The Unifi Dream Machine Pro (aka UDM Pro) is a nice appliance for acting as the Unifi controller for your access points (APs), and it also offers an 8-port managed switch with low power draw, noise and heat. It is an average router and a lousy security appliance (hopefully they will improve a lot in this area). This is where pfSense comes into play. In this tutorial, I will set up pfSense and the UDM Pro as routers in a daisy-chain fashion. pfSense will sit on the edge, facing the Internet, and take care of things like security and VPN servers. The UDM Pro, in turn, will act as my LAN router, protected by pfSense and integrating nicely with all my Unifi products.
The easiest way to get started is to do a basic configuration of each appliance separately. Connect your ISP cable to the pfSense WAN port and your computer to a pfSense LAN port (e.g. OPT1). Each pfSense appliance has its own port layout and I won't cover the pfSense setup in this article, but make sure you configure at least one WAN port and one LAN port. If your pfSense has several ports, like the Netgate SG-2440 (4 ports), you can create one WAN and three LAN interfaces for future use.
Once your pfSense is working and you have Internet access through it, disconnect it, put the UDM Pro in its place and do a basic configuration there, which I won't cover in this article either.
Now both devices work individually and we can set them up to work together!
For pedagogical reasons, the following convention will be used in this and the following articles:
- Domain name: lan.domain.com
- pfSense:
  - Hostname: pfsense.lan.domain.com
  - IP: 10.0.0.1
- UDM Pro:
  - Hostname: udmpro.lan.domain.com
  - IP: 192.168.1.1 (LAN port)
  - IP: 10.0.0.2 (WAN port)
- Synology NAS:
  - Hostname: synology.lan.domain.com
  - IP: 192.168.1.5
I could have connected my ISP cable to my pfSense WAN port and then a pfSense LAN port into any LAN port of the UDM Pro, which would avoid many of the hurdles we are going to discuss. I didn't, because that would also kill the router functionality of the UDM Pro and lots of management features. Another approach would be putting the UDM Pro in bridge mode, but the UDM Pro doesn't implement bridge mode, and even if it did, that would also kill the routing functionality. A third approach I didn't want was to disable the DHCP server on the UDM Pro and put it on a DMZ network on pfSense, because that would kill the router functionality of the Unifi too.
Instead, I connected the cable from my ISP into my pfSense WAN port. Next, I connected a pfSense LAN port (e.g. OPT1) into the WAN port of the UDM Pro. With that, I created two separate networks: the pfSense network (10.0.0.0/24 from now on) and the UDM Pro network (192.168.1.0/24 from now on). This setup is known as daisy-chained routers. The most challenging issue in this setup is double NAT, which may cause connectivity issues in some scenarios. Universal Plug and Play (UPnP) and port forwarding also suffer from connectivity issues: a UPnP request or a port forward on the inner router only opens a hole in that router, and the outer router still blocks the traffic.
The solution for the issues with double NAT, UPnP and port forwarding is the same: manual port forwarding on each router in the chain. In plain English, this means creating a port forwarding rule on the UDM Pro that lets pfSense and the devices on its network reach devices behind the UDM Pro. If you want devices on the Internet to reach devices behind your UDM Pro, you need a second port forwarding rule on pfSense, from its WAN port to the UDM Pro's WAN address on the pfSense LAN. For example, if you are at school and want to connect over SSH (port 22) to your laptop behind your UDM Pro at home, you would create a port forwarding rule on your UDM Pro exposing port 22 of your laptop (say 192.168.1.50) as port 22 of the UDM Pro's WAN address (10.0.0.2). At this point, devices connected to your pfSense would be able to SSH to your laptop. Next, to allow the connection from the Internet, on pfSense you create a port forwarding rule sending port 22 on the pfSense WAN address to 10.0.0.2 port 22. The target of the pfSense rule must be the UDM Pro, not the laptop, because pfSense has no route to 192.168.1.x. Keep in mind that this exposes SSH on your laptop to the whole Internet, so restrict the pfSense rule to known source addresses and use key-based authentication on the laptop. The chain looks like this:
you_on_Internet -> pfSense WAN:22 -> UDM Pro WAN (10.0.0.2):22 -> laptop (192.168.1.50):22
One interesting consequence of daisy chaining routers is that although the outer router (pfSense) doesn't know the inner router's network (192.168.1.0/24 behind the UDM Pro), the opposite isn't true. Devices connected to the UDM Pro do have access to the pfSense network, because the UDM Pro has a direct route to 10.0.0.0/24 through its WAN port and NATs their traffic to its WAN address (10.0.0.2). From pfSense's point of view, every host behind the UDM Pro therefore appears as 10.0.0.2, which is worth remembering when reading pfSense logs or writing pfSense firewall rules.
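To make the two NAT hops concrete, here is a small model, added for this article and not taken from it or from either vendor, that walks a packet through both port forwards (inbound) and both masquerades (outbound) using the addresses from the convention above. The pfSense WAN address 203.0.113.10 and the remote client 198.51.100.7 are assumed values from the documentation ranges, and the laptop at 192.168.1.50 is the one from the SSH example.

```python
"""Model of the two NAT hops in the daisy-chained pfSense -> UDM Pro setup.

Added example, not code from the article or from either vendor. Addresses
follow the article's convention (pfSense LAN 10.0.0.1, UDM Pro WAN 10.0.0.2 and
LAN 192.168.1.1, laptop 192.168.1.50). The pfSense WAN address 203.0.113.10 and
the remote client 198.51.100.7 are assumed (documentation ranges).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PFSENSE_WAN = "203.0.113.10"   # assumed public address of pfSense
PFSENSE_LAN = "10.0.0.1"
UDM_WAN = "10.0.0.2"           # static mapping handed out by pfSense
UDM_LAN = "192.168.1.1"
OUTER_NET = ip_network("10.0.0.0/24")     # pfSense LAN, UDM Pro WAN side
INNER_NET = ip_network("192.168.1.0/24")  # UDM Pro LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Port-forward (DNAT) tables: (address, port) -> (target address, target port).
PFSENSE_DNAT = {(PFSENSE_WAN, 22): (UDM_WAN, 22)}   # pfSense WAN:22 -> UDM Pro WAN:22
UDM_DNAT = {(UDM_WAN, 22): ("192.168.1.50", 22)}    # UDM Pro WAN:22 -> laptop:22


def inbound(pkt: Packet) -> list[Packet]:
    """Walk a packet from the Internet through both port forwards.

    Returns the packet as seen at each hop (pfSense WAN, pfSense LAN, UDM Pro
    LAN). Only the destination is rewritten, so the laptop still sees the real
    Internet source address. If a router has no matching forward, the walk
    stops there: that router's firewall drops the packet and the client sees a
    timeout or refused connection.
    """
    hops = [pkt]
    for table in (PFSENSE_DNAT, UDM_DNAT):
        target = table.get((pkt.dst, pkt.dport))
        if target is None:
            break
        pkt = replace(pkt, dst=target[0], dport=target[1])
        hops.append(pkt)
    return hops


def outbound(pkt: Packet) -> list[Packet]:
    """Walk a packet from a UDM Pro client outward, applying the masquerade of
    each router whose WAN side the packet crosses."""
    hops = [pkt]
    if ip_address(pkt.src) in INNER_NET and ip_address(pkt.dst) not in INNER_NET:
        pkt = replace(pkt, src=UDM_WAN)       # UDM Pro masquerades to its WAN IP
        hops.append(pkt)
    if ip_address(pkt.src) in OUTER_NET and ip_address(pkt.dst) not in OUTER_NET:
        pkt = replace(pkt, src=PFSENSE_WAN)   # pfSense masquerades to its WAN IP
        hops.append(pkt)
    return hops


def pfsense_can_reach(dst: str) -> bool:
    """pfSense only has a route to its own LAN; 192.168.1.0/24 is invisible to it."""
    return ip_address(dst) in OUTER_NET


if __name__ == "__main__":
    for hop in inbound(Packet("198.51.100.7", 51000, PFSENSE_WAN, 22)):
        print(f"{hop.src}:{hop.sport} -> {hop.dst}:{hop.dport}")
    for hop in outbound(Packet("192.168.1.50", 40000, "198.51.100.7", 443)):
        print(f"{hop.src}:{hop.sport} -> {hop.dst}:{hop.dport}")
```

Two things fall out of running it: a laptop connection to pfSense itself (say to 10.0.0.1:53) arrives with source 10.0.0.2, exactly like every other host behind the UDM Pro, and an inbound packet to a port without a forward on pfSense never even reaches the UDM Pro, which is why a UPnP mapping or port forward on the inner router alone is not enough.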
Setting up an NTP server on pfSense
It is a good idea to have an NTP server running on your network so that all devices can synchronize their time. Go to Services >> NTP >> Settings to get started. In the Interface list, make sure all the LAN, VPN server and possibly WAN interfaces on which you want to serve time are selected (or leave all blank to serve on all). Serving NTP on the WAN interface exposes it to the Internet, so leave WAN unselected unless you really need it. Add 0.pfsense.pool.ntp.org, 1.pfsense.pool.ntp.org, 2.pfsense.pool.ntp.org and 3.pfsense.pool.ntp.org to the Time Servers list with the Is a pool option checked, and finish the setup by clicking Save.
Configuring DHCP Server on pfSense
We will customize the pfSense DHCP server configuration to add the NTP and DNS servers as well as a domain name that will also be used in the UDM Pro DHCP server settings.
Go to Services >> DHCP Server and for each LAN interface do as follows:
- DNS Servers: 10.0.0.1
- Domain name: lan.domain.com (this must match the domain name on the UDM Pro)
- NTP Server 1: 10.0.0.1
Click Save to finish. From now on, the DHCP server will send the NTP/DNS server and the domain name to clients along with the IP lease.
Setting up NTP server on UDM-Pro
In our daisy-chained setup, we will configure the UDM Pro to use pfSense as its NTP server. In the Network application, go to Settings >> Network settings >> Location & Time and do as follows:
At Timezone & Location section, set Timezone and Country or Territory accordingly.
In the Network Time Protocol (NTP) section, set your pfSense address (10.0.0.1) as the NTP Server hostname and finish by clicking Apply changes.
Configuring DHCP Server on UDM-Pro
Similarly to the pfSense DHCP server configuration, we need the UDM Pro to distribute the NTP and DNS server and the domain name along with the IP leases. Go to the Network application, then Settings >> Networks >> Local networks, click Edit on each LAN and do as follows:
- Domain name: lan.domain.com
- DHCP Name Server: 192.168.1.1 (this is the UDM Pro's own LAN address; the UDM Pro in turn uses the pfSense DNS server)
- DHCP Controls >> Advanced DHCP Options >> DHCP NTP Server: 192.168.1.1 (again the UDM Pro's LAN address, which in turn uses the pfSense NTP server)
When you click Apply changes, future leases will also carry these additional settings. Existing clients pick them up when they renew their lease.
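The settings configured on both DHCP servers above travel to clients as DHCP options 3 (router), 6 (DNS servers), 15 (domain name) and 42 (NTP servers). The following encoder/decoder is an added example, not code from the article or from either vendor; it lets you check what a server actually puts in an OFFER or ACK (for instance the option bytes you see in a tcpdump or Wireshark capture) against what you configured. The sample option bytes are constructed by hand, not captured.

```python
"""Encode and decode the DHCP options pfSense and the UDM Pro hand out:
3 (router), 6 (DNS servers), 15 (domain name) and 42 (NTP servers).

Added example, not the article's or either vendor's code. The sample bytes are
constructed to match the article's UDM Pro LAN settings, with the NTP option
deliberately missing to show what the check reports.
"""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                  # magic cookie that starts the option field
OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NTP, OPT_END = 3, 6, 15, 42, 255
ADDRESS_LIST_OPTIONS = {OPT_ROUTER, OPT_DNS, OPT_NTP}


def encode_options(options: dict[int, object]) -> bytes:
    """Serialise {code: value} into the TLV option field (RFC 2132 layout)."""
    out = bytearray(DHCP_MAGIC)
    for code, value in options.items():
        if code in ADDRESS_LIST_OPTIONS:
            payload = b"".join(socket.inet_aton(a) for a in value)
        elif code == OPT_DOMAIN:
            payload = value.encode("ascii")
        else:
            raise ValueError(f"unsupported option {code}")
        if not 0 < len(payload) <= 255:
            raise ValueError(f"option {code} payload length {len(payload)} out of range")
        out += struct.pack("BB", code, len(payload)) + payload
    out.append(OPT_END)
    return bytes(out)


def decode_options(data: bytes) -> dict[int, object]:
    """Parse the option field back into {code: value}. Address lists become
    lists of dotted quads, the domain becomes a str, unknown options stay bytes.
    Truncated or mis-sized options raise instead of being silently skipped."""
    if data[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, result = 4, {}
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return result
        if code == 0:                 # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        payload = data[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} truncated")
        if code in ADDRESS_LIST_OPTIONS:
            if length % 4:
                raise ValueError(f"option {code} length {length} is not a multiple of 4")
            result[code] = [socket.inet_ntoa(payload[j:j + 4]) for j in range(0, length, 4)]
        elif code == OPT_DOMAIN:
            result[code] = payload.decode("ascii")
        else:
            result[code] = bytes(payload)
        i += 2 + length
    raise ValueError("options not terminated by END")


def lease_matches(decoded: dict[int, object], expected: dict[int, object]) -> list[str]:
    """Return the mismatches between what the server sent and what it should
    send; an empty list means the lease carries the intended settings."""
    problems = []
    for code, want in expected.items():
        got = decoded.get(code)
        if got != want:
            problems.append(f"option {code}: expected {want!r}, got {got!r}")
    return problems


# What the configuration in the article should produce on each network.
PFSENSE_LAN_EXPECTED = {OPT_ROUTER: ["10.0.0.1"], OPT_DNS: ["10.0.0.1"],
                        OPT_DOMAIN: "lan.domain.com", OPT_NTP: ["10.0.0.1"]}
UDM_LAN_EXPECTED = {OPT_ROUTER: ["192.168.1.1"], OPT_DNS: ["192.168.1.1"],
                    OPT_DOMAIN: "lan.domain.com", OPT_NTP: ["192.168.1.1"]}

# Constructed sample (not a capture): a UDM Pro lease where option 42 was forgotten.
SAMPLE_UDM_OPTIONS = (
    DHCP_MAGIC
    + b"\x03\x04\xc0\xa8\x01\x01"        # option 3 (router), len 4, 192.168.1.1
    + b"\x06\x04\xc0\xa8\x01\x01"        # option 6 (DNS), len 4, 192.168.1.1
    + b"\x0f\x0e" + b"lan.domain.com"    # option 15 (domain name), len 14
    + b"\xff"                            # END
)

if __name__ == "__main__":
    for problem in lease_matches(decode_options(SAMPLE_UDM_OPTIONS), UDM_LAN_EXPECTED):
        print(problem)
```

Run against a real capture, the decoder is strict on purpose: a length byte that does not fit the payload, or an address option whose length is not a multiple of 4, raises rather than producing a plausible but wrong address list.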
Reserve a static IP from the pfSense network for the UDM Pro
Now that the UDM Pro is physically connected to the pfSense LAN port and the pfSense DHCP server is properly configured, the UDM Pro will get an IP from it. We will reserve a static IP for the UDM Pro to facilitate future integrations between the two appliances. To do that, we need the MAC address of the UDM Pro's WAN port. On your UDM Pro, go to Network >> Devices and click on the UDM Pro entry in the list. In the Overview section, take note of the MAC address field. It is safer to cross-check it against Status >> DHCP Leases on pfSense, where the lease the UDM Pro obtained is listed with the MAC it actually used, since a device's WAN port may use a different MAC than the one shown in its overview.
To create the reservation, log in to pfSense and go to Services >> DHCP Server. On the LAN interface the UDM Pro is connected to, scroll to the bottom of the page until you reach the DHCP Static Mappings for this Interface section. Click Add and fill in the MAC address. You can also fill in the Client Identifier and Hostname with the name of the Unifi. In the IP address field, enter the static IP for your UDM Pro (e.g. 10.0.0.2) and finish by clicking Save. The change does not affect the current lease immediately, but you can force it by disconnecting and reconnecting the WAN port of your UDM Pro or by restarting it. After reconnection, your UDM Pro will always receive the same IP.
Allowing SSH from pfSense into UDM Pro
By default, the UDM Pro blocks incoming connections on the Internet (WAN) port, including services such as SSH. In our setup, we want to allow SSH to the UDM Pro's WAN address to enable tighter integration with pfSense, such as transferring Let's Encrypt certificates issued on pfSense to the UDM Pro. Normally this would be a terrible idea, but remember that the WAN port of the UDM Pro is not exposed to the Internet: it is connected to a LAN port of pfSense. The rule below is also restricted to the pfSense address as source, so other hosts on the 10.0.0.x network still cannot reach SSH on the UDM Pro.
On your UDM Pro, log in and open the Network application. Go to Settings >> Internet Security >> Firewall, then click on WAN in the Rules tab. Click Create new rule and do as follows:
At the General section
- Change Type to WAN Local
- In the Description field, type something like Allow SSH from WAN local
- Make sure it is Enabled
- Rule applied: Before predefined rules
- Action: Allow
- IPv4 Protocol: TCP
At the Source section
- Source Type: IP Address
- IPv4 Address: <pfSense address> (e.g. 10.0.0.1)
- Port: Blank
At the Destination section
- Destination Type: IP Address
- IPv4 Address: <UDM Pro address from pfSense net> (e.g. 10.0.0.2)
- Port: 22
Click Apply at the bottom of the page. You should now be able to run something like ssh root@10.0.0.2 from the pfSense shell and log in to your UDM Pro. If the connection is refused, check that SSH is enabled in the UDM Pro's UniFi OS console settings, and prefer key-based authentication over the root password for the pfSense-to-UDM Pro transfers.
Note that we used 10.0.0.2 as the UDM Pro address instead of 192.168.1.1. This was intentional: pfSense doesn't know the 192.168.1.x network, and the only address it can use to reach the UDM Pro is the one it assigned itself on the 10.0.0.x network.
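A quick way to convince yourself the rule above is as narrow as intended is to evaluate it the way the UDM Pro does: first match wins, our rule sits before the predefined ones, and the predefined WAN Local policy drops unsolicited connections to the router's WAN address. The model below is an added example, not the article's or Ubiquiti's code; it reduces the predefined rules to that single drop, which is all that matters for this check, and also shows what happens if the Source field is left blank or the rule is placed after the predefined rules.

```python
"""First-match evaluation of the UDM Pro WAN Local rule set configured above.

Added example, not the article's or Ubiquiti's code. The predefined WAN Local
behaviour is reduced to a single catch-all drop, which is what the article
describes (the WAN port accepts no incoming connections by default).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "drop"
    proto: Optional[str] = None    # None matches any protocol
    src: Optional[str] = None      # address or CIDR; None matches any source
    dst: Optional[str] = None      # address or CIDR; None matches any destination
    dport: Optional[int] = None    # None matches any destination port
    description: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.src is None or ip_address(src) in ip_network(self.src, strict=False))
                and (self.dst is None or ip_address(dst) in ip_network(self.dst, strict=False))
                and (self.dport is None or self.dport == dport))


# Predefined WAN Local behaviour, reduced to the part that matters here.
PREDEFINED = [Rule("drop", description="predefined: drop unsolicited traffic to WAN local")]

# The rule from the article: TCP from pfSense (10.0.0.1) to the UDM Pro WAN address, port 22.
SSH_FROM_PFSENSE = Rule("allow", proto="tcp", src="10.0.0.1", dst="10.0.0.2", dport=22,
                        description="Allow SSH from WAN local")

# The same rule with the Source section left blank (a tempting shortcut).
SSH_FROM_ANYWHERE = Rule("allow", proto="tcp", dst="10.0.0.2", dport=22,
                         description="Allow SSH from WAN local (source blank)")

# "Rule applied: Before predefined rules" means our rule is evaluated first.
WAN_LOCAL = [SSH_FROM_PFSENSE] + PREDEFINED


def evaluate(rules: list[Rule], proto: str, src: str, dst: str, dport: int) -> tuple[str, str]:
    """Return (action, description) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.description
    return "drop", "implicit"


def hosts_allowed(rules: list[Rule], hosts: list[str], dst: str, dport: int,
                  proto: str = "tcp") -> list[str]:
    """Which of the candidate source hosts can reach dst:dport under this rule set."""
    return [h for h in hosts if evaluate(rules, proto, h, dst, dport)[0] == "allow"]


if __name__ == "__main__":
    lan_hosts = ["10.0.0.1", "10.0.0.50", "10.0.0.200"]
    print("strict rule:", hosts_allowed(WAN_LOCAL, lan_hosts, "10.0.0.2", 22))
    print("blank source:", hosts_allowed([SSH_FROM_ANYWHERE] + PREDEFINED, lan_hosts, "10.0.0.2", 22))
    print("after predefined:", hosts_allowed(PREDEFINED + [SSH_FROM_PFSENSE], lan_hosts, "10.0.0.2", 22))
```

With the source blank, every host on the pfSense LAN (including anything a VPN client is routed into) can reach the UDM Pro's SSH port; with the rule placed after the predefined ones, the catch-all drop matches first and SSH never opens at all.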
Adding UniFi Access Points
In the very beginning, I started simple and plugged the Unifi AP directly into one of the eight UDM Pro LAN ports. This is the simplest way to get Wi-Fi going, as the Unifi controller and the AP are on the same network and the setup process is standard. First you adopt the new device (the AP) in the controller web UI by opening the Network application, clicking Devices and hitting the Adopt button for the newly listed AP. Next, navigate to Settings >> Wi-Fi >> Wi-Fi Networks and press Create New Wi-Fi network. A wizard will be presented, and if you pick Create Basic Wi-Fi, all you have to do is choose a Wi-Fi name and password.
In the future we may need to revisit this topology if we wish, for example, to create different Wi-Fi networks, each able to reach the Internet through a different gateway. For now, let's enjoy the simplicity provided by Unifi 🙂