Hi all. I am running a pfSense/UniFi setup at home.
Here is my current setup:
pfSense running HAProxy and Let's Encrypt with dynamic DNS
Unraid for storage and Docker containers for web services and the UniFi Controller
I am currently trying to set up a remote network at my brother-in-law's house. He purchased, on my advice, several UniFi APs and switches to support his network. I am also installing pfSense at his house to handle the firewall, local routing, etc.
Since I am the family's de facto IT admin, I am setting this up so I can control it remotely. My problem is that I have created a second site on my controller; however, I cannot get the domain name to connect on port 8080 in UniFi.
I have set firewall rules to allow it. I created an alias with all the UniFi ports and created a NAT rule in pfSense using that alias. I have confirmed with CanYouSeeMe that the UniFi ports are available and open.
I am setting this up and testing it locally before delivering it. In the past I have just used the local IP for AP adoption, but now I am trying to do it with a URL. I am using unifi.MyDomainName.com. I am able to browse to this over the internet, it is secured with Let's Encrypt, and all is well.
However, if I put this as the default URL in the UniFi Controller and set "Override inform host with controller hostname/IP", the APs become disconnected and cannot adopt. I can SSH in and use set-inform with the local IP address and they work, but http://unifi.MyDomainName.com:8080/inform will not work.
I don’t know what I am missing. Can someone point me in the right direction?
Regards,
JC
Don't run port 8080 over HAProxy. Ports 8080 TCP and 3478 UDP should be set up as a NAT rule going to the controller.
Let me clarify. I am not running 8080 over HAProxy, only 443, with an HTTP to HTTPS redirect for port 80.
I was just explaining that as an overview of my setup. I created an alias with all the UniFi TCP and UDP ports. I created a NAT rule with this alias pointing to the UniFi Controller IP, which runs as a Docker container on my Unraid. This makes all of the UniFi ports, including 8080, available.
So in my head it should work like this:
https://unifi.MyDomainName.com points to HAProxy (This works)
http://unifi.MyDomainName.com:8080/inform should point to the NAT rule and redirect to the Local Controller IP (This does not work)
When I set this with set-inform and run the info command, it shows a timeout on the inform and the APs are disconnected.
Do I need another DNS entry for the inform and other ports in UniFi? How would I configure that in the controller while still using the UniFi subdomain name?
Can someone provide an example of the firewall rules and controller setup they are running?
regards,
JC
No special rules, just a NAT rule for 8080 and 3478 from my WAN IP to the internal UniFi controller. If you want the system to adopt APs from inside the network, make sure NAT reflection is turned on, and also make sure the internal DNS name responds with the WAN address, or create a DNS override internally so it replies with the UniFi controller's address. Of note, having the inform address and the web address pointing internally at HAProxy will be much harder, because the DNS entries would be the same: one for the controller and one for the HAProxy IP.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
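To make the NAT reflection versus DNS override point in the answer above concrete, here is a small diagnostic script, added here as an example and not part of the thread, pfSense or Ubiquiti. Run from a host on the LAN, it resolves the inform hostname, classifies the path an AP on that LAN would take (a private address means a host override is in place and the AP talks to the controller directly; a public address means the AP goes out to the WAN IP, which only works with NAT reflection on the port forward), and then checks whether tcp/8080 answers. The hostname unifi.example.com is a placeholder; the script assumes POSIX sh with getent and an nc that accepts -z. One caveat on the WAN-side forward: tcp/8080 and udp/3478 are reachable from the whole internet, so if the remote site has a stable public address, limit the NAT rule's source to it.

```shell
#!/bin/sh
# Example diagnostic for the UniFi inform URL (http://<host>:8080/inform).
# Assumed placeholder hostname; override with INFORM_HOST=... when running.
INFORM_HOST=${INFORM_HOST:-unifi.example.com}
INFORM_PORT=${INFORM_PORT:-8080}

# is_private_ipv4 ADDR: true for RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      case "$second" in 1[6-9]|2[0-9]|3[01]) return 0 ;; esac
      ;;
  esac
  return 1
}

# resolve_path ADDR: which path an AP on the LAN takes when the inform
# hostname resolves to ADDR.
#   direct     - DNS override points at the controller's LAN IP
#   reflection - DNS returns the WAN IP; the pfSense port forward must have
#                NAT reflection enabled or the AP will time out
resolve_path() {
  if is_private_ipv4 "$1"; then
    echo "direct"
  else
    echo "reflection"
  fi
}

# check_inform: resolve the host, report the path, then probe the TCP port.
# (udp/3478 STUN cannot be probed meaningfully with nc -z, so it is not tested.)
check_inform() {
  ip=$(getent hosts "$INFORM_HOST" | awk '{print $1; exit}')
  if [ -z "$ip" ]; then
    echo "$INFORM_HOST does not resolve"
    return 2
  fi
  echo "$INFORM_HOST -> $ip ($(resolve_path "$ip"))"
  if nc -z -w 3 "$ip" "$INFORM_PORT"; then
    echo "tcp/$INFORM_PORT open: set-inform http://$INFORM_HOST:$INFORM_PORT/inform should work"
  else
    echo "tcp/$INFORM_PORT closed: the AP would time out on inform; check the NAT rule, its firewall rule and NAT reflection"
    return 1
  fi
}

# Usage: INFORM_HOST=unifi.yourdomain.com sh inform-check.sh check
if [ "${1:-}" = check ]; then
  check_inform
fi
```

Run it with `check` as the first argument from a LAN host; without it the script only defines the functions. A "reflection" result together with a closed port is the symptom described earlier in the thread: the name resolves to the WAN address, but the forward is not reflected back inside.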
Reviving this thread and adding a minor (maybe??) change to the setup.
Here's the story. As stated above, I successfully created both networks and ran them properly from my home setup, and the remote site connected to the UniFi controller without issue.
Current situation:
I sold my house and am preparing to build a new one. Temporarily, I am living in my 5th wheel on my brother-in-law's property. His property was the remote site for the UniFi setup.
Recently, he changed his ISP to another service, and they provided him with a 2.5 Gbps connection. Since the pfSense setup I built for him only had 1 Gbps ports, they told him he needed their new dumb router to see those speeds. I tried to explain that it doesn't matter because none of his devices run at 2.5 Gbps, so the router didn't need to either, but I digress. I will eventually build a new router with 2.5 Gbps ports just because it is the new shiny thing.
At this point I am at his house, but he does not have the ability to forward ports or run HAProxy on his router. So I have just plugged my network into his network: my pfSense behind his dumb router. Everything works except that none of my domain names can be reached from outside the network. So his UniFi network cannot see the controller on mine, because the domain is not routed forward.
I am considering using a recent setup that @LTS_Tom published on YouTube and this forum for setting up Linode with WireGuard behind a CGNAT. That is essentially what I am working with now: a CGNAT setup, with my brother-in-law's dumb router as the ISP.
My thought is that I can point my subdomain names at the Linode public IP address, which would be connected using WireGuard to my pfSense box, thus making my HAProxy port forwards available, etc.
My questions:
- Would this work?
- Is there a better way?
- Is there additional setup needed to make the Linode address show as the public IP for that UniFi traffic?
@LTS_Tom's write-up pointed the public IP directly at the server. Do I need to do that, or can I just set up WireGuard on the pfSense and then let pfSense direct the traffic to my UniFi Controller the way it was done before?
TIA…I know this was a long drawn out post.
The method from my video should work; having the controller in a cloud instance would be a better solution, as there would be less complexity.
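For the Linode-plus-WireGuard plan discussed above, the piece that makes the Linode address show as the public IP is a set of DNAT rules on the Linode that push the published ports down the tunnel, with the A records for the subdomains pointing at the Linode. The script below is an added example, not from LTS_Tom's write-up, the thread, or pfSense; it prints (or, as root, applies) those rules. Every name in it is an assumption: eth0 is the Linode's public interface, wg0 the tunnel, 10.250.0.2 pfSense's tunnel address (where HAProxy would have to listen), and 192.168.1.10 the controller on the home LAN, reachable because the Linode's peer entry lists that LAN in AllowedIPs. It MASQUERADEs traffic entering the tunnel so replies return the same way without policy routing on pfSense; the trade-off is that HAProxy and the controller see the tunnel address instead of the client's IP.

```shell
#!/bin/sh
# Linode-side forwarding for the CGNAT/WireGuard setup (example, all names assumed).
WAN_IF=${WAN_IF:-eth0}               # Linode public interface
WG_IF=${WG_IF:-wg0}                  # WireGuard tunnel to pfSense
PFSENSE_WG=${PFSENSE_WG:-10.250.0.2} # pfSense address inside the tunnel (HAProxy)
CONTROLLER=${CONTROLLER:-192.168.1.10} # UniFi controller on the home LAN

# forward_rule PROTO PORT DEST: DNAT one published port to DEST and permit the
# forwarded flow into the tunnel. Only these ports cross the Linode.
forward_rule() {
  proto=$1; port=$2; dest=$3
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$proto" "$port" "$dest" "$port"
  printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
    "$WAN_IF" "$WG_IF" "$proto" "$dest" "$port"
}

# wg_forward_rules: the complete rule set, printed one command per line.
wg_forward_rules() {
  echo 'sysctl -w net.ipv4.ip_forward=1'
  # Default-deny forwarding so nothing else crosses between WAN and tunnel.
  echo 'iptables -P FORWARD DROP'
  forward_rule tcp 80   "$PFSENSE_WG"   # HAProxy HTTP -> HTTPS redirect
  forward_rule tcp 443  "$PFSENSE_WG"   # HAProxy / Let's Encrypt
  forward_rule tcp 8080 "$CONTROLLER"   # UniFi inform
  forward_rule udp 3478 "$CONTROLLER"   # UniFi STUN
  # Return path for the forwarded flows only.
  printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WG_IF" "$WAN_IF"
  # Source-NAT into the tunnel so pfSense and the controller answer back over wg0.
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WG_IF"
}

# Usage: sh linode-forward.sh print   (review)   |   sudo sh linode-forward.sh apply
case "${1:-}" in
  print) wg_forward_rules ;;
  apply) wg_forward_rules | sh ;;
esac
```

On the pfSense side the WireGuard interface still needs pass rules for tcp/80, tcp/443 to its own tunnel address and tcp/8080, udp/3478 to the controller, and the HAProxy frontend must bind to the tunnel address (or to any address) rather than only to the WAN address, since the traffic now arrives through wg0. If the client IP matters for HAProxy logging or ACLs, drop the MASQUERADE line and instead handle the return route on pfSense by assigning the WireGuard interface with a gateway so reply-to sends answers back through the tunnel.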