Unifi Network - Block Internet Access for Specific Devices

I have a number of devices that I no longer want to give access to the internet. For example, the smart TV and a P1 reader that tries to call ‘home’ every second.
Fortunately, it is very easy to create a firewall rule within the Unifi Network Application (formerly called Unifi Controller).

Since I replaced my old Unifi Security Gateway (USG) with a Unifi Dream Machine Pro (UDM-Pro), the setup below is based on the newest user interface (v7).

Create IP Group

1. Go to Settings and Profiles
2. Scroll down to Port and IP Groups and click Create New Group:
   • Profile Name: for example BlockInternet
   • Type: IPv4 Address/Subnet
   • Address: add the IP addresses of the devices that are not allowed to connect to the internet
3. Click Apply Changes

You can now use this group when creating the firewall rule.

Create Firewall Rule

1. Go to Settings and Firewall & Security
2. Scroll down to Firewall Rules and click Create New Rule:
   • Type: Internet Out
   • Description: for example drop group block internet
   • Rule Applied: Before Predefined Rules
   • Action: Drop
   • IPv4 Protocol: All
     Source
   • Source Type: Port/IP Group
   • IPv4 Address Group: BlockInternet - this the IP group you created earlier
   • Port Group: Any
     Leave Destination and Advanced at the default settings
3. Click Apply Changes

The Firewall Rules now look like this:

Testing

Test if it works, for example with your mobile phone by temporarily putting the IP address in the IP group.

Read other notes