Question for Budman regarding a Ubiquiti network setup

Hey Budman

I have just set up a Ubiquiti network in my home.

Cloud Key (2nd Gen)

USG

US-8 150W Switch

2 AP AC Pro access points.

Inbound connection is Verizon Fios internet via their Gateway Router (Wi-Fi turned off)

Everything is up and running well, but I wanted to ask if there is anything you do to the standard config to make it more secure, i.e. firewall rules?

Also, I see you reference VLANs often; is that something a home user should set up?

Just so you know, I am not a network engineer or IT guy, just a home user trying to keep things safe and have a network that supports today's internet usage requirements.

Thanks for your insights.

Well, I would suggest you segment your network with VLANs if you have a need to isolate devices.  If all you have is your own controlled devices (PCs, laptops, phones/tablets), not so much... But if you have all kinds of IoT devices, you might want to segment them from your trusted devices.

What sort of devices make up your network?  Do you provide inbound access (port forwarding) from the internet to any of your devices internally? Plex server? Web server? etc..

I isolate things like my Nest thermostat and Protect, Alexa devices, Roku devices, Harmony remote, DirecTV, etc. from my trusted networks, where my PC and devices sit, etc.  And since I serve stuff to the internet (an NTP server in the pool) and my Plex server to friends and family, etc., these are all isolated from my main PC and trusted devices network.

For rules, yes: I do not allow devices on these isolated segments to create any connections into my trusted network(s).. And I limit access to my Plex server to friends' and family's IPs in the port forward rules.  So only IPs that I have listed can access my Plex server.  So, for example, if my friend's IP changes, they would have to contact me with their new IP to regain access.

What sort of devices are on your network, and we can discuss.. Do you have friends and guests come over and connect to your Wi-Fi?  If so, then yeah, I would at minimum create a guest network for them to access, so that if they connect their phone/tablet/laptop to your network they wouldn't have access to your devices.. At least not uncontrolled access - you might, for example, allow them to talk to your printer, but not your PC.. You might allow them to talk to your Plex server on 32400, but not the file shares directly, etc. etc..

Your problem is, if you do not understand even the basics of TCP and ports and protocols, then it's going to be a bit of a learning curve... But sure, we could work through it if it makes sense for you to do such a thing.  Keep in mind that many of these consumer devices and their discovery methods don't play well when not on the same network.. So you could break some stuff.

Thanks Budman, great advice for the guest network.

I do not have any ports forwarded in this setup. On my old setup I did have 2 ports open so I could RDP into my desktops; I did change the ports on the router & devices, but realize that's not much help when it comes to security. I read somewhere that RDP was a common attack vector for ransomware, so I have not set that up since changing over the network.

My current devices:

I have 2 Nest cams (Wi-Fi), 2 laptops (Wi-Fi), 2 wired desktops, a Synology NAS, a handful of iPads/phones and a Sonos music system.

Eventually I would like to set up a Plex server but it will not be accessed outside the house.

We don't have any Google or Amazon devices and don't see adding any in the future.

Thanks again for taking the time to offer your thoughts.

I would isolate those cams ;)

So your Sonos system is one of the problem children for isolation..  If you start isolating your segments, you're more than likely going to run into problems with what can access that, etc., when it's not on the same network.

As to RDP - yeah, I would never in a million years open that up to the public net at large.  If you knew your source IP, say you were RDPing from work, then you could lock it down via source IP so only the work IP could access your port forward for RDP..  But if you need remote access, just set up a VPN server on your USG... It's nowhere near as easy as with, say, pfSense.. But I do recall some info on how to do it on the UniFi forums.. Saw it when I was playing with my USG for the couple of weeks I had to run it.. No offense, but it's behind in features and ease of use compared to something like pfSense.  But I was impressed with how, for like $100, it could handle my 500/50 connection without any issues.. As long as you didn't turn off hardware offload ;)  Then it just blew chunks...

If you want some help in setting up VPN on the USG, let me know. I have been looking for an excuse to fire it back up and update its firmware to current... I would like to get the thing off my shelf and get a few bucks so I could put that money towards new toy(s)..
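The policy Budman describes across his two replies (isolated segments may not start connections into the trusted network, guests get the printer and Plex on 32400 but not file shares, and the Plex and RDP port forwards are limited to listed source IPs) can be checked for ordering mistakes before it is typed into a controller. The model below is an added example, not Budman's configuration and not Ubiquiti's rule syntax; the segment addressing, host addresses and allowlist IPs are constructed values. It reproduces the evaluation order a stateful firewall uses: first matching rule wins, unmatched traffic is dropped, and replies are only accepted for flows the initiator was allowed to open.

```python
"""Model of the segmented home-network firewall policy discussed in this thread.

Added example (not the poster's configuration, not UniFi syntax). Networks,
hosts and allowlist addresses are constructed values. The model evaluates an
ordered rule list the way a stateful firewall does: first match wins, unmatched
new connections are dropped, replies are allowed only for accepted flows.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed segments (assumed addressing)
TRUSTED = ip_network("10.0.10.0/24")   # PCs, laptops, NAS, printer, Plex
IOT = ip_network("10.0.20.0/24")       # cams, Sonos, thermostat
GUEST = ip_network("10.0.30.0/24")     # visitors' phones and laptops
ANY = ip_network("0.0.0.0/0")

PRINTER = ip_network("10.0.10.20/32")  # constructed host addresses
PLEX = ip_network("10.0.10.30/32")
DESKTOP = ip_network("10.0.10.40/32")

# Constructed source allowlists for the two port forwards
PLEX_FRIENDS = frozenset(map(ip_address, ["203.0.113.10", "198.51.100.7"]))
RDP_WORK = frozenset([ip_address("203.0.113.50")])


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "drop"
    src: IPv4Network                            # source segment
    dsts: Tuple[IPv4Network, ...]               # destination segments or /32 hosts
    dport: Optional[int] = None                 # None means any port
    srcs: FrozenSet[IPv4Address] = frozenset()  # optional explicit source allowlist

    def matches(self, s: IPv4Address, d: IPv4Address, p: int) -> bool:
        if self.srcs and s not in self.srcs:
            return False
        return (s in self.src and any(d in n for n in self.dsts)
                and (self.dport is None or self.dport == p))


# First matching rule wins; anything unmatched is dropped (default deny).
RULES = [
    # Guests: printer and Plex only, nothing else on the trusted or IoT segments
    Rule("allow", GUEST, (PRINTER,), 9100),
    Rule("allow", GUEST, (PLEX,), 32400),
    Rule("drop", GUEST, (TRUSTED, IOT)),
    # IoT may not start connections into the trusted or guest segments
    Rule("drop", IOT, (TRUSTED, GUEST)),
    # Every segment may reach the internet; trusted may also reach IoT
    Rule("allow", TRUSTED, (ANY,)),
    Rule("allow", IOT, (ANY,)),
    Rule("allow", GUEST, (ANY,)),
    # Port forwards from the internet, restricted to listed source IPs
    Rule("allow", ANY, (PLEX,), 32400, PLEX_FRIENDS),
    Rule("allow", ANY, (DESKTOP,), 3389, RDP_WORK),
]


class Firewall:
    """Stateful first-match evaluator over an ordered rule list."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (src, dst, dport) of accepted connections

    def new_connection(self, src: str, dst: str, dport: int) -> bool:
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.matches(s, d, dport):
                if rule.action == "allow":
                    self.flows.add((s, d, dport))
                return rule.action == "allow"
        return False  # default deny

    def reply_allowed(self, from_ip: str, to_ip: str, dport: int) -> bool:
        """A reply is allowed only if the original direction was accepted."""
        return (ip_address(to_ip), ip_address(from_ip), dport) in self.flows


def build_firewall() -> Firewall:
    return Firewall(RULES)


if __name__ == "__main__":
    fw = build_firewall()
    checks = [
        ("cam -> desktop SMB", fw.new_connection("10.0.20.5", "10.0.10.40", 445), False),
        ("desktop -> cam RTSP", fw.new_connection("10.0.10.40", "10.0.20.5", 554), True),
        ("cam reply to desktop", fw.reply_allowed("10.0.20.5", "10.0.10.40", 554), True),
        ("guest -> printer", fw.new_connection("10.0.30.9", "10.0.10.20", 9100), True),
        ("guest -> Plex", fw.new_connection("10.0.30.9", "10.0.10.30", 32400), True),
        ("guest -> desktop SMB", fw.new_connection("10.0.30.9", "10.0.10.40", 445), False),
        ("friend -> Plex forward", fw.new_connection("203.0.113.10", "10.0.10.30", 32400), True),
        ("unknown -> Plex forward", fw.new_connection("192.0.2.99", "10.0.10.30", 32400), False),
        ("unknown -> RDP forward", fw.new_connection("192.0.2.99", "10.0.10.40", 3389), False),
    ]
    for name, got, want in checks:
        print(f"{'ok ' if got == want else 'BAD'} {name}: {got}")
```

The order matters: the two guest allows sit above the guest drop, and the drops for guest and IoT sit above the broad "to anywhere" allows, otherwise the broad allow would match first and the isolation would silently not apply. The reply check is what lets a trusted PC open a stream to an isolated cam while the cam still cannot initiate anything back.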

I appreciate the offer for the VPN help, but I don't really need the remote access; it was just nice to have if I forgot something at home while I was on the road traveling for work.

I will set up a VLAN and isolate the cams.  If I run into any issues I will let you know.
