pfSense firewall rules for Ubiquiti Cloud Key

My default pfSense rule is to block everything and only allow specific protocols outbound (internet bound), e.g. ports 80 and 443 are allowed. So, this is a reminder to myself of the ports I need to allow for my Ubiquiti Cloud Key and my Ubiquiti AP AC Lite to communicate with the Unifi website. This allows me to control my home network via the internet or use the Ubiquiti phone app when I’m on the move.

You can of course set this up on your own pfSense LAN (assuming that your network has a similar setup to mine). I’m making the assumption that you only allow certain protocols from your network to the internet.

  • Navigate to Firewall > Aliases > IP
  • Click “+Add”
  • Name = Ubiquiti_OUT_Host_WAN
  • Description = Ubiquiti OUT Host Wan
  • Type: Host(s)
  • IP or FQDN = unifi.ubnt.com
  • Description = Unifi FQDN
  • Click [Save]

  • Navigate to Firewall > Aliases > Ports
  • Click “+Add”
  • Name = Ubiquiti_OUT_Ports_WAN
  • Description = Ubiquiti OUT Ports WAN
  • Type: Port(s)
  • Port 3478 : STUN protocol
  • Port 8443 : Ubiquiti Cloud
  • Port 8543 : Ubiquiti Cloud Access
  • Port 11143 : Ubiquiti Cloud Access
  • Click [Save]

  • Navigate to Firewall > Rules
  • Select the interface you want to apply the rule to; the default is LAN (in my case it’s VL10_MGNT)
  • Click “⇑Add”
  • Action: Pass
  • Disabled: [ ]
  • Interface: LAN (Mine is VL10_MGNT)
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Source: LAN net (Mine is VL10_MGNT net)
  • Destination:
    • Single Host or alias
    • Ubiquiti_OUT_Host_WAN
  • Destination Port Range:
    • From: Other (Ubiquiti_OUT_Ports_WAN)
    • To: Other (Ubiquiti_OUT_Ports_WAN)
  • Click [Save]

Updated 14/08/2017 (Last piece of the puzzle)
I was having some difficulty with my Ubiquiti Unifi Cloud Key (I only open up ports explicitly on my firewall; everything is denied by default): every time I rebooted, or updated the firmware or software on the device, it would lose its connection to the Unifi website and I wouldn’t be able to control the devices online or from a mobile device.

After having a discussion on the Unifi Community website, I came to the conclusion that both the Cloud Key and the wireless access point rely on external time servers (external NTP servers) to update their time and date, and if the time and date were incorrect, it stopped the Cloud Key from authenticating to the Unifi website.

I do run NTP on my pfSense firewall appliance and this information is passed to most of the devices on my network via DHCP; unfortunately, not to the Ubiquiti devices, apparently.

So, in the end, I opened up port 123 outward (NTP Time Protocol) on my management VLAN and now everything is working fine.

  • Navigate to Firewall > Rules
  • Select the interface you want to apply the rule to; the default is LAN (in my case it’s VL10_MGNT)
  • Click “⇑Add”
  • Action: Pass
  • Disabled: [ ]
  • Interface: LAN (Mine is VL10_MGNT)
  • Address Family: IPv4
  • Protocol: UDP
  • Source: LAN net (Mine is VL10_MGNT net)
  • Destination:
    • any
  • Destination Port Range:
    • From NTP (123)
    • To NTP (123)
  • Click [Save]
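To sanity-check the two rule sets above against concrete flows before relying on them, here is an added Python model (not from this post and not pfSense code) of the aliases and first-match pass rules with the implicit default deny; the 10.10.10.0/24 prefix for VL10_MGNT and the hostnames used in the checks are assumptions.

```python
"""Model of the egress policy described above: two aliases, two pass rules,
and an implicit default deny. Constructed example, not a pfSense export."""
from ipaddress import ip_address, ip_network

# Aliases exactly as named on the page (Host(s) alias holds an FQDN,
# Port(s) alias holds the Unifi cloud ports).
ALIASES = {
    "Ubiquiti_OUT_Host_WAN": {"unifi.ubnt.com"},
    "Ubiquiti_OUT_Ports_WAN": {3478, 8443, 8543, 11143},
}

# Interface networks. The 10.10.10.0/24 prefix for the management VLAN is
# an assumption made for this example.
NETS = {"VL10_MGNT": ip_network("10.10.10.0/24")}

# Pass rules in evaluation order (first match wins), mirroring the GUI fields:
# protocol, source network, destination host/alias, destination port alias or number.
RULES = [
    {"proto": {"tcp", "udp"}, "src": "VL10_MGNT",
     "dst": "Ubiquiti_OUT_Host_WAN", "dport": "Ubiquiti_OUT_Ports_WAN"},
    {"proto": {"udp"}, "src": "VL10_MGNT", "dst": "any", "dport": 123},
]


def _ports(spec):
    """Expand a port alias name to its port set, or wrap a literal port."""
    return ALIASES[spec] if isinstance(spec, str) else {spec}


def _host_match(spec, dst):
    """'any' matches everything; otherwise expand a host alias or compare literally."""
    return spec == "any" or dst in ALIASES.get(spec, {spec})


def egress_allowed(src_ip, proto, dst, dport):
    """Return True if a flow src_ip -> dst:dport over proto is passed by a rule."""
    src = ip_address(src_ip)
    for rule in RULES:
        if (proto in rule["proto"] and src in NETS[rule["src"]]
                and _host_match(rule["dst"], dst)
                and dport in _ports(rule["dport"])):
            return True
    return False  # implicit default deny, as on the author's firewall
```

Because the NTP rule's destination is "any", the model passes UDP/123 to every host from the management VLAN; pinning it to the specific time servers the devices use would be a tighter policy.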

pfSense NTP rule.

References
Ubiquiti Community Forum
Cloud Key Port Requirements