USW Flex Mini with a static IP address via DHCP
So apparently it's common for the Flex Mini to fail a firmware update if you're not using DHCP. But the only way to set a static IP address, which is good for a nicely planned and pleasing network, is to take it out of DHCP mode in the Unifi controller - what's a network admin to do?
Here's one idea, you can create a new end-user client device without it being online, give it a DHCP-static address linked to its MAC, then let your Flex Mini reboot and it'll get the assigned address: https://www.markschabacker.com/blog/2020/10/17/unifi-device-assign-ip/
I had to flip back to the Classic UI in order to find the client after the initial add, so I could put it into Fixed IP mode, but that was no big deal afterwards. It seemed to work nicely.
Issues with inform address
SWITCH: 192.168.1.89 b4:fb:e4:c9:06:be
# Login and run:
set-inform http://192.168.1.24:8080/inform
IPv6 PD issues
There are well-documented problems with the way Prefix Delegation behaves with ISPs that don't support a particular DHCPv6 option (IA_NA); Internode in particular seems to crop up a fair bit.
Symptoms: USG CPU usage is pegged at ~50% when IPv6 and Prefix Delegation is in use, the PD client perl script keeps crashing/restarting in a tight loop.
Cause: The client sends/requests IA_NA, and the ISP doesn't support it, so it bombs out.
Fix: A setting can be applied from the USG CLI that reconfigures the client not to request IA_NA, which avoids the problem until the USG is rebooted or reprovisioned. The permanent fix is to make a json config file on the controller, which is provisioned to the USG.
Diagnosis and solutions are documented here:
More explanation of the IA_NA feature and how it works alongside IA_PD: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/subscriber-management-ds-dhcpv6-iana-plus-pd.html
In Unifi's internal config tree representation, we're looking at: show interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only
Guidance on doing the advanced json config is here: https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration
# /var/lib/unifi/sites/default/config.gateway.json
# On the containerised controller this would be at /config/data/sites/x7nr1ya6/config.gateway.json
{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "pppoe": {
          "0": {
            "dhcpv6-pd": {
              "prefix-only": "''"
            }
          }
        }
      }
    }
  }
}
This change will update the provisioned config on the USG here: /var/run/dhcp6c-pppoe0-pd.conf
Once this is done, USG CPU usage should drop to pretty much zero.
More about what's going on: here's what Internode says about their IPv6 setup:
Here's what you get when your connection is set up for IPv6:
- Your existing IPv4 address (if static) and any existing framed route(s).
- A dual-stack IPv4/IPv6 PPP session.
- A dynamic /64 IPv6 prefix for your PPP session.
- A static /56 IPv6 prefix for your LAN (if you are using a router with Prefix Delegation).
The two endpoints we need to care about are the ends of the PPP session (technically PPPoE). I think our end gets an IPv6 address as a result of the PPP negotiation, and further client-side configuration (DNS resolvers and the like) is added on top using DHCPv6. One of those DHCPv6 options is a delegated prefix to serve up with radvd; another looks to be IA_NA, by which our side can get an IPv6 address for itself.
But we don't need that, because we already have a local-end (ie. the router and PPPoE client) address thanks to the PPP negotiation, as Internode promised (a dynamic /64 prefix for your PPP session).
By setting prefix-only in the Unifi config, we don't ask for IA_NA, and we just ask for prefix delegation, which is all we need.
PPPoE logging
It is pretty much non-existent, sadly.
General log viewing: https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files#3
I went ahead and raised the global log level as suggested here, it kinda helps now: https://community.ui.com/questions/ppp-logging/d81578bc-c34d-4a01-931e-2c52a7354480
set system syslog global facility all level debug
It comes through as pppd messages in syslog; this kinda works to read it on the USG:
show log | egrep -v 'WAN_IN|sudo:|mcad:' | less
NB: as of 2020-11-10 this doesn't seem to work any more. The setting exists in the config, but this command doesn't work.
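Reading the filtered syslog by hand is fine for a one-off, but the crash loop from the IPv6 PD section above is easier to spot by counting. Here is a small Python script, an added example that is not from the original page or from Ubiquiti, which applies the same noise filter as the show log pipeline (dropping WAN_IN, sudo: and mcad: lines), keeps the pppd and dhcp6c messages, and flags any minute in which the PD client was restarted several times. The sample syslog lines are constructed, and the wording of the restart message is an assumption; adjust the patterns to whatever your USG actually logs.

```python
import re
from collections import Counter

# The same noise the page's "show log | egrep -v 'WAN_IN|sudo:|mcad:'" drops.
NOISE = re.compile(r"WAN_IN|sudo:|mcad:")
# Messages from the PPPoE daemon and the DHCPv6 PD client.
INTERESTING = re.compile(r"\b(pppd|dhcp6c|dhcpv6-pd)\b")
# Assumed wording of a PD client restart (not taken from the page); adjust to your logs.
RESTART = re.compile(r"restarting dhcp6c")
# Syslog timestamp at the start of the line, captured down to the minute.
STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2} ")

# Constructed sample lines in syslog layout; not captured from a real USG.
SAMPLE_LOG = """\
Nov 10 10:00:01 USG kernel: [WAN_IN-default-D]IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7
Nov 10 10:00:02 USG pppd[1234]: Remote message: Login ok
Nov 10 10:00:02 USG sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat
Nov 10 10:00:03 USG pppd[1234]: local  IP address 198.51.100.7
Nov 10 10:00:05 USG dhcp6c[2001]: exiting
Nov 10 10:00:05 USG dhcpv6-pd: restarting dhcp6c on pppoe0
Nov 10 10:00:07 USG dhcp6c[2002]: exiting
Nov 10 10:00:07 USG dhcpv6-pd: restarting dhcp6c on pppoe0
Nov 10 10:00:09 USG dhcp6c[2003]: exiting
Nov 10 10:00:09 USG dhcpv6-pd: restarting dhcp6c on pppoe0
Nov 10 10:00:10 USG cron[300]: (root) CMD (run-parts /etc/cron.hourly)
Nov 10 10:00:20 USG mcad: heartbeat
"""


def filter_noise(text):
    """Lines that survive the page's egrep -v filter."""
    return [ln for ln in text.splitlines() if ln and not NOISE.search(ln)]


def ppp_and_pd_lines(text):
    """Only pppd / dhcp6c / dhcpv6-pd messages, with the noise already removed."""
    return [ln for ln in filter_noise(text) if INTERESTING.search(ln)]


def restart_storms(text, threshold=3):
    """Return [(minute, restarts)] for every minute with at least `threshold`
    PD client restarts. A healthy client restarts rarely; a tight crash loop
    shows up as a high count in a single minute."""
    per_minute = Counter()
    for ln in filter_noise(text):
        if RESTART.search(ln):
            m = STAMP.match(ln)
            if m:
                per_minute[m.group(1)] += 1
    return sorted((minute, n) for minute, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    for ln in ppp_and_pd_lines(SAMPLE_LOG):
        print(ln)
    for minute, n in restart_storms(SAMPLE_LOG):
        print(f"possible PD client crash loop: {n} restarts during {minute}")
```

On a real box you would feed it the output of show log (or /var/log/messages) instead of SAMPLE_LOG; the threshold is deliberately low because a correctly running client should not restart at all within a minute.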
SSL cert
Huge pain in the arse to get right, the system will regenerate a default SSL cert if your keystore is broken.
I used directions from these sites, but eventually found something on the Unifi forums that sorted out the issue. I think.
# on the controller
cd /var/lib/unifi
mkdir -m 0750 ssl_staging
chown -R unifi. ssl_staging/

# from your machine with the cert
rsync -vrt STAR_thighhighs_top_key.txt STAR_thighhighs_top.crt STAR_thighhighs_top.ca-bundle root@controller:/var/lib/unifi/ssl_staging/

# back on the controller, working inside the staging directory
cd /var/lib/unifi/ssl_staging

# Export key+cert+chain to p12 file (the key was shipped as a .txt file, so that is the name used here)
openssl pkcs12 -export -out STAR_thighhighs_top.pfx -inkey STAR_thighhighs_top_key.txt -in STAR_thighhighs_top.crt -name unifi -certfile STAR_thighhighs_top.ca-bundle -password pass:123

# Check it
keytool -list -storetype pkcs12 -keystore STAR_thighhighs_top.pfx -v -storepass 123

# Fix ownership, it's all meant to be unifi:unifi in /var/lib/unifi
chown -R unifi:unifi /var/lib/unifi/ssl_staging

# Import the p12 into the keystore, overwriting the existing "unifi" alias
keytool -importkeystore -srckeystore STAR_thighhighs_top.pfx -srcstoretype PKCS12 -srcstorepass 123 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore ../keystore -alias unifi

# Restart to take effect, watch the log for any failure
service unifi restart
tail -f /var/log/unifi/server.log

# Test it, look for cert chain being verified during connection
openssl s_client -connect unifi.controller.com:8443
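Because the controller silently falls back to a self-signed cert when the keystore is broken, it is worth checking the three input files before the pkcs12 export rather than after the restart. The following Python script is an added example (not from the original page or from Ubiquiti) and assumes only that the openssl binary is on PATH: it confirms the private key actually belongs to the certificate by comparing their public keys, that the certificate validates against the CA bundle, and that it has not expired. The demo generates throwaway self-signed certs in a temp directory so it runs without the real files; point the three check functions at your own key, crt and ca-bundle paths.

```python
import os
import shutil
import subprocess
import tempfile


def _openssl(*args):
    """Run an openssl subcommand and return its stdout; assumes openssl is on PATH."""
    return subprocess.run(["openssl", *args], capture_output=True, check=True).stdout


def public_key_of_key(key_path):
    """PEM SubjectPublicKeyInfo derived from the private key."""
    return _openssl("pkey", "-in", key_path, "-pubout")


def public_key_of_cert(cert_path):
    """PEM SubjectPublicKeyInfo embedded in the certificate."""
    return _openssl("x509", "-in", cert_path, "-pubkey", "-noout")


def key_matches_cert(key_path, cert_path):
    """True when the key and cert carry the same public key (the usual cause of a
    broken keystore is pairing a cert with a key from an older CSR)."""
    return public_key_of_key(key_path) == public_key_of_cert(cert_path)


def chain_verifies(cert_path, bundle_path):
    """True when the cert validates against the CA bundle that will go into the p12."""
    r = subprocess.run(["openssl", "verify", "-CAfile", bundle_path, cert_path],
                       capture_output=True)
    return r.returncode == 0


def not_expired(cert_path, within_seconds=0):
    """True when the cert is still valid `within_seconds` from now."""
    r = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout",
                        "-checkend", str(within_seconds)], capture_output=True)
    return r.returncode == 0


def make_self_signed(dirpath, name):
    """Constructed throwaway key + self-signed cert for the demo only."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
             "-out", crt, "-subj", "/CN=" + name, "-days", "1")
    return key, crt


def demo():
    """Exercise the checks on constructed material. Returns None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        key_a, crt_a = make_self_signed(d, "a")
        key_b, _crt_b = make_self_signed(d, "b")
        return {
            "matching": key_matches_cert(key_a, crt_a),
            "mismatched": key_matches_cert(key_b, crt_a),
            # a self-signed cert used as its own bundle verifies
            "self_chain": chain_verifies(crt_a, crt_a),
            "not_expired": not_expired(crt_a),
        }


if __name__ == "__main__":
    print(demo())
```

Run the three checks against the real STAR files before the openssl pkcs12 step; if any returns False, fix the inputs first, since keytool will happily import a mismatched pair and the controller will then regenerate its default cert on restart.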
Unifi Ubiquiti IPv6 PD with SLAAC
I think this is for an Edgerouter and similar. Quoted from https://www.manitonetworks.com/networking/2017/8/5/ubiquiti-ipv6-prefix-delegation-with-slaac
On Ubiquiti routers with eth0 facing the ISP and switch0 facing the LAN, here is my tested configuration:
ubnt@ubnt# show interfaces ethernet eth0
 address dhcp
 description Internet
 dhcpv6-pd {
     pd 0 {
         interface switch0 {
             service slaac
         }
         prefix-length 64
     }
 }
 ipv6 {
     address {
         autoconf
     }
 }
[edit]
ubnt@ubnt#
The eth0 IPv6 address is configured for automatic address configuration. The dhcpv6-pd option is currently configured to only request a single prefix (pd 0) since it's only for a home network. The prefix-length 64 option requests a /64 network be provisioned by the ISP, and /64 is the smallest recommended prefix. Despite being the smallest prefix recommended it still has 18,446,744,073,709,551,616 total addresses.
The service slaac option set for switch0 configures the router to hand out addresses in the /64 prefix to local hosts on the LAN. With the configuration in place be sure to run the commit and save commands. The show ipv6 route command shows local IPv6 addresses, the /128 host address on the WAN, and the first /64 prefix address on switch0.
Configuring IPv6 for automatic addressing on Windows and Mac hosts assigns addresses in the /64 prefix and now you're online with IPv6!
Ubiquiti NTP Configuration
Also for Edgerouter and other devices running EdgeOS.
configure
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system ntp server 3.pool.ntp.org
# Recommended in enterprise, and especially if you have devices in more than one timezone
set system time-zone UTC
commit
save
Fiddling with VLANs
Not something I've set up yet, but I really should put the IoT stuff into its own secure segment.
Custom local DNS records
This needed to be pushed to the gateway, because somehow it's not resolving the controller's DNS name properly. I think that's because it expects to know the controller as a DHCP-assigned device, which in my case it isn't. Anyway, here's how to do it with the custom gateway config again; on my controller it goes in /config/data/sites/x7nr1ya6/config.gateway.json and then gets provisioned to the gateway.
{
  "service": {
    "dns": {
      "forwarding": {
        "options": [
          "host-record=unifi.thighhighs.top,192.168.1.13"
        ]
      }
    }
  }
}
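The DNS host-record above and the dhcpv6-pd prefix-only setting from the IPv6 PD section both live in the same config.gateway.json, so the second fragment has to be merged into the file rather than pasted over it, and a single stray comma makes the USG reject the whole file at provision time. Here is a Python helper, an added example that is not from the original page or from Ubiquiti, which deep-merges any number of fragments (recursing into objects, appending to lists without duplicates) and re-serialises the result so that invalid JSON is caught before it reaches the gateway. The two fragments are the page's own; the function and file names are my choice.

```python
import copy
import json

# The two fragments from this page, as Python dicts. Note the "''" string:
# that is how UniFi's JSON represents a valueless config node such as prefix-only.
PD_FRAGMENT = {
    "interfaces": {"ethernet": {"eth0": {"pppoe": {"0": {
        "dhcpv6-pd": {"prefix-only": "''"}}}}}}
}
DNS_FRAGMENT = {
    "service": {"dns": {"forwarding": {
        "options": ["host-record=unifi.thighhighs.top,192.168.1.13"]}}}
}


def deep_merge(base, extra):
    """Return a new dict with `extra` merged into `base`: nested objects are
    merged key by key, lists are concatenated without duplicates, and a scalar
    in `extra` replaces the one in `base`. Neither argument is modified."""
    out = copy.deepcopy(base)
    for key, val in extra.items():
        if key in out and isinstance(out[key], dict) and isinstance(val, dict):
            out[key] = deep_merge(out[key], val)
        elif key in out and isinstance(out[key], list) and isinstance(val, list):
            out[key] = out[key] + [v for v in val if v not in out[key]]
        else:
            out[key] = copy.deepcopy(val)
    return out


def build_gateway_config(*fragments):
    """Merge fragments left to right into one config.gateway.json document."""
    cfg = {}
    for frag in fragments:
        cfg = deep_merge(cfg, frag)
    return cfg


def render(cfg):
    """Serialise deterministically; json.dumps raises on anything that is not
    valid JSON, which is the check that protects the provisioning step."""
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def merge_into_file(path, *fragments):
    """Read an existing config.gateway.json (if any), merge the fragments in,
    and return the text that should be written back to `path`."""
    try:
        with open(path) as f:
            existing = json.load(f)
    except FileNotFoundError:
        existing = {}
    return render(build_gateway_config(existing, *fragments))


if __name__ == "__main__":
    # e.g. write this to /config/data/sites/<site>/config.gateway.json on the controller
    print(render(build_gateway_config(PD_FRAGMENT, DNS_FRAGMENT)))
```

After writing the merged file, trigger a provision from the controller and watch for a "provisioning failed" state on the USG, which is how a rejected file shows up.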