Emerging Member

Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT.

I have two sites, A and B, located in two different cities. Both sites have dynamic IP addresses from the ISP.

A is the primary site with an EdgeRouter X, 3 AC-Pros, wired and wireless computer clients, and has a Cloud Key.

B is the secondary, having an EdgeRouter PoE and 4 AC-Pros, wired and wireless computer clients.

Adding IoT data monitoring sensors which send email alarms to a Gmail account.

I have a Google Domains domain for DDNS. Not yet configured.


Goals

1 - Site B AC-Pros need to be managed from site A using site A's Cloud Key.

2 - IoT wireless sensors need to be managed/monitored from Site A. Should be a separate network from "normal" computer traffic.

3 - Site A's Cloud Key manages Site B's AC-Pros and EdgeRouter PoE.

4 - Site B's IoT sensor data and management from Site A on a network separate from "normal" computer traffic.

5 - Manage Site B's EdgeRouter PoE from Site A.


Proposed solution/questions

Can Site A's Cloud Key manage the AC-Pros at Site B, but not the EdgeRouter PoE, on a protected/isolated network?

For the IoT sensor traffic I'm thinking of setting up an SSID for the sensors at Site B and Site A. Ubiquiti's documentation is a bit confusing. The IoT traffic only needs to be isolated from Site B's computer traffic.

One thought is to configure a site-to-site EdgeRouter to EdgeRouter VPN using a "sensor SSID" at Site A and Site B. To access the IoT from Site A one would just join the Sensor SSID.

The other thought is to use DDNS and set up port forwarding on the EdgeRouter at site B to the IoT sensor.

Any thoughts or suggestions?

Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT

Hello Doug Spindler,
Of course it is possible to use one controller for both sites. But I would suggest you use a cloud-hosted controller with a static IP and an SSL certificate. This is easier to maintain. You can google the Crosstalk Solutions video; he has an easy setup for hosted setups. https://www.youtube.com/watch?v=poGSr5Qvj0A and of course some others have similar how-tos here for it.

If you have a private IP from your ISP, then it's not possible to use the Cloud Key with an external site (without an external IPv4 relay server, an advanced setup with other hardware and a service provider).

The UniFi Controller can't manage the EdgeRouter.

When it's possible, it's much easier to use a USG on both sites. Depending on your ISP speed and needed functions, maybe the USG 3P is enough. With this setup you can use site-to-site VPN (public IP on both sites; double NAT must be checked; is bridge mode or a modem possible with your ISP; I didn't try it with both sites on DDNS. One site with a static IP will work for sure).
Separating the network with a VLAN is simple with UniFi, if you have all switches from UniFi. It's also possible with other manufacturers, but I guess you won't find anyone here to help with that setup.

Best regards
Torsten 

Emerging Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT

Torsten, thank you for your reply. 

Are you suggesting using static IP over DDNS because the EdgeRouters do not support DDNS?

There's a video on DDNS.


I don't have and can't get static IPs. That's why I'm using DDNS.

Are you sure one cannot use DDNS with a Cloud Key? Doesn't make sense to me. Please explain.


https://www.youtube.com/watch?v=3AeD5nL3vdc

 

Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT


Hello @DougSpindler 

It can be a problem when you use site-to-site VPN or any type of VPN. The controller itself has no bigger problems with DDNS. It depends a little bit on how well it's working. When the ISP changes your IP, how long will it take to notify the DDNS service? When you use a cloud-based controller, it doesn't matter, but a local controller will lose connection to all devices from the external site.

And the tunnel is disconnected for these time periods.

If you can live with this, it will work as well as a static public IP. If it is a business setup, it's maybe a problem. IoT devices are maybe not available on the other site.

You can get a static public IP via service providers. These are the same ways for users with private ISP addresses, for example http://www.feste-ip.net/

By the way, when you use port forwarding for any device, it is a really insecure setup. You should better use a VPN instead.

If a botnet or anything else is compromising your IoT devices, it doesn't make a difference if they are isolated from your private devices.

best regards
Torsten

Emerging Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT

Thank you for your reply. Doesn't a static public IP service have similar pitfalls to DDNS? (Not the same, but similar issues?)

I agree with you about botnets and VPNs but didn't get an answer. Can I create a VPN from an SSID on Site A to an SSID on Site B? With Site A and Site B being isolated from the other WiFi traffic?
I think it can be done; it's just that I'm not getting a clear understanding of how Ubiquiti separates/firewalls WiFi traffic. It appears to me that once that isolated traffic hits a switch it's not isolated anymore.

Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT

A public static IP service like feste-ip.net uses a VPN tunnel to the server from feste-ip.net. If the ISP disconnects you to change the local IP, you have no connection only for a very short time, below 1 minute. Free DDNS services need much more time, 5 minutes or more. If some short downtimes are no problem, you don't need to worry about it.

I haven't used or tried VLANs through VPN. So I can't tell you whether this would work.

best regards
Torsten
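For the IoT isolation asked about in the original post and in the question above about whether isolated WiFi traffic stays isolated once it hits a switch: the isolation has to be enforced by the router's firewall on the VLAN, not by the SSID. Below is an added example (not from the thread or from Ubiquiti) of an EdgeOS configuration for an EdgeRouter X or EdgeRouter PoE that puts the sensor SSID on a tagged VLAN and blocks that VLAN from the computer LAN. The VLAN id 30, the subnets 192.168.30.0/24 (IoT) and 192.168.1.0/24 (computer LAN) and the rule names are assumed values.

```text
# In the UniFi controller: create a network "IoT" with VLAN 30 and attach the
# sensor SSID to it, so the AC-Pros tag sensor traffic with VLAN 30.
# On the EdgeRouter (EdgeOS CLI), VLAN 30 becomes a sub-interface of switch0:
configure

set interfaces switch switch0 vif 30 description IoT
set interfaces switch switch0 vif 30 address 192.168.30.1/24

# DHCP and DNS for the sensors, served by the router itself
set service dhcp-server shared-network-name IoT subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name IoT subnet 192.168.30.0/24 dns-server 192.168.30.1
set service dhcp-server shared-network-name IoT subnet 192.168.30.0/24 start 192.168.30.100 stop 192.168.30.200
set service dns forwarding listen-on switch0.30

# IOT_IN: traffic entering the router from the IoT VLAN and leaving elsewhere.
# Replies to sessions opened from the computer LAN (management from Site A,
# locally or arriving over the site-to-site VPN) are allowed back by rule 10;
# rule 30 stops the sensors from opening anything towards the computer LAN;
# everything else (email alarms to Gmail) goes out to the WAN.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 state invalid enable
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 destination address 192.168.1.0/24

# IOT_LOCAL: traffic from the IoT VLAN to the router itself. Only DHCP and DNS,
# so a compromised sensor cannot reach the router's GUI/SSH.
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 protocol udp
set firewall name IOT_LOCAL rule 10 destination port 53,67
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 state established enable
set firewall name IOT_LOCAL rule 20 state related enable

set interfaces switch switch0 vif 30 firewall in name IOT_IN
set interfaces switch switch0 vif 30 firewall local name IOT_LOCAL

commit
save
exit
```

The switch ports facing the AC-Pros must carry VLAN 30 tagged (switch0 vif 30 is tagged on all switch ports by default on these models); the drop in rule 30 is what keeps the sensor traffic separated from the computer clients, regardless of which switch it passes through.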

Emerging Member
Posts: 56
Registered: ‎07-15-2017
Kudos: 1

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT


Thanks, I will check feste-ip.net out. I should have mentioned I will only need to connect to this site once or twice a year. Five minutes is no big deal.

This might be helpful for others. I'm going to leave a Windows 10 computer there with a TP-Link Smart Home plug. I'm changing the BIOS setting to "When power resumes, power on computer". This way I can use the TP-Link Smart Home app (Kasa) to remotely power the plug, which will turn the computer on. Then I can RDP in. Once I'm done, I will power off the computer and use the Kasa app to power off the Smart Home plug.


Member

Re: Need design assistance with two sites and EdgeRouters, AC-PROs, CloudKey and the tricky part IoT

ok?

It sounds a bit strange. Kasa is a cloud-based smart home system, and a notebook on the site is left off all the time? Where is the need to have a direct connection between those two sites?

Putting the controller on a cloud-based server, like I explained, is a perfect solution for UniFi. It can be used from both sites.

best regards
Torsten
