Unifi Security Gateway Subnets and VPNs


Jeff Hodges

I recently set up a new network on the other side of the country and before I left, I managed to get my USG up and running, but my problem now is that my network isn't configured correctly and I can't get the VPN to work right.

I have a feeling my issue is with Routes/ Subnets/ Subnet Masks.

My USG is running into a Fortinet Fortigate and I have an External IP assigned to my port of 71.14.xxx.xxx.

My gateway IP is 192.168.150.1 and my WAN address is 192.168.150.5 (supposedly set-up by people smarter than I).

I was then told (again by people assumed to be smarter than I) that I can't talk to my device because my USG was giving itself an internal LAN IP of 192.168.1.1 so I went in and changed the "Gateway/Subnet" setting on the Network page so that it was 192.168.150.1/24 to match what I'm supposed to be in according to the Fortigate but that didn't have the desired effect either.

At the end of the day, I need my USG to think its address is really 71.14.xxx.xxx (which is where all packets get forwarded that hit the WAN IP anyways) and then to have an internal LAN that I can bridge to through the L2TP VPN.

OR

My issue is with the person who set up the Fortigate because I can't even ping my USG, which I believe means that my packets aren't getting forwarded as well as they should be.

Does anyone have any suggestions, or see pretty easily where I went wrong?
Your WAN on the UniFi side is a private IP range; I assume it is going through a NATting router.

You have a few options:

1 (and the best in my opinion): make sure your USG gets a true external IP, no NATting and no firewall in front.

2 Use an aggressive IPsec tunnel (configured in config.json).
Do make sure protocol 50 and 0 are allowed through your NATting device in front of the USG.

3 Don't do tunnels, or replace the Fortigate with a device that allows OpenVPN.

You could do some fiddling with the Fortigate, but experience has taught me it is simply not stable enough for production.

Sent from a mobile device, so typos are to be expected.
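A small sanity check for the two addressing points in this thread (a private WAN address means a NAT device sits in front of the USG, and a LAN set to 192.168.150.1/24 puts it in the same subnet as the WAN), added here as an example and not from the original posts; the public address is a constructed placeholder because the post masks the real one.

```python
import ipaddress

# Values from the thread. The real external IP is masked in the post, so a
# documentation-range address stands in for it (constructed placeholder).
WAN_ADDR = "192.168.150.5"
WAN_GATEWAY = "192.168.150.1"
LAN_SUBNET = "192.168.150.1/24"      # what the OP changed the LAN to
PUBLIC_PLACEHOLDER = "203.0.113.10"

# RFC 1918 ranges plus the carrier-grade NAT range (RFC 6598).
NAT_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
)]


def wan_is_behind_nat(wan_addr: str) -> bool:
    """True when the WAN address is private/CGNAT space, i.e. some upstream
    device is translating and must forward the VPN traffic to the USG."""
    ip = ipaddress.ip_address(wan_addr)
    return any(ip in net for net in NAT_RANGES)


def lan_overlaps_wan(lan_subnet: str, wan_addr: str, wan_gateway: str) -> bool:
    """True when the LAN network contains the WAN address or its gateway,
    which leaves the router with both interfaces in one subnet."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    return (ipaddress.ip_address(wan_addr) in lan
            or ipaddress.ip_address(wan_gateway) in lan)


def check_topology(lan_subnet: str, wan_addr: str, wan_gateway: str) -> list:
    """Return the list of problems found; an empty list means the basic
    addressing is sane (it says nothing about the VPN policy itself)."""
    findings = []
    if wan_is_behind_nat(wan_addr):
        findings.append("wan-private")
    if lan_overlaps_wan(lan_subnet, wan_addr, wan_gateway):
        findings.append("lan-overlaps-wan")
    return findings


if __name__ == "__main__":
    print("as posted:", check_topology(LAN_SUBNET, WAN_ADDR, WAN_GATEWAY))
    print("public WAN, separate LAN:",
          check_topology("192.168.1.1/24", PUBLIC_PLACEHOLDER, "203.0.113.1"))
```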
Jeff Hodges
Thanks for the input. Unfortunately I think I'm stuck with 2 because I'm off-premise and can't move cables around.


Sent from my iPhone using Tapatalk