Host OverRide for UnFi APs
-
Mmm, you have a rule to allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0. It has never matched any traffic.
So either not traffic has tried to use it sicne the counters were last reset or you have a floating rule blocking it. It doesn't look like you do have a rule that would block it though.Can you ping the AP from the firewall itself?
Steve
-
@stephenw10 said in Host OverRide for UnFi APs:
allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0
But that is not where his AP and controller are..
Unifi controller is located in my LAN (10.0.1.1:8443) and my U6 is located in another interface "Wireless" (10.0.2.1)
He lan is called HTPC, but he says his AP is on the wireless, So really not sure what is on unifi net?
The inform default port is 8080, and he has some hits on that rule from wireless net..
Then in another post he calls what I assume is he wireless network asus.. But then he calls out lan and htpc
LAN: 10.0.1.1
HTPC: 10.0.1.2But from his rules posted lan is clearly the htpc net - since that is where the the antilock rule is listed..
So to be honest I have no idea how to make heads or tails of this.. Then his controller shows some 10.13 address..
Its a mess to be honest.. All kinds of floating rules and not sure what interfaces those other rules are on..
he states
DhcP Option 43 under the Unifi IP 10.0.3.2
But thought his AP was on the wireless 10.0.2 network..
Post up some a diagram showing what is where, and what your calling what.. And post up the rules on the interfaces so they can be easily read.. etc..
-
Mmm, I had assumed that's where the host is he it trying to ssh to the AP from.
But has allow all rules there he should be able to connect to the AP anywhere. The 'feels' more like the AP cannot reply because it has no default route for example.
-
@stephenw10 said in Host OverRide for UnFi APs:
able to connect to the AP anywhere.
Concur - if there is a any any rule from where his ssh client is, then doesn't matter what rules are on the AP interface.. Unless he has some outbound rule in floating. But since his AP should be getting an IP from dhcp, its not really possible to have it use anything other than dhcp until its adopted..
So unless he also dicked with the default dhcpd setting, the AP would be pointing back to pfsense as it gateway.
But since this forest is so overgrown with weed trees, its hard to pick out the specific oak your looking for.
-
Guys,
Thank you for your patience. I cleaned my Floating Rules and Reset the state table.
Everything now is working. FireHol was giving a lot of false positive. So I removed them all
-
@magikmark said in Host OverRide for UnFi APs:
FireHol was giving a lot of false positive
Its not false if the IP range is included... A simple look to that firehol level 1, and it includes all the bogons, which would include rfc1918.
So yeah with those rules you wouldn't be talking between your rfc1918 vlans ;)
-
Just found out you need to disable your vpn when configuring APs. You will get disconnected status if you don't at least for Layer 3 adoptions.
-
A VPN in pfSense? If you are policy routing traffic across it then, yeah, it could well prevent local connections. You should probably have rules to allow it above policy routing though if that is the case.
Steve
-
VPN is not in pfsense. Its in my desktop where the controller is also installed
-
Ah, well similar deal if the VPN client is routing all your traffic over the VPN.
