Advice on planned ISP modem swap and impact on my Ubiquiti network

Hello,

I wanted to ask the forum members for some advice on my ISP's planned modem swap.

At the moment I have a cable modem from my ISP (plain and simple, without routing or WiFi) which is connected to my Ubiquiti USG, which is then connected to my Ubiquiti 24P POE switch, where all my Ubiquiti APs and other network devices are connected. There's a separate VLAN for Guest WiFi and IoT devices. Also on my network there's a Synology NAS which runs a few services like OpenVPN server, Ubooquiti, Deluge etc. To reach these services I have registered a FQDN which is connected through CNAME records to my Synology's DynDNS service, on which traffic is redirected to the correct service with the Synology's built-in reverse proxy. All working fine.

Here comes the trouble: my ISP decided to not support the current cable modems anymore and wants to swap it with, according to them, a "better" device; the modem they want to replace it with is in fact a Router/WiFi modem. On that modem there's no way to disable the DHCP server or NAT interface. The only thing you can do is disable the WiFi, set up port forwarding and set 1 IP in DMZ.

So what would be the best way to implement this in my current setup without losing any functionality?

The way I figured it out (and correct me if I'm wrong) is to place the Ubiquiti USG's IP address in the DMZ of my ISP's modem so I don't have to set up port forwarding rules on the ISP modem, and also disable the WiFi. Will this work? Also, will the DynDNS service on the Synology NAS be able to update its public IP address and will I still be able to reach my services through the reverse proxy on my NAS?

Thx


Accepted Solutions

Re: Advice on planned ISP modem swap and impact on my Ubiquiti network

I have had similar issues, and a rather similar setup.

Not being able to disable the DHCP is manageable.

Make sure the network (IP subnet) zone between the modem and the USG is different from the networks behind the USG.

The DHCP server will in that case not mess with your internal DHCP.

I guess the "1 machine in DMZ" is your best option, if that means "exposed host": e.g. all ports, unless specified otherwise, are forwarded to the USG. (I have this at my main site, it works)

Otherwise, most modems allow you to configure that a client always gets the same IP address. Do so for your USG, and forward all the ports you want/need. This is a bit annoying, as you will need to forward twice: once from the modem to the USG, and once from the USG to the NAS. Not elegant, but it will work. (I have this at some remote sites, it works)

Technically, you are in a double-NAT situation, but in practice it will behave like a single-NAT environment for most practical purposes. Please be aware that the internet-facing IP of your USG from the perspective of the USG is not the public IP by which it can be reached from the internet. If you run IPsec VPN services, this may bite you if you are not aware of this.

DynDNS services typically don't care whether they are behind NAT or double-NAT. I guess this will just work.

WiFi: just switch it off if you can. On some modems, you cannot. In that case, try to configure a WiFi channel on the modem that does not interfere with your UniFi APs. Or the other way round, configure your UniFi APs close to the modem to use a channel different from the modem. This is the least of your worries. (If all else fails, put some tin foil around your ISP modem to weaken its signal ...)

hth,

Wouter

edit: typos
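
A way to check the two conditions described in the answer above (the modem-to-USG subnet must not overlap the networks behind the USG, and the USG's WAN address is not the public one), as an added example that is not part of the original posts. The function name `audit_double_nat` and all addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT. Python's is_private
# is False for this range, so it is checked explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def audit_double_nat(usg_wan_ip, modem_lan, internal_nets):
    """Return a list of (kind, detail) findings for a USG behind an ISP router."""
    wan = ipaddress.ip_address(usg_wan_ip)
    transit = ipaddress.ip_network(modem_lan, strict=False)
    findings = []

    # A private or CGNAT WAN address means the USG does not hold the public IP,
    # which matters for services that embed or verify addresses (e.g. IPsec).
    if wan.is_private or wan in CGNAT:
        findings.append(("double-nat", f"USG WAN {wan} is not a public address"))

    # The WAN address should come from the modem's LAN (its DHCP scope).
    if wan not in transit:
        findings.append(("wan-outside-transit", f"{wan} is not inside {transit}"))

    # Every network behind the USG must be disjoint from the modem's LAN,
    # otherwise routing and the modem's DHCP scope collide with internal ranges.
    for name, cidr in internal_nets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(transit):
            findings.append(("overlap", f"{name} {net} overlaps modem LAN {transit}"))
    return findings


# Constructed sample values, not taken from the thread.
SAMPLE_NETS = {
    "LAN": "192.168.1.0/24",
    "Guest": "192.168.20.0/24",
    "IoT": "192.168.0.128/25",  # deliberately collides with the modem LAN
}

if __name__ == "__main__":
    for kind, detail in audit_double_nat("192.168.0.2", "192.168.0.1/24", SAMPLE_NETS):
        print(f"[{kind}] {detail}")
```
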
