Transcript for:
UDM Pro Complete Setup: Setting Up an IoT Network with Firewall Rules

Welcome to Crosstalk Solutions. My name's Chris, and this is UDM Pro Complete Setup video 5, where we're going to be setting up an IoT network with firewall rules. IoT stands for Internet of Things; it's stuff like this smart Wi-Fi plug, or your smart refrigerator, or that Mural frame that I have in the background of my videos, right? So any of these sort of smart connected devices. Now, the reason that you want smart connected devices isolated onto their own network is because of the threat of these devices being compromised. A lot of these devices phone home to, like, Amazon AWS services, or phone home to the parent company that makes the device, and it allows you to have access to these devices from the outside world. So think of, like, an ecobee thermostat, for instance. I have an ecobee thermostat; I can effect changes to my thermostat from anywhere in the world because it is reaching out to a connected service. Having these IoT devices in their own segregated network really helps you not only control which devices are actually reaching out to the internet, but you are separating those devices from your more secure main LAN network, where your photos and My Documents and all of this stuff on your regular computers are.

So since we are talking about IoT and we're going to be digging into UniFi firewall rules, it is a perfect excuse to pour myself a beer, not to mention that it is late on a Friday afternoon right now. And I gotta say that all of the IoT devices in my house, literally every IoT device in my house, is on my IoT network. So I have Home Assistant on that network, all of my TVs and Rokus, everything. Anything that's just one of those Internet of Things devices goes on the IoT network, period. One thing you might want to do is also have a separate network for surveillance cameras, so you can have an IoT network as well as a surveillance camera network. It's going to be the same exact concept for both of those types of, you know, separate subnets. In this video, though, we're just gonna do the IoT network.

All right, so cheers to everyone out there. Before we hop into this video, though, like and subscribe to Crosstalk Solutions if you haven't already; it's absolutely free and it really helps out the channel. Also follow me on Twitter at crosstalk sol, and if you'd like to buy me another beer, there's a link down below to do that as well.

Okay, let's get started. Here I am at the dashboard of UniFi, I should say the new dashboard of UniFi Network. Now, since we want to create our IoT network as a corporate network and not a guest network, and we're going to be adding some firewall rules for that network, we can't do that in the new interface; we have to switch to the classic interface. So let's do that first: we're going to click Settings, System Settings, and then we're going to turn off the new user interface, and this is going to bring us back to the original, or classic, UniFi interface.

So we need to start by creating our IoT network. We're going to click Settings and then we're going to click Networks, and we want to click Create New Network. It's going to be a corporate network, so make sure you choose that. We're going to call it Crosstalk IoT, for Internet of Things. We're going to give it VLAN ID 20, and we're going to give it a subnet of 192.168.20.1/24. Click Update DHCP Range and it pulls this subnet information down into your DHCP range down below, but we're going to change it to 2 through 254 so that we take advantage of the complete available set of IP addresses in this network. For the DHCP name server we're going to say Manual, and we're going to give it a couple of public IP addresses, 1.1.1.1 and 9.9.9.9. Now, both of those services are a little bit content filtered, but if you have something like OpenDNS you might want to use that there instead. Okay, so that's it for our network setup. We're going to click Save, and now we have a new Crosstalk IoT network that exists on VLAN 20.
Next, let's create a wireless network, because most of these IoT devices operate wirelessly. So we're going to click Wireless Networks and we're going to click Create New Wireless Network. We'll call this wireless network Crosstalk IoT as well. We're going to click WPA Personal for the security type, and we're going to give it a security key. You can choose to support WPA3 connections, but most of these devices are not Wi-Fi 6, so they're not going to be able to do any sort of WPA3, so for me I'm just going to leave that off. Now, when we want to choose the network, we're going to choose Crosstalk IoT, because that's going to put any devices that connect to this Wi-Fi onto the Crosstalk IoT VLAN that we just created. VLAN, of course, stands for virtual local area network, and it just essentially means that we've got our LAN, and then we've got additional separated LAN networks called VLANs, or virtual LANs, sort of stacked on top of the main LAN. Any switch port that we plug something into can be any one of those, as we'll show later in this video, or it can be all three of those, but a device is only going to be able to see your VLANs if it can understand VLAN tagging. Again, that's all a little bit complicated; I've done a number of videos on VLANs, but we're also going to dig a little bit into VLANs later on in this series.

All right, opening up Advanced Options, you might want to consider only enabling the 2.4 GHz band for your IoT devices. Most IoT devices are only 2.4 GHz, and the ones that are, you know, mixed mode 2.4 and 5 GHz can do 2.4 GHz anyway. 2.4 GHz is going to have a little bit more extended range for your devices, and you also wouldn't be cluttering up your 5 GHz spectrum for other devices such as your phones and tablets and laptops that can use sort of the higher bandwidth of the 5 GHz spectrum. Now, scrolling down here to User Group: if you remember, in the last video we set up a bandwidth-throttled user group called Crosstalk Guest. I'm not going to be throttling this IoT network, but you can if you want to. For me, these IoT devices use very little bandwidth anyway; usually they're just sort of pinging out to the internet and other devices that are connected to the network, like my Home Assistant Raspberry Pi here. I would want that to have full speed, because sometimes it has to download updates and stuff, and I don't want to slow down that process by throttling it. Okay, so we're going to leave everything else default and then we're going to click Save down at the bottom. So now we can see that we have the Crosstalk IoT wireless network; we also have the Crosstalk IoT wired network.

Now, this computer that's right behind me: we're going to now put this computer wired into the IoT network. It is plugged into port 7 on the 24-port switch that I have in the cabinet, so let's go to our Devices. We're going to click on our USW-Pro-24, we're going to choose port 7, and we're going to edit this port. Now, again, this has to do with VLANs. What I'm doing here is I'm going to change the switch port profile from All. When it's in All, it means our main LAN is the main LAN of this port, but we also have access to the other two networks, VLAN 10, the guest network, and VLAN 20, the IoT network, if the device that's plugged into that port is tagged to read those other networks, like a voice over IP phone might be, or something like that. But since this computer that I have back here as a test does not understand VLAN tagging, we are going to manually set port 7 into this IoT network, meaning that anything plugged into that port natively will receive an IP address on the IoT network, or 192.168.20.x. All right, go ahead and apply that change, and the device is provisioning. As soon as this has finished provisioning, we're going to take a quick look at this computer back here. All right, so the switch has finished provisioning, and you can see that I was pinging out to the internet and now I'm getting "Request timed out".
Let me go ahead and start recording this screen. If we come over to our command prompt, let's get out of that ping. We're going to say ipconfig /release, which is going to release the current DHCP lease, and then we're going to say ipconfig /renew, and now we can see that I received an IP address of 192.168.20.222, meaning that now we are in the IoT network. So if I ping back out to the internet, we can see that I'm receiving replies from 1.1.1.1. If I ping an FQDN such as slash.org, we can see that I'm also receiving replies, which means that DNS is working and the internet's working. However, remember this is our IoT network, so what else might be working that we don't actually want to be working? Well, if I ping 192.168.1.1, I'm getting a reply from the main LAN interface of our UDM Pro as well. My computer here is 192.168.1.144, and I'm also receiving replies from my main computer here as well, which we don't want, right? We don't want my IoT devices, or devices that are in the IoT network, to be able to see computers that aren't in the IoT network. So let's go ahead and start a persistent ping from this back computer over to my main computer, and now we can keep an eye on this as we do our firewall rules, which we're going to do next, just after this word from our sponsor.

This video is brought to you by our Crosstalk Solutions turnkey hosted or on-premises PBX services. If you're looking for a technology partner to help painlessly transition you to a brand new PBX, then look no further than Crosstalk Solutions. We offer full turnkey PBX installations where we work with you on the design of the system, perform a complete setup and test of the PBX and all equipment, and then ship everything to you ready for plug-and-play installation. Once you receive the equipment, we'll guide you through the transition to the new system, provide user guides and training material for your users, provide administrative training for your administrators, and we also include 30 days of post-deployment support with no ongoing monthly maintenance fees. We will also ensure that we set up your PBX with best-practice Kari's Law and RAY BAUM's Act compliant E911 emergency dialing, as well as guide you through the phone number porting process if you're switching phone service carriers. We have truly designed our turnkey PBX process to be as painless as possible, because we know that switching PBX systems can be a daunting task, but it doesn't have to be when you choose Crosstalk Solutions for your voice over IP needs. So check out crosstalksolutions.com for more information on our turnkey PBX packages, and when you're ready to get started, just fill out the contact form on our website or email info@crosstalksolutions.com for a custom quote within one business day. All right, now back to the video.

All right, thank you so much for that, and now into the firewall rules for our IoT network. So to get to our firewall rules, we want to click on Routing and Firewall and then click on the Firewall tab right here. So let's talk about all of these various tabs. Here we have WAN In, WAN Out, WAN Local, and then the same things for LAN as well as Guest. So essentially these are the directions that traffic can be flowing within our network. So let's take a look at the three LAN tabs. LAN In means, here's my UDM Pro, this is all traffic that is coming into the LAN interfaces from my LAN networks, right? LAN Out means any traffic coming from the UDM Pro or anywhere else into the LAN networks. And then LAN Local means anything that originates from my local area networks and then is destined for the interface of the UDM Pro itself, on whatever LAN we happen to be coming from. So that would be my IoT network, 192.168.20.1, or my main LAN network, 192.168.1.1. If we click on LAN In, we can see that that has our two networks already in here, 192.168.20 and 192.168.1. If we click on Guest In, we can see that has my guest network subnet of 192.168.10.0. All right, so we're mainly going to be focusing on the LAN tabs here.

The first thing that we want to do is to create a rule that allows for any established or related connections to proceed through unhindered, if you will, right? So if anything's already an established connection: established means traffic is flowing on a connection that's already been established, and related means it's a new packet but from a connection that's already established. So we're going to say Create New Rule, and we'll say Allow Established and Related. We're going to accept all traffic, and then down here under Advanced, for States, we want to check the boxes for both Established and Related, and then for Source and Destination we're going to say Any, Any, right? We don't care, just any established or related connections; let's allow those through the firewall. And we'll click Save.

Now, these rules are processed in order, so as we're adding rules they're going to go each one underneath the next. So when you're adding rules to the firewall, you kind of want to think through, like, okay, well, which rule do I want to catch before I move on to the next rules, right? And you can always reorder everything once you're done if something's not working the way that you want it to.

The next rule that we're going to create is for our LAN network, 192.168.1.1. That network is going to have full access to see all of the other networks, right? So we don't care if we're in our secure LAN; the secure LAN can see stuff in the IoT network, such as if you wanted to get access to your Home Assistant Raspberry Pi. It can also see devices in the guest network, right? So let's go ahead and create a rule for that. But before we do that, we want to create a group that encompasses all of the RFC 1918 private address spaces, because we're going to say our LAN can see all of the other networks, right, any private address space. Now, we could individually add our networks, but by using a group instead we're basically saying it's a catch-all, right? It's a catch-all for any rules that we create. You'll see what I'm talking about in just a second.

So let's click on Groups, Create New Group, and we're going to call this Local Networks, and then we'll also call it RFC 1918. This is going to be an address group, and we're going to give it 192.168.0.0/16; that basically means any private IP address range, 192.168.anything.anything. And we're also going to add two more, so the other RFC 1918 private address spaces that are not routable on the internet, they're reserved for private subnets, are 172.16.0.0/12 as well as 10.0.0.0/8. And we're going to save that group. Basically, we just created a group that says any private network, right? It allows us to use that group in our firewall rules.

So now let's go back to our Rules. We're going to click on LAN In, and we want a rule that says our main LAN, 192.168.1.x, can see anything in any private address space, right? So we're going to say Create New Rule, Allow LAN to Anywhere, and we're going to click Accept, scroll down, and then our Source is going to be Network, and we want to select our main LAN, and the Destination is Address or Port Group, and then that group that we just created. So we're saying if the source is the LAN and the destination is any private IP address space, accept that connection. Save that rule.

And now let's create another rule where we are going to block everything else, right? Any other inter-VLAN communication, from any private address space to any other private address space, we are blocking. Right now, remember these rules are executed in order, so for our LAN, any traffic originating from the LAN is never going to hit this third rule, because it's going to be caught up in the Allow LAN to Anywhere rule. So let's create our new rule. We're going to say Block Inter-VLAN Traffic, and we're going to say Drop. This time we are not accepting connections; we are blocking connections. Scroll all the way down, where the Source is any RFC 1918 network, private network, and the Destination is also that same group. So any private network trying to get to any other private network we are blocking, and remember the LAN rule is above this one, so if we're coming from the LAN we're already authorized; you'll never actually hit this rule if you're coming from the LAN. So let's go ahead and save that.

Then, typically, firewall rules are applied almost immediately. You might be saying, well, Chris, your firewall rule was applied, but I've got this persistent ping running back here from this computer in my IoT network that's pinging my main computer in the LAN network. Well, you just created this firewall rule that blocks that; why is that still allowed to ping? Because the first rule that we created was to allow established and related connections, right? And this is already an established connection. If we come over here to Settings, we can see that the timeout value, the state timeout value, for ICMP, which is the protocol that ping uses, is 30 seconds. So basically, if we stop this ping and then we wait 30 seconds, we're gonna try it again. All right, so let's wait that 30 seconds and I'll be right back. Okay, so I think I've waited a good 30 seconds; let's go ahead and try it now. We're going to run that same ping command, and now it's not working. Okay, so now we have successfully blocked all inter-VLAN traffic, being that this computer is in 192.168.20 trying to get over to my other computer here in 192.168.1, which is in my main LAN. But there's still some problems here, right? So the device is in my main LAN, but we still do have access to a couple other things. Let's take a look. So I can ping 192.168.20.1,
okay, so the UDM interface of my IoT network. I can also still ping 192.168.1.1, okay, so I can still ping the UDM Pro interface for my LAN network, because that's not a LAN In rule, that is a LAN Local rule. And now we need to create some rules to prevent this from happening, because right now, if I'm in my IoT network, I can open up Chrome and go to 192.168.1.1 and bring up the interface of UniFi OS, right, which I don't want to be able to do from my IoT network. I don't want devices in the IoT network to have any access to this UniFi interface whatsoever. All right, so let's do some blocking there.

The first thing that we're going to block is my IoT network's and my guest network's access to other networks' gateways, and to do that I need to create some more groups. So back on my main computer here, we're going to click on Groups and we're going to create a new group. This is going to be an address group, and we're going to call this Block, oops, wrong keyboard, Block IoT to GW, gateway, right? And the addresses that we're going to block are 192.168.1.1 and then 192.168.10.1, the address of my guest network, and we're going to hit Save. Then we're going to add one more that says Block Guest to GW, gateway again, and we're going to block 192.168.1.1, and we're going to add and block 192.168.20.1, my IoT network. So what I'm doing here is, for my guest network I'm blocking the main LAN and the IoT network, and for the IoT network I'm going to be blocking the main LAN and the guest network. And we're going to save that.

Now let's go back to our Rules, and this time we're going to click on LAN Local, and we're going to add a new rule. In this rule we're going to say Block IoT to Gateways; we're going to drop connections, and we're going to drop any traffic where the Source is the IoT network and the Destination is the rule that we just created, and we're going to save that. Now let's add another one for our guests, Block Guest to Gateway. We're going to drop all connections where the network is our guest network and the destination is Guest to Gateway, right? So save that, and now we have successfully blocked the IoT network from seeing any other network interfaces.

So let's test that out. I've refreshed the page that I originally brought up, the UniFi OS, and we can see that it is just spinning and spinning; it is not actually coming back with that page. And if I try to ping 192.168.1.1 now, I get no reply whatsoever, because I am blocking that network. But still, we're not done yet, right? Because even though I can now no longer get to the UDM interfaces of my other networks from the IoT network, I can still get to the UDM interface of the IoT network. Let's take a look at that. So if I say ping 192.168.20.1, it's still replying, and if I open up UniFi, 192.168.20.1, I can still get to the GUI interface of the UDM Pro. You might say, well, Chris, why don't you just block 192.168.20.1 from the IoT network? Well, if you did that, you'd no longer have internet access. So what we need to do instead, for our third rule, is only block the access ports required for the interface of the UDM Pro, which is going to be HTTP, HTTPS and SSH, right? So port 80, port 443 and port 22.

All right, so back on my computer. The way that we're going to do this is we're going to create two more groups. So we're going to click on Groups, we're going to create a new group, and in this group, we're going to call this All Gateways, which is basically all interfaces of my UDM Pro, and we're going to say 192.168.1.1, we're going to say 192.168.10.1 for the guest network, and 192.168.20.1, and we're going to save that group. Now those are the gateways. We also need to add another group, so Create New Group; this time it's going to be a port group, so we're going to call this UDM Pro Access Ports, and the ports that we're going to add are 80 for HTTP, 443 for HTTPS and 22 for SSH, and let's go ahead and save that. And now we need to add another rule, so we're going to go back to Rules IPv4, click on LAN Local, create a new rule, and we're going to say Block IoT from UDM Pro Access. We're going to turn that on; we're going to drop everything where the network is IoT and the destination is our gateway IP address group that we just created and the ports that we restricted. So we're going to save that.

Now, if we go back to the back computer here, I should still be able to ping the interface 192.168.20.1. Yep, I can still ping it, and if we wanted to we could block ICMP, but I like using ICMP for testing stuff, right, so I usually leave ICMP enabled. But if I bring Chrome back up and try to browse HTTPS to the interface 192.168.20.1 that was working just a second ago, now we can see that it's timing out. From the IoT network I do not have access to HTTP, HTTPS or SSH on 192.168.20.1 or any of the other gateway IP addresses, 1.1 or 10.1.

All right, so there you have it for the IoT network setup and the related firewall rules. Now, you can dig in a lot deeper and get much more granular with these firewall rules. For instance, another rule that you might want to add is the ability for devices in the IoT network or the guest network to see DNS servers such as a Pi-hole on your main LAN, right? You might want to allow DNS through, or maybe disallow all other DNS servers besides those Pi-holes. Now, that's going to be beyond the scope of this video series, but there's so, so much that you can do with these firewall rules. But it can also be pretty complicated and confusing at times, so if you have questions about any of this, put those down in the comments below and I will definitely look those over and answer whatever I can. If you like this video, make sure you give me a thumbs up and subscribe to Crosstalk Solutions for more videos just like this one. All right, we will see you guys in the next video.
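An added model of the rule order built in the video (my own illustration, not UniFi's code or the presenter's), covering both the LAN In inter-VLAN rules and the LAN Local gateway rules. It assumes the addresses, groups and ports named in the walkthrough and a simplified first-match evaluation, and it shows why the persistent ping survived the new block rule until the 30-second ICMP state timed out.

```python
"""Model of the LAN IN / LAN LOCAL rule order built in the video. Added
illustration, not UniFi's code: first-match rules, 30 s ICMP state timeout."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Groups and networks as named in the walkthrough
RFC1918 = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
MAIN_LAN, GUEST, IOT = map(ip_network, ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"))
ALL_GATEWAYS = {"192.168.1.1", "192.168.10.1", "192.168.20.1"}
UDM_ACCESS_PORTS = {80, 443, 22}
ICMP_STATE_TIMEOUT = 30  # seconds, the value shown in the video's settings page

def in_any(addr, nets):
    return any(ip_address(addr) in n for n in nets)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: int = 0  # 0 = no port (ICMP)

# LAN IN: traffic from a LAN network routed to another network. First match wins.
LAN_IN = [
    ("allow established/related", lambda p, est: est, "accept"),
    ("allow LAN to anywhere",
     lambda p, est: ip_address(p.src) in MAIN_LAN and in_any(p.dst, RFC1918), "accept"),
    ("block inter-VLAN traffic",
     lambda p, est: in_any(p.src, RFC1918) and in_any(p.dst, RFC1918), "drop"),
]
# LAN LOCAL: traffic from a LAN network addressed to the UDM Pro's own interfaces.
LAN_LOCAL = [
    ("block IoT to gateways",
     lambda p, est: ip_address(p.src) in IOT and p.dst in {"192.168.1.1", "192.168.10.1"}, "drop"),
    ("block guest to gateways",
     lambda p, est: ip_address(p.src) in GUEST and p.dst in {"192.168.1.1", "192.168.20.1"}, "drop"),
    ("block IoT from UDM Pro access",
     lambda p, est: ip_address(p.src) in IOT and p.dst in ALL_GATEWAYS
     and p.dport in UDM_ACCESS_PORTS, "drop"),
]

def decide(pkt, established=False):
    """Pick the chain by destination and return (rule name, verdict).
    Traffic no rule matches falls through to the chain's default accept."""
    chain = LAN_LOCAL if pkt.dst in ALL_GATEWAYS else LAN_IN
    for name, match, verdict in chain:
        if match(pkt, established):
            return name, verdict
    return "default", "accept"

def track(state, pkt, now):
    """Tiny state table: a flow accepted within the timeout counts as established."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    established = key in state and now - state[key] <= ICMP_STATE_TIMEOUT
    name, verdict = decide(pkt, established)
    if verdict == "accept":
        state[key] = now  # every accepted packet refreshes the state entry
    return name, verdict

def persistent_ping_demo():
    """The caveat from the video: a ping started before the block rule keeps
    getting replies until the ICMP state ages out, then is dropped."""
    state, ping = {}, Packet("192.168.20.222", "192.168.1.144")
    state[(ping.src, ping.dst, "icmp", 0)] = 0  # flow predates the block rule
    while_running = [track(state, ping, t)[1] for t in (1, 2, 3)]
    after_pause = track(state, ping, 3 + ICMP_STATE_TIMEOUT + 1)[1]  # stop, wait >30 s
    return while_running, after_pause
```

Calling `decide(Packet("192.168.20.222", "192.168.20.1", "udp", 53))` shows why the port group matters: DNS to the IoT gateway still falls through to accept while port 443 on the same address is dropped.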