Ubiquiti USG Pro 4 & Firewalla Gold
Good Morning All,
New user here...trying to configure FWG with my ISP (fiber, 1 GB) and my existing Ubiquiti-based network which uses a USG Pro 4.
The basic environment is this. My ISP provides a single ethernet cable (connected to a fiber cable that is run to my house) for me to connect to my own network. There is NO router provided by the ISP...just the cable.
The USG Pro 4 handles DHCP for downstream devices (10.0.x.x).
My initial FWG setup is as follows. I think this configuration qualifies as "Router Mode":
- The ISP Ethernet cable is connected to the FWG WAN port.
- FWG LAN1 is connected to WAN1 on the USG Pro 4.
- LAN1 on the USG Pro 4 is connected to the balance of my home network.
Results:
- All home network devices continue to operate normally
- Internet service is available to all devices on the network.
However, alarms do not produce the per-device level of identification or detail that I was expecting. See screenshot below. Basically, all it says is that "some" device on the Ubiquiti network is gaming (in this example).
So have I configured this wrong?
My home network is somewhat large (about 100 devices) and about 25 of those have fixed IP addresses so I really don't want to scramble my network by redoing the DHCP range.
Any suggestions or guidance would be appreciated. I bought the FWG specifically for more granular control of devices on my network including controlling gaming and social media access for grandchildren. At this point, I can't even identify specific devices.
Screenshots:
Two devices show for "high level" network components. The FWG and the Ubiquiti Network:
When notified of Alarms, this is what I see. Clicking on "Gaming Activity" provides more details about "where the game is" but doesn't tell me which device on my network is gaming.
-
If you convert the USG to bridge mode or equivalent, you will have to re-do all of your IP assignments which you said you preferred not to do. You could also try restoring the USG to its formerly pre-eminent position of WAN connection then attaching your FWG to one of its LAN ports in Simple mode. If it works with the USG, then you will now see everything. There may be a speed hit which I cannot quantify for you. The FWG, no longer being the primary router, will lose some of its other features like LAN segmentation. Were you intending to use that? There are other (fast) Firewalla solutions, depending on your needs (and $). I suggest one of the above two first.
-
Thank you for your reply and suggestions.
I tried using the FWG in various configurations while still maintaining the Pro 4 in its current position as the main entry point from the ISP but nothing worked as well as I had hoped. In the end, I removed the USG Pro 4 from the network and placed the FWG as the main router/entry point from the ISP. That worked with some minor adjustments.
Here are adjustments I made to permit the FWG to match my existing network:
- I changed the FWG's IP assignment range/subnet mask to match what the USG Pro 4 had been using (10.x.x.x) so that all devices on the network (static or DHCP-issued) would remain within that range. That worked.
I would also note that out-of-box, the FWG does not default to the 10.x.x.x range, so with the USG Pro 4 removed, any non-fixed IP address devices were initially assigned a 192.x.x.x (or similar) IP address. So when I changed the IP range on the FWG, I also changed the "lease time" from 24 hours to 1 hour so that those 192.x.x.x addresses would convert to the new 10.x.x.x addresses that I needed quickly. That worked. Now that those devices have changed to the 10.x.x.x range, I will readjust the IP lease time to 24 hours.
- Since the IP range is matching, the Ubiquiti Cloud Key (CK) still is on-line and is accessible via the normal Ubiquiti remote access procedure. Having the CK functional is very important as it is the main method of managing a Ubiquiti Network.
- Since the Ubiquiti CK is still available, I reviewed the port forwardings that were previously in place and adjusted the FWG (using the FWG app) to "match". Port forwards on the FWG must still "match" those in place on the Ubiquiti CK though you can take a "generic" approach such as forwarding Port 80 to the Ubiquiti CK then let it route to the specific device based on previously defined forwarding in the CK.
I have several servers on my network...one of which is a family-only WordPress website along with several Amateur Radio (ham radio) related servers so forwarding rules needed to remain intact.
- I also reviewed the CK's list of fixed IP devices and used the FWG app to set those same IPs as "reserved". That also worked.
Once the IP range of the FWG matched that of the previously-assigned/used IPs by the Pro 4, the FWG began identifying every item on the network as it should. Over the next couple of hours as various devices performed their functions, the FWG notified me of what they were doing.
At the moment, 108 devices show up on our network. So for now, all is well and the FWG is doing the things it should be doing.
All in all, the transition was not as bad as some I have encountered and I'm very pleased with the results.
Gary
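Added example, not part of the original posts: a pre-cutover check for the migration described above, confirming that every fixed-IP device sits inside the new LAN range and has a reservation, and that no port forward points at an address no known device owns. The subnet, DHCP pool, device names and addresses are constructed sample values, and the three input lists are assumed to be typed in by hand from the old controller and the new router app.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
LAN = "10.0.0.0/16"
POOL = ("10.0.1.1", "10.0.1.254")            # dynamic DHCP pool on the new router
FIXED = {                                     # fixed-IP devices from the old controller
    "cloud-key": "10.0.0.5",
    "wordpress": "10.0.0.20",
    "radio-server": "10.0.1.40",
    "old-printer": "192.168.1.50",
}
RESERVED = ["10.0.0.5", "10.0.0.20"]         # reservations already made on the new router
FORWARDS = [(80, "10.0.0.5"), (443, "10.0.0.20"), (8080, "10.0.0.99")]


def audit_migration(lan_cidr, pool, fixed, reserved, forwards):
    """Return a sorted list of (ip, problem) findings for the new router config."""
    lan = ipaddress.ip_network(lan_cidr)
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    reserved_ips = {ipaddress.ip_address(ip) for ip in reserved}
    known = {ipaddress.ip_address(ip) for ip in fixed.values()}
    findings = []
    for name, ip_text in fixed.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in lan:
            # Device would be unreachable after the cutover.
            findings.append((ip_text, f"{name}: fixed IP outside {lan}"))
        elif ip not in reserved_ips:
            # Inside the pool, DHCP may hand this address to another device.
            where = "inside" if lo <= ip <= hi else "outside"
            findings.append((ip_text, f"{name}: not reserved ({where} dynamic pool)"))
    for port, target in forwards:
        ip = ipaddress.ip_address(target)
        if ip not in lan:
            findings.append((target, f"port {port}: forward target outside {lan}"))
        elif ip not in known:
            # Stale forward: exposes whatever device ends up on this address.
            findings.append((target, f"port {port}: forward target is not a known fixed-IP device"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, problem in audit_migration(LAN, POOL, FIXED, RESERVED, FORWARDS):
        print(f"{ip:15} {problem}")
```
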