In this guide I show you how to create secure VLANs on a Ubiquiti Unifi Dream Machine Pro. Virtual Local Area Networks (VLANs) allow you to 'virtually' break your network down into different areas. They can be used for many reasons and have lots of benefits, but VLANs are mostly used to keep networks secure by separating trusted and untrusted network traffic, clients and users. Unifi VLANs are not automatically secure: once they are created, firewall rules must be applied to secure them.

In this example we will be creating a couple of VLANs, one to be used as a Guest network and one to be used as an IoT network. As well as separating the guests from the main native LAN (Local Area Network) for security reasons, we are also going to stop them accessing the router interface. Although the scenario in this example is simple, it can easily be scaled to create a more complex multi-VLAN network.

It should be noted that if you are looking for just a simple Guest VLAN you do not need to follow this guide: you can simply select 'Guest Network' during the Network set-up and the firewall rules will be created automatically.

VLANs are a great way to secure a network, however it is worth bearing in mind that secure VLANs are restrictive. Careful thought should be put into how they will operate before implementation. Certain devices may need specific rules created to allow them to function correctly if you intend to use them across VLANs (for example a network printer).

1. Create your Networks

Open the UDM Pro interface and select the Network Application, then go to Settings -> Networks -> Create New Network.

Name: IoT
Add Network

The rest can be left as default, but it is worth noting the IP range of each network for the firewall rules. For guest networks with predefined rules, select Manual -> Guest Network. There is also an option to add content filtering to the Guest Network should you wish.

2. Allow established and related

Select Settings -> Security -> Internet Threat Management -> Firewall -> Create New Rule. This is where we set up our firewall rules. Fill in the options as below:

Type: LAN In
Description: Allow established/related
Action: Accept
Protocol: All
Source and Destination: leave as is
Advanced: select Match State Related and Match State Established
Apply Changes

3. Drop Invalid State

Create a new rule:

Type: LAN In
Description: Drop new/invalid
Action: Drop
Protocol: All
Source and Destination: leave as is
Advanced: select Match State New and Match State Invalid
Apply Changes

4. Create an RFC1918 group

For this next part we need to create a group so that we can apply the next firewall rule to the right address ranges. To create a new group, scroll down to the Groups section of the Firewall tab and select 'Create New Group'. The first group to create is RFC1918.

Name: RFC1918
Type: IPv4 Address/Subnet
Address: 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 (press the +Add button for each new line)
Apply Changes

5. Allow LAN to all VLANs

Create a new firewall rule:

Type: LAN In
Description: Allow default to all VLANs
Action: Accept
Protocol: All
Source:
    Source Type: Network
    Network: LAN
    Network Type: IPv4 Subnet
Destination:
    Destination Type: Port/IP Group
    IPv4 Address Group: RFC1918
    Port Group: Any
Apply Changes

6. Block Inter-VLAN Routing

Create a new firewall rule:

Type: LAN In
Description: Block Inter-VLAN routing
Action: Drop
Source:
    Source Type: Port/IP Group
    IPv4 Address Group: RFC1918
Destination:
    Destination Type: Port/IP Group
    IPv4 Address Group: RFC1918
Apply Changes

7. Block VLAN to Gateways

There are two stages to this part, and it will need to be done for each VLAN added.

a. Create a Block VLAN to Gateways group

Create New Port/IP Group:

Profile Name: Block IoT to Gateways
Type: IPv4 Address/Subnet
Address: 192.168.1.1 and 192.168.2.1 (the IP addresses of the gateways on each subnet, not including IoT)
Apply Changes

b. Use the new group to block VLAN to Gateway

Create New Firewall Rule:

Type: LAN Local
Description: Block IoT to gateways (or whichever VLAN it is)
Action: Drop
Source:
    Source Type: Network
    Network: IoT
Destination:
    Destination Type: Port/IP Group
    IPv4 Group: Block IoT to Gateways
Apply Changes

8. Block VLAN to Gateway Interface

a. Create Port/IP Group for Gateway

Create Port/IP Group:

Profile Name: IoT Gateway (or whichever gateway it is)
Type: IPv4 Address/Subnet
Address: 192.168.3.1 (or whatever the gateway IP is)
Apply Changes

b. Create an http, https and SSH Port/IP group

Create Port/IP Group:

Profile Name: http, https and SSH
Type: Port Group
Ports: 80, 443 and 22
Apply Changes

c. Create Block VLAN to Gateway Interface rule

Create new firewall rule:

Type: LAN Local
Description: Block IoT to Gateway Interface
Action: Block
Source:
    Source Type: Network
    Network: IoT
Destination:
    Destination Type: IP/Port Group
    IPv4 Address Group: IoT Gateway
    Port Group: http, https and SSH
Apply Changes

Conclusion

So in those few simple steps you have now created and secured your VLANs. For more complex scenarios, just repeat the steps to add more VLANs with the same rules.
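Because Unifi evaluates each ruleset top to bottom and stops at the first match, the order of the rules above decides what actually gets through. The following is an added example, not part of this guide or any Ubiquiti tooling: a small first-match simulator of the rule set built in steps 2 to 8, using constructed addressing (LAN 192.168.1.0/24, Guest 192.168.2.0/24, IoT 192.168.3.0/24). It models LAN In as the ruleset for traffic routed between networks and LAN Local as the ruleset for traffic addressed to the gateway's own IPs; the drop-invalid rule is modelled as matching the Invalid state only, an assumption made so that new flows reach the later allow rule.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed sample addressing for the networks in the guide.
NETS = {"LAN": ip_network("192.168.1.0/24"), "IoT": ip_network("192.168.3.0/24")}
GROUPS = {  # the Port/IP groups from steps 4, 7a and 8a
    "RFC1918": [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")],
    "Block IoT to Gateways": [ip_network("192.168.1.1/32"), ip_network("192.168.2.1/32")],
    "IoT Gateway": [ip_network("192.168.3.1/32")],
}
PORT_GROUPS = {"http, https and SSH": {80, 443, 22}}      # step 8b
GATEWAYS = {ip_address(g) for g in ("192.168.1.1", "192.168.2.1", "192.168.3.1")}

@dataclass
class Rule:
    name: str
    action: str                                 # "Accept" or "Drop"
    states: set = field(default_factory=set)    # empty = any connection state
    src: list = field(default_factory=list)     # list of networks; empty = any
    dst: list = field(default_factory=list)
    dports: set = field(default_factory=set)    # empty = any destination port

def in_any(addr, nets):
    return not nets or any(addr in n for n in nets)

def matches(rule, src, dst, dport, state):
    return ((not rule.states or state in rule.states)
            and in_any(src, rule.src) and in_any(dst, rule.dst)
            and (not rule.dports or dport in rule.dports))

# LAN In: traffic routed between networks (steps 2, 3, 5, 6), evaluated top to bottom.
LAN_IN = [
    Rule("Allow established/related", "Accept", {"Established", "Related"}),
    Rule("Drop invalid", "Drop", {"Invalid"}),  # assumption: Invalid only, see lead-in
    Rule("Allow default to all VLANs", "Accept", src=[NETS["LAN"]], dst=GROUPS["RFC1918"]),
    Rule("Block Inter-VLAN routing", "Drop", src=GROUPS["RFC1918"], dst=GROUPS["RFC1918"]),
]
# LAN Local: traffic addressed to one of the gateway's own IPs (steps 7b and 8c).
LAN_LOCAL = [
    Rule("Block IoT to gateways", "Drop", src=[NETS["IoT"]], dst=GROUPS["Block IoT to Gateways"]),
    Rule("Block IoT to Gateway Interface", "Drop", src=[NETS["IoT"]],
         dst=GROUPS["IoT Gateway"], dports=PORT_GROUPS["http, https and SSH"]),
]
def evaluate(src, dst, dport=0, state="New"):
    """First match wins; anything no rule matches falls through to the default Accept."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in (LAN_LOCAL if dst in GATEWAYS else LAN_IN):
        if matches(rule, src, dst, dport, state):
            return rule.action, rule.name
    return "Accept", "default"
```

Running a Guest client against the IoT gateway shows the point made in step 7: the LAN Local rules only cover the IoT network until they are repeated for each additional VLAN.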
I hope this quick guide has been useful. Please feel free to ask any questions in the comments below. If you are based in the UK and are looking for Network Services, please Contact Us to find out more.
Huw Jones
Owner of Home Network Solutions Berkshire
May 2024