Disclaimer/Note: All configurations in this document are advanced configurations and should be used by advanced users only. Particular precautions should be taken as incorrectly applying these settings can disable critical functions. Prior to contacting support such unsupported manual configurations should be removed from your environment.
The file config.properties is used for advanced configurations. By default, there is no such a file, a user has to create this file in order to use it. The config.properties file is used to define site-wide parameters for the UniFi controller hence it is placed under each [UniFi base]/data/sites/the_site directory.
In V3, the_site is the name of the site. However, in V4, the controller no longer uses the folder name as the the site name in the directories structure. It uses a random string instead. The reason for this change is to allow us expanding controller down the road by avoiding site names colliding with each other. The easiest way to find out this string is to open the controller in a browser, and browse to the corresponding site. Then in the browser URL, you will find something similar to the below,
For every site, you will find a unique random string that assigns to the site. In above case, the random string ceb1m27d is the folder name that shall be used under [UniFi base]/data/sites/. Therefore, in my case, I will create a folder named ceb1m27d underneath, and then place config.properties inside this ceb1m27d folder (with corresponding minrssi configs), and then trigger a provision to APs. The AP shall take in config after that.
Important note: At any point below where you enter a UAP or USW MAC you enter it without any punctuation marks (colons, periods, etc.), and letters should be in lower case. So an example of the PROPER way to enter a device MAC is 24a43c02d824.
- To change the default NTP server being used,
- To enable/disable uapsd (some clients may or may not work with uapsd enabl
- To enable/disable IGMP snooping (for multicast enhancement, default is enabled)
- This is to facilitate portal redirect process, most users would never need to change this (note: this is deprecated since 3.2.10)
- This configuration sets the subnets that should be allowed to access for p
ortal pages. For example, to set paypal express checkout. As paypal.com no longer uses static IP subnets, the current workaround is to enable all HTTPS traffic
- To set whether to automatically authorize all guests when the controller is down. All guest isolation / policy is still enforced.
config.selfrun_guest_mode=off # disable all the guest SSIDs when controller is not
- To set minimum RSSI feature related parameters (see linked article for detailed explaination),
config.minrssi.UAP_MAC.[ng|na]=[Minimum RSSI value].
- To customize UAP provisioning (see linked article for detailed explanation),
config.system_cfg.1= or config.system_cfg.UAP_USW_MAC.1= depending on whether you want to apply customizations site wide or to a specific device
e.g. config.system_cfg.1=ebtables.1.cmd=-t nat -A PREROUTING --in-interface eth2 -d BGA -j DROP
- (v3.2.9+) To change guest portal redirect behavior for HTTPS page
config.redirect_https=true - guests will receive invalid cert error while doing https browsing
config.redirect_https=false - This is the default behavior (3.2.10+ or 4.6.3+). Guests get timed out while trying https browsing
- (v4.6.3+) To change guest portal behavior
config.redirect_to_https=true - Guests will be redirected to HTTPS guest portal (8843)
config.redirect_to_https=false - This is the default behavior. Guests will be redirected to HTTP guest portal (8880)
- (UAP-AC only) To disable broadcast and multicast filters,
Note that by default DHCP and ARP will be passed through (NOT filtered). The filter only kicks in if there are too many broadcast/multicast traffic in the network (which affects performance). However, a more accurate solution to this kind problem is to refine subnet size.
- (UAP-AC only) Starting from v3.1.12+, TxBF (transmit beamforming) is OFF by default due to reported client-side issues. If enabling this feature is desired, we would suggest you update all clients drivers to the latest version first, and then add below config into config.properties file.
A value of 0 = tx off and rx off.
A value of 1 = tx off and rx on.
A value of 2 = tx on and rx off.
A value of 3 = tx on and rx on.
radio.1 is for 5G interface named "eth2" in UAP-AC. Thus the radio.1.devname=eth2. radio.2 is for 2G interface named "eth1" in UAP-AC.
For UAP-ACs before v3.1.10, TxBF is ON by default. To turned it off, ssh into the target AP and issue below commands. Note that, this change is NOT persistent and won't survive pass AP reboot.
wl -i ethX down
wl -i ethX txbf 0
wl -i ethX txbf_bfr_cap 0
wl -i ethX txbf_bfe_cap 0
wl -i ethX up
You can check if values are set into the AP by typing these,
wl -i eth2 txbf
wl -i eth2 txbf_bfr_cap
wl -i eth2 txbf_bfe_cap
Note: The default value is 1 (means enable) for all three.
- To bind SSHD only on the management interface (v3.1.7+),
On controller, to push this config to all APs within a site, add these into config.properties,
The above will cause issues with USW SSH access, so if limiting AP SSHD to br0 add this for USW:
- Configurable Management Frame Rate (v4.6.3+)
# set mgmt rate for wlan with <ssid>
# set mgmt rate for device with <mac> and radio <n
- Configurable Broadcast and Multicast Rate (v4.6.3+)
# set bcast/mcast rate for wlan with <ssid>
# set bcast/mcast rate for device with <mac> and radio <
- (USG only) To disable response to ping on WAN:
config.firewall.internet.local.icmp=false (Note: This has been deprecated in 5.5.4 and newer controller versions. Ping on WAN is disabled by default, and can be permitted via WAN LOCAL firewall rules configured in the controller UI if desired.)
- (USG only) To enable UPnP support:
- (USG only, 4.6.3+) To enable mDNS reflector:
- (USG only) To disable SIP ALG support: