UniFi Controller

[Wyrm]

I have to agree with jjanzz.
I have very good experiences with opnsense and it is mainly focused on security.
I do not recommend any use of UNIFI or any technology from Ubiquiti. I have very very bad experiences with their devices. There is no possibility to prevent any unifi device to send connections to China.
Just look at the connections it makes from itself. Their whole concept is blackbox - you do not have any chance to see what ubnt or unifi devices are really doing.
When you restart them, they have very big tendency to lose configuration. After power outages there is usually every time needed to configure all again. So you spend 1 hour per device for settings.

I know lots of IT admins and IT professionals, that use unifi devices. It is for their easy use - just clicking and all is "OK". They do not need to think much and "all" is "OK" and solved by unifi 
I think it is better to use your brain then to be controlled by comfort and by others...
From security view unifi is something which communicates to third party clouds in China and how do you know what really unifi controller does? For easy use of unifi devices connected to cloud which is "cool" is OK. But how secure it is. Just think it very carefully - it is sending your communication to China or another third party servers...it is really secure ?

I am using Mikrotik Hardware and it is one of the best manufacturer of network devices in world. You have total control on it and see directly what is in network. There is nothing comparable to their devices and you get them for very very good price. You need to use your brain to set Mikrotik HW correctly - there is no "click and OK".
Same princip is for opnsense - you have to know what you want and use brain to prepare network and configure whole appliance correctly.
I am using opnsense as security appliance and it is critical point in network. So it is better to not implement technologies which lower security for the comfort.

[the-mk]

I agree that a firewall is a firewall is a firewall - so no other software/services should run on that device that you use for your network security. I would not run anything else on a firewall which does not have the purpose of firewalling my network!

but I do not agree that UniFi devices from Ubiquiti like switches and accesspoints talk to chinese servers! the only connection to the internet of such devices are (based on Sensei reports for the last 7 days): NTP service for time and connecting to the webserver hosting firmware update binaries. That is what I can say about my devices that are controlled by the UniFi network controller running on a ubuntu box.

so under which circumstances do your Ubiquiti devices talk to chinese servers?

[Wyrm]

I am talking about situation when you have some new unifi devices and they need to be connected to cloud to change settings. You also need some account on unifi cloud to access controller.
If you have device with controller SW you need to connect to cloud to set it.
If there is closed network or is not access to internet....it is not easy
Lots of customers simply do not easily want to allow any cloud (3rd party) access from their networks.
You do not see into unifi controller device or directly to unifi devices as for example Mikrotik allows.
I am not using unifi for my bad experiences and their requirements for cloud...it is just my experience.

[tong2x]

if it is a "plugin" then it will serve both, those that like or those that dont want it...

it is a choice
id bet there are probably alot of Ubiquiti owners using opnsense instead of USG

[donatom3]

if it is a "plugin" then it will serve both, those that like or those that dont want it...

it is a choice
id bet there are probably alot of Ubiquiti owners using opnsense instead of USG

Yes we exist but moving to Opnsense also makes me want to move to Aruba or something else on the switching end. I'm tired of my cloud key needing its firmware reset. I won't put that buggy software anywhere near my firewall.

[tong2x]

that would be your or anyone's choice

[stefanpf]

I am talking about situation when you have some new unifi devices and they need to be connected to cloud to change settings. You also need some account on unifi cloud to access controller.
If you have device with controller SW you need to connect to cloud to set it.
If there is closed network or is not access to internet....it is not easy

Never had to connect something of my unifi gear to the cloud.
Install the controller or use a cloud Key (which doesn't mean that you have to Connect it to the cloud.

And they never connected to china servers.
They use aws servers for update checks.

But I would never Install the controller on a opnsense because:
- General Security
- afaik they use outdated packages (mongodb, Java)

[kapara]

I tend to agree that deploying this on an OpnSense makes very little sense.  You can spin up a very inexpensive VPS in OVH for less than $10.00 a month and deploy the Unifi controller on it.  It will be far more reliable than on an OpnSense box.  If you are doing this at home then I might understand but for business, a cheap VPS is the way to go and allows for multi-tenant as I use with over 50 companies.

[tong2x]

Sorry for opening a new "issue"
I just wanted to report that I've been successful installing Unifi Beta 5.13.10.0-g7664a3c6 on OPNsense 20.1.3.
The link I used was: https://dl.ubnt-ut.com/teunis/wpa3/5.13.10/UniFi.unix.zip
Thanks for your hard work!!

https://github.com/gozoinks/unifi-pfsense/issues/170

OPNsense 20.1.3

could be great
have not tried though, need more instruction, not really familiar with the console

[tong2x]

https://github.com/gozoinks/unifi-pfsense

the latest commit is tested to latest opnsense
OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Unifi version 5.14.23

just follow the installation instruction

for upgrades, you must stop Unifi first before reinstalling
settings will not be affected by re installation of updated version

This is for those who would like Unifi Controller on their Opnsense machine. We understand the risk, we appreciate your concern.

[tong2x]

original project site
https://github.com/gozoinks/unifi-pfsense

fork typically with newer firmware build
(dev is much more active than in main branch)
https://github.com/gnkidwell/unifi-pfsense

OPNsense 20.7.7_1-amd64
FreeBSD 12.1-RELEASE-p11-HBSD

I have installed and run both script with issue on latest OPNsense build(even on older builds)

[rhambus]

original project site
https://github.com/gozoinks/unifi-pfsense

fork typically with newer firmware build
(dev is much more active than in main branch)
https://github.com/gnkidwell/unifi-pfsense

OPNsense 20.7.7_1-amd64
FreeBSD 12.1-RELEASE-p11-HBSD

I have installed and run both script with issue on latest OPNsense build(even on older builds)

I'd really like to run my unifi controller on opnsense. Any guidance on how to do it? I am new to BSD and OPNsense, though I am OK at linux generally.

[Gauss23]

I tend to agree that deploying this on an OpnSense makes very little sense.  You can spin up a very inexpensive VPS in OVH for less than $10.00 a month and deploy the Unifi controller on it.  It will be far more reliable than on an OpnSense box.  If you are doing this at home then I might understand but for business, a cheap VPS is the way to go and allows for multi-tenant as I use with over 50 companies.

So you have a Unifi Controller on a VPS completely open on the Internet? Sounds scary.

I would use a Linux VM for the Unifi Controller in my HQ datacenter and only serve one company with it. This software is so lightweight every company can have its own Unifi Controller for their networks running as a VM in a closed network.

[Gauss23]

I'd really like to run my unifi controller on opnsense. Any guidance on how to do it? I am new to BSD and OPNsense, though I am OK at linux generally.

Don't do it. It'll cause a lot of headaches especially if you're new to the topic. Spin up a small Linux VM and let it run there. Much better solution.
https://help.ui.com/hc/en-us/articles/220066768-UniFi-How-to-Install-and-Update-via-APT-on-Debian-or-Ubuntu

[rhambus]

There's no way to do VMs through OPNsense itself, is there? Just wanted to check. The hardware could probably handle it...