6.9 KiB
UniFi Firewall Gap List
Purpose: compare the intended segmentation design against the current staged UniFi firewall artifacts without making any live traffic changes.
Evidence used:
- Desired design:
home/doris-dashboard/docs/network-firewall-rule-order.md - Current groups baseline:
home/doris-dashboard/docs/baselines/unifi-firewallgroup-baseline-2026-05-22-post-stage.json - Current custom policy baseline:
home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-22-post-ui-probe.json
Executive summary
Current state is scaffolding, not finished enforcement.
What exists now:
- network/address groups for the major lanes
- a handful of port groups
- one enabled custom outbound-style policy:
Allow Internal to Untrusted - one disabled temp policy:
DORIS-TEMP
What does not yet exist in the captured custom-policy baseline:
- the actual inter-VLAN segmentation matrix
- the management shield
- the quarantine posture for Legacy CIA
- the lane-specific allow/deny structure described in the design doc
So the honest answer is:
- groups/objects: mostly present
- real custom segmentation policy: largely still missing
1. Present in the current staged baseline
Network groups present
NET-MGMTNET-TRUSTEDNET-SERVERSNET-IOTNET-GUESTNET-CAMERASNET-LEGACY-CIANET-RFC1918-ALL
Port groups present
PORT-DNSPORT-DHCPPORT-NTPPORT-WEB-ADMINPORT-SSHPORT-MDNS
Custom policies present
Allow Internal to Untrusted- enabled
- effectively basic internal -> internet/outside allowance scaffolding
DORIS-TEMP- disabled
- temporary/non-production artifact, not part of the final design
2. Missing object inventory compared to the design
The rule-order design expects these host/device groups, but they do not appear in the captured firewall-group baseline:
HOST-ADMIN-TRUSTEDHOST-CORE-SERVICESHOST-PROTECT-SERVICESHOST-DNSHOST-NTPHOST-IOT-HELPERSHOST-CAMERA-HELPERSHOST-LEGACY-EXCEPTIONS
The design also mentions port groups not seen in the captured baseline:
PORT-PROTECTPORT-CAST
Impact:
- exact narrow allow rules for management, Protect, helper traffic, and Google/cast exceptions cannot be cleanly expressed yet using the intended group model
3. Missing rule sections compared to the design
Section A: Core state handling
Missing or not evidenced in the captured custom-policy baseline:
ALLOW Established/RelatedDROP Invalid
Section B: Management protection
Missing or not evidenced:
ALLOW Trusted Admin -> Management Admin SurfacesALLOW Trusted Admin -> Gateway Infra UtilitiesDROP IoT -> ManagementDROP Cameras -> ManagementDROP Guest -> ManagementDROP Legacy CIA -> ManagementDROP Any Internal -> Management
Meaning:
- the intended management shield is not yet represented in the captured custom-policy set
Section C: Trusted human lane
Missing or not evidenced:
ALLOW Trusted -> Servers Approved AccessALLOW Trusted -> Cameras Admin/Viewer AccessALLOW Trusted -> IoT Control Exceptions
Meaning:
- the design’s explicit human/operator access model is not yet staged in a visible way
Section D: Server/helper traffic
Missing or not evidenced:
ALLOW Servers -> IoT Approved HelpersALLOW Cameras -> Protect ServicesALLOW IoT -> Approved Server HelpersALLOW Legacy CIA -> Approved One-Off Exception
Meaning:
- no captured evidence yet of the narrow internal service exceptions the design wants
Section E: DNS/NTP baseline for restricted lanes
Missing or not evidenced:
ALLOW IoT -> DNSALLOW Cameras -> DNSALLOW Legacy CIA -> DNSALLOW IoT -> NTPALLOW Cameras -> NTPALLOW Legacy CIA -> NTP
Meaning:
- the restricted-lane minimum-function posture is not yet fully expressed in custom rules
Section F: Internet access for constrained lanes
Partially present at best:
- there is one broad custom policy,
Allow Internal to Untrusted
Still missing as lane-specific explicit policy:
ALLOW Guest -> InternetALLOW IoT -> InternetALLOW Cameras -> Internet UpdatesALLOW Legacy CIA -> Internet
Meaning:
- outbound access is only evidenced in a broad/global way, not in the lane-specific shape called for by the design
Section G: Broad internal denies for restricted lanes
Missing or not evidenced:
DROP Guest -> RFC1918/InternalDROP IoT -> TrustedDROP IoT -> ServersDROP IoT -> CamerasDROP Cameras -> TrustedDROP Cameras -> ServersDROP Cameras -> IoTDROP Legacy CIA -> TrustedDROP Legacy CIA -> ServersDROP Legacy CIA -> CamerasDROP Legacy CIA -> IoT
Meaning:
- the core segmentation barriers between the restricted lanes and the rest of the network are not yet evidenced in the captured policy set
Section H: Optional discovery exceptions
Correctly absent for now:
- no evidence of broad Google/cast discovery exception rules
- this is good; the design explicitly says these should only appear after real failure testing
4. Practical interpretation
If the captured baselines are still current, then the environment appears to be in this state:
- The naming/object foundation is mostly there.
- The network has at least one custom outbound-style policy.
- The actual inter-VLAN enforcement plan is still largely unimplemented.
- The current state is safer than random ad-hoc rules, but it is not yet the finished segmentation design.
5. Safe next implementation order
Before any live firewall apply, the safest order is:
-
Create the missing host groups
HOST-ADMIN-TRUSTEDHOST-DNSHOST-NTPHOST-PROTECT-SERVICES- helper/exception groups as needed
-
Add the minimum safe rule skeleton first
ALLOW Established/RelatedDROP Invalid- management shield block set
- explicit Trusted admin -> Management allows
- Trusted -> Servers allow
-
Add the restricted-lane minimum-function rules
- DNS
- NTP
- outbound internet as appropriate
-
Add the broad internal deny matrix for Guest / IoT / Camera / Legacy CIA
-
Only after that, consider narrow discovery exceptions if the Google/cast pilot proves they are actually needed
6. What is safe to say right now
Accurate phrasing:
- firewall scaffolding exists
- the object/group layer is mostly staged
- a basic outbound custom policy exists
- the full inter-VLAN segmentation matrix is not yet fully implemented
Inaccurate phrasing to avoid:
- “the firewall is done”
- “inter-VLAN isolation is fully in place”
- “Legacy CIA is already fully quarantined by policy”
7. Recommended next operator action
Next safe action, still non-disruptive:
- define the missing host groups and map real devices/services into them on paper or in staging notes first
Next live-action phase after that:
- apply the minimum safe rule skeleton in a rollback-friendly order, validating management reachability after each step