This is exactly what I am trying to do, but I literally cannot select the "guest network" option at all when creating a new network. If I choose "guest network" and click apply it just reverts the change. Any ideas why it is doing this?
@alonzosmith6189 2 years ago
Nice video, shared with a friend.
@randomuser2468 2 years ago
Thanks Willie! I don't have much wired on my USG / Unifi Switch that I would want on a guest network except maybe Xbox and Smartthings Hub. How do I make some plugged in items only connect to this new guest network while allowing other items on same switch connect to non-guest network?
@thebrandonrussell 1 year ago
Hi rando. It looks like it's been a year now since you've asked this question so you've likely had your question answered at least somewhere. If not, you would need to go into your UniFi UI, go to the UniFi devices section, click on the UniFi switch that you have, say, the Xbox connected to, then on the right you should see a big "button" that says "Port Manager"; click this. From here you will click on the port your Xbox is connected to. Then under the "Network" drop-down box you will select the guest network you created that you want your Xbox to be on, then click "Apply Changes" at the bottom of the page. You might have to restart your Xbox after making these UniFi configurations so that it pulls the correct DHCP address. Hope this helps.
@simonp1 2 years ago
You’ve set up all those guest networks; are you able to access them all on your PC or laptop? I.e. do you make your IP or MAC address of your host a super user type of thing?
@KennethMaples 2 years ago
I created a rule in Guest In that permits only established and related traffic from the IoT (guest) network back to my primary network. This allows me to still reach into the IoT network anytime I need. You could also further narrow this down to just a subset of devices if you prefer. For example, I need Home Assistant to be able to access all my IoT devices. Willie can let me know if this is a huge mistake.
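Added example (not part of the comment above, and not UniFi's implementation): a toy Python connection tracker showing the effect of an "established only" rule from the IoT network back to the primary network, including the optional narrowing to a subset of initiating hosts. The subnets, addresses and class name are constructed, and "related" traffic is not modelled.

```python
import ipaddress

PRIMARY = ipaddress.ip_network("192.168.1.0/24")   # constructed subnets
IOT = ipaddress.ip_network("192.168.50.0/24")


class StatefulFilter:
    """Toy connection tracker: IoT -> primary passes only as a reply."""

    def __init__(self, allowed_initiators=None):
        # Optional narrowing: only these primary hosts may open flows into IoT.
        self.allowed = {ipaddress.ip_address(a) for a in allowed_initiators or []}
        self.flows = set()   # (src, sport, dst, dport, proto) of flows seen as NEW

    def decide(self, src, sport, dst, dport, proto="tcp"):
        """Return the verdict for one packet between the two networks."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in PRIMARY and d in IOT:
            if self.allowed and s not in self.allowed:
                return "drop"                  # host not permitted to reach in
            self.flows.add((s, sport, d, dport, proto))
            return "accept-new"
        if s in IOT and d in PRIMARY:
            # Established: this packet mirrors a flow the primary side opened.
            if (d, dport, s, sport, proto) in self.flows:
                return "accept-established"
            return "drop"                      # IoT may not initiate
        return "out-of-scope"


def demo():
    """Constructed packet sequence; returns the verdicts in order."""
    fw = StatefulFilter()
    return [
        fw.decide("192.168.50.10", 40000, "192.168.1.5", 445),   # IoT initiates
        fw.decide("192.168.1.5", 51000, "192.168.50.10", 80),    # primary initiates
        fw.decide("192.168.50.10", 80, "192.168.1.5", 51000),    # reply to that flow
        fw.decide("192.168.50.10", 80, "192.168.1.5", 51001),    # no matching flow
    ]
```

Passing `allowed_initiators=["192.168.1.20"]` models the narrowed variant in which only one primary host, such as a home-automation controller, may open connections into the IoT network.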
@kevinhughes9801 2 years ago
Useful vid, thanks. What about if you have an EdgeRouter 4 with UniFi switches and APs below it, please?
@Pabula 2 years ago
@WillieHowe Having Ubiquiti switch and APs, can't the switch/AP create the guest SSID, as you can create the normal SSIDs (even not having a UDM)?
@ShlomeSpira 2 years ago
Thanks, please make video for captive portal
@gryphus4 1 year ago
I was under the impression that once you enable Captive Portal for Guest Network, that all devices on that Guest Network must authenticate through that portal. If this is true, then following the method described in this video, having a Captive Portal is incompatible with most IoT devices as they will not be able to load the portal website to authenticate. Can anyone clarify this?
@WhoIsThis505 2 years ago
The problem with this setup is the client isolation. Some IoT devices need to talk to each other to work properly, such as Alexa devices or SONOS speakers. Plus, if I wanted to control a device such as those from my phone, I'd have to make sure I was connected to the IoT network. Not a huge deal, but a hassle nonetheless.
@WhoIsThis505 2 years ago
@WillieHowe Then what's the point of this? 99% of IoT devices are wireless.
@WhoIsThis505 2 years ago
@WillieHowe Okay, then you explained it in a way that was needlessly confusing. I appreciate the clarification.
@markloughtonUK 2 years ago
I have to change my phone to the IoT network so that I can see all my Google speaker groups. It's an issue with mDNS. It's a pain as I usually forget to change it back again afterwards. :(
@dchargerfan 2 years ago
How does this apply to IoT? Specifically HomeKit? Haven’t spent enough time toying with seeing what will break HomeKit when it’s isolated.
@dchargerfan 2 years ago
Think that would be beneficial. I know most of the vulnerability in most IoT devices is during the setup phase, but they are still vulnerable nonetheless, and being able to sandbox them while still having access is important. I read up a lot a couple years ago on how HomeKit specifically uses mDNS and other protocols to poll devices and issue commands, and can suffer from increased latency if it has to go out to the internet before coming back to another network, so folks have developed mDNS mirroring and other things to help with these issues. I’m sure Google, Amazon, and others use similar protocols.