Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Host OverRide for UnFi APs

    Scheduled Pinned Locked Moved General pfSense Questions
    47 Posts 6 Posters 8.2k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      MagikMark
      last edited by

      Ok Will delete those

      Wireless Rule.JPG UniFi Rule.JPG HTPC Rule.JPG

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @MagikMark
        last edited by

        @magikmark what interfaces are those rules on? I can guess that the antilock out is your lan, but you have it named htpc ?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        M 1 Reply Last reply Reply Quote 0
        • M Offline
          MagikMark @johnpoz
          last edited by

          @johnpoz

          Ethernet 1 Wan 192.168.1.2 (ISP)
          Ethernet 2 Lan (HTPC) 10.0.1.1
          Ethernet 3 Asus 10.0.2.1
          Ethernet 4 Unfi 10.0.3.1.

          1 Reply Last reply Reply Quote 0
          • M Offline
            MagikMark
            last edited by

            Floating Rule
            New Floating Rule.JPG

            Host Override
            Host OverRide.JPG

            DhcP Option 43 under the Unifi IP 10.0.3.2
            DHCP Option.JPG

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @MagikMark
              last edited by johnpoz

              @magikmark where did you come up with that hex? I show that converting to 0.0.0.1

              That should be the IP of your controller..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              M 1 Reply Last reply Reply Quote 0
              • M Offline
                MagikMark @johnpoz
                last edited by MagikMark

                @johnpoz

                From
                https://www.browserling.com/tools/ip-to-hex

                Unifi Controller Ip:
                10.1.2 -> 0a.00.01.02

                According to
                https://network.unifi.ui.com/
                my Controller IP is 10.0.1.2

                Network Unifi.JPG

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @MagikMark
                  last edited by

                  where is that 10.13.128.97 coming from - you make no mention of this 10 network..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  M 1 Reply Last reply Reply Quote 0
                  • M Offline
                    MagikMark @johnpoz
                    last edited by MagikMark

                    @johnpoz

                    I have no idea. Unifi just included that,.
                    Maybe when I was installing the controller I was using the VPN?

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @MagikMark
                      last edited by johnpoz

                      @magikmark regardless - can you ssh to your AP yet? Can you ping it even?

                      You were using a vpn on the actual unifi controller host, or is this some VM that your natting on the host..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      M 1 Reply Last reply Reply Quote 0
                      • M Offline
                        MagikMark @johnpoz
                        last edited by

                        @johnpoz

                        1. No vm. Not using any
                        2. Last time I checked Ssh timed out. No ping either
                        3. Vpn on my desktop only not in pfsense

                        Will try again later. Will be calling the night off shortly
                        If it's OK can you pm me where to send the config file?

                        Thanks

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ Offline
                          johnpoz LAYER 8 Global Moderator @MagikMark
                          last edited by johnpoz

                          @magikmark again I have no real desire to comb through your config file.. Just show your rules in a manner that can be understood..

                          What interface they are on.. etc..

                          Remove ALL your floating nonsense.. That are almost impossible to interpret, since you can not tell if they are inbound or outbound or both.. What description you put on the rule, doesn't mean you correctly put in the description for what direction the rules are being evaluated.

                          Post up the rules for your interfaces, listing the interface they are on..

                          test.jpg

                          See how easy that is to see that is on my TEST interface ;) See how easy you can see that is ALL my rules on that interface..

                          Now look at what you posted..

                          what.jpg

                          what interfaces are those on, are they all the rules on the interface? I assume those are the top rules? But really can not tell since do not see the top or the bottom.. I assume the rules are the top rules if they also show the column headers.. But are they actually on the correct interface? See all the time were users have source as some network that is not the interface the rule is on..

                          These rules unless you were logging specific access don't make a lot of sense. What is the point of allow specific rules above a any any rule, without any block rules between, etc.

                          rules.jpg

                          Those rules above the any any are there why, you have an any any that would allow what you have above it. So unless you specific wanted to log traffic to those ports, but you don't have those rules set to log? So why do you have them split like that?

                          If the source interface has a rule that allows ssh or ping, doesn't matter what the rules on the other destination network interface are.. You would be able to ssh and ping to stuff on that dest network.. As long as what your trying to access is not running some firewall, or not using some other gateway than pfsense.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S Offline
                            stephenw10 Netgate Administrator
                            last edited by

                            Mmm, you have a rule to allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0. It has never matched any traffic.
                            So either not traffic has tried to use it sicne the counters were last reset or you have a floating rule blocking it. It doesn't look like you do have a rule that would block it though.

                            Can you ping the AP from the firewall itself?

                            Steve

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @stephenw10
                              last edited by johnpoz

                              @stephenw10 said in Host OverRide for UnFi APs:

                              allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0

                              But that is not where his AP and controller are..

                              Unifi controller is located in my LAN (10.0.1.1:8443) and my U6 is located in another interface "Wireless" (10.0.2.1)

                              He lan is called HTPC, but he says his AP is on the wireless, So really not sure what is on unifi net?

                              The inform default port is 8080, and he has some hits on that rule from wireless net..

                              Then in another post he calls what I assume is he wireless network asus.. But then he calls out lan and htpc

                              LAN: 10.0.1.1
                              HTPC: 10.0.1.2

                              But from his rules posted lan is clearly the htpc net - since that is where the the antilock rule is listed..

                              So to be honest I have no idea how to make heads or tails of this.. Then his controller shows some 10.13 address..

                              Its a mess to be honest.. All kinds of floating rules and not sure what interfaces those other rules are on..

                              he states

                              DhcP Option 43 under the Unifi IP 10.0.3.2

                              But thought his AP was on the wireless 10.0.2 network..

                              Post up some a diagram showing what is where, and what your calling what.. And post up the rules on the interfaces so they can be easily read.. etc..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S Offline
                                stephenw10 Netgate Administrator
                                last edited by

                                Mmm, I had assumed that's where the host is he it trying to ssh to the AP from.

                                But has allow all rules there he should be able to connect to the AP anywhere. The 'feels' more like the AP cannot reply because it has no default route for example.

                                johnpozJ 1 Reply Last reply Reply Quote 0
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator @stephenw10
                                  last edited by johnpoz

                                  @stephenw10 said in Host OverRide for UnFi APs:

                                  able to connect to the AP anywhere.

                                  Concur - if there is a any any rule from where his ssh client is, then doesn't matter what rules are on the AP interface.. Unless he has some outbound rule in floating. But since his AP should be getting an IP from dhcp, its not really possible to have it use anything other than dhcp until its adopted..

                                  So unless he also dicked with the default dhcpd setting, the AP would be pointing back to pfsense as it gateway.

                                  But since this forest is so overgrown with weed trees, its hard to pick out the specific oak your looking for.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • M Offline
                                    MagikMark
                                    last edited by

                                    Guys,

                                    Thank you for your patience. I cleaned my Floating Rules and Reset the state table.

                                    Everything now is working. FireHol was giving a lot of false positive. So I removed them all

                                    johnpozJ 1 Reply Last reply Reply Quote 0
                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @MagikMark
                                      last edited by

                                      @magikmark said in Host OverRide for UnFi APs:

                                      FireHol was giving a lot of false positive

                                      Its not false if the IP range is included... A simple look to that firehol level 1, and it includes all the bogons, which would include rfc1918.

                                      So yeah with those rules you wouldn't be talking between your rfc1918 vlans ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 1
                                      • M Offline
                                        MagikMark
                                        last edited by

                                        Just found out you need to disable your vpn when configuring APs. You will get disconnected status if you don't at least for Layer 3 adoptions.

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          A VPN in pfSense? If you are policy routing traffic across it then, yeah, it could well prevent local connections. You should probably have rules to allow it above policy routing though if that is the case.

                                          Steve

                                          M 1 Reply Last reply Reply Quote 0
                                          • M Offline
                                            MagikMark @stephenw10
                                            last edited by

                                            @stephenw10

                                            VPN is not in pfsense. Its in my desktop where the controller is also installed

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.