OPTION 1
1. To disable inter-VLAN routing between LAN and VLAN2, head to the UniFi Network Controller and go to Settings > Routing & Firewall > Firewall > Rules > LAN IN [1]
2. Create a new rule that Drops or Rejects [2] with the configuration shown below.
Name: to your liking.
Enabled: ON
Rule Applied: before Predefined Rules
Action: Drop or Reject [2]
Protocol: All
Logging: to your liking
States: all unchecked (assumes all states)
Don't match on IPsec packets
Source Type: Network
Network: LAN - NETv4 [3]
Destination Type: Network
Network: VLAN2 - NETv4
[1] LAN IN is where you want to filter all of your LAN/VLAN traffic, as IN is the first point of entry to the firewall, no matter the interface. The OUT ruleset will only be used in rare special cases.
[2] "Drop" silently discards the traffic, resulting in a "request timed out" message on the client; "Reject" sends a connection refused packet back to the client.
[3] NETv4 includes the entire network; ADDRv4 only includes the USG's interface address for that network (e.g. 192.168.1.1-192.168.1.254 vs 192.168.1.1).
OPTION 3
If the objective is to block LAN to VLAN2 but allow VLAN2 to LAN, follow Option 1 first, then create a rule at the top (first rule) of LAN_IN with the configuration below. Placing this rule at the top of the ruleset allows all established and related stateful firewall traffic to pass, which is essentially all "reply" traffic.
Name: to your liking
Enabled: ON
Rule Applied: before Predefined Rules
Action: Accept
Protocol: Any
Logging: to your liking
States: Established and Related
Don't match on IPsec packets
Source Type: leave blank
Destination Type: leave blank
Connections that were already in the state table before the new rules were added keep passing until their state entries are gone. To make the rules take effect for those connections, do one of the following:
- Wait for the states to fall off (close all connections and wait for the state timeout, which is roughly 30 seconds)
- SSH to the USG and type "clear connection-tracking". This wipes the entire state table of the USG.
- Reboot the USG
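The following is an added example, not Ubiquiti code or the author's configuration: a small Python model of a top-down, first-match stateful ruleset like LAN_IN, used to show why Option 3's established/related rule must sit above the Option 1 drop rule, and why an already-tracked flow keeps passing until the state table is cleared. The subnets, hosts and ports are constructed, the state model only distinguishes "new" from "established" (no related-connection tracking), and it assumes that when no user rule matches, the predefined rules accept the packet.

```python
"""Model of a first-match stateful firewall ruleset (added example, not USG code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample networks standing in for "LAN - NETv4" and "VLAN2 - NETv4".
LAN = ip_network("192.168.1.0/24")
VLAN2 = ip_network("192.168.2.0/24")
LAN_HOST = ip_address("192.168.1.20")    # constructed host on LAN
VLAN2_HOST = ip_address("192.168.2.10")  # constructed host on VLAN2


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The packet flowing back in the other direction of the same flow."""
        return Packet(self.dst, self.src, self.dport, self.sport)


@dataclass
class Rule:
    name: str
    action: str                          # "accept", "drop" or "reject"
    src: Optional[IPv4Network] = None    # None means any source
    dst: Optional[IPv4Network] = None    # None means any destination
    states: frozenset = frozenset()      # empty means all states (as on the page)

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.dst is not None and pkt.dst not in self.dst:
            return False
        if self.states and state not in self.states:
            return False
        return True


class StatefulFirewall:
    """Rules are evaluated top-down, first match wins.
    Assumption: with no user rule matching, the predefined rules accept."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # accepted flows, keyed by 4-tuple

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def handle(self, pkt: Packet) -> str:
        state = self._state(pkt)
        verdict = next((r.action for r in self.rules if r.matches(pkt, state)), "accept")
        if verdict == "accept" and state == "new":
            self.conntrack.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return verdict

    def clear_connection_tracking(self) -> None:
        """Models 'clear connection-tracking': wipe the whole state table."""
        self.conntrack.clear()


def option1_rules():
    """Option 1: drop everything from LAN to VLAN2, regardless of state."""
    return [Rule("block LAN to VLAN2", "drop", src=LAN, dst=VLAN2)]


def option3_rules():
    """Option 3: the established/related accept rule goes ABOVE the drop rule."""
    allow_replies = Rule("allow established/related", "accept",
                         states=frozenset({"established", "related"}))
    return [allow_replies] + option1_rules()


def scenario_option1_only():
    """VLAN2 -> LAN request is accepted, but the LAN -> VLAN2 reply hits the drop rule."""
    fw = StatefulFirewall(option1_rules())
    request = Packet(VLAN2_HOST, LAN_HOST, 40000, 443)
    return fw.handle(request), fw.handle(request.reply())


def scenario_option3():
    """Replies from LAN pass, while a new LAN -> VLAN2 connection is still dropped."""
    fw = StatefulFirewall(option3_rules())
    request = Packet(VLAN2_HOST, LAN_HOST, 40000, 443)
    new_from_lan = Packet(LAN_HOST, VLAN2_HOST, 50000, 22)
    return fw.handle(request), fw.handle(request.reply()), fw.handle(new_from_lan)


def scenario_stale_state():
    """A flow opened before the rules existed keeps passing until the state table is cleared."""
    fw = StatefulFirewall([])                 # no user rules yet
    old_flow = Packet(LAN_HOST, VLAN2_HOST, 50000, 22)
    fw.handle(old_flow)                       # accepted, state entry created
    fw.rules = option3_rules()                # admin now adds Option 1 + Option 3
    still_passing = fw.handle(old_flow)       # matched as "established"
    fw.clear_connection_tracking()
    after_clear = fw.handle(old_flow)         # now "new", so the drop rule applies
    return still_passing, after_clear
```

Running the three scenarios shows the Option 1 drop rule also discarding reply traffic, Option 3 restoring replies while still blocking new LAN-initiated flows, and a pre-existing flow surviving the new rules until the state table is cleared.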