Hi all,
Since the Unifi setup I have here has proven it cannot cope with the load of traffic being pushed through it, I decided to slowly transition across to OPNSense.
Having said that, are there many things I should be aware of when transferring records across? I've got OPNSense running inside a VM now on my Proxmox server, and have quite a few things I need to work out the best way to move over:
Local DNS Records (LAN Access Only sites)
Port Forwards
IPv4/IPv6 Static Mappings
Site to Site VPN
Unifi Controller (I found rumours there's a plugin?), although I have a local container for it
QoS Mapping
Since I still have to purchase the required network cards for this, it's going to be done in stages, so that once it's configured I can hopefully just pull the UDM-Pro out, connect up to OPNSense, and away I go with minimal disruption.
I have used PFSense/OPNSense quite a few years ago, so I'm a little rusty on where things are located. Once I get my head back around it, I'll be fine.
Any tips you guys can suggest are much appreciated
I would keep the Unifi Controller (or UOS server, the more modern version of it) as a VM on Proxmox, if you already have it. For OpnSense under Proxmox, there is a guide you should consider in the tutorial section (https://forum.opnsense.org/index.php?topic=44159.0). That section holds some valuable information on various subjects.
For traffic shaping, the documentation already has some nice guidance.
The unifi controller I have in the container I may very well continue with.
I never thought I would exhaust the capabilities of the UDM-Pro, but hey, here we are lol
It'll be like a trip down memory lane for me now lol.
I expect the Unifi Controller to get deprecated in the near future, because with the recent product initiative that Ubiquiti has launched, they cannot support multiple tools (their software support for several lines is way worse than ever before).
UOS server is a containerized version of Unifi Controller, where they can modularize other applications like Protect, Access, etc. You can just export and import the configuration to UOS server. The GUI is basically identical, too.
I bit the bullet and installed UniFi OS on a Proxmox VM with the goal of replacing my current Network Application deployment in Docker. I haven't yet tried to import Network settings into UOS, so fingers crossed that will work...
For anyone looking to install UOS, the process was very straight forward. I started with a blank Debian 13 VM and installed podman, then ran the installer file from here:
https://community.ui.com/releases/UniFi-OS-Server-4-3-6/6203a43a-d19b-43ee-9cf9-835522f19eae
I used the 'host' CPU type in order to expose the AVX instruction set, in case MongoDB needs it (I'm not sure which Mongo version UOS bundles). It seems the installer is entirely self contained and there is no need to set up MongoDB or anything manually. It will add some system services in systemd and the containers will run under the 'uosserver' user/group. It also exposes a simple 'uosserver' CLI on the host.
$ uosserver
UOS Server: 4.3.6
Usage: uosserver <command>
Commands:
start Start the container
stop Stop the running container
status Display the status of the container and services
shell Open a shell session inside the container
support Generate support file
version Show current version
help Show this help message
Uninstall:
uosserver-purge Completely uninstall UOS Server (run as separate command)
I installed UFW and adapted a script that I found here (https://www.crosstalksolutions.com/complete-unifi-os-server-installation-on-linux-best-practices/) to add more specificity (such as protocols for the listed ports) and added the ingress ports needed for the Network and Protect apps as per the official port reference (https://help.ui.com/hc/en-us/articles/218506997-Required-Ports-Reference).
The only issue is that a few of the ports mentioned in the UniFi OS release notes are ambiguous. I couldn't find a solid reference for the specific protocol, direction, or purpose of them and I don't know where the author of this tutorial got their information from. Can anyone confirm or provide more details on the four ambiguous ports listed below?
#!/bin/bash
##
# setup-ufw-unifi.sh
#
# Configures host firewall (UFW) policies for UniFi OS Server and associated UniFi apps. Optionally resets UFW
# to clear existing rules.
#
# Port references (as of September 24th 2025):
# - https://community.ui.com/releases/UniFi-OS-Server-4-3-6/6203a43a-d19b-43ee-9cf9-835522f19eae
# - https://help.ui.com/hc/en-us/articles/218506997-Required-Ports-Reference
#
# Script adapted from main article and user comments at
# https://www.crosstalksolutions.com/complete-unifi-os-server-installation-on-linux-best-practices/
set -e
echo "Starting UFW configuration for UniFi..."

# Reset UFW (WARNING: This removes all existing rules)
read -r -p "Are you sure you want to reset UFW? This will remove all existing rules. [y/N]: " confirm
if [[ "$confirm" =~ ^[Yy]$ ]]; then
    sudo ufw --force reset   # --force skips ufw's own confirmation prompt; we already asked above
else
    echo "Skipping UFW reset; existing rules are kept."
fi

## Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

## Host management ports
# SSH notes:
# 1) UniFi docs list 22/udp as required, but this is invalid and has no practical use case (source: ChatGPT)
# 2) If not enforcing with 'fail2ban', then consider using 'limit' with allowed IPs here
#    Ex.: ufw limit in on enp3s0 from 192.168.1.0/24 to any port 22 proto tcp
sudo ufw allow 22/tcp comment 'SSH access'
#sudo ufw allow 22/udp comment 'SSH access (UDP)'

## Ports listed in UniFi OS release notes but lacking information (protocol, direction, or purpose)
sudo ufw allow 5005 comment 'UniFi OS - ambiguous (possibly controller discovery)'
sudo ufw allow 9543 comment 'UniFi OS - ambiguous (possibly API)'
sudo ufw allow 10003 comment 'UniFi OS - ambiguous (possibly AP/device monitoring)'
sudo ufw allow 11084 comment 'UniFi OS - ambiguous'

## UniFi OS ingress ports
sudo ufw allow 11443/tcp comment 'UniFi OS - management GUI (HTTPS)'

## UniFi Network ingress ports
sudo ufw allow 53/tcp comment 'UniFi Network - DNS for Guest Portal redirection, updates, and remote management (TCP)'
sudo ufw allow 53/udp comment 'UniFi Network - DNS for Guest Portal redirection, updates, and remote management (UDP)'
# Note: legacy Network port 443 is replaced by UniFi OS port 11443
#sudo ufw allow 443/tcp comment 'UniFi Network - Application GUI/API access via web browser'
sudo ufw allow 1900/udp comment 'UniFi Network - L2 discovery ("Make application discoverable on L2 network")'
sudo ufw allow 3478/udp comment 'UniFi Network - STUN for device adoption and communication (also remote mgmt.)'
sudo ufw allow 5514/udp comment 'UniFi Network - Remote syslog capture'
sudo ufw allow 6789/tcp comment 'UniFi Network - UniFi mobile speed test'
sudo ufw allow 8080/tcp comment 'UniFi Network - Device and application communication'
sudo ufw allow 8443/tcp comment 'UniFi Network - Application GUI/API (on UniFi Console)'
sudo ufw allow 8444/tcp comment 'UniFi Network - Secure portal for Hotspot'
sudo ufw allow 8843/tcp comment 'UniFi Network - Hotspot portal redirection (HTTPS)'
sudo ufw allow 8880:8882/tcp comment 'UniFi Network - Hotspot portal redirection (HTTP)'
sudo ufw allow 10001/udp comment 'UniFi Network - Device discovery during adoption'
sudo ufw allow 27117/tcp comment 'UniFi Network - Local database communication (MongoDB)'

## UniFi Protect ingress ports
#sudo ufw allow 7441/tcp comment 'UniFi Protect - Outgoing RTSPS streams'
#sudo ufw allow 7442/tcp comment 'UniFi Protect - WebSocket server for device communication'
#sudo ufw allow 7443/tcp comment 'UniFi Protect - REST API (HTTPS)'
#sudo ufw allow 7444/tcp comment 'UniFi Protect - WebSocket server for camera communication'
#sudo ufw allow 7445/tcp comment 'UniFi Protect - Outgoing Protect streams'
#sudo ufw allow 7447/tcp comment 'UniFi Protect - Outgoing RTSP streams'
#sudo ufw allow 7550/tcp comment 'UniFi Protect - Camera streams'
#sudo ufw allow 7552/tcp comment 'UniFi Protect - SSL camera connections'
#sudo ufw allow 7888/tcp comment 'UniFi Protect - TCP Bridge'

## Stacked NVRs Only (MSR/MSP)
## These ports are only required if using physically stacked NVRs. They should be added in addition to the ports above.
#sudo ufw allow 7446/tcp comment 'UniFi Protect - Protect streams between consoles'
#sudo ufw allow 7451/tcp comment 'UniFi Protect - Protect streams between consoles'
#sudo ufw allow 7600/tcp comment 'UniFi Protect - Protect application communications'

# Enable UFW
sudo ufw --force enable
sudo ufw logging on   # or medium/high/full/off

# Show current rules
sudo ufw status verbose
echo "UFW firewall configuration completed."
IDK about the specific ports, yet it would be easier to add a UFW "app" profile to /etc/ufw/applications.d/uos similar to this for Unifi Controller:
[unifi]
title=UniFi Controller (Standard)
description=The Ubiquiti UniFi Controller
ports=3478/udp|5514/udp|8080/tcp|8443/tcp|8880/tcp|8843/tcp|6789/tcp|27117/tcp|5656:5699/udp|10001/udp|1900/udp
And then enable it with the following (an "OpenSSH" app profile already exists, as shown by "ufw app list"):
ufw allow OpenSSH
ufw app update unifi
ufw allow unifi
ufw enable
Oh, and BTW: You need not care about Protect ports - that application is limited to hardware only. Ubiquiti once had a software solution, which was discontinued. I doubt that it will ever be included within UOS again.
Thanks, that simplifies it. Here's a drop-in profile (untested):
[unifi-os]
title=UniFi OS (Standard)
description=The Ubiquiti UniFi OS ("UOS") Server with Network Application
ports=53/tcp|53/udp|1900/udp|3478/udp|5005|5514/udp|6789/tcp|8080/tcp|8443/tcp|8444/tcp|8843/tcp|8880:8882/tcp|9543|10001/udp|10003|11084|11443/tcp|27117/tcp
Your example listed ports 5656:5699/udp but those aren't listed in the documents that I have. A ChatGPT query claims those are needed for AP-to-AP communication in mesh mode?
1. I think that some of these ports are unneeded:
# netstat -nap
tcp 0 0 0.0.0.0:5671 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 127.0.0.1:11002 0.0.0.0:* LISTEN 581908/discovery
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:11443 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:9543 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:8881 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:8882 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:6789 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 581410/systemd-reso
tcp 0 0 0.0.0.0:5005 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 581410/systemd-reso
tcp 0 0 0.0.0.0:11084 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:8444 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 581381/sshd: /usr/s
tcp6 0 0 :::22 :::* LISTEN 581381/sshd: /usr/s
udp 0 0 192.168.6.20:54178 0.0.0.0:* 581908/discovery
udp 0 0 0.0.0.0:52203 0.0.0.0:* 581908/discovery
udp 0 0 0.0.0.0:5514 0.0.0.0:* 582056/slirp4netns
udp 0 0 0.0.0.0:3478 0.0.0.0:* 582056/slirp4netns
udp 0 0 0.0.0.0:10001 0.0.0.0:* 581908/discovery
udp 0 0 0.0.0.0:10003 0.0.0.0:* 582056/slirp4netns
udp 0 0 127.0.0.54:53 0.0.0.0:* 581410/systemd-reso
udp 0 0 127.0.0.53:53 0.0.0.0:* 581410/systemd-reso
udp 0 0 192.168.6.20:68 0.0.0.0:* 581446/systemd-netw
As you can see, port 53 listens only on 127.0.0.53, so it cannot be contacted from outside - I think that listing this is meant for inside-out access only.
Also, some other ports might fall under this as well. Since UFW only handles inbound connections, probably only those that show up above are needed.
2. That being said: There is nothing else but SSH and UOS running on this machine, anyway - and, it is on my separate management VLAN. Since there is nothing else running there to protect, I chose not to use UFW at all.
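A small audit helper, added here as an example and not taken from the thread: it parses a constructed netstat sample in the layout shown above, drops loopback-only sockets (which UFW never sees), and compares what remains against a hypothetical ufw app-profile ports= line, reporting profile entries that nothing listens on and exposed listeners the profile would not allow. The sample rows and the PROFILE value are assumptions for illustration, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample in the `netstat -nap` layout from the thread (not captured from a real host).
LISTENERS='tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 582056/slirp4netns
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 581410/systemd-reso
tcp6 0 0 :::22 :::* LISTEN 581381/sshd
udp 0 0 0.0.0.0:10003 0.0.0.0:* 582056/slirp4netns
udp 0 0 192.168.6.20:68 0.0.0.0:* 581446/systemd-netw'
# Hypothetical profile under test: a subset of the [unifi-os] ports= line posted above.
PROFILE='53/tcp|53/udp|8080/tcp|5005|8880:8882/tcp|10001/udp|10003'
# Print "port/proto" for every socket bound to a non-loopback address (what UFW can actually block).
exposed_listeners() {
  printf '%s\n' "$LISTENERS" | awk '
    $1 ~ /^(tcp|udp)6?$/ {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only: unreachable, no rule needed
      print port "/" substr($1, 1, 3)
    }' | LC_ALL=C sort -u
}
# entry_covers PORT PROTO ENTRY: succeed when "53/udp", "5005" (no protocol = both) or "8880:8882/tcp" covers PORT/PROTO.
entry_covers() {
  case $3 in */*) eproto=${3#*/}; spec=${3%%/*} ;; *) eproto=$2; spec=$3 ;; esac
  [ "$eproto" = "$2" ] || return 1
  case $spec in *:*) lo=${spec%%:*}; hi=${spec#*:} ;; *) lo=$spec; hi=$spec ;; esac
  [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}
# covered PORT/PROTO PROFILE: succeed when any entry of the '|'-separated profile covers the listener.
covered() {
  for entry in $(printf '%s' "$2" | tr '|' ' '); do
    if entry_covers "${1%/*}" "${1#*/}" "$entry"; then return 0; fi
  done
  return 1
}
# Exposed listeners no profile entry covers: review these before `ufw enable` cuts them off.
unlisted_listeners() {
  for l in $(exposed_listeners); do covered "$l" "$1" || printf '%s\n' "$l"; done
}
# Profile entries that match no exposed listener: candidates to drop, as meyergru suggests.
unused_rules() {
  exposed=$(exposed_listeners)
  for entry in $(printf '%s' "$1" | tr '|' ' '); do
    hit=0
    for l in $exposed; do if entry_covers "${l%/*}" "${l#*/}" "$entry"; then hit=1; break; fi; done
    [ "$hit" -eq 1 ] || printf '%s\n' "$entry"
  done
}
echo "profile entries with no exposed listener:"; unused_rules "$PROFILE"
echo "exposed listeners not in the profile:"; unlisted_listeners "$PROFILE"
```

On a live host replace the LISTENERS sample with the real `netstat -nap` (or `ss -lntup`) output; 68/udp shows up as unlisted only because it is the DHCP client socket, which UFW's default before.rules already admit.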
Quote from: meyergru on September 25, 2025, 12:22:03 PM
As you can see, port 53 listens only on 127.0.0.53, so it cannot be contacted from outside - I think that listing this is meant for inside-out access only.
Yeah, I thought that was odd. Their port reference (https://help.ui.com/hc/en-us/articles/218506997-Required-Ports-Reference) lists it as needed in both directions:
Quote: TCP/UDP 53 Both DNS lookups for Guest Portal redirection and updates (also required for Remote Management)
They could do a little better with the port documentation, IMO. Maybe they can start shipping profiles.
I doubt that they will, for the same reasons I do not use UFW at all for this, and also because they did UOS for the purpose of having a container abstraction layer that keeps them from having to deal with OS-specific tools like UFW.
Obviously, they wanted to have less work, not more.