Routing Question

esupportsquirrel

Hello everyone, long-time viewer but this is my first time on the forums. So I have a Unifi USG and I am trying to put it in-line with my pfSense gateway (that way I can properly separate home network traffic from disruption if my website is DDoS'd when I get around to moving it in-house). I am aiming to do something like this.


ISP Modem
    |
pfsense router
    |
unifi USG / Internal Router
    |
Home Network


I can't figure out how to properly configure the USG and pfSense to act well and be accessible. I can get pfSense to work properly for routing OR I can get the USG working properly, but I can't do both. Any ideas?

Is the UniFi set to be a router or AP? You should be able to use it as an AP and have pfSense route the connection to it using a VLAN or a separate interface.

I have it set as a router. I want it to route all internal network traffic so that if pfSense goes down all I lose is the internet. Perhaps the diagram would help.

[attached image: network diagram]

35 minutes ago, esupportsquirrel said:

I can't figure out how to properly configure the USG and pfSense to act well and be accessible. I can get pfSense to work properly for routing OR I can get the USG working properly, but I can't do both. Any ideas?

My only guess is the USG is double NATed due to the pfSense box also acting as a router. This is why you can't access the pfSense box behind the USG.

 

I just want to sit back and watch the world burn. 

1 minute ago, esupportsquirrel said:

So I should disable NAT on the USG and that should fix the issue?

Why do you need pfSense and the USG? I mean you could replace the USG with a switch and it would work as well.

 

I'd imagine it would work. BUT generally when I had to do similar setups I had to do LAN to LAN between the routers. Because the WAN port, well, is for WAN. Unless the USG lets you reconfigure it. I'm not an expert on Ubiquiti products.

I just want to sit back and watch the world burn. 

3 minutes ago, Donut417 said:

Why do you need pfSense and the USG? I mean you could replace the USG with a switch and it would work as well.

 

I'd imagine it would work. BUT generally when I had to do similar setups I had to do LAN to LAN between the routers. Because the WAN port, well, is for WAN. Unless the USG lets you reconfigure it. I'm not an expert on Ubiquiti products.

If there is a switch, then if pfSense goes down, DHCP is lost on the local/home side.

2 minutes ago, cole0622 said:

If there is a switch, then if pfSense goes down, DHCP is lost on the local/home side.

Yes, but to my understanding you really CAN'T do multiple DHCP servers. They will fight each other. So in that case, you could set up a backup server to turn on when you need it, maybe a Raspberry Pi or something. OR set static IPs on the important network hardware. For example my desktop, NAS, and Plex server all have static IPs.

I just want to sit back and watch the world burn. 

4 minutes ago, Donut417 said:

Yes, but to my understanding you really CAN'T do multiple DHCP servers.

You can, even on the same subnet. The RFC for DHCP is to send out an ICMP prior to giving out an address, and if a response is received, a new address is chosen and the process repeated.

 

But the key is the devices need to respond to ICMP, which by default they tend not to. Not saying problems can't arise out of it, especially if Ubiquiti decides to **** with protocols like they like to do.

I have 1 DHCP server that will be serving the inside of the network. My intent is that if pfSense goes down, I lose internet but the internal network will be fully working.

4 minutes ago, Donut417 said:

Yes, but to my understanding you really CAN'T do multiple DHCP servers. They will fight each other. So in that case, you could set up a backup server to turn on when you need it, maybe a Raspberry Pi or something. OR set static IPs on the important network hardware. For example my desktop, NAS, and Plex server all have static IPs.

I haven't had any problems doing that; as long as DHCP is enabled on the WAN, the upstream DHCP server gives it an address. Setting static is a good idea on things functioning as a server. Could you put a small switch in front of pfSense and split the home side and the web server?

3 minutes ago, cole0622 said:

wan the

We're not talking WAN here. We are talking the LAN side. The OP wants to make sure that if his pfSense box goes down, the internet is the only thing he will lose. If the pfSense box is the DHCP server and it goes down, BOOM, no DHCP server.

 

3 minutes ago, cole0622 said:

Could you put a small switch in front of pfSense and split the home side and the web server?

You can't. Most ISPs only give 1 IPv4 address, unless you have a business account and/or pay a monthly fee.

I just want to sit back and watch the world burn. 

3 minutes ago, esupportsquirrel said:

I have 1 DHCP server that will be serving the inside of the network. My intent is that if pfSense goes down, I lose internet but the internal network will be fully working.

If DHCP is being handled internally, not by pfSense or the USG, then there is nothing to worry about as long as the switches stay up and are connected (which doesn't appear to be in the diagram).

 

If DHCP is being handled by either the pfSense or the USG, set the lease for a week or something well within the time that you can get it back up and running. This will keep current devices functioning at least.

The problem isn't the DHCP or even the switches; it's that I can't wrap my head around how to route from the USG to the pfSense.

2 minutes ago, esupportsquirrel said:

The problem isn't the DHCP or even the switches; it's that I can't wrap my head around how to route from the USG to the pfSense.

Is the USG's WAN set to DHCP and not static?

1 minute ago, esupportsquirrel said:

The problem isn't the DHCP or even the switches; it's that I can't wrap my head around how to route from the USG to the pfSense.

If you want to have the USG take over routing if pfSense fails, you're going to need to use VRRP.

2 minutes ago, cole0622 said:

Is the USG's WAN set to DHCP and not static?

Actually I was trying to set it to static... but it might be a better idea to set it to DHCP and turn DHCP on in pfSense too...

 

2 minutes ago, mynameisjuan said:

If you want to have the USG take over routing if pfSense fails, you're going to need to use VRRP.

I want them in line: Internet -> pfsense -> usg -> internal network.

Just now, esupportsquirrel said:

Internet -> pfsense -> usg -> internal network.

That's what I'm trying to wrap my head around: WHY? You essentially have two routers daisy-chained. What's the purpose?

I just want to sit back and watch the world burn. 

3 minutes ago, esupportsquirrel said:

Actually I was trying to set it to static... but it might be a better idea to set it to DHCP and turn DHCP on in pfSense too...

 

I want them in line: Internet -> pfsense -> usg -> internal network.

Use pfSense to set a static assignment if you need it static.

Just now, Donut417 said:

That's what I'm trying to wrap my head around: WHY? You essentially have two routers daisy-chained. What's the purpose?

I thought it would be the best way of doing it. I could be wrong and that may be why I can't wrap my head around how to do it.

3 minutes ago, esupportsquirrel said:

I thought it would be the best way of doing it. I could be wrong and that may be why I can't wrap my head around how to do it.

That's how I have the guest network at my house.

6 minutes ago, esupportsquirrel said:

I thought it would be the best way of doing it. I could be wrong and that may be why I can't wrap my head around how to do it.

I just read your first post again. If you're trying to have separate networks at your home, maybe look into VLANs. Put your website on one VLAN and the rest on another. Maybe @mynameisjuan can comment on that.

 

I'm going to take it this website has very low traffic. I mean it's the only way the ISP doesn't know you're running a web server out of your home. Most residential ISPs forbid this practice.

I just want to sit back and watch the world burn. 

24 minutes ago, esupportsquirrel said:

I want them in line: Internet -> pfsense -> usg -> internal network.

I'm guessing information is getting all mixed up.

 

1. If you just want to route from pfSense to USG:

- Set the subnet statically on the pfSense interface facing the USG

- Do the same for the same subnet on the USG WAN interface

- Done

 

There, routing is done via connected interfaces, AKA the way routers route. This is going to lead to double NAT issues. But basically, if pfSense goes down, nothing internal is affected.

 

2. You should just go pfSense or USG. Personally I would go pfSense because I hate Ubiquiti, but that is your call. You have switches behind the USG with internal DHCP.

 

The main reason behind DDoS and your proposed setup is when the firewalls tend to be much weaker and cannot handle the DDoS at your provided bandwidth. This is why in the professional space routers tend to be ahead of the firewalls: they can handle the load with L3/L4 filtering and the firewall (USG in your case) will see little impact. This really only applies to a much larger scale, not home use.
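As an added example that is not from anyone in this thread, here is a small Python model of the two-router chain described in point 1: connected routes on both sides of the pfSense-to-USG link, default routes pointing upstream, and a trace that counts NAT hops, so you can see the double NAT on outbound traffic and that home-LAN traffic keeps flowing when pfSense is down. All addresses (203.0.113.0/24, 192.168.1.0/24, 10.0.0.0/24) are constructed sample values.

```python
from ipaddress import ip_address, ip_interface
class Router:
    """Two-interface router: connected routes come from its interfaces,
    everything else goes to default_gw; source NAT applies on egress via wan."""
    def __init__(self, name, wan, lan, default_gw=None, nat=True):
        self.name, self.nat = name, nat
        self.ifaces = {"wan": ip_interface(wan), "lan": ip_interface(lan)}
        self.default_gw = ip_address(default_gw) if default_gw else None

    def next_hop(self, dst):
        """Return (egress interface, gateway or None); (None, None) = no route."""
        dst = ip_address(dst)
        for name, iface in self.ifaces.items():
            if dst in iface.network:        # connected route wins
                return name, None
        if self.default_gw is not None:
            for name, iface in self.ifaces.items():
                if self.default_gw in iface.network:
                    return name, self.default_gw
        return None, None
def link_ok(a, a_if, b, b_if):
    """Both ends of a router-to-router link must sit in the same subnet."""
    return a.ifaces[a_if].network == b.ifaces[b_if].network

def trace(start, neighbours, dst):
    """Follow routes from `start` toward dst. neighbours maps a gateway IP to
    the Router answering on it, or to "internet" for the ISP side; a gateway
    missing from the map is treated as down. Returns (path, nat_hops, status)."""
    path, nats, router = [], 0, start
    while True:
        path.append(router.name)
        ifname, gw = router.next_hop(dst)
        if ifname is None:
            return path, nats, "unreachable"
        if router.nat and ifname == "wan":
            nats += 1                       # each NAT box on the way adds a hop
        if gw is None:
            return path, nats, "delivered"  # destination on a connected subnet
        nxt = neighbours.get(str(gw))
        if nxt is None:
            return path, nats, "unreachable"
        if nxt == "internet":
            return path, nats, "internet"
        router = nxt

# Constructed sample addressing for Internet -> pfSense -> USG -> home LAN.
PFSENSE = Router("pfsense", "203.0.113.5/24", "192.168.1.1/24", "203.0.113.1")
USG = Router("usg", "192.168.1.2/24", "10.0.0.1/24", "192.168.1.1")
CHAIN_UP = {"192.168.1.1": PFSENSE, "203.0.113.1": "internet"}
PFSENSE_DOWN = {"203.0.113.1": "internet"}   # pfSense off: its gateway IP vanishes
```

Tracing 8.8.8.8 from the USG with CHAIN_UP crosses both boxes and two NATs, while a home-LAN destination is delivered by the USG alone, with or without pfSense.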

1 minute ago, Donut417 said:

I just read your first post again. If you're trying to have separate networks at your home, maybe look into VLANs. Put your website on one VLAN and the rest on another. Maybe @mynameisjuan can comment on that.

Agree on that point. Even simpler is to just directly connect the web server to the pfSense, set the subnet, set up zones and deny all between the web zone and internal zone, and call it a day.

 

6 minutes ago, Donut417 said:

I'm going to take it this website has very low traffic. I mean it's the only way the ISP doesn't know you're running a web server out of your home. Most residential ISPs forbid this practice.

That is also something to take into account. 

8 hours ago, Donut417 said:

I'm going to take it this website has very low traffic. I mean it's the only way the ISP doesn't know you're running a web server out of your home. Most residential ISPs forbid this practice.

Yes, I expect very low traffic. My goals are basically to eventually move from web hosting to internal hosting for the website, which will enable things like being able to run a Minecraft server, my personal web server and some other family stuff. I should also say that I run OpenVPN currently on the pfSense. Not trying to make things overly difficult, but I was also trying to do a "Defense in Depth" type strategy.

 

I'm starting to think it'd just be easier to take pfSense out of the equation (the USG cost some money so I at least want to use it) and install OpenVPN on the USG (found some tutorials on that but was hesitant to do so since the current setup works so well). Yes, it would be fun to tinker, but it's getting a little too complicated of a project, lol.
