Tuesday, January 21, 2025

UniFi Zone-Based Firewall – What you need to Know — LazyAdmin


Ubiquiti has changed its firewall management system for UniFi Network a couple of times over the past few years. And it is changing again, with the new Zone-Based Firewall (ZBF) that comes with UniFi Network 9.x and newer.

The new Zone-Based Firewall management system not only makes it easier to create firewall rules, it also allows you to group network interfaces into zones, making it easier to apply policies to them.

In this article, we are going to take a look at the ZBF, how to migrate your existing rules, and how to use it.

UniFi Zone-Based Firewall

In UniFi Network we have always had the classic (advanced) firewall rules. The names of the fields have changed a couple of times (and change again with version 9.x), but they allow you to control access based on IP addresses (or ranges), networks, and port groups.

Traffic rules were added to make it easier to create firewall rules, and they also allowed us to easily block individual devices, apps, domains, etc. But the traffic rules never fully replaced the advanced firewall rules.

The problem with the current firewall rules (in version 8.x and lower) is the naming convention that is used. A lot of people found it hard to get a grasp on the LAN In, LAN Out, WAN In, etc. naming that is used, which I completely get.

UniFi Zone-Based Firewall

This is where the Firewall Zones come in: they allow you to easily group the different network interfaces into logical groups. We can now have a zone, External, with all the WAN connections, or a zone VPN where all the VPN connections reside.

Zones don't have (firewall) rules anymore, but we can now apply policies to the different zones. Just like rules, the policies allow you to block or allow traffic between different zones. The policy isn't only matched between zones; you can also apply it to a specific device or IP range in a zone.

Zone-Based Firewall Advantages

The main advantage of the new ZBF is that it gives you better insight into the applied firewall policies with the new Zone Matrix. In this matrix, you simply see the zones listed as source and destination and the policies applied to them.

Zone Matrix UniFi

By default, a zone can't access any other zone, except of course the Gateway, and established traffic is allowed to the External zone. You can click on Policies (n) to view and manage the policies that are applied between the two zones.

Zones really help with segmenting your network and allow you to easily establish clear boundaries between them.

When you enable ZBF, the following zones will automatically be created for you:

  • Internal – For locally trusted traffic. Networks that you create are by default placed in the Internal zone, except for Guest networks.
  • External – Untrusted incoming traffic from your WAN connections.
  • Gateway – Traffic from and to your UniFi Gateway (DNS, DHCP, HTTPS/SSH management)
  • VPN – All VPN traffic, including Teleport, WireGuard/OpenVPN/L2TP VPN server, Site Magic, etc.
  • Hotspot – Guest network
  • DMZ – Used to place a server on the edge of your network, making it accessible from the internet.

A network interface, for example the WAN1 port or your IoT network, can only be assigned to one zone. You can't remove the predefined zones, but you can create custom zones and assign a network interface to them. This way you can customize the assigned policies.

Assigning Policies Within Zones

Within one zone you can have multiple networks (VLANs). These networks can all reach each other by default; there is no inter-VLAN blocking within a zone.

We can, however, also create policies to filter the traffic within the same zone. So we can block all inter-VLAN traffic and only allow Default to IoT, for example. Or create an exception for a specific device.

Simple App Blocking

The Zone-Based Firewall also allows you to create a policy to block specific apps or websites, just like we could do with Traffic Rules. However, to block an app easily, you can now also use the new feature, Simple App Blocking.

This feature allows you to select a device or network as a source and quickly block a specific app. It will then create the necessary firewall policies for you.

Enabling Zone-Based Firewall

As mentioned at the beginning, ZBF is part of the new UniFi Network 9.x version, which is currently in Early Access. This means that if you want to use it right now, you will need to change the release channel of UniFi Network to Early Access:

  1. Open Settings > Control Plane
  2. Click on Updates
  3. Select Network and make sure Early Access is selected
UniFi Network Early Access

Next, we will need to enable the zone-based firewall. Keep in mind that you can't revert back. When you enable the ZBF, all your existing firewall and traffic rules will be automatically migrated to the new ZBF policies.

And it is good to know that you will end up with a lot more policies than you had. I ended up with around 100 policies after having only 5 custom firewall rules on this device.

  • Go to Settings and open Security
  • Click on Upgrade in the notification
Enable ZBF

Creating a new Zone

Creating a new zone is pretty straightforward: just click on Create Zone in the Security tab, give the zone a name, and select the network and/or interface that you want to assign to it.

Create new Zone

Keep in mind that you don't have to create zones for each VLAN. If you want to block traffic between VLANs, then just create a policy for it in the Internal zone.

Creating Policies

Policies allow you to control what is allowed and what isn't within a zone or between zones. Creating a policy can be done by scrolling all the way to the end of the page and selecting Create Policy. But I find it more convenient to first select the source and destination in the matrix, and then click on Create Policy.

This way, the source and destination are already filled in for you and you don't have to scroll that far down 😉. Important to note is that the options you get in the policy depend on the source and destination that you select.

Blocking Inter-VLAN Traffic

Let's first create a policy that will block all inter-VLAN traffic in the Internal zone.

  1. In the zone matrix, click on Internal to Internal (policies, or Allow All)
  2. Click on Create Policy
Create new policy in zone based firewall

We are going to use the same principle as with the "old" firewall rules. That means that we are going to block all traffic based on all private IPv4 addresses. My network is running on 192.168.x.x, so we are going to create a Network Object (formerly known as IP Group) for that range.

  • Name: Block Inter-VLAN
  • Source Zone: Internal
    • Specific Source: IP > Object
    • Click New and enter the following:
      Name: All Private IPs
      Type: IPv4 Address/Subnet
      Address: 192.168.0.0/16
    • Port: Any
  • Action: Block
  • Destination Zone: Internal
    • Specific Destination: IP > Object
    • Click New and enter the following:
      Name: All Private IPs
      Type: IPv4 Address/Subnet
      Address: 192.168.0.0/16
    • Port: Any
  • IP Version: IPv4
  • Protocol: All
  • Connection State: All
  • Schedule: Always
  • Click on Add Policy
Block Inter-vlan

This policy will block all traffic between the networks that are assigned to the Internal zone. There are a few more policies that we will need to create, just like with the older firewall rules:

  • Allow established and related connections
  • Drop invalid state connections
  • (optional) Allow the main VLAN to access all VLANs

Let's first create the rule that allows all established and related sessions:

  • Name: Allow established and related sessions
  • Source Zone: Internal
    • Specific Source: Any
    • Port: Any
  • Action: Allow
  • Destination Zone: Internal
    • Specific Destination: Any
    • Port: Any
  • IP Version: IPv4
  • Protocol: All
  • Connection State: Reply Only (this matches established and related traffic)
  • Schedule: Always
  • Click on Add Policy
Allow established and related sessions

Next, we are going to create the rule that will drop all invalid traffic:

  • Name: Drop invalid State
  • Source Zone: Internal
    • Specific Source: Any
    • Port: Any
  • Action: Block
  • Destination Zone: Internal
    • Specific Destination: Any
    • Port: Any
  • IP Version: IPv4
  • Protocol: All
  • Connection State: Custom > Invalid
  • Schedule: Always
  • Click on Add Policy
Drop invalid State

The last rule that we need to create is to allow traffic from our main VLAN to access devices in the other VLANs. This way you can manage your IoT devices, for example. In the example below I am going to give access to all VLANs from the main (default) VLAN, but you can of course also limit this to a specific VLAN.

  • Name: Allow Main VLAN to all VLANs
  • Source Zone: Internal
    • Specific Source: Network
    • Network: Default
    • Port: Any
  • Action: Allow
  • Destination Zone: Internal
    • Specific Destination: IP
    • Object: All Private IPs
    • Port: Any
  • IP Version: IPv4
  • Protocol: All
  • Connection State: All
  • Schedule: Always
  • Click on Add Policy
Allow main vlan to access all

We have now separated the VLANs in our Internal zone, preventing unwanted inter-VLAN traffic.
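To sanity-check the four Internal-zone policies above before relying on them, here is an added example (not the article's or Ubiquiti's code): a small first-match model of the policies using the stdlib ipaddress module. It assumes the policies are evaluated top-down with the first match winning and that the zone default is Allow All, as the matrix shows for Internal to Internal; the VLAN subnets are constructed, and one of them (10.10.0.0/24) is deliberately placed outside the "All Private IPs" object to show why the object must cover every range your VLANs actually use.

```python
# Added example (not the article's or Ubiquiti's code): a first-match model of the four
# Internal-zone policies above, to check ordering and "All Private IPs" coverage.
# Evaluation order and the VLAN subnets are assumptions; check the real order in the UI.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PRIVATE_IPS = [ip_network("192.168.0.0/16")]   # the network object from the article
VLANS = {                                           # constructed subnets for the model
    "Default": [ip_network("192.168.1.0/24")],
    "IoT": [ip_network("192.168.20.0/24")],
    "Lab": [ip_network("10.10.0.0/24")],            # deliberately outside the object
}

@dataclass
class Policy:
    name: str
    action: str            # "Allow" or "Block"
    src: object = None     # VLAN name, list of subnets, or None for Any
    dst: object = None
    state: str = "All"     # "All", "Reply Only" (established/related) or "Invalid"

def _matches(selector, ip):
    if selector is None:
        return True
    nets = VLANS[selector] if isinstance(selector, str) else selector
    return any(ip in n for n in nets)

# Order used here: stateful policies first, the broad block last (assumption).
POLICIES = [
    Policy("Allow established and related", "Allow", state="Reply Only"),
    Policy("Drop invalid State", "Block", state="Invalid"),
    Policy("Allow Main VLAN to all VLANs", "Allow", src="Default", dst=ALL_PRIVATE_IPS),
    Policy("Block Inter-VLAN", "Block", src=ALL_PRIVATE_IPS, dst=ALL_PRIVATE_IPS),
]

def evaluate(src_ip, dst_ip, state="New", policies=POLICIES):
    """Return (action, policy name) for a packet; state is New, Established or Invalid."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if p.state == "Reply Only" and state != "Established":
            continue
        if p.state == "Invalid" and state != "Invalid":
            continue
        if _matches(p.src, s) and _matches(p.dst, d):
            return p.action, p.name
    return "Allow", "zone default (Allow All)"

def uncovered_vlans(obj=ALL_PRIVATE_IPS):  # VLANs the block policy can never match
    return [name for name, nets in VLANS.items()
            if not all(any(n.subnet_of(o) for o in obj) for n in nets)]
```

Passing the policy list with the broad block moved to the top shows that reply traffic from IoT to Default would then be blocked too, so the order of the four policies in the UI is worth verifying after you add them.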

Blocking Specific Apps or Websites

Traffic rules allowed us to easily block specific apps, websites, etc. for specific devices or networks. We can still do this, but we will have to create a policy for it now.

Until now we have only created policies based on networks, but we can also specify a specific device as a source. When it comes to the destination, you will see that when you select the External zone, you get the option to specify an App, IP, Website, or Domain, each with its own options.

For the example, let's create a policy that will block apps based on different categories for a specific device:

  • Name: Block unwanted apps
  • Source Zone: Internal
    • Specific Source: Device
    • Device: Select a device
    • Port: Any
  • Action: Block
  • Destination Zone: External
    • Specific Destination: App
    • Category: Social Networks, Peer-to-Peer, Online Games
    • Port: Any
  • IP Version: IPv4
  • Protocol: All
  • Connection State: All
  • Schedule: Always
  • Click on Add Policy
Block apps in zone-based firewall

Wrapping Up

The new Zone-Based Firewall makes it a bit easier to view the current policies and to see which source they affect. There are still a lot more policies (firewall rules) created than with the old system, so that can be a bit overwhelming.

Also, the naming convention of the different policy settings has changed once again, but I have to say, it all seems to make a bit more sense now. The old LAN In/LAN Out etc. was always a bit hard to explain.

I will do some more testing in the coming weeks with the new ZBF, and update this article with more information if necessary. As always, if you have any questions, just drop a comment below.
