Zone Based Firewalls vs Interface Based

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Zone Based Firewalls vs Interface Based

Earbanean

1110 posts

Uber Geek
+1 received by user: 377

#324382 2-Apr-2026 11:02

I'm just migrating from an old Edgerouter Lite to a new Unifi UCG Ultra. All setup config on the UCG Ultra was pretty quick and easy. The last thing I need to do is the inter-VLAN firewall rules. On the ERL, these were all interface based rules, but I see Unifi do zone based rules (and also interface based?). Has anyone had experience with the Unifi ZBF? Also, what are people's thoughts on the relative merits of the two approaches?

SpartanVXL

1498 posts

Uber Geek
+1 received by user: 666

#3477206 2-Apr-2026 16:04

It add another level for policy based approach. If you don’t need it then you don’t have to use it. Interface based can be sufficient for your needs.

fe31nz

1295 posts

Uber Geek
+1 received by user: 423

#3477417 3-Apr-2026 01:54

ERLs can do zone firewalls too. I have always done my firewalls as zone firewalls in my ERLs and ER4 and my OpenWRT router as I have a relatively complicated network. The tradeoff is that setting up a zone firewall system initially is a bit more work. But later I was able to just add new vlans to the correct zone and that was all I needed to do for a firewall. With per-interface firewalls, you have to do new firewall rules for each interface.

Earbanean

1110 posts

Uber Geek
+1 received by user: 377

#3478391 6-Apr-2026 10:51

Thanks for the replies. I'd assumed that zone based were actually going to be easier - and thought that was one of the reasons they set them up. I might have a play and see how they go.