Netgate Discussion Forum

    Are Unifi Wireless APs and pfSense compatible?

    • C
      confiarus

      We have 7 unifi LR APs and 1 unifi Mesh AP. Originally, they were connected via a small TPlink gigabit switch to an Untangle Firewall/Router. The Untangle also did DHCP and the network was 192.168.15.x/24. No VLANs or any fancy setup on the Untangle or Unifi controller. The Untangle was running on a Dell Optiplex 3010 and the Unifi controller was running on an HP desktop PC. This setup had run flawlessly with no issues at all with the APs.

      Recently, however, we were starting to run out of DHCP addresses and needed to expand the range. Also, we needed to have a solution for a 2nd WAN failover. pfSense had a better solution than Untangle, so I set up a pfSense (version 2.4.5-p1) firewall with 2 WANs and 1 LAN. The LAN used pfSense for DHCP and the network was 192.168.14.x/23 in order to get more IP addresses. The pfSense firewall is running on a DELL Optiplex 790 (i7 processor, 8GB RAM, all Intel network cards).

      When I connected the pfSense to the network, I disconnected power and reconnected power to all APs so they would get a new IP on the new network. Did the same for the PC which has the unifi controller software and then restarted the controller software. All the APs got a new IP and showed "Connected" for about 2 minutes.

      Then, some of the APs showed "Connected (Limited)", some showed "Isolated" and they would intermittently show "Connected" but then go back to "Connected(Limited)". Reset power to APs and even tried defaulting one AP but after it came back online and got an IP, it would exhibit the same intermittent behavior. The PC which runs the unifi controller software is hardwired to the switch and it had no problems getting on the internet or pinging any of the APs and its connection was not intermittent.

      I could log into the "Debug" terminal of one of the APs that was showing "Connected(Limited)" and ping "www.yahoo.com" from the terminal successfully so I know DNS and DHCP are working, so I'm baffled at what's going on. I had a limited time window in which to install the pfSense and since it was not working with the APs, I had to reinstall the old Untangle firewall.

      Once I installed the Untangle and reset power to the unifi APs, everything came back up and has been running perfectly for 3 days now. I'm also reaching out to the unifi community to resolve, but thought I'd also check here to see if anyone has had any similar issues using unifi with a pfSense firewall.

      • GertjanG
        Gertjan

        pfSense, or Untangle, are basically .... the same.
        Both are firewall routers.

        By default, any device attached to the default LAN port will have access to the entire Internet.
        Nothing is blocked.

        I do not own Unifi APs, but I guess these are just APs - give them a static (!) IP, gateway and DNS - the last 2 are the LAN IP of pfSense. If pfSense has the same LAN setup as your Untangle, then your network will be identical on an IP level.

        Take note: YouTube has some (many?) "pfSense and Unifi AP" videos.

        @confiarus said in Are Unifi Wireless APs and pfSense compatible?:

        "Connected(Limited)"

        What does this mean ? (you have the doc, right ? ;) )

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • H
          hescominsoon @confiarus

          @confiarus pfSense is my preferred router to use with unifi gear when I need more than just basic routing or high speed performance with IPS enabled. It works just fine. I have quite a few of them deployed.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator

            Been using unifi APs with pfSense for years. Not an issue, not sure how there could be. They are just network devices like any other network device.

            Your limited issue seems to come from issues with the gateway, possibly, and link monitoring. Can you actually ping the gateway you have set? What is it on the device? Check your routing on the device via netstat -rn, etc.

            Untangle at least used to have a nasty habit of using ARP poisoning for becoming the gateway. You could plug it in just on your network without it actually being the gateway and it would ARP poison itself as the gateway to route traffic through it.

            I would validate that all your APs and the controller have the correct gateway set for your new network, especially if you changed the mask.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • Raffi_R
              Raffi_

              I can add a third confirmation to running pfSense with a unifi ap. The combo has been working great and provides my full wan bandwidth over wifi. Solid performance.

              There are quite a few suggestions on the unifi forums about those error messages you got.
              I'm guessing you already read the descriptions of those messages.
              https://help.ui.com/hc/en-us/articles/205231710-UniFi-UAP-Status-Meaning-Definitions
              Seems like the limited connection and isolated could be related when there are multiple APs involved. It points to what @johnpoz mentions about checking the gateway.

              • DAVe3283D
                DAVe3283

                The issues you are seeing in the UniFi controller are almost certainly from the controller changing IP addresses. The STUN configuration doesn't save the DNS name of the controller by default, it stores the IP address, and will fall back to a host name in certain situations.

                The easiest solution is probably to "forget" (factory reset) the APs from the UniFi controller while you are on Untangle (original IP address). Switch to pfSense, assign a DHCP reservation to the UniFi controller, then re-adopt the APs.

                I run UniFi APs at 3 sites, all using pfSense, and they work fine. The only gotcha is if you are using 802.1x RADIUS auth on one of your WiFi SSIDs, and sending that traffic through an OpenVPN tunnel, you need to add a network adapter for OpenVPN or fragmented packets can be lost. But it sounds like your setup is pretty standard, and your issue is entirely related to the re-IP of the network.

                • C
                  confiarus

                  Thanks for all the replies! Have been using Untangle for years, but this is my first time using pfSense. After setting up the pfSense on the network the other day, I factory reset one of the APs. It got a new IP from the new range and I was able to ping the pfSense gateway and ping "www.yahoo.com" even though the controller showed "Connected(Limited)".

                  Next, I will try defaulting all of the units while connected to Untangle, assign a DHCP reservation to Controller PC, switch to pfSense, and re-adopt as per DAVe3283. Will be a few days before I can schedule another attempt to install. Will update afterwards.

                  • A
                    akuma1x

                    @confiarus It seems that the "Connected (Limited)" status message is either an IP address setting on the access point(s) itself, or a DNS problem. I've never actually seen this myself, and I've got 8 access points and a controller on site. They all setup and work now just fine with pfsense and smart switches.

                    https://www.google.com/search?client=firefox-b-1-e&q=unifi+connected+limited

                    This is Unifi's official explanation: This will appear when a UAP is connected and can reach the controller, but is unable to reach either the gateway or the custom IP defined for the uplink connectivity monitor. In this state downlink UAPs (wireless UAPs) will become Isolated.

                    Jeff

                    • DAVe3283D
                      DAVe3283 @akuma1x

                      @akuma1x said in Are Unifi Wireless APs and pfSense compatible?:

                      @confiarus It seems that the "Connected (Limited)" status message is either an IP address setting on the access point(s) itself, or a DNS problem. I've never actually seen this myself, and I've got 8 access points and a controller on site. They all setup and work now just fine with pfsense and smart switches.

                      https://www.google.com/search?client=firefox-b-1-e&q=unifi+connected+limited

                      This is Unifi's official explanation: This will appear when a UAP is connected and can reach the controller, but is unable to reach either the gateway or the custom IP defined for the uplink connectivity monitor. In this state downlink UAPs (wireless UAPs) will become Isolated.

                      Jeff

                      Good call.

                      @confiarus be sure to update the LAN settings on the controller to match the new pfSense IP for the gateway before re-adopting the APs.

                      • C
                        confiarus

                        Finally got a time window over the weekend to reinstall the pfSense. This time, I went through the process as suggested by DAVe3283 and akuma1x. The details are below.

                        1. First, on the pfSense, I set up DHCP static addresses for the APs and the controller PC using their MAC addresses.

                        2. Next, prior to shutting down the Untangle Firewall, I factory defaulted all of the APs from the Unifi Controller software. Once they were all defaulted, I removed power from the APs and also removed power from the ethernet switch they were connected to. Not sure if removing power was necessary, but wanted to make sure the APs would boot up and get a new IP from the pfSense with no issues.

                        3. On the controller PC, in the Unifi Controller software, made sure the gateway setting and network settings reflected the new network information: 192.168.14.1 and 192.168.14.x/23. Powered down the Unifi Controller PC.

                        4. Shut down the Untangle Firewall and connected the pfSense Firewall in its place and powered it and the ethernet switch up. Used my laptop to connect to the webUI of pfSense via the ethernet switch. After the pfSense Firewall powered up and I could see that all interfaces were up from my laptop, I powered up the Unifi Controller PC.

                        5. The Unifi Controller PC booted up and got its new IP. In the Unifi Controller software, I adopted all the APs one by one and verified they received the correct IPs and were "Connected". They were consistently connected for over an hour with no further issues as I'd had in the previous install attempt.

                        6. Verified client PCs were connecting to the APs and passing traffic successfully.

                        7. Started fail-over testing by disconnecting WAN1. Made sure internet traffic was flowing through WAN2 and then back through WAN1 when I reconnected WAN1. It did, and I was impressed at how fast and seamless the transition was!

                        After a couple of days, everything is still working great. Thanks to all who submitted suggestions - this one is solved!

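The gateway and mask validation suggested in the thread, written out as an added example that is not part of the original posts: it checks each device's address, mask and gateway against the new pfSense LAN (192.168.14.0/23 with gateway 192.168.14.1, both taken from the thread). The device names, sample addresses and the old gateway 192.168.15.1 are constructed assumptions.

```python
import ipaddress

# From the thread: the new pfSense LAN and its gateway address.
NEW_LAN = ipaddress.ip_network("192.168.14.0/23")
NEW_GATEWAY = ipaddress.ip_address("192.168.14.1")


def audit_device(ip, prefix_len, gateway):
    """Return the problems found in one device's IP settings (empty list = OK)."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    if iface.ip not in NEW_LAN:
        problems.append(f"address {iface.ip} is outside {NEW_LAN}")
    elif iface.network != NEW_LAN:
        # Address falls inside the new /23, but the device still uses another mask.
        problems.append(f"stale mask: device thinks it is on {iface.network}")
    if gw != NEW_GATEWAY:
        problems.append(f"gateway {gw} is not the pfSense LAN IP {NEW_GATEWAY}")
    if gw not in iface.network:
        # No on-link route to the gateway, so the device cannot ARP for it.
        problems.append(f"gateway {gw} is off-link for {iface.network}")
    return problems


def audit_inventory(inventory):
    """Map device name -> problems, listing only devices that need fixing."""
    report = {}
    for name, (ip, prefix_len, gateway) in inventory.items():
        problems = audit_device(ip, prefix_len, gateway)
        if problems:
            report[name] = problems
    return report


# Constructed inventory (names, addresses and the old gateway are assumptions).
SAMPLE_INVENTORY = {
    "ap-lobby": ("192.168.14.21", 23, "192.168.14.1"),      # fully migrated
    "ap-warehouse": ("192.168.15.40", 24, "192.168.15.1"),  # old static config
    "controller": ("192.168.15.10", 24, "192.168.14.1"),    # new gateway, old mask
}

if __name__ == "__main__":
    for name, problems in audit_inventory(SAMPLE_INVENTORY).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Because the old 192.168.15.x range sits inside the new /23, a device that kept its old /24 settings still holds an address that looks valid on the new LAN, which is why the mask and gateway have to be checked separately from the address.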
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.