LW IT Solutions
«« Blog Overview « IT & Networks
This post in other languages:

Public Servers in a private UniFi LAN: A Network Separation Guide

Hosting a public accesible server—like a Raspberry Pi running a web server, Nextcloud, or a custom application—is a great way to take control of your data. However, exposing a device on your local network to the internet introduces significant security risks. If that Raspberry Pi gets compromised, a flat network architecture gives the attacker a free pass to access your personal computers, NAS, and smart devices.

The solution is Network Separation using VLANs (Virtual Local Area Networks). In a proper Demilitarized Zone (DMZ) architecture, your Raspberry Pi should be accessible from the internet and your trusted internal network, but the Pi itself must be completely blocked from initiating connections to your trusted devices.

Here is a technical deep dive into setting up this architecture using Ubiquiti’s UniFi ecosystem, highlighting the differences between the legacy firewall approach and the modern Zone-based setup.

The Objective

Before diving into the configuration, let’s define the exact traffic flow requirements for your Raspberry Pi (RPI) residing on a dedicated VLAN (e.g., VLAN 50 – DMZ):

  • Internet to RPI: Allowed (restricted to specific forwarded ports like 80/443).
  • Internal LAN to RPI: Allowed (so you can manage it via SSH or access internal dashboards).
  • RPI to Internet: Allowed (for software updates and outbound API calls).
  • RPI to Internal LAN: Strictly Blocked (to contain any potential breaches).

The “Old” Setup: Legacy Firewall Rules (LAN IN)

Before Ubiquiti revamped its firewall interface, network separation required a deep understanding of iptables-style packet flow—specifically the LAN IN, LAN OUT, and LAN LOCAL chains.

To isolate your Raspberry Pi VLAN using the old method, you had to manually stack rules in the LAN IN tab (which governs traffic entering the router from a local network before it gets routed elsewhere).

Here is how the legacy rule sequence looked:

  1. Rule 1: Allow Established and Related Traffic
    • Action: Accept
    • Protocol: All
    • States: Checked “Established” and “Related”
    • Source: Any
    • Destination: Any
    • Why? This ensures that when your trusted PC initiates an SSH connection to the RPI, the RPI’s reply traffic is allowed back through the firewall.
  2. Rule 2: Drop DMZ to Trusted LAN
    • Action: Drop
    • Protocol: All
    • Source: Network -> DMZ VLAN (Your RPI’s network)
    • Destination: Network -> Trusted LAN (or an RFC1918 IP Group containing all private subnets)
    • Why? This is the kill switch. Because it sits below Rule 1, the RPI can reply to your requests, but it will forcefully drop any new connection the RPI attempts to make to your private network.

While effective, this method was prone to user error. A simple mistake in rule ordering or misunderstanding the difference between LAN IN and LAN LOCAL often resulted in broken setups or false senses of security.

The “New” Setup: Zone-Based Traffic Rules

With recent updates to the UniFi Network Application, Ubiquiti introduced Traffic Rules and a modern Zone-based firewall. This shift abstracts away the complex routing chains (LAN IN/OUT) and focuses on intent-based networking.

Instead of thinking about how packets traverse the router’s internal interfaces, you simply define policies between designated Zones (Networks).

Here is how you achieve the exact same isolation using the modern UniFi interface:

  1. Navigate to Security > Traffic & Firewall Rules.
  2. Create a New Rule.
  3. Action: Block
  4. Category: Local Network
  5. Source: Network -> DMZ VLAN (Your Raspberry Pi)
  6. Destination: Network -> Trusted LAN (or select all internal networks you want to protect)
  7. Direction: Traffic from Source to Destination.

The Magic of Zones: Under the hood, the UniFi controller automatically handles the stateful inspection. It inherently knows to allow “Established and Related” traffic without requiring you to build a dedicated rule for it. Your trusted devices can still talk to the Raspberry Pi, but if the Pi gets compromised and tries to ping your NAS, the Zone rule acts as a brick wall. This makes the configuration significantly cleaner, highly readable, and much less error-prone.

A Note on Port Forwarding

Once your Raspberry Pi is securely isolated in its own VLAN, you need to make it accessible to the outside world. Historically, enterprise firewalls required you to manually create a Destination NAT (DNAT) rule and a corresponding WAN IN firewall rule to allow the traffic through.

Ubiquiti makes this incredibly streamlined.

To expose your web server:

  • Go to Settings > Port Forwarding.
  • Click Create New Port Forwarding Rule.
  • Define your Port (e.g., 443 for HTTPS).
  • Input the Forward IP (the static IP of your Raspberry Pi).

That is it. The UniFi controller automatically provisions the necessary NAT translations and dynamically injects the WAN IN firewall rules to allow external traffic to reach that specific port on your isolated VLAN. Your public-facing server is now online and safely compartmentalized from your private life.

Lukas Wojcik

Lukas Wojcik

Systems architect and technology enthusiast specializing in scalable tracking solutions, GMP Stack (GA4 & GTM), and robust backend architectures. Advocate for clean code and privacy-first design.

Leave a Reply

Your email address will not be published. Required fields are marked *

ALL ARTICLES & CATEGORIES

Data Privacy

Digital Analytics

Digital Marketing

IT & Networks

Smart Home