mjp66 / Ubiquiti


Guest Net to Home Net #30

Closed dmaroulidis closed 6 years ago

dmaroulidis commented 6 years ago

I have used the same setup as in the guide, and I'm having issues getting the guest portal to appear to guests connecting to the Guest Net (192.168.6.0/24). The UniFi controller is on the Home Net (IP: 192.168.3.10) and I've tried adding a new rule in the HOME_OUT ruleset to allow packets originating from WIFI_GUEST_GROUP and destined for 192.168.3.10, with states INVALID, NEW, RELATED and ESTABLISHED, like so:

```
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group DNS_SERVERS_GROUP {
            address 1.1.1.1
            address 9.9.9.9
            description "Cloudflare and Quad9 DNS Servers"
        }
        address-group HOME_GROUP {
            address 192.168.3.0/24
            description "Home Group"
        }
        address-group MULTIPLE_GROUP {
            address 192.168.3.0/24
            address 192.168.4.0/24
            address 192.168.6.0/24
            address 192.168.7.0/24
            description "Multiple Groups"
        }
        address-group WIFI_GUEST_GROUP {
            address 192.168.6.0/24
            description "Wi-Fi Guest Group"
        }
        address-group WIFI_IOT_GROUP {
            address 192.168.7.0/24
            description "Wi-Fi IOT Group"
        }
        address-group WIRED_IOT_GROUP {
            address 192.168.4.0/24
            description "Wired IOT Group"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name HOME_OUT {
        default-action accept
        description "Home Out"
        rule 10 {
            action accept
            description "Allow Wired Iot Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIRED_IOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Rest-Of Wired Iot Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WIRED_IOT_GROUP
                }
            }
        }
        rule 30 {
            action accept
            description "Allow Wi-Fi Guest Hotspot"
            destination {
                address 192.168.3.10
            }
            log enable
            protocol all
            source {
                group {
                    address-group WIFI_GUEST_GROUP
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow Wi-Fi Guest Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_GUEST_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 60 {
            action accept
            description "Allow Wi-Fi Iot Replies"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_IOT_GROUP
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 70 {
            action drop
            description "Drop Rest-Of Wi-Fi Iot Traffic"
            log disable
            protocol all
            source {
                group {
                    address-group WIFI_IOT_GROUP
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow WireGuard"
            destination {
                port 5184
            }
            log disable
            protocol udp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WIFI_GUEST_LOCAL {
        default-action drop
        description "Wi-Fi Guest Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WIFI_IOT_LOCAL {
        default-action drop
        description "Wi-Fi IOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only DNS_SERVERS_GROUP"
            destination {
                group {
                    address-group DNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    name WIRED_IOT_LOCAL {
        default-action drop
        description "Wired IOT Local"
        rule 1 {
            action accept
            description "Allow DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description "Allow Only DNS_SERVERS_GROUP"
            destination {
                group {
                    address-group DNS_SERVERS_GROUP
                }
                port 53
            }
            log disable
            protocol tcp_udp
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
```

The connected clients get the correct URL (e.g. http://192.168.3.10:8880/...), but time out when connecting to that URL.
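An added example, not part of the original issue or of mjp66's guide: the same HOME_OUT rule 30 written as EdgeOS configure-mode `set` commands, but narrowed to what the portal actually needs. As posted, rule 30 accepts every protocol to the controller and also accepts packets conntrack classes as INVALID, which an accept rule should never do; the version below allows only TCP to the two portal ports and keeps `log enable` so matches can be seen while troubleshooting. Port 8880 comes from the portal URL above; 8843 is UniFi's default HTTPS portal port and is an assumption, as is the free rule number 50 (the listing above jumps from 40 to 60), which is used here for the "drop the rest of guest traffic" rule that the guide's IoT rulesets have and HOME_OUT otherwise lacks.

```vyos
configure

# Rule 30: guest clients may reach only the UniFi guest-portal listener on the controller.
# 8880 is taken from the portal URL in the issue; 8843 (UniFi's default HTTPS portal
# port) is an assumption, not something shown on this page.
set firewall name HOME_OUT rule 30 description "Allow Wi-Fi Guest to UniFi portal"
set firewall name HOME_OUT rule 30 action accept
set firewall name HOME_OUT rule 30 protocol tcp
set firewall name HOME_OUT rule 30 source group address-group WIFI_GUEST_GROUP
set firewall name HOME_OUT rule 30 destination address 192.168.3.10
set firewall name HOME_OUT rule 30 destination port 8880,8843
set firewall name HOME_OUT rule 30 state new enable
set firewall name HOME_OUT rule 30 state established enable
set firewall name HOME_OUT rule 30 state related enable
# Do not accept conntrack-invalid packets on an accept rule; let them fall through.
set firewall name HOME_OUT rule 30 state invalid disable
# Leave logging on while troubleshooting; matches are logged with a HOME_OUT-30 prefix.
set firewall name HOME_OUT rule 30 log enable

# Rule 50 is assumed unused (the posted ruleset has 10, 20, 30, 40, 60, 70).
# HOME_OUT has default-action accept, so without this rule any guest traffic that
# rules 30 and 40 did not match is allowed into the rest of the home net.
set firewall name HOME_OUT rule 50 description "Drop Rest-Of Wi-Fi Guest Traffic"
set firewall name HOME_OUT rule 50 action drop
set firewall name HOME_OUT rule 50 protocol all
set firewall name HOME_OUT rule 50 source group address-group WIFI_GUEST_GROUP

commit
save
exit
```

After `commit`, `show firewall name HOME_OUT statistics` gives a per-rule packet counter and `show log | match HOME_OUT` shows the rule 30 log lines. If the rule 30 counter climbs while a guest client loads the portal and the connection still times out, the ER-X is passing the traffic and the drop is happening elsewhere (for example a host firewall on the controller VM, or a reply path that does not come back through the ER-X); if the counter stays at zero, the guest traffic is not reaching this ruleset at all, and the interface the ruleset is attached to is the thing to check.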

mjp66 commented 6 years ago

I only run my unifi controller when I need to reconfigure an AP. The controller (software) runs on a PC and the PC does not have a reserved IP address. I don't know what you mean by a guest portal appearing to guests. AFAIK only the AP(s) would communicate with the unifi controller, not the guests themselves.

dmaroulidis commented 6 years ago

Well, I run the controller on a VM with the static IP 192.168.3.10. The UAPs and the UniFi controller allow for guest restrictions to require login through a portal webpage, served by the controller, before being allowed to connect to the Internet. Even though I've added a firewall rule allowing new traffic from VLAN 7 to 192.168.3.10, and after I've added, per the guide, 192.168.3.0/24 in the Pre-Authorization section in Guest Control, no client can connect to 192.168.3.10 (the controller's IP). The connection just times out.

I've tried disabling guest restrictions on the guest wi-fi network, and even then, with the firewall rule, clients on 192.168.7.0/24 cannot connect to 192.168.3.10, with the connection eventually timing out. So is there something I'm missing in the ER-X?