UniFi Gateway - Port Forwarding
Create Port Forwarding rules within UniFi Network in the Settings > Firewall & Security section. Refer to the troubleshooting steps below if your Port Forwarding rule is not working.
Your UniFi Gateway does not have a public IP address (Double NAT).
This happens if your UniFi Gateway is located behind another router/modem that uses NAT. You are likely affected by this if your UniFi Gateway has a WAN IP address in one of the following ranges:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- 100.64.0.0/10 (100.64.0.0 - 100.127.255.255)
To fix this issue, try to re-configure your ISP modem/router into bridge mode so that your UniFi Gateway can obtain a public IP address on the WAN interface.
If that is not supported, you will need to first forward the port(s) on the upstream router/modem to the WAN address of your UniFi Gateway in addition to forwarding them from your UniFi Gateway to the desired location. You may wish to contact your ISP to assist with port forwarding or providing a DMZ option that allows you to automatically forward the ports.
Note: When behind NAT and forwarding ports on the upstream router/modem, accessing the upstream router/modem's public IP from a client on the LAN (Hairpin NAT) will not work.
Your UniFi Gateway is already forwarding the port to another device or has UPnP enabled.
A given WAN port can only be forwarded to a single device within your network. For example, TCP port 443 can only be forwarded to one LAN port.
Note: It is possible to forward multiple WAN ports to the same LAN port.
Another possible cause is that UPnP is enabled and is already using the port. Try disabling UPnP in your UniFi Network Application’s Internet Settings.
Incoming traffic is not reaching the WAN interface of your UniFi Gateway.
In this case, the traffic is most likely blocked somewhere upstream, such as at the ISP modem/router, or a third party firewall. We recommend disabling any upstream firewalls for testing, and then contacting your ISP for more details.
The LAN host is blocking the port with a local firewall, or does not have the correct route configured.
In this case, the host/server on the LAN is not allowing outside connections to access the port. On Windows computers, this may be a result of the Windows Firewall rules. On Linux machines, this could be a result of the connection not being allowed in the iptables firewall. We recommend consulting with the particular client’s manufacturer for more information.
There is an incorrect route configured on the LAN host.
It is possible that the LAN host does not know how to reach the IP address of the Internet client. This can result if the default gateway is not configured correctly. You should verify your routing settings on the local host to resolve this situation.