Ubiquiti UniFi Thoughts and Questions


BAlGaInTl


Sammy

@lightsout can still send his back for a full refund. I can't...

 

Which brings this up.. knowing that past performance is not a predictor of future results, do I really need IDS/IPS/DPI? AFAIK, I haven't had any issues without it.


lightsout

@lightsout can still send his back for a full refund. I can't...

 

Which brings this up.. knowing that past performance is not a predictor of future results, do I really need IDS/IPS/DPI? AFAIK, I haven't had any issues without it.

Likely no, but that could definitely be said about setting up an IoT VLAN. How many of us have had a home device hacked by someone? Maybe someone, probably not many.

I guess that means that you still haven't got CableCARDs for your Prime tuners?

 

I have 7 ethernet connected devices just in my office, two of them Prime Tuners.

No, I have more than 3 connected devices and will have cheap switches, but I could successfully have all devices on the proper VLAN (assuming the setup of an IoT network) because of the way the UDM would require me to set up my network.

 

I sold the Prime tuners though and went to YTTV. I do miss handling everything with Emby and keeping everything I record, but I am digging YTTV.


Sammy

I sold the Prime tuners though and went to YTTV. I do miss handling everything with Emby and keeping everything I record, but I am digging YTTV.

 

Not to go too far OT, have you checked out Channels? Any TV Everywhere app that you can access via YTTV you can connect to Channels DVR. I've not tried it, but if Spectrum doesn't want to make a deal when the promo I'm on ends, I'll be looking into this solution for sure. I put in a FR with Emby, as did others, to implement something such as this, but it isn't there yet. I hope it is on the road map.

 

EDIT: I just pulled the trigger on a month's free trial. Not bad, not too bad. Emby has more options exposed to the end user, but some may not need so much control. It records to .ts, including the TVE channels, so it will play back in Emby after it has finished recording, and/or you can run it through MCEBuddy, with a bonus of a side JSON file written just for MCEBuddy's use. I haven't played with that much.

Edited by Sammy

lightsout

Not to go too far OT, have you checked out Channels? Any TV Everywhere app that you can access via YTTV you can connect to Channels DVR. I've not tried it, but if Spectrum doesn't want to make a deal when the promo I'm on ends, I'll be looking into this solution for sure. I put in a FR with Emby, as did others, to implement something such as this, but it isn't there yet. I hope it is on the road map.

 

EDIT: I just pulled the trigger on a month's free trial. Not bad, not too bad. Emby has more options exposed to the end user, but some may not need so much control. It records to .ts, including the TVE channels, so it will play back in Emby after it has finished recording, and/or you can run it through MCEBuddy, with a bonus of a side JSON file written just for MCEBuddy's use. I haven't played with that much.

That is very interesting. Right now the DVR on YTTV is suiting my purposes, but this is pretty cool; I would like to avoid another sub though.


rbjtech

 

Which brings this up.. knowing that past performance is not a predictor of future results, do I really need IDS/IPS/DPI? AFAIK, I haven't had any issues without it.

 

You don't *think* you have any issues, but without an IDS/IPS, how do you know? With web services being permanently internet facing, a decent IDS/IPS, ideally with DPI/SSL inspection, is a must imo to protect you from the constant barrage of hack attempts from bots. These use perfectly legitimate port requests (HTTP, HTTPS, SQL, etc., so your firewall is all but useless), but they attempt to gain privileged access using OS/application-layer vulnerabilities that you may or may not have patched. An IPS will stop these.

 

The good news is that for the better and well-configured IPS systems, you should be able to turn on features for particular ports. So if you have a SQL server on the net, for example, then you just need to turn on the SQL IPS signatures, thus saving the IPS from having to inspect 'everything', which results in vastly reduced CPU usage.

Edited by rbjtech
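
The two points in the post above (attacks ride on ports the firewall must leave open, and scoping signatures to a service's ports saves inspection work) as a toy signature matcher. This is an added illustration, not rbjtech's or Ubiquiti's code; the signatures, ports and traffic are constructed and far simpler than real IPS rules.

```python
"""Toy IPS signature matcher added as an illustration (not rbjtech's or
Ubiquiti's code): attacks ride on legitimately open ports, and scoping
signature groups to a service's ports cuts rule evaluations. All constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class Signature:
    sid: int
    service: str          # rule group: "http" or "sql"
    pattern: re.Pattern
    msg: str

# Constructed signature groups (far simpler than real rules) and service ports.
SIGNATURES = (
    Signature(1001, "http", re.compile(rb"\.\./"), "HTTP path traversal attempt"),
    Signature(1002, "http", re.compile(rb"(?i)<script"), "HTTP script injection attempt"),
    Signature(2001, "sql", re.compile(rb"(?i)union\s+select"), "SQL UNION SELECT probe"),
)
SERVICE_PORTS = {"http": {80, 443}, "sql": {1433, 3306}}

@dataclass
class Result:
    alerts: list = field(default_factory=list)   # (sid, dst_port, msg)
    evaluations: int = 0                          # (packet, rule) checks done

def inspect(packets, scoped=True):
    """packets: iterable of (dst_port, payload). scoped=True checks only the
    rule group for the port's service, as a well configured IPS would;
    scoped=False runs every rule against every packet."""
    res = Result()
    for dst_port, payload in packets:
        for sig in SIGNATURES:
            if scoped and dst_port not in SERVICE_PORTS[sig.service]:
                continue        # not a port this service uses: skip the rule
            res.evaluations += 1
            if sig.pattern.search(payload):
                res.alerts.append((sig.sid, dst_port, sig.msg))
    return res

# Constructed traffic; every packet uses a port a stateful firewall would allow.
TRAFFIC = (
    (443, b"GET /index.html HTTP/1.1"),
    (80, b"GET /../../config.bak HTTP/1.1"),
    (3306, b"... UNION SELECT 1,2,3"),
    (443, b"POST /login HTTP/1.1"),
)
```

`inspect(TRAFFIC)` and `inspect(TRAFFIC, scoped=False)` raise the same two alerts (sids 1001 and 2001) but perform 7 and 12 rule evaluations respectively, which is the CPU saving the post describes.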

lightsout

You don't *think* you have any issues, but without an IDS/IPS, how do you know? With web services being permanently internet facing, a decent IDS/IPS, ideally with DPI/SSL inspection, is a must imo to protect you from the constant barrage of hack attempts from bots. These use perfectly legitimate port requests (HTTP, HTTPS, SQL, etc., so your firewall is all but useless), but they attempt to gain privileged access using OS/application-layer vulnerabilities that you may or may not have patched. An IPS will stop these.

 

The good news is that for the better and well-configured IPS systems, you should be able to turn on features for particular ports. So if you have a SQL server on the net, for example, then you just need to turn on the SQL IPS signatures, thus saving the IPS from having to inspect 'everything', which results in vastly reduced CPU usage.

Very interesting. I guess I am just naive. When I think of someone hacking my network, I picture a guy in range trying to get in through my Wi-Fi network.

 

UDM should be at my door when I get home. Happy to have an extra layer of security.


sooty234

With Snort (an IPS) enabled on pfSense, you can switch your logs to active and watch the continuous stream of blocked traffic. The UniFi controller should start giving you multiple alerts fairly soon after IPS is enabled. pfSense catches all of mine before it gets to my UDM, but I have it enabled as a secondary line of defense.


lightsout

With Snort (an IPS) enabled on pfSense, you can switch your logs to active and watch the continuous stream of blocked traffic. The UniFi controller should start giving you multiple alerts fairly soon after IPS is enabled. pfSense catches all of mine before it gets to my UDM, but I have it enabled as a secondary line of defense.

So you have pfSense and a UDM; isn't that like having two routers, or do you not use the USG in the UDM?


sooty234

So you have pfSense and a UDM; isn't that like having two routers, or do you not use the USG in the UDM?

 

Yes, one in front of the other. Each has different tasks, with some overlap of course.


lightsout

Yes, one in front of the other. Each has different tasks, with some overlap of course.

Interesting setup.


Spaceboy

Yes, one in front of the other. Each has different tasks, with some overlap of course.

And just for the inexperienced, which way round is that? I'm guessing UDM then pfSense as you go external to internal? I have a pfSense that I'm very happy with and am not willing to replace, but the UDM interests me.

sooty234

pfSense first, as that's the main line of defense. Being able to create interfaces, etc., is very valuable. But behind that is an entire UniFi network. So the configuration and monitoring of the multiple networks (collation and presentation of the DPI, etc.) has a value all of its own. It's why I chose the UniFi product range. And having a second line of defense is also nice. The UniFi gateways don't NAT when behind another router. So the gateway is assigned an IP as if it's just another device. Then in my case, I changed the subnets to different ranges. It makes port forwarding interesting, having to pass through two firewalls with different IP ranges. But it isn't difficult.

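
The "two firewalls with different IP ranges" port forward described above, as an added consistency check. This is example code written for this thread, not pfSense's or UniFi's rule format, and every address in it is constructed; it only encodes the chain of conditions a practitioner verifies by hand: the outer rule must hand traffic to the inner gateway's address on the outer LAN, the ports must line up at the hand-off, and the inner rule must end at the server inside the inner subnet.

```python
"""Consistency check for a port forward that must traverse two firewalls in
series (pfSense in front, a UniFi gateway behind it on its own subnet), the
setup described above. Added example with constructed addresses; this is not
pfSense's or UniFi's rule format, only the logic one checks by hand."""
from ipaddress import ip_address, ip_network

# Constructed topology: the UDM is an ordinary host on the pfSense LAN and
# fronts a second, deliberately different, subnet.
OUTER_LAN = ip_network("192.168.1.0/24")      # pfSense LAN
INNER_WAN_IP = ip_address("192.168.1.2")      # address pfSense handed the UDM
INNER_LAN = ip_network("10.10.0.0/24")        # UDM LAN

def check_chain(outer_rule, inner_rule, server_ip, server_port):
    """Each rule is (listen_port, target_ip, target_port). Returns a list of
    problems; empty means the two rules chain from the internet-facing port
    down to the server."""
    _wan_port, o_target, o_tport = outer_rule
    i_port, i_target, i_tport = inner_rule
    problems = []
    if o_target not in OUTER_LAN:
        problems.append(f"outer target {o_target} is not on the pfSense LAN {OUTER_LAN}")
    elif o_target != INNER_WAN_IP:
        problems.append(f"outer rule must hand traffic to the inner gateway at {INNER_WAN_IP}")
    if o_tport != i_port:
        problems.append(f"outer forwards to port {o_tport} but the inner rule listens on {i_port}")
    if i_target not in INNER_LAN:
        problems.append(f"inner target {i_target} is not on the inner LAN {INNER_LAN}")
    if (i_target, i_tport) != (server_ip, server_port):
        problems.append(f"inner rule ends at {i_target}:{i_tport}, server is {server_ip}:{server_port}")
    return problems

# Emby's default HTTP port is 8096; the server address is constructed.
SERVER = (ip_address("10.10.0.50"), 8096)

# Correct chain: WAN:8096 -> pfSense -> 192.168.1.2:8096 -> UDM -> 10.10.0.50:8096
GOOD_OUTER = (8096, ip_address("192.168.1.2"), 8096)
GOOD_INNER = (8096, ip_address("10.10.0.50"), 8096)
# Typical slip after changing the inner subnet: the inner rule still names
# the server's old address, which now lies in the outer range.
STALE_INNER = (8096, ip_address("192.168.1.50"), 8096)

if __name__ == "__main__":
    print(check_chain(GOOD_OUTER, GOOD_INNER, *SERVER))        # []
    for p in check_chain(GOOD_OUTER, STALE_INNER, *SERVER):
        print("problem:", p)
```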

lightsout

Just got the UDM hooked up. Haven't done much with it, but am already seeing that the Wi-Fi AP that it has is pretty stout. I had my Lite about 6' away from my PC and I couldn't hit 200 Mbps. Disabled the Lite and connected to the UDM, which is on the floor below me in the garage, and I can easily max my connection at 400 Mbps. Pretty impressive.


MRobi

Haha... You guys just caught the Ubiquiti networking bug. Once bitten, you'll never stop spending money :D

This is so true! I'm eyeing a US-16-XG, just trying to figure out how to get it here without the wife seeing the bill LOL


lightsout

Was curious about you guys that do an IoT VLAN. Where do you put your Emby server? On the main LAN or the secondary?

 

Seems like it should be on the VLAN, especially with a port opened. But does that mean it's a pain to access internally?

 

If I take my server off my main LAN, there wouldn't then be much left. Probably just my PC and phones and the Odroid SBC that runs Pi-hole.


sooty234

Was curious about you guys that do an IoT VLAN. Where do you put your Emby server? On the main LAN or the secondary?

 

Seems like it should be on the VLAN, especially with a port opened. But does that mean it's a pain to access internally?

 

If I take my server off my main LAN, there wouldn't then be much left. Probably just my PC and phones and the Odroid SBC that runs Pi-hole.

 

Big stuff on the main LAN. That's what you're protecting from the IoT stuff.


Jdiesel

Keep in mind you might have issues casting to devices if they are on different VLANs. For example, your Google Homes need to be on the same VLAN as your Emby server if you want to cast to it.

Edited by Jdiesel

sooty234

pfSense first, as that's the main line of defense. Being able to create interfaces, etc., is very valuable. But behind that is an entire UniFi network. So the configuration and monitoring of the multiple networks (collation and presentation of the DPI, etc.) has a value all of its own. It's why I chose the UniFi product range. And having a second line of defense is also nice. The UniFi gateways don't NAT when behind another router. So the gateway is assigned an IP as if it's just another device. Then in my case, I changed the subnets to different ranges. It makes port forwarding interesting, having to pass through two firewalls with different IP ranges. But it isn't difficult.

 

And even though I have pfsense in front of the network, the IPS on the UDM Pro still caught a threat.

 

[Screenshot of the UDM Pro threat alert; image not included]


BAlGaInTl

So just for fun, I turned on the threat detection on my USG over the weekend. My connection is slow enough that it doesn't really affect anything. I think I noticed that my LAN traffic slowed down a bit when I had a lot going on, but it isn't a huge issue for my home network. It's going to take some more testing to determine if it was just a blip.

 

It caught several threats over the weekend, so I've decided to leave it on for the moment.

 

But yeah... now I'm looking at the UDM Pro even though I don't "NEED" it.

 

:D

 

ETA: What "level" of threat protection is good for a home network? I think I have it on 3 right now.

Edited by BAlGaInTl

Spaceboy

So I have a pfSense router, a 24-port PoE EdgeSwitch, a UniFi LR AP indoors, a UniFi AC Mesh Pro outdoors, and the UniFi controller running on a Windows PC that is always on. I've also got UniFi security cameras, but they are set up within Synology Surveillance Station, which I found to be far better than the free UniFi CCTV software.

 

So I am interested in the UDM, but ONLY for the security features. I'm pretty happy with how everything else is set up. Is it worth it, or is there another way of getting the same security protection even if it's not from UniFi?

 

In the middle of a main PC rebuild atm, so this is not going to get looked at for a month or two, but it's still something I'm considering.

