This article explains where and how to configure firewall rules in the UniFi controller and offers some suggestions for managing the firewall using the UniFi Security Gateway (USG).
The UniFi Security Gateway (USG) offers administrators many useful features to manage their UniFi network, including the ability to create and manage firewall rules that help ensure the security of the network. This guide will explain how to configure firewall rules in the UniFi controller and offer some suggestions for managing the firewall using the USG.
Understanding Firewall Rules in UniFi
The rules are currently grouped by network type in three groups: WAN, LAN, and GUEST. Corporate-type networks defined in the controller use the LAN rules, Guest-type networks the GUEST rules, and WANs defined in the USG Configuration (Devices > Select USG to open Properties panel > Config) use the WAN rules. The same ruleset applies to all the interfaces of that type. That can be somewhat confusing to those accustomed to one ruleset per specific interface, but you can accomplish the same things in either methodology. The IN/OUT/LOCAL approach provides more overall granularity.
Local, In, and Out Rules
Pre-defined LAN, Guest, and WAN Rules
- LAN_IN: The pre-defined rules will allow all outbound traffic without restrictions: LANs to other LANs, LANs to the Internet, even LAN to "Guest" type networks.
- LAN_LOCAL: The pre-defined rules will allow any host on a "Corporate" type network to access services on the USG itself (e.g. SSH, DNS, RADIUS, etc.).
- LAN_OUT: The pre-defined rule will allow all inbound traffic destined to hosts on "Corporate" type networks.
NOTE: Though not visible in the controller, each of the three LAN rulesets has a default action of accept. UniFi admins may have to create a drop rule and place it accordingly for increased security and/or compliance.
- Guest_IN: The pre-defined rules allow the traffic needed for the guest portal to function, but block traffic destined to corporate networks, to all the restricted networks defined in "Guest Control", and to remote user VPN subnets. Everything else (i.e. Internet traffic) is allowed.
- Guest_LOCAL: The pre-defined rules allow DNS, ping, and guest portal redirector traffic destined to the USG itself.
NOTE: Rules are automatically added to GUEST_LOCAL to permit traffic for RADIUS authentication and accounting.
- Guest_OUT: The pre-defined rule will allow all inbound traffic destined to hosts on "Guest" type networks.
NOTE: Though not visible in the controller, the GUEST_IN and GUEST_OUT rulesets have a default action of accept. GUEST_LOCAL has a default action of drop.
- WAN_IN: The pre-defined rules only allow established/related reply traffic (e.g. replies to traffic initiated from an internal network).
NOTE: Rules are automatically added to WAN_IN to permit traffic for configured port forwards.
- WAN_LOCAL: The pre-defined rules only allow established/related traffic inbound to the USG itself.
NOTE: Rules are automatically added to WAN_LOCAL to permit traffic for configured remote user VPN networks.
- WAN_OUT: The pre-defined rule is a hidden default-action of accept.
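To make the ruleset selection, the hidden default actions, and the "place it accordingly" advice concrete, here is a small first-match evaluator modelling the nine rulesets as the article describes them. This is an added example, not UniFi or Ubiquiti code: the interface names (eth0/eth1/eth2), the subnets, the packet fields, and the default action of drop for WAN_IN and WAN_LOCAL (inferred from "only allow established/related") are assumptions made for the illustration.

```python
"""
Toy first-match evaluator for the USG rulesets described in this article.
Added example, not UniFi code. Interface layout, subnets, packet fields and
the WAN default actions are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed layout: eth0 = WAN, eth1 = "Corporate" network, eth2 = "Guest" network.
IFACE_TYPE = {"eth0": "WAN", "eth1": "LAN", "eth2": "GUEST"}
IFACE_NET = {"eth1": ip_network("192.168.1.0/24"),   # corporate (assumed)
             "eth2": ip_network("192.168.2.0/24")}   # guest (assumed)
CORPORATE_NETS = [IFACE_NET["eth1"]]


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "new"            # conntrack state: "new" or "established"
    to_usg: bool = False          # destined to the gateway itself -> *_LOCAL


@dataclass
class Rule:
    name: str
    action: str                   # "accept" or "drop"
    state: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_nets: Optional[List] = None

    def matches(self, pkt: Packet) -> bool:
        if self.state and pkt.state != self.state:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst_nets and not any(ip_address(pkt.dst) in n for n in self.dst_nets):
            return False
        return True


@dataclass
class Ruleset:
    default: str                  # the default action that the controller does not show
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet):
        """First matching rule wins; otherwise the hidden default action applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default, "default"


def predefined_rulesets():
    """Model of the pre-defined rulesets as the article describes them."""
    established = Rule("allow established/related", "accept", state="established")
    return {
        "WAN_IN":      Ruleset("drop", [established]),            # default: assumption
        "WAN_LOCAL":   Ruleset("drop", [established]),            # default: assumption
        "WAN_OUT":     Ruleset("accept"),
        "LAN_IN":      Ruleset("accept", [Rule("allow all", "accept")]),
        "LAN_LOCAL":   Ruleset("accept"),
        "LAN_OUT":     Ruleset("accept"),
        "GUEST_IN":    Ruleset("accept", [Rule("block corporate networks", "drop",
                                               dst_nets=CORPORATE_NETS)]),
        "GUEST_LOCAL": Ruleset("drop", [Rule("allow DNS", "accept", proto="udp", dport=53),
                                        Rule("allow ping", "accept", proto="icmp")]),
        "GUEST_OUT":   Ruleset("accept"),
    }


def egress_iface(dst: str) -> str:
    """Pick the egress interface by destination subnet; anything else goes out the WAN."""
    addr = ip_address(dst)
    for iface, net in IFACE_NET.items():
        if addr in net:
            return iface
    return "eth0"


def decide(rulesets, pkt: Packet):
    """Return (final_action, trace). Forwarded traffic passes <ingress>_IN and then
    <egress>_OUT; traffic for the gateway itself passes only <ingress>_LOCAL."""
    trace = []
    in_type = IFACE_TYPE[pkt.in_iface]
    if pkt.to_usg:
        action, rule = rulesets[f"{in_type}_LOCAL"].evaluate(pkt)
        trace.append((f"{in_type}_LOCAL", rule, action))
        return action, trace
    for name in (f"{in_type}_IN", f"{IFACE_TYPE[egress_iface(pkt.dst)]}_OUT"):
        action, rule = rulesets[name].evaluate(pkt)
        trace.append((name, rule, action))
        if action == "drop":
            break
    return action, trace


def lan_to_guest_after_drop_rule(position: str) -> str:
    """Insert a LAN_IN drop rule for the guest subnet before or after the pre-defined
    allow-all rule and report what happens to LAN -> guest traffic (constructed packet)."""
    rs = predefined_rulesets()
    drop = Rule("drop LAN to guest", "drop", dst_nets=[IFACE_NET["eth2"]])
    idx = 0 if position == "before" else len(rs["LAN_IN"].rules)
    rs["LAN_IN"].rules.insert(idx, drop)
    return decide(rs, Packet("eth1", "192.168.1.10", "192.168.2.20", "tcp", 445))[0]
```

The two calls that matter are `lan_to_guest_after_drop_rule("before")`, which returns `"drop"`, and `lan_to_guest_after_drop_rule("after")`, which returns `"accept"`: because LAN_IN already contains an allow-all rule and first match wins, a drop rule appended below it never fires. The `trace` returned by `decide` shows which ruleset and which rule made the decision, which is the same information you would want when working out why a packet was or was not passed.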