Host OverRide for UnFi APs
-
Either SSHing into the access point and setting the inform url or setting a host override in pfSense for 'unifi' should work there. I have done both, neither was especially difficult.
Steve
-
This post is deleted! -
Guys,
LAN: 10.0.1.1
HTPC: 10.0.1.2
Asus: 10.0.2.1
UniFi: 10.0.3.1SSH
- Can't even ssh to the device. I could see U6 in dhcp leases in has an ip of 10.0.3.5. Turned ssh in pfsense. on I can ssh my pfsense box
- Doesn't respond to ping
- Firewall Rule all ports open, any protocol, any source and any destination
DNS
- I have Adguard installed. Is there an effect?
DNS Resolver Entry
- Host: unifi
- Domain: HTPC.pfSense.mylocal
- IP add: 127.0.0.1 or 10.0.1.1 or 10.0.1.2
DHCP Option 43:
- Set this under Unfi Interface
Number: 43
DCHP Option: 43
Type; String
Value: 01:04:0a:00:01:01 (10.0.1.1)
01:04:7f:00:00:01 (127.0.0.1)
Light still steady white. Can't be discovered by the controller
Maybe I missed something? Perhaps rule? -
If you connect anything else to the same subnet does it pull a valid dhcp lease?
The AP could be unable to respond for some reason.
Steve
-
Yes I used to have Netgear / Asus and working fine. Trying to upgrade to Wif6 enterprise grade. Chose Unfi
I thought maybe some configuration since U6 is fairly new
I have echo reply blocked in floating rules. Dunno if it has some effect
The rest of my Floating rules are:
Blocked Ips from Firehol
I have QOS / limiter running as well
-
Can we see screenshots of those rules and firewall logs?
-
For the firewall log:
Its kinda long. It only shows blocking ipv6 on my wirelesslan (asus)
-
@magikmark so you run all your rules in floating.. So there is really no way to know even what direction they are in? Other than your description there saying outgoing or incoming
So in what possible scenario would wirelesslan be an outgoing interface towards whatever is in firehol level 1?
First thing I would suggest is get rid of ALL of those... You understand use of "this firewall" is every IP of the firewall right? But in what scenario would these interfaces be used in the out direction htpc and wirelesslan? Or how would these what I assume are external sources in your aliases be inbound into those interfaces?
What are the rules on your actual interfaces.. Please delete all those rules and show us the rules on your actual interfaces.. You can put your whatever those are suppose to be and do back after you actual have stuff working..
Most of those rules don't even have any hits.. they are all 0/0
Value: 01:04:0a:00:01:01 (10.0.1.1)
01:04:7f:00:00:01 (127.0.0.1)Those are not how you do option 43.. For option 43 you put in the IP of your controller..
-
Ok Will delete those
-
@magikmark what interfaces are those rules on? I can guess that the antilock out is your lan, but you have it named htpc ?
-
Ethernet 1 Wan 192.168.1.2 (ISP)
Ethernet 2 Lan (HTPC) 10.0.1.1
Ethernet 3 Asus 10.0.2.1
Ethernet 4 Unfi 10.0.3.1. -
Floating Rule
Host Override
DhcP Option 43 under the Unifi IP 10.0.3.2
-
@magikmark where did you come up with that hex? I show that converting to 0.0.0.1
That should be the IP of your controller..
-
From
https://www.browserling.com/tools/ip-to-hexUnifi Controller Ip:
10.1.2 -> 0a.00.01.02According to
https://network.unifi.ui.com/
my Controller IP is 10.0.1.2
-
where is that 10.13.128.97 coming from - you make no mention of this 10 network..
-
I have no idea. Unifi just included that,.
Maybe when I was installing the controller I was using the VPN? -
@magikmark regardless - can you ssh to your AP yet? Can you ping it even?
You were using a vpn on the actual unifi controller host, or is this some VM that your natting on the host..
-
- No vm. Not using any
- Last time I checked Ssh timed out. No ping either
- Vpn on my desktop only not in pfsense
Will try again later. Will be calling the night off shortly
If it's OK can you pm me where to send the config file?Thanks
-
@magikmark again I have no real desire to comb through your config file.. Just show your rules in a manner that can be understood..
What interface they are on.. etc..
Remove ALL your floating nonsense.. That are almost impossible to interpret, since you can not tell if they are inbound or outbound or both.. What description you put on the rule, doesn't mean you correctly put in the description for what direction the rules are being evaluated.
Post up the rules for your interfaces, listing the interface they are on..
See how easy that is to see that is on my TEST interface ;) See how easy you can see that is ALL my rules on that interface..
Now look at what you posted..
what interfaces are those on, are they all the rules on the interface? I assume those are the top rules? But really can not tell since do not see the top or the bottom.. I assume the rules are the top rules if they also show the column headers.. But are they actually on the correct interface? See all the time were users have source as some network that is not the interface the rule is on..
These rules unless you were logging specific access don't make a lot of sense. What is the point of allow specific rules above a any any rule, without any block rules between, etc.
Those rules above the any any are there why, you have an any any that would allow what you have above it. So unless you specific wanted to log traffic to those ports, but you don't have those rules set to log? So why do you have them split like that?
If the source interface has a rule that allows ssh or ping, doesn't matter what the rules on the other destination network interface are.. You would be able to ssh and ping to stuff on that dest network.. As long as what your trying to access is not running some firewall, or not using some other gateway than pfsense.
-
Mmm, you have a rule to allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0. It has never matched any traffic.
So either not traffic has tried to use it sicne the counters were last reset or you have a floating rule blocking it. It doesn't look like you do have a rule that would block it though.Can you ping the AP from the firewall itself?
Steve
