Netgate Discussion Forum
    Host OverRide for UnFi APs

    General pfSense Questions
    • stephenw10 (Netgate Administrator)

      Mmm, you have a rule to allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0. It has never matched any traffic.
      So either no traffic has tried to use it since the counters were last reset or you have a floating rule blocking it. It doesn't look like you do have a rule that would block it though.

      Can you ping the AP from the firewall itself?

      Steve

      • johnpoz (LAYER 8 Global Moderator) @stephenw10

        @stephenw10 said in Host OverRide for UnFi APs:

        allow access to the AP specifically between HTPCnet and UNIFInet but it shows 0/0

        But that is not where his AP and controller are..

        Unifi controller is located in my LAN (10.0.1.1:8443) and my U6 is located in another interface "Wireless" (10.0.2.1)

        His LAN is called HTPC, but he says his AP is on the wireless, so really not sure what is on the UNIFI net?

        The inform default port is 8080, and he has some hits on that rule from the wireless net..

        Then in another post he calls what I assume is his wireless network asus.. But then he calls out LAN and HTPC

        LAN: 10.0.1.1
        HTPC: 10.0.1.2

        But from his rules posted LAN is clearly the HTPC net - since that is where the anti-lockout rule is listed..

        So to be honest I have no idea how to make heads or tails of this.. Then his controller shows some 10.13 address..

        It's a mess to be honest.. All kinds of floating rules and not sure what interfaces those other rules are on..

        he states

        DHCP Option 43 under the Unifi IP 10.0.3.2

        But thought his AP was on the wireless 10.0.2 network..

        Post up a diagram showing what is where, and what you're calling what.. And post up the rules on the interfaces so they can be easily read.. etc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • stephenw10 (Netgate Administrator)

          Mmm, I had assumed that's where the host he is trying to ssh to the AP from is.

          But he has allow-all rules there, so he should be able to connect to the AP from anywhere. This 'feels' more like the AP cannot reply because it has no default route, for example.

          • johnpoz (LAYER 8 Global Moderator) @stephenw10

            @stephenw10 said in Host OverRide for UnFi APs:

            able to connect to the AP anywhere.

            Concur - if there is an any any rule from where his ssh client is, then it doesn't matter what rules are on the AP interface.. Unless he has some outbound rule in floating. But since his AP should be getting an IP from DHCP, it's not really possible to have it use anything other than DHCP until it's adopted..

            So unless he also dicked with the default dhcpd setting, the AP would be pointing back to pfSense as its gateway.

            But since this forest is so overgrown with weed trees, it's hard to pick out the specific oak you're looking for.

            • MagikMark

              Guys,

              Thank you for your patience. I cleaned my Floating Rules and Reset the state table.

              Everything now is working. FireHol was giving a lot of false positives. So I removed them all

              • johnpoz (LAYER 8 Global Moderator) @MagikMark

                @magikmark said in Host OverRide for UnFi APs:

                FireHol was giving a lot of false positive

                It's not false if the IP range is included... A simple look at that firehol level 1 shows it includes all the bogons, which would include RFC1918.

                So yeah, with those rules you wouldn't be talking between your RFC1918 VLANs ;)

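The check a practitioner would want before putting a list like firehol_level1 into a pfSense floating block rule, added here as an example that is not part of this thread and not FireHOL's or Netgate's code: parse the list, report every entry that overlaps your own RFC1918 subnets (the cause of the "false positives" above), and carve those subnets out so the remainder can still be used. The list contents are a constructed sample in FireHOL's one-CIDR-per-line format, and the /24 subnets are an assumption; the posts only show the interface addresses 10.0.1.1, 10.0.2.1 and 10.0.3.2.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line style of a FireHOL list.
# The real firehol_level1 includes the IANA bogon ranges, which cover the
# RFC1918 space; these entries are illustrative, not copied from the list.
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/3
203.0.113.0/24
"""

# Assumed local subnets (the thread only shows the interface addresses
# 10.0.1.1, 10.0.2.1 and 10.0.3.2; the /24 prefix length is a guess).
LOCAL_NETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def parse_blocklist(text):
    """Parse a FireHOL-style list: one IP or CIDR per line, '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_overlaps(block_nets, local_nets):
    """Return (blocklist entry, local subnet) pairs where the entry would
    match traffic to or from the local subnet."""
    hits = []
    for local in local_nets:
        local_net = ipaddress.ip_network(local, strict=False)
        for entry in block_nets:
            if entry.version == local_net.version and entry.overlaps(local_net):
                hits.append((str(entry), str(local_net)))
    return hits


def carve_out_local(block_nets, local_nets):
    """Return the list with the local subnets removed from every entry, so
    the result can go in a block rule without cutting inter-VLAN traffic."""
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    result = []
    for entry in block_nets:
        pieces = [entry]
        for local_net in locals_:
            kept = []
            for piece in pieces:
                if piece.version != local_net.version or not piece.overlaps(local_net):
                    kept.append(piece)          # unrelated: keep as is
                elif piece.subnet_of(local_net):
                    continue                    # entirely local: drop it
                else:
                    # local_net lies inside piece: split piece around it
                    kept.extend(piece.address_exclude(local_net))
            pieces = kept
        result.extend(pieces)
    return result


def is_blocked(block_nets, ip):
    """True if ip falls inside any entry of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in block_nets)


if __name__ == "__main__":
    raw = parse_blocklist(SAMPLE_BLOCKLIST)
    for entry, local in find_overlaps(raw, LOCAL_NETS):
        print(f"WARNING: {entry} covers local subnet {local}")
    safe = carve_out_local(raw, LOCAL_NETS)
    print(f"{len(raw)} entries in, {len(safe)} entries out after carving")
```

Run it against a downloaded list (replace SAMPLE_BLOCKLIST with the file contents) and your real interface subnets before building the alias; a block rule applied to the floating tab with such a list matches inter-VLAN traffic exactly as johnpoz describes, and the carved list is the safer input for the alias.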
                • MagikMark

                  Just found out you need to disable your VPN when configuring APs. You will get a disconnected status if you don't, at least for Layer 3 adoptions.

                  • stephenw10 (Netgate Administrator)

                    A VPN in pfSense? If you are policy routing traffic across it then, yeah, it could well prevent local connections. You should probably have rules to allow it above policy routing though if that is the case.

                    Steve

                    • MagikMark @stephenw10

                      @stephenw10

                      VPN is not in pfSense. It's on my desktop where the controller is also installed

                      • stephenw10 (Netgate Administrator)

                        Ah, well similar deal if the VPN client is routing all your traffic over the VPN.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.