UniFi Firewall Rule Index dump?

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
UniFi's website is quite vague about UniFi Dream Machine firewall capabilities. None of the reviews cover the specifics I need to know. UniFi Dream Machine has a nice GUI, options to select SPI/DPI, and SSH access, but I definitely need to:
0. Write my own Netfilter IPTables rules
1. Force strict Layer-2 VLAN isolation for about 20 clients (both LAN and WLAN)
2. Prevent those with Guest access from accessing router GUI
3. Fully disable inbound and outbound ICMP (not just echo request)
4. Fully disable IPv6
5. Fully disable Multicast, IGMP Snooping/Querying, and/or IGMP HTTP Proxy
7. Prevent Dream Machine from "calling home" (to prevent it from establishing any constant connections to UniFi cloud services)
8. Use custom NTP server
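As an added example (not from the thread), a POSIX shell script that emits an iptables-restore ruleset covering items 1, 2, 3 and 5 of the list above; the interface names (br0, br20, eth4), subnets and router address are assumptions. iptables only sees routed traffic between VLANs, so client isolation inside one VLAN stays a switch/AP setting, and whether the UDM keeps hand-written rules across controller changes is not something this thread establishes.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the wish-list in the
# first post. Interface names, subnets and the router IP below are assumed.
GUEST_IF="${GUEST_IF:-br20}"              # assumed guest VLAN bridge
GUEST_NET="${GUEST_NET:-192.168.20.0/24}"
LAN_IF="${LAN_IF:-br0}"                   # assumed trusted LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
WAN_IF="${WAN_IF:-eth4}"                  # assumed WAN interface

gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections the router itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# item 3: drop all ICMP types in both directions, not only echo-request
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j DROP
-A FORWARD -p icmp -j DROP
# item 5: drop IGMP and any multicast destination on every interface
-A INPUT -p igmp -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A FORWARD -p igmp -j DROP
-A FORWARD -d 224.0.0.0/4 -j DROP
# item 2: guest VLAN cannot reach the router GUI (443/8443) or SSH,
# but still gets DHCP and DNS from the router
-A INPUT -i $GUEST_IF -p tcp -m multiport --dports 22,443,8443 -j DROP
-A INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
# only the trusted LAN may manage the router
-A INPUT -i $LAN_IF -s $LAN_NET -d $ROUTER_IP -j ACCEPT
# item 1 (routed part): no forwarding between VLANs, each VLAN only to WAN
-A FORWARD -i $GUEST_IF -o $LAN_IF -j DROP
-A FORWARD -i $LAN_IF -o $GUEST_IF -j DROP
-A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# item 4 is a kernel setting rather than a rule: sysctl -w net.ipv6.conf.all.disable_ipv6=1
# usage: gen_ruleset > rules.v4 && iptables-restore < rules.v4
```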
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,272
2: You can just give your guest WiFi another IP subnet and add a restriction to the UniFi IP.
7: Set up Pi-hole.
8: You can set your own NTP server: under your Settings with the new UI, you can add an NTP server under DHCP options. Under system settings, controller settings, you can change the NTP pool to something else.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
Thanks, but what about the others? If I only knew for sure that the UniFi Dream Machine firewall syntax was fully capable of Netfilter IPTables syntax...
 

ZeqOBpf6

Gawd
Joined
Aug 24, 2014
Messages
704
I'm no expert, but I just got my Dream Machine non-Pro tonight, so if you have any questions you want me to check, feel free to ask.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
Some reviews say that the UDM does not have the NAT firewall rule settings present in the USG and doesn't allow you to block SSH access, but the video posted in this thread shows that the UDM does provide ways to edit WAN rules. WAN rules = NAT rules, aren't they? UniFi needs to create a virtualized online GUI tour of the UDM to allow people to check out all of its capabilities. I also want to make sure the UDM can allow me to fully block inbound, outbound, IGMP, ICMP, and specific TCP/UDP ports on all interfaces - LAN, WAN, WiFi.

EDIT: The guy in the video keeps using ping command to verify traffic access between groups and devices, but that's only ICMP.
 

ZeqOBpf6

Gawd
Joined
Aug 24, 2014
Messages
704
You can definitely turn SSH on or off.

Astonishingly, there is no way to block websites by name. The random all-in-ones your ISP pawns off on you have this feature, but in the ten billion settings menus there's no way to simply block facebook.com. WTF?
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
That's expected because most routers can't decrypt HTTPS traffic and can only block un-encrypted HTTP traffic or ports. Even IPS/IDS can't block specific websites AFAIK. That is why blocking should be done via domain resolution with awesome toys like Pi-Hole or even a better one - AdGuard Home, both of which can run on a $20 Raspberry Pi.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
I care the most about network isolation, WiFi coverage + strength, and writing my own rules. Is it possible to block a specific range of ports for LAN and WAN? In that review all I see is the ability to select protocols and connection type (NEW, ESTABLISHED, RELATED), but not specific ports.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
Reviews say the UniFi Dream Machine does not allow you to clone MAC addresses, but does it allow you to change WAN or LAN/WLAN addresses to random administrative ones? My ISP doesn't care about the router MAC and accepts any, which is good because I like to change it once in a while. Can I do the same with the UDM?
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
104
The firmware file size for the latest UniFi Dream Machine is 435MB. That's insane... Is it the GUI, or is the UDM firewall that robust?
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,272
Meh.... It's all the other stuff like the dashboard, config GUI, and other items. It's coming along nicely. Miles ahead of the old 5.X days. This is still a prosumer device. Do not expect enterprise performance or config options. Hell, it just got MAC cloning added to the firmware :)
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,272
Reviews say the UniFi Dream Machine does not allow you to clone MAC addresses, but does it allow you to change WAN or LAN/WLAN addresses to random administrative ones? My ISP doesn't care about the router MAC and accepts any, which is good because I like to change it once in a while. Can I do the same with the UDM?
Upgrade to the public beta 1.90, which has MAC cloning now.
 