I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.

I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.

I'll start with a screenshot. I'm only changing the two settings highlighted in red.

I'm trying to understand the difference between two firewall policy settings:

1. Action = Allow ONLY, AND Connection State = Return Traffic
2. Action = Allow AND Auto Allow Return Traffic checked, AND Connection State = All

I have two VLANs -- "Internal" and "Lab." Each is in their own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.

What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."

With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.

With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.

And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?

If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."

Thanks!

I come in search for somebody who knows a thing or two about VLANs or, if possible, had set it up for themselves at home (or work).

I have Mikrotik router and Ubiquiti Unifi APs. My goal is to have three separate SSIDs on my APs to differentiate clients. One group would be closest family (group 1), another friends (2) and the last one would be QR-setup guest wifi (3).

The reason is security. I run 24/7 server at home with many services that I don't want other people than #1 to see. But I also run ie. DNS there that I would like all to see (all three groups; or make them use other DNS via DHCP-set-DNS, ie. 1.1.1.1).

So far I believe everything from that list is doable with the right knowledge (that I have yet to achieve). But I would also like some other things and that's part of why I'm asking here.

• Is it possible to initiate connection from #1 to device in #2? Ie. from server to Raspberry that serves as temperature sensor for Home Assistant? Is it some built-in functionality like "higher number VLAN can access all lower numbers" or do I have to setup some exception on my router for speciric IP and port? Or specific LAN port (I have 24 port router, yet not everything is connected via ethernet)
• Do I have to set it all up in specific order? I have read that I can cut myself off from accessing my router if I setup VLAN incorrectly and that's what I don't want to do :-)

If you know how to setup VLAN and could provide some points to kinda carve the path I could stick to, I would be really grateful! I do not want manual of step-by-step instructions, rather some points to follow so I don't fall for something important I missed.

I will of course read up on it myself and will experiment a bit (I have old RB133 or maybe even RB433 around that I can use for learning), but it would be great to have some pointers.

Thanks in advance for any advices or recommendations.