Unifi Access Point SSH upgrade

I was in the process of upgrading the firmware on a few Unifi Access Points and ran into a problem where the APs would not (re)connect to the Unifi Controller when I initiated the firmware update. They were stuck in the update state without actually updating the firmware. The controller showed them as offline/updating.
I was still able to ping them and they were reachable over SSH.

I needed a way to update the firmware using SSH. I looked up the exact firmware download URL on https://www.ui.com/download/. I connected to the specific AP using SSH (PuTTY) and was able to perform the update manually by running the following command:

((`which nohup` /usr/bin/syswrapper.sh upgrade http://dl.ui.com/unifi/firmware/U7PG2/ >/dev/null 2>/dev/null)&) ; sleep 1

This command took a few minutes to start running and successfully completed the firmware update. I was able to manage the APs again in the controller with their new firmware.

If the AP is on an old firmware level, it may come back with an error that it could not download the firmware because of a certificate error. In that case you can simply change https:// to http://.

EdgeRouter OpenVPN Setup

In this post, I will help you through configuring an OpenVPN connection. I found that I could not find a good guide that configures everything I wanted in one post. I had to use 4-6 different websites to configure OpenVPN on my EdgeRouter, so I’ve decided to create a guide myself.

So, about VPNs. In short, what is a VPN? You can think of a VPN connection as an encrypted tunnel used to connect computers on different networks over the internet. VPNs can be used to provide yourself with a secure connection when using the internet on a public network, like a public wifi hotspot. They are also used a lot to create a secure, remote connection to your (work or home) local network.

I have chosen to use the OpenVPN protocol instead of other well-known protocols like PPTP (older, more insecure, easily detectable and blockable) or L2TP/IPSec (easily detectable and blockable but available on most operating systems).
I like the OpenVPN protocol because it is easy to set up, open source, more secure than PPTP and can be used with port 443 (https) which makes it almost undetectable and shown as normal HTTPS traffic. The downside of OpenVPN is that it requires a third-party app instead of the built-in software from Windows or your phone.

Different types of VPN tunneling

When configuring the VPN, you will need to choose how you want to use it. You can choose to use a split-tunnel or a full-tunnel.

  • Split-tunnel allows you to access your local network resources, but normal internet traffic does not go through the tunnel and is not encrypted.
  • Full-tunnel allows you to access your local network resources, and your normal internet traffic goes through the tunnel and is encrypted. But you probably cannot access local resources, unless you are already connected to them.

I have chosen to use the full tunnel, because I want secure internet access and access to my local resources. You can also add a route to your work network to access its resources through the VPN. I haven’t tested that.


T-Mobile Thuis fiber with EdgeRouter X SFP

In my previous post I showed you my configuration with T-Mobile Thuis fiber with the EdgeRouter Lite. I told you there that I still had a few configuration issues with IPTV. I wasn’t able to create a working scenario without a few (annoying) workarounds.
So to create a better working setup I have chosen to replace the EdgeRouter Lite with the EdgeRouter X SFP. As the name already tells you, this router has a built-in SFP (fiber) port. This router also has switching capabilities and PoE (Power over Ethernet) to directly power my Ubiquiti Access Points.

My (changed) set-up

I have updated my set-up a bit since my last post. I have attached the (two) Ubiquiti APs to the PoE ports on the EdgeRouter instead of the managed switch, so I can get rid of the PoE converters. The T-Mobile set-top box is directly attached to the EdgeRouter. I can also choose to attach set-top boxes to the managed switch, so I can add more than two of them. All my other ethernet devices are attached to the managed switches (like my Tradfri gateway, PS4, SmartTV, HTPC, etc.)
Both switches are configured to deliver VLAN300 (internet) and VLAN640 (IPTV). A trunk is configured between the two switches to carry both VLANs.

The configuration of the EdgeRouter X SFP

Below is a copy of my configuration with a few details like port mappings, IP assignments and passwords cleared.
In short, I have the following configuration:

  1. Configure ETH5 as the SFP port;
  2. Create an internal switch for separating traffic to VLAN300 (internet) and VLAN640 (IPTV) and VLAN1 for the internal network;
  3. Configure the PoE ports for the Access Points;
  4. Configure the internal switch and assign the ports on the router for internet, internal network or IPTV;
  5. Configure default firewall rules, allow NAT, configure offloading, etc.
