Pre-Zone-Based Support: VLAN Isolation not considering generic rule

[kmlucy]

I have VLAN isolation set via a firewall rule that blocks all traffic from RFC1918 to RFC1918 at the bottom of my firewall rules. This serves to block all firewall traffic between VLANs without having to create individual rules for each, but I have dozens of issues flagged for missing VLAN isolation.

[tvancott42]

Can you enable debug logging and send me the relevant chunk of the output? This is probably hitting an edge case as there's coverage for generic inter-VLAN blocking, but it is probably looking over the rules you have set.

Some screenshots of the rules in play would be great too. Thanks!

edit: disregard, I'm pretty sure I found the root cause and fixed it. This one lingering audit rule wasn't correctly doing CIDR destination checks.

[tvancott42]

@kmlucy fixed and tested on my test sites. Will be included in upcoming release v1.4.4 (probably available within an hour) - thank you for reporting this!

edit: release is ready here https://github.com/Ozark-Connect/NetworkOptimizer/releases/tag/v1.4.4

[kmlucy]

I updated to v1.4.4 and reran the audit, but I'm still seeing all the missing VLAN isolation alerts.

Here is the rule I use:

With the address group:

Here are my logs with debug logging enabled. They include restarting the app and running an audit:

Binding to all interfaces (0.0.0.0:8042)
[16:34:13 INF] Loaded 38887 OUI entries from cache
[16:34:13 WRN] The query uses the 'First'/'FirstOrDefault' operator without 'OrderBy' and filter operators. This may lead to unpredictable results.
[16:34:14 INF] Admin authentication enabled using database-stored password
[16:34:14 WRN] The query uses the 'First'/'FirstOrDefault' operator without 'OrderBy' and filter operators. This may lead to unpredictable results.
[16:34:14 INF] Loaded saved UniFi configuration for https://[REDACTED]
[16:34:14 INF] iperf3 server mode is disabled. Enable via Iperf3Server:Enabled=true
[16:34:14 WRN] Overriding HTTP_PORTS '8042' and HTTPS_PORTS ''. Binding to values defined by URLS instead 'http://0.0.0.0:8042'.
[16:34:14 INF] Now listening on: http://0.0.0.0:8042
[16:34:14 INF] Application started. Press Ctrl+C to shut down.
[16:34:14 INF] Hosting environment: Production
[16:34:14 INF] Content root path: /app
[16:34:15 INF] Enhanced device detection enabled for audit rules
[16:34:15 INF] PDF storage directory: /app/data/report_pdfs
[16:34:16 INF] Authenticating with UniFi controller at https://[REDACTED]
[16:34:16 INF] Successfully authenticated with UniFi controller
[16:34:16 INF] Detected UniFi OS device (UDM/UCG) - using /proxy/network path
[16:34:16 WRN] The query uses the 'First'/'FirstOrDefault' operator without 'OrderBy' and filter operators. This may lead to unpredictable results.
[16:34:17 INF] Loading dashboard data
[16:34:17 INF] Starting UniFi device discovery via API
[16:34:17 INF] Saved UniFi connection settings for https://[REDACTED]
[16:34:17 INF] Successfully connected to UniFi controller (UniFi OS: True)
[16:34:17 INF] Retrieved 5 devices
[16:34:17 INF] Retrieved 13 network configs
[16:34:17 INF] Discovered 5 UniFi devices
[16:34:17 INF] Gateway-class device: beluga (UDMPRO) - API type=udm, IP=[REDACTED], UplinkMac=, UplinkToUniFi=False, HasConfigNetworkLan=True
[16:34:17 INF] Dashboard loaded: 5 devices
[16:34:17 INF] Restored report data: 9 networks, 2 switches, 20 wireless clients, DNS=True
[16:34:17 WRN] The query uses the 'First'/'FirstOrDefault' operator without 'OrderBy' and filter operators. This may lead to unpredictable results.
[16:34:17 INF] Loaded 5 dismissed issues from database
[16:34:18 INF] Enhanced device detection enabled for audit rules
[16:34:18 INF] Loading dashboard data
[16:34:18 INF] Dashboard loaded: 5 devices
[16:34:22 INF] Restored report data: 9 networks, 2 switches, 20 wireless clients, DNS=True
[16:34:24 INF] Running security audit with options: {"IncludeFirewallRules": true, "IncludeVlanSecurity": true, "IncludePortSecurity": true, "IncludeDnsSecurity": true, "AllowAppleStreamingOnMainNetwork": false, "AllowAllStreamingOnMainNetwork": false, "AllowNameBrandTVsOnMainNetwork": false, "AllowAllTVsOnMainNetwork": false, "AllowMediaPlayersOnMainNetwork": false, "AllowPrintersOnMainNetwork": true, "DnatExcludedVlanIds": null, "PiholeManagementPort": null, "UnusedPortInactivityDays": 15, "NamedPortInactivityDays": 45, "$type": "AuditOptions"}
[16:34:25 INF] Retrieved 58 clients
[16:34:25 INF] Fetched 58 connected clients for device detection
[16:34:25 INF] Retrieved 41 historical clients
[16:34:25 INF] Fetched 41 historical clients for offline device detection
[16:34:25 INF] Fetching fingerprint database from UniFi controller...
[16:34:25 INF] Loaded fingerprint database: 274 device types, 1209 vendors, 48240 devices
[16:34:25 INF] Fingerprint database loaded: 274 device types, 1209 vendors, 48240 specific devices
[16:34:25 INF] Fetched site settings for DNS security analysis
[16:34:25 INF] Retrieved 22 firewall groups
[16:34:25 INF] Fetched 22 firewall groups for rule flattening
[16:34:26 INF] v2 firewall policies API returned no data, falling back to legacy API
[16:34:26 INF] Retrieved 35 legacy firewall rules (raw)
[16:34:26 WRN] Group 646388c97decb90448fc0301 (RFC1918) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388c97decb90448fc0301 (RFC1918) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646389a37decb90448fc030c (Gateways (-Cameras)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463895e7decb90448fc030a (Gateways (-Guest)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646389847decb90448fc030b (Gateways (-IoT)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646389377decb90448fc0309 (Gateways (-LAN)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a3037d94c91eef55bf22 (barreleye) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6466e2d280c43b0e26e17f24 (VPN) is type 'address-group', expected port-group
[16:34:26 WRN] Group 656f97638cd3f45e6eea5ddc (Gateways (-DMZ)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 658ddddd577f6626f2a7343e (Gateways (Sea)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6590f971577f6626f2a7f92e (Sea) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 6463a2b97d94c91eef55bf1f (manta) is type 'address-group', expected port-group
[16:34:26 WRN] Group 677f012e8de1332d9ea7eee3 (Gateways (-Media)) is type 'address-group', expected port-group
[16:34:26 WRN] Group 646388f77decb90448fc0307 (Gateways (All)) is type 'address-group', expected port-group
[16:34:26 INF] Parsed 35 firewall rules from legacy v1 API (ruleset-based)
[16:34:26 INF] Fetched NAT rules for DNAT DNS analysis
[16:34:26 INF] Running audit engine on device data (246210 bytes)
[16:34:26 INF] Retrieved 5 network devices and 13 Protect devices (v2 API)
[16:34:26 INF] Found 13 Protect devices requiring Security VLAN
[16:34:26 INF] Fetched 13 UniFi Protect cameras for priority detection
[16:34:26 INF] Retrieved 1 port profiles
[16:34:26 INF] Fetched 1 port profiles for port configuration resolution
[16:34:26 INF] Retrieved 5 port forwarding rules (0 UPnP, 5 static)
[16:34:26 INF] Fetched UPnP status (Enabled=False) and 5 port forwarding rules (0 UPnP)
[16:34:26 INF] Retrieved 13 network configs
[16:34:26 INF] Fetched 13 network configs (2 WAN) for zone ID detection
[16:34:26 INF] Retrieved 0 firewall zones
[16:34:26 INF] Starting network configuration audit for Network Audit
[16:34:26 INF] Client data available for enhanced detection: 58 clients
[16:34:26 INF] Client history available for offline detection: 41 historical clients
[16:34:26 INF] Fingerprint database available: 48240 devices
[16:34:26 INF] UniFi Protect cameras available for priority detection: 13 cameras
[16:34:26 INF] Loaded 13 UniFi Protect devices for priority detection
[16:34:26 INF] Loaded 41 client history entries for offline device detection
[16:34:26 INF] Enhanced device detection enabled for audit rules
[16:34:26 INF] Firewall zone data available: 0 zones
[16:34:26 INF] Phase 1: Extracting network topology
[16:34:26 INF] Found network_table on udm device
[16:34:26 INF] Found 9 networks
[16:34:26 INF] Phase 2: Extracting switch configurations
[16:34:26 INF] Discovered switch: octopus with 52 ports (15 with client data, 7 with history)
[16:34:26 INF] Discovered switch: beluga with 11 ports (6 with client data, 1 with history)
[16:34:26 INF] Found 2 switches with 63 total ports
[16:34:26 INF] Phase 3: Analyzing port security
[16:34:27 INF] UnusedPortRule flagging beluga port 4: forward='native', isUp=False, lastSeenDaysAgo=none, threshold=45d
[16:34:27 INF] UnusedPortRule flagging octopus port 30: forward='native', isUp=False, lastSeenDaysAgo=none, threshold=45d
[16:34:27 INF] UnusedPortRule flagging octopus port 50: forward='native', isUp=False, lastSeenDaysAgo=none, threshold=45d
[16:34:27 INF] Found 22 issues across 2 switches
[16:34:27 INF] Found 22 port security issues
[16:34:27 INF] Phase 3b: Analyzing wireless clients
[16:34:27 INF] Extracted 3 access points for lookup
[16:34:27 INF] Extracted 20 wireless clients for audit analysis
[16:34:27 INF] Found 0 wireless client issues
[16:34:27 INF] Found 0 wireless client issues from 20 detected devices
[16:34:27 INF] Phase 3c: Analyzing offline clients
[16:34:27 INF] Found 17 offline clients with detection, 0 VLAN placement issues
[16:34:27 INF] Phase 4: Analyzing network configuration
[16:34:27 INF] Found 0 DNS issues, 0 gateway issues, 0 management VLAN issues, 0 infrastructure VLAN issues
[16:34:27 INF] Phase 5: Analyzing firewall rules
[16:34:27 INF] Extracted 0 firewall rules from device data
[16:34:27 INF] Analyzing 35 firewall rules
[16:34:27 INF] Found 97 firewall issues
[16:34:27 INF] Found 97 firewall issues, 0 management network firewall issues, 1 internet access issues, 3 network isolation issues (5G device: False)
[16:34:27 INF] Phase 5b: Analyzing DNS security
[16:34:27 INF] WAN interface detected: wan (name=Port 9, media=GE, up=True, ip=[REDACTED])
[16:34:27 INF]   DNS config: hasDnsProperty=True, arrayLength=2
[16:34:27 INF]   Found DNS server: 1.1.1.2
[16:34:27 INF]   Found DNS server: 1.0.0.2
[16:34:27 INF] DNS53 blocking provides partial coverage. Covered: , Uncovered: Admin, LAN, Guest, IoT, Cameras, DMZ, Media, Sea, [REDACTED]
[16:34:27 INF] DoT blocking provides partial coverage. Covered: , Uncovered: Admin, LAN, Guest, IoT, Cameras, DMZ, Media, Sea, [REDACTED]
[16:34:27 INF] DoQ blocking provides partial coverage. Covered: , Uncovered: Admin, LAN, Guest, IoT, Cameras, DMZ, Media, Sea, [REDACTED]
[16:34:27 INF] Checking 9 networks for third-party DNS servers
[16:34:27 INF] Found 4 DNS security issues
[16:34:27 INF] Phase 5c: Analyzing UPnP security
[16:34:27 INF] Analyzing UPnP security: GlobalEnabled=False, UPnP rules=0, Networks with UPnP=0 (Home=0, Non-Home=0)
[16:34:27 INF] Found 2 UPnP security issues, 1 hardening notes
[16:34:27 INF] Phase 6: Analyzing hardening measures
[16:34:27 INF] Found 5 hardening measures in place
[16:34:27 INF] Phase 7: Calculating security score
[16:34:27 INF] Security Score: 25/100 (Critical: -50, Recommended: -30, Informational: -0, Hardening Bonus: +5)
[16:34:27 INF] Audit complete: Critical (Score: 25/100, 29 critical, 98 recommended)
[16:34:27 INF] Filtered Security Score: 25/100 (Critical: -50, Recommended: -30, Informational: -0, Bonus: +5)
[16:34:27 INF] Saved audit result 3 for device network-audit
[16:34:27 INF] Persisted audit result to database with ID 3, 129 issues, 43990 bytes report data
[16:34:27 INF] Generating PDF for audit 3 at /app/data/report_pdfs/audit_3.pdf
[16:34:28 INF] Saved PDF for audit 3: 296518 bytes
[16:34:28 INF] Audit complete: Score=25, Critical=29, Recommended=98
[16:34:45 WRN] The query uses the 'First'/'FirstOrDefault' operator without 'OrderBy' and filter operators. This may lead to unpredictable results.

[tvancott42]

Ah, pre Zone-Based. That's the core issue here. I'm flying blind there on implementing any and all fixes and enhancements that I have made since launching the app. All of my test sites are on Zone-Based firewall rules, and I had couple people right when we launched provide sample API responses from their legacy firewall rule networks, to which I adapted the code, but here you can see it's really faltering on more comprehensive and advanced rules.

I'll do my best. It could be a handful of easy fixes, but this may take a few iterations.

Out of curiosity, what keeps you on the old UniFi firewall rule engine?

[kmlucy]

The two main reasons are that I switched to the zone based firewall when I was on an EdgeRouter and ended up hating it as it meant a lot more rules and wasn't as intuitive to me, and my rules are all setup, debugged, and working, and I don't have a real incentive to change.