configure unifi with pfsense
-
Hello sir,
Here is a setup of 1 unifi dream machine pro controller with 20 access points connected to it. In the lab, if more than 400 users got connected, it crashed and all connected users faced disconnection. 1200 users is the actual limit as advised by the unifi support team.
Actually, we need to connect more than 2000 users at a time, and 5 controllers is not a solution.
Is it possible to configure pfsense (software based firewall) with that controller so that the unifi APs utilize the cpu and ram of pfsense (instead of the unifi-controller), or something like that? I expect pfsense is a stable firewall and may handle 5000 users easily.
Please suggest how to overcome this issue. I am new to unifi, so please share slightly detailed instructions.
Your kind response will be highly appreciated.
-
@zaibi12345 I wouldn't look to running the controller software on your firewall. But you sure don't need their device to run the controller, the controller can run on anything really.
Just fire it up on something - maybe with a bit more umph than their dream machine that only has 4GB of ram..
You don't really need their anything device for routing, you have pfsense.. Just fire up some box, even a VM.. But wouldn't do it on your firewall box. Unless you already have pfsense running on some VM host - you could add another VM on that box to run the controller.
While my network size is nowhere close to what you're talking about - but I just run the controller on a VM on my very low power nas and have had no issues with it.. My only complaint currently is my nas does not support AVX, so can not run the new mongo 7 db for the controller.. limited to 4.4
-
pfSense cannot be a Unifi controller directly like that.
But, yes, you can run the controller as a VM and that can then be far more powerful than the UDM.
-
My two cents here, I run my controller in a raspberry pi 4b, it runs perfectly.
Low power usage, just set and forget, update from time to time and that is it.
-
How many users though?
-
@stephenw10 said in configure unifi with pfsense:
How many users though?
hello stephenw10, 30 devices maximum.
I have a nanoHD and a unifi mini.
ubuntu@rpi4:~$ mongod --version
db version v3.6.8
git version: 8e540c0b6db93ce994cc548f000900bdc740f80a
OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
allocator: tcmalloc
modules: none
build environment:
    distarch: aarch64
    target_arch: aarch64
ubuntu@rpi4:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
ubuntu@rpi4:~$ sudo systemctl status unifi.service
● unifi.service - unifi
     Loaded: loaded (/lib/systemd/system/unifi.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-05-31 14:55:47 -03; 3 days ago
I'm running samba-ad-dc, apache with SSL and php and freeradius in this rpi4.
unifi controller with SSL too.
-
@zaibi12345 Since you have all those access points and you have the UDM Pro set up already, you can still use it to manage your APs and perhaps Unifi Switches if you have any.
Turn off DHCP on the UDM, and make sure that its UI-IP is not conflicting with the pfsense machine and that's pretty much it. Move the WAN cable over to the pfsense machine and let it handle everything except AP management...
I suppose the UDM will want a WAN connection to be able to perform updates, but you could simply provide that via a VLAN from the pfsense machine.
-
@mcury Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
-
@stephenw10 said in configure unifi with pfsense:
How many users though?
@johnpoz said in configure unifi with pfsense:
@mcury Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
It's not handling users at all, only managing Unifi devices, like APs, Managed Switches etc. There is no firewall in the controller...
But as I wrote above, why complicate things... just make the UDM "dumb" and limit it to handle only the devices. And add pfsense for the users
-
As @johnpoz says, you don't need the controller. I run my controller software on my Linux desktop, though you could also run it on Windows. If you want a separate device, you could get a small computer, such as a Raspberry Pi and install Linux on it. I believe Unifi likes Ubuntu.
-
@Gblenn said in configure unifi with pfsense:
It's not handling users at all
It is in the sense it's logging the stats.. That data would be managed, this would be put into the DB, etc.. If I had to guess this is where it's falling down.. the stats generated for 400 some users can be quite a bit, let alone 1000 or 2k..
edit: Is there some way to turn off client stats in the controller?
-
@johnpoz said in configure unifi with pfsense:
Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
How did I not read the part about the 2000 clients in the OP's post? I may be getting old and tired.
You are entirely correct about that. Should I erase my post? It is too big and it may be polluting this topic.
-
It's been a while but last time I used Unifi in anger there were some services that required an always on controller such as captive portal. My understanding was that those would be always using the controller and 2000 users could put significant load on it.
-
@johnpoz said in configure unifi with pfsense:
@Gblenn said in configure unifi with pfsense:
It's not handling users at all
It is in the sense it's logging the stats.. That data would be managed, this would be put into the DB, etc.. If I had to guess this is where it's falling down.. the stats generated for 400 some users can be quite a bit, let alone 1000 or 2k..
Hmm, that sounds plausible, and if so it's under Settings > System > Advanced
You can set timing and granularity as well as turn data collection off completely
-
@JKnott where did I say you don't need the controller? While you don't actually if not using some feature like captive portal or something. What I said was he doesn't need the router/firewall features of that DMP.. he has pfsense that can provide that functionality.
But my guess is he wants the info provided by the controller for the clients.. this sort of info can be quite useful in troubleshooting issues or for just keeping an eye on your devices.. Is there some wifi device using a misappropriate amount of data compared to other clients.. What are the signal strengths being seen.. How often are clients roaming from one AP to another, etc.
The stats provided by leaving the controller running can be quite handy!! But yeah it's going to have to be appropriately sized to handle the amount of clients you have.. Now this is just a gut feeling, shooting from the hip sort of reaction.. But 1000, 2k clients with 4GB of ram for the DB is prob going to be problematic.. Maybe if you disable the DMP from handling the other aspects of the network, routing and assume it's natting as well, maybe they have IDS enabled on it - maybe it could handle that sized network if just acting as controller?
Might be worth testing for sure..
-
@Gblenn that might be worth trying as well - but it's possible that is the data he is most interested in? But sure turning that off, and just using the DMP as just the controller and not firewall and router could maybe get to the 1000 clients unifi mentions ;) but his goal is 2k some clients.. So he prob needs a bigger box ;)
-
@johnpoz said in configure unifi with pfsense:
@Gblenn that might be worth trying as well - but it's possible that is the data he is most interested in? But sure turning that off, and just using the DMP as just the controller and not firewall and router could maybe get to the 1000 clients unifi mentions ;) but his goal is 2k some clients.. So he prob needs a bigger box ;)
Perhaps a bit of tuning the data collection could do it as well, and not turning it completely off. There is plenty you can change there...
-
No routing, no firewall.
Actually, there is a page link for candidates to access and submit their paper at the end, which is stored somewhere located in another city.
-
@johnpoz said in configure unifi with pfsense:
@JKnott where did I say you don't need the controller?
I should have said the Unifi controller box. As I mentioned, you can run the software on a separate computer. There's even a "cloud" version. I run mine on my desktop Linux system.
-
@stephenw10
Sir, is it possible for users to utilize the whole memory and cpu of pfsense instead of the unifi controller? What if I disable dhcp on the unifi controller and turn it on from pfsense, or something like that, in order to mitigate the load on the unifi controller?
Actually, my main concern is to handle more than 2000 users at a time in any case.