unifi controller cant adopt

[sikhest]

Hello,

New to OpnSense, the firewall is working great but my Unifi controller, running on a PC can't seem to adopt or manage my AP's.  I can log into unifi, but that's about it   Looking at the firewall logs, it appears I need to allow port..just wondering how this is done.  My current firewall rule on the LAN is allow * to *...

[Koldnitz]

I run unifi controller in a docker container on my NAS.

I did not have to do any extra configuration when I switched to opnsense for firewall / routing.

If the computer with unifi controller on it works (can access network, see internet, you can ssh into whatever unifi gear you have from it, or you can ssh into it from with in your network), I would not think opnsense is blocking anything.  Generally it firewalls that which comes from outside your network unless you did some crazy firewall configuration (easy to do I have hosed everything a few times).

I think you should troubleshoot elsewhere first unless you can find in the firewall logs where it is explicitly blocking your controller, or if you can somehow take opnsense out of the equation and prove that it works without it.

I have had some really random experiences with adoption of my wifi AP and this is well documented on reddit and the unifi website.

Cheers,

[mimugmail]

When controller an ap are in same network is has nothing to do with the Firewall

[sikhest]

Please see the attached image.  The ports that are being denied are the ones used by UniFi.   Thoughts?

[tong2x]

is your Unifi controller on LAN? and so is your APs?

[sikhest]

is your Unifi controller on LAN? and so is your APs?

Yes, Both on the same LAN

[mimugmail]

I dont see relevant communication?

[good-for-nothing]

Hi,

and if you manually set the controller IP on your AP's ? To do so, SSH into the AP's and then:

mca-cli
set-inform http://<mgmt_ip>:8080/inform

to skip the entire auto-detection thing completely. Unlike the documentation states, I highly recommend to not run the AP's with DHCP and auto channel disabled as that's a pain in the arse, better use static IP's for both the AP's and the controller and, if you wish, you may enable auto channel.

[glasi]

As pointed out by mimugmail it has nothing to do with the firewall when controller an AP are in same network.

When the AP and controller are running in different networks, then you need to setup at least two firewall rules for the AP:

Code: [Select]

Protocol Source Port Destination Port Gateway Schedule Description
IPv4 TCP vlan_xx net * 1xx.xxx.xxx.xxx 8080 * * Allow internal inform traffic to UniFi controller
IPv4 UDP vlan_xx net * 1xx.xxx.xxx.xxx 3478 (STUN) * * Allow internal STUN traffic to UniFi controller 
Destination is the IP address of the computer where the controller software is running.

Generally, I would suggest a static IP for the computer where the controller software is running. As the Unifi default inform URL is http://unifi:8080/inform you might have to change the inform URL via SSH as mentioned by good-for-nothing.

Alternatively, you can also setup a host override in OPNsense's unbound. Hence, OPNsense knows where to direct traffic for host unifi.

[sikhest]

Thank you, I will give it a try and report back. 

It's odd - When devices are on Wifi, some don't seem to work eg. Sonos Speaker, Unifi..but once they are hardwired, everything works fine? 

[kalebass]

Alternatively, you can also setup a host override in OPNsense's unbound. Hence, OPNsense knows where to direct traffic for host unifi.

Could you please give an example on how to add a override for unifi domain to a specific IP. When I try to add a override my DNS stops working for all domains.

[tong2x]

you could instead write what you are trying to add