Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tanr
Valued Contributor II

FYI: Unifi Controller and devices behind FortiGates

Hi All,

 

Thought I'd post the FortiGate configs to work with some Unifi devices.  Let me know if this isn't appropriate for the forum.

 

After setting up a Unifi Cloud Key, switches, and access points behind a FortiGate, with vlan separation between the cloud key (controller used for management) and other Unifi devices, and with remote access to the Unifi system working through the FortiGate, I thought I'd post what I found that worked to save others some time.  Hope this is useful, and feel free to post corrections.

 

The cloud key and other Unifi devices all assume native vlans and DHCP to start.  The switches (and newer APs) can now be set to work with tagged vlans, but make sure they're getting untagged native vlans to start with.

 

Note that you can use "exec ssh" from remote/cloud access to the FortiGate to access the cloud key.  I found that if I moved the cloud key to a new subnet, or from a lab with one public IP to a location with a different public IP, that remote web access would stop working till I used ssh to connect and reboot the cloud key.

 

Per https://forum.fortinet.com/tm.aspx?m=167150 if you put your Unifi Controller (cloud key in this case) in a different subnet/vlan, you can provide the IP of the controller to other Unifi devices by using DHCP Option 43.  If you're using the FortiGate for DHCP this is a little tricky, as you need to set the Additional DHCP Options to the custom option code of 43, then set the hex value to indicate the sub-type, number of bytes, and IP in hex, like so:

  01: suboption   04: length of the payload (4 bytes)   c0a80001: 192.168.0.1 in hex

  == 0104c0a80001

 

To access the cloud key locally you'll need to allow the following services from your management PC to the cloud key:

 

HTTPS

TCP/8443 (HTTPS_ALT)

PING

SSH TCP/8880 (HTTP Portal redirct - optional) TCP/8843 (HTTPS Portal redirect)   Allow the following services both from the cloud key to the other Unifi devices and the other direction:  

TCP/8080 (HTTP_ALT)

TCP/8443 (HTTPS_ALT)

UDP/3478 (STUN)

TCP/27117 (UNIFI LOCAL DB ACCESS)

UDP/10001 (UNIFI-AP-DISCOVERY)

UDP/1900 (UNIFI-L2-DISCOVERABLE-UPNP) TCP/6789 (UNIFI-MOBILE-SPEED-TEST - optional)   Unifi controller (cloud key) outbound to wan:   DNS NTP HTTP HTTPS SMTPS UDP/3478 (STUN) TCP/8543 (UNIFI-CLOUD-ACCESS)TCP/11143 (UNIFI-CLOUD-ACCESS-OLD - probably no longer needed) UDP/5656-5699 (UNIFI-AP-EDU-BROADCAST - maybe optional, or only for AP EDU units)   This should be enough to get everything working locally, and if you have VPN access to the site, this is all you'll need to do as you can access the controller and devices over the VPN.   However, if you don't have VPN access to the site and need remote access to the cloud key that is stable, there is more to do.  The above config will allow you adopt the cloud controller from a remote unifi.ubnt.com session, and to SORT OF launch remote access.  But if you restrict outbound UDP traffic then remote access will regularly disconnect with a 400 error and have some other problems because of the way the Unifi controller (and some other Unifi devices) use WebRTC for the remote connection.   To get remote access working in a stable manner, there are a couple more things to do, per my discussion of this at https://community.ubnt.com/t5/UniFi-Wireless/Undocumented-outbound-UDP-from-Cloud-Key/m-p/2521917.  Note that from my tests so far, unlike most of the other recommendations I found, you DO NOT need to open up any inbound ports for the remote access.   The Unifi controller will attempt to contact a TURN service at global.turn.twilio.com using a large range of UDP ports.  When you initiate/launch a remote connection it will then try to connect to your public IP with WebRTC using a random UDP port.  Similarly, your local management PC will attempt to send a random UDP port to the Unifi controller's public IP.   If you have static, or DDNS public IPs for the locations, you can allow outbound UDP (I used 10000 to 65535, though WebRTC says *any* UDP) from the cloud key (and possibly the Unifi APs if you're using ones that post data like the AP AC SHD) to global.turn.twilio.com and to the public IP of your management PC.   Allow outbound UDP from your management PC to global.turn.twilio.com and to the public IP of the cloud key.   That's all you need to do.  Now the remote access (launching from unifi.ubnt.com) should work and not disconnect.
2 REPLIES 2
SecurityPlus
Contributor II

Thank you for this information!
tanr
Valued Contributor II

Hopefully it's only opening it outbound!

 

I listed all the ports I was aware of in this thread and the referenced thread at https://community.ubnt.com/t5/UniFi-Wireless/Undocumented-outbound-UDP-from-Cloud-Key/m-p/2521917, so afraid I don't have much more to suggest.

 

As noted the ports listed under "Unifi controller (cloud key) outbound to wan:" should be the only ones you need to allow out to the wan, unless you're wanting non-vpn remote management.  In that case, you can allow the suggested range of UDP *only* to the TURN servers at global.turn.twilio.com.

 

I set this up last year, so Unifi might have changed things.

 

Labels
Top Kudoed Authors