How to install a UniFi firewall
Published by Iron
Installing a UniFi firewall can seem like a daunting task, but with this guide, you’ll have it up and running in no time. We’ll break down each step clearly, from understanding the basics of what a firewall does, to the nitty-gritty of configuring your firewall settings in the UniFi Controller.
Let's dive in!

Table of Contents
- What is a UniFi firewall?
- Before you start
- Step 1: Access the UniFi Controller
- Step 2: Navigate to the firewall settings
- Step 3: Create firewall rules
- Step 4: Add a new firewall rule
- Step 5: Configure firewall rule order
- Step 6: Test your firewall
- Step 7: Enable logging (optional)
- Common mistakes and how to avoid them
- Firewall troubleshooting
- Final Thoughts
What is a UniFi firewall?
A firewall acts as a gatekeeper for your network, controlling what data comes in and goes out. It protects your network from potential threats, limits access for certain devices, and ensures only trusted traffic can get through.
If you’re running a UniFi network, the firewall is typically built into UniFi gateway devices like the UniFi Dream Machine (UDM), Dream Router (UDR), or UniFi Security Gateway (USG). These devices make it simple to manage firewall rules from the UniFi Controller interface.
Before you start
Before diving into installation, make sure you have the following ready:
- UniFi Gateway Device (like UDM, UDM Pro, or USG).
- UniFi Controller (this can be on a Cloud Key, UniFi Dream Machine, or hosted using a service like UniHosted).
- Basic Networking Knowledge (don’t worry, we’ll guide you step-by-step).
- Admin Access to Your UniFi Controller (since you’ll be making system-wide changes).
Step 1: Access the UniFi Controller
- Open your web browser and access your UniFi Controller. This is typically done by entering the IP address of the controller in the address bar (e.g., "https://192.168.1.1").
- Log in using your admin username and password.
- If you’re using a cloud-hosted UniFi Controller (like one hosted by UniHosted), you can log in via unifi.ui.com.
Pro Tip: If you're hosting your UniFi Controller with a service like UniHosted, you don’t need to worry about local network configurations. Your controller is always accessible online.
Step 2: Navigate to the firewall settings
Once you’re inside the UniFi Controller, you’re just a few clicks away from the firewall settings.
- Click "Settings" (gear icon) on the lower-left side of the screen.
- Select "Security & Gateway" from the menu.
- Click on "Firewall & Traffic Rules" to see the available configuration options.
This is where you’ll add your firewall rules.
Step 3: Create firewall rules
Here’s where things get interesting. Firewall rules tell the system how to handle incoming, outgoing, and local network traffic. UniFi breaks down these rules into three key areas:
- LAN IN: Controls traffic coming into the local network.
- LAN OUT: Controls traffic going out from the local network.
- WAN IN: Controls traffic coming into your network from the internet (WAN side).
Note: You’ll typically work with WAN IN rules to protect your network from internet-based threats and LAN IN rules to control device-to-device communication within your network.
Step 4: Add a new firewall rule
- Click the "+ Create New Rule" button at the top of the Firewall page.
- Choose the type of traffic you want to control (LAN IN, LAN OUT, or WAN IN).
- Give the rule a descriptive name (e.g., “Block All Social Media”).
- Set Action to "Drop" (this blocks traffic) or "Accept" (this allows traffic).
- Set Source and Destination.
  - Source can be "Any" or a specific IP or subnet.
  - Destination can also be "Any" or a specific destination IP.
- Select Port/Protocol (optional) to only apply the rule to certain services like web browsing (port 80/443) or gaming ports.
- Click Apply Changes and Save.
Example Rule 1: Block TikTok on all devices
- Action: Drop
- Source: Any
- Destination: TikTok IPs (if known) or known TikTok URLs
- Port/Protocol: 80, 443 (HTTP and HTTPS)
Example Rule 2: Block incoming connections from a specific country
- Action: Drop
- Source: Select "Country" and choose the country to block
- Destination: Your network (LAN)
Example Rule 3: Allow only specific IPs to access the network remotely
- Action: Accept
- Source: List the IP addresses of devices you want to allow
- Destination: Your network (LAN)
- Port/Protocol: 22 (for SSH)
Pro Tip: If you’re new to firewalls, stick with WAN IN rules to protect your network from external threats. LAN rules are only needed if you want to limit traffic inside your home or office network.
Step 5: Configure firewall rule order
The order of rules matters! UniFi firewalls process rules from top to bottom and stop at the first rule that matches, so a packet is never evaluated against anything below that rule. Here’s how to adjust rule priority:
- Hover over a rule, then drag and drop it to a new position.
- Place stricter, broader rules higher in the list to catch traffic early.
- Save your changes after reordering the rules.
Example: If you have an "Allow Gaming Traffic" rule and a "Block All Outbound Traffic" rule sits above it, the "Block All" rule matches first and the gaming traffic is dropped; the "Allow Gaming" rule only takes effect if you move it above the "Block All" rule.
Step 6: Test your firewall
Now that your rules are live, it’s time to test them.
- Use a device connected to your network.
- Try accessing a blocked website or service.
- If it’s blocked, congrats — your firewall is working.
- If it’s not working as expected, double-check the order of your rules and ensure the source/destination details are correct.
Pro Tip: Avoid blocking essential services like DHCP, DNS, or UniFi Cloud Access, or you might lock yourself out of the controller.
Step 7: Enable logging (optional)
To see if your rules are being applied correctly, enable logging.
- Edit a firewall rule.
- Look for the Log Traffic option and enable it.
- Check the Logs section in the UniFi Controller to see which traffic was allowed or blocked.
This is useful for troubleshooting.
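To make Step 7 concrete, here is an added example (not code from UniFi or from this guide) that reads rule-hit log lines and summarizes which rule dropped what. UniFi gateways are Linux devices that log rule hits in iptables-style KEY=VALUE lines; the exact tag layout `[CHAIN-A|D-RULEID]` used below is an assumption modelled on that style, and every sample line is constructed, not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample of iptables-style rule-hit lines (format assumed, not captured).
# The bracketed tag carries the chain, A(ccept)/D(rop) and the rule id; the rest
# is KEY=VALUE pairs as the kernel emits them.
SAMPLE_LOG = """\
[WAN_IN-D-2000] DESCR="Block inbound SSH" IN=eth4 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51512 DPT=22
[WAN_IN-D-2000] DESCR="Block inbound SSH" IN=eth4 OUT= SRC=198.51.100.9 DST=203.0.113.1 PROTO=TCP SPT=40022 DPT=22
[LAN_IN-D-2001] DESCR="Block IoT to LAN" IN=br20 OUT=br0 SRC=192.168.20.14 DST=192.168.1.10 PROTO=UDP SPT=5353 DPT=53
[LAN_IN-A-2002] DESCR="Allow printer" IN=br20 OUT=br0 SRC=192.168.20.30 DST=192.168.1.40 PROTO=TCP SPT=44001 DPT=631
[WAN_IN-D-2000] DESCR="Block inbound SSH" IN=eth4 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51513 DPT=22
"""

# Tag at the start of each line: chain name, action letter, numeric rule id.
TAG_RE = re.compile(r"\[(?P<chain>[A-Z_]+)-(?P<action>[AD])-(?P<rule_id>\d+)\]")
# KEY=VALUE tokens; a value is either a quoted string (DESCR) or a bare token
# (possibly empty, as in OUT= for traffic terminating on the gateway).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a rule-hit line."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "chain": m["chain"],
        "action": "drop" if m["action"] == "D" else "accept",
        "rule_id": int(m["rule_id"]),
        **fields,
    }


def summarize_drops(text):
    """Count dropped packets per (rule description, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "drop":
            counts[(entry["DESCR"], entry["PROTO"], int(entry["DPT"]))] += 1
    return counts


def dropped_sources(text, dport):
    """Distinct source addresses that were dropped while aiming at one port."""
    return sorted({
        entry["SRC"]
        for entry in map(parse_line, text.splitlines())
        if entry and entry["action"] == "drop" and int(entry["DPT"]) == dport
    })


if __name__ == "__main__":
    for (descr, proto, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:>3}  {descr:<20} {proto}/{dport}")
    print("dropped sources on tcp/22:", dropped_sources(SAMPLE_LOG, 22))
```

Reading the summary answers the two questions you actually have after Step 6: did the rule you just created fire at all, and did it catch the traffic you expected and nothing else. A drop count against a port you did not mean to block (53 or 67/68, for instance) is the early warning for the lock-out mistakes described in the next section.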
Common mistakes and how to avoid them
- Mistake 1: Blocking DHCP or DNS traffic. If you block DHCP, devices won’t get IP addresses.
  Fix: Never block LAN IN traffic on UDP ports 67, 68 (DHCP) and 53 (DNS).
- Mistake 2: Incorrect rule priority. Rules further down the list may not get triggered.
  Fix: Move broader, catch-all rules to the bottom.
- Mistake 3: Locking yourself out of the UniFi Controller.
  Fix: Before making major changes, ensure you can access the UniFi Controller from another network or have a backup.
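The following Python is an added example, not UniFi's code or anything from this guide. It models the top-to-bottom, first-match evaluation from Step 5 and then uses the same rule model to check for Mistake 1 (a drop rule that would swallow DHCP or DNS). The rule fields mirror the ones in Step 4; the sample rules, the LAN subnet, the UDP port 3074 used as the "gaming" port and the accept-by-default policy are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Minimal model of a UniFi-style firewall rule (fields as in Step 4).
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    source: str = "any"               # "any", a single IP, or a CIDR
    destination: str = "any"
    protocol: str = "any"             # "any", "tcp" or "udp"
    ports: frozenset = frozenset()    # destination ports; empty means all ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def _net_matches(spec, addr):
    # "any" matches everything; a bare IP is treated as a /32 by ip_network.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule, pkt):
    return (_net_matches(rule.source, pkt.src)
            and _net_matches(rule.destination, pkt.dst)
            and rule.protocol in ("any", pkt.protocol)
            and (not rule.ports or pkt.dport in rule.ports))


def evaluate(rules, pkt, default="accept"):
    """First matching rule decides; nothing below it is consulted.
    The accept-by-default fallback is an assumption of this model."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed rules for the Step 5 ordering example.
ALLOW_GAMING = Rule("Allow Gaming Traffic", "accept", source="192.168.1.0/24",
                    protocol="udp", ports=frozenset({3074}))
BLOCK_ALL_OUT = Rule("Block All Outbound Traffic", "drop", source="192.168.1.0/24")
GAME_PKT = Packet("192.168.1.50", "203.0.113.10", "udp", 3074)


def ordering_demo():
    """Same two rules, two orders: only the order changes the verdict."""
    block_first = evaluate([BLOCK_ALL_OUT, ALLOW_GAMING], GAME_PKT)
    allow_first = evaluate([ALLOW_GAMING, BLOCK_ALL_OUT], GAME_PKT)
    return block_first, allow_first


# Mistake 1 check: UDP ports a LAN IN drop rule must never cover.
ESSENTIAL_UDP = {67: "DHCP server", 68: "DHCP client", 53: "DNS"}


def lint_lan_in(rules):
    """Warn about drop rules whose protocol/port scope includes DHCP or DNS."""
    warnings = []
    for rule in rules:
        if rule.action != "drop" or rule.protocol not in ("any", "udp"):
            continue
        hit = sorted(p for p in ESSENTIAL_UDP if not rule.ports or p in rule.ports)
        if hit:
            names = ", ".join(ESSENTIAL_UDP[p] for p in hit)
            warnings.append(f"{rule.name!r} drops UDP {hit} ({names})")
    return warnings


if __name__ == "__main__":
    print("block rule on top :", ordering_demo()[0])
    print("allow rule on top :", ordering_demo()[1])
    for w in lint_lan_in([BLOCK_ALL_OUT, ALLOW_GAMING]):
        print("WARNING:", w)
```

Run against a draft rule list before you save it in the controller: any warning from `lint_lan_in` means devices on that network will stop getting addresses or resolving names the moment the rule is applied, which is exactly the lock-out the Pro Tip in Step 6 warns about.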
Firewall troubleshooting
If something goes wrong, here’s how to fix it:
- Check Rule Logs: Look for clues on what traffic is being blocked.
- Disable the Rule: If a rule is causing issues, disable it temporarily.
- Reset to Defaults: If all else fails, reset firewall rules to defaults.
- Factory Reset: If things are really bad, reset the UniFi device and restore from a backup.
Final Thoughts
Installing and configuring a UniFi firewall may seem complex, but once you get the basics down, it’s smooth sailing. You now have the power to block unwanted traffic, protect your network, and control how devices communicate.
If you'd rather skip the setup and focus on running your business or home network, consider hosting your UniFi Controller with UniHosted. We handle the backend so you can focus on what's important. If you would like me to personally walk you through UniHosted, you can schedule a call with me here.