Ubiquiti console security module definitely tries to block Tor by default even when you specifically disable Tor in "detection types" - only way around this in the end was to put my node's LAN IP in the "security detection allow list" on the security page, then it instantly started working right after.

I hope this doesn't mean it's excluded from the network firewall though. Doesn't seem like it should be from what I can see, but then from what I can see it shouldn't be blocking Tor traffic either...