Preface
- This is a technical doc for pros. Its purpose is to get the UniFi controller running. Refer to the UniFi documentation for adopting devices and other configuration issues.
- This is for Firewalla Gold series boxes in Router Mode only.
- Installing the UniFi Controller on Firewalla Purple series boxes is not recommended because of memory restrictions.
- Incorrect port forwarding settings will open ports on your WAN interface. The container is reached only through the routing rules below: do not create a port-forwarding rule to the controller IP, and do not add a ports: mapping to the compose file, because a published port binds on every host interface, WAN included.
See Important Note: Preserve Resources below.
Step 1: Install Unifi Controller docker image
You have to choose:
- A network as your docker network, we will use 172.16.1.0/24 in this tutorial.
- A static IP for your unifi controller instance, we will use 172.16.1.2 in this tutorial.
Use the values recommended in this guide unless you know what you are doing and need to change these.
1. Create the folder /data/unifi. This is the volume where the controller's persistent data will live, so it survives container rebuilds and upgrades.
sudo mkdir -p /data/unifi
Note that UniFi takes nearly 800 MB of disk space in the current controller release.
2. Create the file /home/pi/.firewalla/run/docker/unifi/docker-compose.yaml
# make the unifi compose directory
mkdir -p /home/pi/.firewalla/run/docker/unifi/
# change directory
cd /home/pi/.firewalla/run/docker/unifi/
# edit with your favorite editor
vi /home/pi/.firewalla/run/docker/unifi/docker-compose.yaml
Add the following to docker-compose.yaml
version: "3"
services:
  unifi:
    container_name: unifi
    image: jacobalberty/unifi:latest
    volumes:
      - '/data/unifi/:/unifi'
    restart: unless-stopped
    networks:
      default:
        # static IP address for unifi controller
        ipv4_address: 172.16.1.2
networks:
  default:
    driver: bridge
    ipam:
      config:
        # your chosen docker network here
        - subnet: 172.16.1.0/24
For details, please refer to the UniFi Controller docker image guide at https://hub.docker.com/r/jacobalberty/unifi
Once you have your YAML file, validate it, for example by running docker-compose config in the same directory, or with an online linter such as https://www.yamllint.com/. A small indentation error is enough to make the container fail to start.
Note: You may choose your favorite docker image for Unifi Controller or build your own. The overall steps are the same.
3. Start the Unifi docker container.
sudo systemctl start docker-compose@unifi
Step 2: Add routing rule for docker network
Run the following commands:
sudo ip route add 172.16.1.0/24 dev br-$(sudo docker network ls | awk '$2 == "unifi_default" {print $1}') table lan_routable
sudo ip route add 172.16.1.0/24 dev br-$(sudo docker network ls | awk '$2 == "unifi_default" {print $1}') table wan_routable
The bridge interface docker creates is named br- followed by the first 12 characters of the network ID, which is what the awk lookup extracts. If a route already exists the command reports "RTNETLINK answers: File exists", which can be ignored. These commands may need to be run again every time the docker container is started; Step 5 makes this persistent.
Step 3: Add DNS entry for Unifi Controller
Run the following commands to make the hostname unifi resolve to the controller's IP in dnsmasq.
echo address=/unifi/172.16.1.2 > ~/.firewalla/config/dnsmasq_local/unifi
# Restart DNS Service
sudo systemctl restart firerouter_dns
Note: The default inform URL for UniFi devices is http://unifi:8080, i.e. a device resolves the hostname unifi and contacts port 8080 on it. The dnsmasq entry above makes that hostname resolve to the controller container on Gold-managed networks, so devices find the controller in docker without a manual set-inform. If the inform URL has been changed on a device, set it back to the default or update the dnsmasq entry to the hostname the device uses.
Step 4: Access Unifi Controller from Gold managed network
Access the following URL and log in to check for Devices in your network. If you have any trouble reaching the controller, try these links to access your UniFi Controller.
You should be able to "adopt" UniFi devices as needed and then see all your devices in both Firewalla and the UniFi Controller.
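Before going further, it is worth confirming that nothing publishes the controller on the WAN side (the risk the Preface warns about). The following audit script is an added example, not part of this article or of Firewalla's tooling. It checks two things: that the compose file has no ports: mapping (a published port binds on every host interface, WAN included), and that no DNAT rule in the nat table forwards traffic to the controller IP. The second check assumes that Firewalla's port forwards appear as DNAT rules in the output of iptables -t nat -S; the iptables lines in the script are a constructed sample so the check can be tried offline.

```shell
#!/bin/bash
# wan_exposure_audit.sh -- added example, not from the article or Firewalla.
# Exit 0 when the controller is neither published nor forwarded, 1 otherwise.
set -eu

UNIFI_IP="${UNIFI_IP:-172.16.1.2}"
COMPOSE_FILE="${COMPOSE_FILE:-/home/pi/.firewalla/run/docker/unifi/docker-compose.yaml}"

# published_ports_in_compose FILE -> prints each 'ports:' key with its line
# number; empty output means the compose file publishes nothing
published_ports_in_compose() {
  grep -n '^[[:space:]]*ports:' "$1" || true
}

# dnat_rules_to IP  (reads 'iptables -t nat -S' output on stdin)
# -> prints the DNAT rules whose --to-destination is exactly IP, with or
#    without a port or port range; 172.16.1.20 must not match 172.16.1.2
dnat_rules_to() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  pat='-j DNAT .*--to-destination '"$ip_re"'(:[0-9]+(-[0-9]+)?)?([[:space:]]|$)'
  grep -E -- "$pat" || true
}

# Constructed sample of 'iptables -t nat -S PREROUTING' output (assumed
# format of a Firewalla port forward): one forward hits the controller,
# one hits another host, one hits a host with a similar address.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.16.1.2:8443
-A PREROUTING -i eth0 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.50:51820
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.16.1.20:443'

audit() {
  rc=0
  hits=$(published_ports_in_compose "$COMPOSE_FILE")
  if [ -n "$hits" ]; then
    echo "compose file publishes ports (reachable on WAN):"; echo "$hits"; rc=1
  fi
  fwd=$(sudo iptables -t nat -S | dnat_rules_to "$UNIFI_IP")
  if [ -n "$fwd" ]; then
    echo "port forward(s) to the controller $UNIFI_IP:"; echo "$fwd"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "ok: controller is not published or forwarded"; fi
  return "$rc"
}

# Run the real audit only on a Firewalla box; elsewhere show the sample hit
if [ -d /home/pi/.firewalla ]; then
  audit
else
  echo "sample forward that would expose the controller:"
  printf '%s\n' "$SAMPLE_NAT" | dnat_rules_to "$UNIFI_IP"
fi
```

Run it after Step 2 and again whenever you change port-forwarding rules in the Firewalla app; a non-zero exit means the controller's web UI or inform port is reachable from the Internet and the offending rule or mapping should be removed.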
Step 5: Persisting The Configurations
You must be on Firewalla 1.971 or later for this.
- If you installed the UniFi controller before 1.971, change your docker-compose.yaml file accordingly and run the following command:
sudo docker-compose down
Create the folder /home/pi/.firewalla/config/post_main.d and the following file:
/home/pi/.firewalla/config/post_main.d/start_unifi.sh
#!/bin/bash
sudo systemctl start docker
sudo systemctl start docker-compose@unifi
sudo ipset create -! docker_lan_routable_net_set hash:net
sudo ipset add -! docker_lan_routable_net_set 172.16.1.0/24
sudo ipset create -! docker_wan_routable_net_set hash:net
sudo ipset add -! docker_wan_routable_net_set 172.16.1.0/24
The -! flag makes the ipset commands succeed even when the set or entry already exists, so the script can run on every boot.
Now make the script executable:
chmod a+x /home/pi/.firewalla/config/post_main.d/start_unifi.sh
And you are ready to go.
If the docker service doesn't start, please follow this guide to reset your docker service. https://help.firewalla.com/hc/en-us/articles/360060535553
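As an added example (not the article's or Firewalla's script), here is a single post_main.d start script that folds Steps 2, 3 and 5 into one file that is safe to run on every boot, and also applies the br_netfilter workaround from the Known Issue section below. It validates that the chosen static IP is a usable host address inside the docker subnet, derives the bridge interface name from the network ID with docker network inspect rather than the awk lookup, uses ip route replace so a re-run does not fail on an existing route, and only rewrites the dnsmasq entry (and restarts DNS) when it has changed. It assumes the compose network is named unifi_default, the lan_routable/wan_routable tables and docker_*_routable_net_set ipsets from this article, that docker names the bridge br- plus the first 12 hex characters of the network ID, and that the presence of /home/pi/.firewalla identifies a Firewalla box; anywhere else it only defines its functions.

```shell
#!/bin/bash
# /home/pi/.firewalla/config/post_main.d/start_unifi.sh
# Added example, not Firewalla's or the article's script.
set -eu

UNIFI_SUBNET="${UNIFI_SUBNET:-172.16.1.0/24}"
UNIFI_IP="${UNIFI_IP:-172.16.1.2}"
UNIFI_HOST="${UNIFI_HOST:-unifi}"          # devices inform to http://unifi:8080
COMPOSE_NET="unifi_default"                 # <compose dir>_<network name>
DNSMASQ_FILE="/home/pi/.firewalla/config/dnsmasq_local/unifi"

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
  local o1 o2 o3 o4
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# ip_in_subnet IP A.B.C.D/BITS -> true when IP is a usable host address in
# the subnet: not the network address, not broadcast, and not the first host
# address, which docker assigns to the bridge gateway by default
ip_in_subnet() {
  local ip net bits mask i n bcast
  ip=$1; net=${2%/*}; bits=${2#*/}
  [ "$bits" -ge 1 ] && [ "$bits" -le 30 ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  i=$(ip4_to_int "$ip")
  n=$(( $(ip4_to_int "$net") & mask ))
  bcast=$(( n | (~mask & 0xFFFFFFFF) ))
  [ $(( i & mask )) -eq "$n" ] && [ "$i" -gt $(( n + 1 )) ] && [ "$i" -lt "$bcast" ]
}

# bridge_for_network_id <64-hex docker network id> -> br-<first 12 hex chars>,
# the interface name docker gives a bridge network (assumption stated above)
bridge_for_network_id() {
  printf 'br-%.12s\n' "$1"
}

# dnsmasq_entry HOST IP -> the dnsmasq_local line mapping HOST to IP
dnsmasq_entry() {
  printf 'address=/%s/%s\n' "$1" "$2"
}

apply() {
  ip_in_subnet "$UNIFI_IP" "$UNIFI_SUBNET" || {
    echo "$UNIFI_IP is not a usable host address in $UNIFI_SUBNET" >&2; exit 1; }

  sudo systemctl start docker
  sudo systemctl start docker-compose@unifi

  # Known Issue: docker may load br_netfilter, which breaks routing with Smart Queue
  if grep -q '^br_netfilter ' /proc/modules; then
    sudo rmmod br_netfilter
  fi

  # Step 2: routes for the docker subnet. 'replace' is idempotent, so a
  # re-run does not fail with "RTNETLINK answers: File exists".
  net_id=$(sudo docker network inspect -f '{{.Id}}' "$COMPOSE_NET")
  br=$(bridge_for_network_id "$net_id")
  for t in lan_routable wan_routable; do
    sudo ip route replace "$UNIFI_SUBNET" dev "$br" table "$t"
  done

  # Step 5 (1.971+): the ipsets Firewalla reads to keep the subnet routable
  for s in lan wan; do
    sudo ipset create -! "docker_${s}_routable_net_set" hash:net
    sudo ipset add -! "docker_${s}_routable_net_set" "$UNIFI_SUBNET"
  done

  # Step 3: rewrite the dnsmasq entry and restart DNS only when it changed
  want=$(dnsmasq_entry "$UNIFI_HOST" "$UNIFI_IP")
  if [ "$(cat "$DNSMASQ_FILE" 2>/dev/null || true)" != "$want" ]; then
    printf '%s\n' "$want" > "$DNSMASQ_FILE"
    sudo systemctl restart firerouter_dns
  fi
}

# Act only on a Firewalla box; elsewhere the functions above are just defined
if [ -d /home/pi/.firewalla ]; then
  apply
fi
```

Save it as the start_unifi.sh from Step 5, make it executable with chmod a+x, and set UNIFI_SUBNET/UNIFI_IP at the top if you chose different values in Step 1; the subnet check stops the script early if the static IP falls outside the subnet or collides with the docker gateway, which otherwise shows up only as a container that never comes up.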
Updating the Unifi Network Application (Controller)
If you need to update the UniFi Network Application, use the following commands after connecting to your Firewalla over SSH.
cd /home/pi/.firewalla/run/docker/unifi
sudo docker pull jacobalberty/unifi:latest
sudo docker container stop unifi && sudo docker container rm unifi
sudo docker-compose up -d
sudo docker ps
sudo docker system prune
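The pull/stop/rm/up sequence above works, but two things can go wrong on a small box: the pull can fill the disk (the new image lands beside the old one, see the note below), and a UniFi database migration is not reversible, so a bad upgrade leaves you without a way back. The following update script is an added example, not the article's or Firewalla's procedure. It parses df -Pm for free space on the data volume before pulling, takes a tar backup of /data/unifi while the container is stopped, and prunes only dangling images afterwards so other containers' stopped state is left alone. The 2000 MB threshold is an assumption sized from the roughly 800 MB image; the df output in the script is a constructed sample so the parsing can be tried offline.

```shell
#!/bin/bash
# update_unifi.sh -- added example, not from the article or Firewalla.
set -eu

IMAGE="${IMAGE:-jacobalberty/unifi:latest}"
COMPOSE_DIR="${COMPOSE_DIR:-/home/pi/.firewalla/run/docker/unifi}"
DATA_DIR="${DATA_DIR:-/data/unifi}"
BACKUP_DIR="${BACKUP_DIR:-/data/unifi-backups}"
NEED_MB="${NEED_MB:-2000}"     # assumed headroom: new image + old image + unpack

# avail_mb_from_df  (reads 'df -Pm DIR' output on stdin)
# -> available MiB on that filesystem; POSIX 'df -P' prints one header line
#    then exactly one data line, whose 4th field is Available
avail_mb_from_df() {
  awk 'NR == 2 { print $4 }'
}

# enough_space AVAIL_MB NEED_MB -> true when AVAIL_MB >= NEED_MB
enough_space() {
  [ "$1" -ge "$2" ]
}

# Constructed sample of 'df -Pm /data' output for trying the parser offline
SAMPLE_DF='Filesystem 1048576-blocks Used Available Capacity Mounted on
/dev/sda2 29000 21000 6500 77% /'

update() {
  avail=$(df -Pm "$DATA_DIR" | avail_mb_from_df)
  enough_space "$avail" "$NEED_MB" || {
    echo "only ${avail} MiB free on $DATA_DIR, need ${NEED_MB};" \
         "run 'sudo docker system prune' and retry" >&2
    exit 1; }

  cd "$COMPOSE_DIR"
  # Pull first: the longest step, and the running controller stays up meanwhile
  sudo docker pull "$IMAGE"

  # Stop before backing up so the database files on disk are consistent
  sudo docker container stop unifi
  sudo mkdir -p "$BACKUP_DIR"
  archive="$BACKUP_DIR/unifi-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  sudo tar -czf "$archive" -C "$(dirname "$DATA_DIR")" "$(basename "$DATA_DIR")"
  echo "backup written to $archive"

  # Recreate the container from the new image, then drop the old image layers
  sudo docker container rm unifi
  sudo docker-compose up -d
  sudo docker ps --filter name=unifi
  sudo docker image prune -f
}

# Run the real update only on a Firewalla box; elsewhere exercise the parser
if [ -d /home/pi/.firewalla ]; then
  update
else
  echo "not on a Firewalla; sample df parses to $(printf '%s\n' "$SAMPLE_DF" | avail_mb_from_df) MiB free"
fi
```

To roll back after a failed upgrade, stop the container, restore the archive over /data/unifi, pin image: in docker-compose.yaml to the previous tag instead of latest, and run docker-compose up -d again; the backups directory grows by one archive per update, so prune it by hand.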
Important Note: Preserve Resources
Docker images can be fairly large, and the upgrade process downloads the new image before the old container is deleted. The UniFi Controller image is large, so run sudo docker system prune after each update to get rid of unused containers and images; otherwise you can easily run out of space on Firewalla. Note that docker system prune removes all stopped containers, unused networks and dangling images on the box, not only UniFi's, so read its warning before confirming.
Known Issue
On Ubuntu 22.04 and later, docker may load the br_netfilter kernel module when it starts. That module conflicts with Smart Queue on Ubuntu 22.04. Containers managed by Firewalla handle this automatically, but if you create your own docker instance you may need to run:
sudo rmmod br_netfilter
after starting the docker service, or the Firewalla routing function may break. You can check whether the module is loaded with lsmod | grep br_netfilter.
This is due to a Linux kernel bug which we plan to fix in our 1.976 release.
All product names, logos, and brands are the property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
Comments
96 comments
@Chris, I am not sure how you have configured your guest network. If it is a different VLAN then you can make a rule on Firewalla preventing the guest VLAN from reaching the LAN.
Ran into an issue that I think is related to the controller setup and the googles has let me down.
I created a separate network from my LAN for my WFH computers. When I try to assign the “Work” port profile to the switch uplink in my office the switch disconnects from the controller. I suspect that the controller can’t reach it on that network? Any ideas?
So if I wanted to change my controller to a different subnet for the purposes of using a management vlan different than my main lan, would it be faster to just start from scratch or should I update my Config with the new subnet?
Specifically I set this up on 192.168.30.1 and now would like to move my controller over to 192.168.20.1 so I can have my Unifi gear on a different network than my main lan.
Thanks for asking this @Blake. I was thinking about moving the management to another vlan but hadn’t taken the time to sort out the steps involved.
So here is what I was thinking (and apparently this isn't an easy thing to do based on my research). I want to create a separate network for my Unifi network equipment. This involves 2 switches, the controller and the APs when I get them. Currently my controller is in docker and it has an IP of 172.16.1.2. I can also access it from 192.168.30.1, but I'm not sure why. I've created a MGMT VLAN in the FWG (192.168.20.1/24). I also made this a corporate network in the controller.
I first set the Management Network on the Flex Mini switch to MGMT VLAN and it disconnected from the controller. After fiddling a bit I discovered and checked the box in the controller settings for "make controller discoverable on L2 network" and after a few minutes the switch changed from Disconnected to Adding. It was stuck in Adding for a while and then surprisingly it finished provisioning and showed as connected in the controller. It has an IP address in my MGMT VLAN, and the connected devices still have IPs in their correct subnets. Sometime this weekend I'm going to attempt to move my main switch over as well. But I still don't know how to move my controller to that network yet. I also would love to know why I can access my controller from both the 172 and the 192 networks.
If anyone is interested, I wrote a script that I run on my firewalla (via cron) to turn on/off the LEDs of my Unifi APs every day. (One of the APs is in a bedroom.)
During step 1, when I try
I get the following error:
Error response from daemon: No such container: docker-compose@unifi
Error: failed to start containers: docker-compose@unifi
I have the file created, but it almost seems like Docker is not installed. Is it not installed on the Gold out of the box? I created the directories and saved the .yaml file, but I am wondering if I needed to install docker before starting this. Any help is appreciated, I'm pretty new to this.
To see if Docker is installed, you can check
or see what containers are running!
You could also have a look at https://github.com/oznu/docker-homebridge/wiki/Running-Homebridge-on-Firewalla-Gold although it is for a different Docker container.
Thank you for your help on this, I got through step 3 and everything appears to be working correctly, but when I try to access the controller through a browser I can't reach anything. So, a couple of questions here:
Step 2 says to Create the following file
/home/pi/.firewalla/run/docker/unifi/docker-compose.yaml
If I try to type "nano /home/pi/.firewalla/run/docker/unifi/docker-compose.yaml" and then paste the contents in it, then when I try to save, it says the file doesn't exist.
If I manually mkdir the unifi folder in /home/pi/.firewalla/run/docker/ and then try to "nano docker-compose.yaml", I get a permission denied error.
@Abbas, if you are using nano you have to use the, “write out” command before exiting.
The controller runs fine but I see my devices as disconnected, do you have to set the controller ip under Settings > Controller > Controller Settings or leave it blank? and tick the "Override inform host with controller hostname/IP" box?
@StackIOI do not tick the, "Override inform host"
The IP for Controller Hostname/IP will be the Firewalla.
If you have never adopted the devices before you may need to the device where the controller is.
https://community.ui.com/questions/What-is-correct-command-to-set-inform-url-and-also-to-factory-reset-via-SSH/9d219587-76d5-4c8e-bc81-63a70a8bb212
Thanks @Michael Bierman, for some reason it seems that the devices are not finding the controller... I double checked my UniFi dnsmasq_local entry and is correct, also reconfigured the controller from scratch, as the previous time I restored the configuration from a backup of the working controller (running in my computer) into this new one... Which is why I saw the devices as disconnected... now, with the new controller running (the one in my computer is off) I can't see any of the devices, so obviously, I can't adopt them into this new controller.
Did reboot them manually hoping for a refresh, but still can't reach them. Any suggestions? I can reach them from the FWG, I can ping them just fine.
Have you tried resetting them to factory?
@Blake.. no, I have not.. Edit: I just did.. thought the issue laid else where... but that did it. Thanks for the help!
Yep. I’ve had to factory my switches several times as they often can’t adopt once I’ve monkeyed with the controller. Glad that worked!
Hello, excuse my ignorance and if this is more of a unifi question.
Basically I have recently been given 2 unifi uap-ac-pro access points. I have connected those via a POE switch on the gold, and they connected fine. I initially installed the unifi controller on my local device to be able to configure the APs, they connected to the network fine, and have been allocated IPs by the FWG. I have connected a device to the AP's given SSID and generated network traffic by going on youtube, etc, however when I connect to the controller page on my laptop, it does not show any traffic or any clients connected to either APs and they both show as Offline?!?
, nor does it show any traffic going through the APs in the FWG.
My questions are: is this standard behaviour from the way I have set it up? What is the unifi controller used for then? Am I ok to carry on using them as they are now they are connected, without running the controller on the FWG, or will the uap-ac-pros lose their config if the power goes out on either the fwg or the lot? And I will have no wireless connectivity in the future (post black out for instance) because of the lack of the unifi controller running on the FWG?
Besides the above, is there anything else beneficial from running the controller on the FWG, any great functionalities I am missing out on?
Hi @Ed,
I can share my experience with roughly the same setup.
I currently have the Unifi Controller running on a NAS instead of the Firewalla.
If you aren't seeing devices on the Unifi side, here are a few things to check:
Off the top of my head this should get things working unless I'm forgetting something. You didn't mention your network topology, but if you have VLANs set up (or a management VLAN for the APs) things get a little more complicated. If the suggestions above don't resolve things, post back and we'll take it from there.
Thanks Michael, I will have a go when I get back. In the meanwhile, are you able to elaborate the reasons why the controller should always be running? Can't the UAP-AC-PRO access points just be running as access points attached to the switch/lan under the FWG? Thanks
Hi @Ed,
sorry for the delay. from Ubiquiti
Mmmm, at step 2 I get the message "RTNETLINK File exists". Not seeing any URLs working after that. Any tips or hints? Can you use an existing network for your docker images? Do you need to do anything else from the Firewalla app? Create the network, LAN/VLAN etc.?
I installed it on Purple, but after a short time, I had to uninstall it. The Unifi controller consumed nearly all of the memory in the small box.
Under Step 1 part 2, shouldn't it be Unifi, and not homebridge?
Fixed. Thanks, Jeff.
Question... If you are using all FWG ports for different networks, and want to run Unifi docker network, can this be set up using an existing network, or does the docker network have to run alongside of the network you want to run it on?
Example:
Port 1- 10.x = home use network
Port 2 - 172.x=IoT network
Port 3 - 192.x = Hardwired TVs
Port 4 = WAN
I'm replacing some older Eeros with Ubiquiti U6 APs for the 10.x network. I currently have 10.x.x.2-20 which is not in use on my Port 1, 10.x network. Can I set up the Unifi docker on the existing 10.x network and assign the controller as 10.x.x.2? Or would this cause problems?
Any ideas when the FWB+ instructions will be ready? Currently I can get the docker Unifi container to run and I can access the GUI fine but because I cannot get the routing done the UniFi console shows my devices as disconnected.....
The unifi docker container is pretty heavy weight for FWB+. I would not recommend attempting that. You are best off running unifi on an rpi or NAS or something.
Yeah, that's not possible. I might be able to try a Raspberry Pi in the future; anyway, I managed to solve Step 2:
ip route add 172.16.1.0/24 dev br-$(sudo docker network ls | awk '$2 == "unifi_default" {print $1}') table local
The BluePlus just isn't going to be able to do its job and run unifi docker. It is large and somewhat resource intensive. This is a bad idea.
Maybe try running the docker on a PC or Mac if you have no other choice?