UniFi Protect – Optimizing Camera Connectivity

This article describes how to access your UniFi Protect application locally or remotely, the factors that create access issues, and how to solve said issues.

How to connect to UniFi Protect

There are two ways to access your UniFi Protect application:

  • Locally by accessing the IP address of the UniFi OS Console hosting Protect; or
  • Remotely on the Protect web application (unifi.ui.com) or mobile app (iOS / Android).

Note: Remote access must be enabled in your Protect application. It is enabled by default.

To enable Remote Access in your UniFi Protect application:

  1. Access the UniFi OS Console hosting Protect via its IP address.
    1. If you don’t know your UniFi OS Console’s IP address, use the WiFiman app (iOS / Android) to locate it on your WiFi network.
  2. Log in to your Ubiquiti SSO account.
  3. Go to the System Settings > Advanced menu, and enable the Remote Access toggle.

Identifying issues

To identify potential reasons for Protect connectivity issues:

  • Try accessing your UniFi OS Console locally by entering its IP address in your web browser, or remotely via the Protect web application (unifi.ui.com) or mobile app.
  • Use different mobile devices, ideally running different operating systems (iOS, Android).
  • Use different supported browsers, such as Chrome, Firefox, or Safari, on different computers.
  • Connect to different client locations, such as:
    • A local network with the same subnet as the Protect application.
    • A mobile carrier network via a mobile device or tethering.
    • A remote network, such as a workplace or public WiFi network.
  • Have multiple users, ideally with different system roles, attempt to access the Protect application.

Note: Record your observations. They may be helpful if you need to contact our technical support team.

My camera streams load slowly or buffer frequently

To identify potential reasons for slow stream loading and/or frequent buffering:

  • Check the stability of your network connection:
    • Perform a speed test using the WiFiman app while connected to the same network as your UniFi OS Console. UniFi Protect should perform well with a network connection better than 5 Mbps and decently with a connection of at least 2.5 Mbps. Below this, performance may suffer.
  • Ensure that your computer or mobile network is not limiting bandwidth:
    • A VPN could be preventing client devices from making a peer-to-peer connection with your UniFi OS Console, meaning that all data is first relayed through Ubiquiti’s Remote Management Service—leading to diminished performance. If so, disable the VPN.
    • Check whether there is a subnet conflict: the UniFi OS Console is on a different subnet than the client but still on the LAN. If the client has no route to the console’s subnet, it sends the traffic to its gateway (the local router), which knows how to reach the console. If a VPN is enabled and it configures a route to another network that uses the same subnet, the VPN route takes precedence over the local one.
  • Inspect your UniFi OS Console’s performance data and make sure you haven’t exceeded its maximum supported camera limit. If so, streaming performance will be diminished.
  • Check your computer’s CPU utilization. A lower-specification computer may not be capable of playing back multiple video streams. If the CPU utilization is nearing 100%, try playing back fewer video streams (e.g., fewer cameras on the live view matrix).

I can access Protect locally but not remotely

If you can’t access the Protect application remotely:

  1. Check if Remote Access is enabled:
    1. If it is enabled, try disabling it and enabling it again.
  2. Confirm that you have permission to access Protect remotely. For more information, see UniFi Protect – Add and manage users.
  3. Visit status.ui.com to see if there are any issues with Ubiquiti’s Remote Management Service currently being resolved.

I can’t access Protect from the mobile app

If you can’t access Protect from the mobile app:

  1. Verify that the UniFi Protect mobile app is updated to the latest version.
  2. Ensure that the UniFi Protect mobile app is not restricted from accessing WiFi or cellular data:
    1. For iOS devices, go to the Settings > Cellular Data menu and make sure UniFi Protect is toggled on.
    2. For Android devices, go to the Settings > WiFi & Internet > Data Usage > Cellular Data Usage menu, select UniFi Protect, and make sure WiFi and cellular data are not disabled in the App data usage section.
  3. Disable VPN if one is enabled since some VPNs may block WebRTC connectivity, which is used by Protect.
    1. For Android devices with VPN enabled, try disabling Private DNS in the Settings > WiFi & Internet > Private DNS menu. On some WiFi and mobile carrier networks, certain Private DNS providers, such as Cloudflare’s 1.1.1.1, may interfere with WebRTC.
  4. Disable or remove any third-party security or privacy apps that may interfere with network connectivity.
  5. Force-quit the mobile app and open it again.
  6. Uninstall the mobile app, reinstall, and open it.

I can’t access Protect from my web browser

If you’re having trouble accessing Protect from a web browser, but you can connect with the mobile app or a web browser on a different network, there may be an issue with your network configuration. For more information, see the Advanced troubleshooting processes section. 

If you have a UniFi Cloud Key Gen2 Plus (UCK G2 Plus) updated to Version 2.0.24 running Protect application Version 1.14.0 or higher, it operates via UniFi OS and, therefore, can be accessed remotely at unifi.ui.com, not protect.ui.com.

If you don’t see your Cloud Key-hosted Protect application on unifi.ui.com, make sure your UCK G2 Plus’s firmware is up to date. For more information, see UniFi – How to manage & upgrade the Cloud Key.

If your Cloud Key’s firmware is up to date and you can see the Protect application at unifi.ui.com but can’t access it, check if Remote Access is enabled. The recent firmware upgrade might have disabled Remote Access functionality. Follow the steps in the How to connect to UniFi Protect section.

I can’t access Protect on a specific browser

Browser-specific access failures are most often caused by third-party software, such as a browser extension or an application on the host computer.

Common extensions, software, and other features known to cause issues include:

  • uBlock Origin
  • Privacy Badger
  • WebRTC Leak Prevent
  • Various VPN services, such as Tunnelbear
  • Ad or traffic blockers that interfere with WebRTC connectivity used by UniFi Protect

To troubleshoot browser issues:

  1. Disable all suspected third-party security or privacy-related browser extensions and software.
  2. If you can now access Protect, re-enable the extensions and software one at a time, and test your Protect access after each one. This will help you identify the inhibiting software.
  3. (For Chrome only) Disable the feature flag Anonymize local IPs exposed by WebRTC:
    1. Copy and paste the following into your address bar: chrome://flags/#enable-webrtc-hide-local-ips-with-mdns
    2. Select Disabled, then restart Chrome.

Once you’ve found the inhibiting software, leave it disabled or uninstall it. If it’s essential, however, contact the developer’s support team for further guidance on how to configure it so it doesn’t prevent Protect access.

I’m a new user and see a No Controllers Detected notification

If you’re a new user signing in via unifi.ui.com or the Protect mobile app and the UniFi OS Console that hosts your Protect application isn’t appearing, make sure that your user permissions include remote access to the UniFi OS Console. For more information on creating users, see UniFi Protect – Add and manage users.

In some cases, a new user can accept a Protect application invitation, log in to their Ubiquiti account via web browser, initially see their UniFi OS Console, then receive a No Controllers Detected notification.

If you’re a new user and see a No Controllers Detected notification after trying to access the Protect web application:

  1. Make sure that your UniFi OS Console and Protect application versions are up to date.
  2. Make sure that you have permission to remotely access the UniFi Protect application. For more information, see UniFi Protect – Add and manage users.
  3. Verify that you are a verified and active user by going to unifi.ui.com, clicking on your UniFi OS Console, navigating to the Users menu, and checking your user status.
  4. If this doesn’t resolve the issue, delete the custom users and user roles created, reboot the UniFi OS Console, and recreate the users:
    1. Log in to your UniFi OS Console from the Owner account.
    2. Go to unifi.ui.com, click on your UniFi OS Console, navigate to the Users menu, and delete all custom users and user groups.
    3. Click on the dot grid icon in the top-right corner of the dashboard, navigate to Protect > Roles, and delete all custom user roles.
    4. Click on the dot grid icon in the top-right corner of the dashboard, open the Settings > Advanced tab on the left side of the following screen, and click Restart Device.
    5. Once the device reboots, log in again with the Owner account and recreate all desired users, groups, and roles.

Advanced troubleshooting processes

Check if a WebRTC connection can be established

UniFi Protect uses WebRTC technology to establish connections between your UniFi OS Console and client devices through NAT and firewalls, such as a UniFi gateway, without requiring explicit port forwarding or the revision of firewall rules.

Typically, you won’t need to make any changes to your network, device, or client configurations in order to access Protect locally or remotely.

However, to establish a WebRTC connection needed to access Protect, both networks (i.e., the one that your Protect application connects to and the one that your client device(s) connect to) must meet these requirements:

  • Reliable access to Internet and DNS service
  • Adequate bandwidth for basic connectivity and video transfer
  • Outbound TCP connection capability on Port 443
  • Outbound UDP connection capability on Ports 0–65535

    Note: Port forwarding is not required for TCP or UDP connectivity.
  • A firewall configured to accept solicited, inbound UDP traffic
  • No network security appliances (e.g., IPS) or services blocking WebRTC (e.g., STUN or DTLS)
  • No gateways configured to use Symmetric NAT, which either block peer-to-peer connections, force the use of a relay server (i.e., TURN), or cause said relay to fail

Note: For more information on the technical aspects of WebRTC, please visit webrtc.org.

Troubleshooting WebRTC connection issues caused by Symmetric NAT

Symmetric NAT , while uncommon, can cause issues when establishing WebRTC and other peer-to-peer connections because it does not maintain a 1:1 port mapping ratio for established connections, causing them to fail.

If that happens, WebRTC will attempt to connect via a relay server (i.e., TURN), which will result in either diminished connection quality or outright connection failure.

If you are behind a Symmetric NAT, you can either:

  • Establish a VPN connection between the client and Protect; or
  • Configure your router to a mode other than Symmetric NAT, such as Cone NAT.

The UniFi OS Console hosting your UniFi Protect application will automatically detect and log Symmetric NAT on its side but will be unable to determine the NAT type on the clients’ side.

If you suspect Symmetric NAT on the console-side connection:

  1. Establish an SSH connection to your UniFi OS Console.
  2. Execute the following command: grep -Ri "symmetric" /srv/unifi-protect/logs

Any results will confirm that the connection failed due to Symmetric NAT.

Troubleshooting issues with a particular network

If you identify connectivity problems within a particular network, focus your troubleshooting efforts there. For example, if you can connect to your business’s Protect deployment from home, but not while at a friend’s house, focus on troubleshooting the latter network.

If you can’t access Protect from any remote location, focus first on the application’s on-site network.

In both cases:

  1. Verify that the UniFi OS Console hosting Protect and all client device(s) have a stable internet connection, including a valid gateway IP and DNS servers. Some DNS providers are known to cause problems, such as 1.1.1.1. Try changing it to Google’s 8.8.8.8.
  2. Verify that selected DNS servers properly resolve the following domains:
    1. device.svc.ubnt.com
    2. device.amplifi.com
    3. global.stun.twilio.com
    4. global.turn.twilio.com
  3. Review your firewall configuration to ensure it meets the requirements listed in the Check if a WebRTC connection can be established section. If you’ve configured custom firewall rules, try disabling them temporarily to test.
  4. Remove any port forwards for UniFi Protect that may have been configured incorrectly.
  5. Disable any network-level security appliance or service rules intended to block WebRTC’s internal protocols, STUN or DTLS. If you are using a UniFi gateway, the UniFi Intrusion Prevention System (IPS) does not require a specific configuration to prevent WebRTC connectivity blockage.
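The requirements listed under Check if a WebRTC connection can be established and the DNS/firewall steps above can be scripted as a preflight check. The following is an added example, not Ubiquiti code: it checks that the four listed domains resolve, that an outbound TCP/443 connection can be opened, and it flags the 1.1.1.1 resolver the article names as problematic. The resolver and connector are injectable so the decision logic can be exercised offline; the addresses used in any offline run are constructed.

```python
"""Preflight check for the network requirements UniFi Protect's WebRTC
connections depend on (added example, not Ubiquiti code)."""
import socket
from typing import Callable, Dict, List

# Domains the article says must resolve (lower-cased; DNS is case-insensitive).
REQUIRED_DOMAINS = [
    "device.svc.ubnt.com",
    "device.amplifi.com",
    "global.stun.twilio.com",
    "global.turn.twilio.com",
]

# Resolver the article reports as interfering on some networks, and its
# suggested replacement.
SUSPECT_RESOLVERS = {"1.1.1.1"}
SUGGESTED_RESOLVER = "8.8.8.8"


def system_resolve(name: str) -> List[str]:
    """Resolve name with the host's configured DNS; [] on failure (needs network)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_tcp_connect(host: str, port: int) -> bool:
    """True if an outbound TCP connection to host:port succeeds (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=3.0):
            return True
    except OSError:
        return False


def run_preflight(
    configured_resolvers: List[str],
    resolve: Callable[[str], List[str]] = system_resolve,
    tcp_connect: Callable[[str, int], bool] = system_tcp_connect,
) -> Dict[str, List[str]]:
    """Return {"ok": [...], "problems": [...]} describing each check's outcome.

    configured_resolvers: the DNS server addresses the client or console uses.
    resolve / tcp_connect: injectable so the logic can run without a network.
    """
    ok: List[str] = []
    problems: List[str] = []

    for resolver in configured_resolvers:
        if resolver in SUSPECT_RESOLVERS:
            problems.append(
                f"resolver {resolver} is known to interfere on some networks; "
                f"try {SUGGESTED_RESOLVER}"
            )

    # Every listed domain must resolve before WebRTC signalling/STUN/TURN can work.
    resolved = {name: resolve(name) for name in REQUIRED_DOMAINS}
    for name, addrs in resolved.items():
        if addrs:
            ok.append(f"{name} resolves to {', '.join(addrs)}")
        else:
            problems.append(f"{name} does not resolve")

    # Outbound TCP/443 is a listed requirement; test it against the first
    # domain that resolved, since a name that failed DNS cannot be reached.
    target = next((n for n, a in resolved.items() if a), None)
    if target is None:
        problems.append("no required domain resolved; skipped TCP/443 test")
    elif tcp_connect(target, 443):
        ok.append(f"outbound TCP/443 to {target} succeeded")
    else:
        problems.append(f"outbound TCP/443 to {target} blocked")

    return {"ok": ok, "problems": problems}


if __name__ == "__main__":
    # Live run: pass the resolver(s) the client or console is configured with.
    report = run_preflight(["8.8.8.8"])
    for line in report["ok"]:
        print("OK     ", line)
    for line in report["problems"]:
        print("PROBLEM", line)
```

Run it once on the client network and once on the console's network, since the article requires both sides to meet the listed conditions; a problem reported on only one side tells you where to focus. The UDP requirements (outbound UDP on any port, solicited inbound UDP) are not checked here because they need a cooperating STUN peer rather than a plain socket test.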

    Source :
    https://help.ui.com/hc/en-us/articles/360034238233-UniFi-Protect-Optimizing-Camera-Connectivity

Enabling & Managing Windows Firewall Settings

About this article

In this article, we are going to start by describing what the Windows Firewall feature is and what it is used for. This information will then allow you to enable and manage the Windows Firewall on your Windows PC or laptop. We will cover all the different versions of the Windows operating system that are currently supported by the Secure Remote Worker Validation Tool.

Let’s first describe what a firewall actually is.

What is a firewall?

A firewall can be a physical hardware device, a software-based application that you install on your PC, or, in the case of the Windows Firewall, an integrated feature of the operating system that is designed to protect your PC against attacks by malicious files. The firewall checks information and data sent across the internet or other networks to your PC. If the firewall detects that the information may contain malicious files, it will block them from reaching your PC, thereby protecting your PC from that threat. Equally, it can prevent your PC from sending malicious content to other PCs.

Windows Firewall is an integrated firewall solution that is part of the Windows operating system. In this article, we are going to configure the Windows Firewall to work with Secure Remote Worker. In the following sections, we are going to discuss the process for each of the different versions of the Windows operating system, starting with Windows 10.

Important configuration note:

You should only have one software firewall solution installed at any one time. If you install additional security software on your PC that also has its own software-based firewall solution, then you will need to disable this if you are to use the Windows Firewall solution.

Enabling the firewall on Windows 10 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 10. Follow the steps below to work through the process of enabling the firewall:

  1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel App appear at the top of the list as the best match, highlighted (2). Click on the Control Panel App to launch it as shown in the following screenshot:

2. You will now see the Control Panel as shown in the following screenshot:

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

5. Click on Windows Defender Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Defender Firewall configuration screen as shown in the following screenshot:

7. Click on Turn Windows Defender Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

9. First, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Private network settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network settings section as highlighted (7) in the previous screenshot.

11. The other thing to configure is to make sure that you check the box for Notify me when Windows Defender Firewall blocks a new app for both network settings, so Public and Private. This means that you will be notified when something potentially malicious is blocked.

12. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 10 operating systems.

Enabling the firewall on Windows 8.1 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 8.1. Follow the steps below to work through the process of enabling the firewall:

1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top left of the screen in the Results section, highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:

2. You will now see the Control Panel as shown in the following screenshot:

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

5. Click on Windows Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:

7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domain network settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Private network settings section as highlighted (7) in the previous screenshot.

11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network settings section as highlighted (8) in the previous screenshot.

12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new app for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.

13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 8.x operating systems.

Enabling the firewall on Windows 7 devices

In this section, we are going to describe the process for enabling the Windows Firewall feature on Windows 7. Follow the steps below to work through the process of enabling the firewall:

1. Press the Windows key on your keyboard and then start to type in “control panel” in the search box highlighted (1). You will then see the Control Panel icon appear at the top of the screen under Programs(1), highlighted (2). Double click on the Control Panel icon to launch it as shown in the following screenshot:

2. You will now see the Control Panel as shown in the following screenshot:

3. Now click on System and Security as highlighted (3) in the screenshot above.

4. You will now see the System and Security configuration options as shown in the following screenshot:

5. Click on Windows Firewall as highlighted (4) in the above screenshot.

6. You will now see the Windows Firewall configuration screen as shown in the following screenshot:

7. Click on Turn Windows Firewall on or off as highlighted (5) in the above screenshot.

8. You will now see the Customize settings for each type of network as shown in the following screenshot:

9. First, enable the firewall for domain networks. To do this click the radio button for Turn on Windows Defender Firewall under the Domain network location settings section as highlighted (6) in the previous screenshot.

10. Next, enable the firewall for private networks. To do this click the radio button for Turn on Windows Defender Firewall under the Home or work (private) network location settings section as highlighted (7) in the previous screenshot.

11. The final one to enable is the firewall for public networks. To do this click the radio button for Turn on Windows Defender Firewall under the Public network location settings section as highlighted (8) in the previous screenshot.

12. The other thing to configure is to make sure that you check the box for Notify me when Windows Firewall blocks a new program for domain settings, public settings, and private settings. This means that you will be notified when something potentially malicious is blocked.

13. Finally, once configured, click the OK button to close the configuration window, and then click the red X button in the top right-hand corner to close the control panel.

You have now successfully enabled the Windows Firewall for Windows 7 operating systems.

Source :
https://kb.thinscale.com/secure-remote-worker-validation-tool/enabling-managing-windows-firewall-settings

Why Continuous Security Testing is a Must for Organizations Today

The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.

One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution.

Pentests aren’t solving cybersecurity pain points

Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance. However, for certain challenges, this type of security testing methodology isn’t always the best fit.

1 — Continuously changing environments

Securing constantly changing environments within rapidly evolving threat landscapes is particularly difficult. This challenge becomes even more complicated when aligning and managing the business risk of new projects or releases. Since penetration tests focus on one moment in time, the result won’t necessarily be the same the next time you make an update.

2 — Rapid growth

It would be unusual for fast-growing businesses not to experience growing pains. For CISOs, maintaining visibility of their organization’s expanding attack surface can be particularly painful.

According to HelpNetSecurity, 45% of respondents conduct pentests only once or twice per year and 27% do it once per quarter, which is woefully insufficient given how quickly infrastructure and applications change.

3 — Cybersecurity skills shortages

As well as limitations in budgets and resources, finding the available skillsets for internal cybersecurity teams is an ongoing battle. As a result, organizations don’t have the dexterity to spot and promptly remediate specific security vulnerabilities.

While pentests can offer an outsider perspective, often it is just one person performing the test. For some organizations, there is also an issue of trust when relying on the work of just one or two people. Sándor Incze, CISO at CM.com, gives his perspective:

“Not all pentesters are equal. It’s very hard to determine if the pentester you’re hiring is good.”

4 — Cyber threats are evolving

The constant struggle to stay up to date with the latest cyberattack techniques and trends puts media organizations at risk. Hiring specialist skills for every new cyber threat type would be unrealistic and unsustainable.

HelpNetSecurity reported that it takes 71 percent of pentesters one week to one month to conduct a pentest. Then, more than 26 percent of organizations must wait between one to two weeks to get the test results, and 13 percent wait even longer than that. Given the fast pace of threat evolution, this waiting period can leave companies unaware of potential security issues and open to exploitation.

5 — Poor-fitting security testing solutions for agile environments

Continuous development lifecycles don’t align with penetration testing cycles (often performed annually). Therefore, vulnerabilities mistakenly created during long security testing gaps can remain undiscovered for some time.

Bringing security testing into the 21st century

A proven solution to these challenges is to utilize ethical hacker communities in addition to a standard penetration test. Businesses can rely on the power of these crowds to assist them in their security testing on a continuous basis. A bug bounty program is one of the most common ways to work with ethical hacker communities.

What is a bug bounty program?

Bug bounty programs allow businesses to proactively work with independent security researchers to report bugs through incentivization. Often companies will launch and manage their program through a bug bounty platform, such as Intigriti.

Organizations with high security maturity may leave their bug bounty program open for all ethical hackers in the platform’s community to contribute to (known as a public program). However, most businesses begin by working with a smaller pool of security talent through a private program.

How bug bounty programs support continuous security testing structures

While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update. This is where bug bounty programs work well as a follow-up to pentests and enable a continuous security testing program.

The impact of bug bounty program on cybersecurity

By launching a bug bounty program, organizations experience:

  1. More robust protection: Company data, brand, and reputation have additional protection through continuous security testing.
  2. Enabled business goals: Enhanced security posture, leading to a more secure platform for innovation and growth.
  3. Improved productivity: Increased workflow with fewer disruptions to the availability of services. More strategic IT projects that executives have prioritized, with fewer security “fires” to put out.
  4. Increased skills availability: Internal security team’s time is freed by using a community for security testing and triage.
  5. Clearer budget justification: Ability to provide more significant insights into the organization’s security posture to justify and motivate for an adequate security budget.
  6. Improved relationships: Project delays significantly decrease without the reliance on traditional pentests.

Want to know more about setting up and launching a bug bounty program?

Intigriti is the leading European-based platform for bug bounty and ethical hacking. The platform enables organizations to reduce the risk of a cyberattack by allowing Intigriti’s network of security researchers to test their digital assets for vulnerabilities continuously.

If you’re intrigued by what you’ve read and want to know about bug bounty programs, simply schedule a meeting today with one of our experts.

www.intigriti.com

Source :
https://thehackernews.com/2022/09/why-continuous-security-testing-is-must.html

Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing

Cybersecurity company Imperva has disclosed that it mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests on June 27, 2022.

The “strong attack,” which targeted an unnamed Chinese telecommunications company, is said to have lasted for four hours and peaked at 3.9 million requests per second (RPS).

“Attackers used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections,” Imperva said in a report published on September 19.

The attack was launched from a botnet that comprised nearly 170,000 different IP addresses spanning routers, security cameras, and compromised servers located in more than 180 countries, primarily the U.S., Indonesia, and Brazil.

The disclosure also comes as web infrastructure provider Akamai said it fielded a new DDoS assault aimed at a customer based in Eastern Europe on September 12, with attack traffic spiking at 704.8 million packets per second (pps).

The same victim was previously targeted on July 21, 2022, in a similar fashion in which the attack volume ramped up to 853.7 gigabits per second (Gbps) and 659.6 million pps over a period of 14 hours.

Akamai’s Craig Sparling said the company has been “bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks,” indicating that the offensives could be politically motivated in the face of Russia’s ongoing war against Ukraine.

Both the disruptive attempts were UDP flood attacks where the attacker targets and overwhelms arbitrary ports on the target host with User Datagram Protocol (UDP) packets.

UDP, being both connectionless and session-less, is an ideal networking protocol for handling VoIP traffic. But these same traits can also render it more susceptible to exploitation.

“Without an initial handshake to ensure a legitimate connection, UDP channels can be used to send a large volume of traffic to any host,” NETSCOUT says.

“There are no internal protections that can limit the rate of a UDP flood. As a result, UDP flood DoS attacks are exceptionally dangerous because they can be executed with a limited amount of resources.”

Source :
https://thehackernews.com/2022/09/record-ddos-attack-with-253-billion.html

UniFi Network – WAN Failover and Load Balancing

What is WAN Failover?
Failover enables you to connect a second Internet connection to your UniFi Gateway which will serve as a “backup”. If your primary Internet service goes down, you will begin utilizing your secondary Internet connection.

How does UniFi determine if my Internet goes down?
The UniFi Network Application checks for connectivity and latency to an “echo server”. By default, this is set to ping.ui.com which leverages responses from various locations to ensure maximum accuracy. 

Note: Some advanced network administrators may choose to manually select their own echo server depending on their specific requirements.
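
The article says failover is driven by connectivity and latency probes to the echo server but does not show how a gateway avoids flapping between WANs on a single lost packet. The following is an added example, not Ubiquiti’s implementation: it models the decision with a small state machine that needs several consecutive bad probes before declaring a WAN down and several consecutive good probes before failing back. The probe results are constructed (latency in milliseconds, or None for a lost probe), and the 250 ms limit and the 3/5 streak lengths are assumptions, not UniFi’s values.

```python
"""WAN failover decision model with hysteresis.

Added example, not Ubiquiti code. The real probe is a round trip to the
echo server (ping.ui.com by default); here probe results are supplied as
constructed samples. Latency limit and streak lengths are assumptions.
"""


class WanMonitor:
    """Track one WAN's probe history and decide UP/DOWN with hysteresis.

    The WAN is declared DOWN only after `fail_count` consecutive bad probes
    and UP again only after `recover_count` consecutive good probes, so one
    lost packet or one latency spike does not flip the default route.
    """

    def __init__(self, name, latency_limit_ms=250, fail_count=3, recover_count=5):
        self.name = name
        self.latency_limit_ms = latency_limit_ms   # assumed, not UniFi's threshold
        self.fail_count = fail_count
        self.recover_count = recover_count
        self.up = True
        self._streak_bad = 0
        self._streak_good = 0

    def probe_ok(self, latency_ms):
        """A probe is good if it was answered within the latency limit."""
        return latency_ms is not None and latency_ms <= self.latency_limit_ms

    def record(self, latency_ms):
        """Feed one probe result and return the WAN state after hysteresis."""
        if self.probe_ok(latency_ms):
            self._streak_good += 1
            self._streak_bad = 0
            if not self.up and self._streak_good >= self.recover_count:
                self.up = True
        else:
            self._streak_bad += 1
            self._streak_good = 0
            if self.up and self._streak_bad >= self.fail_count:
                self.up = False
        return self.up


def choose_active_wan(primary, secondary, samples):
    """Replay paired probe samples; return the active WAN name at each step.

    `samples` is a list of (primary_latency, secondary_latency). Failover
    semantics: the primary is used whenever it is UP, otherwise the secondary.
    """
    timeline = []
    for p_lat, s_lat in samples:
        p_up = primary.record(p_lat)
        s_up = secondary.record(s_lat)
        if p_up:
            timeline.append(primary.name)
        elif s_up:
            timeline.append(secondary.name)
        else:
            timeline.append(None)   # both down: no usable Internet route
    return timeline


# Constructed probe history: primary loses three probes, then recovers slowly.
SAMPLE_PROBES = [
    (18, 40), (21, 42), (None, 41),             # one lost probe: still WAN1
    (None, 39), (None, 43),                     # third consecutive loss: switch to WAN2
    (900, 40), (25, 38), (22, 41), (19, 40),    # spike, then good probes, not yet five
    (20, 39), (21, 42),                         # fifth consecutive good probe: back to WAN1
]

if __name__ == "__main__":
    print(choose_active_wan(WanMonitor("WAN1"), WanMonitor("WAN2"), SAMPLE_PROBES))
```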

What is WAN Load Balancing?
Unlike WAN Failover which only uses a single Internet source at a given time, WAN Load Balancing will split Internet traffic between both of your sources. This will be supported by UniFi Gateways beginning in version 1.13 (UDM Pro / UXG Pro) and 2.5 (UDM SE).

How many Internet connections are my UniFi Gateways capable of?
In addition to the two WAN connections, UniFi Gateways also support the use of our UniFi LTE Backup which is connected to a LAN port. This is only capable of being used as a failover option.

Source :
https://help.ui.com/hc/en-us/articles/360052548713-UniFi-Network-WAN-Failover-and-Load-Balancing

UniFi Network – Configuring Port Forwarding

Create Port Forwarding rules within UniFi Network in the Settings > Firewall & Security section. Refer to the troubleshooting steps below if your Port Forwarding or custom Destination NAT rule is not working.

Your UniFi Gateway does not have a public IP address (Double NAT).
This happens if your UniFi Gateway is located behind another router/modem that uses NAT. You are likely affected by this if your UniFi Gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 – 100.127.255.255)

To fix this issue, try to re-configure your ISP modem/router into bridge mode so that your UniFi Gateway can obtain a public IP address on the WAN interface.

If that is not supported, you will need to first forward the port(s) on the upstream router/modem to the WAN address of your UniFi Gateway in addition to forwarding them from your UniFi Gateway to the desired location. You may wish to contact your ISP to assist with port forwarding or providing a DMZ option that allows you to automatically forward the ports.

Your UniFi Gateway is already forwarding the port to another device or has UPnP enabled.
A given WAN port can only be forwarded to a single device within your network. For example, TCP port 443 can only be forwarded to one LAN host and port.

Note: It is possible to forward multiple WAN ports to the same LAN port.

Another possible cause is that UPnP is enabled and is already using the port. Try disabling UPnP in your UniFi Network Application’s Internet Settings.
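
The two rules above (one WAN port per protocol maps to one LAN destination, many WAN ports may map to the same destination, and UPnP-claimed ports are taken) can be checked before a rule is pushed. The following is an added example, not UniFi code: the rule records and the set of UPnP mappings are constructed, and the field layout is an assumption of this example rather than the Network Application’s own data model.

```python
"""Check a set of port forwarding rules for the conflicts described above.

Added example, not UniFi code. Rule tuples and the UPnP mapping set are
constructed; the field layout is an assumption of this example.
"""
from collections import defaultdict

# Constructed rules: (name, protocol, wan_port, lan_ip, lan_port)
RULES = [
    ("web-https", "tcp", 443,   "192.168.1.10", 443),
    ("web-alt",   "tcp", 8443,  "192.168.1.10", 443),    # second WAN port -> same host: allowed
    ("nas-https", "tcp", 443,   "192.168.1.20", 443),    # same WAN port -> other host: conflict
    ("game",      "udp", 27015, "192.168.1.30", 27015),
    ("dns-udp",   "udp", 53,    "192.168.1.40", 53),
    ("dns-tcp",   "tcp", 53,    "192.168.1.40", 53),     # same number, other protocol: allowed
]

# Constructed: (protocol, wan_port) pairs that UPnP has already opened on the gateway
UPNP_MAPPINGS = {("udp", 27015)}


def find_conflicts(rules, upnp_mappings=frozenset()):
    """Return human-readable conflicts; an empty list means the rule set is consistent.

    A (protocol, WAN port) pair may have exactly one LAN destination; several
    WAN ports may share a destination; pairs owned by UPnP are unavailable.
    """
    owners = defaultdict(list)
    for name, proto, wan_port, lan_ip, lan_port in rules:
        owners[(proto.lower(), int(wan_port))].append((name, lan_ip, int(lan_port)))

    conflicts = []
    for (proto, wan_port), users in sorted(owners.items()):
        destinations = {(ip, port) for _, ip, port in users}
        if len(destinations) > 1:
            names = ", ".join(n for n, _, _ in users)
            conflicts.append(f"{proto}/{wan_port} is forwarded to {len(destinations)} "
                             f"different destinations by rules: {names}")
        if (proto, wan_port) in upnp_mappings:
            conflicts.append(f"{proto}/{wan_port} is already claimed by UPnP; "
                             f"disable UPnP or choose another WAN port")
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(RULES, UPNP_MAPPINGS):
        print("CONFLICT:", c)
```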

Incoming traffic is not reaching the WAN interface of your UniFi Gateway.
In this case, the traffic is most likely blocked somewhere upstream, such as at the ISP modem/router, or a third party firewall. We recommend disabling any upstream firewalls for testing, and then contacting your ISP for more details.

The LAN host is blocking the port with a local firewall, or does not have the correct route configured.
In this case, the host/server on the LAN is not allowing outside connections to access the port. On Windows computers, this may be a result of the Windows Firewall rules. On Linux machines, this could be a result of the connection not being allowed in the iptables firewall. We recommend consulting with the particular client’s manufacturer for more information.

There is an incorrect route configured on the LAN host.
It is possible that the LAN host does not know how to reach the IP address of the Internet client. This can result if the default gateway is not configured correctly. You should verify your routing settings on the local host to resolve this situation.

Source :
https://help.ui.com/hc/en-us/articles/235723207-UniFi-Network-Configuring-Port-Forwarding

UniFi Network – Configuring Remote Access VPNs (VPN Server)

We strongly recommend Teleport VPN for most users seeking to remotely access their UniFi OS Console’s network. It’s faster, more secure, and requires zero configuration. 

For more information about Teleport and other VPN options, see our Introduction to UniFi VPNs.

Setup

VPN server configuration requires a UniFi gateway and a public IP address. We recommend obtaining a static public IP address from your ISP to avoid having to reconfigure all of your clients every time your IP changes. Your UniFi gateway will automatically update server-side settings.

Note: Dynamic DNS can be used to avoid reconfiguring your clients’ VPN when IP changes occur, but this process is not outlined here.

To set up a VPN server, you must create a Pre-shared Key (UniFi generates a secure one automatically) and user credentials (Username and Password) that are entered on clients to authenticate their remote network access. 

Note: Users are linked to the UniFi gateway’s internal RADIUS server. Although UniFi supports third-party RADIUS server integration, we recommend contacting the third-party server provider if you have troubleshooting questions.

Configuring Clients

You can connect any L2TP VPN client, including those provided by Microsoft Windows or macOS. We recommend using your operating system’s native VPN client.

Although we outline OS-specific client configuration processes below, we still recommend consulting your device’s manufacturer on how to use their platform’s VPN client.

Microsoft Windows 11

  1. Go to Settings > Network & internet > VPN > VPN connections > Add VPN and select L2TP/IPsec with pre-shared key as your VPN type.

    Note: Your username, password, and pre-shared key are the same as those in your UniFi Network settings.
  2. Go to Settings > Network & internet > Advanced network settings > More network adapter options > L2TP Adapter properties
  3. Click the Security tab, then set your authentication method to MS-CHAP v2.

macOS

  1. Go to System Preferences > Network > +
  2. Select VPN in the Interface field.
  3. Select L2TP over IPsec in the VPN Type field.
  4. Enter l2tp as the Service Name.

    Note: Your username, password, and pre-shared key are the same as those in your UniFi Network settings.
  5. Route all traffic through the VPN by going to Options > Session Options and selecting Send all traffic over VPN connection.

Troubleshooting

If your client cannot connect to the VPN server, or is unable to route traffic through the VPN, you may receive error messages stating that the server is not responding, the client disconnected, or that a processing error occurred. Your VPN connection may also fail. These events are likely related to one of the following:

Your UniFi Gateway Does Not Have a Public IP Address (Double NAT)

This typically occurs if your UniFi gateway is located behind another router/modem that uses Network Address Translation (NAT). You are likely affected if your UniFi gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 – 100.127.255.255)

To resolve this, set your upstream router to Bridge Mode. If this is not possible, try forwarding UDP Ports 500 and 4500 from the upstream router/modem to your UniFi gateway. Please note that this will not work if your upstream router doesn’t have a public IP address. 

Note: By default, Windows computers cannot establish L2TP VPN connections with servers behind NAT. To get around this restriction, you will need to manually change the AssumeUDPEncapsulationContextOnSendRule registry value (a DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent) from 0 to 2 and reboot. For more details, please refer to Microsoft’s support page.

For help configuring your device to bridge mode or port forwarding, we recommend contacting your ISP for further assistance. Please note that IP addresses in the 100.64.0.0/10 subnet range always require ISP assistance in order to establish a VPN connection.

Required Ports Are Blocked by an Upstream Device or Forwarded by Your UniFi Gateway to Another Device on Your Local Network

Make sure that no third-party routers, firewalls, or ISP modems are blocking UDP Ports 500 or 4500 from reaching your UniFi gateway. You may need to contact your ISP to verify that your network traffic is being routed correctly.

Once you confirm that your traffic is not being blocked, please ensure that your UniFi gateway is not forwarding these ports to another device on your local network. You can remove existing port forwarding rules in the Firewall & Security section of your UniFi Network application.

Authentication Failures Due to Incorrect Configuration

This occurs when the VPN server and client have mismatching pre-shared keys, authentication methods, or login credentials. Please ensure that all of these match what is configured in your UniFi Network application. Also, ensure that client devices are using the MS-CHAP v2 authentication method, and that the VPN type is set to L2TP. Lastly, verify that you are authenticating with a pre-shared key and not a certificate. 

Re-enter the pre-shared key, username, and password and check for typos.

Your Client Cannot Establish an L2TP Connection

Try using a different client or operating system to verify if this is a client-specific issue. If so, check for any device updates or contact the manufacturer for further assistance.

Note: Most Android clients require you to enable Weak Ciphers in your UniFi Network’s VPN server configuration.

Your Client Is Routing Over the VPN, but Its Traffic is Prohibited

In this scenario, the client can connect to the VPN but cannot communicate with any other devices on the local network.

To resolve this, please ensure that there are no traffic or firewall rules preventing VPN clients from communicating with your local network. Alternatively, individual clients on the local network could be dropping incoming traffic at their local firewalls. The Windows firewall, for example, blocks inbound ICMPv4 echo requests (ping) by default.

If you are testing with ping, then you will need to allow this traffic through the Windows firewall. For more details, please refer to the Microsoft support page.

The Client and VPN Server Use the Same Local IP Range

In this scenario, the client can connect to the VPN but cannot communicate with any devices on the local network. This could be because the client has an IP address that overlaps with the subnet of the network it is attempting to connect to. 

For example, if your client has a 192.168.3.21 address on its local network, and it is trying to connect to the UniFi VPN server configured on the 192.168.3.0/24 subnet, the client will always utilize its local network connection instead of the VPN. To resolve this, either change the client’s local IP or adjust your UniFi Network subnet range.

Your Client Has Split Tunneling

This will prevent clients from communicating with certain VPN-connected devices despite being connected to the network itself. To resolve this, we recommend routing all traffic through your VPN:

  • For Windows clients, enable Use default gateway on remote network in the Advanced TCP/IP Settings.
  • For Mac clients, enable Send all traffic over VPN connection in your VPN network preferences.

For more OS-specific guidance, please contact your device’s manufacturer.

Expedite Your Support Request

If you’re submitting a support request, please include answers to the following to ensure that our Support Engineers are fully apprised of your unique situation and can deliver the best, most personalized support experience possible.

  • What is the model and operating system of each affected client?
  • What error message(s) are you receiving?
  • How are your client(s) configured? (Please provide screenshot(s), if possible.)
  • Have you tested this on a different client?
  • How is each client attempting to connect to the VPN? Is it using LTE data, or is it connected to a different WiFi network?
  • What is the IP address of each affected client, and what is your UniFi gateway’s VPN server subnet range?

Also, please provide a copy of your support file, along with a timestamp of when you last attempted to connect to the VPN server. More detailed instructions can be found here.

UniFi – Maintaining Connectivity with your UniFi Devices

A UniFi device with an Offline state has lost communication with its application host, meaning that you will be unable to manage its configuration. This does not necessarily mean it has stopped working. As long as it is powered on with connectivity to the rest of your network, it will continue operating in a “Self-Run” state using the last known UniFi configuration.

A UniFi device can go offline for a number of reasons, but this is most common for those with third-party equipment, or those that choose to self-host the Network Application instead of using a UniFi OS Console.

Here are the most common reasons why UniFi devices go offline:

Physical Connection Issues

Device connection can be disrupted by faulty cabling, power supply issues, or other problems with your physical networking hardware. First, ensure that your device is being powered by Power-over-Ethernet (PoE). Then, replace its cabling, confirm that both ends are securely connected, and try a new port to rule out physical damage. 

Device Cannot Obtain an IP Address from Your DHCP server

This is most common for users with a third-party DHCP server. To fix this, start by verifying that the device has been assigned a correct IP and gateway. You can do this by reviewing your server’s DHCP leases, or you can scan your network with the WiFiman mobile app (Android / iOS). 

Note: 192.168.1.20 is used as a fallback IP address, so its usage may indicate that your device cannot obtain another IP from your DHCP server.

Please also verify that your DHCP server’s network is added as a member of all your switch port profiles. Additionally, ensure that UDP Ports 67 and 68 are open on any firewalls on your network. Otherwise, none of your devices will be able to obtain an IP address and connect to your network.

Your Wirelessly Adopted Devices Have Poor Connectivity

A wirelessly adopted device is like any other wireless client. See Optimizing Wireless Client Connectivity for more details.

Firewall Blockages

This is most common for users self-hosting the Network Application, especially on Windows hosts. For troubleshooting purposes, we recommend temporarily disabling your firewalls to verify whether they are preventing your UniFi devices from coming online.

Please also note that some Windows updates can reconfigure your firewall settings. As such, please ensure that your network connection’s firewall profile is set to Private.

Next, verify that TCP Port 8080 and UDP Port 10001 are both open. For instructions on how to verify other required port configurations, see our Required Ports Reference.

If you have any Layer 3-adopted APs, please disable any custom firewall rules blocking traffic across VLANs between your UniFi device and the Network Application. 

Your Network Application Host Moved or Its IP Address Changed

If you change the location of your UniFi Network host, your devices could still be attempting to communicate with its old IP address. If the old and new IPs are on the same Layer 2 network (i.e., same subnet and VLAN), your devices will be able to re-discover and reconnect to your host.

If you moved the Network host to a new VLAN, however, you must use Layer 3 Adoption to re-establish connectivity. This should only be done by advanced users. Otherwise, we recommend reconfiguring your setup so that your Network Application and UniFi devices are on the same Layer 2 network.

Those who have performed a Layer 3 adoption should also verify if their public IP address has changed. This happens if your ISP provides IP addresses via DHCP. An IP address change will leave your L3-adopted devices still trying to communicate with the old IP address. We recommend using a Dynamic DNS (DDNS) service to avoid this. 

The Management VLAN Is Not a Member of Your Switch Port Profile

Your UniFi device’s Management VLAN must be a member of the port profile on every switch port between the device and the Network Application host. The Management VLAN configuration is found in the Settings tab of the device’s properties panel, which can be accessed by selecting it on the UniFi Devices page.

Packet Loss and High Latency Between the UniFi Network Application and Device 

The UniFi Network Application has a 60-second disconnection threshold, meaning that it will wait one minute for a response from the device before declaring it disconnected. Packet loss and increased network latency can occasionally trigger device disconnections.
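
The checks in this section (fallback address, gateway outside the assigned subnet, management VLAN missing from the port profile, and the 60-second disconnection threshold) can be applied mechanically to a device inventory before opening a support request. The following triage function is an added example, not Ubiquiti code: the device records and timestamps are constructed, and the field names are assumptions; only the 192.168.1.20 fallback address and the 60-second threshold come from the article.

```python
"""Triage why UniFi devices show Offline, using the checks from this section.

Added example, not Ubiquiti code. Device records are constructed and the
field names are assumptions; the 192.168.1.20 fallback address and the
60-second disconnection threshold are the values stated in the article.
"""
import ipaddress

DISCONNECT_THRESHOLD_S = 60                     # Network Application disconnection threshold
FALLBACK_IP = ipaddress.ip_address("192.168.1.20")


def triage_device(dev, now, mgmt_vlan):
    """Return likely causes for `dev` being offline (empty list if none found).

    dev: {"name", "ip" (CIDR), "gateway", "last_inform" (epoch s), "port_profile_vlans"}
    now: current epoch seconds; mgmt_vlan: VLAN ID the Network Application lives on.
    """
    findings = []
    iface = ipaddress.ip_interface(dev["ip"])
    gateway = ipaddress.ip_address(dev["gateway"])

    if iface.ip == FALLBACK_IP:
        findings.append("device is on fallback IP 192.168.1.20: likely no DHCP lease")
    if gateway not in iface.network:
        findings.append(f"gateway {gateway} is not inside {iface.network}: bad DHCP/static config")
    if mgmt_vlan not in dev["port_profile_vlans"]:
        findings.append(f"management VLAN {mgmt_vlan} is not in the switch port profile")

    silent_for = now - dev["last_inform"]
    if silent_for > DISCONNECT_THRESHOLD_S:
        findings.append(f"no inform for {silent_for}s (> {DISCONNECT_THRESHOLD_S}s threshold): "
                        f"check for packet loss or high latency to the application host")
    return findings


def triage_site(devices, now, mgmt_vlan):
    """Map device name -> findings for every device with at least one finding."""
    report = {}
    for dev in devices:
        findings = triage_device(dev, now, mgmt_vlan)
        if findings:
            report[dev["name"]] = findings
    return report


# Constructed inventory; last_inform values are epoch seconds relative to NOW.
NOW = 1_700_000_000
DEVICES = [
    {"name": "ap-lobby", "ip": "192.168.1.20/24", "gateway": "192.168.1.1",
     "last_inform": NOW - 300, "port_profile_vlans": {1, 10}},
    {"name": "sw-core", "ip": "10.0.10.5/24", "gateway": "10.0.10.1",
     "last_inform": NOW - 12, "port_profile_vlans": {1, 10}},
    {"name": "ap-warehouse", "ip": "10.0.20.7/24", "gateway": "10.0.10.1",
     "last_inform": NOW - 75, "port_profile_vlans": {20}},
]

if __name__ == "__main__":
    for name, findings in triage_site(DEVICES, NOW, mgmt_vlan=1).items():
        print(name)
        for f in findings:
            print("  -", f)
```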

Expedite Your Support Request

Prior to reaching out to support, we recommend gathering/verifying the following information. Including these details in your request will expedite your support experience.

  • How are you hosting your UniFi Network Application (i.e., UniFi OS Console vs. self-hosted)?
  • What is your UniFi Network Application version? Please refer to our Software Releases page to confirm if you have the latest version.
  • What is the model and firmware version of your device? Please refer to our Software Releases page to confirm if you have the latest version.
  • Does your device frequently change statuses, or is it stuck in an Offline state?
  • When did this issue begin? Did you make any notable changes prior to it occurring?

Also, please provide a copy of your support file, along with the MAC address(es) of all affected device(s). More detailed instructions can be found here.

UniFi Network – Configuring Site-to-Site VPNs

Site-to-site VPNs are primarily used by businesses looking to connect numerous remote locations. If you are a home user, we strongly recommend Teleport VPN—our fast, secure, one-click remote access solution that requires no configuration. 

To learn more about Teleport and other UniFi VPN options, check out our Introduction to UniFi VPNs.

Setup

UniFi gateways support two site-to-site VPN protocols: IPsec and OpenVPN. Depending on the one you select, you will need to ensure that the following settings are the same for all gateways used to create site-to-site connections:

We recommend using UniFi gateways at all of your sites to maximize connection compatibility and performance. Additionally, some third-party gateways allow you to configure settings that are unavailable in the UniFi Network application. Troubleshooting these types of settings lies outside of Ubiquiti Support’s scope, but you can check out our Considerations for Third-Party Equipment: Site-to-Site VPNs for more information.

IPsec

  • Pre-Shared Key: This is used to authenticate VPN connections. 
  • UniFi Gateway IP: This is your UniFi gateway’s public IP address.
  • Shared Remote Subnets: This is the list of networks shared by the remote gateway. Please note that UniFi gateways share all local networks. You must ensure that there are no overlaps within your sites’ local subnets.
  • Remote IP: This is the remote gateway’s WAN IP address.

Additional Notes:

  • There are also Advanced settings that should match across all gateways. We recommend using the default settings unless you are proficient with VPN security.
  • Your UniFi gateway will automatically create the static routes required to direct traffic through the VPN. Do not try to create new ones for this purpose.

OpenVPN

The OpenVPN Site-to-site VPN uses a 512-character pre-shared key for authentication. The key should be the same for both gateways and shouldn’t contain line breaks. You can either create this key yourself or generate it on your UniFi gateway. To do this:

  1. SSH into your UniFi gateway.
  2. Generate your key by using the following command: openvpn --genkey secret /tmp/ovpn
  3. You can now view/copy the key by running the command: cat /tmp/ovpn
    Note: Be sure to remove any line breaks when copying the key.

Note: USGs must use generate vpn openvpn-key /tmp/ovpn to generate the key, then sudo cat /tmp/ovpn to view/copy the key.
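
The key file written by openvpn contains comment lines, BEGIN/END markers, and the 512 hexadecimal characters of the key broken over several lines; the UniFi form wants only those 512 characters on a single line, and a paste that keeps a line break or loses a character fails authentication with nothing useful in the logs. The following is an added example, not Ubiquiti or OpenVPN code: make_static_key_file is a local stand-in for running openvpn on the gateway (it generates a fresh random key and writes it in the same file layout), and normalize_static_key does the cleanup and validation that the note above asks you to do by hand.

```python
"""Normalize an `openvpn --genkey secret` static key into the single 512-hex-character
line the UniFi OpenVPN site-to-site form expects, and compare both gateways' copies.

Added example, not Ubiquiti or OpenVPN code. make_static_key_file is a local
stand-in (assumption: no openvpn binary here) that writes a freshly generated
random key in the OpenVPN static key file layout; no real key is embedded.
"""
import hmac
import re
import secrets

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_HEX_LEN = 512   # a 2048-bit static key is 256 bytes, written as 512 hex characters


def make_static_key_file():
    """Emulate the file openvpn writes: '#' comment header, markers, 16 lines of 32 hex chars."""
    body = secrets.token_hex(KEY_HEX_LEN // 2)
    lines = [body[i:i + 32] for i in range(0, KEY_HEX_LEN, 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *lines, END]) + "\n"


def normalize_static_key(text):
    """Return the key body as one line of 512 lowercase hex characters.

    Accepts the full `cat /tmp/ovpn` output or a bare key pasted with line
    breaks; strips comments, markers and whitespace, then validates length and
    alphabet so a truncated or mangled paste fails loudly with ValueError.
    """
    inside, parts = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside and line and not line.startswith("#"):
            parts.append(line)
    # No markers found: treat the whole input as a bare key body.
    key = "".join(parts) if parts else re.sub(r"\s+", "", text)
    key = key.lower()
    if len(key) != KEY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", key):
        raise ValueError(f"expected {KEY_HEX_LEN} hex characters, got {len(key)}")
    return key


def keys_match(local_text, remote_text):
    """Constant-time check that both gateways hold the same key after normalization."""
    return hmac.compare_digest(normalize_static_key(local_text),
                               normalize_static_key(remote_text))


if __name__ == "__main__":
    key_file = make_static_key_file()
    one_line = normalize_static_key(key_file)
    print(len(one_line), "hex characters; line breaks removed:", "\n" not in one_line)
    print("both gateways agree:", keys_match(key_file, one_line))
```

On a real gateway, feed the function the exact output of `cat /tmp/ovpn` rather than retyping it; the comparison helper is useful when the second site’s key was pasted from a chat or e-mail that may have re-wrapped lines.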

Additionally, the following information is required:

  • Local Tunnel IP Address: This is the IP used for your local “tunnel”. Traffic sent to the remote gateway will be routed through this IP address. This address should be available on the local and remote site. We recommend selecting a private IP from a subnet that is unused on both gateways.
  • Local Port: By default, UDP Port 1194 is used for OpenVPN. This port must not be used by other services or other OpenVPN connections. If you’re using multiple OpenVPN tunnels, each one must be assigned to its own port. The local and remote ports do not need to be the same. 
  • Shared Remote Subnets: This is the list of networks shared by the remote gateway. Please note that UniFi gateways share all local networks. You must ensure that there are no overlaps within your sites’ local subnets.
  • Remote IP Address: This is the remote gateway’s WAN IP address.
  • Remote Tunnel IP Address: This is the IP address of the remote gateway’s tunnel. Do not enter the gateway’s WAN IP.
  • Remote Port: This is the remote gateway’s OpenVPN port. The local and remote ports do not need to be the same.

Note: Your UniFi gateway will automatically create the static routes required to direct traffic through the VPN. Do not try to create new ones for this purpose.

Troubleshooting

If you’re unable to establish a VPN tunnel between your sites, or your connection drops periodically, you likely have at least one site with an incorrect VPN or network configuration. Please refer to the common mistakes below.

Your UniFi Gateway Does Not Have a Public IP address (Double NAT)

This typically occurs if your UniFi Gateway is located behind another router/modem that uses Network Address Translation (NAT). You are likely affected if your UniFi Gateway has a WAN IP address in one of the following ranges:

  • 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
  • 100.64.0.0/10 (100.64.0.0 – 100.127.255.255)

To resolve this, set your upstream router to Bridge Mode. If this is not possible, try forwarding the necessary ports from the upstream router/modem to your UniFi gateway. IPsec uses UDP Ports 500 and 4500. By default, OpenVPN uses UDP Port 1194, but this can be changed. Please note that this will not work if your upstream router doesn’t have a public IP address.

If this doesn’t work, we recommend contacting your ISP. Please note that IP addresses in the 100.64.0.0/10 subnet range always require ISP assistance in order to establish a VPN connection.
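
The same four address ranges appear in the Port Forwarding, Remote Access VPN and Site-to-Site VPN troubleshooting sections above, each time with the same conclusion: an RFC 1918 WAN address means an upstream router is doing NAT, and a 100.64.0.0/10 address means the ISP is doing it and only the ISP can fix it. The following classifier is an added example, not Ubiquiti code, that applies those rules to a WAN address and produces the corresponding fix for a given port list. The optional observed_public_ip check (comparing the WAN address against what an outside service sees) is an extra check of this example, not something the article describes; it catches the case where the WAN address looks public but still differs from the address the Internet sees.

```python
"""Classify a gateway's WAN address for the Double NAT / CGNAT cases described in the
Port Forwarding, Remote Access VPN and Site-to-Site VPN sections.

Added example, not Ubiquiti code. The four ranges are the ones the article
lists; the optional observed_public_ip comparison is an assumption of this
example (it models comparing the WAN address to what an outside service sees).
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # carrier-grade NAT shared address space


def classify_wan(wan_ip, observed_public_ip=None):
    """Describe whether inbound traffic can reach the gateway's WAN interface unmodified.

    kind:         "public", "private" (RFC 1918: a router upstream is doing NAT),
                  or "cgnat" (ISP-side NAT).
    double_nat:   True when something upstream translates the address.
    isp_required: True when nothing on the customer side (bridge mode, forwarding) can fix it.
    """
    ip = ipaddress.ip_address(wan_ip)
    if ip.version != 4:
        raise ValueError("this check models IPv4 NAT only")
    if ip in CGNAT:
        kind, double_nat, isp_required = "cgnat", True, True
    elif any(ip in net for net in RFC1918):
        kind, double_nat, isp_required = "private", True, False
    else:
        kind, double_nat, isp_required = "public", False, False
        # A public-looking WAN address that differs from what the Internet sees
        # still means a NAT device sits upstream.
        if observed_public_ip and ipaddress.ip_address(observed_public_ip) != ip:
            double_nat = True
    return {"ip": str(ip), "kind": kind, "double_nat": double_nat, "isp_required": isp_required}


def remediation(result, ports):
    """Turn a classification into the article's fix; `ports` like ["udp/500", "udp/4500"]."""
    port_list = ", ".join(ports)
    if not result["double_nat"]:
        return f"no upstream NAT: forward {port_list} on the UniFi gateway only"
    if result["isp_required"]:
        return "CGNAT (100.64.0.0/10): ask the ISP for a routable public IPv4 address"
    return (f"upstream NAT: set the ISP router to bridge mode, or forward {port_list} "
            f"from it to {result['ip']} and again from the UniFi gateway")


if __name__ == "__main__":
    for wan in ("203.0.113.7", "192.168.0.2", "100.66.1.9", "172.20.5.5"):
        r = classify_wan(wan)
        print(f"{wan:<15} {r['kind']:<8} {remediation(r, ['udp/500', 'udp/4500'])}")
```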

Required Ports are Blocked by an Upstream Device or Forwarded by Your UniFi Gateway to Another Device on Your Local Network

Make sure that no third-party routers, firewalls, or ISP modems are blocking the required ports from reaching any of the gateways supporting your site-to-site VPN. IPsec uses UDP Ports 500 and 4500. By default, OpenVPN uses UDP Port 1194, but this can be changed. Please note that if you change the OpenVPN port on one gateway, you must also update the Remote Port configured on its peer so that both sides still agree.

Once you confirm that your traffic is not being blocked, please ensure that your UniFi gateway is not forwarding these ports to another device on your local network. You can remove existing port forwarding rules in the Firewall & Security section of your UniFi Network application.

Authentication Failures Due to Mismatched Gateway Configurations

Every gateway supporting your site-to-site VPN must have the same configuration, including Advanced settings. Failure to do so will prevent you from establishing a VPN connection or sustaining one for a long period of time.

We recommend using UniFi gateways at all of your sites to maximize connection compatibility and performance. This is because some third-party gateways allow you to configure settings that are not available in the UniFi Network application, but rather automatically set in the background. A mismatch in these configurations can still result in a connection failure. Troubleshooting these types of settings lies outside of Ubiquiti Support’s scope, but you can check out our Considerations for Third-Party Equipment: Site-to-Site VPNs for more information.

Also, please note that UniFi gateways are configured to share all local networks. Ensure these are configured in the paired gateway’s Shared Remote Subnets list.

Your Client Is Routing Over the VPN, but Its Traffic is Prohibited

In this scenario, the client can connect to the VPN but cannot communicate with any other devices on the local network.

To resolve this, please ensure that there are no traffic or firewall rules preventing VPN clients from communicating with your local network. Alternatively, individual clients on the local network could be dropping incoming traffic at their local firewalls. The Windows firewall, for example, blocks inbound ICMPv4 echo requests (ping) by default.

If you are testing with ping, then you will need to allow the traffic through the Windows firewall. For more details, please refer to Microsoft’s support page.

Your Sites Have Overlapping IP Ranges

Overlapping IPs can prevent a VPN from establishing. Even if the VPN tunnel is established, it may prevent proper communication across the VPN. This is because a client will always prioritize IP addresses on a local network connection rather than those on the opposite end of a VPN. The only way to prevent overlapping is to review each gateway’s local networks and, if necessary, adjust their IP address ranges. For example, if one gateway has a local network configured as 192.168.0.0/24, that network covers 192.168.0.0 – 192.168.0.255 (usable host addresses 192.168.0.1 – 192.168.0.254). Your remote gateway should not use any addresses within that range.

Overlapping IP ranges may prevent proper communication across your VPN, or it can prevent the connection from establishing altogether. Assuming the VPN establishes,
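
Both the Remote Access VPN section (a client whose own LAN is 192.168.3.0/24 trying to reach a server network of 192.168.3.0/24) and this section (two sites that both use 192.168.0.0/24) come down to the same check: do any two prefixes overlap, including the case where one is nested inside the other. The following is an added example, not Ubiquiti code, that performs the check over a constructed site plan with Python’s ipaddress module and also proposes a free prefix when a renumbering is needed. The site names and prefixes are constructed; the 10.0.0.0/8 candidate pool for new prefixes is an assumption.

```python
"""Find overlapping subnets across site-to-site VPN sites and between a remote-access
client's LAN and the VPN server's networks; propose a free prefix for renumbering.

Added example, not Ubiquiti code. The site plan and client prefix are
constructed; the candidate pool for new prefixes is an assumption.
"""
import ipaddress
from itertools import combinations


def overlapping_pairs(site_networks):
    """site_networks: {site_name: [cidr, ...]}.

    Return (siteA, netA, siteB, netB) for every pair of networks at different
    sites that overlap, whether identical or one nested inside the other.
    """
    flat = [(site, ipaddress.ip_network(cidr, strict=False))
            for site, cidrs in site_networks.items() for cidr in cidrs]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(flat, 2)
            if sa != sb and na.overlaps(nb)]


def client_overlaps_server(client_ip_cidr, server_networks):
    """Return the server-side networks that a remote-access client's own LAN overlaps.

    client_ip_cidr is the client's local address with its mask, e.g. "192.168.3.21/24";
    any hit means the client will use its local link instead of the tunnel.
    """
    client_net = ipaddress.ip_interface(client_ip_cidr).network
    return [str(n) for n in map(ipaddress.ip_network, server_networks)
            if client_net.overlaps(n)]


def suggest_free_prefix(used_cidrs, candidate_pool="10.0.0.0/8", new_prefixlen=24):
    """Return the first /new_prefixlen inside candidate_pool overlapping none of used_cidrs."""
    used = [ipaddress.ip_network(c, strict=False) for c in used_cidrs]
    for cand in ipaddress.ip_network(candidate_pool).subnets(new_prefix=new_prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


# Constructed site plan: HQ and Branch-2 both use 192.168.0.0/24, and Branch-2's
# 10.10.5.0/24 sits inside HQ's 10.10.0.0/16.
SITES = {
    "HQ":       ["192.168.0.0/24", "10.10.0.0/16"],
    "Branch-1": ["192.168.10.0/24"],
    "Branch-2": ["192.168.0.0/24", "10.10.5.0/24"],
}

if __name__ == "__main__":
    for sa, na, sb, nb in overlapping_pairs(SITES):
        print(f"overlap: {sa} {na} <-> {sb} {nb}")
    print("client 192.168.3.21/24 collides with:",
          client_overlaps_server("192.168.3.21/24", ["192.168.3.0/24", "10.10.0.0/16"]))
    all_used = [c for nets in SITES.values() for c in nets]
    print("free /24 for renumbering Branch-2:", suggest_free_prefix(all_used))
```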

Your Client Has Split Tunneling

This will prevent clients from communicating with certain VPN-connected devices despite being connected to the network itself. To resolve this, we recommend routing all traffic through your VPN:

  • For Windows clients, enable Use default gateway on remote network in the Advanced TCP/IP Settings.
  • For Mac clients, enable Send all traffic over VPN connection in your VPN network preferences.

For more OS-specific guidance, please contact your device’s manufacturer.

Source :
https://help.ui.com/hc/en-us/articles/360002426234-UniFi-Network-Configuring-Site-to-Site-VPNs

UniFi Network – Optimizing Wired Network Speeds

The main factors that contribute to wired speeds are:

  • Physical (Layer 1) connections between your networking devices
  • Available device resources (e.g., CPU and Memory)
  • Protocol limitations
  • Software or configuration limitations

Follow these guidelines, and those in Optimizing Wireless Network Speeds, to maximize your total network throughput.

Recommendations 

Check Your Cabling

Make sure your cables are undamaged and securely connected to their respective ports. If your speeds are slower than you expect, swap out your cables for new ones. We recommend using SFP/SFP+ modules or DAC cables, when possible, to maximize speeds. Otherwise, use CAT6 RJ45 cables.

Check out our Beginner’s Guide to Network Cabling for more information. 

Ensure That All Ports Negotiate Proper Speeds

All UniFi devices automatically negotiate their speeds. Some clients, however, may be incapable of doing so. For these devices, we recommend manually setting their link speed in the Port Management section, found in the UniFi Devices tab of the Network Application.

Please be sure to check each client’s specifications. Not all clients have a Network Interface Card (NIC) capable of negotiating at faster rates, such as 1 Gbps.

Note: Clients with speed negotiation issues often result in dropped connectivity. This is a telltale sign to look for if you suspect a client-specific issue.

Disable Resource-intensive Software Features

Resource-intensive features such as Threat Management and Smart Queues may reduce throughput by up to 30%. Please consider this when prioritizing network speed, performance, and security.

Note: Smart Queues are only recommended if you have expected Internet speeds of 250 Mbps or less and you consistently have more internet traffic than your bandwidth can support.

Other features that may impact throughput include: 

  • Device and Traffic Identification (Deep Packet Inspection)
  • Firewall Rules
  • Content Filters
  • VPNs 

To approximate your deployment’s resource usage, try our UniFi OS Console Resource Calculator

Note: These features only affect traffic routed through your gateway or to the Internet. They should not affect LAN traffic between devices on the same network.

Minimize Network Congestion

A high number of concurrent clients routing traffic through a local network device, like a single switch, may reduce throughput. To resolve this, we recommend separating network traffic or adopting an additional Layer 3 switch.

Be Aware of Protocol and Client Limitations

Certain protocols offer lower performance. For example, L2TP VPNs are relatively slow compared to WireGuard or Teleport. Another example of a traditionally slow protocol is SMB file transfers.

Similarly, some clients may be limited by the resource intensity of the applications they run, independently of your network.

Use DHCP or Static WAN (Internet) Connection When Possible

PPPoE is a very CPU-intensive protocol that may reduce throughput compared to DHCP or Static IP configurations.

Remove Traffic Rules and Bandwidth Profiles That Limit Client Traffic

We always recommend taking a moment to verify that there are no active Traffic Rules or Bandwidth Profiles reducing client throughput.

Expedite Your Support Request

Please include answers to the following in your request to expedite your support experience:

  • What are your expected speeds?
  • How are you hosting your UniFi Network Application (i.e., UniFi OS Console vs. self-hosted)?
  • What version of UniFi Network are you running? What firmware versions are your network devices running (e.g., switches, APs, gateway, etc.)? Please refer to our Software Releases directory to verify everything is up-to-date.
  • If you are using a UniFi OS Console, what version of UniFi OS are you running? Please refer to our Software Releases directory to verify if you are running the most up-to-date UniFi OS.
  • How widespread is your throughput issue? Does it affect wired clients, wireless ones, both, or just certain devices?
  • When did this issue start?

Source :
https://help.ui.com/hc/en-us/articles/6949005136919-UniFi-Network-Optimizing-Wired-Network-Speeds