Unable to run UniFi Controller on FWG

Follow

Jan Baniewicz

• October 28, 2022 11:35

Hello,

I've found a topic created over 2yrs ago but acutally issues described over there weren't simillar to mine.

https://help.firewalla.com/hc/en-us/community/posts/360051987813-Trying-to-install-Unifi-Controller

I'm trying to run my first docker on FWG and i'm not a pro IT person.

Please confirmt did i understand that correctly:

1. A network as your docker network, we will use 172.16.1.0/24 in this tutorial.
2. A static IP for your unifi controller instance, we will use 172.16.1.2 in this tutorial.

Point 1 is network where i will put my Unifi APs - it is named as LAN and under Network Menager (in APP) it exists as 192.168.88.1/24 - as i understand nevertheless it has 1 on the end i should use 192.168.88.0/24 as docker network

Point 2 is static ip of ... ? FireWalla Gold box ? same as this where i am going thru ssh ? so it will be 192.168.88.1

So now... I successfully done  Step 1 point 1 and 2 of guild (where i changed proper ip addresses) like this:

version: "3"

services:
  unifi:
    container_name: unifi
    image: jacobalberty/unifi:latest
    volumes:
      - '/data/unifi/:/unifi'
    restart: unless-stopped
    networks:
      default:
        # static IP address for unifi controller
        ipv4_address: 192.168.88.1
networks:
  default:
    driver: bridge
    ipam:
     config:
       # your chosen docker network here
       - subnet: 192.168.88.0/24

then point 3 with no errors.

Step 2 gave me errors, whenever i try to execute commands:

sudo ip route add 192.168.88.0/24 dev br-$(sudo docker network ls | awk '$2 == "unifi_default" {print $1}') table lan_routable

or

sudo ip route add 192.168.88.0/24 dev br-$(sudo docker network ls | awk '$2 == "unifi_default" {print $1}') table wan_routable

Im getting same info:

RTNETLINK answers: File exists

Then step 4 with corrected FWG ip address with no errors... Besides unify controller is not reachable under unify 8080, 8443 or 192.168.88.1 with those ports...

When im trying to check status i get:

 docker-compose@unifi.service - unifi service with docker compose
   Active: activating (auto-restart) (Result: exit-code) since Fri 2022-10-28 13:12:10 CEST; 3s ago
  Process: 1139 ExecStopPost=/bin/rm -rf $TMPDIR (code=exited, status=0/SUCCESS)
  Process: 25335 ExecStop=/usr/local/bin/docker-compose down -v (code=exited, status=0/SUCCESS)
  Process: 984 ExecStart=/bin/bash -c /usr/local/bin/docker-compose pull; /usr/local/bin/docker-compose up (code=exited, status=1/FAILURE)
  Process: 312 ExecStartPre=/usr/local/bin/docker-compose rm -fv (code=exited, status=0/SUCCESS)
  Process: 311 ExecStartPre=/bin/mkdir -p $TMPDIR (code=exited, status=0/SUCCESS)
 Main PID: 984 (code=exited, status=1/FAILURE)

May someone lead me with it, becouse of i moved to Ubiquiti APs now i want to have control over it... As far as i understand buying Cloud Key or UDM is not nesessary while i got FWG.

0

• 

  Jan Baniewicz

  • October 28, 2022 11:36

  Btw i did once sudo reboot somewhere between commands... FWG has rebooted propelry with no loss - yes i know i should rebot thru app - that was my mistake

  0

  Comment actions Permalink
• 

  Michael Bierman

  • October 28, 2022 15:19
  • Edited

  Unless you are an expert, stick with the tutorial exactly. It will work.

   

  you can also use this script to install for you. Url: github.com/mbierman/unifi-installer-for-Firewalla

  0

  Comment actions Permalink
• 

  David Rothenberger

  • October 28, 2022 17:57

  Please confirm did i understand that correctly:

  1. A network as your docker network, we will use 172.16.1.0/24 in this tutorial.
  2. A static IP for your unifi controller instance, we will use 172.16.1.2 in this tutorial.

  Point 1 is network where i will put my Unifi APs - it is named as LAN and under Network Menager (in APP) it exists as 192.168.88.1/24 - as i understand nevertheless it has 1 on the end i should use 192.168.88.0/24 as docker network

  Point 2 is static ip of ... ? FireWalla Gold box ? same as this where i am going thru ssh ? so it will be 192.168.88.1

  The "Docker Network" is not a network will you see in the Firewalla app. It is the network containing all your docker container's static IP addresses. Those docker containers will also not be visible as clients in the Firewalla app.
  
  You should use the addresses mentioned in the tutorial, not the 192.168.88.0/24 addresses you mentioned.
  
  Your Unifi APs can go into any other network. You can use your main LAN, or if you are segmenting your networks, any other network.

  To adopt your APs, you'll need to do a manual L3 adoption with the IP address 172.16.1.2. Alternatively, you can add a custom DNS entry for "unifi" (no domain) that maps to 172.16.1.2, so your APs will auto-discover your controller. If you're using the latest EA version of the Firewalla software, you can now customize DNS in the app. Otherwise, see https://help.firewalla.com/hc/en-us/articles/360056024294-Guide-How-to-customize-Firewalla-DNS-service.

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • October 29, 2022 22:53

  Alternatively, you can add a custom DNS entry for "unifi" (no domain) that maps to 172.16.1.2, so your APs will auto-discover your controller.
  May i ask to elaborate? In case i would use specified in guild IPs. What should I add as dns entry 172.16.1.2 ? Can you provide me customized command ?

  0

  Comment actions Permalink
• 

  David Rothenberger

  • October 30, 2022 00:33

  Yes, create an entry for "unifi" with address 172.16.1.2.

  The easiest way to do this is to switch to the Early Access program for your box and your phone app. You can find out how to join EA here: https://help.firewalla.com/hc/en-us/community/posts/360046872134-Early-Access-Onboarding. You can find out more about adding the new DNS entry with the 1.52 EA app version here: https://help.firewalla.com/hc/en-us/articles/10221985597331-Firewalla-Box-Release-1-975-App-Release-1-52

  Otherwise, you'll have to SSH in to your box and follow the directions here: https://help.firewalla.com/hc/en-us/articles/360056024294-Guide-How-to-customize-Firewalla-DNS-service. You'd want to create a file with one line:

  address=/unifi/172.16.1.2

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • November 07, 2022 21:44

  after adding this as posted in guide i still get

  DNS_PROBE_FINISHED_NXDOMAIN

  *stopped and started firerouter_dns as i should but didnt get effect ? what am i missing ?

  0

  Comment actions Permalink
• 

  David Rothenberger

  • November 07, 2022 22:40

  From which device are you getting that error? Is the DNS Booster enabled for that device?

  If it's on, I have no idea why this isn't working for you.

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 00:36

  @David, in the app you can't add "unifi" you can only add "unifi.lan". I hope that Firewalla will fix this. Seems like just an app thing because you can, as you said, do this over SSH. 

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 00:41

  @Jan I'm confused where you are stuck. Is the controller not running or are you having trouble adopting the unifi devices? 

  0

  Comment actions Permalink
• 

  David Rothenberger

  • November 08, 2022 00:45

  @Michael, the EA version allows you to add custom DNS entries, similar to what you can do over SSH. This setting is under DNS Services, though, not under the devices themselves.

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 00:55

  I have the EA version. But you cannot enter a hostname. it requires a FQDN. 

   

  

  0

  Comment actions Permalink
• 

  David Rothenberger

  • November 08, 2022 01:05

  The Android version allows it.

  

  1

  Comment actions Permalink
• 

  Jan Baniewicz

  • November 08, 2022 01:11

  @Michael I'm not in ea.so i try to do this thru ssh i already added files and address=/unifi/172.16.1.2 in it but still enters only thru ip address not unify:8443

  0

  Comment actions Permalink
• 

  David Rothenberger

  • November 08, 2022 01:15
  • Edited

  The file you added will make unifi:8443 work, not unify:8443.

  1

  Comment actions Permalink
• 

  Jan Baniewicz

  • November 08, 2022 01:16

  You're right.
  Under unifi:8443 i got
  Bad Request
  This combination of host and port requires TLS.

  0

  Comment actions Permalink
• 

  David Rothenberger

  • November 08, 2022 01:27

  Sounds like it's working. Try https://unifi:8443

   

  1

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 01:45
  • Edited

  @David, oy! Hope the iOS app gets fixed. 

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 01:47

  If https://unifi:8443 doesn't work, try the IP address. Always good to start with the basics to see if it is really accessible vs some DNS issue. 

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • November 08, 2022 08:12

  Your right with https added it works... Is there any workaround not to get red crossed https beocuse of not confirmed certification ? When it's red it doesn't autofill or even show password and login

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 09:46

  @Jan

  https://community.ui.com/questions/Unifi-controller-certificate-installation/913451d9-2095-43cd-9e6b-fc1a77807f87 

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • November 08, 2022 11:45

  @Michael i got 404 when try to enter this post

  0

  Comment actions Permalink
• 

  Michael Bierman

  • November 08, 2022 17:42

  @jan You need a Unifi community account. 

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • February 03, 2023 19:19

  Ok i want to pump this up again.
  I have another problem now, but it's related to that one...
  I want to turn on Guest Hotspot (Unifi option with landing page with authorisation) instead of FireWalla quarantine zone. But when i turn that on i got info:
  Nie można załadować strony http://172.16.1.2:8880/guest/s/default/?ap=60:22:32:3a:a0:7c&id=0c:c4:13:29:be:11&t=1675451506&url=http://connectivitycheck.gstatic.com%2Fgenerate_204&ssid=MiniMix%20Guest, ponieważ:

  net::ERR_CONNECTION_REFUSED

  I've already tired options in Unifi - HTTPS Redirection, Secure Portal, Encrypted redirect URL. No success still blank page with error on landing.
  I guess I should do something in FireWalla setting, may someone help?

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 03, 2023 21:50

  Looks like the wrong URL to me if you are running the controller on Firewalla follow this guide https://help.firewalla.com/hc/en-us/articles/360053441074-Guide-How-to-run-UniFi-Controller-on-the-Firewalla-Gold. In which case you need https://172.16.1.2:8443/

  2

  Comment actions Permalink
• 

  Jan Baniewicz

  • February 04, 2023 00:23

  Found it.
  It's not about port address but rule witch I've set for guest VLAN not to traffic to local networks and no to from internet. Is it possible to create rule... "Except 172.16.1.2" or accept one connection to 172.16.1.2?

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 04, 2023 01:00

  I don’t follow. What are you trying to block?

  0

  Comment actions Permalink
• 

  Jan Baniewicz

  • February 04, 2023 01:11

  I'm trying to block traffic to whole local network devices

  0

  Comment actions Permalink
• 

  swampy2b

  • February 04, 2023 03:48

  ALLOW rules function as exceptions to BLOCK rules

  1

  Comment actions Permalink
• 

  Jan Baniewicz

  • February 04, 2023 14:09

  So i should allow address 172.16.1.2 and block all Trafic to local yes?

  0

  Comment actions Permalink
• 

  Michael Bierman

  • February 05, 2023 09:38

  But if you block access, DNS won't work. I suppose you could only allow port 53 and nothing else. 

  0

  Comment actions Permalink

Please sign in to leave a comment.