Today I happened to be getting a Ubiquiti U6-AP-Pro delivered and after yesterday’s stressful, but eventually successful, VLAN setup, I was destined to get VLANs on my Wi-Fi going. Thankfully, for better or for worse, the UniFi Network Application kind of abstracts a lot of the work away.
However, first I needed to get the UniFi Network Application. To do this, I just spun up an LXC container with Docker installed. The docker-compose.yml file looks something like this:

```yaml
version: "3.8"

volumes:
  config:

services:
  unifi-controller:
    image: lscr.io/linuxserver/unifi-controller:latest
    container_name: unifi
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - config:/config
    ports:
      - 443:8443        # web admin UI, published on 443 instead of 8443
      - 3478:3478/udp   # STUN
      - 10001:10001/udp # AP discovery
      - 8080:8080       # device communication (inform)
      - 1900:1900/udp   # L2 discovery
      - 8843:8843       # guest portal HTTPS redirect
      - 8880:8880       # guest portal HTTP redirect
      - 6789:6789       # mobile throughput test
      - 5514:5514/udp   # remote syslog
    restart: unless-stopped
```
This is basically an exact copy of the docker-compose.yml that Linuxserver gives, except I map port 8443 to 443 just so I don’t see the dangling port in my web browser. It’s also important you do not remap any of the other ports as they are hard-coded into Ubiquiti devices.
If you’re running this in Docker like I am, one important setting to change is in Settings -> System: scroll all the way down to the bottom and look for Override Inform Host (for me it was the last setting). You’ll want to enable this and then give it the local IP of your Docker host. Otherwise the controller advertises the container’s internal address to devices, which they cannot reach. If you do not change this you will not be able to adopt any UniFi devices.
VLANs are pretty simple in UniFi controller with the U6-AP-Pro as when you assign it in the interface it’s not dumb like I am and already knows to give itself a trunk port.
First go to Settings -> Networks and you’ll want to click the button that says Create New Network
- Give your network a name
- Now if you’re like me and don’t have a UniFi OS console (I run an OPNsense router) you’ll want to check the
- Give it a VLAN ID
- Enable IGMP Snooping or DHCP guarding if you’d like
and then click
Now you should see it listed in your
Next go to Settings -> WiFi and click Create New WiFi Network.
- Give your WiFi Network a name, this will be the broadcast SSID
- Give it a password
- For Network, select the new Network you just created
- Select which Access Points you want to have this network (for me I only have one so I clicked
Now this is all you need for a basic set up but I’m going to go ahead and add a Guest Portal for fun.
Now, I don’t *need* a guest portal, but because it’s my network and I like to experiment, I set one up anyway.
To begin, scroll down to
- Switch from
- If you want to limit guests to 2.4GHz you can do that here, you can also set bandwidth limits later on
WiFi Type, select
This is all the configuration that needs to be done here, but there are plenty more settings like Client Device Isolation you can go tweak later on.
Now you can click the Guest Hotspot Profile link and it will open in a new tab. You can go back to the New WiFi Network tab and click Add WiFi Network. Now migrate back to the Guest Hotspot tab.
To begin, select an Authentication Type; here I’ve selected Password to have a simple password. There are several types to choose from, even a payment-based authentication if you wanted to charge your friends and family to use your internet.
Next, turn the Guest Landing Page on. The preview feature for this is really great in my opinion. Go through and set it how you want it to look and then once you get to the Advanced tab, switch to manual.
Set your expiration time. Configure any languages. Here I’ve set it to use a custom domain, guest.example.com. Now you’ll need to make sure you have a local DNS server that will return a response for this domain, and this response needs to either point at your UniFi Network Application server or in my case, a proxy that points to it. Also you will have to ensure that your firewall rules allow your VLAN access to these devices.
Unfortunately UniFi hard-codes the 8843 port into the guest landing page redirect, even if you use a custom domain, so you need to make sure if you’re using a proxy that it binds 8843.
Now I’m not 100% sure this is necessary but I’ve added my proxy as an Allowed Authorization Access IP. The reason why I’m not sure is because my proxy is actually run on my gateway.
Apply Changes and you should be all set.
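To check the DNS and firewall requirements for the guest portal from a client on the guest VLAN, here is an added example (not part of the original post). It confirms that guest.example.com resolves to the portal address and that 8843 is reachable. It also flags the admin UI (443) and inform (8080) ports from the compose file if guests can reach them. That policy and the 192.0.2.10 address are assumptions of this example.

```python
import socket

# Ports come from the compose file above; which ones guests may reach is this example's assumption.
PORTAL_PORTS = {8843}        # guest portal HTTPS, hard-coded into the redirect
MGMT_PORTS = {443, 8080}     # web admin UI (8443 published as 443) and device inform


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve(name):
    """Return the sorted IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(portal_name, expected_ip, resolver=resolve, prober=probe):
    """Run from a guest VLAN client; returns a list of findings (empty means OK)."""
    findings = []
    addrs = resolver(portal_name)
    if expected_ip not in addrs:
        findings.append(f"DNS: {portal_name} -> {addrs or 'no answer'}, expected {expected_ip}")
        return findings  # port checks are meaningless without the right address
    for port in sorted(PORTAL_PORTS):
        if not prober(expected_ip, port):
            findings.append(f"BLOCKED: portal port {port} unreachable from guest VLAN")
    for port in sorted(MGMT_PORTS):
        if prober(expected_ip, port):
            findings.append(f"EXPOSED: management port {port} reachable from guest VLAN")
    return findings


if __name__ == "__main__":
    # guest.example.com is the page's domain; 192.0.2.10 is a placeholder address.
    for line in audit("guest.example.com", "192.0.2.10") or ["OK"]:
        print(line)
```

Replace the placeholder with the address your DNS server should return for the portal (the controller or the proxy in front of it).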