RackKing
Member Candidate
Topic Author
Posts: 254
Joined: Wed Oct 09, 2013 1:59 pm

Please check my FW rules for Unifi controller?

Sun Jun 09, 2019 5:16 pm

Hi, I have a Unifi controller behind a Mikrotik 3011 that works for my local gear. I want to add another site with APs that are at a friend's house. I got the port list from https://help.ubnt.com/hc/en-us/articles ... Ports-Used that need to be open.

Can someone confirm my firewall rules are configured correctly? The unifi server is at 192.168.254.12

/ip firewall filter
add action=accept chain=forward comment=\
    "Unifi TCP Ports" connection-nat-state=dstnat \
    connection-state=established,related dst-port=8080,8443,8880,8843,6789 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
    "Unifi UDP Ports" connection-nat-state=dstnat \
    connection-state=established,related dst-port=3478 in-interface-list=WAN \
    protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat comment="Unifi TCP Ports" dst-address=\
    x.x.x.x dst-port=8080,8443,8880,8843,6789 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.254.12
add action=dst-nat chain=dstnat comment="Unifi UDP Ports" dst-address=\
    x.x.x.x dst-port=3478 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.254.12
I believe this to be correct and I see some packets flowing, but the site is offline. I am just trying to narrow down the problem - so if anybody can confirm these are set up correctly I would appreciate it.
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: Please check my FW rules for Unifi controller?  [SOLVED]

Sun Jun 09, 2019 5:36 pm

You've mixed things together in the filter rules.

"action=accept connection-state=established,related" is used to accept packets belonging or related to already known connections, so in usual cases there should be no additional conditions in this rule. Rules following it are used to enable establishment of new connections. So you should use a separate rule with just "action=accept connection-nat-state=dstnat" to permit any incoming connection previously dst-nated by /ip firewall nat rules. As you've combined the conditions which "new" packets must meet in order to be accepted with a condition saying they must not be "new" in a single rule, no "new" packet will ever go through, so no connection will ever be initiated.

Plus whatever you do with the firewall must be done in the context of already existing firewall rules. So post the complete export, not just the part you think may be related. See the mini-howto in my automatic signature.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
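As an added illustration (not sindy's or the original poster's configuration), here is the forward-chain ordering described above written out in RouterOS export syntax. It assumes the WAN interface list from the original post, keeps the x.x.x.x placeholder for the public address, and shows only the forward and dstnat rules relevant to this thread, not a complete firewall:

```routeros
/ip firewall filter
# 1. Known connections first. No other conditions on this rule, so it
#    also matches return traffic of the dst-nated UniFi connections.
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
# 2. New connections arriving on WAN are accepted only if a rule in
#    /ip firewall nat has already dst-nated them (the UniFi ports below).
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="accept new dst-nated connections from WAN"
# 3. Any other new connection from WAN, i.e. one that did not match a
#    dst-nat rule, is dropped. The negation on connection-nat-state is
#    the same pattern the RouterOS default firewall uses.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop other new connections from WAN"

/ip firewall nat
# The port forwards from the original post, unchanged except for placement.
add chain=dstnat action=dst-nat comment="Unifi TCP Ports" dst-address=x.x.x.x \
    dst-port=8080,8443,8880,8843,6789 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.254.12
add chain=dstnat action=dst-nat comment="Unifi UDP Ports" dst-address=x.x.x.x \
    dst-port=3478 in-interface-list=WAN protocol=udp \
    to-addresses=192.168.254.12
```

The dst-nat rules decide which ports reach 192.168.254.12; the filter rules only decide whether a new, already-translated connection may pass, which is why rule 2 carries no port list of its own.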
 
RackKing
Member Candidate
Topic Author
Posts: 254
Joined: Wed Oct 09, 2013 1:59 pm

Re: Please check my FW rules for Unifi controller?

Sun Jun 09, 2019 6:01 pm

You've mixed things together in the filter rules.

As you've combined the conditions which "new" packets must meet in order to be accepted with a condition saying they must not be "new" in a single rule, no "new" packet will ever go through, so no connection will ever be initiated.

You are a scholar and a gentleman. That was the nudge I was looking for. I have that established,related rule above these. As usual, you were spot on.

I unchecked connection state established & related and left the connection-nat=dstnat. The moment I did that, packets matched and it started working.

I have learned a great deal from you on this forum. Your willingness to consistently share your expertise and teach all of us is remarkable. You are an asset to this community and I appreciate your efforts very very much. Good karma to you sir.

Thank you.
