Ralf Rottmann Angel Investor & Retired Founder. Passionate about the Internet, the social effects of new technology, net politics and digital culture. Prolight & Sound enthusiast. Mastodon · Threads · Threema · LinkedIn · Home 🇩🇪

Adopting Ubiquiti UniFi Access Points on the WAN port of UniFi Dream Machine Pro


Ubiquiti Dream Machine Pro Appliance

Recently, I had to expand an existing small business network with Ubiquiti WiFi components. I’ve been using the UniFi Dream Machine Pro at home for years and have come to love Ubiquiti’s products.

In a standard setup you connect the UDM’s WAN port to the existing network and the access points to the UDM’s LAN ports. In essence, the UDM Pro itself becomes a client on the existing network (e.g. 192.168.200.0/24) and creates an additional network on its LAN ports (e.g. 192.168.1.0/24). All access points then become clients of that LAN network. In order to have access points join the UDM, they have to be adopted. Adoption tends to work seamlessly in a standard setup: you physically connect a new access point, the new device auto-magically pops up in the UDM’s web interface and you click “Adopt”.

Things get a bit more complicated if you want your access points to sit on the WAN side of the UDM, effectively joining the pre-existing network (192.168.200.0/24).

Here is my configuration for UniFi OS 1.12.30, Network 7.2.94 (September 2022):

Do all of the below on Settings > Firewall & Security.

Add a firewall rule allowing traffic from the WAN port to be routed to the LAN network:

  • Type: Internet In
  • Description: WAN to LAN
  • Rule Applied: Before Predefined Rules
  • Action: Accept
  • IPv4 Protocol: TCP and UDP
  • Source Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Destination Type: Network
  • Network: Default
  • Network Type: IPv4 Subnet

Add a firewall rule allowing traffic from ports required for adoption to be routed from the local WAN side to the LAN side (which hosts the controller software):

  • Type: Internet Local
  • Description: Access Points 80, 8080, 443, 3478
  • Rule Applied: Before Predefined Rules
  • Action: Accept
  • IPv4 Protocol: TCP and UDP
  • Source Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Any
  • Destination Type: Port/IP Group
  • IPv4 Address Group: Any
  • Port Group: Adoption 80, 8080, 443, 3478 (you have to create this port group and add the four ports respectively)

Add two Port Forwarding rules:

  • Forward port 8080 from the WAN interface to the UDM Pro’s network controller on the local LAN side. In my case this is:
    • Name: Adoption 8080 WAN to LAN
    • Interface: WAN
    • From: Any
    • Port: 8080
    • Forward IP: 192.168.1.1
    • Forward Port: 8080
    • Protocol: Both

Do the same for port 3478 (STUN).

Next, make sure your access point has been factory reset. This is important. UniFi access points have a tendency not to adopt if they have been adopted before. Always start with a blank, factory-reset configuration.

Connect the access point to the WAN network (192.168.200.0/24). Find out its IP address. If you don’t have other means to do so, Ubiquiti offers a free Discovery Tool.

SSH into the access point. The factory default username and password are ubnt/ubnt. Tell the access point to adopt via the CLI command: set-inform http://[UDM-WAN-IP-ADDRESS]:8080/inform – in my case: set-inform http://192.168.200.150:8080/inform. Accept the incoming adoption request in the UDM’s web interface.
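Before SSHing into the access point it is worth confirming, from a host on the same WAN-side network (192.168.200.0/24), that the UDM’s WAN address actually answers on the adoption ports the rules above open. The following script is an added example written for this post; it is not Ubiquiti code and not part of the original article. It builds the set-inform URL from the UDM WAN address and attempts a TCP connection to ports 80, 8080 and 443. Port 3478 (STUN) is UDP, so a TCP connect cannot verify it and the script deliberately leaves it out of the reachability check; the function and variable names are my own.

```python
"""Pre-adoption check for a UniFi AP that sits on the UDM Pro's WAN side.

Added example (not from the post, not Ubiquiti code). It builds the
set-inform URL used in the post and checks that the UDM's WAN address
accepts TCP connections on the adoption ports before you run set-inform.
"""
import ipaddress
import socket
import sys

INFORM_PORT = 8080
# Port group from the post: 80, 8080, 443, 3478. Only the TCP ones can be
# verified with a plain connect; 3478 is STUN over UDP (assumption based on
# how STUN is normally carried) and is reported separately.
ADOPTION_TCP_PORTS = (80, 8080, 443)
STUN_UDP_PORT = 3478


def build_inform_url(udm_wan_ip: str, port: int = INFORM_PORT) -> str:
    """Return the inform URL for the controller's WAN-side IPv4 address.

    Raises ValueError if the address is not a valid IPv4 address, so a typo
    is caught here rather than as a silent adoption failure on the AP.
    """
    ip = ipaddress.ip_address(udm_wan_ip)
    if ip.version != 4:
        raise ValueError("set-inform target must be an IPv4 address")
    return f"http://{ip}:{port}/inform"


def set_inform_command(udm_wan_ip: str) -> str:
    """The exact command to paste into the AP's SSH session."""
    return f"set-inform {build_inform_url(udm_wan_ip)}"


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, etc.
        return False


def check_adoption_path(udm_wan_ip: str, timeout: float = 1.0) -> dict:
    """Map each TCP adoption port to whether the UDM WAN address answered.

    A False on 8080 means the 'Internet Local' rule or the 8080 port forward
    from the post is missing, so set-inform would fail.
    """
    build_inform_url(udm_wan_ip)  # validate first
    return {p: tcp_port_open(udm_wan_ip, p, timeout) for p in ADOPTION_TCP_PORTS}


if __name__ == "__main__":
    # Usage: python precheck.py 192.168.200.150   (the post's UDM WAN address)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.200.150"
    results = check_adoption_path(target)
    for port, ok in results.items():
        print(f"tcp/{port}: {'open' if ok else 'CLOSED'}")
    print(f"udp/{STUN_UDP_PORT}: not checked (STUN is UDP; verify via adoption)")
    print("Run on the AP:", set_inform_command(target))
```

Run it from a laptop plugged into the 192.168.200.0/24 segment; if tcp/8080 shows CLOSED, fix the firewall and port-forward rules before touching the access point.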

If you plan to use the Guest Hotspot feature with the Captive Portal, you have to add port forwarding for 8880 and 8843 to 192.168.1.1 respectively and firewall rules that allow traffic for Internet Local and these ports.

Final remarks: The firewall rules above could be set up more restrictively; specifically, you could limit source IP addresses and ports and even protocols. I’ve given a less restrictive configuration that always works. Once you’ve successfully adopted your access points, you can reconfigure the rules to be more restrictive and make sure nothing breaks.
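To make the tightening step concrete, here is an added example (my own code, not from the post and not how the UDM stores rules internally) that models the permissive “Internet Local” rule from above next to a narrowed variant, and evaluates sample packets against both. The narrowed ruleset only accepts traffic from the access points’ own WAN-side addresses, keeps 80/8080/443 TCP-only and 3478 UDP-only (the protocol split is my assumption based on how the inform channel and STUN are normally carried), and drops everything else. The AP address 192.168.200.20 and the attacker-style test address 192.168.200.99 are constructed sample values.

```python
"""Model the post's adoption firewall rule and a least-privilege variant.

Added example, not from the post. The Rule class and evaluate() are a
simplified stand-in for the UDM's rule table, enough to show what changes
when source addresses and protocols are restricted.
"""
from dataclasses import dataclass
import ipaddress

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
ADOPTION_PORTS = frozenset({80, 8080, 443, 3478})   # port group from the post
INFORM_TCP_PORTS = frozenset({80, 8080, 443})       # assumption: TCP services
STUN_UDP_PORTS = frozenset({3478})                  # assumption: STUN is UDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    protocols: frozenset        # subset of {"tcp", "udp"}
    sources: tuple              # ip_network objects allowed as source
    dst_ports: frozenset        # destination ports; empty set means any

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if proto not in self.protocols:
            return False
        if not any(ip in net for net in self.sources):
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


def evaluate(rules, src_ip: str, proto: str, dst_port: int) -> str:
    """First-match evaluation, like the post's 'Before Predefined Rules'.

    Anything no rule accepts falls through to an implicit drop.
    """
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.action
    return "drop"


def permissive_ruleset():
    """The post's rule: any source, TCP and UDP, ports 80/8080/443/3478."""
    return (
        Rule("Access Points 80, 8080, 443, 3478", "accept",
             frozenset({"tcp", "udp"}), (ANY_IPV4,), ADOPTION_PORTS),
    )


def tightened_ruleset(ap_addresses):
    """Same intent, restricted to the known APs and the protocol each port needs."""
    sources = tuple(ipaddress.ip_network(f"{a}/32") for a in ap_addresses)
    return (
        Rule("APs inform (TCP)", "accept", frozenset({"tcp"}), sources, INFORM_TCP_PORTS),
        Rule("APs STUN (UDP)", "accept", frozenset({"udp"}), sources, STUN_UDP_PORTS),
    )


if __name__ == "__main__":
    aps = ["192.168.200.20"]                  # constructed AP address
    loose, tight = permissive_ruleset(), tightened_ruleset(aps)
    samples = [("192.168.200.20", "tcp", 8080),   # AP inform: should pass
               ("192.168.200.20", "udp", 3478),   # AP STUN: should pass
               ("192.168.200.99", "tcp", 8080),   # unknown host: tight drops
               ("192.168.200.20", "udp", 8080)]   # wrong proto: tight drops
    for src, proto, port in samples:
        print(f"{src} {proto}/{port}: permissive={evaluate(loose, src, proto, port)} "
              f"tightened={evaluate(tight, src, proto, port)}")
```

The third sample line is the point of the exercise: with the permissive rule any host on the WAN-side network can reach the controller’s inform and STUN ports, whereas the tightened rules admit only the adopted access points. Apply the same narrowing to the port-forwarding rules’ “From” field once adoption works.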

I’m also still not sure whether the port forwarding is a hard requirement. When I removed the forwarding, adoption sometimes seemed to fail. So I keep it for now.
