Swisscom IB3 with Unifi Dream Machine PRO Network Config

  • Swisscom IB has LAN network of 192.168.11.1 and is DHCP for segment 192.168.11.x

    UDMPro has LAN address of 192.168.11.2 in the IB network and 192.168.2.1 in its own network and is DHCP for segment 192.168.2.x

    DMZ in the Swisscom IB set to 192.168.11.2

    PC in the UDMPro LAN (i.e. 192.168.2.xx) accesses the Internet and all resources in the Swisscom IB network 192.168.2.xx

    But:

    PC in the Swisscom IB network cannot find the resources in UDMPro?

    I tried to create a route on IB Box 192.168.2.0 255.255.255.0 192.168.11.2 but with no effect!!!

    Option:

    just a network. I tried using the DHCP relay in UDMPro but that doesn’t work.

    Any help welcomed

    • Well, that’s clear: the UDM Pro blocks traffic from its WAN interface to the internal LAN, so you can’t access the UDM’s LAN from the IB network. That is also the purpose of a firewall. If you don’t want that, you would have to configure the UDM accordingly, i.e. NAT and if necessary also deactivate the firewall.


    Have you tried turning it off and on again?

    10 days later
    a year later

    Hello,

    Until now I had a Unifi network with a switch but without UDMPro.

    I have now acquired this because I want to build the network the way it should be.

    Now my question regarding the assignment of IP addresses. Unfortunately, I’m not very well versed in logic yet.

    Wouldn’t it be better that in the thread described above the IB has the IP 192.168.11.1, but the UDMPro has the 192.168.1.1? DMZ in the IB then to 192.168.1.1.

    Or does that have no relevant influence?

    Thanks for your input

    Greetings Thierry


    @ThierryP that wouldn’t work at all.

    In order for two devices to communicate with each other, they must be on the same network but have different addresses.

    An (IPv4) network is usually a range of 256 contiguous addresses. To put it very simply for this scenario: for two devices to be on the same network, the first 3 numbers of the address must be the same and the last one must be different. In the example above, the IB has the address 192.168.11.1 and the external interface of the UDM has the address 192.168.11.2, so the devices can communicate with each other. The DMZ function of the IB then only means that all external requests are forwarded across the board to the UDM.

    If the IB has the IP 192.168.11.1 as you suggested, but the external interface of the UDM has the 192.168.1.1, then they are no longer in the same network in terms of IP and therefore can no longer communicate with each other.

    What you could do differently in the example above is to set the IPv4 of the LAN interface to something other than 192.168.2.xx. For example, 192.168.1.xx, as long as this area is not already used by the external interface of the UDM. For other reasons (VPNs from external networks, for example), it is advisable to set your own IP range to anything other than 192.168.1.xx.


    Have you tried turning it off and on again?

    @PowerMac

    Many thanks for your response. I really appreciate that. Basically I understand the issue of IP addresses but I hear different approaches to solutions from the left and the right and I’m a bit confused as to which one is the right one.

    Info about my current network:

    IB3 (192.168.1.1) –> Unifi 8Port Switch (192.168.1.100) –> Synology NAS (192.168.1.201) –> Synology BackUp NAS (192.168.1.202) –> U6-LR (192.168.1.109) –> Various end devices (DHCP)

    This works perfectly and external access (currently with port forwarding on the IB3) also runs perfectly.

    Now I have a new, unconfigured UDMPro, which I would now like to integrate correctly (actually rebuild the network on the UDMPro). Afterwards, two external VPNs would be added.

    If I understood your message correctly, it could now look like this:

    IB3 (192.168.1.1) –> UDMPro (in the IB network 192.168.1.100 // own network 192.168.2.1) –> SYN NAS (192.168.2.100) –> etc…

    Or why do you think it would be better if the UDMPro was also in the 192.168.1.xx range?


    @ThierryP wrote:

    […]

    IB3 (192.168.1.1) –> UDMPro (in the IB network 192.168.1.100 // own network 192.168.2.1) –> SYN NAS (192.168.2.100) –> etc…

    Or why do you think it would be better if the UDMPro was also in the 192.168.1.xx range?


    No, that’s not exactly what I mean, i.e. it’s fine the way you wrote it. Especially if you want to operate VPNs, it is highly advisable NOT to operate the internal network in the 192.168.1.xx range. This is because many private LANs use this range as standard, occasionally also 192.168.0.xx or, for Fritzbüchsen, 192.168.178.xx. If a client is somewhere on a foreign connection and the VPN wants to use the same area, there is a conflict and the connection establishment fails. It is therefore advisable to choose an area where there is a small chance that it will also be used by external networks.


    Have you tried turning it off and on again?
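
The addressing rules discussed in the replies above can be checked mechanically before anything is plugged in. The following is an added example, not part of the original thread: `check_plan` and its problem codes are hypothetical names, the networks are treated as /24, and the UDM LAN of 192.168.2.0/24 in the second sample plan is an assumption because the post does not state one.

```python
import ipaddress

# Home-LAN defaults named in the reply above (constructed as /24 networks).
COMMON_DEFAULT_LANS = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/24", "192.168.1.0/24", "192.168.178.0/24")]


def check_plan(ib_lan, ib_ip, udm_wan_ip, udm_lan):
    """Return a list of problem codes for an IB -> UDM double-router plan."""
    ib_net = ipaddress.ip_network(ib_lan)
    udm_net = ipaddress.ip_network(udm_lan)
    ib_addr = ipaddress.ip_address(ib_ip)
    wan_addr = ipaddress.ip_address(udm_wan_ip)
    problems = []

    # The IB can only hand traffic to its DMZ host if that host sits in
    # the IB's own LAN and does not reuse the IB's address.
    if wan_addr not in ib_net:
        problems.append("wan-outside-ib-lan")
    elif wan_addr == ib_addr:
        problems.append("wan-duplicates-ib-address")

    # The UDM routes between WAN and LAN, so the two sides must differ.
    if udm_net.overlaps(ib_net):
        problems.append("udm-lan-overlaps-ib-lan")

    # A VPN client on a foreign LAN with the same range cannot reach it.
    if any(udm_net.overlaps(c) for c in COMMON_DEFAULT_LANS):
        problems.append("udm-lan-in-common-default-range")
    return problems


if __name__ == "__main__":
    # Constructed sample plans based on the addresses quoted in the thread.
    plans = {
        "original post": ("192.168.11.0/24", "192.168.11.1", "192.168.11.2", "192.168.2.0/24"),
        "UDM WAN on 192.168.1.1": ("192.168.11.0/24", "192.168.11.1", "192.168.1.1", "192.168.2.0/24"),
        "later proposal": ("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.2.0/24"),
    }
    for name, plan in plans.items():
        print(name, "->", check_plan(*plan) or "ok")
```
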


    @PowerMac wrote:

    @ThierryP that wouldn’t work at all.

    In order for two devices to communicate with each other, they must be on the same network but have different addresses.


    @PowerMac

    Yes, you can connect two different networks using a router or a Layer 3 switch with routing options. And in certain cases you don’t want the devices to be able to communicate between networks but only within your own subnet. An example of this is the IB’s guest WiFi.

    @ThierryP

    Before you plug any devices together, you should create a network concept with the desired features, taking into account topics such as addressing, subnets, routing, VPN, VLAN, security, DMZ, port forwarding, etc. and then implement the concept accordingly.


    Is it correct that if I point the DMZ in the IB3 to the IP of the UDM, then I no longer need the port forwardings in the IB3, but have to configure them in the UDM?


    @ThierryP wrote:

    Is it correct that if I point the DMZ in the IB3 to the IP of the UDM, then I no longer need the port forwardings in the IB3, but have to configure them in the UDM?


    That’s exactly how it is.


    Have you tried turning it off and on again?