Cloud Gateways WiFi Switching Camera Security Door Access New Integrations Accessory Tech Identity
UISP
Support Dropdown arrow
Store
User
Help Center UniFi Help Articles UISP Help Articles Community UniFi Design Center UISP Design Center Contact Support Tech Specs Large Project Assistance Professional Phone Support
Sign Up UniFi Site Manager
Ubiquiti Logo Ubiquiti Logo
User User
Sign Up UniFi Site Manager
Cloud Gateways WiFi Switching Cameras & Security Door Access New Integrations Accessory Tech Identity UISP Store

Support

Help Center UniFi Help Articles UISP Help Articles Community Contact Support Tech Specs Large Project Assistance Professional Phone Support

Social

Facebook Twitter Youtube Instagram

Company

Careers Contact Us Investors

Training

Courses Calendar Trainers Become a Trainer

Tools

WiFiman UniFi Design Center UISP Design Center
  1. Ubiquiti Support and Help Center
  2. UniFi
  3. Gateway & Routing
Help Center
Back to Top

UniFi Gateway - Introduction to Firewall Rules

2023-12-03 17:21:45 UTC

UniFi Gateways include a powerful Firewall engine to provide maximum network security. We recommend most users configure the Firewall using Traffic Rules. They provide an incredibly intuitive interface that streamlines rule creation for common use-cases such as network isolation, parental controls, or even bandwidth limiting. See Traffic Rules to learn more.

Preconfigured Rules

UniFi pre-configures certain rules to optimize local network traffic, while preventing certain potentially dangerous internet traffic. Additionally, UniFi will configure similar rules for each additional network you add.

Rule Indexing

Firewall rules are executed in order of the Rule Index. A lower number (top of the list) means that the rule is processed before the other rules. When creating a new rule, you can choose to apply it before or after the predefined rules. It is important to be aware of this index because incorrect placement may create the perception of a rule "not working".

Rule Types

The rules are grouped based on the type of network that they apply to. The following network types are used:

  • Internet: Contains IPv4 firewall rules that apply to the Internet network.
  • LAN: Contains IPv4 firewall rules that apply to the LAN (Corporate) network.
  • Guest: Contains IPv4 firewall rules that apply to the Guest network.
  • Internet v6: Contains IPv6 firewall rules that apply to the Internet network.
  • LAN v6: Contains IPv6 firewall rules that apply to the LAN (Corporate) network.
  • Guest v6: Contains IPv6 firewall rules that apply to the Guest network.

Rule Directionality

Besides the network type, the firewall rules also apply to a direction. The following directions are used:

  • Local: Applies to traffic that is destined for the UDM/USG itself.
  • In: Applies to traffic that is entering the interface (ingress), destined for other networks.
  • Out: Applies to traffic that is exiting the interface (egress), destined for this network.

For example, firewall rules configured under LAN In will apply to traffic from the LAN (Corporate) network, destined for other networks. Firewall rules configured under LAN Local will apply to traffic from the LAN (Corporate) network, destined for the UDM/USG itself.

Rule State

In addition to a direction or network type, the firewall rules can also be matched to a state:

  • New: The incoming packets are from a new connection.
  • Established: The incoming packets are associated with an already existing connection.
  • Related: The incoming packets are new, but associated with an already existing connection.
  • Invalid: The incoming packets do not match any of the other states.

For example, the predefined Internet Local and Internet In firewall rules ensure that outside connection attempts from the Internet cannot access the UDM/USG and the LAN network behind it. However, the UDM/USG and the LAN network can reach destinations on the Internet and the return traffic is allowed back. The predefined Internet Local and Internet In firewall rules are:

Rule Index: 3001
Enabled: Yes
Description: allow established/related sessions (see states above)
Action: Accept
Protocol: All
Type: Internet In and Internet Local
Rule Index: 3002
Enabled: Yes
Description: drop invalid state (see states above)
Action: Drop
Protocol: All
Type: Internet In and Internet Local

IPsec Rule

Firewall rules can also match on traffic that is encrypted with IPsec. This is useful when filtering traffic that is passed over an IPsec Site-to-Site VPN. 

  • Do not match -  Matches all traffic and not specifically IPsec or non-IPsec traffic (default). 
  • IPsec - Match traffic that is encrypted by IPsec, e.g. passing over a Site-to-Site VPN.
  • Non-IPsec - Match specifically on unencrypted traffic.

An example when IPsec matching firewall rules are used is when configuring a Policy-Based IPsec Site-to-Site VPN. The UniFi Gateway will match encrypted traffic from the remote network destined to the local network.

Was this article helpful?
941 out of 1741 found this helpful