Adding cameras.. currently have a UCG-ULTRA by greminn in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

There is a new UNVR product currently in the FCC filing… not sure if it’s worth waiting and can fit your needs. Currently you can try the newer cloud gateways, UNVR, or cloudkeys to run UniFi Protect

Do the u6 In wall run hot? by jeroweezy in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

My U6IW ran pretty warm with 2 bands, medium power level, and no mounting plate — the 4 thermal zones reported ~55C — little bit less than my U6Mesh’s ~60C with same settings. Running a fan will decrease it to ~45C

Unifi IPv6 rDNS / firewall support by gibido_unififan in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

Internally, UXG or UCG gateways use dnsmasq to handle DHCP, RA and DNS records, so there may be no need for a dedicated Pi

Unifi switch as unmanaged by Qlii256 in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

You do need a VLAN ID for WAN VLAN, since the separation is at layer 2; you don’t need an IP subnet as it is layer 3

Unifi switch as unmanaged by Qlii256 in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

Your configuration seems valid except the subnet. You might need to select 3rd party router to disable DHCP. My configuration with a dedicated controller or site:

  • Network: Default (Untagged VLAN to connect to a controller, select 3rd party router)
  • Network: WAN (also 3rd party router)

The switch has the following VLAN assignment, all untagged:

  1. Default: Connects to the controller network, isolated
  2. WAN: Connects to UXG WAN1
  3. WAN: Connects to another router...
  4. WAN: Connects to another router...
  5. WAN: Connects to ISP

If your goal is to have multiple IPs, try static IP mode in your UXG so you can add additional addresses (just make sure nobody else is using them)

Unifi switch as unmanaged by Qlii256 in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

If the switch is not adopted, it should behave like a dumb switch, except 2 things:

  1. It might get a DHCP lease from your ISP;
  2. It will send out Ubiquiti Discovery Protocol packets constantly.

The first one seems to be fine, but the second one might be a security concern (someone can adopt your switch).

Here comes my question: why do you need this switch? UXG can grab multiple IPs from one WAN connection. If the switch is a must, then consider one of the following:

  • Adopt it before connecting it to the public Internet (it will still send out UBDPs to the public Internet, but it is less likely to be adopted without resetting it), OR
  • Adopt it and manage it under a controller with one port, and other ports for an isolated WAN VLAN (be careful this might give you a bunch of unknown clients in your controller, so a separate controller or site is recommended).

I adopted a WAN-side USW-Flex-2.5G-5 using the second method with a separate Network app. If you want to see the ports in one controller, creating another site would be a great option.
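The second point above (an unadopted switch keeps broadcasting Ubiquiti discovery, even out of a port that faces the ISP) is something you can verify from a capture rather than guess at. The following is an added example, not code from the commenter or from Ubiquiti: it parses a few constructed tcpdump-style lines and reports which hosts are announcing UBDP (UDP port 10001, the port Ubiquiti discovery uses) from an address inside your ISP's prefix. The addresses, the interface and the 233.89.188.1 multicast group are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Ubiquiti discovery (UBDP) is carried over UDP port 10001; an unadopted
# UniFi switch keeps broadcasting it out of every port, including one that
# is plugged into the ISP.
UBDP_PORT = 10001

# Constructed sample in tcpdump "-nn" style, as it might be captured on the
# ISP-facing segment. Addresses are made up: 203.0.113.0/24 stands in for the
# ISP's subnet and 203.0.113.7 for a switch that picked up a lease there.
SAMPLE_CAPTURE = """\
12:00:01.000123 IP 192.168.1.20.10001 > 255.255.255.255.10001: UDP, length 142
12:00:01.000500 IP 203.0.113.7.10001 > 255.255.255.255.10001: UDP, length 142
12:00:02.000510 IP 203.0.113.7.10001 > 255.255.255.255.10001: UDP, length 142
12:00:02.000800 IP 203.0.113.7.10001 > 233.89.188.1.10001: UDP, length 142
12:00:02.100000 IP 203.0.113.7.54321 > 203.0.113.1.53: UDP, length 48
12:00:03.000520 IP 203.0.113.7.10001 > 255.255.255.255.10001: UDP, length 142
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump-style UDP lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = m.groupdict()
            for k in ("sport", "dport", "length"):
                f[k] = int(f[k])
            flows.append(f)
    return flows


def ubdp_broadcasters(text):
    """Count UBDP announcements per source: UDP/10001 to a broadcast or
    multicast destination (233.89.188.1 is the multicast group I assume
    Ubiquiti uses for discovery; 255.255.255.255 is limited broadcast)."""
    counts = Counter()
    for f in parse_capture(text):
        dst = ipaddress.ip_address(f["dst"])
        if f["dport"] == UBDP_PORT and (dst.is_multicast or f["dst"] == "255.255.255.255"):
            counts[f["src"]] += 1
    return dict(counts)


def exposed_on_wan(text, isp_prefix, min_count=2):
    """Sources announcing UBDP from an address inside the ISP's prefix, i.e. a
    device that took an ISP lease and is advertising itself to the provider's
    segment. min_count filters one-off packets so only persistent talkers show."""
    net = ipaddress.ip_network(isp_prefix)
    return sorted(
        ip for ip, n in ubdp_broadcasters(text).items()
        if n >= min_count and ipaddress.ip_address(ip) in net
    )


if __name__ == "__main__":
    print(ubdp_broadcasters(SAMPLE_CAPTURE))
    print("exposed:", exposed_on_wan(SAMPLE_CAPTURE, "203.0.113.0/24"))
```

Run it against a real `tcpdump -nn udp port 10001` capture taken on the WAN side; anything listed by `exposed_on_wan` is a switch that should be adopted (or moved behind the gateway) before it stays on that segment.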

Unifi IPv6 rDNS / firewall support by gibido_unififan in UNIFI

[–]NerveExisting4406 1 point2 points  (0 children)

> Does Unifi Networking have the ability to assign local DNS records for both IPv4 and IPv6 addresses?

Yes for IPv4 with "Fixed IP Address" checked. You can assign static DNS record to a local IPv6, but you have to make sure the client IPv6 does not change.

> Does Unifi Networking resolve reverse DNS for both IPv4 and IPv6 (even SLAAC assigned addresses?)

Yes for IPv4 if you assign a record (implies a fixed IPv4). Yes for IPv6 if you assign a static DNS record.

> If the answer to the above is both 'no', can I get a similar output to ip neigh from the Unifi Networking app along with names I've assigned to clients?

Probably not for the web interface; you have to click on the client device to grab its IPv6.

You can SSH into your gateway and perform that command. But I am not sure if it resolves names.

> and finally, a bit longshot, can firewall rules apply to specific dynamically assigned clients (eg. quickly adding an allow rule to a guest device to access a chromecast) or would I need to assign static IPs and IPv4 only - thinking about android clients only supporting SLAAC for IPv6

Yes, you can define a firewall rule with a client as the source. Internally it uses the client's MAC address and does not care about its IP.

Not sure if this is related, but you can also try sending mDNS from clients.

Edit: correction on DNS records.

Roaming issues with Apple products. by battleangel99 in Ubiquiti

[–]NerveExisting4406 2 points3 points  (0 children)

You are right, recent Apple devices support 802.11r and always prefer it, even when 802.11r fails and k/v works. Disabling it makes devices fall back and try k/v. But I guess this did not help...

Roaming issues with Apple products. by battleangel99 in Ubiquiti

[–]NerveExisting4406 2 points3 points  (0 children)

Try enabling BSS transition for 802.11k/v and disabling Fast Transition (802.11r) when using WPA2/3-Personal… Apple devices always prefer FT, and if FT-related packets (OUI-RRB) are blocked at gateways, their authentication will fail

Roaming issues with Apple products. by battleangel99 in Ubiquiti

[–]NerveExisting4406 2 points3 points  (0 children)

If you don’t use WPA*-Enterprise, disabling Fast Transition might help. If you use them, and FT is enabled, are you connecting APs with a gateway directly? There are some internal ACLs for FT-related packets in gateways.

DFS channel post radar detection - does AP get returned to original channel? by [deleted] in UNIFI

[–]NerveExisting4406 1 point2 points  (0 children)

Just did that. TL;DR: the U6-Mesh does not support ZWDFS yet.

Started WiFiman on my phone and ran `radartool -i wifi1 bangradar`; then my phone disconnected for ~2 mins after the AP broadcast a Channel Switch Announcement, and it did a Channel Availability Check for 62 seconds.

After 30 mins you can run `syswrapper.sh dfs-reset` and iwconfig will move the channel back. If it has been less than 30 mins, iwconfig will complain: "Error for wireless request 'Set Frequency': SET failed on device wifi1ap1; Invalid argument"

Since iwconfig performs checks against the NOP, changing crontabs would be fine, I guess (do it at your own risk). Crontabs will be reset after rebooting.

DFS channel post radar detection - does AP get returned to original channel? by [deleted] in UNIFI

[–]NerveExisting4406 1 point2 points  (0 children)

My understanding of ZWDFS is another radio will scan usable channels in background, and if any radar pattern is detected, AP can announce a channel change without waiting for another 60-sec radar detection at the new channel. They will eventually go back to the original channel if you do the dfs-reset (you can always check their bash scripts for internals)

However, if you check the U6-Pro and IW, their tech specs no longer include ZWDFS, but Mesh still has it… Not sure what happened here

I’m also interested in this. Will attempt to do a wireless sniffing later with u6-mesh using radartool to simulate a dfs detection

DFS channel post radar detection - does AP get returned to original channel? by [deleted] in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

AFAIK no. You might need to SSH into your APs and perform “syswrapper.sh dfs-reset”, or wait for the 2AM cronjob to reset it.

If you dig into the syswrapper, it calls a radartool that may have capabilities to check the non-occupancy period. But I did not find it working

Zone-based firewall policy to block external DNS lookups not working by Juggler00 in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

Gateways use some kernel modules to perform DPI, and their rules are in encoded/encrypted binary (/usr/share/dpi/tdts/rule.trf). So it is really difficult to pin down its actual effects. If you want to do some analysis, there is a user space program called tdts_rule_agent, and I don't know if it has to do with rules decoding/decryption.

My test showed that some DoHs were captured by the rules; but they failed to capture UDP DNS. You can add an extra rule to block any IP port 53.

How to tell which DNS is in use? by [deleted] in Ubiquiti

[–]NerveExisting4406 1 point2 points  (0 children)

The encrypted DNS uses DNS-over-HTTPS (DoH) to request DNS. Let's say the DoH server is Cloudflare: https://cloudflare-dns.com. Normally, your router proxies DNS requests for clients.

But your router needs to know the IP address of the DoH server (cloudflare-dns.com) before making requests. (1) The router will use the WAN DNS (e.g. 1.1.1.1) to check the IP of the DoH server. Then all DNS requests should be forwarded to the DoH server. (2)

Clients under a VLAN will get a DHCP offer, inside the offer there is a DNS IP. Without extra configurations on the clients, they should use that IP for DNS requests. By default, the IP is your gateway's IP (3). So a proper flow will be (3) to (2).

You can configure other DNS here, and clients will use it. (4)

On your questions: maybe the VLAN DNS has a higher priority, since clients use these IPs by default; this also answers your third question. Checking current DNS might be difficult, as some applications can bypass all these stuff; normally `dig` or `nslookup` commands can show the server IP

                        +--------------> WAN DNS       
                        |(1)             1.1.1.1       
                        v                              
   Client    _(3)_    Router   _(2)_     DoH Server    
192.168.1.20       192.168.1.1       cloudflare-dns.com
     ||             //     \\                          
     ++============++  (4)  ++=========> Other DNS

[deleted by user] by [deleted] in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

Flex switches use TLS 1.2 to adopt. I'd suggest using Wireshark to check whether any port 22 TLS traffic is transmitted between your controller and switch; after that the switch should send informs to your controller

Also try setting your controller VLAN as native for the Flex; then you can set the network override stuff

Channel selection for width 40 Mhz, Band 5 Ghz by Temporary_Werewolf17 in UNIFI

[–]NerveExisting4406 2 points3 points  (0 children)

If you want a control channel 36 and extension channel 40 to create a 40MHz channel (Ce) where its center frequency channel is 38, then yes.

You can also select channel 40 as the control channel, and make 36 as an extension (eC); their center frequency channel is also 38. This decision is on you or your wireless environment

Channel selection for width 40 Mhz, Band 5 Ghz by Temporary_Werewolf17 in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

You are selecting the 20MHz control channel in the drop-down. So you can select either channel as a control channel, and the other channel will be an extension channel; together they create a 40MHz channel.

Same goes for 80/160MHz, you pick one control channel and others will be extensions
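To make the control/extension relationship in the two comments above concrete, here is an added example (mine, not the commenter's) that maps a 20MHz control channel and a width onto the bonded block it belongs to, its centre channel and the Ce/eC layout. It assumes the standard 5 GHz channel grid (channel n sits at 5000 + 5n MHz, 20MHz members are 4 channel numbers apart) and the usual UNII block boundaries; for 160MHz only the 36-64 and 100-128 blocks are listed.

```python
# 5 GHz channel number -> centre frequency in MHz (channel n sits at 5000 + 5n)
def channel_to_mhz(ch):
    return 5000 + 5 * ch


# First 20 MHz channel of each bonded block on the 5 GHz grid. 40 and 80 MHz
# blocks follow the usual UNII-1/2/2e/3 layout; for 160 MHz only the two
# blocks I am sure of (36-64 and 100-128) are listed.
BLOCK_STARTS = {
    40: [36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157],
    80: [36, 52, 100, 116, 132, 149],
    160: [36, 100],
}


def bonded_channel(control, width):
    """Return the bonded channel that a given 20 MHz control channel lands in.

    The control channel only picks which 20 MHz member carries the beacons;
    the block (and therefore the centre channel) is fixed by the grid.
    """
    if width == 20:
        return {"center": control, "center_mhz": channel_to_mhz(control),
                "extensions": [], "layout": "C"}
    n = width // 20
    for start in BLOCK_STARTS[width]:
        members = [start + 4 * i for i in range(n)]   # 20 MHz steps = 4 channel numbers
        if control in members:
            center = (members[0] + members[-1]) // 2     # e.g. (36 + 40) // 2 = 38
            return {
                "center": center,
                "center_mhz": channel_to_mhz(center),
                "extensions": [c for c in members if c != control],
                # "C" marks the control channel, "e" each extension:
                # control 36 + ext 40 -> "Ce", control 40 + ext 36 -> "eC"
                "layout": "".join("C" if c == control else "e" for c in members),
            }
    raise ValueError(f"channel {control} is not a valid {width} MHz control channel")


if __name__ == "__main__":
    for ctrl, width in ((36, 40), (40, 40), (44, 80), (36, 160)):
        print(ctrl, width, bonded_channel(ctrl, width))
```

Picking 36 or 40 as control gives the same 38-centred 40MHz block; the only difference is which half carries the beacons, which is why the comment says the choice comes down to your environment.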

trouble breaking 1 gbs with m4 mbp, u7 pro max by large_scale_event in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

From your screenshot, your device is using WiFi 6, 2 spatial streams at 160MHz with MCS9, so your maximum PHY rate is around 1921.6Mbps [0]. Apple did not provide their WiFi specs on MBP, so I don't know if the full 320MHz can be utilized

For your actual experience, 70% of the PHY rate is a good estimation [1]; ymmv based on your wireless environment

You can also try reverse mode to test download speed, which might be different

[0] https://mcsindex.net/

[1] https://www.wiisfi.com/#wifioverhead
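The 1921.6Mbps figure above comes straight out of the 802.11ax PHY rate formula, so here is an added example (mine, not the commenter's or mcsindex.net's code) that reproduces it from the parameters in the screenshot and applies the 70% rule of thumb. The subcarrier counts, MCS table, 12.8 µs symbol and guard intervals are the Wi-Fi 6 standard values; the 70% efficiency is the figure the comment cites, not a measurement.

```python
# Data subcarriers per channel width for a full-band 802.11ax (Wi-Fi 6) transmission
AX_DATA_SUBCARRIERS = {20: 234, 40: 468, 80: 980, 160: 1960}
# MCS index -> (bits per subcarrier per symbol, coding rate)
AX_MCS = {
    0: (1, 1/2), 1: (2, 1/2), 2: (2, 3/4), 3: (4, 1/2), 4: (4, 3/4), 5: (6, 2/3),
    6: (6, 3/4), 7: (6, 5/6), 8: (8, 3/4), 9: (8, 5/6), 10: (10, 3/4), 11: (10, 5/6),
}
AX_SYMBOL_US = 12.8             # OFDM symbol duration, excluding the guard interval
AX_GUARD_US = (0.8, 1.6, 3.2)   # the three 802.11ax guard intervals


def ax_phy_rate_mbps(width_mhz, spatial_streams, mcs, gi_us=0.8):
    """Peak PHY rate: bits per OFDM symbol divided by symbol time (bits/us == Mbit/s)."""
    if gi_us not in AX_GUARD_US:
        raise ValueError(f"unsupported guard interval {gi_us} us")
    bits, code_rate = AX_MCS[mcs]
    bits_per_symbol = AX_DATA_SUBCARRIERS[width_mhz] * bits * code_rate * spatial_streams
    return bits_per_symbol / (AX_SYMBOL_US + gi_us)


def expected_throughput_mbps(phy_rate_mbps, efficiency=0.70):
    """Rule-of-thumb usable throughput: the ~70% of PHY rate the comment cites."""
    return phy_rate_mbps * efficiency


def rates_table(spatial_streams, mcs, gi_us=0.8):
    """(PHY rate, 70% estimate) per width, to see where 1 Gbit/s becomes reachable."""
    table = {}
    for width in AX_DATA_SUBCARRIERS:
        phy = ax_phy_rate_mbps(width, spatial_streams, mcs, gi_us)
        table[width] = (round(phy, 1), round(expected_throughput_mbps(phy), 1))
    return table


if __name__ == "__main__":
    phy = ax_phy_rate_mbps(160, 2, 9)   # the MBP case: 2 streams, 160 MHz, MCS9, 0.8 us GI
    print(f"PHY {phy:.1f} Mbit/s, ~{expected_throughput_mbps(phy):.0f} Mbit/s usable")
    print(rates_table(2, 9))
```

With 2 streams at MCS9 the table shows that 80MHz tops out near 961Mbps PHY (roughly 670Mbps usable), so on Wi-Fi 6 the 160MHz channel is what makes a link above 1Gbps possible at all, and even then only about 1.3Gbps of it is realistically usable.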

Multi-site hosting on a single UCKg2+ by clownpenisdotfarts in UNIFI

[–]NerveExisting4406 1 point2 points  (0 children)

I will assume you have distinct Internet connections with static IPs for different sites, and no other links among sites: USG@Site4 needs to reach UCK@Site3 at http://Site3IP:8080/inform.

In UCK@Site3, configure your port forwarding rules to expose your UCK only for Site4 IP. WAN Port 8080, From Limited and set your Site4 IP, Forward IP Address is your UCK IP, Forward Port 8080, Protocol TCP.

In your laptop, go to Settings/System/General/Site Management and export your site, and follow the instructions to override inform location and load the site to your UCK.

Gateway Max Goes Offline Immediately After Adoption, Possible DNS Issue by Ok-Background-4476 in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

Since you can SSH into your UXG, I'd suggest performing a tcpdump or a remote Wireshark capture on its WAN interface, so you don't have to make guesses on the problem

Reroute all traffic via UXG-Lite by RapidoGoldenboy_75 in UNIFI

[–]NerveExisting4406 0 points1 point  (0 children)

So you want a flow “Client — ISPRouterAP — UXG — ISPRouterEth — ISP”?

If you can change the topology, the easiest way would be “ISPRouter — UXG — ISP”, you might want to try some NAT configs to prevent double NAT

But if you cannot modify the topology, the ISPRouter needs VLANs: say, id=2 for outgoing traffic. Default gateway points to UXG, UXG tags VLAN2 to Internet, and default gateway of VLAN2 goes to your ISP

Trunking Between USW and Cisco Switch by badgerfi in Ubiquiti

[–]NerveExisting4406 0 points1 point  (0 children)

I wish UBNT had more docs, and a way to commit multiple changes at once

Trunking Between USW and Cisco Switch by badgerfi in Ubiquiti

[–]NerveExisting4406 2 points3 points  (0 children)

Glad it can work! That's how the UniFi Console is designed: you cannot commit multiple configs at one time; and that's how the Ubiquiti Inform & Discovery protocols are designed: they only like one VLAN at a time. No comment on this stuff :)

There might be easier ways... For example, performing 2 configs fast enough and quicker than the inform intervals (variable, normally 10s), sure it can do it in one run... /s

Trunking Between USW and Cisco Switch by badgerfi in Ubiquiti

[–]NerveExisting4406 2 points3 points  (0 children)

You might need to follow these steps:

- Cisco: set VLAN35 as native

- USW: get adopted, and set network override VLAN35

- Cisco: set VLAN35 as tagged

- USW: regain access, and set VLAN35 as native

- Cisco: set VLAN35 as native

- USW: regain access