Unifi AC Pro, Multiple VLAN, Controller software, Fixed IP for AP



  • I have struggled with trying to get my Unifi AC Pro controller software to be easily accessible. I am not quite sure my AP is optimized after configuring, despite VLANs working.

    I have resorted to configuring my Unifi AC Pro via a direct connection to my Macbook for initial VLAN configuration. I don't change any default settings on the Unifi AC Pro, get a lease on pfSense for the Unifi AC Pro (the "parent interface" for the VLANs), and get individual leases on pfSense for each VLAN client on the correct VLAN interface.

    Everything appears to be working after having to wipe the Unifi AC Pro with every major change I make to my wireless network (the phone app doesn't allow VLAN changes).

    I rarely go to the Unifi AC controller as all the visibility is in pfSense, however I am really struggling when I do need to access the controller. I am sure there is a right way to do this.

    Questions:

    1. I have read I am supposed to turn DHCP lease off on the AP (use as a "dumb device"), haven't needed to with Unifi AC Pro. How do I do this?
    2. How do I then access the Unifi AC Pro on an ongoing basis, since I cannot control Unifi AC Pro (via the software controller) on a VLAN (all SSIDs are VLANs) easily/efficiently without major configuration changes?

    I am trying to understand how to be on what I understand to be the same IP as the controller…

    Thanks,
    V3lcr0


  • LAYER 8 Global Moderator

    Where are you running the controller software?  What network?

    Where do you have your AP connected - what network?  Normally your AP and controller need to be on the same L2 so that the controller can adopt them.  The management of the AP would be on an untagged network.  While your SSIDs can have vlans assigned to them.  Be they static or dynamically assigned via radius.

    You can use L3 adoption - that is listed on their website if you want to run your AP on a different network than your controller.  But it's best to just have them on the same network which shouldn't really be a problem normally.  Only when you run the controller in a different location than your AP does the L3 adoption make sense - or if you run the controller in the cloud, etc.

    What version of the controller software are you running?  Some details of your network layout and we can figure out your problem.  As to dhcp - these are just APs, they would never run the dhcp server.  I run the controller on my 192.168.2.0/24 segment, with APs having 192.168.2.2, .3 and .4 addresses (I have 3) while there are multiple SSIDs that are different vlans for the wireless clients.



    To add to what John said, for management simplicity I would also highly recommend getting a separate device/machine to act as your controller.  Ubiquiti actually makes a Cloud Key that you can buy (should be less than $100) or I've also seen people set up a controller using a Raspberry Pi.  I think it will be somewhat difficult to use the same machine (in your case the Macbook) for the controller and for wireless access unless you plan to put both of those on the same subnet.  If you buy/build a controller you can put the controller and APs on one subnet (maybe your main LAN or a separate management LAN) and then connect with your Macbook to your wireless VLAN.  If you want to be able to control/configure the APs, just enable the necessary rules in your firewall for your Wireless VLAN (or just one wireless device) to be able to talk to the Ubiquiti Unifi controller that is located on a different subnet.

    Hope this helps.


  • LAYER 8 Global Moderator

    ^exactly!

    Let's say you have a lan network 192.168.0/24 where your macbook sits, and then you have an opt network 192.168.1/24 where your APs sit, and let's say some ssid vlans 192.168.3 and .4, etc.  If you're going to be moving your macbook around from the lan to wifi networks you would have a problem running the controller on that for sure..

    If the box you're running the controller on is just always on a different network then use the L3 adoption methods.
    https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers
    This article describes several different layer-3 methods for deploying UAPs

    If you do not have a box you can run on your opt network where your APs sit at the layer 2 level… I run mine on a VM, or that stays put on some other network so you can use L3 management.  Then as tman222 suggests, their little cloud key as they call it would be a nice solution..
    https://www.ubnt.com/unifi/unifi-cloud-key/
    The UniFi Cloud Key is an integrated computer and software controller minus the bulk. It features a quad-core processor with 2 GB RAM, operating the latest version of the UniFi Controller with built-in hybrid cloud technology.

    It's $79 on the unifi store..
    https://store.ubnt.com/products/unifi-cloud-key

    Or you can get it on amazon as well, so if you have prime you'd have it in a couple of days.
    https://www.amazon.com/Ubiquiti-Unifi-Cloud-Key-Control/dp/B017T2QB22



  • Thank you both,

    To answer your questions:

    I have some options in terms of where I can run the software, but I used my Macbook.

    To set the AP up, I reset the Unifi AP (hold the reset on the unit with a paper clip for 20 seconds) and then direct connect the controller to my Macbook, i.e. network cable directly into my Macbook (firewall off). I manually configured my Macbook to the default Unifi AP (192.168.1.20) and assigned a manual IP address for my Macbook of 192.168.1.28.

    Using the Unifi AP controller software, in the "Settings" -> "Wireless Networks" section I set up my VLAN SSIDs, i.e. name the ssid, create a password, enter a VLAN # that corresponds with the VLAN interface I created in pfSense.

    I literally do not change any of the other settings in the Unifi controller software… I then unplug the AP, plug it into the "opt1" jack of my 4 port pfSense box ("opt1" is also the parent interface of my VLANs).

    I see a lease on "opt1". The VLANs all work with the rules I want...yet I never can access my controller again.

    I use "5.5.20 Controller for Mac" set up above.

    My "opt1" interface is 192.168.1.5 (also the parent to the VLAN SSIDs), a dedicated interface on my pfSense box.
    VLAN interfaces are: 192.168.5.4, 192.168.9.4, 192.168.10.4, 192.168.20.4

    What I would like to do is:
    I also downloaded "UniFi 5.5.20 Controller for Debian/Ubuntu Linux" and have it running on a Fedora VM (not my Macbook).
    My first choice would be to connect this VM, maybe via a dedicated SSID for Unifi controller configuration.
    I would use this VM only for Unifi Controller stuff.

    Seems like the above would keep my isolated interfaces isolated… my initial thoughts are not to go with the L3 adoption.

    Follow up questions:

    1. Very intrigued about accessing the controller using my VM host (not the Macbook) using my VLAN wireless SSID. What would those strict rules look like? Is L3 adoption required for this?

    2. I like the Unifi Cloud Key… but have a massive distrust of anything cloud, especially for my wireless network controller. Seems very cool, but as a security fanatic… can this be trusted? Do you just plug a jack into your computer and the Cloud Key and log into a current VLAN? I need to learn to trust… so very open to this solution.

    3. Can I not simply broadcast a SSID, with the same IP as the controller, keeping me on the same L2, from the AP dedicated to a VM that runs the Controller software?

    Thank you again for thoughts...

    My preference is for a secure, trusted, super easy solution with limited configuration (dummy proof) and not being constrained by an additional $80 device.


  • LAYER 8 Global Moderator

    "I manually configured my Macbook to the default Unifi AP (192.168.1.20) and assigned a manual IP address for my Macbook of 192.168.1.28."

    huh??  This really makes no sense..  You mean you saw your AP available for adoption?

    "My first choice would be to connect this VM, maybe via a dedicated  SSID for Unifi controller configuration."

    You're wanting to run your controller on a box connected via wireless???  It doesn't work that way ;)

    "2) I like the Unifi Cloud Key…but have a massive distrust of anything cloud"

    They really did give that a bad name..  It's not cloud anything.. You do not have to enable the hybrid cloud access.  It just means you can hit a url in the cloud that will control your controller software.. You do not have to enable that, you can do the same exact thing with the controller software you run on your hardware.

    "3) Can I not simply broadcast a SSID, with the same IP as the controller,"

    Huh??  SSIDs do not have IPs.. you mean a network that your SSID connects to?

    Ok so your opt interface is network 192.168.1/24 - this is the untagged network

    you then have vlans..

    .5
    .9
    .10
    .20

    That run on your physical interface opt1. All great, what IDs did you set.. let's make them, for this discussion,

    50
    90
    100
    200

    to somewhat matchup..

    So your opt1 interface would be connected to a managed switch, set as trunk port for the port connected to opt1; your default untagged vlan (let's call it 1 since this is the switch's default vlan) would be your 192.168.1/24 network..

    now in this port you would tag 50,90,100 and 200..

    On your port connected to your AP.. you would have untagged vlan 1, and tagged 50,90,100 and 200.

    Somewhere else on this switch, or vm host for your untagged vlan 1 network you would have your controller set on this 192.168.1/24 network..  So now the L2 of vlan 1 your controller can see your AP and manage it.. sure the AP will have some IP on the 192.168.1 network as well that you can assign static in the controller or let the AP get via dhcp, etc.

    On the controller you could create an SSID that is untagged, ie no vlan, that would be on the vlan 1 network.

    You could then create different SSIDs that would be on your 50,90,100 and 200 vlans.

    This is the dummy proof basic setup for setting up vlans on your wifi...

    What switch are you using?  What do you have your lan connected to?  Are you wanting to directly connect your AP to your opt1 on pfsense?  If so you're not really going to be able to do L2 management..  Since you would have no way of putting your controller on this 192.168.1/24 network - unless you have another port on pfsense that you could bridge. But I really do not recommend that.

    To play with vlans - you really need a vlan capable switch!!!



  • @johnpoz:

    "I manually configured my Macbook to the default Unifi AP (192.168.1.20) and assigned a manual IP address for my Macbook of 192.168.1.28."

    huh??  This really makes no sense..  You mean you saw your AP available for adoption?

    Just to clarify, in order to adopt the AP I connected the AP network cable directly to my Macbook, then on my Mac went to System Preferences -> Network -> then manually configured the IPv4 connection on my Macbook to:

    IP Address -  192.168.1.28
    Subnet Mask - 255.255.0.0
    Router - 192.168.1.20 (Unifi AP default)

    I was then able to adopt the AP on my Macbook using the Unifi software.

    @johnpoz:

    "My first choice would be to connect this VM, maybe via a dedicated  SSID for Unifi controller configuration."

    You're wanting to run your controller on a box connected via wireless???  It doesn't work that way ;)

    Darn…

    @johnpoz:

    "2) I like the Unifi Cloud Key…but have a massive distrust of anything cloud"

    They really did give that a bad name..  It's not cloud anything.. You do not have to enable the hybrid cloud access.  It just means you can hit a url in the cloud that will control your controller software.. You do not have to enable that, you can do the same exact thing with the controller software you run on your hardware.

    I'll research this more… it looks like a device that will dangle off my AP? Or admin computer?

    @johnpoz:

    "3) Can I not simply broadcast a SSID, with the same IP as the controller,"

    Huh??  SSIDs do not have IPs.. you mean a network that your SSID connects to?

    Ok so your opt interface is network 192.168.1/24 - this is the untagged network

    you then have vlans..

    .5
    .9
    .10
    .20

    That run on your physical interface opt1. All great, what IDs did you set.. let's make them, for this discussion,

    50
    90
    100
    200

    to somewhat matchup..

    So your opt1 interface would be connected to a managed switch, set as trunk port for the port connected to opt1; your default untagged vlan (let's call it 1 since this is the switch's default vlan) would be your 192.168.1/24 network..

    now in this port you would tag 50,90,100 and 200..

    On your port connected to your AP.. you would have untagged vlan 1, and tagged 50,90,100 and 200.

    Somewhere else on this switch, or vm host for your untagged vlan 1 network you would have your controller set on this 192.168.1/24 network..  So now the L2 of vlan 1 your controller can see your AP and manage it.. sure the AP will have some IP on the 192.168.1 network as well that you can assign static in the controller or let the AP get via dhcp, etc.

    On the controller you could create an SSID that is untagged, ie no vlan, that would be on the vlan 1 network.

    You could then create different SSIDs that would be on your 50,90,100 and 200 vlans.

    This is the dummy proof basic setup for setting up vlans on your wifi…

    What switch are you using?  What do you have your lan connected to?  Are you wanting to directly connect your AP to your opt1 on pfsense?  If so you're not really going to be able to do L2 management..  Since you would have no way of putting your controller on this 192.168.1/24 network - unless you have another port on pfsense that you could bridge. But I really do not recommend that.

    To play with vlans - you really need a vlan capable switch!!!

    My default LAN is currently connected directly to an admin computer via wire to my pfSense. I was hoping to use this to access the AP, but now understand a bridge is not recommended.

    My 4 port pfSense box is connected as follows:

    port #1 - WAN (connected to my modem)
    port #2 - opt1 (connected directly to AP), parent to 4 VLANs which I use to segment all wireless devices
    port #3 - LAN (admin access… strict rules)
    port #4 - Apple TV

    I had a smart switch connected to my network but today my AP is directly connected to my pfSense box (4 ports are available).

    While the extra ports a switch provides are great for the future… I would only be buying a switch to manage the Unifi controller, which I rarely use, for initial setup and changing passwords.

    I was really trying to avoid a switch but point taken… wishful thinking that I could change a password without a switch, L3 configuration or a bridge. I need to do some more work…

    While I have been happy with my Unifi… is there a possible AP you might recommend that doesn't require this kind of configuration and can support VLANs?

    Thank you both! I really appreciate the advice...


  • LAYER 8 Global Moderator

    IP Address -  192.168.1.28
    Subnet Mask - 255.255.0.0
    Router - 192.168.1.20 (Unifi AP default)

    That is just utterly BORKED… Where would you get the idea that you would set the mac book gateway to your AP??  It's an Access Point, not a router…

    "While I have been happy with my Unifi...is there a possible AP you might recommend that doesn't require this kind of configuration and can support VLANs?"

    Huh??  The APs from unifi are drop dead simple.. No matter what AP you get, the infrastructure that connects it to your network has to support vlans.

    If your admin computer sits on your LAN, then just use the L3 adoption I linked to..  Run the controller there.

    So you have a smart switch that has extra ports??  If so you're all set.. As long as the box you're going to run the controller on is wired you can run it on any network and just put the AP management on that L2..  Give me a bit and I will draw you a picture.  Not saying you can not move this box to wireless when you want to use wireless.  Just that when you want to admin the AP it would be wired..  The controller software does not have to be running all the time.  Unless you want to use fancy features like Captive Portal or something, and you want to have all the stats on wireless use and connected clients, etc.

    edit:
    Here you go - with a smart switch you can put ports on whatever L2 network you want.  So your mac book that is on the LAN can run the controller software.  The AP can be on the LAN network and your SSID can be on whatever vlans you want, etc.

    Color coded the ports for the different vlans they are on.  Black is a trunk port that would carry tagged and/or 1 untagged vlan.  The only requirement is that the AP management IP has to be untagged..  So on the trunk port just carry whatever vlan you set up on your smart switch for your lan network to the AP as untagged.. It really is that simple!  Now your mac (running the controller) and your AP are all on the same L2.

    In this setup any ssid you run that does not have a vlan associated with it would be on the LAN network.




    Thank you Johnpoz… this is awesome! I am going to need some time to try these options out… this is really helpful.


  • LAYER 8 Global Moderator

    Great, glad I could help, sometimes it just takes a bit to get all the info together so everyone is on the same page.  Any questions on this sort of setup - just ask.

    What specific smart switch do you have.. Hope it's not the tp-link gs10(5,8)e line – you can not remove vlan 1 from ports on those..



    My old switch is an old DSG-1100-05… was going to tackle that configuration last if needed.

    Some good news, although Johnpoz you might call it "borked", but I managed to plug my Macbook into the secondary network jack on my Unifi AP Pro. Then on my Mac went to System Preferences -> Network -> then manually configured the IPv4 connection on my Macbook to:

    IP Address -  192.168.1.8
    Subnet Mask - 255.255.0.0
    Router - 192.168.1.40 (The Unifi AP IP) - This is the same fixed IP showing on my pfSense for the AP

    I believe this put me on the same L2 network as my AP. It worked (allowed me to adopt my AP), allowed me to change passwords, add VLANs, etc., i.e. provision my AP. Saves me wiping my AP for every change.

    Still seems like a hack though… as I still need to physically connect to the AP.

    I was looking through the ubnt link posted here: https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

    and thought L3 adoption via "DHCP Option 43" was a good option (however I don't have a "Ubiquiti's EdgeMax routers"). There was a screenshot of a pfSense setting that needs to be changed for this solution (I have attached the screenshot) but no other details about what other configurations are needed or steps to take (no love for pfSense!). I managed to find where this setting is through my GUI by following:

    Services -> DHCP Server -> The interface you want to give access -> "Additional BOOTP/DHCP Options"

    However I was hoping for some specific answers:

    1. Do I need a "Ubiquiti's EdgeMax routers"?
    2. Is using the "DHCP Option 43" option best?
    3. In the screenshot it shows a "value", is this the MAC address for the Unifi AP that shows up in my leases on pfSense?
    4. What other configurations are needed on pfSense?

    Tell me it is this simple!!

    Any recommended L3 adoption option?

    Thanks again…

    ![Screen Shot 2016-10-14 at 12.59.17 PM.png](/public/imported_attachments/1/Screen Shot 2016-10-14 at 12.59.17 PM.png)
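    The post above asks what the "value" in the pfSense option 43 field is. As an added example (not code from this thread or from Ubiquiti), the block below builds and checks that value: for UniFi DHCP-based adoption, option 43 carries a single vendor sub-option with code 1, a length byte of 4, and the IPv4 address of the controller, entered in pfSense as a colon-separated hex string. The controller address 192.168.1.5 used in the example is a constructed placeholder; substitute the address of the box that actually runs the controller.

```python
"""Build and validate the DHCP option 43 value a UniFi AP uses to locate its controller.

Added example; the controller IP below is a constructed placeholder.
"""
import ipaddress

# Ubiquiti vendor sub-option that carries the controller (inform) IPv4 address.
UNIFI_SUBOPTION_CONTROLLER = 1


def encode_unifi_option43(controller_ip: str) -> str:
    """Return the colon-separated hex string to paste into pfSense's option 43 field.

    Layout: [sub-option 1][length 4][4 bytes of the controller IPv4 address].
    """
    packed = ipaddress.IPv4Address(controller_ip).packed  # raises on non-IPv4 input
    tlv = bytes([UNIFI_SUBOPTION_CONTROLLER, len(packed)]) + packed
    return ":".join(f"{b:02x}" for b in tlv)


def decode_option43(hex_value: str) -> dict:
    """Parse a vendor-specific option 43 string into {sub_option_code: bytes}.

    Accepts "01:04:c0:a8:01:05", "01 04 c0 a8 01 05" or "0104c0a80105".
    Raises ValueError on a truncated TLV so a typo is caught before the AP ever sees it.
    """
    raw = bytes.fromhex(hex_value.replace(":", "").replace(" ", ""))
    sub_options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0xFF:  # optional end-of-options marker
            break
        if i + 1 >= len(raw):
            raise ValueError(f"sub-option {code} has no length byte")
        length = raw[i + 1]
        data = raw[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} declares {length} bytes, only {len(data)} present")
        sub_options[code] = data
        i += 2 + length
    return sub_options


def controller_ip_from_option43(hex_value: str) -> str:
    """Extract the controller IPv4 address from an option 43 value, or raise ValueError.

    A MAC address (6 bytes) or anything else that is not a 4-byte IPv4 address is rejected:
    the AP needs the controller's IP here, not its own hardware address.
    """
    data = decode_option43(hex_value).get(UNIFI_SUBOPTION_CONTROLLER)
    if data is None:
        raise ValueError("sub-option 1 missing: the AP would not learn a controller address")
    if len(data) != 4:
        raise ValueError(f"sub-option 1 must be a 4-byte IPv4 address, got {len(data)} bytes")
    return str(ipaddress.IPv4Address(data))


if __name__ == "__main__":
    # Constructed placeholder: the host running the UniFi controller.
    value = encode_unifi_option43("192.168.1.5")
    print("pfSense option 43 value:", value)            # 01:04:c0:a8:01:05
    print("decodes back to:", controller_ip_from_option43(value))
```

    In pfSense the option is entered under the DHCP server for the interface the AP leases from, with number 43, type String, and the value printed above. The AP also needs a firewall pass rule from its subnet to the controller's inform port (TCP 8080 by default) if the two sit on different interfaces.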



    While DHCP Option 43 is one way to go about this, I've actually used the DNS method in a situation where I've had a Unifi compatible device on a different subnet than the subnet the controller was on.  It was very quick and simple to set up/configure.  All you really have to do is make sure that the device (AP, switch, etc.) can resolve 'unifi' to your controller's IP address.  By way of example, let's say your controller is on subnet 1 and a Unifi compatible device is on subnet 2.  Once you add the DNS configuration so unifi resolves to your controller's IP on your local network, all you would have to do is add a pass rule in the firewall allowing traffic from the unifi compatible device in subnet 2 to flow to the controller in subnet 1 (i.e. allowing the device in subnet 2 to talk to the controller in subnet 1) - assuming these two subnets aren't already allowed to pass traffic between them.  If that's all set up properly, once you log into the controller in subnet 1 you should then see the device in subnet 2 show up as being ready to be adopted.

    Also, I want to reiterate something that John mentioned already above:

    The only requirement is that the AP management IP has to be untagged

    This is very important to keep in mind, otherwise you'll run into problems with configuration/adoption (it likely won't work at all).

    Hope this helps.

    Edit:  I just saw the network diagram that John drew above - this explains the setup very well.


  • LAYER 8 Global Moderator

    The secondary port is a bridged port, and sure you could do that.. But seems like a hack, when you could set it up correctly.

    "Router - 192.168.1.40 (The Unifi AP IP) - This is the same fixed IP showing on my pfSense for the AP"

    Again - seems you don't understand basic networking at all.  In no case would the router on your mac book do anything good pointing to the AP IP.. there is no point to this ever!  The AP is not a router.. In such a setup your mac book would not have internet access or access to any of your other segments.. If anything, if you're going to connect your mac to the 2nd port on the AP, then its gateway/router would be the pfsense IP on that network.

