Hi Guys,
I have a UniFi controller installed in a jail on my FreeNAS server managing multiple sites. In general all is working well, just a couple of things I didn't manage to fix.
When I installed the UniFi controller I managed to open ports 8080, 8443, 8880, 8843 TCP on my ERL router, but when trying to open port 3478 UDP for STUN it won't work; it shows closed. It didn't bother me till now as I didn't get any errors. Since upgrading to version 5.6.24 the UniFi controller was programmed to show the STUN error "STUN Communication Failed" to anyone who has issues with that port or other related ones.
Running netstat -a shows the following output:
Code:
XXXX@UniFi:/ # netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address          (state)
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..52234   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.42833   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..41664   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..52829   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxx.50699       TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.52620   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.44089   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..48916   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.38351   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx-.35432   TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxx.42696       TIME_WAIT
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxxx.48963   TIME_WAIT
tcp4       0      0 UniFi.ssh              xxxxxxxxxxxxx.61382      ESTABLISHED
tcp4       0      0 UniFi.8443             xxxxxxxxxxxxx.61254      ESTABLISHED
tcp4       0      0 UniFi.8443             xxxxxxxxxxxxx.61217      ESTABLISHED
tcp4       0      0 localhost.27117        localhost.10243          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.60915          ESTABLISHED
tcp4       0      0 localhost.10243        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.60915        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.64528          ESTABLISHED
tcp4       0      0 localhost.64528        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.51572          ESTABLISHED
tcp4       0      0 localhost.51572        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.33415          ESTABLISHED
tcp4       0      0 localhost.33415        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.40737          ESTABLISHED
tcp4       0      0 localhost.40737        localhost.27117          ESTABLISHED
tcp4       0      0 UniFi.57802            xxxxxxxxxxxxxxxx.https   ESTABLISHED
tcp46      0      0 *.6789                 *.*                      LISTEN
tcp4       0      0 localhost.27117        localhost.41459          ESTABLISHED
tcp4       0      0 localhost.41459        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.14021          ESTABLISHED
tcp4       0      0 localhost.14021        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.28914          ESTABLISHED
tcp4       0      0 localhost.28914        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        localhost.16313          ESTABLISHED
tcp4       0      0 localhost.16313        localhost.27117          ESTABLISHED
tcp4       0      0 localhost.27117        *.*                      LISTEN
tcp4       0      0 UniFi.8080             xxxxxxxxxxxxxxx..41274   CLOSED
tcp46      0      0 *.8880                 *.*                      LISTEN
tcp46      0      0 *.8843                 *.*                      LISTEN
tcp46      0      0 *.8443                 *.*                      LISTEN
tcp46      0      0 *.8080                 *.*                      LISTEN
tcp4       0      0 *.ssh                  *.*                      LISTEN
tcp6       0      0 *.ssh                  *.*                      LISTEN
udp46      0      0 *.3478                 *.*
udp46      0      0 *.10001                *.*
udp4       0      0 UniFi.26905            *.*
udp4       0      0 *.syslog               *.*
udp6       0      0 *.syslog               *.*
I can see port udp46 3478 state is not listening, and port 8080 shows both waiting and closed state.
system.properties output shows the following:
Code:
GNU nano 2.8.7                 File: /usr/local/share/java/unifi/data/system.properties

## system.properties
#
# each unifi instance requires a set of ports:
#
## device inform
# unifi.http.port=8080
## controller UI / API
# unifi.https.port=8443
## portal redirect port for HTTP
# portal.http.port=8880
## portal redirect port for HTTPs
# portal.https.port=8843
## local-bound port for DB server
# unifi.db.port=27117
## UDP port used for STUN
# unifi.stun.port=3478
#
## the IP devices should be talking to for inform
# system_ip=a.b.c.d
## disable mongodb journaling
# unifi.db.nojournal=false
## extra mongod args
# unifi.db.extraargs
#
## HTTPS options
# unifi.https.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
# unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello
# unifi.https.hsts=false
# unifi.https.hsts.max_age=31536000
# unifi.https.hsts.preload=false
# unifi.https.hsts.subdomain=false
#
# Ports reserved for device redirector. There is no need to open
# firewall for these ports on controller, however do NOT set
# controller to use these ports.
#
# portal.redirector.port=8881
# portal.redirector.port.wired=8882
#
# Port used for throughput measurement.
# unifi.throughput.port=6789
#
#Wed Nov 22 13:37:16 UTC 2017
is_default=false
unifi.stun.port=3478
As you can see, I only uncommented 3478, as all the others were working as expected as far as I know:
Code:
unifi.stun.port=3478
First, does anyone have an idea why I can't open port 3478, and second, how to fix the STUN error?
Do I need to add new firewall or NAT rules? (see config below)
I must also mention the other issue: I'm unable to use the UniFi mobile app cloud access remotely. On the app I can see the server online, but when I try to go in it hangs on "requesting SDP offer". No problem using the UniFi app when I'm on my LAN.
Other information that might be related:
- I'm able to log in remotely to the UniFi controller via browser and adopt APs via L3
- ERL config:
Code:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Invalid WAN networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired network to other networks."
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired network to router."
    }
    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "rate limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
    }
    name WLAN_IN {
        default-action accept
        description "Wireless network to other networks"
    }
    name WLAN_LOCAL {
        default-action accept
        description "Wireless network to router."
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address A.B.C.D/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address A.B.C.D/24
        description "Wireless LAN"
        duplex auto
        firewall {
            in {
                name WLAN_IN
            }
            local {
                name WLAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    rule 1 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8080
        }
        original-port 8080
        protocol tcp
    }
    rule 2 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8443
        }
        original-port 8443
        protocol tcp
    }
    rule 3 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8880
        }
        original-port 8880
        protocol tcp
    }
    rule 4 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 8843
        }
        original-port 8843
        protocol tcp
    }
    rule 5 {
        description "Unifi Controller"
        forward-to {
            address A.B.C.D
            port 3478
        }
        original-port 3478
        protocol udp
    }
    wan-interface eth2
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name wired-eth0 {
            authoritative enable
            description "Wired Network - Eth0"
            subnet A.B.C.D/24 {
                default-router A.B.C.D
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                ntp-server A.B.C.D
                start A.B.C.100 {
                    stop A.B.C.240
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth2 {
                service dyndns {
                    host-name XXXXXXXXXXXX
                    login XXXXXXXXXXXX
                    password ****************
                    protocol noip
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        listen-address A.B.C.D
        listen-address A.B.C.D
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "WAN MASQ"
            log disable
            outbound-interface eth2
            protocol all
            type masquerade
        }
    }
    upnp {
        listen-on eth0 {
            outbound-interface eth2
        }
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name EdgeRouter
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}
Thank you
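Added example (editor's addition, not part of the post above and not Ubiquiti's or UniFi's code). UDP has no LISTEN state: the `udp46 *.3478 *.*` line in the netstat output only says the controller has bound the port inside the jail, and a TCP-style "open/closed" port check cannot tell you whether a UDP service is reachable. The check that actually matters is the one the access points perform: send an RFC 5389 STUN Binding Request to UDP 3478 and see whether a Binding Response with an (XOR-)MAPPED-ADDRESS comes back. The script below does exactly that, and also encodes the server side of the exchange so the parser can be exercised offline against a constructed reply. It assumes the controller's STUN service answers standard Binding Requests (an assumption, labelled as such in the code) and takes the target host and port as hypothetical command-line arguments.

```python
"""Minimal RFC 5389 STUN Binding probe over IPv4.

Added example for the thread above; not UniFi's or Ubiquiti's code.
Assumes the UniFi STUN service answers a standard Binding Request.
Usage:  python3 stun_probe.py <host> [port]
"""
import os
import socket
import struct
import sys

STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_RESPONSE = 0x0101
STUN_MAGIC_COOKIE = 0x2112A442
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Return (20-byte Binding Request, transaction ID); random ID if none given."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid, txid


def build_binding_response(txid, ip, port):
    """Server side of the exchange: a Binding Response carrying XOR-MAPPED-ADDRESS
    for an IPv4 client seen as ip:port. Used here to build a constructed sample
    reply for offline testing of the parser."""
    x_port = port ^ (STUN_MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0x01, x_port, x_addr)
    header = struct.pack("!HHI", STUN_BINDING_RESPONSE, len(attr), STUN_MAGIC_COOKIE)
    return header + txid + attr


def parse_binding_response(data, txid):
    """Check that `data` is a Binding Response to `txid` and return the reflexive
    (ip, port) it reports, preferring XOR-MAPPED-ADDRESS over MAPPED-ADDRESS.
    Raises ValueError for anything that is not a valid answer to our request."""
    if len(data) < 20:
        raise ValueError("datagram shorter than the 20-byte STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not RFC 5389 STUN")
    if data[8:20] != txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if msg_type != STUN_BINDING_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    if len(data) < 20 + msg_len:
        raise ValueError("attributes truncated")
    body = data[20:20 + msg_len]
    mapped = xor_mapped = None
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("attribute length overruns message")
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or attr_len < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        if family != 0x01:  # 0x01 = IPv4; IPv6 addresses are ignored by this probe
            continue
        addr = struct.unpack("!I", value[4:8])[0]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            addr ^= STUN_MAGIC_COOKIE
            xor_mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        else:
            mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    result = xor_mapped or mapped
    if result is None:
        raise ValueError("response carries no (XOR-)MAPPED-ADDRESS")
    return result


def probe_stun(host, port=3478, timeout=2.0):
    """Send one Binding Request to host:port over UDP. Returns the reflexive
    (ip, port) on success, None if nothing usable came back before the timeout
    (packet dropped, forward missing, or no STUN server behind the port)."""
    request, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except (socket.timeout, ConnectionResetError):
            # an ICMP port-unreachable surfaces as a reset on some platforms
            return None
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 3478
    seen = probe_stun(target, target_port)
    if seen is None:
        print("no STUN reply from %s:%d (dropped, not forwarded, or not STUN)" % (target, target_port))
    else:
        print("STUN OK: %s:%d sees this client as %s:%d" % (target, target_port, seen[0], seen[1]))
```

Run it twice to split the problem in two: once from inside the LAN against the jail's own address (does the controller answer at all, i.e. is the jail's network stack delivering UDP to it), and once from a host outside the LAN, such as a phone hotspot, against the WAN address (is the ERL forwarding UDP 3478 end to end). A reply from the first run but not the second points at the router path; no reply from either points at the jail. The returned reflexive address is also a quick way to see which public address the controller's STUN server thinks a remote device has.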