What would be my best option for the installation here? You won't get the pretty interface of the UniFi controller for the router, but it sounds like you're enough of a power user that it might be worth it.

These are technically VLANs, but each VLAN corresponds to a port on the router in this case.

The router and one of the switches will be in one location, and the other will be ~100ft away with a couple of CAT6 runs between the two.

With the :). For my example I will be using the Stable Candidate 5.5.11. Not sure if it's doable in a way that will survive a re-provisioning on the USG. Should I just set up an internal DNS server somewhere and use that? You can't do Reservations for devices that are not there yet. Or should I tell the gateway itself to use this as its DNS and configure my ISP's servers as the upstream servers? There is no way (yet?) I've got a UniFi Security Gateway, UniFi AP AC PRO, and a UniFi switch (the switch is still in transit) and am wondering what the best practices around setting up servers in this environment are. 254 Lan1 10. The first step is to create your radius profile.

Overview. That is coming in the latest roadmap. I'll have to try the config.gateway.json stuff the next time I have time to play with it. I am going to be doing an installation where I plan to use a USG and two Unifi 24 port switches. Currently, I'm using a DD-WRT router and have split my network into four subnets. I can work with this easily enough, but it would be nice if I could just recreate my current config all at once.

Right now I use DHCP to assign all addresses and have pinned the servers and cameras to fixed addresses. Then refer to the final few bits of this article to save them in your config.gateway.json. Should I tell the security gateway to provide this to the clients, then use the gateway as the upstream server?

Unifi Controller 5.5.11 Configuration is quite simple! Password: password to be used for client connectivity, Next up on the Radius Service configuration is the, The only thing you will do here is set the, Next up on the configuration is to browse to. First up is the user, select Users and then enter in the following details. I would expect it fairly soon, but that doesn't help you now. ... it is recommended to put these devices on a separate VLAN.

Browse to. Any thoughts? Once the UniFi USG provisions, it automatically adds the needed firewall rules; you can now configure your normal L2TP client to connect. I'm still going to try to get the USG to do what I want. 2a) If I do decide to set up an internal DNS server, how should this be configured? Basically I have wireless clients, WiFi Cameras, servers, and untrusted servers (think IoT stuff). 2) This is much easier to do on an EdgeRouter. Assuming: and find the config options you just added. Please see below on how you can get this setup. Nothing else is needed! to pre-configure clients on the USG via the Controller UI before they connect to the network. Is this true? I can't figure out where to configure the "faketld" piece of the puzzle on the UniFi gear. In other words, if a brand new something comes onto the network with the name "blah" I'm able to look it up as "blah.faketld" (I know fake tlds are bad, that will get fixed eventually). Copyright © DAVIDSTAMEN. You can, however, set them via the CLI, then make the CLI changes persist by putting the settings in config.gateway.json. However, in businesses it seems like the need for ongoing Some users (myself included) like to avoid using the default management VLAN of 1. The UniFi Dream Machine (UDM) and UniFi Security Gateway (USG) models offer administrators many useful features to manage their UniFi network, including the ability to create and manage firewall rules that help ensure the security of the network. Ubiquiti Unifi Equipment now supports local radius auth using the 5.5.x code of controller! Configuration is quite simple!

Once everything is complete you will now have an extra bubble with VPN statistics! Here you will create a new network with the following details. Gateway/Subnet: IP Information for your VPN Clients. You can do the reservations for unseen devices -- presuming you know their MAC addresses -- by configuring them in the config.gateway.json. We now need to set up our new router.

I find the Unifi devices, and their documentation, to be quite straightforward. So, no real complaints there. I have been waiting for native GUI support for L2TP VPN with local users and it is finally here!

I really got sold on the deep packet inspection and the UniFi controller stuff. On the DD-WRT router, all of the DHCP assigned hosts are resolvable with a custom top level domain. I figured that the future is going to be all about UniFi, so it made sense to go all UniFi instead of UniFi plus EdgeRouter. To do this browse to, Here you will create a name for your radius profile, the only thing you will change here is the, Next up on the configuration is the Radius Service Configuration. See: https://community.ubnt.com/t5/EdgeMAX/Setting-up-Local-DNS/td-p/449259.

It is a best practice to set up a regular maintenance schedule to make updated changes to the firewall rules.

I've already got the internal DNS server set up, so hopefully that will solve some of the problems. This can be for a number of reasons such as reducing the security vulnerability footprint, customizing for specific customers or environments, or we just like to change it from the default VLAN. 2a) Again, this is making me think you might be happier with an EdgeRouter.

It may also be desired to add firewall rules to block traffic between the "trusted LAN" and the LAN that is chosen for the Chromecast/Google Home devices.

Yeah, I'm kind of thinking that the USG might not be the ideal choice.