ACL Rules
Access Control Lists (ACLs) are rules applied on UniFi Switches to block (or explicitly allow) specific traffic between devices on the same virtual network (VLAN) or on different VLANs. See Device and Network Isolation for creating these rules automatically.
Requirements
ACLs are supported on all UniFi Switch models with the exceptions listed below. ACLs are not supported on UniFi Gateways or Access Points, even those with integrated switch ports. The following devices do not support ACLs:
- USW-Flex
- USW-Flex-Mini
- US-8
- USW-Industrial
- USW-Ultra
- USW-Ultra-60W
- USW-Ultra-210W
- All UniFi Gateways
- All UniFi Access Points (including In-Wall models)
MAC and IP ACLs
ACL Rules provide customizable options for more advanced blocking scenarios. There are two categories of ACL rules:
- MAC ACL - Layer 2 rules that block or allow traffic between devices inside the same network (VLAN), matched on MAC address.
- IP ACL - Layer 3 rules that block or allow traffic between devices in different networks, matched on IPv4 address, protocol and port.
ACL Rules are evaluated in order from top to bottom, and the first rule that matches the traffic is applied. If specific traffic must be allowed despite a more general block rule, create the allow rule first and place it above the block rule. Be especially careful with block rules from source Any to destination Any: create and verify the allow rules before adding such a rule, because everything not explicitly allowed above it will be blocked as soon as it is saved.
Note: MAC ACLs are evaluated before IP ACLs, and MAC ACLs cannot be added to networks used to manage UniFi devices.
MAC ACL Rules can be configured to:
- Block or allow traffic
- Apply to all or specific switches
- Apply to a VLAN
- Match source devices or MAC addresses
- Match destination devices or MAC addresses
- Match only part of a MAC address by specifying a netmask (for example, the first three octets to match every device from one vendor OUI)
Note: Exercise caution when adding MAC ACLs. A block rule from source Any to destination Any with no allow rules above it blocks all communication from clients on that VLAN, including their traffic to the gateway.
IPv4 ACL Rules can be configured to:
- Block or allow traffic
- Apply to all or specific switches
- Match on all or specific protocols
- Match source networks or specific IPv4 addresses
- Match destination networks or specific IPv4 addresses
- Match a specific UDP/TCP port
Note: Exercise caution when adding IP ACLs if Remote Adoption is used, that is, if UniFi devices are adopted by a Cloud Key or Network Server located in a different local network. A block rule that covers the traffic between those two networks will cut off all communication between the UniFi devices and the UniFi Network Application, so add an allow rule for that management traffic above any such block rule.
MAC ACL Example
In this scenario, a UniFi Gateway and client devices are present on the Employees network. This set of three MAC ACLs isolates the clients from each other while keeping their path to the gateway intact:
- Allow clients to communicate with the UniFi Gateway (and therefore reach the internet).
- Block clients from communicating with each other.
Note that the two allow rules match only frames whose source or destination is the gateway's unicast MAC address. Broadcast frames such as ARP requests and DHCP Discover are addressed to ff:ff:ff:ff:ff:ff rather than to the gateway, so after applying the rules, verify that clients can still resolve the gateway's address and obtain DHCP leases.
Rule 1 - Allow traffic from the UniFi Gateway to all devices on the Employees network.
- Action: Allow
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: MAC Address
- Source: ab:cd:ef:12:34:56 (UniFi Gateway's MAC address)
- Destination Type: Any
Rule 2 - Allow traffic from all devices on the Employees network to the UniFi Gateway.
- Action: Allow
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: Any
- Destination Type: MAC Address
- Destination: ab:cd:ef:12:34:56 (UniFi Gateway's MAC address)
Rule 3 - Block all other traffic on the Employees network.
- Action: Block
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: Any
- Destination Type: Any
IP ACL Example
In this scenario, regular client devices are present on the Default network and an IoT network contains other client devices. This set of two IP ACLs blocks all traffic, in both directions, between the Default and IoT networks. Two rules are needed because each rule matches only one direction of traffic. Devices on either network can still reach the internet, because only the other local network is listed as the destination.
Rule 1 - Block traffic from all devices on the Default network to the IoT network.
- Action: Block
- Switch: All Switches
- Protocol: All
- Source Type: Network
- Source: Default
- Destination Type: Network
- Destination: IoT
Rule 2 - Block traffic from all devices on the IoT network to the Default network.
- Action: Block
- Switch: All Switches
- Protocol: All
- Source Type: Network
- Source: IoT
- Destination Type: Network
- Destination: Default
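To make the top-to-bottom evaluation, the MAC netmask and the two examples above concrete, here is an added Python model of a first-match ACL evaluator. It is example code written for this page, not UniFi software, and it models the switch behaviour under stated assumptions: rules are evaluated in order, the first matching rule decides, and traffic matching no rule is forwarded. The gateway MAC ab:cd:ef:12:34:56 is the one from the MAC ACL example; the client MACs and the subnets 192.168.1.0/24 (Default) and 192.168.20.0/24 (IoT) are constructed for the example. It also goes beyond the page in two places, both labelled in the code: a netmask rule that blocks a whole vendor OUI, and a port-specific allow rule placed above the IoT block rules.

```python
# Toy first-match evaluator for UniFi-style MAC and IPv4 ACL rules (added example, not UniFi code).
# Assumptions: rules are evaluated top to bottom, the first match decides, unmatched traffic is forwarded.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None                            # "Any" / "All" in the UniFi UI
FULL_MASK = "ff:ff:ff:ff:ff:ff"       # compare the whole MAC address
OUI_MASK = "ff:ff:ff:00:00:00"        # compare only the vendor prefix

def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def mac_match(value: Optional[str], mask: str, mac: str) -> bool:
    """Any matches everything; otherwise only the bits selected by mask must agree."""
    if value is ANY:
        return True
    m = mac_int(mask)
    return mac_int(mac) & m == mac_int(value) & m

@dataclass
class MacRule:
    action: str                       # "allow" or "block"
    src: Optional[str] = ANY          # source MAC, or Any
    dst: Optional[str] = ANY          # destination MAC, or Any
    src_mask: str = FULL_MASK
    dst_mask: str = FULL_MASK
    def matches(self, frame: dict) -> bool:
        return (mac_match(self.src, self.src_mask, frame["src"])
                and mac_match(self.dst, self.dst_mask, frame["dst"]))

@dataclass
class IpRule:
    action: str
    src: Optional[str] = ANY          # source network (CIDR), or Any
    dst: Optional[str] = ANY          # destination network (CIDR), or Any
    protocol: Optional[str] = ANY     # "tcp", "udp", "icmp", or All
    port: Optional[int] = ANY         # destination TCP/UDP port, or Any
    def matches(self, pkt: dict) -> bool:
        if self.src is not ANY and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not ANY and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol is not ANY and pkt["proto"] != self.protocol:
            return False
        return self.port is ANY or pkt.get("dport") == self.port

def evaluate(rules, packet: dict, default: str = "allow") -> str:
    """Action of the first matching rule; the default models unmatched traffic being forwarded."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# MAC ACL example from the page. The gateway MAC is the page's; client MACs are constructed.
GATEWAY, BROADCAST = "ab:cd:ef:12:34:56", "ff:ff:ff:ff:ff:ff"
CLIENT_A, CLIENT_B = "00:11:22:33:44:55", "00:11:22:aa:bb:cc"
EMPLOYEES_MAC_ACL = [
    MacRule("allow", src=GATEWAY),    # Rule 1: gateway -> any
    MacRule("allow", dst=GATEWAY),    # Rule 2: any -> gateway
    MacRule("block"),                 # Rule 3: everything else on the VLAN
]
EMPLOYEE_FRAMES = {
    "client_to_gateway": {"src": CLIENT_A, "dst": GATEWAY},
    "gateway_to_client": {"src": GATEWAY, "dst": CLIENT_A},
    "client_to_client": {"src": CLIENT_A, "dst": CLIENT_B},
    "client_broadcast": {"src": CLIENT_A, "dst": BROADCAST},  # ARP request / DHCP Discover
}

def mac_example(rules=EMPLOYEES_MAC_ACL) -> dict:
    return {name: evaluate(rules, f) for name, f in EMPLOYEE_FRAMES.items()}

def mac_example_misordered() -> dict:
    """Block rule placed first: the allow rules below it are never reached."""
    return mac_example([EMPLOYEES_MAC_ACL[2], EMPLOYEES_MAC_ACL[0], EMPLOYEES_MAC_ACL[1]])

def oui_example() -> dict:
    """Netmask generalization (not on the page): block every source whose first three octets are 00:11:22."""
    return mac_example([MacRule("block", src="00:11:22:00:00:00", src_mask=OUI_MASK)])

# IP ACL example from the page. The subnets for Default and IoT are constructed.
DEFAULT_NET, IOT_NET = "192.168.1.0/24", "192.168.20.0/24"
ISOLATION_IP_ACL = [
    IpRule("block", src=DEFAULT_NET, dst=IOT_NET),  # Rule 1: Default -> IoT
    IpRule("block", src=IOT_NET, dst=DEFAULT_NET),  # Rule 2: IoT -> Default
]
IP_PACKETS = {
    "default_to_iot": {"src": "192.168.1.10", "dst": "192.168.20.5", "proto": "tcp", "dport": 80},
    "iot_to_default": {"src": "192.168.20.5", "dst": "192.168.1.10", "proto": "udp", "dport": 53},
    "default_to_internet": {"src": "192.168.1.10", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    "mqtt_to_iot": {"src": "192.168.1.10", "dst": "192.168.20.5", "proto": "tcp", "dport": 1883},
}

def ip_example(rules=ISOLATION_IP_ACL) -> dict:
    return {name: evaluate(rules, p) for name, p in IP_PACKETS.items()}

def ip_example_with_exception() -> dict:
    """Generalization (not on the page): a port-specific allow placed above the block rules."""
    mqtt = IpRule("allow", src=DEFAULT_NET, dst=IOT_NET, protocol="tcp", port=1883)
    return ip_example([mqtt] + ISOLATION_IP_ACL)
```

Running mac_example() gives allow for client-to-gateway and gateway-to-client, block for client-to-client, and block for the broadcast frame, which is why the MAC ACL example asks you to verify ARP and DHCP after applying the rules. mac_example_misordered() puts the Any-to-Any block rule first and blocks every frame, which is the failure the ordering note warns about. ip_example() blocks both directions between Default and IoT while leaving Default-to-internet alone; ip_example_with_exception() shows that an allow for one TCP port only takes effect when it sits above the block rules.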