Disclaimer: not a network expert, solution might be super simple - thanks in advance!
I have a Unifi UCG Ultra which is set up with several networks and everything is working nicely. I now have a third party device (a VPN-box from a supplier which hosts some of our infrastructure).
My default network, to which the VPN Router is attached, is 192.168.0.0/20.
The VPN box is set up with a static IP 172.16.31.129 in a 172.16.31.128/27 subnet. No DHCP server. If I manually set my IP to e.g. 172.16.31.132, I can reach the box fine.
What I am trying to achieve is the ability to have the UCG Ultra route traffic to 172.16.31.128/27 via the VPN router on 172.16.31.129.
Additionally, I need to set up another static route to the IP 10.230.56.31 to also be routed through the VPN router on 172.16.31.129.
Here are the routes I have tried to set up on the UCG Ultra.
https://preview.redd.it/7sznazuc9k8d1.png?width=2348&format=png&auto=webp&s=f64cb6edff1eddfee099cc285d8a156334d1614c
When I SSH into the UCG and run ip route show all, nothing is mentioned of either of the two static routes, leaving me a tad confused. The routing, of course, does not work - hence my post here.
Thank you for any pointers in the right direction, it is much appreciated.
The routes don’t work because the UCG has no idea how to reach 172.16.31.129 - in order for an IP to be the next-hop of a static route, it needs to be within a subnet the router has, so that it can be found via ARP.
Please clarify how things are connected. It sounds like the WAN port of the VPN router is connected to the LAN of the UCG. If that is the case, then you would use the WAN IP that the VPN router is getting (192.168.x.x) as the next-hop IP, and possibly have to modify the firewall/ACL on the VPN router to allow incoming connections from its WAN port.
You MIGHT be able to accomplish this by connecting the VPN box’s WAN port to a LAN port on the UCG, and connecting the VPN box’s LAN port to the WAN2 port on the UCG and setting it up as a separate WAN connection without failover. Then, you can route traffic to your remote subnet out WAN2 and that will cause it to go to the VPN box and eventually to the other side of the VPN.
No idea if this will actually work, but it’s the only thing that I can imagine that might work on a device that doesn’t have a bunch of “do whatever you want with them” ports on the front of them that can be configured at will like a more enterprise firewall.
Thanks u/brwainer, appreciate the response.
Currently both the WAN and LAN side of the VPN router are connected to the LAN-side of the UCG. The WAN to allow it external access, and the LAN side for us to be able to connect to the local server on the LAN side of the VPN.
It's a weird setup, agreed, but it is the only way our supplier can offer us. It sucks.
Thanks u/TapeDeck_ . I’ve fiddled around a bit with it, and doing it this way adds the route to the UCG’s routing table, but still no response to ping from the UCG - it looks like it does not set the gateway correctly (it should be 172.16.31.129, not 172.16.31.149).
5.xx.xx.xx/27 dev eth4 proto kernel scope link src 5.xx.xx.xx
172.16.31.128/27 dev eth3 proto kernel scope link src 172.16.31.149
192.168.0.0/20 dev br0 proto kernel scope link src 192.168.1.1
192.168.16.0/24 dev tun1 proto kernel scope link src 192.168.16.1
192.168.100.0/24 dev br100 proto kernel scope link src 192.168.100.1
192.168.200.0/22 dev br200 proto kernel scope link src 192.168.200.1
192.168.210.0/24 dev br210 proto kernel scope link src 192.168.210.1
root@XXX:~# ping 172.16.31.129
PING 172.16.31.129 (172.16.31.129) 56(84) bytes of data.
--- 172.16.31.129 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
In that case, I would make another network on the UCG, using a VLAN, for the VPN router LAN. You can give the UCG an IP in the 172.16.31.128/27 subnet and then it will be able to find the local IP and route it.
That isn’t a route with the nexthop of 172.16.31.149, that IP is the source that packets should use when leaving that route, which is actually a local subnet entry pointing to port eth3. You must have added 172.16.31.149/27 to a port on the UCG.
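The two points made in this thread (a static route's next hop must sit inside a subnet the router itself holds, and the `src` field of a `scope link` entry is the router's own address, not a gateway) can be checked mechanically against `ip route show` output. The following is an added example, not code from the thread or from Ubiquiti; the routing tables are constructed from the one posted above, and the classification names are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the `ip route show` output posted in the thread
# (the 5.xx WAN entry is omitted; the 172.16.31.128/27 line is the one that
# appeared after 172.16.31.149/27 was assigned to port eth3).
ROUTES_BEFORE = """\
192.168.0.0/20 dev br0 proto kernel scope link src 192.168.1.1
192.168.100.0/24 dev br100 proto kernel scope link src 192.168.100.1
"""
ROUTES_AFTER = ROUTES_BEFORE + \
    "172.16.31.128/27 dev eth3 proto kernel scope link src 172.16.31.149\n"

LINK_RE = re.compile(r"^(\S+) dev (\S+) proto kernel scope link src (\S+)$")

def connected_subnets(ip_route_output):
    """Yield (network, device, router's own address) per on-link subnet."""
    for line in ip_route_output.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            yield (ipaddress.ip_network(m.group(1)), m.group(2),
                   ipaddress.ip_address(m.group(3)))

def check_static_route(ip_route_output, destination, next_hop):
    """Classify a proposed 'destination via next_hop' static route.

    'connected'    destination is already on-link; no static route is needed
    'ok'           next hop lies in a connected subnet, so ARP can resolve it
    'self'         next hop is the router's own address (the src field), not a gateway
    'unreachable'  no connected subnet contains the next hop; the route is useless
    """
    dst = ipaddress.ip_network(destination, strict=False)
    nh = ipaddress.ip_address(next_hop)
    for net, _dev, own in connected_subnets(ip_route_output):
        if dst.subnet_of(net):
            return "connected"
        if nh in net:
            return "self" if nh == own else "ok"
    return "unreachable"

if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for dst in ("172.16.31.128/27", "10.230.56.31/32"):
            print(label, dst, "via 172.16.31.129:",
                  check_static_route(table, dst, "172.16.31.129"))
```

With the original table both routes come back `unreachable`; once the UCG holds 172.16.31.149/27 on eth3, the /27 is `connected` (so only the 10.230.56.31 route still needs a next hop) and 172.16.31.129 becomes a valid `ok` gateway, while 172.16.31.149 is flagged `self`.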