Tuesday, March 20, 2018

Adopting Unifi Security Gateway (USG) into existing network


Ubiquiti Networks makes the Unifi Security Gateway (USG) as part of their Unifi series of enterprise networking products. A core feature of these units is that a software controller holds all the relevant information about a site, and centrally configures the respective devices at that site. So far, so good.

Unless you are building a completely new network, you might already have Unifi devices installed in your network. I have a couple Unifi accesspoints, and a bunch of Linux infrastructure including an existing controller. Adding a USG to the mix turned out to be surprisingly non-intuitive.

At first I took the common route of connecting the WAN interface of the USG to my internal network, and a laptop to the internal network behind the USG. Of course, in order to now configure the USG, I need a controller on that laptop. The process of adopting the USG to that controller worked just fine. I played around with the settings until I was confident in what and how I want to set this up.

After factory reset I connected the LAN port of the USG to my internal network, and in a browser went to the existing controller on that network. The USG shows up in the Devices list ready for adoption, I click [Adopt] and almost immediately get "Adoption Failed". Huh!

After a bit of futzing around and digging through the Unifi help forum it dawned on me what the problem is:
The internal network of the USG by default uses network 192.168.1.0/24 with the USG using IP 192.168.1.1. For smaller networks the USG is intended to act as the DHCP server, so devices behind the USG will end up with an address in 192.168.1.0/24. The process of adopting a device requires that the device is able to talk to the controller. If the controller is not on 192.168.1.0/24, the adoption process won't proceed beyond the initial detection that the device is present (which I assume works by local broadcast), since the controller can't open a HTTP connection with the USG.
The solution is to configure the LAN port of the USG for the right network before attempting adoption. Different people describe various ways of doing this on the Ubiquity help site. I found the CLI approach to be the easiest:
  1. Connect the LAN port of the USG to the internal network. Don't connect the WAN port yet.
  2. Manually change the IP on my laptop to 192.168.1.10/24
    The actual IP doesn't matter as long as it is not 192.168.1.1
  3. ssh to 192.168.1.1 as user ubnt with password ubnt
    ubnt/ubnt is the default user and password before the USG is adopted by a controller
  4. Enter configuration mode and replace the IP address on the LAN interface with an unused IP address of my internal network:
    configure
    set interfaces ethernet eth1 address 192.168.200.167/24
    delete interfaces ethernet eth1 address 192.168.1.1/24
    commit
  5. As soon as I hit commit, the ssh connection died since the USG has changed its IP address. Change the laptop's networking configuration back to the internal network.
  6. Disconnect the existing firewall and connect the ISP uplink to the USG WAN port. Site network outage begins.
  7. Click [Adopt] in the Controller UI, and the USG should now be adopted without issue. 
  8. If you have a static IP from your ISP, enter the respective routing information in the WAN settings of the controller UI and save it. The controller will provision the changes to the USG. Site network outage ends.
  9. Now continue with any other firewall configuration you might want
  10. ... and we're done.

No comments: