Showing only topics in ~tech with the tag "unifi".
    1. Seeking advice for back-up internet connection at home

      Hello, Tildes Tech Support Team,

      I'm doing some Homelab stuff. And I'm looking for a way to set up an inexpensive back-up Internet connection. Less about having a connection when I'm home and Internet goes out (Phone hotspot works in a pinch), but more about getting in and getting statuses of stuff when I'm not home and Internet drops.

      For background, I have a Ubiquiti Unifi Dream Machine Pro that can do WAN failover. My primary Internet connection is through Verizon Fios. The UDM and the Fios ONT are directly connected via ethernet; I'm not using Verizon's crappy home router. Also, I rarely lose Internet connectivity. This really is just a Homelab experiment to see if it can be done.

      I've seen some stuff about getting a cheap, refurb smartphone and a cheap MVNO plan like Google Fi that nets me a handful of GB a month, and then tethering the UDM to the phone somehow (maybe through some cheap router in bridge/passthrough mode like a GL.iNet travel router). Has anyone had any experience doing this?

      But...I actually have a secondary Internet connection already. My apartment complex has WiFi across the complex and for each unit. That I unfortunately have to pay for, even though I don't use it -- I want FULL control over my home network. But since I do have it, is there a way I can take advantage of this? I'm thinking something like a reverse AP, if that exists. But it has to pass through the IP from the apartment WiFi.

      I know there will likely be issues with double NATing. But depending on the services/things I'm trying to access or keep access to, that may not be a factor. Like my Unifi hardware talking with the Unifi cloud access stuff. I think double NAT shouldn't matter.

      Anyway, appreciate whatever you all got!

      15 votes
    2. Any Ubiquiti Unifi users? - Questions on zone firewall policies

      I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.

      I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.

      I'll start with a screenshot. I'm only changing the two settings highlighted in red.

      I'm trying to understand the difference between two firewall policy settings:

      1. Action = Allow ONLY, AND Connection State = Return Traffic
      2. Action = Allow AND Auto Allow Return Traffic checked, AND Connection State = All

      I have two VLANs -- "Internal" and "Lab." Each is in their own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.

      What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."

      With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.

      With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.

      And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?

      If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."

      Thanks!

      17 votes
    3. Any VLAN expert here? Will be setting it up on my Mikrotik router and Unifi APs this weekend.

      I come in search of somebody who knows a thing or two about VLANs or, if possible, has set it up for themselves at home (or work).

      I have a Mikrotik router and Ubiquiti Unifi APs. My goal is to have three separate SSIDs on my APs to differentiate clients. One group would be closest family (group 1), another friends (2) and the last one would be QR-setup guest wifi (3).

      The reason is security. I run a 24/7 server at home with many services that I don't want people other than #1 to see. But I also run, i.e., DNS there that I would like all to see (all three groups; or make them use other DNS via DHCP-set-DNS, i.e. 1.1.1.1).

      So far I believe everything from that list is doable with the right knowledge (that I have yet to achieve). But I would also like some other things and that's part of why I'm asking here.

      • Is it possible to initiate a connection from #1 to a device in #2? I.e. from the server to a Raspberry that serves as a temperature sensor for Home Assistant? Is it some built-in functionality like "higher number VLAN can access all lower numbers" or do I have to set up some exception on my router for a specific IP and port? Or a specific LAN port (I have a 24-port router, yet not everything is connected via ethernet)
      • Do I have to set it all up in a specific order? I have read that I can cut myself off from accessing my router if I set up the VLAN incorrectly and that's what I don't want to do :-)

      If you know how to set up a VLAN and could provide some points to kinda carve the path I could stick to, I would be really grateful! I do not want a manual of step-by-step instructions, rather some points to follow so I don't fall for something important I missed.

      I will of course read up on it myself and will experiment a bit (I have an old RB133 or maybe even RB433 around that I can use for learning), but it would be great to have some pointers.

      Thanks in advance for any advice or recommendations.

      14 votes