====== Ubiquiti Unifi ======

**Optimize Your Network**: https://help.ui.com/hc/en-us/articles/360012947634-UniFi-Network-Optimizing-Wireless-Speeds

**User Guide**: http://dl.ubnt.com/guides/UniFi/UniFi_Controller_V4_UG.pdf

**Web Site**: http://www.ubnt.com/unifi

**Wiki**: http://wiki.ubnt.com/UniFi

**KnowledgeBase**: http://community.ubnt.com/t5/tkb/communitypage

**Blogs**: https://community.ubnt.com/t5/custom/page/page-id/Blogs

**Videos**: http://www.youtube.com/results?search_query=unifi

Unifi is a controller-based wireless networking platform:

  * Cost-effective
  * Software controller (free)
  * Various APs
    * Indoor
    * Outdoor
    * 2.4GHz and 5GHz
    * Single and dual radio
  * Controller can be local or cloud based
  * Multiple sites supported
    * Version 3.0+
  * Integrated billing system available

Consider using a Docker-based configuration.

====== Server Prep ======

[[internet:mail:zimbra:zimbra_ose#server_preparation|Server Prep]]

===== Controller Installation =====

:!: Unifi Controller seems to be easy to install, run and update under **Docker**. See below.

https://pimylifeup.com/ubuntu-unifi-controller/

:!: This is for a minimal **Ubuntu 22.04** LTS Server with **2 vCPU**, **2GB RAM** and a **20GB vHD**.
<code>
apt install curl haveged gpg openjdk-8-jre-headless

# This library is not in the default repos
# It is fetched over plain HTTP and installed with dpkg, so apt's signature checks do not cover it
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.0g-2ubuntu4_amd64.deb
dpkg -i ./libssl1.1_1.1.0g-2ubuntu4_amd64.deb
rm -f libssl1.1_1.1.0g-2ubuntu4_amd64.deb

# Ubiquiti repository key and source list
curl https://dl.ui.com/unifi/unifi-repo.gpg | sudo tee /usr/share/keyrings/ubiquiti-archive-keyring.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/ubiquiti-archive-keyring.gpg] https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list > /dev/null

# MongoDB 3.6 repository key and source list
curl https://pgp.mongodb.com/server-3.6.asc | gpg --dearmor | tee /usr/share/keyrings/mongodb-org-server-3.6-archive-keyring.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/mongodb-org-server-3.6-archive-keyring.gpg] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/3.6 multiverse' | tee /etc/apt/sources.list.d/mongodb-org-3.6.list > /dev/null

apt update && apt install -y mongodb-org-server && systemctl enable mongod && systemctl start mongod

apt install unifi -y
</code>

==== Firewall ====

^TCP Ports| 22, 8080, 8443, 8880, 8843 |
^UDP Ports| 3478 |

<code>
ufw allow 22/tcp
ufw allow 8080/tcp
ufw allow 8443/tcp
ufw allow 8880/tcp
ufw allow 8843/tcp
ufw allow 3478/udp
ufw --force enable
ufw status numbered
</code>

==== Management ====

=== Browser ===

https://ip.of.controller:8443

^Default Username |''Admin'' |
^Default Password |''123456'' |

=== SSH ===

^Default Username |''ubnt'' |
^Default Password |''ubnt'' |

===== Add New Site =====

:!: Once an AP is managed, you configure the SSH username and password for the APs using the web interface.

:!: Be aware that under **Settings -> Networks -> Edit** you will find a **DHCP Server enabled**.
**Select the site -> Settings -> Site**

  * ''Site Name''
  * ''Country''
  * ''Time Zone''
  * ''Device Authentication''

**Select the site -> Settings -> Wireless Networks**

  * ''Name/SSID''
  * ''Enabled''
  * ''Security'' -> ''WPA2''
  * ''Security Key''

===== Show/Change Passphrase =====

  * Log into Unifi Controller and select the correct client/site
  * Bottom left, select ''settings''
  * Select ''Wireless Networks''
  * Click ''Edit''
  * Click in the ''Security Key'' field to expose the current password

===== Channel Selection =====

==== RF Scan ====

:!: Perform as part of installation or during scheduled down-time. An **RF Scan will disconnect all users**.

:!: Re-provisioning after **changing settings will disconnect all users**.

:!: Available on newer 802.11ac APs.

https://youtu.be/Vi_6YvQ4tNg

**Unifi Controller -> Devices -> -> Tools -> RF Environment -> Scan**

===== Guest Networks =====

Simple guest access uses a single DHCP server and restricts access to Internet only.

These steps are no longer correct for Controller V8. Guest networks are now created by selecting ''Manual'' configuration and enabling ''Hotspot Portal''. You configure the user experience by managing the Hotspot Portal.

  * To **restrict bandwidth of guests**, create a "Guests" User Group
    * **Unifi -> Settings -> User Groups**
    * Set bandwidth restrictions
  * Create and enable a Wireless Network
    * **Unifi -> Settings -> Wireless Networks**
    * Set **SSID**
    * Set **Security authentication protocol** to ''WPA Personal''
    * Assign your desired **Security Key**
    * Tick **Apply Guest Policy** option
      * Restricts guest access to Internet only
    * Under **Advanced Options**
      * **Select** the User Group you created previously
      * **Deselect** ''Block LAN to WLAN Multicast and Broadcast Data'' to permit DHCP

:!: Click in the ''Security Key'' field to expose the current password.
===== Site Administrators =====

Add an end-user (site) administrator:

  * **Unifi -> -> Settings -> Admins -> Create New Admin**
  * Enter the user's email and first name (the first name is used for the greeting in the invite email)
  * Select Role, read only or Admin
  * Click Invite

:!: The end user will receive an email with a link that will allow them to select a password and login name.

===== Layer 3 AP Management =====

http://wiki.ubnt.com/UniFi_FAQ#L3_.28Layer_3.29_Management

==== L3 Adoption ====

http://www.youtube.com/watch?v=y5tkToD_nds

  - Install AP
  - Configure networking to controller (Internet, DHCP)
  - Determine IP address of the AP (DHCP log)
  - SSH into the AP
  - Default configuration
  - Drop into mca-cli
  - Set inform URL to cloud controller
  - Adopt the AP at the controller (after selecting site and configuring map)
  - Reset the Inform URL again at the AP
  - Controller should show the AP as Connected

<code>
gcooper@snoopy:~$ ssh -l ubnt 192.168.0.72
ubnt@192.168.0.72's password:

BusyBox v1.11.2 (2013-03-22 03:26:44 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BZ.v2.4.1# help

UniFi Command Line Interface - Ubiquiti Networks

   info          disaplay AP information
   set-default   restore to factory default
   set-inform    attempt inform URL (e.g. set-inform http://192.168.0.8:8080/inform)
   upgrade       upgrade firmware (e.g. upgrade http://192.168.0.8/unifi_fw.bin)
   reboot        reboot the AP

BZ.v2.4.1# info

Model:       UniFi_AP-AC
Version:     2.4.1.2004
MAC Address: dc:9f:db:fc:0e:a1
IP Address:  192.168.0.72
Uptime:      3096 seconds
Status:      Unable to resolve (http://unifi:8080/inform)
</code>

<code>
BZ.v2.4.1# syswrapper.sh restore-default

BZ.v2.4.1# mca-cli

UniFi# set-inform http://"ip or url of unifi controller":8080/inform

Adoption request sent to 'http://"ip or url of unifi controller":8080/inform'.

1. please adopt it on the controller
2. issue the set-inform command again
3. will be saved after device is successfully managed
</code>

:!: Adopt the AP at the controller.
Go to the site that you want the device in and click Devices. The device should show. Click the Adopt option to the right. After the device comes back online, SSH in and re-run the inform command.

<code>
BZ.v2.4.1# mca-cli

UniFi# set-inform http://"ip or url of unifi controller":8080/inform

Adoption request sent to 'http://"ip or url of unifi controller":8080/inform'.

1. please adopt it on the controller
2. issue the set-inform command again
3. will be saved after device is successfully managed
</code>

:!: After the AP is adopted at the controller, SSH into it using the same credentials specified at the controller.

:!: The password is configurable via the controller at **Settings -> Site -> Device Password**. If you change the password and click apply, it will reboot and provision the APs.

==== Change the inform url ====

  - You must SSH into the AP. Use the login/pass specified in the controller
  - Default the AP using set-default
  - Let the unit disconnect (it will take a few minutes) from the controller.
  - SSH back into the AP (using ubnt ubnt for login/pass).
  - Set inform url with set-inform. The AP will reconnect.

:!: The set-default command does not change some of the settings. A wireless uplink configured AP reconnected to the controller after changing the inform url and being disconnected from the wired connection without any reconfiguration.
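The check below is an added example, not part of the original page or of Ubiquiti's tooling: it reads saved ''info'' output from an AP and reports whether the inform URL points at the controller you expect, which is worth confirming after any set-default or set-inform. The sample is constructed from the session shown above; the ''Connected'' status text and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify an AP's inform target from saved `info` output.

# Constructed sample, copied from the `info` output in the session above.
SAMPLE_INFO='Model:       UniFi_AP-AC
Version:     2.4.1.2004
MAC Address: dc:9f:db:fc:0e:a1
IP Address:  192.168.0.72
Uptime:      3096 seconds
Status:      Unable to resolve (http://unifi:8080/inform)'

# Print the host part of the inform URL on the "Status:" line (stdin).
inform_host() {
  sed -n 's|^Status:.*(https\{0,1\}://\([^:/)]*\).*|\1|p'
}

# Print the state text that precedes the "(" on the "Status:" line (stdin).
inform_state() {
  sed -n 's|^Status:[[:space:]]*\([^(]*[^( ]\).*|\1|p'
}

# Usage: check_inform EXPECTED_HOST < info-output
# Prints one verdict: ok, wrong-controller, not-connected or no-inform-url.
# "Connected" as the healthy state text is an assumption of this example.
check_inform() {
  info=$(cat)
  host=$(printf '%s\n' "$info" | inform_host)
  state=$(printf '%s\n' "$info" | inform_state)
  if [ -z "$host" ]; then
    echo "no-inform-url"
  elif [ "$host" != "$1" ]; then
    echo "wrong-controller ($host)"
  elif [ "$state" != "Connected" ]; then
    echo "not-connected ($state)"
  else
    echo "ok"
  fi
}

# Demo: the sample AP is compared against the controller address used in
# the CLI help text above (192.168.0.8).
printf '%s\n' "$SAMPLE_INFO" | check_inform 192.168.0.8
```

An AP that reports ''wrong-controller'' is sending its inform traffic somewhere other than the expected controller and should be reset and re-adopted using the steps above.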
==== VLANs ====

http://wiki.ubnt.com/UniFi_and_switch_VLAN_configuration

===== Wireless Uplinks =====

http://wiki.ubnt.com/UniFi_FAQ#Wireless_Uplink

http://www.youtube.com/watch?v=oA6m0P-NDnA

http://community.ubnt.com/t5/UniFi-Configuration-Examples/UniFi-Set-up-UAPs-in-wireless-uplink-topology/ta-p/529779

<code>
Switch -----(wired)----- Uplink AP (((((wireless))))) Island AP
</code>

===== SSL Certificate =====

http://community.ubnt.com/t5/UniFi-Wireless/Your-own-SSL-key-and-cert/m-p/862990#M64454

===== Traffic Shaping =====

https://help.ubnt.com/hc/en-us/articles/204911354-UniFi-Set-traffic-bandwidth-limits

  * To impose limits on bandwidth used at the **WAN interface**, you should consider traffic-shaping policies at the **gateway**
  * **Limits** are applied at the **UAP**
  * Layer-2 **traffic shaping policies** can be **applied** for either:
    * **Groups** - SSID, VLAN
      * Can be **applied automatically as users join a particular WLAN** when configured at the WLAN itself
    * **Individuals** - Individual WLAN clients

===== Troubleshooting =====

==== Disconnected ====

If you have an AP showing as ''Disconnected'' in the console, try this:

  - Log into the problem AP using SSH
    - The username and password are at **Unifi Controller Console -> Settings -> Device Authentication**
  - Issue the ''inform'' command twice in quick succession
    - ''set-inform http://unifi.virtualarchitects.com:8080/inform''
  - The AP will reboot and show as ''Connected''

If wireless clients connect but do not have network access, for example NLA shows unidentified:

  - Disable the uplink connectivity monitor. (Disable this if not using wireless uplink) **System -> Uplink Connectivity Monitor**
  - Enable the Multicast Enhancement. **WIFI -> SSID -> Advanced**
  - Enable Fast Roaming. **WIFI -> SSID -> Advanced -> Enable Fast Roaming**

===== Docker =====

This example uses an unsupported Docker image. You probably want to use "linuxserver/unifi-network-application:latest" now.
Unifi Controller seems to be easy to install, run and update under Docker.

==== docker-compose.yml ====

=== Simple Version ===

<code yaml>
version: "2.1"

services:
  unifi-controller:
    image: lscr.io/linuxserver/unifi-controller:latest
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Phoenix
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
    volumes:
      - /root/docker/unifi/config:/config
    networks:
      - unifi-net
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
#      - 1900:1900/udp #optional
#      - 8843:8843 #optional
#      - 8880:8880 #optional
#      - 6789:6789 #optional
#      - 5514:5514/udp #optional
    healthcheck:
      test: curl --fail -k https://localhost:8443/ || exit 1
      interval: 5m
      timeout: 15s
    restart: unless-stopped

networks:
  unifi-net:
    name: unifi-net
</code>
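Docker publishes container ports through its own iptables rules, so the ufw rules in the Firewall section do not filter them; a mapping without a host IP is reachable on every interface of the host. The script below is an added example, not part of the original page or of the linuxserver image: it lists which ports a compose file publishes that way, using a constructed sample of the mappings above and role labels that are this example's own.

```shell
#!/bin/sh
# Added example: list compose port mappings published on all host interfaces.

# Constructed sample: the active mappings from the compose file above, one
# commented-out entry, and one loopback-bound entry added for contrast.
SAMPLE_PORTS='
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
#      - 8843:8843 #optional
      - 127.0.0.1:6789:6789
'

# Map a host port to a role label (labels are this example's own naming).
port_role() {
  case "$1" in
    8443) echo "management-ui" ;;
    8080) echo "device-inform" ;;
    3478) echo "stun" ;;
    10001) echo "device-discovery" ;;
    8843|8880) echo "guest-portal" ;;
    *) echo "other" ;;
  esac
}

# Reads compose text on stdin and prints "<host-port>/<proto> <role>" for
# every uncommented, unquoted short-syntax mapping that has no host IP.
audit_ports() {
  while read -r dash entry rest; do
    [ "$dash" = "-" ] || continue                      # list items only
    case "$entry" in [0-9]*) ;; *) continue ;; esac    # skip env vars, volumes
    proto=tcp
    case "$entry" in */*) proto=${entry##*/}; entry=${entry%/*} ;; esac
    entry=${entry#0.0.0.0:}                            # explicit wildcard bind
    case "$entry" in
      *:*:*) continue ;;                # pinned to one host address
      *:*) host=${entry%%:*} ;;         # host:container, all interfaces
      *) continue ;;                    # container port only
    esac
    echo "$host/$proto $(port_role "$host")"
  done
}

printf '%s\n' "$SAMPLE_PORTS" | audit_ports
```

Prefixing a mapping with a host address, as in the loopback entry of the sample, limits where that port is reachable; the management UI on 8443 is the usual candidate.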