A working IPv6 guest network for the UniFi ecosystem

Motivation

The number of forum entries on the Internet suggests that IPv6 and UniFi are like fire and water. While corporate networks can be configured without any problems, the implementation for guest networks seems more or less broken. After several attempts and more than a year of research, I found a solution for my setup at home.

Caveat

The setup does not cover a functional "Guest Portal". Since it is not necessary for my home network, I have not bothered with it. If you require this feature for your network, please treat this guide with caution.

My environment

I operate a Controller (Build: atag_7.0.22_17284) on a Raspberry Pi 4, a USG Pro 4, a USW 24 PoE and several UAP AC Pro access points distributed around the house.

The wired part

A configured guest network for the wired side is required first. Here's how I did it. My guest network covers the subnet 10.255.0.1/16 for IPv4 and XXXX:XXXX:XXXX:XXXX::1/64 for IPv6 (prefix masked). The DNS entries (DHCP name server) point to my Pi-hole; you can also leave that on "auto".

IPv4 Guest Network

IPv6 Guest Network

Proper firewalling

As with IPv4, there are preconfigured firewall rules for IPv6. They have one problem: if you use a DNS server other than the gateway itself, guest requests to that name server (in my case the Pi-hole on the corporate LAN) are dropped by the predefined guest rules. To work around this, I created a DNS group containing the name server address and used it in an allow rule placed before the predefined rules for the guest network on the GUEST_IN interface, since rules are evaluated in order and the first match wins.

Firewall DNS Group

IPv6 GUEST_IN rule

IPv6 GUEST_IN rules

Fix IPv6 Router Advertisement

For some reason, the system blocks router advertisements across LAN boundaries when "Guest Policies" are enabled for WiFi networks. To get behavior equivalent to the IPv4 setup, the IPv4 "allow to DHCP server" rule has to be carried over to IPv6. In IPv6 networks, ICMPv6 carries the control packets (router solicitations, router advertisements and neighbor discovery) that let clients configure their addresses via SLAAC, so we explicitly allow ICMPv6 on the GUEST_LOCAL interface in a rule called "allow ICMPv6".

IPv6 GUEST_LOCAL rule

IPv6 GUEST_LOCAL rules
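To make the effect of the two rule changes above (the DNS-group allow placed ahead of the predefined guest drop on GUEST_IN, and the ICMPv6 allow on GUEST_LOCAL) checkable without a USG at hand, here is a small first-match model of both chains. This is an added example and not UniFi or USG code; the prefixes (2001:db8::/32 documentation range), the Pi-hole address, the gateway addresses and the chain defaults are all constructed stand-ins for the masked values in the post.

```python
"""Constructed first-match model of the IPv6 GUEST_IN and GUEST_LOCAL chains.

Added example, not UniFi/USG code. It reproduces the ordering that the post
relies on so that sample packets can be checked offline: the DNS-group allow
must sit before the predefined "guest to corporate" drop, and ICMPv6 must be
allowed on the chain that protects the gateway itself.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins (2001:db8::/32 is the IPv6 documentation range).
GUEST_NET = IPv6Network("2001:db8:0:ff::/64")        # the guest LAN
CORPORATE_NET = IPv6Network("2001:db8:0:1::/64")     # the rest of the house
DNS_GROUP = {IPv6Address("2001:db8:0:1::53")}        # hypothetical Pi-hole
GATEWAY_ADDRESSES = {IPv6Address("2001:db8:0:ff::1"),  # guest gateway address
                     IPv6Address("fe80::1")}           # hypothetical link-local
LINK_LOCAL_MULTICAST = IPv6Network("ff02::/16")      # ff02::1 / ff02::2 etc.


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: str                 # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "accept" or "drop"
    match: Callable[[Packet], bool]


def pkt(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Packet:
    """Convenience constructor for sample packets."""
    return Packet(IPv6Address(src), IPv6Address(dst), proto, dport)


def is_dns(p: Packet) -> bool:
    return p.proto in ("tcp", "udp") and p.dport == 53


# GUEST_IN: guest traffic that the gateway forwards somewhere else.
# Assumed default action "accept", so anything not dropped reaches the Internet.
GUEST_IN: List[Rule] = [
    Rule("allow DNS to Pi-hole group", "accept",
         lambda p: is_dns(p) and p.dst in DNS_GROUP),
    # predefined UniFi guest rule: no access to the other local networks
    Rule("drop guest to corporate", "drop", lambda p: p.dst in CORPORATE_NET),
]

# GUEST_LOCAL: guest traffic addressed to the gateway itself.
GUEST_LOCAL: List[Rule] = [
    Rule("allow ICMPv6", "accept", lambda p: p.proto == "icmpv6"),
    Rule("drop all to gateway", "drop", lambda p: True),
]


def evaluate(chain: List[Rule], p: Packet, default: str = "accept") -> Tuple[str, str]:
    """First matching rule wins; the chain default applies if nothing matches."""
    for rule in chain:
        if rule.match(p):
            return rule.action, rule.name
    return default, "default"


def chain_for(p: Packet) -> str:
    """LOCAL for packets addressed to the gateway (including the link-local
    multicast groups it listens on, e.g. ff02::2 for router solicitations),
    IN for everything the gateway forwards."""
    if p.dst in GATEWAY_ADDRESSES or p.dst in LINK_LOCAL_MULTICAST:
        return "GUEST_LOCAL"
    return "GUEST_IN"


def decide(p: Packet) -> Tuple[str, str, str]:
    """Return (action, matched rule, chain) for a packet from a guest client."""
    name = chain_for(p)
    chain = GUEST_IN if name == "GUEST_IN" else GUEST_LOCAL
    action, rule = evaluate(chain, p)
    return action, rule, name


if __name__ == "__main__":
    samples = [
        pkt("2001:db8:0:ff::10", "2001:db8:0:1::53", "udp", 53),   # DNS to Pi-hole
        pkt("2001:db8:0:ff::10", "2001:db8:0:1::20", "tcp", 22),   # SSH to LAN host
        pkt("2001:db8:0:ff::10", "2001:db8:ffff::443", "tcp", 443),  # Internet host
        pkt("fe80::abcd", "ff02::2", "icmpv6"),                     # router solicitation
        pkt("2001:db8:0:ff::10", "2001:db8:0:ff::1", "tcp", 22),   # SSH to gateway
    ]
    for s in samples:
        print(s.proto, s.dst, s.dport, "->", decide(s))
    # Swapping the two GUEST_IN rules reproduces the dropped-DNS symptom.
    print("reversed order:", evaluate(list(reversed(GUEST_IN)), samples[0]))
```

Running the module prints one decision per sample packet; the final line shows what happens when the DNS-group rule is placed after the predefined drop instead of before it, which is exactly the symptom the group rule works around.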

The WiFi part

The last step is the usual configuration of the WiFi guest network. The important part here is the "Network" setting: select the previously created "Guest" LAN.

WiFi Guest Network

Disclaimer

I am not a network specialist and have not tested in detail whether the guest network is completely firewalled off from the rest of the network. Constructive criticism is explicitly welcome.
