I have a pfSense at a colo with a globally routable IPv4 /24 that I chopped into /27s. At home, I have a UDM Pro (latest EA). I would like to tunnel one of the /27s from the colo to my home, assigning the /27 to a VLAN, enabling the hosts on that VLAN to be assigned public IPv4 addresses with their traffic exiting via the colo only.
I established an IPSec site-to-site tunnel between the two routers.
However, UniFi Network requires the creation of a “Network” to create a VLAN. I am unable to figure out how to create a Network within UniFi without that Network being behind a NAT. Is it indeed impossible on the UDM Pro to pass the raw /27 onto a VLAN? I also would like the UDM Pro to handle DHCP for that /27, but first I need to find a way to get the IP addresses onto that VLAN. I can live with having to run a separate DHCP server on that VLAN.
If passing IP addresses through a tunnel onto a UniFi VLAN is impossible, does anyone here know of a way to use a separate overlay network host, such as Tailscale or Netbird, that sits on a UniFi VLAN to tunnel globally routable IP addresses from a corresponding host on a VLAN at the colo with that /27 to the VLAN at my home? Every example that I have seen assumes that RFC1918 addresses are used.
How can I give the hosts at home some of the ample IPv4 addresses that I have at the colo? (An outside observer should not be able to determine that the hosts at my home are anywhere other than the colo, other than perhaps through the increased latency).
The similarity of the two previous answers gives me the impression of “I dropped this into an LLM and this is what it spit out” - and probably the same LLM. I understand people trying to be helpful, but the answers really don’t seem to be…
On my UDM-SE I had no issue making a network e.g. 8.76.54.0/27, by giving the router the gateway IP of 8.76.54. You can’t do anything else if you want the traffic to route through the UDM; if it’s going to be part of the Layer 3 path then it’s going to need to be the gateway of the subnet. I don’t believe Unifi has any Layer 2 tunnel support.
You can make this work with a setup like this:
Presumably your pfSense has some sort of uplink connection with your ISP, a /30, and they are routing the /24 to you via that IP. So the routing table on their side looks something like “8.76.54.0/24 → 1.2.3.5/30”. If instead they are acting as the gateway of the /24 then this gets much harder and probably not a good fit with a Unifi router.
In your IPSec tunnel you would use some other internal IP addresses, 10.255.255.252/30 as an example. The pfSense has one IP, 10.255.255.253 for example, and the UDM has the other, 10.255.255.254. I’m assuming you’re using route based IPSec, not policy based.
On the pfSense side you make a route like “8.76.54.128/27 → 10.255.255.254”
Make a network on the UDM with the 8.76.54.128/27 network. The UDM will use one of the IPs and everything within the network will use it as the gateway.
On the UDM side you make a policy based route that anything coming from the new network is redirected over the IPSec tunnel. This is instead of a normal route since only the traffic from that VLAN should be sent.
The network you make shouldn’t be subject to NAT when its traffic goes across the tunnel. The default source NAT / masquerade rules apply when traffic leaves one of the WAN ports directly.
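To make the forwarding logic in the steps above concrete, here is a small model of both routers' decisions. This is an added example, not pfSense or UniFi code: the interface names (wan0, ipsec0, vlan_public, vlan_lan, wan, lan) and the home LAN 192.168.1.0/24 are assumptions, while the public /27, the ISP /30 and the 10.255.255.252/30 transit are the sample values from the answer. It shows the policy-based rule steering only the public VLAN into the tunnel, the longest-prefix return route at the colo, and source NAT applying only to traffic that leaves a WAN port directly.

```python
"""Forwarding model of the two-router layout described in the answer above.

Constructed example (not pfSense or UniFi code). Interface names and the
192.168.1.0/24 home LAN are assumptions; the public /27, ISP /30 and the
10.255.255.252/30 transit network are the answer's own sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str                      # egress interface or next-hop address


@dataclass(frozen=True)
class PolicyRule:
    source: ipaddress.IPv4Network
    via: str
    except_dst: tuple = ()        # destinations left to the normal table


@dataclass
class Router:
    name: str
    routes: list
    policy: list = field(default_factory=list)
    masquerade: frozenset = frozenset()   # interfaces that apply source NAT

    def next_hop(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Policy-based rules are evaluated before the routing table.
        for rule in self.policy:
            if src in rule.source and not any(dst in n for n in rule.except_dst):
                return rule.via
        # Otherwise ordinary longest-prefix match.
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen).via

    def forward(self, src, dst):
        """Return (next hop, whether source NAT is applied on the way out)."""
        hop = self.next_hop(src, dst)
        return hop, hop in self.masquerade


N = ipaddress.ip_network
HOME_LAN = N("192.168.1.0/24")      # assumed RFC1918 home network
PUBLIC_27 = N("8.76.54.128/27")     # the /27 tunnelled to the house

UDM = Router(
    "udm",
    routes=[Route(N("0.0.0.0/0"), "wan0"),
            Route(PUBLIC_27, "vlan_public"),
            Route(HOME_LAN, "vlan_lan"),
            Route(N("10.255.255.252/30"), "ipsec0")],
    # Only traffic sourced from the public VLAN is pushed into the tunnel;
    # locally connected destinations stay on the normal table.
    policy=[PolicyRule(PUBLIC_27, "ipsec0", except_dst=(HOME_LAN, PUBLIC_27))],
    masquerade=frozenset({"wan0"}),   # default masquerade: WAN ports only
)

PFSENSE = Router(
    "pfsense",
    routes=[Route(N("0.0.0.0/0"), "wan"),           # ISP uplink (/30)
            Route(N("8.76.54.0/27"), "lan"),         # a /27 kept at the colo
            Route(PUBLIC_27, "10.255.255.254")],     # the route from the answer
)


def demo():
    return {
        "home_public_host_to_internet": UDM.forward("8.76.54.130", "93.184.216.34"),
        "home_lan_to_internet": UDM.forward("192.168.1.10", "93.184.216.34"),
        "home_public_host_to_lan": UDM.forward("8.76.54.130", "192.168.1.10"),
        "return_traffic_at_colo": PFSENSE.forward("93.184.216.34", "8.76.54.130"),
    }


if __name__ == "__main__":
    for name, (hop, nat) in demo().items():
        print(f"{name}: via {hop}, source NAT: {nat}")
```

The `except_dst` list on the policy rule is the one design decision worth noting: without it, a host on the public VLAN talking to another home VLAN would be hairpinned through the colo, so the rule only overrides the table for destinations that are not locally connected.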
Much appreciate your explanation. I was able to set up a site-to-site IPSec tunnel between pfSense and my UDM Pro using two hardcoded IP addresses in a /30 for the two tunnel endpoints. This bypassed the NAT on the UDM Pro side, establishing the tunnel for the /27 between the colo and my house.
Alas, I immediately ran into a CVE-worthy defect on the UDM Pro side:
UniFi Network drops all site-to-site tunnels into the “VPN” firewall zone. The zone into which the tunnel terminates is not configurable by the administrator, defeating the very purpose of having a zone-based firewall. The VPN zone in turn is highly permissive, including granting access to the Internal zone. If my tunnel carrying globally routable IP addresses were the only tunnel between the two routers, I suppose I could just reconfigure the VPN zone to be highly restrictive, not granting access to any of the other zones. But that is not the case. I have tunnels between the sites that should be able to talk to the Internal zone.
Fortunately, I caught within about 15 minutes that I had just opened up my Internal zone to the global Internet at large. I wonder what percentage of other users catch this. Certainly not all. I would not complain if UniFi Network were to by default select a highly permissive VPN zone in a drop-down list of zones in which the IPSec tunnel terminates. I am having serious issues with the destination zone not being selectable at all.
Ubiquiti tech support told me to go pound sand: if I don’t like the permissions of the zone into which they drop the IPSec tunnel, I can edit the properties of the zone. Ubiquiti does not appear to have any plans to make the IPSec tunnel exit zone configurable to other, less permissive, zones.
The state of play is that I told Ubiquiti that I need to see a date by when the zone becomes selectable or I’ll file a CVE. What they are shipping is a security trap into which some users are guaranteed to fall. Not to mention the fact that they are making it impossible to tunnel both trusted and untrusted networks through IPSec tunnels.
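The zone problem described in this post is easy to reason about with a small model, so here is one as an added example (not UniFi code; the interface names, zone names and policies are assumptions chosen to mirror the post). It models a tunnel that carries the routed /27 and a second, trusted site-to-site tunnel both landing in a permissive VPN zone, includes an audit function that flags tunnels whose zone can reach Internal, and shows why the two available responses differ: restricting the shared VPN zone closes the path but also cuts off the trusted tunnel, while a selectable termination zone would isolate only the tunnel that needs it.

```python
"""Zone-based firewall model of the situation described in the post above.

Constructed example, not UniFi configuration: interface names, zone names and
policies are assumptions chosen to mirror the post. Whatever the far router
routes into a tunnel arrives in the zone that tunnel interface belongs to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str          # "allow" or "block"


class ZoneFirewall:
    def __init__(self, iface_zone, policies, default="block"):
        self.iface_zone = dict(iface_zone)   # interface -> zone
        self.policies = list(policies)       # first match wins
        self.default = default

    def decision(self, in_iface, out_iface):
        src, dst = self.iface_zone[in_iface], self.iface_zone[out_iface]
        for p in self.policies:
            if p.src_zone == src and p.dst_zone == dst:
                return p.action
        return self.default


def tunnels_exposing_internal(fw, untrusted_tunnels):
    """Audit: untrusted tunnels whose zone has an allow policy into Internal."""
    return sorted(t for t in untrusted_tunnels
                  if any(p.action == "allow" and p.dst_zone == "Internal"
                         and p.src_zone == fw.iface_zone[t] for p in fw.policies))


# Assumed interfaces. ipsec_public carries the routed /27, so its traffic is
# not under the home administrator's control; ipsec_mgmt is a trusted link
# that legitimately needs Internal.
IFACES = {"wan0": "External", "ipsec_public": "VPN",
          "ipsec_mgmt": "VPN", "vlan_lan": "Internal"}
UNTRUSTED = {"ipsec_public"}

# As the post describes it: every tunnel lands in VPN, VPN may reach Internal.
AS_SHIPPED = ZoneFirewall(IFACES, [
    Policy("VPN", "Internal", "allow"),
    Policy("External", "Internal", "block"),
])

# Option mentioned in the post: make the whole VPN zone restrictive.
# This closes the hole but the trusted tunnel loses Internal as well.
RESTRICT_VPN = ZoneFirewall(IFACES, [
    Policy("VPN", "Internal", "block"),
    Policy("External", "Internal", "block"),
])

# What a selectable termination zone would permit (assumed zone name):
# only the public-address tunnel moves to a zone with no path to Internal.
SEPARATE_ZONE = ZoneFirewall(
    {**IFACES, "ipsec_public": "PublicTransit"},
    [Policy("VPN", "Internal", "allow"),
     Policy("External", "Internal", "block"),
     Policy("PublicTransit", "Internal", "block")],
)


def summary(fw):
    return {
        "public_tunnel_reaches_internal": fw.decision("ipsec_public", "vlan_lan") == "allow",
        "mgmt_tunnel_reaches_internal": fw.decision("ipsec_mgmt", "vlan_lan") == "allow",
        "flagged_tunnels": tunnels_exposing_internal(fw, UNTRUSTED),
    }


if __name__ == "__main__":
    for name, fw in [("as shipped", AS_SHIPPED),
                     ("restrict VPN zone", RESTRICT_VPN),
                     ("separate zone", SEPARATE_ZONE)]:
        print(name, summary(fw))
```

The audit function is the part worth keeping: run against any zone map, it lists tunnel interfaces that carry traffic you do not control yet sit in a zone with an allow policy towards Internal, which is the configuration the post found by accident.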
Have you tried moving your tunnel endpoint to a container/vm running inside a standard (restricted) vlan? Bypassing the UDM limitations all together.
I’m thinking of a WireGuard tunnel for this, it’s been a really long time since I messed with IPSec - and never with NAT. Depending on your setup you could just hand the wg interface off to the container for its sole interface.
Absolutely. I can set up an isolated VLAN that doesn’t route through my UDM Pro at all, attach a container/VM interface to that VLAN in Proxmox and feed that WG/Tailscale VM from another interface attached to a VLAN with Internet access, configuring the container/VM as an exit router for the tunnel. (I will likely do just exactly that in the interim).
To clarify, since you are mentioning NAT: NAT is not involved in any way, shape, or form. I have a static IPv4 at the UDM Pro side, which is where the IPSec tunnel terminates.
But I didn’t pay Ubiquiti good money for a router only to have to run a second router, because the UniFi router is unsuitable to task and Ubiquiti screwed up their zone-based firewall implementation.
Somebody needs to complain to Ubiquiti and do so loudly or the crap they are shipping today will not get fixed. Perhaps I am overreacting. I have been in this business for some 35 years. I have seen a lot of crap along the way. Nonetheless, my jaw just about dropped when I realized what UniFi Network is actually implementing.
I think I follow most of what you are trying to do in the first paragraph. It sounds more complicated than what I was thinking of. My idea was to simply delete the IPSec tunnel endpoint on the UDM Pro and move it to a server running in a standard vlan from the UDM router (hence nat traversal). Then add the routes in UDM router to that server if layer 3 traffic is necessary. Or scratch all that and just terminate the tunnel at the targeted server directly.
I’m sure your setup will get the job done too. I build out my tunnels in the way I described above. Never directly on the router’s host OS. Doing this provides better security, performance, and customization.
With that said, everybody wants it built in. So it is shocking to hear all these limitations & scary default settings that you describe. More people should know about this.