Self Hosted UniFi Controller Tutorial: Managing Multiple Sites & Migrations with Ease!

  • Published: 30 Sep 2024

Comments • 100

  • @TechySpeaking 1 year ago +10

    I've never seen Tom with his hair down, wild

  • @dakid2555 1 year ago +10

    Regarding the Adoption of APs over layer 3, you can also set up a DHCP option 43 to set the inform to a remote Unifi controller without having to set up a temporary controller to complete the adoption. In addition any newly added APs get routed to the correct controller without having to have one on the network with the APs, much easier in my experience. The only challenge is that you need to convert your controller IP to hex and prefix with 01 04 as this DHCP option is stored in hex.
    Another option is to set a CNAME record on the DNS server serving the APs for "unifi" to point to the inform domain name.

    • @Zeric1 1 year ago +2

      option 43 works well and solves a lot of issues. Note how to enter and format the prefix / ip on DHCP varies widely so one will need to research their particular dhcp server. Also don't expect a cheap consumer level router to support option 43, but prosumer or better will (pfsense, sophos, mikrotik, dd-wrt, palo alto, etc all support it).

    • @LThibx 1 year ago

      I agree with both of you. I moved my controller to a linux cloud instance months ago, and well actually I have a Unifi Edgerouter that has a field for Unifi Controller in the DHCP Server config. My understanding is that is their way of implementing Option 43 on the ER. Just put in the IP Address of the Cloud Controller. Works perfectly. I pre-configure all new devices by simply connecting to my network, it gets the correct Inform URL, and I adopt it in the correct tenant. Couldn't be more smooth. Thanks Unifi! 🥰
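
Added example (not part of any comment above, and not UniFi or Lawrence Systems code): the option 43 value described in this thread, `01 04` followed by the controller's IPv4 address in hex, built and checked in Python. The function names and the 192.0.2.10 sample address are constructed for illustration; the separator a given DHCP server expects varies, so `sep` is a parameter.

```python
import ipaddress

SUBOPT_CONTROLLER = 0x01  # sub-option code: the "01" of the "01 04" prefix
IPV4_LEN = 4              # value length: the "04" of the prefix


def encode_option43(controller_ip, sep=":"):
    """Return the option 43 hex string for an IPv4 controller address."""
    # IPv4Address raises ValueError for hostnames, IPv6 and malformed input.
    addr = ipaddress.IPv4Address(controller_ip)
    payload = bytes([SUBOPT_CONTROLLER, IPV4_LEN]) + addr.packed
    return sep.join(f"{b:02x}" for b in payload)


def _to_bytes(hex_value):
    """Accept the common spellings: 01:04:.., '01 04 ..', 0x0104.., 0104.."""
    cleaned = hex_value.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    for ch in ": -":
        cleaned = cleaned.replace(ch, "")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {hex_value!r}") from exc


def decode_option43(hex_value):
    """Walk the code/length/value sub-options and return the controller IP."""
    raw = _to_bytes(hex_value)
    i = 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code:#04x} is truncated")
        if code == SUBOPT_CONTROLLER:
            if length != IPV4_LEN:
                raise ValueError("controller sub-option must carry 4 bytes")
            return str(ipaddress.IPv4Address(value))
        i += 2 + length
    raise ValueError("no controller sub-option (code 01) present")


if __name__ == "__main__":
    value = encode_option43("192.0.2.10")  # constructed sample address
    print(value)
    print(decode_option43(value))
```

Decoding the value already configured on a DHCP server is a quick way to confirm which controller address newly connected devices are being sent to.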

  • @turcoscorner 1 year ago +8

    Great video as usual! You can make auto discovery work over L3 by having a cname record on your local dns of unifi pointing to your real inform url. Thanks for the great content!

    • @dyerseve3001 1 year ago +1

      We go one extra step, set a port on the switch untagged on the DMZ vlan (you did DMZ the controller right?), L2 adoption works and then sets inform to the external url, we can then take the device on-site and drop it into whatever network needs it.

    • @Zeric1 1 year ago

      @@dyerseve3001 It's certainly a good idea to boot up and test the device before sending it off. One still would want L3 adoption working though at the remote site in case for some reason the device gets reset or the inform url gets messed up after deployment, which can happen.

    • @turcoscorner 1 year ago

      @@dyerseve3001 you don't need a local controller with my suggestion, as long as you have a local dns entry on both sites! Remember, you won't be changing the default inform url on the device with this suggestion! We've been using it for years and it works flawlessly

  • @TechnoTim 10 months ago +1

    This is awesome Tom! I always wondered how this worked!

  • @adammiller5242 1 year ago +2

    The word "controller" is spelled wrong in your intro slide. I really enjoy your videos.

  • @slipknottin 1 year ago +2

    I definitely screwed it up when I installed some unifi devices at my sister's. I used my IP at my controller in my house then when the ISP changed my IP I lost connection with all the devices. Still haven’t fixed it and it’s been like 6 months. Some day I’ll have time to go over there and fix it.

  • @tombarber8929 1 year ago +4

    Wish this video came out like a day ago! We have like 15 locations with Unifi APs and 2 different controllers, so this afternoon I spent some time setting up new sites on our newer controller, forgetting the APs from the old controller, and adopting them to the new one. That migration option you showed would have saved some time! 😂
    Great video as always though, and now I know!

  • @TechySpeaking 1 year ago +1

    First

  • @danbandol1611 3 months ago

    Was the Contorller word at the beginning of the video a joke? Or it's just me 😂

  • @alekseiharlasov5294 2 months ago

    Looks like this method doesn't apply to MS Windows infrastructure with a local DNS server. Where and how should I deal with DNS records since I don't want access points to rely on local DNS?

    • @LAWRENCESYSTEMS 2 months ago

      Not completely clear on your question, perhaps you need to set the access point to use external DNS.

  • @michaelgalarza6643 1 month ago

    Tom, you could also do DHCP option 43 to send newly adoptable devices to your hosted controller.

  • @agentsmith64 1 year ago

    I just found out that my fairly new UDM doesn’t support multiple sites. What a joke!! 👎

  • @johana3007 6 months ago

    Hello, great video. I have followed your video and installed the controller in AWS EC2. I’m able to log in using my domain and IP, but I am not able to adopt a device; the device has the right inform URL and I have the same URL in the settings, ports you mentioned are open but no luck, any ideas? Thanks

  • @jlrke24 8 months ago

    Hello, how many sites can the Unifi Site Manager support? We are a single tenant but have about 100 sites, all are basically cut copies for firewall rules etc. We are re-considering our network requirements and the price for unifi is such an eye candy.

  • @weyland-yutani. 6 months ago

    Where did you get your linux theme? Been trying to find the skulls for months and have been unsuccessful

  • @philnutman5902 6 months ago

    I used this method but I now get Cloudflare does not allow direct IP on the Unifi guest portal landing page, Guest ports are open on the controller.

  • @jcarman 1 year ago

    Wow. That hair! Also just noticed controller spelled wrong in the opening title screen. But great stuff as always!

  • @lsdave 2 months ago

    thank you !!!! great tutorial and this really helped me out.

  • @swiftswamp4599 1 year ago

    With hosting the controller in the cloud, is it still smart to take advantage of the UDM Pro or alike for routing on prem?

  • @ronlee1178 11 months ago

    Your methods and explanations are awesome! Thank you!

  • @daltonvanhorn5167 1 year ago

    I like the way you are morphing into Jeff Tweedy

  • @carlostavaresjr958 1 year ago

    Great video. On my controller I have a site called Staging to get a lot of devices setup quickly or at least work on getting online and updated. Then once they are setup or near setup move them to their site. I also have a Unifi VM on my laptop for this as well for quick setups.

  • @SimoAtlas 1 year ago +1

    Your hair looks cool

    • @pepeshopping 1 year ago

      Funny, others would say, get more real/professional please.

  • @SimoAtlas 1 year ago +3

    SSH script to automatically adopt all devices at once since they all have the same default logon credentials

  • @daltonchaney1504 1 year ago +1

    I had to pause a few seconds in to say, sweet hair Tom.

  • @matthewmcghee1250 1 year ago

    What L3 device do you use at each site?

  • @pcleats 1 year ago +1

    Great video by the way

  • @Chris-The-Tech 1 year ago

    @lawrencesystems
    I have a UniFi system running on a Mac mini, with the main router being a Netgear with all the Wi-Fi turned off. My PoE switch is an EdgeSwitch 8XP with 2 U6 access points. I have been told the EdgeSwitch could be causing some network blips on this setup. If this is true, what could I do better to mitigate those issues?

    • @Chris-The-Tech 1 year ago

      Speed tests are always in excess of 500Mbps on a gig/40 connection.

  • @strauss-2478 1 year ago

    Hello. Great video Tom! Do you or someone else maybe know how I can get a 2FA like on the Unifi Account page? Would be a great security feature. My server is also behind a reverse proxy.

    • @LAWRENCESYSTEMS 1 year ago

      Not publicly exposing it and putting it behind a reverse proxy and creating rules for how it is accessed is a form of 2FA

  • @wouterkeuper8378 11 months ago

    Thank you for all the useful and fun videos over the years, one question: How do you monitor all the UniFi equipment since Ubiquiti has removed the "Sites overview" panel in the newer versions of the controller, do you integrate this with an external software for monitoring? Or do you think the panel will eventually move to the "new" interface?
    Kind regards!

    • @LAWRENCESYSTEMS 11 months ago

      You can have the system send you notices when things are down or you could use a third party tool such as Auvik

  • @marinsnb 1 year ago

    How do you allow the ports you mentioned in pfSense? Do you create a “Unifi allowed ports” alias and add some rules? What would those rules look like? Appreciate your thoughts!

    • @LAWRENCESYSTEMS 1 year ago +1

      Since it's only two ports and one UDP and one TCP I am not using an alias. Here is a video on how to port forward in pfsense ruclips.net/video/1YDVebJlGbM/видео.html

  • @BruceKraftJr 9 months ago

    Does anything change now that wifiman for desktops has been released?

  • @BenGillam 1 year ago

    We’re trying to move away from this now. For the most part it’s great and convenient. But every so often a software update will hose one of our customer sites. For small clients that’s fine and not a huge job to fix, but we have had experience of a school site with 30 plus devices where it falls over. Only real fix is to remove all APs, reset and re-adopt them. Had to do this twice in the last couple of years. In these cases we are putting a cloud key in.
    Every update to UniFi controller is a scary affair with this site so much so we’ve started holding back unless there is a critical vuln

    • @LAWRENCESYSTEMS 1 year ago +1

      Not sure what you are doing wrong as we don't have such issues and we have a lot of large deployments.

  • @johnharrison712 1 year ago

    What if you set the unifi stuff using Public IP instead of DNS would love to see how to convert this over.

    • @LAWRENCESYSTEMS 1 year ago

      change the override and it should push it to the connected devices.

  • @Finchwizard 1 year ago

    My issue at the moment I’ll be looking at us we want to get customers into our cloud controller for some more simply management. Testing at my home on a UDM pro SE there’s no way to export sites and import them into a multi site controller.

    • @LAWRENCESYSTEMS 1 year ago

      Correct the UDM can not be managed via the Multi-site controller.

  • @ricardosarda 1 year ago

    I have a problem here in my company. When I install a new controller on another IP and restore my backup onto it, my switches become unreachable for one or two seconds, and the devices connected to them lose connection as well. Is there any way to prevent this from happening?

    • @LAWRENCESYSTEMS 1 year ago

      If you are moving and re-provisioning the devices they restart services to point to the new controller.

  • @davidew98 1 year ago

    What about dream machines? You can’t put a dream machine on an on-site controller

  • @StevenRayVaughan 8 months ago

    Before I even saw this tut, I had everything working the way you spoke about for Tunnels, however the inform URL sends an adoption loop when using CF tunnels for the inform URL. Should I not be using a tunnel for that and simply exposing a firewall port for 8080? Defeats the purpose I'm going for, can you shed some light on this Tom?

    • @LAWRENCESYSTEMS 8 months ago

      Don't use a tunnel for the inform URL

    • @vinguarinovg 8 months ago

      @@LAWRENCESYSTEMS Hi Tom,
      Thank you for all you do.
      So are you saying, the inform URL is exposed, but all other ports can be tunneled? (Through CF?)
      Trying to set up a secure method to control family access points.

  • @linuxpc4me555 1 year ago

    Can you address unifi-video? How can I use cloud access without cloudkey? Can a unifi-video web controller be built?

    • @LAWRENCESYSTEMS 1 year ago

      UniFi video ONLY works with their hardware and their NVR system.

    • @linuxpc4me555 1 year ago

      @@LAWRENCESYSTEMS not a happy answer. But thanks for being frank! I really enjoy and look forward to your videos and knowledge

  • @wigglz 1 year ago

    Where did you get your shirt man?

  • @marco4296 1 year ago

    Thank you a lot for the tutorial! Just wondering if you noticed any glitching - issues on setting up multiple users for each site?

    • @LAWRENCESYSTEMS 1 year ago

      Not that I know of and we have been running this for years

    • @marco4296 1 year ago

      @@LAWRENCESYSTEMS I've added one user to one site only and it actually added the user to each one of the sites. If I remove the user, it will be just for a single site so it will be still present in all the other sites

  • @pcleats 1 year ago

    I am assuming that each site is running its own self hosted controller yes? The big issue I have running a self hosted controller is that each of my sites (7) are running a software package that requires port 80(hard coded and can't be changed) and the controller also requires 80. So the controller won't start.
    I can't run Linux because that software package does not support it. I could put it on a separate mini PC, but then why not just buy a UDM-SE.
    Thoughts?

    • @LAWRENCESYSTEMS 1 year ago

      We manage all our client sites on one controller.

    • @pcleats 1 year ago

      @@LAWRENCESYSTEMS So you have nothing at the remote site other than the devices themselves?

    • @LAWRENCESYSTEMS 1 year ago

      Correct, only the devices.@@pcleats

  • @davidyoder5890 1 year ago

    I'm not sure how your inform and management URLs are different. Are there 2 hosts involved or just 2 different URLs pointing to the same host?

    • @LAWRENCESYSTEMS 1 year ago

      You can have more than one domain pointed at an IP address. Also, my management URL is a cloudflare tunnel

    • @davidyoder5890 1 year ago

      @@LAWRENCESYSTEMS oh, the CF part is what got me confused. Thanks.

    • @StevenRayVaughan 8 months ago

      Per my latest comment, where would the inform URL go? I have it on my cloudflare tunnel at 8080, but I get an adoption loop. Is there something I'm doing wrong? I have to use the local IP for the server as the override because it won't take the DNS record I have for the tunnel on CF. Management works great on a tunnel, but the inform URL just doesn't seem to work, what could I be missing?@@LAWRENCESYSTEMS

  • @Mitchomi 1 year ago +1

    Noob here. Could you use duck DNS instead of static ip?

  • @jj-icejoe6642 1 year ago

    Contorller ?

    • @LAWRENCESYSTEMS 1 year ago

      That is what UniFi calls their software that manages the devices.

    • @jj-icejoe6642 1 year ago

      It's not supposed to be controller ?@@LAWRENCESYSTEMS

    • @LAWRENCESYSTEMS 1 year ago

      @@jj-icejoe6642 Ohh, the typo, that happens.

  • @ricardosarda 1 year ago

    On the opening scene it's written "Contorller" instead of "Controller".

  • @david.mcmahan 1 year ago

    I found the Flex Mini switch is a pain to adopt without a local controller.

    • @Zeric1 1 year ago

      I had issues with this in the past, "dhcp option 43" worked well to solve this. Do a google search on how to set it for your particular router (pfsense, cisco, dd-wrt, mikrotik etc).

  • @leejordanful 1 year ago

    Thanks Tom, that is really relevant to me right now. I'm a bit confused about the different DNS names you used. Maybe a diagram would help to clarify why you used two different names? Thanks

    • @LAWRENCESYSTEMS 1 year ago +3

      You can have multiple DNS pointed at one IP. I bring that up because many people don't seem aware of that which leads to them being stuck when they want to set up certificates for SSL. Also for the management interface I used Cloudflare tunnel which does not even point at that IP which is explained in my Cloudflare tunnel video.

    • @leejordanful 1 year ago

      @@LAWRENCESYSTEMS Thanks. I will only be accessing the controller from our internal network.