UniFi Management VLAN & Network Security


How To Setup VLANs With pfsense & UniFI 2022
David Bombal Video on VLAN Hopping With Cisco & Python
⏱️ Timestamps ⏱️
00:00 UniFi Management VLAN
02:14 Network Demo Setup
03:50 How to Change management VLAN
04:34 VLANs and UniFi Security
#UniFi #ubiquiti #VLAN

Comments: 45

  • @ripe_apple, 1 year ago

    I love this content, just a regular home user learning (trying). This channel has poked my interest that I will be taking some classes to learn about IT security..... Thanks Tom

  • @danielkirk8571, 1 year ago

    Exactly the same. If it wasn't for Tom's channel, I wouldn't have my own home lab using PfSense. I now have this with a dual WAN setup and loving the journey.

  • @leefelske9999, 1 year ago

    Well, our corp just moved into their new building and I did a full Ubiquiti network with 15 switches, 10Gb Agg Switch, UDMSE, UNVR, RPS's Access Controls, APC security and Audio in a MDF/IDF setup with fiber backbones and a second rack of servers. I used a management network, system network, VOIP network, Camera Network, IoT Network, and Guest Network. The 6 networks definitely helped split the traffic with over 500 endpoints total so far... I wouldn't have wanted my network device IPs mixing at all with my systems and servers. It was an extremely smooth installation as I laid out from drawings, and configured most of the equipment before the move, installed over Memorial Day weekend and built out the network racks/APs/Cameras/VOIPs etc. and tested and then moved the servers 2 and 3 days before we moved the offices in. It was a blast configuring and setting up... I wouldn't have mixed the VLANs for anything.

  • @pageb018, 1 year ago

    I recently did this to clear up some more statics on my main lan. As Tom says, it was pretty painless. Thanks for another great video!

  • @pipesmoker70, 1 year ago

    Asked this some days ago on a live stream - and here it is! MANY THANKS!👍

  • @techfunnels, 1 year ago

    One of the best walkthroughs on KZread 🙏🏼

  • @LAWRENCESYSTEMS, 1 year ago

    How To Setup VLANs With pfsense & UniFI 2022 kzread.info/dash/bejne/iYGt3JmMhs_Yl8Y.html
    David Bombal Video on VLAN Hopping With Cisco & Python kzread.info/dash/bejne/hZ1628qioM-bZ6Q.html
    ⏱ Timestamps ⏱
    00:00 ▶ UniFi Management VLAN
    02:14 ▶ Network Demo Setup
    03:50 ▶ How to Change management VLAN
    04:34 ▶ VLANs and UniFi Security

  • @allandresner, 1 year ago

    I have hired LS before and I can highly recommend them!

  • @michnl1772, 1 year ago

    This is what I was looking for!! Thanks for sharing Tom!

  • @salvadorviveros3858, 1 year ago

    Great content. Keep it coming

  • @DavidCNavas, 7 months ago

    This is an interesting topic to me that I'm just starting to play with. I'm going to need a lot more information :) I have a mix of equipment (not all UniFi). Don't even get me started on what you need to do to change the management VLAN on a Netgear switch (PVID vs untagged headache). I had a lot of trouble changing the management VLAN on a UniFi AP, and that's because once I did, the controller is now not in the same network. You've probably covered it elsewhere, but definitely point people to something that covers that. I'm using Option 43, but of course I set that up a year ago, and I had to rediscover it. It's not just that you need traffic routed between networks, the device needs to know in what network the controller can be found. Maybe that just automagically happens in an all-UniFi deployment? There seem to be a lot of different options to deal with the default VLAN, and I'm honestly not informed enough to know why one is better than the other. Do I change the native VLAN on trunks? Should I not route the default VLAN /at all/? Should I change the default VLAN into a guest VLAN dumpster fire and pretend to any guest that there aren't any VLANs at all, or is that the opposite of a good idea and I should blackhole default? Does any of this make any difference without proper 802.1x support? Does UniFi have a way to indicate that "unknown" MAC addresses for their "Radius MAC Authentication" feature are dumped into some "default" (not -the- default) VLAN?

  • @LordApophis100, 1 year ago

    Never thought about that! Thanks, but now I have to redo my home networks... again. Always learning something new on your channel I can try and apply.

  • @scbtripwire, 1 year ago

    Booya! Sounds like I segregated my VLANs correctly ! I was just wondering about exactly this subject!

  • @gregcandido4330, 1 year ago

    Typically I put all my MSP clients' WiFi on VLAN 2 and VoIP devices on VLAN 10. I keep all my workstations/laptops as untagged. Should I be looking to move my clients' workstations to a dedicated VLAN?

  • @jamesa4958, 1 year ago

    Thank you

  • @dblclick, 1 year ago

    I love this, but I'm having an issue with IPv6 on a VLAN trunk. I configured a Guest Network, VLAN 10, and assigned it a static IPv4 interface; IPv6 was set to Track Interface "WAN". DHCP6 shows only a WAN at the top of the page, and when I connect to the source of the VLAN I only get an IPv4 DHCP address. Is there something different for IPv6 we should know?

  • @andylauriewalmsley6102, 1 year ago

    Thanks, great video.

  • @not2tired, 8 days ago

    3:56 June 2024 - I don't see the "Services" tab in "Options" on any of my unifi devices. I'm wondering if "Management VLAN" has been renamed and/or relocated in a Unifi OS update? Your content is always very helpful. Thanks!

  • @perryuploads776, 1 year ago

    It is called default VLAN 1, not native VLAN. Native VLAN is a term used when trunking. Native VLAN is used for management traffic/protocols in a trunk. It is recommended to use another VLAN for native because default VLAN cannot be changed. It is always 1. If you put native VLAN on 1, then it means every device connected on default VLAN can transfer over the trunk line. Most offices are using untagged port with a VLAN port. So VLAN 1 cannot be exposed.

  • @FHTheron, 1 year ago

    I was about to try this “because I can”, not “should”. I just still need to convince myself that re-adopting an AP is not going to be a massive hassle. Not that I’ve ever had to do that, but still. A new Wifi 6 AP is more likely.

  • @lisandromarote, 1 year ago

    Why just change the native VLAN like Cisco? Is it possible to do this in UniFi?

  • @NesleinOb, 1 year ago

    Thanks for your informative videos - greatly appreciated. Do you have a video on how to set up an Ubuntu server with 2 NICs… one for management purposes and the other for the services? Thanks

  • @LAWRENCESYSTEMS, 1 year ago

    Check out www.youtube.com/@learnlinuxtv for Linux tutorials

  • @Foiliagegaming, 1 year ago

    Big brain: put every single device on its own vlan. 100 devices, 100 vlans. Boom lol

  • @ifneeded1, 1 year ago

    Are you trying to say that pruning the VLAN trunks is more secure than segregating devices off of VLAN 1?

  • @stentoft7600, 1 year ago

    192.168.1.x all UniFi hardware
    192.168.10.x main WiFi
    192.168.2x.x gaming
    10.10.x.x IoT
    All network is guest network and port for gaming is isolated on switch.

  • @motdde, 1 year ago

    This has been giving headaches all day. How do you set management VLAN on the new UI? I realised USW Flex Mini goes offline when I change the management VLAN to anything but VLAN 1.

  • @jeffofla, 1 year ago

    Does adding a VoIP Vlan slow throughput on the Vlan1?

  • @LAWRENCESYSTEMS, 1 year ago

    VLANs all share the same physical connection so it does not slow it down or speed it up. It all remains the same

  • @mvp_kryptonite, 1 year ago

    First, thanks for the video. I moved my normal network from VLAN 1 as I couldn’t tag it and now I have all my services working (still waiting for mDNS reflector). I ought to ditch the management SSID as I never use it but at least it’s paused.

  • @bradsmith8489, 1 year ago

    Tried to watch but for some reason the video does not load and play (2022.08.24 11:55 PDT).

  • @Cy_Ebono, 1 year ago

    I have a UniFi switch connected to my cheap Spectrum router that does do VLANs. I created a network on VLAN 20, created a port profile with VLAN 1 as native. As soon as I assign that port profile to the port connected to my laptop, I lose network connectivity. I am trying to understand why this is happening and I can ping other networks that I had set up within the switch. Can someone please help answer this question for me? I only have a UniFi switch, cloud key and my Spectrum router.

  • @enmanuel7112, 1 year ago

    you need a router that supports vlans, and the cheapo isp router won't do

  • @tabascocrimson7865, 1 year ago

    Most of the time when I talk to people about CLEARING clients off LAN 1 they look at me with a ? mark on their faces... The thing is, lots of "professionals" are leaning their recommendations over their "experience" and consultants are cheaping out on hardware. I've seen small business routers getting crushed by inter-VLAN I/Os. Maybe this can explain why this rule is sometimes overlooked or ignored.

  • @bani_niba, 1 year ago

    Hi Tom, love your channel. Can you make a video showing how to add MFA to PfSense itself, using FreeRadius+OpenVPN-export (or any other easier method)? There's only one YT video on that topic but it's not very well done.

  • @LAWRENCESYSTEMS, 1 year ago

    It's not well supported in pfsense yet.

  • @EricWieber-mi9yj, 1 year ago

    Is it possible for hackers to hijack your AP and get your SSID?

  • @LAWRENCESYSTEMS, 1 year ago

    I am not aware of any flaws in their system that would allow that.

  • @StefanHolmes, 1 year ago

    I follow infosec people on Twitter. VLANs are not an obstacle to red teamers.

  • @forgotten893, 6 months ago

    Why you're right: You just are. Why you're wrong: You just aren't.

  • @QSFPTEK_official, 1 year ago

    Let’s make a video of optical modules together, we sincerely invite you to cooperate with us, we have 10 years of experience in optical module sales and are a trustworthy company, looking forward to your reply~

  • @TechySpeaking, 1 year ago

    First

  • @pepeshopping, 1 year ago

    Nah. Once you have an intruder ANYWHERE in your network, a VLAN will not stop them from moving around! It’s more or less trivial to make custom packets to hop around any VLAN, so again, VLANS are more for broadcast separation and network design than security.

  • @MT-yo3mg, 1 year ago

    I disagree. Yes, there are exploits but also possible mitigations. Every layer of security helps, even if not flawless. Of course, ultimately, everything can be broken. VLANing is not THE solution, but should be part of an over-arching, architectural design.

  • @jameswhite1910, 1 year ago

    Gotta agree with @MT83. Your network security is like peeling an onion. One of the pieces is VLANs. Another is having a lock on the front door. Your magic packet may bypass a VLAN - but how did you get it onto the network in the first place - you had to bypass several OTHER layers (each with their own risks) first. In the end, you can ALWAYS drive a bulldozer through a brick wall into a server room and plug a cable into a trunk port (unless you have only SSH traffic on all ports) - but security is based on layers and needs to balance cost, efficiency and actual risk of attack. A real attack on say, the Pentagon, means you must traverse hundreds of millions of dollars worth of "layers". While you can't afford that in your business, you can be about 90% as safe by following simple rules such as VLAN segregation and SSH.
