# Firewall

The UDM uses UniFi's zone-based firewall model introduced in Network 8+.
## Zones

| Zone | Status | Description |
|---|---|---|
| Internal | Active | LAN (192.168.1.0/24) |
| External | Active | WAN / internet |
| Gateway | Active | The UDM device itself |
| VPN | Active | WireGuard VPN clients |
| DMZ | Configured, unused | Isolated zone — no devices assigned |
| Hotspot | Configured, unused | Guest portal zone — no devices assigned |
## Port forwards

Traffic arriving on the WAN interface is forwarded as follows:

| Protocol | External port | Internal destination | Purpose |
|---|---|---|---|
| TCP | 80 | 192.168.1.249:80 | nginx reverse proxy (HTTP) |
| TCP | 443 | 192.168.1.249:443 | nginx reverse proxy (HTTPS) |
| TCP | 32400 | 192.168.1.230:32400 | Plex direct access |
| TCP+UDP | 42420 | 192.168.1.235:42420 | Vintage Story dedicated server (direct, no proxy — see service page) |
**Note:** nginx at 192.168.1.249 fronts all web services. Plex and Vintage Story have direct port forwards — Plex for remote streaming performance, Vintage Story because it speaks a raw TCP/UDP game protocol that nginx's stream module can't proxy without hiding the players' real source IPs (the game server would see every connection as coming from 192.168.1.249).
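The forwards table and the note above together define which rules are supposed to exist on the WAN side: everything web goes through the nginx host, and exactly two services are forwarded directly. The following script is an added example, not part of this page's or UniFi's own tooling. It compares a port-forward export against the documented table and flags rules that are undocumented, documented but absent, or pointing at a host outside the Internal zone's subnet. The export field names (`proto`, `dst_port`, `fwd`, `fwd_port`, `enabled`) are assumed to match a UniFi controller port-forward export; the sample records are constructed for the example.

```python
"""Drift check for the WAN port forwards documented on this page.

Compares a port-forward export against the documented table and reports
rules that are undocumented, documented but absent, or that forward to a
host outside the Internal zone's subnet.
"""
import ipaddress
import json

# The four forwards from the table above. "tcp_udp" stands for the TCP+UDP row.
DOCUMENTED_FORWARDS = {
    ("tcp", 80, "192.168.1.249", 80),
    ("tcp", 443, "192.168.1.249", 443),
    ("tcp", 32400, "192.168.1.230", 32400),
    ("tcp_udp", 42420, "192.168.1.235", 42420),
}

# The Internal zone from the zones table.
INTERNAL_ZONE = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample export. The field names (proto, dst_port, fwd, fwd_port,
# enabled) are assumed to match a UniFi controller port-forward export; the
# records themselves are made up: the four documented rules, one stray RDP
# forward nobody documented, and one disabled rule that must be ignored.
SAMPLE_EXPORT = json.dumps([
    {"name": "nginx http", "proto": "tcp", "dst_port": "80", "fwd": "192.168.1.249", "fwd_port": "80", "enabled": True},
    {"name": "nginx https", "proto": "tcp", "dst_port": "443", "fwd": "192.168.1.249", "fwd_port": "443", "enabled": True},
    {"name": "plex", "proto": "tcp", "dst_port": "32400", "fwd": "192.168.1.230", "fwd_port": "32400", "enabled": True},
    {"name": "vintage story", "proto": "tcp_udp", "dst_port": "42420", "fwd": "192.168.1.235", "fwd_port": "42420", "enabled": True},
    {"name": "temp rdp", "proto": "tcp", "dst_port": "3389", "fwd": "192.168.1.50", "fwd_port": "3389", "enabled": True},
    {"name": "old test", "proto": "tcp", "dst_port": "8080", "fwd": "192.168.1.249", "fwd_port": "8080", "enabled": False},
])


def parse_export(text):
    """Return the set of enabled forwards as (proto, ext_port, host, int_port)."""
    rules = set()
    for rec in json.loads(text):
        if not rec.get("enabled", True):
            continue  # a disabled rule is not exposed on the WAN
        rules.add((rec["proto"].lower(), int(rec["dst_port"]),
                   rec["fwd"], int(rec["fwd_port"])))
    return rules


def audit(live, documented=DOCUMENTED_FORWARDS, zone=INTERNAL_ZONE):
    """Return a sorted list of (finding, rule) pairs; an empty list means no drift."""
    findings = []
    # Exposed on the WAN but not in the table: the case that matters most.
    findings += [("undocumented", r) for r in sorted(live - documented)]
    # In the table but not live: documentation is stale or a rule was lost.
    findings += [("missing", r) for r in sorted(documented - live)]
    # Forwards into another subnet bypass the Internal zone's policy entirely.
    findings += [("outside-zone", r) for r in sorted(live)
                 if ipaddress.ip_address(r[2]) not in zone]
    return findings


if __name__ == "__main__":
    for finding, rule in audit(parse_export(SAMPLE_EXPORT)):
        proto, ext, host, port = rule
        print(f"{finding:12} {proto.upper():8} {ext:>5} -> {host}:{port}")
```

Run against the constructed export it reports only the stray `tcp 3389 -> 192.168.1.50:3389` rule; the disabled 8080 rule is ignored because it is not reachable from the WAN. Pointing `parse_export` at a real export and keeping `DOCUMENTED_FORWARDS` in step with the table above turns this page into the source of truth the firewall is checked against.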