This is my second Ubiquiti UDM Pro (Dream Machine, UniFi Cloud Gateway) article. If you still need to read it, here is the first article.
When I first started researching a home solution, I had the requirements below. Once I received the UDM Pro, I needed to figure out how to configure the following:
- Two Internet ports.
- Two networks and the UDM is the gateway and the DHCP server for both.
- Failover between the two ISPs and Policy-Based routing for two networks.
- Access ports for end devices.
- A trunk port is needed to connect my Cisco switch to the UDM.
I eventually figured out the above bullet points using my experience, the UniFi forums, blogs, and videos, and, of course, trial and error. I did break things a couple of times along the way.
Let’s move on to understanding the ports (interfaces) of the UDM Pro (I’ll refer to it as the UDM going forward).
NOTE: As I continue this article, I’m using the web interface (https://unifi.ui.com/) from my laptop for the screenshots and instructions.
Although I use the real names of the ISPs connected to my UDM in this article, I’m not promoting any ISP.
UDM Pro Ports
Here is where you can access the Ports page.
The graphical interface for viewing and managing ports on the UDM reminds me of SonicWall. The Ports page shows the UDM ports, which ports are active, what is connected to each port, and the port’s connected speed. There is a row for each port, and the page shows additional information that is not included in the screenshot.
To accommodate the ISP that delivers 2 Gb service over a 10 Gb (RJ45) handoff, I purchased this SFP from Amazon for that 10 Gb connection: https://amzn.to/3vO3O0p.
Now, let’s jump over to the Networks page. We will return to the Ports page, but we need to configure the networks first. Based on my criteria, I need the UDM for at least two networks.
UDM Pro Networks
The interface for viewing and managing networks on the UDM reminds me of SonicWall. Here is where you can access the Networks page.
The Networks page shows us the networks created and the default network. I found no reason to use or modify the default network. As you can see, I created two networks: Work and Home. Their purpose is obvious: Work is our work-from-home office, and Home is the rest of the house.
Here are the details of the Work network. I did not include all the details in the screenshot. If you want to configure the network settings manually, click the Manual button next to Advanced.
I won’t show the details for the Home network. To summarize, I have two networks: Home with VLAN 10 using IP subnet 10.0.0.0/24 and Work with VLAN 68 using IP subnet 192.168.68.0/24.
If you have only one network, the Networks and Ports configuration is much simpler. I need to configure the networks first because I have two networks, with devices connected directly to the UDM and a trunk port that connects to a Cisco switch.
Back to the Future (oh, Ports page)
Now that the networks/VLANs are configured, we can configure the ports accordingly.
Ports 9, 10, and 11 default to Internet connections. If you click on one of these ports, you will see further details for changing the port type to WAN, WAN2, or LAN. I’m not going into detail on these ports, as they work as intended without modification.
I must configure each UDM port based on the network of the device connected to it. In this example, I chose port 1, which connects my work laptop.
You can name the port and enable (Active) or disable the port.
The “Native VLAN/Network” field defines which network this port should be in. Since this is an access port for an end device, we select the network/VLAN. In this case, it’s Work/VLAN 68. Going forward, I will refer to these as VLANs.
Now, the more confusing part, or not. The “Tagged VLAN Management” field is mainly used for trunk ports.
I won’t explain trunks and VLAN tagging, as there are many blogs, articles, and videos on the subject. By default, the UDM allows all VLANs to be tagged, so you will see the “Allow All” button selected.
For a port that is not a trunk port, I recommend setting the “Tagged VLAN Management” field to “Block All.”
Trunk Ports
As mentioned, the default configuration on the UDM is to allow all VLANs. Basically, every port is allowed to act as a trunk.
For the trunk port I need from the UDM to my Cisco switch, I did not set a Native VLAN, and I’m allowing all VLANs (1, 10 (Home), and 68 (Work)). So, in this example, on port 5, I’m allowing those 3 VLANs to be tagged on this port. I have the same configuration on the Cisco switch port.
Failover
By default, if there are two ISPs (or two connections from the same ISP), the UDM uses failover. After testing the loss of the primary ISP, the failover works and quickly switches to the secondary.
This image is the default configuration with two ISPs. I was going to show the failover results with screenshots, but the default configuration works, trust me.
In the image above, the “Automatic Speed Test” option is enabled by default—a very cool feature.
In the following sections, we go into “Load Balancing” and “Policy-Based Routes.”
Load Balancing
Having two ISPs is excellent for high availability if one goes down. The downside (no pun intended, well maybe) is that one ISP is not in use. There may be valid reasons for this, but for home use, paying for two but using one is not financially feasible. This holds true when one is 1 Gb fiber and the other is 2 Gb fiber.
This link shows the software version needed for the load balancing (Distributed) feature. If you have a new UDM or are getting one, most likely, you will have this version or will have it when you do a software update.
This image shows the Load Balance setting set to Distributed and the traffic balanced 50/50 across both ISPs. This setting can be found in the left menu Settings>Internet.
With this configuration, traffic will balance across both ISPs. I tried this, and it works well. I won’t go into much detail as it is straightforward.
Load Balancing with Policy-based Routing – Settings
As mentioned earlier, I have two networks at home, Home and Work. My goal was to send Work traffic out one ISP and Home traffic out the other. This is where Policy-based Routing saves the day!
I’ve worked with policy-based routing on multiple vendor platforms, routing traffic based on destination or source. The UDM supports both destination and source for policy-based routing.
The “Policy-based Routes” (PBR) section can be found in Settings>Routing>Policy-Based Routes tab.
On the Home-Fidium PBR settings, I’m sending the Home network traffic to Fidium. The settings are straightforward, but what if we don’t want to send all traffic but specific traffic? This is what the Specific Traffic option allows us to do.
PBR Specific Traffic
Using the Specific Traffic option, you can forward traffic using the following three options.
- Domain Name
With this option, you can forward traffic destined for a specific domain name to this ISP. For example, I can forward traffic destined for netflix.com to a specific ISP. I can see this as a common option for home and business.
- IP Address
This option may not be commonly used at home, but I certainly see it used in business. It sends traffic destined for one or more IP addresses to the specified ISP. With this option, a destination port number can also be specified.
- Region
Newer firewalls, such as Next Generation Firewalls, have this country-based option, Regions. With it, you can send traffic destined for a specific country to the specified ISP. I’ve used Regions to block traffic to or from specific countries, but not to steer traffic. I’m sure there are valid reasons to use this option.
The Fallback option seems confusing, although I have some idea of what it does. My configuration fails over to either ISP when the other fails, and this works for both the Home and Work networks. More on this later.
Here are the PBR settings for the Work network.
Load Balancing with Policy-based Routing & Failover
Now, here are the results of PBR and failover! It works! Continue reading for more details.
This screenshot is my personal laptop on the Home network, which uses Fidium.
I don’t have a screenshot, but I can confirm that the Work network with my work laptop on it uses Spectrum, as intended.
Let’s simulate Fidium going down. For context, the UDM and ISP equipment sit in front of my desk in my home office.
I disconnected the Fidium Ethernet cable from the UDM and quickly returned to my desk to check the status. After doing so, the Home network had already switched over to using Spectrum. So, in other words, the switchover is fast!
When I reconnected the Fidium cable, the traffic quickly switched back to Fidium.
Let’s simulate Spectrum going down. I performed the same test by disconnecting Spectrum, and the Work network switched to Fidium with no issues. My work VPN stayed connected after the switchover from Spectrum to Fidium. I don’t have screenshots of this failover test, but it works.
Now, one disclaimer: although the PBR is working as expected, the failover with PBR may be working because of the Load Balance setting I have configured. When researching the configuration for PBR and failover, many forum threads and other posts questioned the configuration or function of the PBR, failover, and load balancing options. With the configuration and results above, here are my Load Balance settings.
I haven’t tested settings other than what I posted here, but what I posted (configured) works as intended for my needs. I’m satisfied and happy with the configuration and performance.
Conclusion
As I mentioned in my first Ubiquiti UDM Pro article, I’ve worked (and continue to work) with multiple vendors and products, such as high-end Next Generation Firewalls, Application Delivery Controllers, and similar devices. Is the Ubiquiti UDM Pro in line with these devices? No.
Is the UDM an option for home or small to medium-sized businesses? Yes.
The ability to handle two ISPs, multiple networks, failover, and policy routing, and to have these features work together intuitively, is impressive.
So far, I’m impressed with the UDM Pro and how the UniFi system is designed to work cohesively. I look forward to working with the other Ubiquiti (UniFi) products and am satisfied with the purchase of the UDM.
Copyright © Packet Passers 2024