UniFi OS consoles.

How to Access the UniFi Controller by WAN IP or hostname on a UDM (Pro), pre-UniFi OS 3.X

This blog post applies to UniFi OS consoles with versions lower than 3.X.

See this blog post for instructions based on the newer user interface that was introduced with UniFi OS 3.X.

More and more of our captive portal customers have been asking for instructions on how to access the UniFi Network Application by the public IP address or hostname when using a UniFi Dream Machine, Dream Machine Pro, or Dream Router gateway.

Most of the time, when access from the outside is needed to the web interface or API, the following instructions apply: if you're not sure, contact your solution provider.

These instructions assume you are using the classic or legacy interface. In the future, we plan on updating this post with instructions based on the new interface.

Create firewall rule

  • Open de UniFi Controller/Network Application

  • Navigate to Settings > Routing & Firewall > Firewall > WAN LOCAL

firewall rules.
  • Select Create New Rule

  • Apply the following values to the respective fields:

    • Name: apply a logical name, e.g. WAN access

    • Rule Applied: Before pre-defined rules

    • Action: Accept

    • IPv4 Protocol: TCP

    • Destination: Create and save a new port group with port 443 in the group

Create new port group.
  • Save the firewall rule

  • The firewall fuels for WAN LOCAL should now look like this:

Updated firewall rules.

Apply optional source restrictions

To restrict access, you can also apply a “source restriction” to this firewall rule to make access available only to certain external IP addresses. Create an IPV4 Address Group in the Source section containing the external IP addresses that are allowed access. All other addresses are denied access.

The port group and MAC address settings in the source section can remain untouched.

Access by hostname

In cases where the gateway has a dynamic public IP address or where WAN failover is used, it is necessary to use a dynamic hostname to access the UDM, UDM PRO, or UDR from the internet.

  • Navigate to Settings > Services > Dynamic DNS

  • Select Create New Dynamic DNS

  • Select a service provider and follow their instructions

  • Once set up correctly you can access the web interface through a URL structured like so:

    • https://my-dynamic-hostname.ddns.net:443

Create local Account

For API access to a UniFi OS device, a local admin account is required. Please follow these steps to create one:

  • Open the UniFi OS Console

UniFi OS main page.
  • Select Users > Add User

  • Create a user account similar to this example:

UniFi OS, local account example.
  • Save the user account

Test & Verify

You should now be able to access the API using the local username and password that you just created for the account.

To verify that the firewall rule is properly configured, try to access the UniFi OS console by its WAN IP, its dynamic hostname, or the hostname associated with the IP address. If you do not see the UniFi OS login page, check any source IP restrictions configured. If the firewall rule appears to have been applied properly, advanced troubleshooting with tcpdump may provide the clearest indication of the issue.

Please open a topic in the Ubiquiti community if you need any help.


Please let us know if you have any comments or suggestions on how we can improve these instructions.

Posted on: April 7th, 2022

On: UniFi


UniFi OS


Share this on social media