configure unifi with pfsense
-
How many users though?
-
@stephenw10 said in configure unifi with pfsense:
How many users though?
hello stephenw10, 30 devices maximum.
I have a nanoHD and a unifi mini.ubuntu@rpi4:~$ mongod --version db version v3.6.8 git version: 8e540c0b6db93ce994cc548f000900bdc740f80a OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020 allocator: tcmalloc modules: none build environment: distarch: aarch64 target_arch: aarch64ubuntu@rpi4:~$ cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=20.04 DISTRIB_CODENAME=focal DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"ubuntu@rpi4:~$ sudo systemctl status unifi.service ● unifi.service - unifi Loaded: loaded (/lib/systemd/system/unifi.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2024-05-31 14:55:47 -03; 3 days ago
I'm running samba-ad-dc, apache with SSL and php and freeradius in this rpi4.
unifi controller with SSL too.
-
@zaibi12345 Since you have all those access points and you have the UDM Pro set up already, you can still use it to manage your AP's and perhaps Unifi Switches if you have any.
Turn of DHCP on the UDM, and make sure that it's UI-IP is not conflicting with the pfsense machine and that's pretty much it. Move the WAN cable over to the pfsense machine and let it handle everything except AP management...
I suppose the UDM will want a WAN connection to be able to perform updates, but you could simply provide that via a VLAN from the pfsense machine. -
@mcury Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
-
@stephenw10 said in configure unifi with pfsense:
How many users though?
@johnpoz said in configure unifi with pfsense:
@mcury Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
It's not handling users at all, only managing Unifi devices, like AP's, Managed Switches etc. There is no firewall in the controller...
But as I wrote above, why complicate things... just make the UDM "dumb" and limit it to handle only the devices. And add pfsense for the users
-
As @johnpoz says, you don't need the controller. I run my controller software on my Linux desktop, though you could also run it on Windows. If you want a separate device, you could get a small computer, such as a Rasberry Pi and install Linux on it. I believe Unifi likes Ubuntu.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@Gblenn said in configure unifi with pfsense:
It's not handling users at all
It is in the sense its logging the stats.. That data would be managed, this would be put into the DB, etc.. If I had to guess this is where its falling down.. the stats generated for 400 some users can be a quite a bit, let alone 1000 or 2k..
edit: Is there some way to turn off client stats in the controller?
-
@johnpoz said in configure unifi with pfsense:
Yeah for small networks the controller could most likely run on any potato you have about.. But he is talking quite a large amount of clients and devices.. If the DMP is failing on this sort of network, I doubt some little pi would would work ;)
But I would "guess" if got some network where there could be 2000 some clients - I would "guess" they prob have some sort of pretty beefy VM host they could just pop a VM on and give more than the 4GB of ram that DMP has ;)
How I didn't read the part about the 2000 clients in the op's post ? I may be getting old and tired
You are entirely correct about that, should I erase my post, it is too big and it may be polluting this topic ? -
It's been a while but last time I used Unifi in anger there were some services that required an always on controller such as captive portal. My understanding was that those would be always using the controller and 2000 users could put significant load on it.
-
@johnpoz said in configure unifi with pfsense:
@Gblenn said in configure unifi with pfsense:
It's not handling users at all
It is in the sense its logging the stats.. That data would be managed, this would be put into the DB, etc.. If I had to guess this is where its falling down.. the stats generated for 400 some users can be a quite a bit, let alone 1000 or 2k..
Hmm, that sounds plausible, and if so it's under Settings > System > Advanced
You can set timing and granularity as well as turn data collection off completely
-
@JKnott where did I say you don't need the controller? While you don't actually if not using some feature like captive portal or something. What I said was he doesn't need the router/firewall features of that DMP.. he has pfsense that can provide that functionality.
But my guess is he wants the info provided by the controller for the clients.. this sort of info can be quite useful in troubleshooting issues or for just keeping an eye on your devices.. Is there some wifi device using a misappropriate amount of data compared to other clients.. What are the signal strengths being seen.. How often are clients roaming from one AP to another, etc.
The stats provided by leaving the controller running can be quite handy!! But yeah its going to have to be appropriate sized to handle the amount of clients you have.. Now this is just a gut feeling, shooting from the hip sort of reaction.. But 1000, 2k clients with 4GB of ram for the DB is prob going to be problematic.. Maybe if you disable the DMP from handling the other aspects of the network, routing and assume its natting as well, maybe they have IDS enabled on it - maybe it could handle that sized network if just acting as controller?
Might be worth testing for sure..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@Gblenn that might worth trying as well - but its possible that is the data he is most interested in? But sure turning that off, and just using the DMP as just the controller and not firewall and router could maybe get to the 1000 clients unifi mentions ;) but his goal is 2k some clients.. So he prob needs a bigger box ;)
-
@johnpoz said in configure unifi with pfsense:
@Gblenn that might worth trying as well - but its possible that is the data he is most interested in? But sure turning that off, and just using the DMP as just the controller and not firewall and router could maybe get to the 1000 clients unifi mentions ;) but his goal is 2k some clients.. So he prob needs a bigger box ;)
Perhaps a bit of tuning the data collection could do it as well, and not turning it completely off. There is plenty you can change there...
-
No routing no firewall
actually there is a page link for candidates to access and submit their paper at the end which is stored somewhere located in other city. -
@johnpoz said in configure unifi with pfsense:
@JKnott where did I say you don't need the controller?
I should have said the Unifi controller box. As I mentioned, you can run the software on a separate computer. There's even a "cloud" version. I run mine on my desktop Linux system.
-
@stephenw10
sir is it be possible that users utilize whole memory and cpu of pfsense instead of unifi controller whatif I disable dhcp of unifi controller and turned on from pfsense or something like that in order to mitigate the load from unifi controller.
actually my main concern is to handle more than 2000 users at a time in any case -
Sure you can off-load DHCP though I'm not sure how that might affect data collection in the controller.
It really depends what features you are using in Unifi.
-
@stephenw10 said in configure unifi with pfsense:
might affect data collection in the controller.
I don't use dhcp on the controller or box the controller is running on - and it gets all the data just fine. I doubt dhcp would be the reason its falling down.. I mean dhcp doesn't use more ram the more clients that get a lease or anything. And its not a memory hungry or cpu intensive process either.
If I had to guess its the issue of writing data to the db for more and more clients.
What version of mongo is running on it? Is it still the old like 3.6, has it been upgraded to 4.4 or 7 even which the new controller supports - but it does require AVX, which is quite possible the DMP doesn't even support?
I would be curious if turning off history has any effect, like 600 clients before it falls down, etc.. SSH to the thing and do a mongo -version
user@UC:~$ mongo -version MongoDB shell version v4.4.29 Build Info: { "version": "4.4.29", "gitVersion": "f4dda329a99811c707eb06d05ad023599f9be263", "openSSLVersion": "OpenSSL 1.1.1f 31 Mar 2020", "modules": [], "allocator": "tcmalloc", "environment": { "distmod": "ubuntu2004", "distarch": "x86_64", "target_arch": "x86_64" } } user@UC:~$I am curious if their own devices for the controller, like their cloudkey and or their DMs support the ability to run mongo 7.. Since 4.4 has been end of life since feb of this year. If running on your own hardware, that is on you. But haven't look to see even if you run their hardware if you can run 7 of mongo.
-
@johnpoz said in configure unifi with pfsense:
I am curious if their own devices for the controller, like their cloudkey and or their DMs support the ability to run mongo 7.. Since 4.4 has been end of life since feb of this year. If running on your own hardware, that is on you. But haven't look to see even if you run their hardware if you can run 7 of mongo.
Dream Machine Pro can't, it uses Quad-core ARM
Cortex-A57 at 1.7 GHz.
https://www.mongodb.com/community/forums/t/core-dump-on-mongodb-5-0-on-rpi-4/115291/14That is the reason, I think, that they will be supporting mongod 3.6 for a long time..
https://techspecs.ui.com/unifi/unifi-cloud-gateways/udm-pro
Edit: raspberry pi 5 can go up to mongod 6, it has a 64-bit Arm Cortex-A76 CPU, but can't install mongod 7.
Unless you use this method: https://github.com/themattman/mongodb-raspberrypi-binaries -
@zaibi12345 said in configure unifi with pfsense:
1 unifi dream machine pro controller with 20 access points connected with it, In lab if more than 400 users get connect, it got crashed all connected users faced disconnectivity. 1200 users is actual limit as advised by unifi support team.
actually we need to connect more than 2000 users at a time and 5 controllers is not a solutionI use a self hosted controller https://help.ui.com/hc/en-us/articles/360012282453-Self-Hosting-a-UniFi-Network-Server
Easily installed via this script https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
Which I run on a Debian VM under Proxmox on a Mini PC also running pfsense as a VM.
For your application, being more generous with the hardware would be sensible. https://lazyadmin.nl/home-network/unifi-controller/ and https://techspecs.ui.com/unifi/cloud-keys-gateways/cloud-key-enterprise
