Overview
Readers will learn how to view and configure firewall rules on the UDM and USG models.
- Applicable to the latest firmware on the UDM and USG models.
- More information on firewall states can be found in the Intro to Networking - Network Firewall Security article.
Table of Contents
- Introduction
- Predefined WAN, LAN, and Guest Firewall Rules
- Automatically Created Firewall Rules
- Configuring Custom Firewall Rules
- Related Articles
Introduction
The UniFi Dream Machine (UDM) and UniFi Security Gateway (USG) models offer administrators many useful features to manage their UniFi network, including the ability to create and manage firewall rules that help ensure the security of the network. This guide will explain how to configure firewall rules in the UniFi Network application and offer some suggestions for managing the firewall settings.
It is important to note that firewall rules are processed in order of their Rule Index number: a lower number (higher in the list) means the rule is processed before the rules with higher numbers, and the first rule that matches the traffic decides. When creating a new rule, you can choose to apply it before or after the predefined rules. The rule order is therefore very important when deciding whether certain traffic needs to be blocked or allowed. If a rule that allows a certain type of traffic is added after another rule that drops the same traffic (that is, with a higher Rule Index number), the traffic will still be blocked and the new rule has no effect.
Predefined WAN, LAN, and Guest Firewall Rules
The predefined firewall rules on the UDM/USG are listed in the Settings > Internet Security > Firewall section of the New Web UI.

The rules are grouped based on the type of network that they apply to. The following network types are used:
WAN
Contains IPv4 firewall rules that apply to the WAN network.
LAN
Contains IPv4 firewall rules that apply to the LAN (Corporate) network.
Guest
Contains IPv4 firewall rules that apply to the Guest network.
WAN v6
Contains IPv6 firewall rules that apply to the WAN network.
LAN v6
Contains IPv6 firewall rules that apply to the LAN (Corporate) network.
Guest v6
Contains IPv6 firewall rules that apply to the Guest network.
Besides the network type, the firewall rules also apply to a direction. The following directions are used:
Local
Applies to traffic that is destined for the UDM/USG itself.
In
Applies to traffic that is entering the interface (ingress), destined for other networks.
Out
Applies to traffic that is exiting the interface (egress), destined for this network.
For example, firewall rules configured under LAN In will apply to traffic from the LAN (Corporate) network, destined for other networks. Firewall rules configured under LAN Local will apply to traffic from the LAN (Corporate) network, destined for the UDM/USG itself.
In addition to a direction or network type, the firewall rules can also use a state:
new
The incoming packets are from a new connection.
established
The incoming packets are associated with an already existing connection.
related
The incoming packets are new, but associated with an already existing connection.
invalid
The incoming packets do not match any of the other states.
For example, the predefined WAN Local and WAN In firewall rules ensure that outside connection attempts from the Internet cannot access the UDM/USG and the LAN network behind it. However, the UDM/USG and the LAN network can reach destinations on the Internet and the return traffic is allowed back. The predefined WAN Local and WAN In firewall rules are:
Rule Index: 3001
Enabled: Yes
Description: allow established/related sessions (see states above)
Action: Accept
Protocol: All
Type: WAN In and WAN Local
Rule Index: 3002
Enabled: Yes
Description: drop invalid state (see states above)
Action: Drop
Protocol: All
Type: WAN In and WAN Local
Note that there is also a default firewall rule for each network type. In the case of WAN In and WAN Local, the default action is drop. The default rule is not shown in the Network application. See the list below for the different firewall rules and the network types that they apply to:
WAN Network
WAN Local
Applies to IPv4 traffic that is destined for the UDM/USG itself on the WAN network (default drop).
WAN In
Applies to IPv4 traffic that enters the WAN (ingress), destined for other networks (default drop).
WAN Out
Applies to IPv4 traffic that exits the WAN (egress), destined for other networks (default accept).
WAN v6 Local
Applies to IPv6 traffic that is destined for the UDM/USG itself on the WAN network (default drop).
WAN v6 In
Applies to IPv6 traffic that enters the WAN (ingress), destined for other networks (default drop).
WAN v6 Out
Applies to IPv6 traffic that exits the WAN (egress), destined for other networks (default accept).
LAN Network
LAN Local
Applies to IPv4 traffic that is destined for the UDM/USG itself on the LAN network (default accept).
LAN In
Applies to IPv4 traffic that enters the LAN (ingress), destined for other networks (default accept).
LAN Out
Applies to IPv4 traffic that exits the LAN (egress), destined for this network (default accept).
LAN v6 Local
Applies to IPv6 traffic that is destined for the UDM/USG itself on the LAN network (default accept).
LAN v6 In
Applies to IPv6 traffic that enters the LAN (ingress), destined for other networks (default accept).
LAN v6 Out
Applies to IPv6 traffic that exits the LAN (egress), destined for this network (default accept).
Guest Network
Guest Local
Applies to IPv4 traffic that is destined for the UDM/USG itself on the Guest network (default drop). Allows certain services, such as DNS and DHCP.
Guest In
Applies to IPv4 traffic that enters the Guest network (ingress), destined for other networks (default accept). Drops traffic to other LAN (Corporate) networks.
Guest Out
Applies to IPv4 traffic that exits the Guest network (egress), destined for this network (default accept).
Guest v6 Local
Applies to IPv6 traffic that is destined for the UDM/USG itself on the Guest network (default drop). Allows certain services, such as DNS and DHCP.
Guest v6 In
Applies to IPv6 traffic that enters the Guest network (ingress), destined for other networks (default accept). Drops traffic to other LAN (Corporate) networks.
Guest v6 Out
Applies to IPv6 traffic that exits the Guest network (egress), destined for this network (default accept).
Automatically Created Firewall Rules
Besides the predefined firewall rules, the UDM/USG will also automatically add the needed rules when configuring certain features. For example, when adding an L2TP VPN server, the required ports that need to be allowed through the WAN Local firewall are automatically added. When adding a Guest network through the Settings > Networks > Local Networks section, the Guest and Guest v6 rules will be automatically added as well. The rules applying to the Guest network will ensure that guests are able to obtain a DHCP address and are able to reach the Guest Portal for authentication.
Configuring Custom Firewall Rules
Other custom rules can be added by following the steps below. The example adds an ICMP firewall rule to the WAN network that makes the UDM/USG reachable via ping (ICMP Echo Request) from the WAN side.
Follow the steps below to add a custom firewall rule using either the New or Classic Web UI:
New Web UI
1. Navigate to the Settings > Internet Security > Firewall section of the UniFi Network application and select the WAN tab.
2. Select Create New Rule to add a WAN firewall rule.
3. Fill in the fields below:
Type: WAN Local
Description: ICMPv4
Enabled: Checked
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: ICMP
IPv4 ICMP Type Name: Echo Request
Match all protocols except for this: Unchecked
Source: Optional
Destination: Optional
Advanced: Optional
4. Apply the changes.
Classic Web UI
1. Navigate to the Settings > Routing & Firewall > Firewall > WAN LOCAL section.
2. Select Create New Rule to add a WAN firewall rule.
3. Fill in the fields below:
Name: ICMPv4
Enabled: On
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: ICMP
Match all protocols except for this: Unchecked
IPv4 ICMP Type Name: Echo Request
Source: Optional
Destination: Optional
Advanced: Optional
4. Apply the changes.
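The following Python script is an added illustration, not part of this article or of the UniFi software, of three points made above: rule processing in ascending Rule Index order with the first match deciding (Introduction), the predefined WAN Local rules 3001 and 3002 together with the chain's default drop action, and the effect of the custom ICMPv4 rule configured above. The rule index 2000 assigned to the custom rule, the packet representation, and the names of the connection states as used in the dictionaries are assumptions made for the model; the real gateway assigns its own index when a rule is placed "Before Predefined Rules".

```python
"""Toy model of UDM/USG firewall rule evaluation (added example, not UniFi code):
rules in a chain are checked in ascending Rule Index order, the first match
decides, and a packet matching nothing gets the chain's default action."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Rule:
    index: int                          # Rule Index: lower numbers are evaluated first
    description: str
    action: str                         # "accept" or "drop"
    protocol: str = "all"               # "all", "tcp", "udp" or "icmp"
    states: frozenset = frozenset()     # empty set = match any connection state
    icmp_type: Optional[str] = None     # e.g. "echo-request"; None = any ICMP type
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        if not self.enabled:
            return False
        if self.protocol != "all" and pkt["protocol"] != self.protocol:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


@dataclass
class Chain:
    name: str
    default_action: str                 # applied when no rule matches (not shown in the UI)
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> "Chain":
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.index)   # keep Rule Index order
        return self

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        """Return (action, reason) for the first matching rule, else the default."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, f"rule {rule.index} ({rule.description})"
        return self.default_action, "default"


def predefined_wan_local() -> Chain:
    """The WAN Local chain as described in the article: 3001 and 3002 plus default drop."""
    chain = Chain("WAN Local", default_action="drop")
    chain.add(Rule(3001, "allow established/related sessions", "accept",
                   states=frozenset({"established", "related"})))
    chain.add(Rule(3002, "drop invalid state", "drop", states=frozenset({"invalid"})))
    return chain


def pkt(protocol: str, state: str, icmp_type: Optional[str] = None) -> dict:
    # Constructed packet summary: only the fields the model needs.
    return {"protocol": protocol, "state": state, "icmp_type": icmp_type}


def demo() -> dict:
    wan_local = predefined_wan_local()
    results = {}
    # Unsolicited connection attempt from the Internet: nothing matches, default drop.
    results["new_tcp"] = wan_local.evaluate(pkt("tcp", "new"))
    # Return traffic of a session the gateway opened itself: accepted by 3001.
    results["established_tcp"] = wan_local.evaluate(pkt("tcp", "established"))
    # Packets that fit no known connection: dropped explicitly by 3002.
    results["invalid"] = wan_local.evaluate(pkt("tcp", "invalid"))
    # Ping before the custom rule: an echo request opens a new flow, so default drop.
    results["ping_before"] = wan_local.evaluate(pkt("icmp", "new", "echo-request"))
    # Custom ICMPv4 rule applied "Before Predefined Rules"; index 2000 is an
    # assumption of this model, chosen only so that it sorts ahead of 3001.
    wan_local.add(Rule(2000, "ICMPv4", "accept", protocol="icmp", icmp_type="echo-request"))
    results["ping_after"] = wan_local.evaluate(pkt("icmp", "new", "echo-request"))
    # Other ICMP types are not covered by the rule and still hit the default drop.
    results["timestamp"] = wan_local.evaluate(pkt("icmp", "new", "timestamp-request"))
    # Ordering caveat from the Introduction: a drop rule with a lower index than
    # the accept rule matches first, so the accept rule has no effect.
    wan_local.add(Rule(1000, "drop all ICMP", "drop", protocol="icmp"))
    results["ping_shadowed"] = wan_local.evaluate(pkt("icmp", "new", "echo-request"))
    return results


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:16} -> {action:6} via {reason}")
```

Running the script prints one line per scenario; the last line shows that after the lower-indexed drop rule is added, the echo request is dropped by rule 1000 even though the accept rule is still present and enabled, which is exactly the ordering pitfall the Introduction warns about.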
Related Articles
UniFi - UDM/USG Firewall: How to Enable ICMP on the WAN Interface