Self Hosted Unifi with HAProxy/pfSense

I’ve watched all of @LTS_Tom 's videos on HAProxy with pfSense and I’ve successfully set it up with a self hosted unifi controller and Invoice ninja behind it. Everything works great from outside the network (coming in from WAN). Client Unifi devices connect and work great.

I also have a Unifi switch and AP at my location that’s connected to the controller but the devices are constantly going up/down in the controller. They always work and are “online” as I have internet, just not connected with the controller. There are no fw rules blocking that I can find as I’m able to connect to the controller using the FQDN (from inside and outside the network thru HAProxy) as well as directly by IP (of the Unifi controller, not HAProxy).

Any ideas why the devices on the internal side are exhibiting these issues?

What is the controller running on?

Are the devices on the same network as the controller? If on the same network, the devices should be communicating directly with the controller using ARP and not through pfSense.

What are you using for the inform command - IP address or FQDN?

The Unifi network controller uses different ports for the web UI (TCP 8443) and for the device communication (TCP 8080). AFAIK the device communication is also built on top of HTTP, so it might be possible to proxy. However, you can make your life much easier if you only proxy the web UI and use a port forward for the device communication port.

I meant to include that in the post. HAProxy is only doing TCP 8443 for the web UI. I have a regular port forward in pfSense for 8080 as well as the STUN port that directly forwards the ports to the actual IP address of the Unifi Controller.

@Paul, the controller is running on a Debian server VM on XCP-ng, static IP, open FW, not on the same subnet as the devices but no FW rule blocking the traffic between subnets. The inform command is using the FQDN.

So, just to make sure, the inform address is in the format of http://<FQDN>:8080/inform?

Do you use split DNS on the FQDN or NAT reflection for the devices connecting from inside your network?

To diagnose, SSH into a Unifi device and execute ping <FQDN> to check whether the name resolves correctly and whether you can reach the controller (provided the ping isn’t blocked by any firewall rules).

Good question as that is one area I may be lacking. How can I determine if it’s using split DNS or NAT reflect?

I do know I can ping the fqdn from the device and it works. That’s why I’m puzzled.

You would have had to set either one of them up deliberately. If you didn’t, you are using neither and that might be why the connection fails.

If you ping the FQDN and it shows the public address of your router, you’re not using split DNS. Split DNS would be if the FQDN of your Unifi controller resolved to a local address. You can achieve that by adding an override to your local DNS resolver (of course this only works if your devices actually use the local DNS server and not, say, 1.1.1.1 or 8.8.8.8).

If you don’t use split DNS, your Unifi devices will attempt to connect to your router’s WAN address from a LAN. The NAT rule on the WAN interface will not match there unless you enable NAT reflection (either globally or per NAT rule).

https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

I will check that sometime this weekend and update this post. Thank you for that information.

I would add the FQDN to host overrides under Services - DNS Resolver on pfSense, so that the FQDN resolves to the internal controller IP address.

For this to work, DNS settings have to point to the pfSense local IP address of that network.

So the Unifi controller is at 10.122.30.20, HAProxy listens on 10.122.30.1. I have a host override for unifi pointing at 10.122.30.1 (per Tom’s videos). You’re saying I should set that host override for unifi.domain.com to 10.122.30.20, correct?

You solved it Paul! The override pointing direct to the U controller solved the issue. Thanks so much!
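A small checker for the two things Paul asked about (the shape of the inform URL and where the FQDN resolves from the LAN), written as an added example rather than anything from this thread. The 10.122.30.x addresses are the ones given above; 203.0.113.5 and unifi.example.com are placeholders for the router's WAN address and the controller FQDN.

```python
"""Added example: classify how a Unifi device's inform FQDN resolves and map
the outcome onto the fixes discussed in the thread (split DNS override to the
controller vs. override to HAProxy vs. no override at all)."""
import ipaddress
from urllib.parse import urlparse

INFORM_PORT = 8080   # device communication (inform) port
WEB_UI_PORT = 8443   # web UI port, the only one HAProxy proxies in this setup

# Constructed lab values: controller and pfSense/HAProxy LAN IP from the thread,
# WAN address and FQDN are placeholders.
CONTROLLER_IP = "10.122.30.20"
PROXY_IP = "10.122.30.1"
WAN_IP = "203.0.113.5"
INFORM_URL = "http://unifi.example.com:8080/inform"


def check_inform_url(url):
    """Return problems with the inform URL; empty list if it matches
    http://<FQDN>:8080/inform."""
    problems = []
    u = urlparse(url)
    if u.scheme != "http":
        problems.append(f"scheme is {u.scheme!r}; inform uses plain http")
    if u.port != INFORM_PORT:
        problems.append(f"port is {u.port}; inform listens on {INFORM_PORT}")
    if u.path != "/inform":
        problems.append(f"path is {u.path!r}; expected /inform")
    return problems


def classify_resolution(resolved_ip, controller_ip=CONTROLLER_IP,
                        proxy_ip=PROXY_IP, wan_ip=WAN_IP):
    """Say what a LAN device actually reaches when the inform FQDN
    resolves to resolved_ip."""
    ip = ipaddress.ip_address(resolved_ip)
    if ip == ipaddress.ip_address(controller_ip):
        return "ok: split DNS override points straight at the controller"
    if ip == ipaddress.ip_address(proxy_ip):
        return (f"override points at HAProxy; it only proxies the web UI "
                f"({WEB_UI_PORT}), so inform on {INFORM_PORT} never reaches the controller")
    if ip == ipaddress.ip_address(wan_ip):
        return ("no split DNS: FQDN resolves to the WAN address, so LAN devices "
                "need NAT reflection or a DNS Resolver host override")
    return "resolves to an unexpected address; check DNS overrides on the resolver"


if __name__ == "__main__":
    print(check_inform_url(INFORM_URL))
    for addr in (CONTROLLER_IP, PROXY_IP, WAN_IP):
        print(addr, "->", classify_resolution(addr))
```

Run it with the address your Unifi device reports for `ping <FQDN>`; the third branch is the state the thread started in, the second is the override-to-HAProxy mistake it ended on.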