Adding Unifi device discovery policy

Hello

I have a site which has a Unifi switch talking to a cloud controller. I am having trouble with adding further unifi devices and suspect it is down to a firewall policy.

Port 8080 needs to be open for the UniFi devices to speak to the controller for adoption. When I select TCP on the policy type it doesn't give an option to change the port from 0.

Just now I can SSH into the AP and can apply the inform command to point it to the cloud controller, but it's not getting through.

Can anyone advise the appropriate policy to allow this please?

I realise the WG uses port 8080 for web UI. Could this be a problem or can port be used for both?

Comments

  • "When I select TCP on the policy type it doesn't give an option to change port from 0."
    Where are you doing this?
    Using Policy Manager or the Web UI?
    What XTM version do you have?

    Yes you can use TCP port 8080 for more than 1 thing.

  • Hi Bruce

    I'm using web UI and the "add firewall policy" page.

    Version showing as 12.5.2.B608341, device is M470.

  • james.carson Moderator, WatchGuard Representative

    Hi @Flexifi

    If you're seeing TCP port 0, that means -any- tcp port. You're likely using an Any policy of some type. Try making a new custom policy.
    (In policy manager under Edit -> add policy, and click NEW under custom. In WebUI, it's under firewall policies, click ADD, and under custom click NEW.)

    By default, the firewall allows port 8080 outbound -- so unless the UniFi devices need 8080 forwarded back to them (like a port forward, which likely isn't the case, because you can only do that from your external to one of them) that should be sufficient.

    If the UniFi devices are trying to use UPnP to open ports, that won't work on WatchGuard firewalls. You'll need to forward the ports manually via Static NAT.

    -James Carson
    WatchGuard Customer Support

  • edited March 2020

    EDIT: Ignore this message. I mis-read the original post.

    I change all of my Firebox web UI setting to port 8888 for this very reason. Then I create the necessary TCP 8080 and UDP 3478 (STUN) needed by UniFi access points.

    Gregg Hill

  • Gregg, can you explain the issue with keeping TCP port 8080 for the UniFi port?

  • @Greggmh123 said:
    I change all of my Firebox web UI settings to port 8888 for this very reason. Then I create the necessary TCP 8080 and UDP 3478 (STUN) needed by UniFi access points.

    Hi Gregg, thanks for this.

    Could you share the policies you have added please?

  • Bruce,

    For basic connectivity to the UniFi controller, UniFi wireless access points (and likely other devices) make their calls back to the controller on TCP port 8080 and UDP port 3478.

    The problem with leaving a Firebox's web UI listening on port 8080 is that if the UniFi access points are outside of one's LAN (for example, my clients' UniFi access points phoning home to my controller behind my Firebox), then when they try to phone home they would hit the Firebox listening on 8080, and they would not show up in the controller.

    It is FAR BETTER to change the Firebox to listen on 8888 than it is to try to mess with every installed UniFi access point.

    If one has no external UniFi devices phoning home to a controller behind a Firebox, then there is no reason to change the Firebox's listening port. Leave it on 8080. I change ALL of my Fireboxes to 8888 just so that I can remember the web UI port on the RARE occasion that I need to use it, and to make my outbound rules easier/cleaner.

    Gregg Hill

  • Flexifi,

    I just re-read the original post. I thought you had a controller behind a Firebox and external UniFi devices needed to reach that controller. If that were the case, the Firebox listening on port 8080 would be a problem. UniFi makes a "Cloud Key" controller, and that is what my brain was thinking, i.e., you had a Cloud Key behind a Firebox that your UniFi devices were trying to reach.

    HOWEVER, in your situation where you just need 8080 going OUT to a cloud controller, then the Firebox listening on TCP 8080 is NOT a problem.

    Create a policy to allow TCP 8080 and UDP 3478 outbound to the IP or FQDN (better!) of the cloud controller. That should be all you need for adoption and monitoring.

    Gregg Hill
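An added example, not part of the thread and not code from WatchGuard or Ubiquiti: a small Python probe to run from a host on the same side of the Firebox as the AP, to confirm that the two flows the reply above describes (TCP 8080 to the controller for the inform channel, UDP 3478 for STUN) actually pass the new policy before you issue `set-inform` on the AP. The TCP probe is a plain connect; the UDP probe sends a real RFC 5389 STUN Binding Request and only accepts a Binding Success Response that echoes its transaction ID. The controller hostname you pass in is your own (none is assumed here), and the two `start_local_*` helpers are constructed local stand-ins for the controller so the probes can be exercised offline.

```python
import os
import socket
import struct
import threading

# Ports the thread says UniFi devices use to reach the controller:
# TCP 8080 for the inform/adoption channel, UDP 3478 for STUN.
INFORM_PORT = 8080
STUN_PORT = 3478

# RFC 5389 STUN header: type, length, magic cookie, 12-byte transaction id.
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER = struct.Struct("!HHI12s")


def check_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes. A policy that drops
    the traffic shows up as a timeout, a reject or closed port as a
    connection error; both mean no inform channel, so both return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_stun_binding_request(txid=None):
    """Minimal 20-byte STUN Binding Request (no attributes needed for a probe)."""
    return STUN_HEADER.pack(STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE,
                            txid if txid is not None else os.urandom(12))


def parse_stun_header(data):
    """Return (type, length, txid), or None if the datagram is not STUN."""
    if len(data) < STUN_HEADER.size:
        return None
    msg_type, length, cookie, txid = STUN_HEADER.unpack(data[:STUN_HEADER.size])
    return (msg_type, length, txid) if cookie == STUN_MAGIC_COOKIE else None


def check_stun(host, port, timeout=3.0):
    """Send a Binding Request and accept only a Binding Success Response that
    echoes our transaction id. UDP has no handshake, so a dropped packet
    surfaces as a timeout and returns False."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_stun_binding_request(txid), (host, port))
            data, _ = s.recvfrom(2048)
        except OSError:
            return False
    hdr = parse_stun_header(data)
    return hdr is not None and hdr[0] == STUN_BINDING_SUCCESS and hdr[2] == txid


def preflight(host, inform_port=INFORM_PORT, stun_port=STUN_PORT, timeout=3.0):
    """Run both probes; only apply inform_url on the AP if tcp_inform is True."""
    return {
        "tcp_inform": check_tcp(host, inform_port, timeout),
        "udp_stun": check_stun(host, stun_port, timeout),
        "inform_url": "http://%s:%d/inform" % (host, inform_port),
    }


# Constructed local stand-ins for the controller so the probes run offline.
def start_local_tcp_listener():
    """Accept-and-close listener on 127.0.0.1; returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:
                return  # listener shut down by stop()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes accept() and stops listening
        except OSError:
            pass
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def start_local_stun_responder():
    """Fake STUN server answering Binding Requests; returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return
            hdr = parse_stun_header(data)
            if hdr and hdr[0] == STUN_BINDING_REQUEST:
                srv.sendto(STUN_HEADER.pack(STUN_BINDING_SUCCESS, 0,
                                            STUN_MAGIC_COOKIE, hdr[2]), peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close
```

Usage: call `preflight("your.controller.fqdn")` from a LAN host; if `tcp_inform` is False the policy is still blocking the adoption channel (a timeout points at a drop, an immediate error at a reject or a wrong port), and the `inform_url` it returns is the value to give to `set-inform` on the AP once the TCP probe passes. The STUN probe checks the transaction ID on the reply so that a stray or spoofed datagram on UDP 3478 is not mistaken for the controller answering.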
