CaptiFi

UniFi Gateway - Port Forwarding

Configure external access to your UniFi controller for CaptiFi integration

Essential setup for remote controller access

Port Forwarding allows external devices or services to access specific resources within your UniFi networkβ€”such as a web server, security camera, or gaming consoleβ€”by forwarding incoming traffic from your public IP to a designated internal IP and port.

For CaptiFi integration, port forwarding enables our system to authenticate guests, manage network settings, and provide real-time analytics by making your UniFi controller remotely accessible.

For highly customizable NAT configuration, refer to the UniFi Network Application documentation.
For a full overview of UniFi's Traffic and Policy Management capabilities, see the official UniFi documentation.
For a full overview of UniFi's Network and Cyber Security capabilities, see the official UniFi documentation.

Your Public IP Address

Automatically detected for your convenience

Detecting...

🚨 Prerequisites: Critical Setup Steps

Before configuring port forwarding, you must verify these essential requirements. If these prerequisites aren't met, port forwarding will not work.

1. πŸ” Verify Your WAN Has a True Public IP

Log into your UniFi Gateway and check its WAN IP address.

❌ If your WAN IP starts with any of these ranges, port forwarding will NOT work:

10.x.x.x
Private Network
192.168.x.x
Private Network
172.16-31.x.x
Private Network
100.64-127.x.x
CGNAT Range
⚠️ Your ISP is using Double NAT / CGNAT

Port forwarding cannot work in this configuration. You need to:

  • β€’ Put the ISP modem/router into bridge mode, so your UniFi gets the public IP directly
  • β€’ Ask your ISP for a static public IP or DMZ option
  • β€’ For Starlink users: Purchase the Static IP add-on (Β£8-10/month)
  • β€’ Contact CaptiFi support for alternative solutions if these options aren't available

βœ… If your WAN IP looks like this, you're good to proceed:

92.40.205.84
True Public IP
145.224.67.79
True Public IP
82.xxx.xxx.xxx
True Public IP

2. βš™οΈ Configure Port Forwarding Correctly

πŸ”‘ For Cloud Key Gen2:

WAN Port: 443
Forward IP: 192.168.1.30
Forward Port: 8443
Protocol: TCP

Result: https://your-public-ip:443 β†’ Cloud Key's web interface

🌐 For UDM / UDM Pro / UDM SE:

WAN Port: 443
Forward IP: 192.168.1.1
Forward Port: 443
Protocol: TCP

Result: https://your-public-ip:443 β†’ UDM's web interface

3. πŸ§ͺ Test From Outside Your Network

Important: You must test from outside your network (not on your WiFi). Use mobile data or ask someone external to test.

For Cloud Key Gen2:

https://YOUR_PUBLIC_IP:8443

For UDM/UDM Pro/UDM SE:

https://YOUR_PUBLIC_IP:443

βœ… Success: If you see the UniFi login page, port forwarding is working correctly.

Configuring a Port Forward

πŸ“ Navigate to Policy-Based Routing Rules

Follow the path depending on your UniFi Network version:

Network 9.4:
Settings > Policy Engine > Port Forwarding
Network 9.3:
Settings > Policy Table > Create New Policy > Port Forwarding

βš™οΈ Port Forward Rule Configuration

Basic Settings:
CaptiFi Controller Access

Assign a descriptive name to the rule

All WANs

Choose to use only one, or all WANs

Specify Incoming Traffic:
443

For Cloud Keys: use 443
For UDM/UDM Pro: use 443

Anywhere

All incoming traffic or specified IPs

Both (TCP/UDP)

Choose TCP, UDP, or Both

Forward IP Address and Port:

This should correspond to the device you are forwarding traffic to:

πŸ”‘ Cloud Key:
192.168.1.30

Your Cloud Key's LAN IP

8443
🌐 UDM:
192.168.1.1

Your UDM's LAN IP

443
⚑ UDM Pro:
192.168.1.1

Your UDM Pro's LAN IP

443
Optional Settings:

βœ… Test Your Configuration

After saving the port forward rule, test access using:

Cloud Key:

https://YOUR_PUBLIC_IP:8443

UDM/UDM Pro:

https://YOUR_PUBLIC_IP:443

Troubleshooting

There are a few common reasons why a Port Forwarding rule may not seem to work as expected.

🚨 Your UniFi Gateway does not have a public IP address (Double NAT or CGNAT)

This happens if your UniFi Gateway is located behind another router/modem that uses NAT. You are likely affected by this if your UniFi Gateway has a WAN IP address in one of the following ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
100.64.0.0/10
Solutions:
  • β€’ Re-configure your ISP modem/router into bridge mode so your UniFi Gateway can obtain a public IP
  • β€’ Forward ports on both the upstream router/modem AND your UniFi Gateway
  • β€’ Contact your ISP for DMZ option or port forwarding assistance
  • β€’ Note: Hairpin NAT will not work when behind NAT

⚠️ Your UniFi Gateway is already forwarding the port to another device or has UPnP enabled

A given WAN port can only be forwarded to a single device within your network. For example, TCP port 443 can only be forwarded to one LAN port.

Solutions:
  • β€’ Check for existing port forward rules for the same port
  • β€’ Try disabling UPnP in your UniFi Network Application's Internet Settings
  • β€’ Note: Multiple WAN ports CAN be forwarded to the same LAN port

🌐 Incoming traffic is not reaching the WAN interface of your UniFi Gateway

In this case, the traffic is most likely blocked somewhere upstream, such as at the ISP modem/router, or a third party firewall.

Solutions:
  • β€’ Disable any upstream firewalls for testing
  • β€’ Contact your ISP for assistance
  • β€’ Use online port checkers to verify port accessibility

πŸ”’ The LAN host is blocking the port with a local firewall, or does not have the correct route configured

In this case, the host/server on the LAN is not allowing outside connections to access the port.

Common Causes:
  • β€’ Windows Firewall rules blocking connections
  • β€’ Linux iptables firewall restrictions
  • β€’ UniFi controller firewall settings
  • β€’ Consult your device manufacturer's documentation

πŸ”„ There is an incorrect route configured on the LAN host

It is possible that the LAN host does not know how to reach the IP address of the Internet client. This can result if the default gateway is not configured correctly.

Solution:

Verify your routing settings on the local host to resolve this situation. Ensure the default gateway points to your UniFi Gateway.

πŸ†˜ Need Additional Help?

πŸ“§ CaptiFi Support

Our technical support team specializes in UniFi integrations and can help with complex networking setups.

Email Support

πŸš€ Ready to Integrate?

Once your controller is accessible, you can connect it to CaptiFi for powerful guest management.

CaptiFi Dashboard

© 2025 CaptiFi Limited. All rights reserved. | This guide follows official Ubiquiti documentation structure.