• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Help with rules to block UniFi Cloudkey Gen2+

Scheduled Pinned Locked Moved Firewalling
16 Posts 3 Posters 1.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    SwissSteph
    last edited by Dec 17, 2023, 10:17 AM

    Hello everyone,

    I need your advice so that I can block all communication from my "UniFi Cloudkey Gen2+" to the Internet, so that I can open the gateway only when an update is proposed.

    However, it must still be able to communicate on my LAN and on my VLAN_200 (where my cameras are located).

    I've "invented" these two rules, but I'm not really sure I've got it right!

    e9cdeed9-7f23-4cf3-af52-6b989831cb34-image.png

    Another question: do I need another rule to block the "https://account.ui.com/login" that allows access from anywhere on "UniFi Cloudkes Gen2 +"?

    What do you think?

    Thanks in advance for your help and advice 😊

    I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
    ... And now I'm living with a Netgate 8200
    ... And sorry for my bad English...

    J 1 Reply Last reply Dec 17, 2023, 1:40 PM Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator @SwissSteph
      last edited by johnpoz Dec 17, 2023, 1:53 PM Dec 17, 2023, 1:40 PM

      @SwissSteph those rules are not going to work.. For starters the wan subnet is not the internet, its just the network your wan is connected to. The isp network that is a transit network to the internet - your clouldkey is never going to want to go to this network in the first place - its going to go to some IP out on the internet, ie 5.6.7.8 while your wan subnet is say 1.2.3.0/21 or whatever..

      And the bottom rule there is not going to ever do anything ever because rules are evaluated as traffic enters an interface from the network its attached too.. There is no scenario where traffic entering your lan interface from your lan network would ever have a source IP of your wan address.

      If you want to stop your cloudkey from going to the internet create rule(s) that allows what you want it to go to either on the internet or your other local networks. Then below that create a any rule that blocks its ip from going anywhere else, ie the internet.

      Rules are evaluated as the traffic enters the interface, first rule to trigger wins, no other rules are evaluated.

      Out of curiosity - where do you think your clouldkey is going that you want to prevent? You can turn off remote management in the controller settings. If you don't want to be able to control it that way.

      remote.jpg

      Either by just not allowing it, or you could click the remove remote access.

      edit: notice my controller is not listed anywhere on the site manager

      unifi.jpg

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      S 1 Reply Last reply Dec 17, 2023, 3:56 PM Reply Quote 0
      • S
        SwissSteph @johnpoz
        last edited by SwissSteph Dec 17, 2023, 4:05 PM Dec 17, 2023, 3:56 PM

        @johnpoz

        Thanks for your explanation and screenshot. I searched my UCK Gen2 + online, but I couldn't find the same parameter.

        But I still think it's great to be able to access it in the event of a local problem and check things out.
        That's why I wanted to block this specific address from leaving my local network, while letting it go on my LAN (because I have my WiFi antennas) and on my VLAN_200 (where my cameras are).

        I'm sorry to bother you, but would you have an example of rules on Pfsense to be able to do exactly what you're explaining, i.e. blocking access to the Internet and only internal access.

        Right now, I'm a bit lost...🤕 🤒

        17708486-6694-4393-aa41-5894693d75ca-image.png

        ccd0c899-dca3-4417-b49a-aa14e79d4d70-image.png

        EDIT :
        Another attempt to play by the rules and be OK!

        f3f1334f-ecd3-4fb1-a66c-d150290ddc07-image.png

        I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
        ... And now I'm living with a Netgate 8200
        ... And sorry for my bad English...

        J 1 Reply Last reply Dec 17, 2023, 4:17 PM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @SwissSteph
          last edited by johnpoz Dec 17, 2023, 4:20 PM Dec 17, 2023, 4:17 PM

          @SwissSteph so the cloudkey doesn't have an administration tab? Are you logged in with an admin account? Look under your advanced tab there might be this

          remote.jpg

          As to allowing local access.. So if you don't want your controller to have internet access, create a rule with its IP as source and blocking any..

          So here is my lan for example - it allows all outbound and to my other networks.

          lan.jpg

          If I wanted to allow say my controller on 192.168.9.42, my lan network is 192.168.9.0/24 to only go to local stuff, and not go to the internet I would say use rules like this.

          942.jpg

          Where I allow it to go to any rfc1918 network (alias you can create)..

          But then below that before the any any rule I say hey 192.168.9.42 trying to go anywhere would be blocked.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

          So going to pfsense IP on say 192.168.1.1 would be allowed this is rfc1918.. 192.168.4.98 or 172.16.3.2 all allowed by the rfc1918 rule..

          But now say 192.168.9.42 was trying to go to 1.2.3.4 on the internet.. Well it doesn't trigger the anti-lock out rule, so next rule - well it doesn't match the any to rfc1918 because the destination is not rfc1918 so next rule. Oh hey 192.168.9.42 you trying to go anywhere - sorry buddy, blocked.

          There are many different ways to write rules to accomplish something.. By default if its not allowed the default deny would block it.. So all depends on what rule you currently have in place on how to add to either block or allow specific access. Just remember top down.. First rule to match wins..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          S 2 Replies Last reply Dec 17, 2023, 4:38 PM Reply Quote 1
          • S
            SwissSteph @johnpoz
            last edited by Dec 17, 2023, 4:38 PM

            @johnpoz

            Yes-yes I'm admin (I have a local login and another through https://account.ui.com/login"

            ... but then, I feel like crap

            I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
            ... And now I'm living with a Netgate 8200
            ... And sorry for my bad English...

            J 1 Reply Last reply Dec 17, 2023, 4:40 PM Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator @SwissSteph
              last edited by Dec 17, 2023, 4:40 PM

              @SwissSteph said in Help with rules to block UniFi Cloudkey Gen2+:

              another through https://account.ui.com/login"

              Well turn off the remote ability on your cloudkey - look under advanced for what I posted... I don't have a cloudkey to test with..

              Your best bet is to check on the unifi docs or forums.. While there are many here that use unifi AP, even switches and prob some that have the cloudkey.. There are way more users on their forums ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              S 1 Reply Last reply Dec 17, 2023, 4:45 PM Reply Quote 0
              • S
                SwissSteph @johnpoz
                last edited by Dec 17, 2023, 4:45 PM

                @johnpoz

                Thanks, I'll keep digging into this "problem" 👍

                I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                ... And now I'm living with a Netgate 8200
                ... And sorry for my bad English...

                1 Reply Last reply Reply Quote 0
                • S
                  SwissSteph @johnpoz
                  last edited by SwissSteph Dec 17, 2023, 4:51 PM Dec 17, 2023, 4:46 PM

                  @johnpoz

                  According to your explanations (THANK YOU!) I've created these rules, I think I'm "right"... do you think it's actually OK?

                  8ba0d091-9358-4018-8ea1-c0a84584c853-image.png

                  EDIT :

                  In any case, I have "activity" on these rules

                  29b270c6-54cf-41a0-88ec-406722cf412f-image.png

                  I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                  ... And now I'm living with a Netgate 8200
                  ... And sorry for my bad English...

                  J 1 Reply Last reply Dec 17, 2023, 4:52 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @SwissSteph
                    last edited by Dec 17, 2023, 4:52 PM

                    @SwissSteph yeah those rules would allow that 1.49 IP to go to any rfc1918 address (or whatever networks you have in that alias) and anywhere else would be blocked. Ie the internet..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    S 1 Reply Last reply Dec 17, 2023, 4:59 PM Reply Quote 0
                    • S
                      SwissSteph @johnpoz
                      last edited by Dec 17, 2023, 4:59 PM

                      @johnpoz

                      YES YES YES!!!

                      Thank you so much for your help and patience 😊

                      Now all I have to do is try to block entry into my UniFi Cloudkey Gen2+ from the outside, then it would be perfect. Because I could give or not this access ONLY when I want.

                      But I don't really understand how it works and how to block the Unify site from reaching my Cloudkey.

                      Now I can still do it...

                      If anyone has the "magic rule", I'd love to hear from you.

                      I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                      ... And now I'm living with a Netgate 8200
                      ... And sorry for my bad English...

                      J 1 Reply Last reply Dec 17, 2023, 5:02 PM Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @SwissSteph
                        last edited by Dec 17, 2023, 5:02 PM

                        @SwissSteph said in Help with rules to block UniFi Cloudkey Gen2+:

                        how to block the Unify site from reaching my Cloudkey.

                        unfi is not "reaching" your cloudkey, your cloudkey is creating a connection to them. Unless you setup a port forward on pfsense, or something with a reverse proxy there is no way for unifi to create an unsolicited inbound traffic to talk to your cloudkey..

                        If you block its access to the internet, at some point their site will show your cloudkey offline.. Might take a bit before they reflect they are no longer talking to your clouldkey.. Make sure you kill any states as well once you created the block rule.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        S 2 Replies Last reply Dec 17, 2023, 5:11 PM Reply Quote 0
                        • S
                          SwissSteph @johnpoz
                          last edited by Dec 17, 2023, 5:11 PM

                          @johnpoz

                          I agree.

                          Thanks for these clarifications, I'll keep an eye on it and if there's still a connection, then I'm the one who authorized it directly in my "Cloudkey". This is possible because I'm not sure I've done everything "right" as soon as it's installed, so I'm going "step by step".

                          "Unless you setup a port forward on pfsense, or something with a reverse proxy there is no way for unifi to create an unsolicited inbound traffic to talk to your cloudkey"

                          I don't have a "reverse proxy" or "port specific redirection for unify" ... but I'll keep an eye on it.

                          Thanks again!

                          I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                          ... And now I'm living with a Netgate 8200
                          ... And sorry for my bad English...

                          1 Reply Last reply Reply Quote 0
                          • S
                            SwissSteph @johnpoz
                            last edited by Jan 3, 2024, 8:45 AM

                            @johnpoz
                            A little feedback ... these two rules work perfectly. Thanks again for your help and happy new year!

                            I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                            ... And now I'm living with a Netgate 8200
                            ... And sorry for my bad English...

                            1 Reply Last reply Reply Quote 0
                            • S
                              SwissSteph
                              last edited by SwissSteph Jan 29, 2024, 10:22 AM Jan 29, 2024, 10:17 AM

                              My new feedback, is that by not changing anything to the two rules explained in this topic, in 2024 and using the same applications (only the version is changed) on my phone it is impossible for me to connect as it worked perfectly with OpenVPN ... now nothing works anymore.

                              Of course, if I remove the two blocking rules above, it works again (probably Unify's "cloud").

                              In short, the blocking that was perfect in 2023, blocks so well that in 2024 and the changes made by Unify I can no longer connect remotely with my phone (while not at home) and with my OpenVPN on my Pfsense.

                              As I don't want to let Unify "see all my configurations", do you have a solution?

                              1. keep the rules above that block the "Unify sew".
                              2. find a solution so that Unify Android applications work as before (in 2023).

                              I find it very hard to understand why everything is blocked when I'm not at home using my Android phone + OpenVPN.

                              This same phone, on my WiFi at home, works very well with the applications installed on my phone.
                              If I test (still at home) with OpenVPN -> it no longer works ... so logically with the same OpenVPN from elsewhere it doesn't work.

                              Help!

                              I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                              ... And now I'm living with a Netgate 8200
                              ... And sorry for my bad English...

                              JeGrJ 1 Reply Last reply Feb 7, 2024, 1:31 PM Reply Quote 0
                              • JeGrJ
                                JeGr LAYER 8 Moderator @SwissSteph
                                last edited by Feb 7, 2024, 1:31 PM

                                @SwissSteph said in Help with rules to block UniFi Cloudkey Gen2+:

                                As I don't want to let Unify "see all my configurations", do you have a solution?

                                Huh? Just disable the Cloudkey from connecting to Unifis Cloud for their remote admin stuff. That's a controller option. Done. Ubiquiti doesn't "read" your configuration. That's nonsense. Also blocking the cloud key from the internet won't show you any updates of your devices and the cloudkey itself, so it's a bit of strange move when you want the stuff to work and get updates but at the same time disabling it's ability to download updates from the official servers?

                                I simply disabled the remote connection stuff and don't have the option to connect to my cloudkey even when I log into their online portal thingy as it just doesn't connect there. That's more then enough for me.

                                As for your problem with your OpenVPN - those two things are simply not connected to each other. As we can't predict what rules and stuff you configured, there's no way we could see why your Android via OVPN wouldn't work anymore.

                                Cheers

                                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  SwissSteph
                                  last edited by Feb 7, 2024, 1:42 PM

                                  Thank you for your message and your advice.

                                  "Protect" doesn't work anymore, and this without any configuration change on my Pfsense, it's actually a new version of the "Protect" application that broke this.

                                  On the Ubiquiti forum, there are other messages from members who have exactly the same problem. And no help from official Ubiquiti support.

                                  I'm talking about my configuration where my Pfsense blocks all connections from my "Cloudkey" to the outside and where I used to connect to it without any problem with my OpenVPN and the "Protect" application, now it's impossible (including while on my WiFi)

                                  Yes, updates are no longer offered. If I want them, I disable my two rules on my Pfsense and they come. The latest update https://community.ui.com/releases/UniFi-Switch-6-6-61/8f96bd97-d43b-4387-9b5e-6273f5db54bf seems to break a lot of things, and I'm glad I didn't put this new version on my appliances (anyway I don't leave the updates in "automatic mode" for security reasons ... which not everyone does, as several have had problems waking up).

                                  I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
                                  ... And now I'm living with a Netgate 8200
                                  ... And sorry for my bad English...

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                    [[user:consent.lead]]
                                    [[user:consent.not_received]]