More and more of our captive portal customers have been asking for instructions on how to access the UniFi Network Application by the public IP address or hostname when using a UniFi Dream Machine, Dream Machine Pro, or Dream Router gateway.
For most cases where access from the outside to the web interface or API is needed, the following instructions apply: If you're not 100% sure, please contact your solution provider.
This updated guide assumes you are running a UniFi gateway with UniFi OS version 3.0 or higher with the new interface enabled. The instructions for previous UniFi OS versions can be found here.
If you wish to provide access to the API, you also need to create a local admin account. Specific instructions can be found at the end of the article.
Open the Network Application from the UniFi OS home page
Navigate to Settings > Security > Traffic & Firewall Rules (select Advanced) > Internet
Click on Create Port/IP Group
Give the Profile an appropriate name
Type should be Port Group
Enter 443 as Port, then click on Add
Click on Apply Changes
Click on Create Entry
Type: select Internet Local from the dropdown list
Give the Rule an appropriate description, making it easy to see what the purpose of this rule is
Rule Applied: select Before Predefined Rules
Action: select the Accept radio button
IPv4 Protocol: select TCP from the dropdown list
Define the Source:
Source Type: select IP Address from the dropdown list and enter the allowed IPv4 Address
Alternatively, select IP Group and create one that contains the allowed source IP address(es)
Define the Destination:
Destination Type: select Port/IP Group from the dropdown list
Port Group: select previously created Port Group
Click on Apply Changes
Optional:
Set Advanced > Manual > Logging to Enable before applying the changes
The new firewall rule for Internet Local should now look like this:
In cases where the gateway has a dynamic public IP address, it may be necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.
Navigate to Settings > Internet > Select WAN interface
Click on Create New Dynamic DNS
Select a service provider and follow their instructions
Click Save
Once set up correctly, you can access the web interface through a URL that is structured like this:
https://my-dynamic-hostname.ddns.net:443
To get API access on a UniFi OS device, a local admin account is required. Please follow these steps to create one:
Open the UniFi OS home page
Select Admins > Add Admin (using the + icon)
Create an Admin account similar to this example:
Save the user account
For security reasons, we recommend that the password for this account be rotated on a regular basis. Don't forget to update the password in all external applications (captive portals, tooling, etc.) that use this local account.
You should now be able to access the API using the local username and password that you just created for the account.
To verify that the firewall rule is properly configured, try to access the UniFi OS console by its WAN IP, its dynamic hostname, or the hostname associated with the IP address. If you do not see the UniFi OS login page, check for any source IP restrictions that are configured. If the firewall rule appears to have been applied properly, capturing and analyzing data using tcpdump or Wireshark will probably provide insights to resolve the issue.
Please open a topic in the Ubiquiti community if you need any help.
Please let us know if you have any comments or suggestions on how we can improve this guide.
NOTE: these instructions were updated on November 11th, 2024 to reflect the fact that the Direct Remote Connection is no longer supported.
Copyright © 2023 Art of WiFi