New Member
Posts: 9
Registered: ‎12-15-2017

Isolate LAN2 on USG

Okay, I've been searching all morning, and I can't find help on how to do this.

 

I've got a USG. No managed switch.  I want to use LAN2 port for a server that I need to give remote access to, but I don't want that server to have access to the corporate network.  Currently I can access resources from LAN1 on LAN 2 and vice versa.  Ideally LAN2 would be totally isolated.  

 

I've tried:

- VLANs (I think because I don't have a managed switch, this won't work)

- Guest network

- Looking at firewall rules, but I don't know enough to feel comfortable messing with our corporate network, without some direction.  I've done a lot of firewall rules but most of it is inbound WAN, not local rules.

 

Any help would be great. I've been searching Google all morning and am pulling my hair out.

 



Accepted Solutions
Ubiquiti Employee
Posts: 781
Registered: ‎02-13-2018
Kudos: 302
Solutions: 115

Re: Isolate LAN2 on USG

Since you don't have a managed switch, you will have to plug the server directly into LAN 2. Otherwise, you will not have control over which hosts receive DHCP offers from the LAN 1 or LAN 2 network, since they need to be untagged.

 

Other than that all you will need are two firewall rules in LAN_IN:

 

Action: Drop

IPv4 Protocol: All

Source: LAN 1 Corporate Network

Destination: LAN 2 Network

 

On your second rule just invert the source and destination. You can either use the LAN 1 corporate network or make a network group and include more networks manually. Up to you if you have more networks on LAN 1. 

 

Let me know if you have any questions about the firewall rules above. 

 

https://help.ubnt.com/hc/en-us/articles/115003173168-UniFi-Introduction-to-USG-Firewall-Rules <-- A helpful guide on firewall rules if you need it. 

 

 

Adam Dipple | Security



All Replies
New Member
Posts: 9
Registered: ‎12-15-2017

Re: Isolate LAN2 on USG

Wow, that was a lot easier than I thought. THANK YOU!

New Member
Posts: 9
Registered: ‎12-15-2017

Re: Isolate LAN2 on USG


Question, is it possible to allow specific ports through? For example, can LAN1 access port 80 at LAN2?

 

I tried deleting the LAN>LAN2 rule but no go. If I delete both it works.

Ubiquiti Employee
Posts: 781
Registered: ‎02-13-2018
Kudos: 302
Solutions: 115

Re: Isolate LAN2 on USG

You sure can allow specific ports through. All you will need is two other rules sitting on top of those rules you made earlier.

Rule #1:
Action: Accept
IPv4 Protocol: TCP
Source: LAN 1 Network
Destination: LAN 2 Network
Port Group: (make a new HTTP port group for port 80)

Rule#2:
Action: Accept
IPv4 Protocol: All
State: Established/Related
Source: LAN 2
Destination: LAN 1

With these two rules, LAN 1 can access LAN 2 with HTTP (port 80). The return traffic is accepted back to LAN 1 from LAN 2 only when traffic is initiated from LAN 1. That's where the states come into play. If you want bi-directional HTTP access then you should not check any of the states.

Which protocols you want to open between the networks will also dictate your IPv4 protocol selection. That's why rule #2 is left so open-ended.
Adam Dipple | Security
New Member
Posts: 9
Registered: ‎12-15-2017

Re: Isolate LAN2 on USG

Thanks, this is great info. I think I'm confused though: when creating rule 1, I can choose a port group OR a network as the destination, but not both. So I can't select both LAN2 and the new port group as the destination.
Ubiquiti Employee
Posts: 781
Registered: ‎02-13-2018
Kudos: 302
Solutions: 115

Re: Isolate LAN2 on USG

I forgot about that part you're talking about there. You will have to create an address group and use that. An address group and port group can be used together. 

Adam Dipple | Security
New Member
Posts: 9
Registered: ‎12-15-2017

Re: Isolate LAN2 on USG

This appears to have worked. I setup 192.168.1.0/24 (lan1) as an address group. Thank you!
New Member
Posts: 4
Registered: ‎03-31-2018

Re: Isolate LAN2 on USG

Hello,

 
I also separated my LAN1 from LAN2 with this firewall rule. That works pretty well.
I still have one problem:
LAN1 192.168.178.1
LAN2 192.168.1.1
 
How can I block access from LAN2 to 192.168.178.1?
New Member
Posts: 9
Registered: ‎02-04-2019

Re: Isolate LAN2 on USG

if this is still relevant:

 

I assume that "LAN Local" would be the place to put a rule "Block ALL from LAN2 to 192.168.178.1" (if this is the IP of the USG).
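The three pieces of advice in this thread (the two LAN_IN drop rules in the accepted answer, the accept rules that must sit above them with Established/Related for the return traffic, and the last reply's point that traffic to the USG's own address is a LAN_LOCAL matter) all come down to first-match rule ordering plus connection state. The following is an added example, not code from the thread or from Ubiquiti: a small Python model of that evaluation, run against the OP's scenarios. It assumes LAN2 is 192.168.2.0/24 with the USG at 192.168.2.1 and 192.168.1.1, that the LAN_IN and LAN_LOCAL rulesets default to accept, and that LAN_IN has no implicit Established/Related rule (consistent with the OP's report that deleting only the LAN1>LAN2 drop did not work). It goes slightly beyond the thread by also modelling the LAN_LOCAL case from the last two posts.

```python
# Added example (not from the thread or Ubiquiti): a first-match, stateful model of
# how the USG walks LAN_IN / LAN_LOCAL rules, to show why the accept rules must sit
# above the drops, why an Established/Related rule is needed for return traffic, and
# why traffic to the USG's own address is a LAN_LOCAL matter. Addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN1 = ipaddress.ip_network("192.168.1.0/24")          # the OP's LAN1 address group
LAN2 = ipaddress.ip_network("192.168.2.0/24")          # assumed LAN2 subnet
USG_ADDRS = {ipaddress.ip_address("192.168.1.1"),       # assumed USG addresses on each LAN
             ipaddress.ip_address("192.168.2.1")}
ACCEPT, DROP = "accept", "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)

    def key(self) -> tuple:
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass(frozen=True)
class Rule:
    action: str
    src: Optional[ipaddress.IPv4Network] = None   # None == any source
    dst: Optional[ipaddress.IPv4Network] = None   # None == any destination
    proto: Optional[str] = None                   # None == "All"
    dport: Optional[int] = None                   # None == any port
    established_related: bool = False             # UniFi "State: Established/Related"


class Firewall:
    """Top-to-bottom first match; default action accept, as assumed for the USG LAN rulesets."""

    def __init__(self, lan_in, lan_local=()):
        self.rulesets = {"LAN_IN": list(lan_in), "LAN_LOCAL": list(lan_local)}
        self.conntrack = set()   # keys of connections accepted in either direction

    def _in_state(self, pkt: Packet) -> bool:
        return pkt.key() in self.conntrack or pkt.reverse().key() in self.conntrack

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return ((rule.src is None or src in rule.src)
                and (rule.dst is None or dst in rule.dst)
                and (rule.proto is None or rule.proto == pkt.proto)
                and (rule.dport is None or rule.dport == pkt.dport)
                and (not rule.established_related or self._in_state(pkt)))

    def process(self, pkt: Packet) -> str:
        # Packets addressed to the USG itself hit LAN_LOCAL; forwarded packets hit LAN_IN.
        name = "LAN_LOCAL" if ipaddress.ip_address(pkt.dst) in USG_ADDRS else "LAN_IN"
        verdict = next((r.action for r in self.rulesets[name] if self._matches(r, pkt)), ACCEPT)
        if verdict == ACCEPT:
            self.conntrack.add(pkt.key())
        return verdict


DROP_LAN1_TO_LAN2 = Rule(DROP, src=LAN1, dst=LAN2)
DROP_LAN2_TO_LAN1 = Rule(DROP, src=LAN2, dst=LAN1)
ALLOW_HTTP = Rule(ACCEPT, src=LAN1, dst=LAN2, proto="tcp", dport=80)        # Adam's rule #1
ALLOW_RETURN = Rule(ACCEPT, src=LAN2, dst=LAN1, established_related=True)   # Adam's rule #2
DROP_LAN2_TO_USG = Rule(DROP, src=LAN2, dst=ipaddress.ip_network("192.168.1.1/32"))  # LAN_LOCAL rule


def http_exchange(lan_in) -> tuple:
    """A LAN1 client opens TCP/80 to a LAN2 server; returns (request verdict, reply verdict)."""
    fw = Firewall(lan_in)
    syn = Packet("192.168.1.50", "192.168.2.10", "tcp", 40000, 80)
    return fw.process(syn), fw.process(syn.reverse())   # SYN, then the server's SYN-ACK


def scenarios() -> dict:
    return {
        "drops only": http_exchange([DROP_LAN1_TO_LAN2, DROP_LAN2_TO_LAN1]),
        "LAN1>LAN2 drop deleted": http_exchange([DROP_LAN2_TO_LAN1]),   # the OP's attempt
        "accepts above drops": http_exchange([ALLOW_HTTP, ALLOW_RETURN, DROP_LAN1_TO_LAN2, DROP_LAN2_TO_LAN1]),
        "accepts below drops": http_exchange([DROP_LAN1_TO_LAN2, DROP_LAN2_TO_LAN1, ALLOW_HTTP, ALLOW_RETURN]),
    }


def lan2_to_usg(lan_in, lan_local) -> str:
    """A LAN2 host connects to the USG's LAN1 address (192.168.1.1 in this model)."""
    return Firewall(lan_in, lan_local).process(Packet("192.168.2.10", "192.168.1.1", "tcp", 40001, 22))


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} request={verdict[0]:6s} reply={verdict[1]}")
    print("LAN2 -> USG with LAN_IN drop only:", lan2_to_usg([DROP_LAN2_TO_LAN1], []))
    print("LAN2 -> USG with LAN_LOCAL drop:  ", lan2_to_usg([DROP_LAN2_TO_LAN1], [DROP_LAN2_TO_USG]))
```

The second scenario reproduces the OP's "no go": the SYN is forwarded because nothing in LAN_IN matches it, but the server's SYN-ACK hits the remaining LAN2>LAN1 drop, so the TCP handshake never completes. Putting the two accept rules below the drops fails for the same first-match reason. The last two calls show why a LAN_IN drop from LAN2 to the LAN1 network does not stop a LAN2 host reaching the USG's own LAN1 address: that packet is evaluated by LAN_LOCAL, where a rule with the USG's address as the destination (an address group in the UniFi GUI, as the thread notes) is needed. The model deliberately ignores ICMP, UDP and the Related half of the state match; it is only meant to show the ordering and state logic behind the GUI rules.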