I have a scenario where an existing Unifi controller has been running on a Windows server. In that case, the first step is to locate its backup files (the controller's .unf exports) at this common location: C:\Users\USERNAME\Ubiquiti UniFi\data\backup
On Ubuntu or Debian systems, backup files are normally found at /usr/lib/unifi/data/backup/ (manual exports) and /usr/lib/unifi/data/backup/autobackup/ (scheduled backups). Copy them off the host before any migration or upgrade; they hold the complete site configuration, including credentials, so treat them as sensitive.
Here are some quick notes of my current understanding:
# Useful links:
https://account.ui.com/login?redirect=https%3A%2F%2Funifi.ui.com%2F
https://network.unifi.ui.com/
https://www.ui.com/download/unifi/
https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
How to Install Ubiquiti Unifi Controller:
# Scripted install of Unifi Server App on Ubuntu - recommended!
# Run as root. The script is third-party (get.glennr.nl, the community thread linked above), so download it and read it before executing it rather than piping it straight into bash
apt-get update; apt-get install ca-certificates wget -y
rm -f unifi-latest.sh; wget https://get.glennr.nl/unifi/install/install_latest/unifi-latest.sh
less unifi-latest.sh # review what it will do
bash unifi-latest.sh
# Enable automatic startup of Unifi controller service
sudo systemctl enable unifi
# For reference: how to disable auto-start
# sudo systemctl disable unifi
# Check if it's now auto-started upon reboots
systemctl is-enabled unifi
systemctl is-active unifi
# Manual install of Unifi Server App on Ubuntu - not 100% reliable
sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https -y
# Fetch Ubiquiti's repo signing key into its own keyring and bind it to this repo with signed-by, instead of dropping it into /etc/apt/trusted.gpg.d where it would be trusted for every repository
sudo wget -O /usr/share/keyrings/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
# Ubiquiti's APT repository (the URL was missing from the original line)
echo 'deb [signed-by=/usr/share/keyrings/unifi-repo.gpg] https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-get update && sudo apt-get install unifi -y
sudo service unifi start
# Change default port 8443 to 443 (a NAT redirect: the controller itself keeps listening on 8443)
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443 # How to remove a firewall NAT rule
# Note: PREROUTING only sees traffic arriving from other hosts; a browser on the controller itself still has to use :8443
# Deal with port 80 (8080 is the device inform port, which answers plain HTTP)
#sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 # In case of reversal
### Save configs with persistency upon reboots ###
# Install iptables persistence (pulls in netfilter-persistent, which restores /etc/iptables/rules.v4 and rules.v6 at boot)
sudo apt-get install iptables-persistent -y
# How to manually call iptables-persistent app
# sudo dpkg-reconfigure iptables-persistent
# Set persistence to autostart. netfilter-persistent is the service that matters; enabling iptables.service as well (where that unit exists) is what produces the boot-time conflict shown further down, so leave it disabled unless you have a reason
sudo systemctl enable netfilter-persistent
# sudo systemctl enable iptables # not recommended, see the conflict below
# Check firewall rules
sudo iptables -L -n
# If not using ufw to set firewall rules, iptables can be edited directly with these commands
# It's advisable to use ufw as that is easier to admin
# Note that -I inserts the rule at the top of the chain (position 1), whereas -A appends it at the end; the first matching rule wins
# These ACCEPT rules only restrict anything if the INPUT chain policy is DROP or a DROP/REJECT rule follows them; with the default ACCEPT policy they are no-ops. Check the effective chain with: sudo iptables -S INPUT
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT # SSH; keep this rule or a DROP policy locks you out
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT # only needed with the 80 -> 8080 redirect above
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT # device inform; prevents devices showing "Disconnected" after controller reboots
sudo iptables -I INPUT -p tcp --dport 8880 -j ACCEPT # guest portal HTTP
sudo iptables -I INPUT -p tcp --dport 8843 -j ACCEPT # guest portal HTTPS (the controller listens on it, see the netstat output further down)
sudo iptables -I INPUT -p tcp --dport 6789 -j ACCEPT # mobile speed test
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT # controller GUI/API
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT # only needed with the 443 -> 8443 redirect above
sudo iptables -I INPUT -p udp --dport 3478 -j ACCEPT # STUN
sudo iptables -I INPUT -p udp --dport 10001 -j ACCEPT # device discovery
sudo iptables -I INPUT -p udp --dport 6666 -j ACCEPT # not a UniFi port: in the netstat output further down it is held by qlipper
sudo iptables -I INPUT -p udp --dport 47763 -j ACCEPT # not a UniFi port either, and nothing is listening on it below; drop both rules unless something else on the host needs them
# How to remove a rule
# sudo iptables -D INPUT -p tcp|udp --dport xxxx -j ACCEPT
# Save existing rules
# Dont do this: sudo /sbin/iptables-save > /etc/iptables/rules.v4
# ERROR: -bash: /etc/iptables/rules.v4: Permission denied (sudo only elevates iptables-save; the redirection is performed by your unprivileged shell)
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
# Equivalent, using the package's own helper: sudo netfilter-persistent save
# Check status
rambo@Unifi-Controller:/home/rambo# systemctl status netfilter-persistent
● netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/netfilter-persistent.service.d
└─iptables.conf
Active: failed (Result: exit-code) since Tue 2020-11-24 15:48:27 PST; 14min ago
Docs: man:netfilter-persistent(8)
Process: 494 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
Main PID: 494 (code=exited, status=1/FAILURE)
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[504]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables >
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[507]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables >
# Fixing startup conflicts between iptables & netfilter-persistent
# The drop-in below declares netfilter-persistent as conflicting with iptables.service. When both are enabled they race for the xtables lock at boot (the "Another app is currently holding the xtables lock" lines above) and the restore fails, which leaves the host with no rules loaded at all, i.e. fail-open. Either enable only netfilter-persistent, or change the drop-in so it runs after the other units:
# sudo systemctl edit netfilter-persistent.service
sudo vim /etc/systemd/system/netfilter-persistent.service.d/iptables.conf
### Verify this content ###
[Unit]
Conflicts=iptables.service ip6tables.service
### Modify content and save file ###
[Unit]
After=iptables.service ip6tables.service ufw.service
# Reload unit files and confirm the service now starts cleanly
sudo systemctl daemon-reload
sudo systemctl restart netfilter-persistent
systemctl is-active netfilter-persistent
# Check firewall rules
sudo iptables -L
sudo ip6tables -L
# Optional: disable ufw as it may conflict with iptables-persistent / netfilter-persistent
# If you do, reboot and confirm the rules came back (sudo iptables -S INPUT): a failed netfilter-persistent start plus a disabled ufw leaves the host with no firewall at all
sudo ufw disable
# Once done, Unifi controller is accessible at both of these URLs
# https://<controller-ip>:8443/
# https://<controller-ip>/ (via the 443 -> 8443 redirect above)
How to Upgrade Controller:
sudo apt upgrade # that's it! But export a fresh backup from the controller first, or copy /usr/lib/unifi/data/backup/ off the host, so a failed upgrade can be rolled back
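Before running that upgrade, it is worth snapshotting the newest controller backup together with a checksum, so a rollback starts from a file you know is intact. The script below is an added example for these notes, not part of the original post or of Ubiquiti's tooling. It uses the Ubuntu backup path from the top of this page (UniFi backups are `.unf` files); the snapshot directory `/var/backups/unifi-preupgrade` is an assumption, and the file names in the usage comment are made up.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the newest UniFi
# backup (.unf) before `apt upgrade`, so a bad upgrade can be rolled back to
# a known-good file. Defaults are the Ubuntu paths from these notes; the
# destination directory is an assumption, override it with the 2nd argument.
# Assumed usage (as root, since the unifi user owns the backup directory):
#   . ./unifi-snapshot.sh; snapshot_latest_backup
#   snapshot_latest_backup /usr/lib/unifi/data/backup /mnt/nas/unifi

UNIFI_BACKUP_DIR=/usr/lib/unifi/data/backup
SNAPSHOT_DIR=/var/backups/unifi-preupgrade      # assumed location

# snapshot_latest_backup [SRC_DIR] [DEST_DIR]
# Finds the newest *.unf in SRC_DIR and SRC_DIR/autobackup, copies it to
# DEST_DIR under a timestamped name, writes a sha256 beside it and prints the
# copied path. Returns 1 when no backup exists: do not upgrade blind.
snapshot_latest_backup() {
    src=${1:-$UNIFI_BACKUP_DIR}
    dest=${2:-$SNAPSHOT_DIR}
    newest=
    for f in "$src"/*.unf "$src"/autobackup/*.unf; do
        [ -f "$f" ] || continue                 # unmatched glob stays literal
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    if [ -z "$newest" ]; then
        echo "no .unf backup found under $src; export one from the controller first" >&2
        return 1
    fi
    mkdir -p "$dest"
    chmod 700 "$dest"                           # backups contain site config and credentials
    name=$(basename "$newest" .unf)-preupgrade-$(date +%Y%m%d-%H%M%S).unf
    cp -p "$newest" "$dest/$name"
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    echo "$dest/$name"
}

# verify_snapshot FILE  -> 0 if FILE still matches its recorded sha256
verify_snapshot() {
    dir=$(dirname "$1"); name=$(basename "$1")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1)
}
```

Run it as root, then `apt upgrade`; if the upgrade goes wrong, `verify_snapshot` confirms the copy is still intact before you restore it through the controller.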
How To Adopt New Access Points:
How to Migrate AP From One Controller to Another
Optional: Configuring Alternative Firewall
# Alternative method to allow traffic through the firewall
# Also, avoid this error: "WARN Unable to load properties from '/usr/lib/unifi/data/system.properties' - /usr/li>"
# Allow SSH before enabling ufw: its default is to deny incoming, so enabling it first over a remote session locks you out
sudo ufw allow 22/tcp
sudo ufw enable
sudo ufw allow 8443/tcp # controller GUI/API
sudo ufw allow 443/tcp # only needed with the 443 -> 8443 redirect below
sudo ufw allow 8080/tcp # device inform; this will prevent issue of devices showing as 'disconnected' within Unifi Controller UI
sudo ufw allow 6789/tcp # mobile speed test
sudo ufw allow 8880/tcp # guest portal HTTP
sudo ufw allow 8843/tcp # guest portal HTTPS (listening in the netstat output below)
sudo ufw allow 3478/udp # STUN
sudo ufw allow 10001/udp # device discovery
sudo ufw allow 6666/udp # not a UniFi port: in the netstat output below it belongs to qlipper; drop this unless something else needs it
sudo ufw allow 47763/udp # likewise not a UniFi port, and nothing is shown listening on it
sudo service unifi restart
# Check firewall rules
sudo ufw status
# How to remove a firewall rule using ufw
sudo ufw delete allow 80/tcp
# Forwarding is only needed if this host is also to route/NAT for other machines (the MASQUERADE rule below). The 443 -> 8443 REDIRECT alone is locally delivered and needs neither ip_forward nor a forward policy, so skip this block in that case.
# DEFAULT_FORWARD_POLICY is a ufw setting, not a sysctl key (sysctl -p would reject it): it lives in /etc/default/ufw
sudo sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sudo vim /etc/sysctl.conf
#### Add these lines at the bottom ###
net.ipv4.ip_forward=1
#net.ipv6.conf.default.forwarding=1 # optional
#net.ipv6.conf.all.forwarding=1 # optional
# Reload sysctl
sudo sysctl -p
sudo vim /etc/ufw/before.rules
#### Add this as its own table block at the top of the file, before the *filter line (a *nat block cannot sit inside the *filter table) ###
# Port forwarding section. iptables-restore does not accept trailing comments on rule lines, so keep comments on lines of their own.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# flush the nat chains before adding rules, so a ufw reload does not duplicate them
-F
# 443 -> 8443 redirect; needs to be followed by 'sudo ufw allow 443/tcp'
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# setup routing: only if this host is the NAT gateway for 192.168.0.0/24. This rule is unrelated to the controller and, together with ip_forward=1, turns the host into a router, so it is left commented out here
#-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
COMMIT
# Reload and set ufw to autostart
sudo service ufw restart
sudo ufw enable
Check port and service associations (netstat -tulpn; use ss -tulpn on hosts without net-tools). In the output below, the 1280/java sockets are the controller: 8080 inform, 8443 GUI/API, 8843 and 8880 guest portal, 6789 speed test, 3478/udp STUN, 10001/udp discovery. MongoDB (27117) is bound to 127.0.0.1 only, which is how it must stay. 6666/udp belongs to qlipper, not to UniFi, and the Pi-hole and lighttpd listeners on 53 and 80 are unrelated services sharing the host.
rambo@Unifi-Controller:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      56433/cupsd
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1078/pihole-FTL
tcp        0      0 127.0.0.1:27117         0.0.0.0:*               LISTEN      1394/bin/mongod
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1020/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1078/pihole-FTL
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd: /usr/sbin
tcp6       0      0 ::1:631                 :::*                    LISTEN      56433/cupsd
tcp6       0      0 :::8443                 :::*                    LISTEN      1280/java
tcp6       0      0 :::6789                 :::*                    LISTEN      1280/java
tcp6       0      0 ::1:4711                :::*                    LISTEN      1078/pihole-FTL
tcp6       0      0 :::8843                 :::*                    LISTEN      1280/java
tcp6       0      0 :::8880                 :::*                    LISTEN      1280/java
tcp6       0      0 :::8080                 :::*                    LISTEN      1280/java
tcp6       0      0 :::80                   :::*                    LISTEN      1020/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      1078/pihole-FTL
tcp6       0      0 :::22                   :::*                    LISTEN      800/sshd: /usr/sbin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           752/dhcpcd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           56434/cups-browsed
udp        0      0 0.0.0.0:35959           0.0.0.0:*                           594/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           594/avahi-daemon: r
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1078/pihole-FTL
udp6       0      0 :::6666                 :::*                                1311/qlipper
udp6       0      0 :::5353                 :::*                                594/avahi-daemon: r
udp6       0      0 :::3478                 :::*                                1280/java
udp6       0      0 10.10.10.10:38572       :::*                                1280/java
udp6       0      0 :::10001                :::*                                1280/java
udp6       0      0 :::53156                :::*                                594/avahi-daemon: r
udp6       0      0 :::53                   :::*                                1078/pihole-FTL
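The firewall rules earlier on this page and this netstat output are two halves of the same check: what the host is listening on, and what the rules actually admit. The script below cross-checks the two. It is an added example and not part of the original post: it takes the text of `netstat -tulpn` and of `iptables -S INPUT` as arguments, the sample data embedded in it is constructed to resemble the output above (it is not a capture), and the port set is the UniFi set used in these notes, deliberately without 6666/udp and 47763/udp.

```shell
#!/bin/sh
# Added example (not from the original post): post-install audit that
# cross-checks what the controller host listens on against what the INPUT
# chain allows. Feed it real data with
#   audit_unifi_host "$(sudo netstat -tulpn)" "$(sudo iptables -S INPUT)"
# The port list is the UniFi set from these notes; 6666/udp and 47763/udp are
# left out on purpose (6666 is qlipper in the netstat output above).

UNIFI_PORTS="22/tcp 8080/tcp 8443/tcp 8843/tcp 8880/tcp 6789/tcp 3478/udp 10001/udp"

# exposed_listeners NETSTAT_TEXT
# Prints "port/proto program" for every listener bound to something other
# than loopback, i.e. reachable from the network if the firewall lets it.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            start = ($1 ~ /^tcp/) ? 7 : 6          # udp lines have no State column
            prog = $start
            for (i = start + 1; i <= NF; i++) prog = prog " " $i
            sub(/^[0-9]+\//, "", prog)              # drop the "PID/" prefix
            print port "/" substr($1, 1, 3), prog
        }' | sort -u
}

# unexpected_exposed NETSTAT_TEXT
# Exposed listeners that are not part of the UniFi port set: candidates for
# binding to loopback, removing, or blocking.
unexpected_exposed() {
    exposed_listeners "$1" | while read -r spec prog; do
        case " $UNIFI_PORTS " in
            *" $spec "*) ;;
            *) echo "$spec $prog" ;;
        esac
    done
}

# missing_firewall_rules IPTABLES_S_TEXT
# UniFi ports that have no ACCEPT rule in the INPUT chain dump.
missing_firewall_rules() {
    for spec in $UNIFI_PORTS; do
        port=${spec%/*}; proto=${spec#*/}
        printf '%s\n' "$1" | grep -Eq -- "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT" \
            || echo "$spec"
    done
}

# input_is_fail_open IPTABLES_S_TEXT
# True when the INPUT policy is ACCEPT and nothing drops or rejects: the
# per-port ACCEPT rules from the notes then restrict nothing at all.
input_is_fail_open() {
    printf '%s\n' "$1" | grep -q '^-P INPUT ACCEPT' || return 1
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*-j (DROP|REJECT)' && return 1
    return 0
}

audit_unifi_host() {
    echo "== exposed listeners not in the UniFi port set =="
    unexpected_exposed "$1"
    echo "== UniFi ports without an INPUT ACCEPT rule =="
    missing_firewall_rules "$2"
    if input_is_fail_open "$2"; then
        echo "WARNING: INPUT policy is ACCEPT with no DROP/REJECT rule; the port rules restrict nothing"
    fi
}

# Constructed sample data modelled on the netstat output above (not a capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:27117 0.0.0.0:* LISTEN 1394/bin/mongod
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1020/lighttpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 800/sshd: /usr/sbin
tcp6 0 0 :::8443 :::* LISTEN 1280/java
tcp6 0 0 :::8080 :::* LISTEN 1280/java
udp6 0 0 :::6666 :::* 1311/qlipper
udp6 0 0 :::3478 :::* 1280/java'

# Constructed `iptables -S INPUT` dump with only some of the rules applied.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT'
```

Run `audit_unifi_host "$(sudo netstat -tulpn)" "$(sudo iptables -S INPUT)"` on the controller. On a dual-stack host repeat the rule check with `ip6tables -S INPUT`, since the controller's sockets are tcp6/udp6 and IPv6 clients are governed by the v6 table. The fail-open warning is the one to watch: with the default ACCEPT policy, none of the per-port rules above limit anything.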
admmishina
How do I upgrade a controller from one version to another?
kimconnect
sudo apt upgrade 🙂