UniFi Firewall Basics: DNS for a Guest Network
Originally Posted: April 18th, 2021
UniFi Firewall Basics: DNS for a Guest Network
Firewall Rule Interface and Direction
Now that I covered VLAN and subnet basics, I want to get a little more practical. Once you have your VLANs and subnets setup, the next big thing to look at is firewall rules. This allows us to use the network separations we made, and apply security and traffic policies to them.
UniFi Firewall rules are grouped by the interface, and the direction. In most cases, you want to apply firewall rules as close to the source of traffic as possible. This means you should normally apply firewall rules to the interface the traffic comes in on. You want to make rules that allow the smallest amount of traffic you can, and have a default deny rule at the bottom.
You have to think from the firewall's perspective. A common firewall rule to make is restricting traffic coming in from a guest network. Since you’re looking at the traffic that is coming in from the guest network, this rule would be placed on the “guest in” section of your firewall rules in the UniFi controller.
In = Traffic from this subnet and going to another subnet, either local or to the Internet.
Local = Traffic from this network and going to the firewall itself.
Out = Traffic from another subnet with this subnet as it’s destination.
Start at the source
Most of the firewall rules people need to make should be put on the source network, on the “in” direction. For rules that apply to the guest network, put your rules on the “Guest in“ section. For rules applying to your main LAN, put those under the “LAN in” section.
For local rules, you’re looking at the rules that apply to traffic destined for the firewall itself. This is mainly for controlling access to the UniFi web interface, and allowing for DHCP or DNS traffic. With UniFi, most of these local rules are automatically created and not shown when you create a network. You can manually create those rules and adjust them if you need to.
Common Guest Network Firewall Rules
Common guest in firewall rules
Allow DNS to a local DNS server, like a PiHole.
Allow HTTP and HTTPS traffic to the Internet.
Block all other traffic to other local subnets, such as a main LAN subnet.
Common Guest Local Firewall Rules
Allow to a guest portal splash page, if needed.
Allow to the firewall for DHCP.
Most of these local rules are automatically created by the UniFi Controller.
Common Guest Out Firewall Rules
Guest Out would be all the restrictions and specific allowed traffic for your networks to reach the guest network. You don’t need to worry about return traffic (DHCP answers, DNS query responses, etc), just new traffic destined for the guest network. For most people running a guest network, there isn’t much to put here. Always put your firewall rules as close to the source of the traffic as possible. You’d typically want to put restrictions or allow traffic on the “LAN in” or “Camera VLAN in” sections, not here.
Firewall Rule Example: Provide PiHole DNS to a Guest Network
Guest In would be the section to start in. This section is for restrictions for traffic coming from to guest traffic. Rules placed here specify allowed destinations for traffic from the guest network. In my example, I’m using IPv4, but the same apples to IPv6 traffic and rules. I’m showing the classic settings view.
Firewall Rule Components
Name: Be descriptive! That helps when you have more than a few rules.
Enabled: On, otherwise the firewall rule won’t be used.
Rule Applied: Use before predefined rules for specific rules, use after if making a broad rule. For our specific rule allowing DNS queries to a single destination, we’re applying before predefined rules.
Action: Accept.
Drop silently denies the traffic, and is what you normally want to use for most rules that deny traffic.
Reject sends a message back to the device, preventing timeouts. This can be a security risk in some cases, because it allows the user to know they are hitting a firewall rule which is blocking them.
IPv4 protocol: TCP/UDP. DNS is usually UDP, but longer queries over 512 bytes use TCP.
Enable logging: This is useful when setting up a rule or troubleshooting. Turn it off otherwise, to save on resources and disk space.
States: New, Established, and Related.
IPsec: Don’t match, unless this is a rule related to IPsec VPN traffic.
Starting our firewall rule for allowing DNS lookups to our local PiHole DNS server.
Source:
You have mutliple ways of specifying the source of the traffic. I chose to use an address and port group.
Address Group: If you have multiple networks that need to use this rule. I like using groups even if there’s a single subnet, but that’s a personal preference. In our example, I made a new group called GuestNets, and put the subnet of our guest network in it. This allows me to easily add another subnet later if needed.
Port Group: For this DNS rule, allow any port as a source. Most DNS queries are sent from a high numbered, randomized port.
Network: Allowing a single subnet, such as the subnet of our guest network.
IP address: Allowing traffic from a single device.
Destination:
You have multiple ways of specifying the destination of the traffic. I chose to use an address and port group.
Address group: Same as above. I made a new IPv4 address group called PiHole with the IP address of my PiHole server.
Port Group: I also made a new IPv4 port group called “DNS (53 + 853)” for ports 53 and 853. 853 is for DNS over TLS/HTTPS, so you can leave that out if not needed.
Network: Allowing traffic to a single subnet, such as the subnet of our guest network.
IP Address: Allowing traffic to a single device, like our PiHole DNS server. This doesn’t allow you to specify a port.
Next, hit save and test the rule. If you don’t have DNS queries working for guest clients, double check the rule and check the logs. Are there other firewall rule examples you want to see? Leave a comment or contact me and I’ll edit this page to add them.
