Last Updated on August 14, 2022 by Thiago Crepaldi
Unifi Dream Machine Pro (aka UDM Pro) is a nice appliance for acting as the Unifi controller for your access points (APs), while it also offers an 8-port managed switch with low power draw, noise and heat. It is an average router, and a lousy security appliance (hopefully they will improve a lot in this area). This is where pfSense comes into play. In this post, I will set up pfSense and UDM Pro routers in a daisy-chain fashion. pfSense will sit at the edge of the Internet, taking care of things like security and VPN servers. UDM Pro, in turn, will act as my LAN router, protected by pfSense and integrating nicely with all my Unifi products.
Getting started
The easiest way to get started is to do a basic configuration of each appliance separately. Connect your ISP wire to your pfSense WAN port and your computer to a pfSense LAN port (e.g. OPT1). Each pfSense appliance has a different port configuration, which I won’t cover in this post, but make sure you configure at least one WAN port and one LAN port. If your pfSense has several ports, like the Netgate SG-2440 (4 ports), you can create one WAN and three LAN interfaces for future use.
Once your pfSense is working and you have Internet access through it, disconnect it, put the UDM Pro in its place and do a basic configuration from your PC, which I won’t cover in this article either.
Now both devices are working individually and we can set them up to work together!
For this post, the following convention will be used:
- Domain name: lan.domain.com
- pfSense
  - Hostname: pfsense.lan.domain.com
  - IP: 10.0.0.1
- UDM-Pro
  - Name: udmpro.lan.domain.com
  - IP:
    - 192.168.1.1 (LAN port)
    - 10.0.0.2 (WAN port)
- Synology NAS
  - Name: synology.lan.domain.com
  - IP: 192.168.1.5
Physical connection
I could connect my ISP wire on my pfSense WAN port and then connect a LAN port of my pfSense into any LAN port of the UDM Pro to avoid many of the hurdles we are going to discuss. I didn’t do it because that would also kill the router functionality of the UDM Pro and lots of management features. Another approach would be putting UDM Pro in bridge mode, but I didn’t because UDM Pro doesn’t implement bridge mode and if it did, this would also kill the routing functionality. A third approach that I didn’t want was to disable DHCP server on the UDM-Pro and put it on a DMZ network on pfSense because it would result in killing the router functionality of the Unifi too.
Instead, I connected the Internet wire from my ISP to my pfSense WAN port. Next, I connected my pfSense LAN port (e.g. OPT1) to the WAN port of the UDM Pro. With that, I created two separate networks: the pfSense network (e.g. 10.0.0.x/24 from now on) and the UDM Pro network (e.g. 192.168.1.x/24 from now on). This setup is known as daisy-chained routers. The most challenging issue in this setup is double NAT, which may cause connectivity issues in some scenarios. Universal Plug and Play (UPnP) and port forwarding also suffer from connectivity issues.
The solution for the issues with double NAT, UPnP and port forwarding is the same: manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule on the UDM-Pro that exposes a device behind it on the UDM-Pro’s WAN address, so that pfSense and the devices on its network can reach that device. If you also want devices on the Internet to reach devices behind your UDM-Pro, you need a second port forwarding rule on the pfSense, from its WAN port to the UDM-Pro’s address on the pfSense network. For example, if you are at school and want to connect through SSH (port 22) to your laptop at home behind your UDM-Pro, you would first create a port forwarding rule on your UDM-Pro exposing port 22 of your laptop (say 192.168.1.50) as port 22 of your UDM-Pro. At this point, devices connected to your pfSense would be able to SSH to your laptop. Next, to allow the connection from the Internet, on your pfSense you create a port forwarding rule that sends port 22 on its WAN to port 22 on the UDM-Pro. Something like:
you_on_Internet -> pfSense:22 -> UDM-Pro:22 -> laptop:22
One interesting consequence of daisy-chaining routers is that, although the outer router (pfSense) doesn’t know the inner router’s network (UDM-Pro), the reverse does not hold: devices connected to the UDM-Pro do have access to the pfSense’s network.
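To make the double-NAT point concrete, here is an added Python example (not code from the original post) that models the two routers described above. The addresses follow the convention used in this post; the public WAN address 203.0.113.10 is a constructed RFC 5737 documentation value, and the routing logic is deliberately simplified. Tracing an inbound SSH connection shows that it is dropped when only the UDM-Pro rule exists and reaches the laptop once both port forwards are in place; the second function shows the one-way visibility between the two networks.

```python
"""Model of the daisy-chained pfSense -> UDM-Pro topology described above.

Added example, not code from the original post. It simulates the two
port-forward hops a connection needs to reach a host behind the inner router
under double NAT, and the one-way visibility between the two networks.
Addresses follow the post's convention (10.0.0.x for pfSense, 192.168.1.x
for UDM-Pro); the public address 203.0.113.10 is a constructed RFC 5737
documentation value, and the laptop 192.168.1.50 is the post's example host.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Router:
    name: str
    wan_ip: IPv4Address       # address on the upstream side of this router
    wan_net: IPv4Network      # network the WAN port is attached to
    lan_net: IPv4Network      # network this router serves
    # Port forwards keyed by (proto, wan_port) -> (inside_ip, inside_port)
    forwards: dict = field(default_factory=dict)

    def add_forward(self, proto, wan_port, inside_ip, inside_port):
        self.forwards[(proto, wan_port)] = (ip_address(inside_ip), inside_port)

    def translate(self, proto, port):
        return self.forwards.get((proto, port))


def trace_inbound(routers, entry_ip, proto, port):
    """Follow a connection from the Internet that arrives at entry_ip:port.

    Whenever the current destination is a router's WAN address, apply that
    router's port forward and continue. If a router has no matching rule the
    connection is dropped by its default WAN policy and None is returned.
    Returns (final_endpoint_or_None, list_of_hops).
    """
    by_wan = {r.wan_ip: r for r in routers}
    ip, hops = ip_address(entry_ip), []
    while ip in by_wan:
        router = by_wan[ip]
        target = router.translate(proto, port)
        if target is None:
            hops.append(f"{router.name}: no forward for {proto}/{port}, dropped")
            return None, hops
        hops.append(f"{router.name}:{port} -> {target[0]}:{target[1]}")
        ip, port = target
    return (ip, port), hops


def reachable_from_lan(router, dst):
    """Can a host on router.lan_net initiate a connection to dst?

    Simplified routing: destinations on the LAN or on the WAN's own network
    are directly reachable; everything else leaves via the default route,
    where a private address has no path back (the outer router never learns
    the inner LAN), so only public destinations get through.
    """
    dst = ip_address(dst)
    if dst in router.lan_net or dst in router.wan_net:
        return True
    return not dst.is_private


def build_topology():
    pfsense = Router("pfSense", ip_address("203.0.113.10"),
                     ip_network("203.0.113.0/24"), ip_network("10.0.0.0/24"))
    udm_pro = Router("UDM-Pro", ip_address("10.0.0.2"),
                     ip_network("10.0.0.0/24"), ip_network("192.168.1.0/24"))
    return pfsense, udm_pro


def ssh_to_laptop():
    """Reproduce you_on_Internet -> pfSense:22 -> UDM-Pro:22 -> laptop:22."""
    pfsense, udm_pro = build_topology()
    # Only the inner hop configured: pfSense has no rule and drops it.
    udm_pro.add_forward("tcp", 22, "192.168.1.50", 22)
    inner_only, _ = trace_inbound([pfsense, udm_pro], "203.0.113.10", "tcp", 22)
    # Both hops configured: the connection reaches the laptop.
    pfsense.add_forward("tcp", 22, "10.0.0.2", 22)
    both, hops = trace_inbound([pfsense, udm_pro], "203.0.113.10", "tcp", 22)
    return inner_only, both, hops


if __name__ == "__main__":
    inner_only, both, hops = ssh_to_laptop()
    print("inner hop only:", inner_only)
    print("both hops:", both, *hops, sep="\n  ")
    pfsense, udm_pro = build_topology()
    print("UDM-Pro LAN -> pfSense admin 10.0.0.1:", reachable_from_lan(udm_pro, "10.0.0.1"))
    print("pfSense LAN -> NAS 192.168.1.5:", reachable_from_lan(pfsense, "192.168.1.5"))
```

The model stops the moment a router lacks a matching rule, which is exactly the symptom of a half-configured double-NAT setup: the inner rule looks correct, yet nothing arrives, because the outer router never forwarded the connection.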
Setting up NTP server on pfSense
It is a good idea to have an NTP server running on your network so that all devices can synchronize their time. Go to Services >> NTP >> Settings to get started. In the Interface list, make sure all the LAN, VPN server or possibly WAN interfaces on which you want to serve time are selected (or leave all blank to serve on all). Add 0.pfsense.pool.ntp.org, 1.pfsense.pool.ntp.org, 2.pfsense.pool.ntp.org and 3.pfsense.pool.ntp.org to the Time servers list with the Is a pool option checked, and finish the setup by clicking Save.
Configuring DHCP Server on pfSense
Now we customize the pfSense DHCP server to hand out NTP and DNS server addresses and a domain name; the same domain name will also be used in the UDM-Pro DHCP server settings.
Go to Services >> DHCP Server and for each LAN interface do as follows:
Servers
- DNS Servers: 10.0.0.1
Other Options
- Domain name: lan.domain.com (this must match the domain name configured on the UDM-Pro)
- NTP Server 1: 10.0.0.1
Click Save to finish. From now on, the DHCP Server will send NTP/DNS server and the domain name to the clients along with the IP lease.
Setting up NTP server on UDM-Pro
In our daisy chained setup, we will configure UDM-Pro to use pfSense as the NTP Server. On the Network application, go to Settings >> Network settings >> Location & Time page and do as follows:
At Timezone & Location section, set Timezone and Country or Territory accordingly.
At Network Time Protocol (NTP) section, set your pfSense IP as the NTP Server hostname and finish by clicking Apply changes.
Configuring DHCP Server on UDM-Pro
As with the pfSense DHCP server configuration, we need to configure the UDM-Pro to distribute the NTP and DNS server and domain name along with the IP leases. Go to the Network application, then Settings >> Networks >> Local networks, click Edit on each LAN and do as follows:
General
- Domain name: lan.domain.com
DHCP Controls
- DHCP Name Server: 192.168.1.1 (the IP of the UDM-Pro, which in turn uses the pfSense DNS server)
DHCP Controls >> Advanced DHCP Options
- DHCP NTP Server: 192.168.1.1 (the IP of the UDM-Pro, which in turn uses the pfSense NTP server)
When you click Apply changes, future leases will also distribute these additional settings.
Reserve a static IP from pfSense network to the UDM Pro
Now that the UDM Pro is physically connected to the pfSense LAN port and your DHCP server is properly configured, your UDM-Pro will get an IP from it. We will reserve a static IP for the UDM Pro to facilitate future integrations between the two appliances. In order to do that, we need the UDM Pro MAC address. On your UDM Pro, go to Network >> Devices and click on your UDM Pro entry in the list. In the Overview section, take note of the MAC address field.
To create the reservation, log in to your pfSense page and go to Services >> DHCP Server. For your LAN interface, scroll to the bottom of the page until you reach the DHCP Static Mappings for this Interface section. Click Add and fill in the MAC address you noted. You can also fill in the Client Identifier and Hostname with the name of the Unifi. In IP address, enter the static IP for your UDM Pro (e.g. 10.0.0.2) and finish by clicking Save. The change does not take effect immediately, but you can force it by disconnecting and reconnecting the WAN port of your UDM Pro or by restarting it. After reconnecting, your UDM Pro will always receive the same IP.
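The DHCP, domain and static mapping settings from the last few sections depend on each other, and a mismatch (a different domain name on the two routers, a DNS server clients cannot reach, or a reservation that collides with the dynamic pool) only shows up later as failed name resolution or a UDM Pro that changes address. This added Python example, which is not code from the original post, encodes the values described above and checks them against each other; the MAC address and the dynamic pool range 10.0.0.100-10.0.0.199 are constructed sample values, not from the post.

```python
"""Consistency check for the DHCP settings from the sections above.

Added example, not part of the original post. It takes the values configured
on the pfSense and UDM-Pro DHCP servers plus the static mapping for the
UDM-Pro WAN port and flags what quietly breaks name resolution or time sync
in this setup: mismatched domain names, a DNS/NTP server that is not on the
clients' own network, a malformed MAC address, and a reservation that lands
inside the dynamic pool or does not match the address later used for the
UDM-Pro. The MAC address and the pool range 10.0.0.100-10.0.0.199 are
constructed sample values, not from the post.
"""
import re
from ipaddress import ip_address, ip_network

# Settings as described in the post (the pool range is an assumption).
PFSENSE_DHCP = {
    "lan": "10.0.0.0/24",
    "dns": "10.0.0.1",
    "ntp": "10.0.0.1",
    "domain": "lan.domain.com",
    "pool": ("10.0.0.100", "10.0.0.199"),
}
UDM_PRO_DHCP = {
    "lan": "192.168.1.0/24",
    "dns": "192.168.1.1",          # UDM-Pro itself, which forwards to pfSense
    "ntp": "192.168.1.1",          # likewise for time
    "domain": "lan.domain.com",
    "wan_ip": "10.0.0.2",          # address the UDM-Pro WAN port should always get
}
UDM_PRO_RESERVATION = {
    "mac": "00:11:22:AA:BB:CC",    # constructed sample MAC
    "ip": "10.0.0.2",
    "hostname": "udmpro",
}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff.

    Returns the lowercase colon-separated form pfSense displays, or None when
    the input does not contain exactly 12 hex digits.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def check_dhcp(pf, udm, reservation):
    """Return a list of problems; an empty list means the two servers agree."""
    problems = []
    pf_lan, udm_lan = ip_network(pf["lan"]), ip_network(udm["lan"])

    if pf["domain"].lower() != udm["domain"].lower():
        problems.append(f"domain mismatch: pfSense {pf['domain']} vs UDM-Pro {udm['domain']}")

    # Each router hands out its own address; a server outside the clients'
    # network would be unreachable for hosts that only know that network.
    for side, cfg, net in (("pfSense", pf, pf_lan), ("UDM-Pro", udm, udm_lan)):
        for option in ("dns", "ntp"):
            if ip_address(cfg[option]) not in net:
                problems.append(f"{side} {option.upper()} server {cfg[option]} is not on {net}")

    if normalize_mac(reservation["mac"]) is None:
        problems.append(f"invalid MAC address {reservation['mac']!r}")

    addr = ip_address(reservation["ip"])
    if addr not in pf_lan:
        problems.append(f"reserved address {addr} is outside the pfSense LAN {pf_lan}")
    pool_start, pool_end = (ip_address(x) for x in pf["pool"])
    if pool_start <= addr <= pool_end:
        problems.append(f"reserved address {addr} is inside the dynamic pool "
                        f"{pool_start}-{pool_end}; pfSense does not accept static mappings there")
    if addr != ip_address(udm["wan_ip"]):
        problems.append(f"reservation {addr} does not match the UDM-Pro WAN address "
                        f"{udm['wan_ip']} that the firewall rules will reference")
    return problems


def misconfigured_example():
    """Same setup with a different domain on the UDM-Pro and a reservation inside the pool."""
    return check_dhcp(PFSENSE_DHCP,
                      dict(UDM_PRO_DHCP, domain="home.lan"),
                      dict(UDM_PRO_RESERVATION, ip="10.0.0.150"))


if __name__ == "__main__":
    print("good config:", check_dhcp(PFSENSE_DHCP, UDM_PRO_DHCP, UDM_PRO_RESERVATION) or "no problems")
    for problem in misconfigured_example():
        print("problem:", problem)
```

Run it after editing either router's DHCP page; the last check ties the reservation to the address used later in the UDM-Pro firewall rule, so a typo in one place is caught before the SSH rule silently stops matching.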
Allowing SSH from pfSense into UDM Pro
By default, UDM Pro blocks incoming connections from the Internet port, especially for services such as SSH. In our setup, we want to enable SSH on the UDM-Pro WAN to allow a tight integration with pfSense, such as transfer of Let’s Encrypt certificates issued by pfSense to UDM-Pro. Normally this would be a terrible idea, but remember the WAN port of the UDM Pro is not exposed to the internet, but to a LAN port of your pfSense.
On your UDM Pro, log in and click on the Network application. Go to Settings >> Internet Security >> Firewall and click on WAN in the Rules tab. Click on Create new rule and do as follows:
At the General section
- Change Type to WAN Local
- In the Description field, type something like Allow SSH from WAN local
- Make sure it is Enabled
- Rule applied: Before predefined rules
- Action: Allow
- IPv4 Protocol: TCP
At the Source section
- Source Type: IP Address
- IPv4 Address: <pfSense address> (e.g. 10.0.0.1)
- Port: Blank
At the Destination section
- Destination Type: IP Address
- IPv4 Address: <UDM Pro address from pfSense net> (e.g. 10.0.0.2)
- Port: 22
Click Apply at the bottom of the page. Now you should be able to run something like ssh root@<UDM Pro ip> from pfSense and connect to your UDM Pro.
Note we used the UDM Pro IP as 10.0.0.2 instead of 192.168.1.1. This was intentional, as pfSense doesn’t really know the 192.168.1.x network and the only IP it knows to connect to the UDM Pro is the one assigned by the pfSense itself on its 10.0.0.x network.
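The rule above is deliberately narrow: only pfSense as source, only the UDM Pro's WAN address as destination, only TCP port 22. The following added Python example (not from the original post or from Ubiquiti) evaluates that rule set, with the default drop of unsolicited WAN connections that the post relies on, against a few constructed connections, and contrasts it with a variant whose source is left blank, which would let every host on the pfSense network reach the UDM Pro's SSH service.

```python
"""Evaluate the UDM-Pro 'WAN Local' rule described above against sample connections.

Added example, not code from the original post or from Ubiquiti. It applies
the rule list top-down with the default behaviour the post relies on (the
UDM-Pro drops unsolicited connections arriving on its WAN) so you can confirm
the rule admits exactly pfSense (10.0.0.1) to SSH (tcp/22) on the UDM-Pro WAN
address (10.0.0.2) and nothing else. For contrast it also evaluates an
over-broad variant with the source left open. All connections are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    description: str
    action: str              # "allow" or "drop"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any port

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return (self.proto in ("any", proto)
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


# The rule from the section above, placed "before predefined rules" so it is
# consulted ahead of the controller's built-in drop of unsolicited WAN traffic.
WAN_LOCAL_RULES = [
    Rule("Allow SSH from WAN local", "allow", "tcp", "10.0.0.1/32", "10.0.0.2/32", 22),
]

# Same rule with the source left blank: every host on the pfSense side gets in.
OVERBROAD_RULES = [
    Rule("Allow SSH from anywhere on WAN", "allow", "tcp", "0.0.0.0/0", "10.0.0.2/32", 22),
]


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching rule wins; no match falls through to the predefined drop."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action, rule.description
    return "drop", "predefined: drop unsolicited connections on WAN"


# Constructed sample connections arriving at the UDM-Pro WAN port.
SAMPLE_CONNECTIONS = {
    "ssh from pfSense": ("tcp", "10.0.0.1", "10.0.0.2", 22),
    "ssh from another pfSense LAN host": ("tcp", "10.0.0.50", "10.0.0.2", 22),
    "https to UDM-Pro UI from pfSense": ("tcp", "10.0.0.1", "10.0.0.2", 443),
    "udp/22 from pfSense": ("udp", "10.0.0.1", "10.0.0.2", 22),
}


def audit(rules):
    """Map each sample connection name to the action the rule set takes."""
    return {name: evaluate(rules, *conn)[0] for name, conn in SAMPLE_CONNECTIONS.items()}


if __name__ == "__main__":
    for label, rules in (("as configured", WAN_LOCAL_RULES), ("over-broad", OVERBROAD_RULES)):
        print(label)
        for conn, action in audit(rules).items():
            print(f"  {action:5} {conn}")
```

Only the first sample connection is allowed by the rule as written; the over-broad variant also admits the second one, which is why the Source field should carry the pfSense address rather than being left blank.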
Adding Unifi Access Points
In the very beginning, I started simple and plugged the Unifi AP directly into one of the eight UDM-Pro LAN ports. This is the simplest way to get Wi-Fi going, as the Unifi controller and AP are on the same network and the setup process is standard. First you adopt the new device (the AP) in the controller web UI by opening the Network application, clicking on Devices and hitting the Adopt button for the newly listed AP. Next, you navigate to Settings >> Wi-Fi >> Wi-Fi Networks and press Create New Wi-Fi network. A wizard will be presented and if you pick Create Basic Wi-Fi, all you have to do is choose a Wi-Fi name and password.
In the future we may need to revisit this topology if we wish, for example, to create different Wi-Fi networks, each of which being able to go out to Internet using different gateways. For now, let’s enjoy the simplicity provided by Unifi 🙂
Thanks a lot for this write up! I am planning on adding a pfSense box to protect an existing UDMP network as I want the full routing functionality to remain with UDMP. I was wondering if possibly adding a route on pfSense and/or UDMP could allow pfSense to know about 192.168.1.1 where UDMP lives. I don’t suspect you’ve had issues with your UDMP having two LAN IPs. Are you using any VLANs on the UDMP? I am using a few VLANs and just hope pfSense won’t have an issue with that – or require creating the same VLANs on the pfSense box.
“Note we used the UDM Pro IP as 10.0.0.2 instead of 192.168.1.1. This was intentional, as pfSense doesn’t really know the 192.168.1.x network and the only IP it knows to connect to the UDM Pro is the one assigned by the pfSense itself on its 10.0.0.x network.”
Hi Francois, I didn’t try creating a static route, but I could try and let you know! I wonder why you want to do this 🙂 I can try to help you achieve what you want and maybe learn something during the process.
I use 192.168.1.x as the LAN IP and several VLANs on the Unifi AP and it works fine (such as 192.168.10.x, 192.168.20.x, 192.168.30.x, etc.). If you want to use different gateways for each VLAN, then you have to move your AP from the UDM-Pro to the pfSense, as UDM-Pro can handle multiple VLANs on the WAN port. This post discusses that in detail!
Thanks for this write-up. It was very helpful and I managed to get my setup working much quicker than I expected due to the knowledge you shared. I’m curious if you use Synology’s free DDNS, and if so how you managed to get that working given the daisy-chained routers? My setup is fairly close to what you described (ISP -> pfSense WAN (public IP) -> pfSense LAN (10.0.0.1) -> UDM Pro WAN (10.0.0.2) -> UDM Pro LAN (192.168.200.x/24) -> Synology NAS (192.168.200.x)). I’m guessing I need an entry added on the pfSense – but is the entry a static route or custom DDNS? Thanks in advance for any feedback you can provide.
Hi Duane, one good question to ask yourself is why you want DDNS on a device which is behind the firewall. I’d argue that maybe configuring DDNS on your pfSense makes more sense, as it is the real edge of your network. For that, you could follow this post on pfSense + Cloudflare for DDNS.
Now that your customers can find your IP, the next step would be to configure port forwarding on your pfSense which redirects you to the UDM Pro. Then you configure your UDM Pro to port forward to your Synology NAS. That means that pfSense advertised your public IP but then chained port forwarding in both routers took you to the final service.
However, if you really want Synology DDNS to work, you will need to port forward the port used by the DDNS service on your pfSense to UDM Pro and from UDM Pro to Synology. Then you repeat this process, as above, to port forward the ports of the service you want to expose.
Consider not exposing anything on the Internet, especially if you are the only one using it. Instead, configure Cloudflare DDNS and an OpenVPN server, and then port forward whatever you need to access behind your UDM Pro from pfSense.
“The solution for the issues with Double NAT, UPnP and port forwarding is the same: doing a manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule from UDM-Pro to the pfSense, so that it allows pfSense and its devices to connect to devices behind the UDM-Pro.”
Can you tell me how to do this exactly based on your model? THANK YOU!
Hello Thiago! I have had this setup for a while and I am trying VPN, however, I am not sure what could be the best practice on this scenario.
I have a pfSense as an OpenVPN server at location “A” with a UDM PRO behind it; I have another pfSense at location “B” configured with OpenVPN as client. Connection is successful.
From location “B” I would like to VPN (connect) into the network behind the UDM PRO on location “A”.
Any suggestion?
Hi Tiago, what you want to do is called a site-to-site tunnel. I wouldn’t use an OpenVPN server in each site for that, but instead, I would use IPSec, just like I described here. That will make both pfSense talk to each other in an efficient and safe way. Next you will probably have to create some static routes between your pfSense and the UDM Pro behind it or port forwarding, depending on your scenario. Hope that helps.
Thanks for this BRILLIANT idea. I have pretty much an identical hardware setup to yours, but how can I get IPv6 addresses for client devices behind the UDMP? It seems like only devices right behind the first router, in this case the pfSense router, have a chance to receive IPv6 addresses provided by the ISP. Is this possible? Greatly appreciated!
You spoke about the pfSense knowing about the UDM Pro but not being able to see the network. What method would you recommend to access the pfSense from inside the UDMP network? For instance, if I was on my UDMP network with Wi-Fi and I wanted to log in to pfSense. Right now my UDMP and computers on its network can traverse over the connected external pfSense and see the Internet, but that’s it; I can’t access the actual pfSense configuration or other devices on the same network or parallel to the UDMP. I was able to connect via its external web IP, so I know it’s working.
https://geekistheway.com/2020/07/05/daisy-chaining-pfsense-udm-pro-to-work-together/?#allow-ssh-from-pfsense-into-udm-pro is an example of how to do a port forward from pfSense to UDM Pro for SSH (port 22).
Hi Tony, technically speaking IPv6 allows so many IPs that NAT wouldn’t be needed. NAT is usually used when IPs are scarce, but each grain of sand on Earth could have one IPv6 :).
Having said that, I didn’t experiment with IPv6 myself, but the same rules apply, as far as I know. You can create a port forward using IPv6 from pfSense to your UDM Pro and then another port forward from UDM Pro to whichever device you want, just like in the IPv4 scenarios.
Devices behind UDM Pro should be able to see the pfSense network, including pfSense’s admin page. The other way around that is not possible, meaning devices connected to pfSense can’t see what is behind your UDM Pro.
Check firewall settings to make sure something else is blocking access to your pfSense configuration page.
I wonder how’s your experience so far. I’m thinking of doing this as well.
I actually sold my UDM Pro and got a Unifi 24-port switch instead. Now I have the goods from pfSense as router and the goods from Unifi as managed switch. No regrets.
Dealing with double NAT for every scenario in the network is just not worth it.
Thank you so much for the update. I’m thinking of doing that as well, but I have the Unifi doorbell with me, which will need the physical controller.
Do you need the physical controller or do you need a 24/7 controller? I run the Unifi controller in a Docker container for my network and it worked really well: https://geekistheway.com/2020/11/04/installing-unifi-controller-docker-container-on-synology-nas/
Another alternative is a physical controller without the router such as https://store.ui.com/collections/unifi-accessories/products/unifi-cloudkey
Ya, I need the physical type to get the Unifi Protect service. I am not sure if Protect will run in a container. Will need to research more on it.
I would try https://hub.docker.com/r/iamjamestl/unifi-protect and if it doesn’t work, selling the UDM Pro and getting a Cloud Key 2 might be an option. Good luck!
Thiago,
In following your walkthrough at the part below, I’m stuck on correctly creating the port forwarding rules. I am trying to port forward my Plex server for remote access; however, I keep failing. So, I’m not quite sure how to properly fill in the rules on both my UDMP and the pfSense box. I thought I was close but alas...
“The solution for the issues with Double NAT, UPnP and port forwarding is the same: doing a manual port forwarding from the inner router to the outer router. In plain English, this means creating a port forwarding rule from UDM-Pro to the pfSense, so that it allows pfSense and its devices to connect to devices behind the UDM-Pro.”
Could you provide some guidance on this? Or maybe be willing to chat offline to help me get these rules complete so that I can create others in the future.
But do you still get the network traffic stats in the fancy GUI of the Unifi network controller?
Hi there.. I have pfSense and a USW 24 Pro switch with Cloud Key Gen2+, but I want to get the network traffic showing on my Unifi console software... is this possible?