Allowing mDNS traffic to UniFi Protect NVR on FortiGate
Overview
This guide will show you how to allow mDNS traffic to UniFi NVR on FortiGate so that the UniFi Protect app can discover the NVR sitting on another VLAN/network.
Procedure
- Turn on Multicast Policy in System > Feature Visibility or in the CLI (optional):

    config system settings
        set gui-multicast-policy enable
    end

- Create a Multicast address object for the mDNS multicast address (224.0.0.251):

    config firewall multicast-address
        edit "mDNS"
            set start-ip 224.0.0.251
            set end-ip 224.0.0.251
        next
    end

- Create a Multicast Policy to allow mDNS traffic (UDP, protocol 17, port 5353) from the network where you want the UniFi NVR to be discovered:

    config firewall multicast-policy
        edit 0
            set name "VLAN104 mDNS to VLAN108"
            set srcintf "vlan104"
            set dstintf "vlan108"
            set srcaddr "all"
            set dstaddr "mDNS"
            set protocol 17
            set logtraffic all
            set start-port 5353
            set end-port 5353
        next
    end

- Create a firewall policy to allow the network to access the UniFi NVR on the required ports. First define the services and group them:

    config firewall service custom
        edit "UniFi-Protect-HTTPS-tcp-443"
            set tcp-portrange 443
        next
        edit "UniFi-Protect-RTSP-tcp-7441"
            set tcp-portrange 7441
        next
        edit "UniFi-Video-HTTP-tcp-7080"
            set tcp-portrange 7080
        next
        edit "UniFi-Video-HTTPS-tcp-7443"
            set tcp-portrange 7443
        next
        edit "UniFi-Protect-WebMedia-tcp-7446"
            set tcp-portrange 7446
        next
        edit "UniFi-Protect-SRTSP-tcp-7447"
            set tcp-portrange 7447
        next
        edit "UniFi-Protect-Streaming-tcp-7550"
            set tcp-portrange 7550
        next
    end

    config firewall service group
        edit "UniFi-Protect-Client-to-NVR-Services"
            set member "UniFi-Protect-HTTPS-tcp-443" "UniFi-Protect-RTSP-tcp-7441" "UniFi-Video-HTTP-tcp-7080" "UniFi-Video-HTTPS-tcp-7443" "UniFi-Protect-WebMedia-tcp-7446" "UniFi-Protect-SRTSP-tcp-7447" "UniFi-Protect-Streaming-tcp-7550"
            set comment "Client (phone/tablet/PC) access to Protect NVR"
        next
    end

  Then create the policy itself, with the NVR's address object as the only destination:

    config firewall policy
        edit 0
            set name "VLAN104 -> NVR"
            set uuid ccdb3710-61f7-51f1-ddf0-f9e05781f341
            set srcintf "vlan104"
            set dstintf "vlan108"
            set action accept
            set srcaddr "all"
            set dstaddr "host-NVR"
            set schedule "always"
            set service "UniFi-Protect-Client-to-NVR-Services"
            set logtraffic all
        next
    end

Replace the VLAN/interface names, address object names, and service group members to match your environment.
Troubleshooting
Ensure that Multicast Forwarding is enabled on the FortiGate:

    config system settings
        set multicast-forward enable
    end

This is enabled by default, but it may have been explicitly disabled by an administrator.
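To check a FortiGate configuration for the two things this guide depends on (the scoped mDNS multicast policy from the Procedure and the multicast-forward setting from Troubleshooting), here is a small audit script. It is an added example, not part of the original guide and not a Fortinet tool. It assumes the configuration is available as text (for example the output of `show firewall multicast-address`, `show firewall multicast-policy` and `show system settings` pasted together), that FortiOS defaults apply where a setting is absent (protocol 0 meaning any, port range 1-65535, action accept, multicast-forward enabled), and it uses explicit policy ids in its constructed sample instead of the `edit 0` shorthand.

```python
"""Audit a FortiGate CLI dump for the mDNS multicast policy and the multicast-forward
setting. Added example, not a Fortinet tool; assumes `show` output as input and the
FortiOS defaults protocol 0 (any), ports 1-65535, action accept, multicast-forward on."""
import ipaddress
import shlex

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
MDNS_PORT = 5353
PROTO_UDP = 17
GLOBAL = "_global"  # holds 'set' lines that sit outside any 'edit'

def parse_fortios(text):
    """config/edit/set/next/end -> {table: {entry: {setting: [values]}}}."""
    tables, stack, table, entry = {}, [], None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips the quotes FortiOS puts around names
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":  # may nest inside an 'edit', so remember where we were
            stack.append((table, entry))
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
            entry = None
        elif kw == "edit":
            entry = tables[table].setdefault(tokens[1], {})
        elif kw == "set":
            target = entry if entry is not None else tables[table].setdefault(GLOBAL, {})
            target[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table, entry = stack.pop()
    return tables

def object_covers(groups, name, addr):
    """True if multicast address object `name` includes `addr` ('all' = whole range)."""
    if name == "all":
        return addr.is_multicast
    obj = groups.get(name, {})
    if "start-ip" not in obj or "end-ip" not in obj:
        return False
    return ipaddress.ip_address(obj["start-ip"][0]) <= addr <= ipaddress.ip_address(obj["end-ip"][0])

def mdns_policy(tables, srcintf, dstintf):
    """Name of the first accept policy passing UDP 5353 to 224.0.0.251 from
    srcintf to dstintf, or None. Each check mirrors one 'set' line in the guide."""
    groups = tables.get("firewall multicast-address", {})
    for pid, pol in tables.get("firewall multicast-policy", {}).items():
        if pol.get("action", ["accept"]) != ["accept"]:
            continue
        if srcintf not in pol.get("srcintf", []) or dstintf not in pol.get("dstintf", []):
            continue
        if int(pol.get("protocol", ["0"])[0]) not in (0, PROTO_UDP):
            continue
        lo, hi = int(pol.get("start-port", ["1"])[0]), int(pol.get("end-port", ["65535"])[0])
        if not lo <= MDNS_PORT <= hi:
            continue
        if any(object_covers(groups, g, MDNS_GROUP) for g in pol.get("dstaddr", [])):
            return pol.get("name", [pid])[0]
    return None

def multicast_forward_enabled(tables):
    """Troubleshooting check: a disabled multicast-forward breaks every multicast policy."""
    settings = tables.get("system settings", {}).get(GLOBAL, {})
    return settings.get("multicast-forward", ["enable"]) == ["enable"]

# Constructed sample: the guide's policy (explicit id instead of 'edit 0') plus a
# look-alike policy that only opens UDP 5000 and therefore must not count as mDNS.
SAMPLE_CONFIG = """
config system settings
    set multicast-forward enable
end
config firewall multicast-address
    edit "mDNS"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end
config firewall multicast-policy
    edit 1
        set name "VLAN104 mDNS to VLAN108"
        set srcintf "vlan104"
        set dstintf "vlan108"
        set srcaddr "all"
        set dstaddr "mDNS"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
    edit 2
        set name "VLAN105 UDP5000 to VLAN108"
        set srcintf "vlan105"
        set dstintf "vlan108"
        set dstaddr "mDNS"
        set protocol 17
        set start-port 5000
        set end-port 5000
    next
end
"""
```

Run `mdns_policy(parse_fortios(cfg), "vlan104", "vlan108")` against your own dump to confirm the policy is really scoped to the client VLAN, the NVR VLAN, UDP 5353 and the 224.0.0.251 group; a policy that uses `dstaddr "all"` or a wide port range still matches, so compare the returned policy name against what you expect. Check `multicast_forward_enabled` first, since with that setting disabled no multicast policy has any effect.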