diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/ubiquiti.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/ubiquiti.mdx new file mode 100644 index 000000000000000..26f7b1d6fa41b8f --- /dev/null +++ b/src/content/docs/magic-wan/configuration/manually/third-party/ubiquiti.mdx 
@@ -0,0 +1,127 @@ +--- +pcx_content_type: integration-guide +title: Ubiquiti +reviewed: 2025-10-02 +--- + +Connect a Ubiquiti UniFi Gateway to Cloudflare's network using Magic WAN. These steps use the Cloud Gateway Max (UCG-Max) but work with other UniFi gateways supporting route-based IPsec VPNs, like the Dream Machine series. + + +## Prerequisites + +- Cloudflare account with Magic WAN enabled (contact your account team) +- UniFi Cloud Gateway or Dream Machine with IPsec support +- UniFi Network Application (self-hosted or cloud) +- Static public IP from your ISP +- Admin access to both Cloudflare and UniFi +- Gather a **Magic Anycast IPv4** address from the **Leased IPs** section in the dashboard **IP addresses** > **Leased IPs** (Contact your account team if you do not see any IPs listed) + +## Step 1: Configure Magic WAN + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com), go to **Magic WAN** > **Configuration** +2. Under **Select tunnel type**, select **IPsec Tunnel** and click **Next** +3. Under **Tunnels**, click **Create**: + - Name: `unifi-gw-primary` + - IPv4 Interface Addess: `10.252.2.28/31` or referer to the [Tunnel endpoints Documentation](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/) + - Customer Endpoint: Your UniFi Gateway's WAN IP (e.g., `203.0.113.10`) + - Cloudflare Endpoint: `One of the IPv4 addresses gathered from Leased IPs` +4. Under **Tunnel Health checks**: + - Health check rate: `set to desired level` + - Health check type: `Request` + - Health check direction: `Bidirectional` + - Health check target: `Default` +5. Under **Pre-shared key**: + - Leave **Add pre-shared key later** selected (this key will be given during the Unfi site-to-site VPN configuration) + +## Step 2: Configure Site-to-Site VPN on UniFi + +1. In UniFi Network, go to **Settings** > **VPN** > **Site-to-Site VPN** +2. Click **Create New** +3. 
Configure: + - **VPN Type:** `IPsec` + - **Name:** `Cloudflare-MagicWAN` + - **Preshared Key:** Copy this key for use in the Magic Wan Tunnel Configuration created in `Step 1`. + - **Local IP:** Select the WAN interface (e.g., `WAN1`) + - **Remote IP:** Cloudflare endpoint IP from `Step 1` + - **VPN Method:** Route Based + - **Tunnel IP:** `10.252.2.29/31` or referer to the [Tunnel endpoints Documentation](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/) + - **Remote Networks:** Inside Cloudflare tunnel address (e.g., 10.252.2.28/31) and other remote subnets to access through Magic WAN +4. Set Advanced settings: + - Key Exchange Version: IKEv2 + - IKE Encryption: AES-256 + - IKE Hash: SHA256 + - IKE DH Group: 14 + - IKE Lifetime: 28800 + - ESP Encryption: AES-256 + - ESP Hash: SHA256 + - ESP DH Group: 14 + - ESP Lifetime: 28800 + - PFS: Enabled + - Local Authentication ID: `Auto` + - Remote Authentication ID: Uncheck `Auto`, enter the Cloudflare endpoint IP from `Step 1` + - MTU: 1436 +5. Click **Apply** + +## Step 3: Add Preshared Key to Cloudflare + +1. Go to **Magic WAN** > **Tunnels** and edit your tunnel +2. Paste the preshared key from Step 2 +3. Click **Save** + +## Step 4: Configure Routes and Health Checks + +1. Go to **Magic WAN** > **Static Routes** > **Create**: + - Prefix: Your local network (e.g., `192.168.1.0/24`) + - Tunnel: Select your tunnel + - Priority: `100` +2. Go to **Health Checks** > **Create**: + - Name: `UniFi-Health-Check` + - Type: `ICMP Ping` + - Endpoint: Customer endpoint address from Step 1 + - Rate: Low frequency +3. 
Edit your tunnel and enable the health check + +## Verification + +Wait a few minutes, then check: +- **Cloudflare:** Magic WAN > Tunnels shows **Healthy** +- **UniFi:** Settings > VPN shows connected status + +## Troubleshooting + +**Tunnel down:** +- Verify Peer IP, preshared key, and IPsec settings match on both sides +- Check ISP isn't blocking UDP ports 500/4500 + +**Traffic not routing:** +- Verify Remote Subnets setting in UniFi VPN config +- Check firewall rules aren't blocking VPN traffic + +**Health check fails:** +- Allow ICMP from Cloudflare to the customer-side tunnel IP +- Target should be the `/31` interface IP, not your LAN gateway + +## Policy-Based Routing + +To route only specific devices through Cloudflare (UniFi Network Application): + +1. Remove necessary routes from Remote Subnets in your VPN config +2. Go to **Settings** > **Policy Table** under Policy Engine > **Create New Policy**: + - Select `Route` + - Name: Provide a name for the policy + - Type: Policy-Based + - Interface/VPN Tunnel: Select the VPN Tunnel (e.g., `Cloudflare-MagicWAN`) + - Kill Switch: Enabled (recommended) + - Source: Select `Device/Network` and then choose the Device(s) or Networks(s) + - Destination: Any + - Interface: Your VPN tunnel + +## Next Steps + +- Use [Magic Firewall](https://developers.cloudflare.com/magic-firewall/) for network policies +- Configure a second tunnel for redundancy +- Monitor traffic in the Magic WAN dashboard + +--- + +You're now routing traffic through Cloudflare's global network with enterprise-grade security and performance. \ No newline at end of file
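Review bot: the pre-shared key flow in this hunk contradicts itself between Step 1 and Step 2. Step 1 says to leave **Add pre-shared key later** selected because "this key will be given during the Unfi site-to-site VPN configuration", while the Step 2 **Preshared Key** bullet says to "Copy this key for use in the Magic Wan Tunnel Configuration created in `Step 1`", and Step 3 then pastes it into Cloudflare. Make the direction of the key explicit in one place (the key is entered or generated on the UniFi side in Step 2 and then entered into the Cloudflare tunnel in Step 3), and since the PSK is the only peer authentication for this IKEv2 tunnel, the Step 2 bullet should tell the reader to use a long, randomly generated key rather than leaving the strength unspecified. Smaller points in the same hunk: "IPv4 Interface Addess" should be "Address"; "referer to" should be "refer to" (it appears twice); "Unfi" should be "UniFi"; "Magic Wan" should be "Magic WAN"; "Networks(s)" should be "Network(s)". Under Policy-Based Routing, "Remove necessary routes from Remote Subnets in your VPN config" reads as the opposite of what is intended and should say which routes to remove (the subnets that will instead be selected by the policy). The Step 4 health check bullet "Endpoint: Customer endpoint address from Step 1" conflicts with the Troubleshooting note that the target "should be the `/31` interface IP, not your LAN gateway"; pick one and state it in both places. Finally, the Magic Firewall link in Next Steps is absolute (`https://developers.cloudflare.com/magic-firewall/`) while the other links in the file are site-relative; use the relative form for consistency.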