# UDM Pro Firewall Manual Configuration Guide

**Last Updated:** 2025-01-20

**Status:** Active Documentation

**Purpose:** Manual configuration guide for firewall rules that cannot be automated via API

---

## Overview

This guide provides step-by-step instructions for configuring firewall rules via the UniFi Network web interface. Some firewall rules (particularly those with overlapping source/destination networks) cannot be automated via the API and require manual configuration.

---

## Accessing Firewall Configuration

1. Open a web browser and navigate to: `https://192.168.0.1`
2. Log in with your admin account
3. Navigate to **Settings** → **Firewall & Security** → **Firewall Rules** (or **Traffic Rules**)

---

## Sovereign Tenant Isolation (VLANs 200-203)

### Goal

Block east-west traffic between sovereign tenant VLANs (200-203) to ensure complete isolation between tenants.

### Configuration Steps

1. **Navigate to Firewall Rules:**
   - Go to **Settings** → **Firewall & Security** → **Firewall Rules**
   - Click **Create New Rule** or **Add Rule**

2.
   **Create Block Rule for Each Pair:**

   Since the API doesn't support overlapping network blocks, create individual rules for each direction:

   **Rule 1: Block VLAN 200 → VLANs 201-203**
   - **Name:** `Block VLAN 200 to Sovereign Tenants`
   - **Action:** Block
   - **Protocol:** All (or specific protocols as needed)
   - **Source Type:** Network
   - **Source Network:** PHX-SOV-SMOM (VLAN 200)
   - **Destination Type:** Network
   - **Destination Networks:**
     - PHX-SOV-ICCC (VLAN 201)
     - PHX-SOV-DBIS (VLAN 202)
     - PHX-SOV-AR (VLAN 203)
   - **Priority/Order:** Set appropriate priority (higher priority = evaluated first)

   **Rule 2: Block VLAN 201 → VLANs 200, 202-203**
   - **Name:** `Block VLAN 201 to Sovereign Tenants`
   - **Action:** Block
   - **Source Network:** PHX-SOV-ICCC (VLAN 201)
   - **Destination Networks:** PHX-SOV-SMOM, PHX-SOV-DBIS, PHX-SOV-AR
   - (Repeat for VLANs 202 and 203)

   **Alternative:** Create bidirectional rules (if the UI supports it):
   - Block VLAN 200 ↔ VLAN 201
   - Block VLAN 200 ↔ VLAN 202
   - Block VLAN 200 ↔ VLAN 203
   - Block VLAN 201 ↔ VLAN 202
   - Block VLAN 201 ↔ VLAN 203
   - Block VLAN 202 ↔ VLAN 203

3. **Set Rule Priority:**
   - Ensure block rules have higher priority than allow rules
   - Block rules should be evaluated before general allow rules
   - Typical priority order:
     1. Block rules (highest priority)
     2. Management access rules
     3. Monitoring rules
     4. Default allow/deny (lowest priority)

4. **Enable Rules:**
   - Enable each rule after creation
   - Rules are typically enabled by default when created

5.
   **Verify Configuration:**
   - Review all rules in the firewall rules list
   - Verify rule order/priority
   - Test connectivity between VLANs to confirm isolation

---

## Additional Firewall Rules

### Management VLAN Access (if not automated)

If the management VLAN access rules were not created via API, configure manually:

**Rule: Allow Management VLAN → Service VLANs**
- **Name:** `Allow Management to Service VLANs`
- **Action:** Allow
- **Protocol:** TCP
- **Source Network:** MGMT-LAN (VLAN 11)
- **Destination Networks:** All service VLANs
- **Destination Ports:** 22 (SSH), 443 (HTTPS), 5432 (PostgreSQL), 8080 (Admin consoles), etc.
- **Priority:** Medium (after block rules, before default)

### Monitoring Access (if not automated)

**Rule: Allow Service VLANs → Management VLAN (Monitoring)**
- **Name:** `Allow Monitoring to Management`
- **Action:** Allow
- **Protocol:** TCP, UDP
- **Source Networks:** All service VLANs
- **Destination Network:** MGMT-LAN (VLAN 11)
- **Destination Ports:** 161 (SNMP), 9090-9091 (Prometheus), etc.
- **Priority:** Medium

---

## Rule Priority Guidelines

Firewall rules are evaluated in order of priority. Recommended priority order:

1. **Block Rules (Priority 100-199)**
   - Sovereign tenant isolation
   - Other security blocks
   - Highest priority
2. **Management Access (Priority 10-19)**
   - Management VLAN → Service VLANs
   - Critical administrative access
3. **Monitoring Access (Priority 20-29)**
   - Service VLANs → Management VLAN
   - Monitoring and logging
4. **Default Rules (Priority 1000+)**
   - Default allow/deny rules
   - Lowest priority

---

## Verification

After configuring firewall rules:

1. **Review Rule List:**
   - Verify all rules are created and enabled
   - Check rule priorities/order
   - Confirm source/destination networks are correct

2. **Test Connectivity:**
   - Test connectivity between VLANs that should be blocked
   - Verify blocked VLANs cannot communicate
   - Confirm allowed VLANs can communicate as expected

3.
   **Monitor Logs:**
   - Check firewall logs for blocked connections
   - Verify rules are being applied correctly
   - Monitor for any unexpected blocks

---

## Network IDs Reference

For reference, here are the network IDs for key VLANs:

- **VLAN 11 (MGMT-LAN):** `5797bd48-6955-4a7c-8cd0-72d8106d3ab2`
- **VLAN 200 (PHX-SOV-SMOM):** `581333cb-e5fb-4729-9b75-d2a35a4ca119`
- **VLAN 201 (PHX-SOV-ICCC):** `6b07cb44-c931-445e-849c-f22515ab3223`
- **VLAN 202 (PHX-SOV-DBIS):** `e8c6c524-b4c5-479e-93f8-780a89b0c4d2`
- **VLAN 203 (PHX-SOV-AR):** `750d95fb-4f2a-4370-b9d1-b29455600e1b`

---

## Troubleshooting

### Rules Not Working

- **Check Rule Priority:** Ensure block rules have higher priority than allow rules
- **Verify Rule Order:** Rules are evaluated top-to-bottom in some interfaces
- **Check Rule Status:** Ensure rules are enabled
- **Review Logs:** Check firewall logs for blocked/allowed connections

### Connectivity Issues

- **Test Each Rule:** Disable rules one-by-one to identify problematic rules
- **Check Default Rules:** Ensure default allow/deny rules aren't overriding your rules
- **Verify Networks:** Confirm source/destination networks are correct
- **Protocol Matching:** Ensure protocol filters match the traffic type

---

## Related Documentation

- [UDM_PRO_API_FIREWALL_ENDPOINTS.md](./UDM_PRO_API_FIREWALL_ENDPOINTS.md) - Firewall API endpoints
- [UDM_PRO_FIREWALL_API_LIMITATIONS.md](./UDM_PRO_FIREWALL_API_LIMITATIONS.md) - API limitations
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status and remaining tasks

---

**Last Updated:** 2025-01-20
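The two points this guide keeps returning to, that every ordered pair of sovereign VLANs needs its own block rule (Configuration Step 2) and that an allow rule evaluated ahead of the block rules silently defeats them (Rule Priority Guidelines, Troubleshooting), can be checked before touching the UI with a small first-match model of the ruleset. The following Python is an added example, not part of this guide and not UniFi code. It assumes the evaluation order the Troubleshooting section describes (top-to-bottom, first match wins, default action otherwise); the subnets are constructed, since the guide names the VLANs but gives no CIDRs; and the "Allow HTTPS between all VLANs" rule is a constructed misordering used only to show what a leak looks like.

```python
"""First-match model of the ruleset in this guide (added example, not UniFi code).

Rules are evaluated top-to-bottom, first match wins, as the Troubleshooting
section describes; the default action applies when nothing matches.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import permutations

# Constructed subnet assumptions: the guide names these VLANs but gives no CIDRs.
VLANS = {
    "MGMT-LAN": ipaddress.ip_network("10.0.11.0/24"),       # VLAN 11
    "PHX-SOV-SMOM": ipaddress.ip_network("10.0.200.0/24"),  # VLAN 200
    "PHX-SOV-ICCC": ipaddress.ip_network("10.0.201.0/24"),  # VLAN 201
    "PHX-SOV-DBIS": ipaddress.ip_network("10.0.202.0/24"),  # VLAN 202
    "PHX-SOV-AR": ipaddress.ip_network("10.0.203.0/24"),    # VLAN 203
}
SOVEREIGN = ["PHX-SOV-SMOM", "PHX-SOV-ICCC", "PHX-SOV-DBIS", "PHX-SOV-AR"]


@dataclass
class Rule:
    name: str
    action: str                                   # "block" or "allow"
    src: list                                     # source network names
    dst: list                                     # destination network names
    protocols: set = field(default_factory=set)   # empty = all protocols
    ports: set = field(default_factory=set)       # empty = any destination port

    def matches(self, src_ip, dst_ip, proto, port):
        if self.protocols and proto not in self.protocols:
            return False
        if self.ports and port not in self.ports:
            return False
        return (any(src_ip in VLANS[n] for n in self.src)
                and any(dst_ip in VLANS[n] for n in self.dst))


def sovereign_block_rules():
    """One directional block rule per sovereign VLAN (Configuration Step 2)."""
    return [Rule(f"Block {src} to Sovereign Tenants", "block",
                 [src], [v for v in SOVEREIGN if v != src])
            for src in SOVEREIGN]


def management_rules():
    """The two allow rules from 'Additional Firewall Rules'."""
    return [
        Rule("Allow Management to Service VLANs", "allow", ["MGMT-LAN"], SOVEREIGN,
             {"tcp"}, {22, 443, 5432, 8080}),
        Rule("Allow Monitoring to Management", "allow", SOVEREIGN, ["MGMT-LAN"],
             {"tcp", "udp"}, {161, 9090, 9091}),
    ]


# Constructed misordering for the demo: a broad allow rule that, if placed
# above the block rules, matches tenant-to-tenant HTTPS before any block does.
BROAD_ALLOW = Rule("Allow HTTPS between all VLANs (constructed)", "allow",
                   list(VLANS), list(VLANS), {"tcp"}, {443})

PROBES = [("tcp", 443), ("tcp", 22), ("udp", 161)]   # flows tested per VLAN pair


def evaluate(rules, src_ip, dst_ip, proto, port, default="allow"):
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return default, "default"


def isolation_report(rules):
    """Every ordered sovereign pair must be blocked for every probe.

    Returns the leaks as (src_vlan, dst_vlan, proto, port, rule that allowed it).
    """
    leaks = []
    for a, b in permutations(SOVEREIGN, 2):
        src_ip, dst_ip = VLANS[a][10], VLANS[b][10]   # arbitrary host in each VLAN
        for proto, port in PROBES:
            action, name = evaluate(rules, src_ip, dst_ip, proto, port)
            if action != "block":
                leaks.append((a, b, proto, port, name))
    return leaks


if __name__ == "__main__":
    correct = sovereign_block_rules() + management_rules()
    print("block rules first:", len(isolation_report(correct)), "leaks")
    misordered = [BROAD_ALLOW] + correct
    for leak in isolation_report(misordered):
        print("LEAK", *leak)
```

With the block rules on top the report is empty and management and monitoring flows still pass; moving the broad allow rule above them produces twelve leaks (all 4 × 3 ordered tenant pairs on TCP/443), each attributed to the rule that let it through, which is the same question the "Review Logs" and "Check Rule Priority" troubleshooting items ask you to answer by hand.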