davidcole

#245317 29-Jan-2019 10:42
I've followed https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-How-to-block-internet-access-for-a-single-... and have a group for insecure devices that are blocked from the internet.

 

I can tell they're blocked as I'll go to their apps and they won't show up, or my camera will stop sending out iOS notifications.

 

The only way I can get it to work is to put it at the very top of the LAN IN list:

 


 

The rule is set up as:

Before Predefined Rules
Drop
New, Established, Related
Source - InsecureDevices Group
Source Port: Any
Destination: Any
Destination Port: Any

If I move that rule to anywhere other than the very top, it stops working, as in I see traffic coming out from the insecure devices (but then my VPN access works).

 

But with it in this configuration the LAN to insecure access is working. But any traffic from my VPN LAN (192.168.50.x) seems to fail to get to the insecure devices, which are in my regular LAN (192.168.10.x).

 

I did try an explicit 192.168.50.x rule to InsecureGroup Accept. But that didn't seem to help either.

 

 





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 


davidcole

#2188281 27-Feb-2019 16:04

Anyone with an answer?









michaelmurfy

#2188288 27-Feb-2019 16:23

Because you've got an allow all 2nd from the top - rules run from top to bottom until a match is made, so the allow all will take preference over everything else.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


chevrolux

#2188293 27-Feb-2019 16:33

Yea, rule 2001 doesn't look like it is specifying source/destination. So that needs to be below the specific allow rules or it will just catch everything.




davidcole

#2188294 27-Feb-2019 16:34

So that is why it needs to be at the top to work?

I get that. But what change do I need to make to allow access from the VPN VLAN?

Or does this rule need to move further down (the others are related to MQTT access from another VLAN)?






davidcole

#2188295 27-Feb-2019 16:35

Hmm, I need to check that 2001. It should be allow almost anything from my main LAN to the IoT LAN (and the rule below only allows 1883 - MQTT out).






chevrolux

#2188298 27-Feb-2019 16:45

Yea, so shift that 2001 to the bottom. Then test everything again.

 

The easiest way to approach a firewall is to stick a "Drop all" rule at the bottom, and then work your way up from there, just allowing what you need.

 

Just don't lock yourself out of the router! Although, if you are using the GZ cloud UniFi controller that shouldn't be a problem, I suppose.
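As an added illustration (not from the thread), a first-match walk over a LAN IN chain modelled on the rules discussed above: the poster's drop rule (source = InsecureDevices group, any destination, New/Established/Related), the "allow all" rule 2001 that chevrolux points at, and the drop-all-at-the-bottom layout he recommends. Rule numbers other than 2001, the IoT VLAN 192.168.20.0/24, the VPN client address and the extra allow rules are constructed; evaluating the NVR's routed reply toward the VPN subnet is my own check of why a source-group drop that matches Established with any destination also catches return traffic.

```python
import ipaddress

INSECURE = {"192.168.10.66"}                                  # InsecureDevices group (the NVR)
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")
VPN_LAN = ipaddress.ip_network("192.168.50.0/24")
IOT_LAN = ipaddress.ip_network("192.168.20.0/24")             # constructed IoT VLAN
ALL_STATES = frozenset({"new", "established", "related"})

def in_net(net):
    return lambda ip: ipaddress.ip_address(ip) in net

def rule(num, action, src=None, dst=None, dport=None, states=ALL_STATES):
    """src/dst are predicates on an address string; None means 'any'."""
    return dict(num=num, action=action, src=src, dst=dst, dport=dport, states=states)

def matches(r, pkt):
    return ((r["src"] is None or r["src"](pkt["src"]))
            and (r["dst"] is None or r["dst"](pkt["dst"]))
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and pkt["state"] in r["states"])

def evaluate(chain, pkt, default="accept"):
    """First match wins: walk top to bottom and stop at the first rule that hits."""
    for r in chain:
        if matches(r, pkt):
            return r["num"], r["action"]
    return None, default

def pkt(src, dst, dport, state="new"):
    return dict(src=src, dst=dst, dport=dport, state=state)

DROP_INSECURE = rule(2000, "drop", src=lambda ip: ip in INSECURE)   # poster's rule, number constructed
ALLOW_ALL = rule(2001, "accept")                   # no src/dst: matches every packet
ALLOW_MQTT = rule(2002, "accept", src=in_net(MAIN_LAN), dst=in_net(IOT_LAN), dport=1883)
ALLOW_VPN = rule(2003, "accept", src=in_net(VPN_LAN), dst=in_net(MAIN_LAN))
DROP_ALL = rule(2999, "drop")

AS_POSTED = [DROP_INSECURE, ALLOW_ALL, ALLOW_MQTT]             # only works with the drop on top
MOVED_DOWN = [ALLOW_ALL, DROP_INSECURE, ALLOW_MQTT]            # 2001 shadows the drop rule
RECOMMENDED = [DROP_INSECURE, ALLOW_MQTT, ALLOW_VPN, DROP_ALL]  # specific allows, drop-all last

NVR_TO_INTERNET = pkt("192.168.10.66", "17.188.156.31", 2195)
VPN_TO_NVR = pkt("192.168.50.5", "192.168.10.66", 80)
# The NVR's reply to the VPN client is routed through the USG, so LAN IN sees it as well.
NVR_REPLY_TO_VPN = pkt("192.168.10.66", "192.168.50.5", 51000, state="established")

if __name__ == "__main__":
    for p in (NVR_TO_INTERNET, VPN_TO_NVR, NVR_REPLY_TO_VPN):
        print(p["src"], "->", p["dst"], [evaluate(c, p) for c in (AS_POSTED, MOVED_DOWN, RECOMMENDED)])
```

Same-subnet traffic between 192.168.10.x hosts never reaches the USG, which is why LAN-to-insecure access keeps working whatever the chain looks like.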


hairy1

#2188299 27-Feb-2019 16:47

I've simply disabled the device in insights. Not sure if it was the right thing to do. Still functions correctly on the LAN. Not sure if it was the right thing to do or not though!





My views (except when I am looking out their windows) are not those of my employer.


hairy1

#2188302 27-Feb-2019 16:49

Sorry. Correct terminology is Blocked.







davidcole

#2188318 27-Feb-2019 17:16

hairy1:

I've simply disabled the device in insights. Not sure if it was the right thing to do. Still functions correctly on the LAN. Not sure if it was the right thing to do or not though!



That's another approach. I keep a range of devices in there. But I'm going to move a couple to my IoT network (dodgy Chinese Xiaomi gateways that report your GPS coords, now that I have another way of talking to them).

But at a push I like your idea.






hairy1

#2188333 27-Feb-2019 18:01

I've done it with Dahua cameras. I use Blue Iris and Home Assistant so don't need remote access. I assign them a static IP and block them in insights.

 

I guess a VLAN is a good way to go but not enough time in the day. 

 

Interestingly I couldn't find any info on what blocking *actually* does on Unifi.







davidcole

#2188344 27-Feb-2019 18:25

hairy1:

I've done it with Dahua cameras. I use Blue Iris and Home Assistant so don't need remote access. I assign them a static IP and block them in insights.


I guess a VLAN is a good way to go but not enough time in the day. 


Interestingly I couldn't find any info on what blocking *actually* does on Unifi.



Yeah, I have my Dahua NVR in there as well. Technically I think I can release it as I've flashed it with official English firmware.






davidcole

#2188409 27-Feb-2019 19:30

What is this FW log record telling me?

 

Feb 27 19:25:29 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39466 DF PROTO=TCP SPT=48733 DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0

 

Is this accepted? Or dropped?

 

Does LAN_IN-2005-D mean LAN In rule 2005 and drop? So it's dropping that machine 192.168.10.66 (which is my NVR, the machine I couldn't access from the VPN) going to 17.188.156.31 (which seems to be Apple).

 

Can these logs go into something for dumbed-down users for visualising rules in action? Something like ntop, but for FW rules.







chevrolux

#2188418 27-Feb-2019 19:45

That's a fairly clear log entry.

It's on the 'LAN_IN' chain and matches rule 2005. The packet came in on the eth1 interface and was headed for pppoe2. From there you have the layer 3 info about the IPs and ports involved.

If that rule is a drop rule, then it was dropped.
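As an added example (not from the thread), a small parser for the kernel log format quoted above: it decodes the [CHAIN-RULE-ACTION] prefix, splits the key=value fields, and tallies hits per rule so you can see which rule is firing without a GUI. D = drop is the reading chevrolux gives; the A/R letters for accept/reject, the extra sample lines and the eth1.20 interface are constructed.

```python
import re
from collections import Counter

# D = drop is confirmed in the thread; A = accept and R = reject are assumed by analogy.
ACTION = {"D": "drop", "A": "accept", "R": "reject"}
PREFIX = re.compile(r"\[(?P<chain>[A-Za-z0-9_]+)-(?P<rule>\w+)-(?P<act>[ADR])\]")

def parse_fw_log(line):
    """Split a USG kernel firewall log line into its [CHAIN-RULE-ACTION] prefix and fields."""
    m = PREFIX.search(line)
    if not m:
        return None                         # not a firewall log line
    rec = {"chain": m.group("chain"), "rule": m.group("rule"),
           "action": ACTION[m.group("act")], "flags": []}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key.lower()] = val          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
        else:
            rec["flags"].append(tok)        # bare tokens such as DF or SYN
    for key in ("len", "ttl", "spt", "dpt"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def summarise(lines):
    """Tally hits per (chain, rule, action, src, dst, dpt) to see which rule is firing."""
    tally = Counter()
    for rec in filter(None, map(parse_fw_log, lines)):
        tally[(rec["chain"], rec["rule"], rec["action"],
               rec.get("src"), rec.get("dst"), rec.get("dpt"))] += 1
    return tally

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LINES = [
    "Feb 27 19:25:29 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 "
    "DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39466 DF PROTO=TCP SPT=48733 "
    "DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Feb 27 19:25:31 USG kernel: [LAN_IN-2005-D]IN=eth1 OUT=pppoe2 MAC=234234 SRC=192.168.10.66 "
    "DST=17.188.156.31 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=39467 DF PROTO=TCP SPT=48734 "
    "DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Feb 27 19:25:33 USG kernel: [LAN_IN-2001-A]IN=eth1 OUT=eth1.20 MAC=234234 SRC=192.168.10.20 "
    "DST=192.168.20.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=40000 "
    "DPT=1883 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for key, count in summarise(SAMPLE_LINES).most_common():
        print(count, *key)
```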
