====== Ubiquiti UniFi Controller ======

===== General Documentation =====

Troubleshooting: [[https://help.ubnt.com/hc/en-us/sections/200887574-UniFi-Troubleshooting|https://help.ubnt.com/hc/en-us/sections/200887574-UniFi-Troubleshooting]]

config.properties: [[https://help.ubnt.com/hc/en-us/articles/205146040-UniFi-config-properties-File-Explanation|https://help.ubnt.com/hc/en-us/articles/205146040-UniFi-config-properties-File-Explanation]]

===== Running in a Docker Container =====

[[https://docs.linuxserver.io/images/docker-unifi-controller|https://docs.linuxserver.io/images/docker-unifi-controller]]

Docker Compose (V2, golang):

<code yaml>
---
version: "2.1"
services:
  unifi-controller:
    image: lscr.io/linuxserver/unifi-controller:latest
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
    volumes:
      - /mnt/data/unifi/:/config
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514/udp #optional
    restart: unless-stopped
</code>

Then run ''docker-compose up''.

Continuous operation:

<code bash>
docker run -d \
  --name=unifi-controller \
  -e PUID=1000 \
  -e PGID=1000 \
  -e MEM_LIMIT=1024 `#optional` \
  -e MEM_STARTUP=1024 `#optional` \
  -p 8443:8443 \
  -p 3478:3478/udp \
  -p 10001:10001/udp \
  -p 8080:8080 \
  -p 1900:1900/udp `#optional` \
  -p 8843:8843 `#optional` \
  -p 8880:8880 `#optional` \
  -p 6789:6789 `#optional` \
  -p 5514:5514/udp `#optional` \
  -v /mnt/data/unifi/:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/unifi-controller:latest
</code>

===== Current Config =====

<code bash>
cat /tmp/running.cfg
</code>

====== Ports ======

^Type^Port^Purpose^
|TCP|22|SSH access (controller & devices)|
|UDP|3478|STUN communication (AWS)|
|TCP|8080|Device and controller communication|
|TCP|8443|Controller GUI/API as seen in a web browser|
|TCP|8880|HTTP portal redirection|
|TCP|8843|HTTPS portal redirection|
|TCP|6789|UniFi mobile speed test|
|TCP|27117|local-bound database communication|
|UDP|5656-5699|AP-EDU broadcasting|
|UDP|10001|AP discovery|
|UDP|1900|"Make controller discoverable on L2 network" in controller settings|

===== Custom SSH Keys =====

[[https://help.ubnt.com/hc/en-us/articles/235247068-UniFi-Add-Custom-SSH-Keys-to-Your-UniFi-Devices|https://help.ubnt.com/hc/en-us/articles/235247068-UniFi-Add-Custom-SSH-Keys-to-Your-UniFi-Devices]]

Log in to the UAP via SSH (this also works through the controller: Tools, Debug).

Add the public key to ''/etc/dropbear/authorized_keys'' using vi.

Then use ''cfgmtd -w -p /etc/'' to have the configuration re-read and written to flash.

===== Adoption =====

[[https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers|https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-Uni]]

Prerequisites:

DNS: "unifi" must resolve to the controller IP.

DHCP: Option 43 must supply the IP of the controller, see [[https://help.ubnt.com/hc/en-us/categories/200320654-UniFi-Wireless#To_use_DHCP_Option_43|https://help.ubnt.com/hc/en-us/categories/200320654-UniFi-Wireless#To_use_DHCP_Option_43]]\\
Discussion of Option 43: [[https://serverfault.com/questions/318292/linux-dhcp-server-option-43-vendor-encapsulated-options-how-to-format-encode|https://serverfault.com/questions/318292/linux-dhcp-server-option-43-vendor-encapsulated-options-how-to-format-encode]]

Example for dnsmasq:

<code>
# unifi controller
dhcp-option=vendor:ubnt,43,"192.168.72.8"
</code>

Console: reset to factory defaults (the device then obtains its IP via DHCP):

''syswrapper.sh restore-default''

Trigger adoption from the AP side:

''set-inform http://ip-of-controller:8080/inform''

<code>
UBNT-BZ.v3.9.27# set-inform http://192.168.72.8:8080/inform

Adoption request sent to 'http://192.168.72.8:8080/inform'. Use the controller to complete the adopt process.
</code>

===== Wireless Uplink =====

1. Factory reset if you have already been trying to get them to work.
2. Adopt the APs on a wired ethernet connection.
Upgrade them if required to the latest firmware.
3. Manually set the radio channels (both frequency bands) to be the same on the AP you want to wirelessly uplink and the AP you want to downlink from. Note that the wireless uplink takes place in the 5GHz band and according to release notes uplinking on a DFS channel is being removed imminently (which somewhat limits options).
4. Do NOT set a static IP address on the AP(s) you want to be wirelessly connected - undocumented quirk it seems!
5. Make sure that in Settings>Site the Uplink Connectivity Monitor is Enabled.
6. Remove the wired connection from the AP(s) you want to be wireless and connect just the PoE power and wait for it to reboot.
7. The device to be wirelessly connected should go heartbeat missed, disconnected, isolated - let it do it in its own time.
8. In the AP Configuration go to Wireless Uplink and select the link icon on the AP to uplink to. If this box is blank give it a minute or two. If it stays blank something above has probably gone wrong!
9. There will be a short delay while the AP acting as downlink is provisioned and then within a minute or two the AP being wirelessly connected should come out of Isolation and report Connected (Wirelessly).
10. Resist the temptation to now try setting a static IP or you'll have to start over!

===== Cloud Key: Proper Certificates =====

Cloud Key: nginx is used as the primary web server; simply swap the certificates in ''/etc/nginx''.

The controller UI is a JVM running a Spring Boot application ([[http://spring.io/projects/spring-boot|http://spring.io/projects/spring-boot]] and [[https://www.torsten-horn.de/techdocs/Spring-Boot.html|https://www.torsten-horn.de/techdocs/Spring-Boot.html]]). The SSL certificates are stored in a Java keystore at ''/etc/ssl/private/unifi.keystore.jks''.

Documentation: [[https://scotthelme.co.uk/setting-up-https-on-the-unifi-cloudkey/|https://scotthelme.co.uk/setting-up-https-on-the-unifi-cloudkey/]]

1.
Stop the UI: ''service unifi stop''
2. Convert the certificates and the CA to P12 format:
<code>
openssl pkcs12 -export -in unifi.netzwissen.loc.crt -inkey unifi.netzwissen.loc.key -certfile ca_netzwissen_locutus.crt -out unifi.p12 -name unifi -password pass:aircontrolenterprise
</code>
3. Create a JKS from it:
<code>
keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore unifi.keystore.jks -storepass aircontrolenterprise
</code>
Keep the name and password exactly as given!
4. Start the UI again: ''service unifi start''

===== Admin Reset via MongoDB =====

List users:

''mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"''

Set the new hash (for "password"):

<code>
mongo --port 27117 ace --eval 'db.admin.update( { "name" : "" }, { $set : { "x_shadow" : "$6$ybLXKYjTNj9vv$dgGRjoXYFkw33OFZtBsp1flbCpoFQR7ac8O0FrZixHG.sw2AQmA5PuUbQC/e5.Zu.f7pGuF7qBKAfT/JRZFk8/" } } )'
</code>

Create the hash:

''# mkpasswd -m sha-512 password -s "ybLXKYjTNj9vv"''
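
A check to run once the admin reset above has served its purpose, as an added example that is not part of the original page: it reads the ''printjson'' output of the user listing and names every admin whose ''x_shadow'' still uses the salt published here, which means the password was never changed after the reset. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.
PUBLISHED_SALT='ybLXKYjTNj9vv'   # salt of the reset hash shown on this page

# audit_reset_hash: reads printjson output of db.admin.find() on stdin,
# prints the name of every admin whose x_shadow uses the published salt and
# returns 1 if there is at least one.
audit_reset_hash() {
    awk -v salt="$PUBLISHED_SALT" '
        function val(line) {   # value part of a  "key" : "value",  line
            sub(/^[^:]*:[ \t]*"/, "", line)
            sub(/",?[ \t]*$/, "", line)
            return line
        }
        /^[ \t]*"name"[ \t]*:/     { name = val($0) }
        /^[ \t]*"x_shadow"[ \t]*:/ { shadow = val($0) }
        /^[}]/ {               # end of one admin document
            if (index(shadow, "$6$" salt "$") == 1) { print name; bad = 1 }
            name = ""; shadow = ""
        }
        END { exit bad }
    '
}

# Constructed sample of what the "list users" command prints.
sample_admin_dump() {
    cat <<'EOF'
{
    "_id" : ObjectId("000000000000000000000001"),
    "name" : "admin",
    "x_shadow" : "$6$ybLXKYjTNj9vv$dgGRjoXYFkw33OFZtBsp1flbCpoFQR7ac8O0FrZixHG.sw2AQmA5PuUbQC/e5.Zu.f7pGuF7qBKAfT/JRZFk8/"
}
{
    "_id" : ObjectId("000000000000000000000002"),
    "name" : "netops",
    "x_shadow" : "$6$CONSTRUCTEDSALT$constructed.placeholder.hash"
}
EOF
}

sample_admin_dump | audit_reset_hash ||
    echo "the accounts listed above still use the published reset salt"
```

On the controller, pipe the page's listing command into the function: ''mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);" | audit_reset_hash''. Header lines printed by the mongo shell are ignored.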
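
For the DHCP prerequisite in the Adoption section, an added example (not from the original page or from Ubiquiti): the UniFi Option 43 payload is sub-option 0x01, length 0x04, then the four bytes of the controller's IPv4 address. The functions below encode an address, decode a payload, and confirm that a payload handed out by a DHCP server points at the controller you expect; all function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# UniFi option 43 payload: sub-option 0x01, length 0x04, 4 address bytes.

# is_ipv4 A.B.C.D: succeeds only for four decimal octets 0..255
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# option43_encode 192.168.72.8 -> 01:04:c0:a8:48:08
option43_encode() {
    is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '01:04:%02x:%02x:%02x:%02x\n' "$1" "$2" "$3" "$4"
}

# option43_decode 01:04:c0:a8:48:08 (colons optional) -> 192.168.72.8
option43_decode() {
    hex=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*) echo "not hex: $1" >&2; return 1 ;;
        0104????????) ;;
        *) echo "not a sub-option 1 / length 4 payload: $1" >&2; return 1 ;;
    esac
    set -- $(printf '%s' "${hex#0104}" | sed 's/../0x& /g')
    printf '%d.%d.%d.%d\n' "$@"
}

# option43_matches PAYLOAD EXPECTED_IP: succeeds only if the payload a DHCP
# server hands out points at the controller you expect.
option43_matches() {
    got=$(option43_decode "$1") || return 1
    [ "$got" = "$2" ]
}

option43_encode 192.168.72.8    # controller address used on this page
```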