proxmox/docs/04-configuration/UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


UDM Pro Zone-Based Firewall Guide

Last Updated: 2026-01-13
Status: Zone-Based Firewall Active


Overview

Zone-Based Firewall simplifies firewall management by grouping network areas into zones, allowing broader policies instead of numerous individual rules. This reduces complexity, enhances security, and eases traffic monitoring and management.

Migration Date: January 13, 2026 at 14:15
Backup: An automatic backup was created prior to migration, allowing for restoration if needed.


Zone Concepts

Key Rules

  1. Single Zone Assignment:

    • Networks can only be placed in a single zone
    • A network cannot belong to multiple zones simultaneously
  2. Default Zone Policies:

    • Newly created zones are blocked from accessing all other zones except:
      • External zone
      • Gateway zone
    • This provides additional segmentation for security
  3. Zone-Based Policies:

    • Policies are defined between zone pairs (Source Zone → Destination Zone)
    • Rules apply to all networks within each zone
    • Simplifies management compared to individual network rules

Available Zones

Internal Zone

Purpose: Internal/trusted networks

Networks in Internal Zone:

  • Default (192.168.0.0/24)
  • MGMT-LAN (VLAN 11 - 192.168.11.0/24)
  • BESU-VAL (VLAN 110)
  • BESU-SEN (VLAN 111)
  • BESU-RPC (VLAN 112)
  • BLOCKSCOUT (VLAN 120)
  • CACTI (VLAN 121)
  • +12 additional networks

Policies:

  • Internal → Internal: Allow All
  • Internal → External: Allow All (2 rules)
  • Internal → Gateway: Allow All (2 rules)
  • Internal → VPN: Allow All
  • Internal → Hotspot: Allow All
  • Internal → DMZ: Allow All

External Zone

Purpose: Internet/external networks

Policies:

  • External → Internal: Allow Return (3 rules)
  • External → External: Allow Return (3 rules)
  • External → Gateway: Allow Return (7 rules)
  • External → VPN: Allow Return (3 rules)
  • External → Hotspot: Allow Return (3 rules)
  • External → DMZ: Allow Return (3 rules)

Gateway Zone

Purpose: Gateway/router interfaces

Policies:

  • Gateway → Internal: Allow All
  • Gateway → External: Allow All
  • Gateway → VPN: Allow All
  • Gateway → Hotspot: Allow All
  • Gateway → DMZ: Allow All

VPN Zone

Purpose: VPN connections

Policies:

  • VPN → Internal: Allow All (2 rules)
  • VPN → External: Allow All (2 rules)
  • VPN → Gateway: Allow All
  • VPN → VPN: Allow All
  • VPN → Hotspot: Allow All
  • VPN → DMZ: Allow All

Hotspot Zone

Purpose: Guest/hotspot networks

Policies:

  • Hotspot → Internal: Allow Return
  • Hotspot → External: Allow All (2 rules)
  • Hotspot → Gateway: Allow Return
  • Hotspot → VPN: Allow Return
  • Hotspot → Hotspot: Block All
  • Hotspot → DMZ: Block All

DMZ Zone

Purpose: Demilitarized zone networks

Policies:

  • DMZ → Internal: Allow Return
  • DMZ → External: Allow All (2 rules)
  • DMZ → Gateway: Allow Return
  • DMZ → VPN: Allow Return
  • DMZ → Hotspot: Block All
  • DMZ → DMZ: Block All

Creating New Zones

When to Create a New Zone

Create a new zone when you need:

  • Additional segmentation beyond the default zones
  • Stricter isolation for specific networks
  • Custom security policies for a group of networks

Default Behavior of New Zones

When you create a new zone, it starts with the following policies:

  • It can access the External zone (internet access)
  • It can access the Gateway zone (router access)
  • It is blocked from all other zones by default
  • You must explicitly create policies to allow access to any other zone

Creating a Zone

  1. Access UniFi Network Web Interface:

    • URL: https://192.168.0.1
    • Navigate to: Settings → Firewall & Security → Zones
  2. Create New Zone:

    • Click Create Zone
    • Enter zone name (e.g., "Isolated", "Sensitive", "Production")
    • Add networks/interfaces to the zone
    • Save zone
  3. Configure Zone Policies:

    • Go to Zone Matrix or Firewall Policies
    • Create policies for the new zone:
      • New Zone → Internal (if needed)
      • New Zone → Other zones (as required)
    • Set appropriate actions (Allow/Block)

Zone Matrix

The Zone Matrix shows all policies between zone pairs. Click on any zone pair to filter the Firewall Policies below.

Current Zone Matrix:

| Source Zone | Destination Zone | Policy                  |
|-------------|------------------|-------------------------|
| Internal    | Internal         | Allow All               |
| Internal    | External         | Allow All (2 rules)     |
| Internal    | Gateway          | Allow All (2 rules)     |
| Internal    | VPN              | Allow All               |
| Internal    | Hotspot          | Allow All               |
| Internal    | DMZ              | Allow All               |
| External    | Internal         | Allow Return (3 rules)  |
| External    | External         | Allow Return (3 rules)  |
| External    | Gateway          | Allow Return (7 rules)  |
| External    | VPN              | Allow Return (3 rules)  |
| External    | Hotspot          | Allow Return (3 rules)  |
| External    | DMZ              | Allow Return (3 rules)  |
| Gateway     | Internal         | Allow All               |
| Gateway     | External         | Allow All               |
| Gateway     | Gateway          | (no policy)             |
| Gateway     | VPN              | Allow All               |
| Gateway     | Hotspot          | Allow All               |
| Gateway     | DMZ              | Allow All               |
| VPN         | Internal         | Allow All (2 rules)     |
| VPN         | External         | Allow All (2 rules)     |
| VPN         | Gateway          | Allow All               |
| VPN         | VPN              | Allow All               |
| VPN         | Hotspot          | Allow All               |
| VPN         | DMZ              | Allow All               |
| Hotspot     | Internal         | Allow Return            |
| Hotspot     | External         | Allow All (2 rules)     |
| Hotspot     | Gateway          | Allow Return            |
| Hotspot     | VPN              | Allow Return            |
| Hotspot     | Hotspot          | Block All               |
| Hotspot     | DMZ              | Block All               |
| DMZ         | Internal         | Allow Return            |
| DMZ         | External         | Allow All (2 rules)     |
| DMZ         | Gateway          | Allow Return            |
| DMZ         | VPN              | Allow Return            |
| DMZ         | Hotspot          | Block All               |
| DMZ         | DMZ              | Block All               |
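The zone matrix above and the default behaviour of newly created zones, expressed as a small policy evaluator you can use to audit which zones may open connections into another (added example, not part of this guide or of UniFi's software). It assumes that "Allow Return" passes only reply traffic of connections the destination zone initiated, and that any zone pair without an explicit policy is blocked, as the troubleshooting section states.

```python
"""Evaluator for the UDM Pro zone matrix documented on this page.
Added example, not UniFi or UDM Pro code; it only models the policy table."""

ZONES = ("Internal", "External", "Gateway", "VPN", "Hotspot", "DMZ")

# One row per source zone, columns in ZONES order, transcribed from the page's
# Zone Matrix (rule counts omitted). Codes:
#   A = Allow All, R = Allow Return, B = Block All, - = no policy.
_MATRIX_ROWS = {
    "Internal": "AAAAAA",
    "External": "RRRRRR",
    "Gateway":  "AA-AAA",
    "VPN":      "AAAAAA",
    "Hotspot":  "RARRBB",
    "DMZ":      "RARRBB",
}
_CODE_NAMES = {"A": "Allow All", "R": "Allow Return", "B": "Block All", "-": "(no policy)"}

ZONE_MATRIX = {
    (src, dst): _CODE_NAMES[code]
    for src, row in _MATRIX_ROWS.items()
    for dst, code in zip(ZONES, row)
}


def policy(src: str, dst: str) -> str:
    """Policy for a zone pair. Pairs absent from the matrix (e.g. a newly
    created zone) follow the page's stated default: the new zone may reach
    External and Gateway; every other unpolicied pair is treated as blocked
    (assumption: modelled here as Block All)."""
    if (src, dst) in ZONE_MATRIX:
        return ZONE_MATRIX[(src, dst)]
    if dst in ("External", "Gateway"):
        return "Allow All"
    return "Block All"


def flow_allowed(src: str, dst: str, established: bool = False) -> bool:
    """Whether a packet from src zone to dst zone passes. Allow Return passes
    only packets of a connection the destination zone initiated
    (established=True); Block All and the unpolicied Gateway->Gateway pair
    pass nothing."""
    p = policy(src, dst)
    if p == "Allow All":
        return True
    if p == "Allow Return":
        return established
    return False


def initiators_into(dst: str) -> list:
    """Zones that can open new connections into dst: the check to run after a
    migration to confirm guest and DMZ zones cannot initiate into Internal."""
    return sorted(z for z in ZONES if flow_allowed(z, dst, established=False))
```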

Troubleshooting Zone-Based Firewall

Issue: Networks in Same Zone Cannot Communicate

Possible Causes:

  1. Routing issue (not firewall/zone issue)

    • Check routing configuration
    • Verify inter-VLAN routing is enabled
    • Check static routes if needed
  2. Network not in expected zone

    • Verify network zone assignment
    • Check if network was moved to different zone
  3. Custom firewall rules blocking traffic

    • Check ACL rules with higher priority
    • Review firewall policy order

Issue: Networks in Different Zones Cannot Communicate

Expected Behavior:

  • If zones don't have explicit policies, traffic is blocked
  • New zones are blocked from all zones except External and Gateway by default

Solution:

  1. Check Zone Matrix for policy between zones
  2. Create firewall policy if needed:
    • Source Zone → Destination Zone
    • Set action: Allow or Block
    • Configure protocol/port filters if needed

Issue: Cannot Access External/Internet

Check:

  1. Zone has policy to External zone
  2. External zone policy allows return traffic
  3. No higher-priority blocking rules
  4. Routing configuration is correct

Best Practices

  1. Zone Planning:

    • Plan zones before creating networks
    • Group networks with similar security requirements
    • Keep zone count manageable
  2. Zone Policies:

    • Use "Allow All" for trusted zones (Internal)
    • Use "Allow Return" for external/guest zones
    • Use "Block All" for isolated zones
  3. Documentation:

    • Document which networks are in which zones
    • Document zone policies and their purposes
    • Keep zone matrix updated
  4. Testing:

    • Test connectivity after zone changes
    • Verify policies work as expected
    • Check routing in addition to firewall policies

Migration and Backup

Migration Date: January 13, 2026 at 14:15

Backup:

  • Automatic backup created prior to migration
  • Can restore previous configuration if needed
  • Access via: Settings → System → Backup & Restore

Restoration:

  • If zone-based firewall causes issues, restore from backup
  • Backup includes pre-migration firewall rules
  • Restoration will revert to rule-based firewall
