  • Showing only topics in ~tech with the tag "ubiquiti.unifi".
    1. Seeking advice for back-up internet connection at home

      Hello, Tildes Tech Support Team,

      I'm doing some Homelab stuff. And I'm looking for a way to set up an inexpensive back-up Internet connection. Less about having a connection when I'm home and Internet goes out (Phone hotspot works in a pinch), but more about getting in and getting statuses of stuff when I'm not home and Internet drops.

      For background, I have a Ubiquiti Unifi Dream Machine Pro that can do WAN failover. My primary Internet connection is through Verizon Fios. The UDM and the Fios ONT are directly connected via ethernet; I'm not using Verizon's crappy home router. Also, I rarely lose Internet connectivity. This really is just a Homelab experiment to see if it can be done.

      I've seen some stuff about getting a cheap, refurb smartphone and a cheap MVNO plan like Google Fi that nets me a handful of GB a month, and then tethering the UDM to the phone somehow (maybe through some cheap router in bridge/passthrough mode like a GL.iNet travel router). Has anyone had any experience doing this?

      But...I actually have a secondary Internet connection already. My apartment complex has WiFi across the complex and for each unit. That I unfortunately have to pay for, even though I don't use it -- I want FULL control over my home network. But since I do have it, is there a way I can take advantage of this? I'm thinking something like a reverse AP, if that exists. But it has to pass through the IP from the apartment WiFi.

      I know there will likely be issues with double NATing. But depending on the services/things I'm trying to access or keep access to, that may not be a factor. Like my Unifi hardware talking with the Unifi cloud access stuff. I think double NAT shouldn't matter.

      Anyway, appreciate whatever you all got!

      15 votes
    2. Any Ubiquiti Unifi users? - Questions on zone firewall policies

      I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.

      I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.

      I'll start with a screenshot. I'm only changing the two settings highlighted in red.

      I'm trying to understand the difference between two firewall policy settings:

      1. Action = Allow ONLY, AND Connection State = Return Traffic
      2. Action = Allow AND Auto Allow Return Traffic checked, AND Connection State = All

      I have two VLANs -- "Internal" and "Lab." Each is in its own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.

      What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."

      With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.

      With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.

      And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?

      If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."

      Thanks!

      17 votes
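
An added example, not part of the original post and not UniFi's own code: a toy Python model of stateful zone-pair filtering that reproduces the results reported for the two policies. It assumes that "Return Traffic" matches only established/related flows, that "Auto Allow Return Traffic" adds a mirrored return-only rule, and that unmatched traffic between the two zones is dropped; every name in the code is hypothetical.

```python
# Toy model of zone-pair policy evaluation with connection tracking.
# Assumptions (not confirmed by the post): "Return Traffic" matches only
# established/related flows; "Auto Allow Return Traffic" adds a mirrored
# return-only rule; unmatched inter-zone traffic is dropped.
from dataclasses import dataclass

NEW, EST = "new", "established"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    states: frozenset  # connection states this allow rule matches

def build(policy):
    """Allow rules produced by each policy, numbered as in the post."""
    if policy == 1:  # Allow, Connection State = Return Traffic
        return [Rule("Internal", "Lab", frozenset({EST}))]
    # Policy 2: Allow, Connection State = All, Auto Allow Return Traffic
    return [Rule("Internal", "Lab", frozenset({NEW, EST})),
            Rule("Lab", "Internal", frozenset({EST}))]  # mirrored return rule

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # flows that already had a packet accepted

    def packet(self, src, dst):
        """Evaluate one packet; flows are keyed by zone pair for brevity
        (a real tracker keys on addresses, ports and protocol)."""
        flow = frozenset({src, dst})
        state = EST if flow in self.conntrack else NEW
        ok = any(r.src == src and r.dst == dst and state in r.states
                 for r in self.rules)
        if ok:
            self.conntrack.add(flow)  # first accepted packet creates the entry
        return ok

def can_connect(policy, client, server):
    """True if the client's first packet and the server's reply both pass."""
    fw = Firewall(build(policy))
    return fw.packet(client, server) and fw.packet(server, client)

if __name__ == "__main__":
    for p in (1, 2):
        for c, s in (("Internal", "Lab"), ("Lab", "Internal")):
            print(f"policy {p}: {c} -> {s}: {can_connect(p, c, s)}")
```

Under these assumptions, Policy 1 never admits the first packet of a connection, so no tracked flow exists for a return-only rule to match.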