Meidokon Wiki
Revision 5 as of 2020-11-09 16:09:18
MeidokonWiki:
  • UnifiNetworkFaffery

Issues with inform address

SWITCH: 192.168.1.89   b4:fb:e4:c9:06:be

# SSH to the switch, log in, and point it at the controller's inform URL:
set-inform http://192.168.1.24:8080/inform
# Then adopt it in the controller UI; `info` on the switch shows the inform URL it is using and whether it is Connected.

IPv6 PD issues

There are well-documented problems with the way Prefix Delegation behaves on ISPs that don't support DHCPv6 IA_NA (non-temporary address assignment) alongside IA_PD; Internode in particular crops up a fair bit.

Symptoms: USG CPU usage is pegged at ~50% whenever IPv6 with Prefix Delegation is in use, and the PD client perl script (dhcpv6-pd-response.pl) keeps crashing and restarting in a tight loop.

Cause: the DHCPv6 client requests IA_NA as well as IA_PD; the ISP doesn't support IA_NA, so the client bombs out and gets restarted, over and over.

Fix: a setting on the USG CLI reconfigures the client to request only the prefix (no IA_NA), which avoids the problem until the USG is next rebooted or reprovisioned by the controller, at which point the controller's config wins and the setting is gone. The permanent fix is a config.gateway.json on the controller, which gets merged into the config provisioned to the USG.

Diagnosis and solutions are documented here:

  • https://community.ui.com/questions/Multiple-dhcpv6-pd-response-pl-processes/b737ab57-d723-4975-aaac-00ba7376ba21

  • https://community.ui.com/questions/High-CPU-usage-when-enabling-IPv6/9db6b746-9c91-4087-8c1b-7797d291bf11

More explanation of the IA_NA feature and how it works alongside IA_PD: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/subscriber-management-ds-dhcpv6-iana-plus-pd.html

In Unifi's internal config tree representation (the EdgeOS-style config on the USG), the node we're after is: show interfaces ethernet eth0 pppoe 0 dhcpv6-pd prefix-only (eth0 and PPPoE unit 0 are this site's WAN; adjust if yours differ).

Guidance on doing the advanced json config is here: https://help.ui.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration

# /var/lib/unifi/sites/default/config.gateway.json  ("''" is how a valueless config node is written in this file)
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "pppoe": {
                    "0": {
                        "dhcpv6-pd": {
                            "prefix-only": "''"
                        }
                    }
                }
            }
        }
    }
}

Once the controller has reprovisioned the USG, the dhcp6c config it generates, /var/run/dhcp6c-pppoe0-pd.conf, should no longer contain the IA_NA request, and USG CPU usage should drop to pretty much zero.
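Two things are worth checking around this fix: on the controller, that config.gateway.json is well-formed and actually carries the node (a malformed file is the usual cause of a USG stuck in a provisioning loop), and on the USG, that the generated dhcp6c config has dropped the IA_NA request and the crash loop has stopped. The script below is an added example, not from the page or Ubiquiti; the paths come from the page, while eth0/pppoe 0 and the dhcp6c config syntax are assumptions for this site.

```shell
#!/bin/sh
# Added checks around the prefix-only fix; not part of the original page.
# Usage: sh pd-check.sh controller   (on the controller host)
#        sh pd-check.sh usg          (on the USG)
# Paths are the page's; eth0/pppoe 0 and the dhcp6c file syntax are assumptions.

CFG=${CFG:-/var/lib/unifi/sites/default/config.gateway.json}
DHCP6C=${DHCP6C:-/var/run/dhcp6c-pppoe0-pd.conf}

# 0 if the file is syntactically valid JSON (python3 is present on a Debian/Ubuntu
# controller host). Check this before the controller provisions it to the USG.
json_is_valid() {
    python3 -m json.tool "$1" >/dev/null 2>&1
}

# 0 if the whitespace-stripped JSON contains the dhcpv6-pd prefix-only node exactly
# as the page writes it ("''" is the valueless-node convention). This is a textual
# check rather than a path walk, so it assumes the node is written in that shape.
has_prefix_only() {
    pat='"dhcpv6-pd":{"prefix-only":"'"''"'"}'
    tr -d ' \n\t\r' < "$1" | grep -Fq "$pat"
}

# 0 if the dhcp6c config still asks for a non-temporary address (IA_NA).
pd_conf_requests_na() {
    grep -Eq '^[[:space:]]*(send[[:space:]]+ia-na|id-assoc[[:space:]]+na)' "$1"
}

# 0 if the dhcp6c config asks for prefix delegation (IA_PD), which we do want.
pd_conf_requests_pd() {
    grep -Eq '^[[:space:]]*(send[[:space:]]+ia-pd|id-assoc[[:space:]]+pd)' "$1"
}

# Number of dhcpv6-pd-response.pl processes; the broken state shows several at once.
pd_responder_count() {
    ps -eo args | grep -c '[d]hcpv6-pd-response\.pl' || true
}

check_controller() {
    json_is_valid "$CFG"   || { echo "FAIL $CFG is not valid JSON"; return 1; }
    has_prefix_only "$CFG" || { echo "FAIL $CFG has no dhcpv6-pd prefix-only node"; return 1; }
    echo "ok   $CFG is valid JSON and carries prefix-only"
}

check_usg() {
    rc=0
    if pd_conf_requests_na "$DHCP6C"; then echo "FAIL $DHCP6C still requests IA_NA"; rc=1; fi
    pd_conf_requests_pd "$DHCP6C" || { echo "FAIL $DHCP6C does not request IA_PD"; rc=1; }
    n=$(pd_responder_count)
    [ "$n" -le 1 ] || { echo "FAIL $n dhcpv6-pd-response.pl processes running"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok   dhcp6c asks for IA_PD only, $n responder process(es)"
    return "$rc"
}

case "${1:-}" in
    controller) check_controller ;;
    usg)        check_usg ;;
esac
```

Run the controller check before forcing a reprovision, and the USG check a minute or two after; if the USG check still reports IA_NA, the controller has not pushed the new config yet (or the JSON is under the wrong interface/unit).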

More about what's going on: here's what Internode says about their IPv6 setup:

Here's what you get when your connection is set up for IPv6:

Your existing IPv4 address (if static) and any existing framed route(s).
A dual-stack IPv4/IPv6 PPP session.
A dynamic /64 IPv6 prefix for your PPP session.
A static /56 IPv6 prefix for your LAN (if you are using a router with Prefix Delegation).

The two endpoints we need to care about are the ends of the PPP session (technically PPPoE). I think our end gets an IPv6 address as a result of the PPP negotiation, but other functionality is added by using DHCPv6 to configure more client-side things, like DNS resolvers. One of those is getting a delegated prefix to serve up with radvd, and another option looks to be IA_NA, by which our side can get an IPv6 address for itself.

But we don't need that, because we already have a local-end (i.e. the router's PPPoE client) address thanks to the PPP negotiation, as Internode promised (a dynamic /64 prefix for your PPP session).

By setting prefix-only in the Unifi config, we don't ask for IA_NA, and we just ask for prefix delegation (IA_PD), which is all we need.

PPPoE logging

It is pretty much non-existent, sadly. :(

General log viewing: https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files#3

I went ahead and raised the global log level as suggested here, it kinda helps now: https://community.ui.com/questions/ppp-logging/d81578bc-c34d-4a01-931e-2c52a7354480

set system syslog global facility all level debug

This is a configure-mode command on the USG (configure, set ..., commit), and like any CLI change it is lost on the next reprovision unless it also goes into config.gateway.json. Debug level is noisy, so turn it back down once the PPPoE problem is understood.

It comes through as pppd messages in syslog; this kinda works to read it on the USG: show log | egrep -v 'WAN_IN|sudo:|mcad:' | less

NB: as of 2020-11-10 this doesn't seem to work any more. The setting exists in the config, but this command doesn't work.

SSL cert

Huge pain in the arse to get right: the system will regenerate a default self-signed cert if your keystore is broken, so take a copy of the keystore before touching it.

I used directions from these sites, but eventually found something on the Unifi forums that sorted out the issue. I think.

  • https://www.ssls.com/knowledgebase/installing-an-ssl-certificate-on-ubiquiti-unifi/

  • https://www.namecheap.com/support/knowledgebase/article.aspx/10134/33/installing-an-ssl-certificate-on-ubiquiti-unifi

# on the controller
cd /var/lib/unifi
mkdir -m 0750 ssl_staging
chown -R unifi:unifi ssl_staging/

# from your machine with the cert
rsync -vrt STAR_thighhighs_top_key.txt STAR_thighhighs_top.crt STAR_thighhighs_top.ca-bundle root@controller:/var/lib/unifi/ssl_staging/

# back on the controller; everything below runs from the staging dir
cd /var/lib/unifi/ssl_staging
mv STAR_thighhighs_top_key.txt STAR_thighhighs_top.key   # so the name matches the openssl step below
chmod 0600 STAR_thighhighs_top.key

# Back up the keystore first: a broken keystore makes Unifi regenerate a default cert
cp -p ../keystore ../keystore.bak

# Export key+cert+chain to p12 file (the 123 password only protects a throwaway file)
openssl pkcs12 -export -out STAR_thighhighs_top.pfx -inkey STAR_thighhighs_top.key -in STAR_thighhighs_top.crt -name unifi -certfile STAR_thighhighs_top.ca-bundle -password pass:123

# Check it: expect one PrivateKeyEntry with alias "unifi" and a chain length covering the bundle
keytool -list -storetype pkcs12 -keystore STAR_thighhighs_top.pfx -v -storepass 123

# Fix ownership, it's all meant to be unifi:unifi in /var/lib/unifi
chown -R unifi:unifi /var/lib/unifi/ssl_staging

# Import the p12 into the keystore, overwriting the existing "unifi" alias
# (aircontrolenterprise is Unifi's stock keystore password; -noprompt answers the overwrite question)
keytool -importkeystore -noprompt -srckeystore STAR_thighhighs_top.pfx -srcstoretype PKCS12 -srcstorepass 123 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore ../keystore -alias unifi

# The key now lives in the keystore; don't leave a second copy lying around in the staging dir
rm -f STAR_thighhighs_top.pfx STAR_thighhighs_top.key

# Restart to take effect, watch the log for any failure
service unifi restart
tail -f /var/log/unifi/server.log

# Test it: the chain should verify ("Verify return code: 0 (ok)") and the cert presented should be the wildcard
openssl s_client -connect unifi.controller.com:8443 -servername unifi.controller.com </dev/null