Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0

Today on The Hookup it's part three of my Ultimate Secure Smart Home Network series. In part one I walked you through hardware selection using UniFi equipment, in part two I covered VLANs, wireless networks and firewall rules, and today we're going to look at port security, intrusion prevention systems and VPNs on the UniFi 6.0 controller.

In part two of this series I mentioned that I made a questionable decision by putting my most untrusted devices, which are my IP security cameras, onto my main untagged VLAN. Some of the questions that I saw in the comments indicate that you may need a crash course in networking, so here's a quick and dirty overview of network communication. This definitely won't be the most in-depth look at the OSI model that you've ever seen, but it will hopefully be easy to understand and give you enough information to help you make the right decisions for your network.

This video is sponsored by pcbway.com. If you're a tinkerer, inventor or maker and you haven't checked out PCBWay, you are seriously missing out. They obviously produce full-featured printed circuit boards with a ton of different materials and options, but now they offer basically everything you need to turn your ideas into a physical reality. Whether you need 3D printing, injection molding, CNC machining, assembly or just plain old PCB manufacturing, PCBWay can do it all for highly competitive prices. Check out PCBWay's awesome services using the link in the description to support this channel.

Layer one in the OSI model is called the physical networking layer: whether your devices get connected with radio waves, coaxial cables, ethernet or fiber, it's still layer one. Layer two is called the data link layer, which is not a super helpful name, especially when it comes to VLANs. When two devices are on the same LAN segment, VLAN or subnet, meaning that they share the same base part of their IP address, they can communicate directly using a network switch. You see, a switch has a big table of device MAC addresses and the corresponding port on the switch that they're attached to. One device sends out a network frame with a source MAC address and a destination MAC address, and when that frame reaches the switch, the switch will look it up in its table and send it out to the correct port. Importantly, layer 2 communication doesn't require any input from the router and therefore can be done very quickly and efficiently, but since the router isn't involved, that also means that it doesn't check any firewall rules, and therefore we can't deny communication between devices on the same VLAN using firewall rules. Layer 3, on the other hand, is the network layer, which is a fancy way of saying that it uses a router to determine the correct path between devices that aren't on the same subnet. If two devices are on different VLANs, and therefore different subnets, they need to go through the router in order to communicate, and as I said before, if they use the router they also get checked against firewall rules, which then allows us to regulate their traffic.

All right, back to the problem at hand. I made a firewall rule to block my security cameras from the internet and from my other VLANs, but I can't block them from communicating with devices on the same VLAN, because they don't need to use the router to do that. So, as I mentioned before, the easiest way to break into my network would be to come to my house, tear a security camera off the wall and then plug your device into that camera's ethernet cable. To minimize that threat I'm going to use a feature that's available on UniFi and most other managed switches called MAC filtering. To do this, find the client that you want to assign to that port; in this case it's a Hikvision camera. In the right-hand panel you can see the device's MAC address, which you'll need to copy. You can also see the port that it's attached to, which in this case is port 1 on my 16-port Gen 2 switch. Clicking on that link will bring up the switch, and then you can select the Ports menu at the top and click on the pencil icon to edit the profile of that switch port. Any time I make a MAC address isolation I always name the switch port accordingly, so I don't end up pulling my hair out later if I ever need to change the device attached to that port. Under MAC Filter, paste in the MAC address that you copied from the Clients page and then hit Add, then scroll down to the bottom and hit Apply.
You'll see your switch change to Provisioning, and after it's done the only device that will be able to connect via that port is that specific camera. Now, technically someone could grab the MAC address of the camera and then use that MAC address to spoof the MAC address of their own device, which would then allow them to have access to other devices on my network via layer 2. But honestly this solution is plenty secure for me, and unless you're storing government secrets on your network it's probably good enough for you too. As always, I encourage you to test things for yourself, but as you can see in this example, connecting my laptop to the restricted port doesn't even give me an IP address, so not only can I not access the internet, but I also can't access any other devices on the network.
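To make the layer 2 / layer 3 distinction and the MAC filter concrete, here is a small Python model, added here as an example and not code from the video or from UniFi. It simulates a learning switch with a per-port MAC allow list, and a subnet check that decides whether two hosts can talk through the switch alone (no firewall rules) or must cross the router. Every MAC address, IP address and port number in it is constructed sample data.

```python
"""Added example, not from the video: a toy model of the layer 2 / layer 3
distinction and of per-port MAC filtering.  Every MAC, IP and port number
here is constructed sample data, not a real device."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int          # switch port the frame arrived on


@dataclass
class Switch:
    # Forwarding table learned from source MACs: mac -> port
    mac_table: Dict[str, int] = field(default_factory=dict)
    # Port security: port -> MACs allowed on it.  Ports not listed are unrestricted.
    mac_filter: Dict[int, Set[str]] = field(default_factory=dict)

    def forward(self, frame: Frame) -> str:
        """Return the switch's decision for one frame: 'drop', 'flood' or 'port N'."""
        src, dst = frame.src_mac.lower(), frame.dst_mac.lower()
        allowed = self.mac_filter.get(frame.in_port)
        if allowed is not None and src not in allowed:
            # Unknown device plugged into a restricted port: the frame never enters the LAN.
            # (A device presenting the allowed MAC would pass this check; that is the
            # spoofing limitation the text above mentions.)
            return "drop"
        self.mac_table[src] = frame.in_port            # learn / refresh the entry
        out_port = self.mac_table.get(dst)
        if out_port is None:
            return "flood"                             # unknown destination -> all other ports
        return f"port {out_port}"


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both hosts share the network part of their address, which is the
    'same base part of their IP' condition for switch-only (layer 2) delivery."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix_len}").network
    return net_a == net_b


def path_between(ip_a: str, ip_b: str, prefix_len: int) -> str:
    """Which path, and therefore which controls, applies to traffic between two hosts."""
    if same_subnet(ip_a, ip_b, prefix_len):
        return "layer 2: switch only, router firewall rules are not consulted"
    return "layer 3: via the router, firewall rules apply"


def demo() -> Dict[str, str]:
    camera_mac = "aa:bb:cc:dd:ee:01"                   # constructed camera MAC
    sw = Switch(mac_filter={1: {camera_mac}})          # port 1 locked to the camera
    return {
        # Camera's first frame: allowed on port 1, destination not yet learned.
        "camera_arp": sw.forward(Frame(camera_mac, "ff:ff:ff:ff:ff:ff", 1)),
        # Laptop plugged into the camera's cable: wrong MAC on a filtered port.
        "laptop_on_port1": sw.forward(Frame("de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", 1)),
        # NVR on unrestricted port 3 talking to the camera: table lookup hits port 1.
        "nvr_to_camera": sw.forward(Frame("11:22:33:44:55:66", camera_mac, 3)),
        "same_vlan": path_between("192.168.1.10", "192.168.1.20", 24),
        "cross_vlan": path_between("192.168.1.10", "192.168.20.5", 24),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

Run it and the laptop frame on port 1 is dropped before the switch ever learns it, while the two cameras-on-one-VLAN case reports a layer 2 path, which is exactly why a firewall rule could not have blocked it.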

I also mentioned in my last video that I wanted my daughter's PC to use the content-filtered network, so what I'll do is find her computer on the client list and take note of which port on the switch it's connected to, then click through to that switch, and under Ports hit the pencil icon to edit the overrides and select the Family network as the available profile. This will force any traffic attached to that specific port onto the content-filtered network. This is also how you would put an entire unmanaged switch onto a specific VLAN: just make sure that the uplink port that you're using is assigned to the correct VLAN in the override section, and then all of the ports on the unmanaged switch will also be on that VLAN.

If you have unused ethernet ports in public places, it is best practice to leave those ports completely physically disconnected from the switch. This is a process called air gapping, and it probably applies to very few homes, but in the off chance that a business is watching this guide, please don't leave public ethernet jacks attached and connected to your main VLAN. They are by far the easiest point of entry for any attacker with physical access to your building, and honestly it's just as bad or worse than leaving the room with all of your client records unlocked.

Even though firewall rules and port security are the most important tools for securing your network, there are a few other features available in the Dream Machine Pro that can provide additional layers of security,

specifically IPS and IDS. IDS stands for intrusion detection system, while IPS stands for intrusion prevention system, and they both have the same main concept but different final outcomes. IDS and IPS work in the same general way as antivirus software on your computer, which is oddly similar to your body's own immune system. Basically, when a new virus is discovered, security researchers try to pinpoint a part of that virus that's sufficiently unique to identify it without also falsely identifying non-virus files. They call this part of the file the virus's signature. These signatures get added to an ever-growing and constantly updated database that your antivirus program can reference as it's examining each file on your computer; if part of the file matches a signature in the database it will be flagged, quarantined or just outright deleted, depending on the preferences that you set. IDS and IPS work in the same way in that they reference a large database of signatures related to malicious network traffic. If you have intrusion detection enabled, any matches will generate an alert that you'll have to deal with yourself, while intrusion prevention will block that traffic automatically. The likelihood of false positives and the impact on your network if legitimate traffic is blocked will determine whether IDS or IPS is right for you.

It's also worth noting that inspecting each packet for malicious traffic is pretty CPU intensive, and while the Dream Machine Pro claims to have three and a half gigabits per second of throughput with IPS enabled, this metric is tested using very similar traffic types and packets, and it's reasonable to expect that real-world throughput may be less. I have actually been able to successfully cap out my Dream Machine Pro's CPU at 100% utilization by downloading multiple very large torrent files at the same time. This increase in CPU utilization is likely due to the nature of torrent files, where the data is being pulled from hundreds or sometimes even thousands of unique sources very quickly; under non-torrent-based heavy transfers the CPU utilization never even gets close to 100%, so I imagine that's got something to do with it. To that end, you can actually select categories in the IPS menu to refer to a specific subset of signatures for malicious traffic, so if you want to use peer-to-peer software on your network and you're concerned that your traffic will be blocked by IPS or that your network speeds will be significantly slowed, you can actually just disable that whole subset of malicious signatures.

UniFi hasn't been particularly transparent about where they're pulling their signature database from, whether they're maintaining it on their own, or how often it's being updated, but most people who know more than me seem to think that it's largely based on a product called Suricata, which is a popular open source IPS and IDS solution. I also can't find any information as to whether the signature files are being automatically pushed to the UDM or whether they're being pushed with each new firmware upgrade, but I definitely hope they're going to offer the option to upgrade signature files without completely updating the firmware of your device, because signature updates should be happening significantly more often than device updates, and you should be able to do them without the fear of breaking changes.

All right, so that covers the security of the devices that we willingly attach to our network.
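The IDS-versus-IPS distinction and the category toggle described above can be shown with a miniature signature engine. The following Python is added here as an illustration; it is not code from the video, from UniFi or from Suricata, and its signature IDs, patterns and packets are constructed samples loosely shaped like Suricata's category/content rules. It also includes a benign packet that happens to contain a signature pattern, to show the false-positive trade-off the text mentions.

```python
"""Added example, not from the video, UniFi or Suricata: a miniature signature
engine showing the IDS (alert only) vs IPS (drop) outcome and the effect of
disabling a signature category.  Signatures, SIDs and packets are constructed
samples, loosely shaped like Suricata's category/content rules."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Signature:
    sid: int
    category: str            # e.g. "web-attack", "p2p"
    dst_port: Optional[int]  # None matches any destination port
    content: bytes           # byte pattern that must appear in the payload
    msg: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed signature set (SIDs and patterns are not real ET/Suricata rules).
SIGNATURES: List[Signature] = [
    Signature(900001, "web-attack", 80, b"/../../etc/passwd", "EXAMPLE directory traversal attempt"),
    Signature(900002, "p2p", None, b"\x13BitTorrent protocol", "EXAMPLE BitTorrent handshake"),
]


@dataclass
class Engine:
    mode: str                                   # "ids" = alert only, "ips" = alert and drop
    disabled_categories: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop' for one packet, recording an alert per matching rule."""
        assert self.mode in ("ids", "ips")
        for sig in SIGNATURES:
            if sig.category in self.disabled_categories:
                continue                        # category switched off in the IPS menu
            if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
                continue
            if sig.content not in pkt.payload:
                continue
            self.alerts.append(f"sid {sig.sid} {sig.msg}: {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
            if self.mode == "ips":
                return "drop"                   # prevention: block immediately
        return "pass"                           # detection only: alert, let it through


# Constructed traffic: one traversal attempt, one torrent handshake, and a benign
# comment post that merely quotes the traversal string (a false positive for the IPS).
TRAFFIC = [
    Packet("203.0.113.9", "192.168.1.20", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    Packet("192.168.1.50", "198.51.100.7", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Packet("203.0.113.9", "192.168.1.20", 80,
           b"POST /comment HTTP/1.1\r\n\r\nwhy does nginx log /../../etc/passwd requests?"),
]


def run(mode: str, disabled: Set[str] = frozenset()) -> List[str]:
    """Inspect TRAFFIC in the given mode and return the per-packet decisions."""
    engine = Engine(mode, set(disabled))
    return [engine.inspect(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("IDS:", run("ids"))                      # all pass, three alerts raised
    print("IPS:", run("ips"))                      # all dropped, the third a false positive
    print("IPS, p2p off:", run("ips", {"p2p"}))    # torrent handshake now passes
```

In IDS mode every packet is delivered and three alerts are left for you to review; in IPS mode all three are dropped, including the harmless comment, which is the kind of collateral damage to weigh before choosing prevention. Disabling the p2p category lets the torrent handshake through while the web-attack rule stays active.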

But one of the largest vulnerabilities of any network comes when we override the implicit deny rule for incoming traffic. As I said in part two of this series, basically all networks are set up so that internal traffic can leave and returning traffic, called established and related, is allowed, but external traffic shouldn't be allowed to initiate a connection with anything on your network.
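Here is that default policy as a toy stateful firewall in Python, added as an example and not code from the video or from UniFi. It tracks accepted flows so replies count as established/related, drops unsolicited inbound packets, and goes one step past the paragraph above by taking an optional port forward so you can see exactly which inbound packets a single forwarded port lets through. The LAN subnet, the WAN address and all packet addresses are constructed (documentation ranges).

```python
"""Added example, not from the video or UniFi: a toy stateful firewall that
applies the default policy described above (outbound allowed, established/related
replies allowed, unsolicited inbound denied) and shows what one port forward
changes.  All addresses are constructed; the WAN address is made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed local subnet
WAN_IP = "198.51.100.1"                         # constructed external address

FlowKey = Tuple[str, int, str, int]             # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    def __init__(self, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        # WAN port -> (internal host, internal port); empty means no holes at all.
        self.port_forwards = dict(port_forwards or {})
        self.flows: Set[FlowKey] = set()   # connection-tracking table of accepted flows

    def decide(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: FlowKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "accept (established/related)"      # reply to a tracked flow
        if ipaddress.ip_address(pkt.src_ip) in LAN:
            self.flows.add(key)
            return "accept (new outbound)"             # internal traffic may leave
        target = self.port_forwards.get(pkt.dst_port)
        if pkt.dst_ip == WAN_IP and target is not None:
            lan_ip, lan_port = target
            # DNAT: track the flow toward the internal host so its replies are related.
            self.flows.add((pkt.src_ip, pkt.src_port, lan_ip, lan_port))
            return f"accept (forwarded to {lan_ip}:{lan_port})"
        return "drop (implicit deny)"                  # unsolicited inbound


def demo(port_forwards: Optional[Dict[int, Tuple[str, int]]] = None) -> Dict[str, str]:
    """Run a fixed packet sequence through a fresh firewall and return each verdict."""
    fw = Firewall(port_forwards)
    sequence = [
        ("lan_to_web",   Packet("192.168.1.50", 40000, "192.0.2.10", 443)),   # PC browses out
        ("web_reply",    Packet("192.0.2.10", 443, "192.168.1.50", 40000)),   # site answers
        ("inbound_ssh",  Packet("203.0.113.7", 55555, WAN_IP, 22)),           # stranger knocks
        ("inbound_8443", Packet("203.0.113.7", 55556, WAN_IP, 8443)),         # knocks on 8443
        ("nvr_reply",    Packet("192.168.1.20", 443, "203.0.113.7", 55556)),  # NVR answers
    ]
    return {name: fw.decide(p) for name, p in sequence}


if __name__ == "__main__":
    print("no forwards:", demo())
    print("8443 -> NVR:", demo({8443: ("192.168.1.20", 443)}))
```

With no forwards both knocks from outside are dropped; adding one forward for 8443 turns that single door into an accepted inbound flow whose replies are then treated as related, which is the hole the rest of this section is about keeping as small as possible.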

However, if you're running a service on your home network, like a media server, camera system or a home automation hub, you may want to be able to access that service from outside your network, and the way that you do this is by forwarding requests made to your external IP address to an internal IP that runs that service. If you imagine your firewall as a giant building with hundreds of office doors called ports, knocking on most of them will get no answer, but occasionally when you knock on a door it will open and you'll be led down a hallway to another door which belongs to a specific device on your network. In the UniFi controller you can see all of your forwarded ports in Advanced Features, Advanced Gateway Settings and then Port Forwarding. They also show up in your firewall rules as ghosted text that cannot be edited. If you have ports forwarded that you don't remember doing, you may have UPnP enabled, which is a service that allows devices on your network to request that ports be opened. There is almost no reason to have UPnP enabled on your network, so you should definitely disable that in the Advanced Features menu and then take a hard look at which devices you actually want to have exposed to the internet.

The more devices on your network that are exposed in this way, the greater your risk. In cybersecurity we refer to this as your attack surface, and the best practice is to minimize attack surface as much as possible. Think about a castle: a castle wall doesn't have hundreds of exterior doors, it has one main door that's highly fortified. Basically, instead of needing to ensure that each machine and service on your network is secure, which is often impossible with devices like security cameras and NVRs, you put all of your services behind a single door and then you fortify that one door as much as possible. If you're running a lot of services for a lot of people then you might need to set up something like a reverse proxy, but for most people with only a few services and a few different people who want to be able to connect to them, the best and most secure solution is to use a virtual private network, or VPN.

VPN in this context is not like the ones that you see advertised on YouTube all the time. A VPN is a secure tunnel between one device and another. In the case of NordVPN or TunnelBear you have a secure tunnel between your computer and a device at a remote location called a VPN concentrator. This type of VPN allows you to securely send your internet traffic to this remote location through an encrypted tunnel, and then your traffic leaves that remote location exactly as if your computer was located inside of that site. This is useful if you're trying to hide your traffic because you're doing something illegal, or if you want to access content that's not normally available in your region. The VPN that we're going to set up works in the same way but for a totally different purpose: any time that we're outside of our home network, we'll use a VPN tunnel to connect back to the Dream Machine Pro, and then after that all of our traffic will appear to be originating from inside of our local network, which allows us to access all of our local services just like we can when we're home, but without the risk of exposing those services to the internet.

To set up a VPN in the UniFi 6.0 controller, click on Settings and then Advanced Features, and scroll down to where it says RADIUS Server. RADIUS stands for Remote Authentication Dial-In User Service, even though dialing in really isn't a thing anymore. In this default profile you'll want to define a user for each person who's going to log into your VPN, in this case me and my wife. Each user has their own password to protect their specific account, and the VPN itself has a password to prevent unauthorized access. As you can imagine, best practice is for each of these passwords to be strong and unique; don't use the same password for your VPN as you do for your users. Next, head back over to the Network section and add a new network. Give it a descriptive name, and then under VPN Settings select Remote User. The only protocol that's supported by the UniFi VPN is L2TP, so you can't change that, and then under Pre-Shared Key you're going to enter a secure password that your users will need to know in order to connect to your VPN. Enter the gateway and subnet that you want your VPN clients to connect to, and then remember to adjust your local IP addresses firewall rule to include this new subnet. For Name Server you can just leave it on Auto, and then make sure your default RADIUS profile is selected.

To use this VPN on your remote device, you'll add a VPN configuration using L2TP. For Server you'll put in the external IP address of your Dream Machine Pro, or use a dynamic DNS service like Duck DNS. For Account you'll put in the username that you defined in your RADIUS profile, and then the password for that user. The Secret is the main password for the VPN that you defined when you set up your new network.

If your device supports split tunneling you can configure it so only individual programs and services will use the VPN, but for the most part you should just select Send All Traffic for the most trouble-free configuration. A VPN solution isn't perfect, and some services aren't going to operate properly without exposing them to the internet. Push notifications, for example, are a service that typically requires port forwarding, and it's difficult to change those settings to set up push to work within a local network. As always, after you put a solution in place you should test it to make sure it functions as you expect it to. You can see, for instance, that when I try to connect to my Blue Iris camera server on the cellular network I get the response "no connection to the server", but after connecting to my VPN the server connects almost instantly, allowing me to remotely view my cameras without needing to expose them to the internet, because the VPN makes it appear as if the traffic is local.

Am I telling you that you absolutely shouldn't do any port forwarding? No, but for each service you're considering exposing you should ask yourself these four questions. Number one: how sure can I be that the developers of this service were both competent and security conscious enough to minimize vulnerabilities? Number two: how often is this service being upgraded to provide security patches for the ever-evolving cybersecurity race? Number three: what data or privacy is at stake if the service is compromised? And number four: how likely is it that other devices in the house could be attacked as a result of this forwarded service being compromised?

In the future I may make a video about reverse proxies and more robust VPN solutions than the built-in UniFi VPN, but for now this series has been long enough, so thank you so much to my awesome patrons over at Patreon for continuing to support this channel. If you're interested in supporting this channel, please check out the links down in the description. If you enjoyed this video, please hit that thumbs up button and consider subscribing, and as always, thanks for watching The Hookup.