Configuring External Access to a UniFi OS-based Gateway: A Step-by-Step Guide

More and more of our captive portal customers have been asking for instructions on how to access the UniFi Network Application by the public IP address or hostname when using a UniFi Dream Machine, Dream Machine Pro, or Dream Router gateway.

For most cases where access from the outside to the web interface or API is needed, the following instructions apply. If you are not completely sure, please contact your solution provider.

This updated guide assumes you are running a UniFi gateway with UniFi OS version 3.0 or higher with the new interface enabled. The instructions for previous UniFi OS versions can be found here.

With UniFi OS version 3.0 and higher, there are two possible approaches for allowing external access to port 443 on your UniFi OS-based gateway:

  1. Enable the new Direct Remote Connection option

    • Pros: easy to switch on and off; the firewall rule is created for you automatically

    • Cons: with the automatically generated firewall rules, there are no source restrictions, which means every device on the public internet can connect to port 443 on your UDM PRO

    • NOTE: this option is no longer available on UniFi Network Application versions 8.x and higher

  2. Create a custom firewall rule

    • Pros: full control over the firewall rule configuration options, for example, to apply source restrictions to only allow access from one or more specified IP addresses

    • Cons: takes more time to configure

If you wish to provide access to the API, you need to create a local admin account for both scenarios. Specific instructions for this can be found at the end of the article.

1. Enable the Direct Remote Connection option

  • Open the Network Application from the UniFi OS home page

  • Navigate to System > Advanced

  • Enable the Direct Remote Connection option

Enable Direct Remote Connection.

  • Click on Apply Changes

This results in the creation of a firewall rule that looks like this:

Firewall rule for Direct Remote Connection.

2. Create a custom firewall rule

  • Open the Network Application from the UniFi OS home page

  • Navigate to Settings > Firewall & Security > Firewall Rules > Internet

Firewall and Security panel.

Create a port group:

  • Click on Create Port/IP Group

Create Port Group.

  • Give the Profile an appropriate name

  • Type should be Port Group

  • Enter 443 as Port, then click on Add

  • Click on Apply Changes

Create the firewall rule:

  • Click on Create Entry

Create the new Firewall Rule.

  • Type: select Internet Local from the dropdown list

  • Give the Rule an appropriate description, making it easy to see what the purpose of this rule is

  • Rule Applied: select Before Predefined Rules

  • Action: select the Accept radio button

  • IPv4 Protocol: select TCP from the dropdown list

Define the Source:

  • Source Type: select IP Address from the dropdown list and enter the allowed IPv4 Address

  • Alternatively, select IP Group and create one that contains the allowed source IP address(es)

Define the Destination:

Configure the Destination and Advanced settings.

  • Destination Type: select Port/IP Group from the dropdown list

  • Port Group: select previously created Port Group

  • Click on Apply Changes

Optional:

  • Set Advanced > Manual > Logging to Enable before applying the changes

The new firewall rule for Internet Local should now look like this:

Completed Firewall Rule.

Access by hostname

In cases where the gateway has a dynamic public IP address, it may be necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.

  • Navigate to Settings > Internet > Select WAN interface

  • Click on Create New Dynamic DNS

  • Select a service provider and follow their instructions

  • Click Save

  • Once set up correctly, you can access the web interface through a URL that is structured like this:

    • https://my-dynamic-hostname.ddns.net:443

Create local Account

To get API access on a UniFi OS device, a local admin account is required. Please follow these steps to create one:

  • Open the UniFi OS home page

  • Select Admins > Add Admin (using the + icon)

  • Create an Admin account similar to this example:

Create a local Admin user account.

  • Save the user account

For security reasons, we recommend that the password for this account be rotated on a regular basis. Don't forget to update the password in all external applications (captive portals, tooling, etc.) that use this local account.

Test & Verify

You should now be able to access the API using the local username and password that you just created for the account.

To verify that the firewall rule is properly configured, try to access the UniFi OS console by its WAN IP, its dynamic hostname, or the hostname associated with the IP address. If you do not see the UniFi OS login page, check for any source IP restrictions that are configured. If the firewall rule appears to have been applied properly, capturing and analyzing data using tcpdump or Wireshark will probably provide insights to resolve the issue.
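As an added check that is not part of the original guide (and not Ubiquiti code), the following Python script does two things: it flags Accept rules that open port 443 on Internet Local without any source restriction, which is the drawback of the Direct Remote Connection option noted earlier, and it classifies how the console answers a probe from the machine it runs on, so a timeout from a disallowed source versus a completed TLS handshake from the allowed one confirms the rule. The rule dictionaries, the 203.0.113.10 address and the hostname are constructed for the example.

```python
import socket
import ssl

# Constructed sample rules that mirror the two scenarios in the guide; this is not
# a UniFi export format, just the fields the guide tells you to set.
RULES = [
    {"description": "Direct Remote Connection", "type": "Internet Local",
     "action": "Accept", "protocol": "TCP", "ports": [443], "source": None},
    {"description": "Captive portal to console", "type": "Internet Local",
     "action": "Accept", "protocol": "TCP", "ports": [443],
     "source": ["203.0.113.10"]},  # hypothetical allowed source address
]


def unrestricted_accepts(rules, port=443):
    """Descriptions of Internet Local Accept rules that open `port` to every source."""
    return [r["description"] for r in rules
            if r["type"] == "Internet Local" and r["action"] == "Accept"
            and port in r["ports"] and not r.get("source")]


def probe_console(host, port=443, timeout=5.0):
    """Classify how the console answers from this machine's source address.

    open     -> TCP connect and TLS handshake succeeded: the rule accepts you
    filtered -> no reply at all: typical when your source IP is not allowed
    closed   -> RST received: something answered, but nothing listens on `port`
    dns      -> the (dynamic) hostname did not resolve
    error    -> any other socket failure (see 'detail')
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # consoles often use a self-signed cert; reachability only
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"state": "open", "detail": tls.version()}
    except socket.gaierror as exc:
        return {"state": "dns", "detail": str(exc)}
    except (TimeoutError, socket.timeout) as exc:
        return {"state": "filtered", "detail": str(exc)}
    except ConnectionRefusedError as exc:
        return {"state": "closed", "detail": str(exc)}
    except OSError as exc:
        return {"state": "error", "detail": str(exc)}


if __name__ == "__main__":
    print("rules with no source restriction:", unrestricted_accepts(RULES))
    print(probe_console("my-dynamic-hostname.ddns.net"))  # hostname from the guide
```

Run the probe once from the allowed source address and once from any other host; only the first should report "open", and a "filtered" result from the allowed host points at the rule order or the Port Group rather than at the console itself.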

Please open a topic in the Ubiquiti community if you need any help.

Suggestions/feedback

Please let us know if you have any comments or suggestions on how we can improve this guide.

Posted on: September 7th, 2023

On: UniFi, UniFi OS, Firewalls
