Unifi

The automagic way

With this method the UniFi devices find the controller automagically, without any per-device configuration.

First make sure that these ports on the PC running the controller software are open: TCP/8080, TCP/8843, UDP/3478

Then:
  1. If the controller is on the same subnet/physical network you don't need to do anything at all
  2. If not you must do either of these:
    1. Configure DHCP option 43 for unifi. If you are using Windows DHCP follow this howto. If you are using pfSense follow this howto, but for the specific HEX bytes enter 0104aabbccdd (where aabbccdd is the IP of the controller in hex -- see again this link for a way to convert the IP to hex).
    2. Otherwise, configure your DNS server so that the name unifi resolves to the IP of the controller. Test with ping unifi, which should start pinging the IP of the PC running the controller software. Note that in a Windows domain you had better test the ping from a PC or other device (e.g. a smartphone) that does not belong to the domain, because the UniFi devices will not be part of the domain either.
That's it.
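To produce the 0104aabbccdd value without an online converter, here is an added shell helper (not part of the original page) that validates the controller address and emits the option 43 hex. It also prints the same bytes in dnsmasq's dhcp-option syntax; that dnsmasq form is my assumption, the page only covers Windows DHCP and pfSense.

```shell
#!/bin/sh
# Encode a controller IPv4 address as the DHCP option 43 payload UniFi devices
# expect: sub-option 0x01, length 0x04, then the four address bytes in hex.
# Example: 192.168.2.2 -> 0104c0a80202 (the raw hex value pfSense asks for).
unifi_option43() {
  ip="$1"
  # Exactly four dotted-decimal octets without leading zeros (a leading zero
  # would make printf read the octet as octal).
  echo "$ip" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' \
    || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  hex="0104"
  old_ifs="$IFS"; IFS=.
  set -- $ip            # split the address into its four octets
  IFS="$old_ifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || { echo "octet out of range: $octet" >&2; return 1; }
    hex="$hex$(printf '%02x' "$octet")"
  done
  echo "$hex"
}

# The same payload as a dnsmasq directive (assumed syntax: colon-separated hex
# bytes; not from the page).
unifi_option43_dnsmasq() {
  hex=$(unifi_option43 "$1") || return 1
  echo "dhcp-option=43,$(echo "$hex" | sed 's/../&:/g; s/:$//')"
}

# Usage: sh option43.sh <controller-ip>   (defaults to the page's example address)
unifi_option43 "${1:-192.168.2.2}"
```

Running sh option43.sh 192.168.2.2 prints 0104c0a80202, which is the string to paste into the pfSense option 43 field as described above.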

Example of DNS server configuration for pfSense:

76c03c1582eec284dabb44539b748192.png



The manual way

With this method you connect with ssh to each UniFi device and force it to get adopted by a controller it cannot detect automatically.

First make sure that these ports on the PC running the controller software are open: TCP/8080, TCP/8843, UDP/3478

Command to force adoption

ssh administrator@192.168.2.23
BZ.v3.7.19# set-inform http://192.168.2.2:8080/inform

Adoption request sent to 'http://192.168.2.2:8080/inform'.
...

Command to check adoption

BZ.v3.7.19# info

Model: UAPv2
Version: 3.7.19.5372
MAC Address: 78:8a:20:92:ef:71
IP Address: 192.168.2.23
Hostname: UBNT
Uptime: 101110 seconds

Status: Connected (http://192.168.2.2:8080/inform)

Device Adoption Methods for Remote UniFi Controllers

see https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers

Unifi adoption via a CLI command

<<reset unifi to factory defaults>>
You can factory-default a UniFi device with this command:
ssh admin@10.30.0.19
syswrapper.sh restore-default

<<find the new IP (e.g. by looking for open port 22 with nmap)>>

ssh ubnt@ip-of-unifi    # default password is ubnt
mca-cli
set-inform http://10.30.0.5:8080/inform

Firewall settings at the controller PC
Open these ports: TCP 8080, 8880, 8843 -- UDP 3478

This is uplinking:

LAN-----wired-AP )))- - - - uplink - - -((( wireless-AP

Unless your network needs to use wireless Uplink, we recommend you disable [it]. Disabling this setting can offer some improved speed and is often suggested when network speeds with UniFi are less than ideal. To do so, in your UniFi Controller:

Settings -> Site Settings -> under "Uplink Connectivity Monitor", uncheck the box next to "Enable connectivity monitor and wireless uplink".

c13932e18a6f60313c1ba82df58c1f7a.png

This is meshing:

LAN-----wired-AP )))- - - - uplink - - -((( wireless-AP ))) - - - mesh - - - ((( wireless-AP

87610d316189cd83321e8b668fc6541e.png

Best way to change IP address and subnet of Unifi AP and controller

In the controller, change the AP's IP address. Let it provision (you'll probably lose it in the controller), then change the controller's IP address.

AP should pop up in a minute or three.

DISABLE the uplink and connectivity monitor, and ensure any / all SSID VLAN tagging is correct BEFORE switching the AP's IP. It should then fall into "solo mode" until it re-attaches to a controller.

UniFi - username / password for UAPs and controller

A UniFi Access Point (as well as the UniFi controller) in its factory-default state can have two possible default username / password combinations: EITHER root / ubnt OR ubnt / ubnt

After adoption, the device username and password (to be used to SSH for example) can be found and changed under the UniFi Controller Settings > Site > Services section [make sure you have checked [v] display advanced options] > Device Authentication.

[OLD:] In firmware versions prior to version 3 (when the multi-site feature came along), the username and password (post adoption) corresponded to the administrator username / password configured in the UniFi controller.

Ports Used

UDP 3478        STUN.
TCP 8080        Device and controller communication.
TCP 8443        Controller GUI/API as seen in a web browser.
TCP 8880        HTTP portal redirection.
TCP 8843        HTTPS portal redirection.
TCP 6789        UniFi mobile speed test.
TCP 27117       Local-bound database communication.
UDP 5656-5699   AP-EDU broadcasting.
UDP 10001       AP discovery.
UDP 1900        "Make controller discoverable on L2 network" in controller settings.
TCP 22          SSH access to UniFi devices.
Only a small subset of these ports needs to be port forwarded, and only where remote UniFi devices will connect to your controller over the Internet. By default, routers/firewalls block all communication initiated from outside the local network (i.e. the Internet); a port forward pokes a "hole" in the firewall and forwards packets matching the configured destination port to the controller's IP address.

  • TCP 8080: used for device/controller communication.
  • UDP 3478: STUN
  • TCP 8880 and 8843: if using Guest Portal from remote locations
  • TCP 8443: Only needed if remote management of the controller over the Internet is required. Enabling Cloud Access and accessing via unifi.ubnt.com instead does not require opening this port, and is safer since no direct Internet access is permitted to your controller's management.
  • TCP 6789: TCP port used for UniFi mobile speedtest

Setup Wireless AP Mesh steps

1. Factory reset if you have already been trying to get them to work

2. Adopt the APs on a wired ethernet connection. Upgrade them if required to latest firmware.

3. Manually set the radio channels (both frequency bands) to be the same on the AP you want to wirelessly uplink and on the AP you want it to downlink from. Note that the wireless uplink takes place in the 5GHz band and, according to the release notes, uplinking on a DFS channel is being removed imminently (which somewhat limits the options).

4. Do NOT set a static IP address on the AP(s) you want to be wirelessly connected - undocumented quirk it seems!

5. Make sure that in Settings>Site the Uplink Connectivity Monitor is Enabled

6. Remove the wired connection from the AP(s) you want to be wireless and connect just the PoE power and wait for it to reboot.

7. The device to be wirelessly connected should go heartbeat missed, disconnected, isolated - let it do it in its own time

8. In the AP configuration go to Wireless Uplink and select the link icon on the AP to uplink to. If this box is blank give it a minute or two. If it stays blank something above has probably gone wrong!

9. There will be a short delay while the AP acting as downlink is provisioned, and then within a minute or two the AP being wirelessly connected should come out of isolation and report Connected (Wirelessly).

10. Resist the temptation to now try setting a static IP on the AP or you'll have to start over!

About Broadcast traffic

Example of too much broadcast traffic: 400 packets/second of broadcast traffic on a WLAN with 5 APs is not abnormal, but it is bad. Although that amounts to only 393 kbps, it can consume 80% of the airtime.

UniFi - Methods for Capturing Useful Debug Information

How to Configure Remote Logging

In the UniFi Network application, navigate to Settings > Site to enable Netconsole on UAPs and UniFi Switches (USWs).

Capturing traffic from a Unifi Switch (USW)

The best method is to use port mirroring in conjunction with Wireshark on a connected PC.

UniFi Access Points (UAP)

iwconfig
tcpdump -i <iface, e.g. br0 or athX> -w /tmp/<descriptivefilename.pcapng>

The athX can be found by SSHing into the UAP and executing the iwconfig command.
ssh <user>@<ip of AP> 'tcpdump -i <iface> src not <ip of computer> and dst not <ip of computer> -w -' > somefile.pcapng

Network Loops

A network loop is a network configuration where there is more than one path between two computers or devices, which causes packets to be constantly repeated. You can detect network loops by running the tcpdump command on the affected UAP and/or UniFi Switches, and by viewing the output in Wireshark.

Detect network loops by following these steps:

1. SSH into the affected UAP and issue the following command:
tcpdump -i br0 -n -v -s 0 -w /tmp/capture.pcap

2. Copy the resulting pcap file to your laptop for viewing in Wireshark.
scp admin@192.168.1.X:/tmp/capture.pcap /tmp

3. Open the file in Wireshark.

Typical networks will have less than 100 kbps of multicast/broadcast traffic, totalling only dozens of packets per second.

If there are thousands of multicast/broadcast packets per second, then you likely have a network loop somewhere that needs to be resolved. Try disconnecting infrastructure devices until the number of multicast/broadcast packets goes down to a reasonable number.

If you have IPTV on your network, this may manifest as a “network loop” due to the high volume of multicast traffic. In this environment, Multicast Enhance is recommended, since it will convert these packets to unicast, and only transmit them to the desired devices.

DHCP configuration

Some older or misconfigured routers and DHCP servers do not transmit the DHCP offer & ack messages as unicast packets but as broadcast ones. These are much more likely to be dropped. Note that it's perfectly normal for the discover packet from the client to be broadcast.

Determine if Broadcast Packets are Reaching the UAP

1. SSH into the UAP and run tcpdump on its athX interface:
tcpdump -i athX -n -v -s 0 -w /tmp/broadcast.pcap

2. Send some broadcast packets using ping from your laptop (terminal on laptop):
ping 192.168.1.255

3. Stop the capture, and start another capture named /tmp/unicast.pcap:
tcpdump -i athX -n -v -s 0 -w /tmp/unicast.pcap

4. Next, try to send unicast packets to your router (terminal on laptop):
ping 192.168.1.1 (replace with your router’s IP)

5. If broadcast packets aren't being transmitted or received, then the unicast packets won't go out either (the OS has no ARP entry for the router), and you'll need to force a static ARP entry on your laptop (terminal on laptop):
sudo arp -s 192.168.1.1 00:00:00:00:00:01 ifscope en0    (Mac OS X)
arp -s 192.168.1.1 00-00-00-00-00-01    (from an Administrator command prompt in Windows)

6. Try the ping again, and see if the 00:00:00:00:00:01 unicast packets arrive at the athX interface on the UAP.
Topic revision: r11 - 08 Jun 2024, NickDemou
Copyright © enLogic