Overview

UniFi’s Zone-Based Firewall (ZBF) simplifies rule management by organizing networks into logical zones such as:

  • Internal (LAN)
  • External (Internet)
  • Gateway (the UDM itself)
  • VPN
  • Hotspot (guest Wi-Fi)
  • DMZ

The Hotspot zone is used to isolate and manage guest traffic through dedicated firewall rules. This is essential for captive portals to function correctly.

How Captive Portals Work with Zones

When a guest device connects to a Hotspot-enabled SSID or VLAN, it’s automatically placed in the Hotspot zone. The UniFi gateway intercepts the first HTTP or HTTPS request and redirects it to an external captive portal (like MyPlace).

For the redirection and authentication to succeed, several firewall rules must be in place to allow DNS resolution and web traffic.

Required Firewall Ports

To allow portal redirection and guest authorization, make sure the following ports are allowed:

  Port   Protocol   Purpose
  53     UDP/TCP    DNS resolution
  80     TCP        HTTP portal access
  443    TCP        HTTPS portal access
  8880   TCP        UniFi HTTP redirection
  8843   TCP        UniFi HTTPS redirection

Setting Up a Hotspot Network

You can configure a hotspot zone either for an individual Wi-Fi SSID or for an entire VLAN network.

Option 1: Hotspot for Wi-Fi Only

  1. Go to UniFi Network > Settings > WiFi.
  2. Select an existing SSID or create a new one.
  3. Enable Hotspot Portal > Captive Portal.
  4. Save changes.

Option 2: Hotspot for Entire VLAN Network

  1. (Optional) Create a new network in Settings > Networks.
  2. Navigate to Settings > Security > Firewall.
  3. Ensure Zone-Based Firewalling is enabled (available from Network v9.0+).
  4. Assign the VLAN to the Hotspot Zone.
  5. Save and apply changes.

Step-by-Step: Firewall Configuration for Hotspot Zones

  1. Enable Hotspot on your Guest SSID or VLAN.
  2. Assign the network to the Hotspot Zone under Settings > Security > Firewall.
  3. Add a DNS Rule:
    • Source: Hotspot
    • Destination: Gateway
    • Allow port 53 (UDP/TCP)
  4. Add a Web Access Rule:
    • Source: Hotspot
    • Destination: External
    • Allow ports 80, 443, 8880, 8843 (TCP)
  5. Ensure Auto-allow return traffic is enabled in your firewall settings.
  6. Avoid assigning guest VLANs to Internal or DMZ zones.
  7. Save and apply all rules.

Troubleshooting Tips

  • Captive portal not appearing?
    • Confirm DNS (UDP/TCP 53) is allowed.
    • Ensure 8880/8843 are open to External.
    • Place Allow rules above any Block rules.
  • Incorrect portal behavior?
    • Double-check zone assignments and network mappings.
    • Use Pre-Authorization Access Lists for required domains (e.g., for assets, fonts, or custom scripts).
    • Don’t forward TCP 443 if your UDM uses it for remote management.
    • Test using a plain HTTP site like http://neverssl.com.
  • Still not working?
    • Temporarily allow all Hotspot → External traffic for debugging.
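As an added illustration of the rule set in the step-by-step section and of the "Allow rules above Block rules" tip above (example code written for this page, not UniFi's configuration format or API), the following Python model evaluates an ordered zone-based rule list with first-match semantics against the flows the portal path needs. The `Rule`, `Flow` and `audit` names and both sample rule lists are constructed for the example; the port list mirrors the table in the Required Firewall Ports section.

```python
from dataclasses import dataclass

# Constructed model of one zone-based firewall rule (hypothetical, not UniFi's own schema).
@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    src_zone: str
    dst_zone: str
    protocol: str        # "tcp", "udp" or "any"
    ports: frozenset     # empty set means any destination port

# One flow the captive-portal path depends on.
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    purpose: str

# Flows taken from the page's port table: DNS to the gateway, web and redirect ports outbound.
REQUIRED_FLOWS = (
    Flow("Hotspot", "Gateway", "udp", 53, "DNS resolution"),
    Flow("Hotspot", "Gateway", "tcp", 53, "DNS resolution"),
    Flow("Hotspot", "External", "tcp", 80, "HTTP portal access"),
    Flow("Hotspot", "External", "tcp", 443, "HTTPS portal access"),
    Flow("Hotspot", "External", "tcp", 8880, "UniFi HTTP redirection"),
    Flow("Hotspot", "External", "tcp", 8843, "UniFi HTTPS redirection"),
)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone
            and rule.dst_zone == flow.dst_zone
            and rule.protocol in ("any", flow.protocol)
            and (not rule.ports or flow.port in rule.ports))

def first_match(rules, flow: Flow, default: str = "block"):
    """First-match evaluation: the first rule in order that matches decides the verdict."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, idx
    return default, None   # nothing matched: fall through to the implicit default

def audit(rules, zone_of_network: dict, guest_network: str) -> list:
    """Return a list of findings; an empty list means the portal path is allowed."""
    findings = []
    zone = zone_of_network.get(guest_network)
    if zone != "Hotspot":
        findings.append(f"{guest_network} is in zone {zone!r}, expected 'Hotspot'")
    for flow in REQUIRED_FLOWS:
        action, idx = first_match(rules, flow)
        if action != "allow":
            where = "implicit default" if idx is None else f"rule #{idx}"
            findings.append(f"{flow.purpose}: {flow.protocol}/{flow.port} "
                            f"{flow.src_zone}->{flow.dst_zone} blocked by {where}")
    return findings

# Constructed sample: allows listed first, then a block toward the internal zone.
GOOD_RULES = [
    Rule("allow", "Hotspot", "Gateway", "any", frozenset({53})),
    Rule("allow", "Hotspot", "External", "tcp", frozenset({80, 443, 8880, 8843})),
    Rule("block", "Hotspot", "Internal", "any", frozenset()),
]

# Constructed sample: the same allows, but a block-all rule sits above them.
BAD_RULES = [
    Rule("block", "Hotspot", "External", "any", frozenset()),
    Rule("allow", "Hotspot", "Gateway", "any", frozenset({53})),
    Rule("allow", "Hotspot", "External", "tcp", frozenset({80, 443, 8880, 8843})),
]

ZONES = {"Guest VLAN": "Hotspot"}   # constructed network-to-zone mapping

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(rules, ZONES, "Guest VLAN") or "OK")
```

Running the block reports the good list as clean and, for the bad list, four findings naming rule #0 as the blocker for every External flow; DNS to the gateway still passes because the misplaced block only covers Hotspot->External. Moving the block-all rule below the allows clears the findings, which is the ordering the troubleshooting tip describes.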