How to manage a second USG with one controller. Layer-3 adoption


This case study walks through the process of setting up a second gateway managed by one controller.

Background

If you are trying to use a second WAN interface to connect an alternative, parallel local network, and you want to manage that WAN port with separate firewall rules, you may realise that this task can become somewhat difficult. There is no direct way of managing two WAN ports through the UniFi GUI. This option has unfortunately not been implemented on the USG gateway series, although it has been requested for many years. One workaround is to work with the “.json” configuration files, where you will need to set all the rules manually; this can of course be quite challenging. Another workaround is to take a second USG and integrate it into the existing network so that we can manage it separately through the same controller.

This procedure can also be used if you have a separate site which is physically located on different premises.

I hope to save you some time and give a clear indication of how to implement this solution.

Prerequisites

For this task we will require:

2 x USG gateways (for example USG-Pro-4 and USG-3P)

2 x Public IPs

1 x Switch

1 x Controller (Cloud Key or server)

Steps

  1. Site Creation
  2. Frontend Network Creation
  3. WAN Network Creation
  4. Backend Network Creation

Let us first create a new site which will be used for the connection of the second USG. In our example we are going to call it TestSite.

Let’s create a frontend network. This network will later contain our USG router.

Now let us create a WAN network and configure it to reflect the ISP's internet configuration. In our example the internet router is in bridge mode, meaning we are going to use IP addresses provided by the ISP. If your ISP has enabled DHCP you can also use that option to obtain the necessary IP configuration automatically.

Now, add a network which will contain all other devices, such as servers, PCs and other equipment. For this I will use the default network which was created automatically when we created the new “TestSite”.

Finally, we will create a Site-to-Site VPN network. We are going to need this so that the controller can manage the newly bound USG.

Make sure to have a “Site-to-Site” network set up on both sites, i.e. on the new ‘TestSite’ but also on the already existing site. In the “Remote Site” option, point each one at the other site.

USG Connection and adoption

Now let us concentrate on getting the USG connected to the newly created “TestSite” and having it adopted through the Cloud Key controller.

  1. Connect your USG to the WAN.
  2. Plug a laptop or PC into LAN 1 of the USG.
  3. Set your laptop's local network adapter to an address in the default USG IP range. In my case I have set it up to: 192.168.1.50/24. DNS settings can be omitted.
  4. Browse to the USG default factory IP address, which should be 192.168.1.1. This should open the default USG login page. Use the default login name and password if required: ubnt/ubnt
  5. Set the IP configuration according to the “Frontend” network we set up earlier through the controller. I set it to 192.168.100.1/24. Additionally, choose the connection type. In my case I could choose DHCP as the ISP had bound my gateway to DHCP using its MAC address. You might need to add the manual IP configuration instead. If you don’t have it, you might need to contact your internet provider to get one.

Apply the changes. It will now be necessary to change the network settings of your PC/laptop network adapter again, and to set the IP address in the range of the USG. Since we changed the USG IP to 192.168.100.1, let us change the laptop IP to 192.168.100.50.

After doing so, reconnect to the USG using the default credentials.

Before we proceed any further, we are going to have to update the firmware of your USG before trying to connect it to the controller. This is important, because the versions should not differ too much from each other. I have experienced that in case of a large version difference either an error occurs during adoption or the controller simply doesn’t recognise the USG. To update the firmware it will be necessary to SSH into the USG.

Start a Windows command prompt with administrator rights and type the following:

c:\ ssh ubnt@192.168.100.1

Accept the SSH host key and enter the default USG password “ubnt”.

Having an active SSH session now, type the following:

upgrade https://dl.ui.com/path/to/upgrade-v1234.bin

You will need to replace the address with the one corresponding to the newest firmware version of your USG. Follow this link.

After the USG has updated and restarted itself you will need to log in again. Search for a field which has http://unifi:8080/inform in it. In this field we are going to place the external IP of your primary gateway.

Make sure to forward port 8080 to the internal IP address of your primary gateway before you proceed.

In our example this will look like this: http://186.165.90.10:8080/

After having entered the address you are going to get the option to send the adoption request. Having done so, go back to your controller and choose “Devices”. Your new USG should pop up there and be ready for adoption. After the adoption has been completed you can confirm on the new USG that it has been adopted; you can now disconnect your laptop and connect your new USG to your switch. Make sure that the switch port is assigned to the backend network, in this example the default LAN network.

You have now adopted a second USG which can be managed through one controller. You may also remove the port forward for 8080 now, as the adoption has been completed.
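As an added example (not part of the original post), the following Python script checks the state of the forwarded inform port from outside: it should be reachable while the adoption request is sent and closed again once the forward has been removed. It assumes the inform URL has the shape used above (http://<public-ip>:8080/...) and uses only the standard library; the function names are my own.

```python
"""Check whether the controller inform port is exposed as the procedure expects:
open only while the adoption is in progress, closed afterwards (added example)."""
import socket
import sys
from urllib.parse import urlsplit

INFORM_PORT = 8080  # UniFi inform port forwarded during adoption


def parse_inform_url(url: str) -> tuple[str, int]:
    """Return (host, port) from an inform URL; port defaults to 8080 and a
    trailing '/inform' path is optional, matching the form used in the post."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"not a usable inform URL: {url!r}")
    return parts.hostname, parts.port or INFORM_PORT


def inform_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout.
    Refused, filtered (timed out) and unresolvable all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(url: str, adoption_in_progress: bool, timeout: float = 3.0) -> str:
    """Compare the observed port state with what the procedure expects."""
    host, port = parse_inform_url(url)
    is_open = inform_port_open(host, port, timeout)
    if adoption_in_progress and not is_open:
        return f"PROBLEM: {host}:{port} not reachable; the adoption request will fail"
    if not adoption_in_progress and is_open:
        return f"PROBLEM: {host}:{port} still exposed; remove the port forward"
    return f"OK: {host}:{port} is {'open' if is_open else 'closed'} as expected"


if __name__ == "__main__":
    # Usage: python check_inform.py http://<public-ip>:8080/inform adopting|done
    if len(sys.argv) != 3 or sys.argv[2] not in ("adopting", "done"):
        sys.exit("usage: check_inform.py <inform-url> adopting|done")
    print(check_exposure(sys.argv[1], sys.argv[2] == "adopting"))
```

Run it with `adopting` right before sending the adoption request and with `done` after removing the forward; both runs should report OK.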
