Recommended Unifi Firewall Settings
Understand the firewall settings for USG-series Unifi devices and learn how to optimize them for your network.
WARNING: Configuring the settings of your USG may result in a restart. It is recommended to perform these changes outside of your normal office hours.
Create a Smart Queue
A Smart Queue option is available with UniFi Security Gateway that prioritizes traffic and minimizes delays when the router/bandwidth becomes overloaded.
WARNING: Activating the Smart Queue option may reduce the maximum throughput. It is strongly recommended to measure the available speed with and without Smart Queues enabled.
If your connection speed is greater than 300 Mbps, it is recommended NOT to enable Smart Queues.
To activate this option…
- Log into your UniFi's web interface.
- Navigate to Settings → Networks → Internet.
- In the Networks list, click the Internet 1 option listed.
- In the Advanced section, select Smart Queues and set the Downrate and Uprate to match 80% of your network's speeds.
- Click the Save button.
Create a Firewall Rule for VoIP Traffic
To make sure the traffic from your SpectrumVoIP phones, softphones, and web applications does not experience any issues, a new firewall rule needs to be created. This rule recognizes and allows traffic coming from the IP addresses used by SpectrumVoIP services, and it also ensures the ports used by those services are open for use.
Step 1: Create a New Rule
To create a new rule for your Unifi router…
- Access your UniFi's web interface.
- Navigate to Settings → Security.
- Create a new rule.
- In the top section, do the following:
  - Type - Select Internet In.
  - Name - Type an identifiable name, such as SpectrumVoIP.
  - Action - Select Accept.
  - Protocol - Select TCP and UDP.
Step 2: Create an Address Group
For the Source section, an Address Group and Port Object will need to be created to ensure the IP addresses and ports used by SpectrumVoIP services are allowed.
- For the Address Group option of the Source section, click New.
- In the New Object menu, click Add Multiple.
- Type in the following IP addresses:
  - 199.71.209.0/24
  - 24.227.249.0/25
  - 72.249.136.32/28
  - 206.123.122.32/27
  - 212.69.157.32/27
  - 40.143.31.64/27
- Text To Speech Services - TCP and UDP:
  - 54.149.243.27:8000
  - 35.175.185.150:8000
  - 54.149.243.27:3001
  - 35.175.185.150:3001
- StratusMEETING - TCP and UDP:
  - 54.188.133.147:3443
  - 3.130.158.184:3443
  - 35.183.150.146:3443
- Click the Add button.
- In the New Object menu, click the Create button.
Step 3: Create a Port Group
- For the Port Object option of the Source section, click New.
- In the New Object menu, type an identifiable Name, such as VoIP Ports.
- In the Port section, input the following ports:
  - Main Utilized Ports
    - 5060-5062 UDP - SIP
    - 20,000-40,000 UDP - RTP
    - 80, 443 TCP - HTTP/HTTPS
  - Portal Dynamic Updates
    - 8001 - TCP
  - Google's Firebase Cloud Messaging (FCM)
    - 443, 5228, 5229, 5230 - TCP
  - Apple's Push Notification Service (APNs)
    - 5223, 443, 2197 - TCP
  - StratusWEB PHONE
    - 9002 - TCP - websockets
- Click the Create button.
Step 4: Finish Configuring the Source of the Rule
Once you have created the “VoIP” Address Group and the “VoIP Object” Port Object, be sure to select these in the Source section of the new rule.
Step 5: Configure the Destination of the Rule
- In the Destination section, use the Network dropdown to select the network or VLAN the phones will be connected to.
- Click the Add Rule button.
✔ You should now see a new Rule created that will protect SpectrumVoIP traffic.
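The rule built in Steps 1 to 5 is an allow list: protocol TCP or UDP, source address in the Address Group, source port in the Port Object, destination the phones' network or VLAN. The script below is an added example (not SpectrumVoIP's or Ubiquiti's code) that parses the two groups exactly as the article writes them, including the "20,000-40,000" style ranges and the host:port entries, and answers "would this inbound packet be accepted?" so the lists can be sanity-checked before they are typed into the controller. Two things are assumptions of the example rather than statements of the article: a host:port entry is treated as allowing that one extra source port for that host, and the destination VLAN 192.168.20.0/24 is a constructed placeholder. IPv4 only, as in the article.

```python
"""Model of the 'Internet In' allow rule described in the article.

Added example, not SpectrumVoIP's or Ubiquiti's code. It parses the address
group and port group in the notation the article uses and answers "would this
inbound packet be accepted by the rule?" so the lists can be sanity-checked
before they are typed into the controller. IPv4 only, matching the article.
"""
import ipaddress
import re

# Address group entries copied from the article. A plain CIDR or host matches
# on address only; a host:port entry (assumption of this example) additionally
# allows that one source port for that host.
ADDRESS_ENTRIES = [
    "199.71.209.0/24", "24.227.249.0/25", "72.249.136.32/28",
    "206.123.122.32/27", "212.69.157.32/27", "40.143.31.64/27",
    # Text To Speech Services
    "54.149.243.27:8000", "35.175.185.150:8000",
    "54.149.243.27:3001", "35.175.185.150:3001",
    # StratusMEETING
    "54.188.133.147:3443", "3.130.158.184:3443", "35.183.150.146:3443",
]

# Port group entries copied from the article, keyed by protocol.
PORT_ENTRIES = {
    "UDP": ["5060-5062", "20,000-40,000"],                   # SIP, RTP
    "TCP": ["80, 443", "8001", "443, 5228, 5229, 5230",      # HTTP(S), portal, FCM
            "5223, 443, 2197", "9002"],                      # APNs, StratusWEB PHONE
}

RULE_PROTOCOLS = {"TCP", "UDP"}   # "Protocol - Select TCP and UDP"

# Constructed placeholder for the network/VLAN chosen in the Destination section.
PHONE_VLAN = ipaddress.ip_network("192.168.20.0/24")

# A number is either "20,000" style (thousands separator) or plain digits; an
# optional "-N" makes it a range. The article separates list items with ", ",
# so a thousands separator is never followed by a space.
_PORT_RE = re.compile(
    r"(\d{1,3}(?:,\d{3})+|\d+)(?:\s*-\s*(\d{1,3}(?:,\d{3})+|\d+))?"
)


def parse_address_entry(entry):
    """Return (network, port_or_None) for 'a.b.c.d/n', 'a.b.c.d' or 'a.b.c.d:port'."""
    host, sep, port = entry.partition(":")
    return ipaddress.ip_network(host, strict=False), (int(port) if sep else None)


def parse_port_entry(entry):
    """Expand '80, 443' or '20,000-40,000' into a list of (low, high) ranges."""
    ranges = []
    for match in _PORT_RE.finditer(entry):
        low = int(match.group(1).replace(",", ""))
        high = int(match.group(2).replace(",", "")) if match.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range in {entry!r}")
        ranges.append((low, high))
    return ranges


def build_rule():
    """Parse both groups once; returns (address_list, {proto: ranges})."""
    addresses = [parse_address_entry(e) for e in ADDRESS_ENTRIES]
    ports = {proto: [r for e in entries for r in parse_port_entry(e)]
             for proto, entries in PORT_ENTRIES.items()}
    return addresses, ports


def rule_matches(src_ip, src_port, protocol, dst_ip="192.168.20.10", rule=None):
    """True if the rule would Accept this inbound packet, False otherwise."""
    proto = protocol.upper()
    if proto not in RULE_PROTOCOLS:
        return False                  # ICMP etc. are not covered by the rule
    if ipaddress.ip_address(dst_ip) not in PHONE_VLAN:
        return False                  # Destination: the phones' network/VLAN
    addresses, ports = rule or build_rule()
    src = ipaddress.ip_address(src_ip)
    port_ok = any(low <= src_port <= high for low, high in ports.get(proto, []))
    for network, entry_port in addresses:
        if src in network and (port_ok or entry_port == src_port):
            return True
    return False


if __name__ == "__main__":
    for pkt in [("199.71.209.10", 5060, "udp"), ("8.8.8.8", 5060, "udp"),
                ("54.149.243.27", 8000, "tcp"), ("199.71.209.10", 22, "tcp")]:
        print(pkt, "->", "accept" if rule_matches(*pkt) else "no match")
```

Run it as-is to see the four sample packets classified; the useful habit is to feed it the source address and port from a blocked call's packet capture and confirm whether the rule, as typed, actually covers it. Note that `parse_port_entry` raises on ranges outside 1-65535, which catches transposed digits before they reach the controller.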
UniFi Access Points and Switches
By default, UniFi access points and switches automatically map the DSCP value of voice traffic to a Wi-Fi Multimedia (WMM) priority. Voice is therefore given the highest priority on these devices, so no further changes are needed.