Unifi APs, switch and untangle

Tech Savvy

Hello fellow nibblers!

I’ve been racking my brain trying to get this setup correctly. The problem is the WiFi keeps dropping connection and for long periods of time (the WiFi is dropped more than it’s even active). The setup is pretty standard, but I’ll explain it in detail anyway:


Untangle UTM in router mode. Has 4 LAN ports:
- OUTSIDE - static ip from ISP
- INSIDE - 10.10.0.0/24 for all inside network devices (printers, computers, time clock tablet)
- VOIP - 10.20.0.0/24 for phones
- GUEST - 192.168.0.0/24 for guest WiFi

In addition to the physical interfaces I have VLANs setup:
VLAN ID 100 Bridges to INSIDE
VLAN ID 101 Bridges to VOIP
VLAN ID 102 Bridges to GUEST

Currently the firewall is left at defaults in order to simplify setup and rule out config problems on the Untangle.

DHCP is set up for each network on the untangle with the first 99 addresses removed from the pool for static assignment.

The wiring is like this (if I was on a computer I’d make a diagram, I need to do it anyway for documentation, but for now I think this will be okay).

Untangle
Port 1 (outside) cable modem
Port 2 (inside) unifi switch
Port 3 (VoIP) netgear dummy switch
Port 4 (guest) same unifi switch


This is the second time I’m using a unifi switch, so bear with me.

The unifi switch’s MGMT network is set to Corporate for the network 10.10.0.0/24

The unifi switch has VLAN Only networks for INSIDE(100) and GUEST(102)

The unifi switch’s management network is set to MGMT

The unifi switch has the following port assignments where the profile is in parentheses:
- 1 uplink to INSIDE (All)
- 1 uplink to GUEST (All)
- 1 cloud key (INSIDE)
- 3 APs (All)
- all other ports (INSIDE)

Originally I had the uplinks INSIDE/GUEST only but it wouldn’t work when I set them that way. Normally with a Cisco switch I set the uplinks as access ports since I have dedicated physical interfaces to the firewall.

The APs are set to broadcast 2 SSIDs, one for guest and one for inside.

I increased the DTIM value to 3 to help with the time clock tablet (iPad).

Any change I make with the cloud key results in a never ending provisioning loop of the APs or switch, and will continue until I restart the cloud key, but even after restart and unplug of the cloud key, WiFi isn’t stable.

All computers hard wired into the unifi switch work fine.

Cables are new, shielded, and tested.

When WiFi isn’t working it keeps saying password is incorrect. Even though it definitely is correct. And that’s on either network, guest or inside.

No old APs on the network. I’ve unplugged all APs except for one and the problem still exists even after swapping cable and AP.

I’m out of ideas and it’s going on day 3! What can I do? And if there is a unifi/untangle pro that wants to just take this mess off my hands and take it on as a sub please be my guest and pm me!

Sent from my iPhone using Tapatalk
 
When WiFi isn’t working it keeps saying password is incorrect. Even though it definitely is correct. And that’s on either network, guest or inside.
Had a problem like that a while back. UniFi AP would say password incorrect although I knew it was right. Took the AP home and it worked fine. But back at client’s office it would complain about the password being wrong, even though that AP and my laptop worked fine at home. But that AP and my laptop at their office was not.

I had some help in the process. In the end we decided that there were too many APs from a different company on an adjacent floor.
 
Try changing the channel of the AP?

I would also try removing the password from the AP and see if you can connect as an open network.

I've also had a few instances where a unifi AP didn't get the password update correctly from the controller and had to be reset and readopted to the controller

Sent from my SM-G870W using Tapatalk
 
We do a LOT of "Untangle at the edge, Unifi (and Edge) on the inside" setups. I love taking the additional interfaces Untangle units have and using them for separate internal networks. Don't forget to add the filter rule to keep traffic from crossing internal networks....by default devices on different internal networks can talk across the networks to each other.

What I usually do though, I don't use Untangle's VLAN support to tag the VLANs, I just create different networks via the multiple ETH interfaces. And then on the switch port that faces that ETH interface, I UNtag that VLAN in that switch port, and I exclude the other VLANs. Although technically it should work having Untangle manage the top of the VLANs via its tagged support.

Now...the management VLAN for Unifi. I LOOOOOVE Ubiquiti and their products, but probably my only gripe with the Unifi system is...the "pain in the butt" stuff that happens when you try to do the best practice of changing the management to a non default VLAN. I tried this on a fairly complex network about a year ago....a 7 port Untangle beast with about 8 Unifi switches and around 20x APs. Back then...experienced peeps in the Unifi forums were generally saying it's "not quite cooked yet...don't bother". I appeared to have it working (while configuring it all at our office)...but I got to thinking about trying to troubleshoot things long distance afterwards, or what about replacing devices...the steps in adopting new devices as you can't set its management VLAN ahead of time. So I chickened out and reverted it back to default VLAN for management.

Unifi does do things "oddly" in how you manage VLANs with the ports. It's better to do it by creating and applying "profiles".

In re-reading your post..it looks like you're not trying to put the Unifi network on a network other than the primary one. So...it makes me ask "Why are you creating a VLAN 100..that's from what I can see...just behaving like your default network?" I'd skip creating VLAN100. It looks like it's for your usual network devices, and your Unifi controller. Just remove VLAN 100. Have that 10.10.0.0/24 network be your default corporate network in the Unifi controller.

FYI...when you're in the Unifi controller, and you're at the "Settings...Networks" section, where you see the default "LAN Corporate"...the reason you can edit that network and change its IP range is only for when you have a Unifi Security Gateway..that sets the gateway address and the DHCP scope for the USG. If you're using any other router and DHCP source...such as Untangle...you actually don't have to modify this at all. I still do, just for "appearance"..but it technically has no functionality if you don't use a USG.

So for your Untangle box....assuming it has 4x ETH ports....
ETH0...WAN
ETH1...LAN
ETH2...VoIP
ETH3...WiFi Guest

In Unifi...I see 2x networks...optionally 3x networks.
LAN...Corporate...default. No VLAN ID. Can edit that subnet to 10.10.0.0/24 if you want for visual neatness
Guest..VLAN Only...VLAN 102

It appears you're not passing VoIP through the Unifi switch so you can avoid using it, although you could toss the Netgear switch and create a VLAN in Unifi for VoIP..it supports LLDP-MED so most current generation VoIP phones will auto discover the voice VLAN that you define in Unifi via LLDP-MED and jump on the correct VLAN.
So you could create a 3rd network in Unifi...a VoIP network, VLAN 101. You define the voice network in profiles.

On the Unifi switch port facing ETH1 in Untangle...just have LAN profile assigned to it, which will exclude VLAN 101 and 102.
On the Unifi switch port facing ETH2 in Untangle...just have a VoIP profile assigned to it (basically untag VLAN 101)
On the Unifi switch port facing ETH3 in Untangle, just have the Wifi Guest profile assigned to it (basically untag VLAN 102)

I suspect the lack of connectivity for wifi clients is due to the APs being paused while in the provisioning loop.
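The design in the reply above comes down to two rules: each Untangle ETH interface owns exactly one subnet, and the switch port facing that interface carries only that subnet, untagged, with nothing tagged toward it. The following is an added example, not Untangle's or Ubiquiti's code, that models a port-profile plan and checks those rules; it reproduces the thread's original layout (VLANs bridged on the Untangle plus "All" trunk uplinks) and the recommended layout as constructed inputs. Network, profile and port names are assumptions made for the example.

```python
"""Sanity-check a Unifi-style port-profile plan against the router's interfaces.

Added example (not the thread's, Untangle's or Ubiquiti's code). Rule 1: every
subnet terminates on exactly one router interface. Rule 2: an uplink port that
faces a single-subnet interface carries that subnet untagged and tags nothing.
All names, subnets and port numbers below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Network:
    name: str
    subnet: str
    vlan: Optional[int] = None         # None = carried untagged as the default LAN


@dataclass(frozen=True)
class Profile:
    name: str
    native: str                        # network name carried untagged on the port
    tagged: frozenset = frozenset()    # network names carried tagged (trunk)


@dataclass(frozen=True)
class Port:
    number: int
    profile: str
    faces: str = ""                    # router interface this port uplinks to; "" = edge port


def check_plan(networks, router_ifaces, profiles, ports):
    """Return a list of findings; an empty list means the plan is consistent.

    router_ifaces maps an interface name to the subnet it routes; a name like
    "ETH1.100" stands for VLAN 100 bridged onto ETH1 (the Untangle VLAN setup).
    """
    findings = []
    by_name = {n.name: n for n in networks}

    # Rule 1: a subnet with two termination points has two gateways fighting over it.
    terminations = {}
    for iface, subnet in router_ifaces.items():
        terminations.setdefault(subnet, []).append(iface)
    for n in networks:
        ifs = terminations.get(n.subnet, [])
        if len(ifs) != 1:
            findings.append(f"{n.name} ({n.subnet}): terminates on {ifs}, expected exactly one interface")

    # Rule 2: the uplink must be an access-style port matching the facing interface.
    for p in ports:
        if not p.faces:
            continue
        prof = profiles[p.profile]
        expected = router_ifaces[p.faces]
        if by_name[prof.native].subnet != expected:
            findings.append(f"port {p.number} -> {p.faces}: untagged {prof.native} does not match {expected}")
        if prof.tagged:
            findings.append(f"port {p.number} -> {p.faces}: profile '{prof.name}' tags {sorted(prof.tagged)} toward a single-subnet interface")
    return findings


def original_plan():
    """Constructed model of the thread's starting layout: VLANs bridged on Untangle, 'All' uplinks."""
    networks = [Network("MGMT", "10.10.0.0/24"), Network("INSIDE", "10.10.0.0/24", 100),
                Network("GUEST", "192.168.0.0/24", 102)]
    router_ifaces = {"ETH1": "10.10.0.0/24", "ETH1.100": "10.10.0.0/24",
                     "ETH2": "10.20.0.0/24", "ETH2.101": "10.20.0.0/24",
                     "ETH3": "192.168.0.0/24", "ETH3.102": "192.168.0.0/24"}
    profiles = {"All": Profile("All", "MGMT", frozenset({"INSIDE", "GUEST"})),
                "INSIDE": Profile("INSIDE", "MGMT")}
    ports = [Port(1, "All", faces="ETH1"), Port(2, "All", faces="ETH3"),
             Port(3, "INSIDE"), Port(4, "All"), Port(5, "All"), Port(6, "All")]
    return networks, router_ifaces, profiles, ports


def fixed_plan():
    """Constructed model of the recommended layout: one untagged network per ETH interface."""
    networks = [Network("LAN", "10.10.0.0/24"), Network("GUEST", "192.168.0.0/24", 102)]
    router_ifaces = {"ETH1": "10.10.0.0/24", "ETH2": "10.20.0.0/24", "ETH3": "192.168.0.0/24"}
    profiles = {"LAN": Profile("LAN", "LAN"),
                "GUEST": Profile("GUEST", "GUEST"),              # VLAN 102 untagged, nothing else
                "AP": Profile("AP", "LAN", frozenset({"GUEST"}))}  # APs need guest tagged
    ports = [Port(1, "LAN", faces="ETH1"), Port(2, "GUEST", faces="ETH3"),
             Port(3, "LAN"), Port(4, "AP"), Port(5, "AP"), Port(6, "AP")]
    return networks, router_ifaces, profiles, ports


if __name__ == "__main__":
    for label, plan in (("original", original_plan()), ("fixed", fixed_plan())):
        print(f"== {label} plan ==")
        for f in check_plan(*plan) or ["ok"]:
            print("  ", f)
```

Running it lists six findings for the original layout (each subnet terminating on both the physical interface and its bridged VLAN, the trunk profile on both uplinks, and the guest uplink's untagged network mismatching ETH3) and none for the recommended one; the AP ports still carry the guest VLAN tagged, since they are edge ports rather than uplinks to a single-subnet interface.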
 
Do you have the ssids associated with a VLAN?

Sent from my SM-G870W using Tapatalk

Yes inside has 100 and guest has 102

What do the logs say?

Which logs do you want to see? Switch? APs? or cloud key? Or all three? :) when it’s in the provisioning loop I can’t ssh in to pull the logs.

In the controller, there aren’t any events other than “device xxx disconnected” and “device yyy connected”.


Try changing the channel of the AP?

I would also try removing the password from the AP and see if you can connect as an open network.

I've also had a few instances where a unifi AP didn't get the password update correctly from the controller and had to be reset and readopted to the controller

Sent from my SM-G870W using Tapatalk

I’ll try this but idk if that would help me. I think the incorrect password thing is a symptom, but not the root cause. But hey, I’ll try anything at this point. Lol


Sent from my iPhone using Tapatalk
 
We do a LOT of "Untangle at the ege, Unifi (and Edge) on the inside" setups.

....

I suspect the lack of connectivity for wifi clients is due to the APs being paused while in the provisioning loop.

I’m going to try this adjustment tonight! And post back. Thank you for the detailed response!!



Sent from my iPhone using Tapatalk
 
On the Unifi switch port facing ETH1 in Untangle...just have LAN profile assigned to it, which will exclude VLAN 101 and 102.
On the Unifi switch port facing ETH2 in Untangle...just have a VoIP profile assigned to it (basically untag VLAN 101)
On the Unifi switch port facing ETH3 in Untangle, just have the Wifi Guest profile assigned to it (basically untag VLAN 102)

I tried this first, but I didn’t get it to work until I tagged the VLAN at the untangle. But that makes sense and since the two uplinks from the unifi to the untangle are trunk ports maybe it’s flip flopping between networks and constantly reprovisioning. I’m excited this setup seems promising to me! :D



Sent from my iPhone using Tapatalk
 
The vlans were probably still tagged on the switch port facing Untangle...so didn't have a termination point.

This worked perfect!! Removed the VLANs from untangle, removed the INSIDE VLAN Only network from the unifi, set the ports to use the LAN network only. Made the uplink of the inside net to the untangle to LAN network, made the uplink of the guest network to GUEST only, and set APs inside SSID to not use a VLAN! And voila! It works!!

Thank you so much!!! It makes so much sense now! Much appreciated!!
 