I have been using my UDMB to run my home/office network now for a while now, and over the last few months, I have expanded its functionality.
When I first purchased it, I created four Vlans, these have now expanded to eight, and I have stopped using the built-in content filtering, as I have been testing other products for this.
I use my UDMB as a testbed for my small business clients, basically setting things up here in a way that allows me to test firewall rules, etc before rolling it out to my clients.
My Vlans are set up as follows
- Management 10.1.1.0/24
- Home 10.10.1.0/24
- Guest 10.20.1.0/24
- Office 10.30.1.0/24
- IOT 10.40.1.0/24
- Servers 10.50.1.0/24
- VPN Network 10.60.1.0/28 – UDM’s LT2P VPN
- Cameras 10.60.1.0/24 – (will be used on clients that will have protect running, UDM Pro, NVR, etc)
On each network, DHCP is provided by the UDMB, but the DNS name server is the IP address of my Raspberry Pi, each network has a domain name ending .home.arpa
I have added firewall rules to block all the VLANs gateway IPs and SSH access from all Vlans except The management, office, and Home network, and have also blocked ICMP to these too, this works really well and stops users on these accessing the web interface of the UDM or pinging its address when connected.
Threat management is running in IPS mode (detect and block) with the system sensitivity set to level 5, and this appears to be working well.
I have blocked DNS requests to any DNS server other than that of my Pi-Hole, this prevents users from adding their chosen DNS provider to circumvent the content restrictions, I have also added a list of IP addresses for the most common DOH providers to the UDMB’s internet out firewall list so that I can test blocking of browser-based DOH changes.
On My raspberry Pi I have installed pi-hole, this works brilliantly and provides content filtering for my network, and this has been configured as a recursive DNS using unbound, I have found that the content filtering options built into the UDM, whilst good, lacked the facility to block adverts, which just annoy the hell out of me.
I have installed PiVPN on my Raspberry Pi, which provides a really simple way of creating a Wireguard VPN, which is great.
I run my UDM with the latest available beta software I wanted to make sure that these betas would not be affected by any additional software being installed on the unit, No beta software is used for client installs, I only test on mine so I know what’s coming for client devices.
All in all, I love the UDMB, it is great, for me and the small businesses that I support it’s brilliant, it’s easy to set up and configure, and works very well.
Things I would love to be added/amended into the system
- Built-in Wireguard VPN, with QR code management, would be fantastic and would negate the need for a third-party alternative
- Real-time firewall log, OPNsense has this, and it’s really helpful to see what’s happening in real-time
- Separate statistics for wan and inter-VLAN traffic would be brilliant
- Add the assigned network name devices are connected to, in the same way, that the wireless network name has been added to the topology map, this would allow a way to see the logical layout of your network which could be great for troubleshooting ETC
The cloud restore facility worked flawlessly when I needed it to, which was a godsend big thumbs up from me on that 👍 as that really saved my bacon.
I’ve had no issues with the DDNS feature using afraid, which is brilliant for my VPN access, port forwarding works without issue, wireless bandwidth throttling works well, as does the wifi schedules.
For me, personally, the UDMB has been brilliant, my clients love them and they have been a really great bit of kit, I now have a rack so will start playing with the UDM Pro which I’m really looking forward to.
Leave a Comment