Need some assistance with unifi USG firewall rules

Hi all, I need some assistance on configuring a USG with firewall rules for an IPsec tunnel.

For the life of me, I can't work this stupid thing out.

I have an IPsec tunnel between 2 sites, one end is a USG-3G and the other is pfSense.

I have the tunnel up and operational. However, I have a specific need to clamp down the access of IPs at each end.

On the pfSense end, I have blocked all traffic except for the IP that needs to be reachable from the USG end of the tunnel into the pfSense network.

However, I, for love nor money, can't work out how to do this in the USG so that only the 2 hosts can access the required host behind the USG. I have tried WAN, LAN In, LAN Out; but nothing.

So, I need to put in a firewall rule that meets the criteria below.

Site A (pfSense) 192.168.100.100 → Site B (USG) 192.168.10.3:22

Site A (pfSense) 192.168.100.75 → Site B (USG) 192.168.10.3:443

Block all other traffic Site A → Site B.

I could put a rule in pfSense to do this, but that's dumb, as all the security resides on one end, where the inbound security should be on the inbound device.

firewall {
    group {
        address-group 660bfa247e234600a28fc911 {
            address 192.168.100.0/24
            description customized-jason_lan
        }
        address-group 660ea5657e234600a2a84855 {
            address 192.168.100.100
            description customized-jason_truenas
        }
        address-group 660ea5807e234600a2a848ab {
            address 192.168.100.79
            description customized-jason_truecommand
        }
    }
    name LAN_OUT {
        default-action accept
        description "packets forward to intranet"
        enable-default-log
        rule 2000 {
            action accept
            description "allow jason ipsec inbound to truenas"
            destination {
                address 192.168.10.3
            }
            log enable
            protocol all
            source {
                group {
                    address-group 660ea5657e234600a2a84855
                }
            }
        }
        rule 2001 {
            action accept
            description "allow truecommand inbound to truenas from jason ipsec"
            destination {
                address 192.168.10.3
            }
            log enable
            protocol all
            source {
                group {
                    address-group 660ea5807e234600a2a848ab
                }
            }
        }
        rule 2002 {
            action drop
            description "block all other jason ipsec traffic"
            log enable
            protocol all
            source {
                group {
                    address-group 660bfa247e234600a28fc911
                }
            }
        }
    }
}

To reiterate, I have tried configuring it for LAN In, LAN Out, Match IPsec Traffic checked and unchecked.

So I have come to see if I'm just a potato, or these things are just crap :rofl::rofl:

Many thanks, Jason

You need to make a LAN Out rule to allow the specific Site A IP to the specific Site B IP, and then another LAN Out rule below it to deny all the rest of the Site A IPs from reaching any Site B IPs.

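As an added example (not the poster's or the replier's configuration), here is the LAN_OUT ruleset written so that it matches only the two flows listed in the original post, in the same EdgeOS-style syntax the USG prints. The rule numbers, the destination 192.168.10.3 and the address-group IDs are taken from the posted config; the `protocol tcp` and `port` lines are the additions that narrow each accept to one service, and the second source group is assumed to hold 192.168.100.75 as in the stated criteria (the posted group actually contains .79, which is worth checking).

```text
name LAN_OUT {
    default-action accept
    description "packets forward to intranet"
    enable-default-log
    rule 2000 {
        action accept
        description "allow 192.168.100.100 -> truenas ssh"
        destination {
            address 192.168.10.3
            port 22
        }
        log enable
        protocol tcp
        source {
            group {
                address-group 660ea5657e234600a2a84855
            }
        }
    }
    rule 2001 {
        action accept
        description "allow 192.168.100.75 -> truenas https"
        destination {
            address 192.168.10.3
            port 443
        }
        log enable
        protocol tcp
        source {
            group {
                address-group 660ea5807e234600a2a848ab
            }
        }
    }
    rule 2002 {
        action drop
        description "drop all other site A traffic"
        log enable
        protocol all
        source {
            group {
                address-group 660bfa247e234600a28fc911
            }
        }
    }
}
```

Rules are evaluated in ascending number order and the first match wins, so both accepts must sit above the drop. Edits made at the USG CLI are overwritten on the next controller provision unless they are carried in config.gateway.json.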

That's exactly what is shown in the config from the CLI above, is it not?

That's why I just don't get it. My read on that config is that only 1 IP should be getting through now.

But, all pfsense subnets can get to the USG side…

This is what has me perplexed.

Bump. I still can't work this out, so I would really appreciate some assistance on where I'm going wrong, if possible.

Many thanks,

Jbates58