Remote Connection to UDM #165
-
You need to create a specific firewall rule for this, not a port forward. Please read this blog post on our web site for further details:
-
We manage several UDM PROs where we use the API. Do make sure you’re pointing to the public IP address of the UDM PRO’s WAN interface. When using WAN failover or a dynamic IP address you’ll need to use a Dynamic DNS service. Works like a charm here, even with Dynamic DNS.
-
Okay, here's the update...
First, please update your instructions to show the new interface. The new interface is no longer the exception, it is the expectation. Even Ubiquiti themselves sent similar instructions but in the legacy interface, and yes I bit their head off for that too. :)
When you declare a SOURCE Port Group, as I was, for port 443, it does not work. So what you would think to be a proper firewall rule: Inbound traffic FROM or via port 443 send to such and such destination. If you leave the SOURCE Port Group at Any, it works. You cannot declare a source port group or specific ports. Or, perhaps there are other ports in play here other than 443? Some redirect for Tomcat or whatever?
So think about that for a second... The rule that works says that ANY request on ANY port send it ALL to port 443. That doesn't make sense to me. Why not be allowed to make it stronger by declaring a one-to-one rule?
Additionally, using the same logic as above, and you give it a DESTINATION of: Does not work. Shouldn't it? If Ubiquiti is saying that the suggested firewall rule is to allow ALL traffic coming in and slinging it over to port 443? What's good for the goose is not good for the other gooses?
The firewall rule currently needs to be (though I believe to be flawed) you must accept ALL TCP IP traffic (yes IP address filtering works) from ALL ports and send it to Port 443 (or even Any). It has to be unnecessarily more exposed to work.
Beta Was this translation helpful? Give feedback.
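Added example, not part of the thread and not UniFi's rule engine: a generic TCP rule matcher showing why a rule keyed on source port 443 matches no inbound client connection (clients pick an ephemeral source port; 443 is the destination port), and how a source-IP allowlist narrows exposure while the source port stays at Any. The `Packet` and `Rule` types, the rule names and the addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int   # chosen by the client's OS from the ephemeral range
    dst_port: int   # the service port on the gateway

@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: tuple                  # CIDR strings; 0.0.0.0/0 means Any
    src_ports: Optional[frozenset]   # None means Any
    dst_ports: Optional[frozenset]   # None means Any

    def matches(self, p: Packet) -> bool:
        ip_ok = any(ip_address(p.src_ip) in ip_network(n) for n in self.src_nets)
        sport_ok = self.src_ports is None or p.src_port in self.src_ports
        dport_ok = self.dst_ports is None or p.dst_port in self.dst_ports
        return ip_ok and sport_ok and dport_ok

# Constructed sample of inbound connection attempts.
PACKETS = [
    Packet("203.0.113.10", 51514, 443),  # allowlisted web server -> HTTPS
    Packet("203.0.113.10", 49822, 22),   # allowlisted web server -> SSH
    Packet("198.51.100.7", 40312, 443),  # unknown host -> HTTPS
]

ANY_NET = ("0.0.0.0/0",)
API_HOSTS = ("203.0.113.10/32",)  # hypothetical allowlisted API client

RULES = [
    Rule("src-port-443", ANY_NET, frozenset({443}), None),       # source port group 443
    Rule("any-any", ANY_NET, None, None),                        # everything open
    Rule("allowlist-to-443", API_HOSTS, None, frozenset({443})), # source IP + dest port
]

def accepted(rule: Rule) -> list:
    """Return the sample packets the rule would accept."""
    return [p for p in PACKETS if rule.matches(p)]

def summary() -> dict:
    return {r.name: len(accepted(r)) for r in RULES}

if __name__ == "__main__":
    for name, n in summary().items():
        print(f"{name}: accepts {n} of {len(PACKETS)} sample connections")
```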
-
I'm completely missing something somewhere... Attempting to connect to a UDM remotely which is cloud managed at unifi.ui.com as normal, at first just attempting a normal web UI connection via HTTPS 443 by opening up the port forward to the UDM's local LAN address to allow the connection in Firewall & Security. Pretty standard stuff, so I thought. It is not answering the call. Am not getting the web UI login. Though VPNing to the UDM can get it via the local LAN address.
What have I missed? The ultimate goal of course is to use the API coming from my web servers, which would be 'whitelisted' in the UDM's firewall to allow the connections. But currently stuck at just getting anything. Is there somewhere else in the UDM (or UniFi cloud) that is holding this up? Thanks.