Multiple public IPs on Unify Security Gateway (with multiple VPN connections)

Posted on Tue 16 April 2019 in Sysadm

I have been using the Unify line of network equipment for a while and in general I'm very pleased! One limitation, though, is that the graphical interface to the Security Gateway (USG) cannot control more than one external IP address. The functionality is there, but you need to go "under the hood" to access it.

Recently, I needed to complement the already present VPN connection with a site-to-site VPN and since more than one external IP was available we decided to use a fresh IP for the site-to-site. This post is more of a "remember-how-I-did-it" post than a true instruction, but hopefully it can help someone (me if not anyone else...)

GUI configuration

It should be noted that there are plans to add GUI configuration for multiple public IP addresses to the USG, but it's been in the planning state for a really long time...

When it's ready, this will be a lot easier than what I'm about to describe below.

SSH configuration

To do this setup, you need to enable SSH access to the devices in the site settings on the controller.

Adding a second public IP address and configuring NAT forwarding for the "normal" VPN

After Googling and reading the Unify forums and help pages for a while, I found the following procedure.

  1. The second public IP address is added by creating a config.gateway.json file in /srv/unifi/data/sites/default/ (I'm using a CloudKey controller) and putting in the "interfaces" section shown below.
  2. An extra IP alone isn't enough, though: since port forwarding in the GUI can't be restricted to a specific public IP, the firewall and NAT rules for the port forward also have to be set in this file.
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "address": [
                    "<EXTERNAL IP #1>/29",
                    "<EXTERNAL IP #2>/29"
                ]
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "rule": {
                    "1000": {
                        "action": "accept",
                        "description": "L2TP Ports",
                        "destination": {
                            "address": "<INTERNAL IP FOR VPN SERVER>",
                            "port": "50,500,4500"
                        },
                        "log": "enable",
                        "protocol": "tcp_udp"
                    }
                }
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "1000": {
                    "description": "L2TP to VPN",
                    "destination": {
                        "address": "<EXTERNAL IP #1>",
                        "port": "50,500,4500"
                    },
                    "inbound-interface": "eth0",
                    "inside-address": {
                        "address": "<INTERNAL IP FOR VPN SERVER>"
                    },
                    "protocol": "tcp_udp",
                    "type": "destination"
                }
            }
        }
    }
}

Setting up site-to-site VPN

With this in place, it was possible to set up the site-to-site VPN through the GUI after changing the WAN address of the USG to <EXTERNAL IP #2>.

Troubleshooting

If/when problems arise, some good pointers on troubleshooting (especially the VPN connections) can be found at Ubiquiti's help pages.