UNIFI - devices hitting my public ip for STUN?

I just converted over to UniFi zone-based firewall rules and, in an attempt to block gateways from different VLANs from being able to talk, I put in a block rule that says a VLAN can only talk to its gateway, mDNS and its broadcast.

Everything is working fine, but I noticed a lot of blocked attempts from my UNVR and iPhones trying to hit my public IP address. I used Wireshark and found it was from STUN.

My question is, should I be allowing the devices to hit my public IP for STUN or just leave them blocked? Thanks
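For readers who want to confirm for themselves that a blocked UDP flow is STUN rather than taking a capture on faith, here is an added example (not from the original thread or from Ubiquiti) that classifies UDP payloads by the RFC 5389 STUN header shape and decodes the XOR-MAPPED-ADDRESS attribute, which is the reflexive public address a STUN server hands back. STUN conventionally uses UDP 3478. The packets, private addresses and the 198.51.100.7 / 203.0.113.10 public addresses below are constructed sample data for the example, not values from the thread.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
STUN_PORT = 3478                 # conventional STUN port, UDP
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020      # attribute carrying the NAT-mapped address


@dataclass
class StunInfo:
    msg_type: int
    transaction_id: bytes
    mapped_addr: Optional[str] = None
    mapped_port: Optional[int] = None


def is_stun(payload: bytes) -> bool:
    """Cheap classifier: does this UDP payload have the shape of a STUN message?"""
    if len(payload) < 20:
        return False
    msg_type, length = struct.unpack("!HH", payload[:4])
    if msg_type & 0xC000:                     # top two bits of the type are always zero
        return False
    if struct.unpack("!I", payload[4:8])[0] != MAGIC_COOKIE:
        return False
    # attributes are 4-byte aligned and the length field excludes the 20-byte header
    return length % 4 == 0 and len(payload) == 20 + length


def parse_stun(payload: bytes) -> Optional[StunInfo]:
    """Parse the header and, if present, decode XOR-MAPPED-ADDRESS (IPv4 only)."""
    if not is_stun(payload):
        return None
    msg_type, length = struct.unpack("!HH", payload[:4])
    info = StunInfo(msg_type=msg_type, transaction_id=payload[8:20])
    off, end = 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            xport = struct.unpack("!H", value[2:4])[0]
            xaddr = struct.unpack("!I", value[4:8])[0]
            # port is XORed with the top 16 bits of the cookie, address with the whole cookie
            info.mapped_port = xport ^ (MAGIC_COOKIE >> 16)
            info.mapped_addr = ".".join(str(b) for b in struct.pack("!I", xaddr ^ MAGIC_COOKIE))
        off += 4 + ((alen + 3) & ~3)          # skip value plus padding to 4 bytes
    return info


def build_binding_request(tid: bytes) -> bytes:
    """A minimal Binding Request: header only, no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def build_binding_success(tid: bytes, addr: str, port: int) -> bytes:
    """A Binding Success Response carrying XOR-MAPPED-ADDRESS for addr:port."""
    addr_int = struct.unpack("!I", bytes(int(o) for o in addr.split(".")))[0]
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr_int ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + tid + attr


# Constructed "capture": (src, dst, dst_port, udp_payload). 198.51.100.7 stands in
# for the WAN IP; the first two flows mimic LAN devices hitting it on UDP 3478.
CONSTRUCTED_PACKETS: List[Tuple[str, str, int, bytes]] = [
    ("192.168.10.20", "198.51.100.7", STUN_PORT, build_binding_request(b"\x01" * 12)),
    ("192.168.20.31", "198.51.100.7", STUN_PORT, build_binding_request(b"\x02" * 12)),
    ("192.168.10.20", "192.168.10.1", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),  # DNS
]


def stun_flows(packets) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for every packet whose payload parses as STUN."""
    return [(src, dst, dport) for src, dst, dport, payload in packets if is_stun(payload)]


if __name__ == "__main__":
    for flow in stun_flows(CONSTRUCTED_PACKETS):
        print("STUN flow:", flow)
    resp = parse_stun(build_binding_success(b"\xab" * 12, "203.0.113.10", 40000))
    print("mapped address learned from response:", resp.mapped_addr, resp.mapped_port)
```

The point of decoding the response is to see what the device is actually after: a STUN exchange tells a host its own address as seen from outside the NAT, which is useful for deciding whether a block rule is dropping something the device needs rather than just noise.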

What is the risk you are trying to mitigate against?

I was just trying to keep the networks separate; I didn’t want one VLAN to see the other’s gateway. Prior to zone-based, I would keep lists of gateway IPs and add block rules for each VLAN.

I didn’t like the management of keeping lists of gateway IPs to block, so I used the match-opposite and only specified the gateway, broadcast and mDNS of itself (not my design; someone on Reddit showed me what they did). I didn’t realize how many blocks were going to come through.

Everything is working fine, but I’m curious (and probably overthinking it) as to what’s being blocked and what it’s doing. I was talking to cyber folks at work and they said things typically phone home for telemetry and knowing where they are.

I am assuming I am overdoing it with the block rule and I just want to make sure everything is working properly. Thanks!

Routes get processed before rules, which is why you have to create extra rules for it not to be able to see the other gateways. Since the gateways are all the same device, there is not really any risk being mitigated by blocking the other gateways, which is why I asked.

Thanks for the information. So just blocking management access to the gateway is sufficient? Maybe I am just overthinking it. I didn’t like the other gateways even knowing about my default or other gateway IPs. I’m more concerned about my untrusted networks. Thanks

I find it sufficient. The only thing you gain is a host using something such as ping to go through the RFC1918 list and discovering that other networks exist, which is really low risk.


Thanks for the info. So my current rule, pretty much blocking everything except for gateway, mDNS and broadcast, is a bit overkill, I guess. Since implementation, I saw tons of blocks: STUN, my gateway to 255.255.255.255, etc… Everything seems to work fine, but I’m just curious if I should or shouldn’t be doing it this way.

Thanks again