Yesterday I had the pleasure of setting up my first UDM device. After about a day of testing, I think I’m almost ready to start replacing my pfSense routers. I’m having a bit of trouble understanding something with the zone-based firewall, though.
I have a dual-hub Wireguard site-to-site VPN setup, and those Wireguard tunnels appear in the External zone. I have different firewall rules I want to apply to the tunnels than I do the Internet connections, and I don’t see a way to move these tunnels to a different / custom zone. Is that not possible on Unifi? I want to allow certain RFC1918 subnets to certain applications, but it seems like doing this would also allow those connections if they managed to sneak in the WAN interface. What’s the best practice here?
You cannot move them to another zone, and you need to create rules that block the zones you do not want going there. I cover that in this video at the 20 minute mark.
I wasn’t even thinking about blocking outbound traffic from the guest VLAN - but thank you for that. Right now my concern is that in order to allow traffic from other sites (over the VPN) into the LANs, I have to add an allow policy to the External zone, which also applies to the Internet interface. Yes, I’m limiting the source traffic to the RFC1918 space I expect to be on the other side of the tunnel, but this still feels like a gaping hole to me. Anyone at the ISP could drop a device in the same L2 domain as my router (WAN side) and poke around until finding something open. Even if there wasn’t anyone malicious at the ISP, a compromised ISP device could also be a potential threat. Am I off base here? I’d really appreciate it if someone could quell my concern. Thank you.
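A small model of the concern above, added here as an illustration and not UniFi's own code or behaviour: a first-match, zone-based policy where WireGuard tunnels and the WAN uplink share the External zone. The interface names, zone membership and rule fields are constructed assumptions; it shows that a source-scoped allow on the zone also matches packets arriving on the WAN interface, and that an interface-specific deny placed ahead of it closes that path.

```python
# Constructed model of zone-based policy evaluation (not UniFi's implementation).
from ipaddress import ip_address, ip_network

# Assumed zone membership: WireGuard tunnels share the External zone with the WAN uplink.
ZONES = {"External": {"eth8", "wg0", "wg1"}, "Internal": {"br10", "br20"}}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def zone_of(iface):
    for zone, members in ZONES.items():
        if iface in members:
            return zone
    raise KeyError(iface)

def evaluate(rules, in_iface, out_iface, src):
    """Return the action of the first matching rule; default deny.
    A rule may match on ingress interface, source zone, destination zone
    and a list of source networks; any field left out matches everything."""
    src_ip = ip_address(src)
    for r in rules:
        if r.get("in_iface") and r["in_iface"] != in_iface:
            continue
        if r.get("src_zone") and r["src_zone"] != zone_of(in_iface):
            continue
        if r.get("dst_zone") and r["dst_zone"] != zone_of(out_iface):
            continue
        if r.get("src_nets") and not any(src_ip in n for n in r["src_nets"]):
            continue
        return r["action"]
    return "deny"

# The policy from the question: allow RFC1918 sources from External into Internal.
ALLOW_VPN = {"src_zone": "External", "dst_zone": "Internal",
             "src_nets": RFC1918, "action": "allow"}
# Mitigation: drop private-source packets arriving on the WAN uplink before the zone allow.
DENY_WAN_PRIVATE = {"in_iface": "eth8", "src_nets": RFC1918, "action": "deny"}

def demo():
    """Compare the zone-only policy with the hardened ordering for a remote-site source."""
    open_policy = [ALLOW_VPN]
    hardened = [DENY_WAN_PRIVATE, ALLOW_VPN]
    return {
        "tunnel_open": evaluate(open_policy, "wg0", "br10", "10.20.0.5"),
        "wan_open": evaluate(open_policy, "eth8", "br10", "10.20.0.5"),  # same rule matches WAN side
        "tunnel_hardened": evaluate(hardened, "wg0", "br10", "10.20.0.5"),
        "wan_hardened": evaluate(hardened, "eth8", "br10", "10.20.0.5"),
    }
```

Whether an equivalent interface-scoped deny can be expressed in the UniFi policy editor is something to confirm in the controller; the model only shows the ordering that matters.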
I am not really clear on your concern, as I don’t see a way that a malicious ISP could come into my network that way. Here is my video where I go more in depth with VPN rules.