pfSense and Ubiquiti USG working together.
-
Yes I have looked through this forum and found one posting on this topic from 2018 which I could have replied to but it's from 2018. :)
To level the playing field here. I have a homelab that consists of a newly added WG Firebox M400 with pfSense 2.4.5 installed on it. My network is 95% Microsoft Windows products. I work for an MSP.
So my pfSense has one connection, cable DHCP; I use HAProxy, and have other servers like Exchange and Plex, to name a few, in my environment. DHCP for the LAN is run from my AD server.
I have Ubiquiti APs and a cloud key. My purpose for getting the USG is that a lot of the features in the Ubiquiti controller require a USG, such as creating a guest WiFi network, etc. I don't care about DPI. Since I am not a *nix person, and every *nix proxy server I have tracked down requires you to set it up on the command line (sorry, pfSense has spoiled me), and the ones that have 3rd-party add-ons to do this charge enterprise pricing, for my homelab it's simply not worth it.
So I have a USG 3-port coming. I know about disabling the NAT on the USG, which I will do. And from what I have seen on YT about creating a static route in pfSense, that part of it makes sense. Where I am lost is understanding what I need to do on the USG to allow the traffic back to the pfSense and vice versa when it comes to the Exchange OWA/ActiveSync and web server, which are hosted on different machines, or if I need to worry about it at all.
If you have extra questions please ask.
Otherwise I need your help to understand what, if anything, I need to do on the USG side, which again will have its NAT disabled.
Thanks,
-
Can you give us a diagram of how this will be connected?
If it's just as a downstream router between pfSense and the access point(s) then there should not be any config required as long as pfSense is the default route for the USG.
The only thing will be on pfSense: adding the USG as a gateway and static routes to the subnet(s) behind it via that gateway.
Not entirely sure why you needed it though. You should be able to add additional SSIDs and VLANs to the access points via any controller.
Steve
-
@stephenw10 I have the USG and PFS connected, it looks like this.
internet -> wan pfs -> lan 192.168.90.1/28 <- wan usg 192.168.90.2 -> lan usg (my internal LAN).
Once I disabled the NAT on the USG and copied the JSON file over to the controller, I created a gateway and set up a static route, then updated the LAN firewall rules to allow traffic through. I just had to enable a firewall rule on the USG to allow all WAN traffic and my HAProxy works.
Now I am trying to set up a Guest WiFi network on the USG; it's set to 172.16.0.1/24 on VLAN 80. I understand that I have to create a VLAN on the pfSense, I am just not sure how to apply it to my gateway/static route. I am guessing it goes through the same gateway, I am just not sure about the static route, unless I am wrong about the gateway?
Thanks,
-
I don't know if you can pass the VLAN through the USG. I would think you may not be able to.
So if you want that traffic to come in on a different interface in pfSense you will have to create a VLAN on the WAN side of the USG and route traffic from the internal guest VLAN to it. Then you can have that as a VLAN interface in pfSense and apply different firewall rules or routing to it.
Steve
-
I have Ubiquiti gear behind a pfSense firewall and I've been able to get the guest WiFi feature working without a USG, including WPA2 Enterprise using the FreeRADIUS package on pfSense.
I can't think of any reason to put a USG behind a pfsense firewall especially given the support issues with the platform and lackluster throughput. I've had a heck of a time getting any real support out of those folks.
If you are going to go with the USG I would recommend getting the UDM Pro. It's super unstable but at least it can do full gigabit routing/inspection and host your controller, eliminating the need for your cloud key.
Even their "Enterprise class DPI" isn't real layer 7 inspection like on an enterprise-class NGFW and cannot block traffic with this feature, only report. As far as I can tell they're using Suricata as their IDS/IPS engine and there is nothing you can do with it you can't do with the same package on pfSense. And the Suricata package on pfSense is way more configurable than on the USG.
-
@stephenw10 I figured this out. My thinking was just wrong. :) It works now!
-
@bjurkovski said in pfSense and Ubiquiti USG working together.:
I have Ubiquiti gear behind a pfSense firewall and I've been able to get the guest WiFi feature working without a USG, including WPA2 Enterprise using the FreeRADIUS package on pfSense.
I can't think of any reason to put a USG behind a pfsense firewall especially given the support issues with the platform and lackluster throughput. I've had a heck of a time getting any real support out of those folks.
If you are going to go with the USG I would recommend getting the UDM Pro. It's super unstable but at least it can do full gigabit routing/inspection and host your controller, eliminating the need for your cloud key.
Even their "Enterprise class DPI" isn't real layer 7 inspection like on an enterprise-class NGFW and cannot block traffic with this feature, only report. As far as I can tell they're using Suricata as their IDS/IPS engine and there is nothing you can do with it you can't do with the same package on pfSense. And the Suricata package on pfSense is way more configurable than on the USG.
First of all, the UDM Pro doesn't have any DNAT feature, nor can you simply disable it like you can with the USGs; the main reason for this is that its OS is still pretty much in beta.
I use my pfSense for something other than a firewall: HAProxy. Because I have one IP address on my homelab and multiple websites, things have to work this way.
Maybe if and when the UDM Pro has the ability to allow users to disable the NAT on it I will consider it, oh and if the price is right too. :)
Thanks,
-
This is my scenario as well. pfSense in front of USG.
While I have it working, I am confused about a few things-
Why do I have to have a static route between pf LAN and USG WAN?
-
If I disable NAT (as every post indicates) it stops working!
Leaving NAT enabled it works. Why?
(While pfSense is new to me, I can sling config.gateway.json with the best of them)
I know this post is old, but I think this is the best place for my questions. Thanks for any help.
-
You don't. You need a route from pfSense to the USG LAN. Otherwise pfSense has no idea how to reach it and traffic that it gets for a client in the USG LAN will not be routed correctly.
-
If you don't have a static route back to the USG LAN, the NAT allows it to work by translating all the traffic to the USG WAN address, which pfSense does know how to reach.
1x NAT is better, so add the static route to pfSense. Disable NAT on the USG.
Steve
-
Ahh, so static from pfSense WAN to USG LAN? (How can I do that as my WAN is DHCP?)
(Again, while I don't understand it), if I disable NAT on the USG, I cannot connect to the Internet from the USG LAN.
Thanks for the help
-
The static route has to be on pfSense itself. You have to add a static route via a gateway so first go to System > Routing > Gateways and add a new gateway.
Set the USG WAN IP as a gateway and on the pfSense LAN interface which will be in the same subnet.
Now go to the static routes tab. Add a new static route to the USG LAN subnet via the new gateway you just added.
With that in place pfSense can reach the clients without the USG having to NAT.
Steve
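The routing argument in Steve's two replies above (NAT hides a missing route; a static route via the USG WAN address fixes it, and the guest VLAN subnet from earlier in the thread goes via the same gateway) can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or from pfSense/Ubiquiti; the transit addresses 192.168.90.1/.2 and the 172.16.0.0/24 guest subnet come from the thread, while the USG LAN prefix 192.168.1.0/24 and the ISP gateway 203.0.113.1 are assumptions made here (pfSense WAN is DHCP in the thread, so the real next hop is whatever the ISP hands out).

```python
"""Longest-prefix-match model of pfSense's reply-path decision for a USG LAN client.

Added example (not from the thread or the vendors). Shows why disabling NAT on
the USG breaks Internet access until pfSense has a static route to the USG LAN,
and why the guest VLAN subnet simply needs a second route via the same gateway.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Transit link between pfSense LAN and USG WAN (addresses from the thread).
TRANSIT = Net("192.168.90.0/28")
PFS_LAN = IPv4("192.168.90.1")
USG_WAN = IPv4("192.168.90.2")
# Guest VLAN 80 subnet from the thread; USG LAN prefix and ISP gateway are
# assumptions for this example (203.0.113.0/24 is an RFC 5737 documentation range).
GUEST = Net("172.16.0.0/24")
USG_LAN = Net("192.168.1.0/24")   # assumption
ISP_GW = IPv4("203.0.113.1")      # assumption


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    via: Optional[IPv4] = None    # None means directly connected


@dataclass
class Router:
    name: str
    routes: list[Route] = field(default_factory=list)

    def add(self, prefix: str, iface: str, via: Optional[str] = None) -> None:
        self.routes.append(Route(Net(prefix), iface, IPv4(via) if via else None))

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match: the most specific route containing dst wins."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def pfsense(static_routes: bool) -> Router:
    """pfSense as the thread describes it: default route out the WAN, the transit
    subnet directly connected on LAN, and optionally the static routes Steve
    describes, both using the USG WAN address as the gateway."""
    r = Router("pfSense")
    r.add("0.0.0.0/0", "wan", str(ISP_GW))
    r.add(str(TRANSIT), "lan")
    if static_routes:
        r.add(str(USG_LAN), "lan", str(USG_WAN))
        r.add(str(GUEST), "lan", str(USG_WAN))   # guest VLAN: same gateway, second route
    return r


def reply_path(client: str, usg_nat: bool, static_routes: bool) -> str:
    """Describe where pfSense sends the reply to a flow started by a USG LAN client.

    With NAT on the USG, the source pfSense sees is the USG WAN address, which is
    on the directly connected transit subnet, so replies always get back. Without
    NAT the reply is addressed to the real client, and only a static route keeps
    it from following the default route out to the ISP."""
    dst = USG_WAN if usg_nat else IPv4(client)
    route = pfsense(static_routes).lookup(dst)
    assert route is not None, "a default route always matches"
    if route.iface == "wan":
        return "wan via %s (reply leaves to the ISP: broken)" % route.via
    if route.via is None:
        return "lan directly connected"
    return "lan via %s" % route.via


if __name__ == "__main__":
    for nat in (True, False):
        for routes in (False, True):
            print(f"NAT={nat!s:5} static_routes={routes!s:5} -> "
                  f"{reply_path('192.168.1.50', nat, routes)}")
    print("guest client, NAT off, routes on:", reply_path("172.16.0.20", False, True))
```

Two practitioner notes on the real setup the model stands in for. First, once the route is in place, traffic between hosts on the pfSense LAN subnet and the USG LAN enters and leaves pfSense on the same interface, so pfSense's "Bypass firewall rules for traffic on the same interface" option under System > Advanced > Firewall & NAT is the switch to look at if those flows stall on state checks. Second, the USG WAN rule mentioned earlier in the thread that allows all WAN traffic is only acceptable because the USG WAN sits behind pfSense on a private transit subnet; it should be scoped to 192.168.90.0/28 rather than any source.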
-
<Lightbulb goes off!>
Thank you!
-