I spent the majority of my tinkering time this week creating and solving various network problems. I moved my UniFi devices to a management VLAN, and I also moved my controller again. This time, I moved it to a fresh minimal Ubuntu installation from my old Kubuntu mining rig. Both had pitfalls.
This was a generally painless experience, but there were a few gotchas.
First, I created a new VLAN with a DHCP server from my prior instructions. Once I had it built, I mapped a port to the VLAN, plugged a laptop into it and verified that it could reach the internet. Then I tried to ping the computer, but it turns out that by default, you can’t ping Windows 10 computers. That took me a bit to work out.
Once I figured that I could, in fact, reach devices on my network, I moved one AP to the management VLAN:
It restarted, and joined the new VLAN. I used a DHCP reservation to set a static IP address, and I was good to go. So I went through the rest of the APs, and they all worked, except one.
Make sure you are using DHCP when you do this!
It took a while to figure this out, but I had assigned a static IP address to the AP, and when I moved it to the management VLAN, on a different subnet, it became completely unreachable.
So I had to change the configuration of the AP to use DHCP in the controller, and factory reset the controller. Then it re-adopted and I could reach it again.
I think that network topology changes are the toughest thing to do with UniFi, even with a small network. I don’t know how I’d do this if I had my APs and devices in inaccessible places.
Further, the reason why I had set a static IP address was also due to topology issues. If you reset a switch that an AP is connected to, it seems that the PoE will come back on, and it might power up the AP before the switch is fully initialized. What I think happens is that the AP senses that its downlink isn’t available, and tries to mesh with another AP, causing the status of the AP to be ‘Connected (Wireless)’, rather than ‘Connected’.
When the link re-establishes, it causes an STP loop, and the switch sets the AP port to ‘RSTP Discarding’. And for whatever reason (different MAC address?) it got a different IP address. So I had set it to have a static IP.
The solution seems to be to disable the mesh feature:
This seems to prevent the race condition.
So that was a lot of work for a minor change. Long story short, make sure to switch your devices to DHCP if you are changing their VLAN.
Now that I had my devices on the management VLAN, I needed to put my controller there, but since it was living in a skeleton style mining chassis, I figured I’d put it in a cheap rack case. However… my motherboard didn’t fit in the case I bought, so I ended up moving a different server into the new case and my controller server into my old case.
Then I installed a new, minimal installation of Ubuntu Server 18.04, and figured that the install would be as easy as before. As above, not as easy as expected.
Here are the commands I had to run once I had installed the bare minimal OS:
Add the Java repo. UniFi needs Oracle Java 8.
It gives you several warnings:

```
Oracle Java (JDK) Installer (automatically downloads and installs Oracle JDK8). There are no actual Java files in this PPA.

Important -> Why Oracle Java 7 And 6 Installers No Longer Work: http://www.webupd8.org/2017/06/why-oracle-java-7-and-6-installers-no.html

Update: Oracle Java 9 has reached end of life: http://www.oracle.com/technetwork/java/javase/downloads/jdk9-downloads-3848520.html

The PPA supports Ubuntu 18.10, 18.04, 16.04, 14.04 and 12.04.

More info (and Ubuntu installation instructions):
- http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html

Debian installation instructions:
- Oracle Java 8: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html

For Oracle Java 11, see a different PPA -> https://www.linuxuprising.com/2018/10/how-to-install-oracle-java-11-in-ubuntu.html

More info: https://launchpad.net/~webupd8team/+archive/ubuntu/java
Press [ENTER] to continue or Ctrl-c to cancel adding it.
```
Just press enter.
That installs Java.
Then you need to install jsvc to run Java as a service, and it’s not in the available repos. So I downloaded it directly, but it, too, has a dependency, so:
Then you can run the steps from the Ubiquiti link:

```shell
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt update
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
sudo apt update
sudo apt install unifi
```
And then it works.
For good measure, you ought to turn on the Ubuntu firewall, ufw:
This will prevent access to the controller though. Then you need to allow the firewall ports that the UniFi Controller needs.
This will allow the controller to be accessed. Then restore your config from your prior controller (if applicable) and you can get started.
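The ufw commands themselves were not preserved in the post, so here is an added example (mine, not the author’s) of a host firewall for the controller box that also scopes the allowed ports to the management subnets, which the post does not do. The controller ports are UniFi’s documented defaults; MGMT_NETS is an assumed placeholder for your provisioning and management subnets.

```shell
#!/bin/sh
# Added example, not from the original post: ufw policy for the Ubuntu host
# running the UniFi controller. Ports are the controller's documented defaults
# (8443 web UI, 8080 device inform, 3478/udp STUN, 10001/udp discovery).
# MGMT_NETS is an assumed placeholder for the provisioning and management
# subnets; only they may reach the controller, everything else is denied.
MGMT_NETS="${MGMT_NETS:-192.168.1.0/24 192.168.75.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # print the commands by default; DRY_RUN=0 applies them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

unifi_ufw_rules() {
  run ufw default deny incoming
  run ufw default allow outgoing
  for net in $MGMT_NETS; do
    run ufw allow from "$net" to any port 22 proto tcp comment 'ssh admin'
    run ufw allow from "$net" to any port 8443 proto tcp comment 'unifi web ui'
    run ufw allow from "$net" to any port 8080 proto tcp comment 'unifi device inform'
    run ufw allow from "$net" to any port 3478 proto udp comment 'unifi stun'
    run ufw allow from "$net" to any port 10001 proto udp comment 'unifi discovery'
  done
  # --force skips the "may disrupt existing ssh connections" prompt
  run ufw --force enable
}

# Number of allow rules the policy generates; a quick sanity check before applying
count_allow_rules() {
  unifi_ufw_rules | grep -c '^ufw allow'
}

unifi_ufw_rules
```

Review the printed rules first, then rerun with DRY_RUN=0 as root to apply them.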
A few warnings:
Disable the controller service on the machine you are sunsetting. If you turn it back on (or, say, it turns back on when you power up the server to grab a few files you missed), it will re-adopt your devices and mess everything up.
When you switch from one server to another, close all the browser tabs using the old controller on the pc you’re using. It’s most likely a caching issue, I think, but it causes lots of errors to just hit ‘refresh’.
Now my network is more organized, and my network infrastructure is on its own VLAN and subnet, which is a lot cleaner. Next I think I’ll do the Radius part to see if I can make my trusted SSID use username/password for the logins.
What I’m listening to as I do this:
Iron Butterfly’s In-A-Gadda-Da-Vida on an LP my mom gave me. My previous listening samples an organ-heavy riff by the Turtles, and I thought to myself that more organ would be better. I generally like music with unusual instruments, such as Powerwolf, or The Real McKenzies, so I’ve always liked this track (or side of the record – it’s 17 mins long). Also, I fondly recall the Simpsons episode that featured this.
I’m new to this forum and the UniFi-Controller. I used/tried Mikrotik at my home but saw the videos (youtube-channel) with all the UniFi devices and thought that it is a good idea to switch to UniFi.
But… Implementing a Management-VLAN is something that I cannot get to work and I kindly ask for your help/advice.
I’m running the UniFi-Controller 5.4.23 on an Ubuntu server (Proxmox VM). The VM has two network ports. The first one is configured to use a VLAN to have Internet access and the second one is configured as 192.168.1.10 (Linux bridge being VLAN-aware).
This is the VLAN I created.
#1 I changed the Management VLAN to Mgmt-75 for the first switch to find out if this is going to work… and it doesn’t. The switch disconnected. -> reset
#2 I also changed the port profile to Mgmt-75 and the switch disconnected.
#3 I switched the port with the Ethernet connection to another one (profile = all) and the switch connected again. I checked that the Management VLAN was Mgmt-75 and that the other (first used) port had the profile ‘Mgmt-75’.
#4 I reconnected the ethernet-cable to the first used port at the switch and the switch connected!?
But the IP of the switch is still 192.168.1.20 -> not part of Mgmt-75!
I expected the IP to change to the dhcp-range of VLAN 75 (192.168.75.100 etc.).
Something is going wrong but I don’t know the reason…
My best wishes from Germany!
When deploying a new UniFi network using Ubiquiti UniFi hardware and the controller, you may wish to change the management VLAN, and/or the VLAN that the hardware uses to communicate with the UniFi Controller.
In this post, I’m going to go over how to do this, as well as troubleshoot if something should go wrong.
Please note that I’m focusing on the theory and understanding as to how communication is handled, instead of providing step by step instructions which is what readers are usually accustomed to on this blog.
Why would we do this?
Some users (myself included) like to avoid using the default management VLAN of 1. This can be for a number of reasons such as reducing the security vulnerability footprint, customizing for specific customers or environments, or we just like to change it from the default VLAN.
How do we do this?
When you choose to change the default management VLAN, typically you need to maintain a network/subnet on untagged VLAN1. This is because when you purchase or deploy new UniFi equipment, it will always try to obtain an IP on untagged VLAN 1, and try to contact the controller using this network.
By having a functioning “provisioning” network and subnet on VLAN 1, the devices can obtain their configuration, and provision from there.
Once the device is provisioned and attached to the UniFi controller, you can configure it to use a different VLAN as its management VLAN.
Keep in mind that you must make the controller available on both the untagged “provisioning” VLAN 1 and the new custom management VLAN. In my case, I make all the subnets routable so that the UniFi controller is available no matter what subnet and/or VLAN you’re on.
How do we secure this?
In my example above, I have very restrictive firewall rules on the firewall that is routing the different VLANs and subnets. The only traffic that is allowed to be routed to the untagged “provisioning” VLAN 1 is traffic destined for the UniFi controller, and only the ports that are required for provisioning. All other traffic is restricted, including internet access.
Essentially the only thing that functions on VLAN 1 is routing to the UniFi controller, and DNS for the lookup of the host record “unifi”.
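The post does not name its firewall platform, so as an added example (not the author’s configuration) here is that least-privilege policy expressed as iptables FORWARD rules for a Linux router sitting between the VLANs. PROV_IF, CTRL and DNS are assumed placeholders for the router’s VLAN 1 interface, the controller’s address on the management VLAN, and the resolver that holds the “unifi” A record.

```shell
#!/bin/sh
# Added example, not from the post: the restrictive inter-VLAN policy described
# above, expressed as iptables FORWARD rules for a Linux router (the post does
# not name its firewall platform). Assumed placeholders: PROV_IF is the router
# interface on untagged VLAN 1, CTRL the controller's IP on the management VLAN,
# DNS the resolver that holds the "unifi" A record.
PROV_IF="${PROV_IF:-eth0}"
CTRL="${CTRL:-192.168.75.10}"
DNS="${DNS:-192.168.75.1}"
DRY_RUN="${DRY_RUN:-1}"   # print by default; DRY_RUN=0 applies (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

provisioning_vlan_rules() {
  # Replies to flows that were already permitted are allowed in both directions
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # From VLAN 1, only the controller's inform (8080/tcp) and STUN (3478/udp) ports
  run iptables -A FORWARD -i "$PROV_IF" -d "$CTRL" -p tcp --dport 8080 -j ACCEPT
  run iptables -A FORWARD -i "$PROV_IF" -d "$CTRL" -p udp --dport 3478 -j ACCEPT
  # ...plus DNS, so an unadopted device can resolve the "unifi" host record
  run iptables -A FORWARD -i "$PROV_IF" -d "$DNS" -p udp --dport 53 -j ACCEPT
  run iptables -A FORWARD -i "$PROV_IF" -d "$DNS" -p tcp --dport 53 -j ACCEPT
  # Everything else leaving VLAN 1, internet included, is logged and dropped.
  # (10001/udp discovery is a subnet broadcast and never reaches the router.)
  run iptables -A FORWARD -i "$PROV_IF" -j LOG --log-prefix "prov-vlan-drop: "
  run iptables -A FORWARD -i "$PROV_IF" -j DROP
}

# Count of ACCEPT rules; useful to eyeball before applying
count_accept_rules() {
  provisioning_vlan_rules | grep -c -- '-j ACCEPT'
}

provisioning_vlan_rules
```

The LOG rule gives you a kernel-log trail of anything on the provisioning VLAN trying to talk to something other than the controller, which is the quickest way to spot a mis-provisioned device.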
What will happen if I’m doing this wrong?
If you’ve done this wrong, you may notice that original provisioning works, then the AP or switch disappears and goes offline after the management VLAN change on the device. This is because it can’t contact the controller after it changes its default management VLAN to the new one you specified.
If the device never contacts the UniFi controller in the first place, then the device isn’t able to contact the controller on the untagged VLAN 1. You need to make sure that the various provisioning methods are available and functioning, and that the subnet is routable and firewall rules allow communication from that subnet to the UniFi controller.
How do we test this?
In my environment on untagged VLAN 1 as well as my custom management VLAN, you can open a browser and type in “unifi” and it will resolve and connect to the UniFi controller. This means it’s available on the default VLAN that the devices look for, as well as the custom management VLAN.
I find using the A host record the easiest way to do this. Please note that my UniFi controller only has one static IP address on the custom management VLAN.
For years now I have been looking at this issue on and off, without really finding how to fix it/work around it.
When I first set up the UniFi controller software (on a VM) I filled in the network information of my admin network. It’s a dedicated wire off of my pfSense box that goes into a switch.
The issue I have is that, unlike other networks added afterward, I can’t put a VLAN tag on this network. That means I can set ports on my switch to work in direct access, but where I need this network to be sent with others on the same cable, I can’t, or it has to be the native one.
I also can’t add a second network with the same CIDR.
Is this the workaround of UniFi to a dedicated management port?
I can’t believe there isn’t any other way, so what did I miss?
Should I avoid the ‘corporate’ type entirely and only use the ‘VLAN only’ type?
Thanks for reading