Unifi Controller
Manage Ubiquiti Unifi APs & Switches.
See Unifi Docker and Documentation.
Read Example Unifi VLAN for detailed configuration instructions on an example network.
Ports
Unifi Controller Ports
Port        Protocol  Type     Purpose
----------  --------  -------  ------------------------------------------
3478        UDP       PUBLIC   STUN
8080        TCP       PUBLIC   Device and controller communication
8443        TCP       PUBLIC   Controller GUI/API webface
8880        TCP       PUBLIC   HTTP portal redirection
8843        TCP       PUBLIC   HTTPS portal redirection
6789        TCP       DISABLE  UniFi mobile speed test
27117       TCP       DISABLE  local-bound database communication
5656-5699   UDP       DISABLE  AP-EDU broadcasting
10001       UDP       DISABLE  AP discovery
1900        UDP       DISABLE  “Make controller discoverable on L2 network” in controller setting
Files
Unifi Controller Files
Location  Purpose
--------  ----------------------------
/config   Unifi main service directory
Docker Creation
You can copy your existing configuration to the docker /config directory, adjusting for paths.
unstable is the current release branch; latest is the 5.6.x branch.
unifi:
  image: linuxserver/unifi:unstable
  restart: unless-stopped
  ports:
    - '3478:3478/udp'
    - '8080:8080'
    - '8443:8443'
    - '8880:8880'
    - '8843:8843'
  environment:
    - PGID=1001
    - PUID=1001
    - TZ=America/Los_Angeles
  volumes:
    - /data/services/unifi:/config
    - /etc/localtime:/etc/localtime:ro
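
An added example (not part of the original page or of the linuxserver image): a Python check that compares the `ports:` entries of a compose service against the PUBLIC/DISABLE column of the port table above. The function names and the `BAD_PORTS` list are constructed for illustration, and only IPv4 bind addresses in compose short syntax are handled.

```python
# Added example: audit compose "ports:" entries against the port table above.
PUBLIC = {(3478, "udp"), (8080, "tcp"), (8443, "tcp"), (8880, "tcp"), (8843, "tcp")}
DISABLE = {(6789, "tcp"), (27117, "tcp"), (10001, "udp"), (1900, "udp")}
DISABLE |= {(p, "udp") for p in range(5656, 5700)}  # 5656-5699/udp

# The ports list from the compose service on this page.
PAGE_PORTS = ["3478:3478/udp", "8080:8080", "8443:8443", "8880:8880", "8843:8843"]
# Constructed sample with mistakes (not from the page).
BAD_PORTS = ["3478:3478", "8443:8443", "127.0.0.1:27117:27117",
             "5656-5699:5656-5699/udp"]


def expand_ports(spec):
    """'5656-5699' -> [5656, ..., 5699]; '8080' -> [8080]."""
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def parse_mapping(entry):
    """Split 'C', 'H:C' or 'IP:H:C' (optional '/tcp' or '/udp') into
    (bind_ip, container_port, proto) tuples. IPv4 bind addresses only."""
    spec, _, proto = entry.partition("/")
    proto = (proto or "tcp").lower()  # compose defaults to TCP
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported port entry: {entry!r}")
    bind_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
    return [(bind_ip, port, proto) for port in expand_ports(parts[-1])]


def audit(entries):
    """Return (findings, missing): entries that publish a DISABLE or unlisted
    port, and PUBLIC ports that no entry publishes."""
    findings, seen = [], set()
    for entry in entries:
        reasons = set()
        for bind_ip, port, proto in parse_mapping(entry):
            seen.add((port, proto))
            if (port, proto) in DISABLE:
                reasons.add("DISABLE in table")
            elif (port, proto) not in PUBLIC:
                reasons.add("not in table")
        findings += [(entry, bind_ip, r) for r in sorted(reasons)]
    return findings, sorted(PUBLIC - seen)


if __name__ == "__main__":
    for name, ports in (("page", PAGE_PORTS), ("constructed", BAD_PORTS)):
        findings, missing = audit(ports)
        print(name, "findings:", findings, "missing:", missing)
```

An entry such as `3478:3478` without `/udp` is reported twice: as an unlisted TCP port and as a missing STUN port, because compose publishes TCP when no protocol is given.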
Reverse Proxy Setup
Allows you to isolate your containers as well as wrap connections in SSL. See NGINX for more details. See Setup Base Proxy Control for basic proxy configuration.
Using Subdomains
# Websockets: set $connection_upgrade to 'upgrade' or 'close' based on
# whether $http_upgrade is set.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen 443 ssl http2;
  server_name unifi.{DOMAIN} unifi;

  location / {
    proxy_pass https://unifi:8443;
    proxy_cache off;
    proxy_store off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_read_timeout 36000s;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer '';
    client_max_body_size 0;
  }
}
Using Subpaths
# Websockets: set $connection_upgrade to 'upgrade' or 'close' based on
# whether $http_upgrade is set.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  location /unifi/ {
    proxy_pass https://unifi:8443/;
    proxy_cache off;
    proxy_store off;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_read_timeout 36000s;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer '';
    client_max_body_size 0;
  }
}
Configuration
Ensure DNS/hosts are set up for the Unifi controller.
Read Example Unifi VLAN for an in-depth walkthrough.
Router Configuration
Forward traffic to the Unifi Controller so the APs can be managed. The menu location differs slightly between routers.
Note
These are only needed if not using VLAN separation.
Allow AP management to controller.
Firewall/NAT › Firewall Policies › WIFI_IN › Actions › Edit Ruleset › Add New Rule
Description       AP Management
Source            IP
Destination       CONTROLLER
Destination Port  8443 8080
Protocol          TCP
Action            ACCEPT
Allow AP STUN to controller.
Firewall/NAT › Firewall Policies › WIFI_IN › Actions › Edit Ruleset › Add New Rule
Description       AP STUN
Source            IP
Destination       CONTROLLER
Destination Port  3478
Protocol          UDP
Action            ACCEPT
Enable Unifi Controller Assignment in EdgeOS or DHCP Option 43
This should be enabled for subnets in which the AP will reside. This will allow the AP to be auto-detected by the controller.
See Setup DHCP & DNS for VLANs for setting up the Unifi Controller option for DHCP on EdgeOS.
For non-EdgeOS routers, this can be enabled using option 43.
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
  match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
  option vendor-class-identifier "ubnt";
  vendor-option-space ubnt;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.100 10.10.10.160;
  option ubnt.unifi-address {UNIFI CONTROLLER IP};
  option routers 10.10.10.2;
  option broadcast-address 10.10.10.255;
  option domain-name-servers 168.95.1.1, 8.8.8.8;
  # ...
}
References