====== Ubiquiti - Controller - Install Controller on Ubuntu 20.04 ======
===== Bash Install Script =====
<code bash>
# Scripted install of Unifi Server App on Ubuntu - recommended!
apt-get update; apt-get install ca-certificates wget -y
rm unifi-latest.sh &> /dev/null; wget https://get.glennr.nl/unifi/install/install_latest/unifi-latest.sh && bash unifi-latest.sh

# Enable automatic startup of Unifi controller service
sudo systemctl enable unifi
# For reference: how to disable auto-start
# sudo systemctl disable unifi

# Check if it's now auto-started upon reboots
systemctl is-enabled unifi
systemctl is-active unifi
</code>
<code bash>
# Manual install of Unifi Server App on Ubuntu - not 100% reliable
sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
sudo apt-get update
sudo apt-get update && sudo apt-get install unifi -y
sudo service unifi start
</code>
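Added example (not part of the original page): a key placed in /etc/apt/trusted.gpg.d is trusted for every configured repository, whereas a signed-by= option on the source entry scopes it to that one repository. The function below lists source entries that lack the option; the keyring path /usr/share/keyrings/unifi-repo.gpg and the file name unifi-scoped.list in the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example: find APT source entries that rely on the global trust store
# instead of a per-repository key (signed-by=).

# Print "file: line" for every active one-line deb/deb-src entry without signed-by=.
unscoped_sources() {
    local dir="$1" f line
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                deb*signed-by=*) ;;   # key is scoped to this repository
                deb\ *|deb-src\ *) printf '%s: %s\n' "${f##*/}" "$line" ;;
            esac
        done < "$f"
    done
}

# Constructed demo: the entry from this page beside a scoped variant.
# /usr/share/keyrings/unifi-repo.gpg is an assumed location for the downloaded key.
demo() {
    local d
    d="$(mktemp -d)"
    echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' \
        > "$d/100-ubnt-unifi.list"
    echo 'deb [signed-by=/usr/share/keyrings/unifi-repo.gpg] https://www.ui.com/downloads/unifi/debian stable ubiquiti' \
        > "$d/unifi-scoped.list"
    unscoped_sources "$d"
    rm -rf "$d"
}

demo
```

On a real host, call it as unscoped_sources /etc/apt/sources.list.d.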
<code bash>
# Redirect port 443 to the controller's default port 8443
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443 # How to remove a firewall NAT rule

# Deal with port 80
# sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 # In case of reversal

### Save configs with persistency upon reboots ###
# Install iptables persistence
sudo apt-get install iptables-persistent -y
# How to manually call iptables-persistent app
# sudo dpkg-reconfigure iptables-persistent

# Set iptables and persistence to autostart
sudo systemctl enable iptables
sudo systemctl enable netfilter-persistent

# Check firewall rules
iptables -L -n
</code>
<code bash>
# If not using ufw to set firewall rules, iptables can be edited directly with these commands
# It's advisable to use ufw as that is easier to admin
# Note that -I inserts the rule at the start of the chain, whereas -A appends it at the end
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT # Prevent issue with devices showing "Disconnected" after controller reboots
sudo iptables -I INPUT -p tcp --dport 8880 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 3478 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 10001 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 6666 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 47763 -j ACCEPT

# How to remove a rule
# sudo iptables -D INPUT -p <tcp|udp> --dport <port> -j ACCEPT

# Save existing rules
# Don't do this: sudo /sbin/iptables-save > /etc/iptables/rules.v4
# ERROR: -bash: /etc/iptables/rules.v4: Permission denied
# (the redirection is performed by the unprivileged shell, not by sudo)
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"
</code>
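Added example (not part of the original page): the ACCEPT rules above only restrict traffic if the INPUT chain has a DROP policy or a closing DROP/REJECT rule, which this page does not set. The function below reads iptables-save output such as /etc/iptables/rules.v4 and reports the filter-table INPUT policy and each ACCEPT rule that is open to any source; the sample dump is constructed, and the check assumes plain INPUT rules rather than ufw-managed chains.

```shell
#!/usr/bin/env bash
# Added example: audit iptables-save output (e.g. /etc/iptables/rules.v4).
# Reports the filter INPUT policy and ACCEPT rules with no source (-s) limit.
audit_input_rules() {
    awk '
        /^\*/ { table = substr($1, 2) }            # "*filter", "*nat", ...
        table != "filter" { next }                 # nat also has an INPUT chain
        /^:INPUT / { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            src = "any"; proto = "all"; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "DROP" || target == "REJECT") deny++
            if (target == "ACCEPT" && port != "" && src == "any")
                ports[++n] = proto "/" port
        }
        END {
            print "policy=" policy
            for (i = 1; i <= n; i++) print "open-to-any=" ports[i]
            if (policy == "ACCEPT" && deny == 0)
                print "warning=no DROP policy or rule, ACCEPT rules restrict nothing"
        }
    '
}

# Constructed sample dump mirroring a few rules from this page.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_input_rules
```

Against the live ruleset, run it as: sudo iptables-save | audit_input_rules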
----
===== Check status =====
<code bash>
systemctl status netfilter-persistent
</code>
Returns:
<code>
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: failed (Result: exit-code) since Tue 2020-11-24 15:48:27 PST; 14min ago
       Docs: man:netfilter-persistent(8)
    Process: 494 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
   Main PID: 494 (code=exited, status=1/FAILURE)

Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[504]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables >
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[507]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables >
</code>
----
===== Fix startup conflicts between iptables & netfilter-persistent =====
<code bash>
sudo systemctl edit netfilter-persistent.service
sudo vim /etc/systemd/system/netfilter-persistent.service.d/iptables.conf
</code>
<code ini>
### Verify this content ###
[Unit]
Conflicts=iptables.service ip6tables.service

### Modify content and save file ###
[Unit]
After=iptables.service ip6tables.service ufw.service
</code>
----
===== Check Firewall Rules =====
<code bash>
sudo iptables -L
sudo ip6tables -L
</code>
----
===== Optionally, disable ufw as it may conflict with iptables-persistent / netfilter-persistent =====
<code bash>
sudo ufw disable
</code>
----
===== Verify =====
Try to access the Unifi controller at both of these URLs:
* https://ip.of.your.server:8443
* https://ip.of.your.server
----
===== Backups =====
**NOTE:** Backup files are normally found at:
* /usr/lib/unifi/data/backup/autobackup/
* /usr/lib/unifi/data/backup/
----
===== References =====
https://unifi.ui.com/
https://network.unifi.ui.com/
https://www.ui.com/download/unifi/
https://help.ui.com/hc/en-us/articles/204952144-UniFi-How-can-I-restore-a-backup-configuration-
https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776