Cleaning Up My Network

I spent the majority of my tinkering time this week creating and solving various network problems. I moved my UniFi devices to a management VLAN, and I also moved my controller again. This time, I moved it to a fresh minimal Ubuntu installation from my old Kubuntu mining rig. Both had pitfalls.

Management VLAN

This was a generally painless experience, but there were a few gotchas.

First, I created a new VLAN with a DHCP server, following my prior instructions. Once I had it built, I mapped a port to the VLAN, plugged a laptop into it and verified that it could reach the internet. Then I tried to ping the laptop, but it turns out that by default Windows 10 computers don’t answer pings (the Windows firewall drops inbound ICMP echo requests on most profiles). That took me a bit to work out.

Once I figured out that I could, in fact, reach devices on my network, I moved one AP to the management VLAN:

Setting the management VLAN

It restarted and joined the new VLAN. I used a DHCP reservation to give it a fixed IP address, and I was good to go. So I went through the rest of the APs, and they all worked, except one.

Make sure you are using DHCP when you do this!

It took a while to figure this out, but I had assigned a static IP address to the AP, and when I moved it to the management VLAN, which is a different subnet, it became completely unreachable: a static address from the old subnet has no usable gateway on the new one, so the AP can no longer reach the controller.

So I had to change the AP’s configuration in the controller to use DHCP, and factory reset the AP. Then it re-adopted and I could reach it again.

I think that network topology changes are the toughest thing to do with UniFi, even with a small network. I don’t know how I’d do this if I had my APs and devices in inaccessible places.

Further, the reason I had set a static IP address in the first place was also a topology issue. If you reset a switch that an AP is connected to, the PoE seems to come back on and power up the AP before the switch is fully initialized. What I think happens is that the AP senses that its wired link isn’t available and tries to mesh with another AP, so its status becomes ‘Connected (Wireless)’ rather than ‘Connected’.

Imagine this says 'Connected (Wireless)'

When the wired link re-establishes, it causes an STP loop, and the switch puts the AP’s port into ‘RSTP Discarding’. And for whatever reason (a different MAC address?) it got a different IP address. So I had set it to a static IP.

The solution seems to be to disable the mesh feature:

Disabling the Mesh

This seems to prevent the race condition.

So that was a lot of work for a minor change. Long story short, make sure to switch your devices to DHCP if you are changing their VLAN.

Now that I had my devices on the management VLAN, I needed to put my controller there, but since it was living in a skeleton style mining chassis, I figured I’d put it in a cheap rack case. However… my motherboard didn’t fit in the case I bought, so I ended up moving a different server into the new case and my controller server into my old case.

Installing the UniFi Controller on a bare Ubuntu installation

Then I did a new, minimal installation of Ubuntu Server 18.04 and figured that the install would be as easy as before. As above, it wasn’t.

Here are the commands I had to run once I had installed the bare minimal OS:

Add the Java repo. UniFi needs Java 8. (I used Oracle’s build from the webupd8 PPA. That PPA has since been discontinued, and Ubuntu’s own openjdk-8-jre-headless package also satisfies the UniFi package’s Java 8 dependency and keeps getting security updates through apt, so it is the better choice today.)

sudo add-apt-repository ppa:webupd8team/java

It gives you several warnings:

Oracle Java (JDK) Installer (automatically downloads and installs Oracle JDK8). There are no actual Java files in this PPA.

Important -> Why Oracle Java 7 And 6 Installers No Longer Work: http://www.webupd8.org/2017/06/why-oracle-java-7-and-6-installers-no.html

Update: Oracle Java 9 has reached end of life: http://www.oracle.com/technetwork/java/javase/downloads/jdk9-downloads-3848520.html

The PPA supports Ubuntu 18.10, 18.04, 16.04, 14.04 and 12.04.

More info (and Ubuntu installation instructions):
- http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html

Debian installation instructions:
- Oracle Java 8: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html

For Oracle Java 11, see a different PPA -> https://www.linuxuprising.com/2018/10/how-to-install-oracle-java-11-in-ubuntu.html
More info: https://launchpad.net/~webupd8team/+archive/ubuntu/java
Press [ENTER] to continue or Ctrl-c to cancel adding it.

Just press enter.

sudo apt install oracle-java8-installer

That installs Java.

Then you need jsvc to run Java as a service, and it wasn’t in the repos my minimal install had enabled, so I downloaded it directly. It, too, has a dependency, so first:

wget http://ftp.br.debian.org/debian/pool/main/c/commons-daemon/libcommons-daemon-java_1.0.15-7_all.deb

then:

sudo dpkg -i libcommons-daemon-java_1.0.15-7_all.deb

And finally:

wget http://archive.ubuntu.com/ubuntu/pool/universe/c/commons-daemon/jsvc_1.0.15-8_amd64.deb

sudo dpkg -i jsvc_1.0.15-8_amd64.deb

Note that both .debs are fetched over plain HTTP and dpkg -i does not check any signature. jsvc lives in Ubuntu’s universe component, so enabling universe and installing jsvc with apt gets you the same two packages with the archive’s signature verified, which is the safer route.

Then you can run the steps from the Ubiquiti link. The first apt update will complain that the UniFi repository is not signed, because its key is only fetched on the following line; the second apt update is clean:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt update
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg
sudo apt update
sudo apt install unifi

And then it works.

Firewall

For good measure, you ought to turn on the Ubuntu firewall, ufw, allowing SSH before you enable it so you don’t lock yourself out:

sudo apt install ufw
sudo ufw allow ssh
sudo ufw enable

This will block access to the controller, though, so you then need to allow the ports that the UniFi Controller needs.

sudo ufw allow 3478/udp
sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 8880/tcp
sudo ufw allow 8843/tcp
sudo ufw allow 6789/tcp
sudo ufw allow 27117/tcp
sudo ufw allow 10001/udp
sudo ufw allow 1900/udp

This will allow the controller to be accessed. Two caveats: 27117/tcp is the bundled MongoDB instance, which binds to 127.0.0.1 and should never be reachable from the network, so that rule is unnecessary and is best left out; and the rules above accept every port from every source, whereas the device ports (8080, 3478, 10001, 1900, 6789) only need to be reachable from the management VLAN, the admin UI (8443) only from wherever you browse from, and the guest portal ports (8880, 8843) only from the guest VLAN. Then restore your config from your prior controller (if applicable) and you can get started.
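The following script is an added example and not code from the original post. It emits a ufw rule set for the controller in which each port is restricted to the subnet that actually needs it, and it leaves 27117 closed because MongoDB only listens on localhost. The subnets (10.0.99.0/24 for the management VLAN, 10.0.1.0/24 for the admin LAN, an optional guest VLAN) are assumptions; set MGMT_SUBNET, ADMIN_SUBNET and GUEST_SUBNET to your own values.

```shell
#!/bin/sh
# Added example, not code from the original post: emit ufw rules for a UniFi
# controller that are scoped to the VLANs that actually need each port,
# instead of opening every port to every source.
# The subnets are assumptions; override them via environment variables.
set -eu

MGMT_SUBNET="${MGMT_SUBNET:-10.0.99.0/24}"   # assumed: where the APs and switches live
ADMIN_SUBNET="${ADMIN_SUBNET:-10.0.1.0/24}"  # assumed: where you open the web UI from
GUEST_SUBNET="${GUEST_SUBNET:-}"             # assumed: guest VLAN; empty = no guest portal

# Ports the managed devices talk to: inform, STUN, discovery, L2 discovery, speed test.
DEVICE_PORTS="8080/tcp 3478/udp 10001/udp 1900/udp 6789/tcp"
# Ports only an administrator needs: SSH and the web UI.
ADMIN_PORTS="22/tcp 8443/tcp"
# Guest portal ports: only guest clients need these.
GUEST_PORTS="8880/tcp 8843/tcp"
# 27117/tcp (MongoDB) is deliberately absent: the bundled database binds to
# 127.0.0.1 and must never be reachable from the network.

# allow_from SUBNET "PORT/PROTO ..." COMMENT -> one 'ufw allow' line per port.
allow_from() {
    subnet="$1"; ports="$2"; note="$3"
    for p in $ports; do
        echo "ufw allow from $subnet to any port ${p%/*} proto ${p#*/} comment '$note'"
    done
}

# unifi_ufw_rules MGMT ADMIN [GUEST] -> the complete rule set on stdout.
unifi_ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    allow_from "$2" "$ADMIN_PORTS" "admin: ssh and unifi web ui"
    allow_from "$1" "$DEVICE_PORTS" "unifi managed devices"
    if [ -n "${3:-}" ]; then
        allow_from "$3" "$GUEST_PORTS" "unifi guest portal"
    fi
    echo "ufw --force enable"
}

# Print the rules by default; pass --apply to run them as root.
case "${1:-}" in
    --apply) unifi_ufw_rules "$MGMT_SUBNET" "$ADMIN_SUBNET" "$GUEST_SUBNET" | sudo sh ;;
    *)       unifi_ufw_rules "$MGMT_SUBNET" "$ADMIN_SUBNET" "$GUEST_SUBNET" ;;
esac
```

Run it without arguments first and read the generated rules; run it with --apply once they look right. Because the admin rule covers SSH, you will not lock yourself out when ufw is enabled at the end, as long as you are connecting from ADMIN_SUBNET.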

A few warnings:

Disable the controller service on the machine you are sunsetting. If it comes back on (say, because you power the old server up to grab a few files you missed), it will re-adopt your devices and mess everything up.

When you switch from one server to another, close all the browser tabs that were using the old controller on the PC you’re using. It’s most likely a caching issue, I think, but just hitting ‘refresh’ causes lots of errors.

Done

Now my network is more organized, and my network infrastructure is on its own VLAN and subnet, which is a lot cleaner. Next I think I’ll do the RADIUS part to see if I can make my trusted SSID use username/password for logins.

What I’m listening to as I do this:

Iron Butterfly’s In-A-Gadda-Da-Vida on an LP my mom gave me. My previous listening sampled an organ-heavy riff by the Turtles, and I thought to myself that more organ would be better. I generally like music with unusual instruments, such as Powerwolf or The Real McKenzies, so I’ve always liked this track (or side of the record – it’s 17 minutes long). Also, I fondly recall the Simpsons episode that featured this.