Ubiquiti EdgeMax – Add Port Group

Port groups are useful when you have a set of ports that need to be policed together in more than one firewall rule set. For instance, if you want to allow or block all web traffic in one firewall rule set and also need to explicitly allow or block all web traffic in another, you could write 2 rules in each rule set or list several port entries in a single firewall rule; instead, you can create one port group and reference it in as many firewall rule sets as you like. If that sounds a little confusing, read the steps below and it will become clearer with a practical example.

Our scenario: we want to be able to police all web traffic in at least 1 firewall rule set, and possibly more.

First we will create a port group so we can reference all of the ports for web traffic in one statement later on; in this example the ports are 443 and 80.

Below is how to create a firewall group for all web traffic and add that to a firewall rule set.


You can view your newly created port group by issuing the command below.

Now we can reference the port group ‘all-web’ in as many firewall rule sets as we choose, and it will always refer to port 443 and port 80.


Let's say we have a firewall rule set for traffic originating in our LAN and going to our WAN called ‘lan-to-wan’, and we want to allow all web traffic through that firewall as rule 10. Below is an example of adding a rule that uses our new port group ‘all-web’.


Before we commit the changes, below is an example showing how our rule appears in the running config.


We can see that all of our commands have been accepted as expected, and because each line has a ‘+’ in front of it, we know that it has not yet been applied and is pending a commit command. Now we can commit the change to make it take effect.


Since we did not get any errors, we know the commit was successful, our rule is applied, and we can test. You can also re-issue the ‘show firewall name lan-to-wan rule 10’ command to confirm there are no longer any ‘+’ signs in the configuration.
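The whole procedure as one EdgeOS configuration session, written out here as an added example rather than the post's own screenshots. The group name ‘all-web’, rule set ‘lan-to-wan’ and rule 10 come from the post; the description strings, the `protocol tcp` line, the hostname in the prompt and the final `save` are my additions.

```edgeos
# Enter configuration mode (example hostname 'edgerouter' is a placeholder)
ubnt@edgerouter:~$ configure
[edit]

# Create the port group and add the two web ports
ubnt@edgerouter# set firewall group port-group all-web description 'HTTP and HTTPS'
ubnt@edgerouter# set firewall group port-group all-web port 80
ubnt@edgerouter# set firewall group port-group all-web port 443

# Rule 10 in lan-to-wan: accept TCP whose destination port is in the group.
# A port match needs a protocol (tcp, udp or tcp_udp); naming tcp here also
# keeps the rule from matching UDP traffic to 80/443.
ubnt@edgerouter# set firewall name lan-to-wan rule 10 action accept
ubnt@edgerouter# set firewall name lan-to-wan rule 10 description 'Allow all web'
ubnt@edgerouter# set firewall name lan-to-wan rule 10 protocol tcp
ubnt@edgerouter# set firewall name lan-to-wan rule 10 destination group port-group all-web

# Review the pending changes ('+' marks lines not yet committed), then apply
ubnt@edgerouter# show firewall group
ubnt@edgerouter# show firewall name lan-to-wan rule 10
ubnt@edgerouter# commit

# commit only updates the running configuration; save writes it to the
# boot configuration so the rule survives a reboot
ubnt@edgerouter# save
ubnt@edgerouter# exit
```

After the commit, re-running `show firewall name lan-to-wan rule 10` should print the rule without any leading ‘+’ signs.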
