This is a theoretical ask, which might go real-world at some point. Is it possible to have a UDMPRO-SE behind another UDMPRO-SE? I guess the make doesn’t really matter; the ask is a router behind a router. And what would the config look like for that, more specifically on the UDMPSE?
I have a couple of multi-client buildings where, over time and through bad management of the site, tenants have been allowed to install their own routers in their spaces, some of which have UDMPSEs. These sites are coming up for upgrades, and two in particular want to go full UniFi stack. Their requirements are basic, so pfSense might be overkill; plus, the requirement is UniFi specifically, if possible.
What’s wrong with tenants installing their own routers? I thought that would be standard practice. As a tenant, I would want control over my network resources, and I wouldn’t want to rely on the lessor for network security. As far as I am concerned, in that scenario everything not under my control is untrusted.
A router “behind” another router is not technically a problem. If there is no NAT involved, there is not even technically a notion of direction as every host can reach every other host (unless prohibited by firewalls). But I’m assuming the tenants in your scenario don’t get public IP addresses, which means their routers are behind one layer of NAT and their clients are behind two layers of NAT. Outbound connections will still work fine, but double NAT makes it harder to manage incoming connections.
I probably should have elaborated a little, but I wanted to keep the post short and TL;DR-free.
The site provides the only internet to all tenants. Each suite (tenant) has their own VLAN assigned, with their own isolated network. Most only use their internal routers to provide WiFi in their space. Some, as mentioned, have a UDMP to run Protect etc., and others just use the network as provided to the wall socket.
The building does provide in-house WiFi in the form of a single SSID and PSK to provide access to their respective VLANs.
Also, FWIW, this is commonly done at scale in large organizations, and it’s usually done with routes and no NAT except at the edge. I had a secure data enclave set up this way. I just had a static route from my core → pfSense (later Palo Alto and OSPF, because I finally got money) for a /24 where sensitive stuff lived. Firewalls are routers, too; just remember to give it a route back.
I don’t know if Ubiquiti can NOT NAT, though. No experience with that.
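Added example, not posted by anyone in this thread and not UniFi configuration: a small forwarding model that traces one inbound connection through the two designs discussed above, the double-NAT layout (tenant router NATing behind the building router, which needs a port forward on both boxes) and the routed layout (NAT only at the edge, with a static route from the core to the tenant /24 and a default route back on the tenant router). All addresses, the tenant NVR host and the port 443 forward are made up for illustration, and the toy only models routing and inbound DNAT, not stateful tracking or source NAT.

```python
"""Routed vs double-NAT "router behind a router", traced through a toy forwarding
model. Added example for this thread; all addresses and the NVR-on-443 service
are made up, and nothing here is a UniFi or pfSense config."""
import ipaddress
from dataclasses import dataclass, field

DELIVERED = "delivered"
ISP = "handed to ISP"
HOSTS = {"10.20.0.50"}      # hypothetical tenant NVR on the tenant's own LAN
CLIENT = "203.0.113.9"      # hypothetical viewer somewhere on the internet
EDGE_IP = "198.51.100.2"    # the building's single public IP (made up)


@dataclass
class Router:
    name: str
    wan_ip: str
    # prefix -> next hop: another Router's name, "attached" (dst is on a local
    # segment) or "internet" (hand to the ISP, useless for an RFC 1918 dst)
    routes: dict
    nat: bool = False
    # inbound DNAT: dport -> (inside ip, inside port); only consulted when nat=True
    forwards: dict = field(default_factory=dict)

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nexthop in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None


def trace(routers, first_hop, dst, dport):
    """Forward one packet hop by hop. Returns (outcome, path): path is the list of
    routers visited, outcome is DELIVERED, ISP or a drop reason."""
    hop, path = first_hop, []
    for _ in range(8):  # loop guard
        r = routers[hop]
        path.append(r.name)
        if r.nat and dst == r.wan_ip:  # traffic aimed at this box's WAN address
            if dport not in r.forwards:
                return f"dropped at {r.name}: no port forward for {dport}", path
            dst, dport = r.forwards[dport]
        nexthop = r.lookup(dst)
        if nexthop is None:
            return f"dropped at {r.name}: no route to {dst}", path
        if nexthop == "internet":
            return ISP, path
        if nexthop == "attached":
            # a directly attached address may belong to the next router's WAN side
            owner = next((n for n, x in routers.items() if x.wan_ip == dst), None)
            if owner is not None:
                hop = owner
                continue
            return (DELIVERED if dst in HOSTS else f"{dst} is not on {r.name}'s LAN"), path
        hop = nexthop
    return "routing loop", path


def round_trip(routers, dst=EDGE_IP, dport=443):
    """Inbound from CLIENT via the core, then the server's reply back out."""
    inbound, path = trace(routers, "core", dst, dport)
    if inbound != DELIVERED:
        return f"inbound {inbound}"
    reply, _ = trace(routers, path[-1], CLIENT, 0)  # reply starts on the last router
    return "ok" if reply == ISP else f"reply {reply}"


def double_nat(tenant_forward=True):
    """Today's state: the tenant router NATs behind the building router."""
    core = Router("core", EDGE_IP, {"0.0.0.0/0": "internet", "10.10.0.0/24": "attached"},
                  nat=True, forwards={443: ("10.10.0.2", 443)})
    tenant = Router("tenant", "10.10.0.2", {"0.0.0.0/0": "core", "10.20.0.0/24": "attached"},
                    nat=True, forwards={443: ("10.20.0.50", 443)} if tenant_forward else {})
    return {"core": core, "tenant": tenant}


def routed(core_static_route=True, tenant_default_route=True):
    """Target state: NAT only at the edge; the tenant router just routes."""
    core_routes = {"0.0.0.0/0": "internet", "10.10.0.0/24": "attached"}
    if core_static_route:
        core_routes["10.20.0.0/24"] = "tenant"   # the static route core -> tenant /24
    tenant_routes = {"10.20.0.0/24": "attached"}
    if tenant_default_route:
        tenant_routes["0.0.0.0/0"] = "core"      # the "route back" toward the core
    core = Router("core", EDGE_IP, core_routes, nat=True, forwards={443: ("10.20.0.50", 443)})
    tenant = Router("tenant", "10.10.0.2", tenant_routes)  # nat=False
    return {"core": core, "tenant": tenant}


if __name__ == "__main__":
    for label, net in [("double NAT", double_nat()),
                       ("double NAT, tenant forward missing", double_nat(tenant_forward=False)),
                       ("routed", routed()),
                       ("routed, core lacks static route", routed(core_static_route=False)),
                       ("routed, tenant lacks route back", routed(tenant_default_route=False))]:
        print(f"{label}: {round_trip(net)}")
```

The two failure cases in the routed layout are the ones the static-route post is warning about: without the core's static route the inbound packet for the tenant /24 follows the core's default route to the ISP, and without a route back on the tenant router the inbound packet is delivered but the reply is dropped.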