Episode: 3852
Title: HPR3852: UDM Ubiquiti Setup for 2023
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3852/hpr3852.mp3
Transcribed: 2025-10-25 06:40:21

---

This is Hacker Public Radio Episode 3852 for Tuesday the 9th of May 2023. Today's show is entitled "UDM Ubiquiti Setup for 2023". It is hosted by Operator and is about 11 minutes long. It carries a clean flag. The summary is: I talk briefly about my UDM router setup for 2023.

Hello everyone and welcome to another episode of Hacker Public Radio with your host Operator. I'm going to be talking about UDM. I got a clicky-keys keyboard here again, so I'm going to try not to type a whole lot, but anyways, UDM is a router, kind of a retail provider for networking gear, so end-user type of thing. So I used to use OpenMesh before that; before that it was Linksys and Netgear routers. Next time around I got UniFi gear. I would like a 16-port UniFi router with Wi-Fi, but that's not such a thing; it's like multifunction printers, right?
You can get these routers and they do kind of everything okay, but at the end of the day they're not a router, they're not a switch, they're not a wireless access point, they're not this; they're all kind of lacking in some space. But at the end of the day you've got to keep up and do something, so I have the, it's called a UDM UniFi, whatever, little sphere. It's a four-port router and wireless access point, kind of all in one, and then it gives you like a UI with the interface and ability to block stuff. I've been using it for a while; my wife actually ran over it when we got it, not over it, but ran into it because it was at the top of the driveway.

So anyways, what I'm going to do is talk about kind of the setup, and some things you probably don't know about and/or haven't configured with your own home router, really any kind of home-brew, anything you can get a shell on; we can kind of go through some of that stuff. I recently had to completely redo the networking. I had everything locked down by port and everything segmented off on its own segment, and now everything is more or less segmented, but the firewall rules are not there anymore. So I'm going to do the opposite and only kind of block risky ports that I know are used for lateral movement, instead of trying to track every single application within my network, right? So there's some gaps there, but the idea is, instead of having to figure out what ports need to be open for what services on which computers and blocking those to and from, it's just block whatever ports I know that are used for lateral movement or potentially a list of stuff, and then allow them on a per-computer basis to and from where they need to go. So that's kind of the segmentation piece of it.

And the other piece I had to add is basically Pi-hole, and there's a script on my GitHub and I'll put links in the show notes, so let me go ahead and make some show notes.
There's kind of a Pi-hole script that makes your UniFi router a Pi-hole. You can easily add and remove stuff to it based on his work, so there's a whitelist and a blacklist you can manage, and then you decide what URL you want to use for the blocking portion of it. The other cool part is that they added a, made it easier to do the blocking on specific websites, so I have all the domains for Pinterest in this traffic management piece. So the new UI is a little different, but all in all you can go in and easily, more easily block one-off websites. So if your child, for example, is being obnoxious on YouTube or whatever, so you know what, you're in the morning, and then after that you can tell them, hey, we block YouTube until you can figure it out. So per device, per domain, things like that.

And what else will I say about it, about the new setup? I got it pretty straightforward and don't have it segmented out as much as I used to, but I like it. There's a bunch of other bells and whistles you can enable, like firewall security type stuff, so it'll go and pull down, um, stateful inspection, what they call direct categories, and you can, um, system sensitivity, dark web blocker, and malicious website blocker. Um, those are all parts of, like, the threat management piece, and it significantly lowers the speed of the inbound data. So you can still stream, but it's going to be, I think you can probably do 4K on this. This UDM I have, that's probably three or four years old now; they probably have faster ones now that can handle 4K pretty well, but when I bought this thing, it was a little sluggish, um, for downloading, using that big, big chunk files and stuff like that.

Other than that, pretty straightforward, pretty short episode. I will say it's good for, like, easily identifying, the UI is good for easily identifying what's eating your traffic, what's not eating your traffic, um, assigning static. So the way I set it up is that now, instead of hitting IP addresses, I've gone with static DHCP. There's static IPs, which is kind of what I don't want to do, and then there's, um, static DHCP, which a fair amount of people do, and maybe in a high-security environment you'd want static IP for your device; you set that on the actual device, and then you maybe even configure certificate-based, certificate-based networking, but that's just not something, um, I want to dig into. So this time around, since I restarted the router, instead of having a bunch of IP addresses and managing the IP space, I can change my IP space around and still have the host names the same. So when you go into settings, you can say what is called fixed IP, and local DNS record. Those are two things you kind of want to set on anything you want to get into. So my receiver has got a static IP of 102, and I call it on yoko.localdomain, so I can hit that locally without having to know the IP address or whatever. The same for my cameras and all that stuff; that's a pretty good way to kind of manage all that.

Um, I will say this stuff kind of reappears and disappears, so, um, my cameras say that they're like offline, or, you know, not there, but then it says now, so they're like grayed out, and it says wired, but it doesn't say they're transferring any packets or anything. And from what I found out is that if you have a switch or router, or a switch plugged into the, the Netgear, or the real link, or, sorry, the UDM switch, it won't pick up that traffic and graph it, so you're only going to pick up whatever is plugged into the router itself.
Now, I'll say that, except for, that doesn't work because, you know, we've got, um, the Plex server itself is not directly plugged into the router, so I don't understand why some of my traffic I can see, and some of my devices show up. Like, the receiver should actually be not there, whether should not be there, and the Plex server. So there's three devices on here that are on here, on the network, and they're live, but other devices on that same switch, or on the same network, aren't, don't show up. So it's a little weird how they track the traffic stuff, so you've got to be a little wary of the dashboards and stuff when you're trying to troubleshoot the connectivity.

Um, that's pretty much all I'll say. Um, you know, you don't want to have the online stuff for the UDM; you want to have local. So once you set up the router, they're going to tell you, hey, you know, log into the website and set up an account so you can remotely access your router, and, um, UDM, or UniFi specifically, has had some security issues in the past, and then there, you know, the folks would say, oh, well, this doesn't affect people that have local, you know, that aren't logging into their router through the internet, which always makes me nervous, right? So definitely try to keep the authentication local, and they will try to, you know, get you to log in to the website and have remote access enabled. Um, you don't necessarily want to do that unless you manage a bunch of routers or something; I don't even know why you would want to do that. But anyways, pretty standard stuff other than that, um, pretty flat network outside of the couple of segments I have for, for some stuff. Other tips, the Pi-hole thing I'll say, uh, whitelisting within that script, I've been able to do, but other than that, everything's been hunky-dory, as far as I can tell.
Google, hope this helps somebody, and if anybody has any thoughts or guidance on how to easily identify your network ports or your services that you use internally, and make that like a firewall rule that you can easily apply to a UDM appliance or anything, that would be cool. But you know, that's called kind of profiling, or profiling your network and then taking that profile and looking for anomalies or whatever, or applying firewall rules based on that profile. But if anybody has anything around that space, I would be interested in figuring that out, because I do not want to remap my internal network again, because that was just a server alone itself for Plex and Kodi is like 16 ports or something ridiculous. Um, the receiver's the most, the noisiest thing on the network, um, believe it or not, and it's, it's quite a mess trying to figure out what ports are needed, what ports aren't needed; there's broadcast protocols for streaming media and all kinds of crazy stuff that you have to account for when you're trying to set and secure things.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
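The segmentation approach the host describes, deny a short list of ports known to be used for lateral movement between LAN hosts and then allow them only for the specific machine pairs that need them, can be modelled in a few lines. The following is an added example written for this transcript; it is not the host's script, not his UDM configuration, and not the UDM's rule syntax. The LAN range, host addresses, the particular port list and the sample flows are all constructed for the example.

```python
"""Model of the "block lateral-movement ports by default, allow per host" policy.

Added illustration, not the episode's own code or the UDM rule format.
The LAN, addresses, port list and flows below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: ports the policy treats as lateral-movement ports. The episode
# does not list specific numbers; these are well-known admin/file-sharing
# service ports (SSH, RPC, NetBIOS, SMB, RDP, WinRM) chosen for the example.
LATERAL_MOVEMENT_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}

# Constructed example LAN; the policy only governs east-west (LAN-to-LAN) flows.
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as seen at the router."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Allow:
    """Per-host exception: src network/host may reach dst network/host on dport."""
    src: str
    dst: str
    dport: int
    note: str = ""


def _matches(rule: Allow, flow: Flow) -> bool:
    # ip_network() on a bare host address yields a /32, so rules can name
    # either a single host or a CIDR block.
    return (ip_address(flow.src) in ip_network(rule.src, strict=False)
            and ip_address(flow.dst) in ip_network(rule.dst, strict=False)
            and rule.dport == flow.dport)


def evaluate(flow: Flow, allows: list) -> str:
    """Return 'allow' or 'deny' for a single flow under the policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN or dst not in LAN:
        return "allow"          # north-south traffic is outside this policy
    if flow.dport not in LATERAL_MOVEMENT_PORTS:
        return "allow"          # ordinary service ports are not tracked
    if any(_matches(rule, flow) for rule in allows):
        return "allow"          # explicitly permitted host pair
    return "deny"               # lateral-movement port with no exception


def denied_flows(flows: list, allows: list) -> list:
    """Flows the policy would block; the list a defender would want to review."""
    return [f for f in flows if evaluate(f, allows) == "deny"]


# Constructed exception list: only the admin laptop may SSH to the media server.
ALLOWS = [
    Allow("192.168.1.10", "192.168.1.20", 22, "admin laptop -> media server SSH"),
]

# Constructed sample flows as a router might log them.
FLOWS = [
    Flow("192.168.1.10", "192.168.1.20", 22),     # admin -> server SSH: allowed by rule
    Flow("192.168.1.50", "192.168.1.20", 22),     # camera -> server SSH: denied
    Flow("192.168.1.50", "192.168.1.10", 445),    # camera -> laptop SMB: denied
    Flow("192.168.1.30", "192.168.1.20", 32400),  # TV -> server streaming port: allowed
    Flow("192.168.1.10", "203.0.113.5", 22),      # laptop -> internet SSH: out of scope
]

if __name__ == "__main__":
    for flow, decision in ((f, evaluate(f, ALLOWS)) for f in FLOWS):
        print(f"{flow.src:>14} -> {flow.dst:<14} :{flow.dport:<6} {decision}")
```

The point of the model is the ordering of the checks: anything that is not LAN-to-LAN or not on the short port list falls through untouched, so the host does not have to catalogue every port a receiver or media server uses; only the handful of admin and file-sharing ports need explicit host-pair exceptions.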