The Unifi USG firewall isn't functioning properly.

vwgti2a, Member, 106
09-23-2016, 10:38 PM #1
Hey everyone, I'm facing a problem with my firewall on the USG. I've configured two VLANs—10 and 40—and have a PC on VLAN 10 while a server runs on VLAN 40. The existing rules block cross-talk between the VLANs, which is functioning correctly. I tried setting up a rule to allow SSH and HTTP traffic between the PC and the server. Initially, I needed separate rules for both directions, but then I created a group containing both the server and the PC's IP addresses and applied a single rule across them. That resolved the issue smoothly. Next, I added a port group to restrict traffic to just SSH (port 22) and applied it to the firewall. However, when I changed the restrictions, everything stopped working. The screenshots are attached for your reference.
DoctorSergio15, 189
09-28-2016, 06:09 AM #2
It appears the system fails once port limitations are applied, indicating additional ports are needed beyond the three available.
dm5k, Member, 179
09-29-2016, 02:40 AM #3
Testing via SSH on port 22 is straightforward—it's similar to how I handle external access by forwarding port 22. The other ports (80 and 443) are used for web traffic, which helps confirm the connection isn't just SSH. I also verified that web traffic stops working, reinforcing the setup.
creaper2012, Member, 205
09-29-2016, 10:00 AM #4
You might consider testing Wireshark. Verify that only the standard ports are in use, possibly with traffic routed through port 8080 between server and client. Examine their protocols to understand their role.
kaka889010, Junior Member, 4
09-30-2016, 10:50 PM #5
Establishing a link between your machine and the server involves SSH on port 22 from the server's perspective, while your device selects any random port above 1000 for communication. Unlike protocols such as FTP that rely on fixed ports even on the client side, most connections today use arbitrary ports on the client end. When defining port groups, you typically restrict traffic to only essential services like 22, 80, and 443. This explains why separate groups are often needed—one for incoming and one for outgoing connections. Edit: You might consider targeting just the destination rather than the source, as firewalls generally permit established sessions.
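To illustrate the point made in post #5, here is a small Python model of stateful rule matching (example code added for this page, not from the thread or from Ubiquiti). The addresses, the ephemeral port 51234 and the rule shapes are assumed; in particular it assumes the port group was applied to the source side as well as the destination, which is what makes the client's random source port fail the match.

```python
# Added example: addresses and the ephemeral port are constructed sample values.
PC = "192.168.10.20"      # PC on VLAN 10
SERVER = "192.168.40.10"  # server on VLAN 40
SSH_PORTS = {22}
ANY = None                # wildcard for an address or port field

# A packet is (src, sport, dst, dport); a rule is (action, (src, sport, dst, dport))
# where each pattern is a set of allowed values or ANY.
def matches(patterns, pkt):
    return all(p is ANY or v in p for p, v in zip(patterns, pkt))

def decide(rules, pkt, conntrack):
    """Return 'accept' or 'drop'. Replies of accepted flows pass as established,
    modelling the allow-established behaviour the thread describes."""
    src, sport, dst, dport = pkt
    if pkt in conntrack or (dst, dport, src, sport) in conntrack:
        return "accept"
    for action, patterns in rules:
        if matches(patterns, pkt):
            if action == "accept":
                conntrack.add(pkt)
            return action
    return "drop"  # default: inter-VLAN traffic is blocked

def session(rules, client, server, dport, sport=51234):
    """Verdicts for the client's SYN and the server's reply to it."""
    conntrack = set()
    syn = (client, sport, server, dport)    # client picks an ephemeral source port
    reply = (server, dport, client, sport)  # the reply comes back to that port
    return decide(rules, syn, conntrack), decide(rules, reply, conntrack)

HOSTS = {PC, SERVER}
# Broken: one symmetric rule over the IP group with the port group on both ends,
# so the SYN's source port (51234) never matches {22}.
BROKEN = [("accept", (HOSTS, SSH_PORTS, HOSTS, SSH_PORTS))]
# Fixed: match the destination port only; the connection table admits the reply.
FIXED = [("accept", ({PC}, ANY, {SERVER}, SSH_PORTS))]
```

With FIXED, SSH from the PC to the server succeeds while HTTP to the server and SSH initiated from the server are still dropped, which is the intended effect of the port group.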