Unifi Network Controller & Pfsense

Tux4000 · Jul 28, 2022, 5:31 AM

Somewhat new to Pfsense & Unifi, so my question is what do I need to do it get Unifi to get passed Adopting status?

I know its Pfsense causing the issues, as if I remove my laptop off the pfsense network kinda via VPN service then the Adopting status changes to ready & everything is working?

I tried opening ports, firewall rules, nothing works.

Both the controller & AP is on the same network (subnet)

Pfblocker installed, & I checked all the logs & even disabled it to see if that was the cause, still no luck.

I noticed if use my phone as the controller on the same network its fine, but using the laptop as a controller it causes issues. My laptop is a Mac if that makes any difference.

Gertjan · Jul 28, 2022, 6:51 AM

@tux4000 said in Unifi Network Controller & Pfsense:

Both the controller & AP is on the same network (subnet)

I'm not using Unifi APs (yet), but if the controller and AP's are on the same network, like 192.168.1.0/24 then 'pfSense' isn't your issue.
You saw info like this ?

the other · Jul 28, 2022, 11:56 AM

@tux4000
hey there,
as stated before, in case all your unifi stuff (cloudkey/controller and APs) sit in the very same network, you should need to do anything with pfsense.

Here I use a cloudkey, 2 APs...all in the same subnet, so they adopt quite well without ANYthing configured in pfsense...

NogBadTheBad · Jul 28, 2022, 12:11 PM

@tux4000 Try setting DHCP option 43.

https://community.ui.com/questions/pfSense-DHCP-provision-option/b42003ce-7560-4680-8731-805e59459bfc

stephenw10 · Jul 28, 2022, 1:01 PM

@tux4000 said in Unifi Network Controller & Pfsense:

if I remove my laptop off the pfsense network kinda via VPN service

Probably going to need more details there. That's the opposite behaviour of what would be expected.

Steve

Tux4000 · Jul 28, 2022, 7:41 PM

Hmm ok as it sounds its not Pfsense. So maybe it's the Mac laptop causing the issues.

I keep working on it & if I find a solution I will post it.

Thx for everyone that responded

johnpoz · Jul 28, 2022, 8:02 PM

@tux4000 said in Unifi Network Controller & Pfsense:

I keep working on it & if I find a solution I will post it.

A solution to what exactly?

While curious to what your actual issue is, if the controller and AP on the same network then pfsense has nothing to do with conversations they would have between each other, be that unicast, broadcast or multicast..

I have been running unifi controller and AP for quite a few years now, and have even played with their little flex mini switch, both locally for my own network. And even managed my sons unifi network remotely using L3 adoption when he was using my old usgp3 as his router, and a flexHD AP.

Pfsense is a router to get off a network, and a firewall between networks attached to it but it has nothing to do with devices on the same network from talking to each other - no router does.

So unless your running a bridge on pfsense where your controller is on 1 side of the bridge and your AP on the other side pfsense has nothing to do with the traffic between your controller and the AP. Are you bridging in pfsense?

Tux4000 · Jul 28, 2022, 8:51 PM

@johnpoz The issue is the controller that's installed on my Mac Laptop won't go past "Adopting" unless I turn on the VPN (PIA) and then the controller communicates just fine to the AP.

Both the controller & AP is on the same network & subnet.

It makes no sense I know, thats why I am stumped on what's going on. It must be the Mac Laptop, but no clue why, the firewall is off etc?

stephenw10 · Jul 28, 2022, 9:04 PM

Yeah, it's the opposite of what you might expect so look at what actually changes when you enable the VPN. Different DNS? Different default route?
I assume it still has a route for locally connected subnets since it's able to respond to the APs

Steve

Tux4000 · Jul 29, 2022, 5:13 AM

@stephenw10 I got it finally, I followed your suggestion on finding what changes with the VPN on.

Problem was Split Tunnel in the VPN app PIA. Works even if PIA app is not running.

If the VPN is not Online the programs on the Split Tunnel List can't talk to the internet. The Unifi Network was NOT one of the apps on the Split Tunnel list but I thought maybe its blocking ports that those apps on the list might share with Unifi Network, as Pfsense was ruled out.

So I turned off Split Tunnel completely & now the Unifi Network works perfectly without needing the VPN on.

stephenw10 · Jul 29, 2022, 12:08 PM

Ah, good catch!

A Former User · Aug 10, 2022, 2:02 PM

UniFi on pfSense

johnpoz · Aug 10, 2022, 2:12 PM

@dobby_ while some people are ok with doing that - I would suggest against doing such a thing. If you really want to run your unifi an pfsense on the same box - prob better to run them both as VM on some VM host.. I would not think it a good idea to introduce 3rd party packages into the pfsense OS.. Unless the 3rd party stuff has been given atleast an ok from the pfsense devs by allowing it into pfsense package system.

Now this is just a guess on my part, and my opinion could be biased towards my own setup. But I would "think" that most people that have the want/desire to run pfsense would also have something else they could run the controller on, a VM on a nas, a docker on some other box they have on their network, or some pi or some other box, etc. I would again just "guessing" here that people that have decided to run pfsense also have a few other toys in their toybox, so should have something other than their firewall to mess around with when running stuff like controller software for APs.. But maybe that is just me? ;)

stephenw10 · Aug 10, 2022, 2:15 PM

Yup, I have to agree. It's impossible to recommend that. None of that is tested by us before release. Also... java.

Gertjan · Aug 10, 2022, 2:22 PM

@johnpoz said in Unifi Network Controller & Pfsense:

But maybe that is just me? ;)

+1

At the end of the month I'll have to fire up a VM to host that ynfi controller app, as I deploy my new AP's.
That is, if I really need that application, I'm not sure yet.
And if the VM isn't easy enough, I'll go for their box version.

johnpoz · Aug 10, 2022, 2:54 PM

@gertjan I believe the unifi app is only required if your going to be doing something with vlans, or you want to run a captive portal sort of thing.There may be some other things not aware of - but those 2 come to mind.

if vlans - you can fire it up, set it an then turn it off - so that could be just run on your PC or laptop when you "need" to make a change.

I do like it running, just for insight on what is going on with all the wifi clients - what speeds are they connected at, what specific AP they are connected to (I have 3) 4 if you count flexHD that is on and off the network.

It doesn't require a lot of resources - it sits pretty much idle as a vm on my nas. To be honest I mostly use it to make sure clients are connected to the AP I want them to be connected to ;) After I do a rolling update of firmware - clients tend to have moved to a different AP, and don't always jump back to the one I think they should be on right away. So after a rolling update has completed I will look at all the clients, and for example some of my smart lights might be connected to the hallway AP vs the one in the kitchen where they are. Sending a simple reconnect for that client normally has them pop right up on the correct AP. Now if I let it sit long enough maybe they would move on their own at some point.

But the info it provides can be handy - and for sure is pretty eye candy ;)

the other · Aug 10, 2022, 6:14 PM

@johnpoz hey there,
indeed, it is only needed for changing settings, setting up vlans, captive portal and such...
I handle it the same way: I got it running 24/7 anyways, cause it is nice to have that specific "extra" dashboard and possibilities.
And it does look quite nice :)

I never bothered with vm or letting it run on a separate pc as many do, I went for the boxed version at once, lazy as I am. It does not need much power, runs well from day one and (knock on wood) did not break so far (around 3 years now).

Some of unifi's stuff is not really well implemented imho: using your own https/ssl certificate is rather complicated...moving away from default management vlan is a little tricky (it took some time to adopt my APs again).

As to the topic of this thread...no, I do not need it integrated in pfsense (not to say, it does not feel good to imagine that).
It is imho the same as with modern NAS...people tend to activate every single service just because it is possible...well. It is a storage after all, not a full server, but that's jm2c
:)

johnpoz · Aug 10, 2022, 6:34 PM

@the-other said in Unifi Network Controller & Pfsense:

using your own https/ssl certificate is rather complicated

They for sure could make that easier - its sad really why they have not just added such a basic thing to the gui..

Setting up my printer to use a specific cert it easier than with the unifi controller..

the other · Aug 10, 2022, 6:42 PM

@johnpoz
I actually gave up along the way and set an exception to my browser...lazy me.
:D

johnpoz · Aug 10, 2022, 7:02 PM

@the-other its not all that hard, here I saved these instructions. But it is PITA

delete the old keystore and restart unifi to create an empty keystore:
rm /var/lib/unifi/keystore
service unifi restart

openssl pkcs12 -export -in server.domain.net.cert.pem -inkey server.domain.net.key.pem -certfile ca.cert.pem -out unifi.p12 -name unifi -password pass:aircontrolenterprise

keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

service unifi restart

Just use a ca in pfsense, and then download your cert and key file from your cert - but you have to join them all together with openssl, lets hope by next time I need to do this june of 2023 they have made it easier ;) but I doubt it.