This guide provides step-by-step instructions for manually installing UniFi Controller on Firewalla Gold series using macvlan networking.

Prerequisites:
- SSH access to your Firewalla
- Management network configured (e.g., 192.168.240.0/24)
- One available IP address for the UniFi Controller

| Device | IP Address | Network |
|---|---|---|
| Firewalla | 192.168.240.1 | Management Network |
| UniFi Controller | 192.168.240.2 | Management Network (macvlan) |
| MongoDB | N/A | Internal Docker Network (isolated) |
Note: MongoDB runs on an internal Docker network and is not exposed to your management network for security.
Create the data directories:

```bash
mkdir -p /data/unifi
mkdir -p /data/unifi-db
mkdir -p /home/pi/.firewalla/run/docker/unifi
mkdir -p /home/pi/.firewalla/config/post_main.d
```

Create the MongoDB init script that adds the `unifi` database user:

```bash
cat > /data/unifi-db/init-mongo.js << 'EOF'
db.getSiblingDB("unifi").createUser({
  user: "unifi",
  pwd: "YOUR_SECURE_PASSWORD_HERE",
  roles: [{ role: "readWrite", db: "unifi" }]
});
EOF
```

WARNING: Replace YOUR_SECURE_PASSWORD_HERE with a strong, unique password.
Create /home/pi/.firewalla/run/docker/unifi/docker-compose.yaml:
```yaml
version: "3.8"

services:
  unifi-db:
    image: docker.io/mongo:4.4
    container_name: unifi-db
    environment:
      - TZ=America/New_York
    volumes:
      - /data/unifi-db:/data/db
      - /data/unifi-db/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    restart: unless-stopped
    networks:
      - unifi-internal

  unifi:
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi
    depends_on:
      - unifi-db
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - MONGO_USER=unifi
      - MONGO_PASS=YOUR_SECURE_PASSWORD_HERE
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
    volumes:
      - /data/unifi:/config
    restart: unless-stopped
    networks:
      unifi-internal:
      unifi-net:
        ipv4_address: 192.168.240.2

networks:
  unifi-internal:
    driver: bridge
    internal: false
  unifi-net:
    driver: macvlan
    driver_opts:
      parent: br0
    ipam:
      config:
        - subnet: 192.168.240.0/24
          gateway: 192.168.240.1
          ip_range: 192.168.240.2/32
```

Important: Adjust the following values for your network:
- Replace YOUR_SECURE_PASSWORD_HERE with the same password you used in Step 3
- Change the 192.168.240.x addresses to match your management network
- Set TZ to your timezone (e.g., America/Chicago, Europe/London)
- parent: br0 - verify your interface with `ip addr`
- ip_range: 192.168.240.2/32 - reserves only 1 IP for the controller
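As an added pre-flight check (example code written for this guide, not part of the original and not Firewalla or linuxserver tooling), the script below validates the compose file before `docker-compose up`: it refuses to pass while the placeholder password is still in docker-compose.yaml or init-mongo.js, confirms that the unifi-db service publishes no ports so MongoDB stays on the internal Docker network, checks that ipv4_address falls inside the ipam subnet and that ip_range pins exactly that one address, and, when run on the Firewalla itself, confirms that the macvlan parent interface exists and that the chosen IP does not already answer on the network. The function and variable names (preflight, COMPOSE_FILE, INIT_JS) are this example's own.

```shell
#!/bin/bash
# Pre-flight checks for the UniFi/macvlan docker-compose.yaml from this guide.
# Added example; not part of the guide or of any Firewalla/linuxserver tooling.
# Usage: COMPOSE_FILE=/home/pi/.firewalla/run/docker/unifi/docker-compose.yaml \
#        INIT_JS=/data/unifi-db/init-mongo.js bash preflight.sh

# True (exit 0) if the file still contains the placeholder password from the guide.
has_placeholder() {
  grep -q 'YOUR_SECURE_PASSWORD_HERE' "$1"
}

# True if the unifi-db service block publishes any ports. It must not: MongoDB
# is meant to be reachable only from the unifi container on unifi-internal.
db_publishes_ports() {
  awk '
    /^  unifi-db:/        { inblk = 1; next }
    /^  [^ ]/ || /^[^ ]/  { inblk = 0 }
    inblk && /^ *ports:/  { found = 1 }
    END                   { exit !found }
  ' "$1"
}

# Pull single values out of the compose file (first match wins).
compose_ipv4_address() { sed -n 's/^ *ipv4_address: *//p' "$1" | head -n1; }
compose_subnet()       { sed -n 's/^ *- *subnet: *//p'    "$1" | head -n1; }
compose_ip_range()     { sed -n 's/^ *ip_range: *//p'     "$1" | head -n1; }
compose_parent()       { sed -n 's/^ *parent: *//p'       "$1" | head -n1; }

# Dotted-quad IPv4 -> 32-bit integer (e.g. 192.168.240.2 -> 3232296962).
ip2int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if IP lies inside CIDR, e.g. ip_in_subnet 192.168.240.2 192.168.240.0/24
ip_in_subnet() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Run every check, print findings, and return the number of FAIL results.
preflight() {
  local compose=$1 initjs=${2:-} fails=0 addr subnet range parent f
  # shellcheck disable=SC2086
  for f in "$compose" $initjs; do
    if has_placeholder "$f"; then
      echo "FAIL: placeholder password still present in $f"; fails=$((fails + 1))
    fi
  done
  if db_publishes_ports "$compose"; then
    echo "FAIL: unifi-db publishes ports; MongoDB must stay off the management network"
    fails=$((fails + 1))
  fi
  addr=$(compose_ipv4_address "$compose"); subnet=$(compose_subnet "$compose")
  range=$(compose_ip_range "$compose");    parent=$(compose_parent "$compose")
  if [ -z "$addr" ] || [ -z "$subnet" ]; then
    echo "FAIL: could not read ipv4_address/subnet from $compose"; return 1
  fi
  if ! ip_in_subnet "$addr" "$subnet"; then
    echo "FAIL: ipv4_address $addr is outside subnet $subnet"; fails=$((fails + 1))
  fi
  if [ "$range" != "$addr/32" ]; then
    echo "WARN: ip_range $range does not pin exactly one address ($addr/32)"
  fi
  # Host-dependent checks: only meaningful on the Firewalla itself.
  if command -v ip >/dev/null 2>&1 && ! ip link show dev "$parent" >/dev/null 2>&1; then
    echo "FAIL: parent interface '$parent' not found (compare with: ip addr)"; fails=$((fails + 1))
  fi
  if command -v ping >/dev/null 2>&1 && ping -c 1 -W 1 "$addr" >/dev/null 2>&1; then
    echo "FAIL: $addr already answers on the network; pick an unused address"; fails=$((fails + 1))
  fi
  if [ "$fails" -eq 0 ]; then echo "OK: $compose passed all checks"; fi
  return "$fails"
}

# Only run when COMPOSE_FILE is set, so the file can also be sourced for its functions.
if [ -n "${COMPOSE_FILE:-}" ]; then
  preflight "$COMPOSE_FILE" "${INIT_JS:-}"
fi
```

A non-zero exit means at least one FAIL line was printed; WARN lines do not fail the run. The ping test only shows the address is free at that moment, so it complements rather than replaces excluding 192.168.240.2 from any DHCP pool on the management network.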
Create /home/pi/.firewalla/config/post_main.d/start_unifi.sh:

```bash
cat > /home/pi/.firewalla/config/post_main.d/start_unifi.sh << 'EOF'
#!/bin/bash
sudo systemctl start docker
sleep 5
cd /home/pi/.firewalla/run/docker/unifi || exit 1
sudo docker-compose up -d
EOF
chmod +x /home/pi/.firewalla/config/post_main.d/start_unifi.sh
chown pi:pi /home/pi/.firewalla/config/post_main.d/start_unifi.sh
```

Pull the images and start the containers:

```bash
cd /home/pi/.firewalla/run/docker/unifi
sudo docker-compose pull
sudo docker-compose up -d
```

Check that both containers are running:

```bash
docker ps
```

You should see both unifi and unifi-db containers with status "Up".

From a device on your management network (not the Firewalla itself), open:

https://192.168.240.2:8443

Accept the certificate warning and proceed with setup.

View the container logs:

```bash
docker logs unifi
docker logs unifi-db
```

Inspect the Docker networks:

```bash
docker network ls
docker network inspect unifi_unifi-net
```

Restart the containers:

```bash
cd /home/pi/.firewalla/run/docker/unifi
sudo docker-compose restart
```

Reset and start over (this removes all controller and database data):

```bash
cd /home/pi/.firewalla/run/docker/unifi
sudo docker-compose down -v
sudo rm -rf /data/unifi /data/unifi-db
# Then start from Step 2
```