I have a UAP-AC-PRO gen 2 and run the controller on Fedora26/RPi 2b+. I am running controller version 5.6.20. If I start from scratch, I can get the AP to be 'connected', but I need to modify network settings for VLANs, etc. As soon as I touch the default LAN network (the one that cannot be deleted), the AP goes into an endless provisioning loop.
When I ssh to the AP, I see that the bridge is created, but the VLANs are not broken out onto separate virtual interfaces. I can see MAC addresses from all the VLANs on the one bridge. I have started over from scratch with the controller software, and reset the AP back to default settings a myriad of times, to no avail. I simply cannot get things working on this version of controller software.
Mind you, everything works on version 5.4.16, with absolutely no changes to anything. The problem is that I can't get my hands on that version of code anymore. Does anyone know of some super secret tweaks that kick over the provisioning process? I have posted to the wireless forum and opened a case with Ubiquiti, but am looking to move things along faster than that process seems to be taking. I have no wifi and it's a pain to drag all my port replicators all around to get laptops on the network, etc.

Do you have all appropriate ports on whatever is hosting the controller open? (If using a Cloud Key, you can probably ignore this.) I have my controller on a Windows server.
I noticed if I do anything that has a major network change, for example adding a new AP, while I have the requisite ports forwarded I still have to fully turn off the firewall for the provisioning process to complete. Once that's done I can turn the firewall back on and everything works fine. Obviously there's a port or two I'm likely missing despite having all the listed ports forwarded.
You may want to give that a try.

So I have VLAN 248 untagged, and VLANs 24 and 56 tagged. The third octet in my IP scheme matches the VLAN. The AP picks up the DHCP reserved IP of 192.168.248.2. The controller is 192.168.248.1. The controller also has VLAN 248 untagged and VLANs 24 and 56 tagged. There are no firewalls preventing the AP from talking to the controller, since everything is locally connected or is on the same layer 2.
I am trying to set the VLANs in the settings section of the controller web UI (the lower left side, gear icon) and am not setting the VLANs on a per-AP basis, either.

Sg500#sh run int gi1/1/36
interface gigabitethernet1/1/36
 dot1x authentication 802.1x mac
 description 'Living Room S Wall - 4 / wifi-ac'
 switchport general pvid 248
 lldp notifications enable
 lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
 lldp management-address automatic
 switchport mode general
 switchport general allowed vlan add 24,56 tagged
 switchport general allowed vlan add 248 untagged
!

Looks like the SG500 uses the same syntax as the SG300 and you're only wanting/needing one untagged VLAN, so I'd do. What I found while searching, as I had not encountered 'general' mode prior to this, was: If using general you can have multiple tagged and untagged. You still have to specify a PVID for the untagged.
Trunk is multiple tagged, single untagged. And if you want untagged traffic to flow, you have to add your untagged VLAN to the allowed list for the trunk.
So tagged traffic goes into whatever VLAN it's supposed to and non-tagged gets allowed as the native. And a recommendation that you should just use Trunk mode unless you really know that you need to use general.
Edit to add: General mode seems to be something for the SG series. It's not an option on my 2960S with IOS 15.
Overall, I'm not sure what the point of General mode even is; it seems like a solution looking for a problem, and causing them. I can say that my UniFi APs play perfectly nice with a straight trunk port, with VLAN 4 for the management backend and the SSID tagged for VLAN 5.

Not in front of my gear right now, but I do have a bunch of trunking going on. My Linux router has 9 VLANs, but all are tagged. I run those same 9 VLANs between my router, sg500-52 and sg300-28. The Fedora/RPi controller has the same config as the AP, and I see its MAC address on all 3 VLANs. The MAC address shows up on the untagged VLAN 248, as well as the tagged VLANs 24 and 56.
The AP's MAC address only shows up on the untagged VLAN 248, and if I list the MAC addresses seen by the AP, using 'brctl showmacs br0', I can see MAC addresses from all the VLANs, not just those on VLAN 248. The AP can ping the controller, the controller can ping the AP. I can ssh from a different network, to both devices. The controller finds the AP at layer two, and starts the adoption process. It uses layer 3 to move through the provisioning process and I see TCP connections establish between the controller and AP, but they are short lived and the provisioning process fails and starts over.
The AP should grab a DHCP address if it has no config. You don't assign IP addresses to the SSIDs, they are purely Layer 2. It's coming back to me now, the AP will do untagged for its management network (via DHCP by default). For your SSIDs you just pick the VLAN tag to stick on that SSID.
Just saw this thread - would have saved a bunch of time. Currently, UAPs cannot be managed via tagged VLAN. For the port the UAP is on, set the management network as the PVID for that port, tag the VLANs you want to assign to your SSIDs.
So, on your switch, set port to trunk, untagged VLAN 248, tagged 24 and tagged 56. Use DHCP to reserve a static for your APs or use dynamic. Stuff works happily on dynamic as well. No need to create dummy SSIDs. From Ubiquiti's website: You can have upwards of one tagged VLAN per SSID, and 4 SSIDs per radio. You can set the VLAN that an SSID uses by going to Settings > Wireless Networks > Advanced Options.
The advanced options area is shown either when you create a new wireless network (SSID), or when you edit an existing SSID. You can use VLANs on standard or guest SSIDs. Currently the only VLAN you can't tag to an SSID is 1, although that may change in the future, once we expand the ability to define a management VLAN to all UAPs. (emphasis mine) I've set up a bunch of UAPs this way with no problems, specifically on SG300 switches.
Reset the UAP and start from scratch - might be easier.

The AP's MAC address only shows up on the untagged VLAN 248, and if I list the MAC addresses seen by the AP, using 'brctl showmacs br0', I can see MAC addresses from all the VLANs, not just those on VLAN 248. The AP can ping the controller, the controller can ping the AP.
I can ssh from a different network, to both devices.

Not sure what's going on here. Looks like you have broadcasts leaking across your VLANs?
Or you have a switch somewhere that is stripping VLAN tags? This could cause all sorts of weirdness.

Sg500#sh run int gi1/1/15
interface gigabitethernet1/1/15
 description 'Attic N Wall - 1 / unifi'
 lldp notifications enable
 lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
 lldp management-address automatic
 switchport trunk allowed vlan add 24,56
 switchport trunk native vlan 248
!

Sg500#sh run int gi1/1/36
interface gigabitethernet1/1/36
 description 'Living Room S Wall - 4 / wifi-ac'
 lldp notifications enable
 lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
 lldp management-address automatic
 switchport trunk allowed vlan add 24,56
 switchport trunk native vlan 248
!

The MAC addresses from all VLANs showing up on the AP's bridge interface is entirely an AP issue, in my opinion. The AP is connected to my sg500-52, via patch panel and in-wall CAT5 terminated on modular plugs then to a POE adapter and patch cable. No intermediate switch(es) to strip VLAN tags.
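The rules the thread converges on (management VLAN untagged on the AP's port because UAPs cannot be managed over a tagged VLAN, each SSID VLAN tagged, and VLAN 1 never tagged to an SSID) can be checked mechanically before an AP is plugged in. The following is an added example, not code from the thread or from Ubiquiti; it parses SG-style 'show run interface' output for both the 'general' and 'trunk' port styles quoted above (the sample configs are constructed from those posts) and reports anything that would break adoption.

```python
import re

# Constructed samples, modelled on the "general" and "trunk" port configs quoted in this thread.
GENERAL_PORT = """interface gigabitethernet1/1/36
 switchport general pvid 248
 switchport mode general
 switchport general allowed vlan add 24,56 tagged
 switchport general allowed vlan add 248 untagged
!"""
TRUNK_PORT = """interface gigabitethernet1/1/15
 switchport trunk allowed vlan add 24,56
 switchport trunk native vlan 248
!"""

def _vlans(spec):
    """Expand '24,56' or '24-26' into a set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_port(config):
    """Return (untagged, tagged) VLAN sets from SG-style 'show run interface' lines."""
    untagged, tagged = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"switchport (?:general pvid|trunk native vlan) (\d+)$", line):
            untagged.add(int(m.group(1)))            # PVID / native VLAN leaves the port untagged
        elif m := re.match(r"switchport general allowed vlan add ([\d,-]+) (tagged|untagged)$", line):
            (tagged if m.group(2) == "tagged" else untagged).update(_vlans(m.group(1)))
        elif m := re.match(r"switchport trunk allowed vlan add ([\d,-]+)$", line):
            tagged.update(_vlans(m.group(1)))       # trunk allowed list = tagged members
    # The native VLAN is carried untagged even if it also appears in the allowed list.
    return untagged, tagged - untagged

def check_uap_port(config, mgmt_vlan, ssid_vlans):
    """Apply the thread's rules: management untagged, SSID VLANs tagged, never VLAN 1."""
    untagged, tagged = parse_port(config)
    issues = []
    if mgmt_vlan not in untagged:
        issues.append(f"management VLAN {mgmt_vlan} is not untagged; UAPs cannot be managed over a tagged VLAN")
    for v in ssid_vlans:
        if v == 1:
            issues.append("VLAN 1 cannot be tagged to an SSID")
        elif v not in tagged:
            issues.append(f"SSID VLAN {v} is not tagged on this port")
    return issues
```

Both quoted ports (management VLAN 248, SSID VLANs 24 and 56) come back clean; a port whose native VLAN is left at 1 while 248 rides tagged is flagged, which is the condition that leaves the AP looping on provisioning.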