WAN
Port forwarding
Firewall rules
Rules configured in addition to the default rules.

Name | Action | Source Zone | Destination Zone |
---|---|---|---|
Allow UniFi remote access | Allow | External | Gateway |
Local network
VLANs
Name | Subnet | Description | Isolate network |
---|---|---|---|
Default | 192.168.1.0/24 | Default local network for laptops, family phones and tablets | No |
Pub | 192.168.50.0/24 | An isolated VLAN for public services | No |
Guest | 192.168.5.0/24 | An isolated VLAN for guest WiFi access | No |
IoT | 192.168.6.0/24 | An isolated VLAN for connected home appliances | No |
- Device Isolation is disabled for all networks
Firewall zones
Zones access rules
Additional firewall rules allowing or blocking zone-to-zone or subnet-to-subnet communication.

Source Zone | Destination Zone | Source | Destination | Action | Description |
---|---|---|---|---|---|
Internal | VLAN 50 | All | All | Allow with return | Allow all traffic from Default network to Pub |
Internal | VLAN 6 | All | All | Allow with return | Allow all traffic from Default network to IoT |
VPN | Internal | VPS subnet | All | Allow only return | Allow return traffic from VPS subnet to Default |
VPN | Internal | VPS subnet | All | Block | Block VPS VPN clients from accessing the Default network |
VPN | Hotspot | VPS subnet | All | Block | Block VPS VPN clients from accessing the Guest network |
VPN | DMZ | VPS subnet | All | Block | Block VPS VPN clients from accessing the DMZ zone |
VPN | VLAN 50 | All | Hearthstone | Allow all | Allow Hearthstone VPN clients access to Pub network |
VPN | VLAN 6 (IoT) | All | Hearthstone | Allow all | Block Hearthstone VPN clients access to IoT network |
VLAN 50 | VLAN 50 | All | All | Allow all | Allow Pub network clients to access each other |
VPN
There are two WireGuard servers configured:
- Hearthstone. Subnet 192.168.3.0/24. For external access to all local networks.
- VPS. Subnet 192.168.4.0/24. For accessing VPS servers as local network devices.
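The zone access rules above and the two WireGuard subnets can be checked offline with a small first-match simulator, which makes the ordering of the two VPS-subnet rows (the "Allow only return" row must precede the "Block" row) and the difference between "Allow with return" and "Allow only return" visible before anything is applied to the gateway. The following is an added example written for this page, not UniFi code and not part of the original configuration. It assumes that unmatched traffic is dropped, adds one assumed Internal-to-VPN allow rule standing in for the unlisted default rules, treats the Hearthstone object in the two VPN-to-VLAN rows as the source (as their descriptions say), and leaves the DMZ zone unmapped because no subnet is listed for it. It applies each row's Action column, which is what the gateway enforces, independent of the description text.

```python
"""First-match zone firewall simulator (added example, not UniFi code).

Models the VLAN table, the two WireGuard subnets and the zone access rules
from this page. Unmatched traffic is assumed to be dropped.
"""
import ipaddress
from typing import NamedTuple

ALLOW, ALLOW_RETURN, RETURN_ONLY, BLOCK = (
    "allow", "allow_with_return", "allow_only_return", "block")

# Zone -> member subnets, from the VLAN table and the VPN section.
# The DMZ zone is referenced by a rule but no subnet is listed for it on
# the page, so it is intentionally not mapped here.
ZONES = {
    "Internal": [ipaddress.ip_network("192.168.1.0/24")],
    "VLAN 50": [ipaddress.ip_network("192.168.50.0/24")],
    "Hotspot": [ipaddress.ip_network("192.168.5.0/24")],
    "VLAN 6": [ipaddress.ip_network("192.168.6.0/24")],
    "VPN": [ipaddress.ip_network("192.168.3.0/24"),   # Hearthstone
            ipaddress.ip_network("192.168.4.0/24")],  # VPS
}

# Named address objects used in the Source / Destination columns.
OBJECTS = {
    "All": None,  # matches any address
    "VPS subnet": ipaddress.ip_network("192.168.4.0/24"),
    "Hearthstone": ipaddress.ip_network("192.168.3.0/24"),
}


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    action: str


# Evaluation order matters: the first row is an ASSUMED stand-in for the
# unlisted default rules; the rest mirror the page's table top to bottom.
RULES = [
    Rule("Internal", "VPN", "All", "All", ALLOW),            # assumed default
    Rule("Internal", "VLAN 50", "All", "All", ALLOW_RETURN),
    Rule("Internal", "VLAN 6", "All", "All", ALLOW_RETURN),
    Rule("VPN", "Internal", "VPS subnet", "All", RETURN_ONLY),
    Rule("VPN", "Internal", "VPS subnet", "All", BLOCK),
    Rule("VPN", "Hotspot", "VPS subnet", "All", BLOCK),
    Rule("VPN", "DMZ", "VPS subnet", "All", BLOCK),
    # Hearthstone taken as the source object, as the descriptions say (assumption).
    Rule("VPN", "VLAN 50", "Hearthstone", "All", ALLOW),
    Rule("VPN", "VLAN 6", "Hearthstone", "All", ALLOW),      # Action column as on the page
    Rule("VLAN 50", "VLAN 50", "All", "All", ALLOW),
]


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


def zone_of(ip):
    """Return the zone whose subnets contain ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def in_object(ip, name):
    net = OBJECTS[name]
    return net is None or ipaddress.ip_address(ip) in net


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = {}  # forward 5-tuple -> action of the rule that admitted it

    def evaluate(self, pkt):
        """Return (decision, reason) for one packet, updating flow state."""
        fwd = pkt.reverse()
        # "Allow with return" admits replies to its flows without consulting rules.
        if self.flows.get(fwd) == ALLOW_RETURN:
            return "allow", "return traffic of an 'Allow with return' flow"
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        for i, r in enumerate(self.rules):
            if (r.src_zone, r.dst_zone) != (sz, dz):
                continue
            if not (in_object(pkt.src, r.src) and in_object(pkt.dst, r.dst)):
                continue
            if r.action == RETURN_ONLY:
                if fwd in self.flows:       # reply to a tracked flow
                    return "allow", f"rule {i}: return traffic only"
                continue                    # new connection: rule does not match
            if r.action == BLOCK:
                return "block", f"rule {i}"
            self.flows[pkt] = r.action      # ALLOW / ALLOW_RETURN: track the flow
            return "allow", f"rule {i}"
        return "block", "default policy (assumed drop)"


if __name__ == "__main__":
    fw = Firewall(RULES)
    # Constructed sample traffic: a VPS host answering a Default-network SSH
    # session is allowed, the same host opening SMB toward Default is not.
    for p in (Packet("tcp", "192.168.1.20", 51001, "192.168.4.10", 22),
              Packet("tcp", "192.168.4.10", 22, "192.168.1.20", 51001),
              Packet("tcp", "192.168.4.10", 40000, "192.168.1.20", 445)):
        print(p, "->", fw.evaluate(p))
```

Running the module prints the decision and the matching rule for each constructed packet; reordering the two VPS-subnet rows so that "Block" comes first makes the reply packet fall to the block rule, which is the misconfiguration this kind of dry run is meant to catch.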