New home network sanity check

**Marty_B** · 08-31-2018, 01:46 PM

Pardon my ignorance but what does the ubiquity switch and cloud key get you? This seems like overkill for a home network. (but I do love overkill

)

**sky-knight** · 08-31-2018, 02:19 PM

Braindead VLANs and good port monitoring to start. Sometimes people want to see what's wrong instead of having to put in time to figure it out.

Doing this is like going SSD on your laptop/desktop, once you do it, you'll never go back.

**jcoehoorn** · 08-31-2018, 02:19 PM

The cloud key means you don't need to install software to run full time on a computer somewhere to manage your ubiquiti devices (or pay for the cloud service). The switch gives you the correct fancy 24v PoE (16port models and above) and makes it much easier (or even possible at all vs an unmanaged switch) to handle vlans.

**Marty_B** · 08-31-2018, 06:56 PM

Cool. Thanks for the information. I need to school myself up on virtual lans.

**bluechris** · 08-31-2018, 11:06 PM

Originally Posted by Loudog2

Are you double nat’ing with the untangle and USG configured like that?

Oh yeah only for the wifi clients which are only the employees wifi phones. All company pc's and servers are normal untangle clients.
I decided to do my thing and give to all my coworkers internet and this was a perfect solution. Maybe if we upgrade our work licence to more than 25 users i will stop to use unifi as router but so far i haven't experienced a singe problem and its difficult to explain to my boss why we need the upgrade lol.

**sky-knight** · 09-01-2018, 12:44 AM

Originally Posted by bluechris

Oh yeah only for the wifi clients which are only the employees wifi phones. All company pc's and servers are normal untangle clients.
I decided to do my thing and give to all my coworkers internet and this was a perfect solution. Maybe if we upgrade our work licence to more than 25 users i will stop to use unifi as router but so far i haven't experienced a singe problem and its difficult to explain to my boss why we need the upgrade lol.

If you're going to stack up the Untangle as a router behind the USG, why not untick the NAT box on external? No more double NAT... all you have to do is make sure the USG has a route for any network beyond the Untangle, pointed at the nearest Untangle IP address.

**bluechris** · 09-01-2018, 01:18 AM

Originally Posted by sky-knight

If you're going to stack up the Untangle as a router behind the USG, why not untick the NAT box on external? No more double NAT... all you have to do is make sure the USG has a route for any network beyond the Untangle, pointed at the nearest Untangle IP address.

But untangle does the routing to all pc's and everything , i dont want usg to do that and i dont trust it.
Also with this way the client that connects to untangle that carries all the mobiles which is the usg in bandwidth control got a low priority and thats it, i dont want the mobiles to melt the company internet.

**sky-knight** · 09-01-2018, 10:23 AM

Originally Posted by bluechris

But untangle does the routing to all pc's and everything , i dont want usg to do that and i dont trust it.
Also with this way the client that connects to untangle that carries all the mobiles which is the usg in bandwidth control got a low priority and thats it, i dont want the mobiles to melt the company internet.

I didn't say make Untangle a bridge, I said to turn off NAT. Port forwards would be on the USG entirely, Untangle is routing everything and filtering it. There is no reason to not "trust" the USG, it works well within its sphere. But you take a performance hit, and a headache hit when adding a layer of NAT you don't need.

If you want more ACLs, that's what the firewall module is for.

**bluechris** · 09-01-2018, 11:58 AM

Originally Posted by sky-knight

I didn't say make Untangle a bridge, I said to turn off NAT. Port forwards would be on the USG entirely, Untangle is routing everything and filtering it. There is no reason to not "trust" the USG, it works well within its sphere. But you take a performance hit, and a headache hit when adding a layer of NAT you don't need.

If you want more ACLs, that's what the firewall module is for.

Got you thx, even though i dont want to mess at all with usg in port forwards or anything.

**TheDude** · 11-29-2018, 10:22 PM

This was my approach, hope I got it right...

For my password protected wifi the clients are routed to my main network as I do not share that password. However, I added a second wifi network on my unifi ap as a open guest network and did the following...

I added a vlan tagged interface with a different subnet on untangle like this. (and created a policy for that vlan, rules, captive portal, etc...)
Annotation 2018-11-29 225148.jpg

Then configured my unifi ap-pro to route/tag all traffic through to the new untangle vlan interface... Like here.
Annotation 2018-11-29 224813.jpg

While there is no physical separation, I believe this should work the same? I hope I got it right. Please advise if my logic is off here!

As for my iot devices I am still struggling on the proper approach. What do you do with devices you want local access to but do not trust? The best I could come up with is completely isolate the extremely un-trusted (DVR camera system etc.) and restrict other mildly trusted devices that I need local access to and only allow those the required ports in/out.

Thread: New home network sanity check

LinkBack

Thread Tools

Posting Permissions