Unifi Network Controller & Pfsense

the other

@johnpoz hey there,
indeed, it is only needed for changing settings, setting up vlans, captive portal and such...
I handle it the same way: I got it running 24/7 anyways, cause it is nice to have that specific "extra" dashboard and possibilities.
And it does look quite nice :)

I never bothered with vm or letting it run on a separate pc as many do, I went for the boxed version at once, lazy as I am. It does not need much power, runs well from day one and (knock on wood) did not break so far (around 3 years now).

Some of unifi's stuff is not really well implemented imho: using your own https/ssl certificate is rather complicated...moving away from default management vlan is a little tricky (it took some time to adopt my APs again).

As to the topic of this thread...no, I do not need it integrated in pfsense (not to say, it does not feel good to imagine that).
It is imho the same as with modern NAS...people tend to activate every single service just because it is possible...well. It is a storage after all, not a full server, but that's jm2c
:)

johnpoz

@the-other said in Unifi Network Controller & Pfsense:

using your own https/ssl certificate is rather complicated

They for sure could make that easier - its sad really why they have not just added such a basic thing to the gui..

Setting up my printer to use a specific cert it easier than with the unifi controller..

the other

@johnpoz
I actually gave up along the way and set an exception to my browser...lazy me.
:D

johnpoz

@the-other its not all that hard, here I saved these instructions. But it is PITA

delete the old keystore and restart unifi to create an empty keystore:
rm /var/lib/unifi/keystore
service unifi restart

openssl pkcs12 -export -in server.domain.net.cert.pem -inkey server.domain.net.key.pem -certfile ca.cert.pem -out unifi.p12 -name unifi -password pass:aircontrolenterprise

keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

service unifi restart

Just use a ca in pfsense, and then download your cert and key file from your cert - but you have to join them all together with openssl, lets hope by next time I need to do this june of 2023 they have made it easier ;) but I doubt it.

the other

@johnpoz
Wow, thank you.
:)
I do all my certs with good old cert manager and pfsense. Before I used openssl under ubuntu indeed, which is okay after some learning. Went well for all kinds of devices (switches, raspberries...well everything here using https). With cert manager it's even fun, well, kinda...just the darned unifi stuff!

What I missed was to delete the default keystore...tried to put my own cert there, did not work, if I remember correctly...

Anyway, thanx for a new project for the time when the leaves are falling...

johnpoz

@the-other no problem, last time I didn't save instructions - and it was another PITA finding the instructions again, so this time I saved them off.

Now on the other hand, printer is just a gui you import the cert/key and ca with, etc.

But its only doing tls 1.0 so browser doesn't like that either and still warns that "not secure" ;)

Now if some crappy printer interface can have a gui for importing your cert, why can not the unifi controller do it..

Don't get me started on their behind the times busybox on their AP, and the antiquated sshd (dropbear v2020.81) on them. An update to securecrt broke access to them because securecrt had dropped support for old host keys.. And have to use a different library, that took a while to get sorted - but support from securecrt was great..

the other

@johnpoz said in Unifi Network Controller & Pfsense:, so this time I saved them off.

I hear you...
... done and bookmarked :)

Sorry btw for hijacking this thread @all

johnpoz

@the-other while true not actually pfsense related ;) lots of unifi users around here, hope someone else will find the info useful other than just you - hehe

the other

@johnpoz said in Unifi Network Controller & Pfsense:

hope someone else will find the info useful other than just you - hehe

I am pretty sure a lot of ppl will...haha, true.

BogusException

@tux4000 While your issue is solved, just wanted to add for those searching in the future that on all my customer sites, all unifi devices report to a digital ocean linux 'box' running the controller software. I have pfSense FWs and pfSense+ on netgate appliances, a varied mix. No tweaking of any kind ever needed on the firewall, as all traffic is outbound (from firewall's perspective).

The only exception was human error before I put the controller on DO when controller and device were on separate VLANs (w/out rules). After that, I no longer used local controllers.