Whitelist Cloudflare proxy IPs (PortForward) on Unifi Dream Machine (UDM)

If you use Cloudflare proxy servers to secure your web services, I recommend allowing external traffic only from Cloudflare. Otherwise you expose your web servers directly to attackers on the external network.

Unfortunately, the Ubiquiti team has not implemented any easy way to do this on the UDM:

  • Option 1 (not applicable for UDM): Advanced Configuration Using config.gateway.json
    • This option is not applicable because Ubiquiti does not allow creating a gateway config on UDM devices: the UDM line does not support configurations done outside of the UniFi Network application.
  • Option 2: Create firewall "Internet In" rules allowing only a group of Cloudflare IP addresses (not working either, even though a lot of articles recommend this):
    • This option is not applicable either. Even if you create WAN_IN / Internet In rules, they won't create the DNAT rules, which cannot be configured through the UI (only via config.gateway.json, which is not available for UDM either).
  • Option 3: Create PortForward rules one-by-one:
    • This is the only working solution right now (UDM firmware 1.10). You must create each port forward rule manually.
    • (Screenshot: UDM Cloudflare firewall rules, port forwarding)
    • This is annoying, but you must create a port-forward rule for each range on this list: https://www.cloudflare.com/ips-v4
    • Once configured, your traffic will only be allowed in via the CF proxy servers, and by this you avoid anonymous attacks from the internet. This reduced my IPS alerts from ~10-20 per day to 0-1.
    • Never allow PortForward from Any > 80,443; always make sure to have a list of allowed subnets.
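Because the rules are created by hand, they drift as soon as Cloudflare changes its published ranges. As an added example (not from the original post), this Python audit compares the source restriction of each port-forward rule with a Cloudflare IPv4 range list and flags rules open to Any, sources that are no longer Cloudflare ranges, and Cloudflare ranges that have no rule; the rule data and the range list below are constructed samples, so fetch the live list from the URL above before using it.

```python
"""Audit manually maintained UDM port-forward source lists against Cloudflare's IPv4 ranges."""
import ipaddress

# Constructed sample of what https://www.cloudflare.com/ips-v4 returns (one CIDR per line).
# Illustrative only: always fetch the live list before auditing.
CLOUDFLARE_IPS_V4 = """\
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
"""

# Constructed sample of the "Source" (limited-to) field of each UDM port-forward rule.
# "Any" models a rule left open to the whole internet; 198.51.100.0/24 models a stale
# range that is no longer in Cloudflare's list.
UDM_RULES = [
    {"name": "https-cf-1", "port": 443, "source": "173.245.48.0/20"},
    {"name": "https-cf-2", "port": 443, "source": "103.21.244.0/22"},
    {"name": "https-old", "port": 443, "source": "198.51.100.0/24"},
    {"name": "http-open", "port": 80, "source": "Any"},
]


def parse_cidrs(text):
    """Turn the one-CIDR-per-line list into ip_network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def audit_rules(rules, cf_text):
    """Per forwarded port, report rules open to Any, stale sources and uncovered CF ranges."""
    cf_ranges = parse_cidrs(cf_text)
    report = {}
    for port in sorted({r["port"] for r in rules}):
        port_rules = [r for r in rules if r["port"] == port]
        open_to_any = [r["name"] for r in port_rules if r["source"].lower() == "any"]
        sources = [ipaddress.ip_network(r["source"]) for r in port_rules
                   if r["source"].lower() != "any"]
        # A source is stale if it is not inside any current Cloudflare range.
        stale = sorted(str(s) for s in sources if not any(s.subnet_of(c) for c in cf_ranges))
        # A Cloudflare range is missing if no rule on this port covers it.
        missing = sorted(str(c) for c in cf_ranges if not any(c.subnet_of(s) for s in sources))
        report[port] = {"open_to_any": open_to_any, "stale": stale, "missing": missing}
    return report


def source_is_cloudflare(ip, cf_text):
    """Check a connecting address (e.g. from an IPS alert) against the Cloudflare list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_cidrs(cf_text))


if __name__ == "__main__":
    for port, findings in audit_rules(UDM_RULES, CLOUDFLARE_IPS_V4).items():
        print(port, findings)
```

A port whose report shows a non-empty `open_to_any` list is the "Any > 80,443" case the post warns about; non-empty `missing` means some Cloudflare edges will be refused until a rule is added.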
