UniFi - USG Firewall: How to Disable InterVLAN Routing


Overview


This article reviews three different scenarios for blocking LAN to VLAN2 routing, as well as some other techniques to fine-tune the interVLAN communication.

NOTES & REQUIREMENTS: Applies to our UniFi Security Gateway v4.3.41+. We recommend upgrading to the newest version, downloadable here.

Table of Contents


  1. Introduction
  2. Option 1: Disable interVLAN routing between LAN and VLAN2
  3. Option 2: Block all VLANs to one another
  4. Option 3: Block LAN to VLAN2, but allow VLAN2 to LAN
  5. Related Articles

Introduction



Inter-VLAN routing is enabled by default between all Corporate LAN networks. In this article, blocking LAN to VLAN2 will be demonstrated, as well as some other techniques to fine-tune your inter-VLAN communication on corporate networks.


Option 1: Disable inter-VLAN routing between LAN and VLAN2



1. To disable inter-VLAN routing between LAN and VLAN2, head to the UniFi Controller and go to Settings > Routing & Firewall > Firewall > Rules > LAN IN [1].

2. Create a new rule that Drops or Rejects [2] the traffic, with the configuration shown below.

Name: to your liking.
Enabled: ON
Rule Applied: before Predefined Rules
Action: Drop or Reject [2]
Protocol: All
Logging: to your liking
States: all unchecked (assumes all states)
Don't match on IPsec packets
Source Type: Network
Network: LAN - NETv4 [3]
Destination Type: Network
Network: VLAN2 - NETv4


NOTE:

1. LAN IN is where you want to filter all of your LAN/VLAN traffic, as IN is the first point of entry to the firewall, no matter the interface. The OUT ruleset will only be used in rare special cases.

2. "Drop" will completely drop the traffic resulting in a "request timed out" message on the client; "Reject" will send back a connection refused packet to the client.

3. NETv4 covers the entire network; ADDRv4 covers only the USG's own interface address on that network (e.g. 192.168.1.1-192.168.1.254 vs. 192.168.1.1).


Option 2: Block all VLANs to one another



1. First create a firewall group containing the RFC1918 private address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. This is done in Settings > Routing & Firewall > Firewall > Groups > Create New Group; fill in the group and click Save. See the screenshot below:

2. Still within Firewall Settings, move from the Groups tab to the Rules IPv4 tab, select LAN IN [1] and click Create New Rule, filling in the following configuration data:

CREATE NEW RULE
Name: to your liking
Enabled: ON
Rule Applied: Before Predefined Rules
Action: Drop or Reject [2]
IPv4 Protocol: All

ADVANCED
Logging: to your liking
States: all unchecked
IPsec: Don't match on IPsec packets

SOURCE
Source Type: Address/Port Group
IPv4 Address Group: RFC1918 (the name of the group created in step 1)
Port Group: Any
MAC Address: leave blank

DESTINATION
Destination Type: Address/Port Group
IPv4 Address Group: RFC1918
Port Group: Any

Using the above rule blocks all private-network communication between VLANs. Same-subnet/VLAN traffic is still allowed, as expected, because it is never sent to the default gateway (the USG): the data traverses the layer 2 network as frames forwarded by the switches in between, so the firewall never sees it.


Option 3: Block LAN to VLAN2, but allow VLAN2 to LAN



If the objective is to block LAN to VLAN2 but allow VLAN2 to LAN, follow Option 1 first, then create a rule at the top (first rule) of LAN_IN like the screenshot below. Adding this rule at the top of the ruleset allows all established and related stateful firewall traffic to pass, which is essentially all "reply" traffic: VLAN2 can open connections to LAN, and LAN's replies to those connections are accepted before the drop rule is reached.

Name: to your liking
Enabled: ON
Rule Applied: before Predefined Rules
Action: Accept
Protocol: Any
Logging: to your liking
States: Established and Related
Don't match on IPsec packets
Source Type: leave blank
Destination Type: leave blank

NOTE:
When adding new rules, take into account that they won't take immediate effect on existing stateful connections. To solve this, perform one of the following options:
  • Wait for the states to fall off (close all connections and wait for the state timeout, which is roughly 30 seconds).
  • SSH to the USG and type clear connection-tracking. This wipes the entire state table of the USG.
  • Reboot the USG.
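To see why rule order and the States setting decide the outcome of Options 1, 2 and 3, here is a small first-match model of the LAN IN ruleset with a minimal connection-tracking table. This is an added illustration, not UniFi or USG code; the 192.168.1.0/24 (LAN) and 192.168.2.0/24 (VLAN2) addressing is constructed for the example, and the default verdict stands in for the predefined rules that allow inter-VLAN routing.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                         # "accept", "drop" or "reject"
    src: tuple = ()                     # networks in the source group; () = any (type left blank)
    dst: tuple = ()                     # networks in the destination group; () = any
    states: frozenset = frozenset()     # empty = all states, like leaving every box unchecked

    def matches(self, src, dst, state):
        return ((not self.src or any(src in n for n in self.src))
                and (not self.dst or any(dst in n for n in self.dst))
                and (not self.states or state in self.states))

class LanIn:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()          # accepted flows, stored as (src, dst) pairs

    def packet(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A packet is "established" if either direction of the flow was accepted earlier
        state = "established" if {(src, dst), (dst, src)} & self.conntrack else "new"
        verdict = "accept"              # predefined rules: inter-VLAN routing is on by default
        for rule in self.rules:         # first match wins, exactly like the ruleset order
            if rule.matches(src, dst, state):
                verdict = rule.action
                break
        if verdict == "accept":
            self.conntrack.add((src, dst))
        return verdict

def run(rules, flows):
    fw = LanIn(rules)                   # fresh state table, i.e. after clear connection-tracking
    return [fw.packet(s, d) for s, d in flows]

net = ipaddress.ip_network
LAN, VLAN2 = net("192.168.1.0/24"), net("192.168.2.0/24")     # constructed sample addressing
RFC1918 = (net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16"))
DROP_LAN_TO_VLAN2 = Rule("drop", src=(LAN,), dst=(VLAN2,))                   # Option 1
DROP_ALL_PRIVATE = Rule("drop", src=RFC1918, dst=RFC1918)                    # Option 2
ALLOW_REPLIES = Rule("accept", states=frozenset({"established", "related"}))  # Option 3 top rule
LAN_TO_VLAN2, VLAN2_TO_LAN = ("192.168.1.10", "192.168.2.10"), ("192.168.2.10", "192.168.1.10")

def option1():   # LAN's reply to a VLAN2-initiated flow is still dropped: the rule matches all states
    return run([DROP_LAN_TO_VLAN2], [LAN_TO_VLAN2, VLAN2_TO_LAN, LAN_TO_VLAN2])
def option2():   # private-to-private is dropped, but Internet-bound traffic still passes
    return run([DROP_ALL_PRIVATE], [LAN_TO_VLAN2, ("192.168.1.10", "203.0.113.5")])
def option3():   # established/related rule comes first, so LAN's reply to VLAN2 is accepted
    return run([ALLOW_REPLIES, DROP_LAN_TO_VLAN2], [LAN_TO_VLAN2, VLAN2_TO_LAN, LAN_TO_VLAN2])
```

Each option function returns the verdicts for its packets in order; compare option1 with option3 to see the effect of the established/related rule on the third packet.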

Related Articles



UniFi - USW: Using VLANs with UniFi Wireless, Routing & Switching Hardware

UniFi - VLAN Traffic Tagging

