1. Information

The UniFi controller can be on a different subnet from the APs as long as there is a route from the AP subnet to the controller subnet. If your network goes L3 router → Netgear router → APs and you want the controller connected directly to the L3 router, you just need a route from the Netgear subnet to the L3 subnet (which you’ve probably got already).

Once you’ve migrated the controller database from the existing server to the desktop workstation and shut off the original controller, you can issue a "set-inform" on the APs (using SSH to log into them) to redirect each AP to the new controller address. This works as long as the new address is reachable from the AP.

Note that port 8443 is used for the management panel and port 8080 is used for the informs. DHCP option 43 can also be used to tell the APs the controller address when the controller isn’t on the same L2 network but is routable.

    sudo syswrapper.sh restore-default
    set-inform http://ip.of.the.controller:8080/inform

2. Linux

2.1. Installation

    # Needed for Debian 12 Bookworm only.
    wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2_amd64.deb
    sudo dpkg -i libssl1.1_1.1.1f-1ubuntu2_amd64.deb
    dpkg -l | grep -i libssl1

    # sudo smru setup apache                # Install and configure apache web server.
    sudo smru setup gnupg                   # Install and configure gnupg.
    sudo smru setup jre-headless            # Install and configure java runtime environment.
    sudo smru setup mongodb-4.4             # Install and configure mongodb 4.4 server.
    sudo smru setup unifi-controller        # Install and configure unifi controller.

  • Enter the following commands at a Command Line.

    echo "deb https://www.ui.com/downloads/unifi/debian stable ubiquiti" |
      sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
    sudo wget -qO /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
    # ls -al /etc/apt/sources.list.d
    # cat /etc/apt/sources.list.d/100-ubnt-unifi.list
    # apt-key --keyring /etc/apt/trusted.gpg.d/unifi-repo.gpg list
    
    # Set JDK for UniFi.
    JAVA_HOME="$(readlink -f "$(which java)" | sed "s|/bin/.*$||")"
    echo JAVA_HOME="${JAVA_HOME}" | sudo tee /etc/default/unifi
    sudo ln -s "${JAVA_HOME}/lib" "${JAVA_HOME}/lib/amd64"
    # cat /etc/default/unifi
    
    sudo apt-get update
    sudo apt-get install apt-transport-https ca-certificates
    sudo apt-get install unifi
    # dpkg -l | grep -iw "unifi"
    # sudo systemctl status unifi

2.2. Configuration

  • Enter the following commands at a Command Line.

    # Fix for latest Java.
    sudo cp -a /var/lib/unifi/system.properties /var/lib/unifi/system.properties.org
    echo "unifi.https.sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1" |
      sudo tee --append /var/lib/unifi/system.properties
    sudo diff /var/lib/unifi/system.properties.org /var/lib/unifi/system.properties
    sudo systemctl restart unifi
    sudo diff /var/lib/unifi/system.properties.org /var/lib/unifi/system.properties
    sudo systemctl status unifi
    
    # Test connection.
    openssl s_client -connect localhost:8443 -showcerts
    
    sudo java -jar /usr/lib/unifi/lib/ace.jar info
    unifi.version=6.2.26 (atag_6.2.26_15319 - release)
    unifi.https.port=8443
    unifi.ip=10.10.1.16
    os.name=Linux
    os.version=4.19.0-17-amd64
    java.version=11.0.11
    java.home=/usr/lib/jvm/java-11-openjdk-amd64
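
The property appended above lists TLSv1.1 and TLSv1 next to TLSv1.2. The script below is an added example, not part of the original page: it reports which protocol names below TLSv1.2 are in effect in a system.properties file, assuming Java properties semantics where the last occurrence of a key wins; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.

# Print the effective unifi.https.sslEnabledProtocols value from file $1.
# Assumes Java properties semantics: if the key is repeated, the last line
# wins. That matters here because the page appends with tee --append.
effective_protocols() {
    sed -n 's/^[[:space:]]*unifi\.https\.sslEnabledProtocols[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\r'
}

# Print the protocol names below TLSv1.2 found in that value, space
# separated. Empty output means no legacy protocol is listed.
legacy_protocols() {
    effective_protocols "$1" | tr ',' '\n' | awk '
        { gsub(/[ \t]/, "") }
        $0 == "SSLv2Hello" || $0 == "SSLv3" || $0 == "TLSv1" || $0 == "TLSv1.1" {
            out = (out == "" ? $0 : out " " $0)
        }
        END { print out }'
}

# One-line verdict for file $1; returns non-zero when legacy names are listed.
audit_unifi_tls() {
    value=$(effective_protocols "$1")
    legacy=$(legacy_protocols "$1")
    if [ -z "$value" ]; then
        echo "UNSET: key not present in $1"
        return 0
    fi
    if [ -n "$legacy" ]; then
        echo "WEAK: $1 lists $legacy"
        return 1
    fi
    echo "OK: $1 lists $value"
}

# Constructed sample: the line from section 2.2, then a restricted line
# appended later, as happens when a second tee --append is run.
sample=$(mktemp)
echo "unifi.https.sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1" > "$sample"
audit_unifi_tls "$sample" || true
echo "unifi.https.sslEnabledProtocols=TLSv1.2" >> "$sample"
audit_unifi_tls "$sample" || true
rm -f "$sample"
```

On the controller host, run audit_unifi_tls against /var/lib/unifi/system.properties with sudo, since the file is owned by the unifi service.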

2.3. Uninstallation

  • Enter the following commands at a Command Line.

    dpkg -l | grep -iw "unifi"
    ls -al /etc/apt/sources.list.d
    
    sudo apt-get purge unifi
    sudo apt-get purge jsvc libcommons-daemon-java
    sudo rm /usr/lib/jvm/java-11-openjdk-amd64/lib/amd64
    sudo rm /etc/apt/sources.list.d/100-ubnt-unifi.list*
    sudo rm /etc/apt/trusted.gpg.d/unifi-repo.gpg
    sudo rm /etc/default/unifi
    
    dpkg -l | grep -iw "unifi"
    ls -al /etc/apt/sources.list.d
  • Uninstall MongoDB 3.6.

  • Uninstall MongoDB 4.4.

  • Optional: Uninstall Java.

  • Optional: Uninstall Apache 2.

  • Enter the following commands at a Command Line.

    dpkg -l | grep -Eiw "java|jdk|jre"
    dpkg -l | grep -iw "mongodb"
    dpkg -l | grep -iw "unifi"

3. Windows

3.1. Installation

  • Note: Install only the UniFi-installer-5.10.17.exe version, not a later version.

  • Run the UniFi-installer-5.10.17.exe file with administrative privileges.

  • Click Install.

  • Uncheck Start UniFi Controller after installation.

  • Click Finish.

3.2. Configuration

3.2.1. Windows Service

  • Note: This starts the UniFi Controller service automatically when the computer starts up.

  • 32-bit: Add the C:\Program Files (x86)\Java\jre1.8.0_212\bin path in Environment Variables > System variables | Path.

  • 64-bit: Add the C:\Program Files\Java\jre1.8.0_212\bin path in Environment Variables > System variables | Path.

  • Enter the following commands at a Command prompt with administrative privileges.

    cd "C:\Users\Administrator\Ubiquiti UniFi"
    java -jar lib/ace.jar installsvc
    net start "UniFi Controller"

3.2.2. Windows Firewall

Inbound Rules

  • Open Windows Firewall.

  • Click Advanced settings.

  • Right-click Inbound Rules.

  • Select New Rule….

  • Choose Port (Rule that controls connections for a TCP or UDP port).

  • Click Next.

  • Choose TCP under Does this rule apply to TCP or UDP?.

  • Choose Specific local ports: under Does this rule apply to all local ports or specific local ports?.

  • Type 8443 in Specific local ports: field.

  • Click Next.

  • Choose Allow the connection.

  • Click Next.

  • Select Domain, Private, and Public.

  • Click Next.

  • Type UniFi-Controller-Port 8443 in Name field.

  • Click Finish.

  • Right-click UniFi-Controller-Port 8443 in Inbound Rules.

  • Select Properties.

  • Click Scope tab in UniFi-Controller-Port 8443 window.

  • Choose Local IP address | Any IP address.

  • Choose Remote IP address | These IP addresses:.

  • Click Add under Remote IP address.

  • Choose Predefined set of computers: in IP Address window.

  • Select Local subnet in Predefined set of computers dropdown list.

  • Click OK.

  • Click Apply.

  • Click Add under Remote IP address.

  • Type 10.10.1.0/24 in This IP address or subnet: Textbox.

  • Click OK.

  • Click Apply.

    Local IP address
      ● Any IP address
      ○ These IP addresses:
    
    Remote IP address
      ○ Any IP address
      ● These IP addresses:
        Local subnet
        10.10.1.0/24

  • Click OK.

  • Close Windows Firewall with Advanced Security.

  • Close Windows Firewall.

4. Setup

  • Browse to https://10.10.1.4:8443

  • Type SMRU UniFi Controller in the Server Name field.

  • Select Thailand for the Country/Region.

  • Check I agree to End User License Agreement and Terms of Service.

  • Click Next.

  • Type smru-it@shoklo-unit.com in UI Account Email field.

  • Type the Ubiquiti - UniFi Account password stored in the KeePass Password Manager.

  • Click Sign In.

  • Type get-totp <secret> in the Command Prompt.

  • Type the 2FA code.

  • Click Sign In.

  • Select SMRU > Sign Out.

  • Close Browser.

5. Certificates

  • Log in as smru on the tbhf-ops-mrm server.

  • Enter the following commands at a Command Line.

    sudo keytool -v -list -keystore /var/lib/unifi/keystore -storepass aircontrolenterprise
    Keystore type: PKCS12
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: unifi
    Creation date: Jun 20, 2024
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=UniFi, OU=UniFi, O=Ubiquiti Inc., L=New York, ST=New York, C=US
    Issuer: CN=UniFi, OU=UniFi, O=Ubiquiti Inc., L=New York, ST=New York, C=US
    Serial number: 6673bc4e
    Valid from: Thu Jun 20 12:21:18 ICT 2024 until: Wed Sep 23 12:21:18 ICT 2026
    Certificate fingerprints:
             SHA1: 6F:9D:62:3F:B1:AE:DD:15:25:4B:DB:A3:77:DE:E7:B8:04:A2:40:81
             SHA256: 56:26:4A:CD:2F:BB:9E:C2:23:1D:55:1D:CD:F2:73:C7:3F:95:CB:F0:C1:E2:A3:FC:B9:C6:56:78:01:A8:D3:EF
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
    ]
    
    #2: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: UniFi
    ]
  • Todo
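
Because the keystore holds a certificate whose Owner and Issuer are the same, a browser cannot validate it, so the fingerprint served on port 8443 can be compared with the keystore entry before a security exception is accepted. The script below is an added example, not part of the original page: it normalizes the SHA256 line from the keytool listing above and a constructed line in the format printed by openssl x509 -noout -fingerprint -sha256, then compares them; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.

# Reduce a fingerprint line to bare lowercase hex. Accepts keytool's
# "SHA256: AA:BB:..." and openssl's "sha256 Fingerprint=AA:BB:..." form
# (the label's letter case can differ between OpenSSL releases, so drop it).
normalize_fp() {
    sed -e 's/^.*=//' -e 's/^[[:space:]]*SHA256:[[:space:]]*//' |
        tr -d ': \r' | tr 'A-F' 'a-f'
}

# First SHA256 fingerprint in keytool -v -list output read from stdin.
keystore_fp() {
    sed -n '/^[[:space:]]*SHA256:/p' | head -n 1 | normalize_fp
}

# Print "self-issued" when Owner equals Issuer, otherwise "ca-issued".
issuer_kind() {
    awk '
        /^[ \t]*Owner:/  { sub(/^[ \t]*Owner:[ \t]*/, "");  o = $0 }
        /^[ \t]*Issuer:/ { sub(/^[ \t]*Issuer:[ \t]*/, ""); i = $0 }
        END { k = (o != "" && o == i) ? "self-issued" : "ca-issued"; print k }'
}

# Succeeds when the served fingerprint line ($1) matches the keystore entry
# whose keytool listing arrives on stdin. An empty fingerprint never matches.
fp_matches() {
    want=$(keystore_fp)
    [ -n "$want" ] && [ "$want" = "$(printf '%s\n' "$1" | normalize_fp)" ]
}

# Lines copied from the keytool listing on this page.
sample_keytool() {
    cat <<'EOF'
    Owner: CN=UniFi, OU=UniFi, O=Ubiquiti Inc., L=New York, ST=New York, C=US
    Issuer: CN=UniFi, OU=UniFi, O=Ubiquiti Inc., L=New York, ST=New York, C=US
             SHA256: 56:26:4A:CD:2F:BB:9E:C2:23:1D:55:1D:CD:F2:73:C7:3F:95:CB:F0:C1:E2:A3:FC:B9:C6:56:78:01:A8:D3:EF
EOF
}

# Constructed: the same fingerprint in openssl's output format.
sample_served='sha256 Fingerprint=56:26:4A:CD:2F:BB:9E:C2:23:1D:55:1D:CD:F2:73:C7:3F:95:CB:F0:C1:E2:A3:FC:B9:C6:56:78:01:A8:D3:EF'

echo "issuer: $(sample_keytool | issuer_kind)"
if sample_keytool | fp_matches "$sample_served"; then
    echo "served certificate matches the keystore entry"
else
    echo "MISMATCH: do not accept the browser exception"
fi
```

Against a live controller, pipe the keytool command above into fp_matches and pass it the line produced by openssl s_client -connect <host>:8443 piped through openssl x509 -noout -fingerprint -sha256.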

6. Troubleshooting

  • Note: If you receive a Rogue AP Detected notification, investigate as follows.

  • Rogue AP Detected means there are one or more other APs with the same SSID as your UniFi AP that are not UniFi APs.

Classic mode

  • SSID: smru-clinic: Browse to https://10.10.1.6:8443

  • SSID: SMRU: Browse to https://10.10.1.6:8443

  • SSID: SMRU-Guest: Browse to https://192.168.88.16:8443

  • Optional: Confirm Security Exception.

    • Click Advanced.

    • Click Accept the Risk and Continue.

    User Name               SMRU
    Password                ********
            □ Remember me
  • Click SIGN IN.

  • Click INSIGHTS.

  • Select Neighboring Access Points on the first dropdown list.

  • Search for the AP that has the same SSID.

  • If the AP was set up by you, click Mark as known.

  • Select USERNAME SMRU > logout.

  • Check /usr/lib/unifi/logs/server.log.

  • Check /usr/lib/unifi/logs/mongod.log.

7. SSH

  • MST: Browse to https://10.10.1.6:8443

  • Log on as SMRU.

  • Select the SETTINGS page.

  • Select the System Settings sub page.

  • Expand Controller Configuration.

  • Expand Device SSH Authentication.