Firewall
The source material this page replaces is a bare list of two sub-pages covering port forwarding for specific services. There is no explanation of the firewall model, the default policies, or the reasoning behind the rules. This introduction covers all of that before getting into specific rules.
UniFi firewall model
UniFi’s firewall is a stateful packet filter. It tracks the state of each connection and applies rules based on direction and origin, not just source and destination addresses. Understanding the direction model is the most important thing to get right before writing any rules.
Traffic is classified into three zones:
WAN: the internet-facing interface. Traffic from the WAN is untrusted by default. Incoming connections from the internet are blocked unless explicitly permitted by a port forwarding rule or firewall allow rule.
LAN: any internal network. Traffic between LAN zones follows inter-VLAN routing rules. By default, all VLANs can communicate with each other unless blocked by a firewall rule.
Guest: networks marked as Guest type in UniFi. Traffic from Guest networks is automatically restricted from reaching LAN networks.
Rule directions
UniFi firewall rules apply to traffic in one of four directions:
WAN In: traffic entering the router from the WAN, destined for a LAN host. This is where rules permitting inbound services (port forwarding targets) are placed.
WAN Out: traffic leaving the router toward the WAN, originating from a LAN host. Rarely modified; most outbound internet traffic is permitted by default.
WAN Local: traffic entering from WAN destined for the router itself (e.g. management access to the UniFi interface from the internet). Restrictive by default and should remain so.
LAN In: traffic entering the router from any LAN network, destined for another LAN network or the WAN. This is where inter-VLAN blocking rules and specific service restrictions are placed.
LAN Local: traffic from any LAN network destined for the router itself (e.g. DNS queries, NTP, management access). Generally permissive from trusted VLANs, restrictive from Guest VLANs.
Default policies
UniFi’s default firewall behaviour without any custom rules:
| Direction | Default policy |
|---|---|
| WAN In | Block all (stateful: return traffic for established connections is allowed) |
| WAN Out | Allow all |
| WAN Local | Block all (except established/related) |
| LAN In | Allow all between VLANs |
| LAN Local | Allow all from LAN to router |
| Guest In | Block (Guest to LAN is automatically blocked) |
The default policy means:
- Internal devices can reach the internet freely. No rules needed for outbound access.
- Internet cannot reach internal devices uninvited. Port forwarding rules create controlled exceptions.
- All VLANs can communicate with each other by default. Inter-VLAN isolation requires explicit blocking rules.
- Guest VLAN is isolated from LAN automatically. No rules needed for basic guest isolation.
The inter-VLAN routing question
The default of allowing all inter-VLAN traffic is the most important thing to review and tighten for this network. The VLAN structure in the network design page uses multiple VLANs for different purposes, and unrestricted communication between all of them defeats the purpose of the segmentation.
The rules that matter most:
Visitor VLAN isolation: the Visitor VLAN should not be able to reach any internal VLAN. UniFi’s Guest network type handles this automatically when the network is created as Guest. Verify this is in place.
IoT VLAN isolation: if an IoT VLAN is deployed, it should not be able to initiate connections to the trusted Core VLAN. IoT devices should be able to reach the internet and specific internal services (such as an MQTT broker) but nothing else.
Testnet VLAN: the Testnet VLAN should be isolated from production VLANs. Testing should not affect production services or be able to reach production data.
Firewall rule structure
A UniFi firewall rule consists of:
- Action: Accept, Drop, or Reject. Drop silently discards the packet. Reject sends an ICMP unreachable response. Accept passes the packet.
- Protocol: All, TCP, UDP, TCP and UDP, ICMP, or a specific protocol
- Source: Any, specific network, IP address, port group, or IP group
- Destination: same options as source
- Direction: which rule table the rule goes in
Rules are evaluated in order from top to bottom. The first matching rule wins. UniFi numbers rules and evaluates lower numbers first within each direction.
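As an added illustration (not UniFi code or this series' configuration), the following Python simulates the stateful, first-match evaluation described above for the LAN In direction, using the IoT and Testnet isolation rules from the previous section; the subnets, the MQTT broker address and the rule indices are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; substitute the subnets from the design page.
VLANS = {name: ipaddress.ip_network(net) for name, net in {
    "Core": "10.0.10.0/24", "IoT": "10.0.20.0/24", "Testnet": "10.0.30.0/24"}.items()}
MQTT_BROKER = "10.0.10.5"  # hypothetical broker host on the Core VLAN

@dataclass(frozen=True)
class Rule:
    index: int    # UniFi evaluates lower indices first within a direction
    action: str   # "accept", "drop" or "reject"
    proto: str    # "all", "tcp" or "udp"
    src: str      # VLAN name or "any"
    dst: str      # VLAN name, single IP address or "any"
    dport: int = 0  # destination port; 0 matches any port

# LAN In table for this network: the narrow allow must precede the broad block.
LAN_IN = [
    Rule(2000, "accept", "tcp", "IoT", MQTT_BROKER, 1883),  # IoT -> broker only
    Rule(2001, "drop", "all", "IoT", "Core"),                # IoT -> rest of Core
    Rule(2002, "drop", "all", "Testnet", "Core"),            # Testnet stays out of prod
]
LAN_IN_DEFAULT = "accept"  # UniFi's LAN In default: allow all between VLANs

def pkt(src, dst, proto, dport, sport=40000):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "sport": sport}

def in_zone(ip, zone):
    if zone in VLANS:
        return ipaddress.ip_address(ip) in VLANS[zone]
    return zone == "any" or ip == zone  # "any", or a single host address

def matches(rule, p):
    return (rule.proto in ("all", p["proto"]) and in_zone(p["src"], rule.src)
            and in_zone(p["dst"], rule.dst) and rule.dport in (0, p["dport"]))

def evaluate(p, state, rules=LAN_IN):
    """Stateful first match: replies to accepted flows pass before the table is read."""
    flow = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
    if (flow[2], flow[3], flow[0], flow[1], flow[4]) in state:  # reverse direction
        return "accept", "established"
    for rule in sorted(rules, key=lambda r: r.index):
        if matches(rule, p):
            if rule.action == "accept":
                state.add(flow)
            return rule.action, rule.index
    if LAN_IN_DEFAULT == "accept":
        state.add(flow)
    return LAN_IN_DEFAULT, "default"
```

Swapping the indices of the first two rules makes the broad block shadow the MQTT allow, which is the ordering mistake to check for when a service on the Core VLAN stops being reachable from IoT.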
What the firewall sub-pages cover
The firewall section covers rules for specific services as they are deployed:
Inter-VLAN rules: blocking rules to enforce VLAN isolation, particularly for the Visitor, Testnet, and IoT VLANs.
Port forwarding: rules to expose specific internal services to the internet. Each service that needs to be reachable from outside gets its own port forwarding entry and a corresponding WAN In allow rule.
Services published externally for this network include:
- Mail server: SMTP (port 25), SMTP submission (port 587), IMAPS (port 993)
- Web server: HTTPS (port 443) for any publicly accessible web services
- WireGuard VPN: UDP port for roaming client access
Each of these is covered in the relevant service section of the series. The firewall rules for each service are documented alongside the service configuration rather than in a single monolithic firewall page, since the rules only make sense in the context of the service they permit.
Security posture
The firewall is one layer of a defence-in-depth approach. The other layers:
- Services bind only to the interfaces and ports they need
- Internal services use TLS with certificates from the private CA
- The WireGuard VPN provides encrypted access to internal services from outside
- IDS/IPS (intrusion detection and prevention) on the UDM-SE monitors for known attack patterns
No firewall is perfect. A compromised device inside the network bypasses the WAN firewall entirely. VLAN segmentation limits the blast radius of a compromised device, but only if inter-VLAN rules actually enforce the isolation.
The firewall defaults are not wrong, but they are permissive where the VLAN structure implies segmentation. Spend time on the inter-VLAN rules before worrying about inbound rules from the internet. The internet is less likely to be your problem than an IoT device on your own network.
What this section covers
- Inter-VLAN rules — enforcing the isolation the VLAN structure implies
- Mail server — port forwarding and firewall rules for SMTP and IMAP
- Web services — HTTPS port forwarding for publicly accessible services
- WireGuard VPN — the rules that make roaming client access work
- IPv6 firewall — a separate but equally important rule set