Note that you don’t necessarily have to make the controller GUI accessible from the internet in order for clients to have their devices communicate with it, because these are two different services. Also, STUN is in fact not required at all, but I highly recommend using it. However, I don’t think you can change the STUN port (3478). As far as I know, you can change the port of the inform address from 8080 to anything you want, since this is manually provided by you during the inform process. The device-controller communication takes place on TCP 8080 and UDP 3478. You can change this to whatever you like. So even if the DNS and Traefik is down I can use one of the swarm IPs :8443 to access my controller.I like to think of the unifi controller as multiple different services, not just a single big one, that you can make accessible independently of one another. Unifi doesn’t use any standard ports that I need besides 8080 and I don’t want to add any single point of failures with Traefik, DNS etc to keep the Unifi Controller from operating as independently as it can from my docker swarm. Since the Unifi Controller needs a lot of ports for it’s operation of the network I just leave them on the ingress network.
# Make Traefik communicate over SSL with Unifi Controller deploy:ģ Standard configuration same as all of my containers I use Traefiks docker label configuration. There are a few additions compared to the other containers. The USW Lite 8 PoE also offers an extensive suite of Layer 2 switching protocols, and can be monitored or.
The Switch Lite 8 PoE (USW Lite 8 PoE) is a fully managed switch with (8) GbE RJ45 ports, including (4) 802.3at PoE+ ports, and a 52W total PoE supply for your UniFi access points and other PoE devices. On the Unifi Controller container we need to add the configuration for Traefik. Layer 2, PoE switch with (8) GbE RJ45 ports, including (4) 802.3at PoE+ ports. If you have the dashboard enabled you need to switch that from port 8080 to something else, this is the standard port used by the Unifi Controller for it’s /inform calls from all the equipment. On the setup from my other article, listed above, we just add this command line parameter: -serversTransport.insecureSkipVerify=true So first we need to allow Traefik to use self signed certificates. However, if you have a firewall that is restricting outbound traffic, youll need to allow the following ports outbound to your controller IP address: UDP 3478. The communication between Traefik and the Unifi Controller will be secured with the self signed certificate on the controller. When you initiate/launch a remote connection it will then try to connect to your public IP with WebRTC using a random UDP port. My goal was only to have a proper URL like with a proper SSL certificate for the admin interface. The Unifi controller will attempt to contact a TURN service at using a large range of UDP ports. There are a number of ports on the controller and several needs to be accessible for the /inform requests from the equipment. Still the controller best live in the same physical network as the equipment in my opinion. Specially if you have no external access to consider. The setup of Unifi Controller behind any reverse proxy is easy enough. I run my controller in a docker container on my swarm and have Traefik for ingress and SSL. The self signed certificate is fine from a security standpoint but enjoying when accessing the controller. A proper SSL certificate on the Unifi Controller is more of a cosmetic fix then a security one.