VLOG Thursday 422: UniFi Firewall Migration and Homelab Q&A [YouTube Release]


Have you been tracking this project to build a hardware firewall appliance https://youtu.be/qSQbpS9waIA?si=cQ4KYRA49HqF_pTB

Ships with OpenWrt but mentions VyOS as an option. I need to study up a bit more and see what’s what with it. Then maybe buy one.

I looked at it, interesting project. Cool to see that he is using Vector Packet Processing & DPDK because to my knowledge he will be among the first to support that in OpenWRT.

Speaking of UniFi and WireGuard site-to-site, I basically wasn’t understanding what was going on until I had a look at the firewall logs from UniFi. OPNsense WG server to UniFi WG client. Local traffic routes fine both ways, but WAN traffic that’s routed from OPNsense into the tunnel and should exit to the WAN on UniFi doesn’t work.

Traffic from opnsense wg server to unifi wg client, destination local ip:

IN=wgclt1 OUT=br31 SRC=10.0.80.2 DST=10.1.90.3

Traffic that comes into the WG client interface, destination wan ip:

IN=wgclt1 OUT=wgclt1 SRC=10.0.80.2 DST=195.88.54.16

Similar test made from a teleport client, destination wan ip:

IN=tlprt0 OUT=eth4 SRC=192.168.2.2 DST=195.88.54.16

Did chat with UniFi support, and they stated that the WG client is intended for client-to-server and not peer-to-peer, which seems a bit odd with WireGuard. No explanation as to why a local IP gets the correct OUT interface and WAN traffic does not, apart from the client-to-server reply.

So I might be headed back to OpenVPN as well…
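The diagnosis in the post above comes from reading the `IN=/OUT=` pairs in the firewall log: traffic arriving on the WireGuard client interface with a public destination is sent back out the same interface instead of the WAN port. The following added example (not code from the post, UniFi or Ubiquiti) parses lines in that log format and flags that hairpin pattern, so the same check can be run over a larger log export. The interface names are taken from the log lines in the post; treating `eth4` as the WAN interface is an assumption inferred from the Teleport line.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, copied from the three log lines quoted in the post.
SAMPLE_LOG = """\
IN=wgclt1 OUT=br31 SRC=10.0.80.2 DST=10.1.90.3
IN=wgclt1 OUT=wgclt1 SRC=10.0.80.2 DST=195.88.54.16
IN=tlprt0 OUT=eth4 SRC=192.168.2.2 DST=195.88.54.16
"""

Flow = namedtuple("Flow", "in_if out_if src dst")
FIELD = re.compile(r"\b(IN|OUT|SRC|DST)=(\S*)")


def parse_line(line):
    """Extract IN/OUT/SRC/DST from one netfilter-style log line, or None."""
    fields = dict(FIELD.findall(line))
    if not {"IN", "OUT", "SRC", "DST"} <= fields.keys():
        return None
    return Flow(fields["IN"], fields["OUT"], fields["SRC"], fields["DST"])


def classify(flow, tunnel_ifs, wan_ifs):
    """Label a forwarded flow that entered through a VPN tunnel interface."""
    if flow.in_if not in tunnel_ifs:
        return "other"
    dst_public = not ipaddress.ip_address(flow.dst).is_private
    if flow.out_if == flow.in_if and dst_public:
        # WAN-bound packet routed straight back into the tunnel it came from:
        # this is the failing case described in the post.
        return "hairpin"
    if flow.out_if in wan_ifs:
        return "tunnel-to-wan"
    return "tunnel-to-lan"


def audit(log_text, tunnel_ifs=("wgclt1", "tlprt0"), wan_ifs=("eth4",)):
    """Return (flow, label) for every parseable line; assumes eth4 is WAN."""
    results = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is not None:
            results.append((flow, classify(flow, tunnel_ifs, wan_ifs)))
    return results


if __name__ == "__main__":
    for flow, label in audit(SAMPLE_LOG):
        print(f"{label:14} {flow.in_if:>7} -> {flow.out_if:<7} {flow.src} -> {flow.dst}")
```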

In the future they will have full NORMAL Wireguard support.

That GATEWAY device is interesting, but the NXP ARM processor is going to make it hard to support OPNsense like they want. There is no official ARM release, only a third party operated by a single person. If it had an AMD APU in it, I’d order one of the first to see how it runs and support their effort.

It’s going to be Apple pretty when they get the aluminum case done, but it’s going to add a lot of expense too.