This article explains where and how to configure firewall rules in the UniFi Network Controller and offers some suggestions on how to manage the firewall with the UniFi Security Gateway (USG). This article is applicable to all UniFi Security Gateway and UniFi Dream Machine (UDM and UDM-Pro) models.
Table of Contents
- Understanding Firewall Rules in UniFi
- Local, In, and Out Rules
- Pre-Defined LAN, Guest, and WAN Rules
- Related Articles
The UniFi Security Gateway (USG) gives administrators a number of tools for managing a UniFi network, including the ability to create and order firewall rules that control which traffic the gateway forwards, which it accepts for itself, and which it drops. The sections below explain how those rules are organized in the UniFi Network Controller and offer some suggestions for managing the firewall on the USG.
Understanding Firewall Rules in UniFi
The rules are currently grouped by network type into three groups: WAN, LAN, and GUEST. Corporate-type networks defined in the controller use the LAN rules, Guest-type networks use the GUEST rules, and WAN-type networks use the WAN rules. The same ruleset applies to every interface of that type, so a rule added to LAN_IN affects all Corporate networks at once. That can be somewhat confusing to those accustomed to one ruleset per specific interface, but the same things can be accomplished with either methodology, and the IN/OUT/LOCAL split provides more overall granularity than a single per-interface ruleset.
Local, In, and Out Rules
- WAN LOCAL/LAN LOCAL/GUEST LOCAL: traffic arriving from a network of that type that is addressed to the USG itself (for example its SSH, DNS, RADIUS, VPN, or guest portal services).
- WAN IN/LAN IN/GUEST IN: traffic arriving from a network of that type that the USG will forward to some other network (for example, Corporate to Internet, or Corporate to a Guest network).
- WAN OUT/LAN OUT/GUEST OUT: forwarded traffic leaving the USG toward a network of that type, regardless of which network it came from.
A forwarded packet is therefore evaluated twice: first by the IN ruleset of the network it arrived from, then by the OUT ruleset of the network it is leaving toward. A packet addressed to the gateway itself is evaluated only by the LOCAL ruleset of the network it arrived from. Within a ruleset the first matching rule decides, so the position of a rule relative to the others matters.
Pre-Defined LAN, Guest, and WAN Rules
Though not visible in the Controller, each of the three LAN rulesets (LAN_IN, LAN_LOCAL, and LAN_OUT) has a default action of "Accept". Because nothing is blocked by default, UniFi admins who need to restrict traffic between Corporate networks, from Corporate networks to Guest networks, or from Corporate hosts to the USG itself must create an explicit drop rule and place it above any rule that would otherwise accept that traffic.
- LAN_IN: The pre-defined rules allow all traffic leaving a "Corporate" network without restriction: LANs to other LANs, LANs to the Internet, even LAN to "Guest" type networks.
- LAN_LOCAL: The pre-defined rules allow any host on a "Corporate" type network to access services on the USG itself (e.g. SSH, DNS, RADIUS).
- LAN_OUT: The pre-defined rule allows all forwarded traffic destined to hosts on "Corporate" type networks.
Though not visible in the controller, the GUEST_IN and GUEST_OUT rulesets have a default action of "Accept", while GUEST_LOCAL has a default action of "Drop".
- GUEST_IN: The pre-defined rules allow the traffic needed for the guest portal to function, but block traffic destined to Corporate networks, to all restricted subnets defined under "Guest Control", and to remote user VPN subnets. Everything else, including Internet-bound traffic, is allowed.
- GUEST_LOCAL: The pre-defined rules allow DNS, ping, and traffic to the guest portal redirector on the USG itself; any other traffic from a Guest network to the USG (SSH, for example) falls through to the default drop. Rules are automatically added to GUEST_LOCAL to permit RADIUS authentication and accounting traffic.
- GUEST_OUT: The pre-defined rule allows all forwarded traffic destined to hosts on "Guest" type networks.
Rules are automatically added to WAN_IN to permit traffic for configured port forwards and for the DPI blocking configuration. Rules are automatically added to WAN_LOCAL to permit traffic for configured remote user VPN networks. Unlike the LAN rulesets, WAN_IN and WAN_LOCAL only let through what the pre-defined or automatically added rules explicitly allow.
- WAN_IN: The pre-defined rules only allow established/related reply traffic (e.g. replies to connections initiated from an internal network); new inbound connections are dropped unless a port forward or other rule permits them.
- WAN_LOCAL: The pre-defined rules only allow established/related traffic inbound to the USG itself; new connections to the USG's own services from the Internet are dropped unless a rule (such as the automatically added VPN rule) permits them.
- WAN_OUT: There are no pre-defined rules; the hidden default action is accept.
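The following model ties the two preceding sections together: it encodes which rulesets a packet traverses (LOCAL for traffic to the gateway, IN then OUT for forwarded traffic), the pre-defined rules and hidden default actions described above, and the effect of adding a drop rule to LAN_IN for VLAN isolation, where rule order matters. This is an added example written for this article, not Ubiquiti's code and not how the USG evaluates rules internally; the subnets, gateway addresses, port-forward entry, restricted subnet and redirector port are constructed assumptions.

```python
"""Model of USG ruleset selection (LAN/GUEST/WAN x IN/OUT/LOCAL) and default actions.
Added illustration, not Ubiquiti code. All addresses and ports below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): which subnets belong to which network type.
CORPORATE = [ip_network("10.0.10.0/24"), ip_network("10.0.20.0/24")]
GUEST = [ip_network("192.168.50.0/24")]
VPN_SUBNETS = [ip_network("10.255.0.0/24")]        # remote user VPN subnet
RESTRICTED = [ip_network("172.16.0.0/12")]         # "Guest Control" restricted subnet
GATEWAY_ADDRS = {ip_address("10.0.10.1"), ip_address("10.0.20.1"),
                 ip_address("192.168.50.1"), ip_address("203.0.113.2")}
PORT_FORWARDS = {("tcp", 443)}                     # assumed configured port forward
REDIRECTOR_PORTS = {80}                            # guest portal redirector (assumed plain HTTP)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    established: bool = False  # connection tracking says this is a reply to an existing flow


def in_any(addr, nets):
    return any(ip_address(addr) in n for n in nets)


def net_type(addr):
    """Map an address to the ruleset prefix the USG would use for that network."""
    if in_any(addr, CORPORATE):
        return "LAN"
    if in_any(addr, GUEST):
        return "GUEST"
    return "WAN"


@dataclass
class Ruleset:
    name: str
    default: str                               # the hidden default action
    rules: list = field(default_factory=list)  # (description, predicate, action); first match wins

    def evaluate(self, pkt):
        for desc, predicate, action in self.rules:
            if predicate(pkt):
                return action, f"{self.name}: {desc}"
        return self.default, f"{self.name}: default {self.default}"


def is_dns(p): return p.proto in ("udp", "tcp") and p.dport == 53
def is_ping(p): return p.proto == "icmp"
def is_related(p): return p.established


RULESETS = {
    # Corporate networks: everything accepted until the admin adds drop rules.
    "LAN_IN": Ruleset("LAN_IN", "accept"),
    "LAN_LOCAL": Ruleset("LAN_LOCAL", "accept"),
    "LAN_OUT": Ruleset("LAN_OUT", "accept"),
    # Guest networks: forwarded traffic accepted except toward protected subnets.
    "GUEST_IN": Ruleset("GUEST_IN", "accept", [
        ("allow established/related", is_related, "accept"),
        ("drop to corporate", lambda p: in_any(p.dst, CORPORATE), "drop"),
        ("drop to restricted subnets", lambda p: in_any(p.dst, RESTRICTED), "drop"),
        ("drop to remote user VPN", lambda p: in_any(p.dst, VPN_SUBNETS), "drop"),
    ]),
    "GUEST_LOCAL": Ruleset("GUEST_LOCAL", "drop", [
        ("allow DNS", is_dns, "accept"),
        ("allow ping", is_ping, "accept"),
        ("allow portal redirector", lambda p: p.proto == "tcp" and p.dport in REDIRECTOR_PORTS, "accept"),
    ]),
    "GUEST_OUT": Ruleset("GUEST_OUT", "accept"),
    # WAN: only replies and explicitly configured services get in.
    "WAN_IN": Ruleset("WAN_IN", "drop", [
        ("allow established/related", is_related, "accept"),
        ("allow port forwards", lambda p: (p.proto, p.dport) in PORT_FORWARDS, "accept"),
    ]),
    "WAN_LOCAL": Ruleset("WAN_LOCAL", "drop", [
        ("allow established/related", is_related, "accept"),
    ]),
    "WAN_OUT": Ruleset("WAN_OUT", "accept"),
}


def path(pkt):
    """<ingress>_LOCAL for traffic to the gateway, else <ingress>_IN then <egress>_OUT."""
    ingress = net_type(pkt.src)
    if ip_address(pkt.dst) in GATEWAY_ADDRS:
        return [f"{ingress}_LOCAL"]
    return [f"{ingress}_IN", f"{net_type(pkt.dst)}_OUT"]


def verdict(pkt):
    """Walk the rulesets on the path; the first drop wins. Returns (action, trace)."""
    trace = []
    for name in path(pkt):
        action, why = RULESETS[name].evaluate(pkt)
        trace.append(why)
        if action == "drop":
            return "drop", trace
    return "accept", trace


def add_vlan_isolation(protected, from_net):
    """The drop rule an admin adds to LAN_IN, placed after an established/related
    allow so replies to flows started from the protected VLAN still pass."""
    lan_in = RULESETS["LAN_IN"]
    lan_in.rules = [
        ("allow established/related", is_related, "accept"),
        (f"drop {from_net} -> {protected}",
         lambda p: in_any(p.src, [ip_network(from_net)]) and in_any(p.dst, [ip_network(protected)]),
         "drop"),
    ] + lan_in.rules


if __name__ == "__main__":
    print(verdict(Packet("10.0.20.9", "10.0.10.5", "tcp", 22)))   # accepted by LAN_IN default
    add_vlan_isolation("10.0.10.0/24", "10.0.20.0/24")
    print(verdict(Packet("10.0.20.9", "10.0.10.5", "tcp", 22)))   # now dropped in LAN_IN
    print(verdict(Packet("192.168.50.7", "192.168.50.1", "tcp", 22)))  # GUEST_LOCAL default drop
```

Running the script shows the point of the LAN section: the inter-VLAN SSH attempt is accepted by LAN_IN's hidden default until the drop rule is added, and the isolation rule is placed after an established/related allow so the protected VLAN can still initiate connections the other way. The trace returned with each verdict names the ruleset and rule that decided, which is the same information you want when debugging why a rule in the Controller does or does not fire.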