Block IP Addresses and Subnets with Unifi Network Firewall

475 words ยท 3 minutes

Identifying Abusive IPs

If you're like me and use Unifi network equipment at the edge of the network you manage, you may know that Unifi is only somewhat decent at identifying and blocking IPs that represent abusive or threat actors.

While Unifi has a threat management tool inside their Network application, it can be lacking in functionality and identification. For example, I have my UDM Pro set to identify and block almost all categories of threats available within the Unifi settings. However, I regularly identify abusive actors on my web server via the server logs.

In addition, I have identified IP addresses and subnets directly within Unifi's logs that the UDM did not block for whatever reason.

This guide is meant to be another step in the process to manually block abusive IP addresses or subnets that you have identified but are not being automatically blocked yet.

Create an IP Group Profile

To start, login to the Unifi machine's web GUI and navigate to the Network app > Settings > Profiles.

Within this page, choose the IP Groups tab and click Create New.

Network Profiles

Each IP Group profile can be used as one of three options:

  1. Port Group
  2. IPv4 Address/Subnet
  3. IPv6 Address/Subnet

In this example, I'm creating an IPv4 Address/Subnet group and adding a few different IP addresses and a subnet. Once you've added all IP addresses and subnets, click the Apply button that should appear at the bottom.

Network Profile IPs

At this point, the IPv4 Address/Subnet has been created but not yet used.

Drop IP Group Profile via the Unifi Firewall

To instruct the Unifi machine to block the profile we just created, we need to navigate to the Network app > Settings > Firewall & Security.

Within this screen, find the Firewall Rules table and click Create Entry. This entry should contain the following settings:

Customize the remaining configurations to your liking, and then save and enable the firewall rule.

Firewall Rule

Once enabled, the Unifi machine will be able to drop all incoming connections from the defined IP addresses and subnets within the created profile.

As a personal aside to this topic, I'm looking for a convenient way to update the firewall rules or profiles remotely (within the LAN) from the web server to accelerate this process. If you have an idea on how to automatically update Unifi IP groups or firewall rules, let me know!