New Member
Posts: 1
Registered: 03-12-2017

Connect Controller to External Site on Hardware VPN with Sonicwall

I was wondering if anyone has had any issues getting a controller that is at one site to connect to the UBNT equipment at an external site.  I have a three-site setup and installed UniFi US-48-750W switches and about 18 UAPs between sites.  I already have a site-to-site VPN set up with my SonicWall TZ600s.  When I am at a site I can only see that site's UBNT equipment, but I do already have access to each external network, with shares and the domain already running.



Each site has the following equipment:


Spectrum ISP with ARRIS Modem (STATIC IP) ==> SonicWall TZ600 ==> UBNT US-48-750W

I have a failover tunnel between each site as well as LTE as a failover WAN.  The WAN ports on the SonicWalls are X1 and X2, with X1 being static and X2 being DHCP, both ports in a group with DDNS running management to maintain connectivity if the main ISP goes down.


Any help would be appreciated.  Thanks


Senior Member
Posts: 2,674
Registered: 04-21-2015
Kudos: 396
Solutions: 104

Re: Connect Controller to External Site on Hardware VPN with Sonicwall


Can your controller be reached over DDNS on port 8080 (port forwarding might be required)?

Don't blame the device, as it's always doing what you have asked it to do; this is not always the same as what you want.

Regular Member
Posts: 374
Registered: 07-27-2012
Kudos: 507
Solutions: 11

Re: Connect Controller to External Site on Hardware VPN with Sonicwall

I would set up an L2 controller.

Basically you put a full-time controller at one site, with a public IP address, and do port forwarding in your SonicWall to make that happen.  You need ports 80, 8080, 8443 & 8880.  You don't technically need port 80, but I put a redirect on there to port 8443.


Then you use the DHCP option 43 in the Sonicwall to "advertise" the controller's public IP address.

Option Name : UNBT

Option Number : 43 (Vendor Specific Information)

Option Array : Checked

In the text box put : 0x01;0x04;0x48;0x28;0x58;0x5B

The last four hex numbers are your public IP address.

(0x48;0x28;0x58;0x5B translates to - this is not my IP address; just an example.)


Your remote sites will now "see" your controller all the time.

When you connect new equipment, you will see it in the controller, and can adopt it.

You can have 3 sites in the controller, so each site will have the correct subnet, etc.

You get the advantage of stats, since the controller will gather the stats as it is running all of the time.


Does that make sense?


I guess, technically, you could use a private IP address instead of a public IP address, assuming that you have site-to-site VPN between the sites.


A simple VM should be able to run the sites easily without too much CPU or RAM.