10-25-2016 11:39 AM
I've got a full Unifi stack (USG Pro 4, two (2) 24P-250W switches and several UAP-AC-PROs) and have been able to configure all the necessary networks/VLANs and WLANs easily in the new controller. One thing that I've noticed though is that when I connect to a specific WLAN or switch port that is set to be a particular VLAN, I can still ping and see addresses in other VLANs. My question is this:
Using the new Controller firewall GUI, what rules do I need to create (and in which area, i.e. LAN IN, LAN Local, etc.) to isolate these VLANs from seeing one another? I thought, natively, that the VLANs would already be segregated from traffic, but that does not seem to be the case.
This is for a retail production environment that will have public wifi, management, employees, POS (point of sale) and surveillance all on separate VLANs, so I need to be able to keep them from seeing one another. The public wifi is easy, as the guest policies enabled on the WLAN take care of it for me. It is the other networks that I need help with in terms of firewall rules via the GUI. I am not familiar with using the CLI and am looking exclusively for answers on how to do this in the new Firewall GUI introduced in version 5.1.x of the Controller.
Thank you for your time!
10-25-2016 11:43 AM
I'm working on the same thing right now. I'm not sure if this will work the way I want it to, but I'm making an address group called "All" and dropping All -> All under the LAN IN section. If someone could chime in on this further to correct it, if wrong, it would be great.
10-25-2016 03:56 PM
11-04-2016 07:15 PM
I hope this thread doesn't die. I am looking for EXACTLY the same information as the OP. If anyone can shed some light on what the different rule types are (e.g. guest in, guest local, guest out, lan in, lan local, lan out, wan in, and wan local), that would be awesome. Some of them are obvious, like WAN IN, but which one would I use for controlling traffic between corporate VLANs? I would think it would be LAN LOCAL, but I made a rule to completely deny all traffic between two corporate networks, and I could still access a DNS server on the supposedly restricted VLAN.
11-04-2016 11:22 PM
So, the official line from Ubiquiti is that, because this feature is beta, there is no existing documentation or support available for administering rules via the controller UX. Having said that, being the stubborn person I am, I was determined to solve this issue and managed to find a solution that seems to work.
• All rules should be created in LAN IN and be sorted "before" all other rules (sorting them in "after" priority causes them to be ignored)
• Creating pre-made "groups" in the firewall UX (Routing & Firewall -> Firewall -> Groups) causes the rules to fail for whatever reason. Entries within the group are ignored. Create a "group" on the fly when drafting the rules (explained below).
• Using "Network" in the source and destination sections never seemed to work and the rule went unenforced. No idea why.
Here's what I did (this assumes you have all your networks created already):
• Routing & Firewall -> Firewall -> Rules -> LAN IN
• Create a new rule, title it something like "DROP 10.0.0.0 to 10.0.1.0" or "ISOLATE LAN to Mgmt"
• Rule Applied: "before predefined rules"
• Action: Drop
• Protocol: All
• Under source, choose source type "address/port group"
• click "create new group"
• label it something referring to the first ipv4 scope (10.0.0.0) (ie: "network - LAN")
• Type: address
• Address: use CIDR notation for the network (ie: 10.0.0.0/24)
• save group
• Under destination, choose source type "address/port group"
• click "create new group"
• label it something referring to the second ipv4 scope (10.0.1.0) (ie: "network - Mgmt")
• Type: address
• Address: use CIDR notation for the network (ie: 10.0.1.0/24)
• save group
• save rule
Repeat this for each VLAN to VLAN isolation that you need. For instance, I have 4 networks. LAN, Mgmt, Point of Sale and Public Access. So, I have rules blocking LAN to Mgmt, Mgmt to LAN, Mgmt to PoS, PoS to LAN, PoS to Mgmt and then Public takes care of itself with the integrated guest policies (said policies institute isolation already).
NOTE: Once you've created the "address group" with CIDR notation on-the-fly the first time, you can then repurpose it when creating subsequent rules.
Let your USG reprovision after each rule save and isolation should be working effectively now.
11-08-2016 01:41 PM
I have my VLANs isolated (I found that using the NETv4 setting in Network for source and destination worked without having to make a group), but now I want to allow a connection to one device on the LAN (a large format printer).
I added another rule above the rule that drops traffic from one network to another. I set the source to the VLAN I want to have access to the printer (VLAN_10) and I set the destination to a group with the IP Address of my computer for testing purposes. I still can't ping from the VLAN to my computer while I could before adding the blocking rules.
Has anyone had success doing this? Anyone had success adding a single IP Address to a group? I am not sure how it is supposed to work so I just put in the IP as usual (192.168.10.100). Not sure if there is some other information that is necessary or not.
04-24-2017 09:43 AM - edited 04-24-2017 09:51 AM
1. go to settings > routing & firewall > firewall > groups.
2. Create a group. Name it "printers". Put in the address of your printers; it could be a range, a subnet or an IP.
3. Click save
4. Go to rules. Pick LAN IN.
5. Create a rule.
6. Name it allow printers.
7. Under rule applied, choose before predefined rules.
8. Under actions, choose accept.
9. Under destination, select printers.
10. Click save.
04-25-2017 10:42 AM
This did not work. Something is wrong with the USG honoring "Allow" rules when they are placed before the "Deny" rules in the firewall.
06-04-2017 02:06 PM
I have Controller 5.4.16
I am trying to do the same sort of isolation, except between WAN and VLANs: I want to isolate one VLAN from the WAN/Internet (cannot use the guest portal). I tried the existing post, except substituting the idea into WAN IN, with no luck. Your examples work fine VLAN to VLAN. Cannot get WAN to a specific VLAN to work. Thoughts?
06-13-2017 06:44 PM - edited 06-13-2017 11:04 PM
@gpoole83- Did you ever find a solution to the USG not honouring Accept rules that are placed before Drop rules? I have the same issue.
Edit: My mistake, I figured out that my rule wasn't correct.
06-14-2017 10:27 AM - edited 06-14-2017 10:27 AM
I had the rules set up incorrectly. The source port is random, so it needs to be all possible ports.
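The rule walk behind the three posts above (the pairwise drop rules in the 11-04-2016 post, the "allow printers" rule placed before them in the 04-24-2017 steps, and the source-port mistake explained in the 06-14-2017 post), written out as a small evaluator. This is an added example, not Ubiquiti code or anything from the thread: it models first-match-wins evaluation of user rules placed "before predefined rules", with the chain's default action (accept on LAN_IN) applied when nothing matches, and groups as lists of CIDR prefixes or single hosts, which is what the GUI's address groups hold. Connection tracking (return traffic) is not modelled. The PoS prefix (10.0.2.0/24), the printer host (10.0.0.50), the print port 9100 and the sample packets are constructed; the posts only give 10.0.0.0/24 and 10.0.1.0/24.

```python
"""Walk a LAN_IN rule set the way the posts describe it (constructed model)."""
import ipaddress
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0          # source port; clients pick one at random
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    src_nets: tuple = ()               # CIDR strings; empty means any source
    dst_nets: tuple = ()               # CIDR strings; empty means any destination
    sports: frozenset = frozenset()    # empty means any source port
    dports: frozenset = frozenset()    # empty means any destination port
    proto: str = "all"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.sports and pkt.sport not in self.sports:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return in_nets(pkt.src, self.src_nets) and in_nets(pkt.dst, self.dst_nets)


def in_nets(ip: str, nets: tuple) -> bool:
    """Empty group matches anything; otherwise any prefix in the group."""
    addr = ipaddress.ip_address(ip)
    return not nets or any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(rules, pkt: Packet, default: str = "accept"):
    """Return (action, rule name) of the first matching rule, else the chain default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


# Address groups as created on the fly in the GUI. PoS prefix and the
# printer host are assumptions for this example.
GROUPS = {
    "LAN":      ("10.0.0.0/24",),
    "Mgmt":     ("10.0.1.0/24",),
    "PoS":      ("10.0.2.0/24",),
    "printers": ("10.0.0.50",),        # a single host behaves as a /32
}


def drop_between(src: str, dst: str) -> Rule:
    return Rule(f"DROP {src} to {dst}", "drop", GROUPS[src], GROUPS[dst])


# The five pairwise drop rules listed in the 11-04-2016 post, in order.
ISOLATION = [drop_between(a, b) for a, b in
             [("LAN", "Mgmt"), ("Mgmt", "LAN"), ("Mgmt", "PoS"),
              ("PoS", "LAN"), ("PoS", "Mgmt")]]


def uncovered_pairs(rules, networks=("LAN", "Mgmt", "PoS")):
    """Ordered network pairs whose traffic no rule drops (audit helper)."""
    uncovered = []
    for a, b in permutations(networks, 2):
        probe = Packet(str(ipaddress.ip_network(GROUPS[a][0])[1]),
                       str(ipaddress.ip_network(GROUPS[b][0])[1]))
        if evaluate(rules, probe)[0] == "accept":
            uncovered.append((a, b))
    return uncovered


# Allow rule for the printer placed before the drops. The first version also
# pins the *source* port to 9100: the client's source port is ephemeral, so
# that rule never matches and the drop rule behind it wins. The second only
# constrains the destination port, which is the fix the 06-14-2017 post gives.
ALLOW_PRINTER_WRONG = Rule("allow printers (source port pinned)", "accept",
                           dst_nets=GROUPS["printers"],
                           sports=frozenset({9100}), dports=frozenset({9100}))
ALLOW_PRINTER = Rule("allow printers", "accept",
                     dst_nets=GROUPS["printers"], dports=frozenset({9100}))

# Constructed print job: Mgmt host to the printer on the LAN, random source port.
PRINT_JOB = Packet("10.0.1.20", "10.0.0.50", "tcp", sport=51234, dport=9100)

if __name__ == "__main__":
    print(evaluate(ISOLATION, Packet("10.0.0.10", "10.0.1.10")))
    print(uncovered_pairs(ISOLATION))
    print(evaluate([ALLOW_PRINTER_WRONG] + ISOLATION, PRINT_JOB))
    print(evaluate([ALLOW_PRINTER] + ISOLATION, PRINT_JOB))
```

`uncovered_pairs` is the check worth keeping: with N isolated networks you need N*(N-1) ordered drop rules (or one rule per direction with a shared group), and running every ordered pair through the evaluator shows which directions are still on the chain's default accept before a device on the shop floor finds out for you.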
08-31-2017 06:14 PM
I'm in the same situation here. I used the "address group" strategy, but it's far from ideal. Does anyone know if this is planned to be fixed?
12-08-2017 01:12 PM
Is this still an issue with the USG? If so, has anyone concluded if it's just a product of using the whole Unifi family? For instance, is the network switch not being updated with VLAN port assignments resulting in devices being able to talk to each other?
I use a Netgear switch, and I've tested my security VLAN using the subnet 192.168.10.1, but I also attempted to change the IP on my connected laptop and tried pinging 192.168.1.1, which didn't result in a response.
So my question: Is it a result of the ports not being assigned to VLAN under unifi? And if so, what difference does it make whether I assign ports to specific VLAN with a netgear switch or if I use the Unifi system. Does this mean I can't intercommunicate with other VLANs? I still use the Unifi USG and APs, so I assume to route 2 truly separated VLANs I would just need to set up a firewall setting.
12-14-2017 07:45 PM - edited 12-14-2017 07:51 PM
Has it been resolved? I would like to isolate my IoT network from other VLAN in the network only allow IoT to go to the Internet. Also have full stack of Unifi; Controller, AP-AC-Pro, AP-AC-M, USW, USG.
Also, what is the difference between LAN IN and LAN OUT?
12-14-2017 09:36 PM
First off, here's a great video to help resolve the IoT separation you're looking for: https://youtu.be/baj3747yfos
So to conclude, I have been able to isolate my VLAN groups. I was able to put Security isolated on its own network by blocking internet access and any access from my other VLAN and regular LAN networks. I was also able to isolate IoT devices to not have any network access, but to have internet access.
To do this I used the firewall settings. To better understand the firewall, you need to think of the router like a building. To get into the building you pass through a door (WAN or LAN port), and each port has a set of policies for the specific direction you are going. That is: leaving ("Out") or entering ("In") the building (router).
So for example: on my router I have eth0 as my WAN (internet access), and eth1 is my local LAN access. WAN In refers to something coming into the router from the internet on the WAN port (eth0). WAN Out would be anything going out to the internet via the WAN (eth0) port. The same goes for LAN In and Out: LAN In refers to anything entering the router through the LAN (eth1) port, and LAN Out refers to anything leaving the LAN (eth1) port.
So this can be confusing if you haven't wrapped your mind around it.
Think of a building; it has 4 walls, and this is your router. Outside one side of the building there is the internet, and on the other side is your network. On the internet side there is a door called eth0 (WAN). When you "WAN In", you are coming from the internet to the inside of the router. If your WAN In policy allows you to enter the building (router), then you can be routed. On the opposite side of the building you have another door called eth1 (LAN), and this connects to your local network. So when you get past the WAN IN policy, you get routed and sent to the network. You are leaving the building through the eth1 (LAN) door, so you are essentially leaving the building (router); this is "LAN Out" traffic. In this situation your WAN policy took care of the connection coming in, so there is no need to tweak any LAN Out policy (although you could by creating one if you wanted to). The majority of any policy you make will be LAN IN or WAN IN.
I'll give you another example for your local network which pertains to IoT setups. Let's say you have a VLAN and your regular LAN. They are all connected to a switch and a single cable is run to your USG. You want to stop all traffic from your VLAN to LAN, and LAN to VLAN. To do this, you want to stop them at the "door" or eth1(LAN) port. So to do this, you want to stop them from coming in. This is where you would then use the "LAN In" policy to stop or "drop" connections from your source "VLAN" network, to your destination "LAN" network.
Here's a diagram that really helped me understand the whole concept: https://community.ubnt.com/t5/EdgeMAX/Layman-s-firewall-explanation/td-p/1436103
Essentially LAN IN, LAN Out, and all the others refer to the traffic going to the physical router. Once you can comprehend that, it's easier to understand what you're doing with firewall policies.
I'm pretty new to this, but this was a huge leap forward when I finally understood firewall traffic.
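The building analogy in the post above, plus the one rule set it does not name, written out as code. This is an added example and not Ubiquiti code or part of the thread. It encodes the standard EdgeOS meaning of the three chain types that the USG inherits: IN and OUT are consulted for traffic the router forwards (classified by the interface it arrives on and the interface it leaves by), while LOCAL is consulted only for traffic addressed to one of the router's own addresses. That is why a drop rule in LAN LOCAL never sees a query to a DNS server sitting on another VLAN: that packet is forwarded, so it passes LAN IN and LAN OUT instead. The router, its interfaces and addresses (documentation ranges on the WAN side) are constructed for the example.

```python
"""Which firewall rule sets a flow passes through on a USG-style router (constructed model)."""
import ipaddress

# Constructed router: WAN on eth0, untagged LAN on eth1, two VLAN
# sub-interfaces on eth1. Zone names match the controller's chain prefixes.
INTERFACES = {
    "eth0":    ("WAN", "203.0.113.2/30"),
    "eth1":    ("LAN", "192.168.1.1/24"),
    "eth1.10": ("LAN", "192.168.10.1/24"),   # VLAN 10, e.g. surveillance
    "eth1.20": ("LAN", "192.168.20.1/24"),   # VLAN 20, e.g. IoT
}
ROUTER_ADDRESSES = {ipaddress.ip_interface(cidr).ip for _, cidr in INTERFACES.values()}


def interface_for(ip: str) -> str:
    """Interface whose connected subnet holds ip; anything else is via the default route."""
    addr = ipaddress.ip_address(ip)
    for name, (_zone, cidr) in INTERFACES.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return "eth0"


def chains(src: str, dst: str) -> list:
    """Rule sets consulted, in order, for a packet from src to dst."""
    in_zone = INTERFACES[interface_for(src)][0]
    if ipaddress.ip_address(dst) in ROUTER_ADDRESSES:
        return [f"{in_zone}_LOCAL"]            # terminates on the router itself
    out_zone = INTERFACES[interface_for(dst)][0]
    return [f"{in_zone}_IN", f"{out_zone}_OUT"]   # forwarded through the router


def rule_can_affect(chain: str, src: str, dst: str) -> bool:
    """True if a rule placed in `chain` is ever consulted for this flow."""
    return chain in chains(src, dst)


if __name__ == "__main__":
    # VLAN 10 host querying a DNS server on VLAN 20: forwarded, so LAN_IN
    # sees it and a LAN_LOCAL rule never does.
    print(chains("192.168.10.5", "192.168.20.53"))
    # The same host querying the forwarder on its own gateway address: LAN_LOCAL.
    print(chains("192.168.10.5", "192.168.10.1"))
    # IoT device to the Internet, and an Internet host to a LAN device.
    print(chains("192.168.20.7", "198.51.100.9"))
    print(chains("198.51.100.9", "192.168.1.20"))
```

The practical rule that falls out of this: isolation between VLANs, and "IoT may reach the Internet but nothing inside", both belong in LAN IN, because every such flow arrives on a LAN interface and is forwarded. LAN LOCAL is the place to restrict what the VLANs may ask of the USG itself (DNS forwarder, SSH, the controller inform port), which is a separate policy from inter-VLAN isolation.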