Ubiquiti Unifi Controller on FreeNAS

[Patrick M. Hausen]

No. VNET means your jail has got a completely independent network interface. And if you don't enable NAT, nothing is interfering with the packets. Time to get out tcpdump/Wireshark ...

 

[Netdewt]

Thanks I'll look into those tools.

 

[Netdewt]

I've now also found that ssh connection to the controller does not work. I wonder if they are related. Port 22 gets no response:

Code:

$ ssh admin@192.168.1.3
ssh: connect to host 192.168.1.3 port 22: Connection refused

$ nc -vz 192.168.1.3 22
nc: connectx to 192.168.1.3 port 22 (tcp) failed: Connection refused

 

[Netdewt]

Oh check this out:

https://community.ui.com/questions/Cloud-Key-WebRTC/0f5f3951-40d8-477b-b850-b00175b23354

Looks like ports needed for WebRTC to work are:
TCP 80
TCP 443
UDP 443

Code:

macmini$ nc -vz 192.168.1.3 8080
Connection to 192.168.1.3 port 8080 [tcp/http-alt] succeeded!
macmini$ nc -vz 192.168.1.3 22
nc: connectx to 192.168.1.3 port 22 (tcp) failed: Connection refused
macmini$ nc -vz 192.168.1.3 443
nc: connectx to 192.168.1.3 port 443 (tcp) failed: Connection refused
macmini$ nc -vz 192.168.1.3 80
nc: connectx to 192.168.1.3 port 80 (tcp) failed: Connection refused

Patrick, you posted this in another thread. I probably got this wrong, but here is the output.

Advice needed - how to set firewall rules for a jail?

Hi all, I've been using FreeNAS for some time, mainly as a backup server for my main system. However, over the last couple of weeks I have installed the nextcloud plugin and have been testing it out. At the moment I've got the jail configured for DHCP, and not NAT, so it gets it's own IP...

www.truenas.com

Code:

root@unifi:~ # netstat -na | grep LISTEN
tcp46      0      0 *.8843                 *.*                    LISTEN     
tcp46      0      0 *.8443                 *.*                    LISTEN     
tcp46      0      0 *.6789                 *.*                    LISTEN     
tcp4       0      0 127.0.0.1.27117        *.*                    LISTEN     
tcp46      0      0 *.8880                 *.*                    LISTEN     
tcp46      0      0 *.8080                 *.*                    LISTEN     

I'm wondering if perhaps I need to manually open up ports 22 and 443 inside the jail?

 

[Patrick M. Hausen]

I'm wondering if perhaps I need to manually open up ports 22 and 443 inside the jail?

No. By default all ports are open. There is no firewall in TrueNAS. You need to manually do unsupported FreeBSD things to configure one.

Do a netstat -na without the filter for LISTEN and check if the controller is bound to the UDP port, too. Should be 8443 UDP I guess because the forum post you found refers to their cloud solution. Which seems to be reachable at 80 and 443 instead of 8080 and 8443.

Can you configure the controller to use 80 and 443 via builtin settings?

For ssh - you need to enable and start that. Why should there be ssh running in a fresh blank jail? So not related.

Code:

sysrc sshd_enable=YES
service sshd start

To enable login as root edit the file /etc/sshd/sshd_config before you do the above. Look for the PermitRootLogin line, remove the comment in the first column and change No to Yes. And set a root password for the jail, of course.

To get to a shell in the jail before ssh is available you can use iocage console <jailname> in a root shell on your NAS.

 

[Netdewt]

To get to a shell in the jail before ssh is available you can use iocage console <jailname> in a root shell on your NAS.

Now that I think about it, maybe I don't even need SSH on the controller like usual. I just iocage console (I have even done this already) into the jail and it's the same thing. I was hung up on it being "broken" I guess. I did try to activate it as you instructed, but the password does not let me in and I do not see PermitRootLogin in this file /etc/ssh/ssh_config. An "sshd" version of the same does not exist.

The only UDP entries on netstat -na are:

Code:

root@unifi:~ # netstat -na | grep udp
udp46      0      0 *.3478                 *.*                    
udp46      0      0 *.5514                 *.*                    
udp46      0      0 *.10001                *.*                    
udp4       0      0 192.168.1.3.44390      *.*  

I'm looking into the controller ports suggestion.

 

[Patrick M. Hausen]

Code:

root@freenas[~]# iocage console cloud
[...]
root@cloud:~ # grep PermitRoot /etc/ssh/sshd_config
PermitRootLogin prohibit-password
root@cloud:~ #

 

[Netdewt]

Code:

root@freenas[~]# iocage console cloud
[...]
root@cloud:~ # grep PermitRoot /etc/ssh/sshd_config
PermitRootLogin prohibit-password
root@cloud:~ #

Ah, missed it.

 

[Netdewt]

Still not working. I'm sure it's something dumb I am doing.

None of these work. They ask for a password but the password never passes. "admin" is the name of the SSH account on the controller. The IP and domain both ping.

Code:

ssh admin@unifi.local
ssh root@192.168.1.3
ssh root@unifi.local

 

[Patrick M. Hausen]

You need to add the "admin" user manually in the jail ... did you do that?

 

[Netdewt]

You guessed it, nope.

Maybe it would be easier to make the ssh username "root"?

 

[Patrick M. Hausen]

There's an adduser command that you can use in the jail. That will guide you through the process interactively. I would not use root.

But possibly the user needs to share data with the Unifi controller software somehow. So it could be necessary to have a certain user ID and a certain home directory - sorry, I don't know. We are again leaving the FreeBSD terrain and entering the Unifi one ;)

 

[Netdewt]

There's an adduser command that you can use in the jail. That will guide you through the process interactively. I would not use root.

But possibly the user needs to share data with the Unifi controller software somehow. So it could be necessary to have a certain user ID and a certain home directory - sorry, I don't know. We are again leaving the FreeBSD terrain and entering the Unifi one ;)

Right, I'll stick with iocage console. At least I know it's not related to the WebRTC issue.

 

[Netdewt]

I'm about to give this up. It's not super important, it just bugs me that WebRTC doesn't work. My other installs of Unifi have all worked with no hassle.

This item in netstat is interesting. WAN IP (AWS) on port 443 going to the jail IP.

Code:

tcp4      31      0 192.168.1.3.51227      52.38.238.169.443      CLOSED 

This article, looks like the ports in netstat -na are right. I don't know how they flow from LAN to WAN though.

UniFi - Explaining the system.properties File

Overview This article describes what the system.properties file is used for and how to edit it. NOTES & REQUIREMENTS:This article includes some advanced configurations that should only be...

help.ui.com

Otherwise, the default ports are listed below:

• unifi.shutdown.port=8081 # for management purpose
• unifi.http.port=8080 # device inform
• unifi.https.port=8443 # controller UI / API
• portal.http.port=8880 # portal redirect port for HTTP
• portal.https.port=8843 # portal redirect port for HTTPs
• unifi.db.port=27117 # local-bound port for DB server
• unifi.stun.port=3478 # UDP port used for STUN

Unfortunately, the Unifi forum people are not as helpful as you all.

Where can I call tcpdump from? Do I call it from my client terminal or from iocage console?

 

[Patrick M. Hausen]

After iocage console you can call e.g. tcpdump -n -i epair0b to live watch the packets. You can use -w IIRC to write to a file that you can import into Wireshark on your desktop machine for easier and assisted analysis. man tcpdump will give you the full documentation.

tcp4 31 0 192.168.1.3.51227 52.38.238.169.443 CLOSED

This is an outbound connection. Your Unifi controller (probably) downloaded $something from that IP address via HTTPS.

What is WebRTC supposed to do with Unifi, anyway? I run a controller on Ubuntu for half a dozen of access points and that's that. I mean, why is this a problem and who is supposed to talk WebRTC to your controller? Your browser? The managed devices?

My other installs of Unifi have all worked with no hassle.

Which platform? You can still run a Linux VM instead of a jail on TrueNAS and run Unifi the way you used to do if that was the way.

 

[Netdewt]

What is WebRTC supposed to do with Unifi, anyway? I run a controller on Ubuntu for half a dozen of access points and that's that. I mean, why is this a problem and who is supposed to talk WebRTC to your controller? Your browser? The managed devices?

Which platform? You can still run a Linux VM instead of a jail on TrueNAS and run Unifi the way you used to do if that was the way.

From what I understand, it's what enables remote management without a VPN or port forwards. In the past I have run a controller on 2 different macs and I have used the older style of Cloud Key. Not a lot of experience, but just saying it's never been an issue. A few other people seem to have had the issue in my Googling.

Here is a sequence I did while doing a tcpdump. I started with Remote Access off, turned it on, then attempted to access via WebRTC at network.unifi.ui.com.

 

[Netdewt]

I'm not really sure how to show you this information. There's a whole bunch of "port unreachable" ICMP stuff between my mac and my router. There's also a bunch of retransmission and out of order stuff on tcp port 443 between a CloudFront IP and my Mac.

 

[Patrick M. Hausen]

Does the cloud service need to actively reach your controller on any ports? You would need to setup a port forward on your router then.

But with the cloud thing in the setup I'm out, sorry. No clue. I would never use anything like this.

 

[Netdewt]

Thanks again for your insight.

 

[ChrisChros]

HI guys, is there a way to install unifi controller 6.1 via pkg?
When I follow the instruction I am only able to install 6.0.45.
Thanks for you support.

Chris