Ubiquiti Migration

I’ve been using Ubiquiti’s APs for years and they’ve been solid, so when I was looking to get a new switch, I decided to look at replacing my firewall too and moving the controller off a VM onto a new UDM-Pro. It was pretty simple to swap things out but there have been some speed bumps…

Prior to the upgrades I’d been using Sophos UTM9 on a no-name appliance I got from Amazon for my firewall. I had an old Cisco 48-port layer-2 switch along with VMware and TrueNAS servers. I have a VM running Windows for AD providing DHCP, DNS, LDAP, RADIUS, etc. I have another running Ubuntu and the UniFi controller. There are other VMs for dev and tinkering but they’re not relevant. I have a couple of UniFi APs - models irrelevant.

I replaced the Sophos firewall with a UDM-Pro and the switch with a smaller UniFi 24-port PoE model. I kept almost everything else: the VMware and TrueNAS servers, the WinServer VM, the APs. I shut down the UniFi VM.

As I said at the start, it was pretty simple to get the basics in place. As I moved through replacing each facet of the old setup, I ran into speed bumps.

  • First, as it’s been discussed elsewhere, I needed to switch back and forth between the controller’s new and old web UIs. I get that they need to be able to replace aging systems but it seems unwise to start adding features to the new one (i.e. content filter schemes) before having replaced all the old features. I develop software for a living so perhaps I’m overly retentive on this front.

  • I bought a short SFP-to-SFP cable to interconnect the firewall and switch but it didn’t work initially. I found later that I needed to specify the speed at 1G on both ends. I know it’s best-practice to avoid “auto” but it would have been nice for this to work OOB.

  • I run a site-to-site tunnel between an internal “Office” LAN and my work’s network; i.e. a “Work” VPN network on the controller. The firewall at work is another Sophos UTM9 machine. I found two issues connecting the UDM-Pro to Sophos:

    • First, there’s no support for using a hostname for the local (UDM-Pro) end of the tunnel. I had to use the IP I’d been assigned so the tunnel will fail when that assignment changes.
    • Second, there’s no option to specify the local networks to expose so it’s trying to set up tunnels for each local network. The Sophos is only set to allow my office subnet so the other SAs are invalid.
    • Last, there’s nothing in the UI AFAIK to check the status of the tunnel. I found it wasn’t working and had to restart it to recover but got no indication of a fault in the UI.

  • Given the issues with the IPsec tunnel, I looked at using an SSL tunnel instead and quickly hit a wall. The Sophos expects to provide a config file for the client but it includes certificates, not the keys that the UDM-Pro expects.

  • When setting up the firewall, I found that I was unable to use the “Work” VPN network for the source or destination in rules. Regular LAN networks can be referenced directly but I had to create a separate group. Annoying. The same happened when I set up a remote-access “VPN” subnet. Can’t reference them in firewall rules.

  • IPv6 PD seems to only expect a single internal LAN. My ISP allows me to get a /60 delegation but the web UI doesn’t seem to have a way to slice that into a separate /64 for each LAN. Waiting to hear back on a post in the forums…

  • I had to manually set up on-boot scripts to add configs to dnsmasq to resolve internal zones using the AD machine instead of an external DNS server. It works but the Sophos UI supported this OOB.

  • I was using the reverse proxy built into the Sophos to expose some local web applications; i.e. OwnCloud and HomeAssistant. It handled getting certs from Let’s Encrypt and relaying requests to VMs on my DMZ or Home LANs. The UDM-Pro has nothing for this so I had to roll a new “proxy” VM to handle it myself then port-forward HTTP/HTTPS to it. Not the end of the world but it would be a nice feature for Ubiquiti to add.
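For the dnsmasq item above, here is the shape such an on-boot script can take. This is an added example, not the post’s own script or anything shipped by Ubiquiti: the AD DNS address, the zone names, the drop-in path and the reload command are placeholders you would replace with your own, and the boot hook that runs the script is whatever mechanism your UDM firmware provides.

```shell
#!/bin/sh
# Added example: generate a dnsmasq conditional-forwarding fragment so that
# only the listed internal (AD) zones are sent to the AD DNS server, while
# every other name still resolves through the normal upstream resolvers.
# All values below are placeholders, not taken from the original post.
AD_DNS="${AD_DNS:-10.0.0.5}"                                    # placeholder: AD/DNS server
ZONES="${ZONES:-ad.example.internal 0.0.10.in-addr.arpa}"      # placeholder: forward + reverse zones
OUT="${OUT:-/run/dnsmasq.conf.d/10-ad-zones.conf}"             # placeholder: dnsmasq drop-in path

# Sanity-check a dotted-quad IPv4 address so a typo never becomes a forwarder.
is_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Print dnsmasq directives: $1 = AD DNS IP, remaining args = zones.
gen_fragment() {
  ip="$1"; shift
  is_ipv4 "$ip" || return 1
  for z in "$@"; do
    printf 'server=/%s/%s\n' "$z" "$ip"      # forward this zone (and only this zone) to AD
    printf 'rebind-domain-ok=/%s/\n' "$z"   # AD answers with private IPs; allow them if stop-dns-rebind is on
  done
}

main() {
  tmp=$(mktemp) || exit 1
  gen_fragment "$AD_DNS" $ZONES > "$tmp" || { echo "invalid AD_DNS: $AD_DNS" >&2; rm -f "$tmp"; exit 1; }
  # Syntax-check the fragment before it can break name resolution for the whole LAN.
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test --conf-file="$tmp" || { rm -f "$tmp"; exit 1; }
  fi
  mv "$tmp" "$OUT" && chmod 644 "$OUT"
  # Reload method is an assumption; use whatever restarts dnsmasq on your firmware.
  command -v killall >/dev/null 2>&1 && killall -HUP dnsmasq 2>/dev/null || true
}

case "${1:-}" in install) main ;; esac   # run as: ./ad-zones.sh install
```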

I’ll add more stuff here as I continue. I’m not displeased or surprised by any of this. I did my research ahead of time and knew most of these were going to need extra attention. Don’t mean to be negative here.
