Unifi USG Firewall not working as intended

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Unifi USG Firewall not working as intended

pomtom44

128 posts

Master Geek

#242191 15-Oct-2018 16:12

Hey all
I have a issue with my firewall on my USG

I have two vlans setup, Vlan 10 and 40
I have a PC on vlan 10 and a server on vlan 40

I have a rule setup to stop cross talk between the vlans, which works fine.
I then went to set a rule to allow ssh and http between the PC and the server.

First I found that I had to set a rule for both directions, PC->Server and then a reply back from Server -> PC
So I created a group with both the server and the PC's IP addresses and set a single rule from group to group
Rather than having two rules for each direction.
This worked fine.

I then went to add a port group to the rule to limit it to just ssh (22), and applied it to the firewall.
Broken.

If I allow any traffic it works fine, but the moment I add a port restrction it breaks.

Screenshots attached for reference.

dfnt

1511 posts

Uber Geek

Lifetime subscriber

#2108303 15-Oct-2018 16:35

I think the problem is due to the fact that the source port is usually a random high port, as opposed to being the same as the destination port so the return traffic is being blocked. You want to allow related and established packets through your vlan in/local interface.

I use an edgerouter, and the below is how I have setup my vlan's:

The default action on both GWN_IN and GWN_LOCAL is drop, so you'll see I allow specific things like DNS and DHCP. In addition I allow GWN to talk to anything apart from 192.168.0.0/16 so that it can access the internet, but not access anything in other vlans unless I've specified it above.

Not sure how that translates to USG but hopefully that'll help

pomtom44

128 posts

Master Geek

#2108310 15-Oct-2018 16:49

dfnt:

I think the problem is due to the fact that the source port is usually a random high port, as opposed to being the same as the destination port so the return traffic is being blocked. You want to allow related and established packets through your vlan in/local interface.

I use an edgerouter, and the below is how I have setup my vlan's:

The default action on both GWN_IN and GWN_LOCAL is drop, so you'll see I allow specific things like DNS and DHCP. In addition I allow GWN to talk to anything apart from 192.168.0.0/16 so that it can access the internet, but not access anything in other vlans unless I've specified it above.

Not sure how that translates to USG but hopefully that'll help

I already have related and established enabled on the rule
Could it be getting confused as the fact its only one rule for both directions?
Trying to be clever and reduce the number of rules, but trying to do too much

vulcannz

436 posts

Ultimate Geek
Inactive user

#2108324 15-Oct-2018 17:15

With a "normal" firewall we usually only talk about stateful connections. The firewall usually maintains a state table, so any returning traffic is automatically allowed. So only a single rule is required. That whole new/related/established stuff is quite odd from a 100% firewall point of view.

I'd wager its to do with your "Test IP" using both addresses in the source and destination parts of the rule. Then that weird ass statefulness check is screwing the return traffic up (due to it being on a port > 1024).

Make your address objects individual, that or get a real firewall :D

dfnt

1511 posts

Uber Geek

Lifetime subscriber

#2108421 15-Oct-2018 19:24

Have you got any firewall rules on your main lan interface? I don't.

Also, you don't specify source ports, just leave that as ANY and the destination ports will be whatever you want

And put the established/related as its own rule at the very top as having it combined with your attempted rule isnt going to match any reply traffic

e.g.: