User Manual

30
UniFi Controller User Guide
Ubiquiti Networks, Inc.
Chapter 3: Using the UniFi Controller Software
Firewall Tab
The Firewall tab displays user-defined firewall information,
organized into two sub-tabs: Rules and Groups.
Firewall > Rules
The Rules sub-tab displays existing firewall rules. There are
three instances per network type: In, Out, and Local. The
interfaces currently are defined as WAN, LAN, and GUEST.
WAN This is your Internet connection.
LAN This refers to all corporate networks.
GUEST This refers to any guest subnets.
In Filters packets that enter the interface and traverse the router.
Out Filters packets that leave the interface. This applies both to traffic that traverses the system and to traffic originating from the router itself.
Local Filters packets that are destined for the router itself.
Note: There are predefined firewall rules for most interfaces. For detailed information on these predefined rules, refer to “Predefined Firewall Rules” on page 30.
The following information is displayed for each rule:
Rule Index Displays an automatically generated index number associated with the rule.
Enabled Displays a check mark if the rule is enabled, or nothing if the rule is disabled.
Name Displays the name of the rule.
Action Displays the action to take if the rule criteria are satisfied: Drop, Reject, or Accept.
Protocol Displays the protocol(s) that apply to the rule. If Except: precedes the listed protocol(s), all protocols except those listed are applicable.
Source Displays the source to which the rule applies.
Destination Displays the destination to which the rule applies.
Actions Click a button to perform the desired action:
Edit Click EDIT to make changes to the firewall rule. Go to “Create or Edit a Firewall Rule” on page 31.
Delete Click the Delete button to remove the firewall rule.
To create a firewall rule, click CREATE NEW RULE and go to “Create or Edit a Firewall Rule” on page 31.
Predefined Firewall Rules
The following firewall rules are predefined (cannot be
edited or deleted):
Interface    Rule Name                                    Action  Protocol
WAN IN       Allow established/related sessions           Accept  All
WAN IN       Drop invalid state                           Drop    All
WAN OUT      None*                                        -       -
WAN LOCAL    Allow established/related sessions           Accept  All
WAN LOCAL    Drop invalid state                           Drop    All
WAN LOCAL    Allow ICMP                                   Accept  ICMP
LAN IN       Packets from UniFi to VoIP                   Accept  All
LAN IN       Packets from Intranet to VoIP                Drop    All
LAN IN       Accounting defined network 192.168.1.0/24    Accept  All
LAN OUT      Accounting defined network 192.168.1.0/24    Accept  All
LAN LOCAL    None                                         -       -
GUEST IN     Allow DNS packets to external name servers   Accept  UDP
GUEST IN     Allow packets to captive portal              Accept  TCP
GUEST IN     Allow packets to allow subnets               Accept  All
GUEST IN     Drop packets to restricted subnets           Drop    All
GUEST IN     Drop packets to intranet                     Drop    All
GUEST IN     Drop packets to voip                         Drop    All
GUEST IN     Drop packets to remote user                  Drop    All
GUEST IN     Authorized guests white list                 Drop    All
GUEST OUT    None                                         -       -
GUEST LOCAL  Allow DNS                                    Accept  UDP
GUEST LOCAL  Allow ICMP                                   Accept  ICMP
* The WAN_OUT ruleset is deployed by default only in controller version 5.5.2 and newer. To deploy WAN_OUT in earlier versions, set config.ugw.deploy_firewall_wan_out=true in config.properties.
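The following added example (not Ubiquiti's code) models how the In and Local rulesets defined above are selected for a packet arriving on WAN and how the predefined WAN rules in the table apply to it. It assumes, since the page does not say, that rules are evaluated top-down with first match winning and that a packet matching no rule falls through to a default policy passed in by the caller; the Rule, Packet and evaluate names are the example's own.

```python
"""Toy model of UniFi per-interface firewall rulesets (added example, not Ubiquiti code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "Accept", "Drop" or "Reject", as in the Action column
    protocol: str = "All"         # "All", "TCP", "UDP" or "ICMP", as in the Protocol column
    state: Optional[str] = None   # connection state(s) the rule keys on, "/"-separated


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet enters, named as on the page: WAN, LAN, GUEST
    to_router: bool   # True -> destined for the router (Local); False -> traversing it (In)
    protocol: str
    state: str        # "new", "established", "related" or "invalid"


# Predefined WAN rulesets transcribed from the table above, in listed order.
RULESETS = {
    "WAN_IN": [
        Rule("Allow established/related sessions", "Accept", state="established/related"),
        Rule("Drop invalid state", "Drop", state="invalid"),
    ],
    "WAN_LOCAL": [
        Rule("Allow established/related sessions", "Accept", state="established/related"),
        Rule("Drop invalid state", "Drop", state="invalid"),
        Rule("Allow ICMP", "Accept", protocol="ICMP"),
    ],
}


def select_ruleset(pkt: Packet) -> str:
    """In filters traffic entering the interface and traversing the router;
    Local filters traffic destined for the router itself (page definitions)."""
    return f"{pkt.iface}_{'LOCAL' if pkt.to_router else 'IN'}"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    return rule.state is None or pkt.state in rule.state.split("/")


def evaluate(pkt: Packet, default: str = "Drop") -> Tuple[str, str]:
    """First matching rule decides; otherwise the assumed default policy applies."""
    for rule in RULESETS.get(select_ruleset(pkt), []):
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default policy"
```

Running unsolicited (new) TCP from WAN through evaluate shows that none of the predefined rules match it, so only the default policy stands between it and the LAN, while a ping to the router itself is accepted by the Allow ICMP rule in WAN_LOCAL.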
Firewall > Groups
The Groups sub-tab displays the following information:
Name Displays the name of the group.
Type Displays the group type: Address or Port.
Count Displays the total addresses or ports in the group.
Actions Click a button to perform the desired action:
Edit Click EDIT to make changes to the group. Go to “Create or Edit a Firewall Group” on page 32.
Delete Click the Delete button to remove the group.
To create a group, click CREATE NEW GROUP and go to “Create or Edit a Firewall Group” on page 32.