Pfsense and Unifi controller/AP on different subnets

notaduck · Dec 9, 2020, 12:51 PM

Hi guys. I have two subnets on my network

10.0.1.0/24 (LAN)
10.0.2.0/24 (DMZ)

I have AP connected to the LAN interface and the I have a proxmox host in DMZ with an LXC container hosting the UNIFI Controller.
However, the controller cannot see the AP the LAN subnet. Anyone, who knows if this is 100% impossible for the controller to adopt the AP since they arent on the same subnet?

stephenw10 · Dec 9, 2020, 12:55 PM

There are several ways to make that work. It's the access point that has to be able to connect to the controller.

The easiest way I have found is to set a host override for 'unifi' and point it at the controller IP. The AP will try to resolve that to connect to the controller.

You can also ssh into the AP and set the controller IP manually.

Steve

notaduck · Dec 9, 2020, 12:56 PM

@stephenw10 Thanks for the fast reply! I will try to give it a shot

johnpoz · Dec 9, 2020, 1:30 PM

This is just L3 adoption - here
https://help.ui.com/hc/en-us/articles/204909754-UniFi-Layer-3-Adoption-for-Remote-UniFi-Controllers

Be it your controller is just on another vlan locally or remotely doesn't really matter.. I manage my sons USG and flexHD remotely on my controller.

You do need to make sure the ports are open as well.. 8080, 3478 I do believe.

JKnott · Dec 9, 2020, 1:57 PM

@notaduck

I recently set up a Unifi AP. Part of the process is the controller has to be able to find the device. That likely won't happen if it's on the other side of the router. However, the controller should be reachable via it's IP address. So, you'll have to do some manual config, as described above.

JKnott · Dec 9, 2020, 2:00 PM

@johnpoz said in Pfsense and Unifi controller/AP on different subnets:

8080, 3478 I do believe.

I allowed 8080 through my firewall, but I didn't do 3478, as that's for STUN, which I don't need.

notaduck · Dec 9, 2020, 2:09 PM

@stephenw10 I managed to get it to work, I used ssh to connect to the AP with default ubnt:ubnt creds and used set-inform http://ip-of-controller:8080/inform to set the IP of the controller.

bingo600 · Dec 9, 2020, 2:58 PM

@notaduck said in Pfsense and Unifi controller/AP on different subnets:

@stephenw10 I managed to get it to work, I used ssh to connect to the AP with default ubnt:ubnt creds and used set-inform http://ip-of-controller:8080/inform to set the IP of the controller.

If you create a unifi dns entry or override , and let it point to the controller ip , that login shouldn't be needed.

But i seem to remember that my AP liked to have TCP 8080 and 22 opened.

Edit: Correct dns name

/Bingo

stephenw10 · Dec 9, 2020, 2:47 PM

Nice!

I always forget about using their phone app which makes it easy. For most people at least

Steve

johnpoz · Dec 9, 2020, 3:07 PM

@jknott said in Pfsense and Unifi controller/AP on different subnets:

as that's for STUN, which I don't need.

I wanted it because my son's devices at his house so there is nat between, etc.

JKnott · Dec 9, 2020, 4:36 PM

@johnpoz said in Pfsense and Unifi controller/AP on different subnets:

I wanted it because my son's devices at his house so there is nat between, etc.

That problem could be avoided, if the gear supported IPv6. As far as I can tell, my AP configuration only supports IPv4. On the other hand, the controller supports IPv6, if it's available on the host system. My cell phone is IPv6 only, using 464XLAT for IPv4 sites, so if I had my controller on it, it would have to use that on the phone and NAT at the remote site, when IPv6 would eliminate the need for both.