Wake On LAN Across the Internet with Unifi Kit

Written by James McDonald

January 31, 2022

Configuring a remote Unifi USG Firewall to broadcast WOL Packets from a remote site to wake a computer

+-----------------+                                    +-------------------------+
|    Site A       |                                    |          Site B         |
|                 |                                    |  LAN:     |
| [Linux or WSL   |-----It's The Internet Jen-----[Remote USG]                  |
|                 |                                      |
|    with         |                                    |  [device to wake        |
|   wakeonlan]    |                                    | MAC: 7b:45:59:71:ad:2f] |
|                 |                                    |                         |
+-----------------+                                    +-------------------------+
  • At Site A install wakeonlan on a Linux/WSL box
sudo apt install wakeonlan
  • Configure a Port Forward Rule – On the remote site configure the USG to port forward UDP port 9 to an UNUSED IP address e.g. if the remote subnet that computer that needs to be woken on is and an UNUSED ip address is then forward it to that. To make it more secure make sure the port forward rule is only triggered by traffic from the external IP of Site A. (You can use the Unifi Controller to configure this). When configuring the port forward configure logging so you can see the packets traverse the USG.
  • Login to the remote USG with SSH and then tell it that any traffic sent to should be forwarded to the broadcast address (ff:ff:ff:ff:ff:ff). (To SSH to the USG I usually start a terminal to another Unifi device on the network by clicking that device in the Unifi Controller and then SSH back to the USG)
# on the USG as root
arp -s ff:ff:ff:ff:ff:ff temp

# check it worked
arp -n
# output of arp
# ... other arp table entries            ether   ff:ff:ff:ff:ff:ff   C                     eth1
# ... other arp table entries continued
  • On a Site A Linux box run wakeonlan to target the external IP of the remote site. Pluggin in the remote external IP of Site B and the MAC address of the Ether Adaptor of the device you want to boot up.
wakeonlan -i 7b:45:59:71:ad:2f

How it works explained

The wakeonlan command sends a “Magic” Wake On LAN packet to the external interface of the remote site (in the above example that’s the port forward rule configured on the USG will forward the traffic to the unused LAN IP ( and because the ARP address configured for that LAN IP is ff:ff:ff:ff:ff:ff the Magic Wake On LAN packet will be broadcast to all the Ethernet adaptors on that subnet. The device with MAC address 7b:45:59:71:ad:2f, if it is configured for WakeOnLAN will see that the magic packet matches it’s MAC address boot up.

Checking for Successful Arrival of Magic WOL Packets

While logged into the USG via SSH you can check if the packets arrive. Here are two methods

Tailing the messages log
# In the USG SSH session 
# tail the messages log
tail -f /var/log/messages
#  look for the following output
Jan 31 21:51:38 USG-Firewall kernel: [WAN_IN-3003-A]IN=pppoe0 OUT=eth1 MAC= SRC= DST= LEN=130 TOS=0x00 PREC=0x00 TTL=53 ID=61121 DF PROTO=UDP SPT=34163 DPT=9 LEN=110

Checking for traffic with tcpdump
root@USG-Firewall:~# tcpdump -i eth1 udp port 9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
# output example of successful broad cast
22:08:19.031929 IP unifi.40383 > UDP, length 102


Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

You May Also Like…