How to Access the UniFi Controller by WAN IP or Hostname on a UDM (PRO)

More and more of our captive portal customers have been asking for instructions on how to access the UniFi controller/Network Application by the public IP address or hostname when using a UDM, UDM PRO, or UDR gateway.

The following instructions apply to most situations where external access to the web interface or API is required. When in doubt, please contact your solution provider.

These instructions assume you are using the Classic/Legacy Interface. In the future, we plan on updating this post with instructions based on the New Interface.


Create firewall rule

  • Open the UniFi Controller/Network Application
  • Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL
  • Select Create New Rule
  • Apply the following values to the respective fields:
    • Name: apply a logical name, e.g. WAN access
    • Rule Applied: Before pre-defined rules
    • Action: Accept
    • IPv4 Protocol: TCP
    • Destination: Create and save a new port group with port 443 in the group
  • Save the Firewall Rule
  • The Firewall Rules for WAN LOCAL should now look like this:

Optional source restrictions

To restrict access, you can also apply a “source restriction” to this Firewall Rule so that access is only available to certain external IP addresses. Create an IPv4 Address Group in the Source section containing the external IP addresses that are allowed access. All other addresses are denied access.

The Port Group and MAC address settings in the Source section can remain untouched.


Access by hostname

In cases where the gateway has a dynamic public IP address, or where WAN failover is used, it is necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.

  • Navigate to Settings > Services > Dynamic DNS
  • Select Create New Dynamic DNS
  • Select a service provider and follow their instructions
  • Once set up correctly you can access the web interface through a URL structured like so:
    • https://my-dynamic-hostname.ddns.net:443

Local Account

For API access to a UniFi OS device such as the UDM, UDM PRO, or UDR, a local admin account is required. Please follow these steps to create one:

  • Open the UniFi OS Console
  • Select Users > Add User
  • Create a user account similar to this example:
  • Save the user account

You can then access the API using the Local Username and the Password you just created for the account.


Testing & Verification

To verify that the Firewall Rule has been properly configured, try to access the UDM/UDM PRO/UDR by its WAN IP, its dynamic hostname or the hostname associated with the IP address. If the test does not provide the desired results, check any source IP restrictions configured. If the Firewall Rule appears to be applied properly, advanced troubleshooting with tcpdump may provide the clearest indication of the issue. Please open a topic on the community if you need any help.
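
A reachability check for the test described above, as an added example that is not part of the original post: run from an external network, it separates an accepted connection from a refused one, a silently dropped one, and a hostname that does not resolve. The function names and hint texts are assumptions made for this example.

```python
import errno
import socket
import sys

# What each probe result suggests about the setup described on this page.
HINTS = {
    "open": "TCP handshake completed; the accept rule matched this source",
    "refused": "a reset came back; the connection was rejected or nothing listens",
    "filtered": "no usable reply; check the WAN LOCAL rule and the source address group",
    "dns": "hostname did not resolve; check the Dynamic DNS entry",
}

def probe(host, port=443, timeout=5.0):
    """Try one IPv4 TCP connection and return (state, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    ip = infos[0][4][0]  # first IPv4 address the name resolves to
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return "open", ip
    except ConnectionRefusedError:
        return "refused", ip
    except socket.timeout:
        return "filtered", ip  # silently dropped somewhere on the path
    except OSError as exc:
        # ICMP errors such as EHOSTUNREACH also mean the SYN was not accepted
        return "filtered", f"{ip} {errno.errorcode.get(exc.errno, exc.errno)}"
    finally:
        sock.close()

def diagnose(host, port=443, timeout=5.0):
    """One-line verdict for a WAN IP or dynamic hostname."""
    state, detail = probe(host, port, timeout)
    return f"{host}:{port} {state} ({detail}): {HINTS[state]}"

if __name__ == "__main__":
    # Run from an external network, e.g.: python3 probe.py my-dynamic-hostname.ddns.net
    for target in sys.argv[1:]:
        print(diagnose(target))
```

When source restrictions are configured, run it once from an address inside the IPv4 Address Group and once from an address outside it: the first should report open and the second should not.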


Suggestions/feedback

Please let us know if you have any comments or suggestions on how we can improve these instructions.

Erik is a seasoned IT professional with extensive experience in various IT-related fields including security, network management, and service management. He founded Art of WiFi in 2016 with the goal of enhancing the use of UniFi networks for organizations of all types, including businesses, non-profits, government agencies and more. With his wealth of knowledge and expertise, Erik is dedicated to helping clients optimize their UniFi infrastructure and achieve their goals.

1 Comment

  1. DAvid Plappert 2 months ago

    Been fighting this for a while. Finally, a good ol’ restart of my UDM-Pro (the UniFi-os) fixed the issue after following the above steps, and adding the port forwarding for 443 to my udm-pro (192.168.1.1 in my case)
