New Member
Posts: 3
Registered: ‎10-06-2016
Kudos: 1

firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I've got a full Unifi stack (USG Pro 4, two (2) 24P-250W switches and several UAP-AC-PROs) and have been able to configure all the necessary networks/VLANs and WLANs easily in the new controller. One thing that I've noticed though is that when I connect to a specific WLAN or switch port that is set to be a particular VLAN, I can still ping and see addresses in other VLANs. My question is this:

Using the new Controller firewall GUI, what rules do I need to create (and in which area, i.e. LAN IN, LAN Local, etc.) to isolate these VLANs from seeing one another? I thought, natively, that the VLANs would already be segregated from traffic, but that does not seem to be the case.

This is for a retail production environment that will have public wifi, management, employees, POS (point of sale) and surveillance all on separate VLANs, so I need to be able to keep them from seeing one another. The public wifi is easy, as the guest policies enabled on the WLAN take care of it for me. It is the other networks that I need help with in terms of firewall rules via the GUI. I am not familiar with using the CLI and am looking exclusively for answers on how to do this in the new Firewall GUI introduced in version 5.1.x of the Controller.

Thank you for your time!

Regular Member
Posts: 489
Registered: ‎12-18-2015
Kudos: 213
Solutions: 37

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I'm working on the same thing right now. I'm not sure if this will work the way I want it to, but I'm making an address group called "All" and dropping All -> All under the LAN IN section. If someone could chime in on this further to correct it, if wrong, it would be great.

New Member
Posts: 38
Registered: ‎08-20-2016
Kudos: 12
Solutions: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Greetings, @cordercabling@AADIP:

Just a point of clarification, under Settings --> Networks, are the networks set up as "corporate" or "guest"? It should show in the purpose. I assume they're configured as "corporate", but wanted to confirm.

Thank you.

New Member
Posts: 3
Registered: ‎10-06-2016
Kudos: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Yes, they are 'corporate'.

New Member
Posts: 11
Registered: ‎11-04-2015

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I hope this thread doesn't die. I am looking for EXACTLY the same information as the OP. If anyone can shed some light on what the different rule types are (e.g. guest in, guest local, guest out, lan in, lan local, lan out, wan in, and wan local), that would be awesome. Some of them are obvious like WAN IN, but which one would I use for controlling traffic between corporate VLANs? I would think it would be the LAN LOCAL, but I made a rule to completely deny all traffic between two corporate networks, and I could still access a DNS server on the supposedly restricted VLAN.

New Member
Posts: 3
Registered: ‎10-06-2016
Kudos: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

So, the official line from Ubiquiti is that, because this feature is beta, there is no existing documentation or support available for administrating rules via the controller UX. Having said that, being the stubborn person I am, I was determined to solve this issue and managed to find a solution that seems to work.

• All rules should be created in LAN IN and be sorted "before" all other rules (sorting them in "after" priority causes them to be ignored).

• Creating pre-made "groups" in the firewall UX (Routing & Firewall -> Firewall -> Groups) causes the rules to fail for whatever reason. Entries within the group are ignored. Create a "group" on the fly when drafting the rules (explained below).

• Using "Network" in the source and destination sections never seemed to work and the rule went unenforced. No idea why.

Here's what I did (this assumes you have all your networks created already):

• Routing & Firewall -> Firewall -> Rules -> LAN IN
• Create a new rule, title it something like "DROP 10.0.0.0 to 10.0.1.0" or "ISOLATE LAN to Mgmt"
• Rule Applied: "before predefined rules"
• Action: Drop
• Protocol: All
• Under source, choose source type "address/port group"
  • click "create new group"
  • label it something referring to the first IPv4 scope (10.0.0.0) (i.e. "network - LAN")
  • Type: address
  • Address: use CIDR notation for the network (i.e. 10.0.0.0/24)
  • save group
• Under destination, choose source type "address/port group"
  • click "create new group"
  • label it something referring to the second IPv4 scope (10.0.1.0) (i.e. "network - Mgmt")
  • Type: address
  • Address: use CIDR notation for the network (i.e. 10.0.1.0/24)
  • save group
• save rule

Repeat this for each VLAN-to-VLAN isolation that you need. For instance, I have 4 networks: LAN, Mgmt, Point of Sale and Public Access. So, I have rules blocking LAN to Mgmt, Mgmt to LAN, Mgmt to PoS, PoS to LAN, PoS to Mgmt, and then Public takes care of itself with the integrated guest policies (said policies institute isolation already).

NOTE: Once you've created the "address group" with CIDR notation on-the-fly the first time, you can then repurpose it when creating subsequent rules.

Let your USG reprovision after each rule save and isolation should be working effectively now.


New Member
Posts: 1
Registered: ‎11-08-2016

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I have my VLANs isolated now (I found that using the NETv4 setting in Network for source and destination worked without having to make a group), but I want to allow a connection to one device on the LAN (a large format printer).

I added another rule above the rule that drops traffic from one network to another. I set the source to the VLAN I want to have access to the printer (VLAN_10) and I set the destination to a group with the IP address of my computer for testing purposes. I still can't ping from the VLAN to my computer, while I could before adding the blocking rules.

Has anyone had success doing this? Anyone had success adding a single IP address to a group? I am not sure how it is supposed to work, so I just put in the IP as usual (192.168.10.100). Not sure if there is some other information that is necessary or not.

Thanks!

Emerging Member
Posts: 54
Registered: ‎04-18-2017
Kudos: 11

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I am seeing this same issue.... does anyone have any idea?

Regular Member
Posts: 453
Registered: ‎07-22-2016
Kudos: 185
Solutions: 27

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Try this:

1. Go to settings > routing & firewall > firewall > groups.
2. Create a group. Name it printers. Put in the address of your printers; it could be a range, a subnet or an IP.
3. Click save.
4. Go to rules. Pick LAN IN.
5. Create a rule.
6. Name it allow printers.
7. Under rule applied, choose before predefined rules.
8. Under actions, choose accept.
9. Under destination, select printers.
10. Click save.

Emerging Member
Posts: 54
Registered: ‎04-18-2017
Kudos: 11

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

This did not work. Something is wrong with the USG honoring "Allow" rules when they are placed before the "Deny" rules in the firewall.

Emerging Member
Posts: 54
Registered: ‎04-18-2017
Kudos: 11

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Even tried adding a rule going the other direction as well....

New Member
Posts: 4
Registered: ‎09-18-2015

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I have Controller 5.4.16.

I am trying to do the same sort of isolation, except between WAN and VLANs: I want to isolate one VLAN from the WAN/Internet (cannot use the guest portal). I tried the existing post except substituting the idea into WAN IN, with no luck. Your examples work fine for VLAN to VLAN. Cannot get WAN to a specific VLAN to work. Thoughts?

Dan

New Member
Posts: 8
Registered: ‎04-27-2016
Kudos: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

@gpoole83 - Did you ever find a solution to the USG not honouring Accept rules that are placed before Drop rules? I have the same issue.

-------------------------

Edit: My mistake, I figured out that my rule wasn't correct.

Emerging Member
Posts: 54
Registered: ‎04-18-2017
Kudos: 11

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I had the rules set up incorrectly. The source port is random, so it needs to be all possible ports.

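A toy first-match model of the LAN IN rule set this thread builds up: the drop pairs from the step list earlier, the "allow printers" accept placed before them, and the "all source ports" fix stated just above. This is an added example, not the thread's or Ubiquiti's code; the subnets, group names, printer port 9100 and packets are constructed assumptions, and the USG's real chain semantics are only approximated (no connection tracking, default accept when nothing matches).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Address groups as created in the GUI (constructed sample subnets, not the thread's real addressing).
GROUPS = {
    "network - LAN":  ["10.0.0.0/24"],
    "network - Mgmt": ["10.0.1.0/24"],
    "network - PoS":  ["10.0.2.0/24"],
    "printers":       ["10.0.0.50"],      # single host: a bare IP behaves as a /32
}

@dataclass
class Rule:
    chain: str                      # "LAN_IN" / "WAN_IN": packets *entering* the USG on that interface
    action: str                     # "accept" or "drop"
    src: Optional[str] = None       # group name; None matches any address
    dst: Optional[str] = None
    src_port: Optional[int] = None  # None means all ports
    dst_port: Optional[int] = None

def in_group(addr: str, group: Optional[str]) -> bool:
    return group is None or any(ip_address(addr) in ip_network(n) for n in GROUPS[group])

def port_ok(port: int, wanted: Optional[int]) -> bool:
    return wanted is None or port == wanted

def evaluate(rules: List[Rule], pkt: dict) -> str:
    """First match wins on the chain for the ingress interface; no match falls through to accept."""
    chain = f"{pkt['iface']}_IN"
    for r in rules:
        if (r.chain == chain and in_group(pkt["src"], r.src) and in_group(pkt["dst"], r.dst)
                and port_ok(pkt["sport"], r.src_port) and port_ok(pkt["dport"], r.dst_port)):
            return r.action
    return "accept"   # routing between corporate VLANs is allowed unless a rule drops it

def isolation_rules(allow_src_port: Optional[int] = None) -> List[Rule]:
    """LAN IN rule set from the thread: one accept for the printer placed *before* the drop pairs."""
    allow = Rule("LAN_IN", "accept", src="network - Mgmt", dst="printers",
                 src_port=allow_src_port, dst_port=9100)
    pairs = [("network - LAN", "network - Mgmt"), ("network - Mgmt", "network - LAN"),
             ("network - Mgmt", "network - PoS"), ("network - PoS", "network - LAN"),
             ("network - PoS", "network - Mgmt")]
    return [allow] + [Rule("LAN_IN", "drop", src=a, dst=b) for a, b in pairs]

# Constructed packets: a Mgmt host printing (ephemeral source port) and a Mgmt host probing a LAN PC.
PRINT_JOB = {"iface": "LAN", "src": "10.0.1.20", "dst": "10.0.0.50", "sport": 51234, "dport": 9100}
PROBE     = {"iface": "LAN", "src": "10.0.1.20", "dst": "10.0.0.7",  "sport": 51235, "dport": 445}
```

Passing `allow_src_port=9100` reproduces the misconfiguration described above: the client's source port is ephemeral, so the accept never matches and the Mgmt-to-LAN drop wins.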
New Member
Posts: 8
Registered: ‎06-19-2016

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

I'm in the same situation here. I used the "address group" strategy, but it's far from ideal. Does anyone know if this is planned to be fixed?

New Member
Posts: 10
Registered: ‎11-30-2016
Kudos: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Is this still an issue with the USG? If so, has anyone concluded whether it's just a product of using the whole Unifi family? For instance, is the network switch not being updated with VLAN port assignments, resulting in devices being able to talk to each other?

I use a Netgear switch, and I've tested my security VLAN using the subnet 192.168.10.1, but I also attempted to change the IP on my connected laptop and tried pinging 192.168.1.1, which did not get a response.

So my question: is it a result of the ports not being assigned to a VLAN under Unifi? And if so, what difference does it make whether I assign ports to a specific VLAN with a Netgear switch or if I use the Unifi system? Does this mean I can't intercommunicate with other VLANs? I still use the Unifi USG and APs, so I assume that to route between 2 truly separated VLANs I would just need to set up a firewall setting.

Member
Posts: 168
Registered: ‎12-01-2015
Kudos: 17
Solutions: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Has it been resolved? I would like to isolate my IoT network from the other VLANs in the network and only allow IoT to go to the Internet. I also have a full stack of Unifi: Controller, AP-AC-Pro, AP-AC-M, USW, USG.

Also, what is the difference between LAN IN and LAN OUT?


Regards,

Controller: RPi
Router: USG
USW-16-150W USW-8-150W
AP-AC-Pro AP-AC-M AP-LR
New Member
Posts: 10
Registered: ‎11-30-2016
Kudos: 1

Re: firewall rules (via new GUI) for isolating VLAN traffic (using Controller 5.2.9)

Hey PDY

First off, here's a great video to help resolve the IoT separation you're looking for: https://youtu.be/baj3747yfos

So to conclude, I have been able to isolate my VLAN groups. I was able to put Security on its own isolated network by blocking internet access, and any access from my other VLAN and regular LAN networks. I was also able to isolate IoT devices so they have no local network access but do have internet access.

To do this I used the firewall settings. To better understand the firewall, you need to think of the router like a building. To get into the building you pass through a door (WAN or LAN port), and each port has a set of policies for the specific direction you are going. That is: leaving ("Out") or entering ("In") the building (router).

So for example: on my router I have eth0 as my WAN (internet access), and eth1 is my local LAN access. WAN in refers to something coming into the router from the internet on the WAN port (or eth0). WAN out would be anything going out to the internet via the WAN (eth0) port. The same goes for LAN in and out. LAN in refers to anything entering the router through the LAN (eth1) port, and LAN out refers to anything leaving the LAN (eth1) port.

So this can be confusing if you haven't wrapped your mind around it.

Think of a building; it has 4 walls, and this is your router. Outside one side of the building there is the internet, and on the other side is your network. On the internet side there is a door called eth0 (WAN). When you "WAN In" you are coming from the internet to the inside of the router. If your WAN In policy allows you to enter the building (router), then you can be routed. On the opposite side of the building you have another door called eth1 (LAN), and this connects to your local network. So when you get past the WAN IN policy, you get routed and sent to the network. You are leaving the building through the eth1 (LAN) door, so you are essentially leaving the building (router), and this is "LAN Out" traffic. In this situation your WAN policy took care of the connection coming in, so there is no need to tweak any LAN Out policy (although you could by creating one if you wanted to). The majority of any policies you make will be LAN IN or WAN IN.

I'll give you another example for your local network which pertains to IoT setups. Let's say you have a VLAN and your regular LAN. They are all connected to a switch and a single cable is run to your USG. You want to stop all traffic from your VLAN to LAN, and LAN to VLAN. To do this, you want to stop them at the "door" or eth1 (LAN) port. So you want to stop them from coming in. This is where you would then use the "LAN In" policy to stop or "drop" connections from your source "VLAN" network to your destination "LAN" network.

Here's a diagram that really helped me understand the whole concept: https://community.ubnt.com/t5/EdgeMAX/Layman-s-firewall-explanation/td-p/1436103

Essentially LAN IN, LAN Out, and all the others refer to the traffic going to the physical router. Once you can comprehend that, it's easier to understand what you're doing with firewall policies.

I'm pretty new to this, but this was a huge leap forward when I finally understood firewall traffic.