insane, just posted three days ago?! I just needed this today. Love your videos
This is cool! I recently got a couple new unifi devices & had to use SSH to get them adopted, which was a pain since it's been a couple years.
I just created a dns A entry for unifi and pointed that where I wanted. works fine.
Thank you! Great tip. I already knew about it, but never tried it. So now it is time 🙂
You ready my mind....3 days ago I was looking for this video... And now it here!
I read in the unifi community that you can also make a dns record unifi with the ip of the controller.
For adopting Unifi Flex switches to remote controllers, I can fully recommend Hostifi app for Android/Windows. DHCP option 43 is pretty useless when you use different port than the default 8080.
We have all our controllers at port 8080
@LAWRENCESYSTEMS That isn't really optimal because of security; I notice so many fewer attacks on the custom ports.
@vlcekmlcek3393 Sure, changing the port reduces the logs from script kiddies playing around, but any serious threat actors that actually want to get in wouldn't only be hitting "common" ports; they'd do a port scan.
@vlcekmlcek3393 I would assume he has a FW ACL in place to only permit traffic from customer WAN addresses. Businesses I support typically have static IPs.
Filter your firewall traffic to just allow the IPs of your clients you're hosting for the ports you have open. Then, nothing else will see the open ports. @vlcekmlcek3393
Or just set "unifi" to resolve to the controller...
Or just don't use Unifi. :)
@dylancorrales8321 *laughs in the headaches that is TP-Link Omada*
Great video, as always. I see you use the deprecated ISC DHCP server; what is your opinion on the Kea DHCP server?
Same, I switched to Kea when they did the ISC deprecation notice. Don't have an option to do Custom.
I am still using the older ISC server until Kea is feature complete.
@Logicalidea-ni2zv Hi, which DNS record do you mean exactly?
Why is this needed? I don't run Unifi anymore, but when I did, I recall new devices just showing up in the controller for adoption automatically. Don't they just get an IP, and send a broadcast to which the controller responds?
That works when they're on the same subnet, but if the controller is remote or on another subnet, you need to tell it where it is because the broadcast won't get there.
I have a Unifi NVR and a couple of cameras. I was trying to put them on an isolated VLAN but had communication problems; might this video's fix help here?
It's been a minute since I've set it all up, but I think it was communication from our phones to the NVR that wasn't working, even though the phone VLAN had permissions to communicate with the security VLAN. The Protect app wasn't able to find a local NVR to connect to.
This is especially important for some of the Ubiquiti devices that don't have SSH. Unfortunately I went to set this up, and my pfSense box has the Kea backend set up, which for some reason doesn't support custom DHCP options 🙄 Thanks Netgate....
Use the ISC, that is what I do.
@LAWRENCESYSTEMS I need to look at how to add that, plus I suppose all of my configuration won't carry over, either. UGH.
Can you have multiple option 43s for different vendors?
Yes. There is a lot of documentation on this within ISC's DHCP server documentation. How you do it on your specific hardware is an exercise left to the reader.
Yeah, probably neater to have a static IP reservation and set the Option 43 per device instead of globally on the DHCP scope.
Great tutorial, only one thing: my pfSense is using Kea DHCP with no option 43?
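For readers following the two questions above (several Option 43 values for different vendors, and whether the option goes on the scope or per device), here is an added example that is not from the video, from Netgate, or from any commenter. It shows what the Option 43 payload being discussed actually contains: vendor-encapsulated sub-options in type/length/value form, where UniFi devices read sub-option 1 as the controller's IPv4 address (the familiar "01:04:..." hex string). It also shows how a DHCP server selects a payload per vendor by looking at the client's vendor class identifier (option 60), which is how ISC dhcpd classes do it. The controller address 192.168.1.10 is a constructed sample, and the dispatch table is an assumption about how you would arrange it, not the format any particular server uses internally.

```python
import ipaddress

# UniFi devices look for sub-option 1 inside option 43, holding the
# controller's IPv4 address as four raw bytes (the documented "01:04:<ip>" form).
UNIFI_SUBOPT_CONTROLLER = 1


def encode_suboptions(subopts: dict) -> bytes:
    """Encode {code: bytes} as option 43 TLV records: code, length, value."""
    out = bytearray()
    for code, value in subopts.items():
        if not 1 <= code <= 254:
            raise ValueError("sub-option code must be 1..254 (0=pad, 255=end)")
        if len(value) > 255:
            raise ValueError("sub-option value longer than one length byte allows")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def unifi_option43(controller_ip: str) -> bytes:
    """Build the option 43 payload that points UniFi devices at a controller."""
    ip = ipaddress.IPv4Address(controller_ip)  # raises on a bad address
    return encode_suboptions({UNIFI_SUBOPT_CONTROLLER: ip.packed})


def to_hex_colon(payload: bytes) -> str:
    """Render as colon-separated hex, the form ISC dhcpd accepts for
    'option vendor-encapsulated-options' and the form most custom-option fields take."""
    return ":".join(f"{b:02x}" for b in payload)


def decode_suboptions(payload: bytes) -> dict:
    """Parse option 43 back into {code: value}, refusing truncated records.
    A device parsing this option should do the same bounds checking."""
    i, result = 0, {}
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end marker, if the sender used one
            break
        if code == 0:            # single-byte pad
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated: code without length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated: value shorter than declared length")
        result[code] = value
        i += 2 + length
    return result


def controller_from_option43(payload: bytes):
    """Return the controller IPv4 string from a payload, or None if absent/malformed."""
    raw = decode_suboptions(payload).get(UNIFI_SUBOPT_CONTROLLER)
    if raw is None or len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


# Per-vendor selection keyed on option 60 (vendor class identifier), which is
# what an ISC dhcpd 'class' with 'match if substring(option vendor-class-identifier, 0, 4) = "ubnt"'
# does. Constructed sample controller address; add further vendors as entries.
VENDOR_OPTION43 = {
    "ubnt": lambda: unifi_option43("192.168.1.10"),
}


def option43_for_vendor(vendor_class: str):
    """Pick the option 43 payload for a client by its vendor class prefix; None if unknown."""
    for prefix, builder in VENDOR_OPTION43.items():
        if vendor_class.startswith(prefix):
            return builder()
    return None


if __name__ == "__main__":
    payload = option43_for_vendor("ubnt")
    print("option 43 for ubnt clients:", to_hex_colon(payload))
    print("decoded controller:", controller_from_option43(payload))
```

Because the payload is selected by vendor class, one DHCP scope can carry different Option 43 values for different vendors, and a per-host reservation can carry its own payload without changing anything for other clients on the scope. Note that sub-option 1 holds a raw address, not a name, which is why a hostname cannot be supplied through this particular field.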
I still use the ISC one because Kea is not feature complete yet.
It's pretty simple to switch back to ISC. If you go to System > Advanced > Networking, you can find the option to pick the DHCP backend
@TimmyTimmyTimmyC Thanks guys, but ISC will be deprecated, so hopefully it will be integrated into Kea DHCP in the future.
@radar9358 Yep, but Netgate have said that they will not fully retire/remove ISC until the Kea implementation is complete, so hopefully that includes Option 43.
@LAWRENCESYSTEMS Was about to ask the same question, but Tom, you are on it! Thank you!
Hey Tom, love your show and everything that you do! However, the Custom DHCP option isn't available for the new Kea DHCP service...
That's why I am using the older ISC till the new one becomes feature complete
@LAWRENCESYSTEMS Figured that was the case; I was really confused when I didn't see the "Custom DHCP" option. Thank God for Perplexity, saved me a rabbit hole trip. I was hoping to shed some light for the others that might run into this issue.
I'm experiencing a strange issue. I configured option 43 for my self-hosted Unifi controller, but if I change my server VLAN to the IP address configured in the option 43 setting, my USW Flex Mini switches go offline in the controller. I'm running a pfSense firewall and all firewall rules are configured correctly. What can be the cause?
My assumption is that the rules are not setup correctly.
Sounds like the switches informed to the IP address of the controller instead of the FQDN, so when the IP changed, the switches stopped checking in.
Nice tutorial. Unfortunately it only works with ISC DHCP, which has reached end-of-life and will be removed from a future version of Netgate pfSense Plus. It's supposed to be replaced with the Kea DHCP distribution, but so far this doesn't support Custom DHCP Options, and for now I'm not aware of any way to pass this Option 43 to the clients using the Kea DHCP server. If anyone has some info, it would be nice to share. ;-) Have a great day everyone.
I keep using ISC until Kea becomes feature complete.
Regarding "I wanna provide the FQDN instead of the IP": according to the RFC, at this point DNS is not up. That's why you simply cannot use DNS, because the DNS server comes after the DHCP handshake between client/server, when all data is shared 🙂
first