Overview
Readers will learn how to forward UDP and TCP ports to an internal LAN device using the Port Forwarding feature on the UDM and USG models.
- Applicable to the latest firmware on all UDM and USG models.
- The Port Forwarding feature is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
- It is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule(s) to forward ports on the WAN2 interface on the USG models, see the section below.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring a Port Forwarding Rule
- USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT
- Troubleshooting Port Forwarding Issues
- Related Articles
Frequently Asked Questions (FAQ)
Do I need to manually create firewall rules for Port Forwarding?
No, firewall rules are automatically created to allow the ports to be forwarded to the internal LAN devices. It is not necessary to manually add firewall rules for the forwarded ports.
Can I forward ports on the WAN2 interface of the UDM/USG?
It is possible to use the Port Forwarding feature on the WAN2 interface of the UDM-Pro when using the Classic Web UI. Navigate to the
How does the Port Forwarding feature interact with UPnP?
Automatic entries created by UPnP take precedence over manually created Port Forwarding rules.
Do I need to manually configure Hairpin NAT?
No, Hairpin NAT is automatically enabled when configuring the Port Forwarding feature.
Can I limit which remote devices are allowed to use the forwarded ports?
Yes, by using the From option when creating or modifying a Port Forwarding rule. The default option is to allow all remote clients to use the forwarded port.
My Port Forwarding rule does not work, what should I do?
See the troubleshooting section below for more details.
Configuring a Port Forwarding Rule
The diagram below shows an example setup where the ISP provided modem/router is running in a bridged mode and the UDM-Pro is using a public IP address on the WAN interface.
After configuring a Port Forwarding rule for a TCP or UDP port (TCP port 443 in this example), the remote clients on the Internet will be able to directly communicate with the Web Server on the internal LAN.
There are several options available when creating a Port Forwarding rule:
From
The clients on the Internet that are allowed to use the Port Forwarding rule. Set to Anywhere by default, meaning all hosts. It is possible to limit the allowed hosts by specifying an IP address (for example 198.51.100.1) or subnet range (for example 198.51.100.0/24).
Port
The WAN port that the clients on the Internet connect to, for example 443. This does not need to match the port used on the internal LAN host. You can forward TCP port 10443 to TCP port 443, for example.
Forward IP
The IP address used by the internal LAN host, for example 192.168.1.10.
Forward Port
The port used by the internal LAN host, for example TCP port 443.
Follow the steps below to configure the Port Forwarding rule on the USG/UDM models:
1. Navigate to the Settings > Gateway > Port Forwarding section to add a Port Forwarding rule.
2. Select Create New Port Forward Rule and fill in the settings:
Name: webserver
Enable Forward Rule: Checked
From: Anywhere or Limited
Port: 443
Forward IP: 192.168.1.10
Forward Port: 443
Protocol: TCP
Enable Logging: Optional
3. Apply the settings.
On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.
4. The firewall rule(s) needed for the new Port Forwarding rule are automatically added.
5. You can verify the automatically created rules in the Settings > Internet Security > Firewall > WAN section.
1. Navigate to the Settings > Routing & Firewall > Port Forwarding section to add a Port Forwarding rule.
2. Select Create New Port Forward Rule and fill in the settings:
Name: webserver
Enabled: Enable this port forward rule
Interface: WAN / WAN2 / Both (UDM-Pro only)
From: Anywhere or Limited
Port: 443
Forward IP: 192.168.1.10
Forward Port: 443
Protocol: TCP
Enable Logging: Optional
3. Apply the changes.
4. The firewall rule(s) needed for the new Port Forwarding rule are automatically added.
5. You can verify the automatically created rules in the Settings > Routing & Firewall > Firewall section.
USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT
See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on using the JSON file.
Follow the steps below to forward ports on the WAN2 interface of the USG models (USG/USG-Pro). It is necessary to manually create a Destination NAT (DNAT) rule using the Command Line Interface (CLI) and a custom Firewall Rule using the Web UI. Afterwards, the config.gateway.json file needs to be created or updated to incorporate the custom configuration into the UniFi controller.
The first step is to create a new custom Firewall Rule using either the New or Classic Web UI:
1. Navigate to the Settings > Internet Security > Firewall > WAN section.
2. Create a new Firewall Port Group by selecting the Create New Group option.
3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example).
Name: https
Type: Port Group
Port: 443
4. Navigate to the Settings > Internet Security > Firewall > WAN section.
5. Create a new WAN Firewall Rule by selecting the Create New Rule option.
6. Fill in the information and select the previously created Port Group.
Type: WAN In
Description: webserver
Enabled: Checked
Rule Applied: After Predefined Rules
Action: Accept
IPv4 Protocol: TCP
Match all protocols except for this: Unchecked
Source: Optional
Destination > Destination Type: Address/Port Group
Destination > IPv4 Address Group: Any
Destination > Port Group: https (previously created)
Advanced: Optional
7. Apply the changes.
1. Navigate to the Settings > Routing & Firewall > Firewall > Groups section.
2. Create a new Firewall Port Group by selecting the Create New Group option.
3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example).
Name: https
Type: Port
Port: 443
4. Navigate to the Settings > Routing & Firewall > Firewall > Rules IPv4 > WAN IN section.
5. Create a new WAN IN Firewall Rule by selecting the Create New Rule option.
6. Fill in the information and select the previously created Port Group.
Name: webserver
Enabled: Checked
Rule Applied: After predefined rules
Action: Accept
IPv4 Protocol: TCP
Match all protocols except for this: Unchecked
Advanced > Logging: Optional
Advanced > States: Unchecked
Advanced > IPsec: Don't match on IPsec packets
Source: Optional
Destination > Destination Type: Address/Port Group
Destination > IPv4 Address Group: Any
Destination > Port Group: https (previously created)
7. Apply the changes.
The next step is to access the USG/USG-Pro using the Command Line Interface (CLI) and add a custom Destination NAT (DNAT) rule:
1. Enable SSH Authentication in the Settings > Network Settings > Device Authentication section and specify your username and password.
Enable SSH Authentication: Checked
SSH Username: <your-username>
SSH Password: <your-password>

Check and apply the

2. Apply the changes.
1. Download PuTTY and open the putty.exe executable file.
Host Name (or IP address): IP of USG/USG-Pro (for example 192.168.1.1)
NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.
Username: <ssh-username>
1. Open the macOS Terminal by searching for Terminal in the Launcher or by navigating to the Finder > Applications > Utilities section.
ssh <username>@<ip-address>
ssh unifiadmin@192.168.1.1
NOTE: See the How to Establish a Connection Using SSH article for more information on how to connect to the USG using SSH.
Username: <ssh-username>
3. After logging into the USG/USG-Pro, verify that the WAN2 interface is UP and that it is assigned an IP address.
show interfaces ; sudo ipset list ADDRv4_eth2
unifiadmin@usg:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address           S/L  Description
---------    ----------           ---  -----------
eth0         203.0.113.1/24       u/u  WAN
eth1         192.168.1.1/24       u/u  LAN
eth2         192.0.2.1/24         u/u  WAN2
lo           127.0.0.1/8          u/u
             ::1/128

unifiadmin@usg:~$ sudo ipset list ADDRv4_eth2
Name: ADDRv4_eth2
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
192.0.2.1
On the USG-Pro, the WAN2 interface uses eth3 instead and thus the address group will be ADDRv4_eth3.
4. Enter configuration mode with the command below:
configure
5. Add the Destination NAT rule for the WAN2 interface of the USG/USG-Pro (replace eth2 with eth3 for the USG-Pro):
set service nat rule 4001 description 'webserver'
set service nat rule 4001 destination group address-group ADDRv4_eth2
set service nat rule 4001 destination port 443
set service nat rule 4001 inbound-interface eth2
set service nat rule 4001 inside-address address 192.168.1.10
set service nat rule 4001 inside-address port 443
set service nat rule 4001 protocol tcp
set service nat rule 4001 type destination
6. Commit the changes and exit back to operational mode.
commit ; exit
The image below shows an example of the process:
7. Use the mca-ctrl -t dump-cfg command to display the entire config in JSON format:
mca-ctrl -t dump-cfg
8. The Destination NAT section of the configuration in JSON format can then be used in the config.gateway.json file.
{
    "service": {
        "nat": {
            "rule": {
                "4001": {
                    "description": "webserver",
                    "destination": {
                        "group": {
                            "address-group": "ADDRv4_eth2"
                        },
                        "port": "443"
                    },
                    "inbound-interface": "eth2",
                    "inside-address": {
                        "address": "192.168.1.10",
                        "port": "443"
                    },
                    "protocol": "tcp",
                    "type": "destination"
                }
            }
        }
    }
}
9. See the UniFi - USG/USG-Pro: Advanced Configuration Using JSON article for more information on how to create and modify the config.gateway.json file.
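As an added example (not part of the original article or of Ubiquiti's tooling), the Python script below audits the Destination NAT rules in a config.gateway.json before it is deployed: it checks that the address group matches the inbound interface (the eth2/eth3 substitution for the USG-Pro), that ports and the inside address are well formed, and that the same WAN port is not forwarded to two devices. The function names and rules 4002 and 4003 are constructed for illustration, and only single-port rules are assumed.

```python
import ipaddress
import json

# Constructed sample: 4001 is the article's rule; 4002 and 4003 are made-up broken rules.
SAMPLE_CONFIG = """
{"service": {"nat": {"rule": {
  "4001": {"description": "webserver",
    "destination": {"group": {"address-group": "ADDRv4_eth2"}, "port": "443"},
    "inbound-interface": "eth2",
    "inside-address": {"address": "192.168.1.10", "port": "443"},
    "protocol": "tcp", "type": "destination"},
  "4002": {"description": "eth3 rule still pointing at the eth2 group",
    "destination": {"group": {"address-group": "ADDRv4_eth2"}, "port": "8443"},
    "inbound-interface": "eth3",
    "inside-address": {"address": "192.168.1.11", "port": "443"},
    "protocol": "tcp", "type": "destination"},
  "4003": {"description": "second forward of WAN port 443",
    "destination": {"group": {"address-group": "ADDRv4_eth2"}, "port": "443"},
    "inbound-interface": "eth2",
    "inside-address": {"address": "192.168.1.20", "port": "443"},
    "protocol": "tcp", "type": "destination"}
}}}}
"""


def valid_port(value):
    text = str(value)
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535


def audit_dnat_rules(config_text):
    """Return [(rule_id, finding), ...] for the DNAT rules in a config.gateway.json text."""
    rules = json.loads(config_text).get("service", {}).get("nat", {}).get("rule", {})
    findings = []
    forwards = {}  # (interface, protocol, WAN port) -> (rule id, inside address)
    for rule_id in sorted(rules, key=int):
        rule = rules[rule_id]
        if rule.get("type") != "destination":
            continue  # source NAT and masquerade rules are out of scope
        iface = rule.get("inbound-interface", "")
        dest = rule.get("destination", {})
        inside = rule.get("inside-address", {})
        group = dest.get("group", {}).get("address-group", "")
        # The article pairs eth2 with ADDRv4_eth2 (eth3/ADDRv4_eth3 on the USG-Pro).
        if group != "ADDRv4_" + iface:
            findings.append((rule_id, f"address-group {group} does not match inbound-interface {iface}"))
        for where, port in (("destination", dest.get("port")), ("inside-address", inside.get("port"))):
            if not valid_port(port):
                findings.append((rule_id, f"{where} port {port!r} is not a single port 1-65535"))
        try:
            ipaddress.IPv4Address(inside.get("address", ""))
        except ValueError:
            findings.append((rule_id, f"inside-address {inside.get('address')!r} is not an IPv4 address"))
        # The same WAN port can only be forwarded to a single device.
        key = (iface, rule.get("protocol"), str(dest.get("port")))
        first = forwards.setdefault(key, (rule_id, inside.get("address")))
        if first[0] != rule_id and first[1] != inside.get("address"):
            findings.append((rule_id, f"WAN port {key[2]} on {iface} is already forwarded by rule {first[0]}"))
    return findings


if __name__ == "__main__":
    print(*audit_dnat_rules(SAMPLE_CONFIG), sep="\n")
```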
Troubleshooting Port Forwarding Issues
Refer to the troubleshooting steps below if the Port Forwarding or custom Destination NAT rule is not working. Either of the following options can be the cause:
In this scenario, the UDM/USG is located behind another router/modem that uses NAT. A sign of this setup is that the device is using a private (RFC1918) or CGNAT (RFC6598) IP address on the WAN1 or WAN2 interface. Your UDM/USG is located behind NAT if it is using an IP address on the WAN interface that is inside one of the ranges below:
In this case, the UDM/USG already has an existing port forwarding rule that is forwarding the port to another device. The same WAN port (for example TCP port 443) can only be forwarded to a single device, but you can forward multiple different WAN ports to the same port on the LAN (for example TCP port 10443 to 443 and TCP port 8443 to 443).
In this case, the traffic is either blocked upstream at the ISP modem/router or there is an issue affecting the client device.
CLI: Access the Command Line Interface on the UDM/USG using SSH.
After logging in with SSH, run the following command to capture the traffic. This command will print the traffic output directly to the screen when an Internet client tries to access the port (cancel with CTRL+C).
# tcpdump -n -i eth8 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0

# tcpdump -n -i eth9 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth9, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [S], seq 987770491, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [S.], seq 4189175926, ack 987770492, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1679: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1679 > 192.0.2.1.443: Flags [.], ack 2, win 256, length 0

UDM WAN (eth4)
# tcpdump -n -i eth4 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0

USG WAN1 (eth0) and WAN2 (eth2)
unifiadmin@usg:~$ sudo tcpdump -n -i eth0 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0

unifiadmin@usg:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0

USG-Pro WAN (eth2) and WAN2 (eth3)
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth2 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth8, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [.], ack 2, win 1026, length 0
IP 203.0.113.1.443 > 198.51.100.1.1609: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [.], ack 2, win 256, length 0

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth3 tcp port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [S], seq 3731603662, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [S.], seq 67104030, ack 3731603663, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1562 > 192.0.2.1.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [.], ack 2, win 1026, length 0
IP 192.0.2.1.443 > 198.51.100.1.1562: Flags [F.], seq 1, ack 2, win 1026, length 0

sudo tcpdump -n -i eth8 udp port 10001 and host 192.168.1.50
In this case, the host/server on the LAN is not allowing outside connections to access the port. For example, the Web Server used in this example will need to allow connections to TCP port 443. You can verify if the traffic is arriving by accessing the UDM/USG using SSH and running a tcpdump packet capture on the WAN1 or WAN2 interface. See the UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH article for more information on how to access the UDM/UDM-Pro using SSH and the section above for the USG/USG-Pro steps.
CLI: Access the Command Line Interface on the UDM/USG using SSH.
After logging in with SSH, run the following command to capture the traffic on the LAN interface of the UDM/USG. This command will print the traffic output directly to the screen when the port is forwarded to the internal LAN host (cancel with CTRL+C).
# tcpdump -n -i br0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG LAN (eth1)
unifiadmin@usg:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

USG-Pro LAN1 (eth0) and LAN2 (eth1)
unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth0 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

unifiadmin@usg-pro:~$ sudo tcpdump -n -i eth1 tcp port 443 and host 192.168.1.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [S], seq 3590991252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [S.], seq 3853666586, ack 3590991253, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 1, win 256, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [F.], seq 1, ack 1, win 256, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [.], ack 2, win 1026, length 0
IP 192.168.1.10.443 > 198.51.100.1.1611: Flags [F.], seq 1, ack 2, win 1026, length 0
IP 198.51.100.1.1611 > 192.168.1.10.443: Flags [.], ack 2, win 256, length 0

sudo tcpdump -n -i br0 udp port 10001 and host 192.168.1.50
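As an added example (not from the original article), the Python script below turns the troubleshooting cases above into one triage routine: it checks whether the WAN address falls in the RFC 1918 or RFC 6598 ranges, then reads saved `tcpdump -n` output from the WAN and LAN interfaces to see where the TCP handshake stops. The function names and the sample captures are constructed for illustration; only TCP forwards are covered.

```python
import ipaddress
import re

# RFC 1918 private ranges and the RFC 6598 CGNAT range.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# One packet line of `tcpdump -n` output, with or without a leading timestamp.
PACKET = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

# Constructed captures in the article's format (TCP options trimmed).
WAN_SYN_ONLY = """\
IP 198.51.100.1.1609 > 203.0.113.1.443: Flags [S], seq 1979002112, win 8192, length 0
"""
LAN_SYN_ONLY = """\
IP 198.51.100.1.1609 > 192.168.1.10.443: Flags [S], seq 1979002112, win 8192, length 0
"""
LAN_ANSWERED = LAN_SYN_ONLY + """\
IP 192.168.1.10.443 > 198.51.100.1.1609: Flags [S.], seq 2749614086, ack 1979002113, win 65535, length 0
"""


def wan_behind_nat(wan_ip):
    """True when the WAN address is in a private (RFC 1918) or CGNAT (RFC 6598) range."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NAT_RANGES)


def handshake_state(capture, server_ip, port):
    """Return 'none', 'syn-only' or 'answered' for connections to server_ip:port."""
    syn = answered = False
    for match in PACKET.finditer(capture):
        src, sport, dst, dport, flags = match.groups()
        if flags == "S" and dst == server_ip and int(dport) == port:
            syn = True  # client SYN arrived on this interface
        elif flags == "S." and src == server_ip and int(sport) == port:
            answered = True  # SYN-ACK came back from the server side
    if answered:
        return "answered"
    return "syn-only" if syn else "none"


def diagnose(wan_ip, wan_capture, wan_port, lan_ip, lan_capture, lan_port):
    """Map the WAN address and the two captures to one of the article's causes."""
    if wan_behind_nat(wan_ip):
        return "behind NAT: the WAN address is in a private or CGNAT range"
    if handshake_state(wan_capture, wan_ip, wan_port) == "none":
        return "no SYN on WAN: blocked upstream or a client-side problem"
    lan = handshake_state(lan_capture, lan_ip, lan_port)
    if lan == "none":
        return "not forwarded: check the rule and other forwards or UPnP entries on this port"
    if lan == "syn-only":
        return "host silent: the LAN host receives the SYN but does not answer"
    return "working: the handshake completes on the LAN side"


if __name__ == "__main__":
    print(diagnose("203.0.113.1", WAN_SYN_ONLY, 443, "192.168.1.10", LAN_SYN_ONLY, 443))
```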
Related Articles
UniFi - UDM/UDM-Pro: How to Login to the Dream Machine using SSH
UniFi - USG/USG-Pro: Advanced Configuration Using JSON
Intro to Networking - How to Establish a Connection Using SSH