LAN2 restrictions on Unifi USG 3P for POE Reolink doorbell

Hi All.
Currently I have an old Ubiquiti USG-3P that has all my network going through the 1st LAN, which has suited me up to this point, however I’m about to install a POE Reolink Doorbell, and it makes me a little queasy knowing that an externally mounted device could have full access to my network via a convenient ethernet plug.
Does anyone have experience on how to set up some firewalls to allow the Reolink on LAN2 to talk to the Home Assistant on LAN1? I know it would be better to move the Home Assistant and everything else to LAN2, but I’m not ready for that. So for the moment LAN2 would be for all my cameras.

LAN2 on USG-3P doesn’t work as a LAN connection, only as a WAN connection. Documented issue, see Unifi Community. So the recommendation is to set up a separate IoT network and a VLAN for it. You could do the same for the camera network too.


That’s confusing, I’m not seeing this as an issue in the community, there are lots of people saying they are doing this.


Why would you need a second LAN port when you can just set up VLAN(s) through the controller? That way, you just create firewall rules between the two VLANs (your main one and the new one you create) to allow/block traffic and put the camera(s) into the newly created VLAN and you’re done.

There are LOTS of guides (especially on the Unifi communities) regarding setting up a separate, isolated IoT VLAN.

Will look into it.


If the USG supports it, you could enable MAC address whitelisting on that interface too.

Here is an example of what I wrote:

https://community.ui.com/questions/USG-3P-LAN2-not-working/01cb45ef-48e9-49e2-9268-6a69d31d95ad

Thanks for that, so I cannot make a new VLAN without a managed switch?

In the controller, you can create VLANs. But to use them, you need to have a switch that understands VLAN tagging. What kind of switch are you using behind your USG? If it’s not managed, you could pick up a simple managed switch for pretty cheap and set up VLAN tagging on it.

I assume this is what I’m going to have to set up. Sorry, I’m not particularly savvy with this sort of stuff, I stumble around till the solution works.


Oh, that’s perfect. The Flex Mini can already do VLAN tagging. So, essentially you create the new VLAN in the controller and you tag one of the ports in the Flex to only expose that VLAN. Then, you plug your unmanaged POE switch into that port. Then your cameras will all be on that new VLAN. Set up your firewall rules to only allow certain traffic between your main VLAN and your IoT VLAN and you’re set.

Edit: You actually don’t need that unmanaged switch to HA unless you are going to hardwire other devices to your main VLAN. If you’re good with just 4 ports off the Flex Mini, you’re already good to go.
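As an added illustration (not code from this thread, from Ubiquiti, or from Reolink), here is a small Python model of the inter-VLAN policy the post above describes: the camera VLAN may reach Home Assistant on its API port and nothing else on the private networks, while the main VLAN may open connections to the cameras and replies flow back as established traffic. The subnets, the Home Assistant address and port 8123, and the sample flows are all constructed assumptions; the rules are evaluated first-match from the top, which is how the USG's "LAN In" ruleset behaves, so the example also shows what goes wrong when the drop rule is placed above the allow rule.

```python
# Added example: first-match evaluation of an inter-VLAN firewall policy.
# All addresses, ports and flows below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAIN_VLAN = ipaddress.ip_network("192.168.1.0/24")      # assumed main network
CAMERA_VLAN = ipaddress.ip_network("192.168.20.0/24")   # assumed camera/IoT VLAN
HOME_ASSISTANT = ipaddress.ip_address("192.168.1.10")   # assumed HA host
HA_PORT = 8123                                          # Home Assistant default API port
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    established: bool = False   # True for packets of a connection already allowed


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "accept" or "drop"
    match: Callable[[Flow], bool]


def _ip(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def build_rules() -> List[Rule]:
    """Ordered ruleset: established first, then the one allowed service, then the block."""
    return [
        Rule("allow established/related", "accept",
             lambda f: f.established),
        Rule("camera -> Home Assistant API", "accept",
             lambda f: _ip(f.src) in CAMERA_VLAN and _ip(f.dst) == HOME_ASSISTANT
             and f.proto == "tcp" and f.dport == HA_PORT),
        Rule("camera -> any private network", "drop",
             lambda f: _ip(f.src) in CAMERA_VLAN and _in_any(_ip(f.dst), RFC1918)),
    ]


def misordered_rules() -> List[Rule]:
    """Same rules with the block placed above the allow: a common mistake."""
    ok = build_rules()
    return [ok[0], ok[2], ok[1]]


def evaluate(flow: Flow, rules: Optional[List[Rule]] = None,
             default: str = "accept") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules if rules is not None else build_rules():
        if rule.match(flow):
            return rule.action, rule.name
    return default, "default"


# Constructed sample flows covering each case the thread cares about.
SAMPLE_FLOWS = {
    "doorbell pushes event to HA": Flow("192.168.20.5", "192.168.1.10", "tcp", 8123),
    "doorbell probes a PC on main VLAN": Flow("192.168.20.5", "192.168.1.20", "tcp", 445),
    "HA opens RTSP stream to camera": Flow("192.168.1.10", "192.168.20.5", "tcp", 554),
    "camera replies on that stream": Flow("192.168.20.5", "192.168.1.10", "tcp", 51000,
                                          established=True),
    "camera talks to the internet": Flow("192.168.20.5", "8.8.8.8", "udp", 53),
}


def summarize(rules: Optional[List[Rule]] = None) -> dict:
    """Map each sample flow to the action the ruleset takes on it."""
    return {label: evaluate(flow, rules)[0] for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, action in summarize().items():
        print(f"{action:6}  {label}")
    print("misordered:", summarize(misordered_rules())["doorbell pushes event to HA"])
```

Note that the last rule only blocks the camera VLAN from reaching private address space; whether the cameras may reach the internet at all is a separate decision (Reolink cloud features versus a fully air-gapped VLAN) and is left at the default here. In the controller the equivalent rules go under the LAN In direction, and the established/related rule must sit above the block or Home Assistant's own RTSP sessions will break.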

I just need to work out how to make the firewall rules, Thanks @lordwizzard and @code-in-progress


Poke around the Unifi forums. Lots of people have done guides for IoT VLANs including all the firewall rules needed. It’s actually pretty simple to do.

I have a number of APs, computers and TVs connected to the network. There are a couple of wifi smart plugs, but for the most part I run Zigbee. I was worried if I tried to be too clever I would get into a hole. The only reason for this is I noticed it’s easy to get access to the ethernet connector on the POE doorbell.


Ahhhhh, gotcha. Yeah, I actually decided on the WiFi Reolink Doorbell for that very reason. All my other cameras are POE, but I have their connections secure. The doorbell was the only one that I couldn’t think of how to secure it (and I didn’t want to run the ethernet for it).
