01 Zone model
The UDR7 uses a zone-based firewall model. Rather than writing rules per-interface, each VLAN is assigned to a zone, and rules govern traffic flowing between zones. This is more scalable than per-VLAN rule lists — adding a new VLAN means assigning it to an existing zone, and all zone rules apply automatically.
| Zone | VLANs | Default posture |
|---|---|---|
| WAN | Internet uplink | Deny inbound. NAT outbound for all internal VLANs. |
| Management | VLAN 1 | Reachable only from Trusted zone. No outbound to other VLANs. |
| Trusted | Personal (10), VPN (15) | Full LAN access to Servers. Full internet access. Blocked from IoT and Isolated zones outbound. |
| Servers | Servers (20) | Accepts inbound from Trusted and VPN. Allows outbound to internet (for package updates, DDNS, etc.). |
| IoT | IoT (100) | Internet only. Selective outbound to specific Servers IPs (e.g. Home Assistant). No inbound from any zone. |
| Isolated | Guest (200), Work (30) | Internet only. No LAN access. No inter-VLAN communication — not even between Guest and Work. |
| AREDN | AREDN-WAN (40), AREDN-LAN-1 (41) | Isolated from all homelab VLANs. AREDN mesh traffic only. |
02 Key rules
Full rule documentation lives in the UDR7 rebuild guide in Notion. The table below documents the intent of each key rule — not a raw ACL dump.
| Direction | Source zone | Destination | Action | Reason |
|---|---|---|---|---|
| → | Trusted → Servers | 172.20.20.0/24 | Allow | Personal and VPN devices can reach all servers |
| → | Trusted → WAN | Any | Allow | Internet access for personal devices |
| → | IoT → WAN | Any | Allow | IoT devices need internet for cloud services |
| → | IoT → Servers | Specific hosts in 172.20.20.0/24 | Allow (selective) | IoT devices can reach specific services (e.g. Home Assistant, MQTT broker) |
| → | IoT → LAN | 172.20.0.0/16 | Deny | IoT cannot reach any device not explicitly whitelisted |
| → | Isolated → WAN | Any | Allow | Guest / Work devices get internet |
| → | Isolated → LAN | 172.20.0.0/16 | Deny | Guest and Work are completely isolated from local network |
| → | WAN → LAN | Any | Deny | Default deny inbound from internet |
| → | Servers → Servers | 172.20.20.0/24 | Allow | Server-to-server communication (k3s → NAS NFS, Proxmox VMs, etc.) |
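The zone model and key rules above, as an added Python policy checker (not UniFi configuration and not from the rebuild guide the page refers to): it maps an address to its zone, evaluates the rules first-match with default deny, and audits a set of flows against the documented intent. Only the Personal (172.20.10.0/24) and Servers (172.20.20.0/24) subnets are stated on the page; the other VLAN subnets are assumed to follow the same 172.20.<vlan>.0/24 pattern, and the Home Assistant address and port are constructed placeholders.

```python
"""Policy checker for the zone model above.

Added example, not UniFi configuration and not the page's own tooling. The
zones and rules are transcribed from the two tables. Only Personal
(172.20.10.0/24) and Servers (172.20.20.0/24) subnets are stated on the page;
the other VLAN subnets are ASSUMED to follow the same 172.20.<vlan>.0/24
pattern, and the Home Assistant address/port is a constructed placeholder.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("172.20.0.0/16")

ZONES = {  # zone -> member VLAN subnets
    "Management": ["172.20.1.0/24"],                       # VLAN 1 (assumed)
    "Trusted":    ["172.20.10.0/24", "172.20.15.0/24"],    # Personal, VPN (15 assumed)
    "Servers":    ["172.20.20.0/24"],                      # VLAN 20
    "IoT":        ["172.20.100.0/24"],                     # VLAN 100 (assumed)
    "Isolated":   ["172.20.200.0/24", "172.20.30.0/24"],   # Guest, Work (assumed)
    "AREDN":      ["172.20.40.0/24", "172.20.41.0/24"],    # VLAN 40, 41 (assumed)
}
ZONES = {zone: [ip_network(n) for n in nets] for zone, nets in ZONES.items()}

# IoT whitelist: (destination IP, port) pairs. Placeholder for Home Assistant.
IOT_WHITELIST = {(ip_address("172.20.20.50"), 8123)}

# Rules as (source zone, destination zone or "*", host whitelist or None,
# action, reason). First match wins; anything unmatched is denied.
RULES = [
    ("Trusted",  "Servers",    None,          "allow", "Personal and VPN devices can reach all servers"),
    ("Trusted",  "Management", None,          "allow", "Management reachable only from Trusted"),
    ("Trusted",  "WAN",        None,          "allow", "Internet access for personal devices"),
    ("Servers",  "Servers",    None,          "allow", "Server-to-server (only hit once a 2nd Servers VLAN exists)"),
    ("Servers",  "WAN",        None,          "allow", "Package updates, DDNS"),
    ("IoT",      "WAN",        None,          "allow", "IoT devices need internet for cloud services"),
    ("IoT",      "Servers",    IOT_WHITELIST, "allow", "Selective: whitelisted services only"),
    ("IoT",      "*",          None,          "deny",  "IoT cannot reach any device not explicitly whitelisted"),
    ("Isolated", "WAN",        None,          "allow", "Guest / Work devices get internet"),
    ("Isolated", "*",          None,          "deny",  "Guest and Work are completely isolated from local network"),
    ("WAN",      "*",          None,          "deny",  "Default deny inbound from internet"),
]


def zone_of(addr):
    """Map an address to its zone; LAN space with no VLAN is 'Unassigned'."""
    addr = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "Unassigned" if addr in LAN else "WAN"


def evaluate(src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for a flow as the zone model would treat it."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Same-VLAN traffic is switched and never reaches the router's firewall.
    if any(src in net and dst in net for net in ZONES.get(src_zone, [])):
        return "allow", "same VLAN: switched locally, zone rules do not apply"
    for rule_src, rule_dst, hosts, action, reason in RULES:
        if rule_src != src_zone or rule_dst not in ("*", dst_zone):
            continue
        if hosts is not None and (dst, dst_port) not in hosts:
            continue  # selective rule did not match: fall through to the next rule
        return action, reason
    return "deny", f"no rule for {src_zone} -> {dst_zone} (default deny)"


# Intent from the tables, as (src, dst, port, expected verdict).
EXPECTATIONS = [
    ("172.20.10.5",   "172.20.20.3",   6443, "allow"),  # kubectl from Personal
    ("172.20.15.7",   "172.20.20.3",   22,   "allow"),  # VPN is in Trusted
    ("172.20.10.5",   "172.20.100.20", 80,   "deny"),   # Trusted blocked to IoT
    ("172.20.100.20", "172.20.20.50",  8123, "allow"),  # IoT -> Home Assistant
    ("172.20.100.20", "172.20.20.3",   5432, "deny"),   # IoT -> non-whitelisted server
    ("172.20.100.20", "172.20.10.5",   22,   "deny"),   # IoT -> Personal
    ("172.20.200.9",  "172.20.30.4",   445,  "deny"),   # Guest -> Work
    ("172.20.200.9",  "198.51.100.1",  443,  "allow"),  # Guest -> internet
    ("203.0.113.7",   "172.20.20.3",   443,  "deny"),   # WAN -> LAN
    ("172.20.1.1",    "172.20.20.3",   22,   "deny"),   # Management has no outbound
    ("172.20.40.2",   "172.20.20.3",   22,   "deny"),   # AREDN isolated
]


def audit():
    """Return expectations whose evaluated verdict differs (empty = policy matches intent)."""
    return [(s, d, p, want, evaluate(s, d, p))
            for s, d, p, want in EXPECTATIONS if evaluate(s, d, p)[0] != want]


if __name__ == "__main__":
    for s, d, p, _ in EXPECTATIONS:
        print(f"{s} -> {d}:{p}: {evaluate(s, d, p)}")
    print("mismatches:", audit())
```

Two things the model makes visible: rule order matters, since the selective IoT → Servers allow has to sit above the IoT → LAN deny or the whitelist is dead; and same-VLAN traffic never reaches the router, so the Servers → Servers rule only takes effect once a second VLAN is added to that zone.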
03 k3s-specific rules
The k3s API server runs on port 6443. kubectl access from the Personal VLAN requires this port to be open from 172.20.10.0/24 → k3s server IP. UFW on the node itself opens these ports as a second layer after the UDR7 perimeter.
UFW open ports on the k3s node (172.20.20.3)
```text
22/TCP — SSH (remote access to the cluster node)
80/TCP — HTTP (web traffic — redirected to HTTPS by ingress-nginx)
443/TCP — HTTPS (ingress-nginx — all cluster services)
5432/TCP — PostgreSQL (connections from services on VLAN 20)
6443/TCP — Kubernetes API server (kubectl, ArgoCD webhooks)
```
UFW is a second layer, not the only layer. The UDR7 firewall is the perimeter. UFW on the node enforces the same rules locally. Those ports are not exposed on the UDR7 WAN interface, so these services are not accessible from the internet — but they are open on the LAN side to allow access from devices on the trusted networks (Personal VLAN 10, VPN VLAN 15). If any service times out, run `sudo ufw status verbose` on the server and check the corresponding UDR7 LAN zone rule.
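The troubleshooting step above, as an added Python check (not the page's own tooling): it parses `ufw status verbose` output, confirms the default incoming policy is deny, and compares the ALLOW IN rules with the documented port list, flagging missing ports, undocumented open ports, and a 6443 or 5432 rule whose source is wider than the VLAN documented for it. The status text embedded in the script is constructed sample output in ufw's format, not captured from the node.

```python
"""Compare the k3s node's `ufw status verbose` output with the documented port
list. Added example, not the page's own tooling; SAMPLE_STATUS is constructed
in ufw's output format and is not captured from 172.20.20.3.
"""
import re
import sys

# Documented open ports on the k3s node (from the list above).
EXPECTED = {
    ("22", "tcp"):   "SSH",
    ("80", "tcp"):   "HTTP (redirected to HTTPS by ingress-nginx)",
    ("443", "tcp"):  "HTTPS (ingress-nginx)",
    ("5432", "tcp"): "PostgreSQL",
    ("6443", "tcp"): "Kubernetes API server",
}
# Source networks the page documents for two of them.
EXPECTED_FROM = {
    ("6443", "tcp"): "172.20.10.0/24",   # kubectl from the Personal VLAN
    ("5432", "tcp"): "172.20.20.0/24",   # services on VLAN 20
}

# Constructed sample: 5432 is missing, 6443 is open from everywhere, and an
# undocumented 8080 is open.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
6443/tcp                   ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""

# One ufw rule line: "<port>/<proto> [(v6)]  <ACTION> <IN|OUT>  <from>"
RULE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)(?:\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<from>.+?)\s*$"
)


def parse_status(text):
    """Return (default incoming policy, {(port, proto): [from, ...]} for inbound allows)."""
    default_in, allowed = None, {}
    for line in text.splitlines():
        m = re.match(r"^Default: (\w+) \(incoming\)", line)
        if m:
            default_in = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and m["action"] in ("ALLOW", "LIMIT") and m["dir"] == "IN":
            allowed.setdefault((m["port"], m["proto"]), []).append(m["from"])
    return default_in, allowed


def check_node(text):
    """Return a list of findings; empty means UFW matches the documented list."""
    default_in, allowed = parse_status(text)
    findings = []
    if default_in != "deny":
        findings.append(f"default incoming policy is '{default_in}', expected 'deny'")
    for key, desc in EXPECTED.items():
        port = f"{key[0]}/{key[1]}"
        if key not in allowed:
            findings.append(f"missing {port} ({desc}): clients will time out")
        elif key in EXPECTED_FROM and any(src.startswith("Anywhere") for src in allowed[key]):
            findings.append(f"{port} is open from Anywhere; documented source is {EXPECTED_FROM[key]}")
    for key, sources in allowed.items():
        if key not in EXPECTED:
            findings.append(f"undocumented {key[0]}/{key[1]} open from {', '.join(sources)}")
    return findings


if __name__ == "__main__":
    # Read real output when piped in (sudo ufw status verbose | python3 check_ufw.py),
    # otherwise run against the constructed sample.
    status = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for finding in check_node(status) or ["UFW matches the documented port list"]:
        print(finding)
```

A finding of the "missing" kind explains a timeout on that service at the node layer; if UFW looks right, the remaining suspect is the UDR7 LAN zone rule, as the page says.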
last updated 2026-06-08