kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License

[FEATURE] Guidance to configure Domain in Unifi OS #38

Closed marceldarvas closed 2 years ago

marceldarvas commented 3 years ago

Is your feature request related to a problem? Please describe. I'm using CloudFlare DDNS, I end up having issues with actually using (accessing) this add-on. Would also be nice to find a way to use CloudFlare Access for authentication purposes.

Describe the solution you'd like Please provide instructions on how to configure our sub-domain or wildcard within Unifi, to access the admin UI via the Domain we issued a certificate for.

Describe alternatives you've considered I'm not sure what keeps going wrong, as DuckDNS (running off an RPi) worked just fine, but that's missing IP masking.

kchristensen commented 3 years ago

There's a lot to unwind here, I'm not quite sure what your issue is. Questions:

marceldarvas commented 3 years ago

Yes indeed, it's somewhat related to the CF DDNS module as well, but I thought I'd post it here, since the DDNS IP update seems to be working and it's either an SSL issue or some kind of firewall misconfig.

  1. I've tested different subdomains and a duckDNS pointing to my public IP via the CF DDNS package; your package only issues one of my 2 SSL certificates, which also seems to be working just fine. But out of all domains, only the duckDNS was working, which was updating from my RPi. However, I kept getting an Error 522 Timed Out from CloudFlare for my own 2 subdomains. So after some extensive troubleshooting between ports and CF Zone settings, I've come to the conclusion that if I have Pihole running inside my network, my browsers don't want to open the Unifi Login Panel if they are routed through the Pihole DNS servers (running on UDMP & RPi Docker). I definitely double-checked that the unifi.lan hostname is not on a blocklist, but it still didn't want to work (out of the 2 installs, one of them is running with Unbound). Probably still has something to do with the Ports?
  2. Indeed I really put 2 independent services together, my concept was to use CF Access to resolve this port conflict that was causing my timeouts. I've since run a couple different troubleshootings, but it's still not exactly how I would hope for it to be.
  3. I just couldn't get my domain working, I've tried several things, such as whitelisting all of the CF IPs they publish but really bypassing Pihole was my only way to get by. When you say, just set the hostname, do you mean to set the domain within VLAN network: Domain Name field, which basically will make it show up in Client Device Network Setting under "Search Domains"? Because at some point, I remember trying to override the controller host name, which then led to AP adoption issues, even though I tried following the guides around that.

All of this tweaking has definitely made me learn a lot more about networking, but it seems to be endless with complexity 😆

kchristensen commented 3 years ago

For the record, I too use pihole but do not have my UDMP use it for DNS because it was causing mDNS storms. Instead I have my UDMP set to use Cloudflare, but use the pihole on my vlan configs for internal client use.

As for the hostname, if you log into the Unifi portal, go into the controller and go to Advanced there's a "Console Name" setting that I set to the name I use with my SSL certificate.

marceldarvas commented 3 years ago

So by not having your UDMP use Pihole, do you mean the WAN network and not all individual VLANs using Pihole running on the UDM? I have a backup Pihole running on the Raspberry, and it seems to have worked fine. In the past days, I've reviewed the query logs on the Pihole, and it looks like unifi.lan gets called, which is also cached via unbound. However, I found out about Conditional Forwarding, but couldn't really confirm.

Since you mentioned mDNS, I've followed the tutorial on setting up the multicast-relay container, which seems to have made HomeKit devices quicker in the short-term, but by now, they seem to be struggling (I also tried moving my Homebridge install to the UDM).

However, I may be trying to do too much, with fundamentals not being in place.

I tried following and looking for the "Console Name" but I was not able to find that. My Firmware is on 1.9.3 and my Controller Version is 6.1.71

Now, I only find the "Domain Name" under Networks > VLAN # > Advanced. Not sure if they changed anything here, but Unifi likes changing things around and then combining them... It seems like this has worked now. While doing all of this, I put back my Pihole on my Main VLAN and even that works. I guess I'm not so good at troubleshooting all of this. I believe it will most likely be Firewall related.

marceldarvas commented 3 years ago

Ok, I am back to where I started. The clear cut-off point where my SSL-issued controller subdomain stops working is when I enable the CF DDNS updater and also have the records proxied through CF. Any ideas why I am getting 522 Timed Out errors when masking my A record?

marceldarvas commented 2 years ago

So after troubleshooting some more, I refined several security settings, but the key setting I was missing to make Port 443 accessible was this: https://help.ui.com/hc/en-us/articles/360042156774-UniFi-UDM-Pro-How-to-Access-the-UniFi-Network-Application-by-WAN-IP-or-Hostname
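The 522 described in the comments above is Cloudflare's edge failing to open a TCP connection to the origin: once the A record is proxied (orange cloud), the browser talks to a Cloudflare IP and Cloudflare's edge must be able to reach the UDM's WAN IP on port 443, so the WAN-in firewall has to allow Cloudflare's source ranges, not the client's. The following is an added diagnostic example, not code from the thread or from the udm-le project. The hostname, WAN IP and firewall rules are constructed; the Cloudflare IPv4 ranges are a snapshot of the list Cloudflare publishes and must be re-fetched from https://www.cloudflare.com/ips-v4 before being used in a real rule set.

```python
"""Explain a Cloudflare 522 against a self-hosted origin such as a UDM on port 443.

Added example; constructed inputs. It answers two questions from the thread:
  1. Is the hostname actually proxied (A answers are Cloudflare edge IPs) or direct?
  2. If proxied, which Cloudflare ranges can NOT reach the origin on the target port
     under the given WAN-in allow rules?  Any gap there produces a 522.
"""
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: current at time of
# writing).  Re-fetch https://www.cloudflare.com/ips-v4 before relying on this list.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip):
    """True if `ip` falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def record_is_proxied(a_records, wan_ip):
    """Classify the A answers for the controller hostname.

    Returns True when every answer is a Cloudflare edge (proxied / masked record),
    False when the only answer is the origin's own WAN IP (DNS-only record).
    Anything else (stale DDNS, mixed records) is reported instead of guessed at.
    """
    answers = {ipaddress.ip_address(a) for a in a_records}
    if answers and all(is_cloudflare_ip(a) for a in answers):
        return True
    if answers == {ipaddress.ip_address(wan_ip)}:
        return False
    raise ValueError(f"unexpected A answers {sorted(map(str, answers))}: "
                     "stale DDNS update or mixed proxied/unproxied records")


def cloudflare_ranges_not_allowed(wan_rules, port=443):
    """Return the Cloudflare ranges that no WAN-in ACCEPT rule permits to reach `port`.

    wan_rules: iterable of (source_cidr, dest_port) ACCEPT rules on the WAN interface.
    A range counts as allowed only if some rule for `port` fully contains it.
    """
    rules = [(ipaddress.ip_network(src), int(p)) for src, p in wan_rules]

    def allowed(net):
        return any(p == port and net.subnet_of(src) for src, p in rules)

    return [str(n) for n in CLOUDFLARE_IPV4 if not allowed(n)]


def diagnose(a_records, wan_ip, wan_rules, port=443):
    """Combine both checks into a verdict a practitioner can act on."""
    proxied = record_is_proxied(a_records, wan_ip)
    if not proxied:
        return {"proxied": False, "blocked_ranges": [],
                "verdict": "record is DNS-only: clients hit the origin directly, "
                           "a 522 cannot come from this hostname"}
    blocked = cloudflare_ranges_not_allowed(wan_rules, port)
    if blocked:
        verdict = (f"522 expected: {len(blocked)} Cloudflare range(s) cannot reach "
                   f"the origin on tcp/{port}; add WAN-in allow rules for them")
    else:
        verdict = (f"firewall admits all Cloudflare ranges on tcp/{port}; if 522 "
                   "persists, confirm the controller actually listens on the WAN "
                   "hostname/IP (the UniFi 'access by WAN IP or hostname' setting)")
    return {"proxied": True, "blocked_ranges": blocked, "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenario: proxied record, origin on TEST-NET-3, WAN-in allows only tcp/80.
    dns_answers = ["104.21.5.6", "172.67.140.2"]          # constructed Cloudflare edges
    wan_ip = "203.0.113.10"                               # constructed origin WAN IP
    before = [("0.0.0.0/0", 80)]
    after = before + [(str(n), 443) for n in CLOUDFLARE_IPV4]
    print(diagnose(dns_answers, wan_ip, before)["verdict"])
    print(diagnose(dns_answers, wan_ip, after)["verdict"])
```

Run it as-is to see the before/after verdicts for the constructed rules; in practice, feed it the A answers from `dig +short` for the controller hostname, the UDM's current WAN IP, and the WAN-in allow rules as (source CIDR, port) pairs. Allowing only the Cloudflare ranges on 443, rather than 0.0.0.0/0, keeps the controller UI unreachable from anyone who bypasses the proxy by connecting to the WAN IP directly.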