Sometimes it's necessary to work on a UniFi networking issue directly on the Security Gateway, but what if you don't have a jump box on the network to connect to it through? Enable SSH from the controller!

Before you start, you'll want to know your public IP address, so that you don't open SSH to just anyone. The easiest way is to run curl ifconfig.me from PowerShell or Terminal (on Mac/Linux).

> curl ifconfig.me
75.150.117.35

Now with that, you can start building the firewall rule on the UniFi controller. In the Site settings under Routing & Firewall -> Firewall, the rules are broken down by zone. The one we care about is "WAN Local", which holds the rules for traffic from the WAN to the gateway. Now let's create a new rule in the WAN Local zone:

UniFi Firewall Rule
  • Name: Allow SSH
  • Enabled: On
  • Rule Applies: Before predefined rules
  • Action: Accept
  • IPv4 Protocol: TCP
  • Logging: Enable logging
  • States: New, Established, Related
  • Source Type: IP Address
  • IPv4 Address: Your public address
  • Destination Type: Address/Port Group
  • Port Group: Create a new port group named "SSH" with the port set to "22"

After you save your rule, you'll be able to SSH into your security gateway through the WAN IP of the appliance.
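
The rule above is only as tight as the address typed into its IPv4 Address field, so here is an added example (not part of the original post) that checks a lookup answer is a single public IPv4 address before you use it as the rule's source. The function name is_public_ipv4 and the sample answers are constructed for illustration; curl's -4 flag forces an IPv4 lookup, which matches the IPv4-only rule.

```shell
#!/bin/sh
# Added example (not from the original post): validate a "what is my IP"
# answer before using it as the source address of the Allow SSH rule.

# is_public_ipv4 ADDR -> exit status 0 only for one public IPv4 dotted quad.
is_public_ipv4() {
    addr=$1
    # Only digits and dots: rejects IPv6 answers, HTML error pages,
    # empty output and multi-line output.
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (safe: digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ????*|0?*) return 1 ;;   # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # Ranges that can never be your address as seen from the internet.
    case $1 in
        0|10|127) return 1 ;;                                        # this-net, RFC 1918, loopback
    esac
    [ "$1" -ge 224 ] && return 1                                     # multicast/reserved
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1                 # link-local
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1                 # RFC 1918
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1    # RFC 1918
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1   # CGNAT
    return 0
}

# Constructed sample answers; the first is the address shown in the post.
# Live use: ip=$(curl -4 -s ifconfig.me) && is_public_ipv4 "$ip"
for sample in 75.150.117.35 192.168.1.10 100.72.0.5 2001:db8::1 '<html>'; do
    if is_public_ipv4 "$sample"; then
        echo "use as rule source: $sample"
    else
        echo "do not use:         $sample"
    fi
done
```

If your ISP hands out dynamic addresses, rerun the lookup and update the rule's source when the address changes, rather than widening the rule.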