Netgate Discussion Forum
    Host Override for UniFi APs

    General pfSense Questions
    47 Posts 6 Posters 8.2k Views 7 Watching
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      Either SSHing into the access point and setting the inform url or setting a host override in pfSense for 'unifi' should work there. I have done both, neither was especially difficult.

      Steve

        • M Offline
          MagikMark
          last edited by

          Guys,

          LAN: 10.0.1.1
          HTPC: 10.0.1.2
          Asus: 10.0.2.1
          UniFi: 10.0.3.1

          SSH

          1. Can't even SSH to the device. I could see the U6 in DHCP leases; it has an IP of 10.0.3.5. Turned SSH on in pfSense; I can SSH to my pfSense box.
          2. Doesn't respond to ping
          3. Firewall Rule all ports open, any protocol, any source and any destination

          DNS

          1. I have Adguard installed. Is there an effect?

          DNS Resolver Entry

          1. Host: unifi
          2. Domain: HTPC.pfSense.mylocal
          3. IP add: 127.0.0.1 or 10.0.1.1 or 10.0.1.2

          DHCP Option 43:

          1. Set this under the UniFi interface
            Number: 43
            DHCP Option: 43
            Type: String
            Value: 01:04:0a:00:01:01 (10.0.1.1)
            01:04:7f:00:00:01 (127.0.0.1)

          Light still steady white. Can't be discovered by the controller
          Maybe I missed something? Perhaps rule?

          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            If you connect anything else to the same subnet does it pull a valid dhcp lease?

            The AP could be unable to respond for some reason.

            Steve

            • M Offline
              MagikMark @stephenw10
              last edited by MagikMark

              @stephenw10

              Yes, I used to have Netgear / Asus and it was working fine. Trying to upgrade to WiFi 6 enterprise grade. Chose UniFi.

              I thought maybe some configuration since U6 is fairly new

              I have echo reply blocked in floating rules. Dunno if it has some effect

              The rest of my Floating rules are:

              Blocked Ips from Firehol

              I have QOS / limiter running as well

              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                Can we see screenshots of those rules and firewall logs?

                • M Offline
                  MagikMark @stephenw10
                  last edited by

                  @stephenw10

                  Floating Blocked.JPG Floating Allow.JPG

                  For the firewall log:

                  It's kinda long. It only shows blocking IPv6 on my wirelesslan (Asus).

                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator @MagikMark
                    last edited by johnpoz

                    @magikmark so you run all your rules in floating.. So there is really no way to know even what direction they are in? Other than your description there saying outgoing or incoming

                    So in what possible scenario would wirelesslan be an outgoing interface towards whatever is in firehol level 1?

                    First thing I would suggest is get rid of ALL of those... You understand the use of "this firewall" is every IP of the firewall, right? But in what scenario would these interfaces be used in the out direction, htpc and wirelesslan? Or how would these, what I assume are external sources in your aliases, be inbound into those interfaces?

                    What are the rules on your actual interfaces.. Please delete all those rules and show us the rules on your actual interfaces.. You can put back whatever those are supposed to be and do after you actually have stuff working..

                    Most of those rules don't even have any hits.. they are all 0/0

                    Value: 01:04:0a:00:01:01 (10.0.1.1)
                    01:04:7f:00:00:01 (127.0.0.1)

                    Those are not how you do option 43.. For option 43 you put in the IP of your controller..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • M Offline
                      MagikMark
                      last edited by

                      Ok Will delete those

                      Wireless Rule.JPG UniFi Rule.JPG HTPC Rule.JPG

                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @MagikMark
                        last edited by

                        @magikmark what interfaces are those rules on? I can guess that the anti-lockout is your lan, but you have it named htpc?


                        • M Offline
                          MagikMark @johnpoz
                          last edited by

                          @johnpoz

                          Ethernet 1 WAN 192.168.1.2 (ISP)
                          Ethernet 2 LAN (HTPC) 10.0.1.1
                          Ethernet 3 Asus 10.0.2.1
                          Ethernet 4 UniFi 10.0.3.1

                          • M Offline
                            MagikMark
                            last edited by

                            Floating Rule
                            New Floating Rule.JPG

                            Host Override
                            Host OverRide.JPG

                            DHCP Option 43 under the UniFi IP 10.0.3.2
                            DHCP Option.JPG

                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @MagikMark
                              last edited by johnpoz

                              @magikmark where did you come up with that hex? I show that converting to 0.0.0.1

                              That should be the IP of your controller..


                              • M Offline
                                MagikMark @johnpoz
                                last edited by MagikMark

                                @johnpoz

                                From
                                https://www.browserling.com/tools/ip-to-hex

                                UniFi Controller IP:
                                10.1.2 -> 0a.00.01.02

                                According to
                                https://network.unifi.ui.com/
                                my Controller IP is 10.0.1.2

                                Network Unifi.JPG

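An added example, not code from either poster: how the UniFi option 43 value is built, as one TLV sub-option (code 1, length 4, then the controller's IPv4 bytes), assuming the controller is 10.0.1.2 as stated above. It also decodes a pasted value the other way, so a bare IP converted to hex without the 01:04 header is flagged instead of silently accepted.

```python
import ipaddress

# UniFi's option 43 value is one TLV sub-option: code 1 (inform address),
# length 4, then the controller's IPv4 address as four bytes. pfSense takes
# it as type "String" with the hex pairs separated by colons.
UNIFI_SUBOPT_INFORM = 0x01


def encode_unifi_option43(controller_ip: str) -> str:
    """Build the colon-separated hex value pfSense expects for option 43."""
    ip = ipaddress.IPv4Address(controller_ip)  # raises ValueError on bad input
    payload = bytes([UNIFI_SUBOPT_INFORM, 4]) + ip.packed
    return ":".join(f"{b:02x}" for b in payload)


def decode_option43(hex_value: str) -> dict:
    """Parse a colon- or dot-separated hex option 43 value into sub-options.

    A bare IP in hex (no 01:04 header) or a truncated value is reported in
    'problems' instead of being silently accepted.
    """
    clean = hex_value.replace(":", "").replace(".", "").replace(" ", "")
    result = {"suboptions": {}, "inform_ip": None, "problems": []}
    try:
        data = bytes.fromhex(clean)
    except ValueError:
        result["problems"].append("not valid hex")
        return result
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            result["problems"].append(f"truncated TLV header at offset {i}")
            break
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            result["problems"].append(
                f"sub-option {code} declares {length} bytes, only {len(value)} present")
            break
        result["suboptions"][code] = value
        i += 2 + length
    inform = result["suboptions"].get(UNIFI_SUBOPT_INFORM)
    if inform is None:
        result["problems"].append("no sub-option 1 (inform address) present")
    elif len(inform) != 4:
        result["problems"].append("sub-option 1 is not 4 bytes")
    else:
        result["inform_ip"] = str(ipaddress.IPv4Address(inform))
    return result
```

Feeding the decoder the value pfSense actually hands out (Status > DHCP Leases does not show it, but the option string you typed does) is a quicker check than re-reading hex by eye.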
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator @MagikMark
                                  last edited by

                                  where is that 10.13.128.97 coming from - you make no mention of this 10 network..


                                  • M Offline
                                    MagikMark @johnpoz
                                    last edited by MagikMark

                                    @johnpoz

                                    I have no idea. UniFi just included that.
                                    Maybe when I was installing the controller I was using the VPN?

                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @MagikMark
                                      last edited by johnpoz

                                      @magikmark regardless - can you ssh to your AP yet? Can you ping it even?

                                      You were using a VPN on the actual UniFi controller host, or is this some VM that you're NATing on the host..


                                      • M Offline
                                        MagikMark @johnpoz
                                        last edited by

                                        @johnpoz

                                        1. No VM. Not using any.
                                        2. Last time I checked, SSH timed out. No ping either.
                                        3. VPN on my desktop only, not in pfSense.

                                        Will try again later. Will be calling the night off shortly
                                        If it's OK can you pm me where to send the config file?

                                        Thanks

                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator @MagikMark
                                          last edited by johnpoz

                                          @magikmark again I have no real desire to comb through your config file.. Just show your rules in a manner that can be understood..

                                          What interface they are on.. etc..

                                          Remove ALL your floating nonsense.. Those are almost impossible to interpret, since you can not tell if they are inbound or outbound or both.. What description you put on the rule doesn't mean you correctly put in the description for what direction the rules are being evaluated.

                                          Post up the rules for your interfaces, listing the interface they are on..

                                          test.jpg

                                          See how easy that is to see that is on my TEST interface ;) See how easy you can see that is ALL my rules on that interface..

                                          Now look at what you posted..

                                          what.jpg

                                          What interfaces are those on, are they all the rules on the interface? I assume those are the top rules? But really can not tell since I do not see the top or the bottom.. I assume the rules are the top rules if they also show the column headers.. But are they actually on the correct interface? See all the time where users have source as some network that is not the interface the rule is on..

                                          These rules unless you were logging specific access don't make a lot of sense. What is the point of allow specific rules above a any any rule, without any block rules between, etc.

                                          rules.jpg

                                          Those rules above the any any are there why, you have an any any that would allow what you have above it. So unless you specific wanted to log traffic to those ports, but you don't have those rules set to log? So why do you have them split like that?

                                          If the source interface has a rule that allows SSH or ping, it doesn't matter what the rules on the other destination network interface are.. You would be able to SSH and ping to stuff on that dest network.. As long as what you're trying to access is not running some firewall, or not using some other gateway than pfSense.


                                          • stephenw10S Offline
                                            stephenw10 Netgate Administrator
                                            last edited by

                                            Mmm, you have a rule to allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0. It has never matched any traffic.
                                            So either no traffic has tried to use it since the counters were last reset or you have a floating rule blocking it. It doesn't look like you do have a rule that would block it though.

                                            Can you ping the AP from the firewall itself?

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.