
Ubiquiti EdgeRouterX Zone Based Firewall

A Professional Router at a Consumer Price

I really enjoy working on and improving my home network and I am regularly looking for the next thing to tweak or try on my network. So it was a natural progression for me to move from the standard router that my ISP provides, to a more professional piece of equipment like the Ubiquiti EdgeRouterX. This is a pretty in-depth guide compared with some of my other guides so take your time and ask questions if the need arises!

Ubiquiti has a variety of IT products and devices that are perfect for small or medium business but can also work great at home without breaking the bank. The EdgeRouter-X is probably one of the best entry points into the EdgeRouter line of products by Ubiquiti. What you get for the sub $100 price point is a highly configurable router that is perfect for home use whether you have a few devices or hundreds.


Where the ER-X really shines is in its ability to be configured in different ways to support something more than a single flat network. Your run-of-the-mill ISP router / AP combo can be limited in this area. In my home network, I have both wired and wireless clients, smart devices, a virtual lab for testing and some infrastructure services and servers. The ER-X allows me to configure my network in the best possible way so that my network is properly organized and segregated where necessary. I could just dump all of my devices on to one subnet, but where’s the fun in that? (Not to mention, where’s the security?)

I will definitely have additional posts highlighting different parts of my home network and the equipment I use there, but for now, let’s dive into my setup and guide for creating a three-zone firewall on the ER-X.

Common sense disclaimer – the information below relates to configuring a firewall on an internet-facing device. Follow this guide at your own risk and use common sense and disconnect from the internet before working on your firewall. Also, since this is a long guide and since no one is perfect, please leave a comment if you encounter any errors. Thanks!

Ports and Interface-Based Firewall

Before I do a quick run-down of zone-based vs. interface-based firewalls, there is some nomenclature worth mentioning.

The ports on the router are named eth0 through eth4, five physical ports in total. They sit behind a built-in switch chip, and EdgeOS presents the switched ports as one logical interface called switch0; any port can be pulled out of switch0 and used as a separately routed interface instead. For the purposes of this article, I will refer to switch0 as the LAN side of the router.

In the basic WAN + LAN setup created by the wizard, eth0 is set as the WAN and the remaining ports (eth1 – eth4) are added to switch0 (the LAN group). The firewall the wizard creates is bound to those interfaces, eth0 and switch0, and its rules amount to a standard “DENY ALL” from WAN > LAN, except for established and related traffic. Clients can initiate a connection from the LAN to the WAN, but nothing on the WAN can initiate one towards the LAN; this single stateful rule is what keeps your LAN safe from intrusion from the WAN side.

The thing to remember here is that this firewall configuration is tied solely to those two interfaces, eth0 and switch0.

Zone-Based Firewall

If we want to take our firewall a step further, we can create firewall rulesets and zones, and then add interfaces to the zones. This allows us to create separate areas where specific network ports, subnets or VLANs can exist with their own firewall rules, while keeping all of it manageable through the ER-X web interface. One caveat though: the setup is best done through the command line interface, or CLI, since it would be time-consuming to enter all of these changes through the web interface.

In my case, my network is set up with three zones: WAN, LAN (trusted), and DMZ. The reason for wanting a DMZ alongside the regular trusted LAN was originally to segregate my lab environment, but it also works perfectly to separate my IoT VLAN and Guest WiFi VLAN, which I’ll explain later in this article. Although my DMZ does not contain any externally-facing services that a traditional DMZ might hold (like a web server), for simplicity’s sake and for this guide it will still be called the DMZ.

One more thing worth mentioning, if you want to assign an interface that is already part of the switch0 group, you will need to remove that interface from the group before you can assign it to a zone. In my example I set eth3 as my DMZ zone’s interface but I had to take eth3 out of the switch0 group before assigning it to the DMZ zone. This is because switch0 is part of the LAN zone, so eth3 can’t be part of switch0 (in the LAN) and also part of the DMZ zone, at the same time. Visit this thread for more info on this topic.

Create The Firewall Rulesets

Before we create zones, we need to create the rulesets that will be used with the zones. Essentially, we need a ruleset for every direction that traffic might flow between zones. Also, a three-zone firewall actually has four zones, since the router itself is considered the “LOCAL” zone.

Technically that means twelve firewall rulesets (four zones, each receiving traffic from the other three), but we can simplify this to just six by lumping some of the rulesets together. Named by source and destination, the twelve are:

  • LOCAL_TO_WAN, LOCAL_TO_LAN, LOCAL_TO_DMZ
  • LAN_TO_WAN, LAN_TO_DMZ, LAN_TO_LOCAL
  • WAN_TO_LAN, WAN_TO_DMZ, WAN_TO_LOCAL
  • DMZ_TO_WAN, DMZ_TO_LAN, DMZ_TO_LOCAL

We can start condensing because the LOCAL zone (the router) should always be able to communicate with any other zone, otherwise it wouldn’t be functioning as a router.

So right away, let’s condense:

  • LOCAL_TO_WAN
  • LOCAL_TO_LAN
  • LOCAL_TO_DMZ

To just:

  • LOCAL_TO_ALL

Also, since the LAN is going to be our trusted zone, we can allow traffic to flow from it to any other zone. Just remember, we will still have other rulesets that restrict flow into the trusted LAN.

So again we can condense the LAN rules from:

  • LAN_TO_WAN
  • LAN_TO_DMZ
  • LAN_TO_LOCAL

To just:

  • LAN_TO_ALL

Same thing for the WAN rules, since traffic arriving from the internet is treated the same way whichever zone it is headed for:

  • WAN_TO_LAN
  • WAN_TO_DMZ
  • WAN_TO_LOCAL

To just:

  • WAN_IN

So here are our six firewall rulesets:

  • WAN_IN
  • LOCAL_TO_ALL
  • LAN_TO_ALL
  • DMZ_TO_WAN
  • DMZ_TO_LAN
  • DMZ_TO_LOCAL

These rulesets cover all possible traffic flows, and now that we have them named we can create the individual rules within each ruleset. The three DMZ rulesets stay separate because the DMZ is the only zone whose traffic is treated differently depending on where it is going.

Individual Rules

To get started, log into your ER-X and open the terminal from the top right (CLI button). You’ll be prompted to log in again. You can also do this through an SSH client like PuTTY, just make sure SSH is enabled on your router.

At the terminal, type configure and press enter to enter configuration mode. Any changes you make here are queued but not applied until you type commit and press enter.

The commands to create the rulesets and individual rules are as follows:

edit firewall name WAN_IN
set default-action drop
set rule 1 action accept
set rule 1 description "Established and related"
set rule 1 log disable
set rule 1 protocol all
set rule 1 state established enable
set rule 1 state related enable

NOTE: if you used the default setup wizard you already have a ruleset called WAN_IN (and a companion WAN_LOCAL), both bound directly to eth0. Remove those eth0 firewall bindings and the old WAN_IN ruleset before entering the commands above, so that only the zone policy governs eth0, and make sure your router is physically disconnected from the internet while you do it. Values that contain spaces, like the description, must be quoted in the CLI.

This sets up the following basic firewall separating the internet from our network:

  • Creates the WAN_IN ruleset
  • Sets the default action to “drop”
  • Creates an individual rule titled “Established and related”
  • Turns off logging (optional)
  • Specifies all protocols
  • Sets the rule states to established and related

With these commands set, we need to exit this firewall ruleset, so we can start on the next one. Type “exit” and press enter.

Enter the remaining firewall ruleset commands, remembering to exit after each block to start the next one.

edit firewall name LOCAL_TO_ALL
set default-action accept
exit
edit firewall name LAN_TO_ALL
set default-action accept
exit
edit firewall name DMZ_TO_WAN
set default-action accept
exit
edit firewall name DMZ_TO_LAN
set default-action drop
set rule 1 action accept
set rule 1 description "Established and related"
set rule 1 log disable
set rule 1 protocol all
set rule 1 state established enable
set rule 1 state related enable
exit
edit firewall name DMZ_TO_LOCAL
set default-action drop
set rule 1 action accept
set rule 1 description "Established and related"
set rule 1 log disable
set rule 1 protocol all
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action accept
set rule 2 description dns
set rule 2 log disable
set rule 2 protocol tcp_udp
set rule 2 destination port 53
set rule 3 action accept
set rule 3 description dhcp
set rule 3 log disable
set rule 3 protocol udp
set rule 3 destination port 67-68
exit

Take note of how DMZ_TO_LAN and DMZ_TO_LOCAL differ from the accept-all rulesets. Both default to drop and, exactly like WAN_IN, must have an accept rule for established and related state: without it, replies to connections that the LAN or the router itself opened into the DMZ are dropped, and LAN clients cannot reach DMZ hosts even though LAN_TO_ALL lets their requests through. DMZ_TO_LOCAL additionally lets DNS and DHCP through to the router (for DNS, accept TCP as well as UDP, since large answers fall back to TCP), assuming the router is providing those services. If a server in the LAN does DNS instead, the DMZ_TO_LAN ruleset needs a DNS rule scoped to that server. DHCP is different: broadcasts do not cross the router, so a LAN-side DHCP server is only reachable through the router’s DHCP relay (service dhcp-relay), and the relayed requests then travel from the router to the server, which LOCAL_TO_ALL already permits. The DHCP rule therefore stays in DMZ_TO_LOCAL either way.
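If your resolver lives in the LAN rather than on the router, DMZ_TO_LAN has to let that one flow through and nothing else. The commands below are an added example written for this guide, not part of the original post: they rebuild the DMZ_TO_LAN ruleset so that it accepts return traffic and DNS to a single LAN host, with a final logging drop so that anything else the DMZ attempts shows up in the log. The resolver address 192.168.1.53 is made up, and a LAN-side DHCP server is deliberately not opened here because it would be reached through the router’s DHCP relay instead.

```edgeos
configure

# Rebuild DMZ_TO_LAN: DMZ hosts may answer connections opened from the LAN
# and may query one LAN resolver, and nothing else.
# 192.168.1.53 is an assumed address for a DNS server in the LAN zone.
delete firewall name DMZ_TO_LAN
edit firewall name DMZ_TO_LAN
set description "DMZ to LAN: replies and DNS to the LAN resolver only"
set default-action drop

set rule 1 action accept
set rule 1 description "Established and related"
set rule 1 log disable
set rule 1 protocol all
set rule 1 state established enable
set rule 1 state related enable

# DNS over both transports, limited to the one host that should see it.
set rule 2 action accept
set rule 2 description "DNS to LAN resolver"
set rule 2 log disable
set rule 2 protocol tcp_udp
set rule 2 destination address 192.168.1.53
set rule 2 destination port 53
set rule 2 state new enable

# Explicit final drop with logging, so refused DMZ attempts are visible
# (the default-action would drop them anyway, but silently).
set rule 10 action drop
set rule 10 description "Log everything else from the DMZ"
set rule 10 log enable
set rule 10 protocol all
exit

commit
save
exit
```

Deleting and re-creating the ruleset inside one commit is fine even though the zone policy references DMZ_TO_LAN, because the name exists again by the time the commit is validated. The logged drops appear in the router’s log with the ruleset and rule number, which is the quickest way to find an IoT device that is trying to talk to something in the LAN.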

Now would be a good time to check our work, so after exiting the last firewall ruleset, type commit and hit enter. If all goes well you should not get any error messages (a typical one is the firewall complaining that a port was specified on a rule without a tcp or udp protocol). However, we also need to save these to the boot config so they aren’t lost after a reboot. Type “save” and hit enter.

You can then log into your router’s web interface and view the rulesets you just created, or run “show firewall name WAN_IN statistics” from operational mode to see the per-rule packet counters once traffic is flowing.

Create The Zones

With our rulesets created we can now create the zones and apply interfaces and rulesets to them.

See below these commands for a description of what they do.

set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action drop
set zone-policy zone WAN from LAN firewall name LAN_TO_ALL
set zone-policy zone WAN from DMZ firewall name DMZ_TO_WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone LAN interface switch0
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from DMZ firewall name DMZ_TO_LAN
set zone-policy zone LAN from WAN firewall name WAN_IN
set zone-policy zone LAN from LOCAL firewall name LOCAL_TO_ALL
set zone-policy zone DMZ interface eth3
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ from WAN firewall name WAN_IN
set zone-policy zone DMZ from LAN firewall name LAN_TO_ALL
set zone-policy zone DMZ from LOCAL firewall name LOCAL_TO_ALL

set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from DMZ firewall name DMZ_TO_LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN_TO_ALL
set zone-policy zone LOCAL from WAN firewall name WAN_IN

The first line in each block creates the zone and applies the specified interface to that zone. So the first command in the list creates a zone called “WAN” and adds the eth0 interface to it.

The second line sets the default action for the zone, which should always be “drop”. It applies to traffic from any zone that has no explicit “from” entry, so forgetting one of the lines below silently drops that whole direction rather than letting it through.

The next three lines for each zone specify which firewall ruleset is applied to traffic entering the zone, based on the zone it is coming from. For example, traffic entering the LAN from the WAN is subject to the ruleset “WAN_IN”. These are the rulesets we created earlier. Traffic between two interfaces that belong to the same zone is not subject to any of these rulesets.

Once you’ve entered these commands, type “commit”, then “save” if you didn’t get any error messages.

At this point, the three zone firewall is configured as follows:

Clients that you connect to switch0 (eth1, 2 and 4) are in the LAN zone and can get out to the web, reach the DMZ and manage the router. Clients connected to eth3 are in the DMZ and can get out to the web and send DNS and DHCP requests to the router, but cannot initiate connections to clients in the LAN or open a management session with the router. Lastly, your network sits behind the WAN_IN ruleset, which drops every connection the internet tries to initiate; if you later port-forward a service into the DMZ, that NAT’d traffic still has to be accepted by an explicit rule in WAN_IN.

You can view all of these zones in the Config Tree tab in the router’s web interface. Drill down to zone-policy > zone to see the list of zones you created. You can also make individual changes here if needed.

If you don’t need VLANs you can stop after the next two steps, which are still required for the DMZ interface to be usable.

1) Assign an IP address to eth3. It must be on its own subnet, distinct from the one your LAN uses and from every other interface. Select actions > config on eth3 to set the IP.

2) Create a DHCP server for the eth3 network that matches the interface address. This can be done under the Services tab. Enter the subnet you assigned to the interface, the interface address as the router, and your upstream DNS (or the router itself, since DMZ_TO_LOCAL permits DNS to it). Save and test by connecting a client to eth3 and verifying that it gets an IP and has internet access.

What About VLANs?

You may be wondering about the VLANs I mentioned earlier, so let’s go over that topic. The zone-based firewall we just set up is tied only to the physical interfaces on the router itself. Eth0 is in the WAN zone, eth3 is the DMZ zone and the other switch ports are in the LAN zone. That gives us only three ports for LAN clients and one DMZ port, so if we want to segregate more devices we need to create VLANs on the router and use VLAN tagging on a device that supports it, like a managed switch or access point.

An easily approachable device that supports VLAN tagging is the Ubiquiti UniFi Access Point. I have the UAP-AC-Lite version and I run three SSIDs on it: LAN, IoT and Guest. If I want to segregate traffic three ways, I need to use VLAN tagging to achieve this, since the physical access point can only be plugged into one port.

Create the VLAN

It is simple to create a new VLAN on the EdgeRouter-X: click the add interface button near the top left of the dashboard screen (just below the graphs). Enter a VLAN ID and an interface. The interface you choose depends on where your access point or managed switch will be plugged in. In my example network I plug my AP into eth4, which is part of switch0, so my VLAN goes on switch0.

Specify a name and manually enter the address that you’d like the VLAN to have (similar to what I mentioned above for the DMZ example). It must be on a different subnet than any other interface’s address. Click save and the VLAN will appear at the bottom of the dashboard list. One caveat: in its default, non-VLAN-aware mode the ER-X switch carries every tagged VLAN on every switch port, so a wired host on eth1 could tag its own frames with the IoT VLAN ID and land in that network. The switch-port vlan-aware option on switch0 lets you restrict which ports carry which VLAN IDs if that is a concern for you.

Add the VLAN to a Zone

We need to add our newly created VLAN to a zone. In this example I am adding the VLAN to the DMZ zone. This isolates the VLAN’s traffic from the LAN and applies the DMZ zone’s firewall rules to it, so we can be sure the traffic isn’t able to reach the LAN or the router’s management interfaces.

Open the Config Tree tab and drill down to the DMZ zone. You should see one interface listed if you followed this guide: eth3. Click the add button and enter the VLAN interface you just created (switch0.18 in this example). This adds VLAN 18 to the DMZ zone. Click preview then apply to make the changes.

In my case, my IoT and Guest VLANs are added to the DMZ so I can be sure they are isolated and firewalled from the LAN. Bear in mind that zone rules are only applied between zones: interfaces in the same zone, here eth3 and the two VLANs, can talk to each other without restriction.


Finally, you will want to create a new DHCP server under the Services tab (as mentioned above for the eth3/DMZ network) for this VLAN.
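For those who prefer the CLI, here is the equivalent of the point-and-click steps for the DMZ interface (taking eth3 out of switch0, addressing it and giving it a DHCP scope) and for the VLAN (a sub-interface on switch0, its zone membership and its own DHCP scope). This is an added example written for this guide, not the author’s own commands; the subnets 192.168.3.0/24 and 192.168.18.0/24, the names DMZ and IoT, and the choice to let the router itself serve DNS on the new networks are all assumptions.

```edgeos
configure

# 1) eth3 leaves the switch group and becomes a routed DMZ interface.
#    192.168.3.0/24 is an assumed subnet that is not in use elsewhere.
delete interfaces switch switch0 switch-port interface eth3
set interfaces ethernet eth3 description DMZ
set interfaces ethernet eth3 address 192.168.3.1/24

# 2) VLAN 18 (IoT) as a tagged sub-interface of switch0, where the AP plugs in.
#    192.168.18.0/24 is likewise an assumed, unused subnet.
set interfaces switch switch0 vif 18 description IoT
set interfaces switch switch0 vif 18 address 192.168.18.1/24

# 3) Both land in the DMZ zone. Zone rules only apply between zones, so
#    eth3 and switch0.18 can reach each other freely.
set zone-policy zone DMZ interface eth3
set zone-policy zone DMZ interface switch0.18

# 4) One DHCP scope per network, handing out the router as gateway and resolver
#    (DMZ_TO_LOCAL accepts DNS on 53 and DHCP on 67-68, so this works from the DMZ).
set service dhcp-server shared-network-name DMZ subnet 192.168.3.0/24 default-router 192.168.3.1
set service dhcp-server shared-network-name DMZ subnet 192.168.3.0/24 dns-server 192.168.3.1
set service dhcp-server shared-network-name DMZ subnet 192.168.3.0/24 start 192.168.3.100 stop 192.168.3.199
set service dhcp-server shared-network-name IoT subnet 192.168.18.0/24 default-router 192.168.18.1
set service dhcp-server shared-network-name IoT subnet 192.168.18.0/24 dns-server 192.168.18.1
set service dhcp-server shared-network-name IoT subnet 192.168.18.0/24 start 192.168.18.100 stop 192.168.18.199

# 5) The router's DNS forwarder must listen on the new interfaces as well.
set service dns forwarding listen-on eth3
set service dns forwarding listen-on switch0.18

commit
save
exit
```

No NAT change is needed for the new subnets: the wizard’s outbound masquerade rule on eth0 has no source restriction, so it already translates them. After the commit, a client on eth3 or on the IoT SSID should get a lease from its scope, resolve names through the router, reach the internet, and get nothing but dropped packets when it tries an address in the LAN.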

Final Notes

Now you can tag one or more of your wireless networks on the UniFi AP with the VLAN ID you just set up. Traffic coming in on that SSID is tagged with that VLAN ID, arrives on the matching VLAN interface and is restricted by the DMZ firewall rules. One of the great things about this setup is that you can create any number of VLANs and add them to the DMZ without having to rewrite your firewall rules each time. If you created a new zone each time you needed to isolate traffic, you would greatly increase the number of to-and-from rulesets that would need to be set up. The trade-off is that zone rules only apply between zones: everything in the DMZ zone (eth3 and every VLAN added to it) can talk to everything else in it, so IoT and Guest clients are isolated from the LAN and the router but not from one another. If that matters to you, give the VLAN its own zone, at the cost of one more from/to ruleset for each existing zone.

I hope you’ve found this guide helpful and as always, thanks for reading!

Edgerouter-X on Amazon
Unifi UAP-AC-Lite on Amazon

Products mentioned are available through affiliate links at no extra cost to you. Using these affiliate links to purchase helps support the blog and allows me to bring you new content. Thank you!

Amazon Associate Program: As an Amazon Associate I earn from qualifying purchases.

Frands Tjagvad

Hello HomeTechBlogger, thanks for this awesome guide! AFAIK this is the only guide on the web that takes the EdgeRouter and configures it as a three-zone firewall! Thanks! I am running an EdgeRouter X v1.10.11 and, following your blog post, I discovered one error. When configuring the ruleset “DMZ_TO_LOCAL”, I was not allowed to commit due to the following error: Firewall config error: ports can only be specified when protocol is 'tcp' or 'udp' (currently ''). That was fixed by adding to the ruleset: set rule 2 protocol udp. It was the only issue I encountered. 😊 Thanks again. This…


Like Frands, I have read several articles on firewalls with the EdgeRouterX and this is by far the best out there. I have two EdgeRouterX’s. One for production and the other in my lab for experimentation. Keeps peace in the family when I’m playing. I have a large lab area and really like the way you have segmented the traffic. Will be using your article for sure in the very near future. Thanks for all the effort that goes into these.


Thanks for the guide. I worked through setting up a four zone config with 14 short rule sets (7 IP, 7 IPv6). The concise configuration that this enables is great, but it is worth noting that a multizone config increases the ERX boot time considerably. I haven’t measured it, but it feels like a reboot now takes two minutes.

Douglas Sandoval

Thank you very much for the informative tutorial. Nothing I found was as comprehensive as this.

All the best,


Very useful – thanks for putting this together.
Have you considered posting a version of the resulting config.boot file, with any identifying info removed of course?


Hi, found your site as I needed a firewall. I’d like to ask for your recommendation. I have Xfinity with this new super cable modem/router/wifi they forced on me. I have a 16 port switch behind it going to various hardwired devices. I was looking at the Ubiquiti ERX so I can put zone firewalls in place. I need to DMZ a remote access device that I use for my consulting work (it has a port forward currently that is getting hit constantly by outside bad actors/scanners), and then I figure I’ll have a zone for my office computers/devices, the…

Marco Mattei

I’m not sure if you considered this but for my config I needed to add an additional rule to get it working. If I set it up like you did I could not access the DMZ from the LAN. I had to add an additional rule like the following:

    name DMZ_TO_LAN {
        default-action drop
        rule 1 {
            action accept
            description "Accept Established and Related Private"
            destination {
                group {
                    network-group RFC1918
                }
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }

For that I set up the NAT Group RFC1918 which…

Marco Mattei

Ah right, I was just assuming that this was what you wanted because you stated in the article:
“Also, since the LAN is going to be our trusted zone, we can allow traffic to flow from it to any other zone. Just remember, we will still have other rulesets that restrict flow into the trusted LAN.”


Hi – the most excellent blog I’ve ever read. I’m somewhat of a noobie here. A quick question: do I really need to use a DMZ? What does it stand for and what is the purpose of using it? It’s just a learning curve.


Thank you for your time and for explaining it. I would like to request that you write a new article, since you mention that there is a better way to set this up than this specific setup. I’m very curious; thank you. Dave

John M


This is EXACTLY what I am looking to do, so I can host my website / kubernetes at home, and save a few bucks.

How difficult is it to NAT 80/443 into the DMZ?