I have a Ubiquiti Dream Machine SE. I’m working on setting up a VLAN for my publicly exposed web and game servers. I’m calling this VLAN the “DMZ”. The DMZ will be isolated from my private VLAN. The web and game servers will have ports such as 443 and 25565 forwarded from the WAN to the servers in the DMZ. I have configured port 6 on the Dream Machine SE to be dedicated to the DMZ network.
So far I have followed this tutorial (Securing your Unifi network 2022 - YouTube) and made some modifications of my own. Here are all of the rules I’ve added:
- LAN In - Accept - Established / Related
- LAN In - Drop - Invalid State
- LAN In - Drop - From RFC1918 to RFC1918
- LAN Local - Accept - DMZ Network to DMZ Gateway DNS (192.168.3.1 port 53)
- LAN Local - Drop - DMZ Network to All Gateways (192.168.1.1, 192.168.3.1)
With this setup, my servers can still connect to the internet and they can’t ping the NAS on my private VLAN. My DMZ network cannot navigate to the UniFi console webpage either. My PC cannot ping my servers. This is what I was hoping for and it appears to be working.
Now, I have a few questions:
If one of the servers is compromised, are these rules enough to isolate the DMZ network and protect my private VLAN and UniFi gateway? Or is there something more advanced that I’m missing?
Do I need to create any LAN v6 (IPv6) rules? As far as I know, all the rules I’ve created are IPv4. I’m not familiar with IPv6 so I’m not sure what I might be missing.
(slightly unrelated) Does UniFi have a default DROP policy? Does any traffic not matching a rule in Internet or LAN get dropped?