USG - yeah, OK - I guess it's OK... might get better ;)
-
First off I need to give a shout out to this post - without it, it would have taken me a lot longer to figure out what was going on.
So I've been wanting to play with a Ubiquiti Security Gateway device for a while hoping it would slip right in with the UBNT controller. Well, if you use any network besides the default 192.168.1.x, you will hate setting this thing up!
Getting this to work on a pre-existing network requires some work.
First thing first, you'll want to migrate your controller to a laptop if possible - oh boy, what fun! Make sure that works as expected after migrating it.
Once you have done this, now take that laptop and connect it to the LAN side of the USG. To save yourself a ton of headaches you should configure your NIC manually for an IP of your production network, and an IP in 192.168.1.x/24.
If you haven't set up a Network in the controller, now's the time to do that. Create your production network, listing the IP of the gateway, this will be assigned to the USG, decide if DHCP should be enabled on the USG, etc.
Now have your controller locate your USG. It will likely need a Firmware update - I did it, not sure if the current new one is better or not than what it came with, you'll have to do your own research there.
Upon restarting (like 10 mins) the USG should pull down the networks that you have set up in UBNT controller and attempt to set itself up based on that. If you get lucky, you'll be able to ping the USG in under 10 mins, changing networks seems to take a really long time.
Once you see the USG come back online, ping it to make sure you can see it. Assuming all is well, you can now replace your old router, put the laptop back on the normal network, and migrate the Controller back to its home.
-
While writing this, I realized that if you can afford internet downtime, you install the USG in the place of the router first. Then on whatever server/device has the USG, add a second IP in the 192.168.1.x range. Once you do that, you should be able to ping the USG at 192.168.1.1. Once you can, have your controller attempt to find and adopt the USG.
Again do the firmware update (if you want, otherwise just reboot). Assuming you have the network settings as mentioned above in place, the USG will reboot, pull the settings from the controller, update itself, reboot again, and join your production network.
Once you can see the USG in the controller with the new production IP, assuming you haven't already set it up, you can set the external IP assuming it doesn't use DHCP.
-
So is the "not a great product" only based on the setup process? How does it work after that?
-
Isn't this about the same sort of thing you'd have to go through with just about any internet facing router?
-
@scottalanmiller said in USG - yeah, not a great product:
So is the "not a great product" only based on the setup process? How does it work after that?
Yes.
I haven't put it in production yet. I'm sure it will be fine once it's in production, but damn - they really made it pretty damned hard to set up in a non default'ish way.
-
@travisdh1 said in USG - yeah, not a great product:
Isn't this about the same sort of thing you'd have to go through with just about any internet facing router?
No, because you'd log directly into the device, either CLI or GUI, make the change, save the change which normally causes it to reboot, and if DHCP went along with it, you'd release/renew your PC and be reconnected, or change your hard coded IP to the new range and again be fine.
No, instead you can't manage the USG from itself, you must use the controller software. Also, not sure yet, you might not be able to do anything unless the USG can see the internet itself. The use of the controller software on a pre-existing network is what makes this a huge PITA.
-
@Dashrender Well, honestly, I'd expect that with any product from Ubiquiti, it's just how they do things. Still, you can't login to an ssh shell at all?
-
OK I'm ready to climb off the edge.
This link has a really good config.gateway.json file for setting up IPSec L2TP for remote users. This one is designed to expand the LAN over the VPN, but you could mod it to be its own IP range if you wanted.
Getting this to work is as simple as downloading the config file, making the changes you want to the file, saving it in the correct location on the controller, and causing a provisioning event on the USG - BAM - done!
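A pre-flight check for the procedure above, as an added example that is not part of the original post or the linked file: it parses a config.gateway.json and flags a short IPsec pre-shared secret, short local-user passwords, and an L2TP client pool that overlaps the LAN DHCP range. The key layout follows the EdgeOS-style L2TP remote-access section; the sample file, addresses, DHCP range and the 16-character threshold are assumptions.

```python
import ipaddress
import json

# Constructed sample in the EdgeOS-style layout that config.gateway.json uses.
# Addresses, user name and secrets are placeholders, not values from the linked file.
SAMPLE = """
{"vpn": {"l2tp": {"remote-access": {
  "authentication": {"mode": "local",
    "local-users": {"username": {"alice": {"password": "changeme"}}}},
  "client-ip-pool": {"start": "10.20.0.200", "stop": "10.20.0.220"},
  "ipsec-settings": {"authentication": {"mode": "pre-shared-secret",
    "pre-shared-secret": "short"}}}}}}
"""

def lint_gateway_config(text, dhcp_start, dhcp_stop, min_secret_len=16):
    """Return a list of findings for the L2TP remote-access section."""
    try:
        cfg = json.loads(text)  # a syntax error is caught before provisioning
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    ra = cfg.get("vpn", {}).get("l2tp", {}).get("remote-access")
    if ra is None:
        return ["no vpn.l2tp.remote-access section"]
    findings = []
    # Secrets sit in this file in plaintext; min_secret_len is an assumed policy.
    ipsec = ra.get("ipsec-settings", {}).get("authentication", {})
    if len(ipsec.get("pre-shared-secret", "")) < min_secret_len:
        findings.append(f"pre-shared-secret shorter than {min_secret_len} chars")
    users = ra.get("authentication", {}).get("local-users", {}).get("username", {})
    for name, entry in users.items():
        if len(entry.get("password", "")) < min_secret_len:
            findings.append(f"user {name}: password shorter than {min_secret_len} chars")
    pool = ra.get("client-ip-pool", {})
    try:
        p_lo, p_hi = (ipaddress.ip_address(pool[k]) for k in ("start", "stop"))
    except (KeyError, ValueError):
        return findings + ["client-ip-pool start/stop missing or not an IP"]
    d_lo, d_hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_stop)
    if p_lo > p_hi:
        findings.append("client-ip-pool start is above stop")
    elif p_lo <= d_hi and d_lo <= p_hi:  # VPN clients and DHCP leases could collide
        findings.append("client-ip-pool overlaps the LAN DHCP range")
    return findings

if __name__ == "__main__":
    for finding in lint_gateway_config(SAMPLE, "10.20.0.100", "10.20.0.210"):
        print("WARN:", finding)
```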
-
@travisdh1 said in USG - yeah, not a great product:
@Dashrender Well, honestly, I'd expect that with any product from Ubiquiti, it's just how they do things. Still, you can't login to an ssh shell at all?
I never tried until tonight. That works pretty well, but you can't just type things in there, they will be lost if you do any provisioning change on the network.
-
Ran into a snag today. When applying this update to a USG with a dynamic external IP, it works fine. But the moment you assign it a static IP it goes into a boot loop and removes the default gateway.
To get it back to a working state I had to hard reset the USG, re-acquire and re-set up.
I'll be posting to the USG boards shortly.