Ubiquiti UniFi Thoughts and Questions


BAlGaInTl


Sammy

Mine is more complicated than that. For example, my security cams run on Blue Iris which runs on the same PC as Emby and everything else. Now that I've got the UDM, I guess I could move that task over to the NUC I was using as a "cloud key" for my USG but I'd have to add an external HDD for recording.

Also, I'd need to move my Vera Plus Home Automation Controller to one of those dedicated ports on the UDM and put the PoE cams on a separate managed switch to get them all on the IoT network.

This is more than making a few settings changes in my UDM...


sooty234
39 minutes ago, Sammy said:

Mine is more complicated than that. For example, my security cams run on Blue Iris which runs on the same PC as Emby and everything else. Now that I've got the UDM, I guess I could move that task over to the NUC I was using as a "cloud key" for my USG but I'd have to add an external HDD for recording.

Also, I'd need to move my Vera Plus Home Automation Controller to one of those dedicated ports on the UDM and put the PoE cams on a separate managed switch to get them all on the IoT network.

This is more than making a few settings changes in my UDM...

You should have created a VM for Blue Iris, and had a dual port NIC. Then you could have made separate VLANs for Emby and Blue Iris. If you run Blue Iris on a separate machine (the NUC), then you can easily separate them with VLANs and no complicated rules or tagging. Cloud keys have security issues, anyway. 


murky024
On 6/9/2020 at 8:54 PM, lightsout said:
On 6/9/2020 at 5:32 PM, rbjtech said:

odd.. - you did put your AP's on separate uncongested radio channels right ?

Yes I have done that. I have not turned down the power on the UDM though. Probably on medium. I'm getting great speeds across the whole house. Better than I did with the AP-pro in the living room. UDM is in the garage fyi.

You might want to look into the Radio AI feature in the controller. This feature scans the area to determine the best channel(s) you should use and the power rates to maximize throughput and reduce interference. It is currently a beta feature but has been around for about a year or more and is in a really stable condition.


Sammy
11 hours ago, sooty234 said:

You should have created a VM for Blue Iris, and had a dual port NIC. Then you could have made separate VLANs for Emby and Blue Iris. If you run Blue Iris on a separate machine (the NUC), then you can easily separate them with VLANs and no complicated rules or tagging. Cloud keys have security issues, anyway. 

I still could create a VM, right? I do have a spare Intel 1 Gig NIC laying about that I can't even sell on eBay for the cost of shipping! I'd still have to put a managed switch at the location where the PoE IP cams connect, as there are two other switches to get to the PoE switch that feeds them now, and I don't want other items on this leg on the IoT VLAN.


Sammy

Leaving an AP settings page where I didn't think I had made any changes, I came across this message, in which both options seem to do the same thing.

[screenshot of the AP settings message]


rbjtech

Trying to retro-fit VLANs on a 'flat' network is actually fairly involved if you want to keep your existing networking 'operational'. For starters, you need to turn on VLAN Management support for your Ubiquiti devices, and unless you have a working 'default' VLAN you'll lose access to everything .. ask me how I know .. haha. You also need to invest a bit of time in your firewall rules up-front: there is zero point in implementing VLANs if they can simply bridge each other at the firewall/UDM (which by default, they do …) 😲 You also need to get your head around VLAN tagging; clients won't need it but all the switches/VMs will. Lots of other things need thinking about, such as DHCP scopes, broadcast domains etc.

My personal view, is have a play on some spare equipment if you have it - your home/live network is not the place to be experimenting to see how it all works .. 😉


sooty234

I don't think it's that difficult. A bit of reading and bing bang bosh, all done. I've got 6 or 7 networks (I still need to add a few more), about 20 minutes to implement and test. Unifi makes it very easy. And if all you want to do is have static isolated networks, just turn on guest policies and you're done (after making the networks, that is). But if you like fiddling with stuff, then you can make firewall rules and tag stuff. It's fun :D


lightsout
4 hours ago, Sammy said:

BTW, this is only found in the Beta Settings:

[screenshots of the beta settings]

This is interesting, I keep reading to leave the new and beta features alone as they often cause issues. Although performance is fine for me. My devices just seem to want to be on the UDM, they get great performance when doing so, wasn't really a complaint but an observation.


Sammy
On 6/17/2020 at 5:31 AM, murky024 said:

You might want to look into the Radio AI feature in the controller. This feature scans the area to determine the best channel(s) you should use and the power rates to maximize throughput and reduce interference. It is currently a beta feature but has been around for about a year + and is in a really stable condition.

Enabling Radio AI created all sorts of havoc with my MiBox S's! They wouldn't even connect to the WiFi at all.

I turned it off and that didn't fix it so I restored from a back up 2 days prior to when I tried WiFi AI and then they would connect and disconnect, connect and disconnect. Playback was unwatchable.

I got in touch with UI.com support via chat and they walked me through changing several WiFi settings and now all is running smooth again.

It seems this feature is too beta right now for me anyways and disabling it doesn't roll back changes it makes to the settings.


murky024

 

59 minutes ago, Sammy said:

Enabling Radio AI created all sorts of havoc with my MiBox s'! They wouldn't even connect to the WiFi at all.

I turned it off and that didn't fix it so I restored from a back up 2 days prior to when I tried WiFi AI and then they would connect and disconnect, connect and disconnect. Playback was unwatchable.

I got in touch with UI.com support via chat and they walked me through changing several WiFi settings and now all is running smooth again.

It seems this feature is too beta right now for me anyways and disabling it doesn't roll back changes it makes to the settings.

In my radio AI settings I cannot use the DFS channels because of Amazon devices and my TCL TVs. They do not support those channels. That might have been your issue if it was just one device or device type.


lightsout
 
murky024 said:

In my radio AI settings I cannot use the DFS channels because of Amazon devices and my TCL TVs. They do not support those channels. That might have been your issue if it was just one device or device type.

Yeah I have the same issue. I thought for a year that my TCL just couldn't see the 5 GHz signal lol. Until I finally read up on it.

Sammy thanks for being the guinea pig, that was what I thought I had read about the beta features. I'll leave them alone.

rbjtech
On 6/17/2020 at 8:11 PM, sooty234 said:

I don't think it's that difficult. A bit of reading and bing bang bosh, all done. I've got 6 or 7 networks (I still need to add a few more), about 20 minutes to implement and test. Unifi makes it very easy. And if all you want to do is have static isolated networks, just turn on guest policies and you're done (after making the networks, that is). But if you like fiddling with stuff, then you can make firewall rules and tag stuff. It's fun :D

I didn't say it was difficult, I said it was involved and needs planning. If you are experienced in networking/security then sure, dive in and the terms/concepts should be familiar to you, but if this is your first venture into proper networking then my advice is to try and set up a parallel system and 'migrate' services onto it and, when you are happy, then decommission your old kit.


sooty234
On 6/1/2020 at 6:16 AM, Spaceboy said:

So I have a pfSense router, 24 port PoE EdgeSwitch, UniFi LR AP indoors, UniFi AC Mesh Pro outdoors and the UniFi controller running on a Windows PC that is always on. I've also got UniFi security cameras but they are set up within Synology Surveillance Station, which I found to be far better than the free UniFi CCTV software.

So I am interested in UDM but ONLY for the security features. I'm pretty happy with how everything else is set up. Is it worth it, or is there another way of getting the same security protection even if it's not from UniFi?

In the middle of a main PC rebuild atm so this is not going to get looked at for a month or two, but it's still something I'm considering.

@Spaceboy If your pfsense box has enough juice.

 


sooty234

A little update for you guys. With Snort running on pfsense and IPS enabled on the UDM Pro behind pfsense, they are both blocking a bunch of stuff. Kinda scary to see what's trying to break our stuff. And this is with basic settings, and not strictly hardened. 

 

[screenshots]

mastrmind11

Agree. I have fail2ban set up watching port 22 on my USG and I've got at least 30-40 IPs banned 24x7 since the day I set it up.


Spaceboy
sooty234 said:

A little update for you guys. With Snort running on pfsense and IPS enabled on the UDM Pro behind pfsense, they are both blocking a bunch of stuff. Kinda scary to see what's trying to break our stuff. And this is with basic settings, and not strictly hardened.

[screenshots]

So does that mean Snort is not blocking everything then?

And you just followed that tutorial to set up Snort? My pfsense should be sufficient so I’ll give it a go. Ta

sooty234
2 hours ago, Spaceboy said:


So does that mean Snort is not blocking everything then?

And you just followed that tutorial to set up Snort? My pfsense should be sufficient so I’ll give it a go. Ta

The UDM is catching that particular activity because of its position in the network. The destination is a specific computer which is running software that is the cause of the traffic. So it's inside out. I imagine that Snort would catch it if the UDM wasn't there. And yes, I followed that video, but as you'll see, he suggests experimenting with some of the settings to see what works best for you and doesn't block too much traffic.


BAlGaInTl
2 hours ago, mastrmind11 said:

agree.  i have fail2ban set up watching port 22 on my usg and i've got at least 30-40 IPs banned 24x7 since the day I set it up.

Is F2B running on your USG?  How did you manage that?


mastrmind11
26 minutes ago, BAlGaInTl said:

Is F2B running on your USG?  How did you manage that?

No, I believe it's possible, but it's unnecessary since you already have a server probably not doing much. Just forward 22 on the USG to your server and fail2ban's out-of-the-box config will just work. Of course, don't do this if you have no need for external SSH. It's actually a handy little tool.

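As an added illustration of what the out-of-the-box sshd jail in the post above actually does, here is a small re-implementation written for this thread (it is not fail2ban's own code): it walks a few constructed sshd log lines, counts password failures per source IP inside a sliding window and reports the IP once it crosses the retry limit. The log lines, the year used to complete the syslog timestamps and the maxretry/findtime/bantime values are assumptions (the thresholds are chosen to match fail2ban's stock defaults). The real tool would then run its ban action, typically an iptables/ipset insert; the model only returns the IP.

```python
"""fail2ban-style sshd jail, re-implemented for this thread as an illustration.
Not fail2ban's code. Log lines below are constructed; YEAR and the thresholds
are assumptions (thresholds match fail2ban's stock defaults)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of what the stock sshd filter matches: password failures,
# with or without "invalid user". Real fail2ban has many more patterns.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2020  # syslog timestamps carry no year; assumed for parsing


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


class SshJail:
    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.banned = {}                     # ip -> ban expiry

    def process(self, line):
        """Feed one log line; return the IP if this line triggers a ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None  # successful logins and other daemons are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        # Expire bans whose bantime has elapsed (fail2ban's unban step).
        for old_ip, expiry in list(self.banned.items()):
            if ts >= expiry:
                del self.banned[old_ip]
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned[ip] = ts + self.bantime
            window.clear()
            # fail2ban would now run its action, e.g. an iptables/ipset insert.
            return ip
        return None

    def feed(self, lines):
        bans = []
        for line in lines:
            ip = self.process(line)
            if ip:
                bans.append(ip)
        return bans


# Constructed sample log (not from any real host): one slow attacker spread
# over two hours, one burst that crosses maxretry, one that stays under it,
# and a successful key login that must not count.
SAMPLE_LOG = """\
Jun 23 17:00:00 gw sshd[3001]: Failed password for root from 192.0.2.44 port 41000 ssh2
Jun 23 17:30:00 gw sshd[3005]: Failed password for root from 192.0.2.44 port 41001 ssh2
Jun 23 18:00:00 gw sshd[3009]: Failed password for root from 192.0.2.44 port 41002 ssh2
Jun 23 18:30:00 gw sshd[3013]: Failed password for root from 192.0.2.44 port 41003 ssh2
Jun 23 19:00:00 gw sshd[3017]: Failed password for root from 192.0.2.44 port 41004 ssh2
Jun 23 19:30:01 gw sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 23 19:30:03 gw sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 23 19:30:04 gw sshd[4123]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Jun 23 19:30:06 gw sshd[4125]: Failed password for invalid user pi from 203.0.113.9 port 51031 ssh2
Jun 23 19:30:09 gw sshd[4127]: Accepted publickey for me from 192.168.1.5 port 40012 ssh2
Jun 23 19:30:10 gw sshd[4129]: Failed password for invalid user test from 203.0.113.9 port 51040 ssh2
Jun 23 19:31:00 gw sshd[4131]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jun 23 19:31:01 gw sshd[4131]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jun 23 19:31:02 gw sshd[4131]: Failed password for root from 198.51.100.7 port 60001 ssh2
""".splitlines()


def run_sample():
    """Run the jail over the constructed log; returns (banned IPs, jail)."""
    jail = SshJail()
    return jail.feed(SAMPLE_LOG), jail


if __name__ == "__main__":
    bans, jail = run_sample()
    print("banned:", bans)                      # ['203.0.113.9']
    print("still watching:", dict(jail.failures))
```

The point the slow attacker makes is that findtime is a window, not a lifetime counter: five failures spread over two hours never ban, which is exactly how low-and-slow brute forcing gets under a default jail. Lowering findtime's counterpart maxretry, or raising findtime, trades that off against locking out your own fat-fingered logins.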

BAlGaInTl

I don't have 

2 hours ago, mastrmind11 said:

no, i believe it's possible, but it's unnecessary since you already have a server probably not doing much.  just forward 22 on the usg to your server and fail2ban config oob will just work.  of course, don't do this if you have no need for external ssh.  it's actually a handy little tool.

I'll take a look... but since I'm running Unraid, I don't think it's that simple.  I looked for a fail2ban equivalent at some point and didn't find it.


mastrmind11
23 minutes ago, BAlGaInTl said:

I don't have 

I'll take a look... but since I'm running Unraid, I don't think it's that simple.  I looked for a fail2ban equivalent at some point and didn't find it.

ah, yeah, unraid....


rbjtech

I'm a little confused with this tbh. The firewall should be configured to silently drop everything except what you explicitly allow in and out. That is your first line of defence. The idea of an IPS is then to scan legitimately allowed traffic for application/code vulnerabilities as a second line of defence. If you are getting hundreds of hits on your IPS, I suggest you take a look at your firewall first, as it's not doing what it is supposed to be doing … ;)

 

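Two of rbjtech's points in this thread, that VLANs are pointless if the gateway still routes freely between them (the retro-fit post further up) and that the firewall should drop everything it was not told to accept so the IPS only inspects traffic you chose to let in (the post just above), both come down to rule ordering and chain defaults. The following is a toy first-match firewall model added for this page; it is not UniFi's or pfSense's rule engine, and the address plan, the VLAN names and the single published HTTPS service are assumptions made for the example.

```python
"""Toy first-match firewall model (added example; not UniFi's or pfSense's engine).

Two chains are modelled:
  LAN_IN  - traffic arriving from a VLAN, evaluated before it is routed to
            another VLAN. The chain default is "accept", so two VLANs talk
            to each other until a rule says otherwise.
  WAN_IN  - traffic arriving from the internet. Chain default is "drop";
            only explicitly published services get through to the IPS.
Addresses, VLAN names and the published service are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed: trusted LAN
IOT = ipaddress.ip_network("192.168.20.0/24")   # assumed: cameras, hub, etc.


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    state: str = "new"   # "new" opens a flow; "established"/"related" are replies


@dataclass
class Rule:
    action: str                                  # "accept" or "drop"
    src: list = field(default_factory=lambda: [ANY])
    dst: list = field(default_factory=lambda: [ANY])
    dports: set = None                           # None = any destination port
    states: set = None                           # None = any connection state
    name: str = ""

    def matches(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.states is None or pkt.state in self.states))


def evaluate(rules, default, pkt):
    """First matching rule wins; the chain default applies if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "chain default"


# Inter-VLAN chain with no rules: the VLANs exist, but the gateway routes
# freely between them. This is the "bridging at the firewall" situation.
LAN_IN_FLAT = []

# Inter-VLAN chain that actually isolates IoT. Order matters: replies must be
# accepted before the drop, or the LAN could never talk to the cameras.
LAN_IN_ISOLATED = [
    Rule("accept", states={"established", "related"}, name="allow replies"),
    Rule("drop", src=[IOT], dst=RFC1918, states={"new"},
         name="IoT may not open flows to private networks"),
]

# WAN chain: default drop, replies plus one published service (assumed).
WAN_IN = [
    Rule("accept", states={"established", "related"}, name="allow replies"),
    Rule("accept", dst=[LAN], dports={443}, name="published HTTPS"),
]


def lan_in(pkt, isolated=True):
    chain = LAN_IN_ISOLATED if isolated else LAN_IN_FLAT
    return evaluate(chain, "accept", pkt)[0]


def wan_in(pkt):
    return evaluate(WAN_IN, "drop", pkt)[0]


def inbound_pipeline(pkt):
    """Firewall first, IPS second: the IPS only ever sees accepted traffic."""
    if wan_in(pkt) == "drop":
        return "dropped by firewall"
    return "accepted, handed to IPS"


if __name__ == "__main__":
    cam_to_pc = Packet("192.168.20.10", "192.168.1.5", 445)   # camera probing LAN
    print("flat:", lan_in(cam_to_pc, isolated=False))          # accept
    print("isolated:", lan_in(cam_to_pc))                       # drop
    print("NVR -> camera RTSP:", lan_in(Packet("192.168.1.5", "192.168.20.10", 554)))
    print("internet -> SSH:", inbound_pipeline(Packet("203.0.113.9", "192.168.1.5", 22)))
```

The asymmetry is the whole design: the NVR on the LAN can open RTSP to a camera and the camera's replies come back through the "allow replies" rule, but the camera cannot open anything towards the LAN on its own. Swap the two LAN_IN_ISOLATED rules and the cameras stop working, which is the usual first symptom of getting this wrong. On the WAN side, an internet host probing port 22 never reaches the IPS at all; only the one published service is inspected, which is why a pile of IPS hits on unpublished ports says more about the firewall than about the attacker.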

sooty234
4 hours ago, rbjtech said:

I'm a little confused with this tbh - the firewall should be configured to silently drop everything except what you explicitly allow in and out.  That is your first line of defence. The idea of an IPS is to then scan legitimately allowed traffic for application/code vulnerabilities as a 2nd line of defence.  If you are getting 100's of hits on your IPS - I suggest you take a look at your firewall first as it's not doing what it is supposed to be doing … ;)  

 

Firewalls are in place and are configured appropriately. Firewall logs show me that they are working as expected. Snort goes well beyond a firewall. It is adaptive and evolving, with regular threat rule updates. Take a look.

 

