Configuring Zone-Based Firewall Policies in UniFi: Traffic Control Between Security Tiers

Overview

This article configures firewall policies to control traffic between zones. You'll create policies that allow specific traffic (admin access, Plex) while the zone defaults block all other cross-zone communication. UniFi's zone-based firewall [1] simplifies policy management by grouping VLANs into security tiers.

Before You Begin

Prerequisites

What We're Setting Up

Policy Group  Source          Destination                    Policies
Admin Access  Core (Network)  Lab, Trusted, Isolated, Drive  4
Plex Access   Trusted         Lab                            1
IoT Control   Trusted         Isolated                       1

How Zone Policies Work

In v3-01, we set zone-to-zone defaults to Block All (except intra-zone). Now we create specific policies to allow required traffic. We also tighten Core → Core from Allow All to specific policies - cameras don't need NAS access, and the NAS doesn't need camera access. Policies are evaluated top-to-bottom - first match wins [1].

Zone recap from v3-01:

Zone      VLANs
Core      Network (1), Protect (3), Drive (5)
Lab       Lab (10)
Trusted   Things-Trusted (20), Unrestricted-Trusted (30), Restricted-Trusted (40)
Isolated  Things-Isolated (25), Unrestricted-Isolated (35), Restricted-Isolated (45)

Policy Design Notes

How is Lab protected? Lab is blocked by default from all zones (v3-01 zone defaults). Access requires explicit policies specifying zone, device, and port. Admin Devices from Core get full access (kubectl, talosctl, all ports), while Trusted only gets Plex (port 32400). A compromised Trusted device can stream media but can't touch cluster APIs.

Why Admin Access from Core? Your bastion (Mac Bastion Host) uses the Bastion port profile on the Network VLAN (Core zone). This policy allows on-site management of all VLANs without needing Tailscale.

Why Trusted → Lab for Plex? All Trusted VLANs need Plex - Apple TV and entertainment devices (Things-Trusted), phones and laptops (Unrestricted-Trusted), and filtered devices (Restricted-Trusted). Content filtering (article 02a) happens at DNS level, not firewall [2].

Why tighten Core → Core? The Allow All policy from v3-01 kept your flat network functional while migrating devices. Once devices are in their designated VLANs (Phase 2), replace it with specific policies: Bastion to Drive (admin access) only. Camera → NVR traffic still works - it's local traffic to the UDM, not routed [3].

Why Trusted → Isolated for IoT? Devices like Philips Hue bridges live on Things-Isolated because they shouldn't access your network. But your phone needs to control them locally (faster than cloud, works offline). Allowing Trusted → Isolated lets you initiate connections while Isolated devices still can't reach Trusted - they can only respond to your requests.

Source vs Destination Filters

UniFi policies have asymmetric filter options:

Filter   Source  Destination
Any      yes     yes
Device   yes     no
Network  yes     yes
IP       yes     yes
MAC      yes     no

Source = primary control. Use Device filter to restrict which devices can initiate traffic.

Destination = design around it. Since Device filter isn't available, we use:

  • Single-device VLANs (Drive has only UNAS, so Network: Drive = UNAS)
  • Port restrictions (only specific service ports allowed)
  • Zone targeting (Gateway zone has only the UDM)

Return traffic is automatic. The "Auto Allow Return Traffic" checkbox (default: on) handles responses - no need for reverse rules on request/response protocols like HTTP or NFS.

Bidirectional protocols need explicit rules. mDNS discovery requires rules in both directions because both sides initiate new connections (not just responses). mDNS is also link-local multicast (224.0.0.251), which is not routed between VLANs at all; the firewall rules only matter once the Multicast DNS (mDNS reflector) setting is enabled on the networks involved.

Why does order matter? Policies are evaluated top-to-bottom - first match wins. Allow rules must be placed above the zone's Block All default, or traffic will be blocked before reaching your allow rule. Use the "Reorder" link to adjust policy order after creation.
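To see the first-match evaluation described above before trusting the live firewall, the following script is an added example (not part of the article or of UniFi) that models the policies this article creates and reports which row a given flow hits. Each zone pair's Block All default is modelled as the last row of that pair; the device-group and VLAN names (admin, drive, lab) and the MISORDERED table are assumptions for illustration:

```shell
#!/bin/sh
# First-match policy evaluation over the policy table from this article.
# Rows are in UniFi order (top to bottom); the zone pair's Block All default is
# modelled as its last row. Columns:
#   src_zone dst_zone name src_filter action dst_filter dst_port proto
# src_filter is "any" or "device:<group>"; dst_filter is "any" or "network:<vlan>".
# Group and VLAN names below (admin, drive, lab) are assumptions for the example.

POLICIES='
core     core      Bastion_to_Drive  device:admin  allow  network:drive  any    all
core     core      Core_Default      any           block  any            any    all
core     lab       Bastion_Access    device:admin  allow  any            any    all
core     lab       Lab_Default       any           block  any            any    all
trusted  lab       Plex_Streaming    any           allow  any            32400  tcp
trusted  lab       Lab_Default       any           block  any            any    all
trusted  isolated  IoT_Control       any           allow  any            any    all
trusted  isolated  Isolated_Default  any           block  any            any    all
'

# Same rules, but the Plex allow was created after the default and never
# reordered: the default matches first, so the allow can never fire.
MISORDERED='
trusted  lab       Lab_Default       any           block  any            any    all
trusted  lab       Plex_Streaming    any           allow  any            32400  tcp
'

# evaluate_policy TABLE SRC_ZONE DST_ZONE SRC_DEVICE DST_NETWORK DST_PORT PROTO
# Prints "<action> (<rule name>)" for the first matching row, or the implicit
# block when the table has no row at all for that zone pair.
evaluate_policy() {
  printf '%s\n' "$1" | awk -v sz="$2" -v dz="$3" -v sdev="$4" -v dnet="$5" \
                           -v dport="$6" -v proto="$7" '
    NF == 0 || /^#/ { next }
    $1 != sz || $2 != dz { next }                         # wrong zone pair
    $4 != "any" && $4 != ("device:" sdev) { next }        # source device filter
    $6 != "any" && $6 != ("network:" dnet) { next }       # destination network filter
    $7 != "any" && $7 != dport { next }                   # destination port
    $8 != "all" && $8 != proto { next }                   # protocol
    { matched = 1; print $5 " (" $3 ")"; exit }           # first match wins
    END { if (!matched) print "block (no policy for this zone pair)" }'
}

if [ "${1:-}" = "demo" ]; then
  evaluate_policy "$POLICIES"   trusted  lab      phone   lab    32400 tcp  # allow (Plex_Streaming)
  evaluate_policy "$POLICIES"   trusted  lab      phone   lab    6443  tcp  # block (Lab_Default): kube API stays closed
  evaluate_policy "$POLICIES"   core     lab      admin   lab    6443  tcp  # allow (Bastion_Access)
  evaluate_policy "$POLICIES"   core     core     camera  drive  445   tcp  # block (Core_Default): camera -> NAS
  evaluate_policy "$POLICIES"   isolated trusted  hue     trusted 80   tcp  # block (no policy for this zone pair)
  evaluate_policy "$MISORDERED" trusted  lab      phone   lab    32400 tcp  # block (Lab_Default): misordered allow
fi
```

Run it with `sh policy-sim.sh demo`. The last line is the failure mode the paragraph warns about: the same two rows, swapped, silently turn the Plex allow into a no-op.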

What Zone Policies Don't Control

Zone policies only control routed inter-VLAN traffic [4]. Traffic to the UDM itself (local traffic) bypasses zone policies:

  • Camera → NVR: Cameras talk to the UDM's interface on their VLAN (192.168.3.1) - local traffic, not routed
  • DHCP/DNS: Built-in protections ensure these services work regardless of zone policies [5]
  • UniFi Protect, Network, etc.: Services running on the UDM are accessed via local traffic

This is why cameras work without explicit firewall rules - they communicate with the NVR on the same subnet, not across zones.

Create Firewall Policies

Navigate to Settings → Policy Engine → Zones (table icon). Click a zone pair cell in the matrix, then Create Policy.

Admin Access

Order  Zone Source  Zone Dest  Name              Src Filter             Action  Dst Filter      Dst Port  Protocol
1      Core         Core       Bastion to Drive  Device: Admin Devices  Allow   Network: Drive  Any       All
1      Core         Lab        Bastion Access    Device: Admin Devices  Allow   Any             Any       All
1      Core         Trusted    Bastion Access    Device: Admin Devices  Allow   Any             Any       All
1      Core         Isolated   Bastion Access    Device: Admin Devices  Allow   Any             Any       All

From your bastion (Bastion port profile, Network VLAN), verify:

ping 192.168.5.10   # UNAS on Drive
ping 192.168.20.x   # Device on Things-Trusted
ping 192.168.25.x   # Device on Things-Isolated
Note: Lab VLAN connectivity will be verified after Talos nodes are migrated in Phase 2.

Plex Access

Order  Zone Source  Zone Dest  Name            Src Filter  Action  Dst Filter  Dst Port  Protocol
1      Trusted      Lab        Plex Streaming  Any         Allow   Any         32400     TCP
Note: Plex runs on the Lab VLAN. Access will be verified after Talos nodes are reachable in Phase 2.

IoT Control

Order  Zone Source  Zone Dest  Name         Src Filter  Action  Dst Filter  Dst Port  Protocol
1      Trusted      Isolated   IoT Control  Any         Allow   Any         Any       All

This allows phones and laptops on Trusted VLANs to control IoT devices like Philips Hue on Things-Isolated. The Isolated zone's default (Block All + Allow Return) ensures IoT devices can only respond - they cannot initiate connections to Trusted devices.

From a device on Unrestricted-Trusted, verify:

ping 192.168.25.x   # Device on Things-Isolated

Verify Default Deny

The zone defaults from v3-01 block all other cross-zone traffic. Verify from a device on Unrestricted-Trusted:

# Should fail (cross-zone blocked)
ping 192.168.5.10   # NAS on Drive VLAN (Core)

# Should succeed (gateway is local traffic)
ping 192.168.1.1    # UDM gateway - not routed

From a device on Things-Isolated, verify full isolation:

# Should fail (cross-zone blocked + L2 isolation)
ping 192.168.20.x   # Things-Trusted (different zone)
ping 192.168.25.x   # Same VLAN (L2 isolation blocks)
ping 192.168.30.x   # Unrestricted-Trusted (different zone)
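The ping checks in the three verify sections only exercise ICMP; a Block All default also has to stop TCP, and a blocked probe looks exactly like a powered-off host. The script below is an added example (not the article's own commands) that encodes the whole expected allow/block matrix, probes ICMP and TCP with timeouts, keeps an always-allowed gateway probe as a control, and exits non-zero when the live firewall disagrees with the design. The .x hosts are the article's placeholders; 192.168.10.x for Lab and 192.168.25.1 for the Things-Isolated gateway assume the same 192.168.<VLAN>.0/24 pattern the article uses elsewhere, and ports 445, 6443 and 50000 are the usual SMB, Kubernetes API and Talos API defaults, all of which are assumptions here:

```shell
#!/bin/sh
# Reachability checks for this article's policy matrix. Run on the device named
# in each section:
#   sh zone-check.sh bastion    # Mac bastion, Network VLAN (Core)
#   sh zone-check.sh trusted    # phone/laptop on Unrestricted-Trusted
#   sh zone-check.sh isolated   # device on Things-Isolated
# Assumptions: .x hosts are placeholders; Lab is 192.168.10.0/24 and the
# Things-Isolated gateway is 192.168.25.1 (article's 192.168.<VLAN> pattern);
# 445/6443/50000 are the default SMB, Kubernetes API and Talos API ports.

TCP_WAIT=2
case "$(uname)" in Darwin) ICMP_WAIT=1000 ;; *) ICMP_WAIT=1 ;; esac  # ping -W: ms on macOS, s on Linux

# probe_icmp HOST -> 0 on an echo reply, non-zero on timeout (Block All drops silently)
probe_icmp() { ping -c 1 -W "$ICMP_WAIT" "$1" >/dev/null 2>&1; }
# probe_tcp HOST PORT -> 0 if the TCP handshake completes
probe_tcp()  { nc -z -w "$TCP_WAIT" "$1" "$2" >/dev/null 2>&1; }

# want allow|block DESCRIPTION COMMAND... -> 0 when the observed result matches
# the expectation, 1 otherwise. Prints one PASS/FAIL line per probe.
want() {
  exp=$1; desc=$2; shift 2
  if "$@"; then got=allow; else got=block; fi
  if [ "$got" = "$exp" ]; then printf 'PASS  %-5s  %s\n' "$exp" "$desc"; return 0; fi
  printf 'FAIL  want=%s got=%s  %s\n' "$exp" "$got" "$desc"; return 1
}

# Each check_* returns the number of mismatches, so the exit status is non-zero
# whenever the live firewall disagrees with the design.
check_bastion() {   # Admin Access: Core -> Drive/Lab/Trusted/Isolated, all ports
  f=0
  want allow "UDM gateway (control: must always answer)" probe_icmp 192.168.1.1          || f=$((f+1))
  want allow "UNAS on Drive, ICMP"                       probe_icmp 192.168.5.10         || f=$((f+1))
  want allow "UNAS SMB (Bastion to Drive)"               probe_tcp  192.168.5.10 445     || f=$((f+1))
  want allow "device on Things-Trusted"                  probe_icmp 192.168.20.x         || f=$((f+1))
  want allow "device on Things-Isolated"                 probe_icmp 192.168.25.x         || f=$((f+1))
  want allow "Talos API on Lab (after Phase 2)"          probe_tcp  192.168.10.x 50000   || f=$((f+1))
  return $f
}
check_trusted() {   # Plex and IoT Control allowed; every other cross-zone flow blocked
  f=0
  want allow "UDM gateway (control: must always answer)" probe_icmp 192.168.1.1          || f=$((f+1))
  want allow "Plex on Lab, TCP 32400"                    probe_tcp  192.168.10.x 32400   || f=$((f+1))
  want block "Kubernetes API on Lab, TCP 6443"           probe_tcp  192.168.10.x 6443    || f=$((f+1))
  want block "UNAS on Drive (Core), ICMP"                probe_icmp 192.168.5.10         || f=$((f+1))
  want block "UNAS SMB (Core), TCP 445"                  probe_tcp  192.168.5.10 445     || f=$((f+1))
  want allow "Hue bridge on Things-Isolated"             probe_icmp 192.168.25.x         || f=$((f+1))
  return $f
}
check_isolated() {  # Isolated may only answer; it must not reach anything
  f=0
  want allow "own gateway (control: local traffic)"      probe_icmp 192.168.25.1         || f=$((f+1))
  want block "Things-Trusted"                            probe_icmp 192.168.20.x         || f=$((f+1))
  want block "Unrestricted-Trusted"                      probe_icmp 192.168.30.x         || f=$((f+1))
  want block "same-VLAN neighbour (L2 isolation)"        probe_icmp 192.168.25.x         || f=$((f+1))
  want block "UNAS SMB on Drive, TCP 445"                probe_tcp  192.168.5.10 445     || f=$((f+1))
  return $f
}

case "${1:-}" in
  bastion)  check_bastion ;;
  trusted)  check_trusted ;;
  isolated) check_isolated ;;
  "")       ;;
  *)        echo "usage: $0 bastion|trusted|isolated" >&2; exit 2 ;;
esac
```

Keep the control probe in every run: if the gateway stops answering, every "block" result is meaningless because the script cannot tell a firewall drop from a disconnected host.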
Tip: Enable logging on the zone's Block All default to detect unexpected traffic patterns during monthly firewall reviews.
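To act on that logging, here is an added example (not from the article) of summarising blocked flows from the gateway's firewall log with awk. The SRC=/DST=/PROTO=/DPT= key-value layout is the standard kernel LOG format; the bracketed prefixes and the five sample lines are constructed for the example, so filter on whatever prefix your own Block All default logs with. The second function singles out Isolated-zone addresses that appear as the source of a blocked flow, because under this design an Isolated device should only ever answer, never initiate:

```shell
#!/bin/sh
# Summarise logged Block All hits from the gateway's firewall log.
# Input lines are kernel LOG format (key=value pairs: IN= OUT= SRC= DST= PROTO=
# DPT=). The "[...]" prefixes and all five sample lines below are constructed
# for this example; grep your real log for the prefix your zone default uses.

# Constructed sample: three SMB attempts from a Trusted laptop at the NAS, one
# ICMP probe, and one SSH attempt *from* the Isolated zone (the interesting one).
SAMPLE_LOG='Feb 21 10:01:02 UDM kernel: [Trusted_Core-D] IN=br30 OUT=br5 SRC=192.168.30.12 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=445 SYN
Feb 21 10:01:03 UDM kernel: [Trusted_Core-D] IN=br30 OUT=br5 SRC=192.168.30.12 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=445 SYN
Feb 21 10:01:05 UDM kernel: [Trusted_Core-D] IN=br30 OUT=br5 SRC=192.168.30.12 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=445 SYN
Feb 21 10:02:10 UDM kernel: [Trusted_Core-D] IN=br30 OUT=br5 SRC=192.168.30.12 DST=192.168.5.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Feb 21 10:07:41 UDM kernel: [Isolated_Trusted-D] IN=br25 OUT=br30 SRC=192.168.25.40 DST=192.168.30.12 LEN=60 TTL=63 PROTO=TCP SPT=40022 DPT=22 SYN'

# summarize_drops [N] < log -> top N "count src dst proto dport" flows, busiest first
summarize_drops() {
  awk '{
    src = dst = proto = dpt = ""
    for (i = 1; i <= NF; i++) {
      n = index($i, "="); if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      if (k == "SRC") src = v; else if (k == "DST") dst = v
      else if (k == "PROTO") proto = v; else if (k == "DPT") dpt = v
    }
    if (src == "" || dst == "") next        # not a firewall LOG line
    if (dpt == "") dpt = "-"                # ICMP and friends have no port
    count[src " " dst " " proto " " dpt]++
  }
  END { for (f in count) print count[f], f }' | sort -rn | head -n "${1:-10}"
}

# isolated_initiators < log -> "count src" for sources inside the Isolated zone
# VLANs (25/35/45). Anything listed here is a device trying to reach out, not
# a response to a Trusted request, and deserves a look.
isolated_initiators() {
  awk '{
    for (i = 1; i <= NF; i++) if (substr($i, 1, 4) == "SRC=") {
      src = substr($i, 5)
      if (src ~ /^192\.168\.(25|35|45)\./) seen[src]++
    }
  }
  END { for (s in seen) print seen[s], s }' | sort -rn
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | summarize_drops 3
  echo "--- Isolated-zone sources:"
  printf '%s\n' "$SAMPLE_LOG" | isolated_initiators
fi
```

In use, replace the sample with the real log piped in (for example a syslog export grepped for the Block All prefix). Repeated hits on one destination port from a Trusted client are usually a device probing for a service it used to reach on the flat network; a single Isolated-zone source is the line worth investigating first.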

Next Steps

Firewall policies control cross-zone traffic. The cluster can now be migrated to the isolated Lab VLAN.

See: Talos Migration

Resources

Footnotes

  1. Ubiquiti, "Zone-Based Firewalls in UniFi," help.ui.com. Accessed: Feb. 21, 2026. [Online]. Available: https://help.ui.com/hc/en-us/articles/115003173168-Zone-Based-Firewalls-in-UniFi

  2. Plex, "What network ports do I need to allow through my firewall?," support.plex.tv. Accessed: Feb. 21, 2026. [Online]. Available: https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/

  3. Ubiquiti, "UniFi Gateway - Advanced Firewall Rules," help.ui.com. Accessed: Feb. 21, 2026. [Online]. Available: https://help.ui.com/hc/en-us/articles/27699646208279-UniFi-Gateway-Advanced-Firewall-Rules

  4. R. Mens, "UniFi Zone-Based Firewall - What you need to Know," lazyadmin.nl. Accessed: Feb. 21, 2026. [Online]. Available: https://lazyadmin.nl/home-network/unifi-zone-based-firewall/

  5. Ubiquiti, "UniFi Device Adoption," help.ui.com. Accessed: Feb. 21, 2026. [Online]. Available: https://help.ui.com/hc/en-us/articles/360012622613-UniFi-Device-Adoption
