Ubiquiti USG-3P to PFSense
-
Other than the cloud key is everything else working?
By adding static routes to all the subnets behind pfSense like that you probably want to disable outbound NAT on pfSense and allow the USG to outbound NAT those subnets directly.
A VPN client connecting out should still work fine. External clients connecting to a VPN server on pfSense would break unless the USG is forwarding that.
Steve
-
-
@macusers In your case the PPPoE (passed-through the CPE) has to be handled by the USG.
-
thanks @stephenw10!!
Could you explain a bit more? Things like accessing Internet etc. from any subnets/VPCs are working fine. Anything from inside, whatever I checked so far, is working, apart from connecting to CKG2. Looks like anything frpm outside, not working. -
@macusers Please be aware, your screenshot suggest you have the USG behind a NAT already.
-
@nightlyshark said in Ubiquiti USG-3P to PFSense:
@macusers In your case the PPPoE (passed-through the CPE) has to be handled by the USG.
Thanks @NightlyShark!
Just trying to understand - isn't USG already handing the PPPoE for me - otherwise I wouldn't get IP from ISP (or even the Internet) in the first place, right?Or, I completely misunderstood?
-
@nightlyshark said in Ubiquiti USG-3P to PFSense:
@macusers Please be aware, your screenshot suggest you have the USG behind a NAT already.
If I disable NAT on USG, I don't get Internet from inside any of the LAN subnets.
-
@macusers Hi!
That means you have the USG in a private network (192.168.XXX.XXX is not routable through the internet) and are behind a NAT. Check out the post I pointed to before, it explains most of it, although, in your case, you need to configure USG to use PPPoE in WAN, not PfSense.
https://download.discomp.cz/Ubiquiti/Navody/UniFi_Controller_V4_UG.pdf
Page 58 -
That is the USG. Looks like the PPPoE is just not connected at that point. Or hasn't yet passed a gateway. Or, since it's a PtP protocol, it doesn't need one.
-
@macusers You need to be able to PPPoE from your USG to your ISP (Internet Provider) through your CPE (customer premises equipment, the cheep modem, router or both in one your ISP gives you), in order to have a true public IPv4. The ability to connect your own router (USG) through your CPE modem hinges on either have your CPE not block layer 2 direct PPPoE connections from other devices through it's modem (layer 2) stream (what is called PPPoE passthrough and is usually only enabled by calling your ISPs support and specifically request it) or have the CPE modem not connect to your ISP at all (bridge mode, again, consult your ISP for details). You then configure USG with PPPoE.
PPPoE is a Layer 2 protocol, meaning its packets are not routable, eg are not sent to an IP from USG, but rather, the USG must be able to connect with your ISP on a "switch" (Data Link Layer) level, to put it simply, with MAC addresses. That is why the modem needs to allow PPPoE, because it bypasses it entirely. I hope I did not confuse the issue, some things may be lost in translation (english is my second language, not my native)
-
@stephenw10 PtP protocols are Layer 3 (they have IP packets). PPPoE is Layer 2 (the sender and the recipient are identified at an electronic digital network circuit switch (what we call a switch) level, so they need special treatment to pass from any LAN ports on the CPE to the ISP, what we call PPPoE passthrough. Without PPPoE pass-through (it's in the word) the packets are treated as invalid by the switch or bridge on the CPE, because the ISP's MAC (or any MAC that responds to PPPoE frames) address doesn't exist in that network, so they are dropped.
-
@nightlyshark said in Ubiquiti USG-3P to PFSense:
@macusers You need to be able to PPPoE from your USG to your ISP (Internet Provider) through your CPE (customer premises equipment, the cheep modem, router or both in one your ISP gives you), in order to have a true public IPv4. The ability to connect your own router (USG) through your CPE modem hinges on either have your CPE not block layer 2 direct PPPoE connections from other devices through it's modem (layer 2) stream (what is called PPPoE passthrough and is usually only enabled by calling your ISPs support and specifically request it) or have the CPE modem not connect to your ISP at all (bridge mode, again, consult your ISP for details). You then configure USG with PPPoE.
PPPoE is a Layer 2 protocol, meaning its packets are not routable, eg are not sent to an IP from USG, but rather, the USG must be able to connect with your ISP on a "switch" (Data Link Layer) level, to put it simply, with MAC addresses. That is why the modem needs to allow PPPoE, because it bypasses it entirely. I hope I did not confuse the issue, some things may be lost in translation (english is my second language, not my native)
I'm very confused here - perhaps the lack of my understandimg but very confused. I do get the real Public IPv4 from ISP, which is assigned to me as Static.
This is tghe WAN setup on USG:
And this WAN in pfSense:
What am I missing?
My another issue is: as USG cannot connect the CK (hence cannot adopt), cannot do much in terms of configuration on USG apart from those settings only. -
@macusers To clarify:
You want to have a topology of:
---INTERNET---
---ISP PPPoE endpoint---
---ISP CPE Modem with PPPoE passthrough enabled---
---USG PPPoE configuration of WAN interface---
---USG NAT---
---PfSense FW---
---Clients---or
---INTERNET---
---ISP PPPoE endpoint---
---ISP CPE Modem with PPPoE passthrough enabled---
---PfSense PPPoE configuration of WAN interface---
---PfSense NAT---
---USG and other Clients---
? -
@macusers For example, my config is:
---INTERNET---
---ISP PPPoE endpoint---
---ISP CPE Modem with PPPoE passthrough enabled---
---PfSense:
---PfSense NAT---
---Clients--- -
@macusers USG and controller need to be in the same broadcast domain (same "switch", same VLAN, same IPv4 subnet, eg 192.168.1.2 for USG and 192.168.1.200 for the controller) in order to adopt devices. I am not trying to nag you, but this in particular is a UI community issue...
-
@macusers I edited the posts because I forgot the CPE modem...
-
You can adopt devices between different subnets but you need to use a different method. Like at the CLI of the switch/ap etc.
-
@nightlyshark said in Ubiquiti USG-3P to PFSense:
@macusers USG and controller need to be in the same broadcast domain (same "switch", same VLAN, same IPv4 subnet, eg 192.168.1.2 for USG and 192.168.1.200 for the controller) in order to adopt devices. I am not trying to nag you, but this in particular is a UI community issue...
I'm not sure about if it's the special case for USG only but that's not true for Unifi switchs or APs. My controller is always on a seperate network and 12 other devices are happily adopted. As long long the device in question can ping the controller IP, it can be adopted. I think my issue is: USG doesn't know how to get to the 10.0.20.1/28 subnet from it's 192.168.10.1 address.
-
Hmm, the routing table implies it does.
Can it not ping to it?
-
@stephenw10 said in Ubiquiti USG-3P to PFSense:
You can adopt devices between different subnets but you need to use a different method. Like at the CLI of the switch/ap etc.
yeah, I tried from the CLI, but main issue is USG cannot reach to controller to send the adoption request - that was my 2nd issue in my original post. form
CKtoUSGping is fine but not the other way around.
