@coltenkrauter
Last active September 12, 2023 17:54
This guide provides a detailed step-by-step walkthrough to help you enhance network security by blocking traffic between VLANs on Unifi routers including UDM, UDM-SE, and the Dream Router. Follow these guidelines to create an IP group representing the internal IP ranges according to RFC1918 and configure firewall rules that prioritize blocking t…

Blocking Traffic Between VLANs on Unifi Router (UDM, UDM-SE, Dream Router)

Greetings, network enthusiasts! Today, we are set to embark on an essential task: enhancing the security of your network by blocking traffic between VLANs on Unifi routers such as UDM, UDM-SE, and the Dream Router. Join us as we delve into the nuances of RFC1918 IP ranges and configure firewall rules to safeguard your network effectively.

Table of Contents

  1. Introduction
  2. Why is this Important for Security?
  3. Official Documentation and RFC Links
  4. Instructions
  5. Conclusion
  6. Collaboration
  7. Credits

Introduction

Before we dive in, let's acquaint ourselves with RFC 1918, which delineates the IP address ranges reserved exclusively for private networks. These ranges are as follows:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

Armed with this knowledge, we are ready to forge ahead and create an IP group representing these ranges in the Unifi Controller.

Why is this Important for Security?

Blocking traffic between VLANs is not just a network organization strategy; it's a fundamental security practice. By isolating internal IP ranges, we effectively add a robust layer of security, preventing potential intruders from accessing sensitive areas of our network. It's all about keeping the fortress impenetrable, one firewall rule at a time.

Official Documentation and RFC Links

Instructions

1. Creating the IP Group

  1. Navigate to Settings > Routing & Firewall > Firewall > Groups.
  2. Create a new group named "RFC1918 Subnets" and add the following IP ranges:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

2. Setting up Firewall Rules

  1. Head over to Settings > Routing & Firewall > Firewall > Rules IPv4 > LAN IN.
  2. Create a new rule with the following settings:
    • Action: Drop
    • Source: RFC1918 Subnets
    • Destination: RFC1918 Subnets
  3. Place this rule above any predefined rules so that it is matched first; a Drop rule that sits below an allow rule never takes effect, and only in the top position does it block traffic between the RFC1918 IP group's ranges.
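To make the ordering point concrete, here is a small added illustration (not part of the original gist, and not UniFi code) that models a first-match "LAN IN" rule list with Python's standard `ipaddress` module. The "RFC1918 Subnets" group is taken from the guide; the "Predefined allow" rule, the `Rule` class and the sample source/destination pairs are constructed assumptions used only to show what changes when the Drop rule is placed above versus below an allow rule.

```python
"""Model of first-match firewall rule ordering against the RFC1918 group.

Added illustration, not the gist author's or Ubiquiti's code. It evaluates
a rule list top to bottom, first match wins, the way a packet filter does,
so the effect of the Drop rule's position is visible. All sample addresses
are constructed; 203.0.113.0/24 is the RFC 5737 documentation range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The "RFC1918 Subnets" IP group created in step 1 of the guide.
RFC1918_SUBNETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# "Any" address, used by the stand-in allow rule below.
ANY = [ip_network("0.0.0.0/0")]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "drop" or "accept"
    source: list         # list of ip_network objects
    destination: list    # list of ip_network objects


def in_group(addr: str, group: list) -> bool:
    """True if the address falls inside any network of the group."""
    a = ip_address(addr)
    return any(a in net for net in group)


def evaluate(rules: list, src: str, dst: str, default: str = "accept") -> tuple:
    """Walk the rule list top to bottom; the first matching rule decides."""
    for rule in rules:
        if in_group(src, rule.source) and in_group(dst, rule.destination):
            return rule.action, rule.name
    return default, "default"


# The Drop rule from step 2 of the guide.
BLOCK_INTER_VLAN = Rule("Block RFC1918 to RFC1918", "drop",
                        RFC1918_SUBNETS, RFC1918_SUBNETS)
# Hypothetical stand-in for a predefined allow rule (assumption, simplified).
PREDEFINED_ALLOW = Rule("Predefined allow", "accept", ANY, ANY)

CORRECT_ORDER = [BLOCK_INTER_VLAN, PREDEFINED_ALLOW]   # Drop rule on top
WRONG_ORDER = [PREDEFINED_ALLOW, BLOCK_INTER_VLAN]     # Drop rule below allow

# Constructed sample flows: two inter-VLAN flows and one internet-bound flow.
SAMPLE_FLOWS = {
    "iot vlan -> main vlan": ("192.168.20.15", "192.168.10.5"),
    "guest vlan -> 10.x server": ("172.16.5.9", "10.0.0.20"),
    "main vlan -> internet": ("192.168.10.5", "203.0.113.7"),
}


def classify(rules: list) -> dict:
    """Map each sample flow name to the action the rule list produces."""
    return {name: evaluate(rules, src, dst)[0]
            for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("Drop rule on top", CORRECT_ORDER),
                         ("Drop rule below allow", WRONG_ORDER)):
        print(label)
        for flow, action in classify(rules).items():
            print(f"  {flow:28s} {action}")
```

With the Drop rule on top, both private-to-private flows are dropped while the internet-bound flow (a public destination outside the group) still passes; with the Drop rule below the allow rule, every flow is accepted and the rule is dead weight. Note that a LAN IN rule only sees traffic the router actually forwards, so hosts on the same VLAN, which reach each other through the switch without routing, are not affected by it.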

Conclusion

Well, that's all folks! You have now fortified your network by blocking traffic between VLANs on your Unifi router, safeguarding it with the mighty shield of RFC1918 IP ranges. Stay safe, and happy networking!

Collaboration

Your input and experiences are highly valued! Feel free to share your comments, thoughts, and links to other similar resources in the community. Together, we can build a knowledge base that benefits everyone.

Credits

This guide was developed with assistance from GPT-4 and was inspired by insights and walkthroughs from Crosstalk Solutions. You can watch their detailed walkthrough in this video.
