Unifi guest portal strange behavor, need help please

I try to explain the problem as structured as I can but upfront the whole thing feels “strange”.

I convinced my boss that we revamp our WiFi infrastructure and so we bought 2 Unifi AP LR (33 more will be ordered when the test is successful).

I setup a Ubuntu 20.04.1 LTS server (2 CPU, 4 GB RAM, 25 GB HDD) on our VMWare infrastructure. Installed the latest unifi controller (6.0.45). I created one site with the two APs inside and setup two wireless networks. One for our VLAN1 and one for the new VLAN140 (guest’s).

  1. Company-internal: radius authentication → Only Domain computers (GPO, certificate) can authenticate.
  2. Company-external: guest portal → voucher or domain user can authenticate.

After the setup I tested the guest portal and it didn’t open on external laptops or mobile devices. After a long search for the error, I just disabled the guest setting in the wireless network and the guest portal itself. Waited 5 minutes and re-enabled everything, and suddenly it worked. Today (one they after setup) the problems started again. Mobile device (gets or still has an IP) but no guest portal will open. So the user can’t authorize them self and therefore the device is not authorized and not seen by the hotspot manager.

I triple checked the setup, and the network infrastructure and I don’t know where to look next. Oh, I also see messages on the dashboard (Wifi Anomalies, which I am only able to see on the dashboard)
Message: Client is having trouble resolving a domain name to an IP address (DNS timeout).

DHCP Server for VLAN140 is our Cisco router. Which hands out DHCP with as DNS server.

Parties involved:

  1. Cisco router
  2. Cisco Switch WS-C4506-E (APs port is set to trunk vlan 1,140)
  3. Ubuntu Server 20.04.1 on VMWare with Unifi controller 6.0.45
  4. Unifi AP-LR
  5. Mobile Device

I uploaded some setup pictures to my cloud → TGCloud

We never use the UniFi guest portal because it always seems much more buggy than letting a another device handle it such as pfsense. Might want to check the UniFi forums.

1 Like

Thanks for your answer - sadly we don’t have a pfsense in the company…

maybe this is also my solution. I just upgraded my two AP’s to version 4.3.26 (no early access) and will test it tomorrow. Finger crossed.

Firmware updated didn’t help… and the Dashboard still shows DNS timeouts.

I figured out why I have DNS timeouts. The mobile device gets complete IP address information:
Default GW:

Because the splash screen from the portal never appears I am still in the pre-Authorization phase where
only the IP from the controller is allowed. I know this because when I add to the pre-Authorization part I can immediately access the internet.

So my problem is: The splash screen is not showing up and therefore no authorization is possible.

I guess I have to create a user at the unifi forums.

Problem solved.

After a lot of setting changes, firmware up and downgrades the problem still existed. I am working 2 decades in IT and have quite some experience but I never dived deep into networking. But encouraged by Tom’s Videos I installed a Pop! OS virtual machine and did a live tcpdump via Wireshark from the access points.

So I could figure out that the problem is really a DNS Problem. I then found a post on the unifi forum and suddenly everything was clear.

(copied from the unifi forum and modified by me:)
Guests (VLAN140) are set to have and as DNS and the firewall has a rule to allow DNS to external for our internal DNS servers, as well as the Guest subnet (VLAN140). However the APs are intercepting and forwarding the DNS requests under their own (VLAN1) IP, which results in the firewall blocking packages from AP IPs to and Therefore, for example, captive.apple.com couldn’t be resolved and so no portal.

My solution is now to add the AP IPs into the DNS outgoing rule, although I’m not all to happy with that.