Currently we’re using vpn to access other locations but it only allows one user from the same public IP (has this ever been fixed?). I’m exploring the idea of site to site vpn but have no idea if it’ll work when our locations have the same exact IP addresses. My requirements are for HQ to have access to both locations a and b, the sites don’t have to communicate with each other. Is this possible?
Well you should fix that and deploy different subnets for a variety of reasons, this being the biggest one.
I’ve seen it done, but it involves setting up NATs to hide the real private IP and is just really messy.
If you dig hard enough you will find that there are site-to-site solutions that don’t require unique address space, but for the love of god don’t do it.
Even if you manage to make it work, there are so many weird issues you will have to deal with.
It’s not that hard to change a subnet.
VPNs are easy to set up. As a simple rule of thumb, you should have different local area networks at each site so that routing can take place across the VPN to the unique public IP address of the remote. Leave HQ the way it is (assuming it’s 192.168.1.1/24) because it likely has the most devices that you wouldn’t want to change IP addresses on. Then move on to site B and change the LAN address of the router to 192.168.2.1/24, if that’s appropriate. And move on to site three and make its local area network address 192.168.3.1/24, if appropriate. Once that’s done you can set up site-to-site VPNs. I would also recommend each site have a static WAN address.
Sadly UniFi does not offer NAT translation via VPN. I have had this headache forever. Typically I set up NAT translation on the client side, which uses SonicWall, and then VPN to my UDM Pro.
If you have the same exact subnet addresses, then perhaps putting both of those subnets behind DNAT is the way to go. Pick the apps you need on each side and set up port forwarding to them.
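As an added illustration of the NAT approach these two comments describe (this is not code from any commenter or from UniFi/SonicWall), the following Python models a 1:1 prefix translation at each site gateway: both sites keep their identical real LAN, and HQ addresses each site through a unique alias prefix that the gateway rewrites in both directions. All addresses and the alias prefixes are constructed assumptions.

```python
"""Model of why overlapping site LANs break plain routing over a site-to-site
VPN, and how NETMAP-style 1:1 NAT at each site gateway works around it.
Constructed example addresses; not a real deployment."""
from ipaddress import ip_network, IPv4Address

HQ = ip_network("192.168.0.0/24")            # assumed HQ LAN
SITE_REAL = ip_network("192.168.1.0/24")     # site A and site B both use this
# Unique alias prefix HQ uses to reach each site across its tunnel (assumed).
ALIASES = {"A": ip_network("10.101.0.0/24"), "B": ip_network("10.102.0.0/24")}


def overlapping(nets):
    """Return the pairs of networks that overlap.

    Any hit means a plain routed VPN cannot work: the router has two routes
    for the same destination prefix and can only pick one."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def netmap(addr, src_net, dst_net):
    """1:1 prefix translation: keep the host bits, swap the network prefix."""
    addr = IPv4Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NETMAP needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


def site_gateway_inbound(site, src, dst):
    """Packet arriving from HQ over the tunnel: DNAT alias -> real LAN host."""
    return IPv4Address(src), netmap(dst, ALIASES[site], SITE_REAL)


def site_gateway_outbound(site, src, dst):
    """Reply leaving the site LAN: SNAT real -> alias so HQ sees a unique source."""
    return netmap(src, SITE_REAL, ALIASES[site]), IPv4Address(dst)


def round_trip(site, hq_host, site_host):
    """Trace one HQ -> site request and its reply.

    Returns (destination seen on the site LAN, source HQ sees in the reply)."""
    alias_dst = netmap(site_host, SITE_REAL, ALIASES[site])  # what HQ must address
    _, lan_dst = site_gateway_inbound(site, hq_host, alias_dst)
    reply_src, _ = site_gateway_outbound(site, lan_dst, hq_host)
    return lan_dst, reply_src
```

The same host address at sites A and B shows up at HQ as two different alias addresses, which is exactly the uniqueness the routed VPN was missing; the cost is that every HQ-side reference to a site host must use the alias, not the real address.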
I would’ve had them different, but I don’t have control over that sadly. The main reason they’re the same is for serviceability, since each site is on its own and we only VPN in to assist in repairs. It seems like a bad idea looking at the comments, so I’ll probably drop this. Hopefully UniFi comes up with a solution for this VPN problem.
The subnets have been established and I don’t have control over them sadly. I’d do it if it was up to me. I’ve used a site-to-site network before and it’s so much easier to just use the IP I need.
Seems like a pain looking at the comments. I may just drop this idea. I’ll take a look at SonicWall though.
This isn’t an issue for UniFi to come up with a solution to fix, sadly. It’s TCP/IP 101. Like, it’s baked into the RFC. Serviceability is a smokescreen for them not knowing what they are doing, or not thinking long term.
Your network group has failed the company horribly.
If you control the router, you control the subnet.
If you don’t control the router, site-to-site is out of the question anyway.
For NAT translations over VPN, SonicWall makes it fairly easy.
You hit the nail on the head lol, that’s what I thought too when I started a few months ago. We’re a startup that didn’t expect to get multiple locations up. I’ll mention this the next time it comes up and will push for the subnet change. Also, I don’t have an IT background but this somehow got pushed to me. Good learning experience though.
I hate SonicWall! Just absolutely hate them. I have to manage a dozen sites with SonicWall routers with tunnels. Yeah, IPsec works great and all, but the rest of the system just annoys me, and I have experience with lots of different routers.
I’ll stop ranting.
If I was in the OP’s position, I would tell them you need different subnets and there is no plan B. Of course there is a plan B, but like everyone has mentioned, it gets messy. Just pretend there is no plan B.
The best time to make the subnet changes to the network was yesterday. The next best time is today.
If it’s a startup, might as well do it now while it’s relatively painless, and before it’s even worse.
SonicWall is fine, but the UI can be annoying. I manage 112 SonicWalls ranging from SOHO 250 up to NSA 2650s. I do everything via SSH though, and it’s quick and reliable.