Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Ubiquiti Unifi Controller on FreeNAS

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
No. VNET means your jail has got a completely independent network interface. And if you don't enable NAT, nothing is interfering with the packets. Time to get out tcpdump/Wireshark ...
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
I've now also found that ssh connection to the controller does not work. I wonder if they are related. Port 22 gets no response:

Code:
$ ssh admin@192.168.1.3
ssh: connect to host 192.168.1.3 port 22: Connection refused

$ nc -vz 192.168.1.3 22
nc: connectx to 192.168.1.3 port 22 (tcp) failed: Connection refused
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
Oh check this out:
Looks like ports needed for WebRTC to work are:
TCP 80
TCP 443
UDP 443
Code:
macmini$ nc -vz 192.168.1.3 8080
Connection to 192.168.1.3 port 8080 [tcp/http-alt] succeeded!
macmini$ nc -vz 192.168.1.3 22
nc: connectx to 192.168.1.3 port 22 (tcp) failed: Connection refused
macmini$ nc -vz 192.168.1.3 443
nc: connectx to 192.168.1.3 port 443 (tcp) failed: Connection refused
macmini$ nc -vz 192.168.1.3 80
nc: connectx to 192.168.1.3 port 80 (tcp) failed: Connection refused


Patrick, you posted this in another thread. I probably got this wrong, but here is the output.

Code:
root@unifi:~ # netstat -na | grep LISTEN
tcp46      0      0 *.8843                 *.*                    LISTEN     
tcp46      0      0 *.8443                 *.*                    LISTEN     
tcp46      0      0 *.6789                 *.*                    LISTEN     
tcp4       0      0 127.0.0.1.27117        *.*                    LISTEN     
tcp46      0      0 *.8880                 *.*                    LISTEN     
tcp46      0      0 *.8080                 *.*                    LISTEN     


I'm wondering if perhaps I need to manually open up ports 22 and 443 inside the jail?
 
Last edited:

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
I'm wondering if perhaps I need to manually open up ports 22 and 443 inside the jail?
No. By default all ports are open. There is no firewall in TrueNAS. You need to manually do unsupported FreeBSD things to configure one.

Do a netstat -na without the filter for LISTEN and check if the controller is bound to the UDP port, too. Should be 8443 UDP I guess because the forum post you found refers to their cloud solution. Which seems to be reachable at 80 and 443 instead of 8080 and 8443.

Can you configure the controller to use 80 and 443 via builtin settings?

For ssh - you need to enable and start that. Why should there be ssh running in a fresh blank jail? So not related.
Code:
sysrc sshd_enable=YES
service sshd start

To enable login as root edit the file /etc/sshd/sshd_config before you do the above. Look for the PermitRootLogin line, remove the comment in the first column and change No to Yes. And set a root password for the jail, of course.

To get to a shell in the jail before ssh is available you can use iocage console <jailname> in a root shell on your NAS.
 
Last edited:

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
To get to a shell in the jail before ssh is available you can use iocage console <jailname> in a root shell on your NAS.
Now that I think about it, maybe I don't even need SSH on the controller like usual. I just iocage console (I have even done this already) into the jail and it's the same thing. I was hung up on it being "broken" I guess. I did try to activate it as you instructed, but the password does not let me in and I do not see PermitRootLogin in this file /etc/ssh/ssh_config. An "sshd" version of the same does not exist.

The only UDP entries on netstat -na are:
Code:
root@unifi:~ # netstat -na | grep udp
udp46      0      0 *.3478                 *.*                    
udp46      0      0 *.5514                 *.*                    
udp46      0      0 *.10001                *.*                    
udp4       0      0 192.168.1.3.44390      *.*  

I'm looking into the controller ports suggestion.
 
Last edited:

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
Code:
root@freenas[~]# iocage console cloud
[...]
root@cloud:~ # grep PermitRoot /etc/ssh/sshd_config
PermitRootLogin prohibit-password
root@cloud:~ #
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
Still not working. I'm sure it's something dumb I am doing.

None of these work. They ask for a password but the password never passes. "admin" is the name of the SSH account on the controller. The IP and domain both ping.
Code:
ssh admin@unifi.local
ssh root@192.168.1.3
ssh root@unifi.local

Screen Shot 2021-03-12 at 12.03.15 PM.png
 

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
You need to add the "admin" user manually in the jail ... did you do that?
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
You guessed it, nope.

Maybe it would be easier to make the ssh username "root"?
 

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
There's an adduser command that you can use in the jail. That will guide you through the process interactively. I would not use root.

But possibly the user needs to share data with the Unifi controller software somehow. So it could be necessary to have a certain user ID and a certain home directory - sorry, I don't know. We are again leaving the FreeBSD terrain and entering the Unifi one ;)
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
There's an adduser command that you can use in the jail. That will guide you through the process interactively. I would not use root.

But possibly the user needs to share data with the Unifi controller software somehow. So it could be necessary to have a certain user ID and a certain home directory - sorry, I don't know. We are again leaving the FreeBSD terrain and entering the Unifi one ;)
Right, I'll stick with iocage console. At least I know it's not related to the WebRTC issue.
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
I'm about to give this up. It's not super important, it just bugs me that WebRTC doesn't work. My other installs of Unifi have all worked with no hassle.

This item in netstat is interesting. WAN IP (AWS) on port 443 going to the jail IP.
Code:
tcp4      31      0 192.168.1.3.51227      52.38.238.169.443      CLOSED 


This article, looks like the ports in netstat -na are right. I don't know how they flow from LAN to WAN though.

Otherwise, the default ports are listed below:
  • unifi.shutdown.port=8081 # for management purpose
  • unifi.http.port=8080 # device inform
  • unifi.https.port=8443 # controller UI / API
  • portal.http.port=8880 # portal redirect port for HTTP
  • portal.https.port=8843 # portal redirect port for HTTPs
  • unifi.db.port=27117 # local-bound port for DB server
  • unifi.stun.port=3478 # UDP port used for STUN
Unfortunately, the Unifi forum people are not as helpful as you all.

Where can I call tcpdump from? Do I call it from my client terminal or from iocage console?
 
Last edited:

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
After iocage console you can call e.g. tcpdump -n -i epair0b to live watch the packets. You can use -w IIRC to write to a file that you can import into Wireshark on your desktop machine for easier and assisted analysis. man tcpdump will give you the full documentation.

tcp4 31 0 192.168.1.3.51227 52.38.238.169.443 CLOSED
This is an outbound connection. Your Unifi controller (probably) downloaded $something from that IP address via HTTPS.

What is WebRTC supposed to do with Unifi, anyway? I run a controller on Ubuntu for half a dozen of access points and that's that. I mean, why is this a problem and who is supposed to talk WebRTC to your controller? Your browser? The managed devices?

My other installs of Unifi have all worked with no hassle.
Which platform? You can still run a Linux VM instead of a jail on TrueNAS and run Unifi the way you used to do if that was the way.
 

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
What is WebRTC supposed to do with Unifi, anyway? I run a controller on Ubuntu for half a dozen of access points and that's that. I mean, why is this a problem and who is supposed to talk WebRTC to your controller? Your browser? The managed devices?

Which platform? You can still run a Linux VM instead of a jail on TrueNAS and run Unifi the way you used to do if that was the way.
From what I understand, it's what enables remote management without a VPN or port forwards. In the past I have run a controller on 2 different macs and I have used the older style of Cloud Key. Not a lot of experience, but just saying it's never been an issue. A few other people seem to have had the issue in my Googling.

Here is a sequence I did while doing a tcpdump. I started with Remote Access off, turned it on, then attempted to access via WebRTC at network.unifi.ui.com.

Screen Shot 2021-03-12 at 6.48.43 PM.png
 
Last edited:

Netdewt

Member
Joined
Jan 19, 2021
Messages
98
I'm not really sure how to show you this information. There's a whole bunch of "port unreachable" ICMP stuff between my mac and my router. There's also a bunch of retransmission and out of order stuff on tcp port 443 between a CloudFront IP and my Mac.

Screen Shot 2021-03-12 at 8.32.44 PM.png

Screen Shot 2021-03-12 at 8.43.10 PM.png
 

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,757
Does the cloud service need to actively reach your controller on any ports? You would need to setup a port forward on your router then.

But with the cloud thing in the setup I'm out, sorry. No clue. I would never use anything like this.
 
Top