# UniFi Firewall Enforcement Result — 2026-05-23 Purpose: record the actual first live enforcement change made after the read-only planning pass, plus the exact remaining work that was intentionally not guessed into production. ## What was live-validated before the change - UniFi controller reachable at `https://10.5.0.1` - Live zone model confirmed from the controller API: - `Internal` = Management + Trusted + Servers - `Untrusted` = IoT + Camera + Old IoT - `Hotspot` = Guest - Existing custom policies before this change: - `Allow Internal to Untrusted` - disabled temp policy `DORIS-TEMP` - Existing UniFi built-in defaults already provided: - Guest internet-only / hotspot restrictions - Untrusted zone isolation from `Internal`, `Hotspot`, `Dmz`, `Untrusted`, and `Vpn` - broad `Untrusted -> Gateway` allow remained in place by default ## Live change applied Added one custom Policy Engine rule: - `Block Untrusted to Gateway Admin Surfaces` - source zone: `Untrusted` - source CIDRs: - `10.5.10.0/24` - `10.5.20.0/24` - `192.168.1.0/24` - destination zone: `Gateway` - destination IP: `10.5.0.1` - destination TCP ports: `22,80,443,8443,9443` - intent: block IoT / Camera / Old IoT clients from reaching the UDM Pro admin surfaces while leaving DHCP, DNS, mDNS, and normal internet behavior to the existing zone defaults ## Why this was the safe first enforcement slice This closes the most obvious management-plane exposure left by the default zone policy without guessing at: - Protect/NVR helper ports - Google/cast discovery exceptions - local-vs-public NTP design - whether every restricted lane is already using the intended DNS target instead of the gateway A broader `Untrusted -> Gateway` block was deliberately not applied because the current live DHCP/DNS details still need cleanup and verification. ## Validation evidence - Dry-run from the PD runtime helper showed exactly one new policy create and no mutation to `Allow Internal to Untrusted` - Apply completed successfully through the same helper - Follow-up helper run removed the disabled temporary custom policy `DORIS-TEMP` - Post-apply custom policy readback now shows only: - `Allow Internal to Untrusted` - `Block Untrusted to Gateway Admin Surfaces` - Controller API access from PD remained healthy immediately after apply ## Things intentionally left for later Still not safe to guess into production without targeted validation: - final `HOST-ADMIN-TRUSTED` membership - full management shield for every internal lane - explicit Trusted admin allow objects before any broad `Internal -> Gateway` deny - exact camera/Protect helper ports - Google/cast discovery/control exceptions - final SSID retirement / simplification ## Recommended next live order 1. verify what DNS target the restricted lanes are actually receiving from DHCP today 2. verify whether any restricted clients still need gateway access beyond DHCP/mDNS 3. only then decide whether to convert this first surgical block into the broader management shield design 4. do Google/cast validation from a laptop before any cast-related firewall or SSID cleanup 5. finish SSID simplification after the cast/discovery behavior is understood