modified on 9 February 2012 at 17:54

UniFi FAQ

From Ubiquiti Wiki



General Questions

Controller Installation

Is there a user guide?

Yes, go to http://www.ubnt.com/unifi and select the Downloads tab. You will find the latest Datasheet, Quick Start Guide, User Guides, and software.

Supported Platforms for UniFi Controller software

Currently UniFi can be installed on Windows XP, 2003, Vista and 7, and on Intel Macs running Mac OS X 10.5 or later. For Linux we release Debian packages (APT). A generic zipped package has also been available since 1.3.2.

Do UniFi APs require the controller to be running all the time?

UniFi APs can run by themselves without the controller unless a feature such as the guest portal is enabled (the UniFi controller also functions as the captive portal). Restarting the controller won't restart your APs.

How do I install the controller on another PC/machine?

The best way is to back up your original configuration (Admin->Backup), shut down the original controller and restore the backup into the new controller. Your access points will be managed by the new controller without re-adoption.

Is there any way to automatically back up the configuration?

Here's a script that you can use: [1]

I saw "Start-up failed" or "Server taking too long to start". What happened?

Most likely one or more ports needed by UniFi are being used by other programs. Take a look at <unifi_base>/logs/server.log and you'll spot something like:

[2011-06-01 22:09:14,145] <UniFi> ERROR StandardServer  - StandardServer.await: create[8081]: 
java.net.BindException: Address already in use: JVM_Bind
        at java.net.PlainSocketImpl.socketBind(Native Method)
        ...

Please follow the instructions below to change the ports and fix the issue.

How can I run UniFi Controller on different ports?

  1. make sure UniFi is not running
  2. modify <unifi_base>/data/system.properties so that every port UniFi needs is one that is free on the machine
  3. restart UniFi

Can I run UniFi Controller as a Windows Service?

Yes, support was added in 2.2.0.

  1. make sure UniFi is not running
  2. run a command prompt (as an Administrator)
  3. locate your java installation directory. On 64-bit, it's usually at "C:\Program Files (x86)\Java\jre6\bin"; otherwise "C:\Program Files\Java\jre6\bin"
  4. add the dir above to the PATH (from Computer->Properties->Advanced system settings)
  5. cd <unifi_base>
  6. java -jar lib\ace.jar installsvc

Note: there's a known bug in 2.2.X: the service shuts down when the administrator logs out.

Where is UniFi installed (or where is the <unifi_base>)?

  • Mac -- /Applications/UniFi.app, the <unifi_base> is at /Applications/UniFi.app/Contents/Resources
  • Windows -- "%userprofile%/Ubiquiti Unifi", which is the same as <unifi_base>
  • Linux -- /usr/lib/unifi

On Windows, can I choose another installation directory?

We chose to install it under the user profile so that Auto Upgrade works across all Windows platforms. You can move it anywhere you'd like, though: stop UniFi, move the directory, and fix the shortcut.

Operation and Deployment

How do I start from scratch? (i.e. re-install the controller, re-discover the AP)

In some scenarios (e.g. restarting a demo to prospective customers), you can easily press the reset button of the AP for more than 5 seconds and it will be restored to factory default.

In case the AP is inaccessible, you may SSH into the AP (with the same username/password as the controller) and issue:

syswrapper.sh restore-default

Cannot see / adopt my device anymore? What should I do?

There is a binding between controller and AP, so a newly installed UniFi controller will not adopt an AP that is not in its default state. You can either:

  1. use the backup feature of the original controller and restore it to the new controller
  2. remove the AP (AP dialog > Config > Remove) while the AP is in the Connected state. The controller restores the AP to its default state and then removes it from the DB. You'll see the AP reboot and come back up with a steady amber/orange LED.

AP status is stuck at "adopting". What do I do?

  1. make sure the AP has access to the Internet (e.g. SSH into the AP and run ping unifi; the command should return right away, even if the ping itself fails)
  2. install 2.2.0 or after
  3. go through the wizard and use ubnt/ubnt as admin's username/password
  4. connect UniFi APs and laptop (with controller installed) to the same router
  5. check the router and write down the IPs of the APs. Most home routers have it listed under DHCP client table
  6. SSH into each problematic AP and issue 'syswrapper.sh restore-default'

If the above doesn't help and your AP always shows its IP as 192.168.1.20 (the factory default address), check your DHCP server or router. If it did assign an IP to the AP yet the AP still shows 192.168.1.20, you may have a faulty AP. If all attempts fail, try the following:

  1. from the UI, make sure AP does obtain the IP from DHCP, note the IP
  2. from Controller PC, SSH into the AP (using the IP, default username/password is ubnt/ubnt)
  3. tail -f /var/log/messages
  4. copy the text along with your support info (Admin->Support Info) to support@ubnt.com

How do I create floorplan images?

The map accepts many common image formats like png, jpg, gif, ... (but it does NOT support .bmp). I've seen people do all kinds of things to create the floorplans:

  • taking screenshots from Google Map
  • draw on a napkin and take picture using cellphone

If you're up to some art work, try this online floorplan creator

How does vlan traffic get tagged?

The UniFi AP tags frames when they leave the WLAN for the wire. When tagged traffic comes in from the wire, the AP strips the tag and forwards the frame to the WLAN.

How does VLAN tagging work with guest portal?

  1. traffic initiated from the AP is untagged (sent through br0)
    1. AP <-> Controller (management traffic)
    2. AP <-> RADIUS (if WPA-Enterprise is used)
  2. traffic from a WLAN without a VLAN configured is untagged (the athX interface is bridged to br0)
  3. traffic from a WLAN with a VLAN configured is always tagged (athX bridged to br0.VLAN, which sits on eth0.VLAN)

Whether it's redirected (to the guest portal) doesn't matter. When a WLAN is configured with a VLAN, the traffic is tagged when it leaves the AP; forwarding that tagged traffic to where it should go is up to your switch and router configuration.

Here's an example:

My management network: 10.0.0.0/24
Guest VLAN network: 15.0.0.0/24 (example only; this is not RFC 1918 space, so use a private range in a real deployment)

Switch:
AP connected to port 5 (vlan1-untagged and vlan5-tagged)
Ubuntu connected to port 1 (vlan1-untagged and vlan5-tagged)
Controller connected to port 8 (vlan1-untagged)

Ubuntu (act as a Router)
eth0: 10.0.0.2/24, routable to the Internet (gateway 10.0.0.1)
eth0.5: 15.0.0.1/24, NATed to eth0

Controller is at 10.0.0.26

How do I use WPA-Enterprise?

Usually this involves

  • set up RADIUS server (Windows IAS, FreeRADIUS, etc)
  • tell RADIUS server where the RADIUS request may come from (i.e. the IP address/subnet/range of the APs)
  • set up wireless clients with configuration and, if necessary, certificates (e.g. EAP-TLS)

The EAP method is negotiated between the wireless client and the RADIUS server; the UniFi APs only relay the exchange and do not get involved in it.

How do I configure WPA1 / WPA2

By default, when WPA is selected, UniFi enables both WPA1 and WPA2 (mixed mode) and both TKIP and CCMP (AES). Release 2.2.0 and later let you restrict these, e.g. to WPA2 with CCMP only; do that where your clients allow it, since TKIP is the weaker cipher and 802.11n HT rates are not used with TKIP.

I cannot get Google Map API key to work, what's wrong?

For "My web site URL:", make sure you use https://unifi_ip/


Specifications

What Hardware Models Are Available

For detailed information, please see UniFi AP Datasheets

UniFi AP - Standard

  • Two integrated antennas -- supports 2x2 MIMO with spatial diversity
  • 1 Passive PoE port
  • 20dBm Max transmit power
  • Antenna radiation targets a dome-shaped coverage area where the height is slightly shorter than the radius

UniFi AP - Long Range

Similar to UniFi Standard, with these differences:

  • 27dBm Max transmit power
  • 2-3dB higher receive gain

UniFi AP - Outdoor

Rugged outdoor AP with two omni antennas (included) - 2x2 MIMO

  • 28dBm Max transmit power

UniFi AP - Professional (Under Development)

  • 2 GigE Ports
  • 802.3af PoE
  • Concurrent dual-band radio (two separate radios)

How Many SSIDs / VLANs are supported

4 SSIDs (and corresponding VLAN IDs)

Do you support roaming?

Yes. Roaming is supported per 802.11. UniFi doesn't do anything to assist or influence the station's roaming decision.

In our testing using WPA-PSK, we send flood ping from the laptop to a PC on the wired side:

  • from the last ping to the original AP until association completion to the new AP is 45-155ms
  • from the last ping to the original AP until the first ping to the new AP is ~ 1s

For most internet applications, it should be seamless. For VoIP, observable delays may be noticed.

Do you support WMM?

Yes, and WiFi-certified.

Why do I never see 300Mbps even if HT40 is enabled?

I don't want to bore you with technical details, but check the Data Rates Table here. UniFi APs are capable of 300Mbps _if_ the client can and wants to use it. Here are common numbers you will see (all assuming good signal):

  • 65Mbps (client only has 1 receiving antenna, MCS7)
  • 130Mbps/144Mbps (client has 2 receiving antennas, MCS15; 40 MHz not supported or disabled)
  • MacBooks do have multiple antennas; however, they only support HT20 on 2.4 GHz and by default enable HT40 on 5 GHz

Do you support auto channel selection?

By default the AP picks the best channel when it powers up. You can override it in the per-AP config. Background scanning and automatic runtime channel changes are on the road map.

What's the maximum number of clients an AP can support?

This is a question that's hard to answer. The implementation supports 100+ clients simultaneously, but in reality it depends on what these clients do (just email/web/chat? streaming? downloading?). In our office, we constantly have 20+ (30+ at times) devices of various kinds without any issues. We had reports about problems with more than 60 clients but haven't reproduced them yet. Currently in our lab, we have ~100 clients stressing one AP.

What does the icon next to the signal strength mean?

The (b), (g), (n) icon indicates the type of client/connection (11b, 11g, 11n). When it turns gray with a lightning bolt, the device is currently in power-saving mode.

What are the different LED state

  • Blinking Amber/Orange - initializing
  • Steady Amber/Orange - factory defaults
  • Steady Green - adopted
  • Steady green with occasional dims - isolated

What mobile devices have you tested?

We recognise that mobile devices are a big part of a wireless network, and we've been constantly working on testing and fixing issues. In our lab, we have iPads, iPod 3G/4Gs, and Android phones (HTC Desire, Desire HD, Droid X).

People also bring their own mobile devices to our UniFi wireless networks: iPhones (all generations), iPads, Android phones (Samsung Galaxy S, i9000, Epic, Motorola Droid, Droid2...), and Android tablets (Galaxy Tab).

Features

Many of the features are well-documented in UniFi User Guide.

Wireless Uplink

Overview

Instead of offering WDS (difficult to setup and change) or Mesh (unpredictable uplink selection), we simply provide a feature called 'Wireless Uplink'.

It lets you use wireless as an AP's uplink and, more importantly, change your topology on the fly. This design provides:

  • easy to set up/change: you don't see configuration for MAC addresses or passphrases, as it's all done by UniFi, so you can focus on the topology
  • predictable: once you've picked the uplink and are satisfied with its quality, it will work today, tomorrow, and thereafter

Setup

Note: For a video walkthrough of configuring a wireless uplinks, see this video tutorial.

The Wireless Uplink is designed to be reliable rather than quick/dynamic. Please be patient for the isolated state change, the discovery, and the link setup. To enable wireless uplink:

  • adopt all APs (wired or those intended to use wireless uplink)
  • put the island AP (AP that is not wired) in place
  • after the island AP is up, it will _not_ serve any configured WLANs but becomes "Isolated" (the AP enters this state well before the controller knows about it)
  • Wait until the AP becomes Disconnected (about 5 minutes)
  • Go to AP dialog->Configure->Wireless Uplink and select the uplink AP of your choice (click "Find more" if no uplink AP is shown)

Technical details - Isolated AP

A new status, Isolated, is introduced. When the AP is unable to reach the gateway, it goes into Isolated state. In this state,

  • all servicing WLANs are disabled (if we cannot reach the gateway, wireless clients won't either)
  • has different LED pattern - steady green (managed) with occasional dims
  • AP will send out beacon over the air and can be found by nearby APs
  • Only the wired APs under the same controller can establish a downlink to this isolated AP
  • by default, wired APs don't go off-channel to look for isolated APs; "Find more" triggers them to do so. Once the wireless uplink is set up, the isolated AP will always find and follow the channel used by its uplink AP

L3 (Layer 3) Management

Overview

In many deployments where it's not possible or desirable to have the controller running on the premises, you can run the controller in the cloud or at your NOC.

Say we got a new project; we could:

  • create an Ubuntu controller instance on Amazon
  • configure/stage a few APs in our lab and customize the guest portals
  • when we're at the customer's site, open a browser to the cloud-based controller
  • either configure DHCP server, DNS server, or simply use the UniFi Discovery Utility to make all local APs inform back to the controller
  • on-going management/monitoring can be done from anywhere, and Amazon's security groups provide the firewalling

Setup

Please make sure you're familiar with how UniFi works (e.g. with AP and controller in the same L2) before attempting L3 Management. L3 management adds many moving parts to the mix (i.e. added complexity).

UniFi AP has a default inform URL http://unifi:8080/inform. Thus, the purpose of using DHCP option 43 or DNS is to allow the AP to know the IP of the controller.

To use DHCP Option 43

To use DHCP Option 43 You'll need to configure your DHCP Server. For example: Linux's ISC DHCP server: dhcpd.conf

# ...
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
        match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
        option vendor-class-identifier "ubnt";
        vendor-option-space ubnt;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
        range 10.10.10.100 10.10.10.160;
        option ubnt.unifi-address 201.10.7.31;  ### UniFi Controller IP ###
        option routers 10.10.10.2;
        option broadcast-address 10.10.10.255;
        option domain-name-servers 168.95.1.1, 8.8.8.8;
        # ...
}


Cisco CLI


# assuming your UniFi controller is at 192.168.3.10

ip dhcp pool <pool name>
 network <ip network> <netmask>
 default-router <default-router IP address>
 dns-server <dns server IP address>
 option 43 hex 0104C0A8030A   # sub-option 01, length 04, then 192.168.3.10 -> C0 A8 03 0A

Cisco has a good write-up for DHCP option 43 setup.
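As an added example (not from this wiki page or from Cisco), the shell functions below compute that option 43 hex string from a controller address and print an IOS pool built around it, using the dotted groups of four digits in which IOS writes hex strings. The pool name unifi-aps and the 192.168.3.0/24 numbers are placeholders.

```shell
#!/bin/sh
# Added example (not from the UniFi wiki or Cisco): build the DHCP option 43
# payload for the UniFi inform address. The payload is one TLV: sub-option
# type 0x01, length 0x04, then the four address octets, the same encoding
# that "option ubnt.unifi-address code 1 = ip-address" produces in dhcpd.conf.

# Print the raw hex string, e.g. 192.168.3.10 -> 0104C0A8030A.
# Prints nothing and returns 1 unless the argument is a dotted-quad IPv4 address.
unifi_option43_hex() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject leading zeros (printf would read them as octal)
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    printf '0104%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# Print an IOS pool for a given controller address. IOS writes hex strings in
# dotted groups of four digits, so 0104C0A8030A becomes 0104.C0A8.030A.
# Pool name and network numbers are placeholders, not values from the page.
unifi_ios_pool() {
    hex=$(unifi_option43_hex "$1") || { echo "not an IPv4 address: $1" >&2; return 1; }
    dotted=$(printf '%s' "$hex" | sed 's/\(....\)\(....\)\(....\)/\1.\2.\3/')
    cat <<EOF
ip dhcp pool unifi-aps
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.3.1
 option 43 hex $dotted
EOF
}

unifi_ios_pool "${1:-192.168.3.10}"
```

Only APs whose DHCP request carries the vendor class "ubnt" need this option; the IOS pool above hands it to every client, which is harmless because other clients ignore option 43 sub-options they do not understand, but the dhcpd.conf class match shown earlier is the tidier approach where the server supports it.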


To use DNS

You'll need to configure your DNS server to resolve 'unifi' to your controller's IP address.


To use UniFi Discovery Utility

Not every environment has a DHCP server you can configure, and a configurable DNS server is even rarer.

That's where the UniFi Discovery Utility comes in. It listens for the multicast/broadcast packets from UniFi APs and lets you point the AP at any inform URL you'd like (only APs in default state or not in contact with any controller are displayed).

UniFi Discovery utility is installed along with your UniFi controller.

  • On Windows, it's in Start Menu->Ubiquiti UniFi->UniFi-Discover
  • On Mac, /Applications/UniFi-Discover.app (or use Spotlight to find it)

To perform L3 adoption with the discovery utility:

  1. wait until the AP shows up
  2. if the AP is not in default state. click "reset", specify the SSH username/password and click "Apply"
  3. click on "manage", modify the inform URL and leave the SSH username/password as ubnt/ubnt and click "Apply"
  4. open a browser to your remote UniFi controller and you should see it being "Pending Approval"
  5. Click on "approve". You'll see it going to "Adopting" state, ignore it as it'll eventually become "Adoption Failed" or "Disconnected"
  6. perform [3] again (no need to wait for [5] to finish)
  7. AP is now managed by the controller

Discovery Utility works with APs with firmware 1.2.3 and 1.3.2 as well. Once adopted by the 2.0 Controller, it will upgrade these units automatically.


To use SSH

If you can SSH into the AP, it's possible to do L3 adoption via an under-construction CLI command:

# 1. make sure the AP is running 2.1.0
#    if it's not, do
#    syswrapper.sh upgrade http://ip-of-controller:8080/dl/firmware/BZ2/2.1.0.942/firmware.bin
# 2. make sure the AP is in factory default state
#    if it's not, do
#    syswrapper.sh restore-default
# 3. ssh into the device and type
mca-cli
# the CLI interface:
set-inform http://ip-of-controller:8080/inform

Guest Access

Overview

We understand guest access is an important part of wireless system offering. In release 1.x, we're targeting a few groups of users. In release 2.x, we'll provide a customizable guest portal with billing system integrated.

Here are the targeted scenarios for 1.x:


I just want to provide free and simple guest access

Recommendation: In Wireless Configuration, enable "Apply Access Policies".

This turns on guest isolation and subnet restrictions (customizable in Settings->Guest Control), etc., making sure guests cannot access your corporate network. If you choose Open for security, it's pretty much connect-and-go: no guest portal, no "Terms of Use" or anything, and the UniFi controller doesn't even have to be running. You still have the option to choose WPA-Personal; you just need a way to tell the guests the passphrase.


I think I need to show "Terms of Use"... just to play safe

Recommendation: In Wireless Configuration, enable "Apply Access Policies". In Settings-> Guest Control, enable Guest Portal and choose "No authentication".

Enabling "Guest Portal" puts the guest in a walled garden. In plain English, the connected guest can get an IP, do DNS lookup; however, all other traffic is blocked. The HTTP/HTTPS traffic will be redirected to the guest portal (in this case, the UniFi controller) _before_ they're authorized. After they get authorized, they'll have access to the networks not restricted by the "Restricted Subnets" configuration.

This works very much like what you usually see in Starbucks or Airports. You connect to a open wireless network, open a browser and go to www.google.com, gets redirected, accepts Terms of Use, and you go! You may get redirected to a Promotional URL or the original URL you intended. Moreover, you get a few hours of free access depending on the operators' policies.

  • After 1.3.2, you also have the option of specifying the Expiration time. After the 'authorization' expires, the guest will be prompted with the Guest Portal again.


I don't want just anyone to get in. How do I limit the access?

Recommendation: In Wireless Configuration, enable "Apply Access Policies". In Settings-> Guest Control, enable Guest Portal and choose "Simple Password".

When the guest is prompted with the guest portal, s/he will not only need to accept the Terms of Use but provide a password. There's nothing fancy/flexible but we see this is a quick-and-easy way.

Another way is to use WPA-Personal and disable guest portal all together as you need to tell the guests a password anyway.


I need to customize the portal page and use my own way to authorize the user (e.g. making the user pay)

Recommendation: In Wireless Configuration, enable "Apply Access Policies". In Settings-> Guest Control, enable Guest Portal and choose "External Portal Server". Then take a look at portal_sample.zip (if running 1.3.2) or portal_sample.zip (if running 2.2.0)

Out of the gate we know our guest portal feature is limited. External Portal Server is for advanced integrators who can install/program their portal web server. UniFi will set up the policies so guests will be redirected to the specified External Portal Server (traffic-wise, port 80 and 443 will be forwarded). An API is provided to tell the controller something like "authorize guest[00:15:34:93:e3:f2] for 4 hours". UniFi controller will take it from here.


I already have my own L3 implementations for this

Recommendation: well... some may opt to use UniFi APs to serve WiFi and keep their own walled-garden/guest portal implementation. I believe these folks know what they're doing.

VLAN

It's more than natural to think of VLAN when guest access is mentioned. However, there are a few technical details to talk about.

Let's start with the basic VLAN deployment where guest portal is not enabled:

1. UniFi AP tags wlan->wire traffic
2. AP-controller is untagged
3. controller is likely running on untagged interface
4. configured inside the AP:

guest --- br0.3 --- eth0.3 --3--+
          br0 ------------------+--u,3---port1
corp  -----+ 

Deployment example:

  • port8 connects to the router's DMZ port: make port8 an untagged member of vlan3 and enable the DHCP server on your DMZ
  • port5 connects to the internal network: leave port5 untagged.


What happens when Guest portal enabled with VLAN

When the guest portal is enabled, the controller acts as the portal server and guests are redirected to http://unifi_ip:unifi_http_portal_port/guest/. This is where issues may arise: the guest is on vlan3, bridged to the DMZ, and has no path to unifi_ip:unifi_http_portal_port unless the router provides one.

In the scenario above, one solution to the problem is to add rules to your router

  1. add route for traffic from DMZ->unifi_ip
  2. allow DMZ->unifi_ip:unifi_http_portal_port

Another solution, where we envision this moving up in scale, is to have the controller running at NOC or cloud.
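Here is an added example (not from this wiki page) of the router side for the two VLAN walkthroughs above: the Ubuntu router with eth0 on the management network and eth0.5 as the guest VLAN, combined with the two rules just suggested (route guest traffic to the controller, allow only the portal port). It prints iproute2 and iptables commands for review and runs them only when called with "apply"; the addresses are the page's example values, and 8880/8843 are assumed to be the guest portal HTTP/HTTPS ports (the ones the AWS security group later on this page opens).

```shell
#!/bin/sh
# Added example (not from the UniFi wiki): the router side of the VLAN
# examples on this page, the Ubuntu box with eth0 on the management network
# and eth0.5 as the guest VLAN, plus the two rules suggested for the guest
# portal case (route guest -> controller, allow only the portal ports).
# Prints the commands for review; "apply" runs them (root, iproute2, iptables).
# Addresses are the page's example values; the portal ports are assumed.

MGMT_IF=${MGMT_IF:-eth0}
GUEST_VLAN=${GUEST_VLAN:-5}
GUEST_IF="$MGMT_IF.$GUEST_VLAN"
MGMT_NET=${MGMT_NET:-10.0.0.0/24}
GUEST_NET=${GUEST_NET:-15.0.0.0/24}      # example prefix from the page; use RFC 1918 space in practice
GUEST_GW=${GUEST_GW:-15.0.0.1/24}        # the router's own address on the guest VLAN
CONTROLLER=${CONTROLLER:-10.0.0.26}
PORTAL_PORTS=${PORTAL_PORTS:-8880,8843}  # assumed guest portal HTTP/HTTPS ports

# One command per line. Rule order is the security point: the controller
# exception precedes the blanket DROP of guest -> management traffic, and the
# catch-all ACCEPT toward the Internet comes after both.
guest_vlan_rules() {
    cat <<EOF
ip link add link $MGMT_IF name $GUEST_IF type vlan id $GUEST_VLAN
ip addr add $GUEST_GW dev $GUEST_IF
ip link set $GUEST_IF up
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $GUEST_IF -d $CONTROLLER -p tcp -m multiport --dports $PORTAL_PORTS -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -d $MGMT_NET -j DROP
iptables -A FORWARD -i $GUEST_IF -o $MGMT_IF -j ACCEPT
iptables -A FORWARD -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $GUEST_NET ! -d $MGMT_NET -o $MGMT_IF -j MASQUERADE
EOF
}

case "${1:-print}" in
    print) guest_vlan_rules ;;
    apply) guest_vlan_rules | sh -e ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Traffic to the controller is deliberately left out of the MASQUERADE rule so the controller sees the real guest address; in return the controller (or its gateway) needs a route back to 15.0.0.0/24 via the router's management address, which is the "add route" step above. The rules cover forwarded traffic only: add INPUT rules if guests should get nothing but DHCP and DNS from the router itself.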

Hotspot

Overview

UniFi's hotspot system is a self-contained, full-featured and fully-customizable solution that you can deploy easily.

Setup

  1. Settings->Guest Control, enable Guest Portal
  2. Select "Hotspot" for authentication and you'll see a new section for Hotspot config
  3. Two authorization schemes can be used (at least one has to be selected)

Hotspot Manager

Hotspot Manager is for people like hotel receptionists to service the wireless guests in case any issue comes up. It's also used for voucher creation/maintenance.

The hotspot manager is at https://<unifi-ip>:<port>/hotspot

Try creating a hotel operator account:

  • click on the Hotspot Manager link
  • in Operator Accounts tab, add operator account
  • logout and login again with the operator account you just created
  • this is the view hotel operators can see
  • hotel operators won't be able to access UniFi admin interface

Hotspot - Portal Customization

Overview

Many guest portal implementations allow you to change logo, text, and maybe styles. Some allow you to do more but with their mediocre UI and you can only hope it will come out OK after each modification. Some have disk space limitations, fixed directory structures, and all sorts of restrictions.

Not with UniFi! We pretty much open up the whole portal/ directory (i.e. put as much or as little graphics, videos as you'd like), use plain .html format (i.e. use any editor of your choice), and allow instant testing (i.e. once the file is saved, reload the page from the guest's browser and you see how it looks).

Moreover, you can create multiple hotspot packages - each with different payment, name, duration of use, bandwidth limit.

Setup
  1. In Settings->Guest Control, enable Guest Portal and Portal Customization, Apply
  2. a copy of the portal pages (the ones being served) is placed in <unifi_base>/data/portal
  3. use another PC to connect to the guest network and use its browser to go to any website
  4. you will see the default portal pages
  5. modify the pages (e.g. the <title>) and reload the browser on the client

<unifi_base> is at

  • Mac:/Applications/UniFi.app/Contents/Resources
  • Windows:"%userprofile%/Ubiquiti Unifi",
  • Linux:/usr/lib/unifi

Sample Portal

The sample portal is, while useful by itself, written in a way that it demonstrates most features in the simplest format.

# directory structure
index.html    : the main landing page
bundle/messages.properties: for localization and hotspot package specification
payment.html  : for credit card information submission. requires https, also served as an example of additional .html page
fail.html     : default page when there's error handling guest login

supporting files: 
images/
js/
reset-min.css
styles.css

Notes:

  1. all .html pages go through the rendering engine and can be the target of a form's POST action
  2. all the supporting files are not required and you can roll your own

And to explain further, let's go through some scenarios:

Scenarios

Scenario: can I just modify something and see if it works?

  1. on controller: enable Guest Portal, select No Authentication
  2. modify index.html: find
    "<h2>Terms of Use</h2>"
    and change it to
    "<h2>Welcome to Joe's Guest Portal!</h2>"
  3. connect another device to the guest wireless network and open the browser to any URL


Scenario: I just need to show a Terms of Use with customized portal

on controller: enable Guest Portal, select No Authentication

  1. look at the bottom portion of index.html and you can delete everything not related
  2. all that's required is the form POST to /guest/login to authorize the user
  3. the sample page requires the user to accept Terms of Use by disabling the submit button if they don't check the "I accept the Terms of Use"


Scenario: How do I do the password authentication

on controller: enable Guest Portal, select Simple Password

  1. Find the section enclosed by <unifi if="auth_password"> ... </unifi>
  2. requires the form POST ("password")
  3. the hidden "page_error" indicates which page will render the error, in the sample, index.html
  4. that leads us to look at the section <unifi if="has_error"> where either the localized error <unifi error="error" /> or a welcome title <unifi txt="PasswordRequiredForWirelessAccess" /> will be shown
portal page syntax and variables

unifi tags

  • if: e.g. <unifi if="var"> ... <unifi else="var" /> ... </unifi>
  • param: <unifi param="var" default="value" />
  • txt: <unifi txt="InvalidPassword" />
  • include: <unifi include="header.html" />
  • url: <unifi url="payment.html" https="true" />

Authentication URL: /guest/login

/guest/login is the single URL that triggers the backend authentication. The outcome is either success (and a redirect) or failure (and the error page is shown).

bundle/messages.properties: package definitions

## package 1
# amount is in US dollars
package.1.amount=5.99
package.1.hours=8
# what's shown in the Hotspot Manager
package.1.name=Basic 8HR
# what's shown on the credit card statement
package.1.charged_as=Hotspot 8-hour WiFi

## package 2
package.2.amount=8.99
package.2.hours=24
package.2.name=Premium Daypass
package.2.charged_as=Hotspot 1-day WiFi

## package 3
# this is a free trial package (with amount 0)
package.3.amount=0
package.3.hours=2
package.3.name=Free Trial
# whether to overwrite the user group policy per WLAN/User, default is false
# only available in release-2.1.0
package.3.limit_overwrite=true
# kbps, default is unlimited
package.3.limit_down=4096
# kbps, default is unlimited
package.3.limit_up=1024
# Mbytes, default is unlimited
package.3.limit_quota=1024

I see "Certificate Error" when redirected to the PayPal website. What's wrong?

Paypal.com loads resources from paypalobjects.com, which unfortunately resolves to different IPs/subnets in different countries, so the walled garden blocks part of the page.

  1. run "nslookup www.paypalobjects.com"; you'll get something like "184.51.102.85"
  2. add the surrounding /24, i.e. "184.51.102.0/24", to Allowed Subnets in Settings->Guest Control (this opens the whole block to unauthorized guests, so keep the list to what the payment page actually needs and re-check it when the lookup result changes)

Install the controller in "the cloud" -- Amazon Web Services (AWS)

Overview

With L3 Manageability, we've essentially enabled the capability of running the controller in the cloud. We believe this makes UniFi the most versatile enterprise WiFi system in terms of deployment options.

This post describes how you can run your controller on AWS (Amazon Web Services) and how you can get your APs managed by the controller hosted there.

Setup

This assumes you have some understanding of AWS and have tried it. If not, don't worry; go to the end for a quick tutorial.


Create the controller instance

There's an AMI created for you: ami-9f68a8f6 (or you can search for UniFi 2.1.0-beta). This is pretty much Ubuntu 10.04 + unifi-beta.

Note: this AMI is currently available only in the US-East region; we will copy it to the others soon.

  1. launch AWS Management Console
  2. Images->AMI, search for the ami by 'ami-9f68a8f6'
  3. Click "Launch", a micro instance will do. Click "Continue"
  4. In "Instance Details", use the default options. Click "Continue"
  5. for keys/values, do nothing, Click "Continue"
  6. Select a Key Pair you'd like to use or create a new one
  7. Create a new Security Group, UniFi, with the following inbound rules (restrict the source of TCP 8443 and TCP 22 to your own admin addresses; only 8080, 8880, 8843 and UDP 3478 need to be reachable from the APs and guests):
    1. TCP 8080
    2. TCP 8443
    3. TCP 8880
    4. TCP 8843
    5. TCP 22
    6. UDP 3478
  8. Click Launch
  9. Go to Instances->Instances, after the instance is Up, select the instance find the "Public DNS" at the lower panel. This is the hostname that you can use to manage the controller and the one that APs will use for inform (something like ec2-50-19-7-124.compute-1.amazonaws.com)


AP Adoption and management

  1. Open a browser to URL like "https://ec2-50-19-7-124.compute-1.amazonaws.com:8443/", go through the wizard
  2. With your 2.0.0 APs in their default state in the same L2, launch the UniFi Discovery Utility
  3. Click Manage and change the inform URL to something like "http://ec2-50-19-7-124.compute-1.amazonaws.com:8080/inform". Click "Apply"
  4. You'll see the device showing up as pending on the controller UI. Click "Adopt".
  5. (Controller will attempt to SSH right away and fail, ignore the status)
  6. On the Discovery Utility, you should still see the AP showing up as Pending, perform (3) again
  7. This time the AP will be adopted successfully.


Where to go from here?

Note that the AMI is for testing purposes. For production, you may want to:

  1. get a domain name and/or an Elastic IP, as the public DNS name changes whenever you stop/start the instance
  2. reinstall unifi-beta, at least to replace the SSL certificate and key baked into the AMI (every instance launched from it starts with the same ones):
apt-get remove unifi-beta
rm -rf /var/lib/unifi
apt-get install unifi-beta

Amazon AWS

Amazon AWS is probably the most versatile hosting platform you can ask for. They even offer a free tier for people to try for a year. Signing up is easy and you can use your existing amazon.com account (http://aws.amazon.com/free/)

After sign up, go to https://console.aws.amazon.com/ec2 and follow the steps mentioned above.

Advanced

Custom SSL certificate

On Linux using apt:


sudo su -
cd /usr/lib/unifi            # <unifi_base> on Linux; the keystore lives under /var/lib/unifi

# create a new key pair and certificate signing request (CSR)
java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>

# your CSR can be found at /var/lib/unifi
# - unifi_certificate.csr.der
# - unifi_certificate.csr.pem

# have this CSR signed by a CA; you'll get the signed certificate plus one or more intermediate certificates back...

# import the signed certificate first, followed by the intermediate certificates,
# then restart the controller so it loads the new keystore
java -jar lib/ace.jar import_cert <signed_cert> [<other_intermediate_root_certs>...]

UniFi Controller API

While we have offered a few scripts that use the API to perform actions against the controller, we haven't announced it publicly yet.

However, we think it's time to start something. Be aware, though:

  • back up your DB often and stay with the scripts we included; at the current state, not all parameters are checked.
  • Treat the APIs experimental and subject to change
Overview

To perform API operations, download unifi_sh_api. Here's a sample script that authorizes a guest for X minutes:

#!/bin/sh
# usage: ./authorize.sh <guest-mac> <minutes>

## define required variables (read by unifi_sh_api)
username=admin
password=admin                  # use a dedicated, non-default admin account
baseurl=https://localhost:8443

## refuse to run with missing arguments instead of sending an empty MAC
if [ $# -ne 2 ]; then
    echo "usage: $0 <guest-mac> <minutes>" >&2
    exit 1
fi

## include the API library (expected in the current directory)
. ./unifi_sh_api

unifi_login
# unifi_authorize_guest <mac> <minutes> [up=kbps] [down=kbps] [bytes=MB]
unifi_authorize_guest "$1" "$2"
unifi_logout
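The sample script passes its arguments straight through to the API call. As an added example (not Ubiquiti's unifi_sh_api), the following wrapper validates the MAC address and the numeric arguments before handing them to unifi_authorize_guest, and runs as a dry run when the library is not in the current directory. The argument order (mac, minutes, up kbps, down kbps, quota MB) follows the usage line in the script above; the MAC 00:15:34:93:e3:f2 in the demonstration call is the one used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not Ubiquiti's unifi_sh_api): validate the guest MAC and the
# numeric arguments before they are handed to unifi_authorize_guest, instead
# of interpolating "$1 $2" into the request unchecked. Runs as a dry run when
# ./unifi_sh_api is not present. Variable names and the argument order follow
# the sample script on this page.

username=${UNIFI_USER:-admin}
password=${UNIFI_PASS:-admin}         # use a dedicated, non-default admin account
baseurl=${UNIFI_URL:-https://localhost:8443}

# Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; print the lower-case colon form.
normalize_mac() {
    m=$(printf '%s' "$1" | sed 'y/ABCDEF-/abcdef:/')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# Unsigned decimal integer only: no sign, no spaces, no shell metacharacters.
valid_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Usage: authorize_guest_checked <mac> <minutes> [up_kbps] [down_kbps] [quota_mb]
authorize_guest_checked() {
    if [ $# -lt 2 ] || [ $# -gt 5 ]; then
        echo "usage: authorize_guest_checked <mac> <minutes> [up_kbps] [down_kbps] [quota_mb]" >&2
        return 2
    fi
    mac=$(normalize_mac "$1") || { echo "rejected MAC address: $1" >&2; return 2; }
    shift
    for n in "$@"; do
        valid_uint "$n" || { echo "rejected non-numeric argument: $n" >&2; return 2; }
    done
    [ "$1" -gt 0 ] || { echo "minutes must be greater than zero" >&2; return 2; }
    echo "authorize $mac for $1 minute(s)${2:+, up $2 kbps}${3:+, down $3 kbps}${4:+, quota $4 MB}"
    if [ -r ./unifi_sh_api ]; then
        . ./unifi_sh_api
        unifi_login
        unifi_authorize_guest "$mac" "$@"
        unifi_logout
    else
        echo "dry run: ./unifi_sh_api not found, nothing sent to $baseurl"
    fi
}

# Demonstration call using the MAC quoted elsewhere on this page.
authorize_guest_checked 00:15:34:93:E3:F2 240 2048 512
```

Because the controller authorizes by MAC, anything that reaches this function decides who gets Internet access; validating here keeps a stray quote or a crafted value out of the request body the library builds, and the returned status (2 on rejection) lets a calling portal back-end fail closed.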

Under The Hood

AP - Controller Management Protocol

Overview

AP discovery is done with L2 multicast/broadcast so that the controller can see the AP. Adoption is done by the controller SSHing into the AP to tell it where the controller is. After that, it's all the AP calling home to perform the tasks the controller asks of it. All AP-controller management traffic goes untagged.

The design has L3-management in mind where you can set up controller in the clouds.

Adoption

Initial Handshake

  • When an AP is in factory default (LED shows steady amber/orange), it will obtain an IP from DHCP server and send out beacons - "I'm at factory default settings. Who can manage me?"
  • Controller hears the beacon. As this device is in default state, shows the AP as PENDING.
  • When the user decides to adopt the AP, controller will adopt the AP via SSH (using the IP information in the beacon and the default username/password)
  • AP sends initial inform to http://controller_ip:8080/inform, the binding of controller-AP is now completed


When the AP is already adopted

  • When an AP has been adopted (LED shows steady green) but the controller is not present, the AP sends a slightly different beacon - "I'm here. When you (the controller) are up/ready. Come pick me up."
  • When the original controller comes up, it hears the AP's beacon and finds that the AP is under its management. It will readopt the AP automatically via SSH (using the IP information in the beacon and with the non-default credential).

Management

The controller manages the AP using a proprietary TR-069-like management protocol. The main idea, for scalability, is for the AP to phone home periodically over L3. To support instant notifications from controller to AP, STUN is also used.

Is the proprietary communication between APs and the Controller encrypted?

Yes, the protocol is encrypted. Note that the inform URL is plain HTTP on port 8080: the encryption belongs to the management protocol itself rather than to TLS on the transport, which is why the cloud setup above opens 8080 rather than an HTTPS port. The initial adoption, however, is done over SSH with the AP's default credentials, so perform it on a network you control.

Can I put the controller in a different subnet?

See L3 Management