Overview

Readers will learn how to view and configure firewall rules on the UDM and USG models.

Table of Contents

1. Introduction
2. Predefined WAN, LAN, and Guest Firewall Rules
3. Automatically Created Firewall Rules
4. Configuring Custom Firewall Rules
5. Related Articles

Introduction

The UniFi Dream Machine (UDM) and UniFi Security Gateway (USG) models offer administrators many useful features to manage their UniFi network, including the ability to create and manage firewall rules that help ensure the security of the network. This guide will explain how to configure firewall rules in the UniFi Network Controller and offer some suggestions for managing the firewall settings.

It is important to note that firewall rules are processed based on the Rule Index number. A lower number (top of the list) means that the rule is processed before or after the other rules. When creating a new rule, you can choose to apply it before or after the predefined rules. The rule order is very important when deciding whether certain traffic needs to be blocked/allowed. If a rule that allows a certain type of traffic is added after another rule that drops the same traffic (higher rule index number), the traffic will be still blocked and the rule has no effect.

Predefined WAN, LAN, and Guest Firewall Rules

The predefined firewall rules on the UDM/USG are listed in the    Settings > Internet Security > Firewall section of the New Web UI. 

NOTE: Navigate to the    Settings > Routing & Firewall > Firewall section instead when using the Classic Web UI.

The rules are grouped based on the type of network that they apply to. The following network types are used:

• WAN Contains IPv4 firewall rules that apply to the WAN network.
• LAN Contains IPv4 firewall rules that apply to the LAN (Corporate) network.
• Guest Contains IPv4 firewall rules that apply to the Guest network.
• WAN v6 Contains IPv6 firewall rules that apply to the WAN network.
• LAN v6 Contains IPv6 firewall rules that apply to the LAN (Corporate) network.
• Guest v6 Contains IPv6 firewall rules that apply to the Guest network.

 Besides the network type, the firewall rules also apply to a direction. The following directions are used:

• Local Applies to traffic that is destined for the UDM/USG itself.
• In Applies to traffic that is entering the interface (ingress), destined for other networks.
• Out Applies to traffic that is exiting the interface (egress), destined for this network.

For example, firewall rules configured under LAN In will apply to traffic from the LAN (Corporate) network, destined for other networks. Firewall rules configured under LAN Local will apply to traffic from the LAN (Corporate) network, destined for the UDM/USG itself.

In addition to a direction or network type, the firewall rules can also use a state:

• new The incoming packets are from a new connection.
• established The incoming packets are associated with an already existing connection.
• related The incoming packets are new, but associated with an already existing connection.
• invalid The incoming packets do not match any of the other states.

For example, the predefined WAN Local and WAN In firewall rules ensure that outside connection attempts from the Internet cannot access the UDM/USG and the LAN network behind it. However, the UDM/USG and the LAN network can reach destinations on the Internet and the return traffic is allowed back. The predefined WAN Local and WAN In firewall rules are:

Rule Index: 3001
Enabled: Yes
Description: allow established/related sessions (see states above)
Action: Accept
Protocol: All
Type: WAN In and WAN Local

Rule Index: 3002
Enabled: Yes
Description: drop invalid state (see states above)
Action: Drop
Protocol: All
Type: WAN In and WAN Local

Note that there is also a default firewall rule for each network type. In the case of WAN In and WAN Local, the default action is drop. The default rule is not shown in the Controller UI. See the list below for the different firewall rules and the network types that they apply to:

WAN Network

• WAN Local Applies to IPv4 traffic that is destined for the UDM/USG itself on the WAN network (default drop).
• WAN In Applies to IPv4 traffic that enters the WAN (ingress), destined for other networks (default drop).
• WAN Out Applies to IPv4 traffic that exists the WAN (egress), destined for other networks (default accept).
• WAN v6 Local Applies to IPv6 traffic that is destined for the UDM/USG itself on the WAN network (default drop).
• WAN v6 In Applies to IPv6 traffic that enters the WAN (ingress), destined for other networks (default drop).
• WAN v6 Out Applies to IPv6 traffic that exists the WAN (egress), destined for other networks (default accept).

LAN Network

• LAN Local Applies to IPv4 traffic that is destined for the UDM/USG itself on the LAN network (default accept).
• LAN In Applies to IPv4 traffic that enters the LAN (ingress), destined for other networks (default accept).
• LAN Out Applies to IPv4 traffic that exists the LAN (egress), destined for this network (default accept).
• LAN v6 Local Applies to IPv6 traffic that is destined for the UDM/USG itself on the LAN network (default accept).
• LAN v6 In Applies to IPv6 traffic that enters the LAN (ingress), destined for other networks (default accept).
• LAN v6 Out Applies to IPv6 traffic that exists the LAN (egress), destined for this network (default accept).

Guest Network

• Guest Local Applies to IPv4 traffic that is destined for the UDM/USG itself on the Guest network (default drop). Allows certain services/such as DNS and DHCP.
• Guest In Applies to IPv4 traffic that enters the Guest network (ingress), destined for other networks (default accept). Drops traffic to other LAN (Corporate) networks.
• Guest Out Applies to IPv4 traffic that exists the Guest network (egress), destined for this network (default accept).
• Guest v6 Local Applies to IPv6 traffic that is destined for the UDM/USG itself on the Guest network (default drop). Allows certain services/such as DNS and DHCP.
• Guest v6 In Applies to IPv6 traffic that enters the Guest network (ingress), destined for other networks (default accept). Drops traffic to other LAN (Corporate) networks.
• Guest v6 Out Applies to IPv6 traffic that exists the Guest network (egress), destined for this network (default accept).

Automatically Created Firewall Rules

Besides the predefined firewall rules, the UDM/USG will also automatically add the needed rules when configuring certain features. For example, when adding an L2TP VPN server, the required ports that need to be allowed through the WAN Local firewall are automatically added. When adding a Guest network through the    Settings > Networks > Local Networks section, the Guest and Guest v6 rules will be automatically added as well. The rules applying to the Guest network will ensure that guests are able to obtain a DHCP address and are able to reach the Guest Portal for authentication.

Configuring Custom Firewall Rules

Other custom rules can be added by following the below steps. The example below adds an ICMP firewall rule to the WAN network that allows the UDM/USG to become reachable via ping.

Follow the steps below to add a custom firewall rule using either the New or Classic Web UI:

Type: WAN Local
Description: ICMPv4
Enabled: Checked
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: ICMP
IPv4 ICMP Type Name: Echo Request
Match all protocols except for this: Unchecked
Source: Optional
Destination: Optional
Advanced: Optional

Name: ICMPv4
Enabled: On
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: ICMP
Match all protocols except for this: Unchecked
IPv4 ICMP Type Name: Echo Request
Source: Optional
Destination: Optional
Advanced: Optional

Related Articles

UniFi - UDM/USG Firewall: How to Enable ICMP on the WAN Interface

Intro to Networking - Network Firewall Security