net: UniFi 3.0

Well, we’ve been waiting a long time for older devices like the UniFi Dream Machine (UDM) and the UniFi Dream Machine Pro to finally move from the 1.x branch to the new 3.0, and it finally happened about three months ago. I have since migrated five UDMs and a UDM Pro. Evan McCann as usual has a great overview of what the new 3.x is all about, so I shamelessly crib from that.

Background: Moving to a new OS

The big issue is that UniFi OS 1.x used a completely different operating system containerization scheme from the newer OS 2.x/3.x. The migration is pretty complicated because you have to go from 1.x to 2.x and then finally to 3.x, but it does work. They did a nice job of not requiring a complete rebuild of the system on this migration, so it took a while, but it definitely did work, at least for me.

New features of OS 3.x

The big changes here are synchronized with UniFi Network 7.x, which runs on OS 3.x. The big change, by the way, is to add more applications like Protect and Access, so what was once a single application just for networking now has multiple applications running on top. They confusingly call it the console, which sounds like hardware; perhaps a better name for the OS is the management OS, and a better name for an application is a management module. Here are the big new features:

  1. WireGuard. This allows a much simpler VPN setup for those of you who want a private VPN between branches in your organization. I normally use Tailscale for home use, so it is not useful to me. They have a similar feature called Teleport, but that is UniFi-specific, whereas Tailscale is independent, which is nice.
  2. Load Balancing on the UDM Pro. This actually arrived with OS 2.5.7, but with the UDM Pro you can not only have two network connections but also balance between them. Sadly, I can’t support Starlink anymore (Elon ugh!), but it would be nice to have an unlimited hotspot with T-Mobile and then allow sharing. I will probably reinstall the network backup, but I did find that Comcast does intermittently lose connection, so even with a 30GB hotspot, I was using up all the data.
  3. Ad Blocking. They have support for this now, but I’ve not quite figured out how to use it. I normally use NordVPN for this and find that there are a host of problems with sites that don’t work with it on, so I hope it is configurable.

GitHub Port Unblocking Has Moved to the System Log

One of the big pains I’ve been suffering from is that GitHub has so many different hosts (they apparently do not use a load balancer on their front end) that I’m constantly getting ssh: connect to host port 22: Operation timed out

What this means is pretty mysterious. It sometimes means 1Password is not up and running, since my SSH keys are stored there, but usually it means there is a new IP address and I have to go to UniFi to allow it.

For the latest UniFi 3.1, here is how you do that:

  1. Start the UniFi OS console.
  2. Go to Networks > Filtering Activities.
  3. Then you will see a list of clients; look for your machine. Note that if you are using a network connection, it might appear as the Thunderbolt device rather than being listed as your computer.
  4. Note that this actually just redirects you to UniFi Console > System Log > Security Detections.
  5. Now click on your device, and you should see the connection to the GitHub IP. Make sure this is really a GitHub IP: look the IP up and confirm it is owned by GitHub.
  6. Then look at the detection; it should say something like ET SCAN Potential SSH Scan. For this one, just choose Allow This IP.
  7. You can check that the new rule added is correct by going to Settings > Firewall & Security and scrolling down the list; at the bottom should be what you just added.
  8. It should sit among a whole bunch of manual IPS Deny List entries, which are specific bad actors out there that are to be blocked.
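Step 5 is the one that matters: before you click Allow This IP, confirm that the address the IPS flagged really belongs to GitHub, otherwise you are punching a permanent hole for whoever happened to be scanning you. GitHub publishes its address ranges as JSON at https://api.github.com/meta, with separate lists for git, web, api and so on. The Python below is an added example, not code from this post or from Ubiquiti or GitHub, that checks a candidate IP against a parsed copy of that document and says whether it belongs in the "git" list (the only one an ssh port 22 allow rule should ever need). The CIDRs in SAMPLE_META_JSON are constructed documentation prefixes, not GitHub's real ranges; replace that string with the live response (for example the output of curl https://api.github.com/meta) before trusting a verdict.

```python
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the https://api.github.com/meta response.
# These are RFC 5737 / RFC 3849 documentation prefixes, NOT GitHub's real ranges;
# swap in the live document before using this for a real allow decision.
SAMPLE_META_JSON = """
{
  "verifiable_password_authentication": false,
  "git": ["192.0.2.0/24", "2001:db8:1::/48"],
  "web": ["198.51.100.0/24"],
  "api": ["203.0.113.0/24"]
}
"""

Network = ipaddress._BaseNetwork


def load_ranges(meta_json: str) -> Dict[str, List[Network]]:
    """Parse a meta document into {category: [ip_network, ...]}.

    Non-list keys (e.g. verifiable_password_authentication) and entries that are
    not valid CIDRs are skipped rather than raising, so a slightly changed document
    shape does not break the check.
    """
    meta = json.loads(meta_json)
    ranges: Dict[str, List[Network]] = {}
    for category, entries in meta.items():
        if not isinstance(entries, list):
            continue
        nets: List[Network] = []
        for entry in entries:
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue
        if nets:
            ranges[category] = nets
    return ranges


def github_category(ip: str, ranges: Dict[str, List[Network]]) -> Optional[str]:
    """Return the first GitHub category whose published range contains ip, else None.

    Works for IPv4 and IPv6; an address in no published range means GitHub does
    not claim it, whatever reverse DNS or a whois guess might suggest.
    """
    addr = ipaddress.ip_address(ip)
    for category, nets in ranges.items():
        if any(addr in net for net in nets):
            return category
    return None


def allow_decision(ip: str, ranges: Dict[str, List[Network]]) -> Tuple[bool, str]:
    """Decide whether an IPS 'Potential SSH Scan' hit for ip deserves an Allow rule.

    Only the 'git' ranges serve ssh; a web or api address has no business on
    port 22, and an unknown address keeps the block.
    """
    category = github_category(ip, ranges)
    if category == "git":
        return True, f"{ip} is in GitHub's published git range; safe to allow on port 22"
    if category is not None:
        return False, f"{ip} is GitHub's {category} range, not its git/ssh endpoints; keep the block"
    return False, f"{ip} is not in any GitHub published range; leave the IPS block in place"


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_META_JSON)
    for candidate in ("192.0.2.10", "2001:db8:1::5", "198.51.100.7", "10.0.0.1"):
        ok, why = allow_decision(candidate, ranges)
        print(("ALLOW " if ok else "DENY  ") + why)
```

The point of keying on the "git" list rather than "is this GitHub at all" is that the Security Detections page only shows you an IP and a signature name; the allow rule you create is a blanket one for that address, so you want the narrowest justification you can get for it.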
