Firewall is driving me crazy, can anyone help me please

Started by Lukkasss, February 12, 2024, 10:21:57 AM

Hello. I've been awake all night (seriously) trying to get over this, but I've no clue about what's going on. I just installed the Unifi controller and I'm trying to adopt my U6 AP, but the firewall is blocking it.



Unifi Controller stays "adopting" and never does.





I made a test: turning off the firewall solves the issue, but as soon as I turn it on again, the Unifi AP changes from adopted to "adopting" and stops working.

Can someone guide me to the firewall rule that I need to solve it? It doesn't make sense to me at the moment and I don't know why. I tried to open exactly the rule that I saw blocked, but it just didn't work.

February 12, 2024, 11:02:49 AM #1 Last Edit: February 12, 2024, 11:07:55 AM by johnmcallister
You need to be sure of two things:

1) That your WAPs know where your Controller is. They reference their set-inform stored value, which is typically https://unifi:8080 by default. But if they have been provisioned, that will be changed to whatever the Controller is that owns them.

2) That your WAPs can contact your Unifi Controller on TCP ports 8080 and 5514. (Set up whatever rule you need to ALLOW the WAPs to contact the Controller from the WAP subnet. Note, it is the WAPs that initiate the contact with the controller, not the other way around.)

Hello johnmcallister, thanks for your comment. Can you elaborate on it a bit more? I tried to do so many things back and forth that I think I'm still not doing it right... Let me post my FW rules here to see if it helps.

Currently, I only have floating rules



I use AdGuard and tried to point the unifi hostname to the controller IP (not sure what unifi.localdomain is; it is going to my Unbound DNS).



When I SSH into the AP, the info command shows a Timeout, but it's showing up in the Unifi controller's list to adopt.



Thanks in advance! I really appreciate your help.

February 12, 2024, 08:16:13 PM #3 Last Edit: February 12, 2024, 08:19:27 PM by johnmcallister
It's encouraging to see that you have a good grasp of other firewall concepts like aliases.

I don't use floating rules because I find them confusing at times. Probably there's a simple answer that will work fine with your floating rules, but I don't know what it is.

Here's how my network is set up:

"Admin" LAN, subnet 192.168.10.0/24 -- Unifi Controller host (running on Linux, in my case) lives here.
"General" LAN, subnet 192.168.20.0/24 -- WAPs (and their clients, like phones, laptops, etc.) live here.

General LAN x.x.20.0/24 policy is wide open, default ALLOW both directions. It can send/receive any traffic it wants to/from the "Admin" LAN.

Admin LAN x.x.10.0/24 policy is wide open outbound to the General LAN (allows anything to go From the Admin LAN TO the General LAN) but restrictive (default DENY) for traffic coming FROM the General LAN.

On the Admin LAN's firewall interface (not in Floating rules), I have the following ALLOW exception configured:

ALLOW traffic from the WAPs (a Host-type alias containing multiple WAP static IP addresses) to contact the Controller (an alias containing a single static IP address) on Unifi Ports (a Port alias, containing the 2 main Unifi ports, 8080 and 5514.)





February 12, 2024, 08:22:25 PM #4 Last Edit: February 12, 2024, 08:28:16 PM by johnmcallister
Quote from: Lukkasss on February 12, 2024, 04:57:52 PM
Hello johnmcallister, thanks for your comment. Can you elaborate on it a bit more? I tried to do so many things back and forth that I think I'm still not doing it right... Let me post my FW rules here to see if it helps.

On further thought, I'm guessing that your Management Net has its own default DENY incoming traffic set in its own firewall Rules section.

So, all you should need to do is add an explicit rule to your Management Net firewall interface rules to allow ports 8080 and 5514 from the WAPs on your General LAN. This rule would go at the top of your Management Net firewall interface rules, not in Floating rules.

February 12, 2024, 08:27:03 PM #5 Last Edit: February 12, 2024, 08:52:49 PM by johnmcallister
Quote from: Lukkasss on February 12, 2024, 04:57:52 PM
Hello johnmcallister, thanks for your comment. Can you elaborate on it a bit more? I tried to do so many things back and forth that I think I'm still not doing it right... Let me post my FW rules here to see if it helps.

When I SSH into the AP, the info command shows a Timeout, but it's showing up in the Unifi controller's list to adopt.



Thanks in advance! I really appreciate your help.

I'm also glad to see you are familiar enough w/ the command line & SSH to get directly into your WAPs, and have enough understanding of DNS to do the smart thing, which is indeed to make a local DNS entry that points "unifi" to whatever your Unifi Controller's IP address is. (I do the same thing in my network, it makes it very easy if I need to change the Unifi Controller's IP or move it to some other subnet.)

If 10.0.99.4:8080 is the correct IP address for your Unifi controller, then this is definitely a firewall policy issue, and/or a routing problem. The WAPs are trying to reach 10.0.99.4:8080 but cannot, at present.

(If 10.0.99.4 is not the IP of your Unifi Controller, then either reset it on the WAP command line using set-inform, or just hard-reset the WAPs using the paperclip method, and they will default back to using "unifi:8080" as their default inform host. If you have a local DHCP server active on your LAN, and also have a local DNS server, and you have DHCP configured to give out your local DNS server as the primary/first DNS server in DHCP assignments, then your locally-configured DNS override for the hostname "unifi" should point them to the correct Unifi Controller IP address. Just be sure your DHCP server is handing out your local DNS server to clients, as "unifi" will obviously not resolve correctly when queried against any DNS server that is not under your control.)

Test to be sure that you have basic IP-level connectivity between the two subnets, i.e. assuming correct firewall policies, can you ICMP-ping known-good hosts on both subnets, in both directions?

In my experience, once connectivity (via routing and firewall policy) is configured correctly, WAPs become properly available and ready-to-adopt (or reconfigure, etc.) within a matter of 5 to 15 seconds (at most), without any need to reboot the WAPs or restart the Unifi Controller.

(The Unifi WAPs are always actively trying to reach out and find their Unifi Controller, they never "give up" and go silent, nor do I believe they do any kind of exponential back-off.)

One other thing that comes to mind --

You didn't say what kind of host your Unifi Controller is running on, i.e. Mac, Windows, Linux, etc.

If the Unifi Controller host has its own local firewall policies, as many machines do these days, be sure that policy also allows the necessary incoming port 8080 and port 5514 traffic.

In particular, Windows would be most-likely to have default client-side firewall/security policies that might block the necessary ports, but Macs and Linux boxes could also have host-resident local firewall policies set as well.

johnmcallister, I'm delighted with the quality of information you gave me in just a few posts. Thank you again in advance; I'm learning so much...

When I was reading your posts, I started to think more about the process that I followed in order to install the Controller, and I remembered that, at first, I just logged in with my Ubiquiti account to finalize the installation of the controller. Then I started to think that the requests were passing through Ubiquiti's external servers before heading to my network and this was causing issues, although I didn't easily find in the firewall logs an external IP trying to communicate with the AP or the controller... When I first installed the controller, I used a Proxmox machine, as I'm trying to set up my own homelab in baby steps... The controller was an LXC container inside a Proxmox machine. I didn't have issues with the connectivity of the machine itself or with reaching the controller to finalize the initial configs; the first issue was adopting the device.

Then, reading your posts, I tried to install it on OPNsense itself, as a plugin, just to see what would happen if I had chosen not to sign in with my Ubiquiti account, and to my surprise, it worked like a charm out of the box. I had to do some small configurations, like setting up an access port on my switch just to connect the AP, grabbing an IP on the subnet that I needed and then using set-inform to be visible to the controller. set-inform worked this time on the first try.

Then I got deeper, trying to pass different VLANs to the Ubiquiti AP in order to have multiple Wi-Fi networks for different purposes... This part was kind of tricky, but I could figure it out eventually.

Despite installing the controller on OPNsense as a plugin, my plan is to move it to a dedicated container on my Proxmox machine now that I understand more about the process...

When I was reading your posts, two questions came up and I would like to ask you, if you allow me...


1 - Coming back to the scenario where I was logged in to the controller with my Ubiquiti account, what steps could I have taken in order to allow it in the FW? I'm always lost in those kinds of configurations because I think I lack the knowledge of how to debug those kinds of things or which tools I should use. I know that I needed a rule to allow external access to a specific port, at least for a start, but where should I put it? Each WAN? Only on the internal network? Also, do I need to fill in Port Forward and add a rule in the Rules section?


2 - The second one has a little synergy with the first one... On the Firewall submenu of OPNsense, I see NAT, then I see Port Forward and Outbound inside of it.

But there's also a separate submenu Rules and then, rules for every network that I have. Then the question comes to me: what do Port Forward / Outbound / Rules mean? If I want to open up a port to the outside world, should I open it in Port Forward only, or do I need to open it in the others as well? I don't know exactly...

I think I get a little lost about where I need to put the rule. To be honest, in my NAT -> Outbound there are only the 4 rules that were created automatically, but I still changed it to hybrid outbound NAT in order to address something if I needed to; but to be fair, I just don't know when I need to put something there... Why does it differ from the others?



The same question stands for the Port Forward section and Rules; I mean, if I put a rule in Port Forward, do I need to put the same in Rules > specific network?

Before trying OPNsense, I just had experience with common routers, and I just had one place to put a Port Forward, for instance... I never needed to put it in other places as well.


Again, thank you so much for the kind of learning that you provided me.

February 13, 2024, 11:17:32 PM #8 Last Edit: February 13, 2024, 11:31:09 PM by johnmcallister
Lukkasss, I read your latest reply a couple of times, carefully, and couldn't get a clear picture of how your overall network is set up.

It sounds like there could be some confusion going on regarding firewalling on bare-metal servers, virtual machines, VM containers, and the Opnsense firewall itself.

If you go back to my earlier posts describing what is required for WAPs to locate and communicate with their Controller, it's not complicated.



A) the WAPs need to have the correct set-inform host set.

B) There needs to be full 2-way communication permitted, at the network routing & firewall policy levels, between the WAPs and the Unifi Controller. Both sets of entities need to be able to initiate new connections with each other on TCP ports 8080 and 5514. WAPs need to make connections to the Controller, and the Controller needs to be able to make connections with the WAPs.



In a complex network environment with lots of zones / subnets and lots of firewall rules, there are a lot of policy decisions that could prevent the requirements of B), above, from being fulfilled.
You simply need to hunt down whatever rule(s), policies, network & routing configurations etc. may be interfering with this.

If you can't get it sorted out I suggest dividing up services as much as possible into simple and discrete chunks, e.g. run the Opnsense instance on its own dedicated bare-metal device, or a dedicated virtual machine.

Don't try to use a third-party-developed Unifi Controller "plugin" on top of Opnsense. Just set up a separate VM or Docker container or whatever you want, and then set up a standard, Unifi-developed, Unifi-maintained Linux-package-based Unifi Controller.
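A way to check requirements A) and B) from the WAP side before touching any rules, as an added example that is not code from this thread, from OPNsense or from Ubiquiti: run it on any host in the WAP subnet (the WAPs are the side that initiates the connection, as noted above). It assumes the default inform URL is http://unifi:8080/inform (the scheme and path are my assumption; pass whatever the AP's info command shows) and uses the two ports named in the thread, 8080 and 5514. The controller address 10.0.99.4 in the usage comment is the one quoted earlier in the thread.

```python
#!/usr/bin/env python3
"""Pre-adoption connectivity check for UniFi WAPs (added example).

Checks, from the host it runs on:
  A) the inform hostname resolves to the controller's address, and
  B) TCP 8080 and 5514 on the controller accept a connection.
"""
import socket
import sys
from urllib.parse import urlsplit

UNIFI_PORTS = (8080, 5514)                    # ports named in the thread
DEFAULT_INFORM_URL = "http://unifi:8080/inform"  # assumed default inform URL


def parse_inform_url(url):
    """Return (hostname, port) from an inform URL; the port defaults to 8080."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"inform URL has no host: {url!r}")
    return parts.hostname, parts.port or 8080


def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver returns for hostname ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, silently dropped (timeout), unreachable, ...
        return False


def diagnose(controller_ip, inform_url=DEFAULT_INFORM_URL, timeout=2.0):
    """Run checks A and B; return the per-check results and an overall verdict."""
    host, inform_port = parse_inform_url(inform_url)
    resolved = resolve_ipv4(host)
    # Probe the two known ports plus whatever port the inform URL names.
    ports = {p: tcp_open(controller_ip, p, timeout)
             for p in set(UNIFI_PORTS) | {inform_port}}
    dns_ok = controller_ip in resolved
    return {
        "inform_host": host,
        "resolved": resolved,
        "dns_ok": dns_ok,
        "ports": ports,
        "ok": dns_ok and all(ports.values()),
    }


def explain(result):
    """Turn a diagnose() result into human-readable lines."""
    where = result["resolved"] or "nothing"
    verdict = ("includes the controller: ok" if result["dns_ok"]
               else "controller missing: fix the local DNS override or set-inform")
    lines = [f"inform host {result['inform_host']} resolves to {where} ({verdict})"]
    for port, is_open in sorted(result["ports"].items()):
        state = ("open" if is_open else
                 "blocked or closed (check the interface rules and the controller host firewall)")
        lines.append(f"tcp/{port}: {state}")
    return lines


if __name__ == "__main__":
    # Usage: python3 unifi_check.py <controller-ip> [inform-url]
    # e.g.   python3 unifi_check.py 10.0.99.4
    if len(sys.argv) < 2:
        sys.exit("usage: unifi_check.py <controller-ip> [inform-url]")
    outcome = diagnose(sys.argv[1], *sys.argv[2:3])
    print("\n".join(explain(outcome)))
    sys.exit(0 if outcome["ok"] else 1)
```

Run it once from a host on the WAP subnet and once from a host on the controller's own subnet: if the ports are open from the latter but not the former, the block is in the inter-subnet policy (the interface rules discussed above); if they are closed from both, look at the controller host's own firewall first.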

February 13, 2024, 11:21:02 PM #9 Last Edit: February 13, 2024, 11:32:47 PM by johnmcallister
One other note regarding using an Opnsense "plugin" to run a Unifi Controller instance ON the same host as the Opnsense firewall --

I respect this guy's efforts to create and maintain such a plugin, but it's clearly an uphill battle. I think at some point he is likely to drop the work involved, leaving those using the plugin without a viable upgrade path:

https://forum.opnsense.org/index.php?topic=36641.0

VM instances just aren't all that resource-intensive, at least for a Unifi Controller that is only managing <20-30 WAPs. I strongly suggest just spinning up a new VM or Docker container and using a well-supported Linux package-based Unifi Controller setup.



Hello John, I'll be doing that over the weekend. I was just experimenting with the options out there, but my plan is exactly to use Proxmox to virtualize VMs and containers. I've two bare-metal machines: one is a Protectli device that is running a dedicated OPNsense instance, and the other is like an Intel NUC on which I'll be virtualizing some things (Home Assistant, AdGuard, Unifi Controller and so on...)

Thanks again for pointing me in the right direction; I understand more about networks and firewalls now.