Firewall Zones
How to set up firewall zones in Unifi
Intro
Prerequisites
VLANs are already created and configured like below:
| SSID | VLAN | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| - | 1 | 192.168.1.0/24 | 192.168.1.1 | Default (abandoned) |
| - | 10 | 10.10.10.0/24 | 10.10.10.1 | Management |
| wifi4home | 20 | 10.20.20.0/24 | 10.20.20.1 | Home |
| wifi4work | 30 | 10.30.30.0/24 | 10.30.30.1 | Work |
| wifi4iot | 40 | 10.40.40.0/24 | 10.40.40.1 | IoT |
| wifi4guest | 50 | 10.50.50.0/24 | 10.50.50.1 | Guest |
| - | 60 | 10.60.60.0/24 | 10.60.60.1 | Homelab |
Profiles
Create 4 new Network Object profiles for the firewall policies at /network/default/settings/profiles/network-objects
The first one is called All Gateways and contains the IPv4 gateway of each VLAN:
- 192.168.1.1
- 10.10.10.1
- 10.20.20.1
- 10.30.30.1
- 10.40.40.1
- 10.50.50.1
- 10.60.60.1
The second one is called Unifi Management Ports and contains the ports:
- 443
- 80
- 22
The third one is called RFC1918 and contains all private IP ranges:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
TODO: The fourth one is called Pihole DNS and contains the port
- 53
Firewall Zones
Next, create a new firewall zone for each VLAN at /network/default/settings/security/firewall-zones:
- Default
- Management
- Home
- Work
- IoT
- Guest
- Homelab
Then place each network in its own zone (the Work network goes in the Work firewall zone).
By default this isolates all VLANs from each other and blocks almost everything else, so you are forced to create new rules to open up only what is needed.
Firewall Policies
In short we are after the following:
| VLAN | Purpose | Firewall Policies | TODO |
|---|---|---|---|
| 1 | Default (abandoned) | Isolated, Block Gateways, Block Internet | |
| 10 | Management | Isolated, Block Internet | |
| 20 | Home | Isolated, Block Gateways, mDNS, Allow IoT (Allow Return) | Allow access to IoT (ANY)??? |
| 30 | Work | Isolated, Block Gateways | |
| 40 | IoT | Isolated, Block Gateways, mDNS | Allow Return??? |
| 50 | Guest | Isolated, Block Gateways | |
| 60 | Homelab | Isolated, Block Gateways | |

| Word | Meaning |
|---|---|
| Isolated | Cannot access other VLANs |
| Block Internet | No Internet Access |
| Block Gateways | No access to gateways and unifi management ports |
| mDNS | Enables mDNS reflector, allowing some multicast traffic (specifically, service discovery) to cross VLAN boundaries |
| Allow IoT (Allow Return) | Allow access to everything on IoT network and allow IoT to respond back |
mDNS
Multicast DNS is a UniFi Gateway feature that allows multicast traffic to transmit across different networks.
How does it work? Multicast DNS runs on the UniFi Gateway and forwards multicast traffic from devices between different networks (VLANs). Enable this feature when you use services like AirPlay, AirPrint, or Chromecast across different networks/VLANs.
Allow IoT (Allow Return)
TODO: why is Allow Return needed?
Default
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Default -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
Block Internet:
This is a special case. Usually you can go to Settings -> Networks, select the Default network and uncheck the Allow Internet Access checkbox. But because this is the default network, UniFi will not allow it, since people may lock themselves out if they don't know what they are doing. So instead we need to create a new firewall policy for this.
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Default -> External, then Create Policy and name it Block Internet Access.
Under Source Zone select Network, then select Default from the dropdown and click Save. Leave the rest at default and click Apply.
Management
Next we are going to block all access to the gateways and Unifi management ports for each VLAN except for the Management network. (TODO: should we allow the Home network to access the gateways?) I expect this should force me to connect to the Management VLAN if I want to reach the local Unifi admin panel and change any setting; of course it should still be possible to connect online via the cloud as well.
Block Internet:
This is a special case. Usually you can go to Settings -> Networks, select the Management network and uncheck the Allow Internet Access checkbox, but because we needed to use a firewall policy for the Default network I wanted to do it the same way for Management.
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Management -> External, then Create Policy and name it Block Internet Access.
Under Source Zone select Network, then select Management from the dropdown and click Save. Leave the rest at default and click Apply.
Home
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Home -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
mDNS:
Navigate to Settings -> Networks, click on mDNS, then Edit and add the Home network. You can also navigate to the Home network and toggle on Multicast DNS.
Allow IoT (Allow Return):
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Home -> IoT, then Create Policy and name it Allow access to IoT.
Under Action select Allow, then toggle Auto Allow Return Traffic on. Leave the rest at default and click Apply.
Work
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Work -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
IoT
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on IoT -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
mDNS:
Navigate to Settings -> Networks, click on mDNS, then Edit and add the IoT network. You can also navigate to the IoT network and toggle on Multicast DNS.
Guest
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Guest -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
Homelab
Block Gateways:
Navigate to the firewall matrix at /network/default/settings/security/firewall-zones, click on Homelab -> Gateway, then Create Policy and name it Block Gateways and Unifi Management Ports.
Under Destination Zone select IP, then Object, and select All Gateways from the dropdown. Then under Port select Object and select Unifi Management Ports from the dropdown. Leave the rest at default and click Apply.
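To sanity-check the intended policy matrix from the Firewall Policies table before (or after) clicking through the UI, here is an added offline model of the rules above (example code written for this guide, not UniFi's own evaluation engine). It assumes that zone isolation is the default deny, that the Gateway zone still accepts non-management ports such as DNS/DHCP, and that Auto Allow Return Traffic means IoT may only answer flows Home initiated; those are modelling assumptions, not verified UniFi behaviour.

```python
# Added example: offline model of the zone policy matrix described in this guide.
# Assumptions (not verified against UniFi): explicit policies are checked first,
# the Gateway zone accepts non-management ports, and "Auto Allow Return Traffic"
# only permits replies to flows the Home side initiated (established=True).
from ipaddress import ip_address, ip_network

ZONES = {  # zone name -> VLAN subnet, from the VLAN table above
    "Default": "192.168.1.0/24", "Management": "10.10.10.0/24",
    "Home": "10.20.20.0/24", "Work": "10.30.30.0/24", "IoT": "10.40.40.0/24",
    "Guest": "10.50.50.0/24", "Homelab": "10.60.60.0/24",
}
ALL_GATEWAYS = {"192.168.1.1", "10.10.10.1", "10.20.20.1", "10.30.30.1",
                "10.40.40.1", "10.50.50.1", "10.60.60.1"}   # "All Gateways" object
MGMT_PORTS = {443, 80, 22}                                  # "Unifi Management Ports" object
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_INTERNET = {"Default", "Management"}
BLOCK_GATEWAYS = {"Default", "Home", "Work", "IoT", "Guest", "Homelab"}
ALLOW_WITH_RETURN = {("Home", "IoT")}   # "Allow access to IoT" + Auto Allow Return Traffic

def zone_of(ip):
    """Map an address to its zone; public addresses are 'External', unknown private ones None."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in ip_network(net):
            return name
    return None if any(addr in n for n in RFC1918) else "External"

def evaluate(src, dst, dport, established=False):
    """Return 'allow' or 'block' for one flow under the guide's policy matrix."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "block"                     # address belongs to no configured VLAN
    if dst in ALL_GATEWAYS:                # traffic to the Gateway zone
        if sz in BLOCK_GATEWAYS and dport in MGMT_PORTS:
            return "block"                 # "Block Gateways and Unifi Management Ports"
        return "allow"                     # assumption: DNS/DHCP etc. to the gateway stay open
    if dz == "External":
        return "block" if sz in BLOCK_INTERNET else "allow"   # "Block Internet Access"
    if sz == dz:
        return "allow"                     # same VLAN: not subject to the zone matrix
    if (sz, dz) in ALLOW_WITH_RETURN:
        return "allow"                     # Home -> IoT policy
    if established and (dz, sz) in ALLOW_WITH_RETURN:
        return "allow"                     # IoT replying to a Home-initiated flow
    return "block"                         # zone isolation: everything else denied
```

Running the model over a few flows (for example Work to its own gateway on 443, IoT initiating a connection to Home) shows which paths the matrix is meant to close; compare the results with what you observe after applying the policies.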