Unifi Protect rules on PFSense

Looking for some input of the proper rulesets for Unifi Protect and cameras, on a VLAN, that is behind a PFSense box.

Allow the NVR/Protect system to have internet and the cameras should not need any access other than to the NVR/Protect which should be on the same network.

1 Like

@LTS_Tom , I watch alot of your reviews and how-to’s, mostly in relation to either PFS or UniFi as I’m a fluent user of both.

Until Ubnt pulled the plug on UniFi-Video in exchange for Protect all was great as I had built a network+NVR controller via Debian 9 VM (Proxmox), and it was easy being vanilla debian to employ Let’sencrypt to either controller (VM had it’s own public IP).

Anyhow, as you might guess, UniFi Video is obsolete, and you can’t pull the controller software any longer from Ubnt, so for any existing inferstructure, you’re forced to chaulk it up and buy their NVR from the “Protect” lineup, atleast that’s the conclusion I’ve arrived at (or UDM).

Is their a recommended way to employ SSL if I were to place their new Protect NVR (4-Bay) on its own public IP?

Further reading on the topic has hinted that it’s not yet possible, and as the years have progressed, I’ve noticed how USG’s and similar hardware (Linux based) have become less and less easily overidden by changes to the hardware’s OS like people have done in years past to yield certain features not possible from the controller UI.

The aforementioned reasons above were why I loved running the video controller with plain debian (with webmin).


PS… on a side note, I’ve tried placing both UniFi-Network and UniFi-Video behind PFS with HAProxy to handle SSL and ofcourse this took care of the SSL issue so either controller was reachable via HTTPS, but I ran into communication issues with all the other ports needed for ingress com to the controller no matter which NAT (port forwarding) mode configured, and would imagine if the NVR were placed behind PFS+HAP it would result in the same outcome.

The scenario is all cameras are from remote WAN addresses vs the controller.

I’ll post back on the results after trying the steps mentioned here –


Model – UniFi Protect Network Video Recorder – Ubiquiti Inc.

After logging into the NVR via SSH, I noticed I was placed into the “root” shell as oppose to a general user, and located (what appears to be) the files pertaining to SSL at


I was able to update (overwrite) the existing .crt and .key files, and these survived a reboot intact with what was previously saved (used WinSCP).

More to come on this because as of yet, I’m awaiting drives before placing this into production, so I can’t say I’ve confirmed this to be working with valid SSL for HTTPS over WAN as of yet fully, however it looks promising, but I will also point out that I have not yet configured the NVR (via GUI/wizard), nor has it had the latest firmware update even though it was sourced from Ubiquiti Store directly.

Another interesting thing I noticed (not sure if this is subject to change) is that unlike unifi-os, normal plain debian commands for reboot worked where as unifi-os specific commands were not recognized (of what was tried for rebooting).

I’m hoping this remains the case vs proprietary changes to the kernel but will update on the final outcome in days to come.



After provisioning the NVR, and placing it on its own public IP, I was to get HTTPS encrypted via SSL/TLS using a Let’sencrypt cert.

The path for the cert files changed once provisioned after the first update post the setup wizard, so the aforementioned certificate path previously mentioned no longer existed, however the directory used was


I used a temp VM to run Certbot then copied the cert.pem and privkey.pem to notepad (SSH using “cat” CMD).

Then SSH’d into the NVR using WINSCP and overwrote the “unifi-core.crt” and “unifi-core.key” files.

Note* the “unifi-core.key” file is originally written in RSA format, but dropping the PEM formatted contents from “privkey.pem” worked.

After rebooting the NVR post editing, we had green padlocks!

Hope this helps anyone curious to embark on this with similar hardware of what’s a forced transition for many I’m sure thanks to Ubnt.

1 Like

Protect works fine behind traefik. How are you managing this cert on an ongoing basis?