Private VLANs

Private VLANs isolate ports or groups of ports from each other while they stay in the same primary VLAN and IP subnet, so the isolation does not depend on the hosts' own firewalls. Shared resources such as routers or servers sit on promiscuous ports, which every member of any community or isolated secondary VLAN can reach. The isolation is layer 2 only: a router on the promiscuous port will still route between two isolated hosts if it answers ARP on their behalf (local proxy ARP), so leave that off or add an ACL if those hosts must not reach each other via the router.

Topology (diagram not reproduced): all ports share the subnet 192.168.100.0/24

This is the configuration for SW1. VLAN 100 is the primary VLAN; 101 is an isolated secondary VLAN whose ports can only communicate with promiscuous ports; 102 is a community secondary VLAN whose ports can communicate with each other and with promiscuous ports.

vlan 100
  private-vlan primary
  private-vlan association 101-102
!
vlan 101
  private-vlan isolated
!
vlan 102
  private-vlan community

Interface E0/0 configuration. This is attached to the router.

interface Ethernet0/0
description ROUTER
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous

Interfaces E1/0 and E1/1 belong to community VLAN 102

interface Ethernet1/0
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface Ethernet1/1
switchport private-vlan host-association 100 102
switchport mode private-vlan host

Interface E1/2 belongs to isolated VLAN 101

interface Ethernet1/2
description ISOLATED
switchport private-vlan host-association 100 101
switchport mode private-vlan host

With this configuration, VPC3 and VPC4 (the hosts on the community ports E1/0 and E1/1) can ping each other and the router. They cannot ping VPC5 (the host on the isolated port E1/2).

VPC5 can ping the router only.
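The reachability described above follows from three rules (promiscuous ports reach every secondary VLAN they are mapped to; community ports reach each other and promiscuous ports; isolated ports reach promiscuous ports only). The following is an added example, not part of the original post and not Cisco code: it parses the SW1 configuration shown above (embedded verbatim so it runs offline) and applies those rules to any pair of ports, so you can check a larger PVLAN design the same way. The parser only understands the handful of commands used on this page and is this example's own assumption.

```python
"""Added example: compute private-VLAN reachability from an IOS-style config."""
import re

# The page's SW1 configuration, embedded so the example runs stand-alone.
CONFIG = """\
vlan 100
  private-vlan primary
  private-vlan association 101-102
!
vlan 101
  private-vlan isolated
!
vlan 102
  private-vlan community
!
interface Ethernet0/0
 description ROUTER
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
!
interface Ethernet1/0
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
!
interface Ethernet1/1
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
!
interface Ethernet1/2
 description ISOLATED
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
"""


def _expand(spec):
    """'101-102' -> {101, 102}; '101,103' -> {101, 103}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(config):
    """Return (vlans, ports): vlan id -> 'primary'|'isolated'|'community',
    interface name -> {'mode', 'primary', 'secondary'} (secondary is a set)."""
    vlans, ports = {}, {}
    current = None  # ('vlan', id) or ('if', name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = ("vlan", int(m.group(1)))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ("if", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondary": set()}
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "vlan":
            m = re.match(r"private-vlan (primary|isolated|community)$", line)
            if m:
                vlans[key] = m.group(1)
        else:
            port = ports[key]
            m = re.match(r"switchport mode private-vlan (host|promiscuous)$", line)
            if m:
                port["mode"] = m.group(1)
            m = re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) (\S+)$", line)
            if m:
                port["primary"] = int(m.group(1))
                port["secondary"] = _expand(m.group(2))
    return vlans, ports


def can_reach(vlans, ports, a, b):
    """True if a frame from port a can be delivered to port b at layer 2."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False  # different primary VLANs never talk at layer 2
    if pa["mode"] == "promiscuous" or pb["mode"] == "promiscuous":
        prom, other = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        if other["mode"] == "promiscuous":
            return True  # two promiscuous ports share the primary VLAN
        # a promiscuous port reaches every secondary VLAN it is mapped to
        return bool(other["secondary"] & prom["secondary"])
    # two host ports only talk if they share a *community* secondary VLAN;
    # a shared isolated VLAN keeps them apart
    shared = pa["secondary"] & pb["secondary"]
    return any(vlans.get(v) == "community" for v in shared)


if __name__ == "__main__":
    vlans, ports = parse(CONFIG)
    names = sorted(ports)
    for a in names:
        reach = [b for b in names if b != a and can_reach(vlans, ports, a, b)]
        print(f"{a:12} -> {', '.join(reach) or '(nothing)'}")
```

Running it prints one line per port with the ports it can reach; E1/0 and E1/1 list each other and E0/0, while E1/2 lists E0/0 only, which is the ping result the post reports.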

xRDP – The Infamous “Authentication Required to Create Managed Color Device” Explained

The cause is covered in the post of the same title; the fix is described in:

xRDP – How to Fix the Infamous system crash popups in Ubuntu 18.04 (and previous versions)

HOWTO: Ubiquiti Site to Site VPN – Double NAT

Ubiquiti UniFi’s Auto-VTI site to site VPN feature does not work when one of the firewalls (peers) terminating the VPN resides behind an existing NAT router or firewall. In this scenario, the easiest way to get a VPN running is the OpenVPN site-to-site option, which only needs a single UDP port forwarded through the NAT device to the USG.

In this example, there are two sites to be connected:

Milton Keynes
LAN 192.168.3.0/24
WAN 80.80.80.80

Northampton
LAN: 192.168.100.0/24
WAN: 192.168.1.123
REAL WAN: northampton.vpn.com

Both sites use USG 3P firewalls with the default firewall ruleset and are connected to the same controller running UniFi version 5.10.24 on Ubuntu 18.04 LTS.

Note that Northampton has an RFC1918 private IP address assigned to the WAN interface and therefore it resides behind a NAT’d Internet connection.

We need to ensure that the router terminating the Internet connection forwards the tunnel port (UDP 1321 in this example) to the Northampton USG. Forwarding ALL incoming traffic to the USG (a DMZ-host style rule) also works, but it exposes every WAN-facing service on the USG and leaves its own WAN ruleset as the only line of defence, so forward only the tunnel port. We also need to know the real public IP address or DNS name for the site.

Create an Open VPN Shared Secret

The first stage is to create an OpenVPN static (pre-shared) key that both VPN peers will hold. This key is the only thing that authenticates the peers and protects the tunnel, so treat it as a secret: generate a fresh one per tunnel and never reuse a key that has been posted anywhere.

As per the official Ubiquiti article (https://help.ubnt.com/hc/en-us/articles/360002426234-UniFi-USG-VPN-How-to-Configure-Site-to-Site-VPN#7), this can be created by using SSH to log into one of the USG firewalls.

Tip: If you don’t know the SSH username or password for your USG firewall, login to your controller’s GUI interface, select Settings (the cog icon at the bottom left) and then select Site. At the bottom of the Site menu are the Device Authentication settings including the username and password. The password can be shown by clicking the “eye” icon in the password field.

Once connected via SSH, run the following command:

generate vpn openvpn-key /config/auth/secret

You will see the following output:

admin@MKUSG001:~$ generate vpn openvpn-key /config/auth/secret
Generating OpenVPN key to /config/auth/secret
Your new local OpenVPN key has been generated

Now the key has been generated, we need to view it which is done using the following command:

sudo cat /config/auth/secret

This will print the key file (your key will be different, obviously, and the one shown here must never be used since it is now public):

admin@MKUSG001:~$ sudo cat /config/auth/secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
14f7fdd75bf029fe02c8642ce158d6a0
a466bb7d9617472c4f5240b7fffa6da0
dc7dacd7f4d0c344e8dbb89eb6b7b942
7b028060d097c951fccd884003b7fc6d
0cc4d04c4a10cbe44f7ba217270044ea
10731247243b12de7e69aca801c70e04
dcc97fc4edab45699cad218f420abde8
a4d40c7b00fd25447f9fa7ae6f39e223
96f84fa25bead71689c8ffe44e7aaf16
8abc53503113e7ab436857255f16a49f
437bc4c30fcb70b41c86a01154c3f868
5d7ed5b186c8cdb9788b02b535db2f10
fe2e472f7c716902a352e046348c5159
db1a44ef82b475e66738c3a944db2971
d4470b447053481267da6b333f8715b9
86976c4fbf7a9950d3cdb88f87fe69ad
-----END OpenVPN Static key V1-----

Copy and paste into a text editor all of the lines between the -----BEGIN and -----END lines (not the lines themselves, and not the # comment header). We now need to reformat the key so it can be pasted into the GUI, because the copy from the terminal often leaves spaces or blank lines between the rows, which causes problems later on.

In the text editor, format the key so it is one continuous length of text and looks something like this:

14f7fdd75bf029fe02c8642ce158d6a0a466bb7d9617472c4f5240b7fffa6da0dc7dacd7f4d0c344e8dbb89eb6b7b9427b028060d097c951fccd884003b7fc6d0cc4d04c4a10cbe44f7ba217270044ea10731247243b12de7e69aca801c70e04dcc97fc4edab45699cad218f420abde8a4d40c7b00fd25447f9fa7ae6f39e22396f84fa25bead71689c8ffe44e7aaf168abc53503113e7ab436857255f16a49f437bc4c30fcb70b41c86a01154c3f8685d7ed5b186c8cdb9788b02b535db2f10fe2e472f7c716902a352e046348c5159db1a44ef82b475e66738c3a944db2971d4470b447053481267da6b333f8715b986976c4fbf7a9950d3cdb88f87fe69ad
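Rather than joining the sixteen rows by hand, the flattening and the check that nothing was lost in the paste can be scripted. The following is an added example, not part of the original post or of Ubiquiti's tooling: it reads the key file in the layout printed above, keeps only the rows between the BEGIN and END markers, strips whitespace, and refuses anything that is not exactly 512 hex digits (2048 bits). The sample key it builds is constructed for the demonstration and is not a real key.

```python
"""Added example: flatten and validate an OpenVPN static key for pasting."""
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def flatten_static_key(text):
    """Return the key as one string of 512 hex digits, or raise ValueError.

    Only the rows between the BEGIN/END markers count; the '#' comment header,
    indentation and blank lines left by a terminal copy/paste are discarded.
    2048 bits = 256 bytes = 512 hex digits, so any other length means a row
    was lost or duplicated in the paste."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if BEGIN in l]
    ends = [i for i, l in enumerate(lines) if END in l]
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("expected exactly one BEGIN/END block")
    key = re.sub(r"\s+", "", "".join(lines[starts[0] + 1:ends[0]]))
    if not re.fullmatch(r"[0-9a-fA-F]{512}", key):
        raise ValueError(f"expected 512 hex digits (2048 bits), got {len(key)}")
    return key.lower()


def make_sample_key_file():
    """A constructed key file in the layout 'sudo cat /config/auth/secret'
    prints: deterministic bytes 0x00..0xff, NOT a real key."""
    rows = ["".join(f"{row * 16 + col:02x}" for col in range(16)) for row in range(16)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            + BEGIN + "\n" + "\n".join(rows) + "\n" + END + "\n")


if __name__ == "__main__":
    import sys
    # Usage on the USG: sudo cat /config/auth/secret > /tmp/secret
    #                   python3 flatten.py /tmp/secret
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_sample_key_file()
    print(flatten_static_key(text))
```

If the script rejects the key, the paste lost or duplicated a row; go back to the terminal rather than pasting a damaged key into the controller, because both ends must hold byte-identical keys or the tunnel will silently pass no traffic.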

Point to Point Tunnel Subnet Allocation

Now we have the shared key, we need to allocate a private range that will supply the tunnel end points between the two firewalls. Think of this as a virtual point to point circuit (the orange dotted line in the diagram below) and we will use it later on when it comes to routing. Pick a range that is not in use at either site; here 192.168.255.0/24 provides the two addresses:

Milton Keynes: 192.168.255.1/24
Northampton: 192.168.255.2/24

Topology diagram (not reproduced): Milton Keynes LAN 192.168.3.0/24 behind the USG at 80.80.80.80, tunnel end 192.168.255.1; Northampton LAN 192.168.100.0/24 behind the USG at 192.168.1.123, itself behind the NAT router reached as northampton.vpn.com, tunnel end 192.168.255.2.

Milton Keynes Configuration

We are now ready to configure the Milton Keynes Firewall.

  • On the Unifi Controller, make sure the Milton Keynes site is selected and then browse to Settings > Networks.
  • Click Create New Network
  • Enter a name for this Connection in the Name field – for example L2L VPN
  • Select the Site-to-Site VPN radio button from the Purpose field.
  • Select OpenVPN from the VPN Type field.
  • Check the Enable checkbox.
  • Enter the IP subnet 192.168.100.0/24 (Northampton) in the Remote Subnets field.
  • Leave Remote Distance at 30.
  • In the Remote Host field, enter the REAL public WAN IP address or DNS name of the Northampton site (northampton.vpn.com in this example). Remember, the Northampton USG is behind NAT, so this must be the public address of the router in front of the USG, not the USG’s own 192.168.1.123.
  • In the Remote Address field, enter the IP address allocated for the Northampton end of the point to point tunnel – in this case – 192.168.255.2. Set the Port field to 1321.
  • In the Local Address field, enter the IP address allocated for the Milton Keynes end of the point to point tunnel – in this case – 192.168.255.1. Set the Port field to 1321.
  • Finally, in the Shared Secret field, copy and paste in the key you edited in the text editor earlier.
  • Click Save.

Finally, we need to update the routing:

  • Click Settings > Routing and Firewall.
  • Click the Create New Route button.
  • In the Name field, enter a name for this route for example, Northampton.
  • Check the Enabled checkbox.
  • Leave Type as Static
  • In the Network field, enter the IP subnet of the LAN at Northampton (192.168.100.0/24)
  • Leave Distance as is.
  • From the Static Route Type options, select Next Hop.
  • In the Next Hop field, enter the private IP address of the Northampton end of the VPN tunnel – 192.168.255.2.
  • Click the Save button.
  • Wait for the configuration to be provisioned to the Milton Keynes USG.

Northampton Configuration

We are now ready to configure the Northampton Firewall.

  • On the Unifi Controller, make sure the Northampton site is selected and then browse to Settings > Networks.
  • Click Create New Network
  • Enter a name for this Connection in the Name field – for example L2L VPN
  • Select the Site-to-Site VPN radio button from the Purpose field.
  • Select OpenVPN from the VPN Type field.
  • Check the Enable checkbox.
  • Enter the IP subnet 192.168.3.0/24 (Milton Keynes) in the Remote Subnets field.
  • Leave Remote Distance at 30.
  • In the Remote Host field, enter the WAN IP address/hostname for Milton Keynes (80.80.80.80)
  • In the Remote Address field, enter the IP address allocated for the Milton Keynes end of the point to point tunnel – in this case – 192.168.255.1. Set the Port field to 1321.
  • In the Local Address field, enter the IP address allocated for the Northampton end of the point to point tunnel – in this case – 192.168.255.2. Set the Port field to 1321.
  • Finally, in the Shared Secret field, copy and paste in the key you edited in the text editor earlier.
  • Click Save.

Finally, we need to update the routing:

  • Click Settings > Routing and Firewall.
  • Click the Create New Route button.
  • In the Name field, enter a name for this route for example, Milton Keynes.
  • Check the Enabled checkbox.
  • Leave Type as Static
  • In the Network field, enter the IP subnet of the LAN at Milton Keynes (192.168.3.0/24)
  • Leave Distance as is.
  • From the Static Route Type options, select Next Hop.
  • In the Next Hop field, enter the private IP address of the Milton Keynes end of the VPN tunnel – 192.168.255.1.
  • Click the Save button.
  • Wait for the configuration to be provisioned to the Northampton USG.
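The two site definitions above are mirror images of each other, and the easiest mistakes (swapping Local and Remote Address on one side, or entering the NAT’d WAN address 192.168.1.123 instead of the real public address as Remote Host) do not produce an error in the controller, just a tunnel that never comes up. The following is an added example, not part of the original post or of UniFi: it models both sites’ Site-to-Site VPN networks and static routes using the form field names shown above and checks that they are consistent before you click Save. The check itself is this example’s own assumption.

```python
"""Added example: consistency check for a mirrored pair of OpenVPN site definitions."""
import ipaddress


class Site:
    """One site's Site-to-Site VPN network plus its static route."""

    def __init__(self, name, lan, public_host, local_address, remote_host,
                 remote_address, port, remote_subnets, next_hop):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.public_host = public_host  # what the *other* site must dial
        self.local_address = ipaddress.ip_address(local_address)
        self.remote_host = remote_host  # "Remote Host" field
        self.remote_address = ipaddress.ip_address(remote_address)
        self.port = port
        self.remote_subnets = [ipaddress.ip_network(s) for s in remote_subnets]
        self.next_hop = ipaddress.ip_address(next_hop)  # static route next hop


def check_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    p = problems.append
    if a.port != b.port:
        p(f"ports differ: {a.name}={a.port} {b.name}={b.port}")
    if a.lan.overlaps(b.lan):
        p(f"LANs overlap: {a.lan} and {b.lan}")
    for x, y in ((a, b), (b, a)):
        if x.remote_address != y.local_address:
            p(f"{x.name}: Remote Address {x.remote_address} is not {y.name}'s Local Address {y.local_address}")
        if x.local_address == x.remote_address:
            p(f"{x.name}: Local and Remote Address are both {x.local_address}")
        if x.remote_host != y.public_host:
            p(f"{x.name}: Remote Host {x.remote_host!r} is not how {y.name} is reached ({y.public_host!r})")
        if x.remote_subnets != [y.lan]:
            p(f"{x.name}: Remote Subnets {x.remote_subnets} should be {y.name}'s LAN {y.lan}")
        if x.next_hop != x.remote_address:
            p(f"{x.name}: static route next hop {x.next_hop} is not the tunnel peer {x.remote_address}")
        for net in (x.lan, y.lan):
            if x.local_address in net:
                p(f"{x.name}: tunnel address {x.local_address} lies inside LAN {net}")
        # Behind NAT the USG's own WAN address is RFC1918; the peer must dial
        # the real public address (or a DNS name that resolves to it).
        try:
            rh = ipaddress.ip_address(x.remote_host)
        except ValueError:
            rh = None  # a hostname such as northampton.vpn.com
        if rh is not None and rh.is_private:
            p(f"{x.name}: Remote Host {rh} is a private address; use {y.name}'s real public address")
    return problems


def page_sites(northampton_local="192.168.255.2", mk_remote_host="northampton.vpn.com"):
    """The two sites from the post; the parameters let you reproduce common mistakes."""
    mk = Site("Milton Keynes", "192.168.3.0/24", "80.80.80.80", "192.168.255.1",
              mk_remote_host, "192.168.255.2", 1321, ["192.168.100.0/24"], "192.168.255.2")
    north = Site("Northampton", "192.168.100.0/24", "northampton.vpn.com", northampton_local,
                 "80.80.80.80", "192.168.255.1", 1321, ["192.168.3.0/24"], "192.168.255.1")
    return mk, north


if __name__ == "__main__":
    cases = (("as configured", {}),
             ("Local Address typo at Northampton", {"northampton_local": "192.168.255.1"}),
             ("dialling the NAT'd WAN address", {"mk_remote_host": "192.168.1.123"}))
    for label, kw in cases:
        print(f"{label}: {check_pair(*page_sites(**kw)) or 'OK'}")
```

Running it reports OK for the configuration in this post and lists the offending field for each of the two deliberate mistakes, which is exactly the information the controller does not give you.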

Testing

Assuming all has gone well, you should be able to ping hosts across the VPN tunnel. For example, from Milton Keynes (192.168.3.0/24), we should be able to ping hosts in the 192.168.100.0/24 subnet at Northampton. The TTL of 62 in the replies below is consistent with a host that started at 64 and was forwarded by exactly two routers, the two USGs, which confirms the replies are coming back through the tunnel:

C:\>ping 192.168.100.107
Pinging 192.168.100.107 with 32 bytes of data:
Reply from 192.168.100.107: bytes=32 time=27ms TTL=62
Reply from 192.168.100.107: bytes=32 time=27ms TTL=62
Reply from 192.168.100.107: bytes=32 time=26ms TTL=62
Reply from 192.168.100.107: bytes=32 time=28ms TTL=62
Ping statistics for 192.168.100.107:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 28ms, Average = 27ms

We can also check the status of the VPN connection from one of the USG firewalls by logging in via SSH and issuing the following command:

show openvpn status site-to-site

admin@MKUSG001:~$ show openvpn status client
Cannot find active OpenVPN client connections
admin@MKUSG001:~$ show openvpn status site-to-site
OpenVPN client status on vtun64 [L2L VPN]
Remote CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since

None (PSK)      northampton.vpn.com 192.168.255.2     10.8M   10.9M N/A

Note that show openvpn status client reports nothing, since a site-to-site tunnel is not a client connection. Remote CN shows None (PSK) and Connected Since shows N/A because a static-key tunnel has no certificate and no session handshake to record; the sign of life to look for is the TX and RX byte counters increasing while you ping across the tunnel.

fin!