So let's talk about building out a small office network, a small home network. This is actually a build for a client, not exactly the same as it's going to be delivered to them, but conceptually the same, which is why I want to make a video about it. A lot of people have this question.

Now, we are starting out with a Netgate SG-3100, a UniFi 24-port PoE switch, a UniFi Cloud Key, and a UAP-HD. These are just the basics. Actually, more is going into the client network, just a few more devices, but this is the basics to get started and to cover the important parts, which is planning the network.

Now, the first part of the planning: someone may notice on the WAN that's the 172 address. That's because it's in the lab. That's also why I can't put a standard block, because someone likes to point this out, of blocking standard RFC 1918 addresses: if you block them, it breaks the WAN, being that, etc., etc.

So the next thing that's really important, this is where the planning stage begins, and a lot of people start and stop right here. They figure out a LAN address range they want to use (this particular range is 192.168.5.1) and they stop there, because they just make a big flat network and all the devices live there. Problem is, people love all kinds of random things like IoT devices that are well known for having security problems, and this is what allows easy lateral movement across the network. Unless you have a switch that is also doing some type of routing rules, it does not stay contained. So everything in the 5.1 network: if a device gets compromised, the compromise can potentially increase your attack surface by laterally moving through the network with no rules.

So what we did here is on this SG-3100, and I use this one, but you can really use any firewall you want. I use pfSense because that's what the customer asked for, but this does work with other firewalls, of course. This is, you know, this is FYI here.
You can build these VLANs out. Also, I may do the same video again with Untangle, because it's another firewall that we recommend. I know someone's gonna ask why we didn't use the UniFi USG series, because we're using a UniFi switch and a UniFi access point, and the reason why is because with the more complex rules that need to be created, often there's problems with them in the USG. It just kind of falls flat on features. It's good for security. It works. It just doesn't have a lot of features to it. All right, moving on.

So these are all VLANs we have created: office, camera, phone, and guest, and they're already set up and already created. So we chose 10 for the network that is gonna be where the office computers live, cameras are gonna be on the 20 network, phone is on the 30 network, guest is on the 10.1.40 network.

Now I'll give you a couple reasons for this. One, you want to start your LAN out to be something not standard, not zero or one. So it's 5.1 instead of 0.1 or 1.1, because those are really common, and if you want to VPN back into your office, a lot of times you're gonna have a problem where, oh no, I'm on a zero network or a one network because I'm at, you know, a friend's house. You have routing problems if your network matches their network. The VPN goes: well, do I route locally? Do I route there? There's ways around it, but FYI, make it different, solve problems.

Next, 10, 20, and 30. I leave them all in the 192 range to make it kind of easy to understand that, okay, they're all gonna be common addresses. Then the guest range, we set that over on the 10, and I do this a lot of times when I build guest networks out for clients. That way the guest network is on a completely different range, and if you're looking through piles of IP addresses for stuff, you can quickly go: okay, all the 10 stuff has to do with guest networks, and all the 192 stuff is equipment that they're using in the office. Like I said, this is just how I did it.
It doesn't have to be done that way. There is one more thing that's common: 10, 20, 30, 40 across there relates to, because these are all VLANs that we're going to be defining (well, they're defined already, but we're going to show how we actually implement them), 100, 200, 300, 400. Now, they could have been 10, 20, 30, 40. It really doesn't matter. This just comes down to: I started at 100, 200, 300, so that's where they are now. And it's just a common schema. There's not a reason you have to do it that way. I could have made them one, two, three, four. I could have come up with completely arbitrary numbers.

But let's go ahead and create one more, so I'm walking through the process of what had to be done. This has already been done for 100, 200, 300, 400. So the one thing you didn't see in this list, and a lot of people go, "I want to put all my IoT crap on an IoT crap network." Good idea. Let's build it out. Let's build it out as 500.

Now, parent interface means what's it going to be attached to. It's going to be attached to the LAN. And if you're not familiar with the SG-3100, watch my review on it, but there is a four-port switch on the back of it. We're only going to be using one of the ports, but that essentially is the LAN. On some devices it's just going to be one port for the LAN, and that's fine too. So 500, and this is called IoT crap. It was called IoT crap. I don't need to put "network"; we get the idea.

All right, so we've got the IoT crap, and we're going to Interfaces, Assignments, and here's IoT crap ready to be assigned. Hit add. By default, because these were all called OPT1, 2, 3, 4, etc., it's going to call it OPT6. We click on it, enable, IoT crap, and it's going to be static. Now we need an IP scheme for it, and we'll go ahead and put this one into the 10 range as well. That way, you know, that's the IoT crap. The ranges can't overlap, if that's not obvious. Each IP address has to be... each subnet with IP has to be unique.
They can't overlap. You can split it, so we can have a 50 and then split them, but that's a longer and more detailed discussion. For the most part, for simplicity, slash 24 on each one. Save, apply. So now we've added one more.

All right, now the next thing you have to do: Services, DHCP Server, and we have to go over to IoT crap. These are created on the fly. I've already enabled all these, like I said. This is the process you went through to build all these other ones. So enable it. We have to give it a range, so we'll start at 10, 10, go to, uh, I don't know, 250. That way, if you wanted to statically assign a couple, you have a couple room at the end. When you're deciding ranges, sometimes you may want to start them here because you want to start statically assigning, and the way pfSense works, when you do static assignments, you want to make sure you have enough range, because you can't statically assign devices IP addresses that are within the range. But we'll leave this one to 10. We'll assume all the IoT stuff can just be wherever. That's usually not the most relevant information, where it's at. Usually it calls out to the internet for its functionality anyways.

Now we will come back over here to the LAN network, and speaking of reservations, one of the things I like to do is create reservations for things, and they're right here at the bottom of the LAN. So right here is 5.5. That's our UniFi Cloud Key Gen2 Plus. And what you do is you go here, we're gonna... you can go in. Creating static mappings is easy.
Just click the little add static mapping, type in an IP address on there. My laptop was plugged in, is why you're seeing that; it's not plugged in at the moment, but that's one of the other leases that were in there. But I love assigning everything via the DHCP in pfSense for static mapping. The reason for that is, that way everything is where it should be all the time, in a very predictable place. I really do find that important. And one of the reasons for assigning it here versus just statically assigning each device (you can actually do both, and I've done this as well): if you assign each device statically and then you have to, I don't know, factory reset that device for whatever reason... For example, my laptop has a static assignment at home. Whenever I reset or reload it, no big deal. I know it's going to get the same IP address. If I want to statically assign it, I can, but I know that IP address is always reserved based on the MAC address. So having that does help map your network. It's also great if you have everything set to DHCP: if you decide to move your network range, you just go and edit all the mappings here instead of logging into every device. Restart all the devices or tell them to get new IP addresses, and they all are on that new range. So I highly recommend doing this and having all your leases set up.

So that's all we had to do on the pfSense side to create that new network, with one more exception, which was the rules, and we're going to cover all the rules now. So we'll start with WAN. Because I'm in my office right now, not in the studio where all this is set up, I have a couple NAT rules to allow external access to devices in there, including the UniFi, and including to get to the firewall itself. Here's the basic LAN network.
We're going to leave this one wide open for now. And what this allows us to do is go through and say, okay, the LAN can get to where it needs to get to, and the LAN is where we're going to have all our devices living. We've already made the switches on there, the access points on there; the Cloud Key all lives on this LAN, which is the five network. The office computers are all going to live here. Now, we're going to make the assumption that we want the office computers to do whatever they want, to be able to get to the internet and do things, but then of course they're all segmented out, so if you wanted to create rules around them, you could. And we're not blocking access to manage the firewall from the office network, because we're assuming that's probably where your computer will live.

Now, camera network. This is where we're going to get a little bit specific with the firewall rules. If you didn't notice up here, the firewall has been moved to 10443. I always move the firewall from whatever the default port is, which is 443 in pfSense. It's not as much security through obscurity, but having it on 443 can create other problems if you have to map through NAT to your internal devices that also may be running on an HTTPS port like that as well, and it's just nice to have it on a different port. But what this does is, if you're on the camera network, this means block the firewall. So destination the firewall, block 10443, and this rule persists across all these different networks.

Then we say only allow a single destination, because the cameras... This is a particular setup, because we're using a Cloud Key Gen2 Plus with UniFi Protect, and UniFi Protect is on 5.5, the same IP address as the Cloud Key itself.
There's probably some way to split it. I didn't really look into that, and this is going to vary with your design of your network. If you have an NVR, you could just put the NVR in there and, for example, only allow the NVR external access. But for the sake of this, we don't want the different cameras on the camera network going anywhere except for their one destination, which is going to be this.

Now a couple notes about that, just a quick note. If you add cameras to UniFi Protect, you can add them on the 5 network, which is how we did this, and then move them (and we're going to cover that when we get to the physical part) over to the camera network, and they realize what they were adopted to, so they keep trying to contact it. Even if they move to a different network, they will go back and route over here. So you can trust that the cameras can't get out to the internet. They can only go one place. And just for ease of use. So do you have to manually adopt them? I did have them on the LAN network and we moved them like so. We're going to cover that when we get to the physical layer.

Phone network: this is making the assumption that there's not an internal PBX. Let's say they're using whatever provider they're using for external access, you know, a hosted PBX external to their office, so the phones do need to get to the internet. We don't want the phones to go back to the LAN or the office, because what if this, you know, cloud provider they're using pushes some weird firmware? I know it's a real edge-case attack here, I'm tinfoil-hatting this, but if the phones became compromised in some way, where would they be able to go?
Well, they've got to get to the internet to work. They can't talk to the firewall, so if they were able to get into the phone, they can't talk to the firewall itself to try to admin it, and they can't talk to the LAN or the office with the other devices there. Of course, you could also add blocks for guest and IoT crap if you wanted to.

This is the guest network, and we once again block the firewall. We block the private networks: the source is someone from the guest network, but the destination cannot be (which is what this alias means; "cannot be" because it's got the exclamation point in front of it) the LAN, office, camera, or phone. And this is the alias list once again. Like I said, this is the list on there if you need to add another network. And someone will point out you could just block all RFC, etc., etc., but you run into the problem of it's in a lab and it doesn't work like that. Now look, when you see the rule itself too: single access, invert match, and this is the important part, is that the invert's connected there. Back to the rules.

Now, when we created the IoT crap network... A lot of people ask me this question about pfSense and security. They say, well, you know, what's the default way to set this? What's the best practice to set this up? Is it secure? And from the pfSense people, and I like that they've said this, they go: if it's the best practice, we make it the default. So the default when you create a new network is not to do anything. The network is completely dead. It's blocked. There's no rules that allow any traffic to pass. And I've seen a lot of people, they create a network, they add the DHCP server, and they go, "Nothing gets an address. Nothing's working. What's going on?"
Well, you don't have a rule. Now what we need is, and you can copy this rule or recreate it: we're gonna add a rule here, change this to any, interface, source the IoT crap net, invert match, destination single host or alias, private networks, "allow block private." So we have that same rule here again. Apply changes. And the firewall rule too: this is the copy rule option, so we're just gonna copy it. Easy. We just have to change which interface it's on, IoT crap and IoT crap net. Save, apply. Now it has the same rules. So you can create these manually, or you can click copy for making it a little bit easier, but we have the same idea: we block access to the firewall admin.

Now, it's up to you. Obviously IoT crap will have access to the guest, and guest has access to IoT crap. If you wanted to create another rule to block those two, you could, just throwing it out there. I don't worry about it as much, because this is kind of where the junk on the network lives.

All right, now let's go over to UniFi. So by default, when you adopt a UniFi switch, when you get it set up, the default profile is All, and we'll explain what that means here. So we go here to profile. And I did this right here, in case you're wondering: you just check the little box that says profile to show it on the tab. If not, it looks like this. I think it should be there by default, but it's obviously really easy to do. So you want to see what the profile is for each port.

Now, the profile All means send everything: send the LAN and all the VLANs, whatever they might be, down the pipe. So coming from the firewall we definitely need that; the firewall's got the 100, 200, 300, 400, 500 VLANs defined, or any ones we decide on in the future. So we need all those to come through into the switches on UniFi here, and some devices are definitely going to need those too. The access points, for example: each one you plug in also needs to be set to All, because you want to parse the VLANs inside the access point, not define the VLAN
and then push it to the access point. There's ways you can do it; there's maybe more advanced setups where there are circumstances, but for the sake of this talk right here, this is the ideal way you want to set this up. You could send only the VLANs that are going to be used on it for further restrictions. Like I said, you can really get fine-grained if that's what you wanted to do. But for the sake of this talk, we're going to assume you want to send All, and that's going to create the least amount of headaches for you.

Now, there's only one switch involved in this. If you have another switch, on the ports that the switch is attached to, like another managed switch or another UniFi switch, you want All. That means send all the VLANs over to the next switch. That way you can parse the VLANs on the next switch as well. So that's the reason we have All. Now, another option besides All is of course just sending the LAN, which means send the native LAN network, the five network, but don't send all those other VLANs that are right here. So like I said, that's another option, but not the ideal one for how we're setting this up.

Now what we are going to do is go through here and reassign all these. So we'll check the boxes, and there's a couple different ways you can do it. Actually, I like this feature. You can just check them by ports, and these are all the extra ports we're going to plug our office computers into, so you might want to edit all of them. You can group them. But before I do that, let's create a custom profile. So we go over here: Profiles, Switch Ports. These are all just created on the fly as I created the networks.
You're going to see these here. So there's nothing you can do to edit them; you only view them. And this is where we're going to get a little bit fancier here. So this is going to be The Office profile. Now, native network is not LAN, it's the office. We want VLAN 100, and before you ask why you wouldn't just assign VLAN 100 to those ports, that's because we want to create a phone network on there, because we're going to use the pass-through feature. Oop, not camera. Phone. There we go.

So by default, enabled inside of UniFi is LLDP-MED, and what this is, is part of the demo when we get to the physical layer. This is going to allow the ports to hand out natively, when a computer plugs into them, that office network, that 192.168.10 network. But if we add a phone, the phones will actually get a 30 address and have the rules on that network applied. The phones, pretty much all of them (all common phones, I should say; someone will point out some exception, I'm sure), but most of your common phones, and in this case we're going to use a Cisco one, but your Sangomas, your Ciscos, Yealink, etc., they all have this built into the phone, and they have a pass-through option in there. What the pass-through option is going to allow it to do is pass through, because it works as a switch, the office network, the .10 network, but the phone goes on a different network, whatever voice network we assign, which is 300. So what we do is: the native on that port is to give it a 10 address, but if you're a phone you get a 30 address, and then you can pass back down and still get a 10 address on there. It's actually a really great feature to have on here, and we build it as a profile called The Office.

Now you'll see why you build it as a profile, because now we go back over here to our device, and we're going to edit it. Edit the ports; just pop this out, make it a little bit easier. And we're going to leave five and six different, but we'll set the rest of them to be the
Office. Clicky clicky, get all these on there. Now, sometimes people make the mistake of clicking one, thinking it edits all of them. You've got to go down to the bottom, Edit Selected Ports, and we're going to change them to our custom profile, The Office, and apply.

Now here's the funky stuff we're going to do with these ones here. So those are all called The Office now. Let's unselect those so we can edit these ports. You can see this is all profile The Office. We're going to make port five a guest network. This is where we allow our friend to plug his computer in, and he plugs into this port and this port puts him on the guest network. So it's pretty easy to do, and it's nice that you can easily do these and switch these profiles around, move them around later. Uh, guest, or friend. You know, I see, if you're connecting them to Wi-Fi, that's easy enough, but sometimes they go, you know, "I want to plug something in," and once you do that, you've got to make sure they're plugged into the right port and it assigns the right things. That's why it's important to have all these.

I've seen people say they disable all the ports except for implicitly plugged-in ones. From a security standpoint it is great, because this is frequently, when there's a physical layer attack on your network, one of the ways things happen: people will go in and plug things in, and if the ports are live and assigned, well, they're on whatever network that port is assigned to. So disabling until used is not a bad way to start, throwing it out there.

So that's the guest for a friend, and we'll make this one IoT thing. And one of the reasons I think this is important is your IoT crap. How does that work? Well, the IoT crap sometimes needs to be PoE, so you need to plug it in, but you go, "Man, I don't want it wandering around my network, because it's IoT crap."
So, being an IoT thing, IoT crap, and apply, and this will allow port six to be IoT.

Now, one of the other things you notice is we have the camera network, but the camera is not on the camera network. It's on the other network. Well, let's go ahead here, and we're going to change the camera network to be Camera, and now we hit apply. Now, the only thing different we have to do, and like I said, this is a note about the Cloud Key and how UniFi Protect works: with UniFi Protect, we told it while it was on the five network to get adopted to where UniFi Protect lives, which is at the 5.5 address. The nice thing is, once you move it, it's there. So by changing this switch profile, it moved. Now all it's got to do is reboot the camera. So we hit restart: switch port power cycle this, yep, because it's a PoE-powered camera. When we do this, it's going to restart the camera, and the camera is going to get the 30 address and be working. So that's pretty easy for how you do the switch ports.

Now let's talk about how you do the Wi-Fi. Now, please note I did say that it has to be pushed to All; that's an important aspect here. So go to Wireless Networks, and you can see how each of these works. Camera demo: WPA-PSK, we've got a password on it, 200. This way, if we had a camera and we wanted to put it on there, well, you can put the camera on it.
No problem. Same thing could go with phones, if you wanted to create one for phones. Your guest network, well, the guest network is the 400 VLAN and the office network is the 100 VLAN. So please note, the DHCP and everything will be working over these VLANs and handing addresses out, but nothing will be in the five range, because like I said, that's our protected LAN, even though this device lives in there. This is why sending All to the UniFi HD works, because then it handles all the slicing up based on SSID. And we can create one more network called IoT crap stuff. Make a password for it. Advanced options, and we know that is going to be VLAN 500. And away you go.

Now on the guest network, I have further added that the guest policies are on here. Apply guest policies, and what those do is create further restrictions. So there's isolation, so things connecting to it can't talk laterally to other things on there. That may break a lot of IoT devices if you try to make any communication with them, because it sets them in isolation mode. For guests, that's generally fine, throwing it out there.

Now, before we move over to the physical layer: being this is a small office setup, this question may come up of why I didn't create a separate network for printers. And that's because that's a giant headache. Some printers just don't work well when you put them on separate networks. They kind of expect to be on the same network as the office. Your results may vary. No guarantees. Sometimes they work, sometimes they don't; it varies by model, and I don't have time to go into every printer model on there. You can decide whether or not you want your printer to be IoT crap or if you want it to be there.

And by the way, when these rules were created, just one more reiteration of this: the office network, because the firewall rules for the office network say I can go wherever I want, I can hit things on guest. It's a one-way street though.
It's just like going out to the internet. They can start here in office, and if you know the IP address of something on IoT crap, you can get to that IP address; you can route over to it. You can route over to phone. But you can't initiate a connection from IoT crap, because of this block, back over to LAN or the office network. So it's a one-way street. You have to initiate the connection from these networks to this network, but they don't get to initiate connections the other way around. But that is what causes printers to have a problem, because a lot of the printers do look for local devices as part of the discovery method, especially those all-in-one scanning devices. I've seen a lot of them. They just don't like crossing subnets in general. So your results may vary. If you want to put your printers on a separate network, just be prepared to troubleshoot that.

I also didn't mention in any of this egress filtering. Like I said, by default there's no egress, which means filtering what outbound ports can be used. It's up to you if you want to go that much further into it; it goes out of scope of this talk. All right, now let's take a look at the physical layer and talk about how this looks in action.

So now we are at the physical layer. We have the Netgate SG-3100 sitting here, the UniFi switch, the Cloud Key (which, by the way, is kind of cool the way it is just powered over PoE; I mean, it does have an option of power via USB-C, but you know, it's nice that we've got a PoE switch and a PoE Cloud Key working on here). Now, this is the Gen2 Plus that is managing this particular camera. If I do a motion event... Hey, there we go. It gets a cool spinny.
I love that. So we know it's recording a motion event that just occurred, and there's a little readout on here on the Cloud Key.

So the next step: you notice that coming in, this is WAN. This just goes back to the switch over there, which provides the IP address from our network to this network. And then the orange cable goes into, like we talked about, port one on the UniFi switch. That allows everything to traverse nets. Orange is bringing all the VLANs, everything, because that's an All port. Now just a side note: if you were to use the four-port switch on the back of this, I think there's a way you can divide out the VLANs on it, but by default anything plugged into this four-port switch is going to just get the standard 5.1 address. We really want to put everything into this switch here as much as possible. That way we can control and delegate access.

So my computer's plugged in over here on port 24, and let's show you what IP address I have. So here's the IP address of my computer, because I'm plugged into that port. It's 192.168.10.10, first range in that office network. Now, what if we move my computer to another port? So let's just show something real quick here. We look at the UniFi here; I like popping this out as it looks better. So we have IoT crap on six, and we have guest for friend over here. So what happens is I should be able to get a different IP address when I plug into those ports. So any of these ports will just give me a standard IP address, and this one right here should give me the proper one. So let's test that theory real quick and show you how that works.

So port six, IoT crap. Okay, connection established, and we went from having a .10 address to a .10.50 address. Pretty simple. Test the other port here. This is the one that we called guest for a friend, and now it's a 40.10 address. So you get the idea that that's how you assign that, and when we look again at those assignments, they're set to guest now.
Let's show the office now. You notice that on the office I get 192.168.10.10 plugging my laptop into the port. What if we plugged in a phone to it? So we have a standard, well, old Cisco phone, an SPA508G, and it's got the port and it's lighting up right now and booting. It's got the port and it's got the pass-through port. Now, this is common in a lot of office scenarios, because in the offices we see, they don't want to run two lines to every workstation, or they have existing infrastructure where there's only a single line, but they want to go VoIP. And this is back to why this is set up this way and why the LLDP works really well in this scenario. So we can just pass it through; we pass it on over. This needs PoE, so the PoE switch will power it, and links to the very common office setup. And then we're going to take my computer, pull the network cable out of this, plug it into here. And this is blinking at me because it doesn't have a PBX to talk to, so it's not happy, but it works, and it has an address, and we'll look at that in pfSense here.

So now let's look at my computer, which has an address again. The last one was 40. So even though it's plugged in through the phone, I still have that 10 address. What about the phone? What address did it get? So you go over here: firewall, DHCP server, and there's our phone with the 30.10. I know, this is the actual host name of the phone. But that's how the phone, even though it's plugged into that segment of the network called The Office... This is where that custom profile works, and it passes along the 30 address to the phone, and then the phone's basically going, okay, but I'm a switch and the devices behind here don't get that address.
So my computer has no knowledge of VLANs; a lot of your devices do not. It goes, no problem, I'm just going to get whatever address this gives me, and I'm back on that network. And this sometimes creates confusion if you've not seen this before, because a lot of times you go, "Why are the phones in a different IP range, but it's only one physical cable?" Hopefully that sorts that out.

Now, one other note about the camera right here. So this is the UniFi Protect camera, and I don't know that a lot of people have thought about this, and this is a really interesting physical layer attack on a lot of networks. Well, these are waterproof cameras, which means they go outside. And someone wants to get inside your network. What could happen? What could potentially go wrong? And this is a problem that can be solved with some of these firewalls. I just bring this up because I think it's kind of a novel thing, but I've talked to companies about this and once, in a demo, used this for a company to get into their network. But if you go on the outside of the building and you plug into the camera... This is just a reminder of why you should make sure some of those cameras are on a specific port. It's not always the camera you're worried about, but if someone were to take down your camera and plug something else in, they would have access to your network. Well, in the case of this, look at the firewall rules again. That's why the camera only has access to this 5.5 address. And by the way, the camera now has that 192.168.20.
So let's go over here, look at the profile for it, and you see we have the camera. Go back here, Customize Columns, Profiles, so we see it easier. It is set to Camera, and being on that camera 200 gives it that IP address there. But if we go back over here and we want to do a live feed from it, you can see the live feed's working. So that's actually what I look at behind the camera, in case you're wondering. So the live feed is working. It's routing through the firewall and over to this device here. So it's kind of novel that the cameras, once you adopt them... this is a feature of Protect. But for example, if you're using a bunch of cameras, you put the NVR and everything on that same network, and you wouldn't have to worry about this extra routing rule that we have. But this routing rule is what keeps us protected from that edge case where someone goes outside my building, unplugs my camera, and plugs in, I don't know, a Raspberry Pi, which of course you could have powered over the PoE.
So you're actually providing, uh, whoever is attacking your network the power and backend their way into your network, which is why, you know, it's not just the camera you have to worry about; it's a little bit more thought that may need to go in there. So a camera down could be just a camera down, or a camera down could be a discovery of a device plugged in. Anyways, back to this network. Um, that's pretty much all you need to do to get all this working. So this is the network in a nutshell. This is common for a lot of small businesses, a lot of offices we set up. We're going to see, you know, a phone going to what, that we want them on a separate network. And sometimes you do that too just because of how many IP addresses you have available. And segmenting everything out, this also allows you to do things. For example, when you have all the phones on a separate, uh, VLAN in a separate network, you can apply traffic shaping or priority to that particular segment of the network. It's another good reason to break the phones out. Having all the cameras, once again, a separate network, so you can create rules in case someone attacks from the camera side or there's some type of flaw found in a camera and they become an attack vector for whatever reason. But having all these segmented out is what makes this much better of a network. And this is frequently, when we've covered this on different, you know, security videos that I've done, we talk about lateral movement through networks. This helps segment out the lateral movement and gives you the ability to start applying rules to things. Because sometimes we hear the term wormable all the time, and that's, a lot of times, we're talking about it just worms its way through your network.
Well, if there's firewall rules, we're literally blocking that access. Having this separated out helps a lot. So that was it for this video. Leave questions, comments, concerns below, or jump over to our forums, where I'm very active and I'll be talking about this as well, if you have other questions about different scenarios and setups. But overall, in a nutshell, this is like a basic office setup that we do all the time for small businesses. You know, even if you're a home-based business, this is not a bad setup to use. Which is actually what this is destined for: someone who's a home user, where there's a couple people that run a design company out of their house, essentially. You know, it's going to give them the access they need. They're going to add a few more things, they're going to add VPN to this and a few other features. But for the basics of getting the network started and having everything nice and organized, it's great. And I think one of the networks I have to add for them is the kids network, because they just want the kids' stuff on there. Which can also be handy, because then you could just block access whenever you wanted to to the whole kids network and tell 'em to go to bed. Another option that you can do on there.
All right, thanks. Once again, head over to our forums to further the discussion on this and, you know, talk about it more in depth if you got questions and concerns, or if you want to tell me I got something wrong, because there's always a chance of that. I will make annotations for corrections if there's something I missed. But I think I got everything. May not have spelled everything right; I didn't check that yet. But someone will point that out if I did. Thanks. Thanks for watching. If you like this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video, and see you next time.
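The segmentation argument from the video, as an added example that is not part of the original transcript or the client's actual pfSense configuration: a first-match rule evaluator comparing what a device plugged into the camera's port can reach on a flat network versus on the camera VLAN. The /24 masks, host addresses and rule layout are assumptions; only the 192.168.20 camera range and the 5.5 destination come from the video.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; traffic matching no rule is blocked."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action
    return "block"

def reachable(rules, src_ip, targets):
    """Return the names of the targets that src_ip is allowed to reach."""
    return sorted(name for name, ip in targets.items()
                  if evaluate(rules, src_ip, ip) == "pass")

# Constructed addressing: /24 masks and host numbers are assumptions.
CAMERA_NET = "192.168.20.0/24"
TARGETS = {
    "allowed-host": "192.168.5.5",       # the "5.5 address" the camera may reach
    "lan-workstation": "192.168.5.50",
    "office-pc": "192.168.10.25",
    "phone": "192.168.30.12",
    "guest-laptop": "10.1.40.20",
}

# Flat network, modelled as a single permissive rule: nothing sits between devices.
FLAT_RULES = [Rule("pass", "0.0.0.0/0", "0.0.0.0/0")]

# Segmented: the camera VLAN may reach one host only, everything else is blocked.
CAMERA_VLAN_RULES = [
    Rule("pass", CAMERA_NET, "192.168.5.5/32"),
    Rule("block", CAMERA_NET, "0.0.0.0/0"),
]

# Whatever is plugged into the camera's port gets a camera-VLAN address.
DEVICE_ON_CAMERA_PORT = "192.168.20.77"

if __name__ == "__main__":
    print("flat:     ", reachable(FLAT_RULES, DEVICE_ON_CAMERA_PORT, TARGETS))
    print("segmented:", reachable(CAMERA_VLAN_RULES, DEVICE_ON_CAMERA_PORT, TARGETS))
```

The one host still reachable in the segmented case is the one to harden and monitor, since anything swapped in on that port inherits the camera's access to it.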