Unifi Dream Machine and PFSense
-
@tyler-montney-0 said in Unifi Dream Machine and PFSense:
However, it is indeed a router and cannot get rid of that aspect.
Sure you can.. Just don't use its routing features.. It runs its own controller.. Set up whatever networks you want to use for wifi.. Tag them.. Now all that is being done is bridge the wifi to the wired L2.. Connect it to your wired network via either multiple ports as uplinks on the respective vlans. Or just trunk 1 and carry all your wireless vlans on it, and whatever management vlan you're using on the UDM.
Just like you would do with any other soho wifi router that you just want to use as an AP.. Connect it to the network via one of its lan ports, turn off its dhcp server = AP..
Just because something can route - doesn't mean you have to use it as that or it needs to be used to function. It's a smart 4 port switch, and 4x4 AP that does vlans.. There is nothing saying you have to let it route..
Taken to basics, all an AP is is a bridge between wifi and wired.. Sure there is some authing to connect to the wifi side. But after that happens it just bridges traffic from the wifi to the wire.. And either puts a tag on it, or doesn't, when it puts it on the wire.
If you google how to use a UDM as an AP you run into "you can't" because it runs its own controller and can not be adopted by another controller as just an AP.. But there is nothing saying you can not just use it as an AP in your own network.. When it comes down to it - it's a fancy soho wifi router. It has some routing features, it has a 4 port switch and AP.. Since it runs the controller software on itself, you don't need to adopt it by anything. Just set up wifi networks how you want, turn off its dhcp server and connect it to your network via one of its lan ports, or multiple if you want to use the different ports as uplinks for specific vlans, vs doing trunking..
The controller software is nothing more than the web gui you see on any other wifi router..
edit:
Only problem you might have is if wan is not connected, the UDM might not be able to download updates when you want to update the controller software or firmware on the AP? But I would hope there would be other ways to put the firmware on the thing without having to pull it from the internet. I can put firmware on my AP by just pointing it to a URL to grab it from other than the unifi urls.. But you could always just create a new vlan on pfsense, and use that for the UDM's wan network - and just not do anything with it other than letting the UDM talk to the internet to grab updates.
If I had one to play with - I'd be happy to walk you through a setup.. But was never a fan of such a device.. An AP should be mounted correctly in the area to provide wifi coverage for the area you're trying to provide wifi for.. Why would I want that in the same box that is doing my routing/firewalling.. Other option is sell the thing you really have no use for other than as an AP, and just get an actual AP ;) And mount it in the area that best provides wifi coverage for what you want to cover in wifi, or get multiple APs, etc.
edit2: I just looked to see if I could find a used one on ebay for a low enough price to play with it.. They seem to be going for retail price or higher... Sell it and just get an AP or 2 or 3 of them ;)
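Added example, not code from the thread or from Ubiquiti/pfSense: a small checker for the trunk setup described in the post above (wireless VLANs plus the UDM's management VLAN carried on one tagged uplink). It parses 802.1Q tags from raw Ethernet frames and flags untagged frames or VLAN IDs that should not be on that link, such as the UDM's WAN VLAN leaking onto the LAN-side trunk. All VLAN IDs, MAC addresses and frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q VID/PCP, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:  # tagged: 2-byte TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0) -> bytes:
    # Construct a frame, inserting an 802.1Q tag only when a VID is given.
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def audit_trunk(frames, allowed_vids, allow_untagged=False):
    """Return (index, reason) for every frame that violates the trunk policy."""
    findings = []
    for i, f in enumerate(frames):
        vid = parse_frame(f)["vid"]
        if vid is None:
            if not allow_untagged:
                findings.append((i, "untagged frame on trunk"))
        elif vid in (0, 4095):
            findings.append((i, f"reserved VID {vid}"))
        elif vid not in allowed_vids:
            findings.append((i, f"unexpected VID {vid}"))
    return findings

# Constructed VLAN plan: two wireless VLANs, a management VLAN, and a separate
# VLAN used only as the UDM's WAN, which must never appear on the LAN-side trunk.
WIRELESS_VIDS, MGMT_VID, UDM_WAN_VID = {10, 20}, 99, 200
TRUNK_VIDS = WIRELESS_VIDS | {MGMT_VID}
UDM, PFSENSE = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
SAMPLE_FRAMES = [  # constructed captures from the trunk port
    build_frame(PFSENSE, UDM, 0x0800, b"ip", vid=10),
    build_frame(PFSENSE, UDM, 0x0800, b"ip", vid=MGMT_VID, pcp=5),
    build_frame(PFSENSE, UDM, 0x0806, b"arp"),                  # untagged
    build_frame(PFSENSE, UDM, 0x0800, b"ip", vid=UDM_WAN_VID),  # WAN VLAN leaked
]
```

Running `audit_trunk(SAMPLE_FRAMES, TRUNK_VIDS)` reports the untagged ARP frame and the frame tagged with the WAN VLAN; a real capture from the trunk port can be fed in the same way.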
-
UDM does actually have an interface on the management VLAN.
@johnpoz I'll review your comment tomorrow.
-
Ah, well you should be able to connect to the UDM using its IP in the management VLAN from that host in the same VLAN without issue. That traffic would not go through pfSense at all.
Steve
-
"Or just trunk 1 and carry all your wireless vlans on it, and whatever management vlan your using on the UDM."
I could've sworn this didn't work, just based on how wacky Ubiquiti is. No harm in trying again.
"Only problem you might have is if wan is not connected, the UDM might not be able to download updates when you want to update the controller software or firmware"
WAN is required at setup and to download updates.
"and just not do anything with it other than letting the UDM talk to the internet to grab updates."
Yep, whitelisting works wonders here.
"If I had one to play with - be happy to walk you through a setup.. But was never a fan of such a device."
Same here, but unfortunately nothing rivals it (that I know of). You're forced to use it if you want to use access control or the NVR. I would've gone with Axis, but it's like triple the cost. It's a shame there's such a disconnect between development and the real world. There's not even a way to automatically back up the recorded video (not officially).
-
So running off just one interface, on the UDM, won't work (just tested). You have to define a "Network" (aka an Interface) to tell it which VLAN/subnet it's on. Otherwise, it won't know what to do with the tagged traffic.
-
Nonsense... You do not have to assign the network to an interface.. It would be impossible to do vlans then..
Or just assign them all to the same port.. Putting in a vlan tag..
-
@tyler-montney-0 said in Unifi Dream Machine and PFSense:
You're forced to use it if you want to use access control or the NVR
You could have just gotten their NVR.. Or just run their nvr software on anything you already had.. You sure don't need a UDM, their little cloudkey can be the NVR..
Oh it seems they might have changed that, you do need one of their products to use "protect".. That didn't use to be the case back... But you made no mention of cameras before. But the little cloudkey ck+ would work for that..
When it was unifi video you could run it on your own hardware..
-
It's that new interface that's the problem. It doesn't show that as an option unless you switch to the legacy interface (which "will impact performance"). I figured I had to since I saw no other option.
"You could have just gotten their NVR."
Since I want to use all 4, I can't. Unifi Video is deprecated.
-
@tyler-montney-0 said in Unifi Dream Machine and PFSense:
legacy interface (which "will impact performance")
What? You can switch back and forth between the legacy and new UI, I do it all the time on mine.. And using legacy sure doesn't impact performance ;) heheh
-
Referring to this:
-
It's BS ;)
It also shows you this - when something is missing.
-
Right. Spend enough time in the new settings, I forget to check.
What's also amazing is now that I've done this, the new UI no longer shows the VLAN-only networks. Only will if I switch back.
Go figure, I get UDM help in the PFSense forum. I posted about this on their forum and got no help.
Although I didn't fix the asymmetric routing issue, changing my networks to VLAN-Only has removed that option and makes it irrelevant. Consider this solved, thanks for everyone's help.
-
There are many a unifi user here.. Just normally the AP.. I was thinking of getting some of their cameras - but if they have pulled the ability to run their software on my own hardware.. Have to rethink that..
I got a cheap PTZ camera a couple of weeks back to help someone on another forum - and use as test for my own use.. It works with my NAS surveillance software..
I have no problem buying hardware to play with - as long as it's not too expensive ;)
There are plenty of options out there for cameras, you sure do not need to use unifi, or lock yourself into their software/hardware.
edit: Yeah you can leave your udm with a wan, I would put that on its own vlan for pfsense - and then just don't use it for any routing of your networks. Leave that up to pfsense ;)
-
"There are plenty of options out there for cameras, you sure do not need to use unifi, or lock yourself into their software/hardware."
True but it's a bit of a rabbit hole. I'm very happy with their wireless. Then I notice they have cameras. And then I see access control. And, oh, VOIP looks interesting I might try that. It's a balance among ecosystem, price point, and quality. Ubiquiti could be better, but I don't know of anyone else who does what they do in this range. If there was something reasonable between that of Ubiquiti and Axis, I'd certainly love to hear about it (even if it meant doing wireless/VOIP with ubiquiti, and camera/access control with another vendor).
-
Very true about the rabbit hole ;)
edit: The cheap camera I got was from amcrest.. I sure don't have enough play time with it or any of their software.. To say one way or the other if any good.. But got it to work with my nas software. And it seems to be ok for picture. And it was cheap ;)
The reason I had gotten it was a user having an issue with delay in RTSP, etc. I have not seen any of that - he has a really messed up network.. Which I told him from the get go, but to prove it to him I got a shit camera capable of RTSP that has sub 1 second delay (few ms really).. Showed him that with video of a clock running on my ipad, etc.. ;) heheh
-
"Yeah you can leave your udm with a wan, I would put that on its own vlan for pfsense"
First thing I did, actually.