UDM Pro Complete Setup: Setting Up an IoT Network with Firewall Rules

Jul 9, 2024

Overview

  • Presenter: Chris from Crosstalk Solutions
  • Platform: UDM Pro
  • Topic: Setting up an IoT network with specific firewall rules

Key Concepts

IoT Network

  • Definition: Internet of Things (IoT) includes smart devices like Wi-Fi plugs, smart refrigerators, etc.
  • Purpose: Isolate IoT devices on their own network to mitigate threats and control internet access.
  • Benefit: Separate IoT devices from secure main LAN (Local Area Network).

Network Creation Steps

  1. Switch to Classic Interface
    • Click Settings
    • System Settings → Turn off new user interface
  2. Create IoT Network
    • Settings → Networks → Create New Network
    • Network Type: Corporate Network
    • Network Name: Crosstalk IoT
    • VLAN ID: 20
    • Subnet: 192.168.20.1/24
    • DHCP Range: 2-254
    • Name Server: 1.1.1.1, 9.9.9.9
  3. Create Wireless Network
    • Settings → Wireless Networks → Create New Wireless Network
    • Network Name: Crosstalk IoT
    • Security: WPA Personal, separate key
    • Choose Network: Crosstalk IoT
    • Optionally enable only 2.4 GHz for extended range

VLANs

  • Explanation: Virtual Local Area Networks logically separate traffic that shares the same physical switches and cabling.
  • Configuration: Define which VLANs a switch port can access.
  • Practical Step:
    • Assign IoT network to a specific switch port (e.g., port 7)

Firewall Rules

Types of LAN Traffic

  • LAN In: Traffic entering the gateway from a LAN interface (originating from devices on that LAN)
  • LAN Out: Traffic leaving the gateway through a LAN interface toward devices on that LAN
  • LAN Local: Traffic from the LAN addressed to the gateway's own interface (e.g., its management UI)

Rule Creation Strategy

  1. Allow Established/Related Connections
    • Create new rule: Allow established and related connections
    • Set source and destination to Any
    • Enable Established and Related
  2. Allow Secure LAN (192.168.1.x) Access
    • Create Rule Group for Private Address Space
      • Include 192.168.x.x, 172.16.x.x, 10.x.x.x (the RFC 1918 private ranges)
    • Rule: Allow LAN to Private Address Space
    • Source: Secure LAN
    • Destination: Private Address Space Group
  3. Block Inter-VLAN Traffic
    • Create Rule: Block Inter-VLAN Traffic
    • Source and Destination: Private Address Space Group
  4. Block IoT/Guest Network to Gateway Interface
    • Rule for blocking IoT to gateways (*.1)
    • Separate rule for blocking guests to gateways (*.1)
    • Configure under LAN Local
  5. Block Specific Ports (80, 443, 22) from IoT
    • Create Port Group for UDM Pro Access Ports
      • Include ports 80, 443, 22
    • Block IoT Network from Gateway Interfaces on these ports
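The rule list above is evaluated top to bottom, first match wins, so the order of the steps matters. The following is an added example, not part of the video or of UniFi: a small Python simulation of that evaluation, with the video's address groups as constructed values (192.168.1.0/24 secure LAN, 192.168.20.0/24 IoT, RFC 1918 CIDRs for the private group) and steps 1, 2, 3 and 5 modelled. It shows why "established/related" must sit above the inter-VLAN block: without it, IoT replies to connections the secure LAN opened would be dropped.

```python
import ipaddress
from dataclasses import dataclass

# Address groups mirroring the video's setup (assumed values, not exported from a UDM Pro).
SECURE_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_LAN = ipaddress.ip_network("192.168.20.0/24")
# "Private Address Space" group: the RFC 1918 blocks written as CIDR.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_PORTS = {80, 443, 22}  # the "UDM Pro Access Ports" port group

def in_group(ip: str, group) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply or related packet of an already-allowed connection

# Rules in the order the video adds them; the chain is the UniFi ruleset they live in.
RULES = [
    ("LAN_IN", "allow established/related", lambda f: f.established, "accept"),
    ("LAN_IN", "allow secure LAN to private address space",
     lambda f: in_group(f.src, [SECURE_LAN]) and in_group(f.dst, PRIVATE), "accept"),
    ("LAN_IN", "block inter-VLAN traffic",
     lambda f: in_group(f.src, PRIVATE) and in_group(f.dst, PRIVATE), "drop"),
    ("LAN_LOCAL", "block IoT to gateway on access ports",
     lambda f: in_group(f.src, [IOT_LAN]) and f.dport in GATEWAY_PORTS, "drop"),
]

def evaluate(chain: str, flow: Flow):
    """First matching rule in the chain wins; unmatched traffic falls through to accept."""
    for rule_chain, name, match, action in RULES:
        if rule_chain == chain and match(flow):
            return action, name
    return "accept", "default"

if __name__ == "__main__":
    checks = [
        ("LAN_IN", Flow("192.168.20.50", "192.168.1.10", 445)),       # IoT -> secure LAN
        ("LAN_IN", Flow("192.168.1.10", "192.168.20.50", 80)),        # secure LAN -> IoT
        ("LAN_IN", Flow("192.168.20.50", "192.168.1.10", 80, True)),  # IoT reply to that
        ("LAN_IN", Flow("192.168.20.50", "1.1.1.1", 53)),             # IoT -> internet DNS
        ("LAN_LOCAL", Flow("192.168.20.50", "192.168.20.1", 443)),    # IoT -> gateway UI
    ]
    for chain, flow in checks:
        print(chain, flow.src, "->", flow.dst, flow.dport, evaluate(chain, flow))
```

Swapping the allow and block entries in RULES, or removing the established/related rule, and re-running the checks reproduces the misconfigurations the ping and browser tests in the video are meant to catch.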

Testing and Verification

  • Verify rules using ping and browser tests
    • Ping tests initially show successful connections
    • Apply firewall rules, then test again to confirm restrictions
  • Tools: ipconfig /release and ipconfig /renew (to obtain a fresh DHCP lease after moving the test client onto the IoT network)

Additional Notes

  • Use Cases: Apply similar rules to guest networks, set up DNS access (e.g., Pi-hole)
  • Continuous Improvement: Regularly update and verify firewall rules
  • Resources and Support: Crosstalk Solutions for more help on PBX setup and network management

Conclusion

  • Contact Info: For questions, follow Crosstalk Solutions on social media, like and subscribe to their content.
  • Further Topics: Explore more on firewall rules, VLAN configurations, and security setups.