UniFi OS consoles.

Configuring External Access to a UniFi OS-based Gateway: A Step-by-Step Guide

More and more of our captive portal customers have been asking for instructions on how to access the UniFi Network Application by the public IP address or hostname when using a UniFi Dream Machine, Dream Machine Pro, or Dream Router gateway.

For most cases where access from the outside to the web interface or API is needed, the following instructions apply: If you're not 100% sure, please contact your solution provider.

This updated guide assumes you are running a UniFi gateway with UniFi OS version 3.0 or higher with the new interface enabled. The instructions for previous UniFi OS versions can be found here.

If you wish to provide access to the API, you also need to create a local admin account. Specific instructions can be found at the end of the article.

Create a custom firewall rule

  • Open the Network Application from the UniFi OS home page

  • Navigate to Settings > Security > Traffic & Firewall Rules (select Advanced) > Internet

.

Create a port group:

  • Click on Create Port/IP Group

Create Port Group.
  • Give the Profile an appropriate name

  • Type should be Port Group

  • Enter 443 as Port, then click on Add

  • Click on Apply Changes

Create the firewall rule:

  • Click on Create Entry

Create the new Firewall Rule.
  • Type: select Internet Local from the dropdown list

  • Give the Rule an appropriate description, making it easy to see what the purpose of this rule is

  • Rule Applied: select Before Predefined Rules

  • Action: select the Accept radio button

  • IPv4 Protocol: select TCP from the dropdown list

Define the Source:

  • Source Type: select IP Address from the dropdown list and enter the allowed IPv4 Address

  • Alternatively, select IP Group and create one that contains the allowed source IP address(es)

Define the Destination:

Configure the Destination and Advanced settings.
  • Destination Type: select Port/IP Group from the dropdown list

  • Port Group: select previously created Port Group

  • Click on Apply Changes

Optional:

  • Set Advanced > Manual > Logging to Enable before applying the changes

The new firewall rule for Internet Local should now look like this:

Completed Firewall Rule.

Access by hostname

In cases where the gateway has a dynamic public IP address, it may be necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.

  • Navigate to Settings > Internet > Select WAN interface

  • Click on Create New Dynamic DNS

  • Select a service provider and follow their instructions

  • Click Save

  • Once set up correctly, you can access the web interface through a URL that is structured like this:

    • https://my-dynamic-hostname.ddns.net:443

Create local Account

To get API access on a UniFi OS device, a local admin account is required. Please follow these steps to create one:

  • Open the UniFi OS home page

  • Select Admins > Add Admin (using the + icon)

  • Create an Admin account similar to this example:

Create a local Admin user account.
  • Save the user account

For security reasons, we recommend that the password for this account be rotated on a regular basis. Don't forget to update the password in all external applications (captive portals, tooling, etc.) that use this local account.

Test & Verify

You should now be able to access the API using the local username and password that you just created for the account.

To verify that the firewall rule is properly configured, try to access the UniFi OS console by its WAN IP, its dynamic hostname, or the hostname associated with the IP address. If you do not see the UniFi OS login page, check for any source IP restrictions that are configured. If the firewall rule appears to have been applied properly, capturing and analyzing data using tcpdump or Wireshark will probably provide insights to resolve the issue.

Please open a topic in the Ubiquiti community if you need any help.

Suggestions/feedback

Please let us know if you have any comments or suggestions on how we can improve this guide.

NOTE: these instructions were updated on November 11th, 2024 to reflect the fact that the Direct Remote Connection is no longer supported.

Posted on: September 7th, 2023

On: UniFi

UniFi

UniFi OS

Firewalls

Share this on social media