Running tcpdump on Ubiquiti Airmax Equipment

Posted on March 15, 2023 by admin

Ubiquiti Airmax gear has tcpdump included. We can easily use it to capture packets to a file and then use SCP from the device to copy the file for analysis.

SSH to the device

ssh ubnt@192.168.1.20
cd /tmp/

Start tcpdump with the following command. Change ath0 and file.cap to the appropriate interface and file name.

tcpdump -i ath0 -w file.cap

After we are done collecting, we can quit with ctrl + c

Now we can use scp or sftp to copy the files off. There is an issue using scp or sftp from a normal Linux machine to the radio, fails with a “sh: /usr/libexec/sftp-server: not found”. It works fine if you initiate scp from the radio.

scp /tmp/file.cap username@remoteip:~/

Find UniFi Network Cloud Inform URL

Posted on February 1, 2023 by admin

What is the format for the UniFi Network Cloud inform URL?

The format for the UniFi inform URL should be similar to the following

a38927b1-23aa-e95d-94b4-8394abce9302.unifi-hosting.ui.com

Now Where is the UniFi Cloud Inform Link?

The inform URL is supposed to be on the cloud console page. However, it appears that it doesn’t show the link if you are not Owner.

Web Development Tools to the rescue!

On the UniFi console page, click on “About this Console”

Open up the Web Tools, Click on the Network tab, make sure that you have the Domain column enabled.

Refresh the page.

Look for the Domain that matches the UniFi Cloud URL format.

Example: a38927b1-23aa-e95d-94b4-8394abce9302.unifi-hosting.ui.com

You can confirm this is the correct URL by browsing to it directly. It should redirect to your cloud instance.

Extra tip: If you are migrating from a UniFi Console (CloudKey, UDM, DreamMachine) to UniFi Cloud, you can restore a backup of your CloudKey (Or other console) and then use the Host Inform Override option (from CloudKey) to tell all the devices on the network to connect to the cloud instance. May need to reboot or force provision.

https://community.ui.com/questions/Unifi-Controller-Migration-Question/a49914df-f770-4c2d-a0e4-143d6314c9a4

Change VLAN ID Ubiquiti Radio from SSH

Posted on November 29, 2022 by admin

First we’ll need to ssh into the device

ssh ubnt@192.168.1.20

Next lets open up the config file

vi /tmp/system.cfg

Now search for vlan and replace the vlan id with the appropriate number

In VI you can search by hitting / and then type in vlan

After you have changed all the vlan ids, save the file with esc, wq, enter.

Now we can save the config with

cfgmtd -f /tmp/system.cfg -w && reboot

OIDs for UI / Ubiquiti Solar Charge Controller

Posted on November 21, 2022 by admin

Here is a list of OIDs for Ubiquiti’s solar charge controller. You can download the

Top interesting ones are

Battery Voltage 1.3.6.1.4.1.41112.1.11.1.1.2
Panel Voltage 1.3.6.1.4.1.41112.1.11.1.2.2

snmptranslate -Pu -Tz -m ./UBNT-MIB:./UBNT-SUNMAX-MIB
"org"                   "1.3"
"dod"                   "1.3.6"
"internet"                      "1.3.6.1"
"directory"                     "1.3.6.1.1"
"mgmt"                  "1.3.6.1.2"
"mib-2"                 "1.3.6.1.2.1"
"transmission"                  "1.3.6.1.2.1.10"
"experimental"                  "1.3.6.1.3"
"private"                       "1.3.6.1.4"
"enterprises"                   "1.3.6.1.4.1"
"ubnt"                  "1.3.6.1.4.1.41112"
"ubntMIB"                       "1.3.6.1.4.1.41112.1"
"ubntORTable"                   "1.3.6.1.4.1.41112.1.1"
"ubntOREntry"                   "1.3.6.1.4.1.41112.1.1.1"
"ubntORIndex"                   "1.3.6.1.4.1.41112.1.1.1.1"
"ubntORID"                      "1.3.6.1.4.1.41112.1.1.1.2"
"ubntORDescr"                   "1.3.6.1.4.1.41112.1.1.1.3"
"ubntSnmpInfo"                  "1.3.6.1.4.1.41112.1.2"
"ubntSnmpGroups"                        "1.3.6.1.4.1.41112.1.2.1"
"ubntORInfoGroup"                       "1.3.6.1.4.1.41112.1.2.1.1"
"ubntORCompliance"                      "1.3.6.1.4.1.41112.1.2.1.2"
"ubntAirosGroups"                       "1.3.6.1.4.1.41112.1.2.2"
"ubntAirFiberGroups"                    "1.3.6.1.4.1.41112.1.2.3"
"ubntEdgeMaxGroups"                     "1.3.6.1.4.1.41112.1.2.4"
"ubntUniFiGroups"                       "1.3.6.1.4.1.41112.1.2.5"
"ubntAirVisionGroups"                   "1.3.6.1.4.1.41112.1.2.6"
"ubntMFiGroups"                 "1.3.6.1.4.1.41112.1.2.7"
"ubntUniTelGroups"                      "1.3.6.1.4.1.41112.1.2.8"
"ubntAFLTUGroups"                       "1.3.6.1.4.1.41112.1.2.9"
"ubntSunMaxGroups"                      "1.3.6.1.4.1.41112.1.2.10"
"sunMaxCompliances"                     "1.3.6.1.4.1.41112.1.2.10.1"
"sunMaxGroups"                  "1.3.6.1.4.1.41112.1.2.10.2"
"ubntAirFIBER"                  "1.3.6.1.4.1.41112.1.3"
"ubntEdgeMax"                   "1.3.6.1.4.1.41112.1.5"
"ubntUniFi"                     "1.3.6.1.4.1.41112.1.6"
"ubntAirVision"                 "1.3.6.1.4.1.41112.1.7"
"ubntMFi"                       "1.3.6.1.4.1.41112.1.8"
"ubntUniTel"                    "1.3.6.1.4.1.41112.1.9"
"ubntAFLTU"                     "1.3.6.1.4.1.41112.1.10"
"ubntSunMax"                    "1.3.6.1.4.1.41112.1.11"
"sunMaxMIB"                     "1.3.6.1.4.1.41112.1.11.1"
"sunMaxBatteryStats"                    "1.3.6.1.4.1.41112.1.11.1.1"
"sunMaxBatCurrent"                      "1.3.6.1.4.1.41112.1.11.1.1.1"
"sunMaxBatVoltage"                      "1.3.6.1.4.1.41112.1.11.1.1.2"
"sunMaxBatPower"                        "1.3.6.1.4.1.41112.1.11.1.1.3"
"sunMaxBatTemp"                 "1.3.6.1.4.1.41112.1.11.1.1.4"
"sunMaxPvPanelStats"                    "1.3.6.1.4.1.41112.1.11.1.2"
"sunMaxPVCurrent"                       "1.3.6.1.4.1.41112.1.11.1.2.1"
"sunMaxPVVoltage"                       "1.3.6.1.4.1.41112.1.11.1.2.2"
"sunMaxPVPower"                 "1.3.6.1.4.1.41112.1.11.1.2.3"
"sunMaxOutPutStats"                     "1.3.6.1.4.1.41112.1.11.1.3"
"sunMaxOutCurrent"                      "1.3.6.1.4.1.41112.1.11.1.3.1"
"sunMaxOutVoltage"                      "1.3.6.1.4.1.41112.1.11.1.3.2"
"sunMaxOutPower"                        "1.3.6.1.4.1.41112.1.11.1.3.3"
"security"                      "1.3.6.1.5"
"snmpV2"                        "1.3.6.1.6"
"snmpDomains"                   "1.3.6.1.6.1"
"snmpProxys"                    "1.3.6.1.6.2"
"snmpModules"                   "1.3.6.1.6.3"
"zeroDotZero"                   "0.0"

Get battery voltage

We can get the battery voltage from the controller with the following SNMP walk command. Change the community “ubnt” to your SNMP community.

snmpwalk -c ubnt -v2c 10.96.1.9 1.3.6.1.4.1.41112.1.11.1.1.2

Return value is

SNMPv2-SMI::enterprises.41112.1.11.1.1.2.0 = INTEGER: 24990

You may need to add a zero if you are trying to add the OID in LibreNMS for a custom OID.

Custom OID not not working but snmpwalk test does?
byu/tb808 inLibreNMS

Restart UniFi services on UDM

Posted on October 31, 2022 by admin

Mark manages the Ubiquiti UniFi applications at Incredigeek Inc. and is unable to access the UniFi controller. It starts loading and then stops. The URL bar shows that it is trying to load a null network site.

Thankfully the WiFi is still working, Mark thinks to himself, but how am I supposed to manage the network? I am able to access the UniFi Core application, so maybe I can login using a secure shell and check on the application.

ssh root@192.168.1.1

Once logged in, and after using the google, he finds that unifi-os restart will restart the UniFi applications. But I just need to restart the Network application. Running “unifi-os” –help reveals the following options.

# unifi-os --help
Usage: /usr/sbin/unifi-os [stop start restart shell 'update url']

Oh shell!

unifi-os shell

Alternatively, we know that on the UDM’s the UniFi Applications are run inside a Docker container. We could run “docker ps” to show the containers and then “docker exec -it unifi-os bash”

Now we can restart just the UniFi Network application.

systemctl restart unifi

It can take a little bit to restart.

UDM Pro Error Changing WAN IP Addresses

Posted on October 25, 2022 by admin

There appears to be a bug on the UDM Pro that you can encounter while trying to update your WAN IP addresses. The error was similar to “Can’t change IP Address “PublicIP” used in Default Network”

https://community.ui.com/questions/UDM-Pro-Cant-set-Static-IP-Address-on-WAN-interface/9f83c841-da1a-4b16-b963-c4be3ae3fbab?page=2

It appears that the issue stems from the Internet Source IP being used in the LAN Network settings.

The way to work around this is to disable the Internet Source IP. However, this is greyed out which keeps us from making any changes. We can however use the Chrome Developer tools to get around this restriction.

Enable the Legacy Interface. UniFi Network Settings -> System -> Legacy Interface
Go to Settings -> Networks -> Edit (Select Default Network)
Open up the Dev tools with Ctrl + Shift + i and select Console
Paste the following in and hit enter

$$('[disabled]').forEach( a => a.disabled=false )

Find “Internet Source IP”, Disable and Save!

Swap back to the new user interface and go change the WAN IP address.

Disable Wireless Security (WPA2) Preshared Key on Ubiquiti AC

Posted on September 27, 2022 by admin

Update: Found this handy dandy FAQs link https://help.ui.com/hc/en-us/articles/115009192828

Included in the FAQ is a section on “How to Disable Wireless Security on airMAX AC Devices?”

The default security configuration for AC devices since firmware version 8.5.11 was changed to WPA2 AES with a pre-shared key 0000:0000.
Ubiquiti Default AC device WPA2 Preshared key

On Ubiquiti AC radios, you can not disable WPA 2 security through the web interface. This is not necessarily bad, however, what happens if you have a client that is reset and will only connect to the default ubnt SSID?

Fortunately there is a way to disable the WPA2 Preshared key.

Log into the device over ssh.
Run the following command to disable WPA2 in the config
sed -i s/aaa.1.wpa.mode=2/aaa.1.wpa.mode=0/g /tmp/system.cfg
Save the config file with
/usr/etc/rc.d/rc.softrestart save
Login to the client device and configure the SSID.

After you are done, you can click the enable button to re-enable Wireless Security.

Note: aaa.1.wpa.mode=2 doesn’t appear to be on all devices. If not, change “wpasupplicant.status=enabled” to “wpasupplicant.status=disabled”

Screenshot from UI help page on Wireless Security on airMAX AC devices

Auto Reboot Ubiquiti Devices with ubntmod.sh

Posted on September 3, 2022 by admin

Most of the heavy lifting is done by the ubntmod.sh script. All you need is the IP addresses for the access points. The script will figure out the connected devices, reboot them first, then reboot the AP.

Here is a quick run down of the steps we need to perform.

Create list of AP’s and put them into an ap.lst file
Install ubntmod.sh script
Configure usernames and passwords to use with ubntmod.sh
Setup crontab to automatically run

Create list of AP’s and put them into an ap.lst file

This is really as simple as creating the ap.lst file and filling it with the access point IP addresses. One per line. The script uses wstalist to discover connected devices.

nano ap.lst

Install ubntmod.sh script

Installing the script is really hard. 2 lines to get setup.

wget http://incredigeek.com/home/downloads/ubntmod/ubntmod.sh
chmod +x ./ubntmod.sh

More information can be found here.

https://www.incredigeek.com/home/ubntmod/

Setup usernames and passwords to use with ubntmod.shd

When you first run ubntmod.sh without the -y option, it should prompt you to setup usernames and passwords to use. After this is setup, the script automatically reads from the config file for future use.

You can manually modify the ubntmod.conf file update any usernames or passwords.

Example contents of ubntmod.conf file.

unpw=( "ubnt,ubnt"
"ubnt,password"
"admin,password"
)

Setup crontab to automatically run

Open up crontab with

crontab -e

Configure the time. Refer to here for crontab date syntax

10 1 * * * cd /home/bob/ && ./ubntmod.sh -A

That’s it. Should be good to go.

Searching for devices in UniFi via command line / MongoDB

Posted on April 22, 2022 by admin

While the UniFi controller is nice and everything, it does make it hard to see if a device is already adopted. At least if you have a ton of sites. Fortunately, we can search the database directly to find out if a UniFi is already adopted and which site it is assigned to.

Connect to Mongo DB

First we need to connect to MongoDB. And then we need to use the ace database.

mongo -port 27117

use ace

List all the devices on the controller

This command will list all the devices on the controller. Regardless of which site they are assigned to.

db.device.find({}, { site_id:"", ip : "", name :"", mac:""})

Example output

{ "_id" : ObjectId("563a4d94e4b054e5376fc600"), "mac" : { "_id" : ObjectId("563a4d94e4b054e5376fc600"), "mac" : "44:d9:e7:34:d1:08", "ip" : "192.168.1.200", "name" : "Main_WiFi", "site_id" : "39485e9abf0e9a047bcded96" }
{ "_id" : ObjectId("9873b39ed1f5d30a6738abe"), "mac" : "44:d9:e7:01:a3:d4", "ip" : "192.168.1.201", "name" : "Testing_Wifi", "site_id" : "39485e9abf0e9a047bcded96" }

Each UniFi will have a “site_id”. You can use that ID to figure out which site it is assigned to.

List all the sites on the controller

db.site.find()

Example output

{ "_id" : ObjectId("39485e9abf0e9a047bcded96"), "name" : "default", "desc" : "Testing Site", "attr_hidden_id" : "default", "attr_no_delete" : true, "anonymous_id" : "83ae20ba-2948-458e-fd0a-1320583ecb04" }

Using our “site_id” from above, we see that the Testing_Wifi device is assigned to the “Testing Site” on the controller.

Something else to look at would be to use the UniFi controller API.

https://ubntwiki.com/products/software/unifi-controller/api

Extract UniFi .unf backup file

Posted on December 3, 2021 by admin

In this post we are going to extract the contents of a UniFi .unf backup.

This is helpful if we need to do any sort of recovery, or need to look through the database to find system information.

Acquire backup
Decrypt and extract backup
Dump database to JSON file

Acquire Backup

This is easy to do. Log into the web interface go to Settings -> System -> Maintenance -> Backup and Restore

Scroll down to Available Backups and download.

You can also get the file via scp or sftp. Manual backups are located in

/usr/lib/unifi/data/backup

and auto backups are in

/usr/lib/unifi/data/backup/autobackup

Decrypt and Extract Backup

We’ll be getting the following decrypt script from here. https://github.com/zhangyoufu/unifi-backup-decrypt More notes on it below.

We’ll need to make sure that openssl and zip are installed

sudo apt install openssl zip

Download the script with wget

wget https://raw.githubusercontent.com/zhangyoufu/unifi-backup-decrypt/master/decrypt.sh

Make it executable

sudo chmod u+x decrypt.sh

And now we can convert the UniFi .unf backup file to a .zip

sudo ./decrypt.sh autobackup_6.2.33.unf autobackup_6.2.33.zip

Now we can extract the zip archive. You can do this on Windows, macOS, or Linux through the GUI or you can extract with

sudo unzip autobackup_6.2.33.zip -d unifi

This will extract all the files and folders to a directory named unifi.

cd unifi

Dump database to JSON

You should now see the db.gz file. This is a compressed archive of the database in BSON (Binary JSON) format. We can use the mongo-tools to convert this to a more human readable JSON format.

sudo apt install mongo-tools

Now we can extract the archive and pipe it through bsondump.

gunzip -c db.gz | bsondump

You can run it through grep to filter out what you need.

You can also dump the db to a json file with

bsondump --bsonFile=db --outFile=db.json

More notes on the decrypt script.

The decrypt script is really simple. It looks like it uses a key to decrypt the UniFi backup and then puts all the contents into a zip file. There is also an encryption script. Theoretically you can decrypt, make changes to the config and then reencrypt and restore to a server.

#!/bin/sh

# Authors:
# 2017-2019 Youfu Zhang
# 2019 Balint Reczey <balint.reczey@canonical.com>

set -e

usage() {
    echo "Usage: $0 <input .unf file> <output .zip file>"
}

if [ -z "$2" -o ! -f "$1" ]; then
    usage
    exit 1
fi

INPUT_UNF=$1
OUTPUT_ZIP=$2

TMP_FILE=$(mktemp)
trap "rm -f ${TMP_FILE}" EXIT

openssl enc -d -in "${INPUT_UNF}" -out "${TMP_FILE}" -aes-128-cbc -K 626379616e676b6d6c756f686d617273 -iv 75626e74656e74657270726973656170 -nopad
yes | zip -FF "${TMP_FILE}" --out "${OUTPUT_ZIP}" > /dev/null 2>&1