Carrying on from a previous post - Unifi & Sonos VLANs. If you are like me and you have your Sonos Devices segregated on an IoT VLAN and the Sonos Controllers (iPhone etc) on a different VLAN then you will probably need to do some intervlan routing/firewalling.
A little Background
VLANs are used for many reasons, segregating networks, preventing multicast packets traversing networks, security amongst other reasons. In this case I wanted all my IoT devices on its own network (VLAN) as there are many security risks with IoT devices and then a separate VLAN for my main LAN. With this I wanted to block all communication from IoT_VLAN to Main_VLAN, however I wanted my Main_VLAN to still be able to communicate with some devices on the IoT_VLAN i.e. Sonos Speakers.
So following on from the previous post where we setup the VLANs and IGMP-Proxying, we will now look at the Unifi Firewalls.
Firewalls work on rules and the rules work in descending order, i.e. if data hits the firewall it will check the rules from the top downwards until it finds a matching rule.
In Unifi there are various Rule headings, WAN, LAN and Guest and each has a IN, OUT and LOCAL. For this guide we will be working with LAN IN - the data is coming from the LAN INTO the USG.
Lets create some rules, these will be in order Top to Bottom.
The first rule is created because when the Controller on Main_VLAN creates a connection with the Speaker on IoT_VLAN we want the speaker to be able to talk back to the controller, hence we create a rule to allow established connections but do not allow it to open new connections.
Name - Allow Established Enabled - On Rule Applied - Before pre-defined rules Action - Accept IPv4 Protocol - All States - Established and Related Source - Address group - Any Destination - Address group - Any
Next Rule is to allow Sonos Speakers to contact Main_VLAN
Name - SONOS_To_Main_VLAN Enabled - On Rule Applied - Before predefined rules Action - Accept IPv4 Protocol - All Address Group - Create a group with all the Sonos Speaker IP addresses Destination - Network - Main_VLAN
Final rule is to block all other data from IoT_VLAN to Main_VLAN
Name - Block IoT_VLAN to Main_VLAN Enabled - On Rule Applied - Before predefined rules Action - Drop IPv4 protocol - All Source - Network - IoT_VLAN Destination - Network - Main_VLAN
And that's it. With these rules devices on IoT_VLAN shouldnt be able to contact devices on Main_VLAN, however Main_VLAN can still contact the Sonos Speakers.
This is what the Rule Page looks like