proxmox/docs/04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md

UDM Pro Firewall Manual Configuration Guide

Last Updated: 2025-01-20
Status: Active Documentation
Purpose: Manual configuration guide for firewall rules that cannot be automated via API


Overview

This guide provides step-by-step instructions for configuring firewall rules via the UniFi Network web interface. Some firewall rules (particularly those with overlapping source/destination networks) cannot be automated via the API and require manual configuration.


Accessing Firewall Configuration

  1. Open web browser and navigate to: https://192.168.0.1
  2. Log in with your admin account
  3. Navigate to Settings → Firewall & Security → Firewall Rules (or Traffic Rules)

Sovereign Tenant Isolation (VLANs 200-203)

Goal

Block east-west traffic between sovereign tenant VLANs (200-203) to ensure complete isolation between tenants.

Configuration Steps

  1. Navigate to Firewall Rules:

    • Go to Settings → Firewall & Security → Firewall Rules
    • Click Create New Rule or Add Rule
  2. Create Block Rule for Each Pair:

    Since the API doesn't support overlapping network blocks, create individual rules for each direction:

    Rule 1: Block VLAN 200 → VLANs 201-203

    • Name: Block VLAN 200 to Sovereign Tenants
    • Action: Block
    • Protocol: All (or specific protocols as needed)
    • Source Type: Network
    • Source Network: PHX-SOV-SMOM (VLAN 200)
    • Destination Type: Network
    • Destination Networks:
      • PHX-SOV-ICCC (VLAN 201)
      • PHX-SOV-DBIS (VLAN 202)
      • PHX-SOV-AR (VLAN 203)
    • Priority/Order: Set appropriate priority (higher priority = evaluated first)

    Rule 2: Block VLAN 201 → VLANs 200, 202-203

    • Name: Block VLAN 201 to Sovereign Tenants
    • Action: Block
    • Source Network: PHX-SOV-ICCC (VLAN 201)
    • Destination Networks: PHX-SOV-SMOM, PHX-SOV-DBIS, PHX-SOV-AR
    • (Repeat for VLANs 202 and 203)

    Alternative: Create bidirectional rules (if the UI supports it):

    • Block VLAN 200 ↔ VLAN 201
    • Block VLAN 200 ↔ VLAN 202
    • Block VLAN 200 ↔ VLAN 203
    • Block VLAN 201 ↔ VLAN 202
    • Block VLAN 201 ↔ VLAN 203
    • Block VLAN 202 ↔ VLAN 203
  3. Set Rule Priority:

    • Ensure block rules have higher priority than allow rules
    • Block rules should be evaluated before general allow rules
    • Typical priority order:
      1. Block rules (highest priority)
      2. Management access rules
      3. Monitoring rules
      4. Default allow/deny (lowest priority)
  4. Enable Rules:

    • Enable each rule after creation
    • Rules are typically enabled by default when created
  5. Verify Configuration:

    • Review all rules in the firewall rules list
    • Verify rule order/priority
    • Test connectivity between VLANs to confirm isolation

Additional Firewall Rules

Management VLAN Access (if not automated)

If the management VLAN access rules were not created via API, configure manually:

Rule: Allow Management VLAN → Service VLANs

  • Name: Allow Management to Service VLANs
  • Action: Allow
  • Protocol: TCP
  • Source Network: MGMT-LAN (VLAN 11)
  • Destination Networks: All service VLANs
  • Destination Ports: 22 (SSH), 443 (HTTPS), 5432 (PostgreSQL), 8080 (Admin consoles), etc.
  • Priority: Medium (after block rules, before default)

Monitoring Access (if not automated)

Rule: Allow Service VLANs → Management VLAN (Monitoring)

  • Name: Allow Monitoring to Management
  • Action: Allow
  • Protocol: TCP, UDP
  • Source Networks: All service VLANs
  • Destination Network: MGMT-LAN (VLAN 11)
  • Destination Ports: 161 (SNMP), 9090-9091 (Prometheus), etc.
  • Priority: Medium

Rule Priority Guidelines

Firewall rules are evaluated in order of priority. Recommended priority order:

  1. Block Rules (Priority 100-199)

    • Sovereign tenant isolation
    • Other security blocks
    • Highest priority
  2. Management Access (Priority 10-19)

    • Management VLAN → Service VLANs
    • Critical administrative access
  3. Monitoring Access (Priority 20-29)

    • Service VLANs → Management VLAN
    • Monitoring and logging
  4. Default Rules (Priority 1000+)

    • Default allow/deny rules
    • Lowest priority
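The following is an added example, not part of the original guide or its automation tooling: a small first-match simulator that models the per-VLAN block rules from the Configuration Steps above and the priority ordering from these guidelines, so the "block before allow" invariant can be checked before touching the UDM Pro UI. The evaluation model (lower priority number is evaluated first, first match decides, everything else falls to a default) and the rule/VLAN data structures are assumptions made for this example; the VLAN labels follow the guide.

```python
from dataclasses import dataclass
from itertools import permutations

# VLAN labels from the guide; the evaluation model (lowest priority number
# wins, first match decides) is an assumption made for this example.
SOVEREIGN = {200: "PHX-SOV-SMOM", 201: "PHX-SOV-ICCC",
             202: "PHX-SOV-DBIS", 203: "PHX-SOV-AR"}
MGMT_VLAN = 11  # MGMT-LAN

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "block" or "allow"
    src: frozenset         # source VLAN ids the rule matches
    dst: frozenset         # destination VLAN ids the rule matches
    priority: int          # lower number = evaluated first (assumption)

def tenant_isolation_rules(base_priority=100):
    """One directional block rule per sovereign VLAN (Rule 1, Rule 2, ...)."""
    rules = []
    for i, src in enumerate(sorted(SOVEREIGN)):
        others = frozenset(v for v in SOVEREIGN if v != src)
        rules.append(Rule(f"Block VLAN {src} to Sovereign Tenants", "block",
                          frozenset({src}), others, base_priority + i))
    return rules

def management_rules():
    """Allow MGMT-LAN -> service VLANs, as in the 'Management VLAN Access' rule."""
    return [Rule("Allow Management to Service VLANs", "allow",
                 frozenset({MGMT_VLAN}), frozenset(SOVEREIGN), 10)]

def evaluate(rules, src_vlan, dst_vlan, default="block"):
    """Action of the first matching rule in priority order, else the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if src_vlan in rule.src and dst_vlan in rule.dst:
            return rule.action
    return default

def isolation_violations(rules):
    """Ordered tenant pairs (src, dst) that the rule set would let through."""
    return [(a, b) for a, b in permutations(SOVEREIGN, 2)
            if evaluate(rules, a, b) != "block"]

if __name__ == "__main__":
    good = tenant_isolation_rules() + management_rules()
    print("violations with correct order:", isolation_violations(good))
    # A broad allow rule placed ahead of the block rules defeats isolation.
    bad = good + [Rule("Allow Any to Any", "allow", frozenset(SOVEREIGN | {MGMT_VLAN}),
                       frozenset(SOVEREIGN | {MGMT_VLAN}), 5)]
    print("violations when allow outranks block:", len(isolation_violations(bad)))
```

Running it shows an empty violation list when the block rules sit ahead of the management allow rule, and all 12 ordered tenant pairs as violations once a broad allow rule outranks them, which is exactly the misordering the Troubleshooting section tells you to check for.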

Verification

After configuring firewall rules:

  1. Review Rule List:

    • Verify all rules are created and enabled
    • Check rule priorities/order
    • Confirm source/destination networks are correct
  2. Test Connectivity:

    • Test connectivity between VLANs that should be blocked
    • Verify blocked VLANs cannot communicate
    • Confirm allowed VLANs can communicate as expected
  3. Monitor Logs:

    • Check firewall logs for blocked connections
    • Verify rules are being applied correctly
    • Monitor for any unexpected blocks

Network IDs Reference

For reference, here are the network IDs for key VLANs:

  • VLAN 11 (MGMT-LAN): 5797bd48-6955-4a7c-8cd0-72d8106d3ab2
  • VLAN 200 (PHX-SOV-SMOM): 581333cb-e5fb-4729-9b75-d2a35a4ca119
  • VLAN 201 (PHX-SOV-ICCC): 6b07cb44-c931-445e-849c-f22515ab3223
  • VLAN 202 (PHX-SOV-DBIS): e8c6c524-b4c5-479e-93f8-780a89b0c4d2
  • VLAN 203 (PHX-SOV-AR): 750d95fb-4f2a-4370-b9d1-b29455600e1b

Troubleshooting

Rules Not Working

  • Check Rule Priority: Ensure block rules have higher priority than allow rules
  • Verify Rule Order: Rules are evaluated top-to-bottom in some interfaces
  • Check Rule Status: Ensure rules are enabled
  • Review Logs: Check firewall logs for blocked/allowed connections

Connectivity Issues

  • Test Each Rule: Disable rules one-by-one to identify problematic rules
  • Check Default Rules: Ensure default allow/deny rules aren't overriding your rules
  • Verify Networks: Confirm source/destination networks are correct
  • Protocol Matching: Ensure protocol filters match the traffic type

