Dual Lan Setup - block access between lans minus 1 server

Hi. Just configured my RB951G-2HnD for a dual LAN setup and now I need a little help configuring the firewall rules to block some traffic.

This is my setup:
Port1 - Wan Connection
Port 2 and 3 - Guest Network - 192.168.10.0/24 - DHCP Server running
Port 4 and 5 - Internal Network - 192.168.1.0/24 - DHCP Server running

In the guest network I have 3 Unifi APs with static leases on the DHCP server (192.168.10.251, 192.168.10.252 and 192.168.10.253).

Have everything working: I have internet on both networks and can connect perfectly between the 2 networks.

The Unifi APs need to communicate with the controller that's on the Internal Network on address 192.168.1.50.

What I need to do is allow only the 3 APs to talk to the controller on the Unifi Controller ports and block all other traffic.

For information, the ports needed are:

TCP ports:
unifi.shutdown.port=8081 (for management purpose)
unifi.http.port=8080 (device inform)
unifi.https.port=8443 (controller UI / API)
portal.http.port=8880 (portal redirect port for HTTP)
portal.https.port=8843 (portal redirect port for HTTPs)
unifi.db.port=27117 (local-bound port for DB server)

UDP port 3478.

What's the best way to do this?


Thx in advance.

The simplest way, because you know the APs need to talk to the controller only, is to block access to that LAN from anything other than the APs. Such as:

/ip firewall address-list
add list=AP address=192.168.10.251
add list=AP address=192.168.10.252
add list=AP address=192.168.10.253

/ip firewall filter
add action=drop chain=forward comment="Drop all traffic destined to controller except APs" disabled=no in-interface=!ether1 src-address=192.168.10.0/24 src-address-list=!AP dst-address=192.168.1.0/24

You can get a little more granular by adding the ports in, so on.
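The more granular version hinted at above, written out as an added example (not part of the original reply): it accepts only the three APs to the controller host on the UniFi ports listed in the question and drops every other guest-to-internal packet. It assumes the subnets, AP addresses and controller address from the question; the rule comments are placeholders.

```routeros
# Added example, not from the original post. Assumes guest LAN 192.168.10.0/24,
# internal LAN 192.168.1.0/24, controller at 192.168.1.50 and the three AP
# addresses from the question. RouterOS evaluates filter rules top to bottom,
# so the accept rules must sit above the final drop.

/ip firewall address-list
add list=AP address=192.168.10.251 comment="UniFi AP 1"
add list=AP address=192.168.10.252 comment="UniFi AP 2"
add list=AP address=192.168.10.253 comment="UniFi AP 3"

/ip firewall filter
# Return traffic for connections already allowed, in either direction
add chain=forward action=accept connection-state=established,related comment="allow established/related"
# APs -> controller on the TCP ports the question lists for device inform, UI/API and portal redirect
add chain=forward action=accept src-address-list=AP dst-address=192.168.1.50 protocol=tcp dst-port=8080,8443,8880,8843 comment="APs to UniFi controller (TCP)"
# APs -> controller STUN
add chain=forward action=accept src-address-list=AP dst-address=192.168.1.50 protocol=udp dst-port=3478 comment="APs to UniFi controller (STUN)"
# Everything else from guest to internal is dropped: non-AP guests, and APs
# reaching any other internal host or any other port on the controller
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.1.0/24 comment="drop guest to internal"
```

Port 27117 is described in the question as local-bound and 8081 as a management port, so neither is opened across the router here; add them to the TCP accept rule only if something on the guest side genuinely needs them. Because the final drop matches the whole guest subnet rather than `!AP`, an AP with a changed address or a guest host spoofing an AP's IP still only gets the listed ports on the controller, nothing else on the internal LAN.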

Thanks, will try it when I get to work.

How did this work out for you, were you able to try it out?