Securing UniFi/Omada/UISP with Cloudflare Zero Trust and pfSense

Hi everyone,

I have been running my own VPS appliances for UniFi, UISP and recently Omada for a few years now. Tom’s video about Cloudflare Zero Trust made me want to use them, instead of using my Pritunl server to get access when I’m not home.

Currently busy migrating from Digital Ocean to Hetzner. Hetzner is cheaper but also provides a bit more freedom when it comes to stuff like pfSense in the cloud.

The issue I’m trying to tackle is making stuff like UniFi, UISP and Omada work with Cloudflare Zero Trust. Accessing the web UI won’t be a problem at all. Making the informs work would be possible too I guess, since it’s HTTP based. But stuff like STUN is gonna be an issue, I assume.

So this leaves me with 2 options:

  • Leave these ports open to the internet and only use the tunnels for the web interface.
  • Find a way to make this more secure.

So I’ve been tinkering with pfSense on a Hetzner VPS and it works quite well. My test UniFi server is being routed through, and doesn’t even need a public IPv4 by itself. As UniFi, Omada and UISP all use different ports, I could use 1 firewall for them, using the same IP.

I’m not really experienced with pfSense, but what can I do to make this more secure? Some restrictions based on Geographical location? Maybe some IPS/IDS? Anything else?

Or maybe this would be a bad idea overall? Perhaps there’s another way to not have any ports open on the controllers?

Really curious what other people think.

Opening the ports directly on the controller will always put you at risk because there is always a chance there is a flaw in the tool, such as the Log4J exploit. You mitigate the risk as best as possible by blocking things with tools but you can never really eliminate the risk. Using pfblocker to filter out TOR sites is a good measure.

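For the two points above (the first post's option of leaving only the controller ports open behind pfSense, and the reply's suggestion of filtering TOR exits with pfBlocker), here is an added example that is not from this thread or from pfSense/pfBlockerNG: it parses a blocklist feed the way a pfBlockerNG alias would, screens a handful of constructed inbound connection attempts against it and against the controller ports the first post mentions (UniFi inform on 8080/tcp, STUN on 3478/udp), and renders the resulting pf table. All addresses are RFC 5737 documentation ranges, the feed contents and connection lines are constructed, and the alias name `pfB_TOR` is assumed.

```python
"""Added example: screen inbound controller traffic against a TOR-exit
blocklist (pfBlockerNG-style alias) and emit the matching pf table.
Not code from the thread, pfSense or pfBlockerNG; all data is constructed."""
import ipaddress

# Constructed stand-in for a TOR-exit feed; real feeds are fetched by pfBlockerNG.
TOR_EXIT_FEED = """
# comment lines and blanks are skipped, like a real feed
203.0.113.0/24
198.51.100.7
"""

# Only the ports the first post wants exposed: UniFi inform and STUN.
CONTROLLER_PORTS = {("tcp", 8080), ("udp", 3478)}

# Constructed inbound attempts, one per line: proto src_ip dst_port
SAMPLE_CONNECTIONS = """
tcp 192.0.2.10 8080
udp 203.0.113.44 3478
tcp 198.51.100.7 8443
udp 192.0.2.10 3478
tcp 192.0.2.99 22
"""


def parse_feed(text):
    """Turn feed lines into ip_network objects, ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_blocklist(src, nets):
    """True if the source address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def decide(proto, src, port, nets):
    """Mirror the intended rule order on the WAN: pfBlocker deny first,
    then pass only the controller ports, default deny for everything else."""
    if in_blocklist(src, nets):
        return "block:tor"
    if (proto, port) in CONTROLLER_PORTS:
        return "pass"
    return "block:default"


def screen(conn_text, feed_text):
    """Evaluate every connection line; returns (src, port, verdict) tuples."""
    nets = parse_feed(feed_text)
    results = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, src, port = parts
        results.append((src, int(port), decide(proto, src, int(port), nets)))
    return results


def pf_table(name, nets):
    """Render a pf.conf table definition (assumed alias name) that pfSense
    would load behind a 'block in quick from <name>' rule."""
    body = " ".join(str(n) for n in nets)
    return f"table <{name}> persist {{ {body} }}"


if __name__ == "__main__":
    for src, port, verdict in screen(SAMPLE_CONNECTIONS, TOR_EXIT_FEED):
        print(f"{src:>16} -> {port:<5} {verdict}")
    print(pf_table("pfB_TOR", parse_feed(TOR_EXIT_FEED)))
```

The ordering in `decide` is the part worth copying into the real rule set: the blocklist deny has to sit above the controller-port pass rule, otherwise a listed source that happens to hit 8080/tcp or 3478/udp still gets through. Everything not explicitly passed stays blocked, which is the default pfSense WAN behaviour anyway.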

I have been a bit busy, but thanks a lot Tom!
Haven’t found time yet to experiment with this, but this sure looks like great info!