Understand UniFi gateways, NAT, default policies, and how to add port forwards and inter-VLAN rules safely.
Gateway and Firewall Basics
Your UniFi gateway is the border between the internet and your LANs/VLANs.
What the gateway does
- NAT — private IPs to one public IP
- DHCP/DNS — often per-VLAN
- Firewall — allow/deny between zones
- Port forwarding — publish internal services (use sparingly)
The hosted controller does not replace a gateway — you still need on-site UniFi (or other) routing hardware for each site.
Default posture
- LAN → Internet: usually allowed
- Internet → LAN: denied by default (good)
- Guest → LAN: should be deny (configure explicitly)
Adding a port forward (carefully)
- Settings → Security → Port forwarding (or NAT rules).
- Map external port → internal IP:port (e.g. NVR or mail server).
- Restrict source IPs when possible — avoid exposing RDP/admin ports to
0.0.0.0/0. - Prefer VPN over wide-open port forwards for admin access.
Inter-VLAN rules
Example policies:
| Rule | Action |
|---|---|
| Corporate → IoT (for management) | Allow specific ports only |
| IoT → Corporate | Deny |
| Guest → Corporate | Deny |
| Corporate → Guest | Deny (usually) |
Use groups or network objects as UniFi OS evolves — principle stays the same: least privilege.
DNS and content filtering
- Enable UniFi content filter or third-party DNS if policy requires it.
- Document bypass for guest portals or captive portals.
Double NAT warning
If the ISP modem also routes (not bridged), you may have double NAT — breaks port forwards, VPN, and sometimes adoption. See Double NAT and ISP Modem Setup.
Maintenance
- Export gateway config via UniFi backup before major rule changes.
- Review rules quarterly — old “temporary” permits accumulate.