I’ve been lax in firewalling my VLANs at home, but with the recent controversy over UniFi devices phoning home without consent, this has taken on renewed importance. I’m also taking on a new tenant in my detached apartment and would like to keep all their stuff segregated from mine.
Fortunately it’s all pretty easy.
For my network, I’m keeping my Cloud Key and Pi-Hole on the main LAN. I have additional Corporate VLANs created for Management, Cameras, and the Apartment.
In the Firewall rules, for WAN_OUT I’ve created two rules to Drop all traffic from the Management and Cameras networks. They cannot reach the Internet at all.
To allow and deny particular cross-VLAN traffic, the first step is to create a group of all the Private IP address ranges:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
- 100.64.0.0/10 (this is the CGNAT shared address space; including it might be a bad idea if your ISP uses it)
Back in the Rules area, LAN_IN needs a series of rules:
- Allow (Management | Cameras) networks access to the CloudKey.
- Allow (Management | Cameras | Apartment) networks access to the Pi-Hole.
- Drop (Management | Cameras | Apartment) networks access to the Private IP ranges group.
The Allow rules must come before the Drop rule for each Network, because rules are evaluated top to bottom and the first match wins.
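To make the ordering concrete, here is an added example (not part of the original post, and not UniFi’s own code) that models the WAN_OUT and LAN_IN rulesets above as first-match chains and evaluates a handful of sample flows against them. The subnets, the Cloud Key and Pi-Hole addresses, and the sample hosts are assumptions; the post does not give them. It also shows what happens when the Drop rule is placed ahead of the Allow rules, and that the CGNAT range in the group blocks 100.64.0.0/10 destinations too.

```python
import ipaddress

# Constructed sample addressing. The post names the networks but not their
# subnets, so these prefixes and host addresses are assumptions for the demo.
NETWORKS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "Management": ipaddress.ip_network("192.168.10.0/24"),
    "Cameras": ipaddress.ip_network("192.168.20.0/24"),
    "Apartment": ipaddress.ip_network("192.168.30.0/24"),
}
CLOUD_KEY = ipaddress.ip_address("192.168.1.2")  # assumed, on the main LAN
PI_HOLE = ipaddress.ip_address("192.168.1.3")    # assumed, on the main LAN

# The address group from the post: the private ranges plus the CGNAT space.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "100.64.0.0/10")]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def network_of(addr):
    """Name of the local network an address belongs to, or None if not local."""
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


# A rule is (label, action, set of source network names, destination predicate).
def host(h):
    return lambda d: d == h


def group(nets):
    return lambda d: in_any(d, nets)


def any_dst(d):
    return True


# LAN_IN in the order the post gives it: the Allows first, then the broad Drop.
LAN_IN = [
    ("Mgmt/Cameras -> Cloud Key", "accept", {"Management", "Cameras"}, host(CLOUD_KEY)),
    ("Mgmt/Cameras/Apt -> Pi-Hole", "accept", {"Management", "Cameras", "Apartment"}, host(PI_HOLE)),
    ("Mgmt/Cameras/Apt -> private ranges", "drop", {"Management", "Cameras", "Apartment"}, group(PRIVATE_RANGES)),
]

# The same rules with the Drop moved to the top: the gotcha the post warns about.
MISORDERED_LAN_IN = [LAN_IN[2], LAN_IN[0], LAN_IN[1]]

# WAN_OUT: Management and Cameras never reach the Internet.
WAN_OUT = [
    ("Management -> WAN", "drop", {"Management"}, any_dst),
    ("Cameras -> WAN", "drop", {"Cameras"}, any_dst),
]


def evaluate(chain, src, dst, default="accept"):
    """First-match evaluation with a default action, as a UniFi ruleset behaves."""
    src_net = network_of(src)
    for label, action, sources, dst_matches in chain:
        if src_net in sources and dst_matches(dst):
            return action, label
    return default, "default"


def decide(src, dst, lan_in=LAN_IN, wan_out=WAN_OUT):
    """Decide a new flow from a LAN-side host. LAN_IN always applies; WAN_OUT is
    consulted only if the destination is neither local nor in a private range
    and would therefore be routed out the WAN interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    action, label = evaluate(lan_in, src, dst)
    if action == "drop":
        return "drop", "LAN_IN: " + label
    leaves_via_wan = network_of(dst) is None and not in_any(dst, PRIVATE_RANGES)
    if leaves_via_wan:
        action, label = evaluate(wan_out, src, dst)
        return action, "WAN_OUT: " + label
    return "accept", "LAN_IN: " + label


if __name__ == "__main__":
    # Constructed sample flows: (description, source host, destination).
    flows = [
        ("Camera -> Cloud Key", "192.168.20.10", "192.168.1.2"),
        ("Apartment -> Cloud Key", "192.168.30.10", "192.168.1.2"),
        ("Apartment -> Pi-Hole", "192.168.30.10", "192.168.1.3"),
        ("Apartment -> main LAN host", "192.168.30.10", "192.168.1.50"),
        ("Apartment -> CGNAT address", "192.168.30.10", "100.64.1.1"),
        ("Camera -> Internet", "192.168.20.10", "8.8.8.8"),
        ("Apartment -> Internet", "192.168.30.10", "8.8.8.8"),
        ("Main LAN -> Apartment host", "192.168.1.50", "192.168.30.10"),
    ]
    for desc, s, d in flows:
        print(f"{desc:28} {decide(s, d)}")
    print("With the Drop rule first, Camera -> Cloud Key gives:",
          decide("192.168.20.10", "192.168.1.2", lan_in=MISORDERED_LAN_IN))
```

Two things the run makes visible that the rule list alone does not: the main LAN is not restricted by any of these rules, so hosts there can still initiate connections into the VLANs (return traffic of established flows is handled by the router’s state tracking, not by these rules), and a tenant on the Apartment VLAN who happens to sit behind a CGNAT-addressed service upstream would be cut off from it by the 100.64.0.0/10 entry in the group.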
The gotcha with denying devices access to the Internet is that they cannot directly obtain firmware updates. For UniFi Networking products this can be worked around by having the UniFi Controller cache the firmware prior to upgrading — see Settings -> Maintenance -> Firmware.
I’m not sure whether Protect can distribute firmware updates to the Cameras. Guess I’ll find out the next time there’s an update available. Once my UniFi Protect NVR arrives I will place that in the Cameras VLAN so that traffic doesn’t have to cross the router and figure out the WAN_OUT / LAN_IN firewall rules needed to keep it happy.