Migrating existing Ubiquiti UniFi Controller to Docker in Synology NAS

I do not have the firewall on my Synology turned on. It's a home network behind my router's firewall so I don't see the need. I was tired of the UniFi controller crashing so I finally ran it in Docker on my NAS by following the steps in this post: here. Now I am getting this error on my devices:
This device is not able to connect to the internal STUN server on your Controller. Please check if the device is able to reach the STUN server on port 3478

I've tried to read up on this; your network can work with this error, which mine does. I do want the error gone. I have tried a port forwarding rule in the controller. My whole system is in one network, so I'm not sure why all the requests to port forward (I guess for logging in from the outside?).
 
The mentioned guide from Ruud's is right.
For whatever reason, try to use the NAS firewall. It's the last level of security in your network topology.
STUN on 3478 UDP is one of the requirements: when you set up your container,
UDP port 3478 must be open inbound on the controller machine.
If not, you will see a warning icon next to each UniFi device in your LAN (switch, AP, ...).

Here is the original recommendation directly from the Ubiquiti site; it has worked for me from the beginning:
To resolve this, make sure to open UDP port 3478 on your controller machine firewall and ensure that your router is properly relaying STUN traffic to the UniFi Controller from the UniFi devices.
If you are using your UniFi Controller to manage devices that are not located behind the same router, you will need to set up a port forward similar to how you created one for the inform packets to be forwarded to the controller using port 8080.
 
Here is an aggregated guide to check the correct routing path for STUN:
1. Check that "stun_url" and "mgmt.servers.x.url" point to the same IP address (or FQDN) in the controller file "/etc/persistent/cfg/mgmt".
2. In SSH:
cd cfg
vi mgmt
Check what IPs you can see there.
Ctrl-Z to get out of vi.
Try to ping that host by the STUN IP from the mgmt file.
For example, my STUN URL is stun://unifi/, so I would ping unifi.
See if you get ping responses.
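The check in the post above, scripted as an added example (not the poster's code or anything from Ruud's guide): it extracts the host from stun_url and from mgmt.servers.1.url in a mgmt-style file and reports whether they agree, so the ping target is known before you reach for vi. The file content below is constructed; /etc/persistent/cfg/mgmt lives on the UniFi device (AP or switch) itself, which is why it is not found on the NAS.

```shell
#!/bin/sh
# Added example: compare the STUN host with the inform host in a UniFi device's
# /etc/persistent/cfg/mgmt. SAMPLE_MGMT is CONSTRUCTED, not a real device dump.
SAMPLE_MGMT='mgmt.is_default=false
mgmt.servers.1.url=http://unifi:8080/inform
stun_url=stun://unifi/
mgmt.led_enabled=true'

# url_host URL: strip scheme, path and port, leaving the host or IPv4 address
# (IPv6 literals in brackets are not handled).
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|/.*$||' -e 's|:[0-9]*$||'
}

# cfg_value KEY CONTENT: print the value of the first KEY=... line in CONTENT.
cfg_value() {
    printf '%s\n' "$2" | sed -n "s|^$1=||p" | head -n 1
}

# stun_matches_inform CONTENT: print both hosts; exit 0 when stun_url and
# mgmt.servers.1.url name the same host (the post's step 1), 1 otherwise.
stun_matches_inform() {
    stun=$(url_host "$(cfg_value stun_url "$1")")
    inform=$(url_host "$(cfg_value 'mgmt.servers.1.url' "$1")")
    printf 'stun=%s inform=%s\n' "$stun" "$inform"
    [ -n "$stun" ] && [ "$stun" = "$inform" ]
}

# On the device (not run here):
#   stun_matches_inform "$(cat /etc/persistent/cfg/mgmt)" && ping -c 3 "$stun"
```

A mismatch means the device was informed by one address but told to use STUN on another, so the ping in the post would test the wrong host.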
 
Thanks for the replies. I should have stated this before: I turned on the firewall and implemented these rules as stated in the blog post, with no luck. The controller is on the network so I don't see how this would change anything either.

My Synology's /etc folder does not have the folder persistent, so I cannot find "/etc/persistent/cfg/mgmt". I even checked with root access over SSH.

People who also had this problem just changed controller mounts to goofball. This also seems odd.
Should something be here?
 
Sorry for the delayed answer, OFC I missed your last question. You have to open these ports:
- at the container level setup (up to your routing preferences: same port or custom)
- also in the NAS FW

Container setup:
[screenshot of the container port settings]
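A way to verify the container-level mappings after the fact, as an added example (not from the guide, the poster, or any UniFi image): given the output of `docker port <container>` it reports every required port that is not published with the right protocol. The sample output is constructed; the required list holds only the ports the thread names with a known protocol (3478/udp for STUN, 8080 for inform, 8443 for the GUI), so extend REQUIRED with 5514, 8880, 8843 and the rest per your setup.

```shell
#!/bin/sh
# Added example: check published container ports against the UniFi controller
# requirements discussed in the thread. Extend REQUIRED for your own setup.
REQUIRED='3478/udp 8080/tcp 8443/tcp'

# CONSTRUCTED sample of `docker port unifi` output in which 3478 was published
# as TCP only, which does not satisfy the "UDP 3478 open inbound" requirement.
SAMPLE_BAD='3478/tcp -> 0.0.0.0:3478
8080/tcp -> 0.0.0.0:8080
8443/tcp -> 0.0.0.0:8443'

# missing_ports PORT_OUTPUT: print each required port/proto absent from the
# docker port output; exit 0 when nothing is missing, 1 otherwise.
missing_ports() {
    missing=0
    for need in $REQUIRED; do
        # docker port prints one "port/proto -> host:port" line per mapping
        if ! printf '%s\n' "$1" | grep -q "^$need -> "; then
            echo "missing: $need"
            missing=1
        fi
    done
    return $missing
}

# Live use on the NAS (not run here): missing_ports "$(sudo docker port unifi)"
# Whatever this reports must also be allowed in DSM's firewall, as the reply says.
```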
 


Is there a way to do this after the fact, in other words now? Or do I have to go back and set up the whole process again? I didn't see this option in the guide I referenced above.


Thanks
 
Just waiting for a stable new 6.x version of the controller.
When you have a heavy, irresistible urge to test such "beta releases", don't forget to keep your current controller container for an easy fallback. Again, one excellent example of the hurry-to-market approach with a new major version.
 
Hi, thanks a lot for this very useful resource.

Everything is working fine except I was not able to configure the DSM Synology Reverse Proxy to work with the dockerized UniFi controller.

My Docker instance for the controller runs on DSM with a different fixed IP than DSM itself. I used
Bash:
sudo docker network create -d macvlan --gateway=xxx.xxx.xxx.xxx --subnet=xxx.xxx.0.0/24 --ip-range=xxx.xxx.xxx.fixedip/32 -o parent=bond0 UniFi-Network
If I NAT 8443 on my router to this IP I get access to the UniFi GUI without any problem.
If I NAT 443 to DSM and then configure the reverse proxy to rewrite https://unifi.mydomain.com:443 to https://local_ip:8443 (I have other apps using the reverse proxy this way) it ends up with an error message from the proxy (Sorry, the page you are looking for cannot be found.) when trying to access the controller.

I tried to add the following headers to the proxy, with no success either:

NGINX:
X-Real-IP $remote_addr
X-Forwarded-Host $host
X-Forwarded-For $proxy_add_x_forwarded_for
X-Forwarded-Proto $scheme
Upgrade $http_upgrade
Connection "Upgrade"

Any idea?
 
I can say that the reverse proxy works fine with the UniFi controller Docker setup, just like any regular app that I run. Nothing fancy going on there.

I know it's not helping you atm, but if you are getting a Syno "page cannot be found" that means the RP is calling out. Try to check the /var/log/nginx/error.log log file for more info (if there is any).
 
Sorry, I should have put it in my post:

Code:
2020/10/29 14:06:32 [error] 9862#9862: *37556 connect() failed (113: No route to host) while connecting to upstream, client: xxx.xx.xx.xx, server: unifi.mydomain.com, request: "GET / HTTP/1.1", upstream: "https://local_ip:8443/", host: "unifi.mydomain.com"
 
Well, that's a clear problem right there. Guessing you are getting a 5xx error in your client browser (when you get that "sorry, the page cannot be found")?

If the controller is working this might be a problem with this specific reverse proxy entry. What happens when you use your UniFi container with a default bridge network? Same error?
 
Well, no error 500, just:

[screenshot of the proxy's "page cannot be found" message]


I did not try to use the default bridge as it requires opening way too many ports on DSM's own IP, and I have some that are already used by other services (which cannot be changed easily); that's why I was trying to give a specific fixed IP to the Docker container.

I have to figure out how to route the address.
 
Yes, you are right for external access, but on the LAN, the DSM IP (ex: 192.168.2.100) will be configured to answer on all local ports required by the UniFi container (3478, 5514, 8080, 8443, 8880, 8843, ...). So, if I already have local services on DSM that are bound to those ports... I'm stuck.

If I give the container a dedicated IP I can open ALL ports without any issue (except the RP 😄)
 
Maybe I'm wrong, but aren't UniFi devices (WiFi APs for example) configured by default to talk to the controller on specific ports (8080, 1900, 10001...)? If I change the local ports on the container, all devices may not be able to talk to the controller, no?
 
I can't answer that from that perspective, considering that I don't have an AP. Still, aren't you able to change those ports?

In any case, I just wanted to say that running the controller on the macvlan might be part of the problem when it comes to the RP.
 
You are certainly right. I'm not very familiar with IP routing so I need to dig a bit to see if there is something I can do. Anyway, thanks for your help.
 
1. You don't need port 1900, because it's for the "mDNS query" controller feature: Make controller discoverable on L2 network.

2. Also, you don't need to use port 10001 when you don't use other Ubiquiti (non-UniFi range) products. It's similar to Cisco CDP.

A bridge network for the container is the right way.
 
Ok thanks.
 
