UniFi Firewall Rule Index dump?

EnthusiastXYZ (Limp Gawd, joined Jun 26, 2020, 221 messages)
The UniFi website is quite vague about UniFi Dream Machine firewall capabilities. None of the reviews cover the specifics I need to know. UniFi Dream Machine has a nice GUI, options to select SPI/DPI, and SSH access, but I definitely need to:
0. Write my own Netfilter IPTables rules
1. Force strict Layer-2 VLAN isolation for about 20 clients (both LAN and WLAN)
2. Prevent those with Guest access from accessing router GUI
3. Fully disable inbound and outbound ICMP (not just echo request)
4. Fully disable IPv6
5. Fully disable Multicast, IGMP Snooping/Querying, and/or IGMP HTTP Proxy
7. Prevent Dream Machine from "calling home" (to prevent it from establishing any constant connections to UniFi cloud services)
8. Use custom NTP server
 
2: you can just give your guest wifi another IP subnet and add a restriction to the Unifi IP
7: setup pi-hole
8: You can set your own NTP server: Under your Settings with new UI, you can add a NTP server under DHCP options. Under system settings, controller settings you can change the NTP pool to something else
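Since the original post asks for hand-written Netfilter rules and the reply suggests putting guests on their own subnet and restricting them from the UniFi IP, here is an added iptables rule set covering items 1 to 5 of the list plus that guest restriction. It is my own example, not from this thread or from Ubiquiti; the interface name br20, the guest subnet 192.168.20.0/24 and the GUI address 192.168.1.1 are assumed, and on a UDM the controller re-provisions the tables, so hand-added rules should be treated as non-persistent.

```shell
#!/bin/sh
# Added example (not from the thread or Ubiquiti): netfilter rules for items
# 1-5 of the first post plus the guest-subnet restriction from the reply.
# Assumed names: br20 = guest VLAN bridge, 192.168.20.0/24 = guest subnet,
# 192.168.1.1 = router GUI address. DRY_RUN=1 (default) prints the commands
# instead of applying them, so the script can be reviewed on any host.
DRY_RUN=${DRY_RUN:-1}

ipt()  { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*";  else iptables "$@";  fi; }
ip6t() { if [ "$DRY_RUN" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi; }

udm_rules() {
  guest_if=${1:-br20}
  guest_net=${2:-192.168.20.0/24}
  gui_ip=${3:-192.168.1.1}

  # 1. Layer-3 side of VLAN isolation: nothing from the guest VLAN is
  #    forwarded to any private range. Isolation between clients on the
  #    SAME VLAN is a bridge/AP setting that iptables never sees.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    ipt -A FORWARD -i "$guest_if" -s "$guest_net" -d "$net" -j DROP
  done

  # 2. Guests may get DNS/DHCP from the router but not reach its GUI or SSH.
  ipt -A INPUT -i "$guest_if" -s "$guest_net" -p udp -m multiport --dports 53,67 -j ACCEPT
  ipt -A INPUT -i "$guest_if" -s "$guest_net" -d "$gui_ip" -j DROP

  # 3. All ICMP types (not only echo-request), in every direction.
  for chain in INPUT OUTPUT FORWARD; do
    ipt -A "$chain" -p icmp -j DROP
  done

  # 4. IPv6: default-deny on every chain; with no ACCEPT rules it is "off".
  for chain in INPUT OUTPUT FORWARD; do
    ip6t -P "$chain" DROP
  done

  # 5. IGMP and any multicast destination, local and forwarded.
  ipt -A INPUT -p igmp -j DROP
  ipt -A FORWARD -p igmp -j DROP
  ipt -A INPUT -m addrtype --dst-type MULTICAST -j DROP
  ipt -A FORWARD -m addrtype --dst-type MULTICAST -j DROP
}

udm_rules "$@"
```

Run with DRY_RUN=0 as root to apply; check the result with iptables -S and ip6tables -S rather than with ping, since item 3 drops ICMP anyway.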
 
Thanks, but what about the others? If I only knew for sure that UniFi Dream Machine firewall syntax was fully capable of Netfilter IPTables syntax...
 
I'm no expert, but I just got my Dream Machine non-Pro tonight, so if you have any questions you want me to check, feel free to ask.
 
Some reviews say that UDM does not have the NAT firewall rule settings present in USG and doesn't allow blocking SSH access, but the video posted in this thread shows that UDM does provide ways to edit WAN rules. WAN rules = NAT rules, aren't they? UniFi needs to create a virtualized online GUI tour of UDM to allow people to check out all of its capabilities. I also want to make sure UDM can allow me to fully block inbound, outbound, IGMP, ICMP, and specific TCP, UDP ports on all interfaces - LAN, WAN, WiFi.

EDIT: The guy in the video keeps using ping command to verify traffic access between groups and devices, but that's only ICMP.
 
You can definitely turn SSH on or off.

Astonishingly, there is no way to block websites by name. The random all-in-ones your ISP pawns off on you have this feature, but in the ten billion settings menus there's no way to simply block facebook.com. WTF?
 
That's expected because most routers can't decrypt HTTPS traffic and can only block un-encrypted HTTP traffic or ports. Even IPS/IDS can't block specific websites AFAIK. That is why blocking should be done via domain resolution with awesome toys like Pi-Hole or even a better one - AdGuard Home, both of which can run on a $20 Raspberry Pi.
 
I care the most about network isolation, WiFi coverage + strength and writing my own rules. Is it possible to block a specific range of ports for LAN and WAN? In that review all I see is the ability to select protocols and connection type (NEW, ESTABLISHED, RELATED), but not specific ports.
 
Reviews say UniFi Dream Machine does not allow you to clone MAC addresses, but does it allow you to change WAN or LAN/WLAN addresses to random administrative ones? My ISP doesn't care for router MAC and accepts any, which is good because I like to change it once in a while. Can I do the same with UDM?
 
UniFi Dream Machine is sold everywhere I look, except eBay! Any ideas of where to get one now in US?
 
Firmware file size for the latest UniFi Dream Machine is 435MB. That's insane... Is it GUI or is UDM firewall that robust?
 
Meh.... It's all the other stuff like the dashboard, config GUI, and other items. It's coming along nicely. Miles ahead of the old 5.X days. This is still a prosumer device. Do not expect enterprise performance or config options. Hell, it just got MAC cloning added to the firmware :)
 
Upgrade to the public beta 1.90, which has MAC cloning now.
 
Got a link to it? Ubiquiti Early Access program Join button is not sticking for me...
 
Got it! So far results were mixed. I couldn't get Firestick 4K to connect to UDM with security settings I set for all other WiFi devices and I didn't like that my UDM router login had to be stored in the cloud... MAC cloning didn't work either. The UI was nice, but I prefer 20MB worth of simple UI (like in DD-WRT) than 450MB of flashy UI...
 
Well, that sucks. I do know that people recommend trying the latest beta for APs when running beta for UDM/Pro. Thankfully all my WiFi devices connected on my APs using the current release FW. Have not tried the MAC cloning.
 
My cat LOVED this new toy so much that it knocked it off a shelf 4 feet high. There was no physical external/cosmetic damage and the unit did continue to function as usual. Is there a way to run full diagnostics to make sure there was no internal damage?
 