Hi Guys,
I have a UniFi controller installed in a jail on my FreeNAS server managing multiple sites. In general all is working well, just a couple of things I didn't manage to fix.
When I installed the UniFi controller I managed to open ports 8080, 8443, 8880, 8843 TCP on my ERL router, but when trying to open port 3478 UDP for STUN it won't work; it shows closed. It didn't bother me till now as I didn't get any errors. Since upgrading to version 5.6.24 the UniFi controller was programmed to show the STUN error "STUN Communication Failed" to anyone who has issues with that port or other related ones.
Running netstat -a shows the following output:
Code:
XXXX@UniFi:/ # netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address          (state)
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..52234   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.42833   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..41664   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..52829   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxx.50699       TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.52620   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.44089   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..48916   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.38351   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.35432   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxx.42696       TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxxx.48963   TIME_WAIT
tcp4       0      0 UniFi.ssh              xxxxxxxxxxxxx.61382      ESTABLISHED
tcp4       0      0 UniFi.8443             xxxxxxxxxxxxx.61254      ESTABLISHED
tcp4       0      0 UniFi.8443             xxxxxxxxxxxxx.61217      ESTABLISHED
tcp4       0      0 localhost.27117        localhost.10243          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.60915          ESTABLISHED
tcp4       0      0 localhost.10243        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.60915        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.64528          ESTABLISHED
tcp4       0      0 localhost.64528        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.51572          ESTABLISHED
tcp4       0      0 localhost.51572        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.33415          ESTABLISHED
tcp4       0      0 localhost.33415        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.40737          ESTABLISHED
tcp4       0      0 localhost.40737        localhost.27117          ESTABLISHED
tcp4       0      0 UniFi.57802            xxxxxxxxxxxxxxxx.https   ESTABLISHED
tcp46      0      0 *.6789                 *.*                      LISTEN
tcp4       0      0 localhost.27117        localhost.41459          ESTABLISHED
tcp4       0      0 localhost.41459        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.14021          ESTABLISHED
tcp4       0      0 localhost.14021        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.28914          ESTABLISHED
tcp4       0      0 localhost.28914        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.16313          ESTABLISHED
tcp4       0      0 localhost.16313        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        *.*                      LISTEN
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..41274   CLOSED
tcp46      0      0 *.8880                 *.*                      LISTEN
tcp46      0      0 *.8843                 *.*                      LISTEN
tcp46      0      0 *.8443                 *.*                      LISTEN
tcp46      0      0 *.8080                 *.*                      LISTEN
tcp4       0      0 *.ssh                  *.*                      LISTEN
tcp6       0      0 *.ssh                  *.*                      LISTEN
udp46      0      0 *.3478                 *.*
udp46      0      0 *.10001                *.*
udp4       0      0 UniFi.26905            *.*
udp4       0      0 *.syslog               *.*
udp6       0      0 *.syslog               *.*
I can see port udp46 3478 state is not listening, and port 8080 shows both waiting and closed state.
system.properties output shows the following:
Code:
GNU nano 2.8.7        File: /usr/local/share/java/unifi/data/system.properties

## system.properties
#
# each unifi instance requires a set of ports:
#
## device inform
# unifi.http.port=8080
## controller UI / API
# unifi.https.port=8443
## portal redirect port for HTTP
# portal.http.port=8880
## portal redirect port for HTTPs
# portal.https.port=8843
## local-bound port for DB server
# unifi.db.port=27117
## UDP port used for STUN
# unifi.stun.port=3478
#
## the IP devices should be talking to for inform
# system_ip=a.b.c.d
## disable mongodb journaling
# unifi.db.nojournal=false
## extra mongod args
# unifi.db.extraargs
#
## HTTPS options
# unifi.https.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
# unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello
# unifi.https.hsts=false
# unifi.https.hsts.max_age=31536000
# unifi.https.hsts.preload=false
# unifi.https.hsts.subdomain=false
#
# Ports reserved for device redirector. There is no need to open
# firewall for these ports on controller, however do NOT set
# controller to use these ports.
#
# portal.redirector.port=8881
# portal.redirector.port.wired=8882
#
# Port used for throughput measurement.
# unifi.throughput.port=6789
#
#Wed Nov 22 13:37:16 UTC 2017
is_default=false
unifi.stun.port=3478
As you can see I only uncommented 3478, as all the others were working as expected as far as I know:
Code:
unifi.stun.port=3478
First, does anyone have an idea why I can't open port 3478, and second, how to fix the STUN error?
Do I need to add new firewall or NAT rules? (see config below)
I must also mention the other issue: I'm unable to use the UniFi mobile app cloud access remotely. On the app I can see the server online, but when I try to go in it hangs on "requesting SDP offer". No problem using the UniFi app when I'm on my LAN.
Other information that might be related:
- I'm able to log in remotely to the UniFi controller via browser and adopt APs via L3
- ERL config:
Code:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    name WLAN_IN {
        default-action accept
        description "Wireless network to other networks"
    }
    name WLAN_LOCAL {
        default-action accept
        description "Wireless network to router."
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address A.B.C.D/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address A.B.C.D/24
        description "Wireless LAN"
        duplex auto
        firewall {
            in {
                name WLAN_IN
            }
            local {
                name WLAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    rule 1 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8080
        }
        original-port 8080
        protocol tcp
    }
    rule 2 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8443
        }
        original-port 8443
        protocol tcp
    }
    rule 3 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8880
        }
        original-port 8880
        protocol tcp
    }
    rule 4 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8843
        }
        original-port 8843
        protocol tcp
    }
    rule 5 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 3478
        }
        original-port 3478
        protocol udp
    }
    wan-interface eth2
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet A.B.C.D/24 {
                default-router A.B.C.D
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                ntp-server A.B.C.D
                start A.B.C.100 {
                    stop A.B.C.240
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth2 {
                service dyndns {
                    host-name XXXXXXXXXXXX
                    login XXXXXXXXXXXX
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address A.B.C.D
        listen-address A.B.C.D
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name EdgeRouter
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}
Thank you
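A direct test of the STUN port, added here as an example; it is not part of the original post and not Ubiquiti's code. STUN runs over UDP, so netstat never shows a LISTEN state for it (the udp46 *.3478 *.* line only means the socket is bound), and a generic port checker that does not speak STUN will usually report a UDP port as closed or filtered whether or not the service is up. The positive check is a STUN Binding Request (RFC 5389) sent from outside the LAN to the controller's UDP 3478: a Binding Response carrying XOR-MAPPED-ADDRESS means the port-forward rule 5 and the auto-firewall rule work end to end, and silence means the request or the reply is being dropped somewhere on the path. The block implements both sides of that exchange; the loopback responder is a constructed stand-in for the controller so the check runs offline, and the host and port passed to check_stun are assumptions.

```python
import os
import socket
import struct
import threading

# RFC 5389 constants
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """Return (packet, transaction_id) for a Binding Request with no attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    # header: type, message length, magic cookie, 96-bit transaction id
    header = struct.pack("!HHI12s", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE, transaction_id)
    return header, transaction_id


def build_binding_response(transaction_id, ip, port):
    """Build a Binding Response carrying an IPv4 XOR-MAPPED-ADDRESS (used by the stand-in responder)."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), STUN_MAGIC_COOKIE, transaction_id)
    return header + attr


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from a Binding Response, or None if the datagram is not a valid answer."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", data[:20])
    # reject anything that is not a response to our own request
    if msg_type != BINDING_RESPONSE or cookie != STUN_MAGIC_COOKIE or tid != expected_tid:
        return None
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family == FAMILY_IPV4:
                port = xport ^ (STUN_MAGIC_COOKIE >> 16)
                ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
                return ip, port
        # attribute values are padded to a 4-byte boundary
        offset += 4 + ((attr_len + 3) & ~3)
    return None


def check_stun(host, port=3478, timeout=2.0):
    """Send a Binding Request; return the reflexive (ip, port) from the reply, or None if nothing came back."""
    packet, tid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_binding_response(data, tid)


def start_loopback_responder():
    """Constructed stand-in for the controller: answer one Binding Request on 127.0.0.1; returns its port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    port = server.getsockname()[1]

    def serve():
        data, peer = server.recvfrom(1024)
        if len(data) >= 20:
            msg_type, _, cookie, tid = struct.unpack("!HHI12s", data[:20])
            if msg_type == BINDING_REQUEST and cookie == STUN_MAGIC_COOKIE:
                server.sendto(build_binding_response(tid, peer[0], peer[1]), peer)
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # offline demonstration against the stand-in responder
    print(check_stun("127.0.0.1", start_loopback_responder()))
    # against a real controller (assumed hostname, run from outside the LAN):
    # print(check_stun("controller.example.net", 3478))
```

Run from a host outside the LAN with the controller's public address; a (ip, port) result is the address the controller saw the request come from, and None means no Binding Response arrived within the timeout, which points at the forward or firewall path rather than at the controller's own configuration.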