UniFi - Introduction to USG Firewall Rules

Overview


This article explains where and how to configure firewall rules in the UniFi controller and offers some suggestions for managing the firewall using the UniFi Security Gateway (USG).


Table of Contents


1. Introduction

2. Understanding Firewall Rules in UniFi

2.1 Local, In and Out Rules

2.2 Default LAN, WAN and Guest Rules

2.3 Other Considerations

3. Related Articles


Introduction



The UniFi Security Gateway (USG) offers administrators many useful features to manage their UniFi network, including the ability to create and manage firewall rules that help ensure the security of the network. This guide will explain how to configure firewall rules in the UniFi controller and offer some suggestions for managing the firewall using the USG.


Understanding Firewall Rules in UniFi



To configure firewall rules in the UniFi controller, open the controller and go to Settings > Routing & Firewall > Firewall.

The rules are grouped by network type into three groups: WAN, LAN, and GUEST. Corporate-type networks defined in the controller use the LAN rules, Guest-type networks use the GUEST rules, and WANs defined in the USG configuration (Devices > select the USG to open its Properties panel > Config) use the WAN rules. One ruleset applies to every interface of a given type, so a LAN IN rule applies to every Corporate network and VLAN, not just one of them. That can be confusing if you are used to one ruleset per interface, but the same results can be achieved either way: when only one network of a type should be affected, restrict the rule by source and destination network. Within each group the rules are further split by direction into IN, OUT and LOCAL, which is where most of the granularity comes from.

Local, In and Out Rules



The LOCAL rules apply to traffic destined to the USG's own interface addresses. For instance, if the LAN interface is 192.168.1.1/24, traffic from a 192.168.1.x host to 192.168.1.1 itself (such as DNS queries answered by the USG) has the LAN LOCAL rules applied.
 
The IN rules apply to traffic entering the interface(s) in question and destined out a different interface. LAN IN, for example, applies to traffic initiated by hosts on your LAN that is destined to any other network: most often the Internet, but also traffic routed between VLANs or between LAN and LAN2.
 
The OUT rules apply to traffic leaving the interface(s) in question. The default OUT rules allow all traffic out; filtering should be done in the IN direction. There is no point in passing traffic on the IN path only to block it on the OUT path: drop unwanted traffic as early as possible so it does not consume more resources than necessary. In rare edge cases an OUT rule may suit a specific goal better (for example, a rule that must apply to traffic reaching a network no matter which interface it arrived on), but 99% of the time the IN ruleset is the right place.
 
For direction, think of it from the perspective of the USG. IN is traffic entering the interface that is destined to leave via a different interface. LOCAL is traffic entering the interface that is destined to one of the USG's own interface addresses. OUT is traffic leaving the interface, destined to a device on that interface's network.
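To make the direction rules concrete, the following added example (not code from this article or from Ubiquiti) models a USG with one WAN, two Corporate networks and one Guest network and reports which ruleset(s) a packet is evaluated against. The interface names, addresses and sample packets are constructed for illustration; the one simplification is that traffic between two hosts on the same subnet is reported as hitting no ruleset, because it is switched rather than routed and never crosses the USG.

```python
"""Which USG ruleset(s) a packet hits, by ingress interface and destination.

Added example, not from the UniFi article. The interface table below is
constructed: interface names, addresses and network types are assumptions.
"""
import ipaddress

# Constructed interface table. "type" is the network type the controller
# assigns to the interface, which selects the ruleset group (WAN, LAN, GUEST).
INTERFACES = {
    "eth0":    {"type": "WAN",   "addr": ipaddress.ip_interface("203.0.113.2/30")},
    "eth1":    {"type": "LAN",   "addr": ipaddress.ip_interface("192.168.1.1/24")},
    "eth1.10": {"type": "LAN",   "addr": ipaddress.ip_interface("192.168.10.1/24")},
    "eth1.20": {"type": "GUEST", "addr": ipaddress.ip_interface("192.168.20.1/24")},
}


def egress_interface(dst):
    """Pick the interface whose network contains dst; anything else goes to the WAN."""
    dst = ipaddress.ip_address(dst)
    for name, iface in INTERFACES.items():
        if iface["type"] != "WAN" and dst in iface["addr"].network:
            return name
    return next(name for name, iface in INTERFACES.items() if iface["type"] == "WAN")


def rulesets_for(ingress, dst):
    """Return the ordered list of rulesets the USG applies to a packet.

    LOCAL: destination is one of the USG's own interface addresses, so only
           the ingress type's LOCAL ruleset applies.
    IN:    destination is beyond the USG; evaluated on the ingress interface.
    OUT:   the same packet is then evaluated on the egress interface.
    Same-subnet traffic never reaches the USG and hits no ruleset.
    """
    dst_ip = ipaddress.ip_address(dst)
    in_iface = INTERFACES[ingress]
    in_type = in_iface["type"]
    if any(dst_ip == iface["addr"].ip for iface in INTERFACES.values()):
        return [f"{in_type}_LOCAL"]
    if dst_ip in in_iface["addr"].network:
        return []  # switched within the subnet, not routed
    out_type = INTERFACES[egress_interface(dst)]["type"]
    return [f"{in_type}_IN", f"{out_type}_OUT"]


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, destination).
    for ingress, dst in [("eth1", "192.168.1.1"), ("eth1", "8.8.8.8"),
                         ("eth1", "192.168.10.20"), ("eth1.20", "192.168.1.50"),
                         ("eth0", "192.168.1.50"), ("eth1", "192.168.1.60")]:
        print(f"{ingress:8} -> {dst:15} {rulesets_for(ingress, dst)}")
```

Two results are worth noticing: LAN to VLAN 10 traffic (eth1 to 192.168.10.20) is evaluated against LAN_IN and then LAN_OUT, because both networks are Corporate type and share the LAN rulesets; and a host reaching the USG's WAN address from the LAN still hits LAN_LOCAL, because LOCAL is selected by the ingress interface type, not by which of the USG's addresses is targeted.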

Default LAN, WAN and Guest Rules



The default LAN rules allow all traffic everywhere with no restrictions: LANs to other LANs, LANs to the Internet, everything is permitted. Note that this includes routing between VLANs; if Corporate networks need to be segmented from each other, that must be added explicitly.

The default GUEST rules allow DNS, ping, and traffic to the guest portal redirector on the USG itself via GUEST LOCAL. GUEST IN allows the traffic needed for the guest portal to function, blocks traffic destined to Corporate networks, to any restricted subnets defined in Guest Control, and to remote user VPN subnets, and allows everything else (which in practice means Internet traffic).

Default WAN IN allows only established/related reply traffic (for example, replies to connections initiated from an internal network); unsolicited connections from the Internet are dropped. When a port forward is configured, a rule permitting that traffic is added to WAN IN automatically, so every port forward is also an opening in the WAN IN policy and should be reviewed as such.

Other Considerations



When you create a new rule, you must decide whether to place it before or after the predefined rules, and the first matching rule wins: once a rule matches, the rest of the ruleset is not consulted. If you place a rule after a predefined rule that already matches the traffic you are targeting, your rule will never be reached. In particular, "block" or "drop" rules on LAN IN must always sit above the predefined rules, since the predefined "allow" rules match everything. The same applies to any ruleset whose predefined rules end in an allow-all.
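The following added example (not code from this article or from Ubiquiti) models first-match-wins evaluation and exercises the ordering point above together with the default behaviour described in the previous section: a user drop rule appended after the predefined LAN IN allow never fires, the same rule placed before it does, the default GUEST IN rules drop guest-to-corporate traffic before the trailing allow-all, and WAN IN drops a new inbound connection while accepting a reply and a port-forwarded connection. The predefined rules are simplified from the article's description, and every address, port, rule name and sample packet is constructed for illustration.

```python
"""First-match-wins evaluation of USG rulesets.

Added example, not code from the UniFi article. Predefined rules are a
simplification of the article's description of the defaults; addresses,
ports, rule names and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_STATES = frozenset({"new", "established", "related"})
REPLIES = frozenset({"established", "related"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None        # None matches any destination port
    states: frozenset = ALL_STATES     # connection-tracking states matched

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or pkt.get("dport") == self.dport)
                and pkt["state"] in self.states)


def evaluate(ruleset, pkt):
    """Return (action, rule name) for the first rule matching pkt.

    Rules after the first match are never consulted; a packet matching
    nothing falls through to the ruleset's default action.
    """
    for rule in ruleset["rules"]:
        if rule.matches(pkt):
            return rule.action, rule.name
    return ruleset["default"], "default-action"


CORPORATE = ipaddress.ip_network("192.168.1.0/24")
VLAN10 = ipaddress.ip_network("192.168.10.0/24")

# Simplified predefined rules, following the article's description.
PREDEFINED_LAN_IN = Rule("predefined: allow all", "accept")
PREDEFINED_GUEST_IN = (
    Rule("predefined: drop guest -> corporate", "drop", dst=CORPORATE),
    Rule("predefined: allow all else", "accept"),
)
PREDEFINED_WAN_IN = Rule("predefined: allow established/related", "accept",
                         states=REPLIES)

# A rule an administrator might add to keep the corporate LAN out of VLAN 10.
USER_BLOCK_VLAN10 = Rule("user: drop LAN -> VLAN10", "drop",
                         src=CORPORATE, dst=VLAN10)

# What a port forward of tcp/443 to 192.168.1.10 adds to WAN_IN (constructed;
# matched on the post-DNAT destination, as the forward chain sees it).
PORT_FORWARD_443 = Rule("auto: port forward 443 -> 192.168.1.10", "accept",
                        dst=ipaddress.ip_network("192.168.1.10/32"), dport=443)


def lan_in(before=(), after=()):
    """Build LAN_IN with user rules placed before and/or after the predefined allow."""
    return {"default": "accept", "rules": [*before, PREDEFINED_LAN_IN, *after]}


GUEST_IN = {"default": "accept", "rules": list(PREDEFINED_GUEST_IN)}
WAN_IN = {"default": "drop", "rules": [PREDEFINED_WAN_IN, PORT_FORWARD_443]}

# Constructed sample packets: source, destination, destination port, state.
LAN_TO_VLAN10 = {"src": "192.168.1.50", "dst": "192.168.10.20", "dport": 22, "state": "new"}
GUEST_TO_LAN = {"src": "192.168.20.5", "dst": "192.168.1.50", "dport": 445, "state": "new"}
GUEST_TO_INTERNET = {"src": "192.168.20.5", "dst": "198.51.100.7", "dport": 443, "state": "new"}
INTERNET_SCAN = {"src": "198.51.100.7", "dst": "192.168.1.50", "dport": 22, "state": "new"}
INTERNET_REPLY = {"src": "198.51.100.7", "dst": "192.168.1.50", "dport": 51000, "state": "established"}
INTERNET_TO_FORWARD = {"src": "198.51.100.7", "dst": "192.168.1.10", "dport": 443, "state": "new"}

if __name__ == "__main__":
    print("block after allow :", evaluate(lan_in(after=[USER_BLOCK_VLAN10]), LAN_TO_VLAN10))
    print("block before allow:", evaluate(lan_in(before=[USER_BLOCK_VLAN10]), LAN_TO_VLAN10))
    print("guest -> LAN      :", evaluate(GUEST_IN, GUEST_TO_LAN))
    print("guest -> Internet :", evaluate(GUEST_IN, GUEST_TO_INTERNET))
    print("WAN new connection:", evaluate(WAN_IN, INTERNET_SCAN))
    print("WAN reply         :", evaluate(WAN_IN, INTERNET_REPLY))
    print("WAN port forward  :", evaluate(WAN_IN, INTERNET_TO_FORWARD))
```

The first two lines of output are the point of this section: the same drop rule is silently dead when it sits below the predefined allow-all and only takes effect when moved above it. The WAN IN lines show why the default is safe against unsolicited inbound traffic and why each port forward deserves the same scrutiny as a hand-written allow rule.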
 
If you wish to configure firewall rules to block inter-VLAN routing, take a look at our UniFi - How to Disable InterVLAN Routing on the UniFi USG article.

Related Articles



UniFi - How to Disable InterVLAN Routing on the UniFi USG