UniFi AP's w/ Untangle Router @ home, Not Working Properly

[ch33zw1z]

Because the unmanaged aps and hardwired clients seem to work fine, I suspect the opposite.

Ok, that's fine, but we haven't really gotten enough info to verify either. The UAP's are not going to interfere or even forward DNS traffic, as it's not their job or design as layer 2 devices. DNS settings on the UAP's are only for the the UAP to use.

Either way, he should factory reset a single UAP (prefer the LR) and start from scratch, leave the others out of the mix altogether (both the old and new) and confirm whether that clears it up.

If that doesn't clear it up, then it's back to the untangle software.

He could also try the untagged vlan thing, but my UAP worked fine with and without it.

For now, we've only had words, no config screenshots or outputs, etc...

 

[SamirD]

Agreed. Starting with one fully reset would be the best way to diagnose this. In fact, just replacing one of the unmanaged units with a ubiquiti and going from there would be my starting point. This way you've got the working configuration to compare it to.

Do the APs have the ability to nat? I've not played with any ubiquiti gear.

 

[ch33zw1z]

Agreed. Starting with one fully reset would be the best way to diagnose this. In fact, just replacing one of the unmanaged units with a ubiquiti and going from there would be my starting point. This way you've got the working configuration to compare it to.

Do the APs have the ability to nat? I've not played with any ubiquiti gear.

The AP's are essentially enterprise devices at Layer 2, they don't interfere with much, but configurations can be very specific. However, they don't provide any layer 3 or high functions, such as NAT. Inside the controller software, they are many options that allows the UAP to integrate with their more robust routers (USG's)

The OP could let us know the full network topology to assist further. How many other layer 2 or 3 devices are in the mix? Most people would probably have 2 NIC in the untangle box, and at least a layer 2 switch outside of it. Anyways, if what we recommend doesn't help, we need more information to isolate the problem.

 

[SamirD]

That's pretty much what I thought.

I think the OP sounds like they know what they're doing, but I think it's really one of those rare unknown conflicts between equipment, in this case the untangle and the ubiquiti. I bet if either one is changed from its current firmware/software version, the issue would disappear.

 

[mxnerd]

I setup a Untangle VM, did not set any DNS entries and did not add any extra options commands. Client behind Untangle uses Untangle's LAN IP as DNS and worked absolutely fine.

 

[EXCellR8]

In post #9 you said if you put in Googls DNS IP in endpoints then it works, you mean PC/tablet/smartphone right?, so your WiFi clients still get router IP as their DNS server via Untangle DHCP?

There should be only one device acting as DHCP server on your network, and it should be Untangle.

Yes, putting DNS servers in manually on any client allows for perfect internet connectivity; I do want Untangle as the sole DHCP server.

What happens when you turn untangle off? Untangle is a firewall, right?

Firewall & router, and it's all up to date.

...The DNS requests should just flow from the clients to the router software without the AP's interference.

agreed. that's what should be happening. I've configured much more complicated equipment without half this much trouble.

...try changing to another firmware version on the ubiquities and see if the problem magically fixes itself.

not sure how to do that off-hand, but I will do some searching...

Because the unmanaged aps and hardwired clients seem to work fine, I suspect the opposite.

I've noticed that the hardwired clients are now dropping DNS connectivity, when no servers are manually entered in. this means setting the "dhcp-option=6" string isn't doing anything.

...Client behind Untangle uses Untangle's LAN IP as DNS and worked absolutely fine.

That's how it should be, but it's just not working.

 

[EXCellR8]

All three AP's are running firmware 4.0.42, but the fact that my wired enpoints are now dropping DNS connectivity means that Untangle is to blame, or perhaps my modem.

Thanks for all the help btw.

 

[SamirD]

I'd first revert back to your original setup and see if you have any more issues.

If you don't, I'd try just removing one unmanaged ap for a ubiquiti and then go from there. It could be some oddball thing going on that will take wiresharking to figure out.

 

[mxnerd]

Feel that Untangle is just - meh.

Setup WAN using a static IP. Then when I try to change the config to use DHCP, it won't get me a dynamic IP no matter how I save the config multiple times, ask it to refresh it's WAN IP using DHCP, it just won't do anything! It just want to retain its static IP config.

The only way to change the config is to re-install the software.

And I followed the instruction here

https://support.untangle.com/hc/en-us/articles/200683548-Can-I-use-OpenDNS-with-NG-Firewall-

using the DNS "Override" feature of internal DHCP so I can pass my preferred DNS to client.　The bad part is that you can only set one DNS as override DNS server.

Guess what? It didn't work! It still passed router IP as client's DNS IP. Just what OP experienced.

@EXCellR8, just give up using Untangle as your router/firewall. Anything else is better.

 

[ch33zw1z]

@mxnerd - kudos for going through all that. I always liked pfsense, although I dont use it currently, it would be my "go-to" for roll your own router setups.

 

[EXCellR8]

Yes, kudos indeed. I felt everything was set up correctly so having it "just not work" after each tweak was driving me nuts.

...The bad part is that you can only set one DNS as override DNS server.

I think you can actually use a comma to separate servers

I wouldn't mind giving pfSense another try; I feel as though Untangle, when it works, is great but there's a lot of little caveats I've come across over the years. This is certainly no exception.

 

[mxnerd]

I think you can actually use a comma to separate servers

No, you can't. I tried comma, semicolon and space. None worked. You can only have one.

 

[mxnerd]

@mxnerd - kudos for going through all that. I always liked pfsense, although I dont use it currently, it would be my "go-to" for roll your own router setups.

Me too. I also don't use one currently. I did test it or use it for a while multiple times though. It's a bit complex if you dive deeply but very reliable. Will also be my go-to router/firewall if I decided that I need one.

 

[ch33zw1z]

Me too. I also don't use one currently. I did test it or use it for a while multiple times though. It's a bit complex if you dive deeply but very reliable. Will also be my go-to router/firewall if I decided that I need one.

Last time I used it was a VM to run an Always on VPN device, hung an old SOHO router-as-wap off the port, so had 3 lan and wifi for always on vpn worked great

 

[EXCellR8]

Good news and bad news... wiped Untangle off of the drive and loaded pfsense. Once interfaces were assigned and IP addressed everything worked great.

However, woke up this later this morning to no internet connectivity on any device. Hard reset of pfsense and it was back. So, there could be an issue with the hardware itself... looks like I'm not quite out of the woods yet.

 

[ch33zw1z]

Ok, check your hardware against their qualified list and adjust as needed. If you want assistance from us, post detailed specs if the hardware, specifically the NIC's

 

[mxnerd]

Yep, it seems it's your NICs are causing problems. Usually when a NIC starts to deteriorate the first thing usually is that it can't get an DHCP IP address as an client.

 

[ch33zw1z]

Also, when you get issue like that, using ping is a great way to start determining where the trouble is.

 

[EXCellR8]

The board is a Jetway NF9HQL-525 but the NIC's are Realtek AFAIK so I wouldn't be surprised if they are on their way out. The board has also been running almost constantly since I first installed it in Q2 2016 so it has seen its share of usage hours. This would explain why Untangle just sort of stopped working well--because it had been fine for 3 years. I'll swap in a more generic router tonight but I'm probably not going to dig too far into what could be to blame on the HW side.

Also, if anyone has some suggestions on a slim ITX board replacement, let me know.

 

[ch33zw1z]

I dunno man, if I put money into anything right now, especially to use UBNT UAP's, I would be buying a UBNT USG, but I would also be getting a switch with it for a full seamless network setup

So someone else may be able to answer your itx question

 

[mxnerd]

Your Jetway NF9HQL-525 has 4 integrated Realtek NICs, if it you need a replacement, I would suggest QOTOM mini-pc with INTEL NIC (they have different model with either Realtek or INTEL chips).

A long discussion here.
https://forums.anandtech.com/threads/want-to-downsize-my-pfsense-box-netgate-sg-1000.2561731/

If you don't trust the brand, just get a mini itx board with CPU with AES-NI capability and buy a quad port NIC with INTEL chips. (under $30 on eBay for used HP brand)

https://www.ebay.com/sch/i.html?_fr...3.TR3.TRC2.A0.H0.TRS0&_nkw=HP+NC365T&_sacat=0

You might need a new case & PSU though. I believe you have a slim case for Jetway NF9HQL-525.

==

QOTOM is based in China but seems no presence in USA so support could be a problem.

Protectli has firewall hardware similar to QOTOM but has U.S. contact.
https://protectli.com/

==

And yes, like what ch33 has said, probably UBNT USG is all you need.

 

[EXCellR8]

Yes, it's a slim case but I have a couple other vacant ones for whatever. I just liked it because of the small footprint but no real preference. I do have a board that I'm not using with available PCIe x4 so the Intel NIC is an attractive option. Some boards are real finicky about add-on cards though, but for $30-$40 it's worth a shot.

I may try moving WAN/LAN to the other two NICs on the Jetway board just for S&G but that would probably be the extent of HW troubleshooting. The fan has also become rather loud but I'm just surprised it's still working. I'm going to grab the old Netgear Firewall from the office to use in the interim. Part of the reason this is so aggravating is that I don't need anything real special. DHCP, a few forwarded ports, couple custom traffic rules and done.

I will look into UBNT USG since the AP's didn't cost me anything... they're equipment is plenty reasonable.

 

[SamirD]

Part of the reason this is so aggravating is that I don't need anything real special. DHCP, a few forwarded ports, couple custom traffic rules and done.

I thought you were using untangle or pfsense for their feature set--yeah, if you don't need the bulk, shed it and just get a box to do the job as they're cheap enough now.

 

[EXCellR8]

I like having the feature set available, if I am running a game server, plex, or VPN. But yea, a regular router/firewall is not off the table. I am contacting my ISP today about possible issues with my modem--though I haven't had any in the past. Last night I configured a Netgear VPN firewall, along with DHCP on LAN and some static entries/reservations. Same thing happens... works for a time and then everything goes down--seemingly for no reason.

My focus has sort of shifted to the modem; the NICs on the Jetway board check out.

 

[mxnerd]

If you have used the same modem for several years, it's possible it's on its way out.