Required Ports for UniFi
Summary
This guide outlines the default UDP and TCP ports that power UniFi’s remote management, Network, Protect, Connect and Access services. It’s meant for self‑hosted deployments or environments with restrictive firewalls and covers how to change default ports on a UniFi Network server.
Overview
UniFi applications rely on specific network ports to communicate with devices, deliver remote management and provide services like the guest portal or video streaming. In typical deployments with UniFi gateways these ports are opened automatically. Administrators using third‑party gateways, self‑hosting or hardened firewalls should ensure the ports listed below remain accessible.
Remote Management
Remote management allows administrators to monitor and manage UniFi devices over the internet. The following ports are required to support remote access, DNS resolution and secure communication.
| Protocol & Port | Direction | Usage |
|---|---|---|
| TCP/UDP 53 | Both | DNS lookups for remote access, updates and Guest Portal redirection; also used by UniFi Network |
| UDP 123 | Egress | NTP time synchronization needed to establish secure connections |
| UDP 3478 | Both | STUN service used for remote access; also used by UniFi Network |
| TCP 443 | Both | Remote Access service and web‑based GUI/API; also used by UniFi Network |
| TCP 8883 | Egress | Remote Access service |
| TCP 5349 | Ingress | Remote access support |
UniFi Network
UniFi Network is the central management platform for UniFi switches, routers and Wi‑Fi access points. These ports handle device adoption, controller communication and management tasks.
| Protocol & Port | Direction | Usage |
|---|---|---|
| TCP/UDP 53 | Both | DNS lookups for Guest Portal redirection and updates; also used by Remote Management |
| UDP 3478 | Both | STUN service for device adoption and communication; also used by Remote Management |
| TCP 8080 | Ingress | Device and application communication |
| TCP 8443 | Ingress | Application GUI/API on the UniFi Console |
| TCP 8880–8882 | Ingress | Hotspot portal redirection over HTTP |
| TCP 8843 | Ingress | Hotspot portal redirection over HTTPS |
| TCP 8444 | Ingress | Secure portal for Hotspot |
| TCP 6789 | Ingress | UniFi mobile speed test |
| TCP 27117 | Ingress | Local database communication |
| UDP 10001 | Ingress | Device discovery during adoption |
| UDP 1900 | Ingress | Layer‑2 discovery (the “Make application discoverable on L2 network” setting) |
| UDP 5514 | Ingress | Remote syslog capture |
| TCP/UDP 22 | Both | SSH access used for manual management (disabled by default) |
| TCP 443 | Both | Application GUI/API via web browser; also used by Remote Management |
UniFi Protect
UniFi Protect handles video streaming and device communication for cameras and network video recorders (NVRs). Ensure the following ports are open.
| Protocol & Port | Direction | Usage |
|---|---|---|
| TCP 7441 | Ingress | Outgoing RTSPS streams |
| TCP 7442 | Both | WebSocket server for device communication |
| TCP 7443 | Both | REST API (HTTPS) |
| TCP 7444 | Both | WebSocket server for camera communication |
| TCP 7445 | Ingress | Outgoing Protect streams |
| TCP 7447 | Ingress | Outgoing RTSP streams |
| TCP 7550 | Ingress | Camera streams |
| TCP 7552 | Both | SSL camera connections |
| TCP 7888 | Both | TCP bridge |
Stacked NVRs (MSR/MSP)
The following additional ports are only required for physically stacked network video recorders. They should be opened in addition to the base Protect ports.
| Protocol & Port | Direction | Usage |
|---|---|---|
| TCP 7446 | Both | Protect streams between consoles |
| TCP 7451 | Both | Protect streams between consoles |
| TCP 7600 | Both | Protect application communications |
UniFi Connect
UniFi Connect integrates with Lutron lighting processors and other automation devices. These ports support device discovery, WebSocket communication and proxies.
| Protocol & Port | Direction | Usage |
|---|---|---|
| UDP 2647 | Ingress | Lutron Processor discovery for HomeWorks QSX, HomeWorks Wireless and RadioRA3 |
| UDP 5353 | Ingress | Lutron Processor discovery for HomeWorks QS and RadioRA2 |
| TCP 18080 | Ingress | Application GUI/API on the UniFi Console |
| TCP 18443 | Both | WebSocket server for device communication (HTTPS) |
| TCP 18884 | Both | MQTT server for device communication |
| TCP 18888 | Both | Internal Lutron proxy between the Lutron Processor and UniFi Connect |
UniFi Access
UniFi Access manages door controllers and readers. The following ports enable secure communication between devices and the server.
| Protocol & Port | Direction | Usage |
|---|---|---|
| TCP 12812 | Both | MQTT server for device communication |
| TCP 12442 | Both | WebSocket server (UCP4) for device communication |
| TCP 12443 | Both | HTTPS server for device communication |
| TCP 12445 | Both | Open API |
| TCP 12478 | Both | WebRTC TURN server for device communication |
Changing Default Ports on a UniFi Network Server
Default port assignments can be modified on self‑hosted UniFi Network servers running on Windows, macOS or Linux. UniFi Consoles (Cloud Keys, Dream Machines or other embedded controllers) do not allow port changes.
- Shut down any running UniFi Network application.
- Locate and edit the `system.properties` file inside `<unifi_base>/data/system.properties`.
  - For example, to change the shutdown port from 8081 to 8089, add or modify the line `unifi.shutdown.port=8089`.
- Restart the UniFi Network application.
Ensure there are no extra spaces, comments (#) or stray characters on the modified line; otherwise the change will be ignored.
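A pre-restart check for the edited file, as an added example that is not part of the original guide or of UniFi's own tooling. It flags port lines that break the rule above and goes a step further by reporting out-of-range values and two keys sharing one port. The `example.*` keys and the sample text are constructed for illustration, and treating every key ending in `.port` as a port setting is an assumption.

```python
import re

# A line that sets a port key, however badly formatted (leading spaces included).
KEY = re.compile(r"\s*([A-Za-z0-9_.]+\.port)(?![\w.])")
# The strict form the note above asks for: key=value and nothing else.
STRICT = re.compile(r"([A-Za-z0-9_.]+)=(\d+)")

# Constructed sample; only unifi.shutdown.port comes from the guide.
SAMPLE = """\
# constructed sample, not a real controller's file
unifi.shutdown.port=8089
example.first.port=8089
example.second.port = 9000
example.third.port=9001 # moved
example.fourth.port=70000
"""


def check_port_lines(text):
    """Return (ports, problems) for every line that sets a key ending in .port."""
    ports, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment, not a setting
        found = KEY.match(line)
        if not found:
            continue  # not a port setting
        key = found.group(1)
        strict = STRICT.fullmatch(line)
        if not strict:
            problems.append((n, key, "spaces, comment or stray characters"))
            continue
        port = int(strict.group(2))
        if not 1 <= port <= 65535:
            problems.append((n, key, "port outside 1-65535"))
            continue
        if key in ports:
            problems.append((n, key, "key set more than once"))
        clash = [k for k, p in ports.items() if p == port and k != key]
        if clash:
            problems.append((n, key, "same port as " + clash[0]))
        ports[key] = port
    return ports, problems


if __name__ == "__main__":
    for line_no, key, why in check_port_lines(SAMPLE)[1]:
        print(f"line {line_no}: {key}: {why}")
```

Run it against a copy of `system.properties` while the application is shut down, and fix every reported line before restarting.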