Migrating Omada controller to VM
As part of my migration of core services off the router to VMs I am moving the Omada controller. I have already moved the SaltStack controller and Debian pre-seed web site, but as these were straight-forward migration of daemons and data I did not write any notes about the process.
The Omada controller, on the other hand, is slightly more complex as it currently sits directly on a management VLAN (which I put the access point’s management interfaces onto) not currently exposed to the virtual machine, or its host, as well as being a Docker container. I considered migrating from Docker to directly hosting it on the VM, however it is the only piece of software not installed from a package repository and this would create a different headache with keeping it up to date which I do not have with Docker as my salt states update and restart the container when required.
Networking
I was going to extend the management VLAN to the VM, however this does increase the exposure of the VLAN by passing it through the host machine and potentially risking exposure to the other VMs (in the absence of a dedicated interface/bridge for this VM or ebtables to firewall it appropriately). It is not actually required to run the controller on the same logical network as the devices, so instead I decided to move the controller over which puts it on the main network and allow the router to route from the APs to the controller, including to the captive portal on the guest VLAN. I also added option 138 to the managements VLAN’s DHCP configuration so new APs will automatically find the controller when connected.
Migration
Again, I had envisaged that I would:
- shutdown the old docker container
- copy its volumes over
- create the new one
- import the volumes to the new one
However I discovered that the management interface has a wizard for migrating one controller to another, which includes updating the AP configurations so I used that.
There were no problems with the migration, except that the one wireless network with a hidden SSID was not hidden (at least it was visible on some of my devices that have never joined it). The settings showed that the SSID broadcast was disabled, however toggling it on and back off again seemed to restore it to really be hidden.