Unifi on foosel.nethttps://foosel.net/tags/unifi/Recent content in Unifi on foosel.netHugoen-usGina Häußge (foosel)Mon, 28 Aug 2023 00:00:00 +0000How to monitor network traffic on my USG via Wiresharkhttps://foosel.net/til/how-to-monitor-network-traffic-on-my-usg-via-wireshark/Mon, 28 Aug 2023 00:00:00 +0000https://foosel.net/til/how-to-monitor-network-traffic-on-my-usg-via-wireshark/<p>I&rsquo;m currently trying to figure out some internal network issues<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> and for that need to monitor the traffic of a specific device on my network. I&rsquo;m using a Unifi USG as my router (behind the ISP&rsquo;s Fritzbox that I consider hostile since it&rsquo;s not mine). I found <a href="https://www.reddit.com/r/Ubiquiti/comments/ar444z/what_is_the_best_way_to_monitor_traffic_of_a/egkv91p/">this post on reddit</a> that explains how to capture traffic on the USG via <code>tcpdump</code> and send it through the SSH session to Wireshark on my laptop:</p>I’m currently trying to figure out some internal network issues1 and for that need to monitor the traffic of a specific device on my network. I’m using a Unifi USG as my router (behind the ISP’s Fritzbox that I consider hostile since it’s not mine). I found this post on reddit that explains how to capture traffic on the USG via tcpdump and send it through the SSH session to Wireshark on my laptop:

ssh admin@192.168.1.1 'sudo tcpdump -f -i eth1 -w - src 192.168.1.12' | wireshark -k -i -

I could confirm that this works and created a small script to make it easier to use by throwing this into ~/.local/bin/gatedump2:

#!/bin/bash

ARGS="$@"
TCPDUMP="sudo tcpdump -f -w - $ARGS"

ssh usg "$TCPDUMP" | wireshark -k -i -

This now allows me to easily run tcpdump remotely with custom arguments, e.g. gatedump -i eth1 host 192.168.1.123, and have it fire up Wireshark automatically. Wish me luck I’ll now be able to figure out what’s going on on my network, because it’s driving me up the wall.

Update from 2023-12-06: In case you are wondering how this story ended, the issue resolved itself with the next OS update of my partner’s iPhone. So whatever caused it, it’s gone now, and I hope for good.

  1. The iPhone of my partner seems to do something that makes my ISP’s router freak out and drop packets every couple of minutes. No issue when he’s not here or doesn’t have it connected to the WiFi, immediate packet loss when it’s on the WiFi. It started at the start of this month and we are both currently out of explanations. ↩︎

  2. ssh usg does automatically use the correct host, port and user thanks to an entry in ~/.ssh/config↩︎

]]>How to add a switch for a port forward on Unifi to Home Assistanthttps://foosel.net/til/how-to-add-a-switch-for-a-port-forward-on-unifi-to-home-assistant/Fri, 17 Feb 2023 00:00:00 +0000https://foosel.net/til/how-to-add-a-switch-for-a-port-forward-on-unifi-to-home-assistant/<p>This is admittedly something I did not learn today but rather learned and adapted a couple years ago <a href="https://community.home-assistant.io/t/automating-unifi-port-forwarding-based-upon-presence-detection/168185">from this post on the Home Assistant forum</a>, but I just had to use it again today and so I figured I&rsquo;d write it down with all the bells and whistles just in case I ever need this information again - or anyone else does.</p> <p>First of all, in your unifi controller you should create a new user that Home Assistant will act as to manage your port forward(s) for you. So, log into the controller, go into Settings &gt; Administrators and add a new Administrator user<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>.</p>This is admittedly something I did not learn today but rather learned and adapted a couple years ago from this post on the Home Assistant forum, but I just had to use it again today and so I figured I’d write it down with all the bells and whistles just in case I ever need this information again - or anyone else does.

First of all, in your unifi controller you should create a new user that Home Assistant will act as to manage your port forward(s) for you. So, log into the controller, go into Settings > Administrators and add a new Administrator user1.

Then create your port forward in Settings > Routing & Firewall > Port Forwarding. Take note of the id of the port forward you have created - you can find it by clicking edit on it again, it will be the number at the end of the URL of the edit page. E.g. if the URL looks like this: https://my.unifi.controller/manage/site/default/settings/portforward/edit/1234567890 then this is the id of the port forward: 1234567890.

Next, copy this shell script to /config/scripts/unifi.sh in your Home Assistant. Make sure to adjust https://my.unifi.controller (and, if necessary, the site default) to your own values.

#!/bin/sh

set -e

# based on https://community.home-assistant.io/t/automating-unifi-port-forwarding-based-upon-presence-detection/168185

cookie=$(mktemp)
headers=$(mktemp)
curl_cmd="curl --silent --cookie ${cookie} --cookie-jar ${cookie} -D ${headers} --insecure"

BASEURL="https://my.unifi.controller"
SITE="default"

auth() {
  USERNAME=$1
  PASSWORD=$2

  # authenticate against unifi controller
  ${curl_cmd} --output /dev/null -d "{\"username\":\"$USERNAME\", \"password\":\"$PASSWORD\"}" $BASEURL/api/login

  # grab the `x-csrf-token` and strip the newline (added when upgraded to controller 6.1.26)
  csrf="$(awk -v FS=': ' '/^x-csrf-token/{print $2}' "${headers}" | tr -d '\r')"
  echo $csrf
}

portfwd() {
  USERNAME=$1
  PASSWORD=$2
  FORWARD_ID=$3
  FORWARD_ENABLED=$4

  # authenticate against unifi controller
  csrf=$(auth $USERNAME $PASSWORD)

  # enable/disable firewall rule
  body=$(${curl_cmd} -X GET $BASEURL/api/s/default/rest/portforward/$FORWARD_ID | jq '.data[0] | .enabled='$FORWARD_ENABLED'')
  ${curl_cmd} -X PUT $BASEURL/api/s/default/rest/portforward/$FORWARD_ID -H "Content-Type: application/json" -H "x-csrf-token: ${csrf}" -d @<(echo "$body")
}

isportfwd() {
  USERNAME=$1
  PASSWORD=$2
  FORWARD_ID=$3

  # authenticate against unifi controller
  csrf=$(auth $USERNAME $PASSWORD)

  ${curl_cmd} -X GET $BASEURL/api/s/default/rest/portforward/$FORWARD_ID | jq '.data[0].enabled'
}

"$@"

Now, let’s imagine you want to add a switch for an SFTP port forward that you’ve just created. Then, in your secrets.yaml file, add the following:

unifi_forward_sftp_check: '/bin/bash /config/scripts/unifi.sh isportfwd <user> <password> <forward_id>'
unifi_forward_sftp_enable: '/bin/bash /config/scripts/unifi.sh portfwd <user> <password> <forward_id> true'
unifi_forward_sftp_disable: '/bin/bash /config/scripts/unifi.sh portfwd <user> <password> <forward_id> false'

Replace <user>, <password> and <forward_id> with the login credentials and id of the forward you just created.

Next, add a command line switch definition to your configuration.yaml (or in my case to my packages/network.yaml file):

switch:
  - platform: command_line
    switches: 
      sftp_port_forward:
        friendly_name: "SFTP Port Forward"
        command_state: !secret unifi_forward_sftp_check
        command_on: !secret unifi_forward_sftp_enable
        command_off: !secret unifi_forward_sftp_disable
        value_template: '{{ bool(value, false) }}'

Throw that somewhere on your dashboard, or alternatively tie it into some automation, and you’re good to go!

  1. Maybe a regular user suffices as well, I honestly can’t remember, but I’m using an admin user here. ↩︎

]]>