Daisy chaining pfSense + UDM Pro to work together

Posted on July 5, 2020 by Thiago Crepaldi

Last Updated on December 30, 2024 by Thiago Crepaldi

The Unifi Dream Machine Pro (aka UDM Pro) is a nice appliance for acting as the Unifi controller for your access points (APs), and it also offers an 8-port managed switch with low power consumption, noise and heat. It is an average router and a lousy security appliance (hopefully they will improve a lot in this area). This is where pfSense comes into play. In this post, I will set up pfSense and UDM Pro routers in a daisy-chain fashion. pfSense will sit at the edge of the Internet, taking care of things like security and VPN servers. The UDM Pro, in turn, will act as my LAN router, protected by pfSense and integrating nicely with all my Unifi products.

Getting started

The easiest way to get started is to do a basic configuration of each appliance separately. Connect your ISP cable to the pfSense WAN port and your computer to a pfSense LAN port (e.g. OPT1). Each pfSense appliance has a different port layout, which I won't cover in this post, but make sure you configure at least one WAN port and one LAN port. If your pfSense has several ports, like the Netgate SG-2440 (4 ports), you can create one WAN and three LANs for future use.

Once your pfSense is working and you have Internet access through it, disconnect it, put the UDM Pro in its place and do a basic configuration from your PC, which I won't cover in this article either.

Now both devices work individually and we can set them up to work together!

For this post, the following convention will be used:

  • Domain name: lan.domain.com
  • pfSense
    • Hostname: pfsense.lan.domain.com
    • IP: 10.0.0.1
  • UDM-Pro
    • Name: udmpro.lan.domain.com
    • IP:
      • 192.168.1.1 (LAN port)
      • 10.0.0.2 (WAN port)
  • Synology NAS:
    • Name: synology.lan.domain.com
    • IP: 192.168.1.5

Physical connection

I could connect my ISP wire on my pfSense WAN port and then connect a LAN port of my pfSense into any LAN port of the UDM Pro to avoid many of the hurdles we are going to discuss. I didn’t do it because that would also kill the router functionality of the UDM Pro and lots of management features. Another approach would be putting UDM Pro in bridge mode, but I didn’t because UDM Pro doesn’t implement bridge mode and if it did, this would also kill the routing functionality. A third approach that I didn’t want was to disable DHCP server on the UDM-Pro and put it on a DMZ network on pfSense because it would result in killing the router functionality of the Unifi too.

Instead, I connected the Internet cable from my ISP to my pfSense WAN port. Next, I connected my pfSense LAN port (e.g. OPT1) to the WAN port of the UDM Pro. With that, I created two separate networks: the pfSense network (10.0.0.x/24 from now on) and the UDM Pro network (192.168.1.x/24 from now on). This setup is known as daisy-chained routers. The most challenging issue in this setup is double NAT, which can cause connectivity issues in some scenarios. Universal Plug and Play (UPnP) and port forwarding also suffer from connectivity issues.

The solution for the issues with double NAT, UPnP and port forwarding is the same: doing manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule on the UDM-Pro towards the pfSense side, so that pfSense and its devices can connect to devices behind the UDM-Pro. If you want devices on the Internet to connect to devices behind your UDM-Pro, you also need a second port forwarding rule on your pfSense, from its WAN port to the UDM-Pro's address on the pfSense LAN. For example, if you are at school and want to connect through SSH (port 22) to your laptop behind your UDM-Pro at home, you would have to create a port forwarding rule on your UDM-Pro exposing port 22 of your laptop (say 192.168.1.50) on port 22 of the UDM-Pro. At this point, devices connected to your pfSense would be able to connect via SSH to your laptop. Next, to allow the connection from the Internet, on your pfSense you create a port forwarding rule that sends port 22 on the pfSense WAN to port 22 of the UDM-Pro, which in turn forwards it to your laptop. Something like:
you_on_Internet -> pfSense:22 -> UDM-Pro:22 -> laptop:22

One interesting consequence of daisy chaining routers is that although the outer router (pfSense) doesn't know the inner router's (UDM-Pro) network, the opposite isn't true: devices connected to the UDM-Pro do have access to pfSense's network.
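To make the chain above and the one-way visibility concrete, here is an added example (my own code, not from the post, pfSense or Ubiquiti) that walks an SSH connection through both port forwards; the public address 203.0.113.10, the laptop at 192.168.1.50 and the Router/resolve helpers are assumptions. It also shows why the pfSense rule must target 10.0.0.2: pfSense is not attached to 192.168.1.0/24, so a rule pointing straight at the laptop breaks the chain.

```python
from ipaddress import ip_address, ip_network


class Router:
    """A NAT router: the addresses it answers on, the networks it is
    attached to, and its port-forward (DNAT) rules."""

    def __init__(self, name, addresses, networks):
        self.name = name
        self.addresses = set(addresses)
        self.networks = [ip_network(n) for n in networks]
        self.forwards = {}  # (proto, port) -> (target_ip, target_port)

    def add_forward(self, proto, port, target_ip, target_port):
        self.forwards[(proto, port)] = (target_ip, target_port)

    def can_reach(self, ip):
        # A router only delivers to hosts on a network it is attached to;
        # pfSense is not on 192.168.1.0/24, so it cannot reach the laptop.
        return any(ip_address(ip) in n for n in self.networks)


def resolve(routers, dst_ip, dst_port, proto="tcp", max_hops=4):
    """Follow port forwards hop by hop until the packet leaves the routers.
    Returns (final_ip, final_port, hops); raises ValueError where the chain breaks."""
    by_ip = {addr: r for r in routers for addr in r.addresses}
    hops = []
    while dst_ip in by_ip:
        if len(hops) >= max_hops:
            raise ValueError("forwarding loop between routers")
        router = by_ip[dst_ip]
        rule = router.forwards.get((proto, dst_port))
        if rule is None:
            raise ValueError(f"{router.name}: no forward for {proto}/{dst_port}")
        target_ip, target_port = rule
        if not router.can_reach(target_ip):
            raise ValueError(f"{router.name}: {target_ip} is not on an attached network")
        hops.append(f"{router.name}:{dst_port} -> {target_ip}:{target_port}")
        dst_ip, dst_port = target_ip, target_port
    return dst_ip, dst_port, hops


def daisy_chain(pfsense_target):
    """The post's topology; 203.0.113.10 is a constructed stand-in for the public IP."""
    pf = Router("pfSense", ["203.0.113.10", "10.0.0.1"], ["203.0.113.0/24", "10.0.0.0/24"])
    udm = Router("UDM-Pro", ["10.0.0.2", "192.168.1.1"], ["10.0.0.0/24", "192.168.1.0/24"])
    pf.add_forward("tcp", 22, pfsense_target, 22)   # outer rule, the one under test
    udm.add_forward("tcp", 22, "192.168.1.50", 22)  # inner rule -> laptop (assumed IP)
    return [pf, udm]


def from_internet(pfsense_target="10.0.0.2"):
    """SSH arriving at the pfSense WAN; returns 'ip:port via ...' or 'broken: ...'."""
    try:
        ip, port, hops = resolve(daisy_chain(pfsense_target), "203.0.113.10", 22)
        return f"{ip}:{port} via {' | '.join(hops)}"
    except ValueError as err:
        return f"broken: {err}"


def from_pfsense_lan():
    """A host on the pfSense LAN reaches 10.0.0.2 directly: only the UDM-Pro rule matters."""
    ip, port, hops = resolve(daisy_chain("10.0.0.2"), "10.0.0.2", 22)
    return f"{ip}:{port} via {' | '.join(hops)}"
```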

Setting up NTP server on pfSense

It is a good idea to have an NTP server running on your network so that all devices can synchronize their time. Go to Services >> NTP >> Settings to get started. In the Interface list, make sure all the LAN, VPN server or possibly WAN interfaces on which you want to serve time are selected (or leave them all unselected to serve on all interfaces). Add 0.pfsense.pool.ntp.org, 1.pfsense.pool.ntp.org, 2.pfsense.pool.ntp.org and 3.pfsense.pool.ntp.org to the Time Servers list with the "Is a pool" option checked, and finish the setup by clicking Save.

Configuring DHCP Server on pfSense

We will customize the pfSense DHCP server configuration to add the NTP and DNS server settings, as well as a domain name that will also be used in the UDM-Pro DHCP server settings.

Go to Services >> DHCP Server and, for each LAN interface, do as follows:

Servers

  • DNS Servers: 10.0.0.1

Other Options

  • Domain name: lan.domain.com
    (This domain must match the domain name on the UDM-Pro.)
  • NTP Server 1: 10.0.0.1

Click Save to finish. From now on, the DHCP Server will send NTP/DNS server and the domain name to the clients along with the IP lease.

Setting up NTP server on UDM-Pro

In our daisy chained setup, we will configure UDM-Pro to use pfSense as the NTP Server. On the Network application, go to Settings >> Network settings >> Location & Time page and do as follows:

At Timezone & Location section, set Timezone and Country or Territory accordingly.

At Network Time Protocol (NTP) section, set your pfSense IP as the NTP Server hostname and finish by clicking Apply changes.

Configuring DHCP Server on UDM-Pro

As with the pfSense DHCP server configuration, we need to configure the UDM-Pro to distribute the NTP and DNS server and the domain name along with the IP leases. Go to the Network application, then Settings >> Networks >> Local networks, click on Edit on each LAN and do as follows:

General

  • Domain name: lan.domain.com

DHCP Controls

  • DHCP Name Server: 192.168.1.1
    This is the IP of UDM-Pro, which in turn uses the pfSense DNS server

DHCP Controls >> Advanced DHCP Options

  • DHCP NTP Server: 192.168.1.1
    This is the IP of UDM-Pro, which in turn uses the pfSense NTP server

When you click Apply changes, future leases will also distribute these additional settings.

Reserve a static IP from pfSense network to the UDM Pro

Now that the UDM Pro is physically connected to the pfSense LAN port and the DHCP server is properly configured, the UDM-Pro will get an IP from it. We will reserve a static IP for the UDM Pro to facilitate future integrations between the two appliances. To do that, we need the UDM Pro MAC address. On your UDM Pro, go to Network >> Devices and click on your UDM Pro entry in the list. In the Overview section, take note of the MAC address field.

To create the reservation, log in to your pfSense page and go to Services >> DHCP Server. For your LAN interface, scroll to the bottom of the page until you reach the DHCP Static Mappings for this Interface section. Click on Add and fill in the MAC address. You can also fill in the Client Identifier and Hostname with the name of the Unifi device. In the IP address field, enter the static IP for your UDM Pro (e.g. 10.0.0.2) and finish by clicking Save. The change does not take effect immediately, but you can force it by disconnecting and reconnecting the WAN port of your UDM Pro or by restarting it. After reconnecting, your UDM Pro will always receive the same IP.
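As an added check (example code written for this post, not part of pfSense), the following script audits a config.xml backup for the DHCP settings described above: the DNS, NTP and domain options on each LAN interface, and a static mapping for the UDM Pro whose address lies inside the interface subnet but outside the dynamic pool (pfSense rejects mappings inside the pool). The <interfaces>/<dhcpd> tag layout of the constructed sample is an assumption; compare it against your own export.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_interface

# Constructed excerpt in the layout pfSense uses for <interfaces> and <dhcpd>
# (the exact tag names are an assumption; compare with your own config.xml backup).
CONFIG_XML = """<pfsense>
  <interfaces>
    <opt1><descr>LAN</descr><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <dhcpd>
    <opt1>
      <enable/>
      <range><from>10.0.0.100</from><to>10.0.0.199</to></range>
      <dnsserver>10.0.0.1</dnsserver>
      <domain>lan.domain.com</domain>
      <ntpserver>10.0.0.1</ntpserver>
      <staticmap>
        <mac>00:11:22:33:44:55</mac>
        <ipaddr>10.0.0.2</ipaddr>
        <hostname>udmpro</hostname>
      </staticmap>
    </opt1>
  </dhcpd>
</pfsense>"""

# What the post configures on every LAN interface.
EXPECTED = {"dnsserver": "10.0.0.1", "domain": "lan.domain.com", "ntpserver": "10.0.0.1"}
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def audit(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the DHCP settings match the post."""
    root = ET.fromstring(xml_text)
    findings = []
    for dhcp in root.find("dhcpd"):          # one child per interface (lan, opt1, ...)
        name = dhcp.tag
        iface = root.find(f"interfaces/{name}")
        if iface is None:
            findings.append(f"{name}: DHCP settings for an interface that does not exist")
            continue
        net = ip_interface(f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}").network
        for tag, want in expected.items():
            got = dhcp.findtext(tag)
            if got != want:
                findings.append(f"{name}: {tag} is {got!r}, expected {want!r}")
        rng = dhcp.find("range")
        pool = (ip_address(rng.findtext("from")), ip_address(rng.findtext("to"))) if rng is not None else None
        for sm in dhcp.findall("staticmap"):
            host = sm.findtext("hostname") or "?"
            mac = (sm.findtext("mac") or "").lower()
            if not MAC_RE.fullmatch(mac):
                findings.append(f"{name}: static mapping {host} has malformed MAC {mac!r}")
            ip = ip_address(sm.findtext("ipaddr"))
            if ip not in net:
                findings.append(f"{name}: static {ip} for {host} is outside {net}")
            elif pool and pool[0] <= ip <= pool[1]:
                findings.append(f"{name}: static {ip} for {host} lies inside the dynamic pool")
    return findings
```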

Allowing SSH from pfSense into UDM Pro

By default, the UDM Pro blocks incoming connections on its Internet (WAN) port, in particular for services such as SSH. In our setup, we want to enable SSH on the UDM-Pro WAN to allow a tight integration with pfSense, such as transferring Let's Encrypt certificates issued by pfSense to the UDM-Pro. Normally this would be a terrible idea, but remember that the WAN port of the UDM Pro is not exposed to the Internet, only to a LAN port of your pfSense.

On your UDM Pro, log in and click on the Network application. Go to Settings >> Internet Security >> Firewall and click on WAN in the Rules tab. Click on Create new rule and do as follows:

At the General section

  • Change Type to WAN Local
  • In the Description field, type something like Allow SSH from WAN local
  • Make sure it is Enabled
  • Rule applied: Before predefined rules
  • Action: Allow
  • IPv4 Protocol: TCP

At the Source section

  • Source Type: IP Address
  • IPv4 Address: <pfSense address> (e.g. 10.0.0.1)
  • Port: Blank

At the Destination section

  • Destination Type: IP Address
  • IPv4 Address: <UDM Pro address from pfSense net> (e.g. 10.0.0.2)
  • Port: 22

Click Apply at the bottom of the page. Now you should be able to run something like ssh root@<UDM Pro ip> from pfSense and connect into your UDM Pro.

Note we used the UDM Pro IP as 10.0.0.2 instead of 192.168.1.1. This was intentional, as pfSense doesn’t really know the 192.168.1.x network and the only IP it knows to connect to the UDM Pro is the one assigned by the pfSense itself on its 10.0.0.x network.

Adding Unifi Access Points

In the very beginning, I started simple and plugged the Unifi AP directly into one of the eight UDM-Pro LAN ports. This is the simplest way to get Wi-Fi going, as the Unifi controller and the AP are on the same network and the setup process is standard. First you adopt the new AP in the controller web UI by entering the Network application, clicking on Devices and hitting the Adopt button for the newly listed AP. Next, navigate to Settings >> Wi-Fi >> Wi-Fi Networks and press Create New Wi-Fi network. A wizard is presented and, if you pick Create Basic Wi-Fi, all you have to do is choose a Wi-Fi name and password.

In the future we may need to revisit this topology if we wish, for example, to create different Wi-Fi networks, each of which being able to go out to Internet using different gateways. For now, let’s enjoy the simplicity provided by Unifi 🙂

22 thoughts on “Daisy chaining pfSense + UDM Pro to work together”

  1. Francois says:
    October 4, 2020 at 10:14 PM

    Thanks a lot for this write up! I am planning on adding a pfSense box to protect an existing UDMP network as I want the full routing functionality to remain with UDMP. I was wondering if possibly adding a route on pfSense and/or UDMP could allow pfSense to know about 192.168.1.1 where UDMP lives. I don’t suspect you’ve had issues with your UDMP having two LAN IPs. Are you using any VLANs on the UDMP? I am using a few VLANs and just hope pfSense won’t have an issue with that – or require creating the same VLANs on the pfSense box.

    “Note we used the UDM Pro IP as 10.0.0.2 instead of 192.168.1.1. This was intentional, as pfSense doesn’t really know the 192.168.1.x network and the only IP it knows to connect to the UDM Pro is the one assigned by the pfSense itself on its 10.0.0.x network.”

    Reply
    1. Thiago Crepaldi says:
      October 12, 2020 at 10:17 AM

      Hi Francois, I didn't try creating a static route, but I could try and let you know! I wonder why you want to do this 🙂 I can try to help you achieve what you want and maybe learn something during the process

      I use 192.168.1.x as the LAN IP and several VLANs on the Unifi AP and it works fine (such as 192.168.10.x, 192.168.20.x, 192.168.30.x, etc). If you want to use different gateways for each VLAN, then you have to move your AP from the UDM-Pro to the pfSense, as UDM-Pro can handle multiple VLANs on the WAN port. This post discusses that in detail!

      Reply
  2. Duane says:
    April 24, 2021 at 9:47 PM

    Thanks for this write-up. It was very helpful and I managed to get my setup working much quicker than I expected due to the knowledge you shared. I'm curious if you use Synology's free DDNS, and if so how you managed to get that working given the daisy-chained routers? My setup is fairly close to what you described (ISP -> pfSense WAN (public IP) -> pfSense LAN (10.0.0.1) -> UDM Pro WAN (10.0.0.2) -> UDM Pro LAN (192.168.200.x/24) -> Synology NAS (192.168.200.x). I'm guessing I need an entry added on the pfSense, but is the entry a static route or custom DDNS? Thanks in advance for any feedback you can provide.

    Reply
    1. Thiago Crepaldi says:
      April 25, 2021 at 10:29 AM

      Hi Duane, one good question to ask yourself is why you want DDNS on a device which is behind the firewall. I'd argue that maybe configuring DDNS on your pfSense makes more sense, as it is the real edge of your network. For that, you could follow this post on pfSense + Cloudflare for DDNS

      Now that your customers can find your IP, the next step would be to configure port forwarding on your pfSense which redirects you to the UDM Pro. Then you configure your UDM Pro to port forward to your Synology NAS. That means that pfSense advertised your public IP but then chained port forwarding in both routers took you to the final service

      However, if you really want Synology DDNS to work, you will need to port forward the port used by the DDNS service on your pfSense to UDM Pro and from UDM Pro to Synology. Then you repeat this process, as above, to port forward the ports of the service you want to expose

      Consider not exposing anything on the Internet, especially if you are the only one using it. Instead, configure Cloudflare DDNS and an OpenVPN server and then port forward whatever you need to access behind your UDM Pro from pfSense

      Reply
  3. Park says:
    June 30, 2021 at 3:08 PM

    "The solution for the issues with Double NAT, UPnP and port forwarding is the same: doing a manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule from UDM-Pro to the pfSense, so that it allows pfSense and its devices to connect to devices behind the UDM-Pro."

    Can you tell me how to do this exactly based on your model? THANK YOU!

    Reply
  4. Tiago says:
    July 19, 2021 at 10:38 AM

    Hello Thiago! I have had this setup for a while and I am trying VPN, however, I am not sure what could be the best practice on this scenario.

    I have a pfSense as a Open VPN server at location “A” with a UDM PRO behind it ; I have another pfSense on location “B” configured with OpenVPN as client. Connection is successful.

    From location “B” I would like to VPN (connect) into the network behind the UDM PRO on location “A”.

    Any suggestion?

    Reply
    1. Thiago Crepaldi says:
      October 18, 2021 at 5:45 PM

      Hi Tiago, what you want to do is called site-to-site tunnel. I wouldn’t use OpenVPN server in each site for that, but instead, I would use IPSec, just like I described here. That will make both pfSense talk to each other in an efficient and safe way. Next you will probably have to create some static routes between your pfSense and the UDM Pro behind it or port forwarding, depending on your scenario. Hope that helps

      Reply
  5. Tony Chen says:
    August 28, 2021 at 7:16 PM

    Thanks for this BRILLIANT idea. I have pretty much an identical hardware setup to yours, but how can I get IPv6 addresses for client devices behind the UDMP? Seems like only devices right behind the first router, in this case the pfSense router, have a chance to receive IPv6 addresses provided by the ISP. Is this possible? Greatly appreciate!

    Reply
  6. Andres R says:
    September 7, 2021 at 10:41 AM

    You spoke about the pfSense knowing about the UDM Pro but not being able to see the network. What method would you recommend to access the pfSense from inside the UDMP network? For instance, if I was on my UDMP network with Wi-Fi and I wanted to log in to pfSense. Right now my UDMP and computers on its network can traverse over the connected external pfSense and see the Internet, but that's it; I can't access the actual pfSense configuration or other devices on the same network or parallel to the UDMP. I was able to connect via its external web IP, so I know it's working.

    Reply
  7. Thiago Crepaldi says:
    October 18, 2021 at 8:07 PM

    https://geekistheway.com/2020/07/05/daisy-chaining-pfsense-udm-pro-to-work-together/?#allow-ssh-from-pfsense-into-udm-pro is an example on how to do a port forward from pfsense to UDM Pro for SSH (port 22)

    Reply
  8. Thiago Crepaldi says:
    October 18, 2021 at 8:13 PM

    Hi Tony, technically speaking IPv6 allows so many IPs that NAT wouldn’t be needed. NAT is usually used when IPs are scarce, but each grain of sand on Earth could have one IPv6 :).

    Having said that, I didn't experiment with IPv6 myself, but the same rules apply, as far as I know. You can create a port forward using IPv6 from pfSense to your UDM Pro and then another port forward from UDM Pro to whichever device you want, just like in IPv4 scenarios

    Reply
  9. Thiago Crepaldi says:
    October 18, 2021 at 8:17 PM

    Devices behind UDM Pro should be able to see the pfSense network, including pfSense’s admin page. The other way around that is not possible, meaning devices connected to pfSense can’t see what is behind your UDM Pro.

    Check firewall settings to make sure something else is blocking access to your pfSense configuration page.

    Reply
  10. Edi says:
    November 5, 2021 at 8:37 PM

    I wonder how your experience has been so far. I'm thinking of doing this as well.

    Reply
    1. Thiago Crepaldi says:
      November 7, 2021 at 7:28 PM

      I actually sold my UDM Pro and got a Unifi 24 port switch instead. Now I have the goods from pfSense as router and the goods from Unifi as managed switch. No regrets

      Dealing with double NAT for every scenario in the network is just not worth it

      Reply
  11. edi says:
    November 7, 2021 at 11:30 PM

    Thank you so much for the update. I'm thinking of doing that as well, but I have the Unifi doorbell with me which will need the physical controller.

    Reply
  12. Thiago Crepaldi says:
    November 8, 2021 at 7:15 AM

    Do you need the physical controller or do you need a 24/7 controller? I run the unifi controller on a Docker container for my network and it worked really well https://geekistheway.com/2020/11/04/installing-unifi-controller-docker-container-on-synology-nas/

    Another alternative is a physical controller without the router such as https://store.ui.com/collections/unifi-accessories/products/unifi-cloudkey

    Reply
  13. Edi says:
    November 11, 2021 at 1:32 AM

    Ya I need the physical type to get the unifi protect service. I am not sure if the Protect will run on a container. Will need to research more on it.

    Reply
  14. Thiago Crepaldi says:
    November 11, 2021 at 8:28 AM

    I would try https://hub.docker.com/r/iamjamestl/unifi-protect and if doesn’t work, selling the UDM Pro and getting a Cloud Key 2 might be an option. Good luck

    Reply
  15. Nick says:
    November 11, 2021 at 2:30 PM

    Thiago,

    In following your walkthrough at the below part, I’m stuck on correctly creating the port forwarding rules. I am trying to port forward my Plex Server for remote access however I keep failing. So, I’m not quite sure how to properly fill in the rules on both my UDMP & the pfSense box. I thought I was close but alas..

    "The solution for the issues with Double NAT, UPnP and port forwarding is the same: doing a manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule from UDM-Pro to the pfSense, so that it allows pfSense and its devices to connect to devices behind the UDM-Pro."

    Could you provide some guidance on this? Or maybe be willing to chat offline to help me get these rules complete so that I can create others in the future.

    Reply
  16. Andrew says:
    May 5, 2022 at 12:59 AM

    But do you still get the network traffic stats on the fancy GUI on the unifi network controller?

    Reply
  17. Andrew says:
    May 5, 2022 at 1:03 AM

    Hi there.. I have pfSense and a USW 24 Pro switch with a Cloud Key Gen2+, but I want to get the network traffic showing on my Unifi console software... is this possible?

    Reply
  18. Pingback: Routing Internet Traffic Through a Site-to-Site IPsec VPN on a specific Wi-fi over VLAN - Geek is the Way!
