Miscellaneous Considerations and Concluding Remarks

The site-to-site VPN setup created with the help of ZeroTier is able to provide easy access to systems in both sites without involving a relay in the middle. Remote management of systems connected to the UDM from the US is straightforward - essentially dealing with something in the local LAN. The need for port forwarding and other overheads is done away with. Performing offsite backups is also simplified. A NAS connected to the UDM is equivalent to a NAS connected to the USG Pro 4 as far as backup jobs go, as all the routing is handled transparently within the USG Pro 4 and the UDM. The two remaining aspects I set out to achieve - seamless utilization of OTT services on either side (particularly, Indian ones on the US side) and transparent extension of the Indian Wi-Fi network in the US were achieved only on a per-device basis (by configuring a proxy). My next step was to address that by creating a wireless network on the USG Pro 4 that would defer to the UDM as the gateway.

Policy-Based Routing on the USG Pro 4

The first step involved the configuration of a new network in the web UI, followed by creating a new Wi-Fi SSID and allocating the new network to it. In my case, the new network was allocated VLAN ID 5. The USG was allowed to provision itself after these changes before moving on to the next step. Using the same config.gateway.json scheme adopted for task scheduling, a new routing table was created with the default route pointing to the ZeroTier IP of the UDM deployed in India.

The next step involved creation of new firewall rules with the modify tag. All VLANs except for the newly created one with ID 5 were relegated to the usage of the main routing table. The new VLAN alone (singled out using the source address subnet) was allocated the newly created routing table. Most importantly, source validation was disabled.

 

Finally, the new firewall rules were allocated to the newly created VLAN.

Upon provisioning the new configuration, the new Wi-Fi SSID became equivalent to the one on the UDM side. For all practical purposes, clients connecting to that SSID appeared to be accessing the web from an Indian IP address. This method of VPN access also circumvents checks put in by some OTT apps, wherein streaming would get disabled upon the recognition of any VPN profile on the device.

Future Work

The satisfaction of getting the site-to-site VPN working aside, I am not particularly happy that I had to involve a third-party service in the mix. Eventually, I would like to get either manual IPSec or WireGuard working. Both are suppoed to not have trouble with the public WAN IP side acting as a server and the machine behind the CGNAT acting as a peer as long as the required ports are open. However, I have not had much luck (as described in detail in the IPSec section). WireGuard debugging is also complicated by the fact that the USG Pro 4 is a relatively closed system (enabling kernel level debugging of WireGuard using the recommended scheme doesn't work).

Given that I am not a professional network administrator, it is entirely possible that there is a much simpler solution for my requirements here - experienced readers are welcome to provide suggestions in the comments.

Final Words

Ubiquiti's UniFi lineup is immensely popular among prosumers, and enjoys a cult following. It is easy to see why - simple aspects are easy to configure over the web UI, while SSH access is available for the more esoteric things. At the same time, the relationship is a bit frustrating too (the propensity of the gateways to corrupt themselves at the drop of a hat in the event of a power failure, and the UDM being silent about unsuccessful NTP synchronization attempts are cases in point). On balance, I would still recommend Ubiquiti equipment, and upgrades to my primary deployment of the USG Pro 4 and host of Wi-Fi 5 APs are likely to be UniFi-based in the future.

Back in 2017 (when I decided to go with UniFi for my residential installation), the concept of economical managed SDN solutions for prosumers was in its infancy, with Ubiquiti's offerings being the only game in town. Since then, we have seen other vendors step in with their own suite of products - Netgear's Insight-managed business networking products, TP-Link's huge Omada line-up with support for both cloud-based and local management controllers, and QNAP's set of products supporting QuWAN are examples. In light of the increased competition, Ubiquiti would do well to address some of the pain points outlined in this article. In particular, the absence of a guaranteed upgrade path for customized USG Pro 4 installs like the one above to one of the newer AArch64-based gateways is a cause of concern. There are also features taken for granted (like the NTP server functionality in the USG Pro 4) that are not present in the newer gateways. Considering that Ubiquiti has opted for a container-based architecture in the UDM and subsequently released UniFi gateways, they might as well create an official curated app store to enable additional functionality.

Moving forward, I hope to address other interesting aspects of Ubiquiti's lineup of products in this series of articles. Suggestions from readers are welcome.

 
Activating ZeroTier - A Virtual SDN
Comments Locked

35 Comments

View All Comments

  • bradh352 - Wednesday, December 21, 2022 - link

    First thing that comes to mind is why you didn't attempt to use ipv6 addresses to create the ipsec vpn? I know comcast/xfinity supports ipv6, and I'd have to imagine anyone deploying CGNAT for ipv4 is providing a public ipv6 address, thus negating any of the issues described.

    Typically these ipsec vpn sessions are in tunnel mode which means they can transport both ipv4 and ipv6 packets, even if the public ips being used are only ipv4.

    Maybe ubiquiti doesn't support this in their UI for some reason? The underlying system should be capable of this though (strongswan afaik).
  • edzieba - Wednesday, December 21, 2022 - link

    "I'd have to imagine anyone deploying CGNAT for ipv4 is providing a public ipv6 address"

    Sadly, such a sane and customer-oriented approach remains firmly in your imagination for the vast majority of ISP CGNAT deployments. Most commonly, IPv6 will just not be available at all.
  • ganeshts - Wednesday, December 21, 2022 - link

    Airtel does provide an IPv6 address with their CGNAT configuration. Sadly, there is no IPv6 support on the Comcast front over here in the US, and Ubiquiti doesn't support IPv6 in their VPN configuration either (at least from the web UI perspective).
  • ViRGE - Wednesday, December 21, 2022 - link

    "Sadly, there is no IPv6 support on the Comcast front over here in the US"

    Huh? Comcast was one of the very first major US ISPs to implement IPv6. They've been running a full dual stack implementation for nearly a decade now.

    https://web.archive.org/web/20160329232139/http://...
  • cgull.at - Wednesday, December 21, 2022 - link

    I was amused to see that the IPv6 post I was contemplating was ninja-ed before birth by the very first post.

    I suspect the reason Ganesh isn't seeing IPv6 is his "ancient cable modem". Very likely it's not DOCSIS 3.0 or later and doesn't do IPv6. The DOCSIS 3.0 standard was released in 2006, 3.1 in 2013. Upgrade, already!
  • cgull.at - Thursday, December 22, 2022 - link

    Also: Comcast was one of the major leaders and instigators of "World IPv6 Day". That was back in January 2012. As I recall, somewhere around 50% of their customers were IPv6-enabled then.

    Why? They were running out of IPv4 addresses to give to customers, which also explains why Ganesh is seeing CGNAT now.

    My ISP had (and probably still has) IPv4 addresses in reserve. They haven't enabled IPv6 for consumer internet service yet.
  • dersteffeneilers - Saturday, December 24, 2022 - link

    with my ISP over in Germany, you can use both IPv4 with CGNAT and IPv6, but you only get an IPv6 address if you already have an IPv4 one. Ridiculous, I can't imagine a technical reason for that.
  • Leeea - Thursday, December 22, 2022 - link

    Nobody in their right mind uses ipv6 unless they absolutely have to.

    They really should come up with another standard that is less ideologically pure and way more practical.
  • ballsystemlord - Thursday, December 22, 2022 - link

    Could you expand on that a bit more Leeea?
    It's unclear to me why an IP addressing scheme would be impractical as a result of ideological purity.
  • jack21159 - Thursday, December 22, 2022 - link

    IPv6 was made for ultra-nerd and it's difficult to understand.

    I mean, IPv4 still is a learning curve, but at least it's easier to understand. Most people don't know how to segment a network (/23 , /24) or do custom routes, but that's fine you can use it even if you don't understand all the concept.

    IPv6 by contrast, no. a course is needed to understand that.
    they could have just added a few Bytes to the standard 4 Bytes scheme (ie 255.255.255.255.255.255 for exemple) But nooo let use hexadecimal, something than only computers and ultra nerds understand !

Log in

Don't have an account? Sign up now