I managed to adopt them. I did nothing, just kept retrying for about 1-2h. This is pretty dumb. There's probably a bug somewhere.

For anyone else reading this, here's a port breakdown for the Omada software controller:

• UDP 29810 is for discovery -- whether the devices even pop up in the UI
• TCP 29811 is for management after adoption
• TCP 29812 is for the adoption process specifically
• TCP 29813 is for upgrades only

That's it. You do not need TCP 29810 & UDP 29811-13. You can get away with shennanigans and re-map some ports however you want on the controller end, just make sure the endpoint that you feed to the APs have those ports specifically exposed because you can't change them client-side.

Note: at least for the APs you can't get to the point where you can input your controller hostname without changing the default user & pass. So the first adoption try will always fail because it assumes default credentials. On the 2nd try it will prompt you for credentials.