UniFi OS Consoles with ZBF.

Configuring External Access to a UniFi OS-based Gateway using the new Zone-Based Firewall: A Step-by-Step Guide

This latest version of the guide assumes you are running a UniFi gateway with UniFi OS version 4.0 or higher and Network Application version 9.0.x with the new Zone-Based Firewall enabled. The instructions for previous UniFi OS versions can be found here and for the classic firewall here.

More and more of our captive portal customers have been asking for instructions on how to access the UniFi Network Application by the public IP address or hostname when using a UniFi Dream Machine, Dream Machine Pro, or Dream Router gateway with the latest Zone-Based Firewall enabled.

For most cases where access from the outside to the web interface or API is needed, the following instructions apply. If you're not 100% sure, please contact your solution provider.

To allow access to the API, you also need to create a local admin account. Specific instructions for this can be found at the end of this article.

Create a custom Firewall policy

  • Open the Network Application from the UniFi OS home page

  • Navigate to Settings > Security > Firewall

  • If you have enabled the Zone-Based Firewall you should see something similar to this:


Create a new Policy:

  • Click on the Create Policy link below the list of existing policies

  • Follow the example provided in the screenshot below

  • Give the Policy a Name

Configure the Source Zone:

  • Select External as the Source Zone

  • To allow access only for specific external IP addresses, select the IP option

  • Select Object

  • Click on New to create a new Network Object

  • Give the Object a name

  • Add one or more IP addresses or subnets that should be allowed access, then click on Create

  • Make sure to select the newly created Object ("Allowed servers" in the above example)

  • Under Port select Any

  • Once the Source Zone is configured, select Allow under Action.

Configure the Destination Zone:

  • Select Gateway as the Destination Zone

  • Select Any

  • Under Port select Object

  • Create a New Object

  • Give the Object a name ("Port 443" in the above example)

  • Enter 443 as Port, then click on Add

  • Click on Create

Configure options for the New Policy

  • IP Version should be set to IPv4

  • Protocol can be set to All or TCP (recommended)

  • Connection State should be set to All

  • Schedule should be set to Always

  • Optionally add a description to the Policy

  • Click on Apply Changes to save the new Policy

Access by hostname

In cases where the gateway has a dynamic public IP address, it may be necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.

  • Navigate to Settings > Internet and select the WAN interface

  • Click on Create New Dynamic DNS

  • Select a service provider and follow their instructions

  • Click Save

  • Once set up correctly, you can access the web interface through a URL that is structured like this:

    • https://my-dynamic-hostname.ddns.net:443

Create local Account

To get API access on a UniFi OS device, a local admin account is required. Please follow these steps to create one:

  • Open the UniFi OS home page

  • Select Admins > Add Admin (using the + icon)

  • Create an Admin account similar to this example:

  [Screenshot: Create a local Admin user account]

  • Save the user account

For security reasons, we recommend that the password for this account be rotated on a regular basis. Don't forget to update the password in all external applications (captive portals, tooling, etc.) that use this local account.

Test & Verify

You should now be able to access the API using the username and password of the local account you just created.

To verify that the firewall rule is properly configured, try to access the UniFi OS console by its WAN IP, its dynamic hostname, or the hostname associated with the IP address. If you do not see the UniFi OS login page, check any source IP restrictions that are configured. If the firewall rule appears to have been applied properly, capturing and analyzing the traffic with tcpdump or Wireshark will usually show where the connection is being dropped.
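The checks just described, as an added Python script that is not part of the original guide: a TCP probe that tells a policy drop (timeout) apart from an allowed-but-unused port (refused), followed by an API login with the local admin account. It assumes, as the guide does, that the console is exposed on TCP 443, and it assumes that UniFi OS accepts `POST /api/auth/login` with a JSON username/password body; verify that against your own console.

```python
"""Check external access to a UniFi OS console through the ZBF policy (added example).

Assumed, not from the guide: the console listens on TCP 443 (the "Port 443" object)
and UniFi OS accepts POST /api/auth/login with a JSON username/password body. Run it
from a host inside the "Allowed servers" object and from one outside it; the second
run should report "filtered" if the source IP restriction works.
"""
import json
import socket
import ssl
import sys
import urllib.error
import urllib.request

def tcp_probe(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Classify the TCP handshake result:
    open     - SYN/ACK: External -> Gateway policy matched and the service listens
    refused  - RST: traffic reached the gateway but nothing listens on that port
    filtered - timeout: typical of a source IP that is not in the allowed object"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # no route, DNS failure, ...
        return f"error: {exc}"

def api_login(host: str, username: str, password: str, port: int = 443) -> bool:
    """Authenticate with the local admin account; True on HTTP 200."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # consoles usually present a self-signed cert;
    ctx.verify_mode = ssl.CERT_NONE  # pin the console's certificate in real tooling
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"https://{host}:{port}/api/auth/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:  # 401/403: bad credentials or not a local admin
        return False

if __name__ == "__main__":  # usage: script.py <wan-ip-or-hostname> [user] [password]
    gw = sys.argv[1]
    print("tcp/443:", tcp_probe(gw))
    if len(sys.argv) == 4:
        print("api login:", api_login(gw, sys.argv[2], sys.argv[3]))
```

A "filtered" result from a host that should be allowed usually means its public IP is not in the Network Object; a "refused" result means the policy passed the traffic and the problem lies on the console side.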

Please open a topic in the Ubiquiti community if you need any help.

Suggestions/feedback

Please let us know if you have any comments or suggestions on how we can improve this guide.

NOTE: these instructions were updated on November 11th, 2024 to reflect the fact that the Direct Remote Connection is no longer supported.

Posted on: January 14th, 2025

By: Art of WiFi


About the author

Art of WiFi

We are dedicated to providing software solutions and services for UniFi networks. Our portfolio consists of captive portals, reporting tools, dashboards, and solutions built to custom specifications.