Block Nest camera upload streams on cellular WAN only

This seems like a simple enough request, but I have been struggling to make it work.

I am using the MAX BR1 Pro 5G as a Dual WAN failover device and am feeding its primary WAN to a UDM Pro & UniFi network (with double NAT enabled, most likely). It works great for that purpose, but ideally I’d like to avoid uploading my ~17 or so Nest camera feeds when I am using the Google Fi in a failover scenario.

I have tried firewall settings blocking dropcam.com and other related Nest domains, but that obviously can’t be isolated to one or the other WAN. When I try to do outbound policy blocking none of it seems to work.

Any help is appreciated!

Use the MAC address, or set a static IP based on MAC, and have outbound rules that enforce the Nest cams to whatever WAN you want. Super easy.

Thanks - I tried the MAC address outbound rule and it didn’t work for some reason. That was my first instinct, as it should theoretically work regardless of which LAN or IP it’s on.

Anything I could be doing wrong?

Post a screenshot of the rule.


You should use “Enforced”, not Balance. Or use Priority and only put the two Wi-Fi WANs in the list.

You could also give your IoT devices their own Wi-Fi SSID and identify the Source that way… or have a separate IoT network.

I think my problem is that nothing is on the Peplink LAN directly - it’s all behind the Ubiquiti Dream Machine Pro, so the Peplink only sees one IP. I was going to do VLANs, etc. and set it up that way, but I would need everything on the Peplink, which I don’t want to have to change. I added this as a failover device late in the game and am curious if there is a way to prevent the Nest traffic from getting out.

To clarify further, I am not using the Wi-Fi on the Peplink at all. The Wi-fi for the Nest cameras comes from Unifi APs.

Oh, that wasn’t clear… Yes, you will then have to try and identify the target traffic by port, destination network, or DNS, but then you need to have the UDM forward the DNS queries to the BR1 Pro…

I think I know the destination URLs but am unclear how to forward it to the BR1 Pro for it to manage/block the traffic.

The DNS server for the DHCP clients needs to be the UDM Pro (served via DHCP); then the DNS server for the UDM needs to be the BR1 Pro. Therefore the BR1 is processing all DNS requests.

Then you can put in an outbound policy domain rule (all of the Nest domains)… The domain rule requires that the BR1 do the DNS lookup… and then it puts the IP address that is returned into the domain rule’s IP list (behind the scenes). So subsequent traffic to those IP addresses is captured by the domain rule.

Can you create a network diagram?

I seem to think you are using nest camera → UNIFI → UDM → Br1 → networks.
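The mechanism described above (the router learns the IP list for a domain rule from the DNS answers it resolves itself, then matches later flows against that list) is easy to misread, so here is a small simulation of it. This is an added example, not Peplink firmware code or the forum poster's configuration: the rule/action names, the `cam.dropcam.com` hostname, the TEST-NET addresses and the flow records are all constructed, and the only thing it demonstrates is why the domain rule stays empty when the router never sees the DNS traffic.

```python
"""Constructed simulation of a DNS-driven ("domain") outbound policy rule.

Not Peplink code. Models the behaviour described in the thread: the router
records the A-record answers it resolves for the rule's domains, and later
flows are matched against those recorded addresses. Two scenarios are run:
DNS resolved by the router (the rule learns IPs) versus DNS resolved by
another resolver the router never sees (the rule never learns anything).
"""
from dataclasses import dataclass, field

# Domains the rule should capture (dropcam.com is named in the thread).
NEST_DOMAINS = {"dropcam.com"}

# Constructed DNS answers as the router would see them if it were the
# upstream resolver for the UDM: (queried name, set of answered IPs).
DNS_ANSWERS = [
    ("cam.dropcam.com", {"203.0.113.10", "203.0.113.11"}),  # constructed host
    ("example.net", {"198.51.100.5"}),                      # unrelated site
]

# Constructed outbound flows seen afterwards, by destination IP.
FLOWS = ["203.0.113.10", "198.51.100.5", "203.0.113.11"]


@dataclass
class DomainRule:
    """Outbound policy rule keyed on domain names, with a learned IP list."""
    domains: set
    action: str = "enforce-wan1"            # constructed action label
    learned_ips: set = field(default_factory=set)

    def _in_scope(self, qname: str) -> bool:
        # Match the domain itself or any subdomain of it.
        return any(qname == d or qname.endswith("." + d) for d in self.domains)

    def observe_dns_answer(self, qname: str, answers: set) -> None:
        """Called for each DNS answer the router itself resolves."""
        if self._in_scope(qname):
            self.learned_ips.update(answers)

    def decide(self, dst_ip: str, default: str = "balance") -> str:
        """Policy decision for a flow to dst_ip."""
        return self.action if dst_ip in self.learned_ips else default


def simulate(router_sees_dns: bool):
    """Return [(dst_ip, decision), ...] for FLOWS under one DNS topology.

    router_sees_dns=True  : UDM forwards DNS to the BR1, so answers are observed.
    router_sees_dns=False : clients/UDM use some other resolver; the BR1 only
                            ever sees the resulting TCP/UDP flows.
    """
    rule = DomainRule(domains=set(NEST_DOMAINS))
    if router_sees_dns:
        for qname, answers in DNS_ANSWERS:
            rule.observe_dns_answer(qname, answers)
    return [(dst, rule.decide(dst)) for dst in FLOWS]


def enforced_count(router_sees_dns: bool) -> int:
    """Number of flows the rule actually captured in that scenario."""
    return sum(1 for _, d in simulate(router_sees_dns) if d == "enforce-wan1")


if __name__ == "__main__":
    for seen in (True, False):
        print(f"router sees DNS = {seen}:")
        for dst, decision in simulate(seen):
            print(f"  {dst:>14} -> {decision}")
```

With the router in the DNS path, the two constructed camera-server addresses are matched and the unrelated address falls through to the default; with DNS bypassing the router, every flow falls through, which is the failure mode the poster hit when the cameras' DNS never left the UDM.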

Is it possible to walk me through setting up the BR1 to be the UDM DNS Server? I am digging through the menus and it’s a little confusing how this might work.

Have you tried the new 8.3 firmware to see if it correctly identifies the device type?
Then you could set all audio/video, or whatever device type you want, to an enforced WAN.

The easiest method for this is going to be to set up VLANs and move all the cameras over to one VLAN, then block that VLAN from using cellular using one of the outbound algorithms.

This will most likely only work if the Peplink device is the main router and the UDM is behind it.

Setup should be: Modem → Peplink → UDM → Camera VLAN

The Peplink device handles all the DHCP, VLANs, and outbound policies.
The UDM just has the VLANs created.

There really isn’t a simple answer, mainly due to a couple of things. You currently have a flat network, with the UDM in front of the Peplink. Making a couple of changes could fix these issues.

I can confirm that a UDM does correctly work with VLANs from a Peplink device in the setup outlined above.

For anything Peplink - you can probably find the answers on the forum here, for creating VLANs or whatever.

For the UDM - I would just google UDM behind another router, and see if the instructions that populate will be helpful.


Understood - I assume this means that after I create the VLAN and assign that VLAN to a new SSID on all of the APs, I would then need to point each of the 17 Nest cameras to the new SSID to get them on the VLAN? I was trying to avoid having to redo any camera setup steps, as that will take a while, but if that’s the best option I may end up doing that.

@Sivart321, if you were using one router it would be that simple. Create the VLAN with DHCP on the Peplink device, create a new SSID and assign the VLAN to the Wi-Fi network. Then set up the VLAN to not be allowed to use cellular.

You could always create a new SSID for everything else, and let your 17 cameras only use the previous SSID.

The easiest thing to do would probably be this:

  1. Create the VLANs on the Peplink device.
  2. On the UDM, create the VLANs and Wi-Fi SSIDs. Do not create any sort of LAN/Corp network, only VLANs with the same numbers as created on the Peplink device.
  3. Let the APs sync from the UDM, then plug them directly into the Peplink device, not the UDM. As there is only one LAN port on the BR1 5G, you are going to need a switch on the LAN side for extra network ports. The APs will pick up the different VLANs and should start giving out IP addresses per SSID.
  4. After you have done all that, you can still have the APs sync over to the UDM; you just need to SSH into the devices and set the “inform” IP address to the WAN side of the UDM, replacing the previous LAN IP address.

As you can see, there is no straightforward way to easily make the UDM a switch rather than a router. The UDM’s software just has too many little quirks.

If you are trying to utilize UniFi APs as a cheaper Wi-Fi means, you should really look back at the APs Peplink offers. The price is very comparable, and the integration is already streamlined.