UniFi - How to Disable InterVLAN Routing on the UniFi USG

Overview

This article will go over scenarios on how to block LAN to VLAN2 routing, as well as some other techniques to fine-tune inter-VLAN communication.

NOTES & REQUIREMENTS: USG 4.3.41+ is recommended for this article.

Table of Contents


  1. Introduction
  2. Option 1: Disable interVLAN routing between LAN and VLAN2
  3. Option 2: Block all VLANs to one another
  4. Option 3: Block LAN to VLAN2, but allow VLAN2 to LAN
  5. Related Articles

Introduction

Inter-VLAN routing is enabled by default between all Corporate LAN networks. In this article, blocking LAN to VLAN2 will be demonstrated, as well as some other techniques to fine-tune your inter-VLAN communication on corporate networks.


Option 1: Disable interVLAN routing between LAN and VLAN2

1. To disable inter-VLAN routing between LAN and VLAN2, open the UniFi Controller and go to Settings > Routing & Firewall > Firewall > Rules > LAN_IN [1].

2. Create a new rule that Drops or Rejects [2] the traffic, with the configuration shown below.

Name: to your liking.

Enabled: ON

Rule Applied: before Predefined Rules

Action: Drop or Reject [2]

Protocol: All

Logging: to your liking

States: all unchecked (assumes all states)

Don't match on IPsec packets

Source Type: Network

Network: LAN - NETv4 [3]

Destination Type: Network

Network: VLAN2 - NETv4


Notes

1. LAN_IN is where you want to filter all of your LAN/VLAN traffic, because IN is the first point of entry to the firewall, no matter which interface the traffic arrives on. The OUT ruleset is only needed in rare special cases.

2. "Drop" silently discards the traffic, resulting in a "request timed out" message on the client; "Reject" sends a connection-refused packet back to the client.

3. NETv4 covers the entire network; ADDRv4 only covers the USG's own interface address on that network (e.g. 192.168.1.1-192.168.1.254 vs 192.168.1.1).


Option 2: Block all VLANs to one another

There is a lot of flexibility in how inter-VLAN routing can be blocked. If there is a high number of VLANs and all of them should be blocked from one another, this can be accomplished with a single rule:

Name: to your liking

Enabled: ON

Rule Applied: before Predefined Rules

Action: Drop or Reject [2]

Protocol: All

Logging: to your liking

States: all unchecked

Don't match on IPsec packets

Source Type: Address

Address group: RFC1918

Destination Type: Address

Address group: RFC1918


Using the above rule will block all private-network communication between VLANs; however, same-subnet/VLAN traffic will still be allowed, as expected, because it is never sent to the default gateway (the USG). That traffic traverses the layer 2 network and is forwarded as frames by the switches in between.


Option 3: Block LAN to VLAN2, but allow VLAN2 to LAN

If the objective is to block LAN to VLAN2 but allow VLAN2 to LAN, follow Option 1 first, then create a rule at the top (first rule) of LAN_IN with:

Name: to your liking

Enabled: ON

Rule Applied: before Predefined Rules

Action: Accept

Protocol: Any

Logging: to your liking

States: Established and Related

Don't match on IPsec packets

Source Type: leave blank 

Destination Type: leave blank 


Adding this rule at the top of the ruleset allows all traffic that the stateful firewall already tracks as established or related to pass, which is essentially all "reply" traffic. New connections from VLAN2 to LAN are still accepted by the default routing, while new connections from LAN to VLAN2 are caught by the Option 1 drop rule.

Note:

When adding new rules, take into account that they will not take immediate effect on existing stateful connections. To resolve this, perform one of the following:

  • Wait for the states to fall off (close all connections and wait for the state timeout, which is roughly 30 seconds)
  • SSH to the USG and type clear connection-tracking; this wipes the entire state table of the USG
  • Reboot the USG
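To make the rule-ordering argument in Option 3 concrete, here is an added example that is not part of this article or of Ubiquiti's software: a small Python first-match simulator of the LAN_IN ruleset with a simplified state table. It assumes constructed address ranges for the LAN and VLAN2 networks (the article does not give any), and contrasts the ordering described above with the same two rules reversed.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed addresses for the example; the article names the networks but not their ranges.
LAN = ipaddress.ip_network("192.168.1.0/24")     # "LAN - NETv4"
VLAN2 = ipaddress.ip_network("192.168.2.0/24")   # "VLAN2 - NETv4"

@dataclass
class Rule:
    action: str                       # "accept", "drop" or "reject"
    src: list = None                  # networks, or None for "leave blank" (any)
    dst: list = None
    states: frozenset = frozenset()   # empty = "all unchecked" = matches every state

@dataclass
class Firewall:
    rules: list                                   # top to bottom, first match wins
    conntrack: set = field(default_factory=set)   # tracked flows, direction-agnostic

    def evaluate(self, src_ip, dst_ip):   # one packet: returns its action, updates state
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        flow = frozenset({src, dst})
        state = "established" if flow in self.conntrack else "new"
        action = "accept"   # no rule matched: inter-VLAN routing is allowed by default
        for rule in self.rules:
            if ((rule.src and not any(src in n for n in rule.src))
                    or (rule.dst and not any(dst in n for n in rule.dst))
                    or (rule.states and state not in rule.states)):
                continue
            action = rule.action
            break
        if action == "accept":
            self.conntrack.add(flow)   # an accepted packet creates the state entry
        return action

def option3_firewall():
    """Option 3: accept established/related at the top, then the Option 1 drop rule."""
    return Firewall([
        Rule("accept", states=frozenset({"established", "related"})),
        Rule("drop", src=[LAN], dst=[VLAN2]),
    ])

def misordered_firewall():
    fw = option3_firewall()
    fw.rules.reverse()   # drop rule on top: shows why the accept rule must be first
    return fw

def run_flows(fw):   # LAN->VLAN2 new, VLAN2->LAN new, then the LAN->VLAN2 reply packet
    return (fw.evaluate("192.168.1.10", "192.168.2.20"),
            fw.evaluate("192.168.2.20", "192.168.1.10"),
            fw.evaluate("192.168.1.10", "192.168.2.20"))
```

With the article's ordering the LAN host's reply to a VLAN2-initiated connection is accepted; with the drop rule on top that reply is dropped, so VLAN2 to LAN connections silently fail even though no rule names VLAN2 as the source.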

Related Articles

UniFi - Using VLANs with UniFi Wireless, Routing & Switching Hardware

UniFi - How does VLAN traffic get tagged?