Pfsense Unifi Remote AP Adoption

Hi all. I am running a pfSense/UniFi setup at home.

Here is my current setup.

pfSense, running HAProxy, Let's Encrypt with Dynamic DNS
unRAID for storage and Docker containers holding web services and the UniFi Controller

I am currently trying to set up a remote network at my brother-in-law's house. He purchased, on my advice, several UniFi APs and switches to support his network. I am also installing pfSense at his house to handle the firewall, local routing, etc.

Since I am the family's de facto IT admin, I am setting this up for me to control remotely. My problem is that I have created a second site on my controller. However, I cannot get the domain name to connect for port 8080 in UniFi.

I have set firewall rules to allow it. I created an alias with all UniFi ports and created a NAT rule in pfSense using that alias. I have confirmed with CanYouSeeMe that the UniFi ports are available and open.

I am setting this up and testing it locally before delivering. In the past I have just used the local IP for AP adoption, but now I am trying to do this with a URL. I am using unifi.MyDomainName.com. I am able to browse to this over the internet and it is secured with Let's Encrypt and all is well.
However, if I put this as the default URL in the UniFi Controller and set “Override inform host with controller hostname/IP”, the APs become disconnected and cannot adopt. I can SSH in and use set-inform to the local IP address and they work, but http://unifi.MyDomainName.com:8080/inform will not work.

I don’t know what I am missing. Can someone point me in the right direction?

Regards,

JC

Don't run port 8080 through HAProxy. Ports 8080 TCP and 3478 UDP should be set up as a NAT rule going to the controller.

Let me clarify. I am not running 8080 over HAProxy, only 443 with an HTTP-to-HTTPS redirect for port 80.

I was just explaining that to give a view of my setup. I created an alias with all the UniFi TCP and UDP ports. I created a NAT rule with this alias pointing to the UniFi Controller IP, which runs as a Docker container on my unRAID. This allows all of the UniFi ports, including 8080, to be available.

So in my head it should work like this:
https://unifi.MyDomainName.com points to HAProxy (this works)
http://unifi.MyDomainName.com:8080/inform should hit the NAT rule and be redirected to the local controller IP (this does not work)

When I set this with set-inform and run the info command, it shows Timeout on the inform and the APs are disconnected.

Do I need another DNS entry for the inform and other ports in UniFi? How would I configure that in the controller while still using the UniFi subdomain name?

Can someone provide an example of the firewall rules and controller setup they are running?

Regards,
JC

No special rules, just a NAT rule for 8080 and 3478 from my WAN IP to the internal UniFi controller. If you want the system to adopt APs while on the inside of the network, make sure NAT reflection is turned on and also make sure the internal DNS name responds with the WAN address, or create a DNS override internally so it replies with the UniFi controller. Of note, having the inform address and the web address pointing internally at HAProxy will be much harder because the DNS entries would be the same: one for the controller and one for the HAProxy IP.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
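An added diagnostic (not from the thread or from pfSense/UniFi) that checks the two conditions the last reply names for adopting APs from inside the LAN: what the inform hostname resolves to on a LAN client, and whether TCP 8080 answers at that address. The hostname, controller LAN IP and WAN IP are constructed placeholders; `diagnose` is the pure decision logic and `probe` does the live lookup and connect.

```python
# Added example, not the thread's or pfSense's own code. Hostname and
# addresses are constructed placeholders for the thread's unifi.MyDomainName.com.
import ipaddress
import socket

INFORM_PORT = 8080  # UniFi inform port, NAT-forwarded to the controller per the thread
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(resolved_ip: str, controller_lan_ip: str, wan_ip: str,
             port_open: bool) -> str:
    """Explain an inform timeout seen from a LAN client.

    resolved_ip       -- what the client's resolver returned for the hostname
    controller_lan_ip -- LAN address of the controller (the NAT target)
    wan_ip            -- pfSense WAN address the NAT rule listens on
    port_open         -- whether a TCP connect to resolved_ip:8080 succeeded
    """
    if resolved_ip == controller_lan_ip:  # split DNS in place
        return "ok: split DNS" if port_open else "controller not listening on 8080"
    if resolved_ip == wan_ip:  # public answer; hairpin through pfSense needed
        if port_open:
            return "ok: NAT reflection"
        return ("hostname resolves to WAN from the LAN: enable NAT reflection "
                "or add a DNS override to " + controller_lan_ip)
    if is_rfc1918(resolved_ip):  # override exists but points elsewhere
        return "DNS override points at another internal host (HAProxy?), not the controller"
    return "hostname resolves to an unexpected public address; check dynamic DNS"


def probe(hostname: str, port: int = INFORM_PORT, timeout: float = 3.0):
    """Live check: resolve hostname and try a TCP connect. Returns (ip, open)."""
    ip = socket.gethostbyname(hostname)
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False


if __name__ == "__main__":
    ip, is_open = probe("unifi.example.com")  # placeholder hostname
    print(ip, is_open, diagnose(ip, "192.168.1.50", "203.0.113.10", is_open))
```

Run it from a LAN client (not from the controller host itself), since the point is to see what the client's resolver and the pfSense hairpin path return.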