UniFi Zone-Based Firewall: A Practical Setup Guide
Starting with UniFi Network 9.0, Ubiquiti introduced a zone-based firewall that replaces the old per-rule model with something closer to what enterprise firewalls (Palo Alto, Fortinet) have used for years. Instead of writing individual allow/deny rules between networks, you group networks into zones and define policies between zones.
If you've ever hand-crafted dozens of LAN In rules to isolate an IoT VLAN from your trusted network, you already know why this matters. Zones scale better, are easier to audit, and dramatically reduce the chance of a misconfigured rule.
This guide walks you through setting up a clean zone-based firewall from scratch — including how to migrate if you're coming from the legacy rules system.
What Is a Zone?
A zone is a logical grouping of one or more networks (VLANs) that share the same trust level. Instead of writing rules between every VLAN pair, you put each VLAN in a zone, then write a single policy between zones.
UniFi ships with these default zones:
- Internal — your main trusted networks
- Gateway — the UniFi gateway itself
- External — WAN / internet
- DMZ — for externally-reachable servers
- VPN — VPN client networks
- Hotspot — guest captive portal networks
You can also create custom zones — and this is where the real power lives.
Prerequisites
- A UniFi gateway running Network 9.0 or newer (UDM, UDM Pro, UDM SE, UXG, UCG, Cloud Gateway, etc.)
- At least two VLANs already configured (if you haven't set those up yet, start with our VLAN setup guide)
- A device you can test with on each VLAN
Step 1: Enable the Zone-Based Firewall
Navigate to Settings → Security → Zone-Based Firewall. If you're on a fresh install with Network 9.0+, this is already the default. If you're upgrading from an older firmware, you'll see an option to enable it.
Important: Enabling zones converts your existing legacy rules automatically, but the auto-conversion isn't always perfect. Before flipping the switch, export your current config or take screenshots of your existing rules so you can verify nothing is missing afterward.
Step 2: Plan Your Zones
Before you click anything, sketch out what zones you actually need. For a typical small business or home network, something like this works well:
- Trusted — your main LAN, work devices, servers
- IoT — smart home gear, cameras, smart TVs
- Guest — the network your guests' phones land on
- Management — your UniFi controller, switches, APs (optional but recommended)
The golden rule: group networks by how much you trust them, not by what they do. Two networks that should have identical firewall treatment belong in the same zone.
Step 3: Create Your Custom Zones
In Settings → Security → Zone-Based Firewall → Zones, click Create Zone:
- Give the zone a clear name (e.g., IoT, Guest, Trusted)
- Assign the VLANs that belong in this zone
- Save
Each network can only belong to one zone at a time. UniFi enforces this — you can't accidentally double-assign.
Step 4: Define Policies Between Zones
This is where the zone model shines. Click Policies and you'll see a matrix: rows are source zones, columns are destination zones. Each cell represents the traffic flow between them.
For a typical home/SMB setup, you want something like:
| From → To | Trusted | IoT | Guest | External |
|---|---|---|---|---|
| Trusted | Allow | Allow | Block | Allow |
| IoT | Block | Allow | Block | Allow |
| Guest | Block | Block | Allow | Allow |
Trusted can reach IoT (so you can control your smart lights), but IoT can't reach Trusted (so a compromised smart plug can't pivot to your laptop). Guest can reach the internet and other Guests, and nothing else.
Click any cell to edit that policy. You can add exceptions within a block — for example, Block IoT → Trusted, except allow IoT to reach 192.168.1.50 on port 80 (for a shared printer).
Step 5: Test Each Zone
Connect a device to each VLAN and verify:
- Trusted devices can still reach IoT devices (your phone controls the lights)
- IoT devices cannot ping Trusted devices
- Guest devices can reach the internet but nothing internal
- Everything can still reach the internet (External)
If a device can't get online, check whether its zone has an Allow policy to External. That's the #1 mistake during migration.
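As an added example (not from this guide or from Ubiquiti's software), here is a small Python model of the Step 4 matrix and its printer exception, plus a lint for the Step 5 "no Allow to External" mistake. The VLAN subnets and the printer address are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed layout mirroring Steps 2-4; the VLAN subnets are assumed values.
NETWORKS = {
    "Trusted": ["192.168.1.0/24"],
    "IoT": ["192.168.20.0/24"],
    "Guest": ["192.168.30.0/24"],
}
# Policy matrix from Step 4: (source zone, destination zone) -> "Allow" or "Block".
POLICIES = {
    ("Trusted", "Trusted"): "Allow", ("Trusted", "IoT"): "Allow",
    ("Trusted", "Guest"): "Block", ("Trusted", "External"): "Allow",
    ("IoT", "Trusted"): "Block", ("IoT", "IoT"): "Allow",
    ("IoT", "Guest"): "Block", ("IoT", "External"): "Allow",
    ("Guest", "Trusted"): "Block", ("Guest", "IoT"): "Block",
    ("Guest", "Guest"): "Allow", ("Guest", "External"): "Allow",
}
# Exceptions inside a Block cell: IoT may reach the shared printer on port 80.
EXCEPTIONS = {("IoT", "Trusted"): [("192.168.1.50", 80)]}

def zone_of(ip, networks=NETWORKS):
    """Map an address to its zone; anything outside the VLANs counts as External."""
    addr = ip_address(ip)
    for zone, subnets in networks.items():
        if any(addr in ip_network(s) for s in subnets):
            return zone
    return "External"

def is_allowed(src_ip, dst_ip, dst_port, policies=POLICIES, exceptions=EXCEPTIONS):
    """Evaluate one flow: the cell decides, and a Block cell still honours its
    exceptions. A pair with no cell is treated as Block, the safe default."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    if policies.get(pair, "Block") == "Allow":
        return True
    return (dst_ip, dst_port) in exceptions.get(pair, [])

def lint(policies, zones=tuple(NETWORKS)):
    """Flag the migration mistakes the guide calls out: a zone with no Allow to
    External (its devices cannot get online) and undefined cells (implicit Block)."""
    problems = []
    for src in zones:
        if policies.get((src, "External")) != "Allow":
            problems.append(f"{src}: no Allow policy to External")
        for dst in zones:
            if (src, dst) not in policies:
                problems.append(f"{src} -> {dst}: no policy defined, treated as Block")
    return problems

if __name__ == "__main__":
    print(is_allowed("192.168.20.5", "192.168.1.10", 22))  # IoT -> Trusted: False
    print(is_allowed("192.168.20.5", "192.168.1.50", 80))  # printer exception: True
```

Run `lint(POLICIES)` after editing the matrix; an empty list means every zone can reach External and no cell was left undefined.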
Migrating From Legacy Firewall Rules
If you had a lot of existing rules before enabling zones, here's the process I recommend:
- Screenshot everything. Every legacy rule, every group. You'll thank yourself later.
- Enable zones in a maintenance window. Don't do this on a Friday afternoon when the office is trying to leave.
- Let UniFi auto-convert your rules into zone policies. Then open each policy and verify it matches your intent.
- Consolidate redundant rules. A lot of legacy rules become unnecessary under zones — you were often writing the same rule 3 times for 3 different VLANs that could've been in one zone.
- Keep the exception rules. Anywhere you had a specific "allow X device to reach Y" rule, that needs to live on as a specific allow inside the zone policy.
Common Mistakes to Avoid
- Too many zones. If you have 12 zones for 14 VLANs, you're back to per-rule territory. Aim for 3–5 zones max in most environments.
- Forgetting the Gateway zone. DNS and DHCP run on the gateway — if you block everything to the Gateway zone, devices can't resolve names. Always allow traffic to Gateway for services like DNS, DHCP, and NTP.
- Blocking mDNS and then being confused why AirPlay doesn't work. If you want cross-VLAN AirPlay or Chromecast, enable Multicast DNS between the relevant zones.
- Not locking down Management. If you put your controller and switches in a Management zone, only allow Trusted → Management. Don't leave it reachable from IoT.
When to Call a Professional
Zone-based firewalls are a huge improvement, but they're still a firewall — and a misconfiguration can leave you exposed or locked out. If you're running a business network, dealing with compliance requirements (HIPAA, PCI), or trying to migrate a complex legacy ruleset without downtime, it's worth having a second set of eyes.
Need help with your UniFi firewall?
We set up and audit zone-based firewalls for homes and businesses every week. Let's get yours dialed in properly.