Unifi Controller setup in docker (across VLANs)

Making things hard on myself.
linux
networking
docker
Published

January 18, 2024

Introduction

This post is about how I set up a Unifi network controller for my wireless access points in docker, dealing with VLANs along the way.

Background

I have a couple of Unifi Wireless Access points for Wifi in my house. Configuration of all Unifi network devices is done through a web portal. I think if you have one of their routers it’s hosted on the router itself, but I use pfsense for my router. You can also buy a standalone “cloud key” but they’re like $200 and that seems silly. You can also host the controller service in a docker container. I’ve been doing that for quite a while without issue, but some recent changes in my setup led to me modifying how I do that, and also this post.

Previously, my docker host machine was on the same subnet as my access points and I happily ran the unifi-controller container from linuxserver with a bunch of ports exposed and everything worked fine. As part of the virtualization and network segmentation adventure I’ve been on I’ve been rebuilding my container host in a VM, and I’ve moved that VM to a different VLAN than my Access points. This has surfaced some issues.

First issue - outdated containers

As part of my migration I took a look to see if there were any updates to my controller container. This turns out to have been timely, as it had been deprecated not too long before I took this project up. The good news is there’s a new unifi-network-application container. The bad news is it’s a real pain to set up, at least for me.

As per the docs I performed a backup from my old unifi-controller and shut it down. That part went fine. When it came to standing up the new container I had a nightmare of a time getting the mongodb container it needs (which is also pinned to a very outdated version thanks to Unifi) to start up with a proper database and credentials. There are a bunch of open and closed issues with people having varying degrees of success getting things working. For the life of me I couldn’t get it stood up in a fully automated way. I attached the correct init scripts to the container, validated they were visible in it etc, but nothing worked. Eventually I stood up the mongo container, remoted into it and just ran mongo unifi /docker-entrypoint-initdb.d/init-mongo.js, which worked. Why it didn’t correctly pick that up and run it at instantiation like it was supposed to is beyond me. Whatever.

After that I got the network application container up and running easily and restored my config. I even remembered to update the inform host setting to my new IP since otherwise it just gives the docker container’s IP, which is not visible to the rest of the network. But at this point I hit my second issue.

Second issue - device discovery across networks

Now for the next issue. My APs are on my infra network, but this VM is on my services network. Apparently device discovery does not work across subnets. I looked this up and there are some ways to address this while keeping things on different networks. I could have ssh’d into each of my APs and hard coded the controller IP. That probably would have worked, and I only have a couple APs so it would have been scalable, but I wanted to find a better way.

My first attempt was to create an IPvlan docker network and attach the container to that. Everything ran, but I couldn’t connect to the container at the address I assigned. I’m pretty sure that’s because the network interface I created for the VM running the container in XCP-NG was set with a VLAN tag so it’s automatically stripping all other VLAN tags and adding in the assigned one.

To address that I modified the machine’s config in terraform to add another network interface that was associated with my infra network. After that I was able to create an IPvlan network (without specifying the VLAN tag at the docker level) associated with that interface and give the container an IP. With that working my APs were adopted and I was good to go, happy ending!

Conclusion

I had a bit of a hassle getting my Unifi access points to talk to my reinstalled Unifi controller. I wanted to document what I went through here as either a reference to myself in the future, or to help others.