Today is part 2 on our series about setting up a Ubiquiti EdgeRouter X and access point. The audio portion of this episode covers the following topics:
1. Creating true VLAN isolation
I made a boo-boo last week in that my setup did not create true VLAN isolation. The way I fixed it was to create a new 192.168.3.x network, assign VLAN 3 to it, and then pass it out of port 4 (where the AP is connected) of the Edge Router X.
However, the good news is that Ubiquiti has a great KB article to create VLAN isolation. Follow that and you’ll be good to go.
2. Setting up a managed wireless controller
If you want to use a guest network with a voucher system, you need to either be running the UniFi controller software on a machine at all times, or host it in the cloud.
What I did is picked up some cheap VMs from CloudAtCost and then installed the UniFi software (following this article) on a Ubuntu VM I created.
What I found is that after I installed the software, the UniFi ports were not open and listening properly. I had missed implementing the loopback firewall rule, and I also recommend inserting some additional firewall rules so only your public IP can talk to the controller. Here’s what my base ruleset looks like:
sudo apt-get install iptables-persistentsudo service iptables-persistent startsudo iptables -Fsudo iptables -A INPUT -i lo -j ACCEPTsudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8081 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8880 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 8843 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 27117 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -A INPUT -s my.public.ip.address -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTsudo iptables -P INPUT DROPsudo iptables-save > /etc/iptables/rules.v4
3. Point your AP to the cloud-hosted controller
Once my Ubuntu cloud-hosted UniFi controller was setup, I went through the basic setup of the AP, I SSH’d in and pointed the controller to be "adopted" by following this article. The key commands are:
set-inform http://ip.address-of.my-cloud.controller:8080/inform
Then, you log into your cloud-hosted controller, and follow the instructions to setup a guest access point with a voucher system. Cool and nerdy = fun! 🙂
Edit: listener Mike suggested listeners check out this write-up on installing Unifi in the cloud as well, as it contains additional info on installing Fail2Ban and further protection of the login page if you wanted to leave it "open."
Share on socials: