= USW Flex Mini with a static IP address via DHCP =

Apparently it's common for the Flex Mini to fail a firmware update if it isn't using DHCP. But the only way to give it a static IP address, which is nice for a cleanly planned network, is to take it out of DHCP mode in the Unifi controller. What's a network admin to do?

One idea: create a new end-user client device in the controller without it being online, give it a fixed DHCP address tied to its MAC, then let the Flex Mini reboot and it will pick up the assigned address while still being a DHCP client: https://www.markschabacker.com/blog/2020/10/17/unifi-device-assign-ip/

I had to flip back to the Classic UI in order to find the client after the initial add, so I could put it into Fixed IP mode, but that was no big deal afterwards. It seemed to work nicely.

= Issues with inform address =

{{{
SWITCH: 192.168.1.89 b4:fb:e4:c9:06:be

# Login (ssh to the switch) and run:
set-inform http://192.168.1.24:8080/inform
}}}

= IPv6 PD issues =

There are well-documented problems with the way Prefix Delegation behaves with ISPs that do or don't support a certain DHCPv6 option; Internode in particular seems to crop up a fair bit.

Symptoms: USG CPU usage is pegged at ~50% when IPv6 and Prefix Delegation are in use, and the PD client perl script keeps crashing and restarting in a tight loop.

Cause: the client requests IA_NA as well as IA_PD, the ISP doesn't support IA_NA, so the client bombs out.

Fix: a setting can be applied on the USG CLI that reconfigures the client not to request IA_NA, which avoids the problem until the USG is rebooted or reprovisioned. The permanent fix is to put the same setting in a json config file on the ''controller'', which is then provisioned to the USG.
Diagnosis and solutions are documented here:
 * https://community.ui.com/questions/Multiple-dhcpv6-pd-response-pl-processes/b737ab57-d723-4975-aaac-00ba7376ba21
 * https://community.ui.com/questions/High-CPU-usage-when-enabling-IPv6/9db6b746-9c91-4087-8c1b-7797d291bf11

More explanation of the IA_NA feature and how it works alongside IA_PD: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/subscriber-management-ds-dhcpv6-iana-plus-pd.html

In Unifi's internal (EdgeOS-style) config tree, the node we're setting is: `show interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only`

Guidance on doing the advanced json config is here: https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

{{{
# /var/lib/unifi/sites/default/config.gateway.json
# On the containerised controller this would be at /config/data/sites/x7nr1ya6/config.gateway.json
{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "pppoe": {
          "0": {
            "dhcpv6-pd": {
              "prefix-only": "''"
            }
          }
        }
      }
    }
  }
}
}}}

The two-character string `''` is how a valueless node (one you would `set` with no argument on the CLI) is written in config.gateway.json. Run the file through a JSON validator before provisioning; a syntax error here will stop the gateway from provisioning at all.

This change will update the provisioned config on the USG here: `/var/run/dhcp6c-pppoe0-pd.conf`

Once this is done, USG CPU usage should drop to pretty much zero.

More about what's going on. Here's what Internode says about their IPv6 setup:

{{{
Here's what you get when your connection is set up for IPv6:
  Your existing IPv4 address (if static) and any existing framed route(s).
  A dual-stack IPv4/IPv6 PPP session.
  A dynamic /64 IPv6 prefix for your PPP session.
  A static /56 IPv6 prefix for your LAN (if you are using a router with Prefix Delegation).
}}}

The two endpoints we need to care about are the ends of the PPP session (technically PPPoE). I think our end gets an IPv6 address as a result of the PPP negotiation, and other functionality is then added by running DHCPv6 over the session to configure more client-side things, like DNS resolvers.
One of those is getting a delegated prefix (IA_PD) to serve up with radvd, and another is `IA_NA`, by which our side asks the DHCPv6 server for an IPv6 address for itself. We don't need that, because our end (the router, ie. the PPPoE client) already has an address thanks to the PPP session, as Internode promised (a dynamic /64 prefix for your PPP session). By setting prefix-only in the Unifi config we don't ask for IA_NA, only for prefix delegation, which is all we need.

= PPPoE logging =

It is pretty much non-existent, sadly. :(

General log viewing: https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files#3

I went ahead and raised the global log level as suggested here, and it kinda helps now: https://community.ui.com/questions/ppp-logging/d81578bc-c34d-4a01-931e-2c52a7354480

`set system syslog global facility all level debug`

It comes through as pppd messages in syslog; this kinda works to read it on the USG:

`show log | egrep -v 'WAN_IN|sudo:|mcad:'| less`

NB: as of 2020-11-10 this doesn't seem to work any more. The setting exists in the config, but this command doesn't work.

= SSL cert =

Huge pain in the arse to get right; the system will regenerate a default SSL cert if your keystore is broken, so take a copy of `/var/lib/unifi/keystore` before importing anything into it. I used directions from these sites, but eventually found something on the Unifi forums that sorted out the issue. I think.

 * https://www.ssls.com/knowledgebase/installing-an-ssl-certificate-on-ubiquiti-unifi/
 * https://www.namecheap.com/support/knowledgebase/article.aspx/10134/33/installing-an-ssl-certificate-on-ubiquiti-unifi

`aircontrolenterprise` below is the stock password of the Unifi keystore; `123` is just a throwaway password for the intermediate p12 file.

{{{
# on the controller
cd /var/lib/unifi
mkdir -m 0750 ssl_staging
chown -R unifi. ssl_staging/

# from your machine with the cert
rsync -vrt STAR_thighhighs_top_key.txt STAR_thighhighs_top.crt STAR_thighhighs_top.ca-bundle root@controller:/var/lib/unifi/ssl_staging/

# back on the controller, work inside the staging dir (the keystore is one level up)
cd /var/lib/unifi/ssl_staging

# Export key+cert+chain to a p12 file; the key is the _key.txt file rsynced above
openssl pkcs12 -export -out STAR_thighhighs_top.pfx -inkey STAR_thighhighs_top_key.txt -in STAR_thighhighs_top.crt -name unifi -certfile STAR_thighhighs_top.ca-bundle -password pass:123

# Check it: expect one PrivateKeyEntry under the alias "unifi" with the full chain
keytool -list -storetype pkcs12 -keystore STAR_thighhighs_top.pfx -v -storepass 123

# Fix ownership, it's all meant to be unifi:unifi in /var/lib/unifi
chown -R unifi:unifi /var/lib/unifi/ssl_staging

# Import the p12 into the keystore, overwriting the existing "unifi" alias
keytool -importkeystore -srckeystore STAR_thighhighs_top.pfx -srcstoretype PKCS12 -srcstorepass 123 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore ../keystore -alias unifi

# Restart to take effect, watch the log for any failure
service unifi restart
tail -f /var/log/unifi/server.log

# Test it, look for the cert chain being verified during connection
openssl s_client -connect unifi.controller.com:8443
}}}

= Unifi Ubiquiti IPv6 PD with SLAAC =

I think this is for an Edgerouter and similar. Quoted from https://www.manitonetworks.com/networking/2017/8/5/ubiquiti-ipv6-prefix-delegation-with-slaac

On Ubiquiti routers with eth0 facing the ISP and switch0 facing the LAN, here is my tested configuration:

{{{
ubnt@ubnt# show interfaces ethernet eth0
 address dhcp
 description Internet
 dhcpv6-pd {
     pd 0 {
         interface switch0 {
             service slaac
         }
         prefix-length 64
     }
 }
 ipv6 {
     address {
         autoconf
     }
 }
[edit]
ubnt@ubnt# _
}}}

The `eth0` IPv6 address is configured for automatic address configuration. The `dhcpv6-pd` option is currently configured to only request a single prefix (pd 0) since it's only for a home network. The `prefix-length 64` option requests a /64 network be provisioned by the ISP, and /64 is the smallest recommended prefix.
Despite being the smallest prefix recommended, it still has 18,446,744,073,709,551,616 total addresses. The `service slaac` option set for `switch0` configures the router to hand out addresses in the /64 prefix to local hosts on the LAN. With the configuration in place be sure to run the `commit` and `save` commands.

The `show ipv6 route` command shows local IPv6 addresses, the /128 host address on the WAN, and the first /64 prefix address on switch0. Configuring IPv6 for automatic addressing on Windows and Mac hosts assigns addresses in the /64 prefix and now you're online with IPv6!

= Ubiquiti NTP Configuration =

Also for Edgerouter and other devices running EdgeOS.

{{{
configure
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system ntp server 3.pool.ntp.org
# Recommended in enterprise, and especially if you have devices in more than one timezone
set system time-zone UTC
commit
save
}}}

= Fiddling with VLANs =

Not something I've set up yet, but I really should put the IoT stuff into its own secure segment. https://arstechnica.com/information-technology/2018/07/enterprise-wi-fi-at-home-part-two-reflecting-on-almost-three-years-with-pro-gear/5/

= Custom local DNS records =

This needed to be pushed to the gateway, because somehow it's not resolving the controller's name properly. I think because it expects to know of the controller as a DHCP-assigned device, but in my case it's not. Or something. Anyway, here's how to do it with the custom gateway config again. On my controller it goes in `/config/data/sites/x7nr1ya6/config.gateway.json` and then gets provisioned to the gateway. Note this is the same file as the IPv6 prefix-only setting above: there is one config.gateway.json per site, so the two fragments have to be merged into one JSON document rather than one overwriting the other.

{{{
{
  "service": {
    "dns": {
      "forwarding": {
        "options": [
          "host-record=unifi.thighhighs.top,192.168.1.13"
        ]
      }
    }
  }
}
}}}
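The IPv6 prefix-only fragment and the custom DNS fragment both target the one config.gateway.json for the site, so they need to be combined before the file is dropped into the site directory. Here's a small Python script, added here as an example (it is not from these notes or from Ubiquiti), that builds each fragment from its EdgeOS-style node path and deep-merges them into one document. The interface names, the host-record and the site path are the ones used in the notes above; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Build one config.gateway.json for a USG site from several fragments.

Added example for these notes, not Ubiquiti code.  The controller provisions
a single config.gateway.json per site, so the IPv6 prefix-only setting and the
custom DNS host-record have to live in the same document.
"""
import json
import sys

# EdgeOS convention used in the notes: a valueless node such as
# "set interfaces ... dhcpv6-pd prefix-only" is written as the string "''".
VALUELESS = "''"


def from_path(path, value=VALUELESS):
    """Turn a 'set'/'show' style node path into the nested dict the controller expects."""
    node = value
    for key in reversed(path.split()):
        node = {key: node}
    return node


def merge(base, fragment):
    """Deep-merge fragment into a copy of base.

    dicts merge recursively, lists (multi-value nodes like dns forwarding
    options) are unioned in order, and two different scalars for the same node
    raise instead of letting whichever fragment came last win silently.
    """
    if isinstance(base, dict) and isinstance(fragment, dict):
        out = dict(base)
        for key, val in fragment.items():
            out[key] = merge(base[key], val) if key in base else val
        return out
    if isinstance(base, list) and isinstance(fragment, list):
        return base + [v for v in fragment if v not in base]
    if base == fragment:
        return base
    raise ValueError("conflicting values for one node: %r vs %r" % (base, fragment))


def build(fragments):
    """Merge an iterable of fragments into one config dict, left to right."""
    config = {}
    for frag in fragments:
        config = merge(config, frag)
    return config


def render(config):
    """Serialise with stable key order so successive versions diff cleanly."""
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


# The two fragments from these notes, expressed as node paths.
PREFIX_ONLY = from_path("interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only")
LOCAL_DNS = from_path("service dns forwarding options",
                      ["host-record=unifi.thighhighs.top,192.168.1.13"])

if __name__ == "__main__":
    # python3 build_gateway_json.py > config.gateway.json
    # then copy it to /config/data/sites/<site>/config.gateway.json
    # (or /var/lib/unifi/sites/<site>/ on a non-containerised controller).
    sys.stdout.write(render(build([PREFIX_ONLY, LOCAL_DNS])))
```

Keeping the fragments as paths rather than hand-nested JSON also means a fragment can be copied straight off a `show` line on the USG, and the conflict check catches the case where two fragments quietly disagree about the same node.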
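For the SSL cert section above: since a broken keystore makes the controller silently fall back to its default cert, it pays to check the material before keytool touches /var/lib/unifi/keystore. Here is an added example (not from these notes or from Ubiquiti) that does those checks with openssl only: the cert's public key matches the private key, the leaf verifies against the CA bundle, the p12 really carries the `unifi` alias, and only then is the keystore backed up and the import run. The keystore path and its stock password are taken from the notes; the `changeit` p12 password, the function names and the script name are this example's assumptions.

```shell
#!/bin/sh
# Pre-flight checks before replacing the "unifi" entry in the controller keystore.
# Added example, not from the notes above or from Ubiquiti.  The checks use only
# openssl, so they run on the controller before keytool touches the live keystore.

# 0 if the public key in certificate $1 is the public half of private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if leaf certificate $1 chains up to the CA bundle $2.  The "OK" line is
# checked rather than the exit status because old openssl builds returned 0
# even when verification failed.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Export key + leaf + chain to a PKCS#12 under the alias keytool will import.
# $1 leaf cert, $2 private key, $3 CA bundle, $4 output .pfx, $5 password.
# "pass:" puts the password in the process list, which is tolerable only
# because the .pfx is a throwaway created with mode 0600 and removed after import.
build_p12() {
    ( umask 077
      openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" -certfile "$3" \
          -name unifi -password "pass:$5" 2>/dev/null )
}

# 0 if PKCS#12 $1 (password $2) contains a bag with friendlyName $3.
p12_has_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>&1 | grep -q "friendlyName: $3"
}

# Run every check; only if all pass, back up the keystore and import.
# $1 leaf cert, $2 private key, $3 CA bundle, $4 keystore (default from the notes).
# aircontrolenterprise is the stock password of the Unifi keystore; changeit is
# this example's throwaway password for the intermediate .pfx.
preflight_and_import() {
    keystore=${4:-/var/lib/unifi/keystore}
    p12=$(mktemp) || return 1
    cert_matches_key "$1" "$2" || { echo "cert and key do not match" >&2; rm -f "$p12"; return 1; }
    chain_verifies "$1" "$3" || { echo "cert does not verify against bundle" >&2; rm -f "$p12"; return 1; }
    build_p12 "$1" "$2" "$3" "$p12" changeit || { rm -f "$p12"; return 1; }
    p12_has_alias "$p12" changeit unifi || { echo "alias unifi missing from p12" >&2; rm -f "$p12"; return 1; }
    cp -p "$keystore" "$keystore.bak.$(date +%Y%m%d%H%M%S)" || { rm -f "$p12"; return 1; }
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass changeit \
        -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
        -destkeystore "$keystore" -alias unifi -noprompt
    rc=$?
    rm -f "$p12"
    return $rc
}

# Usage on the controller, from the staging directory:
#   sh preflight.sh STAR_thighhighs_top.crt STAR_thighhighs_top_key.txt STAR_thighhighs_top.ca-bundle
if [ $# -ge 3 ]; then
    preflight_and_import "$@"
fi
```

If any check fails the keystore is never touched, so the worst case is the old cert staying in place rather than the controller regenerating a self-signed one; the timestamped backup is what you restore from if the import itself goes wrong.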