Allowing mDNS traffic to UniFi Protect NVR on FortiGate

Overview

This guide shows how to allow mDNS traffic to a UniFi NVR on a FortiGate so that the UniFi Protect app can discover the NVR when it sits on another VLAN/network.

Procedure

  1. Turn on Multicast Policy in System > Feature Visibility or in the CLI (optional):
config system settings
set gui-multicast-policy enable
end
  2. Create a multicast address object for the mDNS multicast address:
config firewall multicast-address
edit "mDNS"
set start-ip 224.0.0.251
set end-ip 224.0.0.251
next
end
  3. Create a Multicast Policy to allow mDNS traffic from the network where you want the UniFi NVR to be discovered:
config firewall multicast-policy
edit 0
set name "VLAN104 mDNS to VLAN108"
set srcintf "vlan104"
set dstintf "vlan108"
set srcaddr "all"
set dstaddr "mDNS"
set protocol 17
set logtraffic all
set start-port 5353
set end-port 5353
next
end
  4. Create the service objects, a service group, and a firewall policy to allow the network to access the UniFi NVR on the required ports:
config firewall service custom
edit "UniFi-Protect-HTTPS-tcp-443"
set tcp-portrange 443
next
edit "UniFi-Protect-RTSP-tcp-7441"
set tcp-portrange 7441
next
edit "UniFi-Video-HTTP-tcp-7080"
set tcp-portrange 7080
next
edit "UniFi-Video-HTTPS-tcp-7443"
set tcp-portrange 7443
next
edit "UniFi-Protect-WebMedia-tcp-7446"
set tcp-portrange 7446
next
edit "UniFi-Protect-SRTSP-tcp-7447"
set tcp-portrange 7447
next
edit "UniFi-Protect-Streaming-tcp-7550"
set tcp-portrange 7550
next
end
config firewall service group
edit "UniFi-Protect-Client-to-NVR-Services"
set member "UniFi-Protect-HTTPS-tcp-443" "UniFi-Protect-RTSP-tcp-7441" "UniFi-Video-HTTP-tcp-7080" "UniFi-Video-HTTPS-tcp-7443" "UniFi-Protect-WebMedia-tcp-7446" "UniFi-Protect-SRTSP-tcp-7447" "UniFi-Protect-Streaming-tcp-7550"
set comment "Client (phone/tablet/PC) access to Protect NVR"
next
end
config firewall policy
edit 0
set name "VLAN104 -> NVR"
set uuid ccdb3710-61f7-51f1-ddf0-f9e05781f341
set srcintf "vlan104"
set dstintf "vlan108"
set action accept
set srcaddr "all"
set dstaddr "host-NVR"
set schedule "always"
set service "UniFi-Protect-Client-to-NVR-Services"
set logtraffic all
next
end

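Replace the VLAN/interface names, address object names, and service group members to match your environment. The firewall policy references an address object named "host-NVR" for the NVR, which this guide does not create, so it must already exist.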
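To check an exported configuration against step 3, the following added example (not part of the original guide and not Fortinet tooling) parses the `config firewall multicast-policy` table and flags entries that forward more than UDP 5353 to the mDNS address object. The sample config, the function names, and the "any multicast" entry are constructed for illustration, and the parser assumes a flat table with no nested config blocks.

```python
import shlex

# Constructed sample: entry 1 follows the guide, entry 2 is deliberately over-broad.
SAMPLE = '''
config firewall multicast-policy
    edit 1
        set name "VLAN104 mDNS to VLAN108"
        set dstaddr "mDNS"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
    edit 2
        set name "any multicast"
        set dstaddr "all"
    next
end
'''

def parse_table(text, table):
    """Return {entry_id: {option: [values]}} for a flat 'config <table>' block."""
    entries, current, inside = {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            inside, current = " ".join(tok[1:]) == table, None
        elif inside and tok[0] == "edit":
            current = entries.setdefault(tok[1], {})
        elif inside and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif inside and tok[0] == "end":
            inside = False
    return entries

def audit_mdns_policies(text, group="mDNS"):
    """Report multicast policies that forward more than UDP/5353 to the mDNS group."""
    findings = []
    for pid, opts in parse_table(text, "firewall multicast-policy").items():
        name = opts.get("name", [pid])[0]
        if opts.get("dstaddr") != [group]:
            findings.append((name, "dstaddr is not limited to the mDNS group"))
        if opts.get("protocol") != ["17"]:
            findings.append((name, "protocol is not UDP (17)"))
        if (opts.get("start-port"), opts.get("end-port")) != (["5353"], ["5353"]):
            findings.append((name, "ports are not limited to 5353"))
    return findings

if __name__ == "__main__":
    print(audit_mdns_policies(SAMPLE))
```

Pass the text of a configuration backup instead of `SAMPLE`, and change `group` if the multicast address object is not named "mDNS".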

Troubleshooting

Ensure that Multicast Forwarding is enabled on the FortiGate.

config system settings
set multicast-forward enable
end

This should be enabled by default, but an administrator may have explicitly disabled it.