Monday, April 18, 2022

Unifi Controller - STUN Not Working Through Cloudflare



I had made some changes, removed the previous CDN and started using Cloudflare on a new site. Everything seemed OK at first. Set up the DNS records Cloudflare asks for on my serving host, Cloudflare verifies you own the domain, 24 hours later, and you're good to go......sorta.


I have a slew of DDNS names running off of another domain for clients. About a week goes by and I realize I'm not able to resolve a client's DDNS name. I figure it's part of a local outage. Later that day I try again and the issue persists so I press on.


First off I realized that the DDNS NS records didn't get pulled in to Cloudflare.

OK, so to solve that I literally had to import each DDNS name, mark it as an NS record, and point it back to the name server where I have the DDNS service running. Within 15 minutes all of the NS records started working again.

A few days pass and I log in to take a look at my Unifi controller. Normally it's blabbering about latency errors from every single wireless client on every single site I have. The devices don't actually have an issue but Ubiquiti doesn't seem to care when you try to inform them about the situation. Anyway, that's a whole other conversation for another time.

I'm seeing STUN errors on every single device. I log into the router and double-check port forwarding for the standard port of 3478. It's there all right. Turns out you can't hide an IP address behind Cloudflare when that address has a STUN server running on it. Cloudflare only port forwards a select number of HTTP and HTTPS ports. The default for STUN, 3478, is not on the list. (While using a Unifi Cloud Key you cannot change this port. I can't even SSH into the damn thing to play around with the internals. I will do this in another post.) So you have to select the gray cloud icon in Cloudflare and set that A record to not be proxied. Bummer.
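One way to confirm from outside the network whether STUN on UDP 3478 answers for a given hostname, before and after switching the record to the gray cloud. This is an added example, not code from the original post; the hostname is a placeholder, and it assumes the controller replies to a standard STUN Binding Request (RFC 5389).

```python
import os, socket, struct

MAGIC = 0x2112A442                       # STUN magic cookie (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid=None):
    """20-byte STUN header: type, length 0, magic cookie, 96-bit transaction id."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid, txid

def parse_binding_response(data, txid):
    """Return (ip, port) as seen by the server, or None if not a valid reply."""
    if len(data) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC or data[8:20] != txid:
        return None
    pos, end = 20, min(len(data), 20 + mlen)
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        val = data[pos + 4:pos + 4 + alen]
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(val) >= 8 and val[1] == 1:
            port, addr = struct.unpack("!HI", val[2:8])      # family 1 = IPv4
            if atype == XOR_MAPPED_ADDRESS:                  # un-XOR with the cookie
                port, addr = port ^ (MAGIC >> 16), addr ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)    # attributes are padded to 4 bytes
    return None

def stun_reachable(host, port=3478, timeout=3.0):
    """Send one Binding Request over UDP; None means no valid STUN answer."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(req, (host, port))
            data, _ = s.recvfrom(2048)
        except OSError:                  # timeout, ICMP unreachable, DNS failure
            return None
    return parse_binding_response(data, txid)

if __name__ == "__main__":
    # "unifi.example.com" is a placeholder hostname, not from the post.
    print(stun_reachable("unifi.example.com"))
```

A `None` result while the record is proxied (orange cloud), followed by an address and port once it is set to DNS only, matches the behaviour described above.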


Here's a link to Unifi's default ports:

Here's a link to the article on Cloudflare denoting which ports are forwarded:

