*** Official Ubiquiti Discussion Thread ***

You need to export the certificate from the browser. The reason it doesn't work via IP address is because the hostname won't match the IP and it's a system-generated certificate, i.e. self-signed. Usually once you ignore it in a browser it should remember that choice but the behaviour varies.

That's what I did, exported from Chrome (saved to a file), then imported that to MMC. However, like you say, the hostname won't ever match the IP and therefore even though the cert is now saved, it's still an invalid cert in Chrome's eyes (or at least that's my completely ignorant theory). So I still have the 'Not secure' red warning triangle in the far left of the address bar.

I know the quick and easy answer to this is to continue ignoring it like I have been doing until now, but, like I say, it's just grating on me and I'd like to understand how to fix it, if only for my own sanity
 
Where in MMC did you import it to? Has to be the right area.

I followed the instructions here - https://asu.secure.force.com/kb/art...cation-Authorities-Store-for-a-Local-Computer

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. Click Yes if you get the UAC screen.
3. On the File menu, click Add/Remove Snap-in.
4. Under Available snap-ins, click Certificates, and then click Add.
5. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
6. Click Local computer, and click Finish.
7. If you have no more snap-ins to add to the console, click OK to return to the console root screen.
8. In the console tree, double-click Certificates.
9. Right-click the Trusted Root Certification Authorities store.
10. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.


Does this appear to be the correct area?
 
The certificate you imported will be for the host name for the controller, if you browse to https://controller_dns_name it should work. You'll get the error if browsing to the IP address as that's not the host name presented in the certificate. You'll have to create a static entry on your router or edit your computer's host file.
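
Added example, not part of any post in this thread: a simplified version of the name check a browser performs, showing why the same certificate passes for the controller's hostname and fails for its IP address. The certificate is a constructed sample in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `unifi.home.lan` and `192.168.1.10` are assumed values, and only subjectAltName entries are checked.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostname is made up for this example.
CONTROLLER_CERT = {
    "subject": ((("commonName", "unifi.home.lan"),),),
    "subjectAltName": (("DNS", "unifi.home.lan"),),
}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.lan".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert, host):
    """Return True if `host` (as typed in the URL) is named in the certificate."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # An IP in the URL is compared only with 'IP Address' entries, never DNS names.
        want = ipaddress.ip_address(host)
        return any(kind == "IP Address" and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in sans)


def names_in_cert(cert):
    """List the names that can be matched, e.g. to choose the hosts-file entry."""
    return [f"{kind}:{val}" for kind, val in cert.get("subjectAltName", ())]
```

Trusting the certificate in the Windows store and matching its name are separate checks, so an imported certificate still shows a warning when the URL uses a name or address the certificate does not list.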
 
After a day or so I've finally managed to get a BGP route based VPN running between my USG and AWS using the config.gateway.json file. It would have been way, way easier if only it were exposed in the GUI. It's also a shame the USG doesn't support SHA 2.
 
Good evening all

I have a SH4 set to pass through only and 3 x Unifi LR APs across my property, I have a new printer as my last one died but it fails to connect to the Unifi network and if I do it on my phone it shows that there are 2 MAC addresses being shown (Unifi) and fails to connect again?

Is there a setting I'm missing within the Unifi settings to correct this or?

It's driving me insane! :(
 
I've been searching the internet and see nothing that's giving me a steer? :(
 
Ok so disabling fast roaming allowed me to connect the new Canon printer and enabling it made no difference? Can print and AirPrint to it still? Go figure….
 
What controller version are you running? Fast roaming was basically killed before the end of Version 5. Fast roaming was a kludge before they got the signal strength algorithm working properly. Use RSSI at under 65dB to get the phones to roam if you always want them on the closest access point, but the more you roam, the more breaks in connectivity you have. You’ll only notice it if you’re running mobile VOIP phones really.
 
Cloud key - V1.1.13
Firmware version - 6.0.43-14348-1 (New available version - 6.2.26-15319-1)
Controller - 6.0.43.0

I don't tend to bother updating anything any more as I've been bitten before where I update straight away and it breaks connection in my house for weeks/months
 
Hi everyone, was hoping to pick your collective brains on an issue I'm having. I've got a Sky fibre setup with a USG 3-P and most stuff is working very well. I've DMZed the USG in the Sky modem/router and disabled pretty much everything on the Sky router. Behind the USG there are two APs, two switches and the controller running on a raspi.

The issue I'm having is getting my work VPN connection to work. It's on a dedicated corporate laptop running AT&T Global Network client with Gemalto password authentication. It connects fine and gets the tunnel up and running but very limited traffic seems to pass through the tunnel. Essentially only the Skype internal messaging tool seems to work, Outlook can't connect, can't access internet through the VPN or any internal folders.

I've forwarded all the relevant VPN ports I can think of (udp 500 / 4500, tcp 1701/1723) to the work laptop through both the sky router and the USG.

Is it likely down to the double NAT situation and can be resolved by getting a draytek modem or is it more likely a config issue with the USG not routing the traffic properly (and would persist even with a modem in bridge mode)?

Thanks in advance
Dan
 
Port forwarding isn't the problem, you can bin that off.

Double NAT can be a problem for VPN connections (Cisco MaybeConnect, sorry, AnyConnect doesn't much like it) but it's usually a case that the connection won't come up rather than some stuff won't work. I'd be looking at MTU issues. I know the older Cisco IPSEC client was quite fussy but I haven't used your client so can't say for sure.
 
Try it with just the Sky router and you can rule out double NAT straight away. As mentioned above, you do not need to port forward as VPN clients are an outgoing connection and your router will SNAT like it does for any other outbound connection.
 
Thanks both, it does work with just the Sky router (with MTU @ 1500). I've tried MSS clamping the USG to try and sort any MTU issue.

My private NordVPN seems to work fine though through the USG off a different machine.

I was going to get a replacement for the sky router so will give that a try and see if it was the double nat for sure.
 
I take it there's still no update/ETA on the UXG ?

Moving house soon and I'm itching to replace my USG, and for just simple ease wanted to stick with Unifi but it looks like I might have to look elsewhere and stick with the Ubiquiti WAPs only.
 
You could avoid double NAT and create a /30 network between the USG and the Sky Hub and create a static route pointing at the Sky's LAN address on that network. Or get a separate modem and faff about with Sky's DHCP authentication nonsense. Or just use Sky's router. :)
 
Moving house soon and I'm itching to replace my USG, and for just simple ease wanted to stick with Unifi but it looks like I might have to look elsewhere and stick with the Ubiquiti WAPs only.
I'm currently in the same boat, I run 10 GbE networking at home and I'd love a L3 device that can push traffic between VLANs at line speed. If Ubiquiti don't hurry up I'll likely build an Untangle appliance or run it as a VM.
 
I am just not in a position to drop loads of £ on the Qnap above yet unfortunately :(.

I need to find a good 4g router and aerial and might well just have to stick with whatever I find until Fibre rolls into the village (Q4 this year it starts!).
 