Step 5 - UniFi

To ensure real-time voice and video function correctly, you must forward the LiveKit ports from your UniFi Security Gateway (USG) or Dream Machine (UDM) to your Spokes Docker host.

Creating Port Forwarding Rules

1. Log into your UniFi Network Controller.
2. Navigate to Settings (Gear Icon) > Routing & Firewall (or Settings > Security > Port Forwarding in newer UIs).
3. Click Create New Port Forwarding Rule.

Rule 1: UDP Range

• Name: Spokes LiveKit UDP
• Enable: Checked
• Interface: WAN
• From: Any
• Port: 50000-50499 (or the UDP Range you decided on in Step 1)
• Forward IP: The internal IP of your Spokes server (e.g., 192.168.1.50)
• Forward Port: 50000-50499 (must match the Port)
• Protocol: UDP
• Logging: (Optional)

Save the rule.

Rule 2: TCP Fallback

Click Create New Port Forwarding Rule again:

• Name: Spokes LiveKit TCP Fallback
• Enable: Checked
• Interface: WAN
• From: Any
• Port: 7881 (or the TCP Fallback port you decided on in Step 1)
• Forward IP: The internal IP of your Spokes server (e.g., 192.168.1.50)
• Forward Port: 7881 (must match the Port)
• Protocol: TCP
• Logging: (Optional)

Save the rule. Your UniFi console will provision the new rules to your gateway automatically.

Local Network Voice Chat & Double NAT

Behind an ISP Router?

If your UniFi gateway is plugged into an ISP modem/router that cannot be put into bridge mode (a Double NAT scenario), UniFi’s automatic Hairpin NAT will fail when internal clients try to connect to your public DDNS domain.

Because the UniFi GUI does not allow you to manually map rules to an external DDNS alias, you must put your ISP modem into Bridge Mode so your UniFi gateway receives the true public IP directly.