UniFi Zone-Based Firewall Wi-Fi Network Device Restrictions

I recently installed a UDM Pro and configured the zone-based firewall with two VLANs: a Secured (Internal) zone and an Unsecured (IoT) zone, each with its own Wi-Fi network.

I have a TrueNAS SCALE server on the Internal network and want to allow access to a shared folder only from specific devices (phones, laptops, PCs) on the Secured Wi-Fi, while allowing internet access for all devices.

Goals:

  1. All Secured Wi-Fi devices → internet access

  2. Only approved devices → file server access

  3. All other devices → blocked from file server

  4. File access still requires user authentication

What is the best practice for implementing this with UniFi’s zone-based firewall?
Should access be controlled using IP-based device groups, MAC-based rules, or another method?

Any guidance is appreciated. Thank you.

Are the approved devices managed by you? If not, it's hard to reliably control them with low effort (not using certificates or RADIUS).

As a low-key solution, I would create an additional zone with its own Wi-Fi network for file server access.

I would put the devices that you approve on the same network as the TrueNAS, as routing storage through the firewall is less ideal. I have a video on how to set up TrueNAS with user permissions here.


Hi Tom, thanks for taking the time to read and reply to my post. Below is the plan I originally came up with, although I like your recommendation better.

My plan was to place the TrueNAS SCALE server in its own network (192.168.50.0/24) within the Secured zone, while keeping all Wi-Fi clients in the existing internal network (192.168.101.0/24). For only the specific devices that should be allowed to access the TrueNAS SMB share, I will create DHCP reservations in UniFi using Fixed IPs (not static IPs configured on the devices) so their addresses remain stable.

I will then create one address group containing only the approved client IPs, another address group for the TrueNAS server IP, and a port group for SMB (TCP 445). Using the new UniFi zone-based firewall format (Secured → Secured), I will create exactly two firewall rules:

  1. An Allow rule permitting TCP 445 from the approved client address group to the TrueNAS server.

  2. A Drop rule blocking all other traffic from any client to the TrueNAS server.

This approach ensures that only selected devices on Wi-Fi can access the shared folder, while all other Wi-Fi clients retain normal internet access and no manual network configuration is required on user devices.

After reading your reply, I will reconsider. Have a good rest of your week. Thank you!

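As an added illustration (this is not code from the thread, from UniFi or from TrueNAS), here is a small first-match policy evaluator in Python that models the two Secured → Secured rules in the plan above and checks the four goals from the opening post. The addresses, group names and the assumption that traffic with no matching rule is allowed (which is what keeps internet access working for the unapproved clients) are assumptions chosen to fit the post, not values taken from a controller. It also exercises two things worth knowing before relying on this design: putting the Drop rule above the Allow rule shadows the Allow, and an unmanaged device that sets an approved address statically is indistinguishable to an IP-based rule, which is the point behind the earlier suggestion of certificates or RADIUS.

```python
# Added example, not from the original post, UniFi or TrueNAS: a first-match
# evaluator for the "allow approved -> TrueNAS:445, drop everything else ->
# TrueNAS" policy. All addresses below are assumed values matching the post's
# subnets (clients on 192.168.101.0/24, TrueNAS on 192.168.50.0/24).
import ipaddress

# --- address and port groups (assumed values) ---------------------------------
APPROVED_CLIENTS = [ipaddress.ip_network(a) for a in
                    ("192.168.101.20/32", "192.168.101.21/32", "192.168.101.22/32")]
TRUENAS = [ipaddress.ip_network("192.168.50.10/32")]   # the TrueNAS address group
SMB_PORTS = {445}                                      # the "SMB" port group (TCP 445)
ANY = []                                               # empty group = match anything


def _in_group(ip, group):
    """True if ip falls in any network of the group; an empty group matches all."""
    return not group or any(ip in net for net in group)


def matches(rule, src, dst, proto, dport):
    """Does one rule match the (src, dst, proto, dport) tuple?"""
    return (_in_group(src, rule["src"])
            and _in_group(dst, rule["dst"])
            and (rule["proto"] is None or rule["proto"] == proto)
            and (not rule["dports"] or dport in rule["dports"]))


def evaluate(rules, src_ip, dst_ip, proto, dport, default="allow"):
    """First matching rule wins. `default` is the zone pair's action when no
    rule matches; default-allow is an assumption that models why the plan
    needs no extra rule for internet access."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule["action"], rule["name"]
    return default, "zone default"


# The two rules from the post, in the order they must be evaluated.
OP_RULES = [
    {"name": "Allow approved clients to TrueNAS SMB", "action": "allow",
     "src": APPROVED_CLIENTS, "dst": TRUENAS, "proto": "tcp", "dports": SMB_PORTS},
    {"name": "Drop all other traffic to TrueNAS", "action": "drop",
     "src": ANY, "dst": TRUENAS, "proto": None, "dports": set()},
]

NAS = "192.168.50.10"
APPROVED_IP = "192.168.101.20"
OTHER_IP = "192.168.101.77"          # a Secured Wi-Fi client without a reservation
SPOOFED_IP = APPROVED_IP             # an unmanaged device that set this address statically


def check_policy(rules):
    """Decisions for the cases the post cares about, plus the spoofing caveat."""
    return {
        "approved->smb":   evaluate(rules, APPROVED_IP, NAS, "tcp", 445)[0],
        "other->smb":      evaluate(rules, OTHER_IP, NAS, "tcp", 445)[0],
        "other->internet": evaluate(rules, OTHER_IP, "203.0.113.5", "tcp", 443)[0],
        # Only TCP 445 is opened, so SSH or the NAS web UI stays closed even for approved hosts.
        "approved->ssh":   evaluate(rules, APPROVED_IP, NAS, "tcp", 22)[0],
        # An IP-based rule cannot tell a reserved address from a statically spoofed one.
        "spoofed->smb":    evaluate(rules, SPOOFED_IP, NAS, "tcp", 445)[0],
    }


def allow_shadowed(rules):
    """True when the rule order breaks the design: approved hosts lose SMB access."""
    return evaluate(rules, APPROVED_IP, NAS, "tcp", 445)[0] != "allow"


if __name__ == "__main__":
    for case, verdict in check_policy(OP_RULES).items():
        print(f"{case:18} {verdict}")
    print("correct order shadows allow:", allow_shadowed(OP_RULES))
    print("reversed order shadows allow:", allow_shadowed(list(reversed(OP_RULES))))
```

The "spoofed->smb" case returning allow is the reason the IP-based design only holds for devices the owner controls; for unmanaged devices the address is just a claim the client makes. SMB user authentication on TrueNAS (goal 4) remains the layer that actually identifies a person, and the firewall rule only narrows which hosts get to attempt it.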

Hi gaijin. Thanks for your reply and recommendation! That is a good option as well.
