• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

  • 0
Sign in to follow this  

Question for Budman regarding a Ubiqity network setup

Question

Laser    0

Hey Budman

I have just setup a Ubiquity network in my home.

 

 

Cloud Key (2nd Gen)

USG

US-8 150W Switch

2 AP AC Pro Access points.

Inbound connection is Verizon Fios internet via their Gateway Router (Wi-Fi turned off)

 

Everything is up and running well, but I wanted to ask if there is anything you do to the standard config to make it more secure? ie: firewall rules

Also I see you reference VLANs often is that something a home user should setup?

 

Just so you know I am not a network engineer or IT guy just a home user trying to keep things safe and have a network that supports todays internet usage requirements. 

 

Thanks for your insights.

 

Share this post


Link to post
Share on other sites

4 answers to this question

Recommended Posts

  • 0
+BudMan    3,331

Well I would suggest you segment your network with vlans if you have a need to isolate devices.  If all you have is your own controlled device, PC, laptops, phones/tablets not so much... But if you have all kinds of IoT devices you might want to segment them from your trusted devices.

 

What sort of devices make up your network?  Do you provide inbound (port forwarding) from the internet to any of your devices internally? Plex Server? Web Server? etc..

 

I isolate things like my nest thermo and protect, alexa devices, roku devices, harmony remote, directv etc from my trusted networks.. Where my PC and devices sit, etc.  And since I serve stuff to the internet (ntp server in the pool) and my plex server to friends and family, etc.  These are all isolated from my main pc and trusted devices network.

 

For rules, yes I do not allow devices on these isolated segments to create any connections into my trusted network(s).. And I limit access to my plex server to friends and family IPs on the port forward rules.  So only IPs that I have listed can access my plex server.  So for example if my friends IP changes - they would have to contact me with their new IP to regain access.

 

What sort of devices are on your network and we can discuss.. Do you have friends and guest come over and connect to your wifi?  If so then yeah I would at min create a guest network for them to access so that if they connect their phone/tablet/laptop on your network they wouldn't access to your devices.. Atleast not controlled access - you might for example allow them to talk to your printer, but not your PC.. You might allow them to talk to your Plex server on 32400, but not the file shares directly, etc. etc..

 

Your problem is if you do not understand even the basics of tcp and ports and protocols, then its going to be a bit of a learning curve... But sure we could work through it makes sense for you to do such a thing.  Keep in mind that many of these consumer devices and their discovery methods don't play well when not on the same network.. So you could break some stuff.

Share this post


Link to post
Share on other sites
  • 0
Laser    0

Thanks Budman, great advice for the guest network.

 

I do not have any ports forwarded in this setup. On my old setup I did have a 2 ports open so I could RDP into my desktops, I did change ports on the router & devices but realize that's not much help when it comes to security. I read somewhere RDP was a common attack vector for Ransomware so I have not set that up since changing over the network.

 

My current devices:

I have 2 Nest cams (wi-fi), 2 laptops (wi-fi), 2 Wired Desktops, Synology NAS and handful of Ipads/Phones and a Sonos music system.

Eventually I would like to set up a Plex server but it will not be accessed outside the house.

We don't have any Google or Amazon devices and don't see adding any in the future.

 

Thanks again for taking the time to offer your thoughts.

Share this post


Link to post
Share on other sites
  • 0
+BudMan    3,331

I would isolate those cams ;)

 

So your sonos system is one of the problem children for isolation..  If you start isolating your segment you more then likely going to run into problems with what can access that, etc.  When its not on the same network.

 

As to RDP - yeah would never in a million years open that up to the public net at large.  If you knew your source IP, say you were rdping from work then you could lock it down via source IP so only the work IP could access your port forward for RDP..  But if you need to remote access.  Just setup VPN server on your USG... Its no where as easy as with say pfsense.. But I do recall some info on how to do it on the unifi forums.. Saw it when I was playing with my usg for the couple of weeks I had to run it.. No offense but its behind in features and ease of use compared to something like pfsense.  But I was impressed with how for like 100$ it could handle my 500/50 connection without any issues.. As long as didn't turn off hardware offload ;)  Then it just blew chunks...

 

If you want some help in setting up vpn on the usg.. Let me know, I have been looking for an excuse to fire it back up and update its firmware to current... I would like to get the thing off my shelf and get a few bucks so I could put that money towards new toy(s)..

Share this post


Link to post
Share on other sites
  • 0
Laser    0

I appreciate the offer for the VPN help but I don't really need the remote access it was just nice to have if I forgot something at home while I was on the road traveling for work.

 

I will setup a vlan and isolate the cams.  If I run into any issues I will let you know.

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.