Truly at a loss here on where this security policy is failing, or rather why it's failing.
Background: Switched from pfSense to UDM-SE. No hiccups during the migration as I already had a self-hosted UniFi controller. Fast forward, I'm running into two issues.
As part of external monitoring, I ping my WAN address. On pfSense it is as simple as going under your WAN interface: source is my Linode instance, destination is my WAN address. For some reason this is proving extremely difficult on UniFi.
As you can see, it's a simple rule. My Internet is in the External zone. I am allowing ICMP from a specific source. Yet when I check Graylog, I see connection attempts hitting the default deny system rule.
The second issue is my DNATs. I created my DNAT and there is a security rule for this, yet, connection attempts fail from the internet.
EDIT:
I managed to solve the ICMP problem. I believe the zones were EXTERNAL to EXTERNAL, but because it's traffic directed to the firewall itself, it's EXTERNAL to GATEWAY.
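An added example, not part of the thread and not UniFi's own code: a small Python model of how a zone-based firewall picks the zone pair for a flow, which is where the ICMP rule above went wrong. The topology, addresses, zone names and DNAT entry are all constructed assumptions (documentation-range IPs stand in for the WAN address and the Linode host), and the ordering assumption that DNAT is applied before the zone lookup is this model's, not a documented UniFi behaviour. It shows why an External-to-External policy never matches pings aimed at the gateway's own WAN address, and why a port forward is judged as External-to-Internal rather than as traffic to the gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not the poster's real addresses).
WAN_IP = ip_address("203.0.113.10")        # stands in for the UDM WAN address
MONITOR_IP = ip_address("198.51.100.5")    # stands in for the Linode monitoring host

# Interface -> zone, the way a zone-based firewall groups networks.
INTERFACE_ZONE = {"wan": "External", "lan": "Internal", "dmzVPN": "dmzVPN"}
NETWORKS = {ip_network("192.168.1.0/24"): "lan", ip_network("10.99.0.0/24"): "dmzVPN"}
# Addresses the gateway itself answers on; traffic to these targets the firewall,
# not a network behind it.
GATEWAY_ADDRESSES = {WAN_IP, ip_address("192.168.1.1"), ip_address("10.99.0.1")}
# DNAT / port-forward table: (proto, public ip, public port) -> translated destination.
DNAT = {("tcp", WAN_IP, 443): (ip_address("192.168.1.10"), 443)}


def zone_of(ip):
    """Zone of the network an address belongs to; anything unknown is the Internet."""
    for net, iface in NETWORKS.items():
        if ip in net:
            return INTERFACE_ZONE[iface]
    return "External"


def zone_pair(src_iface, dst_ip, proto, dport=None):
    """Return (source zone, destination zone) the firewall evaluates for a flow.

    Model (assumption): DNAT is applied before the zone lookup, so a forwarded
    port is judged against the zone of the translated destination; anything
    else aimed at a gateway-owned address is External -> Gateway, never
    External -> External.
    """
    src_zone = INTERFACE_ZONE[src_iface]
    translated = DNAT.get((proto, dst_ip, dport))
    if translated is not None:
        return src_zone, zone_of(translated[0])
    if dst_ip in GATEWAY_ADDRESSES:
        return src_zone, "Gateway"
    return src_zone, zone_of(dst_ip)


def first_match(policies, src_iface, src_ip, dst_ip, proto, dport=None):
    """Walk an ordered policy list and return the name of the first matching
    rule, or the implicit default deny with the zone pair that was looked up."""
    src_zone, dst_zone = zone_pair(src_iface, dst_ip, proto, dport)
    for policy in policies:
        if (policy["from"], policy["to"]) != (src_zone, dst_zone):
            continue
        if policy["proto"] not in ("any", proto):
            continue
        if policy["src"] is not None and src_ip != policy["src"]:
            continue
        return policy["name"]
    return f"default deny ({src_zone} -> {dst_zone})"


# First attempt: zones chosen as if the WAN address were "out there" on the Internet.
MISPLACED = [
    {"name": "allow-monitor-icmp", "from": "External", "to": "External",
     "proto": "icmp", "src": MONITOR_IP},
]
# Corrected: ICMP to the firewall's own WAN address is External -> Gateway;
# the port forward is External -> Internal.
CORRECTED = [
    {"name": "allow-monitor-icmp", "from": "External", "to": "Gateway",
     "proto": "icmp", "src": MONITOR_IP},
    {"name": "allow-https-forward", "from": "External", "to": "Internal",
     "proto": "tcp", "src": None},
]

if __name__ == "__main__":
    for label, policies in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        print(label, "ping:", first_match(policies, "wan", MONITOR_IP, WAN_IP, "icmp"))
        print(label, "https:", first_match(policies, "wan", ip_address("192.0.2.7"), WAN_IP, "tcp", 443))
```

Running it prints the default-deny zone pair for the misplaced rule set, which is the same thing the Graylog entries were saying: the lookup was External -> Gateway, and no policy existed for that pair.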
Hey Tom, I thought I was clear in my issue description, but nevertheless the problem is solved. I think it was related to the wrong zone placement. So it was a problem between the keyboard and chair.
My setup is a bit more complicated, as the pfSense is in the mix only as a VPN concentrator for the network. Additional zone (dmzVPN) created with some static routing, etc. Needless to say it was the complexity of working through this migration that got me in the end. Just too tired to properly troubleshoot things.
@LTS_Tom The one thing I don't like about UniFi is that every network you create will by default have access to the UniFi controller (UDM in my case), whereas in pfSense there was just the LAN interface that had management access. Other than creating a Block rule for each network, is there a setting that can be enabled on the controller that designates a single interface as the management plane?