Unifi Express Firewall rules

Hello everyone,

I hope you all are doing well. I’m not sure if this is possible, but I wanted to ask for your help. Personally, I’ve worked more with pfSense and less with UniFi. Here’s my situation: my friends live in another country and they want to watch some OTT content from our country, so I set up a WireGuard server on UniFi Express for them. Additionally, I have another WireGuard server for my small business, which we use to access a specific software (mandatory, as the software requires a static IP).

I know some may suggest asking my ISP for a static IP for my business, but unfortunately, they don’t offer static IPs. So, the only option I had was to use my home internet’s static IP to access the software using VPN at my business.

Now, here’s my question: I have a 200 Mbps internet plan, and I want to divide the bandwidth in such a way that devices connected locally to the UniFi Express can use up to 70 Mbps, one WireGuard server can use up to 50 Mbps, and the remaining bandwidth can be allocated to the other WireGuard server. Additionally, I want to keep all three networks separate and block access to the software’s IP from other networks.

Has anyone done something similar or can provide some guidance on this? Also, will UniFi Express be able to handle these kinds of rules? The total number of devices, including the VPN server devices, will be fewer than 50 at most.

I don’t know of any way to create rules for the bandwidth limiting as that is not part of their rule creation options. Their firewall & policy routing rules should work for the rest of the setup.


I do have the same question for pfSense. Can I do bandwidth limiting with pfSense?

Yes.


UniFi just added their “Enhanced QoS Rules” for version 9.1 that does have traffic limiters.

https://community.ui.com/releases/UniFi-Network-Application-9-1-118/e7de00f7-fcca-44b4-8d0b-3300d2a6ec51


Oh, great. Now I have to wait for UniFi to release the update for UniFi Express. There haven’t been any updates from UniFi on it for so long. Considering it’s a very low-spec device, let’s see if they’ll even include this feature, or if I’ll need to upgrade.

Hello everyone,

I haven’t set up any QoS rules yet, but what I want to do now is block access for the clients connected to my two WireGuard servers. Specifically, I want to:

Prevent them from accessing the UniFi Console WebUI.

Prevent them from accessing each other.

Prevent them from accessing the home network.

I tried creating firewall rules for this, but they didn’t work.

However, I was able to block access to certain external IPs on the WAN successfully. Here’s what I did:

I created a network object containing the IP addresses of my VPN servers’ subnets.

I used that object to block access to specific business-related software, and that works as expected.

But when I try to use the same network object to block access to the local network and the UniFi WebUI, it doesn’t work.

Can someone help me figure out what I’m missing?

Screenshots attached.

This rule works perfectly fine:

Objects created for the VPN servers’ clients:

But when I create a rule to block local network access on the LAN side, I am still able to ping devices on the local network from my VPN.